Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label Proofpoint. Show all posts
T-Mobile
AI technology CIO cyber resilience Cyber Security Proofpoint Quantum computing T-Mobile

Cyber Resilience: Preparing for the Inevitable in a New Era of Cybersecurity

 

At the TED Conference in Vancouver this year, the Radical Innovators foundation brought together over 60 of the world’s leading CHROs, CIOs, and founders to discuss how emerging technologies like AI and quantum computing can enhance our lives. Despite the positive focus, the forum also addressed a more concerning topic: how these same technologies could amplify cybersecurity threats. Jeff Simon, CISO of T-Mobile, led a session on the future of security, engaging tech executives on the growing risks. 

The urgency of this discussion was underscored by alarming data from Proofpoint, which showed that 94% of cloud customers faced cyberattacks monthly in 2023, with 62% suffering breaches. This illustrates the increased risk posed by emerging technologies in the wrong hands. The sentiment from attendees was clear: successful cyberattacks are now inevitable, and the traditional focus on preventing breaches is no longer sufficient. Ajay Waghray, CIO of PG&E Corporation, emphasized a shift in mindset, suggesting that organizations must operate under the assumption that their systems are already compromised. 

He proposed a new approach centered around “cyber resilience,” which goes beyond stopping breaches to maintaining business continuity and strengthening organizational resilience during and after attacks. The concept of cyber resilience aligns with lessons learned during the pandemic, where resilience was about not just recovery, but coming back stronger. Bipul Sinha, CEO of Rubrik, a leading cyber resilience firm, believes organizations must know where sensitive data resides and evolve security policies to stay ahead of future threats. He argues that preparedness, including preemptive planning and strategic evolution after an attack, is crucial for continued business operations. 

Venture capital firms like Lightspeed Venture Partners are also recognizing this shift towards cyber resilience. Co-founder Ravi Mhatre highlights the firm’s investments in companies like Rubrik, Wiz, and Arctic Wolf, which focus on advanced threat mitigation and containment. Mhatre believes that cybersecurity now requires a more dynamic approach, moving beyond the idea of a strong perimeter to embrace evolutionary thinking. Waghray identifies four core elements of a cyber resilience strategy: planning, practice, proactive detection, and partnerships. 

These components serve as essential starting points for companies looking to adopt a cyber resilience posture, ensuring they are prepared to adapt, respond, and recover from the inevitable cyber threats of the future.
Read more »
URL
APT Cyber Attacks fake Iranian Malicious Camapign Proofpoint Threat actor URL

Iranian Threat Actor TA453 Targets Jewish Figure with Fake Podcast Invite in Malicious Campaign

 

A recent cyber campaign by the Iranian threat actor TA453 has drawn significant attention following their targeting of a prominent Jewish religious figure with a fake podcast interview invitation. The campaign, which began in July 2024, involved a series of deceptive emails promoting a supposed podcast titled “Exploring Jewish Life in the Muslim World.” The attackers masqueraded as representatives of the Institute for the Study of War (ISW), a legitimate American non-profit think tank focused on military and foreign affairs research. 

On July 22, 2024, TA453 initiated contact with the target by sending an email from an address claiming to represent ISW’s Research Director. The email invited the recipient to participate in the podcast, a lure that successfully engaged the target. After initial correspondence, TA453 sent a DocSend URL containing a password-protected text file with a legitimate ISW podcast link. Researchers from Proofpoint believe this initial interaction was intended to build trust with the target, making them more likely to click on malicious links in future communications. 

Following the initial lure, TA453 escalated their attack by sending a Google Drive URL that led to a ZIP archive. This archive contained a malicious LNK file, which, when opened, deployed the BlackSmith toolset, including the AnvilEcho PowerShell trojan. AnvilEcho is a sophisticated malware capable of intelligence gathering and data exfiltration. It employs encryption and network communication techniques to evade detection, integrating multiple capabilities within a single PowerShell script. The trojan’s command-and-control (C2) infrastructure is hosted on a domain linked to previous TA453 operations. 

