What's new arround internet
| Src | Date (GMT) | Titre | Description | Tags | Stories | Notes |
 |
2024-04-24 10:25:39 | ProofPoint célèbre les résultats du premier trimestre au milieu de forte demande du marché pour la sécurité centrée sur l'homme Proofpoint Celebrates Q1 Results Amidst Strong Market Demand for Human-Centric Security (lien direct) |
La protection de la couche humaine n'a jamais été aussi haut de gamme.Cela apparaît dans chaque conversation que j'ai eue avec nos clients au cours de mes six premiers mois en tant que PDG de ProofPoint.Et tandis que Gartner a identifié la sécurité centrée sur l'homme comme l'un des trois seuls impératifs stratégiques pour les CISO en 2024 et 20251, la protection contre le risque humain est notre mission principale depuis des années. Chez Proofpoint, nous continuons à mettre nos clients résolus dans notre vision comme le partenaire de cybersécurité de choix pour les organisations du monde entier et à résoudre certains des cyber-risques les plus complexes ciblant leur entreprise.Aujourd'hui, nous sommes fiers de servir plus de 500 000 clients dans le monde qui nous ont confié à protéger leur peuple et à défendre leurs données. En mission pour protéger les organisations les plus soucieuses de la sécurité du monde Nous avons fourni de solides résultats au premier trimestre de 2024, montrant une énorme dynamique commerciale, avec des clients nouveaux et existants adoptant notre pile complète de solutions de sécurité centrées sur l'homme, dans nos solutions stratégiques de protection contre les menaces et de protection de l'information.Les faits saillants notables incluent: Nous avons eu un premier trimestre avec des revenus et des revenus récurrents annuels (ARR) au milieu de l'adolescence. Nous avons ajouté de nouveaux clients, avec plus de 440 nouvelles organisations contestant Proof Point comme partenaire de cybersécurité de choix au premier trimestre 2024. Nous avons continué à voir une grande validation du marché de notre offre avec un taux de rétention net sain de 110 +%. Célébrer la reconnaissance et la validation du marché Nous sommes fiers d'avoir été reconnus pour notre leadership produit et l'excellence dans la vision des entreprises. Notre leadership dans l'espace DLP a également été appelé par les analystes, avec Proofpoint le seul fournisseur évalué à être reconnu avec une distinction de clients de choix, qui met en évidence les vendeurs qui rencontrent ou dépassent les moyennes de marché pour l'expérience globale et l'intérêt des utilisateurs et la reconnaissance de l'adoption dansle 2024 Gartner & Reg;Peer Insights ™ Voice of the Client pour la prévention de la perte de données. Le leadership de Proofpoint \\ dans la protection des menaces a également été approuvé en tant que leader global de KuppingerCole Leadership Compass for Security Report, réalisant une note "forte positive" dans toutes les catégories, notamment le chef de produit, le leader de l'innovation et le leader du marché. Enfin, Proofpoint a été reconnu dans les prix des meilleurs endroits trimestriels des meilleurs endroits pour travailler dans plusieurs catégories importantes, y compris les meilleures perspectives de l'entreprise, la meilleure culture mondiale, les meilleures équipes d'ingénierie, les meilleures équipes de vente et les meilleures équipes RH, avec des évaluations des employés mettant en évidence Proofpoint Pointpoint\'s Positive Company Outlook et exemplaires Départements fonctionnels. Accueillir les nouveaux membres de l'équipe Nous embauchons les talents les plus innovants au monde pour aider à défendre nos clients et la propriété intellectuelle des clients des acteurs de la menace.Nous avons accueilli des centaines de nouveaux employés au premier trimestre, y compris les membres talentueux de l'équipe de Tessian après la clôture de l'acquisition, et avons poursuivi notre expansion mondiale avec un nouveau centre d'excellence à Cork, en Irlande. Le Q1 nous a également vus accueillir de nouveaux cadres auprès de notre équipe de direction-kim-kim Sullivan nous a rejoints en tant que directeur des personnes en chef, Rohit Dixit a été nommé vice-président exécutif et directeur de la clientèle et Satya Jena a rejoint Proofpoint en tant que vice-président directeur, plateforme numérique. L'innovation de sécurité cen | Threat | ★★★ | |
|
2024-04-18 06:00:36 | FAQ à partir de l'état du rapport Phish 2024, partie 2: comportements et attitudes des utilisateurs envers la sécurité FAQs from the 2024 State of the Phish Report, Part 2: User Behaviors and Attitudes Toward Security (lien direct) |
Welcome to the second installment of our two-part blog series where we answer the most frequently asked questions about the 2024 State of the Phish Report. In our previous article, we answered questions related to the threat landscape findings. Here, we answer questions related to user behaviors and attitudes, as well as how to grow your security awareness program. One of the most interesting findings that came out of the 2024 State of the Phish report was the fact that 71% of users admitted to engaging in a risky action and 96% of those users understood the risk. This suggests that people are not acting out of ignorance. Despite knowing that their actions could compromise themselves or their organization, people chose to proceed anyway. This information is crucial for the growth of any security awareness program. It enables organizations to tailor their efforts. By observing and analyzing how users interact with security policies, organizations can identify knowledge gaps and areas of resistance. When you engage users in this manner, you not only educate them but also transform them into active participants in protecting your organization. 96% of users who took a risky action knew that it was risky. (Source: 2024 State of the Phish from Proofpoint.) Our findings inspired hundreds of questions from audiences across the world. What follows are some of the questions that repeatedly came up. Frequently asked questions What are some ways to get users to care about security and get engaged? Two-way communication is key. Take a moment to explain to your employees why you\'re running a behavior change program, what the expectations are and what projected outcomes you foresee. Make it personal. Let people know that cybersecurity isn\'t just a work skill but a portable skill they can take home to help themselves and their families be safer in life. Keep your employees up to speed on what\'s happening in the current threat landscape. For example: What types of threats does your business see? Which departments are under attack? How does the security team handle these incidents? What can people do to defend against emerging threats that target them? Research for the 2024 State of the Phish report found that 87% of end users are more motivated to prioritize security when they see increased engagement from leadership or the security team. In short: You need to open up the lines of communication, listen to your employees and incorporate their feedback, and establish a security champion network to help facilitate communication more effectively. Any ideas on why the click rate for phishing simulations went up for many industries this year? There may be a few possible reasons. For starters, there has been an increase in the number of phishing tests sent. Our customers sent out a total of 183 million simulated phishing tests over a 12-month period, up from 135 million in the previous 12-month period. This 36% increase suggests that our customers may have either tested their users more frequently or tested more users in general. Also, some users might be new to these tests, resulting in a higher click rate. Regardless, if you are conducting a phishing campaign throughout the year, the click rates of phishing tests are expected to go up and down because you want to challenge your employees with new attack tactics they have not seen. Otherwise, the perception would be, “Oh, this is the face of a phish,” if you keep phishing your users with the same test. At Proofpoint, we use machine learning-driven leveled phishing to provide a more reliable way to accurately assess user vulnerability. This unique feature allows security teams to examine the predictability of a phishing template and obtain more consistent outcomes while improving users\' resilience against human-activated threats. People need to understand how attackers exploit human vulnerability. Phishing tests should reflect reality and be informed by real-world threats. They are designed to help people spot and re | Tool Vulnerability Threat | ★★ | |
|
2024-04-17 18:00:31 | Réduire le désabonnement d'incitation avec une composition de modèle explosive Reducing Prompting Churn with Exploding Template Composition (lien direct) |
Engineering Insights is an ongoing blog series that gives a behind-the-scenes look into the technical challenges, lessons and advances that help our customers protect people and defend data every day. Each post is a firsthand account by one of our engineers about the process that led up to a Proofpoint innovation. In the nascent world of large language models (LLMs), prompt engineering has emerged as a critical discipline. However, as LLM applications expand, it is becoming a more complex challenge to manage and maintain a library of related prompts. At Proofpoint, we developed Exploding Prompts to manage the complexity through exploding template composition. We first created the prompts to generate soft labels for our data across a multitude of models and labeling concerns. But Exploding Prompts has also enabled use cases for LLMs that were previously locked away because managing the prompt lifecycle is so complex. Recently, we\'ve seen exciting progress in the field of automated prompt generation and black-box prompt optimization through DSPy. Black-box optimization requires hand-labeled data to generate prompts automatically-a luxury that\'s not always an option. You can use Exploding Prompts to generate labels for unlabeled data, as well as for any prompt-tuning application without a clear (or tractable) objective for optimization. In the future, Exploding Prompts could be used with DSPy to achieve a human-in-the-loop feedback cycle. We are also thrilled to announce that Exploding Prompts is now an open-source release. We encourage you to explore the code and consider how you might help make it even better. The challenge: managing complexity in prompt engineering Prompt engineering is not just about crafting queries that guide intelligent systems to generate the desired outputs; it\'s about doing it at scale. As developers push the boundaries of what is possible with LLMs, the need to manage a vast array of prompts efficiently becomes more pressing. Traditional methods often need manual adjustments and updates across numerous templates, which is a process that\'s both time-consuming and error-prone. To understand this problem, just consider the following scenario. You need to label a large quantity of data. You have multiple labels that can apply to each piece of data. And each label requires its own prompt template. You timebox your work and find a prompt template that achieves desirable results for your first label. Happily, most of the template is reusable. So, for the next label, you copy-paste the template and change the portion of the prompt that is specific to the label itself. You continue doing this until you figure out the section of the template that has persisted through each version of your labels can be improved. Now you now face the task of iterating through potentially dozens of templates to make a minor update to each of the files. Once you finish, your artificial intelligence (AI) provider releases a new model that outperforms your current model. But there\'s a catch. The new model requires another small update to each of your templates. To your chagrin, the task of managing the lifecycle of your templates soon takes up most of your time. The solution: exploding prompts from automated dependency graphs Prompt templating is a popular way to manage complexity. Exploding Prompts builds on prompt templating by introducing an “explode” operation. This allows a few single-purpose templates to explode into a multitude of prompts. This is accomplished by building dependency graphs automatically from the directory structure and the content of prompt template files. At its core, Exploding Prompts embodies the “write it once” philosophy. It ensures that every change made in a template correlates with a single update in one file. This enhances efficiency and consistency, as updates automatically propagate across all relevant generated prompts. This separation ensures that updates can be made with speed and efficiency so you can focus on innovation rather th | Malware Tool Threat Studies Cloud Technical | ★★★ | |
|
2024-04-16 06:00:54 | De l'ingénierie sociale aux abus DMARC: Ta427 \\'s Art of Information Gathering From Social Engineering to DMARC Abuse: TA427\\'s Art of Information Gathering (lien direct) |
Key takeaways TA427 regularly engages in benign conversation starter campaigns to establish contact with targets for long-term exchanges of information on topics of strategic importance to the North Korean regime. In addition to using specially crafted lure content, TA427 heavily leverages think tank and non-governmental organization-related personas to legitimize its emails and increase the chances that targets will engage with the threat actor. To craftily pose as its chosen personas, TA427 uses a few tactics including DMARC abuse in concert with free email addresses, typosquatting, and private email account spoofing. TA427 has also incorporated web beacons for initial reconnaissance of its targets, establishing basic information like that the email account is active. Overview Proofpoint researchers track numerous state-sponsored and state-aligned threat actors. TA427 (also known as Emerald Sleet, APT43, THALLIUM or Kimsuky), a Democratic People\'s Republic of Korea (DPRK or North Korea) aligned group working in support of the Reconnaissance General Bureau, is particularly prolific in email phishing campaigns targeting experts for insight into US and the Republic of Korea (ROK or South Korea) foreign policy. Since 2023, TA427 has directly solicited foreign policy experts for their opinions on nuclear disarmament, US-ROK policies, and sanction topics via benign conversation starting emails. In recent months, Proofpoint researchers have observed (Figure 1) a steady, and at times increasing, stream of this activity. While our researchers have consistently observed TA427 rely on social engineering tactics and regularly rotating its email infrastructure, in December 2023 the threat actor began to abuse lax Domain-based Message Authentication, Reporting and Conformance (DMARC) policies to spoof various personas and, in February 2024, began incorporating web beacons for target profiling. It is this initial engagement, and the tactics successfully leveraged by TA427, which this blog is focused on. Figure 1. Volume of TA427 phishing campaigns observed between January 2023 and March 2024. Social engineering TA427 is a savvy social engineering expert whose campaigns are likely in support of North Korea\'s strategic intelligence collection efforts on US and ROK foreign policy initiatives. Based on the targets identified and the information sought, it is believed that TA427\'s goal is to augment North Korean intelligence and inform its foreign policy negotiation tactics (example Figure 2). TA427 is known to engage its targets for extended periods of time through a series of benign conversations to build a rapport with targets that can occur over weeks to months. They do so by constantly rotating which aliases are used to engage with the targets on similar subject matter. Figure 2. Example of TA427 campaign focused on US policy during an election year. Using timely, relevant lure content (as seen in Figure 3) customized for each victim, and often spoofing individuals in the DPRK research space with whom the victim is familiar to encourage engagement, targets are often requested to share their thoughts on these topics via email or a formal research paper or article. Malware or credential harvesting are never directly sent to the targets without an exchange of multiple messages, and based on Proofpoint visibility, rarely utilized by the threat actor. It is possible that TA427 can fulfill its intelligence requirements by directly asking targets for their opinions or analysis rather than from an infection. Additionally, insight gained from the correspondence is likely used to improve targeting of the victim organization and establish rapport for later questions and engagement. Figure 3. Timeline of real-world events based on international press reporting, side-by-side with Proofpoint observed subject lures. Lure content often includes invitations to attend events about North Korean policies regarding international affairs, questions regarding topics such as how deterr | Malware Tool Threat Conference | APT 37 APT 43 | ★★ |
|
2024-04-15 06:00:31 | Comment la protection d'identification de la preuve peut vous aider à répondre aux exigences de conformité CMMC How Proofpoint Impersonation Protection Can Help You Meet CMMC Compliance Requirements (lien direct) |
