10 Items | 0 CISA KEV | 0 Critical | 0 High | 3 Top Score
Today's Intelligence — Sorted by Priority
unit42.paloaltonetworks.com
SOC BRIEFING: Amazon Bedrock Multi-Agent AI Attack Surface

SUMMARY: Unit 42 identified new attack surfaces and prompt injection vulnerabilities in Amazon Bedrock's multi-agent AI applications. This matters because prompt injection can manipulate AI agents to bypass security controls, exfiltrate data, or execute unintended actions within your cloud infrastructure.

TRIAGE: Medium — No active CVEs or exploits in the wild yet, but this represents an emerging threat class. Prioritize if your organization uses Amazon Bedrock with multi-agent configurations.

IOC HUNT:
1. CloudTrail logs: Search for `bedrock:InvokeAgent` and `bedrock:InvokeModel` calls with unusual input parameters or repeated failures
2. Application logs: Hunt for suspicious prompt patterns (e.g., "ignore previous instructions," "execute as admin," encoded payloads) in Bedrock API requests
3. Splunk/KQL query: `source="cloudtrail" eventName="InvokeAgent" | stats count by userIdentity.principalId, sourceIPAddress | where count > threshold`

MITRE:
- T1589 (Gather Victim Identity Information) — Prompt injection to extract system/user data
- T1110 (Brute Force) — Fuzzing prompts to find injection vectors
- T1021.004 (Remote Services: SSH) — Potential lateral movement if agent has cloud credential access

ACTION: Review and enforce input validation/sanitization on all Bedrock API calls; implement prompt filtering and rate-limiting on multi-agent workflows. Document which agents have access to sensitive data or AWS credentials and restrict accordingly.
unit42.paloaltonetworks.com
SOC BRIEFING: Axios Supply Chain Attack

SUMMARY: A supply chain attack compromised the Axios package, potentially affecting downstream users and applications that depend on this library. This represents a critical distribution vector for malware deployment across multiple organizations simultaneously.

TRIAGE: HIGH — Immediate investigation priority. Supply chain compromises have broad blast radius; requires urgent inventory of Axios usage and version audit across all systems.

IOC HUNT:
1. Package Repository Logs: Query npm registry access logs for Axios package downloads during attack window; correlate with internal package manager logs for installation timestamps.
2. Process Execution: Hunt for suspicious child processes spawned by applications using Axios (Node.js, npm processes); look for unsigned executables or unexpected network connections.
3. Network Egress: Monitor DNS/HTTP logs for C2 beaconing from systems running affected Axios versions; search for connections to non-standard ports from application servers.

MITRE:
- T1195.001 — Supply Chain Compromise (Compromise Software Dependencies)
- T1195 — Supply Chain Compromise
- T1566.002 — Phishing: Spearphishing Attachment (if initial compromise vector)

ACTION: Immediately audit all systems for Axios package presence and version. Cross-reference against Unit 42's published IOCs and malware signatures. Isolate any systems running confirmed vulnerable versions pending patched release; block outbound connections from affected hosts pending full forensic analysis.
unit42.paloaltonetworks.com
SOC BRIEFING: TeamPCP Supply Chain Attack Partnership

SUMMARY: TeamPCP threat group has announced a partnership with Vect ransomware operators and continues executing multi-stage supply chain attacks targeting security infrastructure vendors. This alliance significantly increases attack sophistication and ransomware deployment risk across downstream customers.

TRIAGE: HIGH — Immediate investigation priority. Supply chain compromises have broad blast radius; security tool vendors are high-value targets. Assess whether your organization uses affected vendor products.

IOC HUNT:
1. Endpoint/EDR: Hunt for suspicious child processes spawned by security software (e.g., antivirus, EDR agents); focus on unsigned binaries or scripts with network callbacks.
2. Network: Query DNS/proxy logs for unusual outbound connections from security vendor infrastructure or management consoles; flag C2 domains associated with Vect ransomware.
3. Log Source: Review vendor software update/patch logs for unexpected modifications; cross-reference with Palo Alto Unit 42 IOCs once published.

