โŒ

Reading view

Unit 42 Incident Response Retainer for AWS Security Incident Response

Palo Alto Networks Unit 42 and AWS Announce Expanded Collaboration, Launching No-Cost Retainer for AWS Security Incident Response available in AWS Marketplace

Speed is everything in todayโ€™s security landscape. From Unit 42ยฎโ€™s frontline experience responding to more than 500 incidents last year, we've seen that in nearly one in five incidents, attackers go from initial compromise to data exfiltration in less than an hour. It leaves almost no time to react.

The challenge is compounded by the distributed nature of the modern IT environment; cyberattacks are rarely confined to one location. In fact, 70 percent of incidents now span three or more attack surfaces, from endpoints and networks to multiple cloud environments. This complexity increases vulnerabilities, which is a key reason why 86 percent of major incidents disrupt business operations.

When a breach moves at this speed and crosses complex silos, an enterprise has two immediate, critical needs:

  1. Rapid, integrated expertise to contain the threat at its source within the cloud.
  2. Holistic, end-to-end investigation to determine the full scope of the attack, tracing the attacker's path wherever it leads, across all systems and environments.

The No-Cost Unit 42 IR Retainer Available on AWS Marketplace

Recognizing customers need a faster, more comprehensive incident response strategy in the cloud, Palo Alto Networks Unit 42 is expanding our partnership with Amazon Web Services (AWS) Security Incident Response service. The collaboration introduces a no-cost Unit 42 Incident Response Retainer, which is now available to qualified customers in AWS Marketplace. Our value-added offer provides qualified customers with rapid access to Unit 42โ€™s world-class investigative expertise and dramatically minimizes the critical time between an alert and full containment.

For qualified customers, here's what the no-cost Unit 42 Incident Response Retainer offers:

  • 250 hours of initial Unit 42 Incident Response services at no cost.
  • A 2-hour response time agreement for incident response.
  • 24/7/365 access to the Unit 42 Incident Response team.

As an AWS Security Incident Response Service Ready partner, this collaboration is designed to deliver seamless, end-to-end incident response and proactive security services. By combining Unit 42โ€™s deep experience in managing complex, legally privileged investigations with the rapid engagement of AWS Security Incident Response, organizations can resolve critical incidents faster and more comprehensively.

Unit 42 also offers preferred pricing to AWS Security Incident Response customers for proactive services through paid retainer offerings, also available in AWS Marketplace.

Hart Rossman, Vice President of Global Services Security, AWS:

When cyberattacks move at cloud speed, customers need immediate access to comprehensive expertise. By integrating Unit 42's end-to-end investigative capabilities with AWS Security Incident Response, we're delivering a unified response that helps customers contain threats faster and minimize business disruption. The no-cost retainer ensures they can activate the full scope of resources they need within minutes, not hours.

Effective response to a cloud breach demands deep technical skill and the ability to manage complexity under pressure. Unit 42 excels at managing high-stakes incidents. By coupling our expertise with AWS Security Incident Responseโ€™s capabilities to prepare, respond and recover from security incidents, Unit 42 offers customers a unified defense. Streamlining the entire process, from initial alert to final resolution, allows organizations to get back to business faster and limit operational disruption.

A Unified Front Against Complex Cloud Incidents

The collaboration is designed to solve a critical customer problem: Reduce the time and complexity of responding to incidents that span both AWS resources and the broader enterprise.

The combined offering delivers three key benefits, providing customers with a holistic and agile defense strategy:

  • Comprehensive Investigation: Unit 42โ€™s expertise enables an investigation across multiple environments, including endpoints, networks and other enterprise data sources, complementing AWSโ€™s incident response technologies and expertise.
  • Rapid, 24/7 Access to Experts: AWS Security Incident Response provides direct, 24/7 access to the AWS Customer Incident Response Team (CIRT), capable of engaging within minutes. Unit 42 is skilled at serving in the incident command role, coordinating efforts among internal stakeholders, other forensic and recovery vendors, as well as legal counsel.
  • Response Readiness with No-Cost Retainer: The offering removes the typical administrative and procurement overhead of incident response engagements. The added value ensures qualified customers can activate the full resources of Unit 42 instantly, often at the direction of counsel.

Availability

The Unit 42 Incident Response and proactive service offerings are available in AWS Marketplace today. More information on the partnership will be shared during AWS re:Invent 2025 (December 1-5, 2025).

To learn more, visit the Unit 42 listing available in AWS Marketplace.

The post Unit 42 Incident Response Retainer for AWS Security Incident Response appeared first on Palo Alto Networks Blog.

