Unit 42 | Greatest Hits

Unit 42 is the global threat intelligence team at Palo Alto Networks. Experts in hunting and collecting unknown threats, Unit 42 has been internationally recognized for key research on threats and campaigns. This interactive explores some of Unit 42's biggest contributions to threat intelligence research.

SilverTerrier


SilverTerrier refers to a group of roughly 300 Nigerian cybercriminals who use off-the-shelf malware kits and mass phishing campaigns to attack targets around the world. Though not sophisticated in operation, these actors have access to a number of malware families, which they distribute in the hope of infecting victims and stealing valuable data.

Unit 42 has been tracking SilverTerrier and has attributed 181,000 attacks, using 15 families of malware, to the group in a single year. In 2017, the group sent an average of 17,600 spam emails a month, a 45% increase over 2016.

Unit 42, part of Palo Alto Networks, has been tracking the rise of Business Email Compromise attacks from Nigeria for several years. Two years ago, it identified a group known as SilverTerrier who were using malware to help improve the effectiveness of their attacks.

Enterprise Times

Nigerian actors, which Unit 42 identifies as SilverTerrier, are currently producing an average of 840 unique samples of information stealer malware per month, a 17 percent increase over the past year.

Threat Post

KeyRaider


KeyRaider is computer malware that affects jailbroken Apple iOS devices, specifically iPhones, and allows criminals to steal users' login and password information, as well as to lock the devices and demand a ransom to unlock them.

It was discovered by researchers from Unit 42 and WeiPhone in August 2015 and is believed to have led to more than 225,000 people having their login and password information stolen, making it, according to cybersecurity columnist Joseph Steinberg, "one of the most damaging pieces of malware ever discovered in the Apple universe."

The malicious software was reported by security firm Palo Alto Networks earlier this week. The malware steals Apple account usernames, passwords and device information by intercepting iTunes traffic on the user's device.

USA Today

Top security firm Palo Alto Networks announced over the weekend that a rare exploit is out in the wild for Apple iOS devices. A possibly China-originated malware aptly named "KeyRaider" has made its way to Jailbroken iOS devices and it has a nasty method of capturing, you guessed it, your Apple ID keys.

Forbes

Lotus Blossom


The actors behind Operation Lotus Blossom are part of a persistent cyber espionage campaign targeting government and military organizations in Southeast Asia. Attacks by the Lotus Blossom group rely heavily on spearphishing emails that use enticing subject lines and legitimate-looking decoy documents to trick users into opening a malware executable they believe is a trusted document.

Unit 42 discovered this attack using the Palo Alto Networks AutoFocus service, which allows analysts to quickly find correlations among malware samples analyzed by WildFire. Unit 42 has linked more than 50 individual attacks across Hong Kong, Taiwan, Vietnam, the Philippines, and Indonesia to the Lotus Blossom group. 

Discovered by the Palo Alto Networks Unit 42 threat intelligence team and dubbed "Operation Lotus Blossom", the attacks appear to be an attempt to gain inside information on the operation of nation-states throughout the region.

Market Watch

Researchers at Palo Alto Networks have identified a cyber-espionage operation targeting government and military organizations in Southeast Asia. The group responsible for the campaign has been nicknamed 'Lotus Blossom', and given its targets and persistence, is likely state-sponsored.

Security Week

XcodeGhost


XcodeGhost is the first compiler malware in OS X. XcodeGhost’s primary behavior in infected iOS apps is to collect information on the devices and upload that data to command and control (C2) servers. The malware has exposed a very interesting attack vector, targeting the compilers used to create legitimate apps. This technique could also be adopted to attack enterprise iOS apps or OS X apps in much more dangerous ways.

Unit 42 discovered that XcodeGhost had infected more than 39 iOS apps, including some very popular apps such as WeChat and Didi. Unit 42 shared its samples, threat intelligence and research with Apple, Amazon and Baidu to stop the attacks and mitigate the security threat.

The infected apps were discovered by Palo Alto Networks' Unit 42 security research team, which alerted Google to the apps which contained executable files that could be set loose on Windows machines.

The Inquirer


KeRanger


KeRanger (also known as OSX.KeRanger.A) is a ransomware trojan horse targeting computers running macOS. It was distributed through Transmission, a popular Mac BitTorrent client: the malware was found inside the installer for Transmission version 2.90. KeRanger works by encrypting files on the victim's Mac and then demanding payment. In this instance, payment in bitcoin is demanded in exchange for the encryption key needed to recover the files.


