DISCARDED: Tales From the Threat Research Trenches

Magic Packets & Stealth Backdoors: The Art of Detection Engineering

Tue, 14 Apr 2026 04:00:00 -0400

Hello to all our Cyber Daffodils! Host Selena Larson, and guest Host, Tim Kromphardt, sit down with Stuart Del Caliz, Senior Threat Detection Engineer at Proofpoint, to unpack the stealthy world of backdoors, malware detection, and the “secret signals” threat actors use to stay hidden.

From magic packets and port knocking to sophisticated backdoors like BPFdoor, Stuart shares how attackers design covert communication methods—and how defenders work to uncover them without overwhelming security teams with noise. The conversation blends deep technical insight with real-world analogies (think speakeasy knocks and undercover “internet cops”) to make complex detection strategies easier to understand.

You’ll also hear:

How detection engineers balance accuracy and performance when writing IDS/IPS signatures
Why some advanced malware can remain undetected for years—and whether we’re simply not seeing it
How historic leaks like Shadow Brokers still influence modern attack techniques
The role of “pattern matching” in identifying evolving malware behaviors
How file metadata and revoked certificates can reveal threats hiding in plain sight
Why community collaboration and feedback loops are critical to stronger detections

Whether you’re a security practitioner or deep in the trenches, this episode offers a closer look at the craft of detection engineering—and the constant challenge of writing high-fidelity detections against increasingly evasive threat techniques.

Resources Mentioned:

https://community.emergingthreats.net/

https://www.rapid7.com/blog/post/tr-bpfdoor-telecom-networks-sleeper-cells-threat-research-report/

https://www.wired.com/story/nsa-hacking-tools-stolen-hackers/

https://github.com/x0rz/EQGRP

For more information about Proofpoint, check out our website.

Subscribe & Follow:

Stay ahead of emerging threats, and subscribe! Happy hunting!

Regional Threats, Global Impact: A TA2725 Case Study

Thu, 26 Mar 2026 11:00:00 -0400

Send us fan mail!

Hello to all our Cyber Pals! Guest host Sarah Sabotka sits down with Senior Threat Researcher Jared Peck to unpack one of the most dynamic and persistent cybercrime groups operating today: TA2725, also known as “Grana.”

From its roots in Latin America to its global reach, TA2725 stands out for its adaptability—and its relentless pursuit of financial gain. Jared shares how the group evolved from a high-volume malware operator into a multifaceted threat actor running phishing, fraud, and malware campaigns simultaneously. The conversation dives into how Grana targets regions like Brazil and Mexico, why their tactics shift across geographies, and what makes their operations uniquely complex.

You’ll also hear:

How threat actors “graduate” to official TA designations (and why it’s a big win for researchers)
The impact of law enforcement disruptions on major malware operations like Grandoreiro
Why Latin America’s banking infrastructure shapes cybercrime tactics differently
The rise (and fall) of RMM tools in TA2725’s playbook
What clues reveal whether activity comes from one group—or an entire cybercrime “service” ecosystem

Whether you’re in cybersecurity or just curious about how modern cybercrime operates, this episode offers a fascinating look at a threat actor that refuses to stay in one lane—and what that means for organizations worldwide.

For more information about Proofpoint, check out our website.

Subscribe & Follow:

Stay ahead of emerging threats, and subscribe! Happy hunting!

TrustConnect RAT: Inside a Vibe-Coded Malware Ecosystem

Tue, 10 Mar 2026 04:00:00 -0400

Send us fan mail!

Hello to all our Cyber Pals! Host Selena Larson and co-host, Tim Kromphardt, chat with Tommy Madjar, Senior Threat Researcher from Proofpoint, to unpack one of the strangest malware investigations of the year: TrustConnect RAT.

What started as a seemingly legitimate remote management tool quickly unraveled into a bizarre, fast-evolving ecosystem of “vibe-coded” malware. TrustConnect masqueraded as a polished RMM platform—complete with fake testimonials, inflated customer counts, and even an extended validation (EV) code-signing certificate to appear trustworthy. But beneath the surface? Sloppy AI-generated web panels, exposed administrative pages, and a backend that literally labeled infected machines as “victims.”

Tommy walks through how the team discovered the malware, why attackers are increasingly building their own fake RMM platforms instead of abusing legitimate ones, and how the use of EV certificates helped the malware evade detection across security tools.

The conversation also dives into:

The explosion of legitimate RMM abuse in cybercrime
How AI-assisted “vibe coding” is lowering the barrier to entry for malware development
The surprising operational security failures that exposed both the malware author and their customers
Connections to past crimeware activity and possible ties to known actors
The rapid evolution of the “Connect” malware family, including newly spotted variants
How Proofpoint disrupted the operation by working with partners to revoke certificates and take down infrastructure

Along the way, the team explores a broader theme: what happens when threat actors move fast with AI—but don’t fully understand security fundamentals?

Resources Mentioned:

https://www.proofpoint.com/us/blog/threat-insight/dont-trustconnect-its-a-rat

For more information about Proofpoint, check out our website.

Subscribe & Follow:

Stay ahead of emerging threats, and subscribe! Happy hunting!

AI as a Tool, Not a Replacement: Malware Research in the Age of LLMs

Thu, 26 Feb 2026 04:00:00 -0500

Send us fan mail!

Hello to all our Cyber Pals! Host Selena Larson and co-host, Sarah Sabotka, chat with Kyle Cucci, and Dr. Chris Wakelin, Threat Researchers from Proofpoint. They unpack how artificial intelligence is shaping modern malware analysis and detection workflows.

The conversation explores how large language models are already embedded in day-to-day security operations—from accelerating rule creation and tooling development to helping analysts quickly interpret complex malware behavior.

Drawing on real-world examples from the team’s work, the episode highlights both the promise and the limitations of AI in cybersecurity. Chris and Kyle share how AI can streamline tedious reverse-engineering tasks, compare malware variants, and surface insights faster—while emphasizing the ongoing need for expert validation, thoughtful prompting, and a human-in-the-loop approach to ensure accuracy and reliability.

We also discuss:

Practical ways AI is used today to support malware reverse engineering and detection development
Prompting strategies that help reduce hallucinations and improve analysis outcomes
The role of MCP (model context protocol) and emerging agentic AI concepts in security tooling
Indicators and characteristics of AI-assisted malware development
Real-world examples of prompt injection attempts within malicious code
Whether AI-generated malware meaningfully changes defender workflows or primarily increases speed and scale
How defenders and threat actors alike are leveraging the same AI capabilities across the threat landscape

Ultimately, this episode offers a balanced look at AI’s growing influence in cybersecurity—showing how intelligent tools can amplify analyst effectiveness while reinforcing that expertise and critical thinking remain central to effective malware defense.

Snowball Learning: Getting Real About Cybersecurity Training

Tue, 10 Feb 2026 14:00:00 -0500

Send us fan mail!

Hello to all our Cyber Pals! Host Selena Larson and co-host, Sarah Sabotka, chat with Dr. Bob Hausmann, Lead Cognitive Scientist of Human Risk Management at Proofpoint. They have a timely conversation on whether cybersecurity training actually works and what it takes to make it effective.

They unpack why traditional annual training and phishing simulations often fall short, and how insights from cognitive psychology can help organizations design awareness programs that truly change behavior. Drawing on Dr. Bob’s recent research, the conversation explores just-in-time nudges, microlearning, and how understanding attention, memory, and emotion can make security guidance more actionable in the moments that matter most.

In this episode, they cover:

Why once-a-year security training shows little impact on real-world behavior
How just-in-time nudges work and where they fit into security awareness programs
The role of cognitive load, attention, and repetition in learning and memory
How amygdala hijack and emotional manipulation factor into phishing success
Why foundational knowledge is critical for nudges to be effective
The difference between education-driven nudges and punitive approaches to training
Practical ways organizations can design training that fits into everyday workflows

This episode offers a research-backed, human-centered look at security awareness—showing why better outcomes depend less on blaming users and more on designing training that works with the brain, not against it.

Resources Mentioned:

https://www.proofpoint.com/us/blog/security-awareness-training/cybersecurity-nudges-cautionary-tale

For more information about Proofpoint, check out our website.

Subscribe & Follow:

Stay ahead of emerging threats, and subscribe! Happy hunting!

Emerging Threats in 2026: Inside Proofpoint’s Detection Playbook

Thu, 29 Jan 2026 15:00:00 -0500

Send us fan mail!

Hello to all our Cyber Pals! Host Selena Larson and co-host, Tim Kromphardt, chat with Rich Gonzalez, Director of Emerging Threats at Proofpoint, to kick off 2026 with a behind-the-scenes look at how emerging threats are detected, tracked, and turned into real-world protections for defenders.

They explore what it really takes to keep pace with an always-on threat landscape, from rapid response to newly released proof-of-concepts, to why certain vulnerabilities like Log4j continue to dominate attacker activity years later. The conversation also digs into alert fatigue, the realities of SOC burnout, and where automation and AI can genuinely help versus where trust, accuracy, and human judgment still matter most.

In this episode, they cover:

How Proofpoint’s Emerging Threats team monitors global attacker behavior and delivers fast, high-confidence detections
What happens behind the scenes when a proof-of-concept drops (especially during holidays)
Why some CVEs remain “evergreen” targets and never truly go away
The balance between speed and accuracy in rule writing without overwhelming SOC teams
Where AI and machine learning are being used today to reduce tedious work and improve triage
The risks of over-automation, hallucinations, and untrusted intelligence in security workflows
What’s coming in 2026, including more frequent rule releases and more detection coverage

This episode offers a candid, practitioner-driven view of modern threat detection—highlighting why adaptability, transparency, and human expertise remain essential as defenders head into 2026.

Operation EndOfYear: New Malware, Popular Tactics, and Where AI Is Taking Us

Wed, 31 Dec 2025 04:00:00 -0500

Send us fan mail!

Hello to all our Cyber Elves! Host Selena Larson chats with Daniel Blackford, Vice President of Threat Research at Proofpoint, for an end-of-year look at how the cyber threat landscape evolved—and what defenders should be preparing for in 2026.

They reflect on how the second half of 2025 brought meaningful shifts in attacker behavior, with familiar techniques becoming more professionalized and new malware emerging alongside identity-focused attacks. The conversation also explores why attribution is getting harder, how law enforcement disruptions are reshaping cybercrime ecosystems, and where AI is genuinely helping defenders versus introducing new risks.

In this episode, they cover:

How attacker tactics “proliferated” in 2025 rather than fully reinvented
The return of new malware families alongside loaders and backdoors
Why identity, social engineering, and legitimate tools (RMMs, device code phishing) remain top attack vectors
The real-world impact of law enforcement takedowns like Operation Endgame
How shared tooling and services are blurring attribution across threat actors
Practical, no-hype perspectives on AI, machine learning, and defender workflows
What organizations should focus on now to stay resilient in 2026

This episode offers a grounded, experience-driven perspective on what actually mattered in 2025—and why strong fundamentals, layered defenses, and adaptability remain the best preparation for whatever comes next.

Resources Mentioned:

https://www.proofpoint.com/us/blog/threat-insight/remote-access-real-cargo-cybercriminals-targeting-trucking-and-logistics

https://www.proofpoint.com/us/blog/threat-insight/operation-endgame-quakes-rhadamanthys

https://www.proofpoint.com/us/blog/threat-insight/security-brief-venomrat-defanged

https://assets.recordedfuture.com/insikt-report-pdfs/2025/cta-ru-2025-1022.pdf

https://www.microsoft.com/en-us/research/wp-content/uploads/2025/01/lee_2025_ai_critical_thinking_survey.pdf

For more information about Proofpoint, check out our website.

Subscribe & Follow:

Stay ahead of emerging threats, and subscribe! Happy hunting!

Ho-Ho-Hold Up—Is That Message Real? Bad Santas Are Sending Seasonal Scams

Tue, 09 Dec 2025 04:00:00 -0500

Send us fan mail!

Happy Holidays to all our Cyber Pals!

Host Selena Larson, and co-guest ho-ho-ho hosts, Tim Kromphardt & Sarah Sabotka unwrap the surprising (and sometimes clever) ways cybercriminals use seasonal themes to trick both consumers and enterprises.

From fake party invites and too-good-to-be-true discounts to holiday-flavored malware and RMM delivery, the team breaks down how threat actors capitalize on increased spending, lower vigilance, and year-end business pressure. They share real examples—like “free Christmas tree” scams, fake travel itineraries, smishing campaigns, and even malware hidden behind a Christmas caroling invitation.

You’ll also hear:

🎁 Why holiday-themed lures work so well
🎁 How scammers tailor their tactics to shifting consumer behavior
🎁 The rise of SMS scams, malvertising, and SEO-poisoned shopping searches
🎁 What enterprises should watch for as employees mix work and personal activity
🎁 Why energy drinks are (shockingly) a hot commodity in cargo theft schemes
🎁 Practical tips to stay safe—whether you’re holiday shopping or closing year-end invoices

Before you head off for vacation, join us for a fun, insightful, and very festive breakdown of the seasonal threats that might be landing under your digital tree this year.

For more information about Proofpoint, check out our website.

Subscribe & Follow:

Stay ahead of emerging threats, and subscribe! Happy hunting!

From Toasters to Botnets: Securing Everyday IoT

Tue, 18 Nov 2025 10:00:00 -0500

Send us fan mail!

Hello to all our Cyber Squirrels!

Host Selena Larson, and guest host, Tim Kromphardt sit down with Tony Robinson — Senior Security Research Engineer and “rule magician” from Proofpoint’s Emerging Threats team. Tony shares the story behind IoT Hunter, an open-source tool he created to automate writing detection rules for Internet of Things (IoT) vulnerabilities.

From routers and smart cameras to industrial control systems, Tony breaks down how IoT Hunter helps researchers and defenders cover hundreds of CVEs — from long-forgotten exploits to newly discovered zero-days.

The trio dives into:

Why IoT devices remain a major attack vector for threat actors and botnets
What kinds of vulnerabilities IoT Hunter detects (and how it’s not AI)
The surprising persistence of outdated frameworks like Boa HTTPd
Real-world examples of IoT exploitation — from ransomware via smart cameras to botnets made of toasters
Practical steps anyone can take to secure home and small business devices

This episode uncovers the risks and realities behind our increasingly connected world — and how automation and community collaboration are helping defenders keep up.

Resources Mentioned:

community.emergingthreats.net

https://community.emergingthreats.net/t/iot-hunter-public-release/3024

https://community.emergingthreats.net/t/cybersecurity-awareness-month-iot-and-soho-devices/3095

For more information about Proofpoint, check out our website.

Subscribe & Follow:

Stay ahead of emerging threats, and subscribe! Happy hunting!

Elect More Hackers: Tech Skills for Real-World Change

Tue, 04 Nov 2025 15:00:00 -0500

Send us fan mail!

Hello to all our Cyber Squirrels! Can hackers make great public servants?

Host Selena Larson, and co-guest hosts, Sarah Sabotka and Tim Kromphardt sit down with Andrew Brandt, Founder and Executive Director of Elect More Hackers — a nonprofit on a mission to get more cybersecurity and tech-minded thinkers into elected office.

Together, they explore how hackers and technologists can bring their problem-solving mindset into civic life — from teaching digital safety at local libraries to advising lawmakers on cyber hygiene, data privacy, and AI policy. Andrew unpacks why infosec professionals are uniquely equipped to tackle systemic issues like the “enshittification” of online platforms, the right-to-repair movement, and the privacy nightmare of “smart” cars.

The conversation dives into the surprising cybersecurity gaps in government, how social engineering and lobbying overlap, and why civic engagement shouldn’t stop at voting. You’ll also hear how even small acts — like community outreach or helping shape local school tech policies — can lead to smarter, safer public systems.

Whether you’re a hacker or a policy nerd this episode will inspire you to plug in locally, build trust, and maybe even run for office yourself.

🎙️ Tune in to learn:

Why hackers and technologists make great problem-solvers in politics
How policies like right-to-repair and data privacy affect everyone
Practical ways cybersecurity professionals can engage civically — even without running for office

Think civic engagement isn’t for you? Think again — this conversation shows how even small actions from tech-minded thinkers can create big change.

Resources Mentioned:

🔗 Learn more: electmorehackers.com

For more information about Proofpoint, check out our website.

Subscribe & Follow:

Stay ahead of emerging threats, and subscribe! Happy hunting!

From Web Injects to Info Stealers: How Cybercriminals Stay Ahead

Tue, 21 Oct 2025 14:00:00 -0400

Send us fan mail!

Hello to all our Cyber Sleuths! Host Selena Larson, and guest host, Sarah Sabotka take you behind the scenes of the ever-changing world of cybercrime—where attackers innovate, scams evolve, and staying one step ahead is a constant challenge.

From remote monitoring and management (RMM) abuse to adversary-in-the-middle (AiTM) phishing, web injects, flashy malware lures, and the latest wave of information stealers, we unpack the tactics, techniques, and procedures shaping today’s threat landscape.

We talk about:

Why attackers are leaning on RMM tools and what you can do to defend yourself or your organization.
How MFA-aware phishing kits are evolving and ways to stay secure.
New information stealers emerging in the wake of law enforcement disruptions.
The role Reddit can play in helping spot real-world scams.
The human side of cyber crime, from fraud and job scams to societal pressures driving people into schemes.
The exponential growth of web injects and unique social engineering
The cunning tactics of threat actors like TA582

Along the way, we share practical tips for staying safe online—closing suspicious tabs, using MFA, blocking unsolicited links, and even taking mindful breaks from the digital world.

