DISCARDED: Tales From the Threat Research Trenches

Hello to all our cyber squirrels! Joining our series host, Selena Larson, is our co-host today, Tim Kromphardt. Together they welcome our special guest–Dr. Bob Hausmann, Proofpoint's Manager of Learning Architecture and Assessments and a seasoned psychologist.Our conversation explores how cyber threat actors exploit the different systems of thought in our brains and how attackers leverage our rapid, emotionally-driven responses (system one thinking) to bypass our more deliberate, rational processes (system two thinking).Dr. Bob introduces us to the concept of cognitive biases, particularly normalcy bias, and how these mental shortcuts can shape our cyber defense strategies. He explains how organizations often fall into the trap of thinking "it won't happen to us," leading to underinvestment in critical security measures. Drawing parallels to historical events like the sinking of the Titanic and the COVID-19 pandemic, he underscores the importance of overcoming these biases to enhance preparedness.We also talk about: Real-world implications and examples of social engineering attacks.The impact of urgency and stress on decision-making in cybersecurity.The alarming rise and mechanics of pig butchering scams.The role of AI in scams and cybersecurityEmpathetic approaches to helping scam victimsResources mentioned:Book: "Thinking, Fast and Slow" by Daniel KahnemanBook: "The Art of Deception" by Kevin MitnickPrevious Discarded Episode on Pig Butchering Have I Been PwnedPhishMeCybersecurity and Infrastructure Security Agency (CISA)SANS Institutehttps://www.proofpoint.com/us/blog/threat-insight/broken-dreams-and-piggy-banks-pig-butchering-crypto-fraud-growing-onlinehttps://therecord.media/southeast-asian-scam-syndicates-stealing-billions-annuallyhttps://www.cfr.org/in-brief/how-myanmar-became-global-center-cyber-scamshttps://www.proofpoint.com/us/blog/threat-insight/dont-answer-russia-aligned-ta499-beleaguers-targets-video-call-requestsFor more information about Proofpoint, check out our website.Subscribe & Follow:Don't miss out on future episodes—subscribe to the Discarded Podcast on your favorite platform.

Hello to all our cyber pals! Joining our series host, Selena Larson, is our co-host today, Tim Kromphardt. Together they welcome our special guest–Daniel Blackford, the Director of Threat Research at Proofpoint. The conversation dives into the intricate world of cyber threats and the impact of law enforcement disruptions on malware, botnets, and ransomware actors.We'll explore how threat actors react when their preferred infrastructures or ransomware-as-a-service systems get taken down, offering insights into their various responses—from rebuilding and rebranding to the emergence of new power players in the cybercriminal ecosystem.We also talk about: Analysis of the Hive ransomware takedown and the massive Qbot operation, including the technical and human aspects of these disruptionsHow other groups rise to prominence despite disruptionsDifferences between malware disruptions and business email compromise (BEC) or fraud-focused disruptionsThe evolution of threat actor techniques, such as, legitimate remote management tools and living off the land techniquesFor more information about Proofpoint, check out our website.Subscribe & Follow:Don't miss out on future episodes—subscribe to the Discarded Podcast on your favorite platform.

The Discarded Podcast team is gearing up and working hard for a new season! Until then we have a special Re-Run treat--one of our favorite episodes! Enjoy!Engineering skills can play a massively beneficial role in cyber security, as Pim Trouerbach, a Senior Reverse Engineer at Proofpoint and Jacob Latonis, Senior Threat Research Engineer at Proofpoint, are able to share. They emphasize the importance of understanding the requirements and context of security researchers to build effective tools. The conversation touches on the potential impact of AI and LLMs (large language models) in threat research. While AI tools can be valuable for entry-level tasks, the context, experience, and expertise of human engineers are essential for handling complex code and understanding threat actors' behaviors.Join us as we also discuss:[02:59] The uniqueness of engineering skills in understanding researchers' requirements for data cleaning, tool development, and working in a security environment.[11:06] How the versioning in malware samples can provide insights into the threat actors' behavior and trajectory.[13:24] How malware is simply software with malicious intent, and how practices of developers and threat actors can overlap.[17:10] The tools and techniques used by threat actors, including obfuscation and encryption methods.[21:42] The importance of context and experience in writing tools and understanding researchers' workflows.For more information, check out our website.

