Unit 42 Threat Intel Bulletin - May

Cybersecurity Trends

Register for the May 16 Seeing Your Attack Surface Through the Eyes of an Adversary webinar.

Unit 42 Threat Intel Blogs

2023 Unit 42 Ransomware and Extortion Report (Ransomware, Reports)

While much attention has been paid to ransomware in recent years, modern threat actors increasingly use additional extortion techniques to coerce targets into paying—or dispense with ransomware altogether and practice extortion on its own.

What to know

CryptoClippy Speaks Portuguese (Malware)

Unit 42 recently discovered a malware campaign targeting Portuguese speakers, which aims to redirect cryptocurrency away from legitimate users’ wallets and into wallets controlled by threat actors instead. To do this, the campaign uses a type of malware known as a cryptocurrency clipper, which monitors the victim’s clipboard for signs that a cryptocurrency wallet address is being copied.

Key findings

Finding Gozi: Unit 42 Wireshark Quiz, March 2023 and Finding Gozi: Answers to Unit 42 Wireshark Quiz, March 2023 (Tutorial)

The Palo Alto Networks Unit 42 Twitter handle tweeted Monday, March 6, 2023, about Gozi (ISFB/Ursnif) malware targeting Italy. Also known as ISFB or Ursnif, Gozi malware or its variants have been part of our cyberthreat landscape for the past several years. Gozi generates distinct traffic patterns during post-infection activity.

This month's Unit 42 Wireshark quiz presents real-world traffic from a Gozi infection in an Active Directory (AD) environment. Participants are asked questions based on the network activity. A separate Unit 42 blog post will provide the answers.

Take the quiz

3CXDesktopApp Supply Chain Attack (Threat Brief)

On March 29, 2023, there was a supply chain attack involving a software-based phone application called 3CXDesktopApp. As of March 30, the 3CXDesktopApp installer hosted on the developer’s website will install the application with two malicious libraries included. The malicious libraries will ultimately run shellcode to load a backdoor on the system that allows actors to install additional malware on the victim machine.

Learn more

CVE-2023-23397 — Microsoft Outlook Privilege Escalation (Threat Brief)

On March 14, 2023, Microsoft released a patch for CVE-2023-23397. CVE-2023-23397 is a vulnerability in the Windows Microsoft Outlook client that can be exploited by sending a specially crafted email that triggers automatically when it is processed by the Outlook client. No user interaction is required to trigger the exploit.

Find out more

Tailoring Sandbox Techniques to Hidden Threats (Malware)

Malware authors often throw curve balls that are meant to confound automated detection systems. We’ve adapted to these techniques by tailoring our analysis platform in a couple of notable ways that we’ll discuss, particularly to address malware that engages in sandbox evasion.

Discover the details

Malicious JavaScript Injection Campaign Infects 51K Websites (Malware)

Unit 42 researchers have been tracking a widespread malicious JavaScript (JS) injection campaign that redirects victims to malicious content such as adware and scam pages. This threat was active throughout 2022 and continues to infect websites in 2023.

More on this vulnerability

Threat Roll-up

  • (Ransomware) A new ransomware gang named “Money Message” has appeared, targeting victims worldwide and demanding million-dollar ransoms not to leak data and release a decryptor. (Source: BleepingComputer)
  • (Data Privacy) While many apps collect vast troves of user data, sometimes without explicit consent, experts say Chinese e-commerce giant Pinduoduo has taken violations of privacy and data security to the next level. (Source: CNN)
  • (Vulnerability) “Remote Code Execution Vulnerability in Azure Pipelines Can Lead To Software Supply Chain Attack.” Our team has found a vulnerability in Azure Pipelines (CVE-2023-21553) that allows an attacker to execute malicious code in a pipeline. (Source: Legit Security)
  • (Ransomware) “Users fume after My Cloud network breach locks them out of their data.” The compromise allowed hackers to steal data, raising the specter of ransomware. (Source: Ars Technica)
  • (Vulnerability) “3CX Breach Widens as Cyberattackers Drop Second-Stage Backdoor.” (Source: Dark Reading)
  • (AI) “Microsoft introduces an A.I. chatbot for cybersecurity experts.” Chatbots using generative AI models aren't always accurate. But Microsoft is hoping to make its Security Copilot more accurate with user input. (Source: CNBC)
  • (AI, Vulnerability) “ChatGPT Vulnerability May Have Exposed Users’ Payment Information.” The breach was caused by a bug in an open-source library. (Source: Infosecurity Magazine)
  • (Ransomware) “Black Basta, Killnet, LockBit groups targeting healthcare in force.” Federal agencies, along with Microsoft, detail three threats facing critical infrastructure entities like healthcare: Black Basta, Killnet and LockBit. (Source: SC Magazine)

More Information

Under Attack?

If you think you may have been compromised or have an urgent matter, get in touch with the Unit 42 Incident Response team by filling out this form or calling: North America Toll-Free: 1.866.486.4842 (866.4.UNIT42), UK: +44.20.3743.3660, EMEA: +31.20.299.3130, APAC: +65.6983.8730, and Japan: +81.50.1790.0200.

If you have cyber insurance or legal counsel, you can request for Unit 42 to serve as your incident response team. Unit 42 is on over 70 cyber insurance panels as a preferred vendor.
