DISCARDED: Tales From the Threat Research Trenches

DISCARDED: Tales from the Threat Research Trenches is a podcast for security practitioners, intelligence analysts, and threat hunters looking to learn more about threat behaviors and attack patterns. In each episode you'll hear real-world insights from our researchers about the latest trends in malware, threat actors, TTPs, and more.

Welcome to DISCARDED

The Battle for a Safer Internet: Inside Domain Takedowns and Threat Actor Tactics

Hello to all our Cyber Magicians! Join host Selena Larson and guest host Tim Kromphardt as they speak with Hannah Rapetti, the Takedown Services Manager at Proofpoint. Hannah shares her fascinating journey from librarian to cybersecurity expert, detailing her path into the industry through certifications, CTFs (Capture the Flag), and the Women in Cybersecurity (WiCyS) community. The conversation dives into real-world examples, techniques, and strategies used to identify, track, and eliminate malicious domains.

Key Topics Covered:

* Collaborative Efforts: How teams work together to identify scam websites, gather evidence, and escalate for takedown.
* Tools and Techniques: Using tools like domain search, backend kit identification, and IP-based connections to uncover related sites.
* Challenges in Takedowns: Managing lists of hundreds of domains across multiple providers, verifying live activity, and the need for ongoing monitoring.
* Threat Actor Behavior: How threat actors use multiple registrars or re-register domains to evade detection.
* Best Practices for Organizations: Preemptively purchasing lookalike domains; monitoring new domain registrations for suspicious activity; educating users to identify and avoid malicious domains.
* Ethical Considerations: Balancing infrastructure disruption with the need for ongoing research, particularly for cyber espionage threats.
* Favorite Wins: Memorable investigations, such as takedowns during the Super Bowl, fake Olympics ticket scams, and real-time disruption of pig-butchering schemes.

The episode highlights the importance of domain takedowns not just for individual companies but for contributing to a safer internet ecosystem. It's a mix of practical advice, real-life stories, and insights into the ongoing battle against cybercrime.

Resources mentioned:

* Genina Po Discarded Episode
* https://www.proofpoint.com/us/blog/threat-insight/pig-butchers-join-gig-economy-cryptocurrency-scammers-target-job-seekers
* https://www.wicys.org/
* https://podcasts.apple.com/us/podcast/discarded-tales-from-the-threat-research-trenches/id1612506550?i=1000677061400
* https://www.proofpoint.com/us/blog/threat-insight/security-brief-scammers-create-fraudulent-olympics-ticketing-websites

For more information about Proofpoint, check out our website.

Subscribe & Follow: Don't miss out on future episodes—subscribe to the Discarded Podcast on your favorite platform.

01-07
38:06

Hackers, Heists, and Heroes: The Evolving Ransomware Game

Hello to all our Cyber Pals! Join host Selena Larson as guest Allan Liska, ransomware expert and CSIRT at Recorded Future, drops by to share his creative take on cyber-themed graphic novels, proving there's nothing ransomware can't inspire—even superheroes. In this episode, we uncover the shadowy ecosystem driving ransomware attacks, from the industrialization of cybercrime to the rise of "small-batch" threat actors redefining chaos. Explore how Operation Endgame dealt a devastating blow to malware powerhouses like Pikabot and SmokeLoader, shaking trust within underground networks and leaving cybercriminals scrambling to regroup.

We'll also decode the evolving tactics of ransomware gangs, from slick AI-powered voice disguises to the surprising shift toward consumer scams. Plus, we'll discuss whether law enforcement's crackdown will make ransomware too expensive for crooks, forcing them to rethink their game plans—or at least settle for less glamorous schemes like crypto theft.

Don't miss the Champagne pick that pairs perfectly with ransomware disruptions! 🥂

Resources mentioned:

