Unit 42 Threat Intel Bulletin - November

Cybersecurity Trends

Read our new executive advisory on Navigating the Evolving Threat Landscape: Resilient Cybersecurity Tactics for CISOs to discover the latest insights on evolving cyberthreats, and get actionable tactics to fortify your defenses.


Unit 42 Threat Research

Ransomware Delivery URLs: Top Campaigns and Trends (Threat Brief)

On Oct. 16, 2023, Cisco published a security advisory detailing an actively exploited privilege escalation zero-day vulnerability impacting Cisco IOS XE devices. The vulnerability (CVE-2023-20198) has a criticality score of 10 according to the National Vulnerability Database; it would allow an attacker to create an account with the highest privileges possible.

According to our attack surface telemetry from Cortex Xpanse, analysts observed 22,074 implanted IOS XE devices on Oct. 18, 2023. Telemetry as of Oct. 19, 2023 shows 18,359 impacted devices, and we expect the number to continue to decrease because the implant is not persistent. (Note: "Implant" is a term commonly used to describe a backdoor or malware.)

Learn more

Wireshark Tutorial: Display Filter Expressions (Tutorial)

Security professionals occasionally use Wireshark to review packet captures (pcaps) of malware-generated network traffic. To more efficiently review this type of activity, we suggest users customize their Wireshark installation.

In our previous tutorial, we customized Wireshark's column display. This tutorial introduces display filter expressions useful for reviewing pcaps of malicious network traffic from infected Windows hosts.

Expand your knowledge

RedLine Stealer: Answers to the Unit 42 Wireshark Quiz (Tutorial)

Earlier this month, our quiz Crossing the Line: Unit 42 Wireshark Quiz for RedLine Stealer introduced a packet capture (pcap) from July 2023 with a RedLine Stealer infection. This article provides answers to the quiz, and it offers a more in-depth look at RedLine Stealer traffic.

If you would like to review this material without any answers, please see our previous post announcing the standalone quiz.

Take the quiz

Wireshark Tutorial: Changing Your Column Display (Tutorial)

Wireshark is a free protocol analyzer that can record and display packet captures (pcaps) of network traffic. IT professionals use this tool to investigate a wide range of network issues. Security professionals also use Wireshark to review traffic generated from malware.

What makes Wireshark so useful? It is very customizable. Wireshark’s default column display provides a wealth of information, but you should customize the columns to meet your specific needs.

Explore this topic

Why LaZagne Makes D-Bus API Vigilance Crucial (Malware)

Attackers have increased targeted attacks on Linux systems, and the easy availability of hacktool utilities like LaZagne (a popular open-source password recovery tool) has made it increasingly convenient for threat actors to include such tools in malware attack chains for dumping passwords. The tool poses a significant risk to Linux users because it targets popular chat software like Pidgin, using D-Bus APIs to extract sensitive information, including passwords.

This article provides a concise overview of how LaZagne leverages the Pidgin D-Bus APIs to fetch this information, and why keeping an eye on the D-Bus APIs can be a smart security move. We will also examine how attackers use LaZagne in specific malware campaigns.

Check it out


Threat Roll-up

  • (Phishing) A threat actor known as W3LL compromised more than 8,000 Microsoft 365 corporate accounts with a phishing kit that can bypass multi-factor authentication. (Source: BleepingComputer)
  • (Cyberwar Crimes) The International Criminal Court will now prosecute cyberwar crimes, and the first case on the docket may be Russia's cyberattacks against civilian critical infrastructure in Ukraine. (Source: Wired)
  • (SPAM/Covert Influence Operations) Facebook's parent company, Meta, says operations linked to China and Russia used fake accounts across social media sites to spread messages. (Source: NPR)
  • (Vulnerability) Proof-of-concept exploit code has been released for vulnerabilities in Juniper SRX firewalls that can allow unauthenticated attackers to perform remote code execution. (Source: BleepingComputer)
  • (Malware) Japan's computer emergency response team (JPCERT) is sharing a new "MalDoc in PDF" attack that bypasses detection by embedding malicious Word files into PDFs. (Source: BleepingComputer)
  • (Ransomware) Akira ransomware targets Cisco VPNs to breach organizations. (Source: BleepingComputer)
  • (APT) FBI: Lazarus hackers are readying to cash out $41 million in stolen crypto. (Source: BleepingComputer)


More Information


Under Attack?

If you think you may have been compromised or have an urgent matter, get in touch with the Unit 42 Incident Response team by filling out this form or calling: North America Toll-Free: 1.866.486.4842 (866.4.UNIT42), UK: +44.20.3743.3660, EMEA: +31.20.299.3130, APAC: +65.6983.8730, and Japan: +81.50.1790.0200.

If you have cyber insurance or legal counsel, you can request that Unit 42 serve as your incident response team. Unit 42 is on over 70 cyber insurance panels as a preferred vendor.