Today’s focus is on the elusive threat actor known as TA4903. But that's not all - we've got a special treat for you as well. Our longtime producer, Mindy, is joining us as a co-host, bringing her expertise and insights to the table, as we turn the mic around and interview, Selena! We explore recent research conducted by Selena and her team on TA4903’s distinct objectives. Unlike many cybercrime actors, TA4903 demonstrates a unique combination of tactics, targeting both high-volume credential phishing campaigns and lower-volume direct business email compromises.We also dive into:TA4903 spoofs government entities like the Department of Transportation and the Department of Labor to lure victimsUse of advanced techniques including evil proxy for multi-factor authentication token theft and QR codes for phishing campaignsRising trends in cryptocurrency-related scams and other financial fraudsResources mentioned:MFA Bypass (Blog) by Timothy KromphardtIC3 2023 FBI Report New TA4903 research: https://www.proofpoint.com/us/blog/threat-insight/ta4903-actor-spoofs-us-government-small-businesses-phishing-bec-bidsFor more information, check out our website.

It has been a busy first quarter for the Proofpoint Threat Research team! Today we have returning guest, Pim Trouerbach, to share his personal stories about his favorite malware and discuss the current landscape, including insights on Pikabot, Latrodectus, and WikiLoader. The conversation explores the evolution from old school banking trojans to the current favored payloads from major cybercrime actors, and the changes in malware development through the years. Pim shares the different meticulous analysis and research efforts, and we learn about mechanisms to combat the malware.  We also dive into:a valuable lesson about the consequences of malware running rampant in a sandbox environmentthe shifts in attack chains and tactics employed by threat actorsthe need for adaptive detection methods to combat evolving cyber threatsResources mentioned:Countdown to Zero Day by Kim ZetterShareable Links:https://www.proofpoint.com/us/blog/threat-insight/out-sandbox-wikiloader-digs-sophisticated-evasion https://www.proofpoint.com/us/blog/threat-insight/ta577s-unusual-attack-chain-leads-ntlm-data-thefthttps://www.proofpoint.com/us/blog/threat-insight/battleroyal-darkgate-cluster-spreads-email-and-fake-browser-updateshttps://www.proofpoint.com/us/blog/threat-insight/bumblebee-buzzes-back-blackhttps://www.proofpoint.com/us/blog/threat-insight/security-brief-tis-season-tax-hax Pim’s Favorite Malware: * Emotet: https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-280a * IcedID: https://www.proofpoint.com/us/blog/threat-insight/fork-ice-new-era-icedid  * Dridex: https://www.cisa.gov/news-events/cybersecurity-advisories/aa19-339a * Hancitor: https://malpedia.caad.fkie.fraunhofer.de/details/win.hancitor * Qbot: https://malpedia.caad.fkie.fraunhofer.de/details/win.qakbot * Hikit (APT): https://attack.mitre.org/software/S0009/ * Stuxnet (APT): https://www.penguinrandomhouse.com/books/219931/countdown-to-zero-day-by-kim-zetter/ * Cutwail: https://malpedia.caad.fkie.fraunhofer.de/details/win.cutwailFor more information, check out our website.

Network-based detections, such as those developed by threat detection engineers using tools like suricata and snort signatures, play a crucial role in identifying and mitigating cyber threats by scrutinizing and analyzing network traffic for malicious patterns and activities.Today’s guest is Isaac Shaughnessy, a Threat Detection Engineer at Proofpoint. Isaac shares his insights into the challenges of detecting and mitigating malware, especially those using social platforms for command and control. He emphasizes the team's engagement with the InfoSec community, highlighting the value of platforms like Twitter and Mastodon for sharing and receiving information.We also dive into:the unique challenges of crafting effective signaturesthe specifics of malware, focusing on Vidar stealer and highlighting the dynamic nature of Vidar's command and control infrastructurethe distribution methods of these malware strains, from email campaigns to unconventional tactics like using video game platforms and social media for luring victimsResources mentioned:Intro to Traffic Analysis w/ Issac ShaughnessyEmerging Threats Mastodon: https://infosec.exchange/@emergingthreatsThreat Insight Mastodon: https://infosec.exchange/@threatinsightVidar Stealer Picks Up Steam!For more information, check out our website.

