Blog
Cloud Native Security
Prisma Cloud Security Research

Prisma Cloud Security Research

Threat Assessment: Ignoble Scorpius, Distributors of BlackSuit Ransomware

Threat Assessment: Ignoble Scorpius, Distributors of BlackSuit Ransomware

In July 2024, the operational technology (OT)-centric malware FrostyGoop/BUSTLEBERM became publicly known, after attackers used it to disrupt critical infrastructure. The outage occurred after the Cyber Security Situation Center (CSSC), affiliated with the Security Service of Ukraine, disclosed details [PDF] of an attack on a municipal energy company in Ukraine in early 2024.

High Profile Threats

Threat Actor Groups

BlackSuit ransomware

Ignoble Scorpius

Nov 20, 2024

Business Email Compromise, Threat Actor Groups, Threat Research, BeaverTail, CL-STA-0237, Contagious Interview, DPRK, Fake IT Worker, InvisibleFerret, Lazarus

Fake North Korean IT Worker Linked to BeaverTail Video Conference App Phish...

In December 2019, Amazon Web Services (AWS) announced the av...

Nov 14, 2024

By Unit 42

Cloud Cybersecurity Research, Threat Research, data exfiltration, Google Cloud, Kubernetes, LLM, poisoned model, privilege escalation, Vertex AI

ModeLeak: Privilege Escalation to LLM Model Exfiltration in Vertex AI

In the race to gain a competitive edge, organizations are increasingly training artificial...

Nov 12, 2024

By Ofir Balassiano, Ofir Shaty

Cybercrime, Threat Actor Groups, Threat Research, C++, CL-CRI-0941, CVE-2017-11317, CVE-2019-18935, GodPotato, Python, Remote Code Execution

Silent Skimmer Gets Loud (Again)

This article introduces a simple and straightforward technique for jailbreaking that we call Deceptive Delight. Deceptive Delight is a multi-turn tech...

Nov 07, 2024

By Veronika Senderovych, Chema Garcia, Zack Fink

Nation-State Cyberattacks, Ransomware, Threat Actor Groups, Threat Research, Cobalt Strike, DPRK, DTrack, Fiddling Scorpius, Infostealer, Jumpy Pisces

Jumpy Pisces Engages in Play Ransomware

Unit 42 has identified Jumpy Pisces, a North Korean state-sponsored threat group associated with the Reconnaissance Gene...

Oct 30, 2024

By Unit 42

Malware, Threat Actor Groups, Threat Research, Advanced Persistent Threat, BeaverTail, CL-STA-240, Contagious Interview, DPRK, InvisibleFerret, North Korea

Contagious Interview: DPRK Threat Actors Lure Tech Industry Job Seekers to ...

Unit 42 has tracked activity from threat actors associated w...

Oct 09, 2024

By Unit 42

Malware, Threat Actor Groups, APT43, DPRK, FPSpy, G0086, Keylogger, Kimsuky, KLogExe, MITRE

Unraveling Sparkling Pisces’s Tool Set: KLogEXE and FPSpy

Unit 42 researchers discovered two malware samples used by the Sparkling Pisces (aka Kimsuky) threat group. This includes an undocumented keylogger, c...

Sep 26, 2024

By Daniel Frank, Lior Rochberger

Malware, Threat Actor Groups, AppleJeus, Citrine Sleet, Cryptocurrency, Gleaming Pisces, Linux, macOS, North Korea, PondRAT

Gleaming Pisces Poisoned Python Packages Campaign Delivers PondRAT Linux an...

Unit 42 researchers have been tracking the activity of an ongoing poisoned Python packages...

Sep 18, 2024

By Yoav Zemah

Cybercrime, High Profile Threats, Ransomware, Threat Actor Groups, Threat Research, ALPHV, Ambitious Scorpius, Bashful Scorpius, BlackCat ransomware, Cicada3301

Threat Assessment: Repellent Scorpius, Distributors of Cicada3301 Ransomwar...

Repellent Scorpius is a new ransomware-as-a-service (RaaS) g...

Sep 10, 2024

By Navin Thomas, Jerome Tujague

Cybercrime, High Profile Threats, Malware, Nation-State Cyberattacks, Threat Actor Groups, Advanced Persistent Threat, Alluring Pisces, Andariel, Bluenoroff, Citrine Sleet

Threat Assessment: North Korean Threat Groups

Lazarus has been used in public reporting as an umbrella term for threat actors from the D...

Sep 09, 2024

By Unit 42

Malware, Threat Actor Groups, Advanced Persistent Threat, China, DLL Sideloading, Dropbox, Espionage, Government, Microsoft Visual Studio, Mimikatz

Chinese APT Abuses VSCode to Target Government in Asia

In the summer of 2018, Unit 42 released reporting regarding activity in the Middle East surrounding a cluster of activit...

Sep 06, 2024

By Tom Fakterman

Cloud Cybersecurity Research, Ransomware, Threat Actor Groups, AWS, AWS credential stealing, Bling Libra, Extortion, MITRE, S3, ShinyHunters

Bling Libra’s Tactical Evolution: The Threat Actor Group Behind ShinyHunter...

In an incident response engagement handled by Unit 42, the threat actor group Bling Libra...

Aug 23, 2024

By Margaret Zimmermann, Chandni Vaya

Cloud Cybersecurity Research, Threat Research, AWS, credential theft, data exfiltration, ENV files, environment variable files, Exploit Kits, exposed environment files, Extortion

Leaked Environment Variables Allow Large-Scale Extortion Operation in Cloud...

Unit 42 researchers found an extortion campaign's cloud oper...

Aug 15, 2024

By Margaret Zimmermann, Sean Johnstone, William Gamazo, Nathaniel Quist

Cloud Cybersecurity Research, Threat Research, artifacts, AWS, GitHub, open source, Red Hat, Ubuntu

ArtiPACKED: Hacking Giants Through a Race Condition in GitHub Actions Artif...

In part 1 of this 2-part blog series, we discussed why the Havex Trojan is a significant and concerning industry milesto...

Aug 13, 2024

By Yaron Avital

Malware, Nation-State Cyberattacks, Threat Actor Groups, Threat Research, Advanced Persistent Threat, APT28, Fancy Bear, Fighting Ursa, HeadLace, phishing

Fighting Ursa Luring Targets With Car for Sale

A Russian threat actor we track as Fighting Ursa advertised a car for sale as a lure to di...

Aug 02, 2024

By Unit 42

Cloud Cybersecurity Research, Threat Research, cloud infrastructure, Container, container escape, container security, Docker, Kubernetes

Container Breakouts: Escape Techniques in Cloud Environments

This article reviews container escape techniques, assesses their possible impact and revea...

Jul 18, 2024

By Yosef Yaakov, Bar Ben-Michael

Cloud Cybersecurity Research, CVE-2024-6387, High Profile Threats, OpenSSH, RegreSSHion, Remote Code Execution, SSH, Vulnerabilities

Threat Brief: CVE-2024-6387 OpenSSH RegreSSHion Vulnerability

On July 1, 2024, a critical signal handler race condition vulnerability was disclosed in O...

Jul 02, 2024

By Unit 42

Load more

Load more

Get the latest news, invites to events, and threat alerts