DISCARDED: Tales from the Threat Research Trenches is a podcast for security practitioners, intelligence analysts, and threat hunters looking to learn more about threat behaviors and attack patterns. Each episode you’ll hear real-world insights from our researchers about the latest trends in malware, threat actors, TTPs, and more.
Welcome to DISCARDED
S1 E75 · Tue, March 25, 2025
Hello to all our Remote Cyber Pals! Join host Selena Larson and guest host Tim Kromphardt, a Senior Threat Researcher, as they chat with Staff Threat Researcher Ole Villadsen from Proofpoint. They explore the broader shift from traditional malware to commercially available tools that fly under the radar, and how cybercriminals are increasingly abusing Remote Monitoring and Management (RMM) tools (sometimes called Remote Access Software) to gain initial access in email-based attacks.
Topics Covered:
The growing use of tools like ScreenConnect, Atera, and NetSupport in cyberattacks
How threat actors are shifting from traditional malware loaders to commercially available tools
TA583’s adoption of RMM tools as a primary attack method
The role of social engineering in phishing lures, including Social Security scams
The impact of cybersecurity influencers and scam-baiting YouTubers on threat awareness
The ongoing arms race between cybercriminals and defenders
From stealthy intrusions to shifting cybercrime trends, this conversation uncovers the critical threats organizations face in 2025.
Resources Mentioned:
https://www.proofpoint.com/us/blog/threat-insight/remote-monitoring-and-management-rmm-tooling-increasingly-attackers-first-choice
For more information about Proofpoint, check out our website.
Subscribe & Follow: Stay ahead of emerging threats, and subscribe! Happy hunting!
S1 E74 · Tue, March 11, 2025
Hello to all our Cyber Pals! Join host Selena Larson and guest hosts Sarah Sabotka and Tim Kromphardt, both Senior Threat Researchers from Proofpoint, as they dive into the realities of current social engineering schemes, especially during high-risk times like tax season. Cybercriminals exploit fear, urgency, and excitement to manipulate victims, from IRS impersonation scams and fraudulent tax payment requests to deepfake cons and TikTok frauds.
Our hosts dive into real-world examples, including:
tax-themed phishing attacks
tech support scams targeting the elderly
job scams leveraging Taylor Swift’s tour
They explore how AI is reshaping fraud tactics, why scammers still rely on outdated schemes like overseas financial windfalls, and how platforms like WhatsApp and Telegram play a role in modern cybercrime. Tune in to learn how these scams work, why they succeed, and—most importantly—how you can protect yourself. Check out our show notes for additional resources, and don’t forget to share this episode with friends and colleagues!
For more information about Proofpoint, check out our website.
Subscribe & Follow: Stay ahead of emerging threats, and subscribe! Happy hunting!
Tue, February 25, 2025
Hello to all our Cyber Pals! Join host Selena Larson and guest host Sarah Sabotka as they speak with Kyle Eaton, Senior Security Research Engineer at Proofpoint. They explore the evolving world of image-based threat detection and the deceptive tactics cybercriminals use to evade defenses. From image lures embedded in emails, PDFs, and Office documents to the surprising ways attackers reuse visuals across campaigns, this conversation breaks down how detection engineering is adapting to counter new threats. They also examine how AI is shaping both cyber deception and detection, raising the question of how generative AI is influencing image-based security. Listeners will gain insights into real-world detection successes, persistent threats like TA505 and Emotet, and the role of instincts in cybersecurity—because, as Selena notes, sometimes good detection is all about the vibes.
Key Topics Covered:
Characteristics of Image-Based Threats
Groups like TA505 and Emotet historically using recognizable image lures
OneNote-Based Malware Detection (2023) & the Challenges with OneNote
Shift to PDF-Based Threats
PDF Object Hashing for Attribution & Detection
Image-Based Threat Detection Insights
Generative AI’s Impact on Image-Based Threats
Join us as we uncover real-world detection wins, explore persistent threats like TA505 and Emotet, and dive into the importance of instincts in cybersecurity—because, as our guest puts it, sometimes good detection is all about the vibes.
Resources mentioned:
https://github.com/target/halogen
https://www.proofpoint.com/us/blog/threat-insight/onenote-documents-increasingly-used-to-deliver-malware
For more information about Proofpoint, check out our website.
Subscribe & Follow: Don't miss out on future episodes—subscribe to the Discarded Podcast on your favorite platform.
Wed, February 05, 2025
Hey Cyber Pals! This week we are doing a very special spotlight on a recent episode from Only Malware in the Building. Our very own Selena Larson also co-hosts on this fabulous podcast. Be sure to check it out and enjoy!
Find more OMIB: https://thecyberwire.com/podcasts/only-malware-in-the-building/9/notes
Welcome in! You’ve entered Only Malware in the Building. Join us each month to sip tea and solve mysteries about today’s most interesting threats. Your host is Selena Larson, Proofpoint intelligence analyst and host of their podcast DISCARDED. Inspired by the residents of a building in New York’s exclusive Upper West Side, Selena is joined by N2K Networks' Dave Bittner and Rick Howard to uncover the stories behind notable cyberattacks. Being a security researcher is a bit like being a detective: you gather clues, analyze the evidence, and consult the experts to solve the cyber puzzle. On this episode, since it is February (the month of love, as Selena calls it), we talk about romance scams known throughout the security world as pig butchering. And Rick's experiencing a bit of a Cyber Groundhog Day in his newly realized retirement.
Wed, January 22, 2025
Hello to all our Cyber Magicians! Join host Selena Larson and guest host Joshua Miller as they speak with Kristina Walter, the Chief of NSA’s Cybersecurity Collaboration Center. They explore the cutting-edge collaborations between the NSA and industry partners to combat cyber threats, with a deep dive into the NSA’s Cybersecurity Collaboration Center (Triple C). Kristina sheds light on the growing awareness around cyber hygiene, the importance of collective defense, and the role of partnerships between government and private sectors in tackling malicious activity. She also offers practical advice for those looking to break into government cybersecurity roles, dispelling myths about the need for a STEM background and highlighting the relevance of "core skills" like public speaking, decision-making, and risk management.
Key Topics Covered:
Public-private partnership success stories
NSA’s approach to global collaboration
The shift from information consumption to actionable intelligence sharing
The average American's cybersecurity concerns
Insights into the collaborative efforts needed to counter cyber threats
Naming malware campaigns
The episode wraps up with tips on staying current in the fast-paced world of cybersecurity, from leveraging NSA advisories to building communities for information sharing. Whether you're an aspiring cybersecurity professional or an industry veteran, this episode is packed with actionable advice and thought-provoking perspectives.
Resources mentioned:
https://www.nsa.gov/Press-Room/Press-Releases-Statements/Press-Release-View/Article/3805947/nsa-announces-kristina-walter-as-the-new-chief-of-cybersecurity-collaboration-c/
https://www.nsa.gov/Press-Room/News-Highlights/
https://www.nsa.gov/Press-Room/Press-Releases-Statements/Press-Release-View/Article/3669141/nsa-and-partners-spotlight-peoples-republic-of-china-targeting-of-us-critical-i/
https://www.nsa.gov/about/cybersecurity-collaboration-center/
For more information about Proofpoint, check out our website.
Subscribe & Follow: Don't miss out on future epis
Tue, January 07, 2025
Hello to all our Cyber Magicians! Join host Selena Larson and guest host Tim Kromphardt as they speak with Hannah Rapetti, the Takedown Services Manager at Proofpoint. Hannah shares her fascinating journey from librarian to cybersecurity expert, detailing her path into the industry through certifications, CTFs (Capture the Flag), and the Women in Cybersecurity (WiCyS) community. The conversation dives into real-world examples, techniques, and strategies used to identify, track, and eliminate malicious domains.
Key Topics Covered:
Collaborative Efforts: How teams work together to identify scam websites, gather evidence, and escalate for takedown.
Tools and Techniques: Using tools like domain search, backend kit identification, and IP-based connections to uncover related sites.
Challenges in Takedowns: Managing lists of hundreds of domains across multiple providers, verifying live activity, and the need for ongoing monitoring.
Threat Actor Behavior: How threat actors use multiple registrars or re-register domains to evade detection.
Best Practices for Organizations: Preemptively purchasing lookalike domains. Monitoring new domain registrations for suspicious activity. Educating users to identify and avoid malicious domains.
Ethical Considerations: Balancing infrastructure disruption with the need for ongoing research, particularly for cyber espionage threats.
Favorite Wins: Memorable investigations, such as takedowns during the Super Bowl, fake Olympics ticket scams, and real-time disruption of pig-butchering schemes.
The episode highlights the importance of domain takedowns not just for individual companies but for contributing to a safer internet ecosystem. It’s a mix of practical advice, real-life stories, and insights into the ongoing battle against cybercrime.
Resources mentioned:
Genina Po Discarded Episode
https://www.proofpoint.com/us/blog/threat-insight/pig-butchers-join-gig-economy-cryptocurrency-scammers-target-job-seekers
https://www.wicys.org/
https://podcasts.apple.com/us/podcast/discarded-tales-from-the-threat-research-trenches/id1612506550?i=1000677061400
Tue, December 17, 2024
Hello to all our Cyber Pals! Join host Selena Larson as ransomware expert Allan Liska, CSIRT at Recorded Future, drops by to share his creative take on cyber-themed graphic novels, proving there’s nothing ransomware can’t inspire—even superheroes. In this episode, we uncover the shadowy ecosystem driving ransomware attacks, from the industrialization of cybercrime to the rise of "small-batch" threat actors redefining chaos. Explore how Operation Endgame dealt a devastating blow to malware powerhouses like Pikabot and SmokeLoader, shaking trust within underground networks and leaving cybercriminals scrambling to regroup. We’ll also decode the evolving tactics of ransomware gangs, from slick AI-powered voice disguises to the surprising shift toward consumer scams. Plus, we’ll discuss whether law enforcement’s crackdown will make ransomware too expensive for crooks, forcing them to rethink their game plans—or at least settle for less glamorous schemes like crypto theft. Don’t miss the Champagne pick that pairs perfectly with ransomware disruptions! 🥂
Resources mentioned:
https://www.chainalysis.com/blog/2024-crypto-crime-mid-year-update-part-1/
https://www.marketplace.org/shows/marketplace-tech/how-scammers-hijack-their-victims-brains/
https://www.cisa.gov/resources-tools/resources/review-attacks-associated-lapsus-and-related-threat-groups-report
https://www.proofpoint.com/us/blog/threat-insight/major-botnets-disrupted-global-law-enforcement-takedown
https://www.justice.gov/opa/pr/us-charges-russian-national-developing-and-operating-lockbit-ransomware
https://therecord.media/russian-national-in-custody-extradited
https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a
https://unit42.paloaltonetworks.
Tue, December 03, 2024
Hello to all our Cyber Frogs! Join host Selena Larson and guest host Sarah Sabotka as they explore the evolving tactics of China-based nation-state threat actors with guest Mark Kelly, Staff Threat Researcher at Proofpoint. They focus on TA415 (APT41 or Brass Typhoon), examining its combination of cybercrime and state-sponsored espionage. From the Voldemort malware campaign to targeting critical infrastructure, Mark sheds light on how these actors leverage tools like Google Sheets for command and control, exploit vulnerabilities, and adapt to evade detection.
