SOC BRIEFING: Amazon Bedrock Multi-Agent AI Attack Surface

SUMMARY:
Unit 42 identified new attack surfaces and prompt injection vulnerabilities in Amazon Bedrock's multi-agent AI applications. This matters because prompt injection can manipulate AI agents to bypass security controls, exfiltrate data, or execute unintended actions at scale.

TRIAGE:
Medium — No active CVEs or exploits reported, but prompt injection is a known attack vector. Prioritize if your organization uses Bedrock multi-agent systems in production.

IOC HUNT:
1. CloudTrail logs — Search for `bedrock:InvokeAgent` or `bedrock:InvokeModel` calls with unusual input patterns (e.g., encoded payloads, instruction overrides, role-play requests).
2. Application logs — Query for prompt inputs containing injection keywords: `ignore previous`, `system override`, `execute as`, or similar jailbreak patterns.
3. Bedrock API responses — Monitor for unexpected agent behavior: agents performing actions outside their defined scope or returning sensitive data.

MITRE:
- T1589 (Gather Victim Identity Information) — Agents extracting unintended data
- T1566 (Phishing) — Prompt injection as social engineering vector
- T1059 (Command and Scripting Interpreter) — Malicious prompts as code execution

ACTION:
Review Bedrock agent configurations and input validation rules. Implement strict prompt filtering and role-based constraints on agent capabilities. Escalate to cloud security team for architectural review of multi-agent deployments.

SOC BRIEFING: Axios Supply Chain Attack

SUMMARY:
A supply chain attack targeted Axios, compromising the software distribution mechanism to deliver malicious payloads to downstream users. This represents a high-risk vector affecting any organization using Axios dependencies, requiring immediate inventory and detection efforts.

TRIAGE:
HIGH — Supply chain compromises have broad blast radius and delayed detection windows. Prioritize identification of affected systems and lateral movement indicators within 2 hours.

IOC HUNT:
1. Package Repository Logs — Query npm/package manager logs for Axios version downloads between attack window; correlate with internal deployment records for version mismatches.
2. Process Execution — Hunt for suspicious child processes spawned by Node.js/application processes using Axios (look for cmd.exe, PowerShell, curl, wget execution).
3. Network Egress — Search DNS/proxy logs for C2 domains and unusual outbound connections from systems running affected Axios versions; focus on non-standard ports.

MITRE:
- T1195.002 — Supply Chain Compromise (Compromised Software)
- T1195.001 — Compromise Software Dependencies
- T1059.001 — Command and Scripting Interpreter (PowerShell/Bash)
- T1071.001 — Application Layer Protocol (HTTP/HTTPS C2)

ACTION:
Immediately audit all Axios package versions in use across development and production environments; cross-reference against Unit 42's published IOCs and block identified malicious versions at the package manager level. Isolate any system with confirmed affected versions pending forensic analysis.

SOC BRIEFING: TeamPCP Supply Chain Attack & Vect Ransomware Partnership

SUMMARY:
TeamPCP threat actor has announced a partnership with the Vect ransomware group and continues executing multi-stage supply chain attacks targeting security infrastructure vendors. This alliance significantly increases attack sophistication and ransomware deployment risk across downstream customers.

TRIAGE:
HIGH — Immediate investigation priority. Supply chain compromises have broad blast radius; ransomware partnership indicates intent to monetize access at scale. Escalate to incident response if any affected vendor products are deployed in your environment.