The esteemed Katie Nickels joins us on the show today! Katie is the Director of Intelligence Operations at Red Canary, and our conversation with her explores a wide array of topics, ranging from career growth in threat intelligence to the intricacies of attribution and threat actor naming.Katie delves into her diverse career journey and transitions to advice for those entering the field, emphasizing persistence, creativity, and considering entry-level roles like SOC analyst positions. There is also talk of avoiding burnout while pursuing one’s passion, especially in cybersecurity.We also dive into:Communication and attribution challenges including the confusion of different naming conventionsMarketing and the personification of threat actorsStrategic approaches in handling incidents and avoiding panicFor more information, check out our website.

*This episode contains content warnings of suicide and self-harm* “It’s not about preventing something from happening, it’s being prepared for when it does.” This episode is filled with stories from the different scenarios that have been plaguing people with cyber security attacks. Today’s guest is Kevin Collier, a cybersecurity reporter at NBC. He joins us to discuss his experiences covering cybersecurity stories for a mainstream audience. As the first and only dedicated cybersecurity reporter at NBC, Collier reflects on the evolving nature of media coverage in the cybersecurity space, emphasizing the increasing need for dedicated coverage in major news publications. He highlights the rise of scams facilitated through text messages, emails, and zero-day exploits, emphasizing the geopolitical circumstances that enable these threats, and also helping audiences understand the reality behind the cyber threats they face.They also dive into:The poignant reporting process on a story of pig butchering scamsThe normalization of cyber threats, such as ransomware, and the role of the media in shaping public perceptionThe process of convincing stakeholders to prioritize certain topicsThe emotional toll of reporting on sensitive cybersecurity topics and the importance of self-care in navigating this challenging intersection.Resources mentioned: trigger warning for content of suicide and self-harm“Online romance scams are netting millions of dollars — and pushing some to self-harm” by Kevin CollierDiscarded Episode with Tim UtzigColonial Pipeline Blog by CISA.govFor more information, check out our website.

Is 2024 the year of adaptability and collaboration within the security community? Let’s hope so!Today’s episode is Part Two of what to expect in cybersecurity in 2024, and our guests are Randy Pargman and Rich Gonzalez. Randy sheds light on the crucial role of the Detections Team and emphasizes the constant innovation of malware authors, and the team’s mission to outsmart them. Rich discusses the Emerging Threats team and dives into open source and paid resources as force multipliers for security teams.While some reflections were shared about 2023, namely multiple high-profile vulnerability events and the challenges posed by QR codes, the conversation focused on the upcoming year. They anticipate increased creativity from threat actors, and emphasize the constant battle between red and blue teams. The conversation underscores the need for constant adaptation, response to emerging threats, and collaboration within the security community.Other topics discussed include:Incidents like WinRAR, Citrix NetScaler ADC, and ScreenConnect vulnerabilitiesThe positive impact of public-private partnerships and international cooperation in enhancing cybersecurity defensesHopeful vision for the industry, advocating for understanding, education, & increased diversityFor more information, check out our website.

To move forward, it’s good to take a minute and reflect on what’s happened. Today’s episode focuses on insights from Daniel Blackford and Alexis Dorais-Joncas, both Senior Managers of Threat Research at Proofpoint. This is the first in our two-part series looking at what’s on the horizon for 2024.Reflecting on 2023, they discuss the use of QR codes, major technique shifts from the biggest ecrime and APT actors, and the ongoing problem of ransomware.Looking ahead to 2024, the emphasis goes to the gradual shift of attacks outside corporate-managed infrastructure, leveraging personal email accounts to bypass extensive security measures. On the cybercrime side, there’s a prediction of the continued development of as-a-service models, particularly focusing on traffic distribution services, leading to more modular and challenging-to-attribute attack chains.They also dive into:Threat actor activity during the elections and OlympicsSpecific threat actor groups that caught their attention in 2023, TA473 and TA577Living off the Land conceptsFor more information, check out our website.

