Threat Brief: Operation Lunar Peek, Activity Related to CVE-2024-0012 and CVE-2024-9474 (Updated Nov. 19)
Threat Assessment: Ignoble Scorpius, Distributors of BlackSuit Ransomware
FrostyGoop’s Zoom-In: A Closer Look into the Malware Artifacts, Behaviors and Network Communications
See all Unit 42 Threat Research

Protect Against Russia-Ukraine
Cyber Activity

Palo Alto Networks is closely monitoring developments in Ukraine

Palo Alto Networks is closely monitoring the rapidly evolving cyber activity related to Russia and Ukraine. We continue to release new Unit 42® threat intelligence, deploy protections for our customers, and are actively collaborating with our partners in industry and governments to share our analysis and findings based on our global threat network.

Protecting our customers is our highest priority. In line with warnings by multiple governments, we are also diligently preparing for any cyberattacks that may spread beyond Ukraine. We will continuously update this resource center with the latest cybersecurity information including research, best practices, mitigations, and threat intelligence from the Unit 42 blog. We are standing by and ready to assist our customers as needed.

As of , the following indicators have been identified

2150

Domains

318

Binaries

265

IPs

681

URLs

How can you prepare?

There is no way to know for certain what shape an attack may take, but taking these steps will help provide broad protection against what we expect to come.

  • Patch internet-facing and business-critical software

    Apply patches for any software containing vulnerabilities – not just those known to be exploited in the wild. This is most urgent for software that is internet-facing and necessary for your business’s operations, such as webmail, VPNs and other remote access solutions.

  • Prepare for ransomware and/or data destruction

    A likely form of disruptive cyberattack will use either ransomware or a destructive attack that poses as ransomware.

  • Be prepared to respond quickly

    Ensure that you designate points of contact across your organization in key areas in case of a cybersecurity incident or disruption of critical infrastructure.

  • Lock down your network

    Making small policy changes can decrease the likelihood of a successful attack against your network. In addition, run scans if you can for early indicators of compromise (IoCs), decrease the time between security updates, and perform a gap analysis across major threat vectors to define areas that require alert prioritization.

Read Unit 42 threat analysis

How can Palo Alto Networks help?

Security Consulting and Incident Response Services

Our research indicates that recent attacks have used ransomware or a destructive attack that poses as ransomware (i.e., WhisperGate).

  • Proactive Assessments: Unit 42 cyber risk management consultants are ready should you wish to be better prepared.
  • A Ransomware Readiness Assessmentcan help identify potential weaknesses in your response playbook and identify any ongoing or historical indicators of compromise.
  • Incident Response: Unit 42 IR services can help companies of any size investigate and remediate potential threat actor activity. If you have been breached or have an urgent matter, contact us here.

Technology

Palo Alto Networks provides a full portfolio of products and threat intelligence, and we’ve reinforced relevant capabilities:

  • Threat Prevention: Added coverage for the OctoberCMS vulnerability CVE-2021-32648, exploited in the WhisperGate attacks.
  • WildFire: Improved detection of WhisperGate, which disables Windows Defender and other specific malware families like HermeticWiper that are used by Russian threat groups.
  • Advanced URL Filtering: Blocked hundreds of new malicious domain names, IP addresses and URLs.
  • Cortex XDR: Updated defenses and added signatures to block newly discovered malware, including HermeticWiper, in order to protect the entire attack surface across cloud, networks, endpoints, users and critical infrastructure.
  • Cortex Xpanse: Our automated Attack Surface Management (ASM) platform provides a complete and accurate inventory of your global internet-facing assets to discover, evaluate and mitigate security issues.
  • Prisma Cloud CWP: Identify and update out-of-date packages and known exploited vulnerabilities.
  • Prisma Cloud WAAS: Block OWASP Top 10 attacks on web applications and APIs and prevent attacks that leverage the new CVE based on virtual patching.
  • Prisma Cloud CSPM: Identify IOC used by attackers using threat detection. Prioritize critical web-facing vulnerabilities using True Network Exposure.

Unit 42 Resources
See all resources
Unit 42
BLOG

Russia-Ukraine Cyber Activity Makes Security Best Practices Imperative

Read blog
Unit 42
BLOG

Russia’s Gamaredon aka Primitive Bear APT Group Actively Targeting Ukraine

Read blog
Unit 42
Threat Brief

Ongoing Russia and Ukraine Cyber Conflict

Read threat brief
Unit 42
Blog

How to Protect Against Related Cyberthreats Including DDoS, HermeticWiper, Gamaredon and Website Defacement

Read blog
Unit 42
Blog

Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot

Read blog
Cortex
BLOG

Cortex XDR Protections Against Malware Associated with Ukraine and Russia Cyber Activity

Read blog
See all resources

Get the latest news, invites to events, and threat alerts