Unit 42 Threat Intel Bulletin - March

Cybersecurity Trends

Download now

Unit 42 Threat Intel Blogs

Machine Learning Versus Memory Resident Evil (Malware)

Unit 42 researchers discuss a machine learning pipeline we’ve built around memory-based artifacts from our hypervisor-based sandbox, which is part of Advanced WildFire. This alternative approach is one we’ve come up with to boost detection accuracy against malware using a variety of different evasion techniques.

Find out the details

Realtek SDK Vulnerability Attacks Highlight IoT Supply Chain Threats (Vulnerability)?

Unit 42 researchers review tens of millions of attack records every month, and most months, attacks targeting a single vulnerability do not exceed 10% of the total number of attacks. However, we discovered that between August and October 2022, the number of attacks attempting to exploit a Realtek Jungle SDK remote code execution vulnerability (CVE-2021-35394) accounted for more than 40% of the total number of attacks.

Discover more

Chinese PlugX Malware Hidden in Your USB Devices? (Malware)?

Recently, our Unit 42 incident response team was engaged in a Black Basta breach response that uncovered several tools and malware samples on the victim's machines, including GootLoader malware, Brute Ratel C4 red-teaming tool and an older PlugX malware sample. The PlugX malware stood out to us as this variant infects any attached removable USB media devices such as floppy, thumb or flash drives and any additional systems the USB is later plugged into.

Uncover what’s in USB devices

Mitigating RBAC-Based Privilege Escalation in Popular Kubernetes Platforms (Cloud)?

Prisma Cloud and Unit 42 released a report examining the use of powerful credentials in popular Kubernetes platforms, which found most platforms install privileged infrastructure components that could be abused for privilege escalation. We're happy to share that, as of today, all platforms mentioned in our report have addressed built-in node-to-admin privilege escalation. However, it’s possible third party add-ons might reintroduce the issue.

Learn what’s next

Chinese Playful Taurus Activity in Iran (Government)

Playful Taurus, also known as APT15, BackdoorDiplomacy, Vixen Panda, KeChang and NICKEL, is a Chinese advanced persistent threat group that routinely conducts cyber espionage campaigns. The group has been active since at least 2010 and has historically targeted government and diplomatic entities across North and South America, Africa and the Middle East.

Details on this threat group

Wireshark Quiz - Welcome to the January 2023 Unit 42 Wireshark Quiz (Plus answers to Unit 42 Wireshark Quiz) (Tutorial)

Welcome to the January 2023 Unit 42 Wireshark quiz. This blog presents a packet capture (pcap) of malicious activity and asks questions based on information derived from the network traffic. A separate Unit 42 blog post will present the answers with detailed explanations.

Answers here

PurpleUrchin Bypasses CAPTCHA and Steals Cloud Platform Resources (Cloud)

Unit 42 researchers perform a deep dive into Automated Libra, the cloud threat actor group behind the freejacking campaign PurpleUrchin. Automated Libra is a South African-based freejacking group that primarily targets cloud platforms offering limited-time trials of cloud resources in order to perform their cryptomining operations.?

Read more

Security Issue in JWT Secret Poisoning (Updated)(Cloud, Vulnerability)

After hearing the community's feedback about the prerequisites of the exploitation scenario of the vulnerability, we made the decision to work with Auth0 to retract CVE-2022-23529.?

The security issue described in this blog remains a concern when the JsonWebToken library is used in an insecure way. In that scenario, if all the prerequisites are met, the issue may be exploitable. We agree that the source of this risk in that case will be in the calling code, and not in the library.

Review the updates

Network Security Trends: August-October 2022 (Vulnerability)

Recent August-October 2022 observations of exploits used in the wild reveal that threat actors have been leveraging significant numbers of attacks against the Realtek Jungle SDK remote code execution vulnerability (CVE-2021-35394). They have also been making use of a newly published arbitrary file download vulnerability in BackupBuddy and taking advantage of a command injection vulnerability in Bitbucket.

Discover the trends

Threat Roll-up

• (Artificial Intelligence) Insikt Group research examines the ways in which threat actors can utilize ChatGPT for malicious use. (Source: Recorded Future)
• (EV Security) When EVs and smart chargers plug into critical infrastructure, what can go wrong? Plenty. (Source: Dark Reading)
• (SOC) Supply chain and recurring attacks, data destruction, lack of staff — what challenges will your security operations center be facing in 2023? (Source: Dark Reading)
• (Ransomware) Organizations Likely to Experience Ransomware Threat in the Next 24 Months. Security leaders must build resiliency. (Source: Dark Reading)
• (Mobile) Devices running Android 12 and below are at risk for attackers downloading apps that direct users to a malicious domain. (Source: Dark Reading)

More Information

• Learn more about Unit 42.
• Read Unit 42 blogs and threat briefs.
• Actionable Threat Object & Mitigations (ATOMS).

Under Attack?

If you think you may have been compromised or have an urgent matter, get in touch with the Unit 42 Incident Response team by filling out this form or calling: North America Toll-Free: 1.866.486.4842 (866.4.UNIT42), UK: +44.20.3743.3660, EMEA: +31.20.299.3130, APAC: +65.6983.8730, and Japan: +81.50.1790.0200.

If you have cyber insurance or legal counsel, you can request for Unit 42 to serve as your incident response team. Unit 42 is on over 70 cyber insurance panels as a preferred vendor.