* https://www.chainalysis.com/blog/2024-crypto-crime-mid-year-update-part-1/
* https://www.marketplace.org/shows/marketplace-tech/how-scammers-hijack-their-victims-brains/
* https://www.cisa.gov/resources-tools/resources/review-attacks-associated-lapsus-and-related-threat-groups-report
* https://www.proofpoint.com/us/blog/threat-insight/major-botnets-disrupted-global-law-enforcement-takedown
* https://www.justice.gov/opa/pr/us-charges-russian-national-developing-and-operating-lockbit-ransomware
* https://therecord.media/russian-national-in-custody-extradited
* https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a
* https://unit42.paloaltonetworks.com/north-korean-threat-group-play-ransomware/
* https://therecord.media/chamelgang-china-apt-ransomware-distraction
* https://urldefense.com/v3/__https://www.recordedfuture.com/research/outmaneuvering-rhysida-advanced-threat-intelligence-shields-critical-infrastructure-ransomware__;!!ORgEfCBsr282Fw!pYnNQZUQJLJTFlj5w7PcWRjyr6rh-logFnqo03_Mz19RUrK4rftQU1qbTj_iql3KNjn4Ub7a5LsDLpCJgdJQSA$

12-17
57:07

Stealth, Scale, and Strategy: Exploring China’s Covert Network Tactics

Hello to all our Cyber Frogs! Join host Selena Larson and guest host Sarah Sabotka as they explore the evolving tactics of China-based nation-state threat actors with guest Mark Kelly, Staff Threat Researcher at Proofpoint. They focus on TA415 (APT41 or Brass Typhoon), examining its combination of cybercrime and state-sponsored espionage. From the Voldemort malware campaign to targeting critical infrastructure, Mark sheds light on how these actors leverage tools like Google Sheets for command and control, exploit vulnerabilities, and adapt to evade detection.

The discussion also highlights:

* the strategic importance of edge devices, pre-positioning for geopolitical escalations, and the intersection of espionage, gaming, and cybercrime
* Operational Relay Boxes (ORBs), covert networks used by Chinese Advanced Persistent Threat (APT) groups to mask cyber activities
* exploitation of non-traditional systems and vulnerabilities
* the impact of compromised consumer devices on global cybersecurity

Resources mentioned:

* https://www.nytimes.com/2024/10/26/us/politics/salt-typhoon-hack-what-we-know.html
* https://cyberscoop.com/salt-typhoon-us-telecom-hack-earth-estries-trend-micro-report/
* https://www.proofpoint.com/us/blog/threat-insight/malware-must-not-be-named-suspected-espionage-campaign-delivers-voldemort
* https://www.bleepingcomputer.com/news/security/state-hackers-turn-to-massive-orb-proxy-networks-to-evade-detection/

12-03
49:29

Scams, Smishing, and Safety Nets: How Emerging Threats Catches Phish

Hello to all our Cyber Pals! Join host Selena Larson and guest Genina Po, Threat Researcher at Emerging Threats at Proofpoint. She shares how she tackles emerging cyber threats, breaking down the process of turning data into detection signatures. Using tools like Suricata to create detections for malicious activity, she maps out her approach to writing rules that identify and block these threats. The goal? Equip companies to stay secure, and give listeners the skills to spot and prevent scams on their own.

Genina shares her journey tracking pig butchering scams through thousands of domains and URLs. She reveals patterns—certain headers and markers—that help identify these sites amid a flood of data, and she describes the challenges in detection, as scammers increasingly vary their setups to evade filters.

Also discussed:

* proactive measures against phishing and fraud sites, with Proofpoint using "takedown" services to remove malicious domains, disrupting scams before they impact users
* the importance of questioning biases, particularly in cyber threat intelligence, where assumptions can shape classifications and responses
* collaboration with Chainalysis to connect various scams through cryptocurrency wallets, showing cross-over between different fraud types

Resources mentioned:

* Book: Why Fish Don't Exist by Lulu Miller

11-15
51:08

Pig Butcher Scammers Put Job Seekers On The Menu

A note to our listeners: this episode contains some content our listeners might find upsetting, including mentions of human trafficking.

Hello to all our Pumpkin Spice Cyber Friends! Join host Selena Larson and guest host Sarah Sabotka as they chat with senior threat researcher and fraud expert Tim Kromphardt. They talk about the world of pig butchering and crypto romance scams, where Tim discusses how these scams manipulate victims' feelings, making it incredibly hard to escape, even when presented with evidence of the scam, and how these threat actors have expanded their enterprises to include job scamming. He explains the challenges of tracking funds through cryptocurrency systems, and why these scams are so profitable. The episode highlights the need for victims to speak out and share their stories without shame, breaking the cycle and raising awareness.

