DISCARDED: Tales from the Threat Research Trenches is a podcast for security practitioners, intelligence analysts, and threat hunters looking to learn more about threat behaviors and attack patterns. In each episode you'll hear real-world insights from our researchers about the latest trends in malware, threat actors, TTPs, and more. Welcome to DISCARDED.
Threat actors are disarming their victims with a new approach: the long game. Instead of asking for money or gift cards upfront, they build a connection and confidence until they cash in on the big payout. In this episode of Discarded, Selena Larson and Crista Giering are joined by Proofpoint team members Tim Kromphardt, Email Fraud Researcher, and Genina Po, Threat Analyst, to discuss socially engineered attacks and how victims are tricked.

Join us as we discuss:
- Understanding what pig butchering is
- How the scam blindsides victims
- The evolution of the fraud from China to other countries in Asia

Resources mentioned:
- https://www.rappler.com/business/chinese-mafia-trafficking-filipinos-lure-lonely-professionals-cryptocurrency-scam/
- https://finance.yahoo.com/news/chinese-mafia-forcing-filipinos-crypto-034555327.html
- https://www.youtube.com/watch?v=720qUBQZJZ0
- https://www.proofpoint.com/us/blog/threat-insight/broken-dreams-and-piggy-banks-pig-butchering-crypto-fraud-growing-online
- https://www.vice.com/en/article/n7zb5d/pig-butchering-scam-cambodia-trafficking

Keep up with the latest tales from the threat research trenches by subscribing to DISCARDED in Apple Podcasts, Spotify, or wherever you get podcasts. Thanks for listening!
As the end of the year is rapidly approaching, it's important to reflect back on some of the top learnings for the year. In this special holiday edition of The Discarded podcast, Selena and Crista are joined by Mindy Semling, Podcast Producer at Proofpoint, to answer questions on their favorite things from threat research over the past year — from blogs to malware to holiday songs, we cover it all.

Join us as we discuss:
- Celebrating the year
- The 12 favorites
- A thank you to our guests

Resources mentioned:
- https://www.proofpoint.com/us/blog/threat-insight/exploiting-covid-19-how-threat-actors-hijacked-pandemic
- https://www.proofpoint.com/us/blog/threat-insight/broken-dreams-and-piggy-banks-pig-butchering-crypto-fraud-growing-online
- https://www.proofpoint.com/us/blog/threat-insight/bumblebee-is-still-transforming
- https://medium.com/mitre-attack/intelligence-failures-of-lincolns-top-spies-what-cti-analysts-can-learn-from-the-civil-war-35be8d12884

For more research, check out the Proofpoint Threat Insight blog: https://www.proofpoint.com/us/blog/threat-insight
In this highly entertaining episode of DISCARDED, Selena Larson and Crista Giering host a wild round of "Ask Me Anything" with Sherrod DeGrippo, VP of Threat Research and Detection, and Daniel Blackford, Threat Researcher at Proofpoint. Featuring insightful questions from listeners and former guests, these industry experts cover a wide range of topics, from silly to serious.

Join us as we discuss:
- The most boring malware and common threat actor mistakes
- New developments in Ukraine and the Global South
- A proliferation of mobile malware and sports-related attacks
Social proof is a potent tool, even in the absence of direct support. When someone is pressured to do something in the presence of trusted peers, they are more likely to follow through unless someone objects. Unfortunately, threat actors have taken notice and are investing significant time and resources into looking like a trusted party to gain access to your personal information. Josh Miller and Sam Scholten join this episode to share their experiences with the evolving intellect of attackers and their multifaceted breach strategies. Using multi-persona impersonation (MPI), attackers establish multiple accounts and increase trust by manipulating social validation — a psychological tool.

Join us as we discuss:
- The evolution of MPI
- Email fraud taxonomy
- The role of MPI in business email compromise

Resources:
- https://www.proofpoint.com/us/blog/threat-insight/ta453-uses-multi-persona-impersonation-capitalize-fomo
- https://www.proofpoint.com/us/blog/threat-insight/bec-taxonomy-proofpoint-framework
In this episode, Dr. Zachary Abzug, Manager and Tech Lead of Data Science at Proofpoint, joins the show to discuss a machine learning enabled tool called Camp Discovery, AKA Camp Disco, and the importance of the human interaction required for making use of machine learning in malware detection.

