Unit 42 Threat Intel Bulletin - September

Cybersecurity Trends

Listen to the new Unit 42 Threat Vector podcast. Each five-minute episode will feature our Unit 42 Threat Intelligence experts, incident responders, and proactive security consultants discussing a wide range of topics, including emerging threat actor TTPs, real-world case studies, and proactive solutions to better protect your organization.

Hear the first episode with Michael Sikorski on the topic of AI.


Unit 42 Threat Research

Ransomware Delivery URLs: Top Campaigns and Trends (Ransomware)

Threat actors seeking new ways to get their creations past victims’ defenses are increasingly turning to sending ransomware through URLs. They are also using increasingly dynamic behaviors to deliver their ransomware. In addition to treading the well-worn path of using polymorphic versions of their ransomware, threat actors often rotate hostnames, paths, filenames or a combination of all three to widely distribute ransomware.
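The rotation pattern described above (one payload, many hostnames, paths and filenames) is visible from the defender's side as a single file hash fetched from many distinct URLs. The following is an added example, not Unit 42's code; it runs over constructed proxy log lines in a hypothetical format (timestamp, client, URL, hash of the downloaded file) and flags hashes served under several different hosts, paths or filenames.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed proxy log lines (hypothetical format: timestamp, client, url, hash of the fetched file).
# Hostnames, paths and hashes below are made up for illustration only.
SAMPLE_LOGS = """\
2023-09-01T10:00:01Z 10.0.0.5 http://cdn-a.example/dl/invoice.zip 1111aaaa
2023-09-01T10:03:12Z 10.0.0.7 http://cdn-b.example/files/report.zip 1111aaaa
2023-09-01T10:07:44Z 10.0.0.9 http://cdn-c.example/static/scan.zip 1111aaaa
2023-09-01T10:09:00Z 10.0.0.5 http://intranet.example/tools/setup.msi 2222bbbb
2023-09-01T10:12:30Z 10.0.0.7 http://intranet.example/tools/setup.msi 2222bbbb
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) ([0-9a-fA-F]+)$")

def parse_logs(text):
    """Yield (url, hash) tuples from the constructed log format; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(3), m.group(4).lower()

def rotation_report(text):
    """Group downloads by payload hash and collect the distinct hostnames, directory paths
    and filenames each hash was served from: {hash: {"hosts": set, "paths": set, "names": set}}."""
    seen = defaultdict(lambda: {"hosts": set(), "paths": set(), "names": set()})
    for url, digest in parse_logs(text):
        parsed = urlparse(url)
        directory, _, name = parsed.path.rpartition("/")
        seen[digest]["hosts"].add(parsed.hostname or "")
        seen[digest]["paths"].add(directory or "/")
        seen[digest]["names"].add(name)
    return seen

def flag_rotating_payloads(text, min_variants=3):
    """Return hashes served under at least `min_variants` distinct hostnames, paths or
    filenames. A benign installer from one internal URL stays below the threshold."""
    flagged = []
    for digest, info in rotation_report(text).items():
        if max(len(info["hosts"]), len(info["paths"]), len(info["names"])) >= min_variants:
            flagged.append(digest)
    return sorted(flagged)

if __name__ == "__main__":
    report = rotation_report(SAMPLE_LOGS)
    for digest in flag_rotating_payloads(SAMPLE_LOGS):
        print(digest, sorted(report[digest]["hosts"]), sorted(report[digest]["names"]))
```

Tune `min_variants` to the environment; software update CDNs legitimately serve one hash from several hostnames, so the flagged list is a triage queue, not a verdict.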


Threat Brief: RCE Vulnerability CVE-2023-3519 on Customer-Managed Citrix Servers (Threat Briefs & Assessments)

On July 18, 2023, Citrix published a security bulletin for vulnerabilities affecting their NetScaler ADC and NetScaler Gateway products. When these appliances are configured as a gateway or authentication server and managed by a customer (i.e., not Citrix-managed) they can be vulnerable to remote code execution initiated by an attacker. Vulnerabilities on Citrix-managed servers have already been mitigated.

Citrix states that they have observed attacks targeting CVE-2023-3519 against appliances that haven’t been patched. The Cybersecurity and Infrastructure Security Agency (CISA) has also released an advisory detailing an attack using this vulnerability.


Threat Brief: Multiple Vulnerabilities Including Zero-Day Remote Unauthenticated API Access – CVE-2023-35078 – in Ivanti Endpoint Manager Mobile (Threat Briefs & Assessments)

On July 24, 2023, Ivanti Endpoint Manager Mobile (EPMM), previously known as MobileIron Core, publicly disclosed details about an unauthenticated API access zero-day vulnerability. CVE-2023-35078 affects versions 11.10, 11.9 and 11.8, but older versions are also at risk of possible exploitation.

At the time of writing, the only confirmed victims have been Norwegian government agencies. They confirmed their government ministries had been targeted in a cyberattack exploiting this vulnerability, but given the number of potentially vulnerable servers on the internet running this software, it's highly likely that other organizations will or already have fallen victim. Open source reporting indicates that these attacks most likely occurred prior to Ivanti knowing about the vulnerability.


Threat Group Assessment: Mallox Ransomware (Ransomware, Threat Briefs & Assessments)

Mallox (aka TargetCompany, FARGO and Tohnichi) is a ransomware strain that targets Microsoft (MS) Windows systems. It has been active since June 2021, and is notable for exploiting unsecured MS-SQL servers as a penetration vector to compromise victims' networks.

Recently, Unit 42 researchers have observed an uptick of Mallox ransomware activities – with an increase of almost 174% compared to the previous year – exploiting MS-SQL servers to distribute the ransomware. Unit 42 incident responders have observed Mallox ransomware using brute forcing, data exfiltration and tools such as network scanners. In addition, we have found indications that the group is working on expanding their operations and recruiting affiliates on hacking forums.


P2PInfect: The Rusty Peer-to-Peer Self-Replicating Worm (Cloud)

On July 11, 2023, Unit 42 cloud researchers discovered a new peer-to-peer (P2P) worm we call P2PInfect. Written in Rust, a highly scalable and cloud-friendly programming language, this worm is capable of cross-platform infections and targets Redis, a popular open-source database application that is heavily used within cloud environments. Redis instances can be run on both Linux and Windows operating systems. Unit 42 researchers have identified over 307,000 unique Redis systems communicating publicly over the last two weeks, of which 934 may be vulnerable to this P2P worm variant. While not all of the 307,000 Redis instances will be vulnerable, the worm will still target these systems and attempt the compromise.

The P2PInfect worm infects vulnerable Redis instances by exploiting the Lua sandbox escape vulnerability, CVE-2022-0543. While the vulnerability was disclosed in 2022, its scope is not fully known at this point. However, it is rated in the NIST National Vulnerability Database with a Critical CVSS score of 10.0. Additionally, the fact that P2PInfect exploits Redis servers running on both Linux and Windows operating systems makes it more scalable and potent than other worms. The P2P worm observed by Unit 42 researchers serves as an example of a serious attack threat actors could conduct using this vulnerability.


Diplomats Beware: Cloaked Ursa Phishing With a Twist (Malware)

Russia’s Foreign Intelligence Service hackers, which we call Cloaked Ursa (aka APT29, UAC-0004, Midnight Blizzard/Nobelium, Cozy Bear) are well known for targeting diplomatic missions globally. Their initial access attempts over the past two years have predominantly used phishing lures with a theme of diplomatic operations such as the following:

  • Notes verbales (semiformal government-to-government diplomatic communications)
  • Embassies’ operating status updates
  • Schedules for diplomats
  • Invitations to embassy events


Six Malicious Python Packages in the PyPI Targeting Windows Users (Cloud)

In March 2023, Unit 42 researchers discovered six malicious packages on the Python Package Index (PyPI) package manager. The malicious packages were intended to steal Windows users’ application credentials, personal data and tracking information for their crypto wallets. The attack was an attempted imitation of the attack group W4SP, which had previously launched several supply chain attacks using malicious packages.

We will discuss the ease with which threat actors can use malicious packages to release malicious code in an open-source ecosystem. The behavior we observed is not an organized campaign planned by an attack group, but most likely an imitator who read technical reports of previous campaigns to execute their own attack. We will walk through a technical analysis of the malicious code and unravel what the threat actor tried to achieve in the attack.



Threat Roll-up

  • (Zero-Day) Apple rolls out urgent patches for zero-day flaws impacting iOS, iPadOS, macOS, tvOS, watchOS, and Safari. (Source: Hacker News)
  • (Privilege Elevation Flaw) Super Admin elevation bug puts 900,000 MikroTik devices at risk. (Source: BleepingComputer)
  • (APT/Malware) U.S. Hunts Chinese Malware That Could Disrupt American Military Operations. (Source: The New York Times)
  • (Vulnerability) Adobe warns of critical ColdFusion RCE bug exploited in attacks. (Source: BleepingComputer)
  • (Vulnerability) New critical Citrix ADC and Gateway flaw exploited as zero-days. (Source: BleepingComputer)
  • (Vulnerability) A vulnerability has been discovered in the Microsoft Azure Active Directory (AD) Open Authorization (OAuth) process, which allows a complete account takeover. (Source: Security Boulevard)
  • (GDPR) New privacy deal allows US tech giants to continue storing European user data on American servers. (Source: Engadget)
  • (Android Security) Android security updates fix three actively exploited vulnerabilities. (Source: BeyondMachines)


More Information


Under Attack?

If you think you may have been compromised or have an urgent matter, get in touch with the Unit 42 Incident Response team by filling out this form or calling: North America Toll-Free: 1.866.486.4842 (866.4.UNIT42), UK: +44.20.3743.3660, EMEA: +31.20.299.3130, APAC: +65.6983.8730, and Japan: +81.50.1790.0200.

If you have cyber insurance or legal counsel, you can request for Unit 42 to serve as your incident response team. Unit 42 is on over 70 cyber insurance panels as a preferred vendor.


Monica Gambrell

Sales Specialist at National Door Refinishing

1 year

Just subscribed to the YouTube channel. Hopefully more people will become aware. Thank you to all of you.

KRISHNAN N NARAYANAN

Sales Associate at American Airlines

1 year

Thanks for sharing