In this special Holiday edition of Discarded, the tables are turned with hosts, Selena and Crista, becoming the answer-ers, our returning Moderator, Mindy Semling, as the question asker, and our wonderful audience is transformed into Cyber Elves. This conversation is lively and filled with questions from a variety of engaged audience members. (Thank you to everyone who contributed). Questions range from career advice for aspiring Cyber Threat Analysts, to certain threats exploding in popularity, to a reflection of 2023. The Discarded Podcast team would like to take a moment and thank the following people for their contributions to the Cyber Security Landscape this year:Pim TrouerbachKelsey MerrimanTommy MadjarBryan CampbellGreg LesnewichKyle EatonJoe WiseEmerging Threats teamThe overall Proofpoint Team, including, but not limited to our PR and marketing teamsResources mentioned:Youtube: Katie Nickels Sans Threat Analysis Rundownhttps://www.sans.org/cyber-security-courses/cyber-threat-intelligence/https://www.networkdefense.co/courses/investigationtheory/https://www.nbcnews.com/tech/tech-news/how-online-romance-scams-netting-millions-self-harm-rcna85252https://medium.com/mitre-attack/attack-v14-fa473603f86bhttps://medium.com/katies-five-cents/a-cyber-threat-intelligence-self-study-plan-part-1-968b5a8daf9ahttps://medium.com/katies-five-cents/a-cyber-threat-intelligence-self-study-plan-part-2-d04b7a529d36https://www.atlanticcouncil.org/in-depth-research-reports/report/sleight-of-hand-how-china-weaponizes-software-vulnerability/https://www.wired.com/story/gadget-lab-podcast-621/https://www.wired.com/story/mirai-untold-story-three-young-hackers-web-killing-monster/For more information, check out our website.

Tis the season for understanding TA422’s latest activity AND for singing podcast guests!Today’s returning guest is Greg Lesnewich, Senior Threat Researcher at Proofpoint. He sheds light on the tactics, techniques, and procedures (TTPs) employed by TA422. The conversation touches on the significance of the high volumes observed starting in late summer, the exploitation of vulnerabilities for NTLM credential harvesting, and the brief usage of the WinRAR vulnerability.They touch upon the potential reasons behind the group's choices, considering factors such as resourcing, tactical decisions, and a shift towards speed and efficiency. There is also consideration about connecting TA422's activities to broader trends in threat actor behavior, such as a shift towards living off the land techniques and a focus on social engineering for initial access.The conversation continues on the following topics:[11:17] TA422 Recent Activity[13:30] Campaign’s using CVE 2023 23397[18:35] Winrar activity[22:50] October & November activity[26:50] Guest Singing Spotlight[29:30] Noticeable differences in campaignsResources mentioned:TA422 Proofpoint Blog: https://www.proofpoint.com/us/blog/threat-insight/ta422s-dedicated-exploitation-loop-same-week-after-weekGoogle TAG Report on WinRAR Exploits: https://blog.google/threat-analysis-group/government-backed-actors-exploiting-winrar-vulnerability/amp/Selena’s Cyber Tunes Playlist: https://open.spotify.com/playlist/7GqH7SefgiI1UtYNjQ5svg?si=vO2Ao-lTTSuCCVfgfgcUfw&pt=97da5ebbd320a4f79014b1f205fc8438&pi=u--xbfwSuHSE-TWired story on Sandworm: https://www.wired.com/story/sandworm-ukraine-third-blackout-cyberattack/For more information, check out our website.

Take a deep dive with us into the incomparable MITRE ATT&CK Framework, a comprehensive knowledge base that catalogs real-world threat actor behaviors derived from threat intelligence. Today’s guests are our great friends at MITRE ATT&CK, Adam Pennington (Attack Lead), and Patrick Howell O’Neill, (Lead Cyber Operations Analyst). They explore how the Framework serves as a common language for communicating adversary threat behaviors and discuss its evolution from an internal project to a community-driven resource.The latest version of the MITRE ATT&CK Framework version 14 was released on Halloween, emphasizing new features like the addition of new defensive information and techniques they previously said no to including. They discuss the decision-making process behind incorporating new techniques, such as Financial Theft, Impersonation, Phishing: Spearphishing Voice, and Phishing for Information: Spearphishing Voice.The conversation continues on the following topics:[5:00] MITRE ATT&CK Framework[9:25] Improving cybersecurity detection[13:00] New ATT&CK techniques[16:00] Decisions about which techniques to add[23:00] Mobile ATT&CK[30:00] Decisions about which trends to include[37:00] Feedback about the FrameworkResources mentioned:What is the MITRE ATT&CK Framework?https://attack.mitre.org/ https://medium.com/mitre-attack/attack-v14-fa473603f86bFor more information, check out our website.