The discussion also highlights:
the strategic importance of edge devices, pre-positioning for geopolitical escalations, and the intersection of espionage, gaming, and cybercrime
Operational Relay Boxes (ORBs), covert networks used by Chinese Advanced Persistent Threat (APT) groups to mask cyber activities
exploitation of non-traditional systems and vulnerabilities
the impact of compromised consumer devices on global cybersecurity
Resources mentioned:
https://www.nytimes.com/2024/10/26/us/politics/salt-typhoon-hack-what-we-know.html
https://cyberscoop.com/salt-typhoon-us-telecom-hack-earth-estries-trend-micro-report/
https://www.proofpoint.com/us/blog/threat-insight/malware-must-not-be-named-suspected-espionage-campaign-delivers-voldemort
https://www.bleepingcomputer.com/news/security/state-hackers-turn-to-massive-orb-proxy-networks-to-evade-detection/
For more information about Proofpoint, check out our website.
Subscribe & Follow: Don't miss out on future episodes—subscribe to the Discarded Podcast on your favorite platform.
Fri, November 15, 2024
Hello to all our Cyber Pals! Join host Selena Larson and guest Genina Po, Threat Researcher at Emerging Threats at Proofpoint. She shares how she tackles emerging cyber threats, breaking down the process of turning data into detection signatures. Using tools like Suricata to create detections for malicious activity, she maps out her approach to writing rules that identify and block these threats. The goal? Equip companies to stay secure, and encourage listeners with the skills to spot and prevent scams on their own. Genina shares her journey tracking pig butchering scams through thousands of domains and URLs. She reveals patterns—certain headers and markers—that help identify these sites amid a flood of data, and she describes the challenges in detection, as scammers increasingly vary their setups to evade filters.
Also discussed:
proactive measures against phishing and fraud sites, with Proofpoint using "takedown" services to remove malicious domains, disrupting scams before they impact users
the importance of questioning biases, particularly in cyber threat intelligence where assumptions can shape classifications and responses
collaboration with Chainalysis to connect various scams through cryptocurrency wallets, showing cross-over between different fraud types
Resources mentioned:
Book: Why Fish Don’t Exist by Lulu Miller
For more information about Proofpoint, check out our website.
Subscribe & Follow: Don't miss out on future episodes—subscribe to the Discarded Podcast on your favorite platform.
Tue, October 29, 2024
A note to our listeners: this episode contains some content our listeners might find upsetting, including mentions of human trafficking.
Hello to all our Pumpkin Spice Cyber Friends! Join host Selena Larson and guest host Sarah Sabotka as they chat with senior threat researcher and fraud expert Tim Kromphardt. They talk about the world of pig butchering and crypto romance scams, where Tim discusses how these scams manipulate victims' feelings, making it incredibly hard to escape, even when presented with evidence of the scam, and how these threat actors have expanded their enterprises to include job scamming. He explains the challenges of tracking funds through cryptocurrency systems, and why these scams are so profitable. The episode highlights the need for victims to speak out and share their stories without shame, breaking the cycle and raising awareness.
Also discussed:
how psychological manipulation can be just as damaging as technical vulnerabilities
resources for victims, and how people can identify hallmarks of these types of scams
the role of automation and AI in scaling scams
Resources mentioned:
globalantiscam.org
For more information about Proofpoint, check out our website.
Subscribe & Follow: Don't miss out on future episodes—subscribe to the Discarded Podcast on your favorite platform.
Tue, October 15, 2024
Hello to all our Cyber Ghosts! Join host Selena Larson as she chats with Eilon Bendet, Cloud Threat Researcher from Proofpoint. From account takeovers to state-sponsored hacks, they uncover how cybercriminals are outsmarting traditional defenses, and why even multi-factor authentication might not be enough to keep them out. Together, they discuss the complexities of cloud threat detection, including the role of User and Entity Behavior Analytics (UEBA) in identifying suspicious activities and preventing account takeovers (ATO). Eilon breaks down two primary ATO threat vectors—credential-based brute force attacks and precision-targeted phishing campaigns.
Also discussed:
how these groups exploit cloud environments
concerning trends such as the rise of reverse proxy-based toolkits and MFA bypass techniques
the importance of identity-focused defense strategies and how threat actors customize tools to infiltrate cloud systems, steal data, and monetize compromised accounts
Resources mentioned:
MACT or malicious applications blog: https://www.proofpoint.com/us/blog/cloud-security/revisiting-mact-malicious-applications-credible-cloud-tenants
For more information about Proofpoint, check out our website.
Subscribe & Follow: Don't miss out on future episodes—subscribe to the Discarded Podcast on your favorite platform.
Mon, September 30, 2024
Hello to all our Pumpkin Spice cyber friends! Join host Selena Larson and today’s co-host, Tim Kromphardt, as they chat with Joe Wise, Senior Threat Researcher, and Kyle Cucci, Staff Threat Researcher, both from Proofpoint. Together, they unpack recent campaigns involving the abuse of legitimate services, particularly focusing on the clever tactics used by cybercriminals to evade detection. Joe and Kyle discuss a fascinating trend where attackers are leveraging Cloudflare’s temporary tunnels, bundling Python packages, and deploying a range of malware like Xworm and Venom Rat. They explore the increasing abuse of legitimate services like Google Drive, Adobe Acrobat, and Dropbox, which allow attackers to blend in with regular business traffic. The conversation also touches on a range of threat clusters, including Exormactor and Voldemort malware, and TA2541, who have consistently leveraged Google Drive URLs to spread malicious content.
Also discussed:
the challenge of detecting and mitigating these types of threats and the importance of staying ahead of the evolving attack strategies
the motivations behind these campaigns
why traditional defense mechanisms may fall short
Resources mentioned:
https://www.proofpoint.com/us/blog/threat-insight/malware-must-not-be-named-suspected-espionage-campaign-delivers-voldemort
https://www.proofpoint.com/us/blog/threat-insight/scammer-abuses-microsoft-365-tenants-relaying-through-proofpoint-servers-deliver
For more information about Proofpoint, check out our website.
Subscribe & Follow: Don't miss out on future episodes—subscribe to the Discarded Podcast on your favorite platform.
Tue, September 17, 2024
Hello to all our cyber citizens! Join host Selena Larson and today’s co-host, Tim Kromphardt, as they chat with Joshua Miller, Senior Threat Researcher, and Rob Kinner, Senior Threat Analyst, both from Proofpoint. With election season on the horizon, cyber attackers are sharpening their tactics—impersonating government agencies, emailing journalists, and crafting sophisticated phishing schemes. But how real is the threat? And what can be done to protect our democracy from the digital shadows? Today, we pull back the curtain on the unseen battles being fought in cyberspace and what it means for voters, journalists, and defenders alike. The discussion covers a range of election threats, from malicious domains, impersonation, and typo-squatting to sophisticated credential phishing campaigns that exploit government and election-related themes.
Also discussed:
how state-sponsored actors from DPRK, Russia, and China are interested in espionage around election-related topics
the impersonation of various government entities for phishing purposes, revealing the creativity and resourcefulness of threat actors
while cyber threats are pervasive, the integrity of the voting process remains strong, backed by robust defenses and ongoing efforts by dedicated professionals
Resources mentioned:
https://www.proofpoint.com/us/blog/threat-insight/best-laid-plans-ta453-targets-religious-figure-fake-podcast-invite-delivering
https://www.justice.gov/opa/pr/justice-department-disrupts-covert-russian-government-sponsored-foreign-malign-influence
https://www.proofpoint.com/us/blog/threat-insight/above-fold-and-your-inbox-tracing-state-aligned-activity-targeting-journalists
https://www.proofpoint.com/us/blog/threat-insight/media-coverage-doesnt-deter-actor-threatening-democratic-voters
For more information about Proofpoint, check out our website.
Subscribe & Follow: Don't miss out on future episodes—subscribe to the Discarded Podcast on your favorite platform.
Wed, September 04, 2024
Hello to all our mindful and demure cyber sleuths! Join host Selena Larson and today’s co-host, Sarah Sabotka, as they chat with Joshua Miller and Greg Lesnewich, Threat Researchers at Proofpoint, about the ever-evolving world of advanced persistent threats (APTs). The team unravels the latest espionage tactics of threat actors from Iran, North Korea, and Russia, exploring everything from Iran’s sophisticated social engineering campaigns to North Korea’s customized Mac malware. They also highlight the increasing interest in macOS malware in the cybercrime landscape and examine the threat posed by a group targeting AI researchers with unique malware like "SugarGh0st RAT."
Also discussed:
the quirky and often amusing names given to malware campaigns in the cybersecurity world
unexpected connections between cybersecurity and pop culture, featuring a discussion on how celebrities like Taylor Swift handle digital security
what recent activity suggests about the actors’ changing tactics
Resources mentioned:
SleuthCon Talk: Presenter, Selena Larson
Rivers of Phish from CitizenLab
https://www.proofpoint.com/us/blog/threat-insight/best-laid-plans-ta453-targets-religious-figure-fake-podcast-invite-delivering
https://www.proofpoint.com/us/blog/threat-insight/security-brief-ta450-uses-embedded-links-pdf-attachments-latest-campaign
https://www.elastic.co/security-labs/elastic-catches-dprk-passing-out-kandykorn
https://www.proofpoint.com/us/blog/threat-insight/ta444-apt-startup-aimed-at-your-funds
https://www.theguardian.com/music/shortcuts/2019/jan/29/digital-security-taylor-swift-facetime-privacy-bug-breach
Tue, August 20, 2024
Hello, cyber rebels! Ever wondered what lightsabers, the Force, and intergalactic battles have in common with the world of cybersecurity? Welcome to a special episode of the Discarded Podcast. Join host Selena and co-host Greg Lesnewich, Senior Threat Researcher at Proofpoint, along with our guest, Eric Geller, cybersecurity reporter and host of the Hoth Takes Star Wars podcast, as they dive into the fascinating intersection of Star Wars and cybersecurity. Eric reveals how the tactics and strategies from a galaxy far, far away can be applied to modern-day digital defense. Greg and Eric share their love for Star Wars while drawing parallels between iconic moments from the saga and modern cybersecurity practices. Ever wondered how the Rebels' infiltration of the Death Star reflects real-world hacking techniques? Or how the Empire's security flaws could be lessons for today's digital defenses? We've got you covered. They highlight how living off the land techniques, identity protection failures, and internal security oversights in the Star Wars universe can teach us valuable lessons for defending against cyber threats. From red teaming with Han and Chewbacca to intelligence analysis with Princess Leia, and even hardware hacking with Babu Frik, we cover a broad spectrum of cyber roles through the lens of Star Wars. We also delve into who would make the best CISO in the Star Wars universe, with some surprising nominations and entertaining analogies. Whether you're a Star Wars enthusiast or a cybersecurity professional, this episode provides a unique and entertaining perspective on the skills and strategies essential for both realms. Tune in for a fun and insightful conversation that bridges the gap between fiction and reality in the most engaging way possible.
Resources mentioned:
Hoth Takes (podcast)
NIST Framework
https://www.wired.com/author/eric-geller/
For more information about Proofpoint, check out our website.
Subscribe & Follow: Don't miss out on future episodes—subscribe to the Discarded Podcast on your favorite platform.
