Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Proofpoint. Show all posts
US Healthcare
Cyber Attacks cybersecurity research Healthcare Data Healthcare organizations Proofpoint US Healthcare

88% of Healthcare Organizations Have Suffered a Cybersecurity Incident in Past Year


Organizations included in the healthcare sector, like hospitals and clinics, have struggled with a series of cyberattacks in recent years, resulting in their inability to provide even the minimum services because of computer outages and loss of important files in the data breaches.

In a recent report published on Wednesday by research conducted by Proofpoint, an email security company, around 90% of healthcare organizations have experienced at least one cybersecurity incident in the past year. 

In the past two years, more than half of the healthcare organizations have reported to have experienced an average of four ransomware attacks. 68% of the organizations surveyed noted that the attacks “negatively impacted patient safety and care.”

The aforementioned report conducted by Proofpoint includes a survey of more than 650 IT and cybersecurity professionals in the US healthcare sector, highlighting the healthcare sector's ongoing susceptibility to common attack methods. It occurs as the Cybersecurity and Infrastructure Security Agency works to provide greater assistance to small, rural hospitals that are underfunded and wilting under constant cyberattacks.

As healthcare organizations struggle to find alternatives to their outdated technology so they can keep providing services, these efforts are using up more and more of their resources. Between 2022 and 2023, the cost of the time spent minimizing the attacks' consequences on patient care rose by 50%, from around $660,000 to $1 million.

In the case of ransomware assault in hospital systems, where computer networks shut down, the impact is rapid and extensive. 

Stephen Leffler, president and chief operating officer of the University of Vermont Medical Center, spoke about how a ransomware assault in October 2020 brought about a catastrophe at his facility during a congressional hearing in September. For 28 days, senior physicians had to train junior physicians on how to use paper records as the National Guard assisted the IT department in a round-the-clock operation to wipe and reconfigure every computer in the network.

Leffler remarked, "We literally went to Best Buy and bought every walkie-talkie they had." This was due to their internet-based phone system being offline. Between 2022 and 2023, the cost of patient care grew by 50%, from about $660,000 to $1 million.

Leffler, who has been an emergency medicine doctor for 30 years, further commented “I've been a hospital president for four years. The cyberattack was much harder than the pandemic by far.” 

Read more »
SVB
BEC Attacks Cyber Security Domain Phishing Attack Proofpoint SVB

Cybercriminals Exploit SVB's Downfall for Phishing

The downfall of Silicon Valley Bank (SVB) on March 10, 2023, has caused instability all across the global financial system, but for hackers, scammers, and phishing schemes, it's evolving into a huge opportunity.

Security experts have already observed a variety of schemes that take advantage of the situation, which has severely hurt tech companies. Proofpoint researchers reported on Twitter that they have observed scammers sending fraudulent emails pertaining to a cryptocurrency company impacted by the failure of SVB.

On March 12, a considerable amount of domain names with the name SVB were registered. Threat actors are preparing for business email compromise (BEC) attacks by registering suspicious domains, creating phishing pages, and more. These operations seek to defraud targets by stealing money, account information, or malware.

A campaign using lures related to USDC, a digital stablecoin linked to the USD that was impacted by the SVB collapse, was found, as per Proofpoint. Fraudulent cryptocurrency businesses were defamed in messages sent through malicious SendGrid accounts that pointed users to URLs where they could claim their cryptocurrency.

A substantial KYC phishing campaign using SVB branding and a template with a DocuSign theme was found, as per Cloudflare. Within hours of the campaign's inception, 79 instances were where it was discovered. An assault that included HTML code with a first link that changed four times before linking to an attacker-controlled website was also intended at the company's CEO.

The HTML file used in the attack directs the user to a WordPress instance with the capacity to do the recursive redirection, however, it is unclear if this specific WordPress installation has been hijacked or if a plugin was set up to enable the redirect.







Read more »
URL
Cyber Security JavaScript Malicious actor Microsoft PDFs Phishing Attacks Proofpoint Russian Hackers URL

Cybercrime Utilizes Screenshotter to Find Targets in US

Organizations in Germany and the United States are targets of a new threat actor identified as TA886 that requires new, proprietary malware to spy on users and steal their data from affected devices. Proofpoint reported that it initially identified the previously unidentified cluster of activity in October 2022 and that it persisted into 2023.