This episode helps you understand the chaos of the digital underworld and stay one step ahead—without throwing your phone into the woods.

Resources Mentioned:

https://www.proofpoint.com/us/blog/threat-insight/remote-monitoring-and-management-rmm-tooling-increasingly-attackers-first-choice

https://www.proofpoint.com/us/blog/threat-insight/when-monster-bytes-tracking-ta585-and-its-arsenal

https://www.proofpoint.com/us/blog/threat-insight/amatera-stealer-rebranded-acr-stealer-improved-evasion-sophistication

https://www.ftc.gov/system/files/ftc_gov/pdf/csn-annual-data-book-2024.pdf

For more information about Proofpoint, check out our website.

Subscribe & Follow:

Stay ahead of emerging threats, and subscribe! Happy hunting!

When Being Aware of Cybersecurity Means Knowing You're Human

Wed, 08 Oct 2025 13:00:00 -0400

Send us fan mail!

Hello to all our Pumpkin Spice Cyber Friends! It’s Cybersecurity Awareness Month — and what better way to kick it off than with a deep dive into the human side of cyber threats? In this episode host Selena Larson welcomes back guest and part-time co-host Sarah Sabotka, our “Cybersecurity Awareness Month Queen” and Staff Threat Researcher at Proofpoint. She joins us to break down why social engineering is at the heart of so many attacks.

We take a closer look at how scams and social engineering tactics are growing more sophisticated—and how the real battleground isn’t just your inbox, it’s your brain. Our guest explains “amygdala hijacking,” the psychological manipulation behind scams, and why recognizing your emotional responses during suspicious interactions can be just as important as spotting technical red flags.

We also focus on protecting some of the most vulnerable—seniors and young digital natives—highlighting community education programs, interactive teen cybersecurity trainings, and strategies for safe social media use, password hygiene, and multi-factor authentication.

We also talk about:

Why Awareness Month feels different this year and how communicators are packaging complex threat research for real people.
The neuroscience behind social engineering (shoutout to Dr. Bob, Proofpoint’s lead cognitive scientist) and a simple, powerful takeaway: trust your gut.
Concrete examples: ClickFix scams, deepfakes used against small businesses, LLM-enabled phishing, benign-conversation lures (smishing & job scams), and multi-step attacks that prime victims over time.
Practical steps to protect yourself and your org — safe words, pause-and-check habits, and why peer stories beat scary slides.

Tune in and learn how to build better cyber awareness for everyone in your life—because cybersecurity isn’t just for IT teams, it’s for all of us.

Resources Mentioned:

https://www.proofpoint.com/us/resources/threat-reports/human-factor-social-engineering

https://www.proofpoint.com/us/blog/security-awareness-training

https://www.proofpoint.com/us/blog/threat-insight/best-laid-plans-ta453-targets-religious-figure-fake-podcast-invite-delivering

https://www.clickorlando.com/news/local/2025/02/19/central-florida-wildlife-rescue-falls-victim-to-podcast-scam-warns-others/

https://abc7.com/post/scam-texts-targeting-people-looking-jobs-are-rise-ftc-warns/17838427/

https://www.cbc.ca/news/marketplace/sextortion-teen-boys-canada-1.7648267

https://www.consumerreports.org/media-room/press-releases/2025/10/consumer-reports-study-finds-surge-in-texting-and-messaging-scams

For more information about Proofpoint, check out our website.

Subscribe & Follow:

Stay ahead of emerging threats, and subscribe! Happy hunting!

Hot sauce and hot takes: An Only Malware in the Building special

Tue, 23 Sep 2025 14:00:00 -0400

Send us fan mail!

Welcome in! You’ve entered, Only Malware in the Building — but this time, it’s not just another episode. This is a special edition you won’t want to miss.

For the first time, our hosts are together in-studio — and they’re turning up the heat. Literally. Join ⁠⁠⁠⁠⁠⁠Selena Larson⁠⁠⁠⁠⁠⁠, ⁠⁠⁠⁠⁠⁠Proofpoint⁠⁠⁠⁠⁠⁠ intelligence analyst and host of their podcast ⁠⁠⁠⁠⁠⁠DISCARDED⁠, along with ⁠⁠⁠⁠⁠⁠N2K Networks⁠⁠⁠⁠⁠⁠ ⁠⁠⁠⁠⁠⁠Dave Bittner⁠⁠⁠⁠⁠⁠ and ⁠⁠⁠⁠⁠Keith Mularski⁠⁠⁠⁠⁠, former FBI cybercrime investigator and now Chief Global Ambassador at ⁠⁠⁠⁠⁠Qintel⁠⁠⁠⁠⁠⁠⁠⁠⁠, as they take on a fiery hot wings challenge while answering personal questions about themselves, their careers, and the stories that shaped them. Think you’ve seen them tackle malware mysteries before? Wait until you see them sweat.

This one’s too good for audio alone — you’ll want to watch the full ⁠video⁠ edition to catch every spicy reaction, every laugh, and maybe even a few tears.

So grab your milk, get ready to feel the burn, and come join us for this special hot take on Only Malware in the Building.

Freighty Cats: RFQ Phishing Comes to A Warehouse Near You

Tue, 09 Sep 2025 04:00:00 -0400

Send us fan mail!

Hello to all our Cyber Stars! In this episode host Selena Larson welcomes back guest and part-time co-host Tim Kromphardt, fresh from DEFCON, to explore the world of request-for-quote (RFQ) fraud—a growing scam targeting small- to medium-sized businesses with fake purchase requests and net financing schemes.

Tim explains how cybercriminals exploit legitimate business practices to steal physical goods like networking tools, surveillance equipment, and medical devices. Using stolen business credentials, fake domains, and freight forwarding services, these scams combine social engineering with real-world theft. He shares firsthand stories of engaging with scammers directly, taking down fraudulent domains in real time, and even halting shipments in transit.

Selena and Tim break down how these schemes operate, the sophistication of scammers and why smaller, specialized companies are often targeted. They also provide practical tips for spotting and avoiding these scams, from verifying domains and emails to independently confirming contacts and addresses.

Resources Mentioned:

https://www.proofpoint.com/us/blog/threat-insight/net-rfq-request-quote-scammers-casting-wide-net-steal-real-goods

For more information about Proofpoint, check out our website.

Subscribe & Follow:

Stay ahead of emerging threats, and subscribe! Happy hunting!

Direct Send Exploitation & URL Rewrite Attacks: What Security Teams Must Know

Tue, 26 Aug 2025 04:00:00 -0400

Send us fan mail!

Hello to all our Cyber Squirrels! In this extra-packed episode of Discarded, host Selena Larson welcomes Proofpoint Principal Research Engineer Jason Ford for his first appearance on the show. Together, they dive into two resurging email attack techniques—Microsoft 365 Direct Send abuse and URL rewrite abuse—and why defending against them requires more than just traditional email security.

Jason explains what Direct Send is, why attackers exploit this legacy feature, and how it enables phishing campaigns that appear to originate from inside an organization. From QR code phishing kits to “to-do list” themed lures, Selena and Jason break down attack chains, share real-world examples, and highlight the red flags that indicate exploitation. They also explore how adversaries weaponize URL rewrites in redirect chains, to deliver malware and credential phishing.

We also unpack:

How Direct Send works under the hood and why legacy features are a prime target
Common signs in email headers that reveal Direct Send abuse
The role of URL rewrites in modern phishing campaigns
Why credential phishing has overtaken malware as the go-to tactic
Practical steps organizations can take—including when it makes sense to disable Direct Send
The importance of layered defenses, user education, and risk awareness across SaaS apps
Predictions on which “old school” techniques might resurface next

This episode offers a clear, actionable look at how threat actors adapt and why everything old in cybercrime eventually becomes new again.

Resources Mentioned:

https://www.proofpoint.com/us/blog/email-and-cloud-threats/attackers-abuse-m365-for-internal-phishing

http://www.jasonsford.com

https://github.com/jasonsford/directsendanalyzer

For more information about Proofpoint, check out our website.

Subscribe & Follow:

Stay ahead of emerging threats, and subscribe! Happy hunting!

Phish, Chips & Voldemort: Inside China’s Cyber Targeting of Taiwan

Tue, 12 Aug 2025 04:00:00 -0400

Send us fan mail!

Hello to all our Cyber Panda Bears! In this extra-packed episode of Discarded, host Selena Larson and guest host, Sarah Sabotka reunite with Staff Threat Researcher Mark Kelly to dive deep into China-aligned espionage activity—this time with a focus on Taiwan’s semiconductor ecosystem and the strange, stealthy tools threat actors are using to get in.

Mark walks us through Proofpoint’s latest research on custom malware (yes, “Voldemort” is back), threat clusters with pun-filled names like UNK_SparkyCarp and UNK_DropPitch, and why Taiwan’s chip industry has become such a hot target. From design and manufacturing to financial analysts and supply chains, Chinese state-aligned actors are getting more creative—and more persistent.

We also unpack:

The “Phish & Chips” campaign and how it fits into China’s broader geopolitical strategy
Why pop culture references like Voldemort and Mr. Robot keep showing up in espionage infrastructure
Attribution headaches, including Proofpoint’s tracking of multiple unattributed threat clusters with UNK designators
How AI, LLMs, and adversary-in-the-middle phishing are influencing espionage tactics
The use of RMM tools and spoofed MacOS folders for stealth
Why basic backdoors are making a strategic comeback
A threat intel team’s deep love for vegetables, puns, and report titles

Whether you're tracking state-sponsored cyber activity, curious about weird malware names, or just here for the expert banter, this episode has you covered.

Resources Mentioned:

Phish & Chips: Chinese Espionage Activity Targeting Taiwan's Semiconductor Ecosystem

For more information about Proofpoint, check out our website.

Subscribe & Follow:

Stay ahead of emerging threats, and subscribe! Happy hunting!

Threat Actor Theater: TA2541, TA558, and the Cyber Heist Crew TA582

Tue, 29 Jul 2025 04:00:00 -0400

Send us fan mail!

Hello to all our cyber pals! In this episode of Discarded, host Selena Larson and co-host, Tim Kromphardt, are joined by Joe Wise, Senior Threat Researcher at Proofpoint for a deep dive into the chaotic brilliance of mid-tier eCrime actors—including the elusive TA582.

We explore recent activity from TA2541 and TA558—two groups known for their uncanny consistency and precision targeting—before shifting focus to TA582: a standout in today’s threat landscape. TA582’s multilayered, region-specific lures (think vintage car sales and fake speeding tickets) and complex delivery models are impressive compared to your typical cybercriminal.

Topics Include:

🔍 What you’ll hear:

How TA2541 and TA558 maintain eerily consistent lures and targeting year after year
The regional flavor behind lures in Latin America and Europe—especially during tax season
Why TA582 feels like a digital jigsaw puzzle, with simultaneous email, web inject, and compromised site vectors
A breakdown of TA582’s evolving payloads, from GhostWeaver to Interlock RAT
The surprising links between threat actor collaboration, initial access brokers, and shifting loader trends
How weird or silly variable names can enable threat actor tracking
And yes—13 URLs that needs the Tron soundtrack playing in the background to explore

For more information about Proofpoint, check out our website.

Subscribe & Follow:

Stay ahead of emerging threats, and subscribe! Happy hunting!

10 Things I Hate About Attribution: A Clustering Conundrum

Tue, 15 Jul 2025 04:00:00 -0400

Send us fan mail!

Hello to all our cyber detectives and pedantic CTI friends! In this episode of Discarded, host Selena Larson is joined by Greg Lesnewich, Staff Threat Researcher at Proofpoint for a behind-the-scenes look at one of the most frustratingly fascinating attribution cases yet.

What begins as a lighthearted rant: “10 Things I Hate About Attribution,” quickly turns into a deep dive into the murky overlap between TA829 (aka RomCom), TA289, and the elusive GreenSec cluster. From TransferLoader and malware panels to REM proxy infrastructure and attack chain similarities, Greg and Selena dissect the breadcrumb trail that led to a 25-page blog, a mountain of malware chains (Dusty Hammock? Single Camper?), and an attribution headache.

Topics Include:

TA829 (aka RomCom) and the elusive GreenSec cluster: What’s the difference?
Vertical targeting overlap (and divergence)
Malware breakdown: TransferLoader vs. RomCom and related malware
Use of REM proxy and rebrand.ly infrastructure
Attribution logic and the perils of shared tooling
Bonus: Existential mysteries and karaoke mic commentary

The attribution game isn’t always about getting it right—it’s about asking better questions. Join us in the mess, and keep connecting the dots.

For more information about Proofpoint, check out our website.

Subscribe & Follow:

Stay ahead of emerging threats, and subscribe! Happy hunting!

Comic Sans and Cybercrime: Inside North Korea’s Global Cyber Playbook

Tue, 01 Jul 2025 04:00:00 -0400

Send us fan mail!

Hello to all our Cyber Pals! In this episode of Discarded, host Selena Larson and co-host Sara Sabotka are joined by Saher Naumaan and Greg Lesnewich, teammates on the espionage threat research team at Proofpoint to unravel the multifaceted—and often bizarre—world of North Korean cyber operations.

The team explores:

What sets DPRK’s threat actors apart from other nation-state groups
A closer look at North Korea’s cyber and physical support for Russia in Ukraine
How cyber activity plays a central role in North Korea’s national strategy—not just a supporting one
The phishing-heavy tactics of groups like TA427 (“Old Reliable”) and the emergence of oddball clusters like “Contagious Interview” and “UNK RageQuit”
How North Korean actors blur the lines between espionage and financially motivated cybercrime
The murky world of North Korean IT workers infiltrating global tech companies under false identities—raising critical questions about workplace exposure, ethics, and potential defections
The surprising ways some of these operatives sabotage themselves, including infections with common malware that expose their digital behavior
And yes, a Microsoft spoofing campaign actually using Comic Sans

North Korean cyber activity is evolving fast and they explain why it deserves far more attention than it gets.

Resources Mentioned:

https://www.proofpoint.com/us/blog/threat-insight/ta406-pivots-front

https://spycloud.com/blog/spycloud-march-cybercrime-update/

https://www.proofpoint.com/sites/default/files/threat-reports/pfpt-us-tr-threat-insight-paper-triple-threat-N-Korea-aligned-TA406-steals-scams-spies.pdf

For more information about Proofpoint, check out our website.

Subscribe & Follow:

Stay ahead of emerging threats, and subscribe! Happy hunting!

Signatures and Surprises: Inside the Emerging Threats Team

Wed, 18 Jun 2025 04:00:00 -0400

Send us fan mail!

Hello to all our Cyber Masked Vigilantes! In this episode of Discarded, host Selena Larson and co-host Tim Kromhardt are joined by James Emery-Callcott, a Security Researcher on Proofpoint’s Emerging Threats team, for an insider’s look at the technical, tactical, and collaborative forces shaping modern network detection.

James takes us behind the curtain of rule writing, CVE coverage, and malware detection, breaking down how signatures are developed, validated, and deployed to protect against a constantly shifting threat landscape. From the fading heyday of exploit kits to the rise of infostealers and ClickFix, we explore how detections evolve—and why the most persistent threats often hinge on the fundamentals of networking.

You’ll also hear how the team maps detection rules to frameworks like MITRE ATT&CK and CISA KEV, using metadata tags to reduce alert fatigue and prioritize real-world risks. James shares why this kind of tagging isn’t just technical polish—it’s operational gold.

But detection doesn’t happen in a vacuum. James explains how the community—through Discord chats, support tickets, and collaborative research—plays a vital role in surfacing false positives, sharing POCs, and suggesting metadata improvements.

Bonus highlights include:

Why writing reliable detection rules is still too nuanced for AI
The anatomy of a CVE rollout (and the surprising role of an Xbox controller)
Signature performance testing and hardware challenges
Why older vulnerabilities still matter
A sneak peek at a free Suricata training series in the works

Whether it’s a shoutout to Tony for pushing tagging innovation or a nod to students eager to get started, the message is clear: everyone can contribute to better detection.

Resources Mentioned:

CrazyHunter: https://www.trendmicro.com/en_us/research/25/d/crazyhunter-campaign.html

https://www.proofpoint.com/us/blog/threat-insight/emerging-threats-updates-improve-metadata-including-mitre-attck-tags

For more information about Proofpoint, check out our website.

Subscribe & Follow:

Stay ahead of emerging threats, and subscribe! Happy hunting!

DBIR Deep Dive: Identity, Access, and the Expanding Attack Surface

Wed, 04 Jun 2025 15:00:00 -0400

Send us fan mail!

Hello to all our Cyber Stars! Join host Selena Larson, and guest host, Sarah Sabotka, as they sit down with Alex Pinto, Associate Director of Threat Intelligence at Verizon Business and the lead author behind the industry-defining Verizon Data Breach Investigations Report (DBIR). Together, they unpack the most pressing findings from the brand new VZDBIR, offering a behind-the-scenes look at how the reports are built—and what they reveal about today’s rapidly evolving threat landscape.

Alex shares how the editorial strategy behind the DBIR helps translate raw data from 100+ contributors into actionable insights and compelling narratives.