MITRE:
- T1195 — Supply Chain Compromise
- T1195.003 — Compromise Software Supply Chain
- T1566 — Phishing (initial access vector)
- T1059 — Command and Scripting Interpreter (post-compromise execution)

ACTION: Immediately inventory all security vendor software in use (EDR, antivirus, SIEM agents, etc.). Cross-reference against Palo Alto Unit 42's published IOCs and vendor security advisories. Prioritize patching or isolating any affected products within 24 hours.
unit42.paloaltonetworks.com
SOC BRIEFING: GCP Vertex AI "Double Agent" Vulnerability

SUMMARY: Unit 42 identified a privilege escalation flaw in Google Cloud Vertex AI where overprivileged AI agents can be manipulated to compromise cloud environments. This affects organizations using Vertex AI with excessive IAM permissions, creating a lateral movement and data exfiltration risk.

TRIAGE: HIGH — No active CVE/EPSS scoring yet, but the attack chain is demonstrated and exploitable. Prioritize if your organization runs Vertex AI agents with broad IAM roles (Editor, Owner, or custom roles with `aiplatform.*` permissions).

IOC HUNT:
1. GCP Cloud Audit Logs: Filter for `protoPayload.methodName` containing `aiplatform.googleapis.com` + unusual `protoPayload.request.name` patterns or service account impersonation
2. Vertex AI Agent Activity: Search for agent executions (`google.cloud.aiplatform.v1.PredictionService.Predict`) followed by unexpected `compute.instances.get`, `storage.buckets.list`, or `iam.serviceAccounts.getAccessToken` calls
3. IAM Changes: Hunt for `SetIamPolicy` events on service accounts used by Vertex AI agents within 24 hours of agent deployment

MITRE:
- T1078.004 (Valid Accounts: Cloud Accounts) — Agent assumes overprivileged service account identity
- T1526 (Cloud Service Discovery) — Agent enumerates cloud resources
- T1537 (Transfer Data to Cloud Account) — Exfiltration via compromised agent

ACTION: Audit all Vertex AI agent service accounts immediately. Apply least-privilege IAM roles — replace Editor/Owner with custom roles limited to `aiplatform.predict` and specific resource scopes. Disable unused APIs and implement resource quotas on agent-linked service accounts.
unit42.paloaltonetworks.com
SOC BRIEFING: Iranian Cyber Activity Escalation (March 2026)

SUMMARY: Unit 42 reports escalated Iranian cyberattack activity including phishing campaigns, hacktivist operations, and cybercrime initiatives. This represents a notable uptick in threat volume and warrants immediate defensive posture review across email and network perimeters.

TRIAGE: HIGH — No active exploits or zero-days identified (CVSS 0.0), but phishing campaigns pose immediate compromise risk. Prioritize email gateway and endpoint logs for the next 24 hours.

IOC HUNT:
1. Email Gateway Logs: Search for phishing indicators from Unit 42 report; filter on sender reputation, URL redirects, and attachment types flagged as suspicious.
2. Endpoint/EDR: `process where parent_process in ("outlook.exe", "chrome.exe") and (command_line contains "powershell" or command_line contains "cmd")` — detect post-phishing execution chains.
3. DNS/Proxy Logs: Query for known Iranian threat actor C2 domains and newly registered lookalike domains matching your organization's name.

MITRE:
- T1566.002 — Phishing: Spearphishing Link
- T1566.001 — Phishing: Spearphishing Attachment
- T1598 — Phishing for Information
- Tactic: Initial Access, Reconnaissance

ACTION: Issue immediate email alert to all staff warning of Iranian phishing campaigns; enable URL rewriting/sandboxing on email gateway if not already active; request Unit 42 full IOC list and load into SIEM/EDR within 2 hours.
unit42.paloaltonetworks.com
SOC BRIEFING: Southeast Asian Government Cyberespionage Campaign

SUMMARY: Unit 42 identified multiple coordinated cyberespionage clusters targeting a Southeast Asian government organization using USBFect malware, RATs, and loaders. This represents a converging threat landscape where multiple threat actors are simultaneously targeting the same government entity, increasing compromise risk and data exfiltration likelihood.

