AutoFocus: Your Answer to Actionable Threat Intelligence

posted by: on August 23, 2016 5:00 AM

filed in: Cybersecurity
tagged: , , , ,

Threat intelligence involves learning about new attacks, adversaries, campaigns, and malware families through distinct pieces of information often referred to as indicators of compromise, or IOCs. The more we make relevant information available to network defenders, the better the odds are that they will find answers to their questions. One key consideration for leveraging threat intelligence to improve an organization’s security posture is that it must be readily able to enforce new prevention-based controls.

Threat intelligence has traditionally been used by security operations centers’ incident response teams. As security awareness in organizations of all sizes begins to expand, most people realize that they want to know which alerts should be made a priority and which threats the organization is subject to. Who are the threat actors? There is a big difference between commodity and targeted attacks. Answering these questions can lead you to implementing new controls that allow you to better secure the environment.

Enter AutoFocus. AutoFocus is the Palo Alto Networks threat intelligence service …Continue reading

The Cybersecurity Canon: The Cynja: Volume 1 and Code of the Cynja: Volume 2

posted by: on August 22, 2016 12:00 PM

filed in: Cybersecurity
tagged: , , , ,


We modeled the Cybersecurity Canon after the Baseball or Rock & Roll Hall-of-Fame, except for cybersecurity books. We have more than 25 books on the initial candidate list, but we are soliciting help from the cybersecurity community to increase the number to be much more than that. Please write a review and nominate your favorite. 

 The Cybersecurity Canon is a real thing for our community. We have designed it so that you can directly participate in the process. Please do so!

Book Review by Canon Committee Member, Rick Howard: “The Cynja: Volume 1” (2014) and “Code of the Cynja: Volume 2” (2016) by Chase Cunningham, Heather Dahl and Shirow Di Rosso (Illustrator) …Continue reading

VB Dropper and Shellcode for Hancitor Reveal New Techniques Behind Uptick

posted by: on August 21, 2016 5:00 PM

filed in: Unit 42
tagged: ,

The Hancitor downloader has been relatively quiet since a major campaign back in June 2016. But over the past week, while performing research using Palo Alto Networks AutoFocus, we noticed a large uptick in the delivery of the Hancitor malware family as they shifted away from H1N1 to distribute Pony and Vawtrak executables. In parallel, we received reports from other firms and security researchers seeing similar activity, which pushed us to look into this further.


Figure 1 AutoFocus view of new sessions of Hancitor since July 2016

The delivery method for these documents remained consistent to other common malicious e-mail campaigns. Lures contained subjects related to recent invoices, or other matters requiring the victim’s attention, such as an overdue bill. These lures were expected, until we started digging into the actual documents attached and saw an interesting method within the Visual Basic (VB) macros in the attached documents used for dropping the malware.

This blog will review in detail the dropping technique, which isn’t technically new, but this was the first time we’ve seen it used in this way. The end goal is to identify where the binary was embedded, but we’ll cover the macro and the embedded shellcode throughout this post. …Continue reading

Older posts →