Palo Alto Networks Unit 42

Computer and Network Security

Santa Clara, CA · 68,766 followers

Unit 42 Threat Intelligence & Incident Response. Intelligence Driven. Response Ready.

About us

Palo Alto Networks Unit 42 brings together world-renowned threat researchers with an elite team of incident responders and security consultants to create an intelligence-driven, response-ready organization passionate about helping customers more proactively manage cyber risk. With a deeply rooted reputation for delivering world-class threat intelligence, Unit 42 provides industry-leading incident response and cyber risk management services to security leaders around the globe.

Website: http://paloaltonetworks.com/unit42
Industry: Computer and Network Security
Company size: 5,001-10,000 employees
Headquarters: Santa Clara, CA
Type: Public Company
Founded: 2005
Specialties: Incident Response, Risk Management, Operational Threat Intelligence, and Network Security

Updates

  • OpenSSH is a connectivity tool with a suite of services. CVE-2024-6387 (aka RegreSSHion), a critical signal handler race condition vulnerability, affects OpenSSH servers and allows attackers root privileges on exploitation. Our threat brief on this vulnerability includes:
    1. Details of the vulnerability
    2. Current scope of the attack, including seen exposed instances
    3. Unit 42 MTH queries
    4. Mitigation guidance
    We’ll continue to update as more information comes to light. Read the brief now: https://bit.ly/3xK4xk1

  • Malware #DarkGate has been distributed in numerous creative ways: via DLL side-loading, tricking users into copying and pasting malicious scripts, by email attachments that run content from a .cab archive, or even via an installer link sent over Teams. Our researchers dissect a campaign from early 2024, where Microsoft Excel files led to malicious software downloads. Decrypting the configuring data and detailing the anti-analysis techniques, this article looks at how this adaptive malware persists in the threat landscape and what can be learned from how it has evolved. Dive into the research now: https://bit.ly/3S1gQj4

  • Palo Alto Networks Unit 42 reposted this from Palo Alto Networks:

    🎯 Actionable insights without the noise. Palo Alto Networks Unit 42 MDR, backed by Cortex by Palo Alto Networks XDR, outpaces the competition, delivering MTTD almost twice the speed of the average participant in the MITRE Engenuity ATT&CK Evaluation: Managed Services. With just 37 targeted email alerts, not hundreds. 👀 Learn more about our results. https://bit.ly/3RTCF3J

  • Unit 42 is tracking the #regreSSHion CVE-2024-6387 unauthenticated remote code execution (RCE) vulnerability affecting #OpenSSH server versions (before v4.4 and between v8.5-9.8). Current guidance is to isolate and patch vulnerable systems.
    1. Patch now. Software updates to address the critical security problem are available – https://bit.ly/3KspXDA
    2. We are investigating the broader scope of potentially vulnerable systems as well as monitoring for functioning exploit code. Lab experimentation by Qualys (who discovered the vulnerability) highlighted that successful exploitation may take approximately 6-8 hours of continuous connections to the vulnerable server – https://bit.ly/3xIuHDQ
    3. Unit 42 will share more critical guidance as it is available.

  • Palo Alto Networks Unit 42 reposted this from Wendi Whitmore:

    Palo Alto Networks Unit 42 | DHS Cyber Safety Review Board Inaugural Member | Duke University Cybersecurity Advisory Board | World Economic Forum Global Future Council on Cybersecurity

    The ransomware group BlackSuit, currently in the news for various global attacks, is a suspected rebranding of the Royal group. Palo Alto Networks Unit 42 has recently responded to multiple cases involving BlackSuit, and feels it’s important to share details on the group so businesses can be vigilant and defend against possible attacks. The group displays signs of operational experience and a higher level of sophistication, potentially inherited from predecessor groups. They are opportunistic and seem to be indiscriminately targeting organizations, demonstrating a global reach. Unlike many other ransomware groups Unit 42 tracks, BlackSuit operates as a private group without affiliates, outside of the popular RaaS model.

    BlackSuit notable TTPs:
    - Initial attack vector through various means, such as malicious phishing attachments, social engineering through vishing calls, as well as abuse of legitimate credentials
    - Deploys both Windows and Linux-based ransomware payloads, and also interacts with VMware ESXi to impact virtual infrastructure
    - Attempts to disable host security products such as AV and EDR
    - Leverages data leak sites as part of a double-extortion strategy

    Unit 42 recommendations for organizations include:
    - Ensure least privilege for user accounts as well as access control lists to critical systems
    - Ensure strong, not reused passwords with MFA enabled for remote access to systems
    - Segment networks and critical systems where appropriate
    - Review and harden ESXi and other infrastructure configuration and security policies
    - Have a robust incident response plan

    Background on BlackSuit: BlackSuit first came to light in May 2023 when Unit 42 published a social media post discussing its ability to target both Windows and Linux hosts. Their first leak site post was on June 18, 2023. Various sources, including Unit 42, have reported similarities in code between Royal and the newly established BlackSuit ransomware, indicating a possible rebranding from Royal to BlackSuit and possible relation to the Conti Group. Unit 42 will continue to share information about this threat actor as their tactics evolve.

  • Starting with the research question “Can we build an SSL algorithm whose primary objective is to match or outperform a fully supervised baseline for any dataset?”, Unit 42 researchers set out to test their contrastive credibility propagation algorithm (presented at AAAI '24) and share their results. This article is a high-level overview of the algorithm’s components, the results of experiments and its real-world application to state-of-the-art data loss prevention. It also includes how the authors worked with sensitive data while preserving privacy. Read it now: https://bit.ly/3W2g4Ew #MachineLearning #DeepLearning #DataLossPrevention