TRIAGE: HIGH — Multi-cluster espionage activity indicates sustained, resourced adversaries with government-level targeting. Immediate investigation required if your organization operates in Southeast Asia or supports government entities in the region.

IOC HUNT:
1. Process execution logs — Hunt for USBFect indicators: search for suspicious USB-related processes, DLL injection, and unsigned executables in `Sysmon Event ID 1` or `Process Creation` logs
2. Network traffic — Query for C2 beaconing patterns: filter `Destination Port` anomalies, unusual outbound connections to non-standard ports in firewall/proxy logs
3. File system monitoring — Search for RAT/loader artifacts: look for suspicious files in `%TEMP%`, `%AppData%`, and removable media mount points using `Sysmon Event ID 11` (File Created)

MITRE:
- T1566.002 — Phishing: Spearphishing Attachment
- T1547.001 — Boot or Logon Autostart Execution: Registry Run Keys
- T1059.003 — Command and Scripting Interpreter: Windows Command Shell
- T1041 — Exfiltration Over C2 Channel
- T1570 — Lateral Tool Transfer

ACTION: Immediately isolate and forensically image any systems showing USBFect/RAT indicators. Block identified C2 domains/IPs at perimeter. Escalate to incident response and threat intelligence teams for full campaign correlation analysis.
unit42.paloaltonetworks.com
SOC BRIEFING: Palo Alto Networks Impersonation Recruitment Phishing

SUMMARY: Unit 42 identified an active phishing campaign impersonating Palo Alto Networks recruiters to target senior professionals, typically requesting fraudulent resume processing fees. This threat exploits trust in legitimate hiring processes and targets high-value individuals who may have elevated access or sensitive information.

TRIAGE:
Severity: HIGH
Investigation Priority: Immediate — focus on email logs and user reporting from the past 30 days for recruitment-themed messages from external senders.

IOC HUNT:
1. Email Gateway Logs: Search for messages with subject lines containing "Palo Alto," "PANW," "recruitment," "resume," or "hiring" from non-corporate domains; filter for attachments or payment requests.
2. Splunk Query: `sourcetype=email sender!="*@paloaltonetworks.com" subject IN ("*recruitment*", "*resume*", "*hiring*") | stats count by sender, recipient`
3. User Reporting: Cross-reference helpdesk tickets and phishing report submissions mentioning job offers or recruiter contact in the past 14 days.

MITRE:
- T1566.002 – Phishing: Spearphishing Link
- T1598.003 – Phishing for Information: Spearphishing Link
- T1566.001 – Phishing: Spearphishing Attachment
- Tactic: Initial Access, Reconnaissance

ACTION: Issue immediate user alert via email/Slack warning staff to verify recruiter identity directly through official Palo Alto Networks HR channels before engaging; block identified sender domains at mail gateway and escalate any confirmed clicks/replies to incident response.
unit42.paloaltonetworks.com
SOC BRIEFING: Google Cloud Authenticator Analysis

SUMMARY: Unit 42 published technical analysis of Google's synced passkey architecture used in passwordless authentication systems, detailing key management mechanisms and secure communication protocols. This is educational threat research with no active CVEs or exploits identified, but understanding these mechanisms is critical for detecting authentication bypass attempts in your environment.

TRIAGE: Medium — No active threat detected. Prioritize for defensive knowledge building rather than incident response. Review if your organization uses Google Cloud Authenticator or similar passkey systems.

