Threat Hub

The Proofpoint threat research team has access to one of the largest, most diverse data sets in all of cybersecurity. We’re bringing you the highlights every week, right here at the Threat Hub.

Weekly Brief

SocGholish: real updates on a fake-update attack. And the latest Emotet developments on our podcast.

This week on The Threat Hub: Most of the malware we talk about on the Hub is delivered by malicious links or attachments embedded in email. But SocGholish, distributed by threat actor TA569, is different. This malware spreads by JavaScript injects on infected websites. There can be hundreds—even thousands—of websites infected at any one time, and anyone visiting them has the potential to be attacked. The mechanism of infection is a fake browser update that appears if the user meets certain criteria. Once a system is infected, TA569 can launch a number of potential follow-on attacks, including selling access on to ransomware attackers. We’ve just published part one of a deep dive into SocGholish on the Threat Insight blog, with part two coming soon.

But if you’re eager to find out more now, blog author Andrew Northern recently gave a webinar update on SocGholish. At the start of the month this malware was implicated in a supply chain attack affecting hundreds of media websites. The webinar recording contains a rundown of attack chains, TA569 TTPs and tips on how to stay ahead of the threat.

And on this week’s Five-Minute Forecast, a Twitter data breach exposes millions of phone numbers, U.S. authorities seize “pig butchering” sites, and senior reverse engineer Pim Trouerbach shares the latest Emotet developments.

Insights Chart of the Week
SocGholish to Ransomware
Fake Update, Real Ransomware

The group behind SocGholish moves fast. In just 96 hours, ransomware can be installed on a machine infected with the initial SocGholish payload. It's likely that TA569 acts as an initial access facilitator for other threat actors.

Equip your team with threat intelligence

Threat Report
2022 Spring/Summer Threat Summary

Reviewing state-sponsored attacks and major league malware activity from the first half of the year.

Blog Post
How Smishing Operations Abuse Legitimate Services

Messaging services help businesses communicate with users at scale—but they're also a target for abuse.

Threat Insight
How Threat Actors Hijacked a Pandemic

Exploring two years of attacks and lures exploiting fear and uncertainty about COVID-19.

Go Deeper with our Premium Threat Info Service

Connect with threat analysts, understand threats with intelligence specific to your situation, and gain 24/7 visibility into the latest threat discoveries.

Threat Report
The Human Factor 2022

Drawing on insights and data from our products and researchers, the Human Factor tells the story of a year when cybersecurity jumped from the tech page to the front page. Our annual threat report explores user trends from our uniquely people-centric lens. See how vulnerabilities, attacks and privilege are transforming the threat landscape.

Threat Report
2022 State of the Phish

This year’s report dives deep into today’s threats—and how prepared users are to face them. Get a wealth of data, insight and advice based on knowledge assessments, self-reported cybersecurity habits and actual responses to simulated phishing emails.

About The Threat Research Team

Our threat researchers are responsible for tracking shifts in the cybersecurity landscape, identifying new attacks as they emerge, and monitoring how threat actor tactics, techniques and procedures change over time. The threats they detect and the signatures they write feed into our platforms and are keystones in a system that analyzes more than 2.6 billion emails, 49 billion URLs and 1.9 billion attachments every single day.

By studying what cyber criminals are doing now, our threat researchers are better able to anticipate what they’ll do next. Every day, their work keeps our customers protected—not just from today’s attacks, but tomorrow’s threats as they evolve.