IOC HUNT:
1. Log source: Network egress logs — hunt for C2 beacons to known TeamPCP/Vect infrastructure (request IOCs from Unit 42 report)
2. Query: `EventID=3 AND Image="*security_vendor_process*" AND DestinationPort NOT IN (80,443,53)` (Splunk/Windows Event Logs)
3. Log source: Endpoint execution logs — monitor for unsigned or recently-modified binaries from security software installation directories

MITRE:
- T1195.002 — Supply Chain Compromise: Software Supply Chain
- T1195.003 — Supply Chain Compromise: Hardware Supply Chain
- T1566.002 — Phishing: Spearphishing Link (initial access vector)
- T1486 — Data Encrypted for Impact (ransomware deployment)

ACTION:
Immediately inventory all security infrastructure vendors in use (EDR, SIEM, firewalls, etc.). Cross-reference against Unit 42's affected vendor list. For confirmed affected products, isolate systems pending patch availability and increase monitoring for lateral movement and data exfiltration.

SOC BRIEFING: GCP Vertex AI "Double Agent" Vulnerability

SUMMARY:
Unit 42 identified a privilege escalation flaw in Google Cloud Vertex AI where overprivileged AI agents can be manipulated to compromise cloud environments. This affects organizations using Vertex AI with excessive IAM permissions, creating a lateral movement and data exfiltration risk.

TRIAGE:
High — No active CVE/EPSS scoring yet, but the attack chain is demonstrated and exploitable in production environments. Prioritize if your organization runs Vertex AI agents with broad IAM roles.

IOC HUNT:
1. GCP Cloud Audit Logs: Filter for `protoPayload.methodName` containing "aiplatform.googleapis.com" AND `protoPayload.status.code != 0` (failed auth attempts on Vertex AI)
2. IAM Activity: Hunt for service accounts with `roles/aiplatform.admin` or `roles/iam.securityAdmin` assigned to Vertex AI agent principals
3. Splunk/KQL: `resource.type="aiplatform.googleapis.com" | where severity="ERROR" or severity="WARNING"` — look for unusual agent behavior or permission escalations

MITRE:
- T1078.004 (Valid Accounts: Cloud Accounts) — Agent credential abuse
- T1548.005 (Abuse Elevation Control Mechanism: Temporary Elevated Cloud Access) — Privilege escalation via overprivileged agent
- T1526 (Cloud Service Discovery) — Agent reconnaissance of cloud environment

ACTION:
Audit all Vertex AI service account IAM bindings immediately. Remove overprivileged roles (Admin, SecurityAdmin) and apply least-privilege: replace with `roles/aiplatform.user` or custom roles limited to required APIs only. Document findings in your CMDB.

SOC BRIEFING: Iranian Cyber Activity Escalation (March 2026)

SUMMARY:
Unit 42 reports escalated Iranian cyberattack activity including phishing campaigns, hacktivist operations, and cybercrime initiatives. This represents a notable uptick in threat volume and warrants immediate defensive posture review across email and network perimeters.

TRIAGE:
HIGH — No active exploits or zero-days identified (CVSS 0.0), but phishing campaigns pose immediate compromise risk. Prioritize email gateway and endpoint logs for the next 24 hours.

IOC HUNT:
1. Email Gateway Logs: Search for phishing indicators from Unit 42 report (obtain specific sender domains/URLs from full brief); filter on failed authentication attempts and suspicious attachment types.
2. Endpoint/EDR: `process.name == "powershell.exe" OR process.name == "cmd.exe"` + suspicious parent processes (outlook.exe, winword.exe) — correlate with recent email delivery times.
3. Network/Proxy Logs: Hunt for C2 beaconing to Iranian IP ranges or known hacktivist infrastructure; cross-reference with OSINT feeds (Shodan, GreyNoise).

MITRE:
- T1566.002 — Phishing: Spearphishing Link
- T1566.001 — Phishing: Spearphishing Attachment
- T1598 — Phishing for Information
- Tactic: Initial Access, Reconnaissance

ACTION:
Issue immediate alert to all users: do not click links or open attachments from untrusted senders. Escalate any confirmed phishing clicks to IR team for credential reset and endpoint forensics within 1 hour.