Join us as we discuss:
- What exactly Camp Disco is and the need/idea behind its creation
- How Camp Disco played a role in the discovery of Chocolatey threat activity
- Why Camp Disco uses its own neural network language model instead of an existing language model
- Natural Language Processing and how to teach a computer to speak "malware"

Check out these resources we mentioned:
- https://www.proofpoint.com/us/blog/engineering-insights/using-neural-network-language-model-instead-of-bert-gpt
- https://www.proofpoint.com/us/blog/threat-insight/asylum-ambuscade-state-actor-uses-compromised-private-ukrainian-military-emails
- https://www.proofpoint.com/us/blog/threat-insight/emotet-tests-new-delivery-techniques
- https://www.proofpoint.com/us/company/careers
In this episode, Joe Wise, Threat Researcher at Proofpoint, joins the show to discuss his and Selena's research into a small e-crime actor, TA558, and its targeting of the hospitality and travel sector since at least 2018.

Join us as we discuss:
- Classifying threat actors and how it relates to s'mores
- Understanding e-crime vs. APT actors
- Why hospitality and travel e-crimes are still successful
- TA558's TTPs and how their consistency has aided Proofpoint's attribution of the group's activity over the years
- Joe's theories on why TA558 uses so many different malware types

Check out these resources we mentioned:
- https://www.proofpoint.com/us/blog/threat-insight/reservations-requested-ta558-targets-hospitality-and-travel
- https://embed.sounder.fm/play/299042
Cybersecurity doesn't have to be spooky this Halloween. In this episode, Sherrod DeGrippo, VP of Threat Research and Detection at Proofpoint, joins the show to discuss all things cybersecurity awareness so you can be prepared, not scared, this October. So grab a sweet treat and pull up a seat, the Hallow-queen is about to give her hot takes!

Join us as we discuss:
- The growing risk of TOADs (Telephone-Oriented Attack Delivery)
- Benign phishing reconnaissance emails by threat actors
- What you need to know to adapt to this ever-changing threat landscape
- Bringing awareness to cybersecurity this October, even on ghost tours

Check out these resources we mentioned:
- https://www.proofpoint.com/us/cybersecurity-awareness-hub
- https://www.proofpoint.com/us/products/advanced-threat-protection/et-intelligence
All for wine, and wine for all. But only if it isn't fraudulent. In July 2022, Allan Liska, an analyst at Recorded Future and wine expert, released some new research on counterfeit wine, spirits and cheese. Allan joins the show as our first ever external guest to give us an overview of what that research entailed and the different types of wine fraud he's observed. By the end of this episode, we'll all be partners in cybercrime and wine.

Join us as we discuss:
- What wine fraud is and the different types of fraud that fall under the counterfeit umbrella
- How the pandemic impacted wine fraud due to happy hours
- Some of the techniques that wine fraudsters are using to try to legitimize the fake wines
- Allan's favorite fall wines and recommendations for food pairings

Check out these resources we mentioned:
- https://www.recordedfuture.com/lockdown-rise-wine-domain-scammer
- https://www.recordedfuture.com/counterfeit-wine-spirits-cheese
- https://www.proofpoint.com/us/blog/threat-insight/bec-taxonomy-invoice-fraud
- https://www.decanter.com/wine-news/worlds-most-expensive-bottle-claimed-fake-as-renowned-collector-sued-93457/#:~:text=A%20billionaire%20Florida%20wine%20collector,to%20Thomas%20Jefferson%20are%20fakes
- https://www.cbsnews.com/news/billionaire-spends-35m-to-investigate-400k-wine-fraud/
- https://kermitlynch.com/
- https://twitter.com/uuallan/status/1561124207727153153
In this episode, Joshua Miller and Michael Raggi, Senior Threat Researchers at Proofpoint, join the show to discuss APT groups targeting and impersonating journalists. During their research, Joshua, Michael, and Crista discovered how APT actors use journalists and their leads as a form of espionage to collect sensitive information.