Also discussed:

* how psychological manipulation can be just as damaging as technical vulnerabilities
* resources for victims, and how people can identify hallmarks of these types of scams
* the role of automation and AI in scaling scams

Resources mentioned:

* globalantiscam.org

10-29
39:29

Under Siege: How Hackers Exploit Cloud Vulnerabilities

Hello to all our Cyber Ghosts! Join host Selena Larson as she chats with Eilon Bendet, Cloud Threat Researcher from Proofpoint. From account takeovers to state-sponsored hacks, they uncover how cybercriminals are outsmarting traditional defenses, and why even multi-factor authentication might not be enough to keep them out. Together, they discuss the complexities of cloud threat detection, including the role of User and Entity Behavior Analytics (UEBA) in identifying suspicious activities and preventing account takeovers (ATO). Eilon breaks down two primary ATO threat vectors—credential-based brute force attacks and precision-targeted phishing campaigns.

Also discussed:

* how these groups exploit cloud environments
* concerning trends such as the rise of reverse proxy-based toolkits and MFA bypass techniques
* the importance of identity-focused defense strategies, and how threat actors customize tools to infiltrate cloud systems, steal data, and monetize compromised accounts

Resources mentioned:

* MACT or malicious applications blog: https://www.proofpoint.com/us/blog/cloud-security/revisiting-mact-malicious-applications-credible-cloud-tenants

10-15
33:09

Champagne Attack Chains on a Kool-Aid Budget

Hello to all our Pumpkin Spice cyber friends! Join host Selena Larson and today's co-host, Tim Kromphardt, as they chat with Joe Wise, Senior Threat Researcher, and Kyle Cucci, Staff Threat Researcher, both from Proofpoint. Together, they unpack recent campaigns involving the abuse of legitimate services, particularly focusing on the clever tactics used by cybercriminals to evade detection.

Joe and Kyle discuss a fascinating trend where attackers are leveraging Cloudflare's temporary tunnels, bundling Python packages, and deploying a range of malware like Xworm and Venom Rat. They explore the increasing abuse of legitimate services like Google Drive, Adobe Acrobat, and Dropbox, which allow attackers to blend in with regular business traffic. The conversation also touches on a range of threat clusters, including Exormactor and Voldemort malware, and TA2541, who have consistently leveraged Google Drive URLs to spread malicious content.

Also discussed:

* the challenge of detecting and mitigating these types of threats, and the importance of staying ahead of evolving attack strategies
* the motivations behind these campaigns
* why traditional defense mechanisms may fall short

Resources mentioned:

* https://www.proofpoint.com/us/blog/threat-insight/malware-must-not-be-named-suspected-espionage-campaign-delivers-voldemort
* https://www.proofpoint.com/us/blog/threat-insight/scammer-abuses-microsoft-365-tenants-relaying-through-proofpoint-servers-deliver

09-30
33:39

Guarding the Vote: Unmasking Cyber Threats in Election Season

Hello to all our cyber citizens! Join host Selena Larson and today's co-host, Tim Kromphardt, as they chat with Joshua Miller, Senior Threat Researcher, and Rob Kinner, Senior Threat Analyst, both from Proofpoint. With election season on the horizon, cyber attackers are sharpening their tactics—impersonating government agencies, emailing journalists, and crafting sophisticated phishing schemes. But how real is the threat? And what can be done to protect our democracy from the digital shadows? Today, we pull back the curtain on the unseen battles being fought in cyberspace and what it means for voters, journalists, and defenders alike.

The discussion covers a range of election threats, from malicious domains, impersonation, and typo-squatting to sophisticated credential phishing campaigns that exploit government and election-related themes.

Also discussed:

* how state-sponsored actors from DPRK, Russia, and China are interested in espionage around election-related topics
* the impersonation of various government entities for phishing purposes, revealing the creativity and resourcefulness of threat actors
* while cyber threats are pervasive, the integrity of the voting process remains strong, backed by robust defenses and ongoing efforts by dedicated professionals

Resources mentioned:

* https://www.proofpoint.com/us/blog/threat-insight/best-laid-plans-ta453-targets-religious-figure-fake-podcast-invite-delivering
* https://www.justice.gov/opa/pr/justice-department-disrupts-covert-russian-government-sponsored-foreign-malign-influence
* https://www.proofpoint.com/us/blog/threat-insight/above-fold-and-your-inbox-tracing-state-aligned-activity-targeting-journalists
* https://www.proofpoint.com/us/blog/threat-insight/media-coverage-doesnt-deter-actor-threatening-democratic-voters

