This article examines the distribution of malicious payloads embedded in Microsoft OneNote files by type, a first in our research to do so at such a scale. The post Payload Trends in Malicious OneNote Samples appeared first on Unit 42.…
Tag: Unit 42
Leveraging DNS Tunneling for Tracking and Scanning
We provide a walkthrough of how attackers leverage DNS tunneling for tracking and scanning, an expansion of the way this technique is usually exploited. The post Leveraging DNS Tunneling for Tracking and Scanning appeared first on Unit 42. This article…
Leveraging DNS Tunneling for Tracking and Scanning
We provide a walkthrough of how attackers leverage DNS tunneling for tracking and scanning, an expansion of the way this technique is usually exploited. The post Leveraging DNS Tunneling for Tracking and Scanning appeared first on Unit 42. This article…
Threat Brief: Operation MidnightEclipse, Post-Exploitation Activity Related to CVE-2024-3400
We detail Operation MidnightEclipse, a campaign exploiting command injection vulnerability CVE-2024-3400, and include protections and mitigations. The post Threat Brief: Operation MidnightEclipse, Post-Exploitation Activity Related to CVE-2024-3400 appeared first on Unit 42. This article has been indexed from Unit 42…
Muddled Libra’s Evolution to the Cloud
Muddled Libra now actively targets CSP environments and SaaS applications. Using the MITRE ATT&CK framework, we outline observed TTPs from incident response. The post Muddled Libra’s Evolution to the Cloud appeared first on Unit 42. This article has been indexed…
It Was Not Me! Malware-Initiated Vulnerability Scanning Is on the Rise
We describe the characteristics of malware-initiated scanning attacks. These attacks differ from direct scanning and are increasing according to our data. The post It Was Not Me! Malware-Initiated Vulnerability Scanning Is on the Rise appeared first on Unit 42. This…
Threat Brief: Vulnerability in XZ Utils Data Compression Library Impacting Multiple Linux Distributions (CVE-2024-3094)
An overview of CVE-2024-3094, a vulnerability in XZ Utils, and information about how to mitigate. The post Threat Brief: Vulnerability in XZ Utils Data Compression Library Impacting Multiple Linux Distributions (CVE-2024-3094) appeared first on Unit 42. This article has been…
Exposing a New BOLA Vulnerability in Grafana
Unit 42 researchers discovered CVE-2024-1313, a broken object level authorization (BOLA) vulnerability in open-source data visualization platform Grafana. The post Exposing a New BOLA Vulnerability in Grafana appeared first on Unit 42. This article has been indexed from Unit 42…
ASEAN Entities in the Spotlight: Chinese APT Group Targeting
We analyze the actions of two separate Chinese APTs — including Stately Taurus — that targeted ASEAN-affiliated entities through different methods. The post ASEAN Entities in the Spotlight: Chinese APT Group Targeting appeared first on Unit 42. This article has…
Large-Scale StrelaStealer Campaign in Early 2024
We unravel the details of two large-scale StrelaStealer campaigns from 2023 and 2024. This email credential stealer has a new variant delivered through zipped JScript. The post Large-Scale StrelaStealer Campaign in Early 2024 appeared first on Unit 42. This article…
Curious Serpens’ FalseFont Backdoor: Technical Analysis, Detection and Prevention
Iran-linked APT Curious Serpens is using a new backdoor, FalseFont, to target the aerospace and defense industries through fake job recruitment. The post Curious Serpens’ FalseFont Backdoor: Technical Analysis, Detection and Prevention appeared first on Unit 42. This article has…
Unit 42 Collaborative Research With Ukraine’s Cyber Agency To Uncover the Smoke Loader Backdoor
A surge in use of malware Smoke Loader by threat group UAC-0006 is highlighted in the first-ever joint research published by Unit 42 and SSSCIP Ukraine. The post Unit 42 Collaborative Research With Ukraine’s Cyber Agency To Uncover the Smoke…
Inside the Rabbit Hole: BunnyLoader 3.0 Unveiled
We analyze recent samples of BunnyLoader 3.0 to illuminate this malware’s evolved and upscaled capabilities, including its new downloadable module system. The post Inside the Rabbit Hole: BunnyLoader 3.0 Unveiled appeared first on Unit 42. This article has been indexed…
Threat Group Assessment: Muddled Libra (Updated)
Muddled Libra continues to evolve. From social engineering to adaptation of new technologies, significant time is spent breaking down organizational defenses. The post Threat Group Assessment: Muddled Libra (Updated) appeared first on Unit 42. This article has been indexed from…
Wireshark Tutorial: Exporting Objects From a Pcap
This Wireshark tutorial guides the reader in exporting different packet capture objects. It builds on a foundation of malware traffic analysis skills. The post Wireshark Tutorial: Exporting Objects From a Pcap appeared first on Unit 42. This article has been…
The Art of Domain Deception: Bifrost’s New Tactic to Deceive Users
The RAT Bifrost has a new Linux variant that leverages a deceptive domain in order to compromise systems. We analyze this expanded attack surface. The post The Art of Domain Deception: Bifrost's New Tactic to Deceive Users appeared first on…
Navigating the Cloud: Exploring Lateral Movement Techniques
We illuminate lateral movement techniques observed in the wild within cloud environments, including Amazon Web Services (AWS), Google Cloud Platform (GCP) and Microsoft Azure. The post Navigating the Cloud: Exploring Lateral Movement Techniques appeared first on Unit 42. This article…
Data From Chinese Security Services Company i-Soon Linked to Previous Chinese APT Campaigns
Data leaks impacting Chinese IT security services company i-Soon reveal links to prior Chinese-affiliated APT campaigns found in the data. We summarize our findings. The post Data From Chinese Security Services Company i-Soon Linked to Previous Chinese APT Campaigns appeared…
Intruders in the Library: Exploring DLL Hijacking
Dynamic-link library (DLL) hijacking remains a popular technique to run malware. We address its evolution using examples from the realm of cybercrime and more. The post Intruders in the Library: Exploring DLL Hijacking appeared first on Unit 42. This article…
Threat Brief: ConnectWise ScreenConnect Vulnerabilities (CVE-2024-1708 and CVE-2024-1709)
CVE-2024-1708 and CVE-2024-1709 affect ConnectWise remote desktop application ScreenConnect. This Threat Brief covers attack scope and includes our telemetry. The post Threat Brief: ConnectWise ScreenConnect Vulnerabilities (CVE-2024-1708 and CVE-2024-1709) appeared first on Unit 42. This article has been indexed from…