The Cybersecurity Maturity Model Certification (CMMC) program enforces the protection of sensitive unclassified information that the U.S. Department of Defense (DoD) shares with its contractors and subcontractors. Threat actors know how to hijack your trusted organization communications. They can impersonate you, your brand or your organization partners. And they can make a nice profit doing it. The FBI\'s 2023 Internet Crime Report notes that last year\'s adjusted losses from organization email compromise (BEC) cases exceeded $2.9 billion-up 7.4% from 2022. Bad actors use spoofed domains, lookalike domains, compromised supplier accounts and other tactics in their attacks. So it\'s important to keep communications with trusted partners, customers and suppliers safe. This should be a top focus for government agencies and the organizations that they work with since they are key targets for bad actors. Proofpoint helps you mitigate the risk of impersonation abuse with a holistic, multilayered approach. With Proofpoint Impersonation Protection, you can: Protect your organization\'s communications from impersonation threats Stop attackers from impersonating your brand Detect and defend against risky suppliers, including compromised supplier accounts Secure user and application emails so that they can be trusted We help our federal and defense industrial base customers with Level 3 CMMC controls around the Risk Assessment (RA) and Identification and Authentication (IA) Practices. Here\'s how. CMMC overviews for Level 3 controls In this section, we match CMMC compliance requirements with the capabilities of Proofpoint Impersonation Protection. CMMC Level 3 – Risk Assessment Practice RA.L3-3.11.1e – Threat-Informed Risk Assessment CMMC compliance requirement Employ threat intelligence, at a minimum from open or commercial sources, and any DoD-provided sources, as part of a risk assessment to guide and inform the development of organizational systems, security architectures, selection of security solutions, monitoring, threat hunting and response and recovery activities. RA.L3-3.11.3e – Advanced Risk Identification CMMC compliance requirement Employ advanced automation and analytics capabilities in support of analysts to predict and identify risks to organizations, systems and system components. RA.L3-3.11.6e – Supply Chain Risk Response CMMC compliance requirement Assess, respond to and monitor supply chain risks associated with organizational systems and system components. RA.L3-3.11.7e – Supply Chain Risk Plan CMMC compliance requirement Develop a plan for managing supply chain risks associated with organizational systems and system components; update the plan at least annually, and upon receipt of relevant cyber threat information, or in response to a relevant cyber incident. How Proofpoint Impersonation Protection meets the Risk Assessment (RA) Practice needs above Proofpoint Nexus Supplier Risk Explorer gives you insights into supplier risk. This includes threats where attackers are impersonating your agency as well as compromised suppliers and third parties. Supplier Risk can also be used as part of a vendor risk management process when sourcing and choosing new vendors/suppliers. Proofpoint provides visibility into supply chain threats, lookalike detection, and impersonations of your brand with Supplier Risk and Domain Discover. This helps to create the supply chain risk plans that are needed to comply with CMMC. Supplier Risk Explorer identifies supplier domains and shows you which suppliers pose a risk to your organization. As noted above, Supplier Risk Explorer assesses the risk level of supplier domains by evaluating several dimensions, including: Threats sent to your organization Threats sent to other Proofpoint customers The lookalikes of supplier domains Whether a domain was recently registered Whether a domain has a DMARC reject policy By ranking an | Threat Industrial Prediction Commercial | ★★ | |
|
2024-04-12 06:00:03 | Arrêt de cybersécurité du mois: vaincre les attaques de création d'applications malveillantes Cybersecurity Stop of the Month: Defeating Malicious Application Creation Attacks (lien direct) |
This blog post is part of a monthly series, Cybersecurity Stop of the Month, which explores the ever-evolving tactics of today\'s cybercriminals. It focuses on the critical first three steps in the attack chain in the context of email threats. The goal of this series is to help you understand how to fortify your defenses to protect people and defend data against emerging threats in today\'s dynamic threat landscape. The critical first three steps of the attack chain-reconnaissance, initial compromise and persistence. So far in this series, we have examined these types of attacks: Supplier compromise EvilProxy SocGholish eSignature phishing QR code phishing Telephone-oriented attack delivery (TOAD) Payroll diversion MFA manipulation Supply chain compromise Multilayered malicious QR code attack In this post, we examine an emerging threat-the use of malicious cloud applications created within compromised cloud tenants following account takeover. We refer to it as MACT, for short. Background Cloud account takeover (ATO) attacks are a well-known risk. Research by Proofpoint found that last year more than 96% of businesses were actively targeted by these attacks and about 60% had at least one incident. Financial damages reached an all-time high. These findings are unsettling. But there is more for businesses to worry about. Cybercriminals and state-sponsored entities are rapidly adopting advanced post-ATO techniques. And they have embraced the use of malicious and abused OAuth apps. In January 2024, Microsoft revealed that a nation-state attacker had compromised its cloud environments and stolen valuable data. This attack was attributed to TA421 (aka Midnight Blizzard and APT29), which are threat groups that have been attributed to Russia\'s Foreign Intelligence Service (SVR). Attackers exploited existing OAuth apps and created new ones within hijacked cloud tenants. After the incident, CISA issued a new advisory for businesses that rely on cloud infrastructures. Proofpoint threat researchers observed attackers pivoting to the use of OAuth apps from compromised-and often verified-cloud tenants. Threat actors take advantage of the trust that\'s associated with verified or recognized identities to spread cloud malware threats as well as establish persistent access to sensitive resources. The scenario Proofpoint monitors a malicious campaign named MACT Campaign 1445. It combines a known tactic used by cloud ATO attackers with new tactics, techniques and procedures. So far, it has affected dozens of businesses and users. In this campaign, attackers use hijacked user accounts to create malicious internal apps. In tandem, they also conduct reconnaissance, exfiltrate data and launch additional attacks. Attackers use a unique anomalous URL for the malicious OAuth apps\' reply URL-a local loopback with port 7823. This port is used for TCP traffic. It is also associated with a known Windows Remote Access Trojan (RAT). Recently, Proofpoint researchers found four accounts at a large company in the hospitality industry compromised by attackers. In a matter of days, attackers used these accounts to create four distinct malicious OAuth apps. The threat: How did the attack happen? Here is a closer look at how the attack unfolded. Initial access vectors. Attackers used a reverse proxy toolkit to target cloud user accounts. They sent individualized phishing lures to these users, which enabled them to steal their credentials as well as multifactor authentication (MFA) tokens. A shared PDF file with an embedded phishing URL that attackers used to steal users\' credentials. Unauthorized access (cloud account takeover). Once attackers had stolen users\' credentials, they established unauthorized access to the four targeted accounts. They logged in to several native Microsoft 365 sign-in apps, including “Azure Portal” and “Office Home.” Cloud malware (post-access OAuth app creat | Spam Malware Tool Threat Cloud | APT 29 | ★★★ |
|
2024-04-11 13:27:54 | Revisiter MACT: Applications malveillantes dans des locataires cloud crédibles Revisiting MACT: Malicious Applications in Credible Cloud Tenants (lien direct) |
For years, the Proofpoint Cloud Research team has been particularly focused on the constantly changing landscape of cloud malware threats. While precise future predictions remain elusive, a retrospective examination of 2023 enabled us to discern significant shifts and trends in threat actors\' behaviors, thereby informing our projections for the developments expected in 2024. There is no doubt that one of the major, and most concerning, trends observed in 2023 was the increased adoption of malicious and abused OAuth applications by cybercriminals and state-sponsored actors. In January, Microsoft announced they, among other organizations, were targeted by a sophisticated nation-state attack. It seems that the significant impact of this attack, which was attributed to TA421 (AKA Midnight Blizzard and APT29), largely stemmed from the strategic exploitation of pre-existing OAuth applications, coupled with the creation of new malicious applications within compromised environments. Adding to a long list of data breaches, this incident emphasizes the inherent potential risk that users and organizations face when using inadequately protected cloud environments. Expanding on early insights shared in our 2021 blog, where we first explored the emerging phenomenon of application creation attacks and armed with extensive recent discoveries, we delve into the latest developments concerning this threat in our 2024 update. In this blog, we will: Define key fundamental terms pertinent to the realm of cloud malware and OAuth threats. Examine some of the current tactics, techniques, and procedures (TTPs) employed by threat actors as part of their account-takeover (ATO) kill chain. Provide specific IOCs related to recently detected threats and campaigns. Highlight effective strategies and solutions to help protect organizations and users against cloud malware threats. Basic terminology OAuth (Open Authorization) 2.0. OAuth is an open standard protocol that enables third-party applications to access a user\'s data without exposing credentials. It is widely used to facilitate secure authentication and authorization processes. Line-of-business (LOB) applications. LOB apps (also known as second-party apps) typically refer to applications created by a user within their cloud environment in order to support a specific purpose for the organization. Cloud malware. A term usually referring to malicious applications created, utilized and proliferated by threat actors. Malicious apps can be leveraged for various purposes, such as: mailbox access, file access, data exfiltration, internal reconnaissance, and maintaining persistent access to specific resources. MACT (Malicious Applications Created in Compromised Credible Tenants). A common technique wherein threat actors create new applications within hijacked environments, exploiting unauthorized access to compromised accounts to initiate additional attacks and establish a persistent foothold within impacted cloud tenants. Apphish. A term denoting the fusion of cloud apps-based malware with phishing tactics, mainly by utilizing OAuth 2.0 infrastructure to implement open redirection attacks. Targeted users could be taken to a designated phishing webpage upon clicking an app\'s consent link. Alternatively, redirection to a malicious webpage could follow authorizing or declining an application\'s consent request. Abused OAuth applications. Benign apps that are authorized or used by attackers, usually following a successful account takeover, to perform illegitimate activities. What we are seeing Already in 2020, we witnessed a rise in malicious OAuth applications targeting cloud users, with bad actors utilizing increasingly sophisticated methods such as application impersonation and diverse lures. In October 2022, Proofpoint researchers demonstrated how different threat actors capitalized on the global relevance of the COVID-19 pandemic to spread malware and phishing threats. Proofpoint has also seen this trend include the propagation of malicious OAuth applications seamlessly integ | Malware Threat Prediction Cloud | APT 29 | ★★★ |
|
2024-04-11 06:23:43 | FAQS de l'état de l'État 2024 du rapport Phish, partie 1: Le paysage des menaces FAQs from the 2024 State of the Phish Report, Part 1: The Threat Landscape (lien direct) |
In this two-part blog series, we will address many of the frequently asked questions submitted by attendees. In our first installment, we address questions related to the threat landscape. Understanding the threat landscape is paramount in crafting a human-centric security strategy. That\'s the goal behind our 10th annual State of the Phish report. When you know what threats are out there and how people are interacting with them, you can create a modern cybersecurity strategy that puts the complexity of human behavior and interaction at the forefront. Our report was launched a month ago. Since then, we\'ve followed up with a few webinars to discuss key findings from the report, including: Threat landscape findings: Over 1 million phishing threats involved EvilProxy, which bypasses multifactor authentication (MFA). Yet, 89% of security pros still believe that MFA provides complete protection against account takeover. BEC threat actors benefit from generative AI. Proofpoint detected and stopped over 66 million targeted business email compromise (BEC) attacks per month on average in 2023. User behavior and attitude findings: 71% of surveyed users took at least one risky action, and 96% of them knew that those actions were associated with risk. 58% of those risky actions were related to social engineering tactics. 85% of security pros believed that most employees know they are responsible for security. Yet nearly 60% of employees either weren\'t sure or disagreed. These findings inspired hundreds of questions from audiences across the world. What follows are some of the questions that repeatedly came up. Frequently asked questions What are the definitions of BEC and TOAD? Business email compromise (BEC) essentially means fraud perpetrated through email. It can take many forms, such as advance fee fraud, payroll redirection, fraudulent invoicing or even extortion. BEC typically involves a deception, such as the spoofing of a trusted third party\'s domain or the impersonation of an executive (or literally anyone the recipient trusts). BEC is hard to detect because it is generally pure social engineering. In other words, there is often no credential harvesting portal or malicious payload involved. Threat actors most often use benign conversation to engage the victim. Once the victim is hooked, attackers then convince that person to act in favor of them, such as wiring money to a specified account. Similarly, telephone-oriented attack delivery (TOAD) attacks also use benign conversations. But, in this case, a threat actor\'s goal is to motivate the victim to make a phone call. From there, they will walk their target through a set of steps, which usually involve tricking the victim into giving up their credentials or installing a piece of malware on their computer. TOAD attacks have been associated with high-profile malware families known to lead to ransomware, as well as with a wide variety of remote access tools like AnyDesk that provide the threat actors direct access to victims\' machines. The end goal might still be fraud; for example, there have been cases where payment was solicited for “IT services” or software (Norton LifeLock). But the key differentiator for TOAD, compared with BEC, is the pivot out of the email space to a phone call., is the pivot out of the email space to the phone. What is the difference between TOAD and vishing? TOAD often starts with an email and requires victims to call the fraudulent number within that email. Vishing, on the other hand, generally refers to fraudulent solicitation of personally identifiable information (PII) and may or may not involve email (it could result from a direct call). Some TOAD attempts may fall into this category, but most perpetrators focus on getting software installed on a victim\'s machine. How do you see artificial intelligence (AI) affecting phishing? What are security best practices to help defend against these novel phishing attacks? AI allows threat actors to tighten up grammatical and s | Ransomware Malware Tool Threat Cloud Technical | ★★★ | |
|
2024-04-10 10:12:47 | Mémoire de sécurité: TA547 cible les organisations allemandes avec Rhadamanthys Stealer Security Brief: TA547 Targets German Organizations with Rhadamanthys Stealer (lien direct) |
