DISCARDED: Tales From the Threat Research Trenches

  • Decoding TA4903: Exploring the Dual Objectives of a Unique Cyber Threat Actor

    2 APR 2024 · Today’s focus is on the elusive threat actor known as TA4903. But that's not all - we've got a special treat for you as well. Our longtime producer, Mindy, is joining us as a co-host, bringing her expertise and insights to the table, as we turn the mic around and interview Selena!

    We explore recent research conducted by Selena and her team on TA4903’s distinct objectives. Unlike many cybercrime actors, TA4903 demonstrates a unique combination of tactics, targeting both high-volume credential phishing campaigns and lower-volume direct business email compromises.

    We also dive into:
    - TA4903 spoofs government entities like the Department of Transportation and the Department of Labor to lure victims
    - Use of advanced techniques including EvilProxy for multi-factor authentication token theft and QR codes for phishing campaigns
    - Rising trends in cryptocurrency-related scams and other financial frauds

    Resources mentioned:
    - https://www.proofpoint.com/us/blog/threat-insight/mfa-psa-oh-my (Blog) by Timothy Kromphardt
    - https://www.ic3.gov/Media/PDF/AnnualReport/2023_IC3Report.pdf
    - New TA4903 research: https://www.proofpoint.com/us/blog/threat-insight/ta4903-actor-spoofs-us-government-small-businesses-phishing-bec-bids

    For more information, https://www.proofpoint.com/us/podcasts.
    40 min. 56 sec.
  • A Trip Down Malware Lane: How Today's Hottest Malware Stacks Up Against Predecessors

    19 MAR 2024 · It has been a busy first quarter for the Proofpoint Threat Research team! Today we have returning guest Pim Trouerbach to share his personal stories about his favorite malware and discuss the current landscape, including insights on Pikabot, Latrodectus, and WikiLoader.

    The conversation explores the evolution from old-school banking trojans to the payloads currently favored by major cybercrime actors, and the changes in malware development through the years. Pim shares the team's meticulous analysis and research efforts, and we learn about mechanisms to combat the malware.

    We also dive into:
    - a valuable lesson about the consequences of malware running rampant in a sandbox environment
    - the shifts in attack chains and tactics employed by threat actors
    - the need for adaptive detection methods to combat evolving cyber threats

    Resources mentioned:
    - https://www.amazon.com/Countdown-Zero-Day-Stuxnet-Digital/dp/0770436196 by Kim Zetter

    Shareable Links:
    - https://www.proofpoint.com/us/blog/threat-insight/out-sandbox-wikiloader-digs-sophisticated-evasion
    - https://www.proofpoint.com/us/blog/threat-insight/ta577s-unusual-attack-chain-leads-ntlm-data-theft
    - https://www.proofpoint.com/us/blog/threat-insight/battleroyal-darkgate-cluster-spreads-email-and-fake-browser-updates
    - https://www.proofpoint.com/us/blog/threat-insight/bumblebee-buzzes-back-black
    - https://www.proofpoint.com/us/blog/threat-insight/security-brief-tis-season-tax-hax

    Pim’s Favorite Malware:
    * Emotet: https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-280a
    * IcedID: https://www.proofpoint.com/us/blog/threat-insight/fork-ice-new-era-icedid
    * Dridex: https://www.cisa.gov/news-events/cybersecurity-advisories/aa19-339a
    * Hancitor: https://malpedia.caad.fkie.fraunhofer.de/details/win.hancitor
    * Qbot: https://malpedia.caad.fkie.fraunhofer.de/details/win.qakbot
    * Hikit (APT): https://attack.mitre.org/software/S0009/
    * Stuxnet (APT): https://www.penguinrandomhouse.com/books/219931/countdown-to-zero-day-by-kim-zetter/
    * Cutwail: https://malpedia.caad.fkie.fraunhofer.de/details/win.cutwail

    For more information, https://www.proofpoint.com/us/podcasts.
    56 min. 21 sec.
  • Hiding In Plain Sight: Unique Methods Of C2 From Infostealers

    5 MAR 2024 · Network-based detections, such as the Suricata and Snort signatures written by threat detection engineers, play a crucial role in identifying and mitigating cyber threats by analyzing network traffic for malicious patterns and activities. Today’s guest is Isaac Shaughnessy, a Threat Detection Engineer at Proofpoint. Isaac shares his insights into the challenges of detecting and mitigating malware, especially malware that uses social platforms for command and control. He emphasizes the team's engagement with the InfoSec community, highlighting the value of platforms like Twitter and Mastodon for sharing and receiving information.