09-17
32:38

Very Mindful, Very APT: Inside the Activity of Current Espionage Actors

Hello to all our mindful and demure cyber sleuths! Join host Selena Larson and today's co-host, Sarah Sabotka, as they chat with Joshua Miller and Greg Lesnewich, Threat Researchers at Proofpoint, about the ever-evolving world of advanced persistent threats (APTs). The team unravels the latest espionage tactics of threat actors from Iran, North Korea, and Russia, exploring everything from Iran's sophisticated social engineering campaigns to North Korea's customized Mac malware. They also highlight the increasing interest in macOS malware in the cybercrime landscape and examine the threat posed by a group targeting AI researchers with unique malware like "SugarGh0st RAT."

Also discussed:

* the quirky and often amusing names given to malware campaigns in the cybersecurity world
* unexpected connections between cybersecurity and pop culture, featuring a discussion on how celebrities like Taylor Swift handle digital security
* what recent activity suggests about the actors' changing tactics

Resources mentioned:

* SleuthCon Talk: Presenter, Selena Larson
* Rivers of Phish from CitizenLab
* https://www.proofpoint.com/us/blog/threat-insight/best-laid-plans-ta453-targets-religious-figure-fake-podcast-invite-delivering
* https://www.proofpoint.com/us/blog/threat-insight/security-brief-ta450-uses-embedded-links-pdf-attachments-latest-campaign
* https://www.elastic.co/security-labs/elastic-catches-dprk-passing-out-kandykorn
* https://www.proofpoint.com/us/blog/threat-insight/ta444-apt-startup-aimed-at-your-funds
* https://www.theguardian.com/music/shortcuts/2019/jan/29/digital-security-taylor-swift-facetime-privacy-bug-breaches
* https://www.youtube.com/watch?v=LYHmTjFW-nY
* https://www.proofpoint.com/us/blog/threat-insight/ta422s-dedicated-exploitation-loop-same-week-after-week
* https://www.proofpoint.com/us/blog/threat-insight/security-brief-artificial-sweetener-sugargh0st-rat-used-target-american

09-04
49:36

Rebel Security Training: Cyber Lessons from A Galaxy Far, Far Away

Hello, cyber rebels! Ever wondered what lightsabers, the Force, and intergalactic battles have in common with the world of cybersecurity? Welcome to a special episode of the Discarded Podcast. Join host Selena and co-host Greg Lesnewich, Senior Threat Researcher at Proofpoint, along with our guest, Eric Geller, cybersecurity reporter and host of the Hoth Takes Star Wars podcast, as they dive into the fascinating intersection of Star Wars and cybersecurity. Eric reveals how the tactics and strategies from a galaxy far, far away can be applied to modern-day digital defense.

Greg and Eric share their love for Star Wars while drawing parallels between iconic moments from the saga and modern cybersecurity practices. Ever wondered how the Rebels' infiltration of the Death Star reflects real-world hacking techniques? Or how the Empire's security flaws could be lessons for today's digital defenses? We've got you covered. They highlight how living off the land techniques, identity protection failures, and internal security oversights in the Star Wars universe can teach us valuable lessons for defending against cyber threats.

From red teaming with Han and Chewbacca to intelligence analysis with Princess Leia, and even hardware hacking with Babu Frik, we cover a broad spectrum of cyber roles through the lens of Star Wars. We also delve into who would make the best CISO in the Star Wars universe, with some surprising nominations and entertaining analogies.

Whether you're a Star Wars enthusiast or a cybersecurity professional, this episode provides a unique and entertaining perspective on the skills and strategies essential for both realms. Tune in for a fun and insightful conversation that bridges the gap between fiction and reality in the most engaging way possible.

Resources mentioned:

* Hoth Takes (podcast)
* NIST Framework
* https://www.wired.com/author/eric-geller/

08-20
03:38

The Art of Frustrating Hackers: Diving Into the DEaTH Cycle with Randy Pargman

Hello, Cyber Stars! In today's episode of the Discarded Podcast, hosts Selena Larson and Sarah Sabotka are joined by Randy Pargman, Director of Threat Detection at Proofpoint. Randy shares his extensive experience in cybersecurity, from working at the FBI and understanding law enforcement's role in cyber defense, to endpoint detection and response, to his current role at Proofpoint.

