Cyentia Cybersecurity Research Library

Palo Alto Networks

Below you will find reports with the source of “Palo Alto Networks”


Global Incident Response Report 2025

Threat actors are augmenting traditional ransomware and extortion with attacks designed to intentionally disrupt operations. Amid these trends, we’re also seeing a multi-pronged approach in attacks, as threat actors target multiple areas of the attack surface. In fact, 70% of the incidents Unit 42 responded to happened on three or more fronts, underscoring the need to protect endpoints, networks, cloud environments and the human factor in tandem. These incidents involved large organizations grappling with extortion, network intrusions, data theft, advanced persistent threats and more.

Added: March 18, 2025


2024 Incident Response Report

In this report, we bring you the insights from that data. It’s part of how we empower organizations to proactively navigate cyber risks, strengthen security approaches, and respond to incidents with unmatched efficiency. This report helps because it gathers real-world information from organizations like yours, so you can learn which threats really affect your peers, and how you can face them.

Added: February 26, 2024


Ransomware and Extortion Report

The 2023 Unit 42 Ransomware Threat Report explores recent incident response cases, as well as our threat intelligence analysts’ assessment of the larger threat landscape. It also offers predictions for how we believe threat actors will use ransomware and extortion tactics going forward. As of late 2022, threat actors engaged in data theft in about 70% of cases on average. Compare this to mid-2021, when we saw data theft in only about 40% of cases on average. Threat actors often threaten to leak stolen data on dark web leak sites, which are increasingly a key component of their efforts to extort organizations.

Added: March 27, 2023


2022 Cortex Xpanse Attack Surface Threat Report

Get the latest Cortex Xpanse “Attack Surface Threat Report” to understand the risks, and learn how automation can help security teams stop chasing a moving target and reduce risks. The Cortex Xpanse research team studied the global attack surface by monitoring scans of 50 million IP addresses associated with 100+ global enterprises and discovered that the attack surfaces of all industries continue to grow. As security teams struggle to keep up, the constant stream of new issues becomes an ever-expanding backlog of exposure: misconfigured RDP, exposed admin portals, insecure Apache web servers or Microsoft Exchange servers, and more.

Added: August 4, 2022


Incident Response Report 2022

The 2022 Unit 42 Incident Response Report sheds light on the risks and threats that organizations are facing. It provides insights into threat actors and their methods that can then be used to help organizations identify potential gaps in their defenses and areas to focus on to improve their cybersecurity stance going forward.

Added: August 1, 2022


Ransomware Threat Report 2022

As these ransomware gangs and RaaS operators find new ways to remove technical barriers and up the ante, ransomware will continue to challenge organizations of all sizes in 2022. As a result, ransomware has become one of the top threats in cybersecurity and a focus area for Palo Alto Networks. This report provides the latest insights on established and emerging ransomware groups, payment trends, and security best practice.

Added: June 16, 2022


The State of Cloud Native Security Report 2022

Palo Alto Networks surveyed 3,000 cloud security and DevOps professionals from around the world to gain insight into organizations’ cloud adoption strategies, budgets, experiences, and future plans.

Added: January 20, 2022


Ransomware Threat Report 2021

Using Unit 42’s threat intelligence and incident response teams, this report reviews the state of ransomware, focusing on the prevalence, size of payments, techniques, and firmographics of recent events.

Added: August 9, 2021


Cloud Threat Report: Putting the Sec in DevOps

In the 2020 edition of the Unit 42 Cloud Threat Report, our team of elite cloud threat researchers focused their attention on the practices of DevOps. The research aimed to uncover where cloud vulnerabilities are surfacing. DevOps teams are shortening the time to production using infrastructure as code (IaC) templates. But the IaC templates themselves are not the issue. It’s the flawed process by which they are being created.

Added: February 14, 2020


Tracking Subaat: Targeted Phishing Attack Leads to Threat Actor’s Repository

In mid-July, Palo Alto Networks Unit 42 identified a small targeted phishing campaign aimed at a government organization. While tracking the activities of this campaign, we identified a repository of additional malware, including a web server that was used to host the payloads used for both this attack as well as others. We’ll discuss how we discovered it, as well as possible attribution towards the individual behind these attacks.