    We also dive into:
    - the unique challenges of crafting effective signatures
    - the specifics of malware, focusing on Vidar stealer and highlighting the dynamic nature of Vidar's command and control infrastructure
    - the distribution methods of these malware strains, from email campaigns to unconventional tactics like using video game platforms and social media for luring victims

    Resources mentioned:
    - https://www.youtube.com/watch?v=0mJayM2X6Wo with Isaac Shaughnessy
    - Emerging Threats Mastodon: https://infosec.exchange/@emergingthreats
    - Threat Insight Mastodon: https://infosec.exchange/@threatinsight
    - https://community.emergingthreats.net/t/vidar-stealer-picks-up-steam/271

    For more information, https://www.proofpoint.com/us/podcasts.
    27 min. 22 sec.
  • From Attribution to Advancement: Red Canary’s Katie Nickels Tackles CTI’s Biggest Questions

    20 FEB 2024 · The esteemed Katie Nickels joins us on the show today! Katie is the Director of Intelligence Operations at Red Canary, and our conversation with her explores a wide array of topics, ranging from career growth in threat intelligence to the intricacies of attribution and threat actor naming. Katie delves into her diverse career journey and transitions to advice for those entering the field, emphasizing persistence, creativity, and considering entry-level roles like SOC analyst positions. There is also talk of avoiding burnout while pursuing one’s passion, especially in cybersecurity.

    We also dive into:
    - Communication and attribution challenges, including the confusion of different naming conventions
    - Marketing and the personification of threat actors
    - Strategic approaches in handling incidents and avoiding panic

    For more information, https://www.proofpoint.com/us/podcasts.
    47 min. 3 sec.
  • Beyond the Headlines: Reporting on Sensitive Cybersecurity Topics to Resonate with Everyone

    6 FEB 2024 · *This episode contains content warnings of suicide and self-harm*

    “It’s not about preventing something from happening, it’s being prepared for when it does.” This episode is filled with stories from the different scenarios in which cyber security attacks have been plaguing people. Today’s guest is Kevin Collier, a cybersecurity reporter at NBC. He joins us to discuss his experiences covering cybersecurity stories for a mainstream audience. As the first and only dedicated cybersecurity reporter at NBC, Collier reflects on the evolving nature of media coverage in the cybersecurity space, emphasizing the increasing need for dedicated coverage in major news publications. He highlights the rise of scams facilitated through text messages, emails, and zero-day exploits, emphasizing the geopolitical circumstances that enable these threats, and also helping audiences understand the reality behind the cyber threats they face.

    They also dive into:
    - The poignant reporting process on a story of pig butchering scams
    - The normalization of cyber threats, such as ransomware, and the role of the media in shaping public perception
    - The process of convincing stakeholders to prioritize certain topics
    - The emotional toll of reporting on sensitive cybersecurity topics and the importance of self-care in navigating this challenging intersection

    Resources mentioned (trigger warning for content of suicide and self-harm):
    - https://www.nbcnews.com/tech/tech-news/how-online-romance-scams-netting-millions-self-harm-rcna85252 by Kevin Collier
    - https://podcasts.apple.com/us/podcast/obfuscated-online-threats-and-the-visually-impaired/id1612506550?i=1000630148789 Utzig
    - https://www.cisa.gov/news-events/news/attack-colonial-pipeline-what-weve-learned-what-weve-done-over-past-two-years by CISA.gov

    For more information, https://www.proofpoint.com/us/podcasts.
    55 min. 38 sec.
  • Strategies for Defense and Disruption: Part Two of Predicting Cyber Threats in 2024

