< ciso brief />

All news with #palo alto networks tag

205 articles · page 4 of 11

Chinese-linked CL-UNK-1068 Targets Asian Critical Sectors

🛡️ Palo Alto Networks Unit 42 attributes a years-long espionage campaign against high-value organizations in South, Southeast and East Asia to a previously undocumented cluster dubbed CL-UNK-1068. The actor uses a mixed toolkit of custom malware, modified open-source utilities and living-off-the-land binaries to operate on both Windows and Linux. Intrusions commonly begin with web server exploits and web shells, followed by credential theft and targeted file harvesting. Researchers observed novel exfiltration methods—archiving with WinRAR, Base64-encoding via certutil, and printing the encoded output to the web shell to avoid direct file transfer.

Vendors Race to Define Post-Quantum Cryptography Roadmap

🔐 Security vendors are reframing post-quantum cryptography (PQC) from a theoretical concern into an operational priority, emphasizing discovery, inventory, and crypto-agility across enterprise environments. Companies such as Palo Alto Networks, Cisco, and Cloudflare are packaging visibility, assessment, and compensating controls, while specialist firms like SandboxAQ deliver continuous monitoring via AQtive Guard. With NIST standards finalized and a 2030 readiness horizon, vendors stress phased migration and prioritization for long-lived sensitive data. The market is competitive as providers position to guide enterprises through complex modernization and legacy constraints.

National Cyber Strategy: Securing America's Digital Future

🔐 The U.S. National Cyber Strategy offers a clear, action-oriented agenda to protect the digital way of life by emphasizing disruption of hostile actors, streamlined regulation, federal network modernization, and the security of AI and quantum technologies. Palo Alto Networks endorses the strategy and highlights practical measures—such as reciprocity for government software certifications, a four-stage quantum-safe framework, and its Secure AI by Design Policy Roadmap—to help operationalize these priorities through public–private collaboration.

Fooling AI Agents: Web-Based Indirect Prompt Injection

⚠️ Unit 42 researchers describe web-based indirect prompt injection (IDPI), where adversaries embed hidden or obfuscated instructions in webpages that are later consumed by LLMs and agentic systems. The report catalogs 22 payload engineering techniques, presents a taxonomy of attacker intents from low to critical, and details multiple in-the-wild detections, including the first observed AI ad-review bypass. It emphasizes detection, intent analysis and web-scale defenses to protect automated pipelines.

Threat Brief: March 2026 Iran-Related Cyber Escalation

⚠️ Beginning Feb. 28, 2026, Unit 42 observed a rapid escalation in cyber activity tied to Iran following joint U.S.–Israeli strikes, coinciding with an internal internet outage that reduced connectivity in Iran to 1–4%. That loss likely constrains coordinated state-aligned campaigns from inside Iran while enabling decentralized and geographically dispersed actors to increase disruptive operations. Unit 42 identified a phishing campaign using a malicious replica of the Israeli Home Front Command RedAlert APK and tracked about 60 active hacktivist groups claiming DDoS, wiper, and hack-and-leak operations. Organizations should prioritize multi-layered defenses, offline backups, strict out-of-band verification, patching, monitoring, and incident response preparedness; Palo Alto Networks and Unit 42 offer protections and services to assist.

Telecom Service Providers Must Build Secure AI Factories

🔒 Service providers face a generational opportunity to become AI factories, hosting high-performance, low-latency AI for enterprises while meeting sovereignty and compliance needs. Palo Alto Networks argues that securing these environments requires layered defenses from physical infrastructure through models and agents, combining ML-led NGFWs, Prisma AIRS, CyberArk and Cortex. The aim is real-time governance of data, nonhuman identities and autonomous agents to prevent poisoning, prompt injection and credential theft.

Kubernetes security: strengthening cluster defenses

🔒 New Kubernetes clusters are probed and often attacked within minutes, with honeypots run by Palo Alto Networks, Wiz and Aqua Security showing initial compromise attempts in roughly twenty minutes and repeated automated scans against container ports. The platform's permissive defaults and complex model make standard cloud controls insufficient. Organizations should adopt Kubernetes-specific controls: harden and automate RBAC, isolate workloads with network and namespace policies, store secrets in dedicated key management services, perform regular audits, and train developers on platform-specific threats and secure CI/CD practices.

