For years, the security industry has focused on securing the network, cloud and endpoints by preventing the delivery of vulnerability exploits, malware or command-and-control activity. While those attack vectors continue to be critical, adversaries have been increasingly using alternative means to break into and move laterally within organizations. Chief among these highly leveraged techniques is the usage of legitimate credentials, which allows attackers to walk in the front door, bypassing security controls, pretending to be a legitimate user with full access to company resources. This in-depth report by Unit 42 delves into the ecosystem behind the theft and usage of credentials, including step-by-step attack methods, and common sense ways to keep your organization safe.
Nigerian threat actors have long been considered a nuisance rather than a threat. Palo Alto Networks Unit 42 returns to the topic that launched our research in 2014 with our latest report, "SILVERTERRIER: The Next Evolution in Nigerian Cybercrime." This report shows that Nigerian threat actors are capable and formidable adversaries, successfully attacking major companies and governments using cheap, off-the-shelf commodity malware.
The history of Nigerian threat actors and their use of unsophisticated technology makes it easy to underestimate the threat. This report shows why it’s not just wrong but dangerous to take Nigerian threat actors lightly.
Exploit kits, which first became popular in 2006, are used to automate the exploitation of vulnerabilities on victims’ machines, most commonly while users are browsing the web. Over the past decade they have become an extremely popular means for criminal groups to distribute mass malware or remote access tools (RATs), because they lower the barrier to entry for attackers and enable opportunistic attacks at scale. To understand this phenomenon, we must understand the ecosystem that surrounds exploit kits, including the actors, campaigns and terminology involved.
For exploit kit creators, there is a massive opportunity to generate profit. Creators can offer exploit kits for rental on underground criminal markets, where the price for leading kits can reach thousands of dollars per month.
Exploit kit campaigns generate a series of events starting with a compromised website that ultimately directs web traffic to an exploit kit. Within the exploit kit, a specific sequence of events occurs for a successful infection. The sequence starts with a landing page, follows with an exploit, and ends in a payload. Ransomware is their most common payload, but exploit kits also distribute other types of malware, like information stealers and banking Trojans.
While exploit kits are highly effective, there are measures you can take to prevent successful breaches. In the later sections of this report we will describe how to reduce the attack surface, block known malware and exploits, and quickly identify and stop new threats to ensure organizations are protected.
Attackers have traditionally profited by stealing identities or credit card numbers, and then selling them on underground markets. According to the Verizon Data Breach Investigations Reports, the price for stolen records has fallen, so cyber attackers are on the hunt for new ways to make a profit. Thanks to advances in attack distribution, anonymous payments, and the ability to reliably encrypt and decrypt data, ransomware is on a tear. For a deeper dive into ransomware, see the full Unit 42 report.
The Palo Alto Networks threat research team, Unit 42, has spent the last seven months investigating a series of attacks, determining that they are the result of a long-standing cyber espionage campaign. The campaign, which we refer to as “Scarlet Mimic,” has activity dating back over four years. The result of our analysis has allowed us to connect a series of disparate attacks into a coherent picture of the Scarlet Mimic operation, which has targeted human rights activists, as well as organizations with knowledge about these groups, including government entities.
The goal of this report is to expose the tools, tactics and infrastructure deployed by Scarlet Mimic in order to increase awareness of this threat and decrease its operational success through deployment of prevention and detection counter-measures. The information discovered by Unit 42 and shared here indicates Scarlet Mimic is likely a well-funded and skillfully resourced cyber adversary, with the primary goal of gaining information surrounding human rights activists. It is important to note that individuals and groups of all different types may become the target of cyber espionage campaigns. The most well-known victims of cyber espionage are typically government organizations or high-tech companies, but we must recognize that espionage-focused adversaries are tasked to collect information from many sources, and everyone in the security community must help mitigate these critical threats.
The Cyber Threat Alliance was co-founded by Fortinet, Intel Security, Palo Alto Networks, and Symantec to share threat intelligence on advanced cyberattacks, the motivations and tactics of malicious actors, and to enhance protections from these damaging attacks. The Palo Alto Networks threat research team, Unit 42, partnered with the members of the Cyber Threat Alliance to reveal details behind the lucrative CryptoWall threat, which has caused an estimated US $325 million in damages worldwide.
This joint research was created with the shared intelligence and analysis efforts of all members of the Cyber Threat Alliance, resulting in an in-depth technical analysis of the CryptoWall threat, including:
Visit the Cyber Threat Alliance to download the full Whitepaper and additional research.
Built by Unit 42, the Application Usage and Threat Report provides visibility into the real-world threat and application landscape, helping security teams to understand how adversaries are attempting to attack organizations around the world and use this intelligence to build proactive, actionable controls to defend their organizations.
Key trends and takeaways: