10 Items | 0 CISA KEV | 0 Critical | 0 High | 3 Top Score
Today's Intelligence — Sorted by Priority
unit42.paloaltonetworks.com
SOC BRIEFING: Amazon Bedrock Multi-Agent AI Attack Surface

SUMMARY: Unit 42 identified new attack surfaces and prompt injection vulnerabilities in multi-agent AI systems deployed on Amazon Bedrock. This matters because prompt injection attacks can manipulate AI agents to bypass security controls, exfiltrate data, or execute unintended actions within your cloud infrastructure.

TRIAGE: Medium — No active CVEs or exploits in the wild yet, but this represents an emerging threat class. Prioritize if your organization uses Amazon Bedrock with multi-agent architectures.

IOC HUNT:
1. CloudTrail logs: Search for `bedrock:InvokeAgent` and `bedrock:InvokeModel` calls with unusual input patterns or repeated failures
2. Application logs: Hunt for suspicious prompt patterns (e.g., "ignore previous instructions," "execute as admin," encoded payloads) in Bedrock API requests
3. Query example (Splunk): `source=cloudtrail eventName=InvokeAgent | stats count by userIdentity.principalId, sourceIPAddress | where count > threshold`

MITRE:
- T1589 (Gather Victim Org Information) — reconnaissance via prompt injection
- T1190 (Exploit Public-Facing Application) — exploiting Bedrock API endpoints
- T1021.004 (Remote Services: SSH) — potential lateral movement if agents have credential access

ACTION: Audit all Bedrock agent configurations for input validation and output filtering. Implement prompt injection detection rules and restrict agent permissions to least-privilege IAM roles immediately. Review Unit 42's full post for specific hardening guidance.
unit42.paloaltonetworks.com
SOC BRIEFING: Axios Supply Chain Attack

SUMMARY: A supply chain attack targeted Axios, compromising the software distribution mechanism to deliver malicious payloads to downstream users. This represents a high-risk vector affecting any organization that consumed affected Axios packages or dependencies.

TRIAGE: HIGH — Immediate investigation priority. Supply chain compromises have broad blast radius and often evade initial detection. Determine if your environment consumed affected versions during the attack window.

IOC HUNT:
1. Package Manager Logs — Query npm/pip/nuget repositories for Axios package downloads with suspicious timestamps; correlate against known attack window.
2. Process Execution — Hunt for unexpected child processes spawned by applications using Axios (dropper behavior); search for unsigned executables or scripts in temp directories.
3. Network Egress — Monitor DNS/HTTP logs for C2 beaconing from systems running affected Axios versions; flag connections to non-standard ports from application processes.

MITRE:
- T1195.001 — Supply Chain Compromise (Compromise Software Dependencies)
- T1566.002 — Phishing: Spearphishing Link (if initial compromise vector)
- T1547.001 — Boot or Logon Autostart Execution (persistence mechanism)
- T1070.009 — Indicator Removal: Clear Forensic Evidence (cleanup phase noted in attack chain)

ACTION: Immediately audit all Axios package versions in use across development and production environments. Cross-reference against Unit 42's published IOCs and affected version ranges. Isolate and rebuild any systems running compromised versions before re-deploying patched code.
unit42.paloaltonetworks.com
SOC BRIEFING: TeamPCP Supply Chain Attack Partnership

SUMMARY: TeamPCP threat group has announced a partnership with Vect ransomware operators and continues executing multi-stage supply chain attacks targeting security infrastructure vendors. This alliance significantly increases attack sophistication and ransomware deployment risk across downstream customers.

TRIAGE: HIGH — Immediate investigation priority. Supply chain compromises have broad blast radius; security tool vendors are high-value targets. Assess whether your organization uses affected vendor products.

IOC HUNT:
1. Endpoint/EDR: Hunt for suspicious child processes spawned by security software (e.g., antivirus, EDR agents); focus on unsigned binaries or LOLBin execution chains.
2. Network: Query DNS/proxy logs for C2 domains associated with Vect ransomware; monitor for lateral movement from security tool processes to sensitive systems.
3. Log aggregation: Search for unusual privilege escalation or credential access events originating from security vendor software directories.

MITRE:
- T1195 (Supply Chain Compromise) — Tactic: Initial Access
- T1195.003 (Compromise Software Supply Chain) — Tactic: Initial Access
- T1059 (Command and Scripting Interpreter) — Tactic: Execution
- T1486 (Data Encrypted for Impact) — Tactic: Impact

ACTION: Immediately inventory all security infrastructure vendors in use (EDR, SIEM, antivirus, etc.). Cross-reference against Palo Alto Unit 42 report for affected products. If vulnerable vendor identified, escalate to vendor security team for patch status and implement compensating controls (network segmentation, enhanced monitoring of vendor tool processes).
unit42.paloaltonetworks.com
SOC BRIEFING: GCP Vertex AI "Double Agent" Vulnerability

SUMMARY: Unit 42 identified a privilege escalation flaw in Google Cloud Vertex AI where overprivileged AI agents can be manipulated to compromise cloud environments. This affects organizations using Vertex AI agents with excessive IAM permissions, creating a lateral movement and data exfiltration risk.

TRIAGE: HIGH — No active CVE/EPSS scoring yet, but the attack chain is practical and exploitable. Prioritize if your organization runs Vertex AI agents in production.

IOC HUNT:
1. GCP Cloud Audit Logs: Filter for `protoPayload.methodName` containing "aiplatform.googleapis.com" AND `protoPayload.status.code != 0` (failed Vertex AI API calls may indicate exploitation attempts)
2. IAM Activity: Query for service accounts with `roles/aiplatform.agent` or `roles/aiplatform.admin` paired with broad resource permissions (e.g., `roles/editor`, `roles/owner`)
3. Data Access Logs: Search for unusual `storage.googleapis.com` or `bigquery.googleapis.com` calls originating from Vertex AI service account identities

MITRE:
- T1078.004 (Privilege Escalation — Valid Accounts)
- T1548 (Abuse Elevation Control Mechanism)
- T1526 (Cloud Service Discovery)

ACTION: Audit all Vertex AI agent service accounts immediately. Apply least-privilege IAM roles — remove `Editor`/`Owner` roles and replace with granular, resource-specific permissions. Document findings in your next incident report.
unit42.paloaltonetworks.com
SOC BRIEFING: Iranian Cyber Activity Escalation (March 2026)

SUMMARY: Unit 42 reports escalated Iranian cyberattack activity including phishing campaigns, hacktivist operations, and cybercrime initiatives. This represents a notable uptick in threat volume and warrants immediate defensive posture review across email and network perimeters.

TRIAGE: HIGH — No active exploits or zero-days identified (CVSS 0.0), but phishing campaigns pose immediate compromise risk. Prioritize email gateway and endpoint logs for the next 24 hours.

IOC HUNT:
1. Email Gateway Logs: Search for phishing indicators — filter on suspicious sender domains, malicious URLs, and attachment types flagged by Unit 42 (check their full report for IOCs).
2. Splunk Query: `index=email sourcetype=mail_log subject IN ("*urgent*", "*verify*", "*confirm*") recipient=* | stats count by src_ip, sender`
3. Endpoint Logs: Hunt for credential harvesting artifacts — monitor for suspicious PowerShell execution, browser credential dumping, and lateral movement post-phishing.

MITRE:
- T1566.002 — Phishing: Spearphishing Link
- T1598 — Phishing for Information
- T1589 — Gather Victim Identity Information

ACTION: Issue immediate alert to all users flagging known phishing indicators from Unit 42's report. Reset credentials for any users who clicked suspicious links in the past 7 days. Escalate to IR if compromise is confirmed.
unit42.paloaltonetworks.com
SOC BRIEFING: Southeast Asian Government Cyberespionage Campaign

SUMMARY: Unit 42 identified multiple coordinated cyberespionage clusters targeting a Southeast Asian government organization using USBFect malware, RATs, and loaders. This represents a converging threat landscape where multiple threat actors are simultaneously targeting the same government entity, indicating high-value intelligence collection objectives.

TRIAGE: HIGH — No active CVE exploitation or widespread impact detected, but persistent espionage activity against government infrastructure warrants immediate investigation. Prioritize if your organization operates in Southeast Asia or maintains government sector relationships.

IOC HUNT:
1. File Hash/Malware Search: Hunt for USBFect variants, RAT callbacks, and loader artifacts in endpoint telemetry (Sysmon, EDR logs). Search for suspicious USB-based execution patterns.
2. Network IOCs: Query proxy/firewall logs for C2 communications associated with identified RAT families; cross-reference with Unit 42's published indicators.
3. Process Execution: Search for suspicious child processes spawned from USB-mounted drives or temporary directories; look for loader execution chains.

MITRE:
- T1566 (Phishing) — Initial compromise vector
- T1204 (User Execution) — USB-based malware execution
- T1071 (Application Layer Protocol) — C2 communications
- T1005 (Data from Local System) — Espionage objective
- Tactic: Execution, Command & Control, Exfiltration

ACTION: If indicators match your environment: isolate affected systems immediately, preserve memory/disk images, and escalate to incident response and government sector CISO. Request full IOC list from Unit 42 report and cross-check against your threat intelligence platform.
unit42.paloaltonetworks.com
SOC BRIEFING: Palo Alto Networks Impersonation Recruitment Phishing

SUMMARY: Unit 42 identified an active phishing campaign impersonating Palo Alto Networks recruiters to target senior professionals, using fraudulent resume fee schemes as the lure. This threat matters because it targets high-value employees who may have access to sensitive systems and credentials.

TRIAGE: Severity: Medium | Priority: High. No exploit or vulnerability involved, but social engineering targeting privileged users warrants immediate investigation to identify compromised credentials or lateral movement attempts.