Ce qui s'est passé Proofpoint a identifié TA547 ciblant les organisations allemandes avec une campagne de courriel livrant des logiciels malveillants de Rhadamanthys.C'est la première fois que les chercheurs observent TA547 utiliser des Rhadamanthys, un voleur d'informations utilisé par plusieurs acteurs de menaces cybercriminaux.De plus, l'acteur a semblé utiliser un script PowerShell que les chercheurs soupçonnent a été généré par un modèle grand langage (LLM) tel que Chatgpt, Gemini, Copilot, etc. Les e-mails envoyés par l'acteur de menace ont usurpé l'identité de la société de vente au détail allemande Metro prétendant se rapporter aux factures. De: Metro! Sujet: Rechnung No: 31518562 Attachement: in3 0gc- (94762) _6563.zip Exemple TA547 Courriel imitant l'identité de la société de vente au détail allemande Metro. Les e-mails ont ciblé des dizaines d'organisations dans diverses industries en Allemagne.Les messages contenaient un fichier zip protégé par mot de passe (mot de passe: mar26) contenant un fichier LNK.Lorsque le fichier LNK a été exécuté, il a déclenché PowerShell pour exécuter un script PowerShell distant.Ce script PowerShell a décodé le fichier exécutable Rhadamanthys codé de base64 stocké dans une variable et l'a chargé en tant qu'assemblage en mémoire, puis a exécuté le point d'entrée de l'assemblage.Il a par la suite chargé le contenu décodé sous forme d'un assemblage en mémoire et a exécuté son point d'entrée.Cela a essentiellement exécuté le code malveillant en mémoire sans l'écrire sur le disque. Notamment, lorsqu'il est désabuscée, le deuxième script PowerShell qui a été utilisé pour charger les rhadamanthys contenait des caractéristiques intéressantes non couramment observées dans le code utilisé par les acteurs de la menace (ou les programmeurs légitimes).Plus précisément, le script PowerShell comprenait un signe de livre suivi par des commentaires grammaticalement corrects et hyper spécifiques au-dessus de chaque composant du script.Il s'agit d'une sortie typique du contenu de codage généré par LLM et suggère que TA547 a utilisé un certain type d'outil compatible LLM pour écrire (ou réécrire) le PowerShell, ou copié le script à partir d'une autre source qui l'avait utilisé. Exemple de PowerShell soupçonné d'être écrit par un LLM et utilisé dans une chaîne d'attaque TA547. Bien qu'il soit difficile de confirmer si le contenu malveillant est créé via LLMS & # 8211;Des scripts de logiciels malveillants aux leurres d'ingénierie sociale & # 8211;Il existe des caractéristiques d'un tel contenu qui pointent vers des informations générées par la machine plutôt que générées par l'homme.Quoi qu'il en soit, qu'il soit généré par l'homme ou de la machine, la défense contre de telles menaces reste la même. Attribution TA547 est une menace cybercriminale à motivation financière considérée comme un courtier d'accès initial (IAB) qui cible diverses régions géographiques.Depuis 2023, TA547 fournit généralement un rat Netsupport mais a parfois livré d'autres charges utiles, notamment Stealc et Lumma Stealer (voleurs d'informations avec des fonctionnalités similaires à Rhadamanthys).Ils semblaient favoriser les pièces javascript zippées comme charges utiles de livraison initiales en 2023, mais l'acteur est passé aux LNK compressées début mars 2024. En plus des campagnes en Allemagne, d'autres ciblage géographique récent comprennent des organisations en Espagne, en Suisse, en Autriche et aux États-Unis. Pourquoi est-ce important Cette campagne représente un exemple de certains déplacements techniques de TA547, y compris l'utilisation de LNK comprimés et du voleur Rhadamanthys non observé auparavant.Il donne également un aperçu de la façon dont les acteurs de la menace tirent parti de contenu probable généré par LLM dans les campagnes de logiciels malveillants. Les LLM peuvent aider les acteurs de menace à comprendre les chaînes d'attaque plus sophistiquées utilisées | Malware Tool Threat | ChatGPT | ★★ |
|
2024-04-09 06:00:39 | 3 raisons pour lesquelles l'objectivité dans vos tests de phishing réduit le risque 3 Reasons Why Objectivity in Your Phishing Tests Reduces Risk (lien direct) |
Phishing attacks are a constant challenge for businesses everywhere. As threat actors increase the sophistication of their methods, security awareness teams can use phishing simulations to help train employees to recognize and respond safely to real-life phishing attempts. This approach can be especially effective when the difficulty level of a simulated phishing scenario fits each person. That\'s why security practitioners need to make impartial, data-driven decisions when they choose those difficulty levels. In this post, we discuss the importance of objectivity-both for security practitioners who send phishing tests and for security leaders who evaluate the outcomes. With a reliable way to score phishing simulations, you can: Efficiently test and find your employees\' knowledge gaps Reliably target and improve user behavior on an ongoing basis Report a trusted big picture of human risk reduction 1: Efficiently test and find your employees\' knowledge gaps The big question is, how do you find the right phishing difficulty level for each person? Security practitioners must have a reliable, consistent way to evaluate the phishing simulation templates. And they must avoid subjective guesswork. It is vital to be correct in your assessments of the difficulty levels of phishing templates. Otherwise, the templates may be too easy or too challenging for people. And that will make it hard for you to know what your employees will do in real-world attack scenarios. An objectively measured difficulty scale is a must. It sets the foundation for sending phishing tests that fit the right level of difficulty for each employee so that you can assess what they do and don\'t know. Once you can effectively evaluate their knowledge gaps about cybersecurity, you have reliable context that will help you decide what targeted training each person requires. With Proofpoint Security Awareness, we run a machine-learning algorithm that automatically calculates the difficulty level of our phishing templates. Difficulty cues are based on the NIST PhishScale. This is an industry-accepted rating by the National Institute of Standards and Technology (NIST), which was created through rigorous research and analysis. Our Machine-Learning Leveled Phishing uses this combined methodology to avoid the errors that come from manual calculation and subjective assumptions. For instance, if security practitioners manually rate the difficulty level of phishing templates, they might each evaluate the suspicious cues with degrees of variance. They might use personal judgment that has logical mistakes or inadvertently apply their own biases, or they might interpret the cues from a limited viewpoint. Also, since many people typically run an awareness program, each person\'s definition of easy versus difficult will be different. 2: Reliably target and improve user behavior on an ongoing basis How do you know whether a phishing simulation is effective? When you trust the objectivity of a difficulty scoring system, you can trust that a phishing template is accurately rated as low, medium or high difficulty. This gives context to why a phishing campaign has a low or high click rate, or a low or high reporting rate. A low click rate for a high-difficulty simulation means that your employees are resilient about those cues for spotting a phish. A decrease over time in the click rate for that template shows an improvement in people\'s resilience. Security practitioners have predictable baseline data to help target and change people\'s behavior on an ongoing basis. You can look at who falls for each difficulty level and know that the metrics are a reliable analysis of the user\'s performance. That, in turn, makes you more effective in your efforts to target performance outcomes. In contrast, if you take a subjective approach when you rate the difficulty scoring, the effectiveness of a phishing template could be murky. When people score based on their perception and judgment, the assessment becomes inherently flawed. And when | Threat | ★★ | |
|
2024-04-08 16:24:08 | Évolution du paysage des menaces: une plongée profonde dans les attaques multicanaux ciblant les détaillants Evolving Threat Landscape: A Deep Dive into Multichannel Attacks Targeting Retailers (lien direct) |
Les acteurs de la menace ne fonctionnent plus dans les silos.Aujourd'hui, ils utilisent plusieurs canaux tels que SMS, e-mail, fausses pages Web et comptes cloud compromis.Ils utilisent ces différents canaux pour établir la persistance et compromettre les identités afin qu'ils puissent augmenter les privilèges et se déplacer latéralement. ProofPoint Research Threat a récemment observé des campagnes dans lesquelles les acteurs de la menace ont utilisé des attaques multicanaux pour cibler l'industrie du commerce de détail.La chaîne d'attaque et la chronologie montrent comment les acteurs de la menace (TA) passent d'une organisation ciblée à l'autre.Chaque fois que leur accès non autorisé est révoqué ou épuisé, les attaquants passent à la prochaine cible. La chaîne d'attaque multicanal qui cible les détaillants mondiaux. Dans nos recherches, ces campagnes commencent par une attaque de smims.Une attaque de smims, également connue sous le nom de phishing SMS, utilise des SMS pour inciter les destinataires à faire ce que l'attaquant veut qu'ils fassent.Cela pourrait fournir leurs informations personnelles ou financières, en cliquant sur des liens malveillants ou en téléchargeant des applications logicielles nocives.Les messages de smirs utilisent des thèmes de billets de support courts pour attirer les victimes des sites de phishing de l'acteur de menace. Exemples de messages de phishing SMS avec des thèmes de billets de support. Dans la campagne que nous avons observée, l'AT a utilisé une page de phishing Microsoft personnalisée qui comprenait la marque de l'organisation ciblée \\.Cette page a conduit les utilisateurs via le flux d'autorisation MFA pour collecter leurs informations d'identification. Exemple de page Microsoft Phish personnalisée avec la marque Target Organisation \\. Une fois que l'AT a capturé les informations d'identification, ils ont compromis les comptes d'utilisateurs.Takever post-compte (ATO), les attaquants ont utilisé plusieurs méthodes pour maintenir un accès persistant et masquer leurs activités non autorisées.Ceux-ci inclus: Manipulation MFA.Les attaquants ont utilisé des comptes détournés pour enregistrer leurs propres méthodes MFA. Inscription de nouveaux appareils via des applications Microsoft natives (telles que l'inscription Intune).Cela a aidé les attaquants à cacher leurs activités non autorisées et à accéder à certaines ressources. Utilisation malveillante du VPN d'entreprise.Le TA a utilisé les produits VPN et ZTNA de la victime et plusieurs de leurs propres clients VPN pour accéder à des ressources telles que les produits de sécurité et les environnements de production. Les attaquants ont eu accès au portail SSO de l'organisation, qui à son tour a donné accès à de nombreux autres services internes et applications tierces (3PA).Les attaquants ont énuméré toutes les applications connectées au PDI et ont tenté de trouver des liens API qu'ils pourraient abuser.Ensuite, ils sont entrés dans une application commerciale spécifique pour créer des cartes-cadeaux contrefaits. Attribution L'acteur de menace de cette attaque est appelé "atlas lion" qui a des zones potentielles de chevauchement avec l'acteur Microsoft Tracks sous le nom de Storm-0539.Cet acteur de menace est «connu pour cibler les organisations de vente au détail pour la fraude et le vol de cartes-cadeaux en utilisant des e-mails et un phishing SMS très sophistiqués pendant la saison des achats des fêtes».Bien que ces attaques ne soient pas originaires de courriels, leur chevauchement dans les TTP (tactiques, techniques et procédures) nous amène à croire que l'ensemble d'activités peut s'aligner sur l'acteur de menace que nous suivons en tant que TA4901.Cet TA cible les sociétés dans les secteurs de télécommunications et de vente au détail depuis au moins 2018. Le pouvoir des idées de bout en bout Ce qui fait que Proofpoint se démarque des autres fournisseurs de sécurité, c'est que nous avons des informations de bout en bout sur | Tool Threat Mobile Cloud | ★★ | |
|
2024-04-05 06:00:25 | Amélioration de la détection et de la réponse: plaider en matière de tromperies Improving Detection and Response: Making the Case for Deceptions (lien direct) |
Let\'s face it, most enterprises find it incredibly difficult to detect and remove attackers once they\'ve taken over user credentials, exploited hosts or both. In the meantime, attackers are working on their next moves. That means data gets stolen and ransomware gets deployed all too often. And attackers have ample time to accomplish their goals. In July 2023, the reported median dwell time was eight days. That\'s the time between when an attacker accesses their victim\'s systems and when the attack is either detected or executed. Combine that data point with another one-that attackers take only 16 hours to reach Active Directory once they have landed-and the takeaway is that threats go undetected for an average of seven days. That\'s more than enough time for a minor security incident to turn into a major business-impacting breach. How can you find and stop attackers more quickly? The answer lies in your approach. Let\'s take a closer look at how security teams typically try to detect attackers. Then, we can better understand why deceptions can work better. What is the problem with current detection methods? Organizations and their security vendors have evolved when it comes to techniques for detecting active threats. In general, detection tools have focused on two approaches-finding files or network traffic that are “known-bad” and detecting suspicious or risky activity or behavior. Often called signature-based detection, finding “known-bad” is a broadly used tool in the detection toolbox. It includes finding known-bad files like malware, or detecting traffic from known-bad IPs or domains. It makes you think of the good old days of antivirus software running on endpoints, and about the different types of network monitoring or web filtering systems that are commonplace today. The advantage of this approach is that it\'s relatively inexpensive to build, buy, deploy and manage. The major disadvantage is that it isn\'t very effective against increasingly sophisticated threat actors who have an unending supply of techniques to get around them. Keeping up with what is known-bad-while important and helpful-is also a bit like a dog chasing its tail, given the infinite internet and the ingenuity of malicious actors. The rise of behavior-based detection About 20 years ago, behavioral-based detections emerged in response to the need for better detection. Without going into detail, these probabilistic or risk-based detection techniques found their way into endpoint and network-based security systems as well as SIEM, email, user and entity behavior analytics (UEBA), and other security systems. The upside of this approach is that it\'s much more nuanced. Plus, it can find malicious actors that signature-based systems miss. The downside is that, by definition, it can generate a lot of false positives and false negatives, depending on how it\'s tuned. Also, the high cost to build and operate behavior-based systems-considering the cost of data integration, collection, tuning, storage and computing-means that this approach is out of reach for many organizations. This discussion is not intended to discount the present and future benefits of newer analytic techniques such as artificial intelligence and machine learning. I believe that continued investments in behavior-based detections can pay off with the continued growth of security data, analytics and computing power. However, I also believe we should more seriously consider a third and less-tried technique for detection. Re-thinking detection Is it time to expand our view of detection techniques? That\'s the fundamental question. But multiple related questions are also essential: Should we be thinking differently about what\'s the best way to actively detect threats? Is there a higher-fidelity way to detect attackers that is cost-effective and easy to deploy and manage? Is there another less-tried approach for detecting threat actors-beyond signature-based and behavior-based methods-that can dra | Ransomware Malware Tool Vulnerability Threat | ★★ | |
|
2024-04-04 11:47:34 | Latrodectus: ces octets d'araignée comme la glace Latrodectus: This Spider Bytes Like Ice (lien direct) |
Proofpoint\'s Threat Research team joined up with the Team Cymru S2 Threat Research team, in a collaborative effort to provide the information security community with a comprehensive view of the threat activity described. Key takeaways Proofpoint first observed new malware named Latrodectus appear in email threat campaigns in late November 2023. While use of Latrodectus decreased in December 2023 through January 2024, Latrodectus use increased in campaigns throughout February and March 2024. It was first observed in Proofpoint data being distributed by threat actor TA577 but has been used by at least one other threat actor, TA578. Latrodectus is an up-and-coming downloader with various sandbox evasion functionality. While similar to IcedID, Proofpoint researchers can confirm it is an entirely new malware, likely created by the IcedID developers. Latrodectus shares infrastructure overlap with historic IcedID operations. While investigating Latrodectus, researchers identified new, unique patterns in campaign IDs designating threat actor use in previous IcedID campaigns. Overview Proofpoint identified a new loader called Latrodectus in November 2023. Researchers have identified nearly a dozen campaigns delivering Latrodectus, beginning in February 2024. The malware is used by actors assessed to be initial access brokers (IABs). Latrodectus is a downloader with the objective of downloading payloads and executing arbitrary commands. While initial analysis suggested Latrodectus was a new variant of IcedID, subsequent analysis confirmed it was a new malware most likely named Latrodectus, based on a string identified in the code. Based on characteristics in the disassembled sample and functionality of the malware, researchers assess the malware was likely written by the same developers as IcedID. This malware was first observed being distributed by TA577, an IAB known as a prolific Qbot distributor prior to the malware\'s disruption in 2023. TA577 used Latrodectus in at least three campaigns in November 2023 before reverting to Pikabot. Since mid-January 2024, researchers observed it being used almost exclusively by TA578 in email threat campaigns. Campaign details TA577 TA577 was only observed using Latrodectus in three campaigns, all occurring in November 2023. Notably, a campaign that occurred on 24 November 2023 deviated from previously observed TA577 campaigns. The actor did not use thread hijacking, but instead used contained a variety of different subjects with URLs in the email body. The URLs led to the download of a JavaScript file. If executed, the JavaScript created and ran several BAT files that leveraged curl to execute a DLL and ran it with the export “scab”. Figure 1: Example TA577 campaign delivering Latrodectus. On 28 November 2023, Proofpoint observed the last TA577 Latrodectus campaign. The campaign began with thread hijacked messages that contained URLs leading to either zipped JavaScript files or zipped ISO files. The zipped JavaScript file used curl to download and execute Latrodectus. The zipped ISO file contained a LNK file used to execute the embedded DLL, Latrodectus. Both attack chains started the malware with the export “nail”. TA578 Since mid-January 2024, Latrodectus has been almost exclusively distributed by TA578. This actor typically uses contact forms to initiate a conversation with a target. In one campaign observed on 15 December 2023, Proofpoint observed TA578 deliver the Latrodectus downloader via a DanaBot infection. This December campaign was the first observed use of TA578 distributing Latrodectus. On 20 February 2024, Proofpoint researchers observed TA578 impersonating various companies to send legal threats about alleged copyright infringement. The actor filled out a contact form on multiple targets\' websites, with text containing unique URLs and included in the URI both the domain of the site that initiated the contact form (the target), and the name of the impersonated company (to further the legitimacy | Ransomware Malware Tool Threat Prediction | ★★★ | |