    23 JAN 2024 · Is 2024 the year of adaptability and collaboration within the security community? Let’s hope so! Today’s episode is Part Two of what to expect in cybersecurity in 2024, and our guests are Randy Pargman and Rich Gonzalez. Randy sheds light on the crucial role of the Detections Team, emphasizes the constant innovation of malware authors, and describes the team’s mission to outsmart them. Rich discusses the Emerging Threats team and dives into open source and paid resources as force multipliers for security teams. While some reflections were shared about 2023, namely multiple high-profile vulnerability events and the challenges posed by QR codes, the conversation focused on the upcoming year. They anticipate increased creativity from threat actors, and emphasize the constant battle between red and blue teams. The conversation underscores the need for constant adaptation, response to emerging threats, and collaboration within the security community.

    Other topics discussed include:
    - Incidents like the WinRAR, Citrix NetScaler ADC, and ScreenConnect vulnerabilities
    - The positive impact of public-private partnerships and international cooperation in enhancing cybersecurity defenses
    - A hopeful vision for the industry, advocating for understanding, education, and increased diversity

    For more information, https://www.proofpoint.com/us/podcasts.
    1 h 6 min. 16 sec.
  • Phishing, Elections, and Costly Attacks: Part One of Predicting Cyber Threats in 2024

    9 JAN 2024 · To move forward, it’s good to take a minute and reflect on what’s happened. Today’s episode focuses on insights from Daniel Blackford and mailto:adoraisjoncas@proofpoint.com, both Senior Managers of Threat Research at Proofpoint. This is the first in our two-part series looking at what’s on the horizon for 2024. Reflecting on 2023, they discuss the use of QR codes, major technique shifts from the biggest ecrime and APT actors, and the ongoing problem of ransomware. Looking ahead to 2024, the emphasis goes to the gradual shift of attacks outside corporate-managed infrastructure, leveraging personal email accounts to bypass extensive security measures. On the cybercrime side, there’s a prediction of the continued development of as-a-service models, particularly focusing on traffic distribution services, leading to more modular and challenging-to-attribute attack chains.

    They also dive into:
    - Threat actor activity during the elections and Olympics
    - Specific threat actor groups that caught their attention in 2023, TA473 and TA577
    - Living off the Land concepts

    For more information, https://www.proofpoint.com/us/podcasts.
    44 min. 59 sec.
  • Jingle Bells, Phishing Tales: Reflecting on Cybersecurity in the Holiday Spirit

    26 DEC 2023 · In this special Holiday edition of Discarded, the tables are turned, with hosts Selena and Crista becoming the answerers, our returning Moderator, Mindy Semling, as the question asker, and our wonderful audience transformed into Cyber Elves. This conversation is lively and filled with questions from a variety of engaged audience members. (Thank you to everyone who contributed.) Questions range from career advice for aspiring Cyber Threat Analysts, to certain threats exploding in popularity, to a reflection on 2023.

    The Discarded Podcast team would like to take a moment and thank the following people for their contributions to the Cyber Security Landscape this year:
    - Pim Trouerbach
    - Kelsey Merriman
    - Tommy Madjar
    - Bryan Campbell
    - Greg Lesnewich
    - Kyle Eaton
    - Joe Wise
    - Emerging Threats team
    - The overall Proofpoint Team, including, but not limited to, our PR and marketing teams

    Resources mentioned:
    - YouTube: https://www.youtube.com/watch?v=xsqVWMTRf6g
    - SANS Threat Analysis Rundown: https://www.sans.org/cyber-security-courses/cyber-threat-intelligence/
    - https://www.networkdefense.co/courses/investigationtheory/
    - https://www.nbcnews.com/tech/tech-news/how-online-romance-scams-netting-millions-self-harm-rcna85252
    - https://medium.com/mitre-attack/attack-v14-fa473603f86b
    - https://medium.com/katies-five-cents/a-cyber-threat-intelligence-self-study-plan-part-1-968b5a8daf9a
    - https://medium.com/katies-five-cents/a-cyber-threat-intelligence-self-study-plan-part-2-d04b7a529d36
    - https://www.atlanticcouncil.org/in-depth-research-reports/report/sleight-of-hand-how-china-weaponizes-software-vulnerability/
    - https://www.wired.com/story/gadget-lab-podcast-621/
    - https://www.wired.com/story/mirai-untold-story-three-young-hackers-web-killing-monster/

