A recent, well-publicized attack on a Japanese business involved two malware families, PlugX and Elirks, that were found during the investigation. PlugX has been used in a number of attacks since first being discovered in 2012, and we have published several articles related to its use, including an analysis of an attack campaign targeting Japanese
In part three of the Adversaries and Their Motivations blog series, we’ll explore the following top-level actor motivations: Cyber Warfare, Cyber Terrorism, and Cyber Mischief. Even Fuzzier Boundaries The high-level actor motivations covered earlier in this blog series introduced challenges in identifying and attributing activity between Cyber Espionage, Cyber Crime, and Cyber Hacktivism. Analysis of
Palo Alto Networks recently identified a new campaign targeting the transportation sector in Europe with ties to the Dark Seoul and Operation Troy campaigns that took place in 2013. This new campaign used updated instances of the Tdrop malware family discovered in the Operation Troy campaign. For more information on the new campaign discovered by
Sign up to receive the latest news, cyber threat intelligence and research from Unit 42
By submitting this form, you agree to our Terms of Use and acknowledge our Privacy Statement.
Part of my role as the Director of Threat Intelligence for Palo Alto Networks is to share the intelligence we produce with others who can put it to use in defending their networks. We believe wholeheartedly that having better information about the threats you face will help you defend yourself from harm. Knowing what kinds
This post is the second in a blog series describing adversaries and their motivations. In part two of the series, we’ll explore the following top-level actor motivations: Cyber Espionage, Cyber Crime, and Cyber Hacktivism. Adversary Operational Maturity, Targeting, and Key Roles Before we start, there are some additional concepts that add context to exploring malicious
Executive Summary The Palo Alto Networks vision for threat information sharing is that cybersecurity vendors should share the intelligence that they all individually collect with each other and with whomever else has the capacity to consume it. In that way, each vendor can build more innovative products with that superset of intelligence and better protect their
“A single arrow is easily broken, but not ten in a bundle.” – Japanese proverb Is prevention of cyber attacks impossible? Is trying to prevent attacks a waste of time? Should we spend all our time focused on incident response? These are constant questions in cybersecurity, and while the truth is that we can’t prevent
Earlier this week we published an analysis of KeyRaider, which is an iOS malware family and a reminder of the risks users take when they choose to jailbreak their mobile devices. Attackers used KeyRaider malware to steal more than 225,000 Apple accounts. KeyRaider targeted only jailbroken Apple devices, primarily through Chinese websites and apps that
Executive Summary Recently, WeipTech was analyzing suspicious Apple iOS tweaks reported by users and found over 225,000 valid Apple accounts with passwords stored on a server. In cooperation with WeipTech, we have identified 92 samples of a new iOS malware family in the wild. We have analyzed the samples to determine the author’s ultimate goal
Unit 42 researchers have observed a new Remote Access Tool (RAT) constructed by an unknown actor of Italian origin. This RAT, referred to as uWarrior because of embedded PDB strings, has been previously described by an independent researcher who noted a potentially unknown exploit being used against Microsoft Office.
On July 16, 2015, the Palo Alto Networks Unit 42 threat intelligence team discovered a watering hole attack on the website of a well-known aerospace firm. The website was compromised to launch an apparent watering-hole attack against the company’s customers. It was hosting an Adobe Flash exploit targeting one of the newly disclosed vulnerabilities from
Executive Summary Unit 42 has uncovered a new campaign from the CozyDuke threat actors, aka CozyCar [1], leveraging malware that appears to be related to the Seaduke malware described earlier this week by Symantec. [2] This campaign, which began on July 7, 2015, appears to be targeted at government organizations and think-tanks located in democratic
The 2015 Verizon Data Breach Investigations Report (DBIR) represents the first time Palo Alto Networks has contributed data to this important publication, and we are proud to be part of an intelligence-sharing ecosystem that, in the end, raises the collective bar for everyone in the industry. While reviewing the findings, a few key points stood
Malicious domains are commonly used by cyberattackers for command and control communication, hosting malware and phishing attacks. Palo Alto Networks researchers Wei Xu, Kyle Sanders and Yanxin Zhang recently explored ways to predict malicious domains so they can be added to blacklists before they go live. To hear how they went about this, and to
For a moment, put yourself in the shoes of a cyber criminal. You’ve collected an array of tools (malware), built up your infrastructure (command and control (C2) servers) and you have a process to make money off your hard work. You wake up on Monday morning and the domains your carefully built malware uses for