Featured Webinar

Bridging the Data Security Gap with DSPM
As data sprawls across SaaS, PaaS, IaaS, on-premises and hybrid environments, organizations face growing visibility gaps and mounting challenges in securing sensitive information. Oversharing, excessive privileges and abandoned data, combined with unchecked user and machine access, all contribute to an increased risk of data breaches and compliance violations. As fragmented security tools and growing AI initiatives overwhelm security teams, the financial and reputational impact of data breaches continues to rise.
Threat Hub Edition 112 - January 31st
Wed, January 31, 2024 12:00 PM UTC (UTC +00:00)
Looking ahead at trends for 2024 on our threat research blog and podcast. And all the latest news on the Five-Minute Forecast. This week on The Threat Hub: Selena Larson from the Proofpoint threat research team looks back at some of the most notable trends in the threat landscape during 2023 and explores what they could mean for the future of cybersecurity. From the rise of QR codes in phishing and malware campaigns, to the creative use of zero-day and N-day (publicly disclosed but not yet patched everywhere) vulnerabilities by both e-crime and APT actors, to the increasing sophistication of AI-powered tools and techniques, the threat landscape is always changing and evolving. In the blog post, Selena also discusses best practices and recommendations for defending against these threats, such as leveraging threat intelligence, sandboxing and community sharing. Or if you prefer your 2024 prognostications in podcast form, the Discarded team is back with episode two of their series on predicting cyber threats in 2024. This time, Selena and Crista are joined by Randy Pargman and Rich Gonzalez, who manage detections and Emerging Threats at Proofpoint. Topics covered include high-profile incidents such as the WinRAR, Citrix NetScaler ADC and ScreenConnect vulnerabilities, as well as a discussion about the role of public-private partnerships and international cooperation in enhancing cyberdefenses. And on this week's Five-Minute Forecast, 23andMe shares details of the data stolen in last year's breach, ransomware payments drop to a new low, and senior threat researcher Greg Lesnewich explains the inspiration behind the 100 days of YARA initiative.
Threat Hub Edition 110 - January 17th
Wed, January 17, 2024 12:00 PM UTC (UTC +00:00)
Cybersecurity stop of the month takes aim at MFA manipulation. And reviewing early moves on the 2024 threat landscape. This week on The Threat Hub: As more businesses adopt cloud-based platforms, cybercriminals are finding new ways to compromise them. One of the most powerful techniques at their disposal is multifactor authentication (MFA) manipulation. This is a post-delivery attack that allows bad actors to bypass existing MFA or insert their own MFA methods into cloud accounts they have already compromised. A recent blog post explains how this attack works and why it poses a significant threat to cloud security. MFA manipulation is often paired with techniques such as adversary-in-the-middle (AitM) attacks, in which the attacker proxies the login and intercepts the user's credentials and session cookie. Proofpoint recently detected and prevented a series of MFA manipulation attacks on a large real estate company, where the attackers used the "My Sign-Ins" app to add their own MFA methods to compromised Microsoft 365 accounts. This enabled them to authorize malicious third-party applications and maintain persistence even after their initial access was cut off. The blog post also offers some best practices to protect your cloud accounts from MFA manipulation, such as conducting regular audits of registered authentication methods, educating users, and using automated tools to monitor and remediate threats. And on this week's Five-Minute Forecast, CISA issues a high-severity alert over a SharePoint vulnerability, fake 401(k) statements are being used as lures in a credential phishing spree, and a January threat landscape overview from Selena Larson.
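The MFA manipulation pattern above (attacker signs in from an unfamiliar address, adds an MFA method, then consents to an app for persistence) is one a SOC can hunt for in identity audit logs. The following is an added detection sketch, not Proofpoint's code or tooling: it assumes Entra ID-style activity names ("Sign-in", "User registered security info", "Consent to application"), a flat record layout of time/user/activity/ip, and constructed sample events.

```python
"""Flag MFA-method registrations that do not fit a user's sign-in baseline.

Added example for the MFA manipulation pattern described above; it is not
Proofpoint's tooling. The record layout (time, user, activity, ip) and the
activity names are an assumption modelled loosely on Entra ID sign-in and
audit logs; the sample events are constructed for the demonstration.
"""
from datetime import datetime, timedelta, timezone

# Audit activity that adds or changes an MFA method (assumed name; adapt to
# your log source).
REGISTRATION_ACTIVITIES = {"User registered security info"}
# Post-registration actions that turn a new MFA method into persistence,
# e.g. authorising a third-party app as in the real estate case above.
FOLLOWUP_ACTIVITIES = {"Consent to application"}

# Constructed sample: alice signs in from one address for days, then a new
# address logs in, registers an MFA method and consents to an app within
# minutes; bob registers a method from an address he has used for a week.
SAMPLE_EVENTS = [
    {"time": "2024-01-03T09:00:00Z", "user": "bob@example.com", "activity": "Sign-in", "ip": "203.0.113.22"},
    {"time": "2024-01-08T08:02:00Z", "user": "alice@example.com", "activity": "Sign-in", "ip": "203.0.113.10"},
    {"time": "2024-01-09T08:05:00Z", "user": "alice@example.com", "activity": "Sign-in", "ip": "203.0.113.10"},
    {"time": "2024-01-10T09:00:00Z", "user": "bob@example.com", "activity": "Sign-in", "ip": "203.0.113.22"},
    {"time": "2024-01-10T09:12:00Z", "user": "bob@example.com", "activity": "User registered security info", "ip": "203.0.113.22"},
    {"time": "2024-01-10T21:40:00Z", "user": "alice@example.com", "activity": "Sign-in", "ip": "198.51.100.77"},
    {"time": "2024-01-10T21:43:00Z", "user": "alice@example.com", "activity": "User registered security info", "ip": "198.51.100.77"},
    {"time": "2024-01-10T21:50:00Z", "user": "alice@example.com", "activity": "Consent to application", "ip": "198.51.100.77"},
]


def _ts(value):
    """Parse the ISO-8601 'Z' timestamps used in the sample records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect_mfa_manipulation(events, baseline_days=30, min_age_hours=24, followup_minutes=60):
    """Return one alert per MFA registration made from an IP outside the user's baseline.

    The baseline is the set of addresses the user signed in from between
    baseline_days and min_age_hours before the registration. The minimum age
    matters: the attacker's own sign-in minutes earlier must not whitelist
    their address. A follow-up action from the same address within
    followup_minutes raises the severity to high.
    """
    ordered = sorted(events, key=lambda e: _ts(e["time"]))
    alerts = []
    for idx, event in enumerate(ordered):
        if event["activity"] not in REGISTRATION_ACTIVITIES:
            continue
        when = _ts(event["time"])
        window_start = when - timedelta(days=baseline_days)
        window_end = when - timedelta(hours=min_age_hours)
        baseline = {
            e["ip"] for e in ordered
            if e["user"] == event["user"] and e["activity"] == "Sign-in"
            and window_start <= _ts(e["time"]) <= window_end
        }
        if event["ip"] in baseline:
            continue
        alert = {"user": event["user"], "ip": event["ip"], "time": event["time"],
                 "severity": "medium", "followup": None}
        for later in ordered[idx + 1:]:
            if _ts(later["time"]) - when > timedelta(minutes=followup_minutes):
                break
            if (later["user"] == event["user"] and later["ip"] == event["ip"]
                    and later["activity"] in FOLLOWUP_ACTIVITIES):
                alert["severity"] = "high"
                alert["followup"] = later["activity"]
                break
        alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in detect_mfa_manipulation(SAMPLE_EVENTS):
        print(alert)
```

Run against the constructed events, only alice's registration is reported, and it is escalated to high because an app consent followed from the same address seven minutes later. The minimum-age guard on the baseline is the point worth keeping when adapting this to a real SIEM: without it, the attacker's own sign-in immediately before the registration would make the address look familiar.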
Threat Hub Edition 109 - January 10th
Wed, January 10, 2024 12:00 PM UTC (UTC +00:00)
The Discarded Podcast team shares predictions for 2024. And our researchers open a file on DarkGate malware. This week on The Threat Hub: We start the new year with a special episode of the Discarded podcast. Hosts Selena and Crista are joined by senior threat managers Daniel Blackford and Alexis Dorais-Joncas for a look back at the 2023 threat landscape, and a look forward at what defenders will be dealing with over the coming months. Predictions cover developments in the use of traffic-distribution systems, modular attack chains and the adoption of non-corporate infrastructure to evade detection. The team also looks at potential activity spikes ahead of this summer's Olympic Games in Paris. In the last weeks of December, our researchers published a blog post looking at trends related to DarkGate, a relatively new malware strain that rose to prominence during the summer and fall. Multiple cybercrime actors have used DarkGate, but a distinct cluster of activity caught the attention of our team. The cluster isn't currently attributed to a known threat actor, so it has been dubbed "BattleRoyale" for now. We're continuing to monitor BattleRoyale, which is notable for using both email and fake browser updates to deliver its payloads. Check out the full blog post for more details of our investigation, as well as a list of Emerging Threats signatures and IoCs. And on this week's Five-Minute Forecast, LockBit ransomware threatens to release sensitive medical data, crypto-draining scams soar on social media, and Selena Larson explains the significance of DarkGate and BattleRoyale.
Threat Hub Edition 108 - December 20th
Wed, December 20, 2023 12:00 PM UTC (UTC +00:00)
Conversational threats on the rise as smishing growth slows. And a look back at 2023 on our weekly podcast. This week on The Threat Hub: As we enter the final stretch of the holiday shopping season, "missed delivery" SMS phishing (smishing) messages remain a regular nuisance. But there's some good news. A new blog post reveals that over the past 18 months, smishing growth has slowed in many regions, becoming part of the landscape rather than a rising threat. However, while these malicious messages are now familiar to most, conversational threats are still on the rise, increasing over 300% in the past year. Pig butchering has grabbed a lot of headlines recently, including this week in the New York Times, but it isn't the only type of conversational attack. Impersonation attacks have become commonplace in some parts of the world. In the U.K., a favored tactic is pretending to be a family member with a lost or broken phone. A classic example of social engineering, this lure uses parental anxiety to bypass caution and increase the chance of engagement. Similar attacks have been reported in New Zealand, and the U.S. may not be far behind. And on this week's Five-Minute Forecast, authorities issue a warning about Play ransomware attacks on infrastructure, Qbot returns only months after law enforcement action, and senior threat research manager Daniel Blackford shares reflections on the 2023 threat landscape.
Threat Hub Edition 107 - December 13th
Wed, December 13, 2023 12:00 PM UTC (UTC +00:00)
Recruiters targeted with fake resumes by sophisticated attacker TA4557. And all the latest news on our podcast. This week on The Threat Hub: Our researchers uncover new activity by threat actor TA4557, targeting recruiters. TA4557 is a skilled, financially motivated attacker that our researchers have been monitoring since 2018. In this campaign, the group responds directly to real-world job listings. The initial email is benign, expressing interest in the role. If the recipient responds, the attack chain commences, ultimately leading to delivery of the more_eggs downloader. The campaign uses both URLs and attachments (PDF and Word) to deliver malware. In the case of the former, TA4557 includes a link to a bogus resume website. In one instance, the attacker did not include a link at all, but asked the recipient to type in the domain name of the sender's email address to access a portfolio. This was probably an attempt to evade automated detection of a suspicious URL in the message body. The bogus site uses filtering to qualify potential victims, sending unsuccessful visitors to a plain-text resume. Victims that pass the filter are shown a CAPTCHA, after which a ZIP file is downloaded containing an LNK shortcut that initiates the process to ultimately drop more_eggs on the victim's computer. Check out the full Security Brief for more details, plus a list of IoCs and Emerging Threats signatures. And on this week's Five-Minute Forecast, CISA warns of two attacks against U.S. government servers exploiting a known Adobe ColdFusion vulnerability on unpatched systems, Nissan investigates a cyberattack and potential data breach in Australia and New Zealand, and a preview of the next Discarded episode on APT group TA422 from Selena Larson.
Threat Hub Edition 106 - December 6th
Wed, December 6, 2023 12:00 PM UTC (UTC +00:00)
High-volume campaigns from APT attacker TA422 exploit a Microsoft Outlook vulnerability. And a seasonal threat update on our weekly podcast. This week on The Threat Hub: Our researchers dig into recent activity by TA422, an advanced persistent threat (APT) actor associated with Russian military intelligence. These phishing campaigns, conducted between March and November 2023, featured unusually high volumes of malicious email for an APT actor, involving as many as 10,000 messages. The attacks targeted a diverse range of industries, including the government, aerospace and technology sectors, and were notable for having a daily cadence during the late summer period. In these campaigns, TA422 made use of CVE-2023-23397, an elevation of privilege vulnerability in Microsoft Outlook. Messages contained an appointment attachment with a fake file extension to make it look like another file type, such as CSV, Word or Excel. If the appointment attachment was processed by a vulnerable version of Outlook, the victim's NTLM credentials (a Net-NTLMv2 hash) could be leaked to an attacker-controlled host. Over the eight-month period, TA422 evolved its tactics several times, using Mockbin and InfinityFree for redirection, and also exploiting a vulnerability in WinRAR. For a detailed technical analysis and a list of IoCs, check out the full blog post. And on this week's Five-Minute Forecast, U.S. authorities take action against North Korean cybercriminals, a TrickBot developer faces 35 years in prison after a guilty plea, and senior threat intelligence analyst Selena Larson shares an update on seasonal threats.
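Two observable properties of the TA422 lures above lend themselves to mail-gateway triage: the attachment claims one type by extension but is really an Outlook item (an OLE compound file), and the CVE-2023-23397 trigger is a UNC path that points Outlook at a remote host. The following is an added example, not Proofpoint's code or detection content. It does not parse the MSG structure; it checks the container magic against the declared extension and scans for UNC paths in UTF-16LE and 8-bit text. The sample attachment bytes are constructed for the demonstration and are not a real .msg file.

```python
"""Check an attachment's declared extension against its real container and
look for UNC paths inside it.

Added example for the TA422 tradecraft described above; not Proofpoint's
code. Triage only: it does not walk the OLE/MSG property streams. The
sample attachment below is constructed, not a real Outlook item.
"""
import os
import re

CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE Compound File (.msg, .doc, .xls)
MAGICS = {"cfb": CFB_MAGIC, "zip": b"PK\x03\x04", "pdf": b"%PDF"}

# Container each extension should carry; None means plain text is expected.
EXPECTED_CONTAINER = {
    ".csv": None, ".txt": None,
    ".docx": "zip", ".xlsx": "zip",
    ".doc": "cfb", ".xls": "cfb", ".msg": "cfb",
    ".pdf": "pdf",
}

# \\host\share\path: a reminder-sound path pointing at a remote host is how
# CVE-2023-23397 coerces the NTLM authentication, so any UNC path inside a
# mail item deserves a look.
UNC_RE = re.compile(r"\\\\[\w.\-]+(?:\\[\w.\-$]+)+")


def _container(data):
    for name, magic in MAGICS.items():
        if data.startswith(magic):
            return name
    return None


def find_unc_paths(data):
    """Return UNC paths found in the bytes.

    MSG string properties are UTF-16LE, so both byte alignments are decoded;
    a Latin-1 view catches 8-bit strings as well.
    """
    found = []
    views = [data.decode("utf-16-le", errors="ignore"),
             data[1:].decode("utf-16-le", errors="ignore"),
             data.decode("latin-1")]
    for text in views:
        for match in UNC_RE.findall(text):
            if match not in found:
                found.append(match)
    return found


def inspect_attachment(filename, data):
    """Return a triage verdict for one attachment (name plus raw bytes)."""
    ext = os.path.splitext(filename)[1].lower()
    container = _container(data)
    expected = EXPECTED_CONTAINER.get(ext, "unknown")
    mismatch = expected != "unknown" and container != expected
    unc_paths = find_unc_paths(data)
    return {
        "declared_ext": ext,
        "container": container,
        "ext_mismatch": mismatch,
        "unc_paths": unc_paths,
        "suspicious": mismatch or bool(unc_paths),
    }


# Constructed sample: CFB header, filler, then a UTF-16LE UNC path of the
# kind an exploit item carries in its reminder-sound property.
SAMPLE_ATTACHMENT = (
    CFB_MAGIC + b"\x00" * 24
    + "\\\\203.0.113.5\\sounds\\reminder.wav".encode("utf-16-le") + b"\x00\x00"
)

if __name__ == "__main__":
    print(inspect_attachment("Q3_report.csv", SAMPLE_ATTACHMENT))
    print(inspect_attachment("Q3_report.csv", b"date,amount\n2023-11-01,42\n"))
```

On the constructed sample the verdict carries both signals: a `.csv` name over a CFB container, and a UNC path to 203.0.113.5. A genuine `.msg` without a remote path is not flagged, which keeps ordinary calendar invitations out of the queue; patching Outlook and blocking outbound SMB/WebDAV to the internet remain the actual fixes, this check only tells you which messages to pull.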