Tue, August 06, 2024
Hello, Cyber Stars! In today's episode of the Discarded Podcast, hosts Selena Larson and Sarah Sabotka are joined by Randy Pargman, Director of Threat Detection at Proofpoint. Randy shares his extensive experience in cybersecurity, from working at the FBI and understanding law enforcement’s role in cyber defense, to endpoint detection and response, to his current role at Proofpoint. We explore the relentless cat-and-mouse game between cyber defenders and threat actors. Randy discusses the importance of Detection Engineering and Threat Hunting (DEATH) and how these disciplines work together to outsmart cybercriminals. He also highlights the significance of log data retention and how investing in longer retention periods can drastically improve the efficacy of detection measures. Randy touches on the upcoming DEATHCon, a must-attend event for cybersecurity professionals. He shares fascinating stories and analogies, making complex cybersecurity concepts accessible and engaging.
We also talk about:
the concept of the "pyramid of pain" and how spending too much time on IOCs can be a losing battle against agile threat actors
the value of empathy and collaboration among security teams
practical steps for building shared lab environments
Resources mentioned:
DeathCON
Operation Endgame
Clipboard to Compromise Blog: https://www.proofpoint.com/us/blog/threat-insight/clipboard-compromise-powershell-self-pwn
DFIR Report Labs: https://thedfirreport.com/services/dfir-labs/
For more information about Proofpoint, check out our website.
Subscribe & Follow: Don't miss out on future episodes—subscribe to the Discarded Podcast on your favorite platform.
Wed, July 24, 2024
Hello, Cyber Stars! In today's episode of the Discarded Podcast, hosts Selena Larson and Pim Trouerbach are joined by Andy Greenberg, Senior Writer at WIRED. Known for his deep dives into the world of hacking, cybersecurity, and surveillance, Andy shares his journey of uncovering and telling compelling stories about the digital underworld. The conversation kicks off with Andy detailing his extensive experience in cybersecurity journalism and his knack for long-form storytelling. He shares insights into his acclaimed Wired article on the Mirai botnet hackers and discusses his latest book, Tracers in the Dark: The Global Hunt for the Crime Lords of Cryptocurrency.
We also talk about:
the intricate world of cryptocurrency and its unintended consequence of fueling ransomware attacks
the rise of pig butchering scams, now dwarfing ransomware in financial impact
the ethical dilemmas and real-world consequences of cybercrime
Resources mentioned:
Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin's Most Dangerous Hackers by Andy Greenberg
Tracers in the Dark: The Global Hunt for the Crime Lords of Cryptocurrency by Andy Greenberg
https://www.wired.com/story/mirai-untold-story-three-young-hackers-web-killing-monster/
https://www.wired.com/story/crypto-home-invasion-crime-ring/
https://www.wired.com/story/tigran-gambaryan-us-congress-resolution-hostage-nigeria/
For more information about Proofpoint, check out our website.
Subscribe & Follow: Don't miss out on future episodes—subscribe to the Discarded Podcast on your favorite platform.
Mon, July 15, 2024
Check out new episodes of Only Malware in the Building wherever you listen to podcasts: https://thecyberwire.com/podcasts/only-malware-in-the-building
Tue, July 09, 2024
Hello, Cyber Pirates! In today's episode of the Discarded Podcast, hosts Selena Larson and Tim Kromphardt are joined by Kyle Cucci, Staff Threat Researcher at Proofpoint. Dive with us into the world of cyber attacks as Kyle breaks down the intricacies of evasion techniques used by threat actors. From defense evasion to anti-sandboxing and anti-reversing methods, Kyle sheds light on how modern malware ensures its survival. Discover the evolution and increasing sophistication of these techniques, and learn about specific malware families like WikiLoader, Remcos, and the notorious Loki Bot. We then move into how teams of threat hunters, intelligence analysts, and malware reversers work closely to identify new malware techniques and develop robust defenses within sandbox environments. Kyle shares insights into the constant feedback loop between intelligence and detection teams, highlighting how they stay ahead of evolving threats.
We also talk about:
evasion strategies, including temperature checks, geofencing, and human detection mechanisms
the use of publicly available tools by malware authors
the future of AI and large language models (LLMs) in both aiding and combating cyber threats
Resources mentioned:
Evasive Malware by Kyle Cucci
SentinelOne Research: https://www.sentinelone.com/blog/blackmamba-chatgpt-polymorphic-malware-a-case-of-scareware-or-a-wake-up-call-for-cyber-security/
For more information about Proofpoint, check out our website.
Subscribe & Follow: Don't miss out on future episodes—subscribe to the Discarded Podcast on your favorite platform.
Tue, June 25, 2024
Hello, cyber sleuths! In today's exciting episode of the Discarded Podcast, hosts Selena Larson and Sarah Sabotka are joined by the brilliant Pim Trouerbach, Senior Reverse Engineer at Proofpoint. Pim gives us the lowdown on Operation Endgame, the massive law enforcement operation targeting multiple high-profile botnets across the globe, explaining how this coordinated takedown affects the cybercrime landscape and the significance of arresting the individuals behind these operations. He also breaks down the different malware impacted, including SystemBC, IcedID, Pikabot, Bumblebee, and more.
We also talk about:
the rise and fall of Bumblebee, comparing it to its predecessor, Baza Loader, and contemplating why it didn't quite live up to its anticipated potential despite its advanced features
the collaborative efforts between law enforcement and private sector partners, emphasizing the effectiveness of these joint operations in curbing cyber threats
the high-quality, cinematic videos released as part of Operation Endgame
Resources mentioned:
https://www.proofpoint.com/us/blog/threat-insight/major-botnets-disrupted-global-law-enforcement-takedown
https://www.proofpoint.com/us/threat-insight/post/systembc-christmas-july-socks5-malware-and-exploit-kits
https://operation-endgame.com/
https://www.justice.gov/opa/pr/911-s5-botnet-dismantled-and-its-administrator-arrested-coordinated-international-operation
https://x.com/Shadowserver/status/1797945864004210843
For more information about Proofpoint, check out our website.
Subscribe & Follow: Don't miss out on future episodes—subscribe to the Discarded Podcast on your favorite platform.
Tue, June 11, 2024
Hello to all our cyber squirrels! Joining our series host, Selena Larson, is our co-host today, Tim Kromphardt. Together they welcome our special guest, Dr. Bob Hausmann, Proofpoint's Manager of Learning Architecture and Assessments and a seasoned psychologist. Our conversation explores how cyber threat actors exploit the different systems of thought in our brains and how attackers leverage our rapid, emotionally-driven responses (system one thinking) to bypass our more deliberate, rational processes (system two thinking). Dr. Bob introduces us to the concept of cognitive biases, particularly normalcy bias, and how these mental shortcuts can shape our cyber defense strategies. He explains how organizations often fall into the trap of thinking "it won't happen to us," leading to underinvestment in critical security measures. Drawing parallels to historical events like the sinking of the Titanic and the COVID-19 pandemic, he underscores the importance of overcoming these biases to enhance preparedness.
We also talk about:
Real-world implications and examples of social engineering attacks
The impact of urgency and stress on decision-making in cybersecurity
The alarming rise and mechanics of pig butchering scams
The role of AI in scams and cybersecurity
Empathetic approaches to helping scam victims
Resources mentioned:
Book: "Thinking, Fast and Slow" by Daniel Kahneman
Book: "The Art of Deception" by Kevin Mitnick
Previous Discarded Episode on Pig Butchering
Have I Been Pwned
PhishMe
Cybersecurity and Infrastructure Security Agency (CISA)
SANS Institute
https://www.proofpoint.com/us/blog/threat-insight/broken-dreams-and-piggy-banks-pig-butchering-crypto-fraud-growing-online
Wed, May 29, 2024
Hello to all our cyber pals! Joining our series host, Selena Larson, is our co-host today, Tim Kromphardt. Together they welcome our special guest, Daniel Blackford, the Director of Threat Research at Proofpoint. The conversation dives into the intricate world of cyber threats and the impact of law enforcement disruptions on malware, botnets, and ransomware actors. We'll explore how threat actors react when their preferred infrastructures or ransomware-as-a-service systems get taken down, offering insights into their various responses—from rebuilding and rebranding to the emergence of new power players in the cybercriminal ecosystem.
We also talk about:
Analysis of the Hive ransomware takedown and the massive Qbot operation, including the technical and human aspects of these disruptions
How other groups rise to prominence despite disruptions
Differences between malware disruptions and business email compromise (BEC) or fraud-focused disruptions
The evolution of threat actor techniques, such as legitimate remote management tools and living off the land techniques
For more information about Proofpoint, check out our website.
Subscribe & Follow: Don't miss out on future episodes—subscribe to the Discarded Podcast on your favorite platform.
Wed, May 08, 2024
The Discarded Podcast team is gearing up and working hard for a new season! Until then we have a special Re-Run treat--one of our favorite episodes! Enjoy! Engineering skills can play a massively beneficial role in cyber security, as Pim Trouerbach, a Senior Reverse Engineer at Proofpoint, and Jacob Latonis, Senior Threat Research Engineer at Proofpoint, are able to share. They emphasize the importance of understanding the requirements and context of security researchers to build effective tools. The conversation touches on the potential impact of AI and LLMs (large language models) in threat research. While AI tools can be valuable for entry-level tasks, the context, experience, and expertise of human engineers are essential for handling complex code and understanding threat actors' behaviors.
Join us as we also discuss:
[02:59] The uniqueness of engineering skills in understanding researchers' requirements for data cleaning, tool development, and working in a security environment.
[11:06] How the versioning in malware samples can provide insights into the threat actors' behavior and trajectory.
[13:24] How malware is simply software with malicious intent, and how practices of developers and threat actors can overlap.
[17:10] The tools and techniques used by threat actors, including obfuscation and encryption methods.
[21:42] The importance of context and experience in writing tools and understanding researchers' workflows.
For more information, check out our website.
Tue, April 02, 2024
Today’s focus is on the elusive threat actor known as TA4903. But that's not all - we've got a special treat for you as well. Our longtime producer, Mindy, is joining us as a co-host, bringing her expertise and insights to the table, as we turn the mic around and interview Selena! We explore recent research conducted by Selena and her team on TA4903’s distinct objectives. Unlike many cybercrime actors, TA4903 demonstrates a unique combination of tactics, targeting both high-volume credential phishing campaigns and lower-volume direct business email compromises.
We also dive into:
TA4903 spoofs government entities like the Department of Transportation and the Department of Labor to lure victims
Use of advanced techniques including EvilProxy for multi-factor authentication token theft and QR codes for phishing campaigns
Rising trends in cryptocurrency-related scams and other financial frauds
Resources mentioned:
MFA Bypass (Blog) by Timothy Kromphardt
IC3 2023 FBI Report
New TA4903 research: https://www.proofpoint.com/us/blog/threat-insight/ta4903-actor-spoofs-us-government-small-businesses-phishing-bec-bids
For more information, check out our website.
Tue, March 19, 2024
It has been a busy first quarter for the Proofpoint Threat Research team! Today we have returning guest, Pim Trouerbach, to share his personal stories about his favorite malware and discuss the current landscape, including insights on Pikabot, Latrodectus, and WikiLoader. The conversation explores the evolution from old school banking trojans to the current favored payloads from major cybercrime actors, and the changes in malware development through the years. Pim shares the meticulous analysis and research efforts behind this work, and we learn about mechanisms to combat the malware.