Malicious Microsoft Publisher (.pub) attachments with macros, URLs leading to.pub files with macros, or PDFs with URLs that download risky JavaScript files are some of the ways the threat actor targets victims.

According to the researchers, which gave the operation the name Screentime, it is being carried out by a brand-new malicious attacker known as TA866. Although it is possible that the group is well-known to the larger cybersecurity sector, no one has been able to connect to any other groups or initiatives.

According to Proofpoint, TA866 is an "organized actor capable of performing well-planned attacks at scale based on their availability of custom tools, ability and connections to buy tools and services from other vendors, and increasing activity volumes."

As a result of some variable names and phrases in their stage-two payloads being written in Russian, the researchers further speculate that the threat actors may be Russian. In Screentime, TA866 would send phishing emails in an effort to get victims to download the harmful WasabiSeed payload. According to the stage-two payloads that the threat actors deem appropriate at the time, this malware develops persistence on the target endpoint.

AHK Bot has been seen downloading and loading the Rhadamanthys information thief into memory while also deploying a script to inspect the victim's computer's Active Directory (AD) domain. According to Proofpoint, the AD profile may result in the compromising of additional domain-joined hosts.

As per Proofpoint, the activity continued into 2023 after the first indications of Screentime advertisements appeared in October 2022. The campaigns have an indiscriminate impact on all industries in terms of verticals.


Read more »
ZIP File
iOS malware Payloads Phishing Attacks Proofpoint ZIP File

TA558 Malware Attacks Travel and Hospitality Services

A persistent wave of attacks on Latin American hospitality, hotel, and travel firms with the intention of planting malware on compromised systems have been attributed to a financially motivated cybercrime ring.

Proofpoint researchers are keeping tabs on a malware campaign being run by the TA558 malware gang. The organization used Loda RAT, Vjw0rm, and Revenge RAT among other malware in its attacks. 

The gang has been active at a faster rate than usual in 2022, with intrusions mostly targeted at Latin American Portuguese and Spanish speakers and to a lesser level at Western European and North American speakers.

The group uses phishing campaigns that involve sending malicious spam messages with lures that have a travel theme, like hotel reservations, that contain weaponized documents or URLs in an effort to persuade unwitting users to install trojans that can conduct reconnaissance, steal data, and distribute add-on payloads.

To download and install a variety of malware, including AsyncRAT, Loda RAT, Revenge RAT, and Vjw0rm, the assaults conducted between 2018 and 2021 made use of emails with malicious Word documents that either contained VBA macros or exploits for vulnerabilities like CVE-2017-11882 and CVE-2017-8570.

In more recent attacks, the cybercriminal organization has started distributing malware using Office documents, RAR attachments, ISO attachments, and malicious URLs. The action is in response to Microsoft's decision to make Office products' default settings for macros disabled.

According to Proofpoint, 27 of the 51 campaigns that hackers ran in 2022 made use of URLs linking to ZIP and ISO archives, compared to just five efforts from 2018 through 2021.

Since 2018, at least 15 different malware families have been employed by TA558, sometimes using the same C2 infrastructure, according to Proofpoint. To host the malware payloads, the gang uses websites that have been infiltrated by hotels.

In an effort to prevent detection and obscure the source of the attacks, the threat actor frequently changes languages within the same week.

A number of noticeable patterns are also being used by TA558 in the campaign data, including the use of specific strings, naming conventions, keywords, domains, etc. 











Read more »
TTPs
Cyber Security Emotet HTML ICedID ISO files Proofpoint Qakbot TTPs

Microsoft: Hackers Exploring New Attack Techniques

Malicious actors are adapting their strategies, techniques, and procedures in response to Microsoft's move to automatically block Excel 4.0 (XLM or XL4) and Visual Basic for Applications (VBA) macros across Office programs (TTPs).

Malicious Microsoft Office document attachments sent in phishing emails often contain VBA and XL4 Macros, two short programs designed to automate repetitive processes in Microsoft Office applications that threat actors use to load, drop, or install malware.

Sherrod DeGrippo, vice president of threat research and detection at Proofpoint, stated "the threat landscape has changed significantly as a result of threat actors shifting away from directly disseminating macro-based email attachments."

The change was made as a result of Microsoft's announcement that it will stop the widespread exploitation of the Office subsystem by making it more challenging to activate macros and automatically banning them by default.

