56 episodes

DISCARDED: Tales from the Threat Research Trenches is a podcast for security practitioners, intelligence analysts, and threat hunters looking to learn more about the threat behaviors and attack patterns. Each episode you’ll hear real world insights from our researchers about the latest trends in malware, threat actors, TTPs, and more.
Welcome to DISCARDED

DISCARDED: Tales From the Threat Research Trenches Proofpoint

    • Technology

    Decrypting Cyber Threats: Tactics, Takedowns, and Resilience

    Hello to all our cyber pals! Joining our series host, Selena Larson, is our co-host today, Tim Kromphardt. Together they welcome our special guest–Daniel Blackford, the Director of Threat Research at Proofpoint. The conversation dives into the intricate world of cyber threats and the impact of law enforcement disruptions on malware, botnets, and ransomware actors.

    We'll explore how threat actors react when their preferred infrastructures or ransomware-as-a-service systems get taken down, offering insights into their various responses—from rebuilding and rebranding to the emergence of new power players in the cybercriminal ecosystem.

    We also talk about: 
    * Analysis of the Hive ransomware takedown and the massive Qbot operation, including the technical and human aspects of these disruptions
    * How other groups rise to prominence despite disruptions
    * Differences between malware disruptions and business email compromise (BEC) or fraud-focused disruptions
    * The evolution of threat actor techniques, such as legitimate remote management tools and living off the land techniques

    For more information about Proofpoint, check out our website.

    Subscribe & Follow:
    Don't miss out on future episodes—subscribe to the Discarded Podcast on your favorite platform.

    • 43 min
    It Works on My Machine: Why and How Engineering Skills Matter in Threat Research

    The Discarded Podcast team is gearing up and working hard for a new season! Until then we have a special Re-Run treat--one of our favorite episodes! Enjoy!

    Engineering skills can play a massively beneficial role in cyber security, as Pim Trouerbach, a Senior Reverse Engineer at Proofpoint, and Jacob Latonis, Senior Threat Research Engineer at Proofpoint, are able to share.

    They emphasize the importance of understanding the requirements and context of security researchers to build effective tools. The conversation touches on the potential impact of AI and LLMs (large language models) in threat research. While AI tools can be valuable for entry-level tasks, the context, experience, and expertise of human engineers are essential for handling complex code and understanding threat actors' behaviors.

    Join us as we also discuss:
    [02:59] The uniqueness of engineering skills in understanding researchers' requirements for data cleaning, tool development, and working in a security environment.
    [11:06] How the versioning in malware samples can provide insights into the threat actors' behavior and trajectory.
    [13:24] How malware is simply software with malicious intent, and how practices of developers and threat actors can overlap.
    [17:10] The tools and techniques used by threat actors, including obfuscation and encryption methods.
    [21:42] The importance of context and experience in writing tools and understanding researchers' workflows.

    For more information, check out our website.

    • 46 min
    Decoding TA4903: Exploring the Dual Objectives of a Unique Cyber Threat Actor

    Today’s focus is on the elusive threat actor known as TA4903. But that's not all - we've got a special treat for you as well. Our longtime producer, Mindy, is joining us as a co-host, bringing her expertise and insights to the table, as we turn the mic around and interview Selena!

    We explore recent research conducted by Selena and her team on TA4903’s distinct objectives. Unlike many cybercrime actors, TA4903 demonstrates a unique combination of tactics, targeting both high-volume credential phishing campaigns and lower-volume direct business email compromises.

    We also dive into:
    * TA4903 spoofs government entities like the Department of Transportation and the Department of Labor to lure victims
    * Use of advanced techniques including EvilProxy for multi-factor authentication token theft and QR codes for phishing campaigns
    * Rising trends in cryptocurrency-related scams and other financial frauds
    Resources mentioned:
    MFA Bypass (Blog) by Timothy Kromphardt

    IC3 2023 FBI Report 

    New TA4903 research: https://www.proofpoint.com/us/blog/threat-insight/ta4903-actor-spoofs-us-government-small-businesses-phishing-bec-bids

    For more information, check out our website.

    • 40 min
    A Trip Down Malware Lane: How Today's Hottest Malware Stacks Up Against Predecessors

    It has been a busy first quarter for the Proofpoint Threat Research team! Today we have returning guest, Pim Trouerbach, to share his personal stories about his favorite malware and discuss the current landscape, including insights on Pikabot, Latrodectus, and WikiLoader. 