We also dive into:
a valuable lesson about the consequences of malware running rampant in a sandbox environment
the shifts in attack chains and tactics employed by threat actors
the need for adaptive detection methods to combat evolving cyber threats
Resources mentioned:
Countdown to Zero Day by Kim Zetter
Shareable Links:
https://www.proofpoint.com/us/blog/threat-insight/out-sandbox-wikiloader-digs-sophisticated-evasion
https://www.proofpoint.com/us/blog/threat-insight/ta577s-unusual-attack-chain-leads-ntlm-data-theft
https://www.proofpoint.com/us/blog/threat-insight/battleroyal-darkgate-cluster-spreads-email-and-fake-browser-updates
https://www.proofpoint.com/us/blog/threat-insight/bumblebee-buzzes-back-black
https://www.proofpoint.com/us/blog/threat-insight/security-brief-tis-season-tax-hax
Pim’s Favorite Malware:
* Emotet: https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-280a
* IcedID: https://www.proofpoint.com/us/blog/threat-insight/fork-ice-new-era-icedid
* Dridex: https://www.cisa.gov/news-events/cybersecurity-advisories/aa19-339a
* Hancitor: https://malpedia.caad.fkie.fraunhofer.de/details/win.hancitor
* Qbot: https://malpedia.caad.fkie.fraunhofer.de/details/win.qakbot
* Hikit (APT): https://attack.mitre.org/software/S0009/
* Stuxnet (APT): https://www.penguinrandomhouse.com/books/219931/countdown-to-zero-day-by-kim-zetter/
* Cutwail: https://malpedia.caad.fkie.fraunhofer.de/details/win.cutwail
Tue, March 05, 2024
Network-based detections, such as those developed by threat detection engineers using tools like Suricata and Snort signatures, play a crucial role in identifying and mitigating cyber threats by scrutinizing and analyzing network traffic for malicious patterns and activities. Today’s guest is Isaac Shaughnessy, a Threat Detection Engineer at Proofpoint. Isaac shares his insights into the challenges of detecting and mitigating malware, especially those using social platforms for command and control. He emphasizes the team's engagement with the InfoSec community, highlighting the value of platforms like Twitter and Mastodon for sharing and receiving information.
We also dive into:
the unique challenges of crafting effective signatures
the specifics of malware, focusing on Vidar stealer and highlighting the dynamic nature of Vidar's command and control infrastructure
the distribution methods of these malware strains, from email campaigns to unconventional tactics like using video game platforms and social media for luring victims
Resources mentioned:
Intro to Traffic Analysis w/ Isaac Shaughnessy
Emerging Threats Mastodon: https://infosec.exchange/@emergingthreats
Threat Insight Mastodon: https://infosec.exchange/@threatinsight
Vidar Stealer Picks Up Steam!
For more information, check out our website.
Tue, February 20, 2024
The esteemed Katie Nickels joins us on the show today! Katie is the Director of Intelligence Operations at Red Canary, and our conversation with her explores a wide array of topics, ranging from career growth in threat intelligence to the intricacies of attribution and threat actor naming. Katie delves into her diverse career journey and transitions to advice for those entering the field, emphasizing persistence, creativity, and considering entry-level roles like SOC analyst positions. There is also talk of avoiding burnout while pursuing one’s passion, especially in cybersecurity.
We also dive into:
Communication and attribution challenges, including the confusion of different naming conventions
Marketing and the personification of threat actors
Strategic approaches in handling incidents and avoiding panic
For more information, check out our website.
Tue, February 06, 2024
*This episode contains content warnings of suicide and self-harm* “It’s not about preventing something from happening, it’s being prepared for when it does.” This episode is filled with stories from the different scenarios that have been plaguing people with cyber security attacks. Today’s guest is Kevin Collier, a cybersecurity reporter at NBC. He joins us to discuss his experiences covering cybersecurity stories for a mainstream audience. As the first and only dedicated cybersecurity reporter at NBC, Collier reflects on the evolving nature of media coverage in the cybersecurity space, emphasizing the increasing need for dedicated coverage in major news publications. He highlights the rise of scams facilitated through text messages, emails, and zero-day exploits, emphasizing the geopolitical circumstances that enable these threats, and also helping audiences understand the reality behind the cyber threats they face.
They also dive into:
The poignant reporting process on a story of pig butchering scams
The normalization of cyber threats, such as ransomware, and the role of the media in shaping public perception
The process of convincing stakeholders to prioritize certain topics
The emotional toll of reporting on sensitive cybersecurity topics and the importance of self-care in navigating this challenging intersection
Resources mentioned (trigger warning for content of suicide and self-harm):
“Online romance scams are netting millions of dollars — and pushing some to self-harm” by Kevin Collier
Discarded Episode with Tim Utzig
Colonial Pipeline Blog by CISA.gov
For more information, check out our website.
Tue, January 23, 2024
Is 2024 the year of adaptability and collaboration within the security community? Let’s hope so! Today’s episode is Part Two of what to expect in cybersecurity in 2024, and our guests are Randy Pargman and Rich Gonzalez. Randy sheds light on the crucial role of the Detections Team and emphasizes the constant innovation of malware authors, and the team’s mission to outsmart them. Rich discusses the Emerging Threats team and dives into open source and paid resources as force multipliers for security teams. While some reflections were shared about 2023, namely multiple high-profile vulnerability events and the challenges posed by QR codes, the conversation focused on the upcoming year. They anticipate increased creativity from threat actors, and emphasize the constant battle between red and blue teams. The conversation underscores the need for constant adaptation, response to emerging threats, and collaboration within the security community.
Other topics discussed include:
Incidents like WinRAR, Citrix NetScaler ADC, and ScreenConnect vulnerabilities
The positive impact of public-private partnerships and international cooperation in enhancing cybersecurity defenses
Hopeful vision for the industry, advocating for understanding, education, & increased diversity
For more information, check out our website.
Tue, January 09, 2024
To move forward, it’s good to take a minute and reflect on what’s happened. Today’s episode focuses on insights from Daniel Blackford and Alexis Dorais-Joncas, both Senior Managers of Threat Research at Proofpoint. This is the first in our two-part series looking at what’s on the horizon for 2024. Reflecting on 2023, they discuss the use of QR codes, major technique shifts from the biggest ecrime and APT actors, and the ongoing problem of ransomware. Looking ahead to 2024, the emphasis goes to the gradual shift of attacks outside corporate-managed infrastructure, leveraging personal email accounts to bypass extensive security measures. On the cybercrime side, there’s a prediction of the continued development of as-a-service models, particularly focusing on traffic distribution services, leading to more modular and challenging-to-attribute attack chains.
They also dive into:
Threat actor activity during the elections and Olympics
Specific threat actor groups that caught their attention in 2023, TA473 and TA577
Living off the Land concepts
For more information, check out our website.
Tue, December 26, 2023
In this special Holiday edition of Discarded, the tables are turned with hosts, Selena and Crista, becoming the answer-ers, our returning Moderator, Mindy Semling, as the question asker, and our wonderful audience is transformed into Cyber Elves. This conversation is lively and filled with questions from a variety of engaged audience members. (Thank you to everyone who contributed). Questions range from career advice for aspiring Cyber Threat Analysts, to certain threats exploding in popularity, to a reflection of 2023.
The Discarded Podcast team would like to take a moment and thank the following people for their contributions to the Cyber Security Landscape this year:
Pim Trouerbach
Kelsey Merriman
Tommy Madjar
Bryan Campbell
Greg Lesnewich
Kyle Eaton
Joe Wise
Emerging Threats team
The overall Proofpoint Team, including, but not limited to, our PR and marketing teams
Resources mentioned:
YouTube: Katie Nickels SANS Threat Analysis Rundown
https://www.sans.org/cyber-security-courses/cyber-threat-intelligence/
https://www.networkdefense.co/courses/investigationtheory/
https://www.nbcnews.com/tech/tech-news/how-online-romance-scams-netting-millions-self-harm-rcna85252
https://medium.com/mitre-attack/attack-v14-fa473603f86b
https://medium.com/katies-five-cents/a-cyber-threat-intelligence-self-study-plan-part-1-968b5a8daf9a
https://medium.com/katies-five-cents/a-cyber-threat-intelligence-self-study-plan-part-2-d04b7a529d36
https://www.atlanticcouncil.org/in-depth-research-reports/report/sleight-of-hand-how-china-weaponizes-software-vulnerability/
https://www.wired
Tue, December 12, 2023
Tis the season for understanding TA422’s latest activity AND for singing podcast guests! Today’s returning guest is Greg Lesnewich, Senior Threat Researcher at Proofpoint. He sheds light on the tactics, techniques, and procedures (TTPs) employed by TA422. The conversation touches on the significance of the high volumes observed starting in late summer, the exploitation of vulnerabilities for NTLM credential harvesting, and the brief usage of the WinRAR vulnerability. They touch upon the potential reasons behind the group's choices, considering factors such as resourcing, tactical decisions, and a shift towards speed and efficiency. There is also consideration about connecting TA422's activities to broader trends in threat actor behavior, such as a shift towards living off the land techniques and a focus on social engineering for initial access.
The conversation continues on the following topics:
[11:17] TA422 Recent Activity
[13:30] Campaigns using CVE-2023-23397
[18:35] WinRAR activity
[22:50] October & November activity
[26:50] Guest Singing Spotlight
[29:30] Noticeable differences in campaigns
Resources mentioned:
TA422 Proofpoint Blog: https://www.proofpoint.com/us/blog/threat-insight/ta422s-dedicated-exploitation-loop-same-week-after-week
Google TAG Report on WinRAR Exploits: https://blog.google/threat-analysis-group/government-backed-actors-exploiting-winrar-vulnerability/amp/
Selena’s Cyber Tunes Playlist: https://open.spotify.com/playlist/7GqH7SefgiI1UtYNjQ5svg?si=vO2Ao-lTTSuCCVfgfgcUfw&pt=97da5ebbd320a4f79014b1f205fc8438&pi=u--xbfwSuHSE-T
Wired story on Sandworm: https://www.wired.com/story/sandworm-ukraine-third-blackout-cyberattack/
For more information, check out our website.
Wed, November 29, 2023
Take a deep dive with us into the incomparable MITRE ATT&CK Framework, a comprehensive knowledge base that catalogs real-world threat actor behaviors derived from threat intelligence. Today’s guests are our great friends at MITRE ATT&CK, Adam Pennington (ATT&CK Lead) and Patrick Howell O’Neill (Lead Cyber Operations Analyst). They explore how the Framework serves as a common language for communicating adversary threat behaviors and discuss its evolution from an internal project to a community-driven resource. The latest version of the MITRE ATT&CK Framework, version 14, was released on Halloween, emphasizing new features like the addition of new defensive information and techniques they had previously declined to include. They discuss the decision-making process behind incorporating new techniques, such as Financial Theft, Impersonation, Phishing: Spearphishing Voice, and Phishing for Information: Spearphishing Voice.
The conversation continues on the following topics:
[5:00] MITRE ATT&CK Framework
[9:25] Improving cybersecurity detection
[13:00] New ATT&CK techniques
[16:00] Decisions about which techniques to add
[23:00] Mobile ATT&CK
[30:00] Decisions about which trends to include
[37:00] Feedback about the Framework
Resources mentioned:
What is the MITRE ATT&CK Framework? https://attack.mitre.org/
https://medium.com/mitre-attack/attack-v14-fa473603f86b
For more information, check out our website.
