Tag: Palo Alto Networks

  • A New “Browser War” Is Coming: How AI Agents Are Reshaping Cybersecurity

    Palo Alto Networks CEO Nikesh Arora has sounded the alarm over the dawn of a new wave of “browser wars.”

    Speaking during the company’s Q4 2025 earnings call, he observed that Microsoft, Google, OpenAI, and Perplexity are all developing agent-driven AI tools that require browser access to perform tasks such as booking reservations or searching for housing. According to him, technology companies will begin embedding their own versions of these agents directly into browsers, though enterprise customers are likely to treat such innovations with caution.

    “What may benefit consumers poses serious risks for enterprises. No company wants a ‘lawless browser’ where agents operate unchecked,” he warned. In Arora’s view, businesses will ultimately prohibit the use of consumer-grade versions of these products and demand secure, enterprise-grade browsers instead.

    Palo Alto already offers such a solution—Prisma Access Browser, integrated into its Secure Access Service Edge (SASE) platform, which unifies the company’s network security offerings.

    Arora emphasized that Palo Alto’s strategy of “platformization”—selling clients integrated product suites—has been progressing successfully. He stressed that in a landscape where adversaries leverage AI and autonomous agents, organizations require comprehensive defense systems.

    “We’ve reached the era of the 25-minute attack. The question is no longer how much you spend on security, but rather: How quickly can you detect and stop it? If it takes longer than 25 minutes, I have bad news—those agents will exfiltrate your data and compromise your organization,” he cautioned.

    He further argued that defense requires consistent platforms capable of running secure, trusted agents. “We cannot deploy agents atop fragmented infrastructures. There is no agent that can seamlessly understand three different firewall vendors, two SASE providers, a browser, and seven other solutions,” he said.

    Arora also noted that agent technologies could worsen the threat landscape, as adversaries will inevitably employ them to conduct attacks. Thus, in his view, artificial intelligence will act as a catalyst for infrastructure consolidation, driving niche players out of the market in favor of larger, more unified platforms.

    Looking ahead, Arora identified AI-driven products, SASE, and virtual firewalls as the company’s key growth pillars—solutions that are rapidly gaining traction due to their agility and speed of deployment compared to traditional hardware-based systems.

  • HazyBeacon: New Windows Backdoor Uses AWS Lambda for Stealthy Cyber-Espionage in Southeast Asia

    Government institutions across Southeast Asia have found themselves at the center of a new cyber-espionage campaign aimed at harvesting sensitive information through a previously unknown Windows malware tool known as HazyBeacon. Tracked by Palo Alto Networks Unit 42 under the designation CL-STA-1020—where “CL” denotes a threat cluster and “STA” implies suspected state sponsorship—this activity underscores the evolving tactics of advanced threat actors.

    According to analyst Lior Rochberger, the attackers are targeting data related to governmental operations, including documentation on tariff measures and international trade disputes. In recent years, Southeast Asia has increasingly become a focal point for such incursions due to its strategic role in global diplomacy, military alliances, and its delicate balancing act between U.S. and Chinese interests. Gaining access to insights into domestic policy, infrastructure developments, and trade regulations provides adversaries with a substantial geopolitical edge.

    The precise vector through which HazyBeacon infiltrates devices remains undetermined, but researchers have identified the use of DLL sideloading techniques. Attackers place a malicious version of “mscorsvc.dll” adjacent to the legitimate Windows binary “mscorsvw.exe.” Once the binary runs, the malicious DLL initiates communication with a command-and-control server, enabling the download of additional modules and execution of arbitrary commands. Persistence is achieved via a system service that ensures the DLL is automatically invoked upon reboot.

    What distinguishes HazyBeacon is its use of AWS Lambda cloud URLs as a channel for command and control. This tactic enables the malware to blend in with legitimate cloud traffic, greatly complicating detection. Lambda functions operating over HTTPS provide adversaries with a resilient and virtually invisible control mechanism, leveraging Amazon’s trusted infrastructure.

    Detection efforts benefit from monitoring anomalous calls to domains such as “.lambda-url..amazonaws.com,” especially if initiated by unfamiliar processes. While the use of AWS alone is not inherently malicious, contextual analysis—such as examining process origins, parent-child relationships, and behavioral anomalies—can illuminate covert activity.
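    The two detection ideas above (Lambda URL traffic from an unfamiliar process, and mscorsvc.dll loaded by mscorsvw.exe from an unexpected location) as a small triage routine over constructed endpoint telemetry. This is an added illustration, not Unit 42's code; the event schema, the process allowlist, the "under C:\Windows" heuristic and the optional region label in the hostname pattern are assumptions.

```python
import re
from typing import Iterable

# Hostname shape cited above: a "lambda-url" label under amazonaws.com.
# The region label is assumed (the quoted pattern omits it), so it is optional.
LAMBDA_URL_RE = re.compile(r"(?:^|\.)lambda-url(?:\.[a-z0-9-]+)?\.amazonaws\.com$", re.I)

# Constructed allowlist: processes expected to reach Lambda URLs in this environment.
EXPECTED_LAMBDA_CLIENTS = {"chrome.exe", "msedge.exe", "aws-cli.exe"}

def is_lambda_url_host(host: str) -> bool:
    return LAMBDA_URL_RE.search(host.strip().lower()) is not None

def looks_sideloaded(image: str, module: str) -> bool:
    """mscorsvw.exe legitimately lives under the Windows directory; a copy of the
    pair elsewhere, or a DLL outside that directory, matches the sideloading pattern.
    (Heuristic assumption: a DLL dropped inside C:\\Windows needs file-create telemetry.)"""
    img, mod = image.lower(), module.lower()
    pair = img.endswith("\\mscorsvw.exe") and mod.endswith("\\mscorsvc.dll")
    outside = not img.startswith("c:\\windows\\") or not mod.startswith("c:\\windows\\")
    return pair and outside

def triage(events: Iterable[dict]) -> list[str]:
    """Return one finding string per suspicious event, in input order."""
    findings = []
    for e in events:
        proc = e["image"].rsplit("\\", 1)[-1].lower()
        if e["type"] == "network" and is_lambda_url_host(e["host"]):
            if proc not in EXPECTED_LAMBDA_CLIENTS:
                findings.append(f"lambda-url beacon from unexpected process {proc} "
                                f"(parent {e['parent']}) -> {e['host']}")
        elif e["type"] == "image_load" and looks_sideloaded(e["image"], e["module"]):
            findings.append(f"possible DLL sideloading: {e['image']} loaded {e['module']}")
    return findings

# Constructed sample telemetry; hostnames and paths are invented, not real indicators.
SAMPLE_EVENTS = [
    {"type": "network", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent": "explorer.exe", "host": "abc123.lambda-url.us-east-1.amazonaws.com"},
    {"type": "network", "image": r"C:\Users\Public\Libraries\mscorsvw.exe",
     "parent": "services.exe", "host": "xyz789.lambda-url.ap-southeast-1.amazonaws.com"},
    {"type": "image_load", "image": r"C:\Users\Public\Libraries\mscorsvw.exe",
     "module": r"C:\Users\Public\Libraries\mscorsvc.dll"},
    {"type": "image_load", "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe",
     "module": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll"},
    {"type": "network", "image": r"C:\Windows\System32\svchost.exe",
     "parent": "services.exe", "host": "update.example.com"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

The browser's Lambda URL connection is accepted because it is on the allowlist; the same host contacted by a service-spawned mscorsvw.exe outside the Windows directory is flagged, as is the image load of the adjacent mscorsvc.dll.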

    One of the downloaded modules functions as a document harvester, specifically searching for files with extensions like .doc, .docx, .xls, .xlsx, and .pdf. Notably, data collection is confined to a predefined time range, allowing attackers to surgically extract only recent and relevant documents. Analysts have recorded attempts to access information pertaining to recent U.S. tariff decisions.

    To exfiltrate data, the attackers abuse popular cloud storage platforms such as Google Drive and Dropbox. This approach allows the transfer of stolen files to masquerade as routine user activity. However, in the instance analyzed by Unit 42, these efforts were thwarted by active security measures.

    In the final phase of the intrusion, the perpetrators execute commands to erase their digital footprints—removing temporary archives, downloaded payloads, and other artifacts generated during the operation.

    Experts assess that HazyBeacon serves as a primary tool for persistence and data exfiltration. The campaign exemplifies how threat actors are increasingly harnessing legitimate cloud platforms as covert communication and control channels.

    This strategy aligns with the broader trend known as Living-off-Trusted-Sites (LoTS), wherein malicious actors leverage legitimate APIs—such as those from Google Workspace, Microsoft Teams, or Dropbox—to circumvent security mechanisms and maintain long-term access within target environments.

  • African Financial Institutions Targeted: “CL-CRI-1014” IAB Uses Open-Source Tools & Forged Signatures for Covert Access

    For nearly a year, a hacker collective has been orchestrating a large-scale campaign targeting the financial sector across Africa. Experts from Unit 42 at Palo Alto Networks have sounded the alarm, tracking this operation under the designation CL-CRI-1014. According to the company, the abbreviation denotes a “criminally motivated cluster,” highlighting the attackers’ clear commercial intent.

    The primary objective of the threat actors is to gain initial access to organizational infrastructure, which they subsequently resell to other criminal groups via underground forums. In this capacity, the group operates as a typical initial access broker—posing a significant threat to institutions that store vast amounts of financial and personal data.

    To execute their intrusions, the hackers employ a well-established arsenal that is often indistinguishable from legitimate software. Their toolkit includes PoshC2 for command-and-control operations, Chisel for traffic tunneling and evading network restrictions, and Classroom Spy for remote monitoring of compromised systems.

    Particular attention has been drawn to the group’s methods of obfuscation. They forge digital file signatures by mimicking those of well-known, legitimate applications. This tactic camouflages malicious code and complicates detection. Additionally, they adopt the icons of widely used software such as Microsoft Teams, Palo Alto Cortex, and Broadcom VMware Tools, allowing the malware to blend in visually with benign programs.

    Once inside the network, the attackers establish persistence through three distinct mechanisms: creating a system service, placing a malicious shortcut in the Windows startup folder, and adding a scheduled task labeled “Palo Alto Cortex Services.” This ensures the continued presence of the malware, even after system reboots.

    In several cases, user credentials were exfiltrated and leveraged to deploy proxy servers, effectively concealing communication between infected endpoints and command-and-control infrastructure. Some variants of PoshC2, researchers report, were specifically tailored to the targeted environments.

    Notably, attacks involving PoshC2 have previously been observed within Africa’s financial landscape. In September 2022, Check Point detailed the DangerousSavanna campaign, which relied on spear-phishing to distribute Metasploit, PoshC2, DWservice, and AsyncRAT. The victims included banks and insurance firms in Côte d’Ivoire, Morocco, Cameroon, Senegal, and Togo.

    Such incidents starkly illustrate how the boundaries between legitimate software and criminal misuse can blur in the face of sophisticated threats. When attackers appropriate familiar tools, replicate authentic signatures, and disguise malware with commonplace icons, conventional defenses often prove insufficient.

    For organizations, this underscores a fundamental truth: security cannot rely solely on superficial indicators or formal credentials. Genuine protection demands relentless vigilance, in-depth inspection, and an unwavering readiness to confront threats that may be hidden behind the most familiar user interface—especially in critical sectors like finance, where the cost of a misstep transcends money and touches trust itself.