The conversation dives into:

The surge in zero-day vulnerabilities and growing threats tied to network edge devices
Why third-party risk is skyrocketing, and what that means for vendor relationships
How ransomware groups are maturing and reinvesting like modern businesses
The alarming rise of credential abuse via MFA-bypassing phishing kits and information stealers
Why identity is now the primary target—and how defenders can introduce friction without killing usability
The limitations of current threat categorization and whether full attack chain visualizations should be next

Whether you're here for the acronyms, the insights, or just want to win at cyber threat bingo, this episode is a must-listen for anyone navigating the modern security landscape.

🎧 Tune in to hear why “DBIR Day” matters—and how this year’s findings may be more personal than ever.

Resources Mentioned:

https://www.verizon.com/business/resources/reports/dbir/

For more information about Proofpoint, check out our website.

The ClickFix Convergence: How Threat Actors Blur the Lines

Wed, 14 May 2025 12:00:00 -0400

Send us fan mail!

Hello to all our Cyber Spring Chickens! Join host Selena Larson, and guest host, Sarah Sabotka, as they chat with Saher Naumaan, Senior Threat Researcher at Proofpoint, for a deep dive into how modern espionage and cybercrime are increasingly blurring lines.

At the center of the conversation is ClickFix—a fast-evolving social engineering technique originally used by cybercriminals but now adopted by espionage actors across at least three countries in just 90 days.

We explore:

how threat actors are borrowing each other’s tactics, techniques, and procedures (TTPs), creating “muddled attribution” as espionage groups mimic high-volume e-crime methods
how these techniques are being tailored to target high-value, often non-technical individuals
what defenders can do in the face of increasingly sophisticated psychological attacks

Resources Mentioned:

https://www.proofpoint.com/us/blog/threat-insight/around-world-90-days-state-sponsored-actors-try-clickfix

https://www.proofpoint.com/us/blog/threat-insight/security-brief-clickfix-social-engineering-technique-floods-threat-landscape

https://www.volexity.com/blog/2025/02/13/multiple-russian-threat-actors-targeting-microsoft-device-code-authentication/

For more information about Proofpoint, check out our website.

Subscribe & Follow:

Stay ahead of emerging threats, and subscribe! Happy hunting!

The Art of the Innocent Ask: How Threat Actors Use Benign Conversations

Tue, 29 Apr 2025 04:00:00 -0400

Send us fan mail!

Hello to all our Cyber Spring Chickens! Join host Selena Larson and guest hosts, Tim Kromphardt and Sarah Sabotka, both Senior Threat Researchers at Proofpoint.

These top sleuths crack open Proofpoint’s new Human Factor series and explore one of the most deceptively dangerous tactics in a threat actor’s playbook: the benign conversation.

What exactly is a benign conversation—and why is it anything but harmless? Whether it’s a simple “Do you have a minute?” or a seemingly legit job offer, these messages are often the opening moves in complex social engineering attacks used for fraud, malware delivery, and even nation-state espionage.

The team dives into:

The top five fraud-related benign conversation themes, including the rise of advanced fee fraud
Real-world examples of job scams, gift card requests, and a Taylor Swift-themed lure
The difference between financially motivated lures and espionage-style social engineering
How Iranian and North Korean threat actors are perfecting the art of trust-building through impersonation and tailored messages
TOAD scams (Telephone-Oriented Attack Delivery) and the power of fear and urgency
The critical role of spoofing in making these attacks believable
The human toll and psychological manipulation behind scams like pig butchering—and why acknowledging the abuse behind them matters

From hijacked contact forms and fake antivirus invoices to AI-generated phone calls and scam compounds, this episode blends serious security insight with Friday vibes and candid discussion.

Whether you're a seasoned threat analyst or just here for the “lure-palooza,” you’ll walk away with a sharper eye for red flags—and a deeper understanding of the evolving cyber threat landscape.

Resources Mentioned:

🔍 [Read the full report] https://www.proofpoint.com/us/resources/threat-reports/human-factor-social-engineering

For more information about Proofpoint, check out our website.

Subscribe & Follow:

Stay ahead of emerging threats, and subscribe! Happy hunting!

Diving Into Cyber Journalism: FOIA, Fraud, and the Fight Against Online Threats

Wed, 09 Apr 2025 09:00:00 -0400

Send us fan mail!

Hello to all our Cyber Cherry Blossoms! Join host Selena Larson and guest host, Tim Kromphardt, a Senior Threat Researcher, as they chat with Andrew Couts, Senior Editor, Security and Investigations at WIRED.

Andrew shares insights into his work overseeing cybersecurity coverage and investigative reporting, collaborating with newsrooms, and uncovering the hidden threats lurking in the digital world.

We dive into how cybersecurity and privacy reporting has evolved, the growing risks posed by data collection and surveillance, and the challenges of informing the public around security experimentation.

We also discuss:

Recent investigations on ad tech, police drone surveillance, and the unintended consequences of data tracking
The rise of "pig butchering" scams and the difficulties in shutting them down
How the Freedom of Information Act (FOIA) serves as a powerful tool for uncovering hidden government actions
The real-world dangers journalists face when reporting on cybercriminals—such as swatting and online retaliation
The double-edged sword of privacy—how encryption and digital anonymity can both protect individuals and make it harder to track cybercriminals

Join us for a fascinating deep dive into the world of digital security, investigative journalism, and the real-life implications of living in an era where our data is constantly at risk.

Resources Mentioned:

Leveling Up Your Cybersecurity–WIRED Guide

https://www.wired.com/story/phone-data-us-soldiers-spies-nuclear-germany/

https://www.wired.com/story/the-age-of-the-drone-police-is-here/

https://www.wired.com/story/starlink-scam-compounds/

https://www.wired.com/story/alan-filion-torswats-swatting-arrest/

https://www.wired.com/story/no-lives-matter-764-violence/ (Content warning: self-harm, violence)

https://www.wired.com/story/the-wired-guide-to-protecting-yourself-from-government-surveillance/

https://www.wired.com/story/how-to-take-photos-at-protests/

For more information about Proofpoint, check out our website.

Subscribe & Follow:

Stay ahead of emerging threats, and subscribe! Happy

RMM Tools: The New Cybercrime Trick?

Tue, 25 Mar 2025 04:00:00 -0400

Send us fan mail!

Hello to all our Remote Cyber Pals! Join host Selena Larson and guest host, Tim Kromphardt, a Senior Threat Researcher, as they chat with Staff Threat Researcher, Ole Villadsen, from Proofpoint. They explore the broader shift from traditional malware to commercially available tools that fly under the radar and how cybercriminals are increasingly abusing Remote Monitoring and Management (RMM) tools (sometimes called Remote Access Software) to gain initial access in email-based attacks.

Topics Covered:

The growing use of such tools like ScreenConnect, Atera, and NetSupport in cyberattacks
How threat actors are shifting from traditional malware loaders to commercially available tools
TA583’s adoption of RMM tools as a primary attack method
The role of social engineering in phishing lures, including Social Security scams
The impact of cybersecurity influencers and scam-baiting YouTubers on threat awareness
The ongoing arms race between cybercriminals and defenders

From stealthy intrusions to shifting cybercrime trends, this conversation uncovers the critical threats organizations face in 2025.

Resources Mentioned:

https://www.proofpoint.com/us/blog/threat-insight/remote-monitoring-and-management-rmm-tooling-increasingly-attackers-first-choice

For more information about Proofpoint, check out our website.

Subscribe & Follow:

Stay ahead of emerging threats, and subscribe! Happy hunting!

Your Best Defense against Social Engineering: The Gray-Matter Firewall

Tue, 11 Mar 2025 04:00:00 -0400

Send us fan mail!

Hello to all our Cyber Pals! Join host Selena Larson and guest hosts, Sarah Sabotka and Tim Kromphardt, both Senior Threat Researchers from Proofpoint, as they dive into the realities of current social engineering schemes —especially during high-risk times like tax season. Cybercriminals exploit fear, urgency, and excitement to manipulate victims, from IRS impersonation scams and fraudulent tax payment requests to deepfake cons and TikTok frauds.

Our hosts dive into real-world examples, including:

tax-themed phishing attacks
tech support scams targeting the elderly
job scams leveraging Taylor Swift’s tour

They explore how AI is reshaping fraud tactics, why scammers still rely on outdated schemes like overseas financial windfalls, and how platforms like WhatsApp and Telegram play a role in modern cybercrime.

Tune in to learn how these scams work, why they succeed, and—most importantly—how you can protect yourself. Check out our show notes for additional resources, and don’t forget to share this episode with friends and colleagues!

For more information about Proofpoint, check out our website.

Subscribe & Follow:

Stay ahead of emerging threats, and subscribe! Happy hunting!

Hiding in Plain Sight: How Defenders Get Creative with Image Detection

Tue, 25 Feb 2025 04:00:00 -0500

Send us fan mail!

Hello to all our Cyber Pals! Join host Selena Larson and guest host, Sarah Sabotka, as they speak with Kyle Eaton, Senior Security Research Engineer at Proofpoint.

They explore the evolving world of image-based threat detection and the deceptive tactics cybercriminals use to evade defenses. From image lures embedded in emails, PDFs, and Office documents to the surprising ways attackers reuse visuals across campaigns, this conversation break down how detection engineering is adapting to counter new threats.

There is also examination of how AI is shaping both cyber deception and detection, raising the question of how generative AI is influencing image-based security.

Listeners will gain insights into real-world detection successes, persistent threats like TA505 and Emotet, and the role of instincts in cybersecurity—because, as Selena notes, sometimes good detection is all about the vibes.

Key Topics Covered:

Characteristics of Image-Based Threats
Groups like TA505 and Emotet historically using recognizable image lures
OneNote-Based Malware Detection (2023) & the Challenges with OneNote
Shift to PDF-Based Threats
PDF Object Hashing for Attribution & Detection
Image-Based Threat Detection Insights
Generative AI’s Impact on Image-Based Threats

Join us as we uncover real-world detection wins, explore persistent threats like TA505 and Emotet, and dive into the importance of instincts in cybersecurity—because, as our guest puts it, sometimes good detection is all about the vibes.

Resources mentioned:

https://github.com/target/halogen

https://www.proofpoint.com/us/blog/threat-insight/onenote-documents-increasingly-used-to-deliver-malware

For more information about Proofpoint, check out our website.

Subscribe & Follow:

Don't miss out on future episodes—subscribe to the Discarded Podcast on your favorite platform.

Cyber Groundhog Day and romance scams, featuring Only Malware in the Building

Wed, 05 Feb 2025 10:00:00 -0500

Send us fan mail!

Hey Cyber Pals! This week we are doing a very special spotlight on a recent episode from Only Malware in the Building. Our very own, Selena Larson, also co-hosts on this fabulous podcast.

Be sure to check it out and enjoy!

Find more OMIB: https://thecyberwire.com/podcasts/only-malware-in-the-building/9/notes

—------------------------------------------------

Welcome in! You’ve entered, Only Malware in the Building. Join us each month to sip tea and solve mysteries about today’s most interesting threats. Your host is Selena Larson, Proofpoint intelligence analyst and host of their podcast DISCARDED. Inspired by the residents of a building in New York’s exclusive upper west side, Selena is joined by N2K Networks Dave Bittner and Rick Howard to uncover the stories behind notable cyberattacks.

Being a security researcher is a bit like being a detective: you gather clues, analyze the evidence, and consult the experts to solve the cyber puzzle. On this episode and since it is February (the month of love as Selena calls it), we talk about romance scams known throughout the security world as pig butchering. And, Rick's experiencing a bit of a Cyber Groundhog Day in his newly-realized retirement.

The Power of Partnerships: An Interview with the NSA’s Kristina Walter

Wed, 22 Jan 2025 12:15:29 -0500

Send us fan mail!

Hello to all our Cyber Magicians! Join host Selena Larson and guest host, Joshua Miller, as they speak with Kristina Walter, the Chief of NSA’s Cybersecurity Collaboration Center. They explore the cutting-edge collaborations between the NSA and industry partners to combat cyber threats, with a deep dive into the NSA’s Cybersecurity Collaboration Center (Triple C).

Kristina sheds light on the growing awareness around cyber hygiene, the importance of collective defense, and the role of partnerships between government and private sectors in tackling malicious activity. She also offers practical advice for those looking to break into government cybersecurity roles, dispelling myths about the need for a STEM background and highlighting the relevance of "core skills" like public speaking, decision-making, and risk management.

Key Topics Covered:

Public-private partnership success stories
NSA’s approach to global collaboration
The shift from information consumption to actionable intelligence sharing
The average American's cybersecurity concerns
Insights into the collaborative efforts needed to counter cyber threats
Naming malware campaigns

The episode wraps up with tips on staying current in the fast-paced world of cybersecurity, from leveraging NSA advisories to building communities for information sharing. Whether you're an aspiring cybersecurity professional or an industry veteran, this episode is packed with actionable advice and thought-provoking perspectives.

Resources mentioned:
https://www.nsa.gov/Press-Room/Press-Releases-Statements/Press-Release-View/Article/3805947/nsa-announces-kristina-walter-as-the-new-chief-of-cybersecurity-collaboration-c/

https://www.nsa.gov/Press-Room/News-Highlights/

https://www.nsa.gov/Press-Room/Press-Releases-Statements/Press-Release-View/Article/3669141/nsa-and-partners-spotlight-peoples-republic-of-china-targeting-of-us-critical-i/

https://www.nsa.gov/about/cybersecurity-collaboration-center/

For more information about Proofpoint, check out our website.

Subscribe & Follow:Don't miss out on future episodes—subscribe to the Discarded Podcast on your favorite platform.

The Battle for a Safer Internet: Inside Domain Takedowns and Threat Actor Tactics

Tue, 07 Jan 2025 04:00:08 -0500

Send us fan mail!

Hello to all our Cyber Magicians! Join host Selena Larson and guest host,Tim Kromphardt, as they speak with Hannah Rapetti, the Takedown Services Manager at Proofpoint. Hannah shares her fascinating journey from librarian to cybersecurity expert, detailing her path into the industry through certifications, CTFs (Capture the Flag), and the Women in Cybersecurity (WiCyS) community.The conversation dives into real-world examples, techniques, and strategies used to identify, track, and eliminate malicious domains.

Key Topics Covered:

Collaborative Efforts: How teams work together to identify scam websites, gather evidence, and escalate for takedown.
Tools and Techniques: Using tools like domain search, backend kits identification, and IP-based connections to uncover related sites.
Challenges in Takedowns: Managing lists of hundreds of domains across multiple providers, verifying live activity, and the need for ongoing monitoring.
Threat Actor Behavior: How threat actors use multiple registrars or re-register domains to evade detection.
Best Practices for Organizations:
- Preemptively purchasing lookalike domains.
- Monitoring new domain registrations for suspicious activity.
- Educating users to identify and avoid malicious domains.
Ethical Considerations: Balancing infrastructure disruption with the need for ongoing research, particularly for cyber espionage threats.
Favorite Wins: Memorable investigations, such as takedowns during the Super Bowl, fake Olympics ticket scams, and real-time disruption of pig-butchering schemes.

The episode highlights the importance of domain takedowns not just for individual companies but for contributing to a safer internet ecosystem. It’s a mix of practical advice, real-life stories, and insights into the ongoing battle against cybercrime.

Resources mentioned:
Genina Po Discarded Episode

https://www.proofpoint.com/us/blog/threat-insight/pig-butchers-join-gig-economy-cryptocurrency-scammers-target-job-seekers

https://www.wicys.org/
https://www.proofpoint.com/us/blog/threat-insight/pig-butchers-join-gig-economy-cryptocurrency-scammers-target-job-seekers
https://podcasts.apple.com/us/podcast/discarded-tales-from-the-threat-research-trenches/id1612506550?i=1000677061400
https://www.proofpoint.com/us/blog/threat-insight/security-brief-scammers-create-fraudulent-olympics-ticketing-websites

For more information about Proofpoint, check out our website.

Subscribe & Follow:
Don't miss out on future episodes—subscribe to the Discarded Podcast on your favorite platform.

Hackers, Heists, and Heroes: The Evolving Ransomware Game

Tue, 17 Dec 2024 04:00:07 -0500

Send us fan mail!

Hello to all our Cyber Pals! Join host Selena Larson and guest, ransomware expert, Allan Liska, CSIRT at Recorded Future, drops by to share his creative take on cyber-themed graphic novels, proving there’s nothing ransomware can’t inspire—even superheroes.

In this episode, we uncover the shadowy ecosystem driving ransomware attacks, from the industrialization of cybercrime to the rise of "small-batch" threat actors redefining chaos. Explore how Operation Endgame dealt a devastating blow to malware powerhouses like Pikabot and SmokeLoader, shaking trust within underground networks and leaving cybercriminals scrambling to regroup.

We’ll also decode the evolving tactics of ransomware gangs, from slick AI-powered voice disguises to the surprising shift toward consumer scams. Plus, we’ll discuss whether law enforcement’s crackdown will make ransomware too expensive for crooks, forcing them to rethink their game plans—or at least settle for less glamorous schemes like crypto theft.

