CREDENTIAL THEFT: Exposing the Ecosystem and Motives Behind Credential Phishing, Theft and Abuse

For years, the security industry has focused on securing the network, cloud and endpoints by preventing the delivery of vulnerability exploits, malware or command-and-control activity. While those attack vectors remain critical, adversaries have increasingly turned to alternative means of breaking into and moving laterally within organizations. Chief among these highly leveraged techniques is the use of legitimate credentials, which lets attackers walk in the front door: they bypass security controls by appearing to be a legitimate user with full access to company resources. This in-depth report by Unit 42 delves into the ecosystem behind the theft and use of credentials, including step-by-step attack methods and common-sense ways to keep your organization safe.

SILVERTERRIER: The Next Evolution in Nigerian Cybercrime

Nigerian threat actors have long been considered a nuisance rather than a threat. Palo Alto Networks Unit 42 returns to the topic that launched our research in 2014 with our latest report, "SILVERTERRIER: The Next Evolution in Nigerian Cybercrime." This report shows that Nigerian threat actors are capable and formidable adversaries, successfully attacking major companies and governments with cheap, off-the-shelf commodity malware.

The history of Nigerian threat actors and their use of unsophisticated technology makes it easy to underestimate the threat. This report shows why it’s not just wrong but dangerous to take Nigerian threat actors lightly.

Read the full report


Exploit Kits: Getting In By Any Means Necessary

Exploit kits, which first became popular in 2006, automate the exploitation of vulnerabilities on victims' machines, most commonly while users are browsing the web. Over the past decade they have become an extremely popular means for criminal groups to distribute mass malware or remote access tools (RATs), because they lower the barrier to entry for attackers and enable opportunistic attacks at scale. To understand this phenomenon, we must understand the ecosystem that surrounds exploit kits, including the actors, campaigns and terminology involved.

For exploit kit creators, there is a massive opportunity to generate profit. Creators can offer exploit kits for rental on underground criminal markets, where the price for leading kits can reach thousands of dollars per month.

Exploit kit campaigns generate a series of events that starts with a compromised website and ultimately directs web traffic to an exploit kit. Within the exploit kit, a specific sequence of events must occur for a successful infection: it starts with a landing page, proceeds to an exploit, and ends with a payload. Ransomware is the most common payload, but exploit kits also distribute other types of malware, such as information stealers and banking Trojans.
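The chain described above (compromised site, redirect to the kit, landing page, exploit, payload) is what a defender looks for in web-proxy logs. The following is an added example, not code from the Unit 42 report: it reconstructs such chains by walking Referer headers backwards from every executable download. The log format, host names, timestamps and content types are all constructed for illustration, and the heuristics (a chain of at least three requests spanning at least two hosts, ending in an executable download) are assumptions a real deployment would tune.

```python
"""
Reconstruct exploit-kit redirect chains from web-proxy logs.

Added example (not from the Unit 42 report): the log lines, host names
and field layout below are constructed for illustration.
"""
from collections import namedtuple
from urllib.parse import urlsplit

# Assumed field order: timestamp, client_ip, url, referrer ('-' if none),
# http_status, content_type, response_bytes (space-separated, no spaces in fields).
Record = namedtuple("Record", "ts client url referrer status ctype size")

# Constructed sample: one benign browsing session, one vendor installer download,
# and one redirect chain that starts on a compromised blog, passes a traffic
# gate, hits an exploit-kit landing page, delivers a Flash exploit and drops
# an executable.
SAMPLE_LOG = """\
1451606400 10.0.0.5 http://news.example.test/ - 200 text/html 18234
1451606401 10.0.0.5 http://cdn.example.test/app.js http://news.example.test/ 200 application/javascript 40211
1451606410 10.0.0.5 http://blog.compromised.test/post.html - 200 text/html 9120
1451606411 10.0.0.5 http://gate.redirector.test/go.php?id=123 http://blog.compromised.test/post.html 200 text/html 611
1451606412 10.0.0.5 http://landing.ek-server.test/index.php?q=abc http://gate.redirector.test/go.php?id=123 200 text/html 27480
1451606413 10.0.0.5 http://landing.ek-server.test/exploit.swf http://landing.ek-server.test/index.php?q=abc 200 application/x-shockwave-flash 66021
1451606415 10.0.0.5 http://landing.ek-server.test/load.php?id=7 http://landing.ek-server.test/index.php?q=abc 200 application/octet-stream 412160
1451606420 10.0.0.9 http://updates.vendor.test/setup.exe - 200 application/octet-stream 2200000
"""

PAYLOAD_TYPES = {"application/octet-stream", "application/x-msdownload",
                 "application/x-dosexec", "application/x-msdos-program"}
EXPLOIT_CARRIER_TYPES = {"application/x-shockwave-flash", "application/java-archive",
                         "application/x-silverlight-app"}


def parse_log(text):
    """Parse the constructed log format into Record tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, client, url, ref, status, ctype, size = line.split()
        records.append(Record(int(ts), client, url, ref, int(status), ctype, int(size)))
    return records


def host_of(url):
    return urlsplit(url).hostname or ""


def walk_referrers(records, start):
    """Follow Referer values backwards from `start`, restricted to the same
    client and to requests that happened no later than the current one.
    Returns the chain in chronological order (entry page first, `start` last)."""
    chain = [start]
    current = start
    seen = {start.url}
    while current.referrer != "-" and current.referrer not in seen:
        candidates = [r for r in records
                      if r.client == current.client and r.url == current.referrer
                      and r.ts <= current.ts]
        if not candidates:
            break
        current = max(candidates, key=lambda r: r.ts)   # most recent matching request
        seen.add(current.url)
        chain.append(current)
    return list(reversed(chain))


def reconstruct_chains(text, min_hosts=2):
    """Return one dict per suspected exploit-kit infection chain: the
    executable download, the preceding exploit carrier (if any), the landing
    page and the entry (compromised) site. A lone download with no referrer
    chain, such as the vendor installer in the sample, is not reported."""
    records = parse_log(text)
    findings = []
    for rec in records:
        if rec.status != 200 or rec.ctype not in PAYLOAD_TYPES:
            continue
        chain = walk_referrers(records, rec)
        hosts = []
        for r in chain:
            if host_of(r.url) not in hosts:
                hosts.append(host_of(r.url))
        if len(chain) < 3 or len(hosts) < min_hosts:
            continue   # a direct download, not a redirect chain
        # The exploit is fetched from the landing page shortly before the payload,
        # so it shares the payload's referrer (the landing page URL).
        exploits = [r for r in records
                    if r.client == rec.client and r.ctype in EXPLOIT_CARRIER_TYPES
                    and r.referrer == rec.referrer and r.ts <= rec.ts]
        findings.append({
            "client": rec.client,
            "entry_site": hosts[0],
            "landing_page": chain[-2].url,
            "exploit": exploits[-1].url if exploits else None,
            "payload": rec.url,
            "hosts": hosts,
        })
    return findings


if __name__ == "__main__":
    for f in reconstruct_chains(SAMPLE_LOG):
        print(" -> ".join(f["hosts"]))
        for k in ("entry_site", "landing_page", "exploit", "payload"):
            print(f"  {k:13}: {f[k]}")
```

On the constructed sample this reports a single chain, blog.compromised.test -> gate.redirector.test -> landing.ek-server.test, with the Flash file as the exploit and load.php as the payload, while the direct installer download from the second client is ignored. In practice the content-type sets need extending (kits also mislabel payloads as images or text), Referer is often stripped by HTTPS or privacy settings, so a time-window fallback on the same client is needed, and the entry host is the one to treat as a compromised site rather than as the attacker's infrastructure.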

While exploit kits are highly effective, there are measures you can take to prevent successful breaches. In the later sections of this report we will describe how to reduce the attack surface, block known malware and exploits, and quickly identify and stop new threats to ensure organizations are protected.

Read the full report
Read the Executive Advisory Report


Ransomware: Unlocking the Lucrative Criminal Business Model

Attackers have traditionally profited by stealing identities or credit card numbers and then selling them on underground markets. According to the Verizon Data Breach Investigations Report, the price for stolen records has fallen, so cyber attackers are hunting for new ways to make a profit. Thanks to advances in attack distribution, anonymous payments, and the ability to reliably encrypt and decrypt data, ransomware is on a tear. For a deeper dive into ransomware, see the full Unit 42 report.



Scarlet Mimic

The Palo Alto Networks threat research team, Unit 42, has spent the last seven months investigating a series of attacks, determining that they are the result of a long-standing cyber espionage campaign. The campaign, which we refer to as “Scarlet Mimic,” has activity dating back over four years. The result of our analysis has allowed us to connect a series of disparate attacks into a coherent picture of the Scarlet Mimic operation, which has targeted human rights activists, as well as organizations with knowledge about these groups, including government entities.

  • New cyber espionage campaign revealed.
  • Attacks date back over 4 years.
  • Well-funded with sophisticated tools and tactics.
  • Targets human rights activists and organizations with information about them.
  • Threats analyzed over 7 months by Unit 42, using the Palo Alto Networks WildFire and AutoFocus services.

The goal of this report is to expose the tools, tactics and infrastructure deployed by Scarlet Mimic in order to increase awareness of this threat and decrease its operational success through deployment of prevention and detection countermeasures. The information discovered by Unit 42 and shared here indicates Scarlet Mimic is likely a well-funded and skillfully resourced cyber adversary whose primary goal is gaining information about human rights activists. It is important to note that individuals and groups of all types may become the target of cyber espionage campaigns. The best-known victims of cyber espionage are typically government organizations or high-tech companies, but we must recognize that espionage-focused adversaries are tasked to collect information from many sources, and everyone in the security community must help mitigate these critical threats.


Unit 42 Partners with Leading Threat Research Organizations to Analyze and Mitigate CryptoWall Threat

The Cyber Threat Alliance brings together leading security research organizations

The Cyber Threat Alliance was co-founded by Fortinet, Intel Security, Palo Alto Networks, and Symantec to share threat intelligence on advanced cyberattacks, the motivations and tactics of malicious actors, and to enhance protections from these damaging attacks. The Palo Alto Networks threat research team, Unit 42, partnered with the members of the Cyber Threat Alliance to reveal details behind the lucrative CryptoWall threat, which has caused an estimated US $325 million in damages worldwide.

This joint research was created with the shared intelligence and analysis efforts of all members of the Cyber Threat Alliance, resulting in an in-depth technical analysis of the CryptoWall threat, including:

  • The full anatomy of the CryptoWall 3 attack lifecycle, propagation vectors, malware analysis, and campaign infrastructure.
  • Global impact of this lucrative and broad-reaching crimeware campaign.
  • Recommended protections and mitigation actions, including all Indicators of Compromise (IOCs)

Visit the Cyber Threat Alliance to download the full Whitepaper and additional research.


Additional resources:


Application Usage and Threat Report

Defending against cyberthreats starts with the free and open sharing of threat intelligence.

Built by Unit 42, the Application Usage and Threat Report provides visibility into the real-world threat and application landscape, helping security teams to understand how adversaries are attempting to attack organizations around the world and use this intelligence to build proactive, actionable controls to defend their organizations.

Key trends and takeaways:

  • SaaS-based application usage has grown 46% over the past three years and now spans more than 316 applications.
  • Details on the 79 unique remote access applications found in use worldwide.
  • Over 40% of email attachments examined by WildFire™ were found to be malicious.
  • Global application usage and threat delivery, including regional breakdowns.
  • Practical recommendations for reducing an organization’s attack surface and preventing threats.

Download the full report


Recommended Resources

Application Usage and Threat Report

The AUTR provides visibility into the real-world threat and application landscape, helping security teams to understand how adversaries are attempting to attack organizations around the world and build proactive, actionable controls. Built by the Unit 42 threat research team, the report correlates data from more than 7,000 enterprise organizations, providing broad visibility into critical trends.


Unit 42 Report - Ransomware: Unlocking the Lucrative Criminal Business Model

Download the report to learn about the rise of ransomware, how adversaries are refining and improving their tactics, and what you can do to better defend your organization against them.


CoolReaper: The Coolpad Backdoor

New research from Unit 42 confirms a security risk in Coolpad devices. Palo Alto Networks researchers have uncovered CoolReaper, a backdoor contained in millions of Android devices sold by manufacturer Coolpad. CoolReaper exposes users to potential malicious activity and appears to have been installed and maintained by Coolpad despite objections from customers. Due to the unique way Coolpad modifies the Android OS, it is difficult for Android antivirus programs to identify and remove this backdoor.


Credential-Based Attacks: Exposing the Ecosystem and Motives Behind Credential Phishing, Theft and Abuse

In this white paper, Unit 42 details the ecosystem behind how adversaries steal and leverage legitimate credentials to break in and move laterally within the organization, often bypassing security controls. Learn the key attack methods currently in use, how this technique fits into attacker playbooks, and real-world guidance on preventing successful attacks.


419 Evolution

In the past three months Palo Alto Networks has identified a series of attacks emanating from Nigerian actors against our customers in Taiwan and South Korea. Our team is tracking this activity under the code name Silver Spaniel. These attacks have deployed commodity tools that can be purchased for small fees on underground forums and deployed by any individual with a laptop and an e-mail address. Read the report by Palo Alto Networks Unit 42.


Operation Lotus Blossom

Operation Lotus Blossom describes a persistent cyber espionage campaign against government and military organizations in Southeast Asia. The report exposes the targets, tools, and attack techniques, and provides full details on the Lotus Blossom campaign, including all indicators of compromise. Unit 42 discovered these attacks using the Palo Alto Networks AutoFocus platform, which enables analysts to correlate the results of the hundreds of millions of reports generated by WildFire.
