This article examines clickbait sites. A jump in compromised sites exploiting CVE-2023-3169 underscores the danger of web-based threats. The post High Traffic + High Vulnerability = an Attractive Target for Criminals: The Dangers of Viewing Clickbait Sites appeared…
Category: Unit 42
Chinese APT Targeting Cambodian Government
Cambodian government entities were targeted by a Chinese APT masquerading as legitimate cloud backup services. Our findings include the C2 infrastructure used in the campaign.
Agonizing Serpens (Aka Agrius) Targeting the Israeli Higher Education and Tech Sectors
A series of attacks by the APT Agonizing Serpens (aka Agrius) against Israeli higher education and technology organizations began in January 2023. We analyze the novel wipers and other tools used.
Threat Brief: Citrix Bleed CVE-2023-4966
Threat brief on CVE-2023-4966 (aka Citrix Bleed), which affects multiple Citrix NetScaler products, covering the attack scope, threat hunting queries and interim guidance.
Conducting Robust Learning for Empire Command and Control Detection
Unit 42 uses machine learning to build a detector for Empire, a red team command-and-control framework that is also used by threat actors.
Over the Kazuar’s Nest: Cracking Down on a Freshly Hatched Backdoor Used by Pensive Ursa (Aka Turla)
We examine a variant of the .NET backdoor Kazuar used by Pensive Ursa (aka Turla), including previously undocumented features ranging from system profiling to injection modes.
CloudKeys in the Air: Tracking Malicious Operations of Exposed IAM Keys
We analyze an attack path that starts with AWS IAM credentials exposed on GitHub and leads to the creation of AWS EC2 instances, which the threat actors used for cryptojacking.
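Two checks a practitioner would want for the attack path described above, the leaked key and the EC2 launches made with it, as an added example that is not Unit 42's code: a scanner that finds AWS access key IDs (and an adjacent secret) in text such as a commit diff, and a filter over CloudTrail-style records that flags RunInstances calls made with a leaked key or outside the regions the account normally uses. The sample diff and the event records are constructed for the example and use the documented AWS placeholder credentials; the "expected regions" set is an assumption you would replace with your own.

```python
"""Added example (not Unit 42's code): find leaked AWS keys in text and flag
EC2 launches made with them in CloudTrail-style events."""
import re

# Access key IDs are 20 characters: 'AKIA' (long-term IAM user key) or
# 'ASIA' (temporary STS key) followed by 16 uppercase letters/digits.
ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")
# A secret access key is 40 base64-ish characters; only treated as a hit when
# the line mentions "aws ... secret" so random 40-char strings are not matched.
SECRET_KEY_RE = re.compile(r"(?i)aws.{0,20}?secret.{0,20}?['\"=:\s]([A-Za-z0-9/+=]{40})\b")

# Constructed sample: a commit diff containing the AWS documentation example keys.
SAMPLE_DIFF = """\
+# quick test config
+AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
+AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
 region = us-east-1
+token for CI: ASIAEXAMPLE123456789 (temporary)
"""


def find_aws_keys(text, window=3):
    """Return a list of dicts {line, access_key_id, secret} for every access key
    ID in text; secret is the 40-char secret found within `window` lines after
    the key ID, or None if no secret is nearby."""
    lines = text.splitlines()
    secrets = {}  # line number -> secret found on that line
    for lineno, line in enumerate(lines, 1):
        m = SECRET_KEY_RE.search(line)
        if m:
            secrets[lineno] = m.group(1)
    hits = []
    for lineno, line in enumerate(lines, 1):
        for m in ACCESS_KEY_RE.finditer(line):
            secret = None
            for offset in range(window + 1):
                if lineno + offset in secrets:
                    secret = secrets[lineno + offset]
                    break
            hits.append({"line": lineno, "access_key_id": m.group(1), "secret": secret})
    return hits


# Constructed CloudTrail-style records (only the fields the check needs).
SAMPLE_EVENTS = [
    {"eventName": "RunInstances", "awsRegion": "us-east-1",
     "userIdentity": {"accessKeyId": "AKIAIOSFODNN7EXAMPLE"},
     "requestParameters": {"instanceType": "c5.24xlarge"}},
    {"eventName": "DescribeInstances", "awsRegion": "us-east-1",
     "userIdentity": {"accessKeyId": "AKIAIOSFODNN7EXAMPLE"},
     "requestParameters": {}},
    {"eventName": "RunInstances", "awsRegion": "eu-west-1",
     "userIdentity": {"accessKeyId": "AKIAJJJJJJJJJJJJJJJJ"},
     "requestParameters": {"instanceType": "t3.micro"}},
]


def flag_ec2_launches(events, leaked_key_ids, expected_regions):
    """Return (index, access_key_id, reasons) for each RunInstances event that
    was made with a leaked key or in a region outside expected_regions."""
    findings = []
    for i, ev in enumerate(events):
        if ev.get("eventName") != "RunInstances":
            continue
        key = ev.get("userIdentity", {}).get("accessKeyId", "")
        reasons = []
        if key in leaked_key_ids:
            reasons.append("launch by a key that appeared in a leak")
        if ev.get("awsRegion") not in expected_regions:
            reasons.append("launch in unexpected region %s" % ev.get("awsRegion"))
        if reasons:
            findings.append((i, key, reasons))
    return findings


if __name__ == "__main__":
    leaked = find_aws_keys(SAMPLE_DIFF)
    for h in leaked:
        print("line %d: %s secret=%s" % (h["line"], h["access_key_id"], "yes" if h["secret"] else "no"))
    # Assumed baseline: this account only launches instances in us-east-1.
    for idx, key, reasons in flag_ec2_launches(SAMPLE_EVENTS, {h["access_key_id"] for h in leaked}, {"us-east-1"}):
        print("event %d (%s): %s" % (idx, key, "; ".join(reasons)))
```

In practice the event filter runs over CloudTrail output (for example from `aws cloudtrail lookup-events`), and any key that the scanner finds should be deactivated in IAM before the launches are investigated, since the instances will keep running under the attacker's control until the key is revoked and they are terminated.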
When PAM Goes Rogue: Malware Uses Authentication Modules for Mischief
A breakdown of how the Linux pluggable authentication modules (PAM) APIs are leveraged in malware, including the malware families that use PAM.
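Malware that hooks PAM has to be wired into the authentication stack, either by dropping a module and referencing it from a pam.d configuration or by replacing a legitimate module on disk. The following audit of pam.d-style configuration is an added example, not Unit 42's code: it parses each rule (including the bracketed control syntax), flags modules loaded from outside the standard module directories, modules not in an allowlist, and the classic backdoor of `pam_permit.so` marked `sufficient` in an `auth` stack. The configuration text, the allowlist and the standard directory list are constructed for the example; in production the allowlist should come from package ownership (`dpkg -S` or `rpm -qf` on the module files) and the check should also compare the on-disk module hashes, which this snippet does not do.

```python
"""Added example (not Unit 42's code): audit PAM configuration for modules a
malicious PAM hook would introduce."""
import os

# Module directories used by mainstream distributions (assumption for the example).
STANDARD_MODULE_DIRS = (
    "/lib/security", "/lib64/security", "/lib/x86_64-linux-gnu/security",
    "/usr/lib/security", "/usr/lib64/security", "/usr/lib/x86_64-linux-gnu/security",
)
# Example allowlist of stock modules; a real one is derived from package ownership.
KNOWN_MODULES = {
    "pam_unix.so", "pam_deny.so", "pam_permit.so", "pam_nologin.so", "pam_keyinit.so",
    "pam_limits.so", "pam_env.so", "pam_systemd.so", "pam_motd.so", "pam_mail.so",
    "pam_loginuid.so", "pam_selinux.so", "pam_faillock.so", "pam_pwquality.so",
    "pam_access.so", "pam_succeed_if.so", "pam_wheel.so", "pam_rootok.so",
    "pam_lastlog.so", "pam_umask.so", "pam_sss.so",
}

# Constructed sample in /etc/pam.d syntax; lines 6, 7 and 11 are the suspicious ones.
SAMPLE_CONFIG = """\
# /etc/pam.d/sshd (constructed sample)
@include common-auth
auth    [success=1 default=ignore]  pam_unix.so nullok
auth    requisite   pam_deny.so
auth    required    pam_permit.so
auth    sufficient  /usr/lib/x86_64-linux-gnu/security/pam_permit.so
auth    optional    /tmp/.X11-unix/pam_cache.so
account required    pam_nologin.so
session optional    pam_keyinit.so force revoke
session required    pam_limits.so
password required   pam_auth_log.so
"""


def parse_pam_line(line):
    """Parse one pam.d rule into {type, control, module, args}; None for blank/comment.
    Handles '@include', a leading '-' on the type, and bracketed controls such as
    '[success=1 default=ignore]' that contain spaces."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    if line.startswith("@include"):
        return {"type": "@include", "control": None, "module": line.split(None, 1)[1].strip(), "args": []}
    tokens = line.split()
    ptype = tokens[0].lstrip("-")  # '-session' means "silently skip if module missing"
    if tokens[1].startswith("["):
        end = next(i for i, t in enumerate(tokens) if t.endswith("]"))
        control = " ".join(tokens[1:end + 1])
        rest = tokens[end + 1:]
    else:
        control = tokens[1]
        rest = tokens[2:]
    return {"type": ptype, "control": control, "module": rest[0], "args": rest[1:]}


def audit_pam_config(text, known_modules=KNOWN_MODULES):
    """Return (line_no, module_name, reason) for each suspicious rule in text."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = parse_pam_line(raw)
        if entry is None or entry["type"] == "@include":
            continue
        mod = entry["module"]
        name = os.path.basename(mod)
        if os.path.isabs(mod) and os.path.dirname(mod) not in STANDARD_MODULE_DIRS:
            findings.append((lineno, name, "module loaded from non-standard path " + mod))
        elif name not in known_modules:
            findings.append((lineno, name, "module not in allowlist"))
        # Heuristic: pam_permit.so as 'sufficient' in an auth stack short-circuits the
        # password check for everyone. 'required' pam_permit.so is a normal stack idiom.
        if entry["type"] == "auth" and name == "pam_permit.so" and entry["control"] == "sufficient":
            findings.append((lineno, name, "pam_permit.so as sufficient in auth stack bypasses authentication"))
    return findings


if __name__ == "__main__":
    for lineno, name, reason in audit_pam_config(SAMPLE_CONFIG):
        print("line %d: %s: %s" % (lineno, name, reason))
```

Run it over every file in /etc/pam.d plus /etc/pam.conf; the `@include` entries are reported as-is so the caller can recurse into them. A clean configuration does not prove the stack is clean, since a trojaned `pam_unix.so` in a standard directory passes every check here, which is why the hash comparison against the package database is the second half of the audit.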