New tactics 

Use of ISO, RAR, and Windows Shortcut (LNK) attachments to get around the block has multiplied by 66%, according to security firm Proofpoint, which calls this activity 'one of the largest email threat landscape shifts in recent history.' Actors spreading the Emotet malware are also involved in this activity.

The use of container files like ISOs, ZIPs, and RARs has also increased rapidly, increasing by about 175 percent. These are rapidly being used as initial access mechanisms by threat actors, between October 2021 and June 2022, the use of ISO files surged by over 150 percent.

Since October 2021, the number of campaigns including LNK files has climbed by 1,675%. Proofpoint has been tracking a variety of cybercriminal and advanced persistent threat (APT) actors who frequently use LNK files.

Emotet, IcedID, Qakbot, and Bumblebee are some of the famous malware families disseminated using these new techniques.

According to Proofpoint, the usage of HTML attachments employing the HTML smuggling approach to put a botnet on the host system has also increased significantly. Their distribution volumes, however, are still quite limited.

Finally, with a restricted range of potential threats to assess, email security systems are now more likely to detect hazardous files.

Read more »
Proofpoint
APT attacks China Cyber Attacks Iranian hackers Lazarus Group Malicious Emails Proofpoint

Proofpoint Analysis : APT Groups Target Journalists


APT organizations that are allegedly affiliated with China, North Korea, Iran, and Turkey are described in detail by researchers in a Proofpoint report released on Thursday. Attacks started in early 2021 and are still happening, according to researchers.

Targeted phishing attacks are linked to several threat actors who have independently focused on acquiring journalist credentials and sensitive data as well as tracking their locations. 

Targeting journalist

Proofpoint monitored the activities of the APT group TA412 also known as Zirconium, which attacked journalists based in the US. The nation-state hackers implanted a hyperlinked invisible item within an email body by using phishing emails that contained web beacons such as tracking pixels, tracking beacons, and web bugs.

Journalists based in the US who were being targeted were investigating matters of domestic politics and national security and writing about subjects that favored Beijing.
  • By February 2022, Zirconium had resumed its operations against journalists using the same tactics, with a particular emphasis on those who were reporting the Russia-Ukraine conflict.
  • Proofpoint discovered another Chinese APT organization known as TA459 in April 2022 that was targeting journalists with RTF files that, when viewed, released a copy of the Chinoxy malware. These hackers specifically targeted journalists covering Afghan foreign affairs.
  • Early in 2022, the TA404 group, also known as Lazarus, targeted a media company with a base in the United States. As lures, the attackers utilized phishing messages with job offers.
  • Finally, Turkish threat actors identified as TA482 planned campaigns to harvest credentials from journalists' social media accounts.
Not all hackers, however, are motivated to work hard to breach journalist data. This strategy has mostly been used by Iranian actors, like TA453 or Charming Kitten, who had sent emails to academics and Middle East policy experts while pretending to be reporters.

Finally, Proofpoint draws attention to the activities of Iranian hackers TA457, who initiated media-targeting efforts every 2 to 3 weeks between September 2021 and March 2022.

It's also essential to understand the wide attack surface—all the various web channels used for information and news sharing—that an APT attacker can exploit. Finally, exercising caution and confirming an email's identity or source can stop an APT campaign in its early stages.
Read more »
Windows
Cyber Security cybercriminals DLL Emotet Trojan Excel File Mallicious URLs Proofpoint TTPs Windows

Emotet is Evolving with Different Delivery Methods

 

Emotet is a well-known botnet and trojan which distributes follow-on malware via Windows platforms.  After a 10-month pause amid a coordinated law enforcement operation to take down its assault infrastructure, Emotet, the work of a cybercrime organization known as TA542 (formerly known as Mummy Spider or Gold Crestwood), marked its comeback late last year. 

Since then, Emotet campaigns have sent tens of thousands of messages to thousands of clients across many geographic regions, with message volumes exceeding one million in some situations. The threat actor behind the popular Emotet botnet is experimenting with new attack methods on a small scale before incorporating them into larger-scale spam campaigns, possibly in response to Microsoft's decision to deactivate Visual Basic for Applications (VBA) macros by default across all of its products.

According to analysts, the malicious actors behind Emotet, TA542, are experimenting with new approaches on a micro level before deploying them on a larger scale. The current wave of attacks is claimed to have occurred between April 4 and April 19, 2022, when prior large-scale Emotet campaigns were halted. 