    For more information, https://www.proofpoint.com/us/podcasts.
    1 h 4 min. 58 sec.
  • I Know This Might Sound Crazy but Russia’s TA422 Blasted Lots of Exploits

    12 DEC 2023 · ’Tis the season for understanding TA422’s latest activity AND for singing podcast guests! Today’s returning guest is Greg Lesnewich, Senior Threat Researcher at Proofpoint. He sheds light on the tactics, techniques, and procedures (TTPs) employed by TA422. The conversation touches on the significance of the high volumes observed starting in late summer, the exploitation of vulnerabilities for NTLM credential harvesting, and the brief usage of the WinRAR vulnerability. They touch upon the potential reasons behind the group's choices, considering factors such as resourcing, tactical decisions, and a shift towards speed and efficiency. There is also consideration of how TA422's activities connect to broader trends in threat actor behavior, such as a shift towards living off the land techniques and a focus on social engineering for initial access.

    The conversation continues on the following topics:
    - [11:17] TA422 Recent Activity
    - [13:30] Campaigns using CVE-2023-23397
    - [18:35] WinRAR activity
    - [22:50] October & November activity
    - [26:50] Guest Singing Spotlight
    - [29:30] Noticeable differences in campaigns

    Resources mentioned:
    - TA422 Proofpoint Blog: https://www.proofpoint.com/us/blog/threat-insight/ta422s-dedicated-exploitation-loop-same-week-after-week
    - Google TAG Report on WinRAR Exploits: https://blog.google/threat-analysis-group/government-backed-actors-exploiting-winrar-vulnerability/amp/
    - Selena’s Cyber Tunes Playlist: https://open.spotify.com/playlist/7GqH7SefgiI1UtYNjQ5svg?si=vO2Ao-lTTSuCCVfgfgcUfw&pt=97da5ebbd320a4f79014b1f205fc8438&pi=u--xbfwSuHSE-T
    - Wired story on Sandworm: https://www.wired.com/story/sandworm-ukraine-third-blackout-cyberattack/

    For more information, https://www.proofpoint.com/us/podcasts.
    50 min. 38 sec.
  • MITRE ATT&CK Evolves with Cyber Threat Sophistication

    29 NOV 2023 · Take a deep dive with us into the incomparable MITRE ATT&CK Framework, a comprehensive knowledge base that catalogs real-world threat actor behaviors derived from threat intelligence. Today’s guests are our great friends at MITRE ATT&CK, Adam Pennington (Attack Lead) and Patrick Howell O’Neill (Lead Cyber Operations Analyst). They explore how the Framework serves as a common language for communicating adversary threat behaviors and discuss its evolution from an internal project to a community-driven resource. The latest version of the MITRE ATT&CK Framework, version 14, was released on Halloween, emphasizing new features like the addition of new defensive information and techniques they had previously declined to include. They discuss the decision-making process behind incorporating new techniques, such as Financial Theft, Impersonation, Phishing: Spearphishing Voice, and Phishing for Information: Spearphishing Voice.

    The conversation continues on the following topics:
    - [5:00] MITRE ATT&CK Framework
    - [9:25] Improving cybersecurity detection
    - [13:00] New ATT&CK techniques
    - [16:00] Decisions about which techniques to add
    - [23:00] Mobile ATT&CK
    - [30:00] Decisions about which trends to include
    - [37:00] Feedback about the Framework

    Resources mentioned:
    - https://www.proofpoint.com/us/threat-reference/mitre-attack-framework
    - https://attack.mitre.org/
    - https://medium.com/mitre-attack/attack-v14-fa473603f86b

    For more information, https://www.proofpoint.com/us/podcasts.
    50 min. 34 sec.

DISCARDED: Tales from the Threat Research Trenches is a podcast for security practitioners, intelligence analysts, and threat hunters looking to learn more about the threat behaviors and attack patterns. Each episode you’ll hear real world insights from our researchers about the latest trends in malware, threat actors, TTPs, and more.
Welcome to DISCARDED