Join us as we discuss:
- Proofpoint's unique report on APTs targeting journalists and insight into the motivations behind these attacks
- Understanding the "why" behind threat actors targeting or posing as journalists and media organizations
- The most common methods APT actors use in these campaigns to target or pose as journalists
- Stories about threat actors from China, Iran, Turkey, and more

Check out these resources we mentioned:
- https://www.proofpoint.com/us/blog/threat-insight/above-fold-and-your-inbox-tracing-state-aligned-activity-targeting-journalists
- Previous episode with Joshua: https://podcasts.apple.com/us/podcast/apt-attribution-trials-and-tribulations-from-the-field/id1612506550?i=1000571269986
- Previous episode with Michael: https://podcasts.apple.com/us/podcast/web-bugs-the-tubthumping-tactics-of-chinese-threat/id1612506550?i=1000558705940
In this episode, Sara Sabotka, Senior Threat Researcher on the field-facing team at Proofpoint, joins the show to chat about Misfit Malware. Although it is sometimes referred to as commodity malware, this kind of malicious software is anything but boring. You'll want to stick around to find out who belongs on the Island of Misfit Malware and why it is important to pay attention to the little gang of misfits.

Join us as we discuss:
- How foreign threat actors go about acquiring commodity malware and how much it costs
- Why Misfit Malware is sometimes easily overlooked by security researchers and defenders
- Key characteristics of lures that are commonly used by threat actors who use Misfit Malware
In this episode, Konstantin Klinger, Senior Security Research Engineer at Proofpoint, joins the show to chat about his role on the threat research team, focusing on DDX (Detonation, Detection, and Extraction). You won't want to miss his breakdown of the Pyramid of Pain and how to utilize it for threat detection engineering.

Join us as we discuss:
- Real-life examples of complex, multi-step attack chains and how they can be detected
- Utilizing the Pyramid of Pain for threat detection engineering
- How to write detections for geofencing
- The perks of incorporating automated MITRE ATT&CK detections into your sandbox

Resources:
- https://www.proofpoint.com/us/blog/threat-insight/new-threat-actor-uses-spanish-language-lures-distribute-seldom-observed-bandook
- https://www.proofpoint.com/us/blog/threat-insight/new-ta402-molerats-malware-targets-governments-middle-east
- https://www.proofpoint.com/us/blog/threat-insight/ugg-boots-4-sale-tale-palestinian-aligned-espionage
- http://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html
In this episode, Joshua Miller and Zydeca Cass, Senior Threat Researchers at Proofpoint, join the show to discuss attribution, specifically APT actor attribution. Joshua and Zydeca dive into their experiences of attribution successes and failures, sharing tales of threat actors impersonating Russian opposition leaders and an Iranian kidnapping plot in New York. As Crista says, the good, the bad and the ugly.

Join us as we discuss:
- Understanding the difference between the two types of attribution
- How attribution is used in e-crime versus state-aligned investigations
- Stories from Josh and Zydeca of threat actors they are tracking based in Russia and Iran

Check out these resources we mentioned:
- https://twitter.com/ChicagoCyber/status/1521492543707430912
- https://www.activeresponse.org/wp-content/uploads/2013/07/diamond.pdf
- https://blog.talosintelligence.com/2022/01/iranian-apt-muddywater-targets-turkey.html
- https://www.justice.gov/usao-sdny/pr/manhattan-us-attorney-announces-kidnapping-conspiracy-charges-against-iranian
In this episode, Jared Peck, Senior Threat Researcher at Proofpoint, explains cryptocurrency and how bad actors are causing trouble with these new decentralized, anonymous currencies.

