
Hildegard: New TeamTNT Cryptojacking Malware Targeting Kubernetes

<!doctype html>
<html lang="en-US">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="profile" href="https://gmpg.org/xfn/11">
<link rel="preconnect" href="https://www.paloaltonetworks.com">
<link rel="preconnect" href="https://cdn.cookielaw.org">
<link rel="preconnect" href="https://fonts.googleapis.com">
<!-- Start: Scripts Migrated From Unit42-v5 -->
<!-- NOTE(review): the inline script and the onload="" handlers on the preload links below
     only execute under a Content-Security-Policy that permits them (nonce, hash or 'unsafe-inline'). -->
<script>
  // Page-wide globals consumed by other scripts; declared with `var` so they remain window properties.
  var main_site_url = 'https://www.paloaltonetworks.com';
  var maindomain_lang = 'https://www.paloaltonetworks.com';

  // Look up query parameter `name` in `url` (defaults to the current location).
  // Returns null when the parameter is absent, '' when it is present without a value,
  // otherwise the percent-decoded value with '+' translated to a space.
  // The value originates from the URL and is therefore untrusted input: escape it
  // before inserting it into markup or building another URL from it.
  function getParameterByName(name, url) {
    if (url === undefined || url === null) {
      url = window.location.href;
    }
    // Escape '[' and ']' so a bracketed parameter name is matched literally.
    var escapedName = name.replace(/[\[\]]/g, '\\$&');
    var matcher = new RegExp('[?&]' + escapedName + '(=([^&#]*)|&|#|$)');
    var found = matcher.exec(url);
    if (!found) {
      return null;
    }
    if (!found[2]) {
      return '';
    }
    // decodeURIComponent leaves '+' untouched, so form-encoded spaces are handled first.
    return decodeURIComponent(found[2].replace(/\+/g, ' '));
  }

  var container_q = getParameterByName('container');
  var d_lang = 'en';
</script>
<link rel="preload" href="https://www.paloaltonetworks.com/etc.clientlibs/panClean/components/mainNavigationComp/clientlibs/panClean/criticalTop.min.css" as="style" onload="this.onload=null;this.rel='stylesheet'">
<noscript><link rel="stylesheet" href="https://www.paloaltonetworks.com/etc.clientlibs/panClean/components/mainNavigationComp/clientlibs/panClean/criticalTop.min.css"></noscript>
<link rel="preload" href="https://www.paloaltonetworks.com/etc.clientlibs/panClean/components/mainNavigationComp/clientlibs/panClean/criticalTopProductNav.min.css" as="style" onload="this.onload=null;this.rel='stylesheet'">
<noscript><link rel="stylesheet" href="https://www.paloaltonetworks.com/etc.clientlibs/panClean/components/mainNavigationComp/clientlibs/panClean/criticalTopProductNav.min.css"></noscript>
<link rel="preload" href="https://www.paloaltonetworks.com/etc.clientlibs/panClean/components/mainNavigationComp/clientlibs/panClean/deferedProductNav.min.css" as="style" onload="this.onload=null;this.rel='stylesheet'">
<noscript><link rel="stylesheet" href="https://www.paloaltonetworks.com/etc.clientlibs/panClean/components/mainNavigationComp/clientlibs/panClean/deferedProductNav.min.css"></noscript>
<meta name="robots" content="index, follow, max-image-preview:large, max-snippet:-1, max-video-preview:-1">
<style>img:is([sizes="auto" i], [sizes^="auto," i]) { contain-intrinsic-size: 3000px 1500px }</style>
<link rel="alternate" hreflang="en" href="https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/">
<link rel="alternate" hreflang="ja" href="https://unit42.paloaltonetworks.jp/hildegard-malware-teamtnt/">
<link rel="alternate" hreflang="x-default" href="https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/">
<!-- This site is optimized with the Yoast SEO Premium plugin v24.2 (Yoast SEO v24.2) - https://yoast.com/wordpress/plugins/seo/ -->
<title>Hildegard: New TeamTNT Cryptojacking Malware Targeting Kubernetes</title>
<meta name="description" content="Hildegard is a new malware campaign believed to originate from TeamTNT. It targets Kubernetes clusters and launches cryptojacking operations.">
<link rel="canonical" href="https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/">
<meta property="og:locale" content="en_US">
<meta property="og:type" content="article">
<meta property="og:title" content="Hildegard: New TeamTNT Cryptojacking Malware Targeting Kubernetes">
<meta property="og:description" content="Hildegard is a new malware campaign believed to originate from TeamTNT. It targets Kubernetes clusters and launches cryptojacking operations.">
<meta property="og:url" content="https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/">
<meta property="og:site_name" content="Unit 42">
<meta property="article:published_time" content="2021-02-03T14:00:48+00:00">
<meta property="article:modified_time" content="2024-06-06T14:09:04+00:00">
<meta property="og:image" content="https://unit42.paloaltonetworks.com/wp-content/uploads/2024/06/01_Malware_Category_1920x900.jpg">
<meta property="og:image:width" content="1920">
<meta property="og:image:height" content="900">
<meta property="og:image:type" content="image/jpeg">
<meta name="author" content="Jay Chen, Aviv Sasson, Ariel Zelivansky">
<meta name="twitter:card" content="summary_large_image">
<!-- / Yoast SEO Premium plugin. -->
<link rel="alternate" type="application/rss+xml" title="Unit 42 &raquo; Feed" href="https://unit42.paloaltonetworks.com/feed/">
<link rel="alternate" type="application/rss+xml" title="Unit 42 &raquo; Comments Feed" href="https://unit42.paloaltonetworks.com/comments/feed/">
<link rel="alternate" type="application/rss+xml" title="Unit 42 &raquo; Hildegard: New TeamTNT Cryptojacking Malware Targeting Kubernetes Comments Feed" href="https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/feed/">
<script>
  // Analytics data layer for this post. `globalConfig` is declared here only to exist early;
  // the following script re-declares and populates it.
  var globalConfig = {};
  var webData = {
    channel: "unit42",
    property: "unit42.paloaltonetworks.com",
    language: "en_us",
    pageType: "blogs",
    pageName: "unit42:hildegard-malware-teamtnt",
    pageURL: "https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt",
    article_title: "Hildegard: New TeamTNT Cryptojacking Malware Targeting Kubernetes",
    author: "Jay Chen,Aviv Sasson,Ariel Zelivansky",
    // Same instant as article:published_time above, expressed in UTC-8.
    published_time: "2021-02-03T06:00:48-08:00",
    description: "Hildegard is a new malware campaign believed to originate from TeamTNT. It targets Kubernetes clusters and launches cryptojacking operations.",
    keywords: "Cloud Cybersecurity Research,Threat Research,Containers,cryptojacking,Docker,Kubernetes,public cloud,TeamTnT",
    resourceAssetID: "e6eb5b0bd974df44c97c839273d263b9"
  };
</script>
<script>
  // Build identifier for the analytics configuration.
  var globalConfig = {};
  globalConfig.buildName = "UniqueResourceAssetsID_DEC022022";
</script>
<meta property="og:likes" content="34">
<meta property="og:readtime" content="10">
<meta property="og:views" content="89,977">
<meta property="og:date_created" content="February 3, 2021 at 6:00 AM">
<meta property="og:post_length" content="2898">
<meta property="og:category" content="Cloud Cybersecurity Research">
<meta property="og:category" content="Threat Research">
<meta property="og:category_link" content="https://unit42.paloaltonetworks.com/category/cloud-cybersecurity-research/">
<meta property="og:category_link" content="https://unit42.paloaltonetworks.com/category/threat-research/">
<meta property="og:author" content="Jay Chen">
<meta property="og:author" content="Aviv Sasson">
<meta property="og:author" content="Ariel Zelivansky">
<meta property="og:authorlink" content="https://unit42.paloaltonetworks.com/author/jaychenpaloaltonetworks-com/">
<meta property="og:authorlink" content="https://unit42.paloaltonetworks.com/author/aviv-sasson/">
<!-- NOTE(review): the third og:authorlink points at the author index (/author/), not a per-author page like the two above. -->
<meta property="og:authorlink" content="https://unit42.paloaltonetworks.com/author/">
<meta property="og:author_image_link" content="https://unit42.paloaltonetworks.com/wp-content/uploads/2018/11/unit-news-meta.svg">
<meta property="og:author_image_link" content="https://unit42.paloaltonetworks.com/wp-content/uploads/2018/11/unit-news-meta.svg">
<meta property="og:author_image_link" content="https://unit42.paloaltonetworks.com/wp-content/uploads/2018/11/unit-news-meta.svg">
<meta name="post_tags" content="Containers,cryptojacking,Docker,Kubernetes,public cloud,TeamTnT">
<meta property="og:post_image"
content="https://unit42.paloaltonetworks.com/wp-content/uploads/2021/02/Black-Hat_Container-v1.png"/> <script type="application/ld+json">{"@context":"https:\/\/schema.org","@type":"BlogPosting","headline":"Hildegard: New TeamTNT Cryptojacking Malware Targeting Kubernetes","name":"Hildegard: New TeamTNT Cryptojacking Malware Targeting Kubernetes","description":"Hildegard is a new malware campaign believed to originate from TeamTNT. It targets Kubernetes clusters and launches cryptojacking operations. ","url":"https:\/\/unit42.paloaltonetworks.com\/hildegard-malware-teamtnt\/","mainEntityOfPage":"https:\/\/unit42.paloaltonetworks.com\/hildegard-malware-teamtnt\/","datePublished":"February 3, 2021","articleBody":"Executive Summary\r\nIn January 2021, Unit 42 researchers detected a new malware campaign targeting Kubernetes clusters. The attackers gained initial access via a misconfigured kubelet that allowed anonymous access. Once getting a foothold into a Kubernetes cluster, the malware attempted to spread over as many containers as possible and eventually launched cryptojacking operations. Based on the tactics, techniques and procedures (TTP) that the attackers used, we believe this is a new campaign from TeamTNT. We refer to this new malware as Hildegard, the username of the tmate account that the malware used.\r\n\r\nTeamTNT is known for exploiting unsecured Docker daemons and deploying malicious container images, as documented in previous research (Cetus, Black-T and TeamTNT DDoS). However, this is the first time we found TeamTNT targeting Kubernetes environments. In addition to the same tools and domains identified in TeamTNT's previous campaigns, this new malware carries multiple new capabilities that make it more stealthy and persistent. 
In particular, we found that TeamTNT\u2019s Hildegard malware:\r\n\r\n \tUses two ways to establish command and control (C2) connections: a tmate reverse shell and an Internet Relay Chat (IRC) channel.\r\n \tUses a known Linux process name (bioset) to disguise the malicious process.\r\n \tUses a library injection technique based on LD_PRELOAD to hide the malicious processes.\r\n \tEncrypts the malicious payload inside a binary to make automated static analysis more difficult.\r\n\r\nWe believe that this new malware campaign is still under development due to its seemingly incomplete codebase and infrastructure. At the time of writing, most of Hildegard's infrastructure has been online for only a month. The C2 domain borg[.]wtf was registered on Dec. 24, 2020, the IRC server went online on Jan. 9, 2021, and some malicious scripts have been updated frequently. The malware campaign has ~25.05 KH\/s hashing power, and there is 11 XMR (~$1,500) in the wallet.\r\n\r\nThere has not been any activity since our initial detection, which indicates the threat campaign may still be in the reconnaissance and weaponization stage. However, knowing this malware's capabilities and target environments, we have good reason to believe that the group will soon launch a larger-scale attack. The malware can leverage the abundant computing resources in Kubernetes environments for cryptojacking and potentially exfiltrate sensitive data from tens to thousands of applications running in the clusters.\r\n\r\nPalo Alto Networks customers running Prisma Cloud are protected from this threat by the Runtime Protection feature, Cryptominer Detection feature and the Prisma Cloud Compute Kubernetes Compliance Protection, which alerts on an insufficient Kubernetes configuration and provides secure alternatives.\r\n\r\n[caption id=\"attachment_116864\" align=\"aligncenter\" width=\"900\"] Figure 1. 
Attacker and malware\u2019s movement.[\/caption]\r\nTactics, Techniques and Procedures\r\nFigure 1 illustrates how the attacker entered, moved laterally and eventually performed cryptojacking in multiple containers.\r\n\r\n \tThe attacker started by exploiting an unsecured Kubelet on the internet and searched for containers running inside the Kubernetes nodes. After finding container 1 in Node A, the attacker attempted to perform remote code execution (RCE) in container 1.\r\n \tThe attacker downloaded tmate and issued a command to run it and establish a reverse shell to tmate.io from container 1. The attacker then continued the attack with this tmate session.\r\n \tFrom container 1, the attacker used masscan to scan Kubernetes' internal network and found unsecured Kubelets in Node B and Node C. The attacker then attempted to deploy a malicious crypto mining script (xmr.sh) to containers managed by these Kubelets (containers 2-7).\r\n \tContainers that ran xmr.sh started an xmrig process and established an IRC channel back to the IRC C2.\r\n \tThe attacker could also create another tmate session from one of the containers (container 4). With the reverse shell, the attacker could perform more manual reconnaissance and operations.\r\n\r\nThe indicators of compromise (IOCs) found in each container are listed below. These files are either shell scripts or Executable and Linkable Format (ELF) binaries. The IOC section at the end of the blog contains the hash and details of each file.\r\n\r\n \tContainer 1: TDGG was dropped and executed via Kubelet. TDGG then downloaded and executed tt.sh, api.key and tmate. The attacker used the established tmate connection to drop and run sGAU.sh, kshell, install_monerod.bash, setup_moneroocean_miner.sh and xmrig (MoneroOcean).\r\n \tContainer 2-7: xmr.sh was dropped and executed via Kubelet.\r\n \tContainer 4: The attacker also established a tmate session in this container. 
The attacker then dropped and executed pei.sh, pei64\/32, xmr3.assi, aws2.sh, t.sh, tmate,x86_64.so, xmrig and xmrig.so.\r\n\r\nFigure 2 maps the malware campaign's TTP to MITRE ATT&amp;CK tactics. The following sections will detail the techniques used in each stage.\r\n\r\n[caption id=\"attachment_116866\" align=\"aligncenter\" width=\"900\"] Figure 2. Attacker\u2019s tactics, techniques and procedures.[\/caption]\r\nInitial Access\r\nkubelet is an agent running on each Kubernetes node. It takes RESTful requests from various components (mainly kube-apiserver) and performs pod-level operations. Depending on the configuration, kubelet may or may not accept unauthenticated requests. Standard Kubernetes deployments come with anonymous access to kubelet by default. However, most managed Kubernetes services such as Azure Kubernetes Service (AKS), Google Kubernetes Engine (GKE) and Kubernetes operations (Kops) all enforce proper authentication by default.\r\n\r\nWe discovered that TeamTNT gained initial access with the Hildegard malware by executing commands on kubelets that allow anonymous access. This was achieved by accessing the kubelet\u2019s run command API and executing commands on running containers.\r\nExecution\r\nHildegard uses kubelet\u2019s API to execute commands inside containers. The initial commands create a tmate reverse shell that allows the attacker to carry out the subsequent operation. Unlike the techniques that TeamTNT used in the past, this malware campaign did not pull or run any new container image.\r\nPrivilege Escalation\r\nAlthough Unit 42 researchers have not observed an attempt to perform privilege escalation, the malware dropped two adversarial tools, Peirates and BOtB, which are capable of breaking out of containers via known vulnerabilities or accessing cloud resources via exposed cloud credentials.\r\nContainer Breakout\r\nBOtB can perform a container breakout using a known vulnerability such as CVE-2019-5736. 
It can also escape from privileged containers that have enabled CAPS and SYSCALLS.\r\nAccess to Cloud Resources\r\nPeirates can gather multiple infrastructure and cloud credentials. It looks for identity and access management (IAM) credentials from cloud metadata services and service account tokens from the Kubernetes clusters. With the identified credentials, it then further attempts to move laterally or gain control of the cluster. While we observed Peirates in use, the container it was executed in had no credentials.\r\nDefense Evasion\r\nLibrary Injection\r\nHildegard uses LD_PRELOAD to hide the malicious processes launched inside the containers. The malware modified the \/etc\/ld.so.preload file to intercept shared libraries\u2019 imported functions. In particular, the malware overwrites two functions: readdir() and readdir64(), which are responsible for returning the directory entries in the file system. The overwritten functions filter out queries made to directory entries under \/proc. The functions then drop queries with keywords such as tmate, xmrig and ziggy. This way, when applications try to identify the running processes (by reading files under \/proc) in the containers, tmate, xmrig and ziggy will not be found. Linux tools such as ps, top and many other container monitoring tools will be blind to these malicious processes.\r\n\r\n[caption id=\"attachment_116868\" align=\"aligncenter\" width=\"900\"] Figure 3. Function that overwrites readdir64() in X86_64.so.[\/caption]\r\nEncrypted ELF Binary\r\nHildegard deploys an IRC agent built from the open-source project ziggystartux. To avoid being detected by automated static analysis tools, the ziggystartux ELF is encrypted and packed in another binary (ziggy). When the binary is executed, the ziggystartux ELF is decrypted with a hardcoded Advanced Encryption Standard (AES) key and executed in memory.\r\n\r\n[caption id=\"attachment_116870\" align=\"aligncenter\" width=\"900\"] Figure 4. 
Unpacking and executing the payload.[\/caption]\r\nDisguised Process Name\r\nThe malware names the IRC process \u201cbioset\u201d, which is the name of a well-known Linux kernel process bioset. If one is only looking at the names of the running processes on a host, one can easily overlook this disguised process.\r\n\r\nDNS Monitoring Bypass\r\nThe malware modifies the system DNS resolvers and uses Google\u2019s public DNS servers to avoid being detected by DNS monitoring tools.\r\n\r\n[caption id=\"attachment_116872\" align=\"aligncenter\" width=\"900\"] Figure 5. DNS resolver modification.[\/caption]\r\nDelete Files and Clear Shell History\r\nAll the scripts are deleted immediately after being executed. TeamTNT also uses the \u201chistory -c\u201d command to clear the shell log in every script.\r\n\r\n[caption id=\"attachment_116874\" align=\"aligncenter\" width=\"748\"] Figure 6. The script clears the history and deletes itself.[\/caption]\r\nCredential Access\r\nHildegard searches for credential files on the host, as well as queries metadata for cloud-specific credentials. The identified credentials are sent back to the C2.\r\n\r\nThe searched credentials include:\r\n\r\n \tCloud access keys.\r\n \tCloud access tokens.\r\n \tSSH keys.\r\n \tDocker credentials.\r\n \tKubernetes service tokens.\r\n\r\nThe metadata servers searched:\r\n\r\n \t169.254.169.254\r\n \t169.254.170.2\r\n\r\n[caption id=\"attachment_116876\" align=\"aligncenter\" width=\"900\"] Figure 7. The script looks for credentials.[\/caption]\r\nDiscovery\r\nHildegard performs several reconnaissance operations to explore the environment.\r\n\r\n \tIt gathers and sends back the host\u2019s OS, CPU and memory information.\r\n \tIt uses masscan to search for kubelets in Kubernetes\u2019 internal network.\r\n \tIt uses kubelet\u2019s API to search for running containers in a particular node.\r\n\r\n[caption id=\"attachment_116878\" align=\"aligncenter\" width=\"900\"] Figure 8. 
The script looks for system and network information.[\/caption]\r\nLateral Movement\r\nHildegard mainly uses the unsecured kubelet to move laterally inside a Kubernetes cluster. During the discovery stage, the malware finds the exploitable kubelets and the containers these kubelets manage. The malware then creates C2 channels (tmate or IRC) and deploys malicious crypto miners in these containers. Although not observed by Unit 42 researchers, the attacker may also move laterally with the stolen credentials.\r\nCommand and Control\r\nOnce gaining the initial foothold into a container, Hildegard establishes either a tmate session or an IRC channel back to the C2. It is unclear how TeamTNT chooses and tasks between these two C2 channels, as both can serve the same purpose. At the time of writing, tmate sessions are the only way the attacker interacts with the compromised containers. Unit 42 researchers have not observed any commands in the IRC channel. However, the IRC server's metadata indicates that the server was deployed on Jan. 9, 2021, and there are around 220 clients currently connected to the server.\r\n\r\n[caption id=\"attachment_116880\" align=\"aligncenter\" width=\"535\"] Figure 9. Tmate named session created by the malware.[\/caption]\r\n\r\n[caption id=\"attachment_116882\" align=\"aligncenter\" width=\"698\"] Figure 10. The IRC servers are hardcoded in the ziggy binary.[\/caption]\r\n\r\n[caption id=\"attachment_116884\" align=\"aligncenter\" width=\"717\"] Figure 11.The IRC traffic captured at the IRC client.[\/caption]\r\nImpact\r\nThe most significant impact of the malware is resource hijacking and denial of service (DoS). The cryptojacking operation can quickly drain the entire system\u2019s resources and disrupt every application in the cluster. The xmrig mining process joins the supportxmr mining pool using the wallet address 428uyvSqdpVZL7HHgpj2T5SpasCcoHZNTTzE3Lz2H5ZkiMzqayy19sYDcBGDCjoWbTfLBnc3tc9rG4Y8gXQ8fJiP5tqeBda. 
At the time of writing, the malware campaign has ~25.05 KH\/s hashing power and there is 11 XMR (~$1,500) in the wallet.\r\n\r\n[caption id=\"attachment_116886\" align=\"aligncenter\" width=\"900\"] Figure 12. Mining activity on supportxmr.[\/caption]\r\nConclusion\r\nUnlike a Docker engine that runs on a single host, a Kubernetes cluster typically contains more than one host and every host can run multiple containers. Given the abundant resources in a Kubernetes infrastructure, a hijacked Kubernetes cluster can be more profitable than a hijacked Docker host. This new TeamTNT malware campaign is one of the most complicated attacks targeting Kubernetes. This is also the most feature-rich malware we have seen from TeamTNT so far. In particular, the threat actor has developed more sophisticated tactics for initial access, execution, defense evasion and C2. These efforts make the malware more stealthy and persistent. Although the malware is still under development and the campaign is not yet widely spread, we believe the attacker will soon mature the tools and start a large-scale deployment.\r\n\r\nPalo Alto Networks customers running Prisma Cloud are protected from this threat by the Runtime Protection features, Cryptominer Detection and by the Prisma Cloud Compute Kubernetes Compliance Protection, which alerts on an insufficient Kubernetes configuration and provides secure alternatives.\r\n\r\n[caption id=\"attachment_116888\" align=\"aligncenter\" width=\"900\"] Figure 13. Prisma Cloud Compute Kubernetes compliance protections.[\/caption]\r\n\r\n[caption id=\"attachment_116890\" align=\"aligncenter\" width=\"900\"] Figure 14. 
Prisma Cloud Compute alerting on crypto mining incident.[\/caption]\r\nIndicators of Compromise\r\nDomains\/IPs:\r\n\r\n\r\n\r\nDomain\/IP\r\nDescription\r\n\r\n\r\nThe.borg[.]wtf\r\n\r\n(45.9.150[.]36)\r\nThis machine hosts malicious files used in the campaign and receives the collected data to this C2.\r\n\r\nHosted files: TDGG, api.key, tmate, tt.sh, sGAU.sh, t.sh, x86_64.so, xmr.sh, xmrig, xmrig.so, ziggy, xmr3.assi\r\n\r\n\r\n147.75.47[.]199\r\nThe malware connects to this IP to obtain the victim host's public IP.\r\n\r\n\r\nteamtnt[.]red\r\n(45.9.148[.]108)\r\nThis host hosts malicious scripts and binaries.\r\nHosted files: pei.sh, pei64.\r\n\r\n\r\nBorg[.]wtf\r\n(45.9.148[.]108)\r\nThis host hosts malicious scripts and binaries.\r\nHosted files: aws2.sh\r\n\r\n\r\nirc.borg[.]wtf\r\n(123.245.9[.]147)\r\nThis host is one of the C2s. It runs an IRC server on port 6667.\r\n\r\n\r\nsampwn.anondns[.]net\r\n\r\n(13.245.9[.]147)\r\nThis host is one of the C2s. It runs an IRC server on port 6667.\r\n\r\n\r\n164.68.106[.]96\r\nThis host is one of the C2s. It runs an IRC server on port 6667.\r\n\r\n\r\n62.234.121[.]105\r\nThis host is one of the C2s. It runs an IRC server on port 6667.\r\n\r\n\r\n\r\nFiles:\r\n\r\n\r\n\r\nSHA256\r\nFile Name\r\nType\r\nDescription\r\n\r\n\r\n2c1528253656ac09c7473911b24b243f083e60b98a19ba1bbb050979a1f38a0f\r\nTDGG\r\nscript\r\nThis script downloads and executes tt.sh.\r\n\r\n\r\n2cde98579162ab165623241719b2ab33ac40f0b5d0a8ba7e7067c7aebc530172\r\ntt.sh\r\nscript\r\nThis script downloads and runs tmate. 
It collects system information from the victim's host and sends the collected data to C2(45.9.150[.]36)\r\n\r\n\r\nb34df4b273b3bedaab531be46a0780d97b87588e93c1818158a47f7add8c7204\r\napi.key\r\ntext\r\nThe API key is used for creating a named tmate session from the compromised containers.\r\n\r\n\r\nd2fff992e40ce18ff81b9a92fa1cb93a56fb5a82c1cc428204552d8dfa1bc04f\r\ntmate\r\nELF\r\ntmate v2.4.0\r\n\r\n\r\n74e3ccaea4df277e1a9c458a671db74aa47630928a7825f75994756512b09d64\r\nsGAU.sh\r\nscript\r\nThis script downloads and installs masscan. It scans Kubernetes' internal IP Kubelets running on port 10250. If masscan finds an exploitable Kubelet, it attempts to download and execute a cryptojacking script in all the containers.\r\n\r\n\r\n8e33496ea00218c07145396c6bcf3e25f4e38a1061f807d2d3653497a291348c\r\nkshell\r\nscript\r\nThe script performs remote code execution in containers via Kubelet\u2019s API. It also downloads and executes xmr.sh in a target container.\r\n\r\n\r\n518a19aa2c3c9f895efa0d130e6355af5b5d7edf28e2a2d9b944aa358c23d887\r\ninstall_monerod.bash\r\nscript\r\nThe script is hosted in this Github repo. It pulls and builds the official monero project. It then creates a user named \u201cmonerodaemon\u201d and starts the monero service.\r\n\r\n\r\n5923f20010cb7c1d59aab36ba41c84cd20c25c6e64aace65dc8243ea827b537b\r\nsetup_moneroocean_miner.sh\r\nscript\r\nThe script is hosted in this Github repo. It pulls and runs the MoneroOcean advanced version of xmrig.\r\n\r\n\r\na22c2a6c2fdc5f5b962d2534aaae10d4de0379c9872f07aa10c77210ca652fa9\r\nxmrig (oneroocean)\r\nELF\r\nxmrig 6.7.2-mo3. 
This binary is hosted in MoneroOcean\/xmrig Github repo.\r\n\r\n\r\nee6dbbf85a3bb301a2e448c7fddaa4c1c6f234a8c75597ee766c66f52540d015\r\npei.sh\r\nscript\r\nThis script downloads and executes pei64 or pei32, depending on the host\u2019s architecture.\r\n\r\n\r\n937842811b9e2eb87c4c19354a1a790315f2669eea58b63264f751de4da5438d\r\npei64\r\nELF\r\nThis is a Kubernetes penetration tool from the peirates project. The tool is capable of escalating privilege and pivoting through the Kubernetes cluster.\r\n\r\n\r\n72cff62d801c5bcb185aa299eb26f417aad843e617cf9c39c69f9dde6eb82742\r\npei32\r\nELF\r\nSame as pei64, but for i686 architecture.\r\n\r\n\r\n12c5c5d556394aa107a433144c185a686aba3bb44389b7241d84bea766e2aea3\r\nxmr3.assi\r\nscript\r\nThe script downloads and runs aws2.sh, t.sh and xmrig.\r\n\r\n\r\n053318adb15cf23075f737daa153b81ab8bd0f2958fa81cd85336ecdf3d7de4e\r\naws2.sh\r\nscript\r\nThe script searches for cloud credentials and sends the identified credentials to C2 (the.borg[.]wtf).\r\n\r\n\r\ne6422d97d381f255cd9e9f91f06e5e4921f070b23e4e35edd539a589b1d6aea7\r\nt.sh\r\nscript\r\nThe script downloads x86_64.so and tmate from C2. It modifies ld.so.preload and starts a tmate named session. It then sends back the victim\u2019s system info and tmate session to C2.\r\n\r\n\r\n77456c099facd775238086e8f9420308be432d461e55e49e1b24d96a8ea585e8\r\nx86_64.so\r\nELF\r\nThis shared object replaces the existing \/etc\/ld.so.preload file. 
It uses the LD_PRELOAD trick to hide the tmate process.\r\n\r\n\r\n78f92857e18107872526feb1ae834edb9b7189df4a2129a4125a3dd8917f9983\r\nxmrig\r\nELF\r\nxmrig v6.7.0\r\n\r\n\r\n3de32f315fd01b7b741cfbb7dfee22c30bf7b9a5a01d7ab6690fcb42759a3e9f\r\nxmrig.so\r\nELF\r\nThis shared object replaces the existing \/etc\/ld.so.preload.\r\n\r\nIt uses the LD_PRELOAD trick to hide the xmrig process.\r\n\r\n\r\nfe0f5fef4d78db808b9dc4e63eeda9f8626f8ea21b9d03cbd884e37cde9018ee\r\nxmr.sh\r\nscript\r\nThe script downloads and executes xmrig and ziggy.\r\n\r\n\r\n74f122fb0059977167c5ed34a7e217d9dfe8e8199020e3fe19532be108a7d607\r\nziggy\r\nELF\r\nziggy is a binary that packs an encrypted ELF. The binary decrypts the ELF at runtime and runs it in the memory. The encrypted ELF is built from ZiggyStarTux, an IRC client for embedded devices.\r\n\r\n\r\n\r\n&nbsp;","publisher":{"@type":"Organization","@id":"#panworg"},"image":{"@type":"ImageObject","url":"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2024\/06\/01_Malware_Category_1920x900-300x300.jpg","width":300,"height":300},"speakable":{"@type":"SpeakableSpecification","xPath":["\/html\/head\/title","\/html\/head\/meta[@name='description']\/@content"]},"author":[{"@type":"Person","name":"Jay Chen"},{"@type":"Person","name":"Aviv Sasson"},{"@type":"Person","name":"Ariel Zelivansky"}]}</script><link rel='stylesheet' id='crayon-css' href='https://unit42.paloaltonetworks.com/wp-content/plugins/crayon-syntax-highlighter/css/min/crayon.min.css?ver=_2.7.2_beta' media='all' /> <style id='co-authors-plus-coauthors-style-inline-css'> .wp-block-co-authors-plus-coauthors.is-layout-flow [class*=wp-block-co-authors-plus]{display:inline} </style> <style id='co-authors-plus-avatar-style-inline-css'> .wp-block-co-authors-plus-avatar :where(img){height:auto;max-width:100%;vertical-align:bottom}.wp-block-co-authors-plus-coauthors.is-layout-flow .wp-block-co-authors-plus-avatar 
:where(img){vertical-align:middle}.wp-block-co-authors-plus-avatar:is(.alignleft,.alignright){display:table}.wp-block-co-authors-plus-avatar.aligncenter{display:table;margin-inline:auto} </style> <style id='co-authors-plus-image-style-inline-css'> .wp-block-co-authors-plus-image{margin-bottom:0}.wp-block-co-authors-plus-image :where(img){height:auto;max-width:100%;vertical-align:bottom}.wp-block-co-authors-plus-coauthors.is-layout-flow .wp-block-co-authors-plus-image :where(img){vertical-align:middle}.wp-block-co-authors-plus-image:is(.alignfull,.alignwide) :where(img){width:100%}.wp-block-co-authors-plus-image:is(.alignleft,.alignright){display:table}.wp-block-co-authors-plus-image.aligncenter{display:table;margin-inline:auto} </style> <style id='safe-svg-svg-icon-style-inline-css'> .safe-svg-cover{text-align:center}.safe-svg-cover .safe-svg-inside{display:inline-block;max-width:100%}.safe-svg-cover svg{height:100%;max-height:100%;max-width:100%;width:100%} </style> <style id='classic-theme-styles-inline-css'> /*! 
This file is auto-generated */ .wp-block-button__link{color:#fff;background-color:#32373c;border-radius:9999px;box-shadow:none;text-decoration:none;padding:calc(.667em + 2px) calc(1.333em + 2px);font-size:1.125em}.wp-block-file__button{background:#32373c;color:#fff;text-decoration:none} </style> <style id='global-styles-inline-css'> :root{--wp--preset--aspect-ratio--square: 1;--wp--preset--aspect-ratio--4-3: 4/3;--wp--preset--aspect-ratio--3-4: 3/4;--wp--preset--aspect-ratio--3-2: 3/2;--wp--preset--aspect-ratio--2-3: 2/3;--wp--preset--aspect-ratio--16-9: 16/9;--wp--preset--aspect-ratio--9-16: 9/16;--wp--preset--color--black: #000000;--wp--preset--color--cyan-bluish-gray: #abb8c3;--wp--preset--color--white: #ffffff;--wp--preset--color--pale-pink: #f78da7;--wp--preset--color--vivid-red: #cf2e2e;--wp--preset--color--luminous-vivid-orange: #ff6900;--wp--preset--color--luminous-vivid-amber: #fcb900;--wp--preset--color--light-green-cyan: #7bdcb5;--wp--preset--color--vivid-green-cyan: #00d084;--wp--preset--color--pale-cyan-blue: #8ed1fc;--wp--preset--color--vivid-cyan-blue: #0693e3;--wp--preset--color--vivid-purple: #9b51e0;--wp--preset--gradient--vivid-cyan-blue-to-vivid-purple: linear-gradient(135deg,rgba(6,147,227,1) 0%,rgb(155,81,224) 100%);--wp--preset--gradient--light-green-cyan-to-vivid-green-cyan: linear-gradient(135deg,rgb(122,220,180) 0%,rgb(0,208,130) 100%);--wp--preset--gradient--luminous-vivid-amber-to-luminous-vivid-orange: linear-gradient(135deg,rgba(252,185,0,1) 0%,rgba(255,105,0,1) 100%);--wp--preset--gradient--luminous-vivid-orange-to-vivid-red: linear-gradient(135deg,rgba(255,105,0,1) 0%,rgb(207,46,46) 100%);--wp--preset--gradient--very-light-gray-to-cyan-bluish-gray: linear-gradient(135deg,rgb(238,238,238) 0%,rgb(169,184,195) 100%);--wp--preset--gradient--cool-to-warm-spectrum: linear-gradient(135deg,rgb(74,234,220) 0%,rgb(151,120,209) 20%,rgb(207,42,186) 40%,rgb(238,44,130) 60%,rgb(251,105,98) 80%,rgb(254,248,76) 
100%);--wp--preset--gradient--blush-light-purple: linear-gradient(135deg,rgb(255,206,236) 0%,rgb(152,150,240) 100%);--wp--preset--gradient--blush-bordeaux: linear-gradient(135deg,rgb(254,205,165) 0%,rgb(254,45,45) 50%,rgb(107,0,62) 100%);--wp--preset--gradient--luminous-dusk: linear-gradient(135deg,rgb(255,203,112) 0%,rgb(199,81,192) 50%,rgb(65,88,208) 100%);--wp--preset--gradient--pale-ocean: linear-gradient(135deg,rgb(255,245,203) 0%,rgb(182,227,212) 50%,rgb(51,167,181) 100%);--wp--preset--gradient--electric-grass: linear-gradient(135deg,rgb(202,248,128) 0%,rgb(113,206,126) 100%);--wp--preset--gradient--midnight: linear-gradient(135deg,rgb(2,3,129) 0%,rgb(40,116,252) 100%);--wp--preset--font-size--small: 13px;--wp--preset--font-size--medium: 20px;--wp--preset--font-size--large: 36px;--wp--preset--font-size--x-large: 42px;--wp--preset--spacing--20: 0.44rem;--wp--preset--spacing--30: 0.67rem;--wp--preset--spacing--40: 1rem;--wp--preset--spacing--50: 1.5rem;--wp--preset--spacing--60: 2.25rem;--wp--preset--spacing--70: 3.38rem;--wp--preset--spacing--80: 5.06rem;--wp--preset--shadow--natural: 6px 6px 9px rgba(0, 0, 0, 0.2);--wp--preset--shadow--deep: 12px 12px 50px rgba(0, 0, 0, 0.4);--wp--preset--shadow--sharp: 6px 6px 0px rgba(0, 0, 0, 0.2);--wp--preset--shadow--outlined: 6px 6px 0px -3px rgba(255, 255, 255, 1), 6px 6px rgba(0, 0, 0, 1);--wp--preset--shadow--crisp: 6px 6px 0px rgba(0, 0, 0, 1);}:where(.is-layout-flex){gap: 0.5em;}:where(.is-layout-grid){gap: 0.5em;}body .is-layout-flex{display: flex;}.is-layout-flex{flex-wrap: wrap;align-items: center;}.is-layout-flex > :is(*, div){margin: 0;}body .is-layout-grid{display: grid;}.is-layout-grid > :is(*, div){margin: 0;}:where(.wp-block-columns.is-layout-flex){gap: 2em;}:where(.wp-block-columns.is-layout-grid){gap: 2em;}:where(.wp-block-post-template.is-layout-flex){gap: 1.25em;}:where(.wp-block-post-template.is-layout-grid){gap: 1.25em;}.has-black-color{color: var(--wp--preset--color--black) 
!important;}.has-cyan-bluish-gray-color{color: var(--wp--preset--color--cyan-bluish-gray) !important;}.has-white-color{color: var(--wp--preset--color--white) !important;}.has-pale-pink-color{color: var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-color{color: var(--wp--preset--color--vivid-red) !important;}.has-luminous-vivid-orange-color{color: var(--wp--preset--color--luminous-vivid-orange) !important;}.has-luminous-vivid-amber-color{color: var(--wp--preset--color--luminous-vivid-amber) !important;}.has-light-green-cyan-color{color: var(--wp--preset--color--light-green-cyan) !important;}.has-vivid-green-cyan-color{color: var(--wp--preset--color--vivid-green-cyan) !important;}.has-pale-cyan-blue-color{color: var(--wp--preset--color--pale-cyan-blue) !important;}.has-vivid-cyan-blue-color{color: var(--wp--preset--color--vivid-cyan-blue) !important;}.has-vivid-purple-color{color: var(--wp--preset--color--vivid-purple) !important;}.has-black-background-color{background-color: var(--wp--preset--color--black) !important;}.has-cyan-bluish-gray-background-color{background-color: var(--wp--preset--color--cyan-bluish-gray) !important;}.has-white-background-color{background-color: var(--wp--preset--color--white) !important;}.has-pale-pink-background-color{background-color: var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-background-color{background-color: var(--wp--preset--color--vivid-red) !important;}.has-luminous-vivid-orange-background-color{background-color: var(--wp--preset--color--luminous-vivid-orange) !important;}.has-luminous-vivid-amber-background-color{background-color: var(--wp--preset--color--luminous-vivid-amber) !important;}.has-light-green-cyan-background-color{background-color: var(--wp--preset--color--light-green-cyan) !important;}.has-vivid-green-cyan-background-color{background-color: var(--wp--preset--color--vivid-green-cyan) !important;}.has-pale-cyan-blue-background-color{background-color: 
var(--wp--preset--color--pale-cyan-blue) !important;}.has-vivid-cyan-blue-background-color{background-color: var(--wp--preset--color--vivid-cyan-blue) !important;}.has-vivid-purple-background-color{background-color: var(--wp--preset--color--vivid-purple) !important;}.has-black-border-color{border-color: var(--wp--preset--color--black) !important;}.has-cyan-bluish-gray-border-color{border-color: var(--wp--preset--color--cyan-bluish-gray) !important;}.has-white-border-color{border-color: var(--wp--preset--color--white) !important;}.has-pale-pink-border-color{border-color: var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-border-color{border-color: var(--wp--preset--color--vivid-red) !important;}.has-luminous-vivid-orange-border-color{border-color: var(--wp--preset--color--luminous-vivid-orange) !important;}.has-luminous-vivid-amber-border-color{border-color: var(--wp--preset--color--luminous-vivid-amber) !important;}.has-light-green-cyan-border-color{border-color: var(--wp--preset--color--light-green-cyan) !important;}.has-vivid-green-cyan-border-color{border-color: var(--wp--preset--color--vivid-green-cyan) !important;}.has-pale-cyan-blue-border-color{border-color: var(--wp--preset--color--pale-cyan-blue) !important;}.has-vivid-cyan-blue-border-color{border-color: var(--wp--preset--color--vivid-cyan-blue) !important;}.has-vivid-purple-border-color{border-color: var(--wp--preset--color--vivid-purple) !important;}.has-vivid-cyan-blue-to-vivid-purple-gradient-background{background: var(--wp--preset--gradient--vivid-cyan-blue-to-vivid-purple) !important;}.has-light-green-cyan-to-vivid-green-cyan-gradient-background{background: var(--wp--preset--gradient--light-green-cyan-to-vivid-green-cyan) !important;}.has-luminous-vivid-amber-to-luminous-vivid-orange-gradient-background{background: var(--wp--preset--gradient--luminous-vivid-amber-to-luminous-vivid-orange) !important;}.has-luminous-vivid-orange-to-vivid-red-gradient-background{background: 
var(--wp--preset--gradient--luminous-vivid-orange-to-vivid-red) !important;}.has-very-light-gray-to-cyan-bluish-gray-gradient-background{background: var(--wp--preset--gradient--very-light-gray-to-cyan-bluish-gray) !important;}.has-cool-to-warm-spectrum-gradient-background{background: var(--wp--preset--gradient--cool-to-warm-spectrum) !important;}.has-blush-light-purple-gradient-background{background: var(--wp--preset--gradient--blush-light-purple) !important;}.has-blush-bordeaux-gradient-background{background: var(--wp--preset--gradient--blush-bordeaux) !important;}.has-luminous-dusk-gradient-background{background: var(--wp--preset--gradient--luminous-dusk) !important;}.has-pale-ocean-gradient-background{background: var(--wp--preset--gradient--pale-ocean) !important;}.has-electric-grass-gradient-background{background: var(--wp--preset--gradient--electric-grass) !important;}.has-midnight-gradient-background{background: var(--wp--preset--gradient--midnight) !important;}.has-small-font-size{font-size: var(--wp--preset--font-size--small) !important;}.has-medium-font-size{font-size: var(--wp--preset--font-size--medium) !important;}.has-large-font-size{font-size: var(--wp--preset--font-size--large) !important;}.has-x-large-font-size{font-size: var(--wp--preset--font-size--x-large) !important;} :where(.wp-block-post-template.is-layout-flex){gap: 1.25em;}:where(.wp-block-post-template.is-layout-grid){gap: 1.25em;} :where(.wp-block-columns.is-layout-flex){gap: 2em;}:where(.wp-block-columns.is-layout-grid){gap: 2em;} :root :where(.wp-block-pullquote){font-size: 1.5em;line-height: 1.6;} </style> <link rel='stylesheet' id='post-views-counter-frontend-css' href='https://unit42.paloaltonetworks.com/wp-content/plugins/post-views-counter/css/frontend.min.css?ver=1.4.8' media='all' /> <link rel='stylesheet' id='wpml-legacy-post-translations-0-css' 
href='https://unit42.paloaltonetworks.com/wp-content/plugins/sitepress-multilingual-cms/templates/language-switchers/legacy-post-translations/style.min.css?ver=1' media='all' /> <link rel='stylesheet' id='unit42-v6-style-css' href='https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/style.css?ver=1.0.0' media='all' /> <link rel='stylesheet' id='unit42-v6-head-styles-css' href='https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/css/head-styles.css?ver=1.0.0' media='all' /> <link rel='stylesheet' id='unit42-v5-custom-styles-css' href='https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/css/main.css?ver=1.0.0' media='all' /> <link rel='stylesheet' id='unit42-v6-plugin-styles-css' href='https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/css/plugin.css?ver=1.0.0' media='all' /> <link rel='stylesheet' id='unit42-v6-custom-styles-css' href='https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/css/main-redesign.css?ver=1.0.0' media='all' /> <link rel='stylesheet' id='like-dislike-css' href='https://unit42.paloaltonetworks.com/wp-content/plugins/like-dislike-counter-for-posts-pages-and-comments/css/ldc-lite.css?ver=1.0.0' media='all' /> <script src="https://unit42.paloaltonetworks.com/wp-includes/js/jquery/jquery.min.js?ver=3.7.1" id="jquery-core-js"></script> <script src="https://unit42.paloaltonetworks.com/wp-includes/js/jquery/jquery-migrate.min.js?ver=3.4.1" id="jquery-migrate-js"></script> <script id="crayon_js-js-extra"> var CrayonSyntaxSettings = {"version":"_2.7.2_beta","is_admin":"0","ajaxurl":"https:\/\/unit42.paloaltonetworks.com\/wp-admin\/admin-ajax.php","prefix":"crayon-","setting":"crayon-setting","selected":"crayon-setting-selected","changed":"crayon-setting-changed","special":"crayon-setting-special","orig_value":"data-orig-value","debug":""}; var CrayonSyntaxStrings = {"copy":"Press %s to Copy, %s to Paste","minimize":"Click To Expand Code"}; </script> <script 
src="https://unit42.paloaltonetworks.com/wp-content/plugins/crayon-syntax-highlighter/js/min/crayon.min.js?ver=_2.7.2_beta" id="crayon_js-js"></script> <script id="post-views-counter-frontend-js-before"> var pvcArgsFrontend = {"mode":"js","postID":116861,"requestURL":"https:\/\/unit42.paloaltonetworks.com\/wp-admin\/admin-ajax.php","nonce":"efa6193a47","dataStorage":"cookies","multisite":false,"path":"\/","domain":""}; </script> <script src="https://unit42.paloaltonetworks.com/wp-content/plugins/post-views-counter/js/frontend.min.js?ver=1.4.8" id="post-views-counter-frontend-js"></script> <script id="wpml-xdomain-data-js-extra"> var wpml_xdomain_data = {"css_selector":"wpml-ls-item","ajax_url":"https:\/\/unit42.paloaltonetworks.com\/wp-admin\/admin-ajax.php","current_lang":"en","_nonce":"aec505c39e"}; </script> <script src="https://unit42.paloaltonetworks.com/wp-content/plugins/sitepress-multilingual-cms/res/js/xdomain-data.js?ver=4.6.15" id="wpml-xdomain-data-js" defer data-wp-strategy="defer"></script> <link rel="https://api.w.org/" href="https://unit42.paloaltonetworks.com/wp-json/" /><link rel="alternate" title="JSON" type="application/json" href="https://unit42.paloaltonetworks.com/wp-json/wp/v2/posts/116861" /><link rel="EditURI" type="application/rsd+xml" title="RSD" href="https://unit42.paloaltonetworks.com/xmlrpc.php?rsd" /> <meta name="generator" content="WordPress 6.7.1" /> <link rel='shortlink' href='https://unit42.paloaltonetworks.com/?p=116861' /> <link rel="alternate" title="oEmbed (JSON)" type="application/json+oembed" href="https://unit42.paloaltonetworks.com/wp-json/oembed/1.0/embed?url=https%3A%2F%2Funit42.paloaltonetworks.com%2Fhildegard-malware-teamtnt%2F" /> <link rel="alternate" title="oEmbed (XML)" type="text/xml+oembed" href="https://unit42.paloaltonetworks.com/wp-json/oembed/1.0/embed?url=https%3A%2F%2Funit42.paloaltonetworks.com%2Fhildegard-malware-teamtnt%2F&#038;format=xml" /> <meta name="generator" content="WPML ver:4.6.15 stt:1,28;" 
/> <meta name="google-site-verification" content="zHZtYOWm9hm4SZgsH7wqiYcOwmsAsxDUDU4UD1QxB40" /><style>#wpdevart_lb_overlay{background-color:#000000;} #wpdevart_lb_overlay.wpdevart_opacity{opacity:0.8 !important;} #wpdevart_lb_main_desc{ -webkit-transition: opacity 0.3s ease; -moz-transition: opacity 0.3s ease; -o-transition: opacity 0.3s ease; transition: opacity 0.3s ease;} #wpdevart_lb_information_content{ -webkit-transition: opacity 0.3s ease; -moz-transition: opacity 0.3s ease; -o-transition: opacity 0.3s ease; transition: opacity 0.3s ease;} #wpdevart_lb_information_content{ width:100%; padding-top:0px; padding-bottom:0px; } #wpdevart_info_counter_of_imgs{ display: inline-block; padding-left:15px; padding-right:4px; font-size:20px; color:#000000; } #wpdevart_info_caption{ display: inline-block; padding-left:15px; padding-right:4px; font-size:20px; color:#000000; } #wpdevart_info_title{ display: inline-block; padding-left:5px; padding-right:5px; font-size:15px; color:#000000; } @-webkit-keyframes rotate { to {-webkit-transform: rotate(360deg);} from {-webkit-transform: rotate(0deg);} } @keyframes rotate { to {transform: rotate(360deg);} from {transform: rotate(0deg);} } #wpdevart_lb_loading_img,#wpdevart_lb_loading_img_first{ -webkit-animation: rotate 2s linear infinite; animation: rotate 2s linear infinite; } </style> <link rel="icon" href="https://unit42.paloaltonetworks.com/wp-content/uploads/2024/06/icon-Unit42-180x180-1.png" sizes="32x32" /> <link rel="icon" href="https://unit42.paloaltonetworks.com/wp-content/uploads/2024/06/icon-Unit42-180x180-1.png" sizes="192x192" /> <link rel="apple-touch-icon" href="https://unit42.paloaltonetworks.com/wp-content/uploads/2024/06/icon-Unit42-180x180-1.png" /> <meta name="msapplication-TileImage" content="https://unit42.paloaltonetworks.com/wp-content/uploads/2024/06/icon-Unit42-180x180-1.png" /> <script>var $ = jQuery;</script> <script type="text/javascript"> ;(function(win, doc, style, timeout) { var STYLE_ID = 
'at-body-style'; function getParent() { return doc.getElementsByTagName('head')[0]; } function addStyle(parent, id, def) { if (!parent) { return; } var style = doc.createElement('style'); style.id = id; style.innerHTML = def; parent.appendChild(style); } function removeStyle(parent, id) { if (!parent) { return; } var style = doc.getElementById(id); if (!style) { return; } parent.removeChild(style); } addStyle(getParent(), STYLE_ID, style); setTimeout(function() { removeStyle(getParent(), STYLE_ID); }, timeout); }(window, document, "body {visibility:hidden !important}", 3000)); </script> <script src="https://assets.adobedtm.com/9273d4aedcd2/0d76ae0322d7/launch-425c423d843b.min.js" async></script> <script type="text/javascript" src="https://www.paloaltonetworks.com/content/dam/pan/en_US/includes/attribution.js"></script> <script type="text/javascript"> var isIE11 = !!navigator.userAgent.match(/Trident.*rv\:11\./); if(isIE11){ var polyfill = 'https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/scripts/polyfill.min.js'; document.write('<script type="text/javascript" src="'+polyfill+'">\x3C/script>'); } /** * String.prototype.replaceAll() polyfill * https://gomakethings.com/how-to-replace-a-section-of-a-string-with-another-one-with-vanilla-js/ * @author Chris Ferdinandi * @license MIT */ if (!String.prototype.replaceAll) { String.prototype.replaceAll = function(str, newStr){ // If a regex pattern if (Object.prototype.toString.call(str).toLowerCase() === '[object regexp]') { return this.replace(str, newStr); } // If a string return this.replace(new RegExp(str, 'g'), newStr); }; } /*! 
lozad.js - v1.16.0 - 2020-09-06 */ !function(t,e){"object"==typeof exports&&"undefined"!=typeof module?module.exports=e():"function"==typeof define&&define.amd?define(e):t.lozad=e()}(this,function(){"use strict"; /** * Detect IE browser * @const {boolean} * @private */var g="undefined"!=typeof document&&document.documentMode,f={rootMargin:"0px",threshold:0,load:function(t){if("picture"===t.nodeName.toLowerCase()){var e=t.querySelector("img"),r=!1;null===e&&(e=document.createElement("img"),r=!0),g&&t.getAttribute("data-iesrc")&&(e.src=t.getAttribute("data-iesrc")),t.getAttribute("data-alt")&&(e.alt=t.getAttribute("data-alt")),r&&t.append(e)}if("video"===t.nodeName.toLowerCase()&&!t.getAttribute("data-src")&&t.children){for(var a=t.children,o=void 0,i=0;i<=a.length-1;i++)(o=a[i].getAttribute("data-src"))&&(a[i].src=o);t.load()}t.getAttribute("data-poster")&&(t.poster=t.getAttribute("data-poster")),t.getAttribute("data-src")&&(t.src=t.getAttribute("data-src")),t.getAttribute("data-srcset")&&t.setAttribute("srcset",t.getAttribute("data-srcset"));var n=",";if(t.getAttribute("data-background-delimiter")&&(n=t.getAttribute("data-background-delimiter")),t.getAttribute("data-background-image"))t.style.backgroundImage="url('"+t.getAttribute("data-background-image").split(n).join("'),url('")+"')";else if(t.getAttribute("data-background-image-set")){var d=t.getAttribute("data-background-image-set").split(n),u=d[0].substr(0,d[0].indexOf(" "))||d[0];// Substring before ... 
1x u=-1===u.indexOf("url(")?"url("+u+")":u,1===d.length?t.style.backgroundImage=u:t.setAttribute("style",(t.getAttribute("style")||"")+"background-image: "+u+"; background-image: -webkit-image-set("+d+"); background-image: image-set("+d+")")}t.getAttribute("data-toggle-class")&&t.classList.toggle(t.getAttribute("data-toggle-class"))},loaded:function(){}};function A(t){t.setAttribute("data-loaded",!0)}var m=function(t){return"true"===t.getAttribute("data-loaded")},v=function(t){var e=1<arguments.length&&void 0!==arguments[1]?arguments[1]:document;return t instanceof Element?[t]:t instanceof NodeList?t:e.querySelectorAll(t)};return function(){var r,a,o=0<arguments.length&&void 0!==arguments[0]?arguments[0]:".lozad",t=1<arguments.length&&void 0!==arguments[1]?arguments[1]:{},e=Object.assign({},f,t),i=e.root,n=e.rootMargin,d=e.threshold,u=e.load,g=e.loaded,s=void 0;"undefined"!=typeof window&&window.IntersectionObserver&&(s=new IntersectionObserver((r=u,a=g,function(t,e){t.forEach(function(t){(0<t.intersectionRatio||t.isIntersecting)&&(e.unobserve(t.target),m(t.target)||(r(t.target),A(t.target),a(t.target)))})}),{root:i,rootMargin:n,threshold:d}));for(var c,l=v(o,i),b=0;b<l.length;b++)(c=l[b]).getAttribute("data-placeholder-background")&&(c.style.background=c.getAttribute("data-placeholder-background"));return{observe:function(){for(var t=v(o,i),e=0;e<t.length;e++)m(t[e])||(s?s.observe(t[e]):(u(t[e]),A(t[e]),g(t[e])))},triggerLoad:function(t){m(t)||(u(t),A(t),g(t))},observer:s}}}); </script> <!-- <script src="https://www.google.com/recaptcha/api.js"></script> --> <!-- End: Scripts Migrated From Unit42-v5 --> </head> <body class="post-template-default single single-post postid-116861 single-format-standard no-sidebar"> <header class="haeder py-15 position-relative z-index-2" style="display: none;"> <div class="container px-sm-30 px-35"> <div class="row"> <div class="first-logo col-sm-auto col-6 mb-sm-0 mb-40 text-sm-center order-1"> <a 
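menu-item-81229"><a href="https://unit42.paloaltonetworks.com/about-unit-42/">About Us</a></li> <li id="menu-item-121229" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-121229"><a href="https://start.paloaltonetworks.com/contact-unit42.html"><b style="color:#C84727">Under Attack?</b></a></li> </ul> </div> </nav>
<div class="panClean pan-template-home" id="main-nav-menu-cont" style="display:none;"> <div class="cleanHeader mainNavigationComp baseComponent parbase"> <div class="productNav2021Component dark default" id="PAN_2021_NAV_ASYNC"> </div> </div> <div class="cleanTopHtml htmlComp baseComponent parbase"><div class="base-component-spacer spacer-none "></div> </div> </div>
<!-- Start: Scripts Migrated From Unit42-v5 -->
<script type="text/javascript">
/*
 * Unit 42 shared-navigation loader.
 *
 * Decides which Palo Alto Networks product navigation to render from a
 * "container" hint (sessionStorage, the navContainer cookie, the referrer),
 * fetches that navigation's HTML from a FIXED set of first-party URLs and
 * injects it into #PAN_2021_NAV_ASYNC.
 *
 * Security note for maintainers: the cookie, sessionStorage and referrer
 * values only SELECT one of the six allow-listed container names below;
 * they are never concatenated into a URL or into the injected markup.
 * Keep it that way - the fetched HTML is written with innerHTML, which is
 * only acceptable because every menu URL in NAV_SOURCES is a constant
 * first-party endpoint.
 */

var NAV_CONTAINERS = ['Prisma', 'CloudCortex', 'Cortex', 'Sase', 'Unit', 'Ngfw'];
var MAIN_SITE = 'https://www.paloaltonetworks.com';

/* Constant menu endpoint and search page per container. `referer` is only
 * ever used as a key into this table, never as part of a URL. */
var NAV_SOURCES = {
  Prisma: {
    menu: MAIN_SITE + '/_jcr_content/globals/cleanHeaderPrisma.prismaRenderer.html',
    search: MAIN_SITE + "/search/prismasearch"
  },
  CloudCortex: {
    menu: 'https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/unit-nav-renderer.php?type=cortexcloud',
    search: MAIN_SITE + "/search/cortexcloudsearch"
  },
  Cortex: {
    menu: MAIN_SITE + '/_jcr_content/globals/cleanHeaderCortex.cortexRenderer.html',
    search: MAIN_SITE + "/search/cortexsearch"
  },
  Sase: {
    menu: MAIN_SITE + '/_jcr_content/globals/cleanHeaderSase.saseRenderer.html',
    search: MAIN_SITE + "/search/sasesearch"
  },
  Unit: {
    menu: 'https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/unit-nav-renderer.php?type=unit42',
    search: MAIN_SITE + "/content/pan/en_US/search/unit42search"
  },
  Ngfw: {
    menu: 'https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/ngfw-cdss-nav-renderer.php',
    search: MAIN_SITE + "/search/ngfwcdsssearch"
  }
};

/**
 * Return the value of cookie `cname`, or "" when it is not set.
 *
 * The raw cookie string is split on ';' BEFORE decoding, so a
 * percent-encoded ';' inside another cookie's value cannot shift the
 * boundaries, and each value is decoded inside try/catch so a malformed
 * escape sequence in an unrelated third-party cookie cannot throw a
 * URIError and abort this whole script (the previous version decoded all
 * of document.cookie up front and had both problems).
 */
function getCookie(cname) {
  var prefix = cname + "=";
  var parts = document.cookie.split(';');
  for (var i = 0; i < parts.length; i++) {
    var c = parts[i].replace(/^\s+/, '');
    if (c.indexOf(prefix) === 0) {
      var raw = c.substring(prefix.length);
      try {
        return decodeURIComponent(raw);
      } catch (e) {
        return raw; // not valid percent-encoding; hand it back verbatim
      }
    }
  }
  return "";
}

/**
 * Lower-cased hostname of `url`, or "" if empty/unparseable.
 * Uses an anchor element so it works without the URL constructor (IE11).
 * "Came from paloaltonetworks.com" should mean the referrer's HOST is that
 * domain, not that the text appears anywhere in the URL (e.g. in a query
 * string of an unrelated site), which is what the old substring test did.
 */
function hostOf(url) {
  if (!url) { return ""; }
  var a = document.createElement('a');
  a.href = url;
  return (a.hostname || "").toLowerCase();
}

/** True when `host` is `domain` itself or a subdomain of it. */
function hostIs(host, domain) {
  return host === domain || host.slice(-(domain.length + 1)) === '.' + domain;
}

/**
 * Map a free-form container hint to one allow-listed name, or "".
 * First match wins; 'CloudCortex' must be tested before 'Cortex'.
 * (Previously the sessionStorage and cookie paths resolved a hint that
 * named several products differently; both now use this single order.)
 */
function normalizeContainer(hint) {
  if (!hint) { return ""; }
  if (hint.indexOf('Prisma') !== -1) { return 'Prisma'; }
  if (hint.indexOf('CloudCortex') !== -1) { return 'CloudCortex'; }
  if (hint.indexOf('Cortex') !== -1) { return 'Cortex'; }
  if (hint.indexOf('Sase') !== -1) { return 'Sase'; }
  if (hint.indexOf('Unit') !== -1) { return 'Unit'; }
  if (hint.indexOf('Ngfw') !== -1) { return 'Ngfw'; }
  return "";
}

var referer = "";
var searchResultsPagePath = "";
var pcontainer = sessionStorage.getItem("container");
referer = normalizeContainer(pcontainer);

var fromRef = document.referrer;
var refHost = hostOf(fromRef);
var nContainer = getCookie("navContainer");
if (nContainer) {
  // Arriving from a main-site property: the navContainer cookie overrides
  // whatever this tab remembered, and is then consumed (cleared).
  if (hostIs(refHost, "prismacloud.io")) {
    referer = 'Prisma';
    sessionStorage.setItem("container", "Prisma");
  } else if (hostIs(refHost, "paloaltonetworks.com") || hostIs(refHost, "paloaltonetworks.jp")) {
    var fromCookie = normalizeContainer(nContainer);
    if (fromCookie) {
      referer = fromCookie;
      sessionStorage.setItem("container", fromCookie);
    }
    document.cookie = 'navContainer=; path=/; domain=.paloaltonetworks.com; expires=' + new Date(0).toUTCString();
  }
}
// Anything not on the allow-list falls back to the Unit 42 navigation.
if (NAV_CONTAINERS.indexOf(referer) === -1) {
  referer = 'Unit';
  sessionStorage.setItem("container", "Unit");
}

/**
 * Fetch the navigation for the current `referer`, record the matching
 * search page in `searchResultsPagePath`, and unhide the nav container.
 */
function callMainSitePrismaNavHTML() {
  var referrer_domain = MAIN_SITE;
  sessionStorage.setItem("domain", referrer_domain);
  if (!Object.prototype.hasOwnProperty.call(NAV_SOURCES, referer)) {
    return; // defensive: referer is normalized above, so this should not happen
  }
  var src = NAV_SOURCES[referer];
  searchResultsPagePath = src.search;
  httpGet(src.menu, 'menu_html');
  document.getElementById('main-nav-menu-cont').removeAttribute("style");
}

/** Append a <style> element containing `styles` to <head>. */
function addStyle(styles) {
  var css = document.createElement('style');
  css.type = 'text/css';
  if (css.styleSheet) {
    css.styleSheet.cssText = styles; // legacy IE
  } else {
    css.appendChild(document.createTextNode(styles));
  }
  document.getElementsByTagName("head")[0].appendChild(css);
}

/**
 * GET `theUrl`; on HTTP 200 either inject it as navigation markup
 * (`req_type === 'menu_html'`) or append it as inline CSS
 * (`req_type === 'head_inline_css'`). Other statuses are ignored.
 *
 * `theUrl` must be one of the constants in NAV_SOURCES (or another
 * constant): the 'menu_html' path trusts the response and writes it with
 * innerHTML. The request object is a local; the previous version leaked
 * an implicit global `xmlhttp`, so overlapping requests clobbered it.
 */
function httpGet(theUrl, req_type) {
  var xhr = new XMLHttpRequest();
  xhr.onreadystatechange = function () {
    if (xhr.readyState !== 4 || xhr.status !== 200) { return; }
    if (req_type === 'menu_html') {
      injectNavMarkup(xhr.responseText);
    } else if (req_type === 'head_inline_css') {
      addStyle(xhr.responseText);
    }
  };
  xhr.open("GET", theUrl, true);
  xhr.send();
}

/**
 * Absolutize the main-site nav fragment's root-relative URLs, drop its
 * Coveo search script include, inject it, rewrite lazy-loaded background
 * images to point at the main site, and start the lozad observer.
 */
function injectNavMarkup(html) {
  var nav_text = html.replaceAll('https://static.cloud.coveo.com/searchui/v2.9159/js/CoveoJsSearch.Lazy.min.js', '');
  nav_text = nav_text.replaceAll('src="/', 'src="' + maindomain_lang + '/');
  nav_text = nav_text.replaceAll("'/content", "'" + maindomain_lang + "/content");
  nav_text = nav_text.replaceAll('href="/', 'href="' + maindomain_lang + '/');
  document.getElementById("PAN_2021_NAV_ASYNC").innerHTML = nav_text;

  // data-background-image arrives as url('/path') relative to the main site:
  // pull out the quoted path and prefix the main-site origin.
  var lozad_back = document.getElementsByClassName('lozad-background');
  Array.prototype.forEach.call(lozad_back, function (el) {
    var raw = el.getAttribute('data-background-image');
    if (!raw) { return; }                                  // attribute missing: nothing to rewrite
    var first_pos = raw.indexOf("'");
    var last_pos = raw.indexOf("'", first_pos + 1);
    if (first_pos === -1 || last_pos === -1) { return; }   // not the url('...') form we expect
    el.setAttribute("data-background-image", main_site_url + raw.substring(first_pos + 1, last_pos));
  });

  if (typeof lozad === 'function') { // lozad is defined by an inline script in <head>
    var observer_lozad = lozad('.lozad, .lozad-background');
    observer_lozad.observe();
  }
}

// Tag the placeholder with the chosen container so theme CSS can style it,
// then fetch the matching navigation.
(function () {
  var article = document.querySelector('#PAN_2021_NAV_ASYNC');
  if (!article) { return; }
  var typeByContainer = { Prisma: 'prisma', CloudCortex: 'cloudcortex', Sase: 'sase', Unit: 'unit', Ngfw: 'ngfw' };
  if (Object.prototype.hasOwnProperty.call(typeByContainer, referer)) { // 'Cortex' keeps the markup's default
    article.dataset.type = typeByContainer[referer];
  }
  if (referer === 'Prisma' || referer === 'Unit' || referer === 'Ngfw') {
    $('#PAN_2021_NAV_ASYNC').removeClass('default').addClass('defaultRedesigned');
  }
  callMainSitePrismaNavHTML();
}());
</script>
<!-- End: Scripts Migrated From Unit42-v5 -->
<main class="main"> <section class="section section--article"> <div class="pa article-banner" style="background-image:url('https://unit42.paloaltonetworks.com/wp-content/uploads/2024/06/01_Malware_Category_1920x900.jpg')"> <div class="l-container"> <div class="l-breadcrumbs"> <ul> <li> <a href="https://unit42.paloaltonetworks.com" role="link" title="Threat Research" data-page-track="true" data-page-track-value="hildegard-malware-teamtnt:hero:breadcrumb:Threat Research">Threat Research Center</a></li><li><a href="https://unit42.paloaltonetworks.com/category/threat-research/" role="link" title="Threat Research" data-page-track="true" data-page-track-value="hildegard-malware-teamtnt:hero:breadcrumb:Threat Research">Threat Research</a></li><li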
class="is-current"><a href="https://unit42.paloaltonetworks.com/category/cloud-cybersecurity-research/" role="link" title="Cloud Cybersecurity Research" data-page-track="true" data-page-track-value="hildegard-malware-teamtnt:hero:breadcrumb:Cloud Cybersecurity Research">Cloud Cybersecurity Research</a></li> </ul> </div> <div class="ab__title"> <a class="card-category" href="https://unit42.paloaltonetworks.com/category/cloud-cybersecurity-research/" role="link" data-page-track="true" data-page-track-value="hildegard-malware-teamtnt:hero:Cloud Cybersecurity Research"><span class="ab-title__pre">Cloud Cybersecurity Research</span></a> <h1>Hildegard: New TeamTNT Cryptojacking Malware Targeting Kubernetes</h1> <div class="ab__video"> <span class="duration"> <img src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/icon-clock.svg" alt="Clock Icon"><span class="span-reading-time rt-reading-time"><span class="rt-label rt-prefix"></span> <span class="rt-time"> 10</span> <span class="rt-label rt-postfix"></span></span> min read </span> </div> <div class="ab-lc__wrapper"> <span class="ab-title__pre">Related Products</span><div class="ab__link-cards"><a class="l-linkcard is-blue" href="https://unit42.paloaltonetworks.com/product-category/prisma-cloud/" style="--card-color: #00c0e8" role="link" title="Prisma Cloud" data-page-track="true" data-page-track-value="hildegard-malware-teamtnt:hero:Prisma Cloud"><img src="https://unit42.paloaltonetworks.com/wp-content/uploads/2024/06/prisma_RGB_logo_Icon_Color.png" alt="Prisma Cloud icon">Prisma Cloud</a></div> </div> </div> </div> <div class="ab__footer"> <div class="l-container"> <div class="ab__footer-wrapper"> <ul class="ab__features" role="list"> <li role="listitem"> <img src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/icon-profile-grey.svg" alt="Profile Icon"> <div class="ab__text"><span>By:</span><ul class="ab__tags"><li><a data-page-track="true" 
data-page-track-value="hildegard-malware-teamtnt:hero:Jay Chen" href="https://unit42.paloaltonetworks.com/author/jaychenpaloaltonetworks-com/">Jay Chen</a></li><li><a data-page-track="true" data-page-track-value="hildegard-malware-teamtnt:hero:Aviv Sasson" href="https://unit42.paloaltonetworks.com/author/aviv-sasson/">Aviv Sasson</a></li><li><a data-page-track="true" data-page-track-value="hildegard-malware-teamtnt:hero:Ariel Zelivansky" href="https://unit42.paloaltonetworks.com/author/ariel-zelivansky/">Ariel Zelivansky</a></li></ul></div></li> <li role="listitem"> <img src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/icon-calendar-grey.svg" alt="Published Icon"> <div class="ab__text"><span>Published:</span>February 3, 2021</div></li> <li role="listitem"><img src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/icon-category.svg" alt="Tags Icon"><div class="ab__text"><span>Categories:</span><ul class="ab__tags"><li><a data-page-track="true" data-page-track-value="hildegard-malware-teamtnt:hero:Cloud Cybersecurity Research" href="https://unit42.paloaltonetworks.com/category/cloud-cybersecurity-research/">Cloud Cybersecurity Research</a></li><li><a data-page-track="true" data-page-track-value="hildegard-malware-teamtnt:hero:Threat Research" href="https://unit42.paloaltonetworks.com/category/threat-research/">Threat Research</a></li></ul></div> </li> <li role="listitem"><img src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/icon-tags-grey.svg" alt="Tags Icon"><div class="ab__text"><span>Tags:</span><ul class="ab__tags"><li><a data-page-track="true" data-page-track-value="hildegard-malware-teamtnt:hero:Containers" href="https://unit42.paloaltonetworks.com/tag/containers/">Containers</a></li><li><a data-page-track="true" data-page-track-value="hildegard-malware-teamtnt:hero:cryptojacking" 
href="https://unit42.paloaltonetworks.com/tag/cryptojacking/">Cryptojacking</a></li><li><a data-page-track="true" data-page-track-value="hildegard-malware-teamtnt:hero:Docker" href="https://unit42.paloaltonetworks.com/tag/docker/">Docker</a></li><li><a data-page-track="true" data-page-track-value="hildegard-malware-teamtnt:hero:Kubernetes" href="https://unit42.paloaltonetworks.com/tag/kubernetes/">Kubernetes</a></li><li><a data-page-track="true" data-page-track-value="hildegard-malware-teamtnt:hero:public cloud" href="https://unit42.paloaltonetworks.com/tag/public-cloud/">Public cloud</a></li><li><a data-page-track="true" data-page-track-value="hildegard-malware-teamtnt:hero:TeamTnT" href="https://unit42.paloaltonetworks.com/tag/teamtnt/">TeamTnT</a></li></ul></div> </li> </ul> <div class="ab__options"> <ul role="list"> <li role="listitem"><a href="https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/?pdf=download&#038;lg=en&#038;_wpnonce=209527829e" role="link" target="_blank" title="Click here to download" data-page-track="true" data-page-track-value="hildegard-malware-teamtnt:hero:pdfdownload"> <img src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/icon-download.svg" alt="Download Icon"></a></li> <li role="listitem"><a href="https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/?pdf=print&#038;lg=en&#038;_wpnonce=209527829e" target="_blank" role="link" title="Click here to print" data-page-track="true" data-page-track-value="hildegard-malware-teamtnt:hero:pdfprint"> <img src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/icon-print.svg" alt="Print Icon"></a></li> </ul> <div class="ab__share" id="shareDropdown" role="button" aria-expanded="false"> <a href="#" role="link" title="Click here to share" data-page-track="true" data-page-track-value="hildegard-malware-teamtnt:share" class="">Share<img 
alt="LinkedIn Icon"></a> </li> <li role="menuitem"> <a href="https://twitter.com/intent/tweet?url=https%3A%2F%2Funit42.paloaltonetworks.com%2Fhildegard-malware-teamtnt%2F&#038;text=Hildegard:%20New%20TeamTNT%20Cryptojacking%20Malware%20Targeting%20Kubernetes" target="_blank" role="link" title="Share in Twitter" data-page-track="true" data-page-track-value="hildegard-malware-teamtnt:share:twitter"> <img src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/icon-twitter-share.svg" alt="Twitter Icon"></a> </li> <li role="menuitem"> <a href="//www.reddit.com/submit?url=https%3A%2F%2Funit42.paloaltonetworks.com%2Fhildegard-malware-teamtnt%2F" target="_blank" role="link" title="Share in Reddit" data-page-track="true" data-page-track-value="hildegard-malware-teamtnt:share:reddit"> <img src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/icon-reddit-share.svg" alt="Reddit Icon"></a> </li> <li role="menuitem"> <a href="https://mastodon.social/share?text=Hildegard:%20New%20TeamTNT%20Cryptojacking%20Malware%20Targeting%20Kubernetes%20https%3A%2F%2Funit42.paloaltonetworks.com%2Fhildegard-malware-teamtnt%2F" target="_blank" role="link" title="Share in Mastodon" data-page-track="true" data-page-track-value="hildegard-malware-teamtnt:share:mastodon"> <img src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/icon-mastodon-share.svg" alt="Mastodon Icon"></a> </li> </ul> </div> </div> </div> </div> </div> </div> </section> <section class="section blog-contents"> <div class="pa blog-editor"> <div class="l-container"> <div class="be__wrapper"> <div class="be__contents"> <div class="be__contents-wrapper"> <p class="wpml-ls-statics-post_translations wpml-ls">This post is also available in: <span class="wpml-ls-slot-post_translations wpml-ls-item wpml-ls-item-ja wpml-ls-first-item wpml-ls-last-item wpml-ls-item-legacy-post-translations"><a 
href="https://unit42.paloaltonetworks.jp/hildegard-malware-teamtnt/" class="wpml-ls-link"><span class="wpml-ls-native" lang="ja">日本語</span><span class="wpml-ls-display"><span class="wpml-ls-bracket"> (</span>Japanese<span class="wpml-ls-bracket">)</span></span></a></span></p><h2><a id="post-116861-_yo7q66wp4ltu"></a>Executive Summary</h2> <p>In January 2021, Unit 42 researchers detected a new malware campaign targeting Kubernetes clusters. The attackers gained initial access via a misconfigured <a href="https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/#:~:text=Synopsis,object%20that%20describes%20a%20pod.">kubelet</a> that allowed anonymous access. Once getting a foothold into a Kubernetes cluster, the malware attempted to spread over as many containers as possible and eventually launched cryptojacking operations. Based on the tactics, techniques and procedures (TTP) that the attackers used, we believe this is a new campaign from <a href="https://www.cadosecurity.com/post/team-tnt-the-first-crypto-mining-worm-to-steal-aws-credentials">TeamTNT</a>. We refer to this new malware as <strong>Hildegard</strong>, the username of the tmate account that the malware used.</p> <p>TeamTNT is known for exploiting unsecured Docker daemons and deploying malicious container images, as documented in previous research (<a href="https://unit42.paloaltonetworks.com/cetus-cryptojacking-worm/">Cetus</a>, <a href="https://unit42.paloaltonetworks.com/black-t-cryptojacking-variant/">Black-T</a> and <a href="https://www.trendmicro.com/en_us/research/20/l/teamtnt-now-deploying-ddos-capable-irc-bot-tntbotinger.html">TeamTNT DDoS</a>). However, this is the first time we found TeamTNT targeting Kubernetes environments. In addition to the same tools and domains identified in TeamTNT's previous campaigns, this new malware carries multiple new capabilities that make it more stealthy and persistent. 
In particular, we found that TeamTNT’s Hildegard malware:</p> <ul> <li>Uses two ways to establish command and control (C2) connections: a <a href="https://tmate.io/">tmate</a> reverse shell and an Internet Relay Chat (<a href="https://modern.ircdocs.horse/">IRC</a>) channel.</li> <li>Uses a known Linux process name (bioset) to disguise the malicious process.</li> <li>Uses a library injection technique based on <a href="https://attack.mitre.org/techniques/T1574/006/">LD_PRELOAD</a> to hide the malicious processes.</li> <li>Encrypts the malicious payload inside a binary to make automated static analysis more difficult.</li> </ul> <p>We believe that this new malware campaign is still under development due to its seemingly incomplete codebase and infrastructure. At the time of writing, most of Hildegard's infrastructure has been online for only a month. The C2 domain borg[.]wtf was registered on Dec. 24, 2020, the IRC server went online on Jan. 9, 2021, and some malicious scripts have been updated frequently. The malware campaign has ~25.05 KH/s hashing power, and there is 11 XMR (~$1,500) in the wallet.</p> <p><strong>There has not been any activity since our initial detection, which indicates the threat campaign may still be in the reconnaissance and weaponization stage.</strong> However, knowing this malware's capabilities and target environments, we have good reason to believe that the group will soon launch a larger-scale attack. 
The malware can leverage the abundant computing resources in Kubernetes environments for cryptojacking and potentially exfiltrate sensitive data from tens to thousands of applications running in the clusters.</p> <p>Palo Alto Networks customers running <a href="https://www.paloaltonetworks.com/prisma/cloud">Prisma Cloud</a> are protected from this threat by the Runtime Protection and Cryptominer Detection features, and by the Prisma Cloud Compute Kubernetes Compliance Protection, which alerts on an insufficient Kubernetes configuration and provides secure alternatives.</p> <figure id="attachment_116864" aria-describedby="caption-attachment-116864" style="width: 900px" class="wp-caption aligncenter"><img class="wp-image-116864 lozad" data-src="https://unit42.paloaltonetworks.com/wp-content/uploads/2021/02/word-image.png" alt="The figure shows the attacker's movements through a Kubernetes Cluster divided into nodes A, B and C. It shows the progression from attacking to the use of tmate to the use of an IRC C2 server. " width="900" height="747" /><figcaption id="caption-attachment-116864" class="wp-caption-text">Figure 1. Attacker and malware’s movement.</figcaption></figure> <h2><a id="post-116861-_z2rsvjqagkqb"></a>Tactics, Techniques and Procedures</h2> <p>Figure 1 illustrates how the attacker entered, moved laterally and eventually performed cryptojacking in multiple containers.</p> <ol> <li>The attacker started by exploiting an unsecured Kubelet on the internet and searched for containers running inside the Kubernetes nodes. After finding container 1 in Node A, the attacker attempted to perform remote code execution (RCE) in container 1.</li> <li>The attacker downloaded <a href="https://tmate.io/">tmate</a> and issued a command to run it and establish a reverse shell to tmate.io from container 1. 
The attacker then continued the attack with this tmate session.</li> <li>From container 1, the attacker used <a href="https://github.com/robertdavidgraham/masscan">masscan</a> to scan Kubernetes' internal network and found unsecured Kubelets in Node B and Node C. The attacker then attempted to deploy a malicious crypto mining script (xmr.sh) to containers managed by these Kubelets (containers 2-7).</li> <li>Containers that ran xmr.sh started an xmrig process and established an IRC channel back to the IRC C2.</li> <li>The attacker could also create another tmate session from one of the containers (container 4). With the reverse shell, the attacker could perform more manual reconnaissance and operations.</li> </ol> <p>The indicators of compromise (IOCs) found in each container are listed below. These files are either shell scripts or Executable and Linkable Format (ELF) binaries. The IOC section at the end of the blog contains the hash and details of each file.</p> <ul> <li><strong>Container 1</strong>: <span style="font-family: 'courier new', courier, monospace;">TDGG</span> was dropped and executed via Kubelet. <span style="font-family: 'courier new', courier, monospace;">TDGG</span> then downloaded and executed <span style="font-family: 'courier new', courier, monospace;">tt.sh</span>, <span style="font-family: 'courier new', courier, monospace;">api.key</span> and <span style="font-family: 'courier new', courier, monospace;">tmate</span>. 
The attacker used the established tmate connection to drop and run <span style="font-family: 'courier new', courier, monospace;">sGAU.sh</span>, <span style="font-family: 'courier new', courier, monospace;">kshell, install_monerod.bash, setup_moneroocean_miner.sh</span> and <span style="font-family: 'courier new', courier, monospace;">xmrig (MoneroOcean)</span>.</li> <li><strong>Container 2-7</strong>: <span style="font-family: 'courier new', courier, monospace;">xmr.sh</span> was dropped and executed via Kubelet.</li> <li><strong>Container 4</strong>: The attacker also established a tmate session in this container. The attacker then dropped and executed <span style="font-family: 'courier new', courier, monospace;">pei.sh, pei64/32, xmr3.assi, aws2.sh, t.sh, tmate,x86_64.so, xmrig and xmrig.so</span>.</li> </ul> <p>Figure 2 maps the malware campaign's TTP to <a href="https://attack.mitre.org/">MITRE ATT&amp;CK</a> tactics. The following sections will detail the techniques used in each stage.</p> <figure id="attachment_116866" aria-describedby="caption-attachment-116866" style="width: 900px" class="wp-caption aligncenter"><img class="wp-image-116866 lozad" data-src="https://unit42.paloaltonetworks.com/wp-content/uploads/2021/02/word-image-1.png" alt="This details the Hildegard malware campaign's tactics, techniques and procedures, mapped to MITRE ATT&amp;CK tactics including initial access, execution, privilege escalation, defense evasion, credential access, discovery, lateral movement, command and control and impact. " width="900" height="265" /><figcaption id="caption-attachment-116866" class="wp-caption-text">Figure 2. 
Attacker’s tactics, techniques and procedures.</figcaption></figure> <h2><a id="post-116861-_banp4h9pg4mo"></a>Initial Access</h2> <p><a href="https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/#:~:text=The%20kubelet%20is%20the%20primary,object%20that%20describes%20a%20pod.">kubelet</a> is an agent running on each Kubernetes node. It takes RESTful requests from various components (mainly kube-apiserver) and performs pod-level operations. Depending on the configuration, kubelet may or may not accept unauthenticated requests. Standard Kubernetes deployments come with <a href="https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet-authentication-authorization/#kubelet-authentication">anonymous access to kubelet </a>by default. However, most managed Kubernetes services such as Azure Kubernetes Service (<a href="https://azure.microsoft.com/en-us/services/kubernetes-service/">AKS</a>), Google Kubernetes Engine (<a href="https://cloud.google.com/kubernetes-engine">GKE</a>) and Kubernetes operations (<a href="https://github.com/kubernetes/kops">Kops</a>) all enforce proper authentication by default.</p> <p>We discovered that TeamTNT gained initial access with the Hildegard malware by executing commands on kubelets that allow anonymous access. This was achieved by accessing the kubelet’s <a href="https://github.com/kubernetes/kubernetes/blob/14344b57e56258e87cbe80c8cd80399855eca424/pkg/kubelet/server/server.go#L358">run command API</a> and executing commands on running containers.</p> <h2><a id="post-116861-_s2lmkrxk8vxg"></a>Execution</h2> <p>Hildegard uses kubelet’s API to execute commands inside containers. The initial commands create a tmate reverse shell that allows the attacker to carry out the subsequent operation. 
Unlike the techniques that TeamTNT used in the past, this malware campaign did not pull or run any new container image.</p> <h2><a id="post-116861-_pjdskdrvkh3x"></a>Privilege Escalation</h2> <p>Although Unit 42 researchers have not observed an attempt to perform privilege escalation, the malware dropped two adversarial tools, <a href="https://github.com/inguardians/peirates">Peirates</a> and <a href="https://github.com/brompwnie/botb">BOtB</a>, which are capable of breaking out of containers via known vulnerabilities or accessing cloud resources via exposed cloud credentials.</p> <h4><strong>Container Breakout</strong></h4> <p>BOtB can perform a container breakout using a known vulnerability such as CVE-2019-5736. It can also escape from privileged containers that have enabled CAPS and SYSCALLS.</p> <h4><strong>Access to Cloud Resources</strong></h4> <p>Peirates can gather multiple infrastructures and cloud credentials. It looks for identity and access management (IAM) credentials from cloud metadata services and service account tokens from the Kubernetes clusters. With the identified credentials, it then further attempts to move laterally or gain control of the cluster. While we observed Peirates in use, the container it was executed in had no credentials.</p> <h2>Defense Evasion</h2> <h4><a id="post-116861-_o64p75lyq4z7"></a><strong>Library Injection</strong></h4> <p>Hildegard uses <span style="font-family: 'courier new', courier, monospace;"><a href="https://attack.mitre.org/techniques/T1574/006/">LD_PRELOAD</a></span> to hide the malicious process launched inside the containers. The malware modified the <span style="font-family: 'courier new', courier, monospace;">/etc/ld.so.preload</span> file to intercept shared libraries’ imported functions. 
In particular, the malware overwrites two functions: <span style="font-family: 'courier new', courier, monospace;"><a href="https://www.mkssoftware.com/docs/man3/readdir.3.asp">readdir() and readdir64()</a></span>, which are responsible for returning the directory entries in the file system. The overwritten functions filter out queries made to directory entries under <span style="font-family: 'courier new', courier, monospace;">/proc</span>. The functions then drop queries with keywords such as tmate, xmrig and ziggy. This way, when applications try to identify the running processes (by reading files under /proc) in the containers, tmate, xmrig and ziggy will not be found. Linux tools such as <a href="https://man7.org/linux/man-pages/man1/ps.1.html">ps</a>, <a href="https://man7.org/linux/man-pages/man1/top.1.html">top</a> and many other container monitoring tools will be blinded from these malicious processes.</p> <figure id="attachment_116868" aria-describedby="caption-attachment-116868" style="width: 900px" class="wp-caption aligncenter"><img class="wp-image-116868 lozad" data-src="https://unit42.paloaltonetworks.com/wp-content/uploads/2021/02/word-image-2.png" alt="The screenshot shows the function that Hildegard uses to overwrite readdir64() in X86_64.so" width="900" height="357" /><figcaption id="caption-attachment-116868" class="wp-caption-text">Figure 3. Function that overwrites readdir64() in X86_64.so.</figcaption></figure> <h4><a id="post-116861-_i7ldsbx705gm"></a><strong>Encrypted ELF Binary</strong></h4> <p>Hildegard deploys an IRC agent built from the open-source project <a href="https://github.com/isdrupter/ziggystartux">ziggystartux</a>. To avoid being detected by automated static analysis tools, the ziggystartux ELF is encrypted and packed in another binary (ziggy). 
When the binary is executed, the ziggystartux ELF is decrypted with a hardcoded Advanced Encryption Standard (AES) key and executed in memory.</p> <figure id="attachment_116870" aria-describedby="caption-attachment-116870" style="width: 900px" class="wp-caption aligncenter"><img class="wp-image-116870 lozad" data-src="https://unit42.paloaltonetworks.com/wp-content/uploads/2021/02/word-image-3.png" alt="Hildegard deploys an IRC agent built from the open-source project ziggystartux. To avoid being detected by automated static analysis tools, the ziggystartux ELF is encrypted and packed in another binary (ziggy)." width="900" height="563" /><figcaption id="caption-attachment-116870" class="wp-caption-text">Figure 4. Unpacking and executing the payload.</figcaption></figure> <h4><a id="post-116861-_qggpb8u6frfg"></a><strong>Disguised Process Name</strong></h4> <p>The malware names the IRC process “<span style="font-family: 'courier new', courier, monospace;">bioset</span>”, which is the name of a well-known Linux kernel process <span style="font-family: 'courier new', courier, monospace;"><a href="https://github.com/torvalds/linux/blob/a0725ab0c7536076d5477264420ef420ebb64501/include/linux/bio.h">bioset</a></span>. Anyone who only looks at the names of the running processes on a host can easily overlook this disguised process.</p> <h4><a id="post-116861-_ozq5d723pz7t"></a><strong>DNS Monitoring Bypass</strong></h4> <p>The malware modifies the system DNS resolvers and uses Google’s public DNS servers to avoid being detected by DNS monitoring tools.</p> <figure id="attachment_116872" aria-describedby="caption-attachment-116872" style="width: 900px" class="wp-caption aligncenter"><img class="wp-image-116872 lozad" data-src="https://unit42.paloaltonetworks.com/wp-content/uploads/2021/02/word-image-4.png" alt="Hildegard modifies the system DNS resolvers and uses Google’s public DNS servers to avoid being detected by DNS monitoring tools." 
width="900" height="109" /><figcaption id="caption-attachment-116872" class="wp-caption-text">Figure 5. DNS resolver modification.</figcaption></figure> <h4><a id="post-116861-_qgv1cfvje7g5"></a><strong>Delete Files and Clear Shell History</strong></h4> <p>All the scripts are deleted immediately after being executed. TeamTNT also uses the “<span style="font-family: 'courier new', courier, monospace;">history -c</span>” command to clear the shell log in every script.</p> <figure id="attachment_116874" aria-describedby="caption-attachment-116874" style="width: 748px" class="wp-caption aligncenter"><img class="wp-image-116874 lozad" data-src="https://unit42.paloaltonetworks.com/wp-content/uploads/2021/02/word-image-5.png" alt="TeamTNT also uses the “history -c” command to clear the shell log in every script." width="748" height="149" /><figcaption id="caption-attachment-116874" class="wp-caption-text">Figure 6. The script clears the history and deletes itself.</figcaption></figure> <h2><a id="post-116861-_o7c84ng9nk04"></a>Credential Access</h2> <p>Hildegard searches for credential files on the host, as well as queries metadata for cloud-specific credentials. The identified credentials are sent back to the C2.</p> <p>The searched credentials include:</p> <ul> <li>Cloud access keys.</li> <li>Cloud access tokens.</li> <li>SSH keys.</li> <li>Docker credentials.</li> <li>Kubernetes service tokens.</li> </ul> <p>The metadata servers searched:</p> <ul> <li>169.254.169.254</li> <li>169.254.170.2</li> </ul> <figure id="attachment_116876" aria-describedby="caption-attachment-116876" style="width: 900px" class="wp-caption aligncenter"><img class="wp-image-116876 lozad" data-src="https://unit42.paloaltonetworks.com/wp-content/uploads/2021/02/word-image-6.png" alt="Hildegard searches for credential files on the host, as well as queries metadata for cloud-specific credentials." width="900" height="333" /><figcaption id="caption-attachment-116876" class="wp-caption-text">Figure 7. 
The script looks for credentials.</figcaption></figure> <h2><a id="post-116861-_w4ovdnde7q0s"></a>Discovery</h2> <p>Hildegard performs several reconnaissance operations to explore the environment.</p> <ul> <li>It gathers and sends back the host’s OS, CPU and memory information.</li> <li>It uses <a href="https://github.com/robertdavidgraham/masscan">masscan</a> to search for kubelets in Kubernetes’ internal network.</li> <li>It uses kubelet’s API to search for running containers in a particular node.</li> </ul> <figure id="attachment_116878" aria-describedby="caption-attachment-116878" style="width: 900px" class="wp-caption aligncenter"><img class="wp-image-116878 lozad" data-src="https://unit42.paloaltonetworks.com/wp-content/uploads/2021/02/word-image-7.png" alt="Hildegard performs several reconnaissance operations to explore the environment, as shown here. " width="900" height="234" /><figcaption id="caption-attachment-116878" class="wp-caption-text">Figure 8. The script looks for system and network information.</figcaption></figure> <h2><a id="post-116861-_4p4dlz3ypwkg"></a>Lateral Movement</h2> <p>Hildegard mainly uses the unsecured kubelet to move laterally inside a Kubernetes cluster. During the discovery stage, the malware finds the exploitable kubelets and the containers these kubelets manage. The malware then creates C2 channels (tmate or IRC) and deploys malicious crypto miners in these containers. Although not observed by Unit 42 researchers, the attacker may also move laterally with the stolen credentials.</p> <h2><a id="post-116861-_ak1bm03dfpiu"></a>Command and Control</h2> <p>Once it gains an initial foothold in a container, Hildegard establishes either a tmate session or an IRC channel back to the C2. It is unclear how TeamTNT chooses between these two C2 channels and tasks them, as both can serve the same purpose. At the time of writing, tmate sessions are the only way the attacker interacts with the compromised containers. 
Unit 42 researchers have not observed any commands in the IRC channel. However, the IRC server's metadata indicates that the server was deployed on Jan. 9, 2021, and there are around 220 clients currently connected to the server.</p> <figure id="attachment_116880" aria-describedby="caption-attachment-116880" style="width: 535px" class="wp-caption aligncenter"><img class="wp-image-116880 lozad" data-src="https://unit42.paloaltonetworks.com/wp-content/uploads/2021/02/word-image-8.png" alt="Once gaining an initial foothold into a container, the malware may establish a tmate session. " width="535" height="87" /><figcaption id="caption-attachment-116880" class="wp-caption-text">Figure 9. Tmate named session created by the malware.</figcaption></figure> <figure id="attachment_116882" aria-describedby="caption-attachment-116882" style="width: 698px" class="wp-caption aligncenter"><img class="wp-image-116882 lozad" data-src="https://unit42.paloaltonetworks.com/wp-content/uploads/2021/02/word-image-9.png" alt="Once gaining an initial foothold into a container, the malware may establish an IRC channel back to the C2. The IRC servers are hardcoded in the ziggy binary. " width="698" height="136" /><figcaption id="caption-attachment-116882" class="wp-caption-text">Figure 10. The IRC servers are hardcoded in the ziggy binary.</figcaption></figure> <figure id="attachment_116884" aria-describedby="caption-attachment-116884" style="width: 717px" class="wp-caption aligncenter"><img class="wp-image-116884 lozad" data-src="https://unit42.paloaltonetworks.com/wp-content/uploads/2021/02/word-image-10.png" alt="The screenshot shows the IRC traffic captured at the IRC client. The IRC server's metadata indicates that the server was deployed on Jan. 9, 2021, and there are around 220 clients currently connected to the server. 
" width="717" height="392" /><figcaption id="caption-attachment-116884" class="wp-caption-text">Figure 11.The IRC traffic captured at the IRC client.</figcaption></figure> <h2><a id="post-116861-_gyyfpi54roi9"></a>Impact</h2> <p>The most significant impact of the malware is resource hijacking and denial of service (DoS). The cryptojacking operation can quickly drain the entire system’s resources and disrupt every application in the cluster. The xmrig mining process joins the <a href="https://supportxmr.com/">supportxmr</a> mining pool using the wallet address <span style="font-family: 'courier new', courier, monospace;">428uyvSqdpVZL7HHgpj2T5SpasCcoHZNTTzE3Lz2H5ZkiMzqayy19sYDcBGDCjoWbTfLBnc3tc9rG4Y8gXQ8fJiP5tqeBda</span>. At the time of writing, the malware campaign has ~25.05 KH/s hashing power and there is 11 XMR (~$1,500) in the wallet.</p> <figure id="attachment_116886" aria-describedby="caption-attachment-116886" style="width: 900px" class="wp-caption aligncenter"><img class="wp-image-116886 lozad" data-src="https://unit42.paloaltonetworks.com/wp-content/uploads/2021/02/word-image-11.png" alt="At the time of writing, the Hildegard malware campaign has ~25.05 KH/s hashing power and there is 11 XMR (~$1,500) in the wallet." width="900" height="243" /><figcaption id="caption-attachment-116886" class="wp-caption-text">Figure 12. Mining activity on supportxmr.</figcaption></figure> <h2><a id="post-116861-_gcbz663yufdy"></a>Conclusion</h2> <p>Unlike a Docker engine that runs on a single host, a Kubernetes cluster typically contains more than one host and every host can run multiple containers. Given the abundant resources in a Kubernetes infrastructure, a hijacked Kubernetes cluster can be more profitable than a hijacked Docker host. This new TeamTNT malware campaign is one of the most complicated attacks targeting Kubernetes. This is also the most feature-rich malware we have seen from TeamTNT so far. 
In particular, the threat actor has developed more sophisticated tactics for initial access, execution, defense evasion and C2. These efforts make the malware more stealthy and persistent. Although the malware is still under development and the campaign is not yet widely spread, we believe the attacker will soon mature the tools and start a large-scale deployment.</p> <p>Palo Alto Networks customers running <a href="https://www.paloaltonetworks.com/prisma/cloud">Prisma Cloud</a> are protected from this threat by the Runtime Protection features, Cryptominer Detection and by the Prisma Cloud Compute Kubernetes Compliance Protection, which alerts on an insufficient Kubernetes configuration and provides secure alternatives.</p> <figure id="attachment_116888" aria-describedby="caption-attachment-116888" style="width: 900px" class="wp-caption aligncenter"><img class="wp-image-116888 lozad" data-src="https://unit42.paloaltonetworks.com/wp-content/uploads/2021/02/word-image-12.png" alt="Palo Alto Networks customers running Prisma Cloud are protected from this threat by the Prisma Cloud Compute Kubernetes Compliance Protection, which alerts on an insufficient Kubernetes configuration and provides secure alternatives. " width="900" height="203" /><figcaption id="caption-attachment-116888" class="wp-caption-text">Figure 13. Prisma Cloud Compute Kubernetes compliance protections.</figcaption></figure> <figure id="attachment_116890" aria-describedby="caption-attachment-116890" style="width: 900px" class="wp-caption aligncenter"><img class="wp-image-116890 lozad" data-src="https://unit42.paloaltonetworks.com/wp-content/uploads/2021/02/word-image-13.png" alt="Prisma Cloud also protects against Hildegard through its Cryptominer Detection feature. The screenshot shows an example of the software alerting on a crypto mining incident. " width="900" height="206" /><figcaption id="caption-attachment-116890" class="wp-caption-text">Figure 14. 
Prisma Cloud Compute alerting on crypto mining incident.</figcaption></figure> <h2><a id="post-116861-_enix4oh8ekjb"></a><strong>Indicators of Compromise</strong></h2> <h4><strong>Domains/IPs:</strong></h4> <table style="width: 100.473%;"> <tbody> <tr> <th scope="col" style="width: 17.8082%;">Domain/IP</th> <th scope="col" style="width: 152.055%;">Description</th> </tr> <tr> <td style="width: 17.8082%;"><p>The.borg[.]wtf</p> <p>(45.9.150[.]36)</p></td> <td style="width: 152.055%;"><p>This machine hosts malicious files used in the campaign and acts as the C2 that receives the collected data.</p> <p>Hosted files: TDGG, api.key, tmate, tt.sh, sGAU.sh, t.sh, x86_64.so, xmr.sh, xmrig, xmrig.so, ziggy, xmr3.assi</p></td> </tr> <tr> <td style="width: 17.8082%;">147.75.47[.]199</td> <td style="width: 152.055%;">The malware connects to this IP to obtain the victim host's public IP.</td> </tr> <tr> <td style="width: 17.8082%;">teamtnt[.]red<br /> (45.9.148[.]108)</td> <td style="width: 152.055%;">This host serves malicious scripts and binaries.<br /> Hosted files: pei.sh, pei64.</td> </tr> <tr> <td style="width: 17.8082%;">Borg[.]wtf<br /> (45.9.148[.]108)</td> <td style="width: 152.055%;">This host serves malicious scripts and binaries.<br /> Hosted files: aws2.sh</td> </tr> <tr> <td style="width: 17.8082%;">irc.borg[.]wtf<br /> (123.245.9[.]147)</td> <td style="width: 152.055%;">This host is one of the C2s. It runs an IRC server on port 6667.</td> </tr> <tr> <td style="width: 17.8082%;"><p>sampwn.anondns[.]net</p> <p>(13.245.9[.]147)</p></td> <td style="width: 152.055%;">This host is one of the C2s. It runs an IRC server on port 6667.</td> </tr> <tr> <td style="width: 17.8082%;">164.68.106[.]96</td> <td style="width: 152.055%;">This host is one of the C2s. It runs an IRC server on port 6667.</td> </tr> <tr> <td style="width: 17.8082%;">62.234.121[.]105</td> <td style="width: 152.055%;">This host is one of the C2s. 
It runs an IRC server on port 6667.</td> </tr> </tbody> </table> <h4><strong>Files:</strong></h4> <table style="width: 100%;"> <tbody> <tr> <td style="width: 34.4313%;"><strong>SHA256</strong></td> <td style="width: 16.8427%;"><strong>File Name</strong></td> <td style="width: 8.20386%;"><strong>Type</strong></td> <td style="width: 39.9627%;"><strong>Description</strong></td> </tr> <tr> <td style="width: 34.4313%;">2c1528253656ac09c7473911b24b243f083e60b98a19ba1bbb050979a1f38a0f</td> <td style="width: 16.8427%;">TDGG</td> <td style="width: 8.20386%;">script</td> <td style="width: 39.9627%;">This script downloads and executes tt.sh.</td> </tr> <tr> <td style="width: 34.4313%;">2cde98579162ab165623241719b2ab33ac40f0b5d0a8ba7e7067c7aebc530172</td> <td style="width: 16.8427%;">tt.sh</td> <td style="width: 8.20386%;">script</td> <td style="width: 39.9627%;">This script downloads and runs tmate. It collects system information from the victim's host and sends the collected data to the C2 (45.9.150[.]36).</td> </tr> <tr> <td style="width: 34.4313%;">b34df4b273b3bedaab531be46a0780d97b87588e93c1818158a47f7add8c7204</td> <td style="width: 16.8427%;">api.key</td> <td style="width: 8.20386%;">text</td> <td style="width: 39.9627%;">The API key is used for creating a named tmate session from the compromised containers.</td> </tr> <tr> <td style="width: 34.4313%;">d2fff992e40ce18ff81b9a92fa1cb93a56fb5a82c1cc428204552d8dfa1bc04f</td> <td style="width: 16.8427%;">tmate</td> <td style="width: 8.20386%;">ELF</td> <td style="width: 39.9627%;"><a href="https://github.com/tmate-io/tmate/releases/tag/2.4.0">tmate v2.4.0</a></td> </tr> <tr> <td style="width: 34.4313%;">74e3ccaea4df277e1a9c458a671db74aa47630928a7825f75994756512b09d64</td> <td style="width: 16.8427%;">sGAU.sh</td> <td style="width: 8.20386%;">script</td> <td style="width: 39.9627%;">This script downloads and installs <a href="https://masscan">masscan</a>. It scans Kubernetes internal IP addresses for Kubelets listening on port 10250. 
If masscan finds an exploitable Kubelet, it attempts to download and execute a cryptojacking script in all the containers.</td> </tr> <tr> <td style="width: 34.4313%;">8e33496ea00218c07145396c6bcf3e25f4e38a1061f807d2d3653497a291348c</td> <td style="width: 16.8427%;">kshell</td> <td style="width: 8.20386%;">script</td> <td style="width: 39.9627%;">The script performs remote code execution in containers via the Kubelet’s API. It also downloads and executes xmr.sh in a target container.</td> </tr> <tr> <td style="width: 34.4313%;">518a19aa2c3c9f895efa0d130e6355af5b5d7edf28e2a2d9b944aa358c23d887</td> <td style="width: 16.8427%;">install_monerod.bash</td> <td style="width: 8.20386%;">script</td> <td style="width: 39.9627%;">The script is hosted in this Github <a href="https://gist.github.com/Ernillew/691b5e4b6867425ef4f821aacc2790a4">repo</a>. It pulls and builds the official <a href="https://github.com/monero-project/monero">monero project</a>. It then creates a user named “monerodaemon” and starts the monero service.</td> </tr> <tr> <td style="width: 34.4313%;">5923f20010cb7c1d59aab36ba41c84cd20c25c6e64aace65dc8243ea827b537b</td> <td style="width: 16.8427%;">setup_moneroocean_miner.sh</td> <td style="width: 8.20386%;">script</td> <td style="width: 39.9627%;">The script is hosted in this Github <a href="https://github.com/MoneroOcean/xmrig_setup/blob/master/setup_moneroocean_miner.sh">repo</a>. It pulls and runs the MoneroOcean advanced version of xmrig.</td> </tr> <tr> <td style="width: 34.4313%;">a22c2a6c2fdc5f5b962d2534aaae10d4de0379c9872f07aa10c77210ca652fa9</td> <td style="width: 16.8427%;">xmrig (moneroocean)</td> <td style="width: 8.20386%;">ELF</td> <td style="width: 39.9627%;">xmrig 6.7.2-mo3. 
This binary is hosted in <a href="https://github.com/MoneroOcean/xmrig/releases">MoneroOcean/xmrig</a> Github repo.</td> </tr> <tr> <td style="width: 34.4313%;">ee6dbbf85a3bb301a2e448c7fddaa4c1c6f234a8c75597ee766c66f52540d015</td> <td style="width: 16.8427%;">pei.sh</td> <td style="width: 8.20386%;">script</td> <td style="width: 39.9627%;">This script downloads and executes pei64 or pei32, depending on the host’s architecture.</td> </tr> <tr> <td style="width: 34.4313%;">937842811b9e2eb87c4c19354a1a790315f2669eea58b63264f751de4da5438d</td> <td style="width: 16.8427%;">pei64</td> <td style="width: 8.20386%;">ELF</td> <td style="width: 39.9627%;">This is a Kubernetes penetration tool from the <a href="https://github.com/inguardians/peirates">peirates</a> project. The tool is capable of escalating privilege and pivoting through the Kubernetes cluster.</td> </tr> <tr> <td style="width: 34.4313%;">72cff62d801c5bcb185aa299eb26f417aad843e617cf9c39c69f9dde6eb82742</td> <td style="width: 16.8427%;">pei32</td> <td style="width: 8.20386%;">ELF</td> <td style="width: 39.9627%;">Same as pei64, but for i686 architecture.</td> </tr> <tr> <td style="width: 34.4313%;">12c5c5d556394aa107a433144c185a686aba3bb44389b7241d84bea766e2aea3</td> <td style="width: 16.8427%;">xmr3.assi</td> <td style="width: 8.20386%;">script</td> <td style="width: 39.9627%;">The script downloads and runs aws2.sh, t.sh and xmrig.</td> </tr> <tr> <td style="width: 34.4313%;">053318adb15cf23075f737daa153b81ab8bd0f2958fa81cd85336ecdf3d7de4e</td> <td style="width: 16.8427%;">aws2.sh</td> <td style="width: 8.20386%;">script</td> <td style="width: 39.9627%;">The script searches for cloud credentials and sends the identified credentials to C2 (the.borg[.]wtf).</td> </tr> <tr> <td style="width: 34.4313%;">e6422d97d381f255cd9e9f91f06e5e4921f070b23e4e35edd539a589b1d6aea7</td> <td style="width: 16.8427%;">t.sh</td> <td style="width: 8.20386%;">script</td> <td style="width: 39.9627%;">The script downloads x86_64.so and 
tmate from the C2. It modifies ld.so.preload and starts a tmate named session. It then sends the victim’s system info and tmate session back to the C2.</td> </tr> <tr> <td style="width: 34.4313%;">77456c099facd775238086e8f9420308be432d461e55e49e1b24d96a8ea585e8</td> <td style="width: 16.8427%;">x86_64.so</td> <td style="width: 8.20386%;">ELF</td> <td style="width: 39.9627%;">This shared object replaces the existing /etc/ld.so.preload file. It uses the LD_PRELOAD trick to hide the tmate process.</td> </tr> <tr> <td style="width: 34.4313%;">78f92857e18107872526feb1ae834edb9b7189df4a2129a4125a3dd8917f9983</td> <td style="width: 16.8427%;">xmrig</td> <td style="width: 8.20386%;">ELF</td> <td style="width: 39.9627%;">xmrig v6.7.0</td> </tr> <tr> <td style="width: 34.4313%;">3de32f315fd01b7b741cfbb7dfee22c30bf7b9a5a01d7ab6690fcb42759a3e9f</td> <td style="width: 16.8427%;">xmrig.so</td> <td style="width: 8.20386%;">ELF</td> <td style="width: 39.9627%;">This shared object replaces the existing /etc/ld.so.preload.</p> <p>It uses the LD_PRELOAD trick to hide the xmrig process.</td> </tr> <tr> <td style="width: 34.4313%;">fe0f5fef4d78db808b9dc4e63eeda9f8626f8ea21b9d03cbd884e37cde9018ee</td> <td style="width: 16.8427%;">xmr.sh</td> <td style="width: 8.20386%;">script</td> <td style="width: 39.9627%;">The script downloads and executes xmrig and ziggy.</td> </tr> <tr> <td style="width: 34.4313%;">74f122fb0059977167c5ed34a7e217d9dfe8e8199020e3fe19532be108a7d607</td> <td style="width: 16.8427%;">ziggy</td> <td style="width: 8.20386%;">ELF</td> <td style="width: 39.9627%;">ziggy is a binary that packs an encrypted ELF. The binary decrypts the ELF at runtime and runs it in memory. 
The encrypted ELF is built from <a href="https://github.com/isdrupter/ziggystartux">ZiggyStarTux</a>, an IRC client for embedded devices.</td> </tr> </tbody> </table> <p>&nbsp;</p> </div> <!--<span class="post__date">Updated 6 June, 2024 at 7:09 AM PDT</span>--> <button class="l-btn back-to-top" id="backToTop" data-page-track="true" data-page-track-value="hildegard-malware-teamtnt:back to top">Back to top</button> <div class="be__tags-wrapper"> <h3>Tags</h3><ul role="list"><li role="listitem"><a href="https://unit42.paloaltonetworks.com/tag/containers/" role="link" title="Containers" data-page-track="true" data-page-track-value="hildegard-malware-teamtnt:tags:Containers">Containers</a></li><li role="listitem"><a href="https://unit42.paloaltonetworks.com/tag/cryptojacking/" role="link" title="cryptojacking" data-page-track="true" data-page-track-value="hildegard-malware-teamtnt:tags:cryptojacking">Cryptojacking</a></li><li role="listitem"><a href="https://unit42.paloaltonetworks.com/tag/docker/" role="link" title="Docker" data-page-track="true" data-page-track-value="hildegard-malware-teamtnt:tags:Docker">Docker</a></li><li role="listitem"><a href="https://unit42.paloaltonetworks.com/tag/kubernetes/" role="link" title="Kubernetes" data-page-track="true" data-page-track-value="hildegard-malware-teamtnt:tags:Kubernetes">Kubernetes</a></li><li role="listitem"><a href="https://unit42.paloaltonetworks.com/tag/public-cloud/" role="link" title="public cloud" data-page-track="true" data-page-track-value="hildegard-malware-teamtnt:tags:public cloud">Public cloud</a></li><li role="listitem"><a href="https://unit42.paloaltonetworks.com/tag/teamtnt/" role="link" title="TeamTnT" data-page-track="true" data-page-track-value="hildegard-malware-teamtnt:tags:TeamTnT">TeamTnT</a></li></ul> </div> <div class="be__post-nav"> <a class="prev" href="https://unit42.paloaltonetworks.com" role="link" title="Threat Research" data-page-track="true" 
title="Remote Code Execution" role="link" data-page-track="true" data-page-track-value="hildegard-malware-teamtnt:related-resources:Threat Brief: CVE-2024-6387 OpenSSH RegreSSHion Vulnerability:Remote Code Execution">Remote Code Execution</a> </li> <li role="listitem"> <a href="https://unit42.paloaltonetworks.com/tag/ssh/" title="SSH" role="link" data-page-track="true" data-page-track-value="hildegard-malware-teamtnt:related-resources:Threat Brief: CVE-2024-6387 OpenSSH RegreSSHion Vulnerability:SSH">SSH</a> </li></ul> </div> <div class="card-content__link"> <a class="hyperlink" href="https://unit42.paloaltonetworks.com/threat-brief-cve-2024-6387-openssh/" title="Threat Brief: CVE-2024-6387 OpenSSH RegreSSHion Vulnerability" role="link" data-page-track="true" data-page-track-value="hildegard-malware-teamtnt:related-resources:Threat Brief: CVE-2024-6387 OpenSSH RegreSSHion Vulnerability:read now"> Read now <img src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/icon-right-arrow-withtail.svg" alt="Right arrow"> </a> </div> </div> </div> <div class="pa l-card l-card--slider" > <div class="card-media " > <figure> <img width="786" height="368" data-src="https://unit42.paloaltonetworks.com/wp-content/uploads/2024/06/unit42-cloud-attacks-786x368.jpg" class="lozad" alt="" decoding="async" data-srcset="https://unit42.paloaltonetworks.com/wp-content/uploads/2024/06/unit42-cloud-attacks-786x368.jpg 786w, https://unit42.paloaltonetworks.com/wp-content/uploads/2024/06/unit42-cloud-attacks-1493x700.jpg 1493w, https://unit42.paloaltonetworks.com/wp-content/uploads/2024/06/unit42-cloud-attacks-768x360.jpg 768w, https://unit42.paloaltonetworks.com/wp-content/uploads/2024/06/unit42-cloud-attacks-1536x720.jpg 1536w, https://unit42.paloaltonetworks.com/wp-content/uploads/2024/06/unit42-cloud-attacks.jpg 1920w" sizes="(max-width: 786px) 100vw, 786px" /> </figure> </div> <div class="card-content"> <div class="card-content__wrapper"> <a 
class="card-category" href="https://unit42.paloaltonetworks.com/category/threat-research/" role="link" data-page-track="true" data-page-track-value="hildegard-malware-teamtnt:related-resources:Attack Paths Into VMs in the Cloud:Threat Research"><span class=""><img class="lozad" data-src="https://unit42.paloaltonetworks.com/wp-content/uploads/2024/06/icon-threat-research.svg" alt=" category icon">Threat Research</span></a> <span class="post-pub-date"><time datetime="2024-06-18T10:00:23+00:00">June 18, 2024</time></span> <a href="https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/" data-page-track="true" data-page-track-value="hildegard-malware-teamtnt:related-resources:Attack Paths Into VMs in the Cloud"> <h4 class="post-title">Attack Paths Into VMs in the Cloud</h4> </a> <ul class="card-tags" role="list"> <li role="listitem"> <a href="https://unit42.paloaltonetworks.com/tag/aws/" title="AWS" role="link" data-page-track="true" data-page-track-value="hildegard-malware-teamtnt:related-resources:Attack Paths Into VMs in the Cloud:AWS">AWS</a> </li> <li role="listitem"> <a href="https://unit42.paloaltonetworks.com/tag/iaas/" title="IaaS" role="link" data-page-track="true" data-page-track-value="hildegard-malware-teamtnt:related-resources:Attack Paths Into VMs in the Cloud:IaaS">IaaS</a> </li> <li role="listitem"> <a href="https://unit42.paloaltonetworks.com/tag/virtual-machines/" title="virtual machines" role="link" data-page-track="true" data-page-track-value="hildegard-malware-teamtnt:related-resources:Attack Paths Into VMs in the Cloud:virtual machines">Virtual machines</a> </li></ul> </div> <div class="card-content__link"> <a class="hyperlink" href="https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/" title="Attack Paths Into VMs in the Cloud" role="link" data-page-track="true" data-page-track-value="hildegard-malware-teamtnt:related-resources:Attack Paths Into VMs in the Cloud:read now"> Read now <img 
src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/icon-right-arrow-withtail.svg" alt="Right arrow"> </a> </div> </div> </div> <div class="pa l-card l-card--slider" > <div class="card-media " > <figure> <img width="786" height="368" data-src="https://unit42.paloaltonetworks.com/wp-content/uploads/2024/06/03_Cloud_cybersecurity_research_Overview_1920x900-786x368.jpg" class="lozad" alt="Futuristic illustration with glowing neon lights and advanced technology motifs, depicting cloud computing and data flow through interconnected networks. The scene is highlighted by hovering digital clouds and dynamic, illuminated linear structures, set in a dramatic, blue and orange color scheme." decoding="async" data-srcset="https://unit42.paloaltonetworks.com/wp-content/uploads/2024/06/03_Cloud_cybersecurity_research_Overview_1920x900-786x368.jpg 786w, https://unit42.paloaltonetworks.com/wp-content/uploads/2024/06/03_Cloud_cybersecurity_research_Overview_1920x900-1493x700.jpg 1493w, https://unit42.paloaltonetworks.com/wp-content/uploads/2024/06/03_Cloud_cybersecurity_research_Overview_1920x900-768x360.jpg 768w, https://unit42.paloaltonetworks.com/wp-content/uploads/2024/06/03_Cloud_cybersecurity_research_Overview_1920x900-1536x720.jpg 1536w, https://unit42.paloaltonetworks.com/wp-content/uploads/2024/06/03_Cloud_cybersecurity_research_Overview_1920x900.jpg 1920w" sizes="(max-width: 786px) 100vw, 786px" /> </figure> </div> <div class="card-content"> <div class="card-content__wrapper"> <a class="card-category" href="https://unit42.paloaltonetworks.com/category/threat-actor-groups/" role="link" data-page-track="true" data-page-track-value="hildegard-malware-teamtnt:related-resources:Muddled Libra’s Evolution to the Cloud:Threat Actor Groups"><span class=""><img class="lozad" data-src="https://unit42.paloaltonetworks.com/wp-content/uploads/2024/07/threat-actor-groups.svg" alt=" category icon">Threat Actor Groups</span></a> <span 
class="post-pub-date"><time datetime="2024-04-09T18:00:08+00:00">April 9, 2024</time></span> <a href="https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/" data-page-track="true" data-page-track-value="hildegard-malware-teamtnt:related-resources:Muddled Libra’s Evolution to the Cloud"> <h4 class="post-title">Muddled Libra’s Evolution to the Cloud</h4> </a> <ul class="card-tags" role="list"> <li role="listitem"> <a href="https://unit42.paloaltonetworks.com/tag/microsoft-azure/" title="Microsoft Azure" role="link" data-page-track="true" data-page-track-value="hildegard-malware-teamtnt:related-resources:Muddled Libra’s Evolution to the Cloud:Microsoft Azure">Microsoft Azure</a> </li> <li role="listitem"> <a href="https://unit42.paloaltonetworks.com/tag/muddled-libra/" title="Muddled Libra" role="link" data-page-track="true" data-page-track-value="hildegard-malware-teamtnt:related-resources:Muddled Libra’s Evolution to the Cloud:Muddled Libra">Muddled Libra</a> </li></ul> </div> <div class="card-content__link"> <a class="hyperlink" href="https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/" title="Muddled Libra’s Evolution to the Cloud" role="link" data-page-track="true" data-page-track-value="hildegard-malware-teamtnt:related-resources:Muddled Libra’s Evolution to the Cloud:read now"> Read now <img src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/icon-right-arrow-withtail.svg" alt="Right arrow"> </a> </div> </div> </div> <div class="pa l-card l-card--slider" > <div class="card-media " > <figure> <img width="786" height="368" data-src="https://unit42.paloaltonetworks.com/wp-content/uploads/2024/06/05_Vulnerabilities_1920x900-786x368.jpg" class="lozad" alt="Close-up side profile of a Black woman wearing glasses, focused intently on something out of frame." 
decoding="async" data-srcset="https://unit42.paloaltonetworks.com/wp-content/uploads/2024/06/05_Vulnerabilities_1920x900-786x368.jpg 786w, https://unit42.paloaltonetworks.com/wp-content/uploads/2024/06/05_Vulnerabilities_1920x900-1493x700.jpg 1493w, https://unit42.paloaltonetworks.com/wp-content/uploads/2024/06/05_Vulnerabilities_1920x900-768x360.jpg 768w, https://unit42.paloaltonetworks.com/wp-content/uploads/2024/06/05_Vulnerabilities_1920x900-1536x720.jpg 1536w, https://unit42.paloaltonetworks.com/wp-content/uploads/2024/06/05_Vulnerabilities_1920x900.jpg 1920w" sizes="(max-width: 786px) 100vw, 786px" /> </figure> </div> <div class="card-content"> <div class="card-content__wrapper"> <a class="card-category" href="https://unit42.paloaltonetworks.com/category/top-cyberthreats/" role="link" data-page-track="true" data-page-track-value="hildegard-malware-teamtnt:related-resources:Threat Brief: Vulnerability in XZ Utils Data Compression Library Impacting Multiple Linux Distributions (CVE-2024-3094):High Profile Threats"><span class=""><img class="lozad" data-src="https://unit42.paloaltonetworks.com/wp-content/uploads/2024/07/top-threats.svg" alt=" category icon">High Profile Threats</span></a> <span class="post-pub-date"><time datetime="2024-03-31T02:15:55+00:00">March 30, 2024</time></span> <a href="https://unit42.paloaltonetworks.com/threat-brief-xz-utils-cve-2024-3094/" data-page-track="true" data-page-track-value="hildegard-malware-teamtnt:related-resources:Threat Brief: Vulnerability in XZ Utils Data Compression Library Impacting Multiple Linux Distributions (CVE-2024-3094)"> <h4 class="post-title">Threat Brief: Vulnerability in XZ Utils Data Compression Library Impacting Multiple Linux Distributions (CVE-2024-3094)</h4> </a> <ul class="card-tags" role="list"> <li role="listitem"> <a href="https://unit42.paloaltonetworks.com/tag/cve-2024-3094/" title="CVE-2024-3094" role="link" data-page-track="true" 
data-page-track-value="hildegard-malware-teamtnt:related-resources:Threat Brief: Vulnerability in XZ Utils Data Compression Library Impacting Multiple Linux Distributions (CVE-2024-3094):CVE-2024-3094">CVE-2024-3094</a> </li> <li role="listitem"> <a href="https://unit42.paloaltonetworks.com/tag/linux/" title="Linux" role="link" data-page-track="true" data-page-track-value="hildegard-malware-teamtnt:related-resources:Threat Brief: Vulnerability in XZ Utils Data Compression Library Impacting Multiple Linux Distributions (CVE-2024-3094):Linux">Linux</a> </li> <li role="listitem"> <a href="https://unit42.paloaltonetworks.com/tag/xz-utils/" title="XZ Utils" role="link" data-page-track="true" data-page-track-value="hildegard-malware-teamtnt:related-resources:Threat Brief: Vulnerability in XZ Utils Data Compression Library Impacting Multiple Linux Distributions (CVE-2024-3094):XZ Utils">XZ Utils</a> </li></ul> </div> <div class="card-content__link"> <a class="hyperlink" href="https://unit42.paloaltonetworks.com/threat-brief-xz-utils-cve-2024-3094/" title="Threat Brief: Vulnerability in XZ Utils Data Compression Library Impacting Multiple Linux Distributions (CVE-2024-3094)" role="link" data-page-track="true" data-page-track-value="hildegard-malware-teamtnt:related-resources:Threat Brief: Vulnerability in XZ Utils Data Compression Library Impacting Multiple Linux Distributions (CVE-2024-3094):read now"> Read now <img src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/icon-right-arrow-withtail.svg" alt="Right arrow"> </a> </div> </div> </div> </div> </div> <div class="l-container bs__controls"> <div class="bs__progress"><span></span></div> <div class="bs__navigation"> <ul> <li> <button id="prevButton"> <img src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/slider-arrow-left.svg" alt="Slider arrow"></button> </li> <li> <button id="nextButton"> <img 
src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/slider-arrow-left.svg" alt="Slider arrow"></button> </li> </ul> </div> </div> </div> <div class="be-enlarge-modal" id="enlargedModal"> <div class="be-enlarge-modal__wrapper"> <figure> <button class="close__modal" id="closeModal"> <img src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/close-modal.svg" alt="Close button"></button> <img class="be__enlarged-image" id="enlargedImage" src="" alt="Enlarged Image"> <figcaption> </figcaption> </figure> </div> </div> </div> </section> </main> <!-- Start: Footer subscription form --> <div class="newsletter"> <div class="l-container"> <div class="newsletter__wrapper"> <div class="image__wrapper"> <picture> <source class="lozad" media="(max-width:400px)" data-srcset="https://unit42.paloaltonetworks.com/wp-content/uploads/2024/06/newsletter-Image-mobile.webp"> <source class="lozad" media="(max-width:949px)" data-srcset="https://unit42.paloaltonetworks.com/wp-content/uploads/2024/06/newsletter-Image-tab.webp"> <img class="lozad" data-src="https://unit42.paloaltonetworks.com/wp-content/uploads/2024/06/Revitalized_newsletter-Image-desktop-copy-1.webp" alt="Newsletter"> </picture> </div> <div class="content__wrapper"> <span class="pre-title"> <img class="lozad" data-src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/palo-alto-logo-small.svg" alt="UNIT 42 Small Logo"> Get updates from Unit 42 </span> <h2>Peace of mind comes from staying ahead of threats. 
Contact us today.</h2> <form action="https://www.paloaltonetworks.com/apps/pan/public/formsubmithandler.submitform.json" method="post" novalidate class="subscribe-form" name="Unit42_Subscribe" id="unit42footerSubscription_form"> <input type="hidden" name="emailFormMask" value=""> <input type="hidden" value="1086" name="formid"> <input type="hidden" value="531-OCS-018" name="munchkinId"> <input type="hidden" value="2141" name="lpId"> <input type="hidden" value="1203" name="programId"> <input type="hidden" value="1086" name="formVid"> <input type="hidden" name="mkto_optinunit42" value="true"> <input type="hidden" name="mkto_opt-in" value="true"> <div class="form-group"> <label for="newsletter-email" id="newsletter-email-label">Your Email</label> <input type="emal" placeholder="Your Email" name="Email" class="subscribe-field" id="newsletter-email" aria-labelledby="newsletter-email-label"> <p class="error-mail mb-15 text-danger" style="color: #dc3545"></p> <p>Subscribe for email updates to all Unit 42 threat research.<br />By submitting this form, you agree to our <a title="Terms of Use" href="https://www.paloaltonetworks.com/legal-notices/terms-of-use" data-page-track="true" data-page-track-value="Get updates from Unit 42:Terms of Use">Terms of Use</a> and acknowledge our <a title="Privacy Statement" href="https://www.paloaltonetworks.com/legal-notices/privacy" data-page-track="true" data-page-track-value="Get updates from Unit 42:Privacy Statement">Privacy Statement.</a></p> <div class="g-recaptcha" data-expired-callback="captchaExpires" data-callback="captchaComplete" data-sitekey="6Lc5EhgTAAAAAJa-DzE7EeWABasWg4LKv-R3ao6o"></div> <p class="error-recaptcha d-none mt-15 text-danger" style="color: #dc3545">Invalid captcha!</p> <button class="l-btn is-disabled" data-page-track="true" data-page-track-value="footer:Get updates from Unit 42:Subscribe" id="unit42footerSubscription_form_button"> Subscribe <img class="lozad" 
data-src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/right-arrow.svg" alt="Right Arrow" class="arrow"> <img src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/icon-loader.svg" alt="loader" class="loader"> </button> <div class="form-success-message"></div> </div> </form> </div> </div> </div> </div> <script> (function($) { // Migrated from the unit42-v5 + Modifications var subscribeSuccess = false; var email = document.getElementById('newsletter-email'); var subscription_form = document.getElementById('unit42footerSubscription_form'); var subscription_form_button = document.getElementById('unit42footerSubscription_form_button'); window.captchaComplete = function() { subscribeSuccess = true; if ($(mail).val() != '' && isEmail($(mail).val())) { $(subscription_form_button).removeClass('is-disabled'); } setTimeout(function() { $(email).focus(); $('.g-recaptcha iframe').attr('tabindex', '-1'); }, 100) } window.captchaExpires = function() { subscribeSuccess = false; $(subscription_form_button).addClass('is-disabled', true); } $(subscription_form).submit(function(e) { e.preventDefault(); e.stopImmediatePropagation(); updateEmailMask(); var success = true; var form = $(this); var mail = form.find('input[name="Email"]'); if (mail.val() === '') { mail.addClass('has-error'); showError(1); success = false; } else if (!isEmail(mail.val())){ showError(2); success = false; } else { mail.removeClass('has-error'); $('.error-mail').addClass('d-none'); } if (!subscribeSuccess) { $('.error-recaptcha').removeClass('d-none'); } else { $('.error-recaptcha').addClass('d-none'); } if (success && subscribeSuccess) { $.ajax({ type: 'POST', url: form.attr('action'), data: form.serialize(), beforeSend: function() { form.find('button').addClass('is-loading'); }, success: function(msg) { form.find('.form-success-message').html('<p class="success-message">You have been successfully subscribed</p>'); 
form.find('button').removeClass('is-loading'); $(email).val(''); clearError(); }, error: function(jqXHR, textStatus, errorThrown) { $(subscription_form_button).addClass('is-disabled', true); form.find('button').removeClass('is-loading'); } }); } return false; }); function showError(error_type){ if(error_type == 1) { $('.error-mail').text("Please enter the email address.").addClass('error-show'); $(subscription_form_button).addClass('is-disabled'); } else if(error_type == 2){ $('.error-mail').text("Please provide a valid e-mail address.").addClass('error-show'); $(subscription_form_button).addClass('is-disabled'); } $(subscription_form_button).removeClass('is-loading'); } function clearError(){ $('.error-mail').text("").removeClass('error-show');; $(subscription_form_button).removeClass('is-loading'); $(subscription_form_button).removeClass('is-disabled'); } $(email).on('input', function (event) { var email = $(this).val(); if (isEmail(email) ) { clearError(); } else if(email == ""){ clearError(); } else{ showError(2); } }); function isEmail(email) { var re = /^(([^<>()\[\]\\.,;:\s@"]+(\.[^<>()\[\]\\.,;:\s@"]+)*)|(".+"))@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\])|(([a-zA-Z\-0-9]+\.)+[a-zA-Z]{2,}))$/; return re.test(String(email).toLowerCase()); } var captcha_loaded = false; if(!captcha_loaded){ // recaptcha on foucs call $(document).on('change paste keyup', '#newsletter-email', function () { if($('.g-recaptcha').hasClass('d-none')){ $('.g-recaptcha').removeClass('d-none'); } if(!captcha_loaded ){ captcha_loaded = true; // trigger loading api.js (recaptcha.js) script var head = document.getElementsByTagName('head')[0]; var script = document.createElement('script'); script.type = 'text/javascript'; script.src = 'https://www.google.com/recaptcha/api.js?hl=en_US'; head.appendChild(script); } }); } function updateEmailMask() { var email = $("#unit42footerSubscription_form input[name='Email']").val(); if (email && email.trim() != '') { var maskedEmail = 
maskEmailAddress(email); $("#unit42footerSubscription_form input[name='emailFormMask']").val(maskedEmail); } } function maskEmailAddress (emailAddress) { function mask(str) { var strLen = str.length; if (strLen > 4) { return str.substr(0, 1) + str.substr(1, strLen - 1).replace(/\w/g, '*') + str.substr(-1,1); } return str.replace(/\w/g, '*'); } return emailAddress.replace(/([\w.]+)@([\w.]+)(\.[\w.]+)/g, function (m, p1, p2, p3) { return mask(p1) + '@' + mask(p2) + p3; }); return emailAddress; } }(jQuery)); //# sourceMappingURL=main.js.map </script> <!-- End: Footer subscription form --> <footer class="footer"> <div class="footer-menu"> <div class="l-container"> <div class="footer-menu__wrapper"> <div class="footer-menu-nav__wrapper"> <h3 class="footer-menu-nav__title">Products and services</h3> <div class="nav-column__wrapper"> <div class="nav-column"> <nav> <ul class="footer-menu-nav__list"> <li class="footer-menu-nav__item nav-title"> <a href="https://www.paloaltonetworks.com/network-security" role="link" title="Network Security Platform" data-page-track="true" data-page-track-value="footer:Products and services:Network Security Platform">Network Security Platform</a> </li> <li class="footer-menu-nav__item nav-title"> <a href="https://www.paloaltonetworks.com/network-security/security-subscriptions" role="link" title="CLOUD DELIVERED SECURITY SERVICES" data-page-track="true" data-page-track-value="footer:Products and services:Network Security Platform:CLOUD DELIVERED SECURITY SERVICES">CLOUD DELIVERED SECURITY SERVICES</a> </li> <li class="footer-menu-nav__item "> <a href="https://www.paloaltonetworks.com/network-security/advanced-threat-prevention" target=_blank role="link" title="Advanced Threat Prevention" data-page-track="true" data-page-track-value="footer:Products and services:Network Security Platform:CLOUD DELIVERED SECURITY SERVICES:Advanced Threat Prevention">Advanced Threat Prevention</a> </li> <li class="footer-menu-nav__item "> <a 
href="https://www.paloaltonetworks.com/network-security/advanced-dns-security" role="link" title="DNS Security" data-page-track="true" data-page-track-value="footer:Products and services:Network Security Platform:CLOUD DELIVERED SECURITY SERVICES:Advanced Threat Prevention:DNS Security">DNS Security</a> </li> <li class="footer-menu-nav__item "> <a href="https://www.paloaltonetworks.com/network-security/enterprise-data-loss-prevention" role="link" title="Data Loss Prevention" data-page-track="true" data-page-track-value="footer:Products and services:Network Security Platform:CLOUD DELIVERED SECURITY SERVICES:Advanced Threat Prevention:DNS Security:Data Loss Prevention">Data Loss Prevention</a> </li> <li class="footer-menu-nav__item "> <a href="https://www.paloaltonetworks.com/network-security/enterprise-iot-security" role="link" title="IoT Security" data-page-track="true" data-page-track-value="footer:Products and services:Network Security Platform:CLOUD DELIVERED SECURITY SERVICES:Advanced Threat Prevention:DNS Security:Data Loss Prevention:IoT Security">IoT Security</a> </li> </ul> </nav> <nav> <ul class="footer-menu-nav__list"> <li class="footer-menu-nav__item nav-title"> <a href="https://www.paloaltonetworks.com/network-security/next-generation-firewall" role="link" title="Next-Generation Firewalls" data-page-track="true" data-page-track-value="footer:Products and services:Network Security Platform:CLOUD DELIVERED SECURITY SERVICES:Advanced Threat Prevention:DNS Security:Data Loss Prevention:IoT Security:Next-Generation Firewalls">Next-Generation Firewalls</a> </li> <li class="footer-menu-nav__item "> <a href="https://www.paloaltonetworks.com/network-security/next-generation-firewall-hardware" role="link" title="Hardware Firewalls" data-page-track="true" data-page-track-value="footer:Products and services:Network Security Platform:CLOUD DELIVERED SECURITY SERVICES:Advanced Threat Prevention:DNS Security:Data Loss Prevention:IoT Security:Next-Generation 
Firewalls:Hardware Firewalls">Hardware Firewalls</a> </li> <li class="footer-menu-nav__item "> <a href="https://www.paloaltonetworks.com/network-security/strata-cloud-manager" role="link" title="Strata Cloud Manager" data-page-track="true" data-page-track-value="footer:Products and services:Network Security Platform:CLOUD DELIVERED SECURITY SERVICES:Advanced Threat Prevention:DNS Security:Data Loss Prevention:IoT Security:Next-Generation Firewalls:Hardware Firewalls:Strata Cloud Manager">Strata Cloud Manager</a> </li> </ul> </nav> <nav> <ul class="footer-menu-nav__list"> <li class="footer-menu-nav__item nav-title"> <a href="https://www.paloaltonetworks.com/sase" role="link" title="SECURE ACCESS SERVICE EDGE" data-page-track="true" data-page-track-value="footer:Products and services:Network Security Platform:CLOUD DELIVERED SECURITY SERVICES:Advanced Threat Prevention:DNS Security:Data Loss Prevention:IoT Security:Next-Generation Firewalls:Hardware Firewalls:Strata Cloud Manager:SECURE ACCESS SERVICE EDGE">SECURE ACCESS SERVICE EDGE</a> </li> <li class="footer-menu-nav__item "> <a href="https://www.paloaltonetworks.com/sase/access" role="link" title="Prisma Access" data-page-track="true" data-page-track-value="footer:Products and services:Network Security Platform:CLOUD DELIVERED SECURITY SERVICES:Advanced Threat Prevention:DNS Security:Data Loss Prevention:IoT Security:Next-Generation Firewalls:Hardware Firewalls:Strata Cloud Manager:SECURE ACCESS SERVICE EDGE:Prisma Access">Prisma Access</a> </li> <li class="footer-menu-nav__item "> <a href="https://www.paloaltonetworks.com/sase/sd-wan" role="link" title="Prisma SD-WAN" data-page-track="true" data-page-track-value="footer:Products and services:Network Security Platform:CLOUD DELIVERED SECURITY SERVICES:Advanced Threat Prevention:DNS Security:Data Loss Prevention:IoT Security:Next-Generation Firewalls:Hardware Firewalls:Strata Cloud Manager:SECURE ACCESS SERVICE EDGE:Prisma Access:Prisma SD-WAN">Prisma SD-WAN</a> 
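src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/down-arrow.svg" alt="">
<ul>
  <li class="title">Select your language</li>
  <li class="selected" data-value="en">
    <a data-page-track="true" data-page-track-value="footer:language-selector:en" href="https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/">USA (ENGLISH)</a>
  </li>
  <!-- Both entries carried data-value="en"; "ja" matches this entry's tracking value and its .jp href. -->
  <li class="non-active" data-value="ja">
    <a data-page-track="true" data-page-track-value="footer:language-selector:ja" href="https://unit42.paloaltonetworks.jp/hildegard-malware-teamtnt/">JAPAN (日本語)</a>
  </li>
</ul>
</div><!-- /language-dropdown__wrapper -->
</div><!-- /language-dropdown -->
</div><!-- /footer-bottom-social -->
</div><!-- /footer-bottom__wrapper -->
<!-- l-container and footer-bottom were never closed explicitly; the parser closed them at </footer>. -->
</div><!-- /l-container -->
</div><!-- /footer-bottom -->
</footer>
<div class="dd-overlay"></div>
<!-- Start: video modal -->
<div class="modal video__modal" id="videoModal" tabindex="-1">
  <div class="modal__video-wrapper">
    <!-- NOTE(review): id="playPauseBtn" is reused on the controls-bar play button further down;
         ids must be unique. Left unchanged because script.js (not visible here) may look the
         button up by id. type="button" is explicit so no button ever acts as a form submit. -->
    <button class="modal__play-btn is-minimized is-paused" id="playPauseBtn" type="button">
      <img class="play" src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/player-play-icon.svg" alt="Play">
      <img class="pause" src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/player-pause-icon1.svg" alt="Pause">
    </button>
    <button class="modal__minimize-btn is-minimized" type="button">
      <img src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/icon-minimize.svg" alt="Minimize">
    </button>
    <button class="modal__close" type="button">
      <img src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/close-modal.svg" alt="Close button">
    </button>
    <video class="modal__video" id="customVideo">
      <source src="" type="video/mp4">Your browser does not support the video tag.
    </video>
    <div class="modal__post-details" tabindex="-1">
      <h3>Default Heading</h3>
      <!-- href="#" is a placeholder presumably filled in by script.js when a video is opened — TODO confirm.
           The arrow image is decorative (the link already has text), so its alt is empty. -->
      <a class="l-btn" href="#" title="Right Arrow Icon" role="link" data-page-track="true" data-page-track-value="overview:explore reports:View all reports">Read the article <img src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/right-arrow.svg" alt=""> </a>
    </div>
    <div class="modal__video-controls">
      <div class="modal__video-seekbar input__wrapper"><span></span>
        <label class="is-hidden" for="modalSeekBar">Seekbar</label>
        <input class="custom-range" id="modalSeekBar" type="range" min="0" max="100" value="1">
        <p class="modal__remaining-time"></p>
      </div>
      <button class="modal__play-btn is-paused" id="playPauseBtn" type="button">
        <img class="play" src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/player-play-icon.svg" alt="Play">
        <img class="pause" src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/player-pause-icon1.svg" alt="Pause">
      </button>
      <div class="modal__volume-controls">
        <div class="modal__volume__wrapper">
          <!-- A <button> is already in the tab order; the redundant tabindex="0" was dropped. -->
          <button type="button">
            <img src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/icon-volume.svg" alt="Volume">
          </button>
          <div class="modal__volume-seekbar"><span></span>
            <label class="is-hidden" for="volumeBar">Volume</label>
            <input class="volume__bar" id="volumeBar" type="range" min="0" max="1" step="0.1" value="0.7">
          </div>
        </div>
        <button class="modal__minimize-btn" id="minimizeBtn" type="button">
          <img src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/icon-minimize.svg" alt="Minimize">
        </button>
      </div>
    </div>
  </div>
</div><!-- End: video modal -->
<script>
  // Like/dislike counter. `isProcessing` is a re-entrancy guard so a double-click on the
  // vote control cannot fire two POSTs for the same post.
  var isProcessing = false;

  // Send one like/dislike vote for `post_id` and replace the counter text inside `obj`
  // with the server's reply. `ul_type` is forwarded as the plugin's `up_type` parameter.
  function alter_ul_post_values(obj, post_id, ul_type) {
    if (isProcessing) return;
    isProcessing = true;
    var like_nonce = jQuery('#_wpnonce').val();
    jQuery(obj).find("span").html("..");
    jQuery.ajax({
      type: "POST",
      url: "https://unit42.paloaltonetworks.com/wp-content/plugins/like-dislike-counter-for-posts-pages-and-comments/ajax_counter.php",
      // An object lets jQuery URL-encode each value; the previous string concatenation
      // sent post_id / up_type / ul_nonce unencoded, so a value containing '&' or '+'
      // would have been mis-parsed server-side.
      data: { post_id: post_id, up_type: ul_type, ul_nonce: like_nonce },
      success: function (msg) {
        // NOTE(review): the reply is inserted as HTML. If ajax_counter.php only returns a
        // count, .text(msg) is the safer call — kept as .html() because the reply format
        // is not visible here.
        jQuery(obj).find("span").html(msg);
        jQuery(obj).find('svg').children('path').attr('stroke', '#0050FF');
        jQuery(obj).removeClass('idc_ul_cont_not_liked idc_ul_cont_not_liked_inner');
      },
      complete: function () {
        // Previously reset only in `success`, so a single failed request left the guard
        // set and disabled voting for the rest of the page's lifetime.
        isProcessing = false;
      }
    });
  }
</script>
<link rel="stylesheet" id="wpdevart_lightbox_front_end_css-css" href="https://unit42.paloaltonetworks.com/wp-content/plugins/lightbox-popup/includes/style/wpdevart_lightbox_front.css?ver=6.7.1" media="all">
<script src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/js/script.js?ver=1.0.0" id="unit42-v6-navigation-js"></script>
<!-- Start: Scripts Migrated From Unit42-v5 -->
<script>
  // Lazy-load every element tagged .lozad / .lozad-background (the footer social icons use data-src).
  // `lozad` is assumed to be provided by script.js above — TODO confirm.
  const observer_lozad = lozad('.lozad, .lozad-background');
  observer_lozad.observe();

  // Click handler for the "Do Not Sell or Share" footer link: open the OneTrust preference
  // panel when the OneTrust SDK is present, otherwise fall back to opening the link's
  // own href in a new tab.
  function noSell(event) {
    event.preventDefault();
    if ((typeof OneTrust != 'undefined') && (!!OneTrust)) {
      OneTrust.ToggleInfoDisplay();
    } else {
      var href = event.target.getAttribute('href');
      // 'noopener' severs window.opener so the opened page cannot navigate this tab.
      window.open(href, '_blank', 'noopener');
    }
  }

  window.PAN_Clean_Util = { isIE: false };
  (function () {
    // INP Util Fix: resolve after `ms` so long tasks can hand control back to the main thread.
    function yieldToMain(ms) {
      return new Promise(resolve => setTimeout(resolve, ms));
    }
    window.PAN_Clean_Util.yieldToMain = yieldToMain;
  })();

  // `referer` is not declared anywhere in this script; it is presumably set by an earlier
  // inline script on the page — TODO confirm. If it is missing, the ReferenceError below
  // aborts the rest of this block (nav scripts never load).
  var isPanReferer = (referer == "CloudCortex" || referer == "Prisma" || referer == "Cortex" ||
                      referer == "Sase" || referer == "Unit" || referer == "Ngfw");

  if (isPanReferer) {
    var Coveo_organizationId = "paloaltonetworksintranet";
    var techDocsPagePath = "https://docs.paloaltonetworks.com/search.html#hd=All%20Prisma%20Cloud%20Documentation&hq=%40panproductcategory%3D%3D(%22Prisma%20Cloud%22)&sort=relevancy&layout=card&numberOfResults=25";
    var languageFromPath = "en_US";
    window.Granite = window.Granite || {};
    // Minimal Granite.I18n stub: only the two Coveo strings the shared nav asks for are
    // translated; every other key resolves to "".
    Granite.I18n = (function () {
      var self = {};
      self.setLocale = function (locale) { };
      self.get = function (text, snippets, note) {
        var out = "";
        if (text) {
          if (text === "coveo.clear") {
            out = "Clear";
          } else if (text === "coveo.noresultsfound") {
            out = "No results found for this search term.";
          }
        }
        return out;
      };
      return self;
    }());
  }

  // Shared-nav client libraries, all served from the main-site origin (`maindomain_lang`).
  var main_site_critical_top = maindomain_lang + '/etc.clientlibs/panClean/components/mainNavigationComp/clientlibs/panClean/criticalTop.min.js';
  var main_site_defered = maindomain_lang + '/etc.clientlibs/panClean/components/mainNavigationComp/clientlibs/panClean/defered.min.js';
  var main_site_criticalTopBase = maindomain_lang + '/etc.clientlibs/panClean/components/mainNavigationComp/clientlibs/panClean/criticalTopBase.min.js';
  var main_site_criticalTopProductNav = maindomain_lang + '/etc.clientlibs/panClean/components/mainNavigationComp/clientlibs/panClean/criticalTopProductNav.min.js';
  window.PAN_MainNavAsyncUrl = maindomain_lang + "/_jcr_content/globals/cleanHeaderPrisma.prismaRenderer.html";

  // Append <script src=url> to <head>. Note that `defer` has no effect on a dynamically
  // inserted script (they execute as soon as they download); the attribute is kept only
  // for parity with the original behaviour.
  function loadScript(url, defer) {
    var script1 = document.createElement('script');
    script1.setAttribute('type', 'text/javascript');
    script1.setAttribute('src', url);
    if (defer == true) {
      script1.setAttribute('defer', 'defer');
    }
    document.head.appendChild(script1);
  }

  // Like loadScript, but runs `callback` once the script has finished loading.
  // The readyState branch is the legacy IE path; every other browser uses onload.
  function loadScript1(url, callback) {
    var script = document.createElement("script");
    script.type = "text/javascript";
    if (script.readyState) { // IE
      script.onreadystatechange = function () {
        if (script.readyState == "loaded" || script.readyState == "complete") {
          script.onreadystatechange = null;
          callback();
        }
      };
    } else { // Others
      script.onload = function () {
        callback();
      };
    }
    script.src = url;
    document.getElementsByTagName("head")[0].appendChild(script);
  }

  // Load the shared product navigation 3 s after this script runs. The "Unit" variant
  // needs the base bundle first; both variants initialise the nav once the product-nav
  // bundle has loaded and then fetch the deferred bundle.
  if (isPanReferer) {
    if (referer == "Unit") {
      setTimeout(function () {
        loadScript(main_site_criticalTopBase, false);
        loadScript1(main_site_criticalTopProductNav, function () {
          window.PAN_initializeProduct2021Nav();
        });
        loadScript(main_site_defered, false);
      }, 3000);
    } else {
      setTimeout(function () {
        loadScript1(main_site_critical_top, function () {
          window.PAN_initializeProduct2021Nav();
        });
        loadScript(main_site_defered, false);
      }, 3000);
    }
  }

  $(document).ready(function () {
    // Banner option links open in a new tab. Added: rel=noopener alongside target=_blank,
    // so the opened document cannot reach window.opener (existing rel tokens are kept).
    setTimeout(function () {
      $('.article-banner .ab__options ul li a').each(function () {
        $(this).attr('target', "_blank");
        var rel = ($(this).attr('rel') || '').split(/\s+/).filter(Boolean);
        if (rel.indexOf('noopener') === -1) {
          rel.push('noopener');
        }
        $(this).attr('rel', rel.join(' '));
      });
    }, 4000);
    $(".do-not-sell-link a").on("click", function (event) {
      noSell(event);
    });
  });
</script>
<!-- End: Scripts Migrated From Unit42-v5 -->
</body>
</html>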