    The conversation explores the evolution from old school banking trojans to the current favored payloads from major cybercrime actors, and the changes in malware development through the years. Pim shares details of the meticulous analysis and research efforts behind that work, and we learn about mechanisms to combat the malware.

    We also dive into:
    * a valuable lesson about the consequences of malware running rampant in a sandbox environment
    * the shifts in attack chains and tactics employed by threat actors
    * the need for adaptive detection methods to combat evolving cyber threats

    Resources mentioned:
    Countdown to Zero Day by Kim Zetter

    Shareable Links:
    https://www.proofpoint.com/us/blog/threat-insight/out-sandbox-wikiloader-digs-sophisticated-evasion 

    https://www.proofpoint.com/us/blog/threat-insight/ta577s-unusual-attack-chain-leads-ntlm-data-theft

    https://www.proofpoint.com/us/blog/threat-insight/battleroyal-darkgate-cluster-spreads-email-and-fake-browser-updates

    https://www.proofpoint.com/us/blog/threat-insight/bumblebee-buzzes-back-black

    https://www.proofpoint.com/us/blog/threat-insight/security-brief-tis-season-tax-hax 

    Pim’s Favorite Malware: 

    * Emotet: https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-280a 

    * IcedID: https://www.proofpoint.com/us/blog/threat-insight/fork-ice-new-era-icedid  

    * Dridex: https://www.cisa.gov/news-events/cybersecurity-advisories/aa19-339a 

    * Hancitor: https://malpedia.caad.fkie.fraunhofer.de/details/win.hancitor 

    * Qbot: https://malpedia.caad.fkie.fraunhofer.de/details/win.qakbot 

    * Hikit (APT): https://attack.mitre.org/software/S0009/ 

    * Stuxnet (APT): https://www.penguinrandomhouse.com/books/219931/countdown-to-zero-day-by-kim-zetter/ 

    * Cutwail: https://malpedia.caad.fkie.fraunhofer.de/details/win.cutwail

    For more information, check out our website.

    • 56 min
    Hiding In Plain Sight: Unique Methods Of C2 From Infostealers

    Network-based detections, such as those developed by threat detection engineers using tools like Suricata and Snort signatures, play a crucial role in identifying and mitigating cyber threats by scrutinizing and analyzing network traffic for malicious patterns and activities.

    Today’s guest is Isaac Shaughnessy, a Threat Detection Engineer at Proofpoint. Isaac shares his insights into the challenges of detecting and mitigating malware, especially those using social platforms for command and control. He emphasizes the team's engagement with the InfoSec community, highlighting the value of platforms like Twitter and Mastodon for sharing and receiving information.

    We also dive into:
    * the unique challenges of crafting effective signatures
    * the specifics of malware, focusing on Vidar stealer and highlighting the dynamic nature of Vidar's command and control infrastructure
    * the distribution methods of these malware strains, from email campaigns to unconventional tactics like using video game platforms and social media for luring victims
    Resources mentioned:

    Intro to Traffic Analysis w/ Isaac Shaughnessy
    Emerging Threats Mastodon: https://infosec.exchange/@emergingthreats
    Threat Insight Mastodon: https://infosec.exchange/@threatinsight
    Vidar Stealer Picks Up Steam!

    For more information, check out our website.

    • 27 min
    From Attribution to Advancement: Red Canary’s Katie Nickels Tackles CTI’s Biggest Questions

    The esteemed Katie Nickels joins us on the show today! Katie is the Director of Intelligence Operations at Red Canary, and our conversation with her explores a wide array of topics, ranging from career growth in threat intelligence to the intricacies of attribution and threat actor naming.

    Katie delves into her diverse career journey and transitions to advice for those entering the field, emphasizing persistence, creativity, and considering entry-level roles like SOC analyst positions. There is also talk of avoiding burnout while pursuing one’s passion, especially in cybersecurity.

    We also dive into:
    * Communication and attribution challenges, including the confusion of different naming conventions
    * Marketing and the personification of threat actors
    * Strategic approaches in handling incidents and avoiding panic
    For more information, check out our website.

    • 47 min