IOC HUNT:
1. Authentication logs: Search for unusual passkey enrollment events or out-of-band authentication challenges in Google Workspace/Cloud Identity logs (look for `authentication_type=passkey` or `mfa_method=synced_passkey`)
2. Endpoint logs: Hunt for suspicious credential synchronization or key material access via process execution logs (`GoogleAuthenticator.exe`, `gcloud auth` commands with unusual flags)
3. Network logs: Monitor for unexpected communication to Google's key sync endpoints or anomalous TLS certificate pinning failures

MITRE:
- T1556 (Modify Authentication Process) — Passkey architecture manipulation
- T1187 (Forced Authentication) — Potential out-of-band auth interception vectors
- T1111 (Multi-Factor Authentication Interception) — Synced passkey compromise scenarios

ACTION: Audit your organization's passwordless authentication deployment: verify passkey sync is restricted to managed devices only, confirm device attestation is enforced, and validate that recovery codes are stored offline and encrypted. Document baseline for future anomaly detection.
unit42.paloaltonetworks.com
SOC BRIEFING: Retail Fraud via Agentic AI

SUMMARY: Palo Alto Unit 42 has published research on retail fraud exploitation using agentic AI systems, focusing on prompt injection attacks that manipulate AI agents into bypassing security controls or authorizing fraudulent transactions. This represents an emerging attack vector against automated retail systems where AI agents make autonomous decisions on purchases, refunds, and account modifications.

TRIAGE: Medium — No active CVE or widespread exploitation confirmed. Prioritize investigation only if your organization operates AI-driven retail systems, automated approval workflows, or chatbot-based customer service with transaction authority.

IOC HUNT:
1. Web Application Logs: Search for unusual prompt patterns in chatbot/AI agent inputs containing injection keywords ("ignore previous instructions," "system override," "execute as admin")
2. Transaction Logs: Query for refunds/orders approved outside normal parameters, especially those initiated through chat interfaces or automated systems
3. API Logs: Hunt for anomalous API calls from AI agent service accounts with elevated permissions or unusual request patterns

MITRE:
- T1589 (Gather Victim Identity Information) — AI agents extracting customer data
- T1566 (Phishing) — Social engineering via prompt injection
- T1021 (Remote Services) — AI agents accessing backend systems
- Tactic: Initial Access, Execution

ACTION: If you operate agentic AI systems in retail: Immediately audit AI agent permissions and restrict transaction authority. Implement input validation/sanitization on all AI agent prompts and require human approval for refunds/high-value transactions regardless of AI recommendation.
unit42.paloaltonetworks.com
SOC BRIEFING: AI Integration in Malware

SUMMARY: Unit 42 published research documenting how threat actors are integrating AI capabilities into malware, ranging from basic implementations to sophisticated autonomous decision-making systems. This matters because AI-enhanced malware can adapt evasion tactics, optimize payload delivery, and complicate detection—requiring SOC teams to evolve detection strategies accordingly.

TRIAGE: Medium — Informational/Strategic. No active CVEs, exploits, or IOCs identified. Prioritize after critical incidents, but review for detection rule gaps within 2 weeks.

IOC HUNT:
1. Endpoint logs: Search for unusual Python/ML library imports (TensorFlow, PyTorch, scikit-learn) in process execution or script analysis—`process.command_line contains ("tensorflow" OR "pytorch" OR "sklearn")`
2. Network logs: Hunt for connections to known ML model repositories or training infrastructure (Hugging Face, GitHub raw content, S3 buckets)—`destination.domain in ("huggingface.co", "raw.githubusercontent.com") AND process.name NOT IN (approved_dev_tools)`
3. Behavioral analytics: Monitor for malware exhibiting adaptive behavior—multiple failed C2 reconnection attempts with varying parameters or evasion technique switching

MITRE:
- T1036 (Obfuscation or Masquerading) — Evasion
- T1087 (Account Discovery) — Reconnaissance
- T1565 (Data Manipulation) — Impact
- T1583 (Acquire Infrastructure) — Resource Development

ACTION: Review and update detection rules for process injection, C2 communication, and lateral movement to flag *adaptive* or *iterative* behavior patterns rather than static signatures. Coordinate with threat intel to monitor Unit 42's full research for IOCs as they emerge.