Added: November 15, 2018


Threat Actors Target Government of Belarus Using CMSTAR Trojan

Palo Alto Networks Unit 42 has identified a series of phishing emails containing updated versions of the previously discussed CMSTAR malware family targeting various government entities in the country of Belarus. We first reported on CMSTAR in spear phishing attacks in spring of 2015 and later in 2016. In this latest campaign, we observed a total of 20 unique emails between June and August of this year that included two new variants of the CMSTAR Downloader. We also discovered two previously unknown payloads. These payloads contained backdoors that we have named BYEBY and PYLOT respectively.

Added: November 15, 2018


The Blockbuster Sequel

Unit 42 has identified malware with recent compilation and distribution timestamps that has code, infrastructure, and themes overlapping with threats described previously in the Operation Blockbuster report, written by researchers at Novetta. This report details the activities from a group they named Lazarus, their tools, and the techniques they use to infiltrate computer networks. The Lazarus group is tied to the 2014 attack on Sony Pictures Entertainment and the 2013 DarkSeoul attacks. This recently identified activity is targeting Korean speaking individuals, while the threat actors behind the attack likely speak both Korean and English. This blog will detail the recently discovered samples, their functionality, and their ties to the threat group behind Operation Blockbuster.

Added: November 15, 2018


OilRig Deploys "ALMA Communicator" – DNS Tunneling Trojan

Unit 42 has been closely tracking the OilRig threat group since May 2016. One technique we’ve been tracking with this threat group is their use of the Clayslide delivery document as attachments to spear-phishing emails in attacks since May 2016. In our April 2017 posting, OilRig Actors Provide a Glimpse into Development and Testing Efforts, we showed how we observed the OilRig threat group developing and refining these Clayslide delivery documents.

Added: November 15, 2018


Magic Hound Campaign Attacks Saudi Targets

Unit 42 has discovered a persistent attack campaign operating primarily in the Middle East dating back to at least mid-2016 which we have named Magic Hound. This appears to be an attack campaign focused on espionage. We were able to collect over fifty samples of the tools used by the Magic Hound campaign using the AutoFocus threat intelligence tool. The earliest malware sample we were able to collect had a compile timestamp in May 2016. The samples themselves ranged from IRC bots, an open source Python remote access tool, malicious macros, and others. It is believed the use of specific tools may have coincided with specific attack waves by this adversary, with the most recent attacks using weaponized Microsoft Office documents with malicious macros. Due to the large amount of data collected, and limitations on attack telemetry, this blog will focus primarily on the most recent attacks occurring in the latter half of 2016.

Added: November 15, 2018


The Gamaredon Group Toolset Evolution

Unit 42 threat researchers have recently observed a threat group distributing new, custom developed malware. We have labelled this threat group the Gamaredon Group and our research shows that the Gamaredon Group has been active since at least 2013.

Added: November 15, 2018


Dimnie: Hiding In Plain Sight

This post discusses the reports of open-source developers receiving malicious emails.

Added: November 15, 2018


DragonOK Updates Toolset and Targets Multiple Geographic Regions

The DragonOK group has been actively launching attacks for years. We first discussed them in April 2015 when we witnessed them targeting a number of organizations in Japan. In recent months, Unit 42 has observed a number of attacks that we attribute to this group. Multiple new variants of the previously discussed sysget malware family have been observed in use by DragonOK. Sysget malware was delivered both directly via phishing emails, as well as in Rich Text Format (RTF) documents exploiting the CVE-2015-1641 vulnerability (patched in MS15-033) that in turn leveraged a very unique shellcode. Additionally, we have observed instances of the IsSpace and TidePool malware families being delivered via the same techniques. While Japan is still the most heavily targeted geographic region by this particular actor, we also observed instances where individuals or organizations in Taiwan, Tibet, and Russia also may have been targeted.

Added: November 15, 2018


SilverTerrier: The Next Evolution In Nigerian Cybercrime

With unique and specialized analysis, this paper discusses Nigerian cyber crime actors, their growth, collaboration, and the direction they are headed.

Added: October 26, 2018


SilverTerrier: Rise Of Nigerian Business Email Compromise

With unique and specialized analysis, this paper discusses Nigerian cyber crime actors, their growth, collaboration, and the direction they are headed.

Added: October 25, 2018


Ransomware: Unlocking The Lucrative Criminal Business Model

This is a well written exclusive look at Ransomware.

Added: October 24, 2018


2018 Cloud Security Report

Offering insight into a variety of issues related to cloud security, this report discusses several key issues, including the biggest threats to cloud security, legacy security tools that do not work in the cloud, and the growth of cloud security budgets.

Added: October 23, 2018

© Cyentia Institute 2025
Library updated: July 9, 2025 00:09 UTC (build b1d7be4)