Don’t miss the Champagne pick that pairs perfectly with ransomware disruptions! 🥂

Resources mentioned:
https://www.chainalysis.com/blog/2024-crypto-crime-mid-year-update-part-1/

https://www.marketplace.org/shows/marketplace-tech/how-scammers-hijack-their-victims-brains/

https://www.cisa.gov/resources-tools/resources/review-attacks-associated-lapsus-and-related-threat-groups-report

https://www.proofpoint.com/us/blog/threat-insight/major-botnets-disrupted-global-law-enforcement-takedown

https://www.justice.gov/opa/pr/us-charges-russian-national-developing-and-operating-lockbit-ransomware

https://therecord.media/russian-national-in-custody-extradited

https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a

https://unit42.paloaltonetworks.com/north-korean-threat-group-play-ransomware/

https://therecord.media/chamelgang-china-apt-ransomware-distraction

https://urldefense.com/v3/__https://www.recordedfuture.com/research/outmaneuvering-rhysida-advanced-threat-intelligence-shields-critical-infrastructure-ransomware__;!!ORgEfCBsr282Fw!pYnNQZUQJLJTFlj5w7PcWRjyr6rh-logFnqo03_Mz19RUrK4rftQU1qbTj_iql3KNjn4Ub7a5LsDLpCJgdJQSA$

For more information about Proofpoint, check out our website.

Subscribe & Follow:
Don't miss out on future episodes—subscribe to the Discarded Podcast on your favorite platform.

Stealth, Scale, and Strategy: Exploring China’s Covert Network Tactics

Tue, 03 Dec 2024 04:00:07 -0500

Send us fan mail!

Hello to all our Cyber Frogs! Join host Selena Larson and guest host, Sarah Sabotka, explore the evolving tactics of China-based nation-state threat actors with guest Mark Kelly, Staff Threat Researcher at Proofpoint. They focus on TA415 (APT41 or Brass Typhoon), examining its combination of cybercrime and state-sponsored espionage. From the Voldemort malware campaign to targeting critical infrastructure, Mark sheds light on how these actors leverage tools like Google Sheets for command and control, exploit vulnerabilities, and adapt to evade detection.

The discussion also highlights:

the strategic importance of edge devices, pre-positioning for geopolitical escalations, and the intersection of espionage, gaming, and cybercrime
Operational Relay Boxes (ORBs), covert networks used by Chinese Advanced Persistent Threat (APT) groups to mask cyber activities
exploitation of non-traditional systems and vulnerabilities
the impact of compromised consumer devices on global cybersecurity

Resources mentioned:
https://www.nytimes.com/2024/10/26/us/politics/salt-typhoon-hack-what-we-know.html
https://cyberscoop.com/salt-typhoon-us-telecom-hack-earth-estries-trend-micro-report/
https://www.proofpoint.com/us/blog/threat-insight/malware-must-not-be-named-suspected-espionage-campaign-delivers-voldemort
https://www.bleepingcomputer.com/news/security/state-hackers-turn-to-massive-orb-proxy-networks-to-evade-detection/

For more information about Proofpoint, check out our website.

Subscribe & Follow:
Don't miss out on future episodes—subscribe to the Discarded Podcast on your favorite platform.

Scams, Smishing, and Safety Nets: How Emerging Threats Catches Phish

Fri, 15 Nov 2024 04:00:06 -0500

Send us fan mail!

Hello to all our Cyber Pals! Join host Selena Larson and guest, Genina Po, Threat Researcher at Emerging Threats at Proofpoint. She shares how she tackles emerging cyber threats, breaking down the process of turning data into detection signatures. Using tools like Suricata to create detections for malicious activity, she maps out her approach to writing rules that identify and block these threats.

The goal? Equip companies to stay secure, and encourage listeners with the skills to spot and prevent scams on their own. Genina shares her journey tracking pig butchering scams through thousands of domains and URLs. She reveals patterns—certain headers and markers—that help identify these sites amid a flood of data, and she describes the challenges in detection, as scammers increasingly vary their setups to evade filters.

Also discussed:

proactive measures against phishing and fraud sites, with Proofpoint using "takedown" services to remove malicious domains, disrupting scams before they impact users
the importance of questioning biases, particularly in cyber threat intelligence where assumptions can shape classifications and responses
collaboration with Chainalysis to connect various scams through cryptocurrency wallets, showing cross-over between different fraud types

Resources mentioned:
Book: Why Fish Don’t Exist by Lulu Miller

For more information about Proofpoint, check out our website.

Subscribe & Follow:
Don't miss out on future episodes—subscribe to the Discarded Podcast on your favorite platform.

Pig Butcher Scammers Put Job Seekers On The Menu

Tue, 29 Oct 2024 14:21:50 -0400

Send us fan mail!

A note to our listeners, this episode contains some content our listeners might find upsetting including mentions of human trafficking.

Hello to all our Pumpkin Spice Cyber Friends! Join host Selena Larson and guest host, Sarah Sabotka as they chat with senior threat researcher and fraud expert Tim Kromphardt. They talk about the world of pig butchering and crypto romance scams, where Tim discusses how these scams manipulate victims' feelings, making it incredibly hard to escape, even when presented with evidence of the scam. And how these threat actors have expanded their enterprises to include job scamming. He explains the challenges of tracking funds through cryptocurrency systems, and why these scams are so profitable.

The episode highlights the need for victims to speak out and share their stories without shame, breaking the cycle and raising awareness.

Also discussed:

how psychological manipulation can be just as damaging as technical vulnerabilities
resources for victims, and how people can identify hallmarks of these types of scams
the role of automation and AI in scaling scams

Resources mentioned:
globalantiscam.org

For more information about Proofpoint, check out our website.

Subscribe & Follow:
Don't miss out on future episodes—subscribe to the Discarded Podcast on your favorite platform.

Under Siege: How Hackers Exploit Cloud Vulnerabilities

Tue, 15 Oct 2024 13:30:36 -0400

Send us fan mail!

Hello to all our Cyber Ghosts! Join host Selena Larson as she chats with Eilon Bendet– Cloud Threat Researcher from Proofpoint. From account takeovers to state-sponsored hacks, they uncover how cybercriminals are outsmarting traditional defenses – and why even multi-factor authentication might not be enough to keep them out.

Together, they discuss the complexities of cloud threat detection, including the role of User and Entity Behavior Analytics (UEBA) in identifying suspicious activities and preventing account takeovers (ATO). Eilon breaks down two primary ATO threat vectors—credential-based brute force attacks and precision-targeted phishing campaigns.

Also discussed:

how these groups exploit cloud environments
concerning trends such as the rise of reverse proxy-based toolkits and MFA bypass techniques
the importance of identity-focused defense strategies and how threat actors customize tools to infiltrate cloud systems, steal data, and monetize compromised accounts

Resources mentioned:
MACT or malicious applications blog: https://www.proofpoint.com/us/blog/cloud-security/revisiting-mact-malicious-applications-credible-cloud-tenants

For more information about Proofpoint, check out our website.

Subscribe & Follow:
Don't miss out on future episodes—subscribe to the Discarded Podcast on your favorite platform.

Champagne Attack Chains on a Kool-Aid Budget

Mon, 30 Sep 2024 04:00:01 -0400

Send us fan mail!

Hello to all our Pumpkin Spice cyber friends! Join host Selena Larson and today’s co-host, Tim Kromphardt, as they chat with Joe Wise, Senior Threat Researcher and Kyle Cucci, Staff Threat Researcher both from Proofpoint.

Together, they unpack recent campaigns involving the abuse of legitimate services, particularly focusing on the clever tactics used by cybercriminals to evade detection.Joe and Kyle discuss a fascinating trend where attackers are leveraging Cloudflare’s temporary tunnels, bundling Python packages, and deploying a range of malware like Xworm and Venom Rat. They explore the increasing abuse of legitimate services like Google Drive, Adobe Acrobat, and Dropbox, which allow attackers to blend in with regular business traffic. The conversation also touches on a range of threat clusters, including Exormactor and Voldemort malware, and TA2541, who have consistently leveraged Google Drive URLs to spread malicious content.

Also discussed:

the challenge of detecting and mitigating these types of threats and the importance of staying ahead of the evolving attack strategies
the motivations behind these campaigns
why traditional defense mechanisms may fall short

Resources mentioned:
https://www.proofpoint.com/us/blog/threat-insight/malware-must-not-be-named-suspected-espionage-campaign-delivers-voldemort
https://www.proofpoint.com/us/blog/threat-insight/scammer-abuses-microsoft-365-tenants-relaying-through-proofpoint-servers-deliver

For more information about Proofpoint, check out our website.

Subscribe & Follow:
Don't miss out on future episodes—subscribe to the Discarded Podcast on your favorite platform.

Guarding the Vote: Unmasking Cyber Threats in Election Season

Tue, 17 Sep 2024 04:00:02 -0400

Send us fan mail!

Hello to all our cyber citizens! Join host Selena Larson and today’s co-host, Tim Kromphardt, as they chat with Joshua Miller, Senior Threat Researcher and Rob Kinner, Senior Threat Analyst both from Proofpoint.

With election season on the horizon, cyber attackers are sharpening their tactics—impersonating government agencies, emailing journalists, and crafting sophisticated phishing schemes. But how real is the threat? And what can be done to protect our democracy from the digital shadows? Today, we pull back the curtain on the unseen battles being fought in cyberspace and what it means for voters, journalists, and defenders alike.

The discussion covers a range of election threats, from malicious domains, impersonation, and typo-squatting to sophisticated credential phishing campaigns that exploit government and election-related themes.

Also discussed:

how state-sponsored actors from DPRK, Russia, and China are interested in espionage around election related topics
the impersonation of various government entities for phishing purposes, revealing the creativity and resourcefulness of threat actors
while cyber threats are pervasive, the integrity of the voting process remains strong, backed by robust defenses and ongoing efforts by dedicated professionals

Resources mentioned:
https://www.proofpoint.com/us/blog/threat-insight/best-laid-plans-ta453-targets-religious-figure-fake-podcast-invite-delivering

https://www.justice.gov/opa/pr/justice-department-disrupts-covert-russian-government-sponsored-foreign-malign-influence

https://www.proofpoint.com/us/blog/threat-insight/above-fold-and-your-inbox-tracing-state-aligned-activity-targeting-journalists

https://www.proofpoint.com/us/blog/threat-insight/media-coverage-doesnt-deter-actor-threatening-democratic-voters

For more information about Proofpoint, check out our website.

Subscribe & Follow:
Don't miss out on future episodes—subscribe to the Discarded Podcast on your favorite platform.

Very Mindful, Very APT: Inside the Activity of Current Espionage Actors

Wed, 04 Sep 2024 04:00:02 -0400

Send us fan mail!

Hello to all our mindful and demure cyber sleuths! Join host Selena Larson and today’s co-host, Sarah Sabotka as they chat with Joshua Miller and Greg Lesnewich, Threat Researchers at Proofpoint about the ever-evolving world of advanced persistent threats (APTs).

The team unravels the latest espionage tactics of threat actors from Iran, North Korea, and Russia, exploring everything from Iran’s sophisticated social engineering campaigns to North Korea’s customized Mac malware.

They also highlight the increasing interest in MacOS malware in the cybercrime landscape and examine examine the threat posed by a group targeting AI researchers with unique malware like "SugarGh0st RAT."

Also discussed:

the quirky and often amusing names given to malware campaigns in the cybersecurity world.
unexpected connections between cybersecurity and pop culture, featuring a discussion on how celebrities like Taylor Swift handle digital security.
what recent activity suggests about the actors’ changing tactics.

Resources mentioned:
SleuthCon Talk: Presenter, Selena Larson

Rivers of Phish from CitizenLab

https://www.proofpoint.com/us/blog/threat-insight/best-laid-plans-ta453-targets-religious-figure-fake-podcast-invite-delivering

https://www.proofpoint.com/us/blog/threat-insight/security-brief-ta450-uses-embedded-links-pdf-attachments-latest-campaign

https://www.elastic.co/security-labs/elastic-catches-dprk-passing-out-kandykorn

https://www.proofpoint.com/us/blog/threat-insight/ta444-apt-startup-aimed-at-your-funds

https://www.theguardian.com/music/shortcuts/2019/jan/29/digital-security-taylor-swift-facetime-privacy-bug-breaches

https://www.youtube.com/watch?v=LYHmTjFW-nY

https://www.proofpoint.com/us/blog/threat-insight/ta422s-dedicated-exploitation-loop-same-week-after-week

https://www.proofpoint.com/us/blog/threat-insight/security-brief-artificial-sweetener-sugargh0st-rat-used-target-american

For more information about Proofpoint, check out ou

Rebel Security Training: Cyber Lessons from A Galaxy Far, Far Away

Tue, 20 Aug 2024 04:00:02 -0400

Send us fan mail!

Hello, cyber rebels! Ever wondered what lightsabers, the Force, and intergalactic battles have in common with the world of cybersecurity? Welcome to a special episode of the Discarded Podcast. Join host Selena and co-host Greg Lesnewich, Senior Threat Researcher at Proofpoint, along with our guest, Eric Geller, cybersecurity reporter and host of the Hoth Takes Star Wars podcast, as they dive into the fascinating intersection of Star Wars and cybersecurity. He reveals how the tactics and strategies from a galaxy far, far away can be applied to modern-day digital defense.

Greg and Eric share their love for Star Wars while drawing parallels between iconic moments from the saga and modern cybersecurity practices. Ever wondered how the Rebels' infiltration of the Death Star reflects real-world hacking techniques? Or how the Empire's security flaws could be lessons for today's digital defenses? We've got you covered. They highlight how living off the land techniques, identity protection failures, and internal security oversights in the Star Wars universe can teach us valuable lessons for defending against cyber threats.

From red teaming with Han and Chewbacca to intelligence analysis with Princess Leia, and even hardware hacking with Babu Frik, we cover a broad spectrum of cyber roles through the lens of Star Wars. We also delve into who would make the best CISO in the Star Wars universe, with some surprising nominations and entertaining analogies.

Whether you're a Star Wars enthusiast or a cybersecurity professional, this episode provides a unique and entertaining perspective on the skills and strategies essential for both realms. Tune in for a fun and insightful conversation that bridges the gap between fiction and reality in the most engaging way possible.

Resources mentioned:

Hoth Takes (podcast)
NIST Framework
https://www.wired.com/author/eric-geller/

For more information about Proofpoint, check out our website.

Subscribe & Follow:

Don't miss out on future episodes—subscribe to the Discarded Podcast on your favorite platform.

The Art of Frustrating Hackers: Diving Into the DEaTH Cycle with Randy Pargman

Tue, 06 Aug 2024 04:00:03 -0400

Send us fan mail!

Hello, Cyber Stars! In today's episode of the Discarded Podcast, hosts Selena Larson and Sarah Sabotka are joined by Randy Pargman, Director of Threat Detection at Proofpoint. Randy shares his extensive experience in cybersecurity, from working at the FBI and understanding law enforcement’s role in cyber defense, to endpoint detection and response, to his current role at Proofpoint.

We explore the relentless cat-and-mouse game between cyber defenders and threat actors. Randy discusses the importance of Detection Engineering and Threat Hunting (DEATH) and how these disciplines work together to outsmart cybercriminals. He also highlights the significance of log data retention and how investing in longer retention periods can drastically improve the efficacy of detection measures.

Randy touches on the upcoming DEATHCon, a must-attend event for cybersecurity professionals. He shares fascinating stories and analogies, making complex cybersecurity concepts accessible and engaging.

We also talk about:

the concept of the "pyramid of pain" and how spending too much time on IOCs can be a losing battle against agile threat actors
the value of empathy and collaboration among security teams
practical steps for building shared lab environments

Resources mentioned:

DeathCON
Operation Endgame
Clipboard to Compromise Blog: https://www.proofpoint.com/us/blog/threat-insight/clipboard-compromise-powershell-self-pwn
DFIR Report Labs: https://thedfirreport.com/services/dfir-labs/

For more information about Proofpoint, check out our website.

Subscribe & Follow:
Don't miss out on future episodes—subscribe to the Discarded Podcast on your favorite platform.

The Hunt for Cyber Criminals: A Deep Dive with Wired's Andy Greenberg

Wed, 24 Jul 2024 11:46:18 -0400

Send us fan mail!

Hello, Cyber Stars! In today's episode of the Discarded Podcast, hosts Selena Larson and Pim Trouerbach are joined by Andy Greenberg, Senior Writer at WIRED. Known for his deep dives into the world of hacking, cybersecurity, and surveillance, Andy shares his journey of uncovering and telling compelling stories about the digital underworld.

The conversation kicks off with Andy detailing his extensive experience in cybersecurity journalism and his knack for long-form storytelling. He shares insights into his acclaimed Wired article on the Mirai botnet hackers and discusses his latest book, Tracers in the Dark: The Global Hunt for the Crime Lords of Cryptocurrency.

We also talk about:

the intricate world of cryptocurrency and its unintended consequence of fueling ransomware attacks
the rise of pig butchering scams, now dwarfing ransomware in financial impact
the ethical dilemmas and real-world consequences of cybercrime

Resources mentioned:
Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin's Most Dangerous Hackers by Andy Greenberg
Tracers in the Dark: The Global Hunt for the Crime Lords of Cryptocurrency by Andy Greenberg
https://www.wired.com/story/mirai-untold-story-three-young-hackers-web-killing-monster/
https://www.wired.com/story/crypto-home-invasion-crime-ring/
https://www.wired.com/story/tigran-gambaryan-us-congress-resolution-hostage-nigeria/

For more information about Proofpoint, check out our website.