|
2024-04-03 06:00:40 | Les acteurs de la menace offrent des logiciels malveillants via les fissures du jeu vidéo YouTube Threat Actors Deliver Malware via YouTube Video Game Cracks (lien direct) |
Key takeaways Proofpoint identified multiple YouTube channels distributing malware by promoting cracked and pirated video games and related content. The video descriptions include links leading to the download of information stealers. The activity likely targets consumer users who do not have the benefits of enterprise-grade security on their home computers. Overview Threat actors often target home users because they do not have the same resources or knowledge to defend themselves from attackers compared to enterprises. While the financial gain might not be as large as attacks perpetrated on corporations, the individual victims likely still have data like credit cards, cryptocurrency wallets, and other personal identifiable information (PII) stored on their computers which can be lucrative to criminals. Proofpoint Emerging Threats has observed information stealer malware including Vidar, StealC, and Lumma Stealer being delivered via YouTube in the guise of pirated software and video game cracks. The videos purport to show an end user how to do things like download software or upgrade video games for free, but the link in the video descriptions leads to malware. Many of the accounts that are hosting malicious videos appear to be compromised or otherwise acquired from legitimate users, but researchers have also observed likely actor-created and controlled accounts that are active for only a few hours, created exclusively to deliver malware. Third-party researchers have previously published details on fake cracked software videos used to deliver malware. The distribution method is particularly notable due to the type of video games the threat actors appear to promote. Many of them appear to be targeted to younger users including games popular with children, a group that is less likely to be able to identify malicious content and risky online behaviors. During our investigation, Proofpoint Emerging Threats reported over two dozen accounts and videos distributing malware to YouTube, which removed the content. Example account The following is an example of a suspected compromised account (or potentially sold to a new “content creator”) used to deliver malware. Indicators of a suspected compromised or otherwise acquired account include significant gaps of time between the videos posted, content that vastly differs from previously published videos, differences in languages, and descriptions of the videos containing likely malicious links, among other indicators. The account has around 113,000 subscribers, and the account displays a grey check mark which indicates the account owner has met verified channel requirements including verifying their identity. Example of a verified YouTube account with a large following, suspected to be compromised. When Proofpoint researchers identified the account, the majority of the account\'s videos had been posted one year or more previously, and all had titles written in Thai. However, when the account was identified, twelve (12) new English language videos had been posted within a 24-hour period, all related to popular video games and software cracks. All of the new video descriptions included links to malicious content. Some of the videos had over 1,000 views, possibly artificially increased by bots to make the videos seem more legitimate. Screenshot of a suspected compromised YouTube account distributing malware comparing upload dates. In one example, a video purported to contain a character enhancement for a popular video game with a MediaFire link in the description. The MediaFire URL led to a password-protected file (Setup_Pswrd_1234.rar) containing an executable (Setup.exe) that, if executed, downloaded and installed Vidar Stealer malware. The video was uploaded to the suspected compromised account seven (7) hours prior to our investigation. Around the same time the video was posted, several comments purported to attest to the legitimacy of the software crack. It is likely those accounts and comments were created by the video | Malware Tool Threat | ★★★ | |
|
2024-04-02 09:34:09 | ProofPoint en tête de KuppingerCole Leadership Compass pour la sécurité des e-mails Proofpoint Tops KuppingerCole Leadership Compass for Email Security (lien direct) |
Email is the primary threat vector for cybersecurity threats. And these days, many malware, phishing and social engineering schemes target your people. The 2023 Verizon Data Breach Investigations Report notes that 74% of all data breaches include a human element. Threats are constantly evolving, too. It doesn\'t matter how sophisticated or complex your business is, it is a daunting task to protect your people from modern threats. At Proofpoint, we understand how critical it is for any business to protect its people from today\'s email threats. That\'s why we innovate every day. Recently, the industry has once again recognized our efforts to help our customers protect their people and their businesses. This time, our email security was recognized by major industry analyst firm KuppingerCole. Here is what they said about Proofpoint Threat Protection-and what makes it stand out from the competition. Proofpoint named an Overall Leader KuppingerCole just named Proofpoint an Overall Leader in the KuppingerCole Leadership Compass for Email Security Report, 2023. This is the third time in the past year that our email security has been named a leader by a major industry analyst firm. This recognition “triple crown” is the direct result of our commitment to helping businesses protect their people from modern email threats and change user behavior for the better. It keeps us innovating year after year. In the report from KuppingerCole, Proofpoint Threat Protection received the highest “strong positive” rating in all categories, including: Security Functionality Deployment Interoperability Usability With its ratings, KuppingerCole positioned Proofpoint as a leader in all evaluation categories, including product, technology, innovation and market. KuppingerCole named Proofpoint a leader in the product, technology, innovation and market categories. What makes Proofpoint stand out Here is a closer look at how we can help you protect your people from advanced email threats. Stop the widest variety of threats with accuracy Proofpoint uses a multilayered detection stack to identify a wide array of email threats with accuracy. Because we have a broad set of detection technology, we can apply the right technique to the right threat. For example, we have robust sandbox technology to detect URL-based threats, like quick response codes (QR Codes) and behavioral analysis for business email compromise (BEC) and telephone-oriented attack delivery (TOAD) threats. Our machine learning (ML) and artificial intelligence (AI) models are trained by our experts using one of the richest sets of data in the industry. This ensures we provide superior accuracy. Every year, we analyze more than 3 trillion messages across our 230,000+ customer, global ecosystem. Our modular detection stack enables agility and speed to adapt to changes in the threat landscape. It allows us to quickly deploy new models to address new threats like BEC, TOAD and QR Codes. And it enables us to tune our existing detection models more frequently. Prevent email threats before they reach your people\'s inboxes Predelivery detection from Proofpoint stops known and emerging threats at the front door of your business-not after they are delivered. Proofpoint threat intelligence and research found that nearly 1 in 7 malicious URL clicks happen within one minute of an email\'s arrival. That\'s why predelivery protection is so critical. If a threat ends up in your users\' inboxes, it increases your risk of a cyberattack or data breach. We analyze all messages, links and attachments with our robust detection stack before they can reach an inbox. This analysis, combined with our predelivery sandboxing and behavioral analysis of suspicious QR codes, allows us to stop malicious messages before they become a risk to your business. Gain actionable insights into your human risks Proofpoint quantifies your people\'s risk so that you can prioritize budget and resources to focus o | Data Breach Malware Threat Mobile Commercial | ★★★ | |
|
2024-03-29 06:00:11 | Déverrouiller l'efficacité de la cybersécurité dans les soins de santé: utiliser des informations sur les menaces pour naviguer dans la surface d'attaque humaine Unlocking Cybersecurity Efficiency in Healthcare: Using Threat Insights to Navigate the Human Attack Surface (lien direct) |
Understanding your organization\'s human attack surface is not just a good idea in today\'s threat landscape; it\'s essential. Why? Because it can make all the difference in your efforts to allocate your limited resources efficiently. Let\'s face it-in the world of cybersecurity, one size does not fit all. It is not feasible to adopt a uniform approach to secure your business. And while most of your users may pose a minimal risk, there are smaller, high-risk groups that attract the lion\'s share of attention from cyberthreat actors. Identifying these groups and understanding what makes these users so enticing to attackers is key to creating an effective defense. At Proofpoint, we recognize the importance of understanding the human attack surface. Our approach to cybersecurity revolves around a human-centric defense strategy. And email serves as a valuable window into the most vulnerable parts of your business. We analyze inbound threats directed at email addresses and enrich them with directory information. This is a Proofpoint Targeted Attack Protection (TAP) feature that\'s available to all customers. As a result, we provide valuable insights into the job roles and departments that are prime targets for attackers. In this blog, we\'ll go through some of our most recent insights for the healthcare industry-and the job roles that attracted the most interest from attackers. 2023 research overview For our research in 2023, we created a healthcare peer group of over 50 similar hospital systems to track within the Proofpoint TAP platform. We meticulously analyzed “people data” from these systems to identify trends in attack patterns. We tracked: Attack index Click rates Malicious message volume Total clicks across various departments More specifically, we looked for outlier clusters that exhibited movement beyond the average. What follows are a few of our insights. Threat actors target roles related to finance and the revenue cycle back-end As it turns out, attackers have a penchant for people in finance-related jobs and those who are involved in transactions. These users were consistently attacked more than others. When we drill down further on our findings, we see that departments involved in the supply chain and facilities management exhibit similar deviations from the average. The reason? These roles often require people to be involved in transactions, making them attractive targets for attackers. 2023 department-level average attack index: Finance and transactional job roles averaged a significantly higher attack index per month per user. Money is a bigger draw than data But here is where it gets interesting. When we compare job roles and departments based on access to transactions versus access to health information, the difference is stark. It seems that attackers are more determined to interdict financial transactions than to gain access to users with large amounts of health data. 2023 department-level average attack index; medical and information services departments averaged a significantly lower attack index per month per user than financial and transactional job roles. Threat actors go after roles that deal with patient service revenue Going a step further, we wanted to understand the impact of threats on people in administrative and clinical roles who help capture, manage and collect patient service revenue. We examined the revenue cycle by categorizing job roles and departments in the following ways. Front-end (admin and pre-visit) Middle (visit, claim submission) Back-end (inbound processing, payer, patient) The disparity between groups with access to transactions and those with access to health data is evident. The revenue cycle back-end category exhibits the highest average attack index among revenue cycle labeled data, which we attribute to finance job roles associated with billing. 2023 average of attack index trends; revenue cycle quarterly comparison. The interest of attackers in finance-related job roles comes | Threat Medical | ★★ | |
|
2024-03-28 10:21:02 | Améliorations de la sensibilisation à la sécurité de ProofPoint: 2024 Release hivernale et au-delà Proofpoint Security Awareness Enhancements: 2024 Winter Release and Beyond (lien direct) |
Proofpoint Security Awareness has long been at the forefront of innovative awareness strategies. In today\'s complex threat landscape, a human-centric strategy has never been more important. And we have never been more dedicated to creating a program that helps users change their behavior. In this post, we share a few enhancements that show how committed we are to helping users transform their behavior. We cover a key educational campaign and outline the benefits of several new functional enhancements within four focus areas. 1: Keeping users engaged There are two recent and upcoming enhancements in this focus area. We launched the Yearlong campaign: Cybersecurity Heroes We released this pioneering, comprehensive educational program late last year. It provides an ongoing, curriculum-based approach to cybersecurity training. It is a testament to our belief in the power of continuous learning and helping users change their behavior. The Cybersecurity Heroes campaign covers an array of key security topics in detail every month. Here are a few examples: Elements of data encryption Intricacies of strong password protocols Deceptive nature of ransomware Long-term training schedules can be an administrative burden. That\'s why we\'ve made this training available through stand-alone monthly modules. This flexibility helps ease administrative workloads. An article from the Cybersecurity Heroes campaign. QR code phishing simulations will launch soon In the second quarter of 2024, we will be releasing QR code phishing simulations. They are our proactive response to a novel and alarming trend. Recent intelligence from industry-leading analyses, including an eye-opening blog on QR code phishing from Tessian, underscores the urgent need for education. QR code phishing attacks are on the rise. Yet, 80% of end users perceive QR codes as safe. This highlights a dangerous gap in threat perception. How a QR code phishing attack works. Our new simulations will provide administrative visibility into which users are most vulnerable to an attack, as well as a dynamic environment for users to hone their threat detection abilities in alignment with real-world scenarios. They are based on our threat intelligence and designed to challenge and refine user reactions. With an understanding of who is most at risk and how users may react to a QR code phishing attack, administrators will be able to design a program that is tailored to each individual, resulting in maximum learning comprehension and retention. QR code phishing simulations will be available in the second quarter of 2024. 2: Enhancing how people learn We want to help businesses maximize their users\' learning comprehension and behavior change. One recent enhancement in this focus area is the integration of “Phish Hooks” into Teachable Moments. It was released in late 2023. Here\'s how it helps users learn better and retain what they\'ve learned. “Phish Hooks” is now integrated with Teachable Moments This enhancement helps users understand why a phishing simulation would have been an actual threat. Users get immediate and clear feedback so that they know what to look out for next time. A view of Teachable Moments with “Phish Hooks.” By dissecting the anatomy of a phishing attack, we can give a big boost to a user\'s ability to critically assess an attack. That, in turn, helps them to improve their understanding and retention of safe cybersecurity behaviors. 3: Gaining visibility into vulnerable users Proofpoint recognizes that security administrators play a critical role in orchestrating awareness efforts. That is why we refined our Repeat Behavior Report. It\'s designed to help administrators identify the users who can benefit from targeted training about phishing risks. Here\'s how. The Repeat Behavior Report is more detailed This enhancement gives you actionable insights that can help you identify vulnerability trends. To this end, the report now provides a more de | Vulnerability Threat Prediction | ★★★ | |
