Unit 42 Threat Intel Bulletin - July
Palo Alto Networks Unit 42
Unit 42 Threat Intelligence & Incident Response. Intelligence Driven. Response Ready.
Cybersecurity Trends
Unit 42 Cloud Threat Report, Volume 6
According to Unit 42 research, 99% of cloud users, roles, services and resources were granted excessive permissions.
Unit 42 Threat Intel Blogs
Operation Delilah: Unit 42 Helps INTERPOL Identify Nigerian Business Email Compromise Actor (Announcement)
INTERPOL and The Nigeria Police Force announced the arrest of a prominent business email compromise (BEC) actor who has been active since 2015. His apprehension marks the latest success for Operation Delilah - a counter-BEC operation that began in May 2021 and has involved international law enforcement and industry cooperation across four continents.
GALLIUM Expands Targeting Across Telecommunications, Government and Finance Sectors With New PingPull Tool (Malware)
Unit 42 recently identified a new, difficult-to-detect remote access trojan named PingPull being used by GALLIUM, an advanced persistent threat (APT) group.
Network Security Trends: November 2021 to January 2022 (Vulnerability)
Unit 42 researchers continually observe network attacks and search for insights that can assist defenders. Here, we summarize key trends from November 2021 to January 2022. In the following sections, we present our analysis of the most recently published vulnerabilities, including the severity distribution. We also classify vulnerabilities to provide a clear view of the prevalence of, for example, cross-site scripting or denial of service.
VMware Vulnerabilities Exploited in the Wild (CVE-2022-22954 and Others) (Threat Brief and Vulnerability)
On April 6, 2022, VMware published a security advisory covering eight vulnerabilities, including CVE-2022-22954 and CVE-2022-22960, impacting their products VMware Workspace ONE Access, Identity Manager and vRealize Automation. On April 13, they updated their advisory with information that CVE-2022-22954 is being exploited in the wild.
Why Are My Junctions Not Followed? Exploring Windows Redirection Trust Mitigation (Vulnerability)
In recent years, one of the most common classes of elevation-of-privilege vulnerabilities is file system redirection attacks. This class abuses the fact that a privileged component, such as a Windows service, operates on files or directories that are writable by unprivileged users. By using different types of file system links, such as hard links or junctions, attackers can trick the privileged component into operating on files it didn’t intend to. The end goal for such attacks is usually to write an attacker-supplied executable (such as a DLL or a script) to disk, and to get it executed with system permissions.
Exposing HelloXD Ransomware and x4k (Ransomware, Threat Briefs and Assessments)
HelloXD is a ransomware family performing double extortion attacks that surfaced in November 2021. During our research we observed multiple variants impacting Windows and Linux systems. Unlike other ransomware groups, this ransomware family doesn’t have an active leak site; instead it prefers to direct the impacted victim to negotiations through TOX chat and onion-based messenger instances.
LockBit 2.0: How This RaaS Operates and How to Protect Against It (Ransomware, Threat Briefs and Assessments)
LockBit 2.0 is ransomware as a service (RaaS) that first emerged in June 2021 as an upgrade to its predecessor LockBit (aka ABCD Ransomware), which was first observed in September 2019.
Threat Brief: CVE-2022-30190 – MSDT Code Execution Vulnerability (Threat Briefs, Assessments and Vulnerability)
On May 27, 2022, details began to emerge of malicious Word documents leveraging remote templates to execute PowerShell via the ms-msdt Office URL protocol. The use of this technique appeared to allow attackers to bypass local Office macro policies to execute code within the context of Word. Microsoft has since released protection guidance and assigned CVE-2022-30190 to this vulnerability.
Popping Eagle: How We Leveraged Global Analytics to Discover a Sophisticated Threat Actor (Malware)
To better detect attacks that affect the actions of signed applications – such as supply-chain attacks, dynamic-link library (DLL) hijacking, exploitation and malicious thread injection – we have devised a suite of analytics detectors that are able to detect global statistical anomalies.
Updated Threat Brief: Atlassian Confluence Remote Code Execution Vulnerability (CVE-2022-26134) (Threat Briefs, Assessments and Vulnerability)
On June 2, Volexity reported that over Memorial Day weekend, they identified suspicious activity on two internet-facing servers running Atlassian’s Confluence Server application. After analysis of the compromise, Volexity determined the initial foothold was the result of a remote code execution vulnerability in Confluence Server and Data Center. The details were reported to Atlassian on May 31, and Atlassian has since assigned the issue to CVE-2022-26134.
Threat Roll-Up
More Information
Under Attack?
If you think you may have been compromised or have an urgent matter, get in touch with the Unit 42 Incident Response team by filling out this form or calling: North America Toll-Free: 1.866.486.4842 (866.4.UNIT42), UK: +44.20.3743.3660, EMEA: +31.20.299.3130, APAC: +65.6983.8730, and Japan: +81.50.1790.0200.
If you have cyber insurance or legal counsel, you can request for Unit 42 to serve as your incident response team. Unit 42 is on over 70 cyber insurance panels as a preferred vendor.