Subscribe & Follow:
Don't miss out on future episodes—subscribe to the Discarded Podcast on your favorite platform.

Have you heard: Only Malware in the Building?

Mon, 15 Jul 2024 09:36:18 -0400

Send us fan mail!

Check out new episodes of Only Malware in the Building wherever you listen to podcasts:
https://thecyberwire.com/podcasts/only-malware-in-the-building

Malware Evasion Uncovered: The Battle Against Evolving Malware Techniques

Tue, 09 Jul 2024 14:10:09 -0400

Send us fan mail!

Hello, Cyber Pirates! In today's episode of the Discarded Podcast, hosts Selena Larson and Tim Kromphardt are joined by Kyle Cucci, Staff Threat Researcher at Proofpoint. Dive with us into the world of cyber attacks as Kyle breaks down the intricacies of evasion techniques used by threat actors. From defense evasion to anti-sandboxing and anti-reversing methods, Kyle sheds light on how modern malware ensures its survival. Discover the evolution and increasing sophistication of these techniques, and learn about specific malware families like WikiLoader, Remcos, and the notorious Loki Bot.

We then move into how teams of threat hunters, intelligence analysts, and malware reversers work closely to identify new malware techniques and develop robust defenses within sandbox environments. Kyle shares insights into the constant feedback loop between intelligence and detection teams, highlighting how they stay ahead of evolving threats.

We also talk about:

evasion strategies, including temperature checks, geofencing, and human detection mechanisms
the use of publicly available tools by malware authors
the future of AI and large language models (LLMs) in both aiding and combating cyber threats

Resources mentioned:

Evasive Malware by Kyle Cucci
SentinelOne Research: https://www.sentinelone.com/blog/blackmamba-chatgpt-polymorphic-malware-a-case-of-scareware-or-a-wake-up-call-for-cyber-security/

For more information about Proofpoint, check out our website.

Subscribe & Follow:
Don't miss out on future episodes—subscribe to the Discarded Podcast on your favorite platform.

Checkmate: Breaking Down Operation Endgame

Tue, 25 Jun 2024 13:56:09 -0400

Send us fan mail!

Hello, cyber sleuths! In today's exciting episode of the Discarded Podcast, hosts Selena Larson and Sarah Sabotka are joined by the brilliant Pim Trouerbach, Senior Reverse Engineer at Proofpoint. Pim gives us the lowdown on this massive law enforcement operation targeting multiple high-profile botnets across the globe, called Operation Endgame, and how this coordinated takedown affects the cybercrime landscape and the significance of arresting the individuals behind these operations.

He also breaks down the different malware impacted including SystemBC, IcedID, Pikabot, Bumblebee, and more.

We also talk about:

the rise and fall of Bumblebee, comparing it to its predecessor, Baza Loader, and contemplating why it didn't quite live up to its anticipated potential despite its advanced features
the collaborative efforts between law enforcement and private sector partners, emphasizing the effectiveness of these joint operations in curbing cyber threats
the high-quality, cinematic videos released as part of Operation Endgame

Resources mentioned:
https://www.proofpoint.com/us/blog/threat-insight/major-botnets-disrupted-global-law-enforcement-takedown
https://www.proofpoint.com/us/threat-insight/post/systembc-christmas-july-socks5-malware-and-exploit-kits
https://operation-endgame.com/
https://www.justice.gov/opa/pr/911-s5-botnet-dismantled-and-its-administrator-arrested-coordinated-international-operation
https://x.com/Shadowserver/status/1797945864004210843

For more information about Proofpoint, check out our website.

Subscribe & Follow:
Don't miss out on future episodes—subscribe to the Discarded Podcast on your favorite platform.

Hacking the Human Mind: How Cyber Attackers Exploit Our Brains

Tue, 11 Jun 2024 04:00:04 -0400

Send us fan mail!

Hello to all our cyber squirrels! Joining our series host, Selena Larson, is our co-host today, Tim Kromphardt. Together they welcome our special guest–Dr. Bob Hausmann, Proofpoint's Manager of Learning Architecture and Assessments and a seasoned psychologist.

Our conversation explores how cyber threat actors exploit the different systems of thought in our brains and how attackers leverage our rapid, emotionally-driven responses (system one thinking) to bypass our more deliberate, rational processes (system two thinking).

Dr. Bob introduces us to the concept of cognitive biases, particularly normalcy bias, and how these mental shortcuts can shape our cyber defense strategies. He explains how organizations often fall into the trap of thinking "it won't happen to us," leading to underinvestment in critical security measures. Drawing parallels to historical events like the sinking of the Titanic and the COVID-19 pandemic, he underscores the importance of overcoming these biases to enhance preparedness.

We also talk about:

Real-world implications and examples of social engineering attacks.
The impact of urgency and stress on decision-making in cybersecurity.
The alarming rise and mechanics of pig butchering scams.
The role of AI in scams and cybersecurity
Empathetic approaches to helping scam victims

Resources mentioned:

Book: "Thinking, Fast and Slow" by Daniel Kahneman

Book: "The Art of Deception" by Kevin Mitnick

Previous Discarded Episode on Pig Butchering

Have I Been Pwned

PhishMe

Cybersecurity and Infrastructure Security Agency (CISA)

SANS Institute

https://www.proofpoint.com/us/blog/threat-insight/broken-dreams-and-piggy-banks-pig-butchering-crypto-fraud-growing-online

https://therecord.media/southeast-asian-scam-syndicates-stealing-billions-annually

https://www.cfr.org/in-brief/how-myanmar-became-global-center-cyber-scams

https://www.proofpoint.com/us/blog/threat-insight/dont-answer-russia-aligned-ta499-beleaguers-targets-video-call-requests

For more information about Proofpoint,

Decrypting Cyber Threats: Tactics, Takedowns, and Resilience

Wed, 29 May 2024 04:00:05 -0400

Send us fan mail!

Hello to all our cyber pals! Joining our series host, Selena Larson, is our co-host today, Tim Kromphardt. Together they welcome our special guest–Daniel Blackford, the Director of Threat Research at Proofpoint. The conversation dives into the intricate world of cyber threats and the impact of law enforcement disruptions on malware, botnets, and ransomware actors.

We'll explore how threat actors react when their preferred infrastructures or ransomware-as-a-service systems get taken down, offering insights into their various responses—from rebuilding and rebranding to the emergence of new power players in the cybercriminal ecosystem.

We also talk about:

Analysis of the Hive ransomware takedown and the massive Qbot operation, including the technical and human aspects of these disruptions
How other groups rise to prominence despite disruptions
Differences between malware disruptions and business email compromise (BEC) or fraud-focused disruptions
The evolution of threat actor techniques, such as, legitimate remote management tools and living off the land techniques

For more information about Proofpoint, check out our website.

Subscribe & Follow:
Don't miss out on future episodes—subscribe to the Discarded Podcast on your favorite platform.

It Works on My Machine: Why and How Engineering Skills Matter in Threat Research

Wed, 08 May 2024 04:00:05 -0400

Send us fan mail!

The Discarded Podcast team is gearing up and working hard for a new season! Until then we have a special Re-Run treat--one of our favorite episodes! Enjoy!

Engineering skills can play a massively beneficial role in cyber security, as Pim Trouerbach, a Senior Reverse Engineer at Proofpoint and Jacob Latonis, Senior Threat Research Engineer at Proofpoint, are able to share.

They emphasize the importance of understanding the requirements and context of security researchers to build effective tools. The conversation touches on the potential impact of AI and LLMs (large language models) in threat research. While AI tools can be valuable for entry-level tasks, the context, experience, and expertise of human engineers are essential for handling complex code and understanding threat actors' behaviors.

Join us as we also discuss:
[02:59] The uniqueness of engineering skills in understanding researchers' requirements for data cleaning, tool development, and working in a security environment.
[11:06] How the versioning in malware samples can provide insights into the threat actors' behavior and trajectory.
[13:24] How malware is simply software with malicious intent, and how practices of developers and threat actors can overlap.
[17:10] The tools and techniques used by threat actors, including obfuscation and encryption methods.[21:42] The importance of context and experience in writing tools and understanding researchers' workflows.

For more information, check out our website.

Decoding TA4903: Exploring the Dual Objectives of a Unique Cyber Threat Actor

Tue, 02 Apr 2024 11:42:21 -0400

Send us fan mail!

Today’s focus is on the elusive threat actor known as TA4903. But that's not all - we've got a special treat for you as well. Our longtime producer, Mindy, is joining us as a co-host, bringing her expertise and insights to the table, as we turn the mic around and interview, Selena!

We explore recent research conducted by Selena and her team on TA4903’s distinct objectives. Unlike many cybercrime actors, TA4903 demonstrates a unique combination of tactics, targeting both high-volume credential phishing campaigns and lower-volume direct business email compromises.

We also dive into:

TA4903 spoofs government entities like the Department of Transportation and the Department of Labor to lure victims
Use of advanced techniques including evil proxy for multi-factor authentication token theft and QR codes for phishing campaigns
Rising trends in cryptocurrency-related scams and other financial frauds

Resources mentioned:
MFA Bypass (Blog) by Timothy Kromphardt

IC3 2023 FBI Report

New TA4903 research: https://www.proofpoint.com/us/blog/threat-insight/ta4903-actor-spoofs-us-government-small-businesses-phishing-bec-bids

For more information, check out our website.

A Trip Down Malware Lane: How Today's Hottest Malware Stacks Up Against Predecessors

Tue, 19 Mar 2024 04:00:02 -0400

Send us fan mail!

It has been a busy first quarter for the Proofpoint Threat Research team! Today we have returning guest, Pim Trouerbach, to share his personal stories about his favorite malware and discuss the current landscape, including insights on Pikabot, Latrodectus, and WikiLoader.

The conversation explores the evolution from old school banking trojans to the current favored payloads from major cybercrime actors, and the changes in malware development through the years. Pim shares the different meticulous analysis and research efforts, and we learn about mechanisms to combat the malware.

We also dive into:

a valuable lesson about the consequences of malware running rampant in a sandbox environment
the shifts in attack chains and tactics employed by threat actors
the need for adaptive detection methods to combat evolving cyber threats

Resources mentioned:
Countdown to Zero Day by Kim Zetter

Shareable Links:
https://www.proofpoint.com/us/blog/threat-insight/out-sandbox-wikiloader-digs-sophisticated-evasion

https://www.proofpoint.com/us/blog/threat-insight/ta577s-unusual-attack-chain-leads-ntlm-data-theft

https://www.proofpoint.com/us/blog/threat-insight/battleroyal-darkgate-cluster-spreads-email-and-fake-browser-updates

https://www.proofpoint.com/us/blog/threat-insight/bumblebee-buzzes-back-black

https://www.proofpoint.com/us/blog/threat-insight/security-brief-tis-season-tax-hax

Pim’s Favorite Malware:

* Emotet: https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-280a

* IcedID: https://www.proofpoint.com/us/blog/threat-insight/fork-ice-new-era-icedid

* Dridex: https://www.cisa.gov/news-events/cybersecurity-advisories/aa19-339a

* Hancitor: https://malpedia.caad.fkie.fraunhofer.de/details/win.hancitor

* Qbot: https://malpedia.caad.fkie.fraunhofer.de/details/win.qakbot

* Hikit (APT): https://attack.mitre.org/software/S0009/

* Stuxnet (APT): https://www.penguinrandomhouse.com/books/219931/countdown-to-zero-day-by-kim-zetter/

* Cutwail: https://malpedia.caad.fkie.fraunhofer.de/details/win.cutwail

For more information, check out our website.

Hiding In Plain Sight: Unique Methods Of C2 From Infostealers

Tue, 05 Mar 2024 04:00:02 -0500

Send us fan mail!

Network-based detections, such as those developed by threat detection engineers using tools like suricata and snort signatures, play a crucial role in identifying and mitigating cyber threats by scrutinizing and analyzing network traffic for malicious patterns and activities.

Today’s guest is Isaac Shaughnessy, a Threat Detection Engineer at Proofpoint. Isaac shares his insights into the challenges of detecting and mitigating malware, especially those using social platforms for command and control. He emphasizes the team's engagement with the InfoSec community, highlighting the value of platforms like Twitter and Mastodon for sharing and receiving information.

We also dive into:

the unique challenges of crafting effective signatures
the specifics of malware, focusing on Vidar stealer and highlighting the dynamic nature of Vidar's command and control infrastructure
the distribution methods of these malware strains, from email campaigns to unconventional tactics like using video game platforms and social media for luring victims

Resources mentioned:

Intro to Traffic Analysis w/ Issac Shaughnessy
Emerging Threats Mastodon: https://infosec.exchange/@emergingthreats
Threat Insight Mastodon: https://infosec.exchange/@threatinsight
Vidar Stealer Picks Up Steam!

For more information, check out our website.

From Attribution to Advancement: Red Canary’s Katie Nickels Tackles CTI’s Biggest Questions

Tue, 20 Feb 2024 04:00:02 -0500

Send us fan mail!

The esteemed Katie Nickels joins us on the show today! Katie is the Director of Intelligence Operations at Red Canary, and our conversation with her explores a wide array of topics, ranging from career growth in threat intelligence to the intricacies of attribution and threat actor naming.

Katie delves into her diverse career journey and transitions to advice for those entering the field, emphasizing persistence, creativity, and considering entry-level roles like SOC analyst positions. There is also talk of avoiding burnout while pursuing one’s passion, especially in cybersecurity.

We also dive into:

Communication and attribution challenges including the confusion of different naming conventions
Marketing and the personification of threat actors
Strategic approaches in handling incidents and avoiding panic

For more information, check out our website.

Beyond the Headlines: Reporting on Sensitive Cybersecurity Topics to Resonate with Everyone

Tue, 06 Feb 2024 04:00:02 -0500

Send us fan mail!

*This episode contains content warnings of suicide and self-harm*

“It’s not about preventing something from happening, it’s being prepared for when it does.” This episode is filled with stories from the different scenarios that have been plaguing people with cyber security attacks.

Today’s guest is Kevin Collier, a cybersecurity reporter at NBC. He joins us to discuss his experiences covering cybersecurity stories for a mainstream audience. As the first and only dedicated cybersecurity reporter at NBC, Collier reflects on the evolving nature of media coverage in the cybersecurity space, emphasizing the increasing need for dedicated coverage in major news publications. He highlights the rise of scams facilitated through text messages, emails, and zero-day exploits, emphasizing the geopolitical circumstances that enable these threats, and also helping audiences understand the reality behind the cyber threats they face.

They also dive into:

The poignant reporting process on a story of pig butchering scams
The normalization of cyber threats, such as ransomware, and the role of the media in shaping public perception
The process of convincing stakeholders to prioritize certain topics
The emotional toll of reporting on sensitive cybersecurity topics and the importance of self-care in navigating this challenging intersection.

Resources mentioned: trigger warning for content of suicide and self-harm

“Online romance scams are netting millions of dollars — and pushing some to self-harm” by Kevin Collier

Discarded Episode with Tim Utzig

Colonial Pipeline Blog by CISA.gov

For more information, check out our website.

Strategies for Defense and Disruption: Part Two of Predicting Cyber Threats in 2024

Tue, 23 Jan 2024 04:00:02 -0500

Send us fan mail!

Is 2024 the year of adaptability and collaboration within the security community? Let’s hope so!

Today’s episode is Part Two of what to expect in cybersecurity in 2024, and our guests are Randy Pargman and Rich Gonzalez. Randy sheds light on the crucial role of the Detections Team and emphasizes the constant innovation of malware authors, and the team’s mission to outsmart them. Rich discusses the Emerging Threats team and dives into open source and paid resources as force multipliers for security teams.

While some reflections were shared about 2023, namely multiple high-profile vulnerability events and the challenges posed by QR codes, the conversation focused on the upcoming year. They anticipate increased creativity from threat actors, and emphasize the constant battle between red and blue teams. The conversation underscores the need for constant adaptation, response to emerging threats, and collaboration within the security community.

Other topics discussed include:

Incidents like WinRAR, Citrix NetScaler ADC, and ScreenConnect vulnerabilities
The positive impact of public-private partnerships and international cooperation in enhancing cybersecurity defenses
Hopeful vision for the industry, advocating for understanding, education, & increased diversity

For more information, check out our website.

Phishing, Elections, and Costly Attacks: Part One of Predicting Cyber Threats in 2024

Tue, 09 Jan 2024 04:00:03 -0500

Send us fan mail!

To move forward, it’s good to take a minute and reflect on what’s happened.

Today’s episode focuses on insights from Daniel Blackford and Alexis Dorais-Joncas, both Senior Managers of Threat Research at Proofpoint. This is the first in our two-part series looking at what’s on the horizon for 2024.

Reflecting on 2023, they discuss the use of QR codes, major technique shifts from the biggest ecrime and APT actors, and the ongoing problem of ransomware.

Looking ahead to 2024, the emphasis goes to the gradual shift of attacks outside corporate-managed infrastructure, leveraging personal email accounts to bypass extensive security measures. On the cybercrime side, there’s a prediction of the continued development of as-a-service models, particularly focusing on traffic distribution services, leading to more modular and challenging-to-attribute attack chains.

They also dive into:

Threat actor activity during the elections and Olympics
Specific threat actor groups that caught their attention in 2023, TA473 and TA577
Living off the Land concepts

For more information, check out our website.