  •  

Why iPhone users should update and restart their devices now

If you were still questioning whether iOS 26+ is for you, now is the time to make that call.

Why?

On December 12, 2025, Apple patched two WebKit zeroโ€‘day vulnerabilities linked to mercenary spyware and is now effectively pushing iPhone 11 and newer users toward iOS 26+, because thatโ€™s where the fixes and new memory protections live. These vulnerabilities were primarily used in highly targeted attacks, but such campaigns are likely to expand over time.

WebKit powers the Safari browser and many other iOS applications, so itโ€™s a big attack surface to leave exposed and isnโ€™t limited to โ€œriskyโ€ behavior. These vulnerabilities allowed an attacker to execute arbitrary code on a device after exploitation via malicious web content.

Apple has confirmed that attackers are already exploiting these vulnerabilities in the wild, making installation of the update a highโ€‘priority security task for every user. Campaigns that start with diplomats, journalists, or executives often lead to tooling and exploits leaking or being repurposed, so โ€œIโ€™m not a targetโ€ is not a viable safety strategy.โ€‹

Due to public resistance to new features like Liquid Glass, many iPhone users have not yet upgraded to iOS 26.2. Reports suggest adoption of iOS 26 has been unusually slow. As of January 2026, only about 4.6% of active iPhones are on iOS 26.2, and roughly 16% are on any version of iOS 26, leaving the vast majority on older releases such as iOS 18.

However, Apple only ships these fixes and newer protections, such as Memory Integrity Enforcement, on iOS 26+ for supported devices. Users on older, unsupported devices wonโ€™t be able to access these protections at all.

Another important factor in the upgrade cycle is restarting the device. What many people donโ€™t realize is that when you restart your device, any memory-resident malware is flushedโ€”unless it has somehow gained persistence, in which case it will return. High-end spyware tools tend to avoid leaving traces needed for persistence and often rely on users not restarting their devices.

Upgrading requires a restart, which makes this a win-win: you get the latest protections, and any memory-resident malware is flushed at the same time.

For iOS and iPadOS users, you can check if youโ€™re using the latest software version, go to Settings > General > Software Update. Itโ€™s also worth turning on Automatic Updates if you havenโ€™t already. You can do that on the same screen.

How to stay safe

The most important fixโ€”however painful you may find itโ€”is to upgrade to iOS 26.2. Not doing means missing an accumulating list of security fixes, leaving your device vulnerable to more and more newly found vulnerabilities.

ย But here are some other useful tips:

  • Make it a habit to restart your device on a regular basis. The NSA recommends doing this weekly.
  • Do not open unsolicited links and attachments without verifying with the trusted sender.
  • Remember, Apple threat notifications will never ask users to click links, open files, install apps or ask for account passwords or verification code.
  • For Apple Mail users specifically, these vulnerabilities create risk when viewing HTML-formatted emails containing malicious web content.
  • Malwarebytes for iOS can help keep your device secure, with Trusted Advisor alerting you when important updates are available.
  • If you are a high-value target, or you want the extra level of security, consider using Appleโ€™s Lockdown Mode.

We donโ€™t just report on phone securityโ€”we provide it

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices byย downloading Malwarebytes for iOS, and Malwarebytes for Android today.

  •  

Exploitation of Critical Vulnerability in React Server Components (Updated December 12)

We discuss the CVSS 10.0-rated RCE vulnerability in the Flight protocol used by React Server Components. This is tracked as CVE-2025-55182.

The post Exploitation of Critical Vulnerability in React Server Components (Updated December 12) appeared first on Unit 42.

  •  

Why You Got Hacked โ€“ 2025 Super Edition

This article was written to provide readers with an overview of a selection of our pentest results from the last 15 months. This data was gathered toward the end of September 2025. Shockingly, the data does not differ much from our prior analyses conducted at the end of 2022 or 2023.

The post Why You Got Hacked โ€“ 2025 Super Edition appeared first on Black Hills Information Security, Inc..

  •  

Anatomy of an Akira Ransomware Attack: When a Fake CAPTCHA Led to 42 Days of Compromise

Unit 42 outlines a Howling Scorpius attack delivering Akira ransomware that originated from a fake CAPTCHA and led to a 42-day compromise.

The post Anatomy of an Akira Ransomware Attack: When a Fake CAPTCHA Led to 42 Days of Compromise appeared first on Unit 42.

  •  

Proxying Your Way to Code Execution โ€“ A Different Take on DLL Hijackingย 

While DLL hijacking attacks can take on many different forms, this blog post will explore a specific type of attack called DLL proxying, providing insights into how it works, the potential risks it poses, and briefly the methodology for discovering these vulnerable DLLs, which led to the discovery of several zero-day vulnerable DLLs that Microsoft has acknowledged but opted to not fix at this time.