We explore the relentless cat-and-mouse game between cyber defenders and threat actors. Randy discusses the importance of Detection Engineering and Threat Hunting (DEATH) and how these disciplines work together to outsmart cybercriminals. He also highlights the significance of log data retention and how investing in longer retention periods can drastically improve the efficacy of detection measures.

Randy touches on the upcoming DEATHCon, a must-attend event for cybersecurity professionals. He shares fascinating stories and analogies, making complex cybersecurity concepts accessible and engaging.

We also talk about:

* the concept of the "pyramid of pain" and how spending too much time on IOCs can be a losing battle against agile threat actors
* the value of empathy and collaboration among security teams
* practical steps for building shared lab environments

Resources mentioned:

* DeathCON
* Operation Endgame
* Clipboard to Compromise Blog: https://www.proofpoint.com/us/blog/threat-insight/clipboard-compromise-powershell-self-pwn
* DFIR Report Labs: https://thedfirreport.com/services/dfir-labs/

08-06
52:36

The Hunt for Cyber Criminals: A Deep Dive with Wired's Andy Greenberg

Hello, Cyber Stars! In today's episode of the Discarded Podcast, hosts Selena Larson and Pim Trouerbach are joined by Andy Greenberg, Senior Writer at WIRED. Known for his deep dives into the world of hacking, cybersecurity, and surveillance, Andy shares his journey of uncovering and telling compelling stories about the digital underworld.

The conversation kicks off with Andy detailing his extensive experience in cybersecurity journalism and his knack for long-form storytelling. He shares insights into his acclaimed Wired article on the Mirai botnet hackers and discusses his latest book, Tracers in the Dark: The Global Hunt for the Crime Lords of Cryptocurrency.

We also talk about:

* the intricate world of cryptocurrency and its unintended consequence of fueling ransomware attacks
* the rise of pig butchering scams, now dwarfing ransomware in financial impact
* the ethical dilemmas and real-world consequences of cybercrime

Resources mentioned:

* Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin's Most Dangerous Hackers by Andy Greenberg
* Tracers in the Dark: The Global Hunt for the Crime Lords of Cryptocurrency by Andy Greenberg
* https://www.wired.com/story/mirai-untold-story-three-young-hackers-web-killing-monster/
* https://www.wired.com/story/crypto-home-invasion-crime-ring/
* https://www.wired.com/story/tigran-gambaryan-us-congress-resolution-hostage-nigeria/

07-24
55:37

Have you heard: Only Malware in the Building?

Check out new episodes of Only Malware in the Building wherever you listen to podcasts: https://thecyberwire.com/podcasts/only-malware-in-the-building

07-15
03:10

Malware Evasion Uncovered: The Battle Against Evolving Malware Techniques

Hello, Cyber Pirates! In today's episode of the Discarded Podcast, hosts Selena Larson and Tim Kromphardt are joined by Kyle Cucci, Staff Threat Researcher at Proofpoint. Dive with us into the world of cyber attacks as Kyle breaks down the intricacies of evasion techniques used by threat actors. From defense evasion to anti-sandboxing and anti-reversing methods, Kyle sheds light on how modern malware ensures its survival. Discover the evolution and increasing sophistication of these techniques, and learn about specific malware families like WikiLoader, Remcos, and the notorious Loki Bot.

We then move into how teams of threat hunters, intelligence analysts, and malware reversers work closely to identify new malware techniques and develop robust defenses within sandbox environments. Kyle shares insights into the constant feedback loop between intelligence and detection teams, highlighting how they stay ahead of evolving threats.

We also talk about:

* evasion strategies, including temperature checks, geofencing, and human detection mechanisms
* the use of publicly available tools by malware authors
* the future of AI and large language models (LLMs) in both aiding and combating cyber threats

Resources mentioned:

* Evasive Malware by Kyle Cucci
* SentinelOne Research: https://www.sentinelone.com/blog/blackmamba-chatgpt-polymorphic-malware-a-case-of-scareware-or-a-wake-up-call-for-cyber-security/

07-09
33:53

Checkmate: Breaking Down Operation Endgame

Hello, cyber sleuths! In today's exciting episode of the Discarded Podcast, hosts Selena Larson and Sarah Sabotka are joined by the brilliant Pim Trouerbach, Senior Reverse Engineer at Proofpoint. Pim gives us the lowdown on Operation Endgame, the massive law enforcement operation targeting multiple high-profile botnets across the globe: how this coordinated takedown affects the cybercrime landscape, and the significance of arresting the individuals behind these operations. He also breaks down the different malware impacted, including SystemBC, IcedID, Pikabot, Bumblebee, and more.