Jingle Bells, Phishing Tales: Reflecting on Cybersecurity in the Holiday Spirit

Tue, 26 Dec 2023 04:00:02 -0500

Send us fan mail!

In this special Holiday edition of Discarded, the tables are turned with hosts, Selena and Crista, becoming the answer-ers, our returning Moderator, Mindy Semling, as the question asker, and our wonderful audience is transformed into Cyber Elves.

This conversation is lively and filled with questions from a variety of engaged audience members. (Thank you to everyone who contributed). Questions range from career advice for aspiring Cyber Threat Analysts, to certain threats exploding in popularity, to a reflection of 2023.

The Discarded Podcast team would like to take a moment and thank the following people for their contributions to the Cyber Security Landscape this year:

Pim Trouerbach
Kelsey Merriman
Tommy Madjar
Bryan Campbell
Greg Lesnewich
Kyle Eaton
Joe Wise
Emerging Threats team
The overall Proofpoint Team, including, but not limited to our PR and marketing teams

Resources mentioned:

Youtube: Katie Nickels Sans Threat Analysis Rundown

https://www.sans.org/cyber-security-courses/cyber-threat-intelligence/

https://www.networkdefense.co/courses/investigationtheory/

https://www.nbcnews.com/tech/tech-news/how-online-romance-scams-netting-millions-self-harm-rcna85252

https://medium.com/mitre-attack/attack-v14-fa473603f86b

https://medium.com/katies-five-cents/a-cyber-threat-intelligence-self-study-plan-part-1-968b5a8daf9a

https://medium.com/katies-five-cents/a-cyber-threat-intelligence-self-study-plan-part-2-d04b7a529d36

https://www.atlanticcouncil.org/in-depth-research-reports/report/sleight-of-hand-how-china-weaponizes-software-vulnerability/

https://www.wired.com/story/gadget-lab-podcast-621/

https://www.wired.com/story/mirai-untold-story-three-young-hackers-web-killing-monster/

For more information, check out our website.

I Know This Might Sound Crazy but Russia’s TA422 Blasted Lots of Exploits

Tue, 12 Dec 2023 04:00:03 -0500

Send us fan mail!

Tis the season for understanding TA422’s latest activity AND for singing podcast guests!

Today’s returning guest is Greg Lesnewich, Senior Threat Researcher at Proofpoint. He sheds light on the tactics, techniques, and procedures (TTPs) employed by TA422. The conversation touches on the significance of the high volumes observed starting in late summer, the exploitation of vulnerabilities for NTLM credential harvesting, and the brief usage of the WinRAR vulnerability.

They touch upon the potential reasons behind the group's choices, considering factors such as resourcing, tactical decisions, and a shift towards speed and efficiency. There is also consideration about connecting TA422's activities to broader trends in threat actor behavior, such as a shift towards living off the land techniques and a focus on social engineering for initial access.

The conversation continues on the following topics:

[11:17] TA422 Recent Activity
[13:30] Campaign’s using CVE 2023 23397
[18:35] Winrar activity
[22:50] October & November activity
[26:50] Guest Singing Spotlight
[29:30] Noticeable differences in campaigns

Resources mentioned:
TA422 Proofpoint Blog: https://www.proofpoint.com/us/blog/threat-insight/ta422s-dedicated-exploitation-loop-same-week-after-week

Google TAG Report on WinRAR Exploits: https://blog.google/threat-analysis-group/government-backed-actors-exploiting-winrar-vulnerability/amp/

Selena’s Cyber Tunes Playlist: https://open.spotify.com/playlist/7GqH7SefgiI1UtYNjQ5svg?si=vO2Ao-lTTSuCCVfgfgcUfw&pt=97da5ebbd320a4f79014b1f205fc8438&pi=u--xbfwSuHSE-T

Wired story on Sandworm: https://www.wired.com/story/sandworm-ukraine-third-blackout-cyberattack/

For more information, check out our website.

MITRE ATT&CK Evolves with Cyber Threat Sophistication

Wed, 29 Nov 2023 04:00:03 -0500

Send us fan mail!

Take a deep dive with us into the incomparable MITRE ATT&CK Framework, a comprehensive knowledge base that catalogs real-world threat actor behaviors derived from threat intelligence.

Today’s guests are our great friends at MITRE ATT&CK, Adam Pennington (Attack Lead), and Patrick Howell O’Neill, (Lead Cyber Operations Analyst). They explore how the Framework serves as a common language for communicating adversary threat behaviors and discuss its evolution from an internal project to a community-driven resource.

The latest version of the MITRE ATT&CK Framework version 14 was released on Halloween, emphasizing new features like the addition of new defensive information and techniques they previously said no to including. They discuss the decision-making process behind incorporating new techniques, such as Financial Theft, Impersonation, Phishing: Spearphishing Voice, and Phishing for Information: Spearphishing Voice.

The conversation continues on the following topics:
[5:00] MITRE ATT&CK Framework
[9:25] Improving cybersecurity detection
[13:00] New ATT&CK techniques
[16:00] Decisions about which techniques to add
[23:00] Mobile ATT&CK
[30:00] Decisions about which trends to include
[37:00] Feedback about the Framework

Resources mentioned:
What is the MITRE ATT&CK Framework?
https://attack.mitre.org/
https://medium.com/mitre-attack/attack-v14-fa473603f86b

For more information, check out our website.

Looking Behind the Curtain at the Palestinian-Aligned TA402

Tue, 14 Nov 2023 04:00:03 -0500

Send us fan mail!

While the current Israeli/Palestinian conflict is on everyone’s minds, how many are thinking about the repercussions of cyber security?

Today’s guest is returning guest, Joshua Miller, Senior Threat Researcher on the APT team at Proofpoint. While he focuses on different Middle East, North African state-aligned threats, he is talking today about a Palestinian-aligned threat group coined TA402.

While there is no direct link to Hamas, their activities support the Palestinian Territories. Joshua paints a vivid picture of TA402's usual targets, strategies, and tactics, highlighting their geofencing techniques and their crafty use of compromised government agency accounts. The recent evolution of their attack chain, involving Dropbox and DLL side loading, is dissected in intricate detail, offering a glimpse into the evolving landscape of cyber threats.

This discussion not only provides insights into TA402's modus operandi but also emphasizes its distinctiveness from its previous malware campaigns.

TIMESTAMPS
[1:35] Length of time tracking TA402
[3:00] Differences between known government threat actors vs TA402
[7:00] Other groups involved in the Israeli/Palestinian War
[10:40] Normal victimology from this type of threat actor
[12:30] Comparison of tactics that TA402 is deploying
[19:20] Difficulties in tracking TA402

Resources mentioned:
Ugg Boots 4 Sale: A Tale of Palestinian-Aligned Espionage
New TA402 Molerats Malware Targets Governments in the Middle East
https://malpedia.caad.fkie.fraunhofer.de/actor/aridviper
https://www.proofpoint.com/us/blog/threat-insight/exploiting-covid-19-how-threat-actors-hijacked-pandemic

For more information, check out our website.

Unmasking the Tricksters: The World of Fake Browser Updates

Tue, 31 Oct 2023 04:00:04 -0400

Send us fan mail!

How can you tell when a website (yes, a website) is compromised? These threats are pretty crafty because they aren't out to target specific individuals; they just wait for folks like you and me to innocently click on compromised websites during our regular browsing.

But these threats don't stop at casual browsing. They sneak into emails, social media, search engines, and even web alerts. They're like chameleons, adapting to different situations.
Our guest today is Dusty Miller, a Threat Detection Analyst at Proofpoint. He identifies four key groups: SocGholish, RogueRaticate/FakeSG, ZPHP/SmartApeSG, and ClearFake. Each has its own style and tricks, but they all love using that tempting fake browser update ruse.

These threats work because they exploit our trust in websites we've visited before. Users tend to trust websites they've visited before, making them more susceptible to clicking on fake browser update prompts.

Responding to these threats isn't a walk in the park for defenders. To tackle them effectively, you need to pinpoint which specific threat you're dealing with and respond accordingly. It's like playing a game with multiple rulebooks; you've got to know which one you're up against.

TIMESTAMPS
[1:45] Fake Browser Opportunities
[5:00] Threat Actors Using Malware
[9:00] Browser Malware Clusters & Tactics
[18:00] Combating Fake Updates
[19:00] Naming New Malware
[28:00] Why These Threats

Resources mentioned:
Dr. Bob Hausmann Episode
“Are You Sure Your Browser is Up to Date?...” by Dusty Miller

For more information, check out our website.

Decoding the Malware Maze: Insights From a Threat Researcher

Tue, 17 Oct 2023 04:30:03 -0400

Send us fan mail!

Oh the days when spam was the only concern for email security!

Our guest today is Chris Wakelin, a Senior Threat Researcher at Proofpoint. He recounts the era when email attachments were plain text, and the concept of malicious URLs had yet to become prevalent. Chris was a pioneer in implementing email security measures and recalled introducing Spam Assassin, an early open-source program for spam detection, at his university.

Chris emphasized his belief in not shipping emails into a black hole (where emails are never seen by humans and they do not return error but instead directing them to spam folders or rejecting them at the gateway.) He stressed the importance of precision in cybersecurity, a lesson learned from his mathematical background.

TIMESTAMPS
[5:00] First Spam Filtering Implementation
[6:00] Spam Assassin
[12:15] Differences between static/dynamic detections and various signatures
[14:00] Running the Sandbox
[19:00] Naming New Malware
[23:50] Best Practices

Resources mentioned:
LCG Kit Blog
TA 558 Blog
ET Open Rule Set

For more information, check out our website.

Obfuscated: Online Threats and the Visually Impaired

Wed, 04 Oct 2023 04:00:03 -0400

Send us fan mail!

Billions of dollars in losses is bad enough. But when a friend loses $1,000 on a platform he trusted, online fraud gets personal.

In this podcast episode, we dive deep into the world of online fraud with the personal account of Tim Utzig, a Senior Associate Analyst at Anser and friend of his Selena Larson. Utzig, who is blind, lost $1,000 in an online scam. His story highlights the difficulties and risksof being a person with a disability in an online world that enables cyber crime and often neglects accessibility.

Timothy Kromphardt, an email fraud researcher at Proofpoint, used his expertise tracking scams and engaging directly with threat actors to help Utzif recover. He explains the complexities of cyber crime investigations and the roadblocks to bringing scammers to justice.

TIMESTAMPS
[1:00] Twitter scam story
[6:00] Viewing images with a screen reader
[8:45] Scam Busting
[12:30] Cautions to scam busting
[17:40] Unraveling the Twitter scam follow up
[20:20] Involvement of the police force & government
[26:35] Protection techniques for people with disabilities
[27:20] Key characteristics of fraud

Resources mentioned:
https://www.wired.com/story/twitter-laptop-scam-hunters/

For more information, check out our website.

DISCARDED: Live with John Hultquist!

Fri, 22 Sep 2023 04:00:02 -0400

Send us fan mail!

Live from New York City, it’s your Discarded podcast team at Protect 2023! Joining Selena Larson, is our special guest, John Hultquist, Chief Analyst at Mandiant, now part of Google Cloud.

They discuss various cybersecurity threats and activities of nation-states like Russia, China, and North Korea. China stands out as it hasn't executed significant destructive cyberattacks like its peers. Most of China's cyber activity involves intellectual property theft, targeting dissidents, and espionage. However, there's growing concern about their interest in critical infrastructure, particularly in times of geopolitical tension. Russia, on the other hand, has a history of destructive and disruptive attacks, such as those seen in the Middle East and South Korea.

They also discuss the role of threat intelligence and information sharing in combating cyber threats, emphasizing the importance of responsible government involvement in providing leads to the cybersecurity community.

Of course, the influence of AI in cyber threat creation is also covered, particularly in generating fake media and content.

[4:00] China sets themselves apart
[8:00] Concerns about cyber enabled kinetic impacts
[14:00] Thoughts about Russia and Ukraine
[20:00] Techniques that analysts would find helpful
[24:00] Target anticipations for 2024

Resources mentioned:

https://www.mandiant.com/resources/blog/threat-actors-generative-ai-limited
https://www.cyberwarcon.com/https://www.goodreads.com/en/book/show/41436213
https://www.reuters.com/article/us-france-election-macron-cyber-idUSKBN17Q200
https://www.helpnetsecurity.com/2015/07/08/sophisticated-successful-morpho-apt-group-is-after-corporate-data/
https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/
https://www.mandiant.com/resources/blog/attackers-deploy-new-ics-attack-framework-triton
https://podcast.silverado.org/episodes/how-russian-intelligence-operatives-have-attacked-ukraine-in-cyberspace-interview-with-ukrainian-security-service

For more information, check out our website.

From Rio to Madrid: Unmasking the Brazilian Banking Malware Wave

Tue, 05 Sep 2023 10:10:07 -0400

Send us fan mail!

Regardless of location, it’s important to understand what is happening in the global threat landscape because we are a global economy. What affects one region may affect one closer to home.

Part of the reason Brazil has become a recent hotbed is the amount of online population is expanding rapidly. Today’s guest, Jared Peck (Senior Threat Researcher at Proofpoint), dives deeper into his knowledge of this region and breaks down the unusual characteristics.

[3:30] The threat landscape in Brazil
[5:20] Brazilian banking malware being financially motivated
[9:10] Credential theft in Brazil
[13:30] Identifying threat actor clusters
[17:00] Types of Brazilian campaigns
[21:00] Diversity of malware leaders

For more information, check out our website.

Everything Comes Back in Style: How Old TTPs are Remerging in China's E-Crime Ecosystem

Tue, 22 Aug 2023 04:00:03 -0400

Send us fan mail!

Just like a forensic scientist, the job of a threat analyst is to search for the digital fingerprints. The key is to have a starting reference point, and then being able to see what is off from there.

Our guest today is Bryan Campbell, a Staff Threat Analyst at Proofpoint. He breaks down what is happening on the China cybercrime threat landscape, as well as, the importance of staying aware of past trends.

Join us as we also discuss:
[7:09] The Renaissance of Chinese malware in email data
[12:05] Chinese themed malware and malware families
[13:55] The campaigns delivering this type of malware
[20:00] How the China cybercrime landscape has changed
[25:04] Expectations for the future
[28:32] LLMs being used for these circumstances

For more information, check out our website.

It Works on My Machine: Why and How Engineering Skills Matter in Threat Research

Tue, 08 Aug 2023 04:00:02 -0400

Send us fan mail!

Engineering skills can play a massively beneficial role in cyber security, as Pim Trouerbach, a Senior Reverse Engineer at Proofpoint and Jacob Latonis, Senior Threat Research Engineer at Proofpoint, are able to share.

They emphasize the importance of understanding the requirements and context of security researchers to build effective tools. The conversation touches on the potential impact of AI and LLMs (large language models) in threat research. While AI tools can be valuable for entry-level tasks, the context, experience, and expertise of human engineers are essential for handling complex code and understanding threat actors' behaviors.

Join us as we also discuss:
[02:59] The uniqueness of engineering skills in understanding researchers' requirements for data cleaning, tool development, and working in a security environment.

[11:06] How the versioning in malware samples can provide insights into the threat actors' behavior and trajectory.

[13:24] How malware is simply software with malicious intent, and how practices of developers and threat actors can overlap.

[17:10] The tools and techniques used by threat actors, including obfuscation and encryption methods.

[21:42] The importance of context and experience in writing tools and understanding researchers' workflows.

For more information, check out our website.

An Apple a Day Won't Keep Iranian APT Away: How TA453 Targets Macs

Tue, 25 Jul 2023 04:00:03 -0400

Send us fan mail!

What is new with Iranian actor TA453, and what is happening with their attack chains?
To answer these questions, today’s guest is Joshua Miller, a Senior Threat Researcher on the APT team at Proofpoint. Since his last visit, Joshua has published new research on TA453, highlighting new malware and social engineering techniques, which can be found here.

Join us as we discuss the following:
[1:25] What’s new with threat actor T453
[2:35] Multi Persona Impersonation
[6:25] Use case of LNKs in the attack chain
[8:10] Use of free cloud services
[11:15] Attacking different operating systems
[16:15] Convoluted attack chains
[27:40] Collaborating with researchers, like Dropbox

For more information, check out our website.

Threats and Risks in the Global South

Tue, 11 Jul 2023 04:00:03 -0400

Send us fan mail!

When researching cyber threats, there is a bias towards to the West and most of Europe. But what about the global majority?

Today’s guest is Martijn Grooten, a Digital Security Threat Analyst with Internews. With 16 years of experience in cybersecurity, he has recently focused on the impact of security for at risk groups and people.

Join us as we discuss the following:

Outdated ideas of security for the general public
Common trends geographically
The distinction of threats between devices

For more information, check out our website.

Resources:
Martijn’s BotConf talk: https://youtu.be/CcqOy6WdUjw
Martijn on social media: Twitter, Mastodon, LinkedIn

Weird & Wacky Researcher Summer: The Artifacts & Detections Edition

Tue, 27 Jun 2023 04:00:03 -0400

Send us fan mail!

It's shaping up to be a weird and wacky summer for threat researchers.

While it’s been quieter on the front end, there are still many stories to share with some weird and wacky incidents. This episode also includes a fun, dramatized read of an email tactic.