|
2024-03-26 06:00:09 | Proofpoint Discloses Technique Pivot by Attacker Group TA577: Targeting Windows NTLM (lien direct) | Proofpoint was the first to uncover a concerning new development in the world of cyberthreats that involves a group known as TA577. These cybercriminals, which typically act as initial access brokers (IAB), have pivoted to attacking an old, but widely deployed Windows service to steal sensitive information. Specifically, they aim to steal at scale the hash of the NT LAN Manager (NTLM) authentication session details. Then it is expected that they either sell the data, or they exploit it for various downstream activities like stealing sensitive data and ransoming systems. The planned end result is the same, a significant business-impacting breach of the targeted organizations. How did the new attack happen? Proofpoint detected two distinct email-based campaigns that TA577 carried out on February 26 and 27, 2024. The campaigns targeted hundreds of businesses globally via tens of thousands of emails. The attackers cleverly disguised the emails as replies to previous emails. This is an effective social engineering tactic known as thread hijacking. The emails contained HTML attachments compressed into zip files. Each malicious attachment had its own unique identifier. And the HTML files contained within the attachment were customized for each recipient. Because all the hashes were unique, a simple signature-based detection system could not consistently detect and block these emails. When the email recipient opened the files, it triggered a connection to a Server Message Block (SMB) server that the threat actor controlled. No malware was directly delivered through these connections. However, the attackers\' objective was clear-to capture the details of the challenge/response transaction and the NTLM hashes of the user\'s Windows machine, which include the user\'s password authentication data. The attackers can use this data in the next stage of the attack either in hash form or by cracking the hash first to retrieve the password. Note: In this case, the use of multifactor authentication (MFA) would not stop the attack, as TA577 targeted previously authenticated users on active Windows machines. If targeted businesses used MFA, that authentication step would have already occurred; thus, it would not significantly hinder this attack. What was the attackers\' intent? As noted earlier, TA577 usually acts as an IAB. So, the group likely aimed to exploit the data that they collected by cracking password hashes or facilitating “pass-the-hash” attacks. They could sell access to other threat actors who seek to penetrate targeted companies\' networks more deeply. As part of our investigation, Proofpoint identified the use of a well-known toolkit, Impacket, on the SMB servers involved in the attack. This discovery further confirmed that the malicious intent behind TA577\'s activities is to go well beyond the initial account or system compromise. What is especially concerning about this attack approach is that any connection to the SMB servers would compromise sensitive information that includes: Usernames Passwords Session hashes Domain names Computer names More troubling is the fact that the attackers delivered the malicious HTML files within zip archives. That means they bypassed measures in Outlook mail clients last patched before July 2023. If your email security provider did not block the inbound email and a user engaged with the message, your last hope to avoid the compromise is the timeliness of your software patching program. The impacts on businesses This attack is based on an old protocol (NTLM) from the 1990s. But this new twist by TA577 is noteworthy because it represents a departure from the group\'s usual tactics of delivering malware and bots directly. It suggests that the group is adapting and evolving. They are seeking new ways to bypass security measures and monetize their campaigns. This cyberthreat poses a significant risk to businesses that run Microsoft Windows. Through the theft of NTLM authenti | Malware Threat Patching | ★★★ | |
|
2024-03-26 06:00:09 | ProofPoint révèle la technique PIVOT par un groupe d'attaquant TA577: Cibler Windows NTLM Proofpoint Discloses Technique Pivot by Attacker Group TA577: Targeting Windows NTLM (lien direct) |
Proofpoint was the first to uncover a concerning new development in the world of cyberthreats that involves a group known as TA577. These cybercriminals, which typically act as initial access brokers (IAB), have pivoted to attacking an old, but widely deployed Windows service to steal sensitive information. Specifically, they aim to steal at scale the hash of the NT LAN Manager (NTLM) authentication session details. Then it is expected that they either sell the data, or they exploit it for various downstream activities like stealing sensitive data and ransoming systems. The planned end result is the same, a significant business-impacting breach of the targeted organizations. How did the new attack happen? Proofpoint detected two distinct email-based campaigns that TA577 carried out on February 26 and 27, 2024. The campaigns targeted hundreds of businesses globally via tens of thousands of emails. The attackers cleverly disguised the emails as replies to previous emails. This is an effective social engineering tactic known as thread hijacking. The emails contained HTML attachments compressed into zip files. Each malicious attachment had its own unique identifier. And the HTML files contained within the attachment were customized for each recipient. Because all the hashes were unique, a simple signature-based detection system could not consistently detect and block these emails. When the email recipient opened the files, it triggered a connection to a Server Message Block (SMB) server that the threat actor controlled. No malware was directly delivered through these connections. However, the attackers\' objective was clear-to capture the details of the challenge/response transaction and the NTLM hashes of the user\'s Windows machine, which include the user\'s password authentication data. The attackers can use this data in the next stage of the attack either in hash form or by cracking the hash first to retrieve the password. Note: In this case, the use of multifactor authentication (MFA) would not stop the attack, as TA577 targeted previously authenticated users on active Windows machines. If targeted businesses used MFA, that authentication step would have already occurred; thus, it would not significantly hinder this attack. What was the attackers\' intent? As noted earlier, TA577 usually acts as an IAB. So, the group likely aimed to exploit the data that they collected by cracking password hashes or facilitating “pass-the-hash” attacks. They could sell access to other threat actors who seek to penetrate targeted companies\' networks more deeply. As part of our investigation, Proofpoint identified the use of a well-known toolkit, Impacket, on the SMB servers involved in the attack. This discovery further confirmed that the malicious intent behind TA577\'s activities is to go well beyond the initial account or system compromise. What is especially concerning about this attack approach is that any connection to the SMB servers would compromise sensitive information that includes: Usernames Passwords Session hashes Domain names Computer names More troubling is the fact that the attackers delivered the malicious HTML files within zip archives. That means they bypassed measures in Outlook mail clients last patched before July 2023. If your email security provider did not block the inbound email and a user engaged with the message, your last hope to avoid the compromise is the timeliness of your software patching program. The impacts on businesses This attack is based on an old protocol (NTLM) from the 1990s. But this new twist by TA577 is noteworthy because it represents a departure from the group\'s usual tactics of delivering malware and bots directly. It suggests that the group is adapting and evolving. They are seeking new ways to bypass security measures and monetize their campaigns. This cyberthreat poses a significant risk to businesses that run Microsoft Windows. Through the theft of NTLM authenti | Malware Threat Patching | ★★★ | |
|
2024-03-25 06:00:56 | DNS pendante: nettoyage de printemps pour protéger contre le risque d'identification Dangling DNS: Spring Cleaning to Protect Against Impersonation Risk (lien direct) |
It is well-established that email is the number one threat vector for cyberattacks. It\'s a go-to for many bad actors because they don\'t need to be highly skilled to initiate an email-based attack. Nor do they need to do elaborate work upfront. Their success hinges on their ability to be convincing. Targets must believe that they are interacting with a trusted source if they\'re going to voluntarily hand over sensitive data, provide their authentication credentials, make a wire transfer or install malware. That\'s why a critical part of any company\'s security posture is using protocols and policies that reduce impersonation risk. And a major step in this direction is to enable and enforce email authentication methods across all your domains. These include: Sender Policy Framework (SPF). This is a published authoritative list of approved sending IP addresses. It can help recipient email systems confirm that an email is coming from a legitimate source and is not impersonating a person or entity through spoofing. DomainKeys Identified Mail (DKIM). This email authentication method stamps a digital signature to outgoing emails. It helps recipient email systems verify, with proper alignment, that the email was sent by the domain it claims to be from and that it hasn\'t been altered in transit. Domain-based Message Authentication, Reporting, and Conformance (DMARC). This email authentication protocol builds on SPF and DKIM by allowing senders to set policies for handling emails that fail these authentication checks. If you don\'t maintain your systems, bad actors can exploit out-of-date information and nullify your email authentication efforts. In this blog, we will highlight a key bad actor impersonation tactic to inspire you to regularly spring clean your records moving forward. The tactic in focus: “dangling DNS” Dangling DNS refers to a misconfiguration in your email-related domain name system (DNS) records. A reference domain or subdomain is left pointing to a domain that no longer exists or is not under the control of the original domain owner. The term “dangling" implies that the DNS entry is pointing to something that is hanging without proper support. In this case, it is a domain that has expired. Bad actors have gotten wise to the fact that these expired domains create a crack in your defense that they can exploit. The risk of subdomain takeover If a subdomain is left pointing to an external service that the domain owner no longer controls, an attacker can register that domain to gain control of any DNS records that are pointed toward it. So, when they initiate their impersonation-based attack, they have the added benefit of passing email authentication! Using SPF records with all your sending infrastructure listed, rather than hidden behind an SPF macro, also discloses sensitive data about your company\'s infrastructure. Attackers can use this data to plan and execute targeted attacks. Actions you can take to reduce risk To mitigate the risks associated with dangling DNS records, domain owners must review their email-related DNS configurations regularly. It is especially important when you decommission or change services. Here are some actions that can help you to reduce your risk exposure. Regularly review and remove unused DNS records You should promptly remove DNS records that point to deprecated or unused services: SPF records. Review and minimize the entries that are posted within your SPF record. Review every “Include” and “Reference”, especially for third parties and expired domains, or if domains change owners. Access to SPF telemetry data can help simplify your investigations. DKIM selector records. Review CNAMEd DKIM selector records that point to third parties for expired domains, or if domains change owners. DMARC policy records. Review CNAMEd DMARC records that point to third parties for expired domains, or if domains change owners. MX records. Review MX records for your domains to see if any old entries are still inc | Malware Threat Cloud | ★★★ | |
|
2024-03-22 06:00:42 | La solution centrée sur l'homme à un problème centré sur l'homme défiant vos données critiques The Human-Centric Solution to a Human-Centric Problem-Defending Your Critical Data (lien direct) |
This cybersecurity lore is well on its way to becoming cliché. But like most clichés, it\'s true: Data doesn\'t leave your organization on its own. People let your data out. They either take it with them, or they leave the door open for someone else to help themselves. In this environment, where cybercriminals are less inclined to target software vulnerabilities and far more focused on our identities, the perimeter as we once knew it has disappeared. Today, our people are the perimeter-wherever they are, on-premises or in the cloud, and whatever systems, devices and credentials they use to access our data. Needless to say, if cyberattacks are targeted at our people (or rather, their identities), then our cyber defenses must be targeted, too. But with large and often remote workforces accessing our networks across various endpoints, this is increasingly challenging. To protect our people-and, in turn, our businesses-we need a deep understanding of who is accessing our data as well as how, when, where and why. It\'s only when we have all this information that we can begin to place protections where they are needed most, educate users on the risks they face and fight threat actors on the new frontier of our identities. Tackling insider threats As if defending a new, more fluid perimeter wasn\'t difficult enough, the increased focus on our identities presents another problem. Our people are already within our traditional defenses. So, to protect against malicious, compromised or careless users who are enabling data loss, we need to defend from the inside out. Email remains the number one entry point for common and advanced threats, so any effective defense starts in the inbox. Our people must understand the importance of strong credentials, the risk of password reuse and sharing, and the dangers posed by phishing emails, malicious links and bogus attachments. In our research for the 2024 State of the Phish report, Proofpoint found that security professionals in Europe and the Middle East rated password reuse as the riskiest behavior-and the second-most common behavior among end users. Email protection tools can assist here, too, by filtering malicious messages before they reach the inbox. That helps to mitigate the compromised employee use case. However, security teams must always assume that threats will get through these lines of defense, even with detection rates above 99% being the norm. And when they do, additional layers of security are needed to stop them in their tracks. Advanced enterprise data loss prevention (DLP) and insider threat management (ITM) tools provide this additional layer. By analyzing content, behavior and threat telemetry, these tools highlight anomalous or suspicious behavior that can lead to data loss. Careless users were the most cited cause of data loss in our inaugural 2024 Data Loss Landscape report. To handle this use case you might want to interrupt their careless behavior with a security prompt. For example, suppose an employee attempts to send confidential files in a plain text email. A simple pop-up advising them to reconsider their action could prevent this data from being exposed. A complete log of the incident is also captured, which can add real-world context to security awareness training. Another action that a careless user may perform is to send an email to the wrong recipient. According to our research, 1 in 3 users misdirected one or two emails to the wrong recipient. In the event of a malicious insider, intelligent DLP and ITM tools will spot and alert security teams to any high-risk behaviors. This could be a user who downloads an unauthorized app to a corporate machine or renames files to hide their intentions and cover their tracks. As for leavers-who remain one of the primary reasons for insider-driven data loss-security teams can take a more proactive approach. By focusing on these high-risk employees, you can build an evidential picture of intent. With the right tools in place, you can capture activity l | Tool Vulnerability Threat Cloud | ★★ | |