AnvilEcho continuously fetches and executes commands from the remote server via its “Do-It” function, which handles various tasks, including network connectivity, file manipulation, screenshot capture, and audio recording. The “Redo-It” function, located at the end of the malware’s code, orchestrates these commands while also collecting system reconnaissance data such as antivirus status, operating system details, and user information. According to researchers, the activities of TA453 are likely aimed at supporting intelligence collection for the Iranian government, specifically the Islamic Revolutionary Guard Corps’ Intelligence Organization. 

The tactics employed in this campaign bear a strong resemblance to those used by the Charming Kitten advanced persistent threat (APT) group, another Iranian cyber espionage unit. This operation is a classic example of multi-persona impersonation, where threat actors leverage legitimate links to build trust with victims before launching more harmful attacks.
Read more »
US Healthcare
Cyber Attacks cybersecurity research Healthcare Data Healthcare organizations Proofpoint US Healthcare

88% of Healthcare Organizations Have Suffered a Cybersecurity Incident in Past Year


Organizations included in the healthcare sector, like hospitals and clinics, have struggled with a series of cyberattacks in recent years, resulting in their inability to provide even the minimum services because of computer outages and loss of important files in the data breaches.

In a recent report published on Wednesday by research conducted by Proofpoint, an email security company, around 90% of healthcare organizations have experienced at least one cybersecurity incident in the past year. 

In the past two years, more than half of the healthcare organizations have reported to have experienced an average of four ransomware attacks. 68% of the organizations surveyed noted that the attacks “negatively impacted patient safety and care.”

The aforementioned report conducted by Proofpoint includes a survey of more than 650 IT and cybersecurity professionals in the US healthcare sector, highlighting the healthcare sector's ongoing susceptibility to common attack methods. It occurs as the Cybersecurity and Infrastructure Security Agency works to provide greater assistance to small, rural hospitals that are underfunded and wilting under constant cyberattacks.

As healthcare organizations struggle to find alternatives to their outdated technology so they can keep providing services, these efforts are using up more and more of their resources. Between 2022 and 2023, the cost of the time spent minimizing the attacks' consequences on patient care rose by 50%, from around $660,000 to $1 million.

In the case of ransomware assault in hospital systems, where computer networks shut down, the impact is rapid and extensive. 

Stephen Leffler, president and chief operating officer of the University of Vermont Medical Center, spoke about how a ransomware assault in October 2020 brought about a catastrophe at his facility during a congressional hearing in September. For 28 days, senior physicians had to train junior physicians on how to use paper records as the National Guard assisted the IT department in a round-the-clock operation to wipe and reconfigure every computer in the network.

Leffler remarked, "We literally went to Best Buy and bought every walkie-talkie they had." This was due to their internet-based phone system being offline. Between 2022 and 2023, the cost of patient care grew by 50%, from about $660,000 to $1 million.

Leffler, who has been an emergency medicine doctor for 30 years, further commented “I've been a hospital president for four years. The cyberattack was much harder than the pandemic by far.” 

Read more »
SVB
BEC Attacks Cyber Security Domain Phishing Attack Proofpoint SVB

Cybercriminals Exploit SVB's Downfall for Phishing

The downfall of Silicon Valley Bank (SVB) on March 10, 2023, has caused instability all across the global financial system, but for hackers, scammers, and phishing schemes, it's evolving into a huge opportunity.

Security experts have already observed a variety of schemes that take advantage of the situation, which has severely hurt tech companies. Proofpoint researchers reported on Twitter that they have observed scammers sending fraudulent emails pertaining to a cryptocurrency company impacted by the failure of SVB.

On March 12, a considerable amount of domain names with the name SVB were registered. Threat actors are preparing for business email compromise (BEC) attacks by registering suspicious domains, creating phishing pages, and more. These operations seek to defraud targets by stealing money, account information, or malware.

A campaign using lures related to USDC, a digital stablecoin linked to the USD that was impacted by the SVB collapse, was found, as per Proofpoint. Fraudulent cryptocurrency businesses were defamed in messages sent through malicious SendGrid accounts that pointed users to URLs where they could claim their cryptocurrency.

A substantial KYC phishing campaign using SVB branding and a template with a DocuSign theme was found, as per Cloudflare. Within hours of the campaign's inception, 79 instances were where it was discovered. An assault that included HTML code with a first link that changed four times before linking to an attacker-controlled website was also intended at the company's CEO.