Tue, November 14, 2023
While the current Israeli/Palestinian conflict is on everyone’s minds, how many are thinking about the repercussions of cyber security? Today’s guest is returning guest, Joshua Miller, Senior Threat Researcher on the APT team at Proofpoint. While he focuses on different Middle East, North African state-aligned threats, he is talking today about a Palestinian-aligned threat group coined TA402. While there is no direct link to Hamas, their activities support the Palestinian Territories. Joshua paints a vivid picture of TA402's usual targets, strategies, and tactics, highlighting their geofencing techniques and their crafty use of compromised government agency accounts. The recent evolution of their attack chain, involving Dropbox and DLL side loading, is dissected in intricate detail, offering a glimpse into the evolving landscape of cyber threats. This discussion not only provides insights into TA402's modus operandi but also emphasizes its distinctiveness from its previous malware campaigns.
TIMESTAMPS
[1:35] Length of time tracking TA402
[3:00] Differences between known government threat actors vs TA402
[7:00] Other groups involved in the Israeli/Palestinian War
[10:40] Normal victimology from this type of threat actor
[12:30] Comparison of tactics that TA402 is deploying
[19:20] Difficulties in tracking TA402
Resources mentioned:
Ugg Boots 4 Sale: A Tale of Palestinian-Aligned Espionage
New TA402 Molerats Malware Targets Governments in the Middle East
https://malpedia.caad.fkie.fraunhofer.de/actor/aridviper
https://www.proofpoint.com/us/blog/threat-insight/exploiting-covid-19-how-threat-actors-hijacked-pandemic
For more information, check out our website.
Tue, October 31, 2023
How can you tell when a website (yes, a website) is compromised? These threats are pretty crafty because they aren't out to target specific individuals; they just wait for folks like you and me to innocently click on compromised websites during our regular browsing. But these threats don't stop at casual browsing. They sneak into emails, social media, search engines, and even web alerts. They're like chameleons, adapting to different situations. Our guest today is Dusty Miller, a Threat Detection Analyst at Proofpoint. He identifies four key groups: SocGholish, RogueRaticate/FakeSG, ZPHP/SmartApeSG, and ClearFake. Each has its own style and tricks, but they all love using that tempting fake browser update ruse. These threats work because users tend to trust websites they've visited before, making them more susceptible to clicking on fake browser update prompts. Responding to these threats isn't a walk in the park for defenders. To tackle them effectively, you need to pinpoint which specific threat you're dealing with and respond accordingly. It's like playing a game with multiple rulebooks; you've got to know which one you're up against.
TIMESTAMPS
[1:45] Fake Browser Opportunities
[5:00] Threat Actors Using Malware
[9:00] Browser Malware Clusters & Tactics
[18:00] Combating Fake Updates
[19:00] Naming New Malware
[28:00] Why These Threats
Resources mentioned:
Dr. Bob Hausmann Episode
“Are You Sure Your Browser is Up to Date?...” by Dusty Miller
For more information, check out our website.
Tue, October 17, 2023
Oh the days when spam was the only concern for email security! Our guest today is Chris Wakelin, a Senior Threat Researcher at Proofpoint. He recounts the era when email attachments were plain text, and the concept of malicious URLs had yet to become prevalent. Chris was a pioneer in implementing email security measures and recalled introducing SpamAssassin, an early open-source program for spam detection, at his university. Chris emphasized his belief in not shipping emails into a black hole (where emails are never seen by humans and no error is returned to the sender), preferring instead to direct them to spam folders or reject them at the gateway. He stressed the importance of precision in cybersecurity, a lesson learned from his mathematical background.
TIMESTAMPS
[5:00] First Spam Filtering Implementation
[6:00] SpamAssassin
[12:15] Differences between static/dynamic detections and various signatures
[14:00] Running the Sandbox
[19:00] Naming New Malware
[23:50] Best Practices
Resources mentioned:
LCG Kit Blog
TA558 Blog
ET Open Rule Set
For more information, check out our website.
Wed, October 04, 2023
Billions of dollars in losses is bad enough. But when a friend loses $1,000 on a platform he trusted, online fraud gets personal. In this podcast episode, we dive deep into the world of online fraud with the personal account of Tim Utzig, a Senior Associate Analyst at Anser and a friend of Selena Larson. Utzig, who is blind, lost $1,000 in an online scam. His story highlights the difficulties and risks of being a person with a disability in an online world that enables cyber crime and often neglects accessibility. Timothy Kromphardt, an email fraud researcher at Proofpoint, used his expertise tracking scams and engaging directly with threat actors to help Utzig recover. He explains the complexities of cyber crime investigations and the roadblocks to bringing scammers to justice.
TIMESTAMPS
[1:00] Twitter scam story
[6:00] Viewing images with a screen reader
[8:45] Scam Busting
[12:30] Cautions to scam busting
[17:40] Unraveling the Twitter scam follow up
[20:20] Involvement of the police force & government
[26:35] Protection techniques for people with disabilities
[27:20] Key characteristics of fraud
Resources mentioned:
https://www.wired.com/story/twitter-laptop-scam-hunters/
For more information, check out our website.
Fri, September 22, 2023
Live from New York City, it’s your Discarded podcast team at Protect 2023! Joining Selena Larson is our special guest, John Hultquist, Chief Analyst at Mandiant, now part of Google Cloud. They discuss various cybersecurity threats and activities of nation-states like Russia, China, and North Korea. China stands out as it hasn't executed significant destructive cyberattacks like its peers. Most of China's cyber activity involves intellectual property theft, targeting dissidents, and espionage. However, there's growing concern about their interest in critical infrastructure, particularly in times of geopolitical tension. Russia, on the other hand, has a history of destructive and disruptive attacks, such as those seen in the Middle East and South Korea. They also discuss the role of threat intelligence and information sharing in combating cyber threats, emphasizing the importance of responsible government involvement in providing leads to the cybersecurity community. Of course, the influence of AI in cyber threat creation is also covered, particularly in generating fake media and content.
[4:00] China sets themselves apart
[8:00] Concerns about cyber enabled kinetic impacts
[14:00] Thoughts about Russia and Ukraine
[20:00] Techniques that analysts would find helpful
[24:00] Target anticipations for 2024
Resources mentioned:
https://www.mandiant.com/resources/blog/threat-actors-generative-ai-limited
https://www.cyberwarcon.com/
https://www.goodreads.com/en/book/show/41436213
https://www.reuters.com/article/us-france-election-macron-cyber-idUSKBN17Q200
https://www.helpnetsecurity.com/2015/07/08/sophisticated-successful-morpho-apt-group-is-after-corporate-data/
https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/
https://www.mandiant.com/resources/blog/attackers-deploy-new-ics-attack-framework-triton
Tue, September 05, 2023
Regardless of location, it’s important to understand what is happening in the global threat landscape because we are a global economy. What affects one region may affect one closer to home. Part of the reason Brazil has become a recent hotbed is that its online population is expanding rapidly. Today’s guest, Jared Peck (Senior Threat Researcher at Proofpoint), dives deeper into his knowledge of this region and breaks down its unusual characteristics.
[3:30] The threat landscape in Brazil
[5:20] Brazilian banking malware being financially motivated
[9:10] Credential theft in Brazil
[13:30] Identifying threat actor clusters
[17:00] Types of Brazilian campaigns
[21:00] Diversity of malware leaders
For more information, check out our website.
Tue, August 22, 2023
Just like a forensic scientist, the job of a threat analyst is to search for the digital fingerprints. The key is to have a starting reference point, and then to be able to see what is off from there. Our guest today is Bryan Campbell, a Staff Threat Analyst at Proofpoint. He breaks down what is happening on the China cybercrime threat landscape, as well as the importance of staying aware of past trends.
Join us as we also discuss:
[7:09] The Renaissance of Chinese malware in email data
[12:05] Chinese themed malware and malware families
[13:55] The campaigns delivering this type of malware
[20:00] How the China cybercrime landscape has changed
[25:04] Expectations for the future
[28:32] LLMs being used for these circumstances
For more information, check out our website.
Tue, August 08, 2023
Engineering skills can play a massively beneficial role in cyber security, as Pim Trouerbach, a Senior Reverse Engineer at Proofpoint, and Jacob Latonis, Senior Threat Research Engineer at Proofpoint, are able to share. They emphasize the importance of understanding the requirements and context of security researchers to build effective tools. The conversation touches on the potential impact of AI and LLMs (large language models) in threat research. While AI tools can be valuable for entry-level tasks, the context, experience, and expertise of human engineers are essential for handling complex code and understanding threat actors' behaviors.
Join us as we also discuss:
[02:59] The uniqueness of engineering skills in understanding researchers' requirements for data cleaning, tool development, and working in a security environment.
[11:06] How the versioning in malware samples can provide insights into the threat actors' behavior and trajectory.
[13:24] How malware is simply software with malicious intent, and how practices of developers and threat actors can overlap.
[17:10] The tools and techniques used by threat actors, including obfuscation and encryption methods.
[21:42] The importance of context and experience in writing tools and understanding researchers' workflows.
For more information, check out our website.
Tue, July 25, 2023
What is new with Iranian actor TA453, and what is happening with their attack chains? To answer these questions, today’s guest is Joshua Miller, a Senior Threat Researcher on the APT team at Proofpoint. Since his last visit, Joshua has published new research on TA453, highlighting new malware and social engineering techniques, which can be found here.
Join us as we discuss the following:
[1:25] What’s new with threat actor TA453
[2:35] Multi Persona Impersonation
[6:25] Use case of LNKs in the attack chain
[8:10] Use of free cloud services
[11:15] Attacking different operating systems
[16:15] Convoluted attack chains
[27:40] Collaborating with researchers, like Dropbox
For more information, check out our website.
Tue, July 11, 2023
When researching cyber threats, there is a bias towards the West and most of Europe. But what about the global majority? Today’s guest is Martijn Grooten, a Digital Security Threat Analyst with Internews. With 16 years of experience in cybersecurity, he has recently focused on the impact of security for at-risk groups and people.
Join us as we discuss the following:
Outdated ideas of security for the general public
Common trends geographically
The distinction of threats between devices
For more information, check out our website.
Resources:
Martijn’s BotConf talk: https://youtu.be/CcqOy6WdUjw
Martijn on social media: Twitter, Mastodon, LinkedIn
Tue, June 27, 2023
It's shaping up to be a weird and wacky summer for threat researchers. While it’s been quieter on the front end, there are still many stories to share with some weird and wacky incidents. This episode also includes a fun, dramatized read of an email tactic.
Join us as we discuss the following:
Where the team identifies on the Cyber Alignment Chart
Use of celebrity names within email lures
Recent PDF antics
Updates about activity from current threat actors
For more information, check out our website!
Wed, June 14, 2023
Who’s quiet and who’s making noise? What’s the backchannel chatter over at Proofpoint? Proofpoint threat researchers Joe Wise and Pim Trouerbach join this week’s episode to discuss the e-crime vibe for the first half of 2023.