We also talk about:

* the rise and fall of Bumblebee, comparing it to its predecessor, Baza Loader, and contemplating why it didn't quite live up to its anticipated potential despite its advanced features
* the collaborative efforts between law enforcement and private sector partners, emphasizing the effectiveness of these joint operations in curbing cyber threats
* the high-quality, cinematic videos released as part of Operation Endgame

Resources mentioned:

* https://www.proofpoint.com/us/blog/threat-insight/major-botnets-disrupted-global-law-enforcement-takedown
* https://www.proofpoint.com/us/threat-insight/post/systembc-christmas-july-socks5-malware-and-exploit-kits
* https://operation-endgame.com/
* https://www.justice.gov/opa/pr/911-s5-botnet-dismantled-and-its-administrator-arrested-coordinated-international-operation
* https://x.com/Shadowserver/status/1797945864004210843

06-25
46:57

Hacking the Human Mind: How Cyber Attackers Exploit Our Brains

Hello to all our cyber squirrels! Joining our series host, Selena Larson, is our co-host today, Tim Kromphardt. Together they welcome our special guest, Dr. Bob Hausmann, Proofpoint's Manager of Learning Architecture and Assessments and a seasoned psychologist. Our conversation explores how cyber threat actors exploit the different systems of thought in our brains, and how attackers leverage our rapid, emotionally-driven responses (system one thinking) to bypass our more deliberate, rational processes (system two thinking).

Dr. Bob introduces us to the concept of cognitive biases, particularly normalcy bias, and how these mental shortcuts can shape our cyber defense strategies. He explains how organizations often fall into the trap of thinking "it won't happen to us," leading to underinvestment in critical security measures. Drawing parallels to historical events like the sinking of the Titanic and the COVID-19 pandemic, he underscores the importance of overcoming these biases to enhance preparedness.

We also talk about:

* real-world implications and examples of social engineering attacks
* the impact of urgency and stress on decision-making in cybersecurity
* the alarming rise and mechanics of pig butchering scams
* the role of AI in scams and cybersecurity
* empathetic approaches to helping scam victims

Resources mentioned:

* Book: "Thinking, Fast and Slow" by Daniel Kahneman
* Book: "The Art of Deception" by Kevin Mitnick
* Previous Discarded Episode on Pig Butchering
* Have I Been Pwned
* PhishMe
* Cybersecurity and Infrastructure Security Agency (CISA)
* SANS Institute
* https://www.proofpoint.com/us/blog/threat-insight/broken-dreams-and-piggy-banks-pig-butchering-crypto-fraud-growing-online
* https://therecord.media/southeast-asian-scam-syndicates-stealing-billions-annually
* https://www.cfr.org/in-brief/how-myanmar-became-global-center-cyber-scams
* https://www.proofpoint.com/us/blog/threat-insight/dont-answer-russia-aligned-ta499-beleaguers-targets-video-call-requests

06-11
17:37

Decrypting Cyber Threats: Tactics, Takedowns, and Resilience

Hello to all our cyber pals! Joining our series host, Selena Larson, is our co-host today, Tim Kromphardt. Together they welcome our special guest, Daniel Blackford, the Director of Threat Research at Proofpoint. The conversation dives into the intricate world of cyber threats and the impact of law enforcement disruptions on malware, botnets, and ransomware actors.

We'll explore how threat actors react when their preferred infrastructures or ransomware-as-a-service systems get taken down, offering insights into their various responses—from rebuilding and rebranding to the emergence of new power players in the cybercriminal ecosystem.

We also talk about:

* analysis of the Hive ransomware takedown and the massive Qbot operation, including the technical and human aspects of these disruptions
* how other groups rise to prominence despite disruptions
* differences between malware disruptions and business email compromise (BEC) or fraud-focused disruptions
* the evolution of threat actor techniques, such as the use of legitimate remote management tools and living off the land techniques

05-29
13:58

It Works on My Machine: Why and How Engineering Skills Matter in Threat Research

The Discarded Podcast team is gearing up and working hard for a new season! Until then we have a special Re-Run treat--one of our favorite episodes! Enjoy!