The HTML file used in the attack directs the user to a WordPress instance with the capacity to do the recursive redirection, however, it is unclear if this specific WordPress installation has been hijacked or if a plugin was set up to enable the redirect.







Read more »
URL
Cyber Security JavaScript Malicious actor Microsoft PDFs Phishing Attacks Proofpoint Russian Hackers URL

Cybercrime Utilizes Screenshotter to Find Targets in US

Organizations in Germany and the United States are targets of a new threat actor identified as TA886 that requires new, proprietary malware to spy on users and steal their data from affected devices. Proofpoint reported that it initially identified the previously unidentified cluster of activity in October 2022 and that it persisted into 2023.

Malicious Microsoft Publisher (.pub) attachments with macros, URLs leading to.pub files with macros, or PDFs with URLs that download risky JavaScript files are some of the ways the threat actor targets victims.

According to the researchers, which gave the operation the name Screentime, it is being carried out by a brand-new malicious attacker known as TA866. Although it is possible that the group is well-known to the larger cybersecurity sector, no one has been able to connect to any other groups or initiatives.

According to Proofpoint, TA866 is an "organized actor capable of performing well-planned attacks at scale based on their availability of custom tools, ability and connections to buy tools and services from other vendors, and increasing activity volumes."

As a result of some variable names and phrases in their stage-two payloads being written in Russian, the researchers further speculate that the threat actors may be Russian. In Screentime, TA866 would send phishing emails in an effort to get victims to download the harmful WasabiSeed payload. According to the stage-two payloads that the threat actors deem appropriate at the time, this malware develops persistence on the target endpoint.

AHK Bot has been seen downloading and loading the Rhadamanthys information thief into memory while also deploying a script to inspect the victim's computer's Active Directory (AD) domain. According to Proofpoint, the AD profile may result in the compromising of additional domain-joined hosts.

As per Proofpoint, the activity continued into 2023 after the first indications of Screentime advertisements appeared in October 2022. The campaigns have an indiscriminate impact on all industries in terms of verticals.


Read more »
ZIP File
iOS malware Payloads Phishing Attacks Proofpoint ZIP File

TA558 Malware Attacks Travel and Hospitality Services

A persistent wave of attacks on Latin American hospitality, hotel, and travel firms with the intention of planting malware on compromised systems have been attributed to a financially motivated cybercrime ring.

Proofpoint researchers are keeping tabs on a malware campaign being run by the TA558 malware gang. The organization used Loda RAT, Vjw0rm, and Revenge RAT among other malware in its attacks. 

The gang has been active at a faster rate than usual in 2022, with intrusions mostly targeted at Latin American Portuguese and Spanish speakers and to a lesser level at Western European and North American speakers.

The group uses phishing campaigns that involve sending malicious spam messages with lures that have a travel theme, like hotel reservations, that contain weaponized documents or URLs in an effort to persuade unwitting users to install trojans that can conduct reconnaissance, steal data, and distribute add-on payloads.

To download and install a variety of malware, including AsyncRAT, Loda RAT, Revenge RAT, and Vjw0rm, the assaults conducted between 2018 and 2021 made use of emails with malicious Word documents that either contained VBA macros or exploits for vulnerabilities like CVE-2017-11882 and CVE-2017-8570.

In more recent attacks, the cybercriminal organization has started distributing malware using Office documents, RAR attachments, ISO attachments, and malicious URLs. The action is in response to Microsoft's decision to make Office products' default settings for macros disabled.

According to Proofpoint, 27 of the 51 campaigns that hackers ran in 2022 made use of URLs linking to ZIP and ISO archives, compared to just five efforts from 2018 through 2021.

Since 2018, at least 15 different malware families have been employed by TA558, sometimes using the same C2 infrastructure, according to Proofpoint. To host the malware payloads, the gang uses websites that have been infiltrated by hotels.

In an effort to prevent detection and obscure the source of the attacks, the threat actor frequently changes languages within the same week.

A number of noticeable patterns are also being used by TA558 in the campaign data, including the use of specific strings, naming conventions, keywords, domains, etc. 