The post Proxying Your Way to Code Execution โ€“ A Different Take on DLL Hijackingย  appeared first on Black Hills Information Security, Inc..

  •  

Wrangling the M365 UAL with SOF-ELK on EC2 (Part 2 of 3)

Patterson Cake // In PART 1 of โ€œWrangling the M365 UAL,โ€ we talked about the value of the Unified Audit Log (UAL), some of the challenges associated with acquisition, parsing, [โ€ฆ]

The post Wrangling the M365 UAL with SOF-ELK on EC2 (Part 2 of 3) appeared first on Black Hills Information Security, Inc..

  •  

Sshโ€ฆ Donโ€™t Tell Them I Am Not HTTPS: How Attackers Use SSH.exe as a Backdoor Into Your Network

Derek Banks // Living Off the Land Binaries, Scripts, and Libraries, known as LOLBins or LOLBAS, are legitimate components of an operating system that threat actors can use to achieve [โ€ฆ]

The post Sshโ€ฆ Donโ€™t Tell Them I Am Not HTTPS: How Attackers Use SSH.exe as a Backdoor Into Your Network appeared first on Black Hills Information Security, Inc..

  •  

Rogue RDP โ€“ Revisiting Initial Access Methods

Mike Felch // The Hunt for Initial Access With the default disablement of VBA macros originating from the internet, Microsoft may be pitching a curveball to threat actors and red [โ€ฆ]

The post Rogue RDP โ€“ Revisiting Initial Access Methods appeared first on Black Hills Information Security, Inc..

  •  

Securing the Cloud: A Story of Research, Discovery, and Disclosure

Jordan Drysdale // tl;dr BHIS made some interesting discoveries while working with a customer to audit their Amazon Web Services (AWS) infrastructure. At the time of the discovery, we found [โ€ฆ]

The post Securing the Cloud: A Story of Research, Discovery, and Disclosure appeared first on Black Hills Information Security, Inc..

  •  

Using CloudFront to Relay Cobalt Strike Traffic

Brian Fehrman // Many of you have likely heard of Domain Fronting. Domain Fronting is a technique that can allow your C2 traffic to blend in with a targetโ€™s traffic [โ€ฆ]

The post Using CloudFront to Relay Cobalt Strike Traffic appeared first on Black Hills Information Security, Inc..

  •  

Webcast: Attack Tactics 5 โ€“ Zero to Hero Attack

Timecode links take you to YouTube: 4:11 โ€“ Infrastructure & Background8:28 โ€“ Overview & Breakdown of Attack Methodology and Plans11:35 โ€“ Start of Attack (Gaining Access), Password Spraying Toolkit15:24 โ€“ [โ€ฆ]

The post Webcast: Attack Tactics 5 โ€“ Zero to Hero Attack appeared first on Black Hills Information Security, Inc..

  •  

BHIS Webcast: Py2k20 โ€“ Transitioning from Python2 to Python3

Joff Thyer// In this webcast, we talk about the 2020 End of Life for Python2. We address what the short and medium term impacts will likely be. Key language differences [โ€ฆ]

The post BHIS Webcast: Py2k20 โ€“ Transitioning from Python2 to Python3 appeared first on Black Hills Information Security, Inc..

  •  

BHIS PODCAST: Endpoint Security Got You Down? No PowerShell? No Problem.

Do your PowerShell scripts keep getting caught? Tired of dealing with EDRs & Windows Defender every time you need to pop a box?ย  In this one-hour podcast, originally recorded as [โ€ฆ]

The post BHIS PODCAST: Endpoint Security Got You Down? No PowerShell? No Problem. appeared first on Black Hills Information Security, Inc..

๐Ÿ’พ

  •  

Getting PowerShell Empire Past Windows Defender

Carrie Roberts //* (Updated 2/12/2020) ADVISORY: The techniques and tools referenced within this blog post may be outdated and do not apply to current situations. However, there is still potential [โ€ฆ]

The post Getting PowerShell Empire Past Windows Defender appeared first on Black Hills Information Security, Inc..

  •  

SSHazam: Hide Your C2 Inside of SSH

Carrie Roberts //* SSHazam is a method of running any C2 tool of your choice inside a standard SSH tunnel to avoid network detections. The examples here involve running PowerShell [โ€ฆ]

The post SSHazam: Hide Your C2 Inside of SSH appeared first on Black Hills Information Security, Inc..

  •  
โŒ