Join us as we discuss:
- Credential harvesting and phishing
- Malicious campaigns and extortion
- Digital money laundering

Resources:
- https://www.proofpoint.com/us/blog/threat-insight/how-cyber-criminals-target-cryptocurrency
- https://twitter.com/ChicagoCyber/status/1521492543707430912
- https://blog.talosintelligence.com/2022/01/iranian-apt-muddywater-targets-turkey.html
- https://www.proofpoint.com/us/podcasts/threat-digest#113131
- https://www.proofpoint.com/us/blog/threat-insight/advance-fee-fraud-emergence-elaborate-crypto-schemes
Tony Robinson, Threat Researcher, joins the podcast to share his expertise as a member of the Emerging Threats team at Proofpoint. Tony gives us an inside look into a day in his life as he and his teammates discover new strains of malware, respond to major vulnerabilities, and ensure that customers are protected. He also shares his advice for those interested in a career in threat research.

Join us as we discuss:
- How the Emerging Threats team at Proofpoint impacts customers' daily lives
- Using cybersecurity rule sets to find new strains of malware
- Utilizing the open source security community to write new rules and stay up to date on the developing threat landscape
- The difference between rules that detect threat behaviors and rules that detect indicators of compromise

Check out these resources we mentioned:
- https://www.proofpoint.com/us/products/advanced-threat-protection/et-intelligence
- https://twitter.com/da_667/status/1512255056573255693
- https://twitter.com/da_667/status/1503876806478385168
Float like a butterfly. Sting like Bumblebee malware. In this episode, Kelsey Merriman, Threat Research Analyst, and Pim Trouerbach, Senior Reverse Engineer, both with Proofpoint, share their insights from their research of the new malware downloader called Bumblebee. You won't want to miss their breakdown of Bumblebee's unique characteristics and their predictions of how its features will develop over time.

Join us as we discuss:
- The difference between tracking crimeware and tracking APT activity
- How threat actors are using Bumblebee
- The exit of BazaLoader malware and its connection to Bumblebee

Check out these resources we mentioned:
- https://www.proofpoint.com/us/blog/threat-insight/isnt-optimus-primes-bumblebee-its-still-transforming
- https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti
Threat actors always take the path of least resistance to their payday. But it's a mistake to think they aren't willing to put in the work to get a human to hand feed them. Their attempts to manipulate their targets into taking action are called social engineering. What role do people play in cybersecurity? In this episode, Daniel Blackford, Threat Researcher at Proofpoint, explains how bad actors capitalize on our humanity to attack us.

Join us as we discuss:
- What lies beneath 95% of cyber attacks
- The two factors that reduce people's sensitivity to threats
- When social engineering content might be waiting for you

Check out these resources we mentioned:
- https://www.proofpoint.com/us/blog/threat-insight/operation-spoofedscholars-conversation-ta453
- https://www.proofpoint.com/us/blog/threat-insight/i-knew-you-were-trouble-ta456-targets-defense-contractor-alluring-social-media
- https://www.proofpoint.com/us/blog/threat-insight/triple-threat-north-korea-aligned-ta406-scams-spies-and-steal
- https://www.bankinfosecurity.com/kansas-man-faces-federal-charges-over-water-treatment-hack-a-16328
- https://twitter.com/selenalarson/status/1224674562882834432
When you think about the most costly threat by personal losses, most people will assume ransomware. The real threat, however, is business email compromise (BEC). But why aren't more companies talking about it, then? In this episode, Tim Kromphardt and Jake G. explain BEC and why organizations need to start paying more attention.

Join us as we discuss:
- The definition of BEC and why companies are paying so little attention
- Using Supernova to defend against email attacks
- Reporting on employment fraud

Check out these resources we mentioned:
- BEC Taxonomy: https://www.proofpoint.com/us/blog/threat-insight/bec-taxonomy-proofpoint-framework
- Supernova: https://www.proofpoint.com/us/newsroom/press-releases/proofpoint-launches-industrys-first-cloud-native-information-protection-and
- IC3 Report: https://www.ic3.gov/
- TOAD blog post: https://www.proofpoint.com/us/blog/threat-insight/caught-beneath-landline-411-telephone-oriented-attack-delivery
- Railroad theft: https://www.cnn.com/2022/01/14/economy/la-freight-railroad-theft/index.html
Chinese threat actor TA416, otherwise known as Mustang Panda, has been active for a long time, and every time they get knocked down, they get up again. In this episode, Michael Raggi, Senior Threat Researcher, and Pim Trouerbach, Senior Reverse Engineer, both with Proofpoint, give us an overview of TA416 — the "Tubthumping" villains of the threat landscape.

