Learn about new Adversary Playbooks from Palo Alto Networks Unit 42 and view two featured Learning Happy Hour episodes with a malware analyst and a threat hunter. Got questions? Get answers here on LIVEcommunity.
Unit 42 recently released 11 new Adversary Playbooks as part of its mission to provide actionable threat intelligence. Playbooks organize the tools, techniques, and procedures (TTPs) that an adversary uses into a structured format that can easily be shared and built upon. All of the Playbooks Unit 42 has released can be accessed through the Playbook Viewer.
A few brief descriptions of the new Unit 42 Adversary Playbooks:
MuddyWater: In Spring 2019, the group altered its TTPs to evade particular security controls in the BlackWater attack campaign. An espionage campaign previously conflated with FIN7 activity, MuddyWater was first reported by Unit 42 in November 2017.
Scarlet Mimic: Unveiled by Unit 42 in early 2016 and active since at least 2014, this espionage campaign largely targeted Tibetan and Uyghur activists using a suite of custom Windows and Android malware.
Inception: Active since at least 2014, this adversary used custom malware for a variety of platforms to target a range of industries, primarily in Russia, but also around the world. In October 2018, Inception used a new PowerShell backdoor and CVE-2017-11882 in attacks against European targets.
Windshift: In February 2019, Unit 42 shared additional targeting and technical data tied to this espionage group, first reported in October 2018. The group’s targets are primarily located in the Middle East. It is unique in that it only targets OSX systems with custom malware.
Sofacy: Active since at least 2007, this Russian-attributed espionage group persistently attacked government and private organizations around the world from mid-October 2018 through mid-November 2018. The majority of targets were NATO-aligned nation states, although several former USSR nation states were also targeted.
Chafer: Active since at least 2015, the espionage group Chafer in November 2018 targeted a Turkish government entity. While investigating, Unit 42 discovered a new secondary Python-based payload we named MechaFlounder, marking the first time Unit 42 observed this group use a Python-based payload.
Gorgon Group: Unit 42 researchers unveiled the Gorgon Group in August 2018, which performed a litany of attacks and operations around the globe, involving both criminal as well as targeted attacks. It was discovered while monitoring Subaat, an apparent member of Gorgon Group, whom Unit 42 started tracking in 2017.
Cobalt Gang: While investigating ongoing commodity attacks by the Cobalt Gang in October 2018, Unit 42 identified the use of a common macro builder and specific document metadata that allowed us to track and cluster new activity and infrastructure.
Th3bug: In the summer of 2014, this cyber espionage group compromised multiple websites for use in watering hole attacks. Watering hole attacks offer a much better chance of success because they involve compromising legitimate websites and installing malware intended to infect website visitors. These often target popular websites frequented by people who work in specific industries, or who hold political sympathies, that the actors want to gain access to.
Rocke: In January 2019, Unit 42 revealed that this China-based cybercrime group had added new code to its Linux coin mining malware to uninstall five different cloud security protection and monitoring products from compromised servers. The products were developed by Tencent Cloud and Alibaba Cloud (Aliyun), the two leading cloud providers in China that are expanding their business globally. This is the first malware family Unit 42 has seen with the unique capability to target and remove cloud security products.
CozyDuke: Active since at least 2008, this Russian-attributed espionage group launched a spear phishing campaign beginning in early July 2015 that leveraged new malware we named MiniDionis. The new malware, which is related to the group’s Seaduke malware, appeared to target government organizations and think-tanks located in democratic countries, and utilized compromised, legitimate websites for spear phishing and C2 activity.
Have you ever wondered how malware is caught and identified? Have you ever been curious who the people are behind the scenes working to stop the spread of cyber threats? Learn about all of this and more as Tacoma Bob interviews Palo Alto Networks Unit 42 Malware Analyst Brad Duncan.
In this bonus episode of Learning Happy Hour, Jason and Mitch interview Brian Lee, Principal Researcher in Unit 42. Follow along as they cover a list of topics and Brian takes them through the cybersecurity zoo.