Join us as we discuss the following:
Emotet’s activity, or lack thereof
Chaotic vibes from IcedID
TA570 and TA577 setting trends
Tue, May 30, 2023
How does cybercrime threaten individual reporters? What about an entire newsroom? What if you’re an average person who suddenly becomes the center of a dark conspiracy theory? Welcome to the world of cybersecurity for at-risk individuals. In this episode, renowned cybersecurity expert Runa Sandvik joins us to talk about her work protecting journalists and newsrooms from powerful attackers.
Join us as we discuss the following:
Protecting personal and corporate devices and accounts for high-risk individuals
Common security gaps found in highly targeted organizations
Effectively using cybersecurity tools
Communicating cybersecurity guidance in the workplace
Resources:
https://www.reuters.com/business/media-telecom/reuters-reporters-online-accounts-faked-approach-china-activists-2023-02-28/
https://www.nbcnews.com/tech/misinformation/tiffany-dover-conspiracy-theorists-silence-rcna69401
Tue, May 16, 2023
A brief note on content for today's episode: we are going to be discussing or mentioning stalking, domestic abuse, and sex trafficking in today's show. If you're a threat actor with a million-dollar budget targeting high-ranked targets like dissidents, activists, journalists and politicians, how do you do it? What if you'd like to stalk your neighbor, or your ex? In this episode, Proofpoint security research engineer Chris Talib discusses high-ticket mobile spyware, the proliferation of low-cost stalkerware, surveillance capitalism and why he believes technology can't solve social problems.
Join us as we discuss the following:
- Mobile spyware tools
- The impact of low-cost stalkerware
- Moral and ethical implications of developing spyware
- The role of governments, organizations and activists in protecting citizens' right to privacy
Resources:
https://www.laquadrature.net/en/
https://www.amnesty.org/en/latest/research/2020/09/german-made-finspy-spyware-found-in-egypt-and-mac-and-linux-versions-revealed/
https://www.forbes.com/sites/thomasbrewster/2023/04/06/sex-traffickers-use-parenting-apps-like-life360-to-spy-on-victims/?sh=110a6e2464c3
https://www.eff.org/
https://tacticaltech.org/
https://defensive-lab.agency/
https://echap.eu.org/
Tue, May 02, 2023
At least three threat actors are ushering in a new era for IcedID, originally classified as banking malware in 2017. In this episode, Proofpoint researchers Joe Wise and Pim Trouerbach are here to share their research on the Lite and Forked IcedID variants.
Join us as we discuss the following:
- Lite IcedID variant
- Forked IcedID variant
- The key differences between the variants
- Which operators the Proofpoint team hypothesizes are behind the attacks
Resources:
https://www.proofpoint.com/us/blog/threat-insight/fork-ice-new-era-icedid
Tue, April 18, 2023
In this podcast episode, Proofpoint senior threat researcher Adam McNeil joins us to talk about conversational SMS phishing. These campaigns target mobile devices and often start with a simple, innocuous question. "Are you coming to dinner tomorrow?" can lead to anything from fraud to impersonation to financial schemes and is considered a $3 billion threat.
In this episode, we discuss the following:
- Why a threat actor would choose a conversational SMS campaign
- Different scams associated with conversational SMS phishing
- Lack of awareness surrounding mobile threats
Fri, April 07, 2023
Cloud threats are a growing concern due to users' and organizations' increasing adoption of cloud computing. It's crucial to develop the skills needed to identify and analyze cloud-based threats and to know the latest security tools and techniques to detect, prevent, and respond to cloud-based attacks. Ultimately, security researchers and analysts play a critical role in helping organizations mitigate cloud-related risks and ensure the security of their cloud environments. In this episode, Eilon Bendet, from the Proofpoint cloud threat research team, joins us to discuss the cloud threats he is seeing.
In this episode, we discuss the following:
- Cloud threat detection and landscape
- Main objectives for threat actors when they leverage the cloud
- How users and organizations can best protect themselves
Additional Resources:
Cloud Threats & Cloud Threat Landscape
https://www.proofpoint.com/us/threat-reference/casb
https://www.proofpoint.com/us/corporate-blog/post/dont-let-cloud-threats-rain-your-parade
https://www.proofpoint.com/us/corporate-blog/post/microsoft-office-365-attacks-circumvent-multi-factor-authentication-lead-account
https://www.proofpoint.com/us/blog/cloud-security/proofpoint-discovers-potentially-dangerous-microsoft-office-365-functionality
https://www.proofpoint.com/us/blog/cloud-security/proofpoint-analyzes-potentially-dangerous-functionality-microsoft-sway-enables
https://www.proofpoint.com/us/resources/webinars/deep-dive-latest-cloud-threats-microsoft-environments
Tue, March 21, 2023
In the cyber threat intelligence and cybersecurity world, there is a growing recognition of the value of professionals with diverse backgrounds and skillsets. While many individuals in the field come from traditional computer science or engineering backgrounds, there is also a trend of people entering the field from unexpected paths. Sarah Sabotka, Senior Threat Researcher at Proofpoint, joins us on this episode to discuss her background in animal cruelty investigations.
In this episode, we discuss the following:
- What a typical day in the life of an animal cruelty investigator looks like
- How Sarah used social engineering and open-source intelligence (OSINT) to build cases
- How non-traditional skills and experiences have translated to success in infosec
Resources:
https://medium.com/katies-five-cents/a-cyber-threat-intelligence-self-study-plan-part-1-968b5a8daf9a
https://medium.com/katies-five-cents/a-cyber-threat-intelligence-self-study-plan-part-2-d04b7a529d36
https://www.mandiant.com/resources/blog/cti-analyst-core-competencies-framework
Keep up with the latest tales from the threat research trenches by subscribing to DISCARDED in Apple Podcasts, Spotify, or wherever you get podcasts. Thanks for listening!
Tue, March 07, 2023
In this episode, Zydeca Cass, Senior Threat Researcher at Proofpoint, joins the show to discuss Russia-aligned threat actor TA499. Zydeca dives into what makes tracking this threat actor so unique.
Join us as we discuss:
- Who TA499 are and what they do
- What makes their activity a cyber threat others should pay attention to
- What their activity tells us about Russia-aligned groups
- How to prevent being exploited
Check out these resources we mentioned:
https://www.proofpoint.com/us/blog/threat-insight/dont-answer-russia-aligned-ta499-beleaguers-targets-video-call-requests
https://www.theguardian.com/world/2022/mar/21/video-released-showing-russian-hoax-call-with-uk-defence-secretary
Keep up with the latest tales from the threat research trenches by subscribing to DISCARDED in Apple Podcasts, Spotify, or wherever you get podcasts. Thanks for listening!
Tue, February 21, 2023
We've discussed a handful of APT actors on the Discarded podcast, aligned with Russia, Iran, China and Turkey. In this episode, we dive into the isolated world of North Korea-aligned actors with Sr. Threat Researcher Greg Lesnewich.
In this episode, we discuss the following:
- The role DPRK's culture of isolation has played in its approach to cyber espionage
- Overview of TA444 and what makes them different in the landscape
- TA444's relationship with cryptocurrency
Resources:
https://www.technologyreview.com/2020/09/10/1008282/north-korea-hackers-money-laundering-cryptocurrency-bitcoin/
https://cyberscoop.com/north-korea-lazarus-group-bangladesh-bank-donald-trump-xi-jinping/
https://www.proofpoint.com/us/blog/threat-insight/ta444-apt-startup-aimed-at-your-funds
https://www.recordedfuture.com/north-korea-internet-tool
https://go.recordedfuture.com/hubfs/reports/cta-2020-0209.pdf
Wed, February 08, 2023
Social engineering is a technique used by attackers to manipulate individuals into performing actions that may put their personal or sensitive information at risk. Attackers know the biggest weakness in cybersecurity is humans, and so they leverage socially engineered phishing emails to manipulate human psychology. In this episode, we have Dr. Bob Hausmann, Learning and Assessment Architect, joining us to discuss the psychology behind user engagement with phishing.
In this episode, we discuss the following:
- The Zone of Proximal Development
- What the Adaptive Learning Framework is
- Where ethical lines should be drawn with phishing simulations
- Psychology of social engineering in threat actor approaches
Additional resources:
https://www.proofpoint.com/us/blog/security-awareness-training/adaptive-learning-framework-security-awareness-training
https://www.forrester.com/report/the-future-of-security-awareness-and-training/RES178339
https://www.ncsc.gov.uk/blog-post/telling-users-to-avoid-clicking-bad-links-still-isnt-working
https://twitter.com/threatinsight/status/1612888307645485086
Daniel Pink, Autonomy, Mastery & Purpose: https://www.youtube.com/watch?v=rbR2V1UeB_A&feature=youtu.be
https://www.proofpoint.com/us/blog/threat-insight/exploiting-covid-19-how-threat-actors-hijacked-pandemic
Stay Puft Marshmallow Man: https://www.youtube.com/watch?v=2zhDfUAQSbs&ab_channel=Ghostbusters
2023 State of the Phish Report: Publishing on February 28, 2023 on proofpoint.com
Tue, January 24, 2023
A new year has arrived! The 2022 threat landscape had some extremely notable activity, from Russian APT actors to Microsoft's blocking of macros. We saw a lot and can guarantee threat actors won't be slowing down in 2023 and will continue to be a major threat to organizations. In this episode, Threat Research Managers Alexis Dorais-Joncas, Rich Gonzalaz and Daniel Blackford join us to share their perspectives on the 2023 threat landscape.
Join us as we discuss the following:
- What our experts are anticipating in 2023
- How vulnerabilities help in detection creation
- Emerging techniques that could be used by malicious actors
Additional resources:
https://www.proofpoint.com/us/blog/threat-insight/ta453-uses-multi-persona-impersonation-capitalize-fomo
https://www.proofpoint.com/us/blog/threat-insight/broken-dreams-and-piggy-banks-pig-butchering-crypto-fraud-growing-online
Keep up with the latest tales from the threat research trenches by subscribing to DISCARDED in Apple Podcasts, Spotify, or wherever you get podcasts. Thanks for listening!
Tue, January 10, 2023
Threat actors are disarming their victims with a new approach: the long game. Instead of asking for money or gift cards upfront, they build a connection and confidence until they cash in on the big payout. In this episode of Discarded, Selena Larson and Crista Giering are joined by Proofpoint team members Tim Kromphardt, Email Fraud Researcher, and Genina Po, Threat Analyst, to discuss socially engineered attacks and how victims are tricked.
Join us as we discuss:
- Understanding what pig butchering is
- How the scam blindsides victims
- The evolution of the fraud from China to other countries in Asia
Resources mentioned:
https://www.rappler.com/business/chinese-mafia-trafficking-filipinos-lure-lonely-professionals-cryptocurrency-scam/
https://finance.yahoo.com/news/chinese-mafia-forcing-filipinos-crypto-034555327.html
https://www.youtube.com/watch?v=720qUBQZJZ0
https://www.proofpoint.com/us/blog/threat-insight/broken-dreams-and-piggy-banks-pig-butchering-crypto-fraud-growing-online
https://www.vice.com/en/article/n7zb5d/pig-butchering-scam-cambodia-trafficking
Keep up with the latest tales from the threat research trenches by subscribing to DISCARDED in Apple Podcasts, Spotify, or wherever you get podcasts. Thanks for listening!
Wed, December 28, 2022
As the end of the year is rapidly approaching, it's important to reflect back on some of the top learnings for the year. In this special holiday edition of The Discarded podcast, Selena and Crista are joined by Mindy Semling, Podcast Producer at Proofpoint, to answer questions on their favorite things from threat research over the past year. From blogs to malware to holiday songs, we cover it all.