Sofacy


Sofacy (also known as Fancy Bear, APT 28, STRONTIUM, Pawn Storm) is a Russian cyber espionage group. Active since the mid-2000s, it has been responsible for targeted intrusion campaigns against industry verticals such as Aerospace, Defense, Energy, Government and Media. Its attacks typically begin by deploying variants of the Zebrocy trojan, a custom downloader delivered primarily through phishing emails carrying malicious Microsoft Office documents or simple executable attachments. The Sofacy group continues its attacks on organizations across the globe.

In November 2018, Unit 42 announced the discovery of "Cannon," a trojan used by Sofacy to target United States and European government entities. The malware communicates with its command and control server over email and uses encryption to evade detection.

In late October and early November, the Palo Alto Networks Unit 42 threat research team collected multiple weaponized documents targeting government organizations […] they managed to glean some valuable insights from two of the documents in particular.

Security Intelligence

The Russian APT cybergang Sofacy has rolled out a new campaign based on a seldom used attack tool called Zebrocy […] The group has been tracked and analysed by Palo Alto's Unit 42, which has found Sofacy using phishing attacks with emails containing malicious Microsoft Office documents with macros or other executable attachments to deliver Zebrocy.

SC Magazine UK

OilRig


OilRig is a threat group operating primarily in the Middle East, targeting organizations throughout the region, and occasionally outside it, across a range of industries. The group appears to carry out supply chain attacks and relies on social engineering to exploit people rather than software vulnerabilities. Once inside, the actors use credential dumping tools such as Mimikatz to steal the credentials of accounts logged into the compromised system and then move laterally across the network.

Unit 42 discovered OilRig in mid-2016 and later uncovered that the group uses malicious macro documents as part of its attack toolkit. The group continues to adapt its tactics and bolster its toolset with newly developed tools. With no signs of the group slowing down, Unit 42 developed an OilRig Playbook to help organizations protect themselves.

Unit 42 revealed that the Iran-linked APT group known clandestinely installed an Internet Information Services (IIS) backdoor called RGDoor on the web servers of eight Middle Eastern government organizations, as well as one financial institution and one educational institution.

CS Magazine

In August 2018, Palo Alto Networks’ Unit 42 threat research team detected an OilRig campaign targeting a high-ranking government organization in the Middle East. The email campaign leveraged spear-phishing, one of the most common types of phishing.

TripWire

Shamoon 2


In August 2012, an attack campaign known as Shamoon targeted a Saudi Arabian energy company to deliver a malware called Disttrack. Disttrack is a multipurpose tool that exhibits worm-like behavior, attempting to spread to other systems on the local network using stolen administrator credentials. More importantly, it can destroy data and render infected systems unusable. Four years later, three new waves of Shamoon attacks occurred suddenly, flattening entire organizations.

Unit 42 discovered the new Disttrack samples that appear to have been used in this updated attack campaign and uncovered that Shamoon 2 relied on credential theft to penetrate an organization's network and spread so widely.

Researchers from Palo Alto Networks and Symantec discovered a new variant, so-called Shamoon 2, that was used at least in a targeted attack against a single Saudi organization, the Saudi Arabia's General Authority of Civil Aviation (GACA).

Cyber Defense Magazine

While they were collecting files from the third wave of Shamoon 2, Unit 42 threat researchers at Palo Alto Networks discovered something new: a ZIP archive containing files that help Disttrack infect other systems in the target network.

TripWire

Mining Monero cryptocurrency


Monero is an open-source cryptocurrency created in April 2014. Since its inception, it has become the target of many cryptocurrency mining campaigns. And while Monero mining campaigns are certainly not a new development, a large-scale campaign emerged that was relatively unnoticed for months. By targeting random end-users via malicious advertisements, using seemingly innocuous names for the malware files, and using both built-in Windows utilities and scripting files, the attackers are able to gain a foothold on victim systems at large scale.

Unit 42 observed this large-scale cryptocurrency mining operation, which had been active for a long period of time. Further research produced a low-end estimate of 15 million users victimized by the campaign. Unfortunately, the popularity of malicious cryptocurrency mining continues to skyrocket. In June 2018, Unit 42 found that a total of $175m had been mined via the Monero currency, representing roughly 5% of all Monero currently in circulation. Unit 42 continues to closely monitor cryptocurrency mining activities.

The latest report released by Unit 42 says that Palo Alto Network's threat intelligence team discovered that the malware strain makes computers mine XMR by installing an "XMRig cryptocurrency miner."

Oracle Times

Researchers at Palo Alto Networks warned this week of the latest evolution in both cryptojacking and fake Flash updates […] the researchers have found 113 of these fake updaters, which deposit a cryptocurrency miner called XMRig on the affected device.

Wired