|
2024-03-21 07:53:21 | Mémoire de sécurité: TA450 utilise des liens intégrés dans les pièces jointes PDF dans la dernière campagne Security Brief: TA450 Uses Embedded Links in PDF Attachments in Latest Campaign (lien direct) |
Ce qui s'est passé Les chercheurs de ProofPoint ont récemment observé une nouvelle activité par l'acteur de menace aligné par l'Iran TA450 (également connu sous le nom de Muddywater, Mango Sandstorm et Static Kitten), dans lequel le groupe a utilisé un leurre d'ingénierie social lié aux salaires pour cibler les employés israéliens dans de grandes organisations multinationales.TA450 est connu pour cibler les entités israéliennes, en particulier depuis au moins octobre 2023 avec le début de la guerre des Israël-Hamas et cela se poursuit qui se concentre sur les sociétés mondiales de fabrication, de technologie et de sécurité de l'information. Dans la campagne de phishing, qui a commencé le 7 mars et s'est poursuivie tout au long de la semaine du 11 mars 2024, TA450 a envoyé des e-mails avec des pièces jointes PDF qui contenaient des liens malveillants.Bien que cette méthode ne soit pas étrangère à TA450, l'acteur de menace s'est récemment appuyé sur des liens malveillants directement dans les corps de messagerie électronique au lieu d'ajouter cette étape supplémentaire.Les chercheurs de ProofPoint ont observé que les mêmes cibles reçoivent plusieurs e-mails de phishing avec des pièces jointes PDF qui avaient des liens intégrés légèrement différents.Les liens étaient vers une variété de sites de partage de fichiers, notamment EGnyte, OneHub, Sync et Terabox.Les e-mails ont également utilisé un compte .il d'expéditeur probable compromis, ce qui est conforme à l'activité récente de cette menace. Comme le montre les figures 1 et 2, si une cible ouvrait la pièce jointe et cliquait sur le lien inclus, il conduirait au téléchargement d'une archive zip contenant un MSI compressé qui installerait finalement AteraAgent, logiciel d'administration à distance connue pour être abusépar TA450. Figure 1. Attachement PDF ouvert avec un lien malveillant (Traduction machine: Titre du document: Signon de paie; Body of PDF: Bonjour, à partir de maintenant, recevez votre bordereau de paie via le logiciel suivant). Figure 2. Zip Archive via OneHub qui mène au téléchargement du logiciel d'administration à distance. Attribution Les chercheurs de ProofPoint attribuent cette campagne à TA450 sur la base de tactiques, techniques et procédures connues de TA450, ciblage de la campagne et analyse de logiciels malveillants.En janvier 2022, les États-Unis ont cyber-commandant ce groupe au ministère de l'Iran \\ du renseignement et de la sécurité. Pourquoi est-ce important Cette activité est remarquable pour plusieurs raisons, notamment qu'elle marque un tour des tactiques de Ta450 \\.Bien que cette campagne ne soit pas la première instance observée de TA450 en utilisant des pièces jointes avec des liens malveillants dans le cadre de la chaîne d'attaque de l'acteur de menace, il est la première fois que les chercheurs ont observé que TA450 tentative de livrer une URL malveillante dans une attachement PDF plutôt plutôtque lier directement le fichier dans un e-mail.De plus, cette campagne est la première fois que Proofpoint a observé TA450 à l'aide d'un compte de messagerie d'expéditeur qui correspond au contenu de leurre.Par exemple, cette campagne a utilisé un compte de messagerie de salaire [@] co [.] Il, qui est aligné sur les différentes lignes d'objet sur le thème de la rémunération. Enfin, cette activité continue la tendance de Ta450 \\ de tirer parti des leurres de langue hébraïque et de compromis compromis. Signatures de menace émergente (ET) Sid Nom de règle 2051743 ET ouvre la requête DNS au domaine de partage de fichiers (EGNYTE .com) 2051745 ET Open 2051745 - DNS Query to File Share Domain (Sync .Com) 2051749 ET ouvre la requête DNS au domaine de partage de fichiers (Terabox .com) 2051750 ET Open Domaine de partage de fichiers observé (Terabox .com dans TLS SNI) 2051746 ET Open Domaine de partage de fichiers observé (EGNYTE .com dans TLS SNI) 2051748 ET Open Domaine de partage de fichiers observé (Sync .com d | Malware Threat Prediction | ★★★ | |
|
2024-03-19 05:00:28 | Le rapport du paysage de la perte de données 2024 explore la négligence et les autres causes communes de perte de données The 2024 Data Loss Landscape Report Explores Carelessness and Other Common Causes of Data Loss (lien direct) |
La perte de données est un problème de personnes, ou plus précisément, un problème de personnes imprudentes.C'est la conclusion de notre nouveau rapport, le paysage de la perte de données 2024, que Proofpoint lance aujourd'hui. Nous avons utilisé des réponses à l'enquête de 600 professionnels de la sécurité et des données de la protection des informations de Proofpoint pour explorer l'état actuel de la prévention de la perte de données (DLP) et des menaces d'initiés.Dans notre rapport, nous considérons également ce qui est susceptible de venir ensuite dans cet espace à maturation rapide. De nombreuses entreprises considèrent aujourd'hui toujours leur programme DLP actuel comme émergent ou évoluant.Nous voulions donc identifier les défis actuels et découvrir des domaines d'opportunité d'amélioration.Les praticiens de 12 pays et 17 industries ont répondu aux questions allant du comportement des utilisateurs aux conséquences réglementaires et partageaient leurs aspirations à l'état futur de DLP \\. Ce rapport est une première pour Proofpoint.Nous espérons que cela deviendra une lecture essentielle pour toute personne impliquée dans la tenue de sécuriser les données.Voici quelques thèmes clés du rapport du paysage de la perte de données 2024. La perte de données est un problème de personnes Les outils comptent, mais la perte de données est définitivement un problème de personnes.2023 Données de Tessian, une entreprise de point de preuve, montre que 33% des utilisateurs envoient une moyenne d'un peu moins de deux e-mails mal dirigés chaque année.Et les données de la protection de l'information ProofPoint suggèrent que à peu de 1% des utilisateurs sont responsables de 90% des alertes DLP dans de nombreuses entreprises. La perte de données est souvent causée par la négligence Les initiés malveillants et les attaquants externes constituent une menace significative pour les données.Cependant, plus de 70% des répondants ont déclaré que les utilisateurs imprudents étaient une cause de perte de données pour leur entreprise.En revanche, moins de 50% ont cité des systèmes compromis ou mal configurés. La perte de données est répandue La grande majorité des répondants de notre enquête ont signalé au moins un incident de perte de données.Les incidents moyens globaux par organisation sont de 15. L'échelle de ce problème est intimidante, car un travail hybride, l'adoption du cloud et des taux élevés de roulement des employés créent tous un risque élevé de données perdues. La perte de données est dommageable Plus de la moitié des répondants ont déclaré que les incidents de perte de données entraînaient des perturbations commerciales et une perte de revenus.Celles-ci ne sont pas les seules conséquences dommageables.Près de 40% ont également déclaré que leur réputation avait été endommagée, tandis que plus d'un tiers a déclaré que leur position concurrentielle avait été affaiblie.De plus, 36% des répondants ont déclaré avoir été touchés par des pénalités réglementaires ou des amendes. Préoccupation croissante concernant l'IA génératrice De nouvelles alertes déclenchées par l'utilisation d'outils comme Chatgpt, Grammarly et Google Bard ne sont devenus disponibles que dans la protection des informations de Proofpoint cette année.Mais ils figurent déjà dans les cinq règles les plus implémentées parmi nos utilisateurs.Avec peu de transparence sur la façon dont les données soumises aux systèmes d'IA génératives sont stockées et utilisées, ces outils représentent un nouveau canal dangereux pour la perte de données. DLP est bien plus que de la conformité La réglementation et la législation ont inspiré de nombreuses initiatives précoces du DLP.Mais les praticiens de la sécurité disent maintenant qu'ils sont davantage soucieux de protéger la confidentialité des utilisateurs et des données commerciales sensibles. Des outils de DLP ont évolué pour correspondre à cette progression.De nombreux outils | Tool Threat Legislation Cloud | ChatGPT | ★★★ |
|
2024-03-18 12:03:01 | Rapport IC3 de FBI \\: pertes de la cybercriminalité dépasse 12,5 milliards de dollars - un nouveau record FBI\\'s IC3 Report: Losses from Cybercrime Surpass $12.5 Billion-a New Record (lien direct) |
The 2023 Internet Crime Report from the FBI\'s Internet Crime Complaint Center (IC3) is out. And for defenders, it\'s a troubling read. The FBI saw only a minor uptick in reported cybercrime complaints last year from the American public. On the surface, this seems like positive news. There were only 79,474 more complaints filed than in 2022. However, that total is much more significant when you consider the potential losses from cybercrime. Losses surpassed $12.5 billion last year, a 22% increase from 2022 and a new record high. That staggering figure is part of a far more complex story about cybercrime in 2023. The report notes that: Investment fraud losses surged, jumping from $3.31 billion in 2022 to $4.57 billion in 2023-a 38% increase Business email compromise (BEC) cases were a top concern, with 21,489 complaints and adjusted losses exceeding $2.9 billion-up 7.4% from 2022 The allure of cryptocurrency played a pivotal role in both investment fraud and BEC incidents Tech support scams were the third-costliest cybercrime category among the crime types that the IC3 tracks In this post, we will examine these trends in more detail. And we will explain how Proofpoint can help businesses improve their defenses and meet these threats head-on. Complaints and losses from cybercrime reported over the last five years. (Source: FBI\'s IC3 2023 Internet Crime Report.) The rise of investment fraud Investment scams have become the most reported and costliest type of crime that the IC3 tracks. In these scams, bad actors lure victims with promises of big returns on investments. Attackers have been targeting cryptocurrency investors, in particular. The rise of this fraud highlights why due diligence and user self-awareness is so important. Users need to think twice and use caution when they are approached with investment opportunities, especially those that relate to cryptocurrencies. Investment fraud losses reported over the last five years. (Source: FBI\'s IC3 2023 Internet Crime Report.) An escalation in BEC threats BEC is the second-most prevalent cyberthreat highlighted in the latest Internet Crime Report. The actors behind these scams aim to deceive users and businesses into making unauthorized fund transfers or divulging corporate information. These attacks involve sophisticated tactics like: The compromise of legitimate business email accounts Social engineering attacks Impersonation scams As more people use cryptocurrency exchanges and rely on third-party payment processors, it\'s increasingly important to stop BEC threats before they reach users. There is also a pressing need for automated remediation and heightened user vigilance to protect against these threats. Vulnerable populations at risk for impersonation scams The FBI\'s IC3 reports that impersonation scams led to over $1.3 billion in losses last year. To carry out these scams, bad actors use deceptive tactics, like directing victims to send cash through shipping companies or online wire services. Adults over the age of 60 accounted for half of tech support scams last year. This amounted to $3.6 billion in losses. Individuals 30-39 years old were most likely to report these incidents to the FBI\'s IC3. The prevalence of impersonation scams underscores the need to raise awareness among the vulnerable populations that are targeted by attackers. Understanding this risk will help them to be more wary and avoid becoming victims. Ransomware attacks Ransomware attacks encrypt data and cause service disruptions and financial losses. They are also a persistent threat. The FBI\'s IC3 received over 2,800 complaints about this attack type last year. Reported losses from these incidents exceeded $59.6 million-an 18% increase from 2022. To understand just how costly these attacks can be, consider the plight of MGM Resorts. In September 2023, a targeted ransomware attack cost the entertainment giant over $100 million. MGM Resorts\' filing with the Securities and Exchange Commission notes that i | Ransomware Threat Medical | ★★ | |
|
2024-03-14 06:00:19 | Comment nous avons déployé Github Copilot pour augmenter la productivité des développeurs How We Rolled Out GitHub Copilot to Increase Developer Productivity (lien direct) |
Engineering Insights is an ongoing blog series that gives a behind-the-scenes look into the technical challenges, lessons and advances that help our customers protect people and defend data every day. Each post is a firsthand account by one of our engineers about the process that led up to a Proofpoint innovation. Inspired by the rapid rise of generative artificial intelligence (GenAI), we recently kicked off several internal initiatives at Proofpoint that focused on using it within our products. One of our leadership team\'s goals was to find a tool to help increase developer productivity and satisfaction. The timing was perfect to explore options, as the market had become flush with AI-assisted coding tools. Our project was to analyze the available tools on the market in-depth. We wanted to choose an AI assistant that would provide the best productivity results while also conforming to data governance policies. We set an aggressive timeline to analyze the tools, collaborate with key stakeholders from legal, procurement, finance and the business side, and then deploy the tool across our teams. In the end, we selected GitHub Copilot, a code completion tool developed by GitHub and OpenAI, as our AI coding assistant. In this post, we walk through how we arrived at this decision. We also share the qualitative and quantitative results that we\'ve seen since we\'ve introduced it. Our analysis: approach and criteria When you want to buy a race car-or any car for that matter-it is unlikely that you\'ll look at just one car before making a final decision. As engineers, we are wired to conduct analyses that dive deeply into all the possible best options as well as list all the pros and cons of each. And that\'s what we did here, which led us to a final four list that included GitHub Copilot. These are the criteria that we considered: Languages supported IDEs supported Code ownership Stability AI models used Protection for intellectual property (IP) Licensing terms Security Service-level agreements Chat interface Innovation Special powers Pricing Data governance Support for a broad set of code repositories We took each of the four products on our shortlist for a test drive using a specific set of standard use cases. These use cases were solicited from several engineering teams. They covered a wide range of tasks that we anticipated would be exercised with an AI assistant. For example, we needed the tool to assist not just developers, but also document writers and automation engineers. We had multiple conversations and in-depth demos from the vendors. And when possible, we did customer reference checks as well. Execution: a global rollout Once we selected a vendor, we rolled out the tool to all Proofpoint developers across the globe. We use different code repos, programming languages and IDEs-so, we\'re talking about a lot of permutations and combinations. Our initial rollout covered approximately 50% of our team from various business units and roles for about 30 days. We offered training sessions internally to share best practices and address challenges. We also built an internal community of experts to answer questions. Many issues that came up were ironed out during this pilot phase so that when we went live, it was a smooth process. We only had a few issues. All stakeholders were aware of the progress, from our operations/IT team to our procurement and finance teams. Our journey from start to finish was about 100 days. This might seem like a long time, but we wanted to be sure of our choice. After all, it is difficult to hit “rewind” on an important initiative of this magnitude. Monitoring and measuring results We have been using GitHub Copilot for more than 150 days and during that period we\'ve been collecting telemetry data from the tool and correlating it with several productivity and quality metrics. Our results have been impressive. When it comes to quantitative results, we have seen a general increase in | Tool Cloud Technical | ★★★ | |
|
2024-03-12 07:03:40 | Si vous utilisez l'archivage de Veritas, quelle est votre prochaine étape? If You\\'re Using Veritas Archiving, What\\'s Your Next Step? (lien direct) |
