CREDENTIAL THEFT: Exposing the Ecosystem and Motives Behind Credential Phishing, Theft and Abuse

For years, the security industry has focused on securing the network, cloud and endpoints by preventing the delivery of vulnerability exploits, malware or command-and-control activity. While those attack vectors remain critical, adversaries have increasingly used alternative means to break into organizations and move laterally within them. Chief among these highly leveraged techniques is the use of legitimate credentials, which lets attackers walk in the front door, bypassing security controls while posing as a legitimate user with full access to company resources. This in-depth report by Unit 42 delves into the ecosystem behind the theft and use of credentials, including step-by-step attack methods and common-sense ways to keep your organization safe.

SILVERTERRIER: The Next Evolution in Nigerian Cybercrime

Nigerian threat actors have long been considered a nuisance rather than a threat. Palo Alto Networks Unit 42 returns to the topic that launched our research in 2014 with our latest report, "SILVERTERRIER: The Next Evolution in Nigerian Cybercrime." This report shows that Nigerian threat actors are capable and formidable adversaries who successfully attack major companies and governments using cheap, off-the-shelf commodity malware.

The history of Nigerian threat actors and their use of unsophisticated technology makes it easy to underestimate the threat. This report shows why it’s not just wrong but dangerous to take Nigerian threat actors lightly.



Exploit Kits: Getting In By Any Means Necessary

Exploit kits, which first became popular in 2006, are used to automate the exploitation of vulnerabilities on victims’ machines, most commonly while users are browsing the web. Over the past decade they have become an extremely popular means for criminal groups to distribute mass malware or remote access tools (RATs), because they lower the barrier to entry for attackers and enable opportunistic attacks at scale. To understand this phenomenon, we must understand the ecosystem that surrounds exploit kits, including the actors, campaigns and terminology involved.

For exploit kit creators, there is a massive opportunity to generate profit. Creators can offer exploit kits for rental on underground criminal markets, where the price for leading kits can reach thousands of dollars per month.

Exploit kit campaigns generate a series of events starting with a compromised website that ultimately directs web traffic to an exploit kit. Within the exploit kit, a specific sequence of events occurs for a successful infection. The sequence starts with a landing page, follows with an exploit, and ends in a payload. Ransomware is their most common payload, but exploit kits also distribute other types of malware, like information stealers and banking Trojans.

While exploit kits are highly effective, there are measures you can take to prevent successful breaches. In the later sections of this report we will describe how to reduce the attack surface, block known malware and exploits, and quickly identify and stop new threats to ensure organizations are protected.



Ransomware: Unlocking the Lucrative Criminal Business Model

Attackers have traditionally profited by stealing identities or credit card numbers and then selling them on underground markets. According to the Verizon Data Breach Investigations Report, the price for stolen records has fallen, so cyber attackers are on the hunt for new ways to make a profit. Thanks to advances in attack distribution, anonymous payments, and the ability to reliably encrypt and decrypt data, ransomware is on a tear. For a deeper dive into ransomware, see the full Unit 42 report.



Scarlet Mimic: Threats analyzed over 7 months by Unit 42, using the Palo Alto Networks WildFire and AutoFocus services.

The Palo Alto Networks threat research team, Unit 42, has spent the last seven months investigating a series of attacks and has determined that they are the result of a long-standing cyber espionage campaign. The campaign, which we refer to as “Scarlet Mimic,” has activity dating back over four years. Our analysis has allowed us to connect a series of disparate attacks into a coherent picture of the Scarlet Mimic operation, which has targeted human rights activists, as well as organizations with knowledge about these groups, including government entities.

  • New cyber espionage campaign revealed.
  • Attacks date back over 4 years.
  • Well-funded with sophisticated tools and tactics.
  • Targets human rights activists and organizations with information about them.
  • Threats analyzed over 7 months by Unit 42, using the Palo Alto Networks WildFire and AutoFocus services.

The goal of this report is to expose the tools, tactics and infrastructure deployed by Scarlet Mimic in order to increase awareness of this threat and decrease its operational success through the deployment of prevention and detection countermeasures. The information discovered by Unit 42 and shared here indicates Scarlet Mimic is likely a well-funded and skillfully resourced cyber adversary, whose primary goal is gaining information about human rights activists. It is important to note that individuals and groups of all types may become the target of cyber espionage campaigns. The most well-known victims of cyber espionage are typically government organizations or high-tech companies, but we must recognize that espionage-focused adversaries are tasked with collecting information from many sources, and everyone in the security community must help mitigate these critical threats.


Unit 42 Partners with Leading Threat Research Organizations to Analyze and Mitigate CryptoWall Threat

The Cyber Threat Alliance brings together leading security research organizations

The Cyber Threat Alliance was co-founded by Fortinet, Intel Security, Palo Alto Networks, and Symantec to share threat intelligence on advanced cyberattacks and on the motivations and tactics of malicious actors, and to enhance protections against these damaging attacks. The Palo Alto Networks threat research team, Unit 42, partnered with the members of the Cyber Threat Alliance to reveal details behind the lucrative CryptoWall threat, which has caused an estimated US $325 million in damages worldwide.

This joint research was created with the shared intelligence and analysis efforts of all members of the Cyber Threat Alliance, resulting in an in-depth technical analysis of the CryptoWall threat, including:

  • The full anatomy of the CryptoWall 3 attack lifecycle, propagation vectors, malware analysis, and campaign infrastructure.
  • Global impact of this lucrative and broad-reaching crimeware campaign.
  • Recommended protections and mitigation actions, including all Indicators of Compromise (IOCs).

Visit the Cyber Threat Alliance to download the full white paper and additional research.


Additional resources:


Application Usage and Threat Report

Defending against cyberthreats starts with the free and open sharing of threat intelligence.

Built by Unit 42, the Application Usage and Threat Report provides visibility into the real-world threat and application landscape, helping security teams understand how adversaries are attempting to attack organizations around the world and use this intelligence to build proactive, actionable controls to defend their organizations.

Key trends and takeaways:

  • SaaS-based application usage has grown 46% over the past 3 years, including more than 316 apps.
  • Details on the 79 unique remote access applications found in use worldwide.
  • Over 40% of email attachments examined by WildFire® were found to be malicious.
  • Global application usage and threat delivery, including regional breakdowns.
  • Practical recommendations for reducing an organization’s attack surface and preventing threats.