Engineering skills can play a massively beneficial role in cyber security, as Pim Trouerbach, a Senior Reverse Engineer at Proofpoint, and Jacob Latonis, Senior Threat Research Engineer at Proofpoint, are able to share. They emphasize the importance of understanding the requirements and context of security researchers to build effective tools. The conversation touches on the potential impact of AI and LLMs (large language models) in threat research. While AI tools can be valuable for entry-level tasks, the context, experience, and expertise of human engineers are essential for handling complex code and understanding threat actors' behaviors.

Join us as we also discuss:

* [02:59] The uniqueness of engineering skills in understanding researchers' requirements for data cleaning, tool development, and working in a security environment.
* [11:06] How the versioning in malware samples can provide insights into the threat actors' behavior and trajectory.
* [13:24] How malware is simply software with malicious intent, and how practices of developers and threat actors can overlap.
* [17:10] The tools and techniques used by threat actors, including obfuscation and encryption methods.
* [21:42] The importance of context and experience in writing tools and understanding researchers' workflows.

05-08
46:55

Decoding TA4903: Exploring the Dual Objectives of a Unique Cyber Threat Actor

Today's focus is on the elusive threat actor known as TA4903. But that's not all - we've got a special treat for you as well. Our longtime producer, Mindy, is joining us as a co-host, bringing her expertise and insights to the table, as we turn the mic around and interview Selena! We explore recent research conducted by Selena and her team on TA4903's distinct objectives. Unlike many cybercrime actors, TA4903 demonstrates a unique combination of tactics, targeting both high-volume credential phishing campaigns and lower-volume direct business email compromises.

We also dive into:

* how TA4903 spoofs government entities like the Department of Transportation and the Department of Labor to lure victims
* use of advanced techniques, including EvilProxy for multi-factor authentication token theft and QR codes for phishing campaigns
* rising trends in cryptocurrency-related scams and other financial frauds

Resources mentioned:

* MFA Bypass (Blog) by Timothy Kromphardt
* IC3 2023 FBI Report
* New TA4903 research: https://www.proofpoint.com/us/blog/threat-insight/ta4903-actor-spoofs-us-government-small-businesses-phishing-bec-bids

04-02
40:57

A Trip Down Malware Lane: How Today's Hottest Malware Stacks Up Against Predecessors

It has been a busy first quarter for the Proofpoint Threat Research team! Today we have returning guest Pim Trouerbach to share his personal stories about his favorite malware and discuss the current landscape, including insights on Pikabot, Latrodectus, and WikiLoader. The conversation explores the evolution from old school banking trojans to the current favored payloads from major cybercrime actors, and the changes in malware development through the years. Pim shares the meticulous analysis and research efforts behind this work, and we learn about mechanisms to combat the malware.

We also dive into:

* a valuable lesson about the consequences of malware running rampant in a sandbox environment
* the shifts in attack chains and tactics employed by threat actors
* the need for adaptive detection methods to combat evolving cyber threats

Resources mentioned:

* Countdown to Zero Day by Kim Zetter

Shareable Links:

* https://www.proofpoint.com/us/blog/threat-insight/out-sandbox-wikiloader-digs-sophisticated-evasion
* https://www.proofpoint.com/us/blog/threat-insight/ta577s-unusual-attack-chain-leads-ntlm-data-theft
* https://www.proofpoint.com/us/blog/threat-insight/battleroyal-darkgate-cluster-spreads-email-and-fake-browser-updates
* https://www.proofpoint.com/us/blog/threat-insight/bumblebee-buzzes-back-black
* https://www.proofpoint.com/us/blog/threat-insight/security-brief-tis-season-tax-hax

Pim's Favorite Malware:

* Emotet: https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-280a
* IcedID: https://www.proofpoint.com/us/blog/threat-insight/fork-ice-new-era-icedid
* Dridex: https://www.cisa.gov/news-events/cybersecurity-advisories/aa19-339a
* Hancitor: https://malpedia.caad.fkie.fraunhofer.de/details/win.hancitor
* Qbot: https://malpedia.caad.fkie.fraunhofer.de/details/win.qakbot
* Hikit (APT): https://attack.mitre.org/software/S0009/
* Stuxnet (APT): https://www.penguinrandomhouse.com/books/219931/countdown-to-zero-day-by-kim-zetter/
* Cutwail: https://malpedia.caad.fkie.fraunhofer.de/details/win.cutwail

03-19
56:22