SOC BRIEFING: Southeast Asian Government Cyberespionage Campaign

SUMMARY:
Unit 42 identified multiple coordinated cyberespionage clusters targeting a Southeast Asian government organization using USBFect malware, remote access trojans (RATs), and loaders. This represents a converging threat landscape where multiple threat actors are simultaneously targeting the same government entity, indicating high-value intelligence collection objectives.

TRIAGE:
HIGH — No active CVE exploitation or widespread impact detected, but persistent espionage activity against government infrastructure demands immediate investigation and threat hunting to identify lateral movement and data exfiltration.

IOC HUNT:
1. Endpoint/Memory: Hunt for USBFect signatures, RAT process execution, and loader artifacts in process trees; search for suspicious USB device access logs and AutoRun registry modifications.
2. Network: Query for C2 communications, DNS queries to suspicious domains, and lateral movement patterns (SMB, RDP, WinRM) between government workstations.
3. Splunk/KQL: `(process.name:*loader* OR process.name:*rat* OR file.name:*USBFect*) AND host.department:government` — adjust for your environment naming conventions.

MITRE:
- T1566.002 — Phishing: Spearphishing Attachment
- T1547.001 — Boot or Logon Autostart Execution: Registry Run Keys
- T1021.002 — Remote Services: SMB/Windows Admin Shares
- T1005 — Data from Local System
- T1041 — Exfiltration Over C2 Channel

ACTION:
Immediately isolate and forensically image any systems showing USBFect, RAT, or loader indicators; disable USB ports on government workstations pending full threat assessment; escalate to CISO and coordinate with government security partners for threat intelligence sharing.

SOC BRIEFING: Palo Alto Networks Impersonation Phishing Campaign

SUMMARY:
Unit 42 identified a recruitment phishing campaign impersonating Palo Alto Networks' talent acquisition team, targeting senior professionals with fraudulent resume fee schemes. This threat matters because it exploits trust in a recognized vendor brand to compromise high-value targets who may have elevated access or sensitive information.

TRIAGE:
Severity: Medium | Priority: High
No active exploitation or CVEs identified, but social engineering targeting senior staff poses credential compromise and data exfiltration risk. Investigate immediately if any internal staff engaged with suspicious recruiter communications.

IOC HUNT:
1. Email logs: Search for sender addresses impersonating `@paloaltonetworks.com` or similar domains; filter for recruitment/HR keywords ("resume," "talent acquisition," "hiring")
2. Web proxy/DNS: Hunt for credential submission to non-PAN domains following recruiter contact; monitor for typosquatting domains mimicking paloaltonetworks.com
3. Splunk/KQL: `index=email sender="*paloaltonetworks*" OR sender="*talent*" | stats count by sender, recipient | where count=1` (identify one-off recruiter emails)

MITRE:
- T1566.002 – Phishing: Spearphishing Link
- T1598.003 – Phishing for Information: Spearphishing Link
- T1589.001 – Gather Victim Identity Information: Credentials

ACTION:
Issue immediate alert to senior staff (C-suite, engineering, security teams) warning against unsolicited recruiter contact requesting resume fees or credential verification; request they report suspicious emails to SOC for analysis.

SOC BRIEFING: Google Cloud Authenticator Analysis

SUMMARY:
Unit 42 published technical analysis of Google's synced passkey architecture used in passwordless authentication systems, detailing key management mechanisms and secure communication protocols. This is educational threat research—not an active threat—but understanding these mechanisms is critical for detecting authentication bypass attempts and passkey compromise in your environment.

TRIAGE:
Medium — Not an active vulnerability or exploit. Prioritize only if your organization uses Google Cloud Authenticator or synced passkeys in production; otherwise, defer to lower priority for defensive knowledge building.