Join us as we discuss:
- Celebrating the year
- The 12 favorites
- A thank you to our guests
Resources mentioned:
https://www.proofpoint.com/us/blog/threat-insight/exploiting-covid-19-how-threat-actors-hijacked-pandemic
https://www.proofpoint.com/us/blog/threat-insight/broken-dreams-and-piggy-banks-pig-butchering-crypto-fraud-growing-online
https://www.proofpoint.com/us/blog/threat-insight/bumblebee-is-still-transforming
https://medium.com/mitre-attack/intelligence-failures-of-lincolns-top-spies-what-cti-analysts-can-learn-from-the-civil-war-35be8d12884
For more research, check out the Proofpoint Threat Insight blog: https://www.proofpoint.com/us/blog/threat-insight
Keep up with the latest tales from the threat research trenches by subscribing to DISCARDED in Apple Podcasts, Spotify, or wherever you get podcasts. Thanks for listening!
Tue, December 13, 2022
In this highly entertaining episode of DISCARDED, Selena Larson and Crista Giering host a wild round of "Ask Me Anything" with Sherrod DeGrippo, VP of Threat Research and Detection, and Daniel Blackford, Threat Researcher at Proofpoint. Featuring insightful questions from listeners and former guests, these industry experts cover a wide range of topics, from silly to serious.
Join us as we discuss:
- The most boring malware and common threat actor mistakes
- New developments in Ukraine and the Global South
- A proliferation of mobile malware and sports-related attacks
Keep up with the latest tales from the threat research trenches by subscribing to DISCARDED in Apple Podcasts, Spotify, or wherever you get podcasts. Thanks for listening!
Tue, November 29, 2022
Social proof is a potent tool, even in the absence of direct support. When someone is pressured to do something in the presence of trusted peers, they are more likely to follow through unless someone objects. Unfortunately, threat actors have taken notice and are investing significant time and resources into looking like a trusted party to gain access to your personal information. Josh Miller and Sam Scholten join this episode to share their experiences with the evolving intellect of attackers and their multifaceted breach strategies. Using multi-persona impersonation (MPI), attackers establish multiple accounts and increase trust by manipulating social validation, a psychological tool.
Join us as we discuss:
- The evolution of MPIs
- Email fraud taxonomy
- The role of MPI in business email compromise
Resources:
https://www.proofpoint.com/us/blog/threat-insight/ta453-uses-multi-persona-impersonation-capitalize-fomo
https://www.proofpoint.com/us/blog/threat-insight/bec-taxonomy-proofpoint-framework
Keep up with the latest tales from the threat research trenches by subscribing to DISCARDED in Apple Podcasts, Spotify, or wherever you get podcasts. Thanks for listening!
Wed, November 09, 2022
In this episode, Dr. Zachary Abzug, Manager and Tech Lead of Data Science at Proofpoint, joins the show to discuss a machine learning enabled tool called Camp Discovery, AKA Camp Disco, and the importance of the human interaction required for making use of machine learning in malware detection.
Join us as we discuss:
- What exactly Camp Disco is and the need/idea behind its creation
- How Camp Disco played a role in the discovery of Chocolatey threat activity
- Why Camp Disco uses its own neural network language model instead of an existing language model
- Natural Language Processing and how to teach a computer to speak "malware"
Check out these resources we mentioned:
https://www.proofpoint.com/us/blog/engineering-insights/using-neural-network-language-model-instead-of-bert-gpt
https://www.proofpoint.com/us/blog/threat-insight/asylum-ambuscade-state-actor-uses-compromised-private-ukrainian-military-emails
https://www.proofpoint.com/us/blog/threat-insight/emotet-tests-new-delivery-techniques
https://www.proofpoint.com/us/company/careers
Keep up with the latest tales from the threat research trenches by subscribing to DISCARDED in Apple Podcasts, Spotify, or wherever you get podcasts. Thanks for listening!
Tue, October 25, 2022
In this episode, Joe Wise, Threat Researcher at Proofpoint, joins the show to discuss his and Selena's research into a small e-crime actor, TA558, and its targeting of the hospitality and travel sector since at least 2018.
Join us as we discuss:
- Classifying threat actors and how it relates to s'mores
- Understanding e-crime vs. APT actors
- Why hospitality and travel e-crimes are still successful
- TA558's TTPs and how their consistencies have aided in Proofpoint's attribution of their activity over the years
- Joe shares his theories on why TA558 uses so many different malware types
Check out these resources we mentioned:
https://www.proofpoint.com/us/blog/threat-insight/reservations-requested-ta558-targets-hospitality-and-travel
https://embed.sounder.fm/play/299042
Keep up with the latest tales from the threat research trenches by subscribing to DISCARDED in Apple Podcasts, Spotify, or wherever you get podcasts. Thanks for listening!
Tue, October 11, 2022
Cybersecurity doesn't have to be spooky this Halloween. In this episode, Sherrod DeGrippo, VP of Threat Research and Detection at Proofpoint, joins the show to discuss all things cybersecurity awareness so you can be prepared, not scared, this October. So grab a sweet treat and pull up a seat, the Hallow-queen is about to give her hot takes!
Join us as we discuss:
- The growing risk of TOADs (Telephone-Oriented Attack Delivery)
- Benign phishing reconnaissance emails by threat actors
- What you need to know to adapt to this ever-changing threat landscape
- Bringing awareness to cybersecurity this October, even on ghost tours
Check out these resources we mentioned:
https://www.proofpoint.com/us/cybersecurity-awareness-hub
https://www.proofpoint.com/us/products/advanced-threat-protection/et-intelligence
Keep up with the latest tales from the threat research trenches by subscribing to DISCARDED in Apple Podcasts, Spotify, or wherever you get podcasts. Thanks for listening!
Tue, September 27, 2022
All for wine, and wine for all. But only if it isn't fraudulent. In July 2022, Allan Liska, an analyst at Recorded Future and wine expert, released some new research on counterfeit wine, spirits and cheese. Allan joins the show as our first ever external guest to give us an overview of what that research entailed and the different types of wine fraud he's observed. By the end of this episode, we'll all be partners in cybercrime and wine.
Join us as we discuss:
- What wine fraud is and the different types of fraud that fall under the counterfeit umbrella
- How the pandemic impacted wine fraud due to happy hours
- Some of the techniques that wine fraudsters are using to try to legitimize the fake wines
- Allan's favorite fall wines and recommendations for food pairings
Check out these resources we mentioned:
https://www.recordedfuture.com/lockdown-rise-wine-domain-scammer
https://www.recordedfuture.com/counterfeit-wine-spirits-cheese
https://www.proofpoint.com/us/blog/threat-insight/bec-taxonomy-invoice-fraud
https://www.decanter.com/wine-news/worlds-most-expensive-bottle-claimed-fake-as-renowned-collector-sued-93457/#:~:text=A%20billionaire%20Florida%20wine%20collector,to%20Thomas%20Jefferson%20are%20fakes
https://www.cbsnews.com/news/billionaire-spends-35m-to-investigate-400k-wine-fraud/
https://kermitlynch.com/
https://twitter.com/uuallan/status/1561124207727153153
Keep up with the latest tales from the threat research trenches by subscribing to DISCARDED in Apple Podcasts, Spotify, or wherever you get podcasts. Thanks for listening!
Tue, September 13, 2022
In this episode, Joshua Miller and Michael Raggi, Senior Threat Researchers at Proofpoint, join the show to discuss APT groups targeting and impersonating journalists. Joshua, Michael, and Crista discovered during their research how APT actors use journalists and their leads as a form of espionage to collect sensitive information.
Join us as we discuss:
- Proofpoint's unique report on APTs targeting journalists and insight into the motivations behind these attacks
- Understanding the "why" behind threat actors targeting or posing as journalists and media organizations
- The most common methods APT actors use in these campaigns to target or pose as journalists
- Stories about threat actors from China, Iran, Turkey, and more
Check out these resources we mentioned:
https://www.proofpoint.com/us/blog/threat-insight/above-fold-and-your-inbox-tracing-state-aligned-activity-targeting-journalists
Previous episode with Joshua: https://podcasts.apple.com/us/podcast/apt-attribution-trials-and-tribulations-from-the-field/id1612506550?i=1000571269986
Previous episode with Michael: https://podcasts.apple.com/us/podcast/web-bugs-the-tubthumping-tactics-of-chinese-threat/id1612506550?i=1000558705940
Keep up with the latest tales from the threat research trenches by subscribing to DISCARDED in Apple Podcasts, Spotify, or wherever you get podcasts. Thanks for listening!
Tue, August 23, 2022
In this episode, Sarah Sabotka, Senior Threat Researcher on the field-facing team at Proofpoint, joins the show to chat about Misfit Malware. Although it is sometimes referred to as commodity malware, this kind of malicious software is anything but boring. You'll want to stick around to find out who belongs on the Island of Misfit Malware and the importance of paying attention to the little gang of misfits.
Join us as we discuss:
- How do threat actors go about acquiring commodity malware, and how much does it cost?
- Why Misfit Malware is sometimes easily overlooked by security researchers and defenders
- Key characteristics of lures that are commonly used by threat actors who use Misfit Malware
Keep up with the latest tales from the threat research trenches by subscribing to DISCARDED in Apple Podcasts, Spotify, or wherever you get podcasts. Thanks for listening!
Tue, August 09, 2022
In this episode, Konstantin Klinger, Senior Security Research Engineer at Proofpoint, joins the show to chat about his role on the threat research team, focusing on DDX (Detonation, Detection, and Extraction). You won't want to miss his breakdown of the Pyramid of Pain and how to utilize it for threat detection engineering.
Join us as we discuss:
- Real-life examples of complex, multi-step attack chains and how they can be detected
- Utilizing the Pyramid of Pain for threat detection engineering
- How to write detections for geofencing
- The perks of incorporating automated MITRE ATT&CK detections into your sandbox
Resources:
https://www.proofpoint.com/us/blog/threat-insight/new-threat-actor-uses-spanish-language-lures-distribute-seldom-observed-bandook
https://www.proofpoint.com/us/blog/threat-insight/new-ta402-molerats-malware-targets-governments-middle-east
https://www.proofpoint.com/us/blog/threat-insight/ugg-boots-4-sale-tale-palestinian-aligned-espionage
http://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html
Keep up with the latest tales from the threat research trenches by subscribing to DISCARDED in Apple Podcasts, Spotify, or wherever you get podcasts. Thanks for listening!
Tue, July 26, 2022
In this episode, Joshua Miller and Zydeca Cass, Senior Threat Researchers at Proofpoint, join the show to discuss attribution, specifically APT actor attribution. Joshua and Zydeca dive into their experiences of attribution successes and failures, sharing tales of threat actors impersonating Russian opposition leaders and an Iranian kidnapping plot in New York. As Crista says, the good, the bad and the ugly.