By now, much of the industry has seen the big news about Cohesity acquiring the enterprise data protection business of Veritas Technologies. The transaction will see the company\'s NetBackup technology-software, appliances and cloud (Alta Data Protection)-integrated into the Cohesity ecosystem. But what about other Veritas products? As stated in the Cohesity and Veritas press releases, the “remaining assets of Veritas\' businesses will form a separate company, \'DataCo.\' \'DataCo\' will comprise Veritas\' InfoScale, Data Compliance, and Backup Exec businesses.” Data Compliance includes Veritas Enterprise Vault (EV), which might raise concerns for EV customers. As a new, standalone entity, \'DataCo\' has no innovation track record. In this blog, I provide my opinion on the questionable future of Veritas archiving products, why EV customers should start looking at alternative archiving tools, and why you should trust Proofpoint as your next enterprise archiving solution. EV architecture isn\'t future-proof EV gained a following because it came onto the market just when it was needed. With its big, robust on-premises architecture, EV was ideal to solve the challenges of bloated file and email servers. Companies had on-premises file and email servers that were getting bogged down with too much data. They needed a tool to offload legacy data to keep working and so they could be backed up in a reasonable amount of time. However, with key applications having moved to the cloud over the last decade-plus, storage optimization is no longer a primary use case for archiving customers. While EV has adapted to e-discovery and compliance use cases, its underlying on-premises architecture has struggled to keep up. EV customers still have headaches with infrastructure (hardware and software) planning, budgeting and maintenance, and archive administration. What\'s more, upgrades often require assistance from professional services and support costs are rising. And the list goes on. Today, most cloud-native archives remove virtually all of these headaches. And just like you moved on from DVDs and Blu-ray discs to streaming video, it\'s time to migrate from legacy on-premises archiving architectures, like EV, to cloud-native solutions. Future investments are uncertain When you look back over EV\'s last 5-6 years, you might question what significant innovations Veritas has delivered for EV. Yes, Veritas finally released supervision in the cloud. But that was a direct response to the EOL of AdvisorMail for EV.cloud many years ago. Yes, Veritas added dozens of new data sources for EV. But that was achieved through the acquisition of Globanet-and their product Merge1-in 2020. (They still list Merge1 as an independent product on their website.) Yes, they highlight how EV can store to “Azure, AWS, Google Cloud Storage, and other public cloud repositories” via storage tiering. But that just means that EV extends the physical storage layer of a legacy on-prem archiving architecture to the cloud-it doesn\'t mean it runs a cloud-native archiving solution. Yes, Veritas has cloud-based Alta Archiving. But that\'s just a rebranding and repackaging of EV.cloud, which they retired more than two years ago. Plus, Alta Archiving and Enterprise Vault are separate products. With the Cohesity data protection acquisition, EV customers have a right to question future investments in their product. Will EV revenue alone be able to sustain meaningful, future innovation in the absence of the NetBackup revenue “cash cow”? Will you cling to hope, only to be issued an EOL notice like Dell EMC SourceOne customers? Now is the time to migrate from EV to a modern cloud-native archiving solution. How Proofpoint can help Here\'s why you should trust Proofpoint for your enterprise archiving. Commitment to product innovation and support Year after year, Proofpoint continues to invest a double-digit percentage of revenue into all of our businesses, including Proofpoint Int | Tool Studies Cloud Technical | ★★ | |
|
2024-03-11 06:00:16 | How Proofpoint aide les agences gouvernementales fédérales à se défendre contre les cybercriminels et les menaces d'initiés How Proofpoint Helps Federal Government Agencies Defend Against Cybercriminals and Insider Threats (lien direct) |
Protecting people and defending data are ongoing priorities for federal agencies whose missions are constantly under attack. These entities struggle to keep pace with an array of potent threats, like insiders who steal secrets about missile technology and threat actors who use living off the land techniques (LOTL). Proofpoint can provide agencies with a critical edge in their efforts to defend data from risky users and detect real-time identity threats. Products to help with these challenges include: Proofpoint Insider Threat Management Proofpoint Identity Threat Defense This blog takes a closer look at these products and how they help our federal customers. Understand the context behind user behavior with Proofpoint ITM Across all levels of government, data loss is costly-these incidents have cost agencies $26 billion over the past eight years. A critical first step toward preventing data loss and risky behavior is to understand that data does not lose itself. People lose it. Employees, third parties and contractors have access to more data than ever-on their laptops, in email and the cloud. But you can\'t reduce the risk of insider threats without first understanding the context behind user behavior. Context also helps you to choose the best response when an insider-led incident occurs, whether it\'s due to a malicious, compromised or careless user. Proofpoint ITM can help you gain that vital context. It also helps you to move swiftly to address insider threats. Here\'s how: Get a clear picture of threats. You can gain complete context into users and their data activity on endpoints, and web and cloud applications. User attribution is easy thanks to a clear, visual timeline and flexible, real-time screenshots. Identify risks proactively. Proofpoint includes preconfigured indicators of risk that can help you catch user activities in real time, like data exfiltration, privilege abuse, unauthorized access and security controls bypass. The out-of-the-box Insider Threat Library was built using feedback from our customers as well as guidelines from NIST, MITRE and the CERT Division of the Software Engineering Institute at Carnegie Mellon. Investigate faster. You can investigate incidents with more efficiency when you can see user intent. With Proofpoint ITM, you can gather, package and export the evidence (who, what, where, when and user intent) and share it easily with groups outside of security such as HR, legal and privacy. This saves time and reduces the cost of investigations. Get better time to value. Proofpoint ITM has a single, lightweight user-mode agent that is easy to install and invisible to your users. With a converged DLP and ITM solution, you can monitor everyday and risky users. Gain efficiencies and manage risks Here are more ways that Proofpoint ITM helps federal agencies: Manage alert rules efficiently. Alert rules are grouped by categories and assigned to user lists, which streamlines management. Comply with privacy laws. Agencies can protect privacy by anonymizing users in the dashboard, which helps eliminate bias in investigations. Manage risks at a department level. Large agencies can manage employee risks based on their department or group by using Active Directory group-based permissions. Each group has a dedicated security team member or manager. Meet zero trust and CMMC needs Agencies can use ITM to meet their zero trust and Cybersecurity Maturity Model Certification (CMMC) needs as well. Proofpoint ITM capabilities support several pillars of Zero Trust and more than seven domains of CMMC. For Zero Trust, Proofpoint ITM helps agencies align to these pillars: Department of Defense: Data and Visibility and Analytics Pillar Cybersecurity and Infrastructure Security Agency: Data and Devices Pillars Proofpoint Information Protection products help our customers with these CMMC domains: Access Controls Asset Management Audit and Accountability Configuration Management Incident Response Media Protect | Ransomware Vulnerability Threat Cloud | ★★★ | |
|
2024-03-07 07:11:54 | Arrêt de cybersécurité du mois: détection d'une attaque de code QR malveillante multicouche Cybersecurity Stop of the Month: Detecting a Multilayered Malicious QR Code Attack (lien direct) |
This blog post is part of a monthly series, Cybersecurity Stop of the Month, which explores the ever-evolving tactics of today\'s cybercriminals. It focuses on the critical first three steps in the attack chain in the context of email threats. The goal of this series is to help you understand how to fortify your defenses to protect people and defend data against emerging threats in today\'s dynamic threat landscape. The critical first three steps of the attack chain: reconnaissance, initial compromise and persistence. So far in this series, we have examined these types of attacks: Business email compromise (BEC) EvilProxy SocGholish eSignature phishing QR code phishing Telephone-oriented attack delivery (TOAD) Payroll diversion MFA manipulation Supply chain compromise In this post, we delve into a new and sophisticated QR code attack that we recently detected and stopped. It shows how attackers constantly innovate-and how Proofpoint stays ahead of the curve. The scenario Typically, in a QR code attack a malicious QR code is directly embedded in an email. But recently, attackers have come up with a new and sophisticated variation. In these multilayered attacks, the malicious QR code is hidden in what seems like a harmless PDF attachment. To slow down automated detection and confuse traditional email security tools, attackers use anti-evasion tactics like adding a Cloudflare CAPTCHA. This means that tools using traditional URL reputation detection face an uphill battle in trying to identify them. Proofpoint recently found one of these threats as it conducted a threat assessment at a U.S.-based automotive company with 11,000 employees. The company\'s incumbent security tools-an API-based email security tool and its native security-both boasted QR scanning capabilities. Yet both classified the email as clean and delivered it to the end user. The threat: How did the attack happen? Here\'s a closer look at how the attack unfolded. 1. A deceptive lure. The email was designed to appear legitimate, and it played on the urgency of tax season. This prompted the recipient to open an attached PDF. The initial email to the end user. 2. Malicious QR code embedded in the PDF. Unlike previous QR code attacks, the malicious URL in this attack was not directly visible in the email. Instead, it was hidden in the attached PDF. Given the ubiquity of QR codes, this might not have seemed suspicious to the recipient. The attached PDF with the embedded QR code (obscured). 3. Cloudflare CAPTCHA hurdle. The attacker added another layer of deception. They used a Cloudflare CAPTCHA on the landing page from the QR code URL to further hide the underlying threat. This step aimed to bypass security detection tools that rely solely on analyzing a URL\'s reputation. Cloudflare CAPTCHA on the QR code URL landing page. 4. Credential phishing endgame. Once the CAPTCHA was solved, the malicious QR code led to a phishing landing page set up to steal user credentials. The theft of user credentials can give a malicious actor access to a user\'s account to spread attacks internally for lateral movement. Or they might use them externally to deceive partners or suppliers as with supplier email compromise attacks. Detection: How did Proofpoint prevent this attack? The use of optical character recognition (OCR) or other QR code scanning techniques plays a vital role in defending against QR code threats. But QR code scanning is only the mechanism used to extract the hidden URL. It does not act as a detection mechanism to decipher between legitimate or malicious QR codes. Many tools, including the incumbent email security tools used by the automotive company, claim to parse QR codes and extract the URL for analysis. However, they lack the ability to scan URLs within an embedded image in an attachment. Few tools have engineered the ability to use in-depth URL analysis on a scale like Proofpoint. Proofpo | Tool Threat | ★★★ | |
|
2024-03-06 13:55:16 | TA4903: acteur usurpation du gouvernement américain, petites entreprises en phishing, BEC BIDS TA4903: Actor Spoofs U.S. Government, Small Businesses in Phishing, BEC Bids (lien direct) |
Key takeaways TA4903 is a unique threat actor that demonstrates at least two distinct objectives: (1) credential phishing and (2) business email compromise (BEC). TA4903 routinely conducts campaigns spoofing various U.S. government entities to steal corporate credentials. The actor also spoofs organizations in various sectors including construction, finance, healthcare, food and beverage, and others. The campaign volumes range from hundreds of messages to tens of thousands of messages per campaign. The messages typically target entities in the U.S., although additional global targeting has been observed. TA4903 has been observed using the EvilProxy MFA bypass tool. In late 2023, TA4903 began adopting QR codes in credential phishing campaigns. Overview TA4903 is a financially motivated cybercriminal threat actor that spoofs both U.S. government entities and private businesses across many industries. The actor mostly targets organizations located in the United States, but occasionally those located globally, with high-volume email campaigns. Proofpoint assesses with high confidence the objectives of the campaigns are to steal corporate credentials, infiltrate mailboxes, and conduct follow-on business email compromise (BEC) activity. Proofpoint began observing a series of campaigns spoofing federal U.S. government entities in December 2021. The campaigns, which were subsequently attributed to TA4903, first masqueraded as the U.S. Department of Labor. In 2022 campaigns, the threat actors purported to be the U.S. Departments of Housing and Urban Development, Transportation, and Commerce. During 2023, the actor began to spoof the U.S. Department of Agriculture. In mid-2023 through 2024, Proofpoint observed an increase in credential phishing and fraud campaigns using different themes from TA4903. The actor began spoofing various small and medium-sized businesses (SMBs) across various industries including construction, manufacturing, energy, finance, food and beverage, and others. Proofpoint observed an increase in the tempo of BEC themes as well, including using themes such as “cyberattacks” to prompt victims to provide payment and banking details. Most credential phishing messages associated with this actor contain URLs or attachments leading to credential phishing websites. In some cases, including the government-themed campaigns, messages contain PDF attachments that contain embedded links or QR codes leading to websites that appear to be direct clones of the spoofed government agency. Based on Proofpoint\'s research and tactics, techniques, and procedures (TTPs) observed in open-source intelligence, activity related to TA4903\'s impersonation of U.S. government entities goes back to at least mid-2021. TTPs associated with the actor\'s broader credential phishing and BEC activities are observable as long ago as 2019. Campaign details Government bid spoofing Historically, Proofpoint mostly observed TA4903 conducting credential theft campaigns using PDF attachments leading to portals spoofing U.S. government entities, typically using bid proposal lures. In late 2023, TA4903 began spoofing the USDA and began incorporating QR codes into their PDFs, a technique previously unobserved by this actor. Messages may purport to be, for example: From: U.S. Department of Agriculture Subject: Invitation To Bid Attachment: usda2784748973bid.pdf Example of one page of a multi-page PDF spoofing the USDA. The “Bid Now” button is hyperlinked to the same URL as the QR code. In these campaigns, the PDF attachments are typically multiple pages long and have both embedded URLs and QR codes that lead to government-branded phishing websites. Example credential phishing website operated by TA4903, designed to capture O365 and other email account credentials. In 2023, Proofpoint observed TA4903 spoof the U.S. Department of Transportation, the U.S. Small Business Administration (SBA), and the USDA us | Tool Threat Medical | ★★★ | |
|
2024-03-04 06:00:36 | La chaîne d'attaque inhabituelle de TA577 \\ mène au vol de données NTLM TA577\\'s Unusual Attack Chain Leads to NTLM Data Theft (lien direct) |