IOC HUNT:
1. Authentication logs: Search for unusual passkey registration events or out-of-band authentication confirmations in Google Workspace/Cloud Identity logs (look for `authentication_type=passkey` or `mfa_method=synced_passkey`)
2. Endpoint logs: Hunt for suspicious Google Authenticator app installations or updates on non-managed devices using EDR (Splunk: `process_name="*authenticator*" AND parent_process!=trusted_installer`)
3. Network logs: Monitor for unexpected communication to Google's passkey sync infrastructure (`*.google.com` on ports 443 with TLS fingerprints matching Google services)

MITRE:
- T1556.006 — Modify Authentication Process: Multi-Factor Authentication (understanding passkey mechanisms aids detection of MFA bypass)
- T1187 — Forced Authentication (relevant if attackers attempt to intercept passkey sync)

ACTION:
Audit your organization's passkey deployment: confirm all synced passkeys are backed by hardware security keys or encrypted device storage, and enable audit logging for all passkey registration and authentication events in your identity provider.

SOC BRIEFING: Retail Fraud via Agentic AI

SUMMARY:
Palo Alto Unit 42 has published research on retail fraud exploitation through agentic AI systems, focusing on prompt injection attacks that manipulate AI agents into bypassing security controls or executing unauthorized transactions. This threat is significant because autonomous AI agents in retail environments (inventory, payment, customer service) can be weaponized at scale without traditional authentication barriers.

TRIAGE:
Medium — No active CVE or widespread exploitation confirmed yet. However, prioritize investigation if your organization deploys AI agents in customer-facing or transaction-processing workflows. This is an emerging threat class requiring proactive detection posture.

IOC HUNT:
1. Web Application Logs: Search for unusual prompt patterns in API calls to AI chatbots/agents (keywords: "ignore instructions," "system override," "execute command," "bypass validation")
2. Transaction Logs: Query for anomalous order patterns—rapid micro-transactions, unusual shipping addresses, or orders placed outside normal business hours from same session
3. AI Agent Audit Logs: If available, hunt for decision logs where agent actions deviate from expected parameters or user intent (e.g., refunds issued without authorization)

MITRE:
- T1589 (Gather Victim Identity Information) — Agents extracting customer/payment data
- T1566 (Phishing) — Prompt injection as social engineering vector
- T1021 (Remote Services) — Unauthorized agent-executed transactions

ACTION:
Immediately audit all AI agent configurations in production: verify input sanitization on user prompts, enforce strict output validation before transaction execution, and implement human-in-the-loop approval for high-value operations. Document current agent decision logic as baseline for anomaly detection.

SOC BRIEFING: AI-Enhanced Malware Threat Landscape

SUMMARY:
Unit 42 published research documenting the evolving integration of AI capabilities into malware, ranging from basic implementations to sophisticated autonomous decision-making systems. This matters because AI-augmented malware can adapt evasion tactics, optimize payload delivery, and make real-time targeting decisions—significantly outpacing traditional signature-based detection.

TRIAGE:
Medium — Informational threat landscape update. No active CVEs, exploits, or IOCs provided. Prioritize after critical incidents; use to inform detection tuning and threat hunting strategy.

IOC HUNT:
1. Endpoint logs: Search for unusual process spawning patterns, memory injection, or behavioral anomalies consistent with adaptive malware (PowerShell obfuscation, reflective DLL injection, process hollowing).
2. Network logs: Hunt for C2 communications with variable beacon intervals, encrypted payloads, or dynamic domain generation—indicators of AI-driven command logic.
3. Query example: `index=main EventCode=1 Image="*powershell*" CommandLine="*-enc*" OR CommandLine="*-nop*" | stats count by ComputerName, CommandLine`

MITRE:
- T1027 (Obfuscation or Encryption: Software Packing) — AI optimizing evasion
- T1071 (Application Layer Protocol) — AI-driven C2 adaptation
- T1036 (Masquerading) — Dynamic behavior mimicry
- TA0005 (Defense Evasion) — Core tactic

ACTION:
Review and enhance behavioral detection rules for polymorphic/adaptive malware patterns. Coordinate with threat intel team to integrate Unit 42 findings into your detection engineering roadmap; prioritize ML-based anomaly detection for process execution and network traffic.