< ciso
brief />
Tag Banner

All news with #unit 42 tag

78 articles

Fake Microsoft Teams support call scam targets files

📢 Palo Alto Networks’ Unit 42 warns of a new campaign targeting Microsoft Teams users that begins with a survey email and a malicious PDF. If opened, victims soon receive a voice call claiming to be Microsoft Support; the fake agent requests permission to install a remote access tool and additionally deploys Ether RAT. The Trojan gives attackers full access to the compromised machine, enabling theft of sensitive information and files. Users should be cautious of unsolicited surveys and support calls.
read more →

Phantom squatting: AI-hallucinated domains abused

🛡️ Palo Alto Networks' Unit 42 warns attackers are registering AI-hallucinated domains and using them for phishing and malware distribution. The report shows models invent millions of links, many unregistered, and attackers are preemptively purchasing and cloning brand sites. Because new domains lack reputation data, they evade blocklists until damage is done. Unit 42 documents several real-world cases and offers mitigation steps for defenders and users.
read more →

Phantom Squatting: LLMs Enabling Web Domain Attacks

🛡️ Unit 42 found that large language models (LLMs) commonly hallucinate plausible web domains for real brands, and adversaries are registering these nonexistent domains to intercept AI-generated traffic. This phenomenon, called phantom squatting, poses a supply chain risk and was observed across multiple sectors. Researchers predicted adversary registrations 18–51 days in advance and discovered over 13,229 malicious URLs plus ~250,000 unregistered hallucinated domains.
read more →

Large-Scale Credential Attacks Targeting Edge Devices

🔐 Unit 42 observed a large-scale password spraying and credential theft campaign (dubbed “FortiBleed”) targeting Fortinet devices, with additional attempts seen against MSSQL and reports of Sophos targeting. The actors use curated password lists derived from prior breaches and vulnerabilities, then perform configuration extraction and offline cracking to escalate privileges and persist. Unit 42 urges auditing remote access logs, applying hardening guidance, requiring MFA, and keeping systems patched to mitigate risk.
read more →

SOC Speed Gap: How Attack Timelines Compressed Fast

⚠️ This article launches Unit 42's series Inside the Modern SOC, drawing on customer environments, SOC assessments and investigations to highlight a defining challenge: the speed gap. Attack timelines have compressed dramatically — in some cases from initial access to data exfiltration in about 72 minutes — driven by identity-driven tactics and AI-accelerated adversaries. The piece emphasizes that manual, sequential workflows and fragmented tooling leave defenders behind and argues for automated correlation, predefined response actions and behavior-focused detection to close the gap.
read more →

Microsoft Teams Phishing Risks and Mitigations

🛡️ This Unit 42 report examines how threat actors use Microsoft Teams to impersonate IT staff, leveraging external chat and compromised or typosquatted accounts to phish employees. It outlines real-world incidents, explains how permissive federation and external chat settings widen the attack surface, and emphasizes that identity systems are the ultimate target. The article recommends tighter configuration, identity-centric controls, monitoring, and updated user training.
read more →

AI and Evasion Force Rethink of Network Prevention

🔍 For years network security relied on content inspection and static threat intelligence, but the rise of agentic AI and evasive techniques has upended that model. Unit 42 research shows attackers exploit the IP layer and use anonymizers, rapid infrastructure rotation, and AI-enabled stealth to bypass legacy controls. Security strategies must augment deep inspection with real-time IP-layer monitoring and continuous verification to defend at machine speed.
read more →

FlutterShell macOS backdoor spreads via malvertising

🛡️ Palo Alto Networks Unit 42 uncovered Operation FlutterBridge, a macOS malvertising campaign distributing a Flutter-built backdoor called FlutterShell. The campaign links to a cluster known as JSCoreRunner/FileRipple and an actor tracked as CL-CRI-1089, active since at least 2023. FlutterShell uses WebView and a JavaScript-to-native bridge to load malicious logic from attacker-controlled sites, supports command execution, file manipulation, and exfiltration, and has multiple evolving variants that passed Apple notarization.
read more →

Data-Only Extortion Rising in the Cyber Threat Economy

🔍 This Unit 42 report examines the growing shift from ransomware encryption to data-theft and extortion-only attacks, profiling threat actors, techniques, and sectors most affected. It highlights drivers such as improved backups, faster exfiltration, and regulatory pressures that make disclosure risk financially coercive. The briefing also warns of AI-accelerated attacks and offers prioritized defensive recommendations for DLP, SaaS posture, identity resilience, supply chain integrity, and AI preparedness.
read more →

Tracking TamperedChef: Malicious Productivity Software

🔎 Unit 42 documents clusters of TamperedChef-style campaigns that trojanize productivity tools (e.g., PDF editors, calendars) to deliver stealers, RATs and proxies. These operations use malvertising-driven distribution, legitimate-looking sites, frequent binary rebuilds and code signing to evade detection. We tracked three clusters (CL-CRI-1089, CL-UNK-1090, CL-UNK-1110), over 4,000 samples and 100 variants. If compromised, contact the Unit 42 Incident Response team for assistance.
read more →

Gremlin Stealer Evolves into Modular, Stealthy Infostealer

🔍 Researchers at Palo Alto Networks' Unit 42 say the Gremlin stealer has progressed from a basic credential harvester into a modular, stealth-oriented toolkit. New builds embed payloads in the .NET resource section and apply XOR obfuscation to evade static and heuristic detection. The threat continues to exfiltrate data via private web panels and the Telegram Bot API, while adding Discord token theft, a clipboard-based crypto clipper, and WebSocket session hijacking.
read more →