Join us as we discuss:
- Understanding the difference between the two types of attribution
- How attribution can be used in e-crime versus state-aligned investigation
- Stories from Josh and Zydeca of threat actors they are tracking based in Russia and Iran
Check out these resources we mentioned:
https://twitter.com/ChicagoCyber/status/1521492543707430912
https://www.activeresponse.org/wp-content/uploads/2013/07/diamond.pdf
https://blog.talosintelligence.com/2022/01/iranian-apt-muddywater-targets-turkey.html
https://www.justice.gov/usao-sdny/pr/manhattan-us-attorney-announces-kidnapping-conspiracy-charges-against-iranian
Keep up with the latest tales from the threat research trenches by subscribing to DISCARDED in Apple Podcasts, Spotify, or wherever you get podcasts. Thanks for listening!
Tue, July 12, 2022
In this episode, Jared Peck, Senior Threat Researcher at Proofpoint, explains cryptocurrency and how bad actors are causing trouble with these new decentralized, anonymous currencies.
Join us as we discuss:
- Credential harvesting and phishing
- Malicious campaigns and extortion
- Digital money laundering
Resources:
https://www.proofpoint.com/us/blog/threat-insight/how-cyber-criminals-target-cryptocurrency
https://twitter.com/ChicagoCyber/status/1521492543707430912
https://blog.talosintelligence.com/2022/01/iranian-apt-muddywater-targets-turkey.html
https://www.proofpoint.com/us/podcasts/threat-digest#113131
https://www.proofpoint.com/us/blog/threat-insight/advance-fee-fraud-emergence-elaborate-crypto-schemes
Keep up with the latest tales from the threat research trenches by subscribing to DISCARDED in Apple Podcasts, Spotify, or wherever you get podcasts. Thanks for listening!
Tue, June 21, 2022
Tony Robinson, Threat Researcher, joins the podcast to share his expertise as a member of the Emerging Threats team at Proofpoint. Tony gives us an inside look into a day in his life as he and his teammates discover new strains of malware, respond to major vulnerabilities, and ensure that customers are protected. He also shares his advice for those interested in a career in Threat Research.
Join us as we discuss:
- How the Emerging Threats team at Proofpoint impacts customers' daily lives
- Using cybersecurity rule-sets to find new strains of malware
- Utilizing the open source security community to write new rules and stay up to date on the developing threat landscape
- The difference between rules detecting threat behaviors vs. indicators of compromise
Check out these resources we mentioned:
https://www.proofpoint.com/us/products/advanced-threat-protection/et-intelligence
https://twitter.com/da_667/status/1512255056573255693
https://twitter.com/da_667/status/1503876806478385168
Keep up with the latest tales from the threat research trenches by subscribing to DISCARDED in Apple Podcasts, Spotify, or wherever you get podcasts. Thanks for listening!
Tue, June 07, 2022
Float like a butterfly. Sting like Bumblebee malware. In this episode, Kelsey Merriman, Threat Research Analyst, and Pim Trouerbach, Senior Reverse Engineer, both with Proofpoint, share their insights from their research of the new malware downloader called Bumblebee. You won't want to miss their breakdown of Bumblebee's unique characteristics and their predictions of how its features will develop over time.
Join us as we discuss:
- The difference in tracking crimeware versus APT
- How threat actors are using Bumblebee
- The exit of BazaLoader malware and its connection to Bumblebee
Check out these resources we mentioned:
https://www.proofpoint.com/us/blog/threat-insight/isnt-optimus-primes-bumblebee-its-still-transforming
https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti
Keep up with the latest tales from the threat research trenches by subscribing to DISCARDED in Apple Podcasts, Spotify, or wherever you get podcasts. Thanks for listening!
Tue, May 24, 2022
Threat actors always take the path of least resistance to their payday. But it's a mistake to think they aren't willing to put in the work to get a human to hand feed them. Their attempts to manipulate their targets into taking action are called social engineering. What role do people play in cybersecurity? In this episode, Daniel Blackford, Threat Researcher at Proofpoint, explains how bad actors capitalize on our humanity to attack us.
Join us as we discuss:
- What lies beneath 95% of cyber attacks
- The two factors that reduce people's sensitivity to threats
- When social engineering content might be waiting for you
Check out these resources we mentioned:
https://www.proofpoint.com/us/blog/threat-insight/operation-spoofedscholars-conversation-ta453
https://www.proofpoint.com/us/blog/threat-insight/i-knew-you-were-trouble-ta456-targets-defense-contractor-alluring-social-media
https://www.proofpoint.com/us/blog/threat-insight/triple-threat-north-korea-aligned-ta406-scams-spies-and-steal
https://www.bankinfosecurity.com/kansas-man-faces-federal-charges-over-water-treatment-hack-a-16328
https://twitter.com/selenalarson/status/1224674562882834432
Keep up with the latest tales from the threat research trenches by subscribing to DISCARDED in Apple Podcasts, Spotify, or wherever you get podcasts. Thanks for listening!
Tue, May 10, 2022
When you think about the most costly threat by individual losses, most people will assume ransomware. The real threat, however, is business email compromise (BEC). But why aren't more companies talking about it, then? In this episode, Tim Kromphardt, Email Threat Researcher at Proofpoint, and Jake G. explain BEC and why organizations need to start paying more attention.
Join us as we discuss:
- The definition of BEC and why companies are paying so little attention
- Using Supernova to defend against email attacks
- Reporting on employment fraud
Check out these resources we mentioned:
IC3 Report: https://www.ic3.gov/
TOAD blog post: https://www.proofpoint.com/us/blog/threat-insight/caught-beneath-landline-411-telephone-oriented-attack-delivery
Keep up with the latest tales from the threat research trenches by subscribing to DISCARDED in Apple Podcasts, Spotify, or wherever you get podcasts. Thanks for listening!
Tue, May 10, 2022
When you think about the most costly threat by personal losses, most people will assume ransomware. The real threat, however, is business email compromise (BEC). But why aren't more companies talking about it, then? In this episode, Tim Kromphardt and Jake G. explain BEC and why organizations need to start paying more attention.
Join us as we discuss:
- The definition of BEC and why companies are paying so little attention
- Using Supernova to defend against email attacks
- Reporting on employment fraud
Check out these resources we mentioned:
BEC Taxonomy: https://www.proofpoint.com/us/blog/threat-insight/bec-taxonomy-proofpoint-framework
Supernova: https://www.proofpoint.com/us/newsroom/press-releases/proofpoint-launches-industrys-first-cloud-native-information-protection-and
IC3 Report: https://www.ic3.gov/
TOAD blog post: https://www.proofpoint.com/us/blog/threat-insight/caught-beneath-landline-411-telephone-oriented-attack-delivery
Railroad theft: https://www.cnn.com/2022/01/14/economy/la-freight-railroad-theft/index.html
Keep up with the latest tales from the threat research trenches by subscribing to DISCARDED in Apple Podcasts, Spotify, or wherever you get podcasts. Thanks for listening!
Tue, April 26, 2022
Chinese threat actor TA416, otherwise known as Mustang Panda, has been active for a long time, and every time they get knocked down, they get up again. In this episode, Michael Raggi, Senior Threat Researcher, and Pim Trouerbach, Senior Reverse Engineer, both with Proofpoint, give us an overview of TA416, the "Tubthumping" villains of the threat landscape.
Join us as we discuss:
- The evolving tactics of TA416
- PlugX malware and control flow flattening
- Tips for dealing with emerging threats
Check out these resources we mentioned:
Michael's Twitter: https://twitter.com/aRtAGGI/status/1501030779480125441
https://www.proofpoint.com/us/blog/threat-insight/good-bad-and-web-bug-ta416-increases-operational-tempo-against-european
https://www.theregister.com/2022/03/09/china_apt41_mandiant_usaherds/
Tubthumping by Chumbawamba
Keep up with the latest tales from the threat research trenches by subscribing to DISCARDED in Apple Podcasts, Spotify, or wherever you get podcasts. Thanks for listening!
Tue, April 12, 2022
Cybercriminals. They're just like us. With the Russia-Ukraine conflict, Conti found itself at odds with internal team members over the issue, eventually leading to self-destruction. Which begs the question: are these organizations as impenetrable as we thought? In this episode, we hear from Andrew Northern, Senior Threat Researcher at Proofpoint, about the resurrection of the Emotet malware, the Conti implosion, and advice to cyber defenders.
Join us as we discuss:
- The journey leading to Emotet's return
- The importance of the Conti group leaks
- What defenders should be thinking about against cyber threats
Check out these resources we mentioned:
Andrew's Twitter: https://mobile.twitter.com/ex_raritas
https://acn-marketing-blog.accenture.com/wp-content/uploads/2022/03/UPDATED-ACTI-Global-Incident-Report-Ideological-Divide-Blog-14MARCH22.pdf
https://www.wired.com/story/conti-ransomware-russia/
https://www.cnn.com/2022/03/30/politics/ukraine-hack-russian-ransomware-gang/index.html
Keep up with the latest tales from the threat research trenches by subscribing to DISCARDED in Apple Podcasts, Spotify, or wherever you get podcasts. Thanks for listening!
Tue, March 29, 2022
How are threat actors like Olympic snowboard halfpipe athletes? When their good tricks get stolen by competitors, they add new ones to their repertoire. In this episode, we hear from Joe Wise, Threat Researcher at Proofpoint, about the latest tricks from TA2541 (and why it’s so fun to research that group).
Join us as we discuss:
Changes that TA2541 has made over time
Their current strategies and patterns
Snowboarding, Home Alone, and what makes TA2541 unique
Check out this resource we mentioned:
Charting TA2541's Flight | Proofpoint US
Keep up with the latest tales from the threat research trenches by subscribing to DISCARDED in Apple Podcasts, Spotify, or wherever you get podcasts. Thanks for listening!
Tue, March 15, 2022
Until recently, threat actors haven’t really invested much time in MFA phish kits because not a lot of people used MFA. (Everyone needs MFA, full stop.) Now that adoption has grown, threat actors are using more advanced multi-factor-authentication-enabled phish kits. Find out why in our first episode of DISCARDED, where we hear from Tim Kromphardt, Email Threat Researcher at Proofpoint, about why MFA kits are sort of like Justin Bieber ticket thieves.
Join us as we discuss:
How MFA kits differ from ordinary phish kits
What threat actors and researchers have in common
A technical dive into transparent reverse proxies
Why you need multifactor authentication despite the rise of MFA kits
Check out these resources we mentioned during the podcast:
MFA PSA, Oh My!
Catching Transparent Phish: Analyzing and Detecting MITM Phishing Toolkits
Keep up with the latest tales from the threat research trenches by subscribing to DISCARDED in Apple Podcasts, Spotify, or wherever you get podcasts. Thanks for listening!
Wed, March 02, 2022
If you asked for M&M’s and received Skittles, you might pop a few in your mouth, but it won’t take long to realize something’s off. This is exactly what’s happening with RTF files: instead of the intended attachment, unaware companies are delivering these files and realizing later that they were actually malicious. On this episode of Protecting People, hosts Selena Larson and Crista Giering chat with Michael Raggi, Senior Threat Research Engineer at Proofpoint, about RTF files, template injection, and campaigns using the technique, in an effort to make sure customers aren’t being surprised with “Skittles.”
Join us as we discuss:
The importance of template injection
Campaigns using the technique
Widespread adoption of RTF injection
Mitigating and monitoring the technique
Resource mentioned:
https://www.proofpoint.com/us/blog/threat-insight/injection-new-black-novel-rtf-template-inject-technique-poised-widespread
For more episodes like this one, subscribe to us on Apple Podcasts, Spotify, and the Proofpoint website, or just search for Protecting People in your favorite podcast player.