Researchers from Proofpoint discovered numerous distinguishing characteristics in the campaign, including the usage of OneDrive URLs rather than Emotet's traditional dependence on Microsoft Office attachments or URLs connecting to Office files. Instead of Emotet's previous use of Microsoft Excel or Word documents with VBA or XL4 macros, the campaign employed XLL files, which are a sort of dynamic link library (DLL) file designed to expand the capability of Excel.

Alternatively, these additional TTPs could mean the TA542 is now conducting more targeted and limited-scale attacks in addition to the traditional mass-scale email operations. The lack of macro-enabled Microsoft Excel or Word document attachments is a notable departure from prior Emotet attacks, implying the threat actor is abandoning the tactic to avoid Microsoft's intentions to disable VBA macros by default beginning April 2022. 

The development came after the virus writers addressed an issue last week which prevented potential victims from being compromised when they opened weaponized email attachments.
Read more »
Security Researchers
Cyber Security Cybercrime Actors Proofpoint Research Security Researchers

Growing Cyber-Underground Market for Initial-Access Brokers

 

Ransomware groups are increasingly purchasing access to corporate networks from "vendors" who have previously placed backdoors on targets. 

Email is a well-known entry point for fraudsters attempting to breach a corporate network. According to researchers instead of doing the heavy lifting themselves, ransomware groups are teaming with other criminal groups who have already opened the path for access using first-stage software. 

As per the report released Wednesday by Proofpoint, researchers discovered a "lucrative criminal ecosystem" that works together to launch effective ransomware attacks, such as the ones that have lately made headlines (Colonial Pipeline) and caused substantial damage around the world. 

According to the analysis, recognized ransomware gangs such as Ryuk, Egregor, and REvil first link up with threat actors who specialize in initial infection utilizing various forms of malware, such as TrickBot, BazaLoader, and IcedID, before unleashing the ultimate ransomware payload on the network. 

“Cybercriminal threat groups already distributing banking malware or other trojans may also become part of a ransomware affiliate network.” states report. 

Proofpoint has identified at least ten threat actors who utilize malicious email campaigns to spread first-stage loaders, which are then exploited by ransomware groups to deliver the final payload. Researchers discovered that the relationship between such threat actors and ransomware groups is not one-to-one, as multiple threat actors employ the same ransomware payloads. 

“Ransomware is rarely distributed directly via email. Just one ransomware strain accounts for 95 percent of ransomware as a first-stage email payload between 2020 and 2021,” according to the report. 

Proofpoint has also seen ransomware spread via the SocGholish malware, which infects users with fake updates and website redirects, as well as the Keitaro traffic distribution system (TDS) and follow-on exploit kits that operators employ to avoid detection, according to researchers. 

About Attackers and Malware of Choice: 

Proofpoint identifies 10 threat actors that researchers have been watching as initial access enablers to their malware and techniques of choice for getting network access, which they subsequently sell to various ransomware groups for more sinister objectives, according to the study. 

Researchers discovered that TA800, a prominent cybercrime actor that Proofpoint has been tracking since mid-2019, provides banking malware or malware loaders to the Ryuk ransomware gang, including TrickBot, BazaLoader, Buer Loader, and Ostap. 

Since mid-2020, Proofpoint has been tracking TA577, a cybercrime threat actor that "conducts broad targeting across numerous businesses and regions" to distribute payloads such as Qbot, IcedID, SystemBC, SmokeLoader, Ursnif, and Cobalt Strike via emails with malicious Microsoft Office files. 

According to the research, the Sodinokibi or REvil ransomware organization is linked to TA577, which has had a 225 percent increase in activity in the last six months. 

Many other cybercrime groups were tracked like TA569, TA551, TA570, TA547, TA544, TA571, and TA575, which is a Dridex affiliate that has been tracked by Proofpoint since late 2020 and distributes malware via malicious URLs, Office attachments, and password-protected files, with each campaign transmitting an average of 4,000 emails to hundreds of businesses.
Read more »
TrickBot
fake websites Hackers malware Proofpoint Ryuk Ransomware TrickBot

BazaLoader Malware is Being Distributed by Hackers Using a Bogus Streaming Website

 

Proofpoint identified the phishing attempt in early May, which entailed hackers creating a phoney movie-streaming website named BravoMovies and stocking it with phoney movie posters and other materials to make it appear real to unwary visitors. It has nothing to offer for download other than BazaLoader malware, despite its pretty pictures and fun-sounding titles. BazaLoader is a malware loader that is used to spread ransomware and other types of malware, as well as steal sensitive data from infected computers. 