Join us as we discuss the following:

Where the team identifies on the Cyber Alignment Chart
Use of celebrity names within email lures
Recent PDF antics
Updates about activity from current threat actors

For more information, check out our website!

It's Summertime: What’s the E-crime Vibe?

Wed, 14 Jun 2023 13:16:11 -0400

Send us fan mail!

Who’s quiet and who’s making noise? What’s the backchannel chatter over at Proofpoint?

Proofpoint threat researchers Joe Wise and Pim Trouerbach join this week’s episode to discuss the e-crime vibe for the first half of 2023.

Join us as we discuss the following:

Emotet’s activity, or lack thereof
Chaotic vibes from IcedID
TA570 and TA577 setting trends

When the Threat Profile is High: Protecting At-Risk Individuals Online

Tue, 30 May 2023 13:12:32 -0400

Send us fan mail!

How does cybercrime threaten individual reporters? What about an entire newsroom?
What if you’re an average person who suddenly becomes the center of a dark conspiracy theory?

Welcome to the world of cybersecurity for at-risk individuals. In this episode, renowned cybersecurity expert, Runa Sandvik joins to talk about her work protecting journalists and newsrooms from powerful attackers.

Join us as we discuss the following:

Protecting personal and corporate devices and accounts for high risk individuals
Common security gaps found in highly targeted organizations
Effectively using cybersecurity tools
Communicating cybersecurity guidance in the workplace

Resources:

The Spies and Stalkers of Surveillance Capitalism

Tue, 16 May 2023 10:45:05 -0400

Send us fan mail!

A brief note on content for today's episode, we are going to be discussing or mentioning stalking, domestic abuse, and sex trafficking in today's show.

If you’re a threat actor with a million dollar budget targeting high ranked targets like dissidents, activists, journalists and politicians, how do you do it? What if you’d like to stalk your neighbor, or your ex?

In this episode, Proofpoint security research engineer, Chris Talib discusses high-ticket mobile spyware, the proliferation of low-cost stalkerware, surveillance capitalism and why he believes technology can’t solve social problems.

Join us as we discuss the following:

Mobile spyware tools
The impact of low cost stalkerware
Moral and ethical implications of developing spyware
The role of governments,organizations and activists in protecting citizen’s right to privacy

Resources:

Beyond Banking: IcedID Gets Forked

Tue, 02 May 2023 08:00:02 -0400

Send us fan mail!

At least three threat actors are ushering in a new era for IcedID, originally classified as banking malware in 2017. In this episode, Proofpoint researchers, Joe Wise and Pim Trouerbach, are here to share their research on the Lite and Forked IcedID variants

Join us as we discuss the following:

Lite IcedID Variant
Forked IcedID Variant
The key differences between the variants
Which operators the Proofpoint team hypothesizes are behind the attacks

Resources:
https://www.proofpoint.com/us/blog/threat-insight/fork-ice-new-era-icedid

“Did I miss you in Orlando?”: The Rise of SMS Phishing

Tue, 18 Apr 2023 03:00:02 -0400

Send us fan mail!

In this podcast episode, Proofpoint senior threat researcher, Adam McNeil, joins us to talk about conversational SMS phishing. These campaigns target mobile devices and often start with a simple, innocuous question.

“Are you coming to dinner tomorrow?” can lead to anything from fraud to impersonation to financial schemes and is considered a $3 billion threat.
In this episode, we discuss the following:

Why a threat actor would choose a conversational SMS campaign
Different scams associated with conversational SMS phishing
Lack of awareness surrounding mobile threats

Staying Ahead of Cloud-Based Threats: Insights on today's threat landscape

Fri, 07 Apr 2023 13:18:50 -0400

Send us fan mail!

Cloud threats are a growing concern due to users' and organizations' increasing adoption of cloud computing. It's crucial to develop the skills needed to identify and analyze cloud-based threats and know the latest security tools and techniques to detect, prevent, and respond to cloud-based attacks.

Ultimately, security researchers and analysts play a critical role in helping organizations mitigate cloud-related risks and ensure the security of their cloud environments. In this episode, Eilon Bendet, from the Proofpoint cloud threat research team, joins us to discuss the cloud threats he is seeing.
In this episode, we discuss the following:

Cloud threat Detection and landscape
Main objectives for threat actors when they leverage the cloud
How users and organization can best protect themselves

Additional Resources:
Cloud Threats & Cloud Threat Landscape

https://www.proofpoint.com/us/threat-reference/casb

https://www.proofpoint.com/us/corporate-blog/post/dont-let-cloud-threats-rain-your-parade

https://www.proofpoint.com/us/corporate-blog/post/microsoft-office-365-attacks-circumvent-multi-factor-authentication-lead-account

https://www.proofpoint.com/us/blog/cloud-security/proofpoint-discovers-potentially-dangerous-microsoft-office-365-functionality

https://www.proofpoint.com/us/blog/cloud-security/proofpoint-analyzes-potentially-dangerous-functionality-microsoft-sway-enables

https://www.proofpoint.com/us/resources/webinars/deep-dive-latest-cloud-threats-microsoft-environments

Cat-phishing Dogfighters

Tue, 21 Mar 2023 13:01:37 -0400

Send us fan mail!

In the cyber threat intelligence and cybersecurity world, there is a growing recognition of the value of professionals with diverse backgrounds and skillsets. While many individuals in the field come from traditional computer science or engineering backgrounds, there is also a trend of people entering the field from unexpected paths. Sarah Sabotka, Senior Threat Researcher at Proofpoint, joins us on this episode to discuss her background in animal cruelty investigations.
In this episode, we discuss the following:

What a typical day in the life of an animal cruelty investigator looks like
How Sarah used social engineering and open-source intelligence (OSINT) to build cases
How non-traditional skills and experiences have translated to success in infosec

Resources:

Keep up with the latest tales from the threat research trenches by subscribing to DISCARDED in Apple Podcasts, Spotify, or wherever you get podcasts. Thanks for listening!

Prank or Propaganda? TA499 Pesters Politics

Tue, 07 Mar 2023 14:57:20 -0500

Send us fan mail!

In this episode, Zydeca Cass, Senior Threat Researcher at Proofpoint, joins the show to discuss Russia-aligned threat actor TA499. Zydeca dives into what makes tracking this threat actor so unique.

Join us as we discuss:

Who TA499 are and what they do
What makes their activity a cyber threat others should pay attention to
What their activity tells us about Russia-aligned groups
How to prevent being exploited

Check out these resources we mentioned:

Keep up with the latest tales from the threat research trenches by subscribing to DISCARDED in Apple Podcasts, Spotify, or wherever you get podcasts. Thanks for listening!

A Venture Mindset: North Korean Actors Go Beyond Espionage

Tue, 21 Feb 2023 11:31:19 -0500

Send us fan mail!

We’ve discussed a handful of APT actors on the Discarded podcast, like Russia, Iran, China and Turkey. In this episode, we dive into the isolated world of North Korean aligned actors with Sr. Threat Researcher, Greg Lesnewich.

In this episode, we discuss the following:

The role DPRK’s culture of isolation has played in its approach to cyber espionage
Overview of TA444 and what makes them different in the landscape
TA444s relationship with cryptocurrency

Resources:

Why Do We Click? Understanding the Psychology of Social Engineering

Wed, 08 Feb 2023 09:35:54 -0500

Send us fan mail!

Social engineering is a technique used by attackers to manipulate individuals into performing actions that may put their personal or sensitive information at risk. Attackers know the biggest weakness in cybersecurity is humans—and with this, leverage socially engineered phishing emails to manipulate the human psychology. In this episode, we have Dr. Bob Hausmann, Learning and Assessment Architect, joining us to discuss the psychology behind user engagement with phishing.

In this episode, we discuss the following:

The Zone of Proximal Development
What the Adaptive Learning Framework is
Where ethical lines should be drawn with phishing simulations
Psychology of social engineering in threat actor approaches

Additional resources:

https://www.proofpoint.com/us/blog/security-awareness-training/adaptive-learning-framework-security-awareness-training
https://www.forrester.com/report/the-future-of-security-awareness-and-training/RES178339
https://www.ncsc.gov.uk/blog-post/telling-users-to-avoid-clicking-bad-links-still-isnt-working
https://twitter.com/threatinsight/status/1612888307645485086
Daniel Pink Autonomy, Mastery & Purpose: https://www.youtube.com/watch?v=rbR2V1UeB_A&feature=youtu.be
https://www.proofpoint.com/us/blog/threat-insight/exploiting-covid-19-how-threat-actors-hijacked-pandemic
Stay Puft Marshmallow Man: https://www.youtube.com/watch?v=2zhDfUAQSbs&ab_channel=Ghostbusters
2023 State of the Phish Report: Publishing on February 28, 2023 on proofpoint.com

New Year, New Threats: Prepping for the 2023 Threat Landscape

Tue, 24 Jan 2023 14:55:19 -0500

Send us fan mail!

A new year has arrived! The 2022 threat landscape had some extremely notable activity, from Russian APT actors to Microsoft's blocking of macros. We saw a lot and can guarantee threat actors won't be slowing down in 2023 and will continue to be a major threat to organizations. In this episode, Threat Research Managers, Alexis Dorais-Joncas, Rich Gonzalaz and Daniel Blackford, join us to share their perspectives on the 2023 threat landscape. Join us as we discuss the following:

What our experts are anticipating in 2023
How vulnerabilities help in detection creation
Emerging techniques that could be used by malicious actors

Additional resources:

Keep up with the latest tales from the threat research trenches by subscribing to DISCARDED in Apple Podcasts, Spotify, or wherever you get podcasts. Thanks for listening!

Confidence, confusion, cashout: How pig butchering is blindsiding victims

Tue, 10 Jan 2023 10:58:36 -0500

Send us fan mail!

Threat actors are disarming their victims with a new approach: The long game. Instead of asking for money or gift cards upfront, they build a connection and confidence until they cash in on the big payout. In this episode of Discarded, Selena Larson and Crista Giering are joined by Proofpoint team members: Tim Kromphardt, Email Fraud Researcher, and Genina Po, Threat Analyst, to discuss socially engineered attacks and how victims are tricked.

Join us as we discuss:

Understanding what pig butchering is
How the scam blindsides victims
The evolution of the fraud from China to other countries in Asia

Resources mentioned:

Keep up with the latest tales from the threat research trenches by subscribing to DISCARDED in Apple Podcasts, Spotify, or wherever you get podcasts. Thanks for listening!

Holiday Happy Hour: 12 Faves of Threat Research

Wed, 28 Dec 2022 12:02:53 -0500

Send us fan mail!

As the end of year is rapidly approaching, it’s important to reflect back on some of the top learnings for the year. In this special holiday edition of The Discarded podcast, Selena and Crista are joined by Mindy Semling, Podcast Producer at Proofpoint, to answer questions on their favorite things from threat research over the past year — from blogs to malware to holiday songs, we cover it all. Join us as we discuss:

Celebrating the year
The 12 favorites
A thank you to our guests

Resources mentioned:

https://www.proofpoint.com/us/blog/threat-insight/exploiting-covid-19-how-threat-actors-hijacked-pandemic
https://www.proofpoint.com/us/blog/threat-insight/broken-dreams-and-piggy-banks-pig-butchering-crypto-fraud-growing-online
https://www.proofpoint.com/us/blog/threat-insight/bumblebee-is-still-transforming
https://medium.com/mitre-attack/intelligence-failures-of-lincolns-top-spies-what-cti-analysts-can-learn-from-the-civil-war-35be8d12884
For more research, check out the Proofpoint Threat Insight blog: https://www.proofpoint.com/us/blog/threat-insight

Keep up with the latest tales from the threat research trenches by subscribing to DISCARDED in Apple Podcasts, Spotify, or wherever you get podcasts. Thanks for listening!

AMA Answers From the Threat Research Trenches

Tue, 13 Dec 2022 11:46:53 -0500

Send us fan mail!

In this highly entertaining episode of DISCARDED, Selena Larson and Crista Giering host a wild round of “Ask Me Anything,” with Sherrod DeGrippo, VP of Threat Research and Detection, and Daniel Blackford, Threat Researcher at Proofpoint.
Featuring insightful questions from listeners and former guests, these industry experts cover a wide range of topics, from silly to serious.
Join us as we discuss:
The most boring malware and common threat actor mistakes
New developments in Ukraine and the Global South
A proliferation of mobile malware and sports-related attacks

Keep up with the latest tales from the threat research trenches by subscribing to DISCARDED in Apple Podcasts, Spotify, or wherever you get podcasts. Thanks for listening!

The Many-Faced Threat: Multi-Persona Impersonation (MPI) In Your Inbox

Tue, 29 Nov 2022 14:23:14 -0500

Send us fan mail!

Social proof is a potent tool, even in the absence of direct support. When someone is pressured to do something in the presence of trusted peers, they are more likely to follow through unless someone objects. Unfortunately, threat actors have taken notice and are investing significant time and resources into looking like a trusted party to gain access to your personal information.
Josh Miller and Sam Scholten join this episode to share their experiences with the evolving intellect of attackers and their multifaceted breach strategies. Using multi-persona impersonation (MPI), attackers establish multiple accounts and increase trust by manipulating social validation — a psychological tool.
Join us as we discuss:
The evolution of MPIs
Email fraud taxonomy
The role of MPI in business email compromise

Resources:
https://www.proofpoint.com/us/blog/threat-insight/ta453-uses-multi-persona-impersonation-capitalize-fomo
https://www.proofpoint.com/us/blog/threat-insight/bec-taxonomy-proofpoint-framework

Keep up with the latest tales from the threat research trenches by subscribing to DISCARDED in Apple Podcasts, Spotify, or wherever you get podcasts. Thanks for listening!

Machine Learning Is a Party With Camp Disco!

Tue, 08 Nov 2022 19:04:43 -0500

Send us fan mail!

In this episode, Dr. Zachary Abzug, Manager and Tech Lead of Data Science at Proofpoint joins the show to discuss a machine learning enabled tool called Camp Discovery, AKA Camp Disco and the importance of the human interaction required for making use of machine learning in malware detection.
Join us as we discuss:
What exactly Camp Disco is and the need/idea behind its creation
How Camp Disco played a role in the discovery of Chocolatey threat activity
Why Camp Disco uses its own neural network language model instead of an existing language model
Natural Language Processing and how to teach a computer to speak “malware”

Check out these resources we mentioned:
https://www.proofpoint.com/us/blog/engineering-insights/using-neural-network-language-model-instead-of-bert-gpt
https://www.proofpoint.com/us/blog/threat-insight/asylum-ambuscade-state-actor-uses-compromised-private-ukrainian-military-emails
https://www.proofpoint.com/us/blog/threat-insight/emotet-tests-new-delivery-techniques
https://www.proofpoint.com/us/company/careers

Keep up with the latest tales from the threat research trenches by subscribing to DISCARDED in Apple Podcasts, Spotify, or wherever you get podcasts. Thanks for listening!

Reservation Confirmed: Threat Actors Visiting the Hospitality World

Tue, 25 Oct 2022 11:47:12 -0400

Send us fan mail!

In this episode, Joe Wise, Threat Researcher at Proofpoint, joins the show to discuss his and Selena’s research into a small e-crime actor, TA558 and its targeting against the hospitality and travel e-crime sector since at least 2018.
Join us as we discuss:
Classifying threat actors and how it relates to s’mores
Understanding e-crime vs. APT actors
Why hospitality and travel e-crimes are still successful
TA558’s TTPs and how their consistencies have aided in Proofpoint’s attribution of their activity over the years
Joe shares his theories on why TA558 uses so many different malware types

Check out these resources we mentioned:
https://www.proofpoint.com/us/blog/threat-insight/reservations-requested-ta558-targets-hospitality-and-travel
https://embed.sounder.fm/play/299042

Keep up with the latest tales from the threat research trenches by subscribing to DISCARDED in Apple Podcasts, Spotify, or wherever you get podcasts. Thanks for listening!

The Hallow-queen of Cybersecurity: Spooky and Sweet Takes with Sherrod DeGrippo

Tue, 11 Oct 2022 15:16:32 -0400

Send us fan mail!

Cybersecurity doesn't have to be spooky this Halloween.
In this episode, Sherrod DeGrippo, VP of Threat Research and Detection at Proofpoint, joins the show to discuss all things cybersecurity awareness so you can be prepared, not scared, this October. So grab a sweet treat and pull up a seat, the Hallow-queen is about to give her hot takes!
Join us as we discuss:
The growing risk of TOADs (Telephone Oriented Attack Delivery)
Benign phishing reconnaissance emails by threat actors
What you need to know to adapt to this ever changing threat landscape
Bring awareness to cybersecurity this October, even on ghost tours

Check out these resources we mentioned:
https://www.proofpoint.com/us/cybersecurity-awareness-hub
https://www.proofpoint.com/us/products/advanced-threat-protection/et-intelligence

Keep up with the latest tales from the threat research trenches by subscribing to DISCARDED in Apple Podcasts, Spotify, or wherever you get podcasts. Thanks for listening!

Investigating Wine Fraud with the Ransomware Sommelier

Tue, 27 Sep 2022 10:53:04 -0400

Send us fan mail!