Agentic SOC: Cortex Embeds AI Across Security Operations

🤖 Palo Alto Networks has rolled out a major Cortex release that embeds context-aware, agentic AI throughout the security operations lifecycle, promising faster detection, investigation and response. An expanded AI-ready data foundation, Cortex XDL 2.0, and new purpose-built agents — including Case Investigation, Cloud Posture and Automation Engineer — aim to slash response times and automate complex playbooks. The launch also introduces the standalone Cortex Agentix orchestration platform and signals intent to acquire Koi to strengthen endpoint protection for AI-driven threats.

Joint Vision: Simplified SASE Management at Scale Now

🔧 Palo Alto Networks, ServiceNow, and Bell Canada have built a ServiceNow application that automates the full lifecycle of Prisma SASE, creating a direct bridge between security operations and service management. The Prisma SASE app accelerates deployment from months to hours by automating Day 0–Day N tasks—provisioning, ZTNA connector setup, and mobile user workflows—while eliminating swivel-chair operations by syncing incidents into a single ServiceNow interface. ServiceNow’s Service Bridge enables cross-instance support for MSPs and the app supports direct CSP ticket creation, reducing MTTR and operational overhead.

Bring the Fight to the Edge: Time-Based OT Defense

🔍 Recent joint research from Palo Alto Networks, Siemens and the Idaho National Laboratory shows that most OT-impacting attacks originate in IT and manifest at the IT–OT edge. Analysts found attackers dwell an average of 185 days in precursor phases, producing detectable signals like credential abuse, reconnaissance and protocol misuse. The paper recommends edge-focused telemetry and an OT SOC-driven active defense to detect and disrupt threats before operational impact.

AI and Complexity Accelerate Cybercrime, Unit 42 Finds

🔒 Palo Alto Networks' Unit 42 finds that AI and growing system complexity have drastically shortened the time between initial compromise and harmful outcomes, with some intrusions progressing to data exfiltration in 72 minutes versus nearly five hours in 2024. The team analyzed 750 incidents across 50 countries and highlights persistent operational gaps—weak authentication, limited real-time visibility, and misconfigurations—that attackers repeatedly exploit. The report flags identity issues in 90% of cases and widespread excessive cloud permissions, and it argues that modern, purpose-built managed SOC services such as XSIAM 2.0 are being positioned to respond at machine speed.

Palo Alto: Rapid Attacks Exploit Basic Security Failings

🚨 Palo Alto Networks' Unit 42 reports that cyberattacks are accelerating: the fastest incidents moved from initial access to data exfiltration in 72 minutes, down from nearly five hours in 2024, and AI is compressing reconnaissance, phishing, scripting and execution timelines. Yet most breaches were traced to basic failures such as weak authentication, limited real-time visibility, and misconfigurations. Identity and trust issues featured in 90% of incidents, and Unit 42 found excessive permissions across 99% of 680,000 cloud identities. In response, Palo Alto launched Unit 42 Managed XSIAM 2.0 to provide end-to-end onboarding, threat hunting and faster automated response.

QR Codes as an Attack Vector: Phishing, Deep Links

🔐 Unit 42 investigates the rising misuse of QR codes for phishing, in-app deep-link exploitation, and direct distribution of malicious Android APKs. Their telemetry shows an average of over 11,000 malicious QR-code detections per day, driven by tactics that mask destinations and exploit mobile app behavior. The report highlights QR shorteners, custom deep links, and APK hosting as key evasive techniques and recommends user education plus deployment of decoding and filtering controls such as Advanced URL Filtering and Prisma Browser to improve visibility and block threats.