While the current Israeli/Palestinian conflict is on everyone’s minds, how many are thinking about the repercussions of cyber security? Today’s guest is returning guest, Joshua Miller, Senior Threat Researcher on the APT team at Proofpoint. While he focuses on different Middle East, North African state-aligned threats, he is talking today about a Palestinian-aligned threat group coined TA402.While there is no direct link to Hamas, their activities support the Palestinian Territories. Joshua paints a vivid picture of TA402's usual targets, strategies, and tactics, highlighting their geofencing techniques and their crafty use of compromised government agency accounts. The recent evolution of their attack chain, involving Dropbox and DLL side loading, is dissected in intricate detail, offering a glimpse into the evolving landscape of cyber threats.This discussion not only provides insights into TA402's modus operandi but also emphasizes its distinctiveness from its previous malware campaigns. TIMESTAMPS[1:35] Length of time tracking TA402[3:00] Differences between known government threat actors vs TA402[7:00] Other groups involved in the Israeli/Palestinian War[10:40] Normal victimology from this type of threat actor[12:30] Comparison of tactics that TA402 is deploying[19:20] Difficulties in tracking TA402Resources mentioned:Ugg Boots 4 Sale: A Tale of Palestinian-Aligned EspionageNew TA402 Molerats Malware Targets Governments in the Middle Easthttps://malpedia.caad.fkie.fraunhofer.de/actor/aridviper https://www.proofpoint.com/us/blog/threat-insight/exploiting-covid-19-how-threat-actors-hijacked-pandemic For more information, check out our website.

How can you tell when a website (yes, a website) is compromised? These threats are pretty crafty because they aren't out to target specific individuals; they just wait for folks like you and me to innocently click on compromised websites during our regular browsing. But these threats don't stop at casual browsing. They sneak into emails, social media, search engines, and even web alerts. They're like chameleons, adapting to different situations.Our guest today is Dusty Miller, a Threat Detection Analyst at Proofpoint. He identifies four key groups: SocGholish, RogueRaticate/FakeSG, ZPHP/SmartApeSG, and ClearFake. Each has its own style and tricks, but they all love using that tempting fake browser update ruse.These threats work because they exploit our trust in websites we've visited before. Users tend to trust websites they've visited before, making them more susceptible to clicking on fake browser update prompts.Responding to these threats isn't a walk in the park for defenders. To tackle them effectively, you need to pinpoint which specific threat you're dealing with and respond accordingly. It's like playing a game with multiple rulebooks; you've got to know which one you're up against.TIMESTAMPS[1:45] Fake Browser Opportunities[5:00] Threat Actors Using Malware[9:00] Browser Malware Clusters & Tactics[18:00] Combating Fake Updates[19:00] Naming New Malware[28:00] Why These ThreatsResources mentioned:Dr. Bob Hausmann Episode“Are You Sure Your Browser is Up to Date?...” by Dusty MillerFor more information, check out our website.

Oh the days when spam was the only concern for email security!Our guest today is Chris Wakelin, a Senior Threat Researcher at Proofpoint. He recounts the era when email attachments were plain text, and the concept of malicious URLs had yet to become prevalent. Chris was a pioneer in implementing email security measures and recalled introducing Spam Assassin, an early open-source program for spam detection, at his university.Chris emphasized his belief in not shipping emails into a black hole (where emails are never seen by humans and they do not return error but instead directing them to spam folders or rejecting them at the gateway.) He stressed the importance of precision in cybersecurity, a lesson learned from his mathematical background.TIMESTAMPS[5:00] First Spam Filtering Implementation[6:00] Spam Assassin[12:15] Differences between static/dynamic detections and various signatures[14:00] Running the Sandbox[19:00] Naming New Malware[23:50] Best PracticesResources mentioned:LCG Kit BlogTA 558 BlogET Open Rule SetFor more information, check out our website.