IOC HUNT:
1. Email Gateway Logs: Search for sender addresses impersonating `@paloaltonetworks.com` or lookalike domains; filter for recruitment/HR keywords ("resume," "talent acquisition," "hiring")
2. Web Proxy/DNS: Hunt for domains associated with fraudulent fee collection or credential harvesting linked to the campaign (reference Unit 42 post for IOCs)
3. Endpoint/EDR: Search for users who clicked recruitment phishing links; correlate with credential access or lateral movement events within 24–48 hours

MITRE:
- T1566.002 – Phishing: Spearphishing Link
- T1598.003 – Phishing for Information: Spearphishing Link
- T1589.002 – Gather Victim Identity Information: Email Addresses

ACTION: Issue immediate alert to senior staff via internal security channel with indicators of compromise; block identified sender domains/URLs at email gateway; review mailbox logs for targeted users and escalate any credential submission events to IR team.
unit42.paloaltonetworks.com
SOC BRIEFING: Google Cloud Authenticator Analysis

SUMMARY: Unit 42 published technical analysis of Google's synced passkey architecture used in passwordless authentication systems, detailing key management mechanisms and secure communication protocols. This is educational threat research—not an active threat—but understanding these mechanisms is critical for detecting authentication bypass attempts and passkey compromise in your environment.

TRIAGE: Medium — No active CVE, exploit, or IOC. Prioritize for defensive knowledge building rather than incident response. Review if your organization uses Google Cloud Authenticator or synced passkeys.

IOC HUNT:
1. Authentication logs: Search for unusual passkey enrollment, sync events, or cross-device authentication from unexpected geolocations.
   - Splunk: `source=auth passkey OR authenticator sync | stats count by user, src_ip, device_type`
2. Cloud logs (GCP): Hunt for abnormal `identitytoolkit.googleapis.com` API calls or `CreateAuthenticator` events.
   - KQL: `CloudEvents | where OperationName contains "Authenticator" or OperationName contains "Passkey"`
3. Endpoint logs: Monitor for unauthorized credential manager access or passkey export attempts.

MITRE:
- T1556 (Modify Authentication Process) — Passkey architecture manipulation
- T1187 (Forced Authentication) — Potential passkey interception vectors
- T1556.006 (Multi-Factor Authentication) — Passwordless MFA mechanisms

ACTION: Audit passkey enrollment policies in your Google Cloud environment: verify only authorized devices can sync credentials, enforce geographic restrictions on new authenticator registration, and enable logging on all passkey operations. Document baseline behavior for future anomaly detection.
unit42.paloaltonetworks.com
SOC BRIEFING: Retail Fraud via Agentic AI

SUMMARY: Palo Alto Unit 42 has published research on retail fraud exploitation using agentic AI systems, focusing on prompt injection attacks that manipulate AI agents into bypassing security controls or authorizing fraudulent transactions. This represents an emerging attack vector targeting e-commerce and retail infrastructure where AI agents handle purchasing decisions or payment authorization.

TRIAGE: Medium — No active CVE or widespread exploitation confirmed. Prioritize investigation only if your organization uses autonomous AI agents in payment processing, inventory management, or customer-facing transaction systems.

IOC HUNT:
1. Web Application Logs: Search for unusual prompt patterns in API requests to AI/chatbot endpoints (keywords: "ignore previous," "system override," "bypass," "authorize without verification")
2. Payment Gateway Logs: Query for transactions with mismatched user behavior patterns—high-value orders from dormant accounts, rapid successive purchases, or orders shipping to new addresses
3. AI Agent Audit Logs: Review decision logs for transactions approved outside normal parameters or with suspicious reasoning chains

MITRE:
- T1589 (Gather Victim Identity Information) — Reconnaissance for account takeover
- T1566 (Phishing) — Prompt injection as social engineering variant
- T1021 (Remote Services) — Unauthorized transaction authorization via compromised AI logic

ACTION: If using agentic AI in transaction workflows: Implement mandatory human review gates for transactions exceeding defined thresholds and add input sanitization/validation to block common prompt injection patterns before AI processing.
unit42.paloaltonetworks.com
SOC BRIEFING: AI Integration in Malware

SUMMARY: Unit 42 published research documenting how threat actors are integrating AI capabilities into malware, ranging from basic implementations to sophisticated autonomous decision-making systems. This matters because AI-enhanced malware can adapt evasion tactics, optimize payload delivery, and reduce analyst detection windows—requiring updated detection strategies.

TRIAGE: Medium — Informational/Strategic. No active CVEs, exploits, or IOCs identified. Priority is defensive posture adjustment, not incident response.

IOC HUNT:
1. Endpoint logs: Search for unusual Python/ML library imports (TensorFlow, PyTorch, scikit-learn) in process execution or file creation events
2. Network logs: Hunt for connections to known ML model repositories (Hugging Face, GitHub raw content) from non-development systems
3. Query example: `(process.name:python OR process.command_line:*pip*) AND (tensorflow OR pytorch OR scikit OR keras)`

MITRE:
- T1036 (Obfuscation or Masquerading) — AI used for evasion
- T1105 (Ingress Tool Transfer) — Downloading ML models
- T1059 (Command and Scripting Interpreter) — AI-driven payload execution logic

ACTION: Update detection rules to flag suspicious ML framework downloads and execution on non-development endpoints. Coordinate with threat intel team to monitor Unit 42's full report for emerging AI-malware IOCs and integrate findings into next threat model review.