Read more »
TTPs
Cyber Security Emotet HTML ICedID ISO files Proofpoint Qakbot TTPs

Microsoft: Hackers Exploring New Attack Techniques

Malicious actors are adapting their strategies, techniques, and procedures in response to Microsoft's move to automatically block Excel 4.0 (XLM or XL4) and Visual Basic for Applications (VBA) macros across Office programs (TTPs).

Malicious Microsoft Office document attachments sent in phishing emails often contain VBA and XL4 Macros, two short programs designed to automate repetitive processes in Microsoft Office applications that threat actors use to load, drop, or install malware.

Sherrod DeGrippo, vice president of threat research and detection at Proofpoint, stated "the threat landscape has changed significantly as a result of threat actors shifting away from directly disseminating macro-based email attachments."

The change was made as a result of Microsoft's announcement that it will stop the widespread exploitation of the Office subsystem by making it more challenging to activate macros and automatically banning them by default.

New tactics 

Use of ISO, RAR, and Windows Shortcut (LNK) attachments to get around the block has multiplied by 66%, according to security firm Proofpoint, which calls this activity 'one of the largest email threat landscape shifts in recent history.' Actors spreading the Emotet malware are also involved in this activity.

The use of container files like ISOs, ZIPs, and RARs has also increased rapidly, increasing by about 175 percent. These are rapidly being used as initial access mechanisms by threat actors, between October 2021 and June 2022, the use of ISO files surged by over 150 percent.

Since October 2021, the number of campaigns including LNK files has climbed by 1,675%. Proofpoint has been tracking a variety of cybercriminal and advanced persistent threat (APT) actors who frequently use LNK files.

Emotet, IcedID, Qakbot, and Bumblebee are some of the famous malware families disseminated using these new techniques.

According to Proofpoint, the usage of HTML attachments employing the HTML smuggling approach to put a botnet on the host system has also increased significantly. Their distribution volumes, however, are still quite limited.

Finally, with a restricted range of potential threats to assess, email security systems are now more likely to detect hazardous files.

Read more »
Proofpoint
APT attacks China Cyber Attacks Iranian hackers Lazarus Group Malicious Emails Proofpoint

Proofpoint Analysis : APT Groups Target Journalists


APT organizations that are allegedly affiliated with China, North Korea, Iran, and Turkey are described in detail by researchers in a Proofpoint report released on Thursday. Attacks started in early 2021 and are still happening, according to researchers.

Targeted phishing attacks are linked to several threat actors who have independently focused on acquiring journalist credentials and sensitive data as well as tracking their locations. 

Targeting journalist

Proofpoint monitored the activities of the APT group TA412 also known as Zirconium, which attacked journalists based in the US. The nation-state hackers implanted a hyperlinked invisible item within an email body by using phishing emails that contained web beacons such as tracking pixels, tracking beacons, and web bugs.

Journalists based in the US who were being targeted were investigating matters of domestic politics and national security and writing about subjects that favored Beijing.
  • By February 2022, Zirconium had resumed its operations against journalists using the same tactics, with a particular emphasis on those who were reporting the Russia-Ukraine conflict.
  • Proofpoint discovered another Chinese APT organization known as TA459 in April 2022 that was targeting journalists with RTF files that, when viewed, released a copy of the Chinoxy malware. These hackers specifically targeted journalists covering Afghan foreign affairs.
  • Early in 2022, the TA404 group, also known as Lazarus, targeted a media company with a base in the United States. As lures, the attackers utilized phishing messages with job offers.
  • Finally, Turkish threat actors identified as TA482 planned campaigns to harvest credentials from journalists' social media accounts.
Not all hackers, however, are motivated to work hard to breach journalist data. This strategy has mostly been used by Iranian actors, like TA453 or Charming Kitten, who had sent emails to academics and Middle East policy experts while pretending to be reporters.

Finally, Proofpoint draws attention to the activities of Iranian hackers TA457, who initiated media-targeting efforts every 2 to 3 weeks between September 2021 and March 2022.

It's also essential to understand the wide attack surface—all the various web channels used for information and news sharing—that an APT attacker can exploit. Finally, exercising caution and confirming an email's identity or source can stop an APT campaign in its early stages.
Read more »
Subscribe to: Posts (Atom)