West Pharmaceutical hit by cyberattack; data stolen

🔒 West Pharmaceutical Services disclosed a cyberattack detected on May 4, 2026, that resulted in data exfiltration and encryption of certain systems. The company took affected infrastructure offline globally for containment, notified law enforcement, and engaged external responders including Palo Alto Networks Unit 42. Core enterprise systems supporting shipping and manufacturing have been partially restored, but full recovery and the scope of stolen data remain under investigation.
read more →

Defender's Guide: Frontier AI Impact on Cybersecurity

🔒 Palo Alto Networks reports ongoing testing of frontier AI models, including Anthropic and OpenAI, finding they rapidly surface code vulnerabilities and potential exploit paths. In the May 'Patch Wednesday' advisories the majority of findings originated from these AI scans, prompting broad rescanning and remediation. The company warns of a narrow three-to-five-month window before AI-driven exploits spread and offers Unit 42 services to help organizations respond.
read more →

PAN-OS Critical RCE Exploit Observed in the Wild - May 2026

⚠️ Palo Alto Networks disclosed that threat actors attempted and later succeeded in exploiting a critical buffer overflow, CVE-2026-0300, in the PAN-OS User-ID Authentication Portal, enabling unauthenticated remote code execution as root. Unit 42 linked activity to a suspected state-sponsored cluster tracked as CL-STA-1132, noting shellcode was injected into an nginx worker. Customers are advised to restrict access to trusted zones or disable the portal if unused, and to apply fixes expected to begin rolling out on May 13, 2026.
read more →

PAN‑OS Firewall RCE Zero‑Day Exploited Since April 9

🔴 Palo Alto Networks warns that suspected state‑sponsored actors have exploited a critical PAN‑OS zero‑day (CVE-2026-0300) in the User‑ID Authentication Portal, enabling unauthenticated remote code execution as root on exposed PA‑ and VM‑Series firewalls. Unit 42 says initial probing began April 9, with successful exploitation occurring about a week later; attackers cleaned logs and deployed tunneling tools. Palo Alto notes Cloud NGFW and Panorama are not affected and will issue patches starting May 13; administrators should restrict or disable the authentication portal until updates are applied.
read more →

PAN-OS Captive Portal Zero-Day Exploitation and Activity

🔒 Unit 42 details exploitation of a buffer overflow vulnerability (CVE-2026-0300) in the PAN-OS User-ID Authentication Portal that permits unauthenticated remote code execution as root on affected PA‑Series and VM‑Series firewalls. Observed adversary activity included shellcode injection into an nginx worker, rapid log and evidence cleanup, and deployment of tunneling tools such as EarthWorm and ReverseSocks5. Immediate mitigations are to restrict or disable the portal, apply vendor guidance, and enable available threat signatures and protections.
read more →

Shai-Hulud Worm Elevates npm Supply-Chain Risk Globally

🔒 Unit 42 describes a fundamental shift in the npm threat landscape following the September 2025 Shai‑Hulud worm and subsequent 2026 incidents. Adversaries now harvest npm and GitHub tokens to persist inside CI/CD pipelines, deploy dormant multi‑stage payloads, and automatically republish backdoored packages. The report attributes a broad, coordinated campaign to TeamPCP, documents propagation via Docker Hub, GitHub Actions and VS Code extensions, and recommends mitigations such as credential rotation, egress filtering, and dependency pinning.
read more →

TGR-STA-1030 Targets New Activity in Central America

🔎 Since February, Unit 42 has observed sustained operations by TGR-STA-1030 across multiple countries, with a pronounced concentration in Central and South America. The observed intrusions reuse the same tactics, techniques, and procedures previously attributed to this group, indicating continuity with prior espionage campaigns. Analysts reference The Shadow Campaigns: Uncovering Global Espionage for historical context, and advise organizations in affected regions to review detections and strengthen defensive controls.
read more →

BlackFile extortion gang targets retail and hospitality

📞 BlackFile, a financially motivated extortion group active since February 2026, is using vishing and spoofed VoIP/CNAM calls to impersonate IT support and harvest employee credentials and one-time passcodes. Palo Alto Networks' Unit 42 and RH-ISAC report attackers register devices to bypass multifactor authentication, escalate to executive accounts, and search Salesforce and SharePoint via APIs for files containing terms like 'confidential' and 'SSN'. Stolen data is moved to attacker-controlled infrastructure and published on a dark web leak site before seven-figure ransom demands are issued; victims have also faced swatting and targeted harassment. Organizations are advised to tighten call-handling policies, enforce caller identity verification, and conduct simulation-based social engineering training.
read more →

Frontier AI and the Future of Cyber Defense Playbook

🔒 Palo Alto Networks' Unit 42 summarizes the ten most frequent CISO questions about frontier AI, outlining operational risks, strategic impacts, and prioritized mitigation steps. The piece characterizes frontier models (for example, Anthropic Mythos) as advanced foundational systems that can autonomously find vulnerabilities, chain exploits, and scale reconnaissance and social engineering at machine speed. Unit 42 urges organizations to prioritize findings by attacker reachability and AI exploitability, adopt machine-speed defenses, integrate frontier models into the SDLC, and consider the Unit 42 Frontier AI Defense service and a CISO checklist for immediate and long-term hardening.
read more →