Join us as we discuss:
- The evolving tactics of TA416
- PlugX malware and control flow flattening
- Tips for dealing with emerging threats

Check out these resources we mentioned:
- Michael's Twitter: https://twitter.com/aRtAGGI/status/1501030779480125441
- https://www.proofpoint.com/us/blog/threat-insight/good-bad-and-web-bug-ta416-increases-operational-tempo-against-european
- https://www.theregister.com/2022/03/09/china_apt41_mandiant_usaherds/
- Tubthumping by Chumbawamba
Cybercriminals. They're just like us. With the Russia-Ukraine conflict, Conti found itself at odds with internal team members over the issue — eventually leading to self-destruction. Which begs the question: are these organizations as impenetrable as we thought? In this episode, we hear from Andrew Northern, Senior Threat Researcher at Proofpoint, about the resurrection of the Emotet malware, the Conti implosion, and advice for cyber defenders.

Join us as we discuss:
- The journey leading to Emotet's return
- The importance of the Conti group leaks
- What defenders should be thinking about against cyber threats

Check out these resources we mentioned:
- Andrew's Twitter: https://mobile.twitter.com/ex_raritas
- https://acn-marketing-blog.accenture.com/wp-content/uploads/2022/03/UPDATED-ACTI-Global-Incident-Report-Ideological-Divide-Blog-14MARCH22.pdf
- https://www.wired.com/story/conti-ransomware-russia/
- https://www.cnn.com/2022/03/30/politics/ukraine-hack-russian-ransomware-gang/index.html
How are threat actors like Olympic snowboard halfpipe athletes? When their good tricks get stolen by competitors, they add new ones to their repertoire. In this episode, we hear from Joe Wise, Threat Researcher at Proofpoint, about the latest tricks from TA2541 (and why it's so fun to research that group).

Join us as we discuss:
- Changes that TA2541 has made over time
- Their current strategies and patterns
- Snowboarding, Home Alone, and what makes TA2541 unique

Check out this resource we mentioned:
- Charting TA2541's Flight | Proofpoint US
Until recently, threat actors haven't really invested much time in MFA phish kits because not a lot of people used MFA. (Everyone needs MFA, full stop.) Consequently, threat actors are now using more advanced multi-factor authentication-enabled phish kits. Find out why in our first episode of DISCARDED, where we hear from Tim Kromphardt, Email Threat Researcher at Proofpoint, about why MFA kits are sort of like Justin Bieber ticket thieves.

Join us as we discuss:
- How MFA kits differ from ordinary phish kits
- What threat actors and researchers have in common
- A technical dive into transparent reverse proxies
- Why you need multi-factor authentication despite the rise of MFA kits

Check out these resources we mentioned during the podcast:
- MFA PSA, Oh My!
- Catching Transparent Phish: Analyzing and Detecting MITM Phishing Toolkits
If you asked for M&M's and received Skittles, you might pop a few in your mouth, but it won't take long to realize something's off. This is exactly what's happening with RTF files: instead of the intended attachment, unaware companies are delivering these files and realizing later that they were actually malicious. On this episode of Protecting People, hosts Selena Larson and Crista Giering chat with Michael Raggi, Senior Threat Research Engineer at Proofpoint, about RTF files, template injection, and campaigns using the technique, in an effort to make sure customers aren't being surprised with "Skittles."

Join us as we discuss:
- The importance of template injection
- Campaigns using the technique
- Widespread adoption of RTF template injection
- Mitigating and monitoring the technique

Resource mentioned:
- https://www.proofpoint.com/us/blog/threat-insight/injection-new-black-novel-rtf-template-inject-technique-poised-widespread

For more episodes like this one, subscribe to us on Apple Podcasts, Spotify, and the Proofpoint website, or just search for Protecting People in your favorite podcast player.