"BazaLoader is a downloader written in C++ that is used to download and execute additional modules. Proofpoint first observed BazaLoader in April 2020. It is currently used by multiple threat actors and frequently serves as a loader for disruptive malware including Ryuk and Conti ransomware. Proofpoint assesses with high confidence there is a strong overlap between the distribution and post-exploitation activity of BazaLoader and threat actors behind The Trick malware, also known as Trickbot," the security firm said. 

The BravoMovies campaign employs a complex infection chain similar to that employed by BazaLoader affiliates, who entice their victims to jump through a series of hurdles in order to activate malware payloads. It starts with an email informing recipients that their credit cards would be debited until they cancel their subscription to the service, which they never agreed to. 

The email includes a phone number for a call center with live people on the other end of the line, ready to send consumers to a website where they may purportedly cancel the phoney movie-streaming subscription. Those who fall for the trick, on the other hand, are directed to download a boobytrapped Excel spreadsheet that will trigger macros that will download BazaLoader. 

The call-center staff advises their customers to the BravoMovies website, where they should go to the Frequently Asked Questions page and unsubscribe using the "Subscription" page. They'll then be directed to download an Excel spreadsheet. If BazaLoader is enabled, the macros on the Excel sheet will download it. The second-stage payload in this campaign has yet to be discovered, according to Proofpoint experts. 

Proofpoint researchers first noticed the use of BazaLoader in February 2021, when a pre-Day Valentine's malware assault supplied lures to bogus flower and lingerie stores. It's also been spotted in a campaign for subscription pharmaceutical services.
Read more »
Proofpoint
CopperStealer Facebook Hijacked malware Proofpoint

CopperStealer Malware Steals Social Media Credentials

 

Researchers discovered a certain malware that was so far unidentified which silently hijacked Facebook, Apple, Amazon, Google, and other web giants' online accounts and then used them for nefarious activities. 

Cybercriminals have launched a new campaign to rob Facebook login credentials from Chrome, Edge, Yandex, Opera, and Firefox using malware 'CopperStealer.' 

The threat actors have used unauthorized access to Facebook and Instagram business accounts to run nefarious commercials and provide further malware in subsequent malware advertising campaigns as per the blog post published by the researchers at cyber safety company Proofpoint. In late January, researchers were first notified of the malware sample. The first samples found dated back from July 2019. 

Furthermore, CopperStealer versions targeting other major service providers such as Apple, Amazon, Bing, Google, PayPal, Tumblr, and Twitter have been discovered in the proven analytic evaluation. The malware aims to steal login credentials for some of the most famous internet services from large technological platforms and service providers. 

Researchers suspect that CopperStealer is a family that has originally been undocumented in the same malware class as SilentFade and StressPaint. Facebook attributed the invention of SilentFade to ILikeAD Media International Ltd, a Hong Kong-based company, and reported over $4 million in damages during the 2020 virus bulletin conference. 

Researchers found dubious websites, which include keygenninja[.]com, piratewares[.]com, startcrack[.]com and crackheap[.]net, that was advertised as 'KeyGen' or 'Crack' sites, which included samples from several families of malware, including CopperStealer. 

“These sites advertise themselves to offer “cracks”, “keygen” and “serials” to circumvent licensing restrictions of legitimate software. However, we observed these sites ultimately provide Potentially Unwanted Programs/Applications (PUP/PUA) or run other malicious executables capable of installing and downloading additional payloads,” said Proofpoint researchers. 

Malware also helps to find and send the saved passwords on one’s browser and uses stored cookies in order to extract a Facebook User Access Token. Once the User Access token has been collected, the malware will request multiple Facebook and Instagram API endpoints to gain additional contexts including the list of friends, any user's pay-out, and research listing the user's pages. "CopperStealer is going after big service provider logins like social media and search engine accounts to spread additional malware or other attacks," says Sherrod DeGrippo, senior director of threat research at Proofpoint. "These are commodities that can be sold or leveraged. Users should turn on two-factor authentication for their service providers."
Read more »
Subscribe to: Posts (Atom)