Black Hat 2014: Threat Intelligence With an Emphasis On Context

A few weeks ago we formally introduced Unit 42, the new threat intelligence team at Palo Alto Networks. Following the release of Unit 42's inaugural research paper, 419 Evolution, many of the team leads are on the scene here at Black Hat 2014 in Las Vegas.


It's a chance for the security community at large to get to know Unit 42 and our intelligence gathering process, which endeavors not only to provide technical research and detailed analysis of threats, but also to provide context into an attacker's motivations and methods using data collected from the Palo Alto Networks security platform. The approach is intended to help security practitioners and business leaders make sense of trends and thus make better-informed decisions about their security posture.

Ryan Olson, Unit 42 Intelligence Director, joined us from the show floor at Black Hat today to talk about Unit 42, 419 Evolution and what's to come from this exciting new Palo Alto Networks team. Watch below: Continue reading "Black Hat 2014: Threat Intelligence With an Emphasis On Context"

Where To Find Palo Alto Networks At Black Hat 2014

Black Hat USA 2014 is taking place all this week in Las Vegas, and as the exhibit halls and many of the briefings open on Wednesday, we invite you to visit with Palo Alto Networks throughout the show.


Join us at Booth #227 on Wednesday and Thursday to: Continue reading "Where To Find Palo Alto Networks At Black Hat 2014"

Palo Alto Networks Provides a New Breed of Intelligence to Detect and Prevent

Back in June, Microsoft patched 59 Internet Explorer vulnerabilities and Palo Alto Networks discovered 21 of them, all rated critical. Then in July, we released findings about evolved Nigerian 419 scammers from Unit 42, the new Palo Alto Networks threat intelligence team.

The way we perform cybersecurity research is opening the door to a new breed of intelligence that I predict will reshape how organizations gather and share cyber intelligence while converting it to actionable indicators.

The reason is evasive applications. Continue reading "Palo Alto Networks Provides a New Breed of Intelligence to Detect and Prevent"

Backoff and Citadel Abuse Remote Access Tools

Recent events continue to highlight the abuse of remote access applications in the enterprise. Last Tuesday, Trusteer reported that a new variant of Citadel, which has long relied on VNC to give attackers remote control over systems, began adding new credentials to systems it infects and enabling the standard Windows remote desktop application (RDP). This allows the attacker to maintain control over the system even after the Citadel infection is removed. As the report indicates, using RDP this way also allows the attackers to “fly under the radar” as RDP is commonly used by administrators and often not treated as a threat. Continue reading "Backoff and Citadel Abuse Remote Access Tools"

New Release: Decrypting NetWire C2 Traffic

On July 22, the Palo Alto Networks threat intelligence team, Unit 42, released our first report on the evolution of “Silver Spaniel” 419 scammers. Of particular note is how these actors use a Remote Administration Tool (RAT) named NetWire (part of the NetWiredRC malware family). This RAT gives a remote attacker complete control over a Windows, Mac OS X, or Linux system through a simple graphical user interface.

To better understand this RAT, our team reverse engineered the communication protocol that NetWire uses. Today we have released a tool that decrypts NetWire traffic and outputs any commands issued by the attacker.

NetWire Encryption Protocol

NetWire uses a custom, TCP-based protocol. The producer of NetWire, WorldWiredLabs, states that the tool uses 256-bit AES encryption, which we found to be accurate. The tool derives two encryption keys from a static password that the attacker chooses when creating the NetWire binary. Each packet has the following structure:

< 4 Byte Little-Endian length > < 1 Byte Command > < Data >

The shortest possible packet is the “HeartBeat” command, which NetWire generates every 10 seconds.

Continue reading "New Release: Decrypting NetWire C2 Traffic"

Meet the Unit 42 Team at Black Hat 2014

Black Hat USA 2014 kicks off next week, and along with our product and solution experts, you'll meet team leads from Unit 42, the Palo Alto Networks threat intelligence team.

Last week we celebrated the official launch of Unit 42, along with the release of 419 Evolution, a new report examining the evolution of Nigerian actors that had previously been active launching 419 scams and are now targeting businesses with more sophisticated techniques.

Download a copy of the report to understand the tools and infrastructure used in their attacks, as well as how to protect your critical assets.

Continue reading "Meet the Unit 42 Team at Black Hat 2014"

Palo Alto Networks News of the Week – July 25

Here’s a roundup of this week’s top Palo Alto Networks news.


We are happy to officially introduce our new threat intelligence team, Unit 42, and the release of its first research paper, 419 Evolution.


Check out some of the great global coverage from this announcement: Continue reading "Palo Alto Networks News of the Week – July 25"

Unit 42: A New Era In Threat Intelligence

Today we would like to officially introduce our new threat intelligence team, Unit 42, and announce the release of our first research paper, 419 Evolution.

Unit 42 uses data collected from the Palo Alto Networks security platform to provide context into an attacker’s motivations and methods. Using our Critical Intelligence Requirements developed by our leadership, we determine what data is necessary to answer questions about threats to Palo Alto Networks and our customers. Continue reading "Unit 42: A New Era In Threat Intelligence"

Why Havex Is a Game-Changing Threat to Industrial Control Systems – Part 2

In part 1 of this 2-part blog series, we discussed why the Havex Trojan is a significant and concerning industry milestone. Here, in part 2, we look at how you can mitigate your exposure through the combination of good practices and next-generation firewall technology.