Billions of dollars in losses is bad enough. But when a friend loses $1,000 on a platform he trusted, online fraud gets personal.In this podcast episode, we dive deep into the world of online fraud with the personal account of Tim Utzig, a Senior Associate Analyst at Anser and friend of his Selena Larson. Utzig, who is blind, lost $1,000 in an online scam. His story highlights the difficulties and risksof being a person with a disability in an online world that enables cyber crime and often neglects accessibility.Timothy Kromphardt, an email fraud researcher at Proofpoint, used his expertise tracking scams and engaging directly with threat actors to help Utzif recover. He explains the complexities of cyber crime investigations and the roadblocks to bringing scammers to justice.TIMESTAMPS[1:00] Twitter scam story[6:00] Viewing images with a screen reader[8:45] Scam Busting[12:30] Cautions to scam busting[17:40] Unraveling the Twitter scam follow up[20:20] Involvement of the police force & government[26:35] Protection techniques for people with disabilities[27:20] Key characteristics of fraudResources mentioned:https://www.wired.com/story/twitter-laptop-scam-hunters/For more information, check out our website.

Live from New York City, it’s your Discarded podcast team at Protect 2023! Joining Selena Larson, is our special guest, John Hultquist, Chief Analyst at Mandiant, now part of Google Cloud.They discuss various cybersecurity threats and activities of nation-states like Russia, China, and North Korea. China stands out as it hasn't executed significant destructive cyberattacks like its peers. Most of China's cyber activity involves intellectual property theft, targeting dissidents, and espionage. However, there's growing concern about their interest in critical infrastructure, particularly in times of geopolitical tension. Russia, on the other hand, has a history of destructive and disruptive attacks, such as those seen in the Middle East and South Korea.They also discuss the role of threat intelligence and information sharing in combating cyber threats, emphasizing the importance of responsible government involvement in providing leads to the cybersecurity community.Of course, the influence of AI in cyber threat creation is also covered, particularly in generating fake media and content.[4:00] China sets themselves apart[8:00] Concerns about cyber enabled kinetic impacts[14:00] Thoughts about Russia and Ukraine[20:00] Techniques that analysts would find helpful[24:00] Target anticipations for 2024Resources mentioned:https://www.mandiant.com/resources/blog/threat-actors-generative-ai-limitedhttps://www.cyberwarcon.com/https://www.goodreads.com/en/book/show/41436213https://www.reuters.com/article/us-france-election-macron-cyber-idUSKBN17Q200https://www.helpnetsecurity.com/2015/07/08/sophisticated-successful-morpho-apt-group-is-after-corporate-data/https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/https://www.mandiant.com/resources/blog/attackers-deploy-new-ics-attack-framework-tritonhttps://podcast.silverado.org/episodes/how-russian-intelligence-operatives-have-attacked-ukraine-in-cyberspace-interview-with-ukrainian-security-service For more information, check out our website.

Regardless of location, it’s important to understand what is happening in the global threat landscape because we are a global economy. What affects one region may affect one closer to home. Part of the reason Brazil has become a recent hotbed is the amount of online population is expanding rapidly. Today’s guest, Jared Peck (Senior Threat Researcher at Proofpoint), dives deeper into his knowledge of this region and breaks down the unusual characteristics. [3:30] The threat landscape in Brazil [5:20] Brazilian banking malware being financially motivated[9:10] Credential theft in Brazil[13:30] Identifying threat actor clusters[17:00] Types of Brazilian campaigns[21:00] Diversity of malware leadersFor more information, check out our website.

Just like a forensic scientist, the job of a threat analyst is to search for the digital fingerprints. The key is to have a starting reference point, and then being able to see what is off from there.Our guest today is Bryan Campbell, a Staff Threat Analyst at Proofpoint. He breaks down what is happening on the China cybercrime threat landscape, as well as, the importance of staying aware of past trends. Join us as we also discuss:[7:09] The Renaissance of Chinese malware in email data[12:05] Chinese themed malware and malware families[13:55] The campaigns delivering this type of malware[20:00] How the China cybercrime landscape has changed[25:04] Expectations for the future [28:32] LLMs being used for these circumstancesFor more information, check out our website.