All for wine, and wine for all. But only if it isn’t fraudulent.
In July 2022, Allan Liska, an analyst at Recorded Future and wine expert, released some new research on counterfeit wine, spirits and cheese. Allan joins the show as our first ever external guest to give us an overview of what that research entailed and the different types of wine fraud he’s observed. By the end of this episode, we’ll all be partners in cybercrime and wine.
Join us as we discuss:
What is wine fraud and the different types of fraud that fall under the counterfeit umbrella
How the pandemic impacted wine fraud due to happy hours
Some of the techniques that wine fraudsters are using to try to legitimize the fake wines
Allan’s favorite fall wines and recommendations for food pairings

Check out these resources we mentioned:
https://www.recordedfuture.com/lockdown-rise-wine-domain-scammer
https://www.recordedfuture.com/counterfeit-wine-spirits-cheese
https://www.proofpoint.com/us/blog/threat-insight/bec-taxonomy-invoice-fraud
https://www.decanter.com/wine-news/worlds-most-expensive-bottle-claimed-fake-as-renowned-collector-sued-93457/#:~:text=A%20billionaire%20Florida%20wine%20collector,to%20Thomas%20Jefferson%20are%20fakes
https://www.cbsnews.com/news/billionaire-spends-35m-to-investigate-400k-wine-fraud/
https://kermitlynch.com/
https://twitter.com/uuallan/status/1561124207727153153

Keep up with the latest tales from the threat research trenches by subscribing to DISCARDED in Apple Podcasts, Spotify, or wherever you get podcasts. Thanks for listening!

Hot off the Press: APT Actors Posing as Journalists

Tue, 13 Sep 2022 12:38:17 -0400

Send us fan mail!

In this episode, Joshua Miller and Michael Raggi, Senior Threat Researchers at Proofpoint, join the show to discuss APT groups targeting and impersonating journalists. Joshua, Michael, and Crista discovered during their research how APT actors use journalist and their leads as a form of espionage to collect sensitive information.
Join us as we discuss:
Proofpoint’s unique report on APTs targeting journalists and insight into the motivations behind these attacks
Understanding the “why” behind threat actors targeting or posing as journalists and media organizations
The most common methods APT actors use in these campaigns to target or pose as journalists
Stories about threat actors from China, Iran, Turkey, and more

Check out these resources we mentioned:
https://www.proofpoint.com/us/blog/threat-insight/above-fold-and-your-inbox-tracing-state-aligned-activity-targeting-journalists
Previous episode with Joshua: https://podcasts.apple.com/us/podcast/apt-attribution-trials-and-tribulations-from-the-field/id1612506550?i=1000571269986
Previous episode with Michael: https://podcasts.apple.com/us/podcast/web-bugs-the-tubthumping-tactics-of-chinese-threat/id1612506550?i=1000558705940

Keep up with the latest tales from the threat research trenches by subscribing to DISCARDED in Apple Podcasts, Spotify, or wherever you get podcasts. Thanks for listening!

Misfits Managed: Breaking Down Misfit Malware

Tue, 23 Aug 2022 11:00:39 -0400

Send us fan mail!

In this episode, Sara Sabotka Senior Threat Researcher on the field-facing team at Proofpoint, joins the show to chat about Misfit Malware. Although it is sometimes referred to as commodity malware, this kind of malicious software is anything but boring. You’ll want to stick around to find out who belongs on the Island of Misfit Malware and the importance of paying attention to the little gang of misfits.
Join us as we discuss:
How do foreign threat actors go about acquiring commodity malware and how much does it cost?
Why Misfit Malware is sometimes easily overlooked by security researchers and defenders
Key characteristics of lures that are commonly used by threat actors who use Misfit Malware

Keep up with the latest tales from the threat research trenches by subscribing to DISCARDED in Apple Podcasts, Spotify, or wherever you get podcasts. Thanks for listening!

The Art of Threat Detection Engineering

Tue, 09 Aug 2022 13:19:51 -0400

Send us fan mail!

In this episode, Konstantin Klinger, Senior Security Research Engineer at Proofpoint, joins the show to chat about his role on the threat research team, focusing on DDX (Detonation, Detection, and Extraction). You won’t want to miss his breakdown of the Pyramid of Pain and how to utilize it for threat detection engineering.
Join us as we discuss:
Real-life examples of complex attack chain with multiple steps and how to they can be detected
Utilizing the Pyramid of Pain for threat detection engineering
How to write detections for geofencing
The perks of incorporating automated MITRE ATT&CK detections into your sandbox

Resources:
https://www.proofpoint.com/us/blog/threat-insight/new-threat-actor-uses-spanish-language-lures-distribute-seldom-observed-bandook
https://www.proofpoint.com/us/blog/threat-insight/new-ta402-molerats-malware-targets-governments-middle-east
https://www.proofpoint.com/us/blog/threat-insight/ugg-boots-4-sale-tale-palestinian-aligned-espionage
http://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html

Keep up with the latest tales from the threat research trenches by subscribing to DISCARDED in Apple Podcasts, Spotify, or wherever you get podcasts. Thanks for listening!

APT Attribution: Trials and Tribulations From the Field

Tue, 26 Jul 2022 17:44:30 -0400

Send us fan mail!

In this episode, Joshua Miller and Zydeca Cass, Senior Threat Researchers at Proofpoint, join the show to discuss attribution, specifically APT actor attribution. Joshua and Zydeca dive into their experiences of attribution successes and failures, sharing tales of threat actors impersonating Russian opposition leaders and an Iranian kidnapping plot in New York. As Crista says, the good, the bad and the ugly.
Join us as we discuss:
Understanding the difference between the two types of attribution
How attribution can be used in e-crime versus state-aligned investigation
Stories from Josh and Zydeca of threat actors they are tracking based in Russia and Iran

Check out these resources we mentioned:
https://twitter.com/ChicagoCyber/status/1521492543707430912
https://www.activeresponse.org/wp-content/uploads/2013/07/diamond.pdf
https://blog.talosintelligence.com/2022/01/iranian-apt-muddywater-targets-turkey.html
https://www.justice.gov/usao-sdny/pr/manhattan-us-attorney-announces-kidnapping-conspiracy-charges-against-iranian

Keep up with the latest tales from the threat research trenches by subscribing to DISCARDED in Apple Podcasts, Spotify, or wherever you get podcasts. Thanks for listening!

The Dark-Side of Cryptocurrency

Tue, 12 Jul 2022 10:21:17 -0400

Send us fan mail!

In this episode, Jared Peck, Senior Threat Researcher at Proofpoint, explains cryptocurrency and how bad actors are causing trouble with these new decentralized, anonymous currencies.
Join us as we discuss:
Credential harvesting and phishing
Malicious campaigns and extortion
Digital money laundering

Resources:
https://www.proofpoint.com/us/blog/threat-insight/how-cyber-criminals-target-cryptocurrency
https://twitter.com/ChicagoCyber/status/1521492543707430912
https://blog.talosintelligence.com/2022/01/iranian-apt-muddywater-targets-turkey.html
https://www.proofpoint.com/us/podcasts/threat-digest#113131
https://www.proofpoint.com/us/blog/threat-insight/advance-fee-fraud-emergence-elaborate-crypto-schemes

Keep up with the latest tales from the threat research trenches by subscribing to DISCARDED in Apple Podcasts, Spotify, or wherever you get podcasts. Thanks for listening!

A Day in the Life of a Threat Researcher: Emerging Threats Edition

Tue, 21 Jun 2022 15:24:46 -0400

Send us fan mail!

Tony Robinson, Threat Researcher, joins the podcast to share his expertise as a member of the Emerging Threats team at Proofpoint. Tony gives us an inside look into a day in his life as he and his teammates discover new strains of malware, respond to major vulnerabilities, and ensure that customers are protected. He also shares his advice for those interested in a career in Threat Research.
Join us as we discuss:
How the Emerging Threats team at Proofpoint impacts customers daily lives
Using cybersecurity rule-sets to find new strains of malware
Utilizing the open source security community to write new rules and stay up to date on the developing threat landscape
The difference between rules detecting threat behaviors vs. indicators of compromise

Check out these resources we mentioned:
https://www.proofpoint.com/us/products/advanced-threat-protection/et-intelligence
https://twitter.com/da_667/status/1512255056573255693
https://twitter.com/da_667/status/1503876806478385168

Keep up with the latest tales from the threat research trenches by subscribing to DISCARDED in Apple Podcasts, Spotify, or wherever you get podcasts. Thanks for listening!

The Buzz on Bumblebee Malware

Tue, 07 Jun 2022 14:15:00 -0400

Send us fan mail!

Float like a butterfly. Sting like Bumblebee malware.
In this episode, Kelsey Merriman, Threat Research Analyst, and Pim Trouerbach, Senior Reverse Engineer, both with Proofpoint, share their insights from their research of the new malware downloader called Bumblebee. You won’t want to miss their breakdown of Bumblebee’s unique characteristics and their predictions of how its features will develop over time.
Join us as we discuss:
The difference in tracking Crimeware versus AAPT
How threat actors are using Bumblebee
The exit of BazaLoader malware and its connection to Bumblebee

Check out these resources we mentioned:
https://www.proofpoint.com/us/blog/threat-insight/isnt-optimus-primes-bumblebee-its-still-transforming
https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti

Keep up with the latest tales from the threat research trenches by subscribing to DISCARDED in Apple Podcasts, Spotify, or wherever you get podcasts. Thanks for listening!

Social Engineering: How Threat Actors Manipulate Their Targets

Tue, 24 May 2022 17:15:00 -0400

Send us fan mail!

Threat actors always take the path of least resistance to their payday. But it's a mistake to think they aren't willing to put in the work to get a human to hand feed them.
Their attempts to manipulate their targets into taking action are called social engineering. What role do people play in cybersecurity?
In this episode, Daniel Blackford, Threat Researcher at Proofpoint, explains how bad actors capitalize on our humanity to attack us.
Join us as we discuss:
What lies beneath 95% of cyber attacks
The two factors that reduce people's sensitivity to threats
When social engineering content might be waiting for you

Check out these resources we mentioned:
https://www.proofpoint.com/us/blog/threat-insight/operation-spoofedscholars-conversation-ta453
https://www.proofpoint.com/us/blog/threat-insight/i-knew-you-were-trouble-ta456-targets-defense-contractor-alluring-social-media
https://www.proofpoint.com/us/blog/threat-insight/triple-threat-north-korea-aligned-ta406-scams-spies-and-steal
https://www.proofpoint.com/us/blog/threat-insight/operation-spoofedscholars-conversation-ta453
https://www.bankinfosecurity.com/kansas-man-faces-federal-charges-over-water-treatment-hack-a-16328
https://twitter.com/selenalarson/status/1224674562882834432

Keep up with the latest tales from the threat research trenches by subscribing to DISCARDED in Apple Podcasts, Spotify, or wherever you get podcasts. Thanks for listening!

Paying Attention to BEC: The Most Costly Threat by Individual Losses

Tue, 10 May 2022 14:00:00 -0400

Send us fan mail!

When you think about the most costly threat by personal losses, most people will assume ransomware.
The real threat, however, is business email compromise (BEC). But why aren’t more companies talking about it, then?
In this episode, Tim Kromphardt and Jake G. explain BEC and why organizations need to start paying more attention.
Join us as we discuss:
The definition of BEC & why companies are paying so little attention
Using Supernova to defend against email attacks
Reporting on employment fraud

Check out these resources we mentioned:
BEC Taxonomy: https://www.proofpoint.com/us/blog/threat-insight/bec-taxonomy-proofpoint-framework
Supernova: https://www.proofpoint.com/us/newsroom/press-releases/proofpoint-launches-industrys-first-cloud-native-information-protection-and
IC3 Report: https://www.ic3.gov/
TOAD blog post: https://www.proofpoint.com/us/blog/threat-insight/caught-beneath-landline-411-telephone-oriented-attack-delivery
Railroad theft: https://www.cnn.com/2022/01/14/economy/la-freight-railroad-theft/index.html

Keep up with the latest tales from the threat research trenches by subscribing to DISCARDED in Apple Podcasts, Spotify, or wherever you get podcasts. Thanks for listening!

Web Bugs & the Tubthumping Tactics of Chinese Threat Actor TA416

Tue, 26 Apr 2022 02:00:00 -0400

Send us fan mail!

Chinese Threat Actor TA416, otherwise known as Mustang Panda, has been active for a long time, and every time they get knocked down, they get up again.
In this episode, Michael Raggi, Senior Threat Researcher, and Pim Trouerbach, Senior Reverse Engineer, both with Proofpoint, give us an overview of TA416 — the “Tubthumping” villains of the threat landscape.
Join us as we discuss:
The evolving tactics of TA416
PlugX malware and control flow flattening
Tips for dealing with emerging threats

Check out these resources we mentioned:
Michael’s Twitter: https://twitter.com/aRtAGGI/status/1501030779480125441
https://www.proofpoint.com/us/blog/threat-insight/good-bad-and-web-bug-ta416-increases-operational-tempo-against-european
https://www.theregister.com/2022/03/09/china_apt41_mandiant_usaherds/
Tubthumping by Chumbawamba

Keep up with the latest tales from the threat research trenches by subscribing to DISCARDED in Apple Podcasts, Spotify, or wherever you get podcasts. Thanks for listening!

Defending Against Cyber Criminals: Emotet’s Resurrection & Conti’s Implosion

Tue, 12 Apr 2022 04:30:00 -0400

Send us fan mail!

Cybercriminals. They’re just like us.
With the Russia Ukraine conflict, Conti found itself at odds with internal team members over the issue — Eventually leading to self destruction.
Which begs the question: Are these organizations as impenetrable as we thought?
In this episode, we hear from Andrew Northern, Senior Threat Researcher at Proofpoint, about the resurrection of the Emotet malware, the Conti implosion, and advice to cyber defenders.
Join us as we discuss:
The journey leading to Emotet’s return
The importance of the Conti group leaks
What defenders should be thinking about against cyber threats

Check out this resource we mentioned:
Andrew's Twitter: https://mobile.twitter.com/ex_raritas
https://acn-marketing-blog.accenture.com/wp-content/uploads/2022/03/UPDATED-ACTI-Global-Incident-Report-Ideological-Divide-Blog-14MARCH22.pdf
https://www.wired.com/story/conti-ransomware-russia/
https://www.cnn.com/2022/03/30/politics/ukraine-hack-russian-ransomware-gang/index.html

Keep up with the latest tales from the threat research trenches by subscribing to DISCARDED in Apple Podcasts, Spotify, or wherever you get podcasts. Thanks for listening!

Threat Actor 2541: The Latest Tricks & Patterns

Tue, 29 Mar 2022 06:00:00 -0400

Send us fan mail!

How are threat actors like Olympic snowboard halfpipe athletes?
When their good tricks get stolen by competitors, they add new ones to their repertoire.
In this episode, we hear from Joe Wise, Threat Researcher at Proofpoint, about the latest tricks from TA2541 (and why it’s so fun to research that group).
Join us as we discuss:
Changes that TA2541 has made over time
Their current strategies and patterns
Snowboarding, Home Alone, and what makes TA2541 unique

Check out this resource we mentioned:
Charting TA2541's Flight | Proofpoint US

Keep up with the latest tales from the threat research trenches by subscribing to DISCARDED in Apple Podcasts, Spotify, or wherever you get podcasts. Thanks for listening!

The Troubling Rise of MFA Kits

Tue, 15 Mar 2022 18:53:41 -0400

Send us fan mail!

Until recently, threat actors haven’t really invested much time in MFA phish kits because not a lot of people used MFA. (Everyone needs MFA, full stop.)
Consequently, threat actors are using more advanced multi-factor authentication-enabled phish kits.
Find out why in our first episode of DISCARDED, where we hear from Tim Kromphardt, Email Threat Researcher at Proofpoint, about why MFA kits are sort of like Justin Bieber ticket thieves.
Join us as we discuss:
How MFA kits differ from ordinary phish kits
What threat actors and researchers have in common
A technical dive into transparent reverse proxies
Why you need multifactor authentication despite the rise of MFA kits

Check out these resources we mentioned during the podcast:
MFA PSA, Oh My!
Catching Transparent Phish: Analyzing and Detecting MITM Phishing Toolkits

Keep up with the latest tales from the threat research trenches by subscribing to DISCARDED in Apple Podcasts, Spotify, or wherever you get podcasts. Thanks for listening!

Discussing RTF Template Injection: A Malicious Phishing Attempt

Wed, 02 Mar 2022 14:07:00 -0500

Send us fan mail!

If you asked for M&M’s and received Skittles, you might pop a few in your mouth, but it won’t take long to realize something’s off.
This is exactly what’s happening with RTF files: Instead of the intended attachment, unaware companies are delivering these files and realizing later that they were actually malicious.
On this episode of Protecting People, hosts Selena Larson and Crista Giering chat with Michael Raggi, Senior Threat Research Engineer at Proofpoint, about RTF files, template injection, and campaigns using the technique in an effort to make sure customers aren’t being surprised with “Skittles.”
Join us as we discuss:
The importance of template injection
Campaigns using the technique
Widespread adoption of the RTF injection
Mitigating and monitoring the technique

Resource mentioned:
https://www.proofpoint.com/us/blog/threat-insight/injection-new-black-novel-rtf-template-inject-technique-poised-widespread

For more episodes like this one, subscribe to us on Apple Podcasts, Spotify, and the Proofpoint website, or just search for Protecting People in your favorite podcast player.