In my initial engagements with control systems operators interested in our technology, two security objectives, both linked with the objective of keeping uptime high, frequently come up.

First, the operations manager, or the person responsible for security in the operational technology (OT) environment, is concerned with whether only approved users are using the right applications and resources in the specific usage model intended for SCADA. At the most basic level, this person wants to be able to validate that the system is used only in a way that aligns with the business objectives, ultimately with the goal of implementing role-based access control. In this person’s mind, an internal user accidentally causing system downtime is as much a cyberthreat as an incident malicious in nature. Continue reading "Why Havex Is a Game-Changing Threat to Industrial Control Systems – Part 2"

Black Hat 2014 Is Right Around the Corner…

Cybersecurity is moving away from legacy "defense-in-depth" and alert-focused solutions and toward a new toolkit that can detect and prevent the most sophisticated threats. Only Palo Alto Networks can deliver on the promise of a true next-generation security platform across network and endpoint, and we invite you to join us at Black Hat USA 2014 to learn about our intelligence-based approach to preventing advanced attacks before they cause harm.


If you're headed for this year's Black Hat conference in Las Vegas (August 2-7), we want to see you! Here's how... Continue reading "Black Hat 2014 Is Right Around the Corner…"

Why Havex Is a Game-Changing Threat to Industrial Control Systems – Part 1

Havex, the main malware tool used in the Energetic Bear (a.k.a. Dragonfly) campaign, has recently gained a lot of attention after the release of reports from F-Secure, Symantec, and other research groups, and last week we talked about threat mitigation and technical tips from Palo Alto Networks.

These reports and prior intelligence suggest that this campaign and its variants have been active since at least 2011, so what’s the big deal with its latest manifestation? If you pay attention to how the worm has evolved to target ICS (Industrial Control Systems) specifically, you’ll understand why such a high level of attention is warranted.

The Game Has Changed

Continue reading "Why Havex Is a Game-Changing Threat to Industrial Control Systems – Part 1"

Is It the Beginning of the End For Use-After-Free Exploitation?

Use-after-free bugs have affected Internet Explorer for years. In the past year alone, Microsoft patched 122 IE vulnerabilities, the majority of which were use-after-free bugs. This year Microsoft has already patched 126 IE vulnerabilities to date. Of those vulnerabilities, 4 were actively being exploited in the wild. These 4 exploits (CVE-2014-1815, CVE-2014-1776, CVE-2014-0322, CVE-2014-0324) were all based on use-after-free bugs.

To deal with the increasing number of use-after-free bugs and associated exploits, Microsoft introduced a series of new control mechanisms in the most recent Internet Explorer patches. In June, Microsoft introduced a new isolated heap mechanism to address the "use" side of use-after-free exploitation. They followed that up in July by implementing a deferred free method to address the "free" side of use-after-free bugs. Continue reading "Is It the Beginning of the End For Use-After-Free Exploitation?"

Iptables Backdoor: Even Linux Is At Risk of Intrusion

A backdoor implant is an increasingly common mechanism for maintaining unauthorized access and control over a computer asset. The terms remote administration tool (RAT) and trojan downloader are often used synonymously with such implants. Once installed (i.e. implanted on a system), the modern backdoor typically offers much more than simple (i.e. command line) access to a system.

Depending on the backdoor’s specialization and sophistication, it can also capture keystrokes, take screenshots, scrape memory for valuable information, search for files meeting certain criteria, query databases, download files and additional malware, exfiltrate data and files, and even serve as an attack platform. Effectively, a backdoor implant results in loss of control over a computer asset. Continue reading "Iptables Backdoor: Even Linux Is At Risk of Intrusion"

SMS-Based In-App Purchase on Android Is Not Worth The Risk

In-App Purchase (IAP) has become a popular way to sell services and virtual items through mobile applications. In the Android ecosystem, in addition to the official IAP service by Google, there are many third-party IAP Software Development Kits (SDKs) spread around the world.

Some of these third-party SDKs provide IAP services based on existing online payment platforms. However, an increasingly popular method uses premium SMS. A primary reason for the popularity of SMS-based IAP is that it does not require Internet connectivity, just cell service. While this is more convenient for both users and developers, there are significant security concerns with using SMS-based IAP on Android. These concerns are detailed below.

Abuse of Privilege

Continue reading "SMS-Based In-App Purchase on Android Is Not Worth The Risk"

Palo Alto Networks Identifies 21 New Critical Vulnerabilities in Internet Explorer

Today, Microsoft patched 59 Internet Explorer vulnerabilities, 21 of them discovered by Palo Alto Networks researchers. Palo Alto Networks is committed not only to detecting attacks, but preventing them as well.

Our internal research team discovered each of these 21 vulnerabilities and reported them to Microsoft so they could begin building and testing patches. Microsoft has already credited our team with 14 previous IE vulnerabilities in 2014, bringing our total for the year up to 35. We want to acknowledge Palo Alto Networks researchers Bo Qu, Hui Gao, Royce Lu, Xin Ouyang and the entire IPS team for all of the hard work they’ve put into discovering and validating these vulnerabilities.

Here’s what you need to know

Continue reading "Palo Alto Networks Identifies 21 New Critical Vulnerabilities in Internet Explorer"