Palo Alto Completes $25B CyberArk Buy to Close Identity Gap

🔒 Palo Alto Networks has completed its $25 billion acquisition of Israel-based CyberArk, integrating privileged access management into its core platform strategy. The deal aims to extend privileged controls across human, machine, and AI identities to reduce standing privileges, limit lateral movement, and accelerate breach response. Palo Alto will continue offering standalone CyberArk while pursuing deeper integration, though analysts warn of transition friction and potential licensing or vendor lock-in.

Securing Every Identity in the AI-Driven Enterprise

🔐 CyberArk is joining Palo Alto Networks to elevate identity security as a core platform pillar for cloud, automation and AI-driven environments. The post argues identity is now the primary attack vector: machine identities outnumber humans by more than 80:1 and 87% of organizations experienced multiple identity-centric breaches in the past year. It calls for continuous visibility, dynamic privilege controls and unified governance to secure human, machine and AI agents and reduce opportunities for lateral movement.

State-Linked 'Shadow Campaigns' Target 155 Countries

🕵️‍♂️ Palo Alto Networks' Unit 42 reports a state-sponsored threat actor tracked as TGR-STA-1030/UNC6619 has run global-scale "Shadow Campaigns," compromising at least 70 government and critical infrastructure organizations across 37 countries and conducting reconnaissance tied to 155 countries. The actor has been active since at least January 2024 and is assessed to operate from Asia. Initial access combined tailored phishing lures hosted on Mega.nz with exploitation of known flaws in SAP Solution Manager, Microsoft Exchange, D-Link, and Windows to deploy loaders such as Diaoyu. Victim environments were instrumented with Cobalt Strike, webshells, tunneling tools, and a bespoke Linux eBPF rootkit named ShadowGuard to hide activity and evade detection.

Profiling Cloud Threat Actors via MITRE-Mapped Alerts

🔎 Unit 42 demonstrates a practical method to map cloud alert events to MITRE ATT&CK tactics and techniques and use the resulting alert patterns as operational fingerprints for known threat actors. The study examined alerts from cloud providers, containers, cloud-hosted applications, and SaaS across 22 industries between June 2024 and June 2025. Comparing cybercrime actor Muddled Libra and nation-state group Silk Typhoon, researchers found distinct, identifiable alert fingerprints and recommend proactive monitoring and mitigation, including Cortex Cloud runtime detection.

TGR-STA-1030: Asian State-Linked Group Breaches 70 Targets

🔒 Palo Alto Networks Unit 42 reports an Asia-origin, state-backed actor tracked as TGR-STA-1030 breached at least 70 government and critical-infrastructure organizations across 37 countries and scanned infrastructure tied to 155 countries in late 2025. Active since January 2024, the group used MEGA-hosted phishing ZIPs to deliver a guarded loader, Diaoyu Loader, which requires a zero-byte pic1.png and checks for select AV processes before pulling images from GitHub to stage a Cobalt Strike payload. It also exploited N-day flaws, deployed web shells, tunnelers and an eBPF Linux rootkit ShadowGuard, maintaining prolonged access for intelligence collection.

Asian APT Compromises 70 Government and Infrastructure

🔎 Palo Alto Networks has identified a new Asia-based cyberespionage group, tracked as TGR-STA-1030 (UNC6619), that has compromised 70 government and critical-infrastructure organizations across 37 countries over the past year. The actor employs phishing, N-day exploits, and a multifaceted toolset including a custom loader named Diaoyu, Cobalt Strike implants, multiple web shells, and a bespoke eBPF-based Linux rootkit called ShadowGuard. Researchers report the group conducts extensive scanning and targeted reconnaissance tied to regional events, operates on GMT+8 hours, and shows indicators consistent with nation-state activity.

Glean and Prisma AIRS: Real-Time AI Security Integration

🔒 Glean and Prisma AIRS have integrated to provide real-time AI threat protection that neutralizes prompt injections, blocks toxic or biased outputs, and inspects generated code and URLs for malicious patterns. The integration enforces organizational policy across chats and agent interactions and immediately blocks risky requests while notifying users. Deployment is designed to be frictionless—enable protection in three clicks by pasting a Prisma AIRS runtime API key into the Glean admin console.