Ce qui s'est passé Proofpoint a identifié l'acteur de menace cybercriminale notable TA577 en utilisant une nouvelle chaîne d'attaque pour démontrer un objectif inhabituellement observé: voler des informations d'authentification NT LAN Manager (NTLM).Cette activité peut être utilisée à des fins de collecte d'informations sensibles et pour permettre l'activité de suivi. Proofpoint a identifié au moins deux campagnes en tirant parti de la même technique pour voler des hachages NTLM les 26 et 27 février 2024. Les campagnes comprenaient des dizaines de milliers de messages ciblant des centaines d'organisations dans le monde.Les messages sont apparus sous forme de réponses aux e-mails précédents, appelés détournement de fil, et contenaient des pièces jointes HTML zippées. Exemple de message utilisant le détournement de thread contenant une pièce jointe zippée contenant un fichier HTML. Chaque pièce jointe .zip a un hachage de fichiers unique, et les HTML dans les fichiers compressés sont personnalisés pour être spécifiques pour chaque destinataire.Lorsqu'il est ouvert, le fichier HTML a déclenché une tentative de connexion système à un serveur de blocs de messages (SMB) via un actualisation Meta à un schéma de fichier URI se terminant par .txt.Autrement dit, le fichier contacterait automatiquement une ressource SMB externe appartenant à l'acteur de menace.ProofPoint n'a pas observé la livraison de logiciels malveillants de ces URL, mais les chercheurs évaluent à la grande confiance que l'objectif de Ta577 \\ est de capturer les paires de défi / réponse NTLMV2 du serveur SMB pour voler des hachages NTLM en fonction des caractéristiques de la chaîne d'attaque et des outils utilisés. Exemple HTML contenant l'URL (en commençant par «File: //») pointant vers la ressource SMB. Ces hachages pourraient être exploités pour la fissuration du mot de passe ou faciliter les attaques "pass-the-hash" en utilisant d'autres vulnérabilités au sein de l'organisation ciblée pour se déplacer latéralement dans un environnement touché.Les indications à l'appui de cette théorie comprennent des artefacts sur les serveurs SMB pointant vers l'utilisation de l'impaquette de boîte à outils open source pour l'attaque.L'utilisation d'Impacket sur le serveur SMB peut être identifiée par le défi du serveur NTLM par défaut "aaaaaaaaaaaaaaaaa" et le GUID par défaut observé dans le trafic.Ces pratiques sont rares dans les serveurs SMB standard. Capture de paquets observée (PCAP) de la campagne TA577. Toute tentative de connexion autorisée à ces serveurs SMB pourrait potentiellement compromettre les hachages NTLM, ainsi que la révélation d'autres informations sensibles telles que les noms d'ordinateurs, les noms de domaine et les noms d'utilisateur dans un texte clair. Il est à noter que TA577 a livré le HTML malveillant dans une archive zip pour générer un fichier local sur l'hôte.Si le schéma de fichiers URI était envoyé directement dans l'organisme de messagerie, l'attaque ne fonctionnerait pas sur les clients d'Outlook Mail patchés depuis juillet 2023. La désactivation de l'accès des clients à SMB n'atteint pas l'attaque, car le fichier doit tenter de s'authentifier auprès du serveur externe SMB ServerPour déterminer s'il doit utiliser l'accès des clients. Attribution TA577 est un acteur de menace de cybercriminalité éminent et l'un des principaux affiliés de QBOT avant la perturbation du botnet.Il est considéré comme un courtier d'accès initial (IAB) et Proofpoint a associé des campagnes TA577 avec des infections de ransomware de suivi, notamment Black Basta.Récemment, l'acteur favorise Pikabot comme charge utile initiale. Pourquoi est-ce important Proof Point observe généralement TA577 menant des attaques pour livrer des logiciels malveillants et n'a jamais observé cet acteur de menace démontrant la chaîne d'attaque utilisée pour voler des informations d'identification NTLM observées le 26 février.Récemment, TA577 a été observé pour fou | Ransomware Malware Tool Vulnerability Threat | ★★ | |
|
2024-02-29 06:00:13 | Briser la chaîne d'attaque: des mouvements décisifs Break the Attack Chain: Decisive Moves (lien direct) |
In our “Break the Attack Chain” blog series, we have looked at how threat actors compromise our defenses and move laterally within our networks to escalate privileges and prepare for their endgame. Now, we come to the final stage of the attack chain where it\'s necessary to broaden our outlook a little. While most external threat actors will follow the same playbook, they aren\'t our only adversaries. The modern reality is that data often just walks out of the door because our employees take it with them. More than 40% of employees admit to taking data when they leave. At the same time, careless employees who make security mistakes are responsible for more than half of insider-led data loss incidents. So, while it\'s important to detect and deter cybercriminals who want to exfiltrate our data, we must also watch out for our users. Whether they are malicious or careless, our users are just as capable of exposing sensitive data. In this third and final installment, we discuss how companies tend to lose data-and how we can better protect it from all manner of risks. Understanding data loss As with every stage in the attack chain, we must first understand threats before we can put protections in place. Let\'s start with the case of a cybercriminal following the typical attack chain. While this may not sound like a traditional insider attack, it\'s often aided by careless or reckless employees. Users expose data and open themselves and your business up to compromise in a multitude of ways, like using weak passwords, reusing credentials, forgoing security best practices and clicking on malicious links or attachments. Any of these risky moves give cybercriminals a way into your networks where they can embark on lateral movement and escalation. Incidents like these are so common that careless or compromised users cause over 80% of insider-led data loss. Malicious insiders make up the remainder. Insider threats could be a disgruntled employee looking to cause disruption, a user compromised by cybercriminals, or, increasingly, an employee who will soon leave your organization. In most cases, data exfiltration follows a three-stage pattern: Access. Users, whether malicious or compromised, will attempt to take as much information as possible. This could mean excessive downloading or copying from corporate drives or exporting data from web interfaces or client apps. Obfuscation. Both cybercriminals and malicious insiders will be aware of the kinds of activity likely to trigger alarms and will take steps to avoid them. Changing file names and extensions, deleting logs and browsing history, and encrypting files are typical strategies. Exfiltration. With targets acquired and tracks covered, data exfiltration is then carried out by copying files to a personal cloud or removable storage device and sharing files with personal or burner email accounts. Defending from the inside out As we explained in our webinar series, while the initial stage of the attack chain focuses on keeping malicious actors outside our organization, the final two stages are far more concerned with what\'s happening inside it. Therefore, any effective defense must work from the inside out. It must detect and deter suspicious activity before data can slip past internal protections and be exposed to the outside world. Of course, data can do many things-but it cannot leave an organization on its own. Whether compromised, careless or malicious, a human is integral to any data loss incident. That\'s why traditional data loss prevention (DLP) tools are not as effective as they used to be. By focusing on the content of an incident, they only address a third of the problem. Instead, a comprehensive defense against data loss must merge content classification with threat telemetry and user behavior. Proofpoint Information Protection is the only solution that uses all three across channels in a unified, cloud-native interface. With this information, security teams can identify who is accessing and moving data-when, where and why. And | Tool Threat Cloud | ★★★ | |
|
2024-02-28 06:00:52 | Briser la chaîne d'attaque: développer la position pour détecter les attaques de mouvement latérales Break the Attack Chain: Developing the Position to Detect Lateral Movement Attacks (lien direct) |
In this three-part “Break the Attack Chain” blog series, we look at how threat actors compromise our defenses and move laterally within our networks to escalate privileges and prepare for their final endgame. If one phrase could sum up the current state of the threat landscape, it is this: Threat actors don\'t break in. They log in. Rather than spend time trying to circumnavigate or brute force their way through our defenses, today\'s cybercriminals set their sights firmly on our users. Or to be more accurate, their highly prized credentials and identities. This remains true at almost every stage of the attack chain. Identities are not just an incredibly efficient way into our organizations, they also stand in the way of the most valuable and sensitive data. As a result, the cat-and-mouse game of cybersecurity is becoming increasingly like chess, with the traditional smash-and-grab approach making way for a more methodical M.O. Cybercriminals are now adept at moving laterally through our networks, compromising additional users to escalate privileges and lay the necessary groundwork for the endgame. While this more tactical gambit has the potential to do significant damage, it also gives security teams many more opportunities to spot and thwart attacks. If we understand the threat actor\'s playbook from the initial compromise to impact, we can follow suit and place protections along the length of the attack chain. Understanding the opening repertoire To continue our chess analogy, the more we understand our adversary\'s opening repertoire, the better equipped we are to counter it. When it comes to lateral movement, we can be sure that the vast majority of threat actors will follow the line of least resistance. Why attempt to break through defenses and risk detection when it is much easier to search for credentials that are stored on the compromised endpoint? This could be a search for password.txt files, stored Remote Desktop Protocol (RDP) credentials, and anything of value that could be sitting in the recycle bin. If it sounds scarily simple, that\'s because it is. This approach does not require admin privileges. It is unlikely to trigger any alarms. And unfortunately, it\'s successful time and time again. Proofpoint has found through our research that one in six endpoints contain an exploitable identity risk that allows threat actors to escalate privileges and move laterally using this data. (Learn more in our Analyzing Identity Risks report.) When it comes to large-scale attacks, DCSync is also now the norm. Nation-states and many hacking groups use it. It is so ubiquitous that if it were a zero-day, security leaders would be crying out for a patch. However, as there is general acceptance that Active Directory is so difficult to secure, there is also an acceptance that vulnerabilities like this will continue to exist. In simple terms, a DCSync attack allows a threat actor to simulate the behavior of a domain controller and retrieve password data on privileged users from Active Directory. And, once again, it is incredibly easy to execute. With a simple PowerShell command, threat actors can find users with the permissions they require. Add an off-the-shelf tool like Mimikatz into the mix, and within seconds, they can access every hash and every Active Directory privilege on the network. Mastering our defense With threat actors inside our organizations, it is too late for traditional perimeter protections. Instead, we must take steps to limit attackers\' access to further privileges and encourage them to reveal their movements. This starts with an assessment of our environment. Proofpoint Identity Threat Defense offers complete transparency, allowing security teams to see where they are most vulnerable. With this information, we can shrink the potential attack surface by increasing protections around privileged users and cleaning up endpoints to make it harder for cybercriminals to access valuable identities. With Proofpoin | Tool Vulnerability Threat | ★★★ | |
|
2024-02-27 05:00:31 | Risque et ils le savent: 96% des utilisateurs de prise de risque sont conscients des dangers mais le font quand même, 2024 State of the Phish révèle Risky and They Know It: 96% of Risk-Taking Users Aware of the Dangers but Do It Anyway, 2024 State of the Phish Reveals (lien direct) |
We often-and justifiably-associate cyberattacks with technical exploits and ingenious hacks. But the truth is that many breaches occur due to the vulnerabilities of human behavior. That\'s why Proofpoint has gathered new data and expanded the scope of our 2024 State of the Phish report. Traditionally, our annual report covers the threat landscape and the impact of security education. But this time, we\'ve added data on risky user behavior and their attitudes about security. We believe that combining this information will help you to: Advance your cybersecurity strategy Implement a behavior change program Motivate your users to prioritize security This year\'s report compiles data derived from Proofpoint products and research, as well as from additional sources that include: A commissioned survey of 7,500 working adults and 1,050 IT professionals across 15 countries 183 million simulated phishing attacks sent by Proofpoint customers More than 24 million suspicious emails reported by our customers\' end users To get full access to our global findings, you can download your copy of the 2024 State of the Phish report now. Also, be sure to register now for our 2024 State of the Phish webinar on March 5, 2024. Our experts will provide more insights into the key findings and answer your questions in a live session. Meanwhile, let\'s take a sneak peek at some of the data in our new reports. Global findings Here\'s a closer look at a few of the key findings in our tenth annual State of the Phish report. Survey of working adults In our survey of working adults, about 71%, said they engaged in actions that they knew were risky. Worse, 96% were aware of the potential dangers. About 58% of these users acted in ways that exposed them to common social engineering tactics. The motivations behind these risky actions varied. Many users cited convenience, the desire to save time, and a sense of urgency as their main reasons. This suggests that while users are aware of the risks, they choose convenience. The survey also revealed that nearly all participants (94%) said they\'d pay more attention to security if controls were simplified and more user-friendly. This sentiment reveals a clear demand for security tools that are not only effective but that don\'t get in users\' way. Survey of IT and information security professionals The good news is that last year phishing attacks were down. In 2023, 71% of organizations experienced at least one successful phishing attack compared to 84% in 2022. The bad news is that the consequences of successful attacks were more severe. There was a 144% increase in reports of financial penalties. And there was a 50% increase in reports of damage to their reputation. Another major challenge was ransomware. The survey revealed that 69% of organizations were infected by ransomware (vs. 64% in 2022). However, the rate of ransom payments declined to 54% (vs. 64% in 2022). To address these issues, 46% of surveyed security pros are increasing user training to help change risky behaviors. This is their top strategy for improving cybersecurity. Threat landscape and security awareness data Business email compromise (BEC) is on the rise. And it is now spreading among non-English-speaking countries. On average, Proofpoint detected and blocked 66 million BEC attacks per month. Other threats are also increasing. Proofpoint observed over 1 million multifactor authentication (MFA) bypass attacks using EvilProxy per month. What\'s concerning is that 89% of surveyed security pros think MFA is a “silver bullet” that can protect them against account takeover. When it comes to telephone-oriented attack delivery (TOAD), Proofpoint saw 10 million incidents per month, on average. The peak was in August 2023, which saw 13 million incidents. When looking at industry failure rates for simulated phishing campaigns, the finance industry saw the most improvement. Last year the failure rate was only 9% (vs. 16% in 2022). “Resil | Ransomware Tool Vulnerability Threat Studies Technical | ★★★★ | |
|
2024-02-26 05:03:36 | Les tenants et aboutissants de la confidentialité des données, partie 2: confidentialité par conception en protection de l'information The Ins and Outs of Data Privacy, Part 2: Privacy by Design in Information Protection (lien direct) |
This is the second blog in a two-part series about data privacy. In our previous post, we discussed how data privacy has become increasingly important. And we covered why data loss protection (DLP) and insider threat management (ITM) tools are critical to ensuring data privacy. The shift to “work from anywhere” and the increase in cloud adoption have caused a rise in data loss and insider threats. To defend data from careless, malicious and compromised insiders-and the harm that they cause-security teams must implement data security tools like data loss prevention (DLP) and insider threat management (ITM) platforms. These tools monitor and control how employees interact with data. At the same time, companies are collecting more and more data about employees themselves, like protected health information (PHI). The abundance of all this data-which is being collected and processed in the cloud-creates a critical challenge for security teams. They must protect employee privacy without impeding productivity. In this post, we\'ll explore the topic of privacy by design, which aims to strike a balance between these two challenges. We\'ll cover why it\'s so important. And we\'ll discuss how Proofpoint Information Protection can help you build a modern DLP program and comply with data privacy laws. Why privacy by design matters for DLP and ITM Privacy by design is a framework that embeds privacy into the design of IT systems, infrastructure and business processes. Privacy is not an afterthought. It is considered right from the start-in the initial design phase. What\'s more, it\'s a core component that integrates visibility, transparency and user-centricity into its design. In short, privacy by design ensures that everything is built with the user in mind. Privacy by design is important to DLP and ITM because it helps to: Protect employee rights. Personal data is sacred. Employees expect their personal data to be safe and their rights protected. When a company takes a proactive, transparent approach to data privacy, it helps maintain trust with employees. Comply with privacy laws. Data privacy laws protect people by requiring businesses to keep their data safe and avoid sharing it unethically with third parties. These laws often require companies to tell users exactly how their data is used and collected, and to notify them in the event of a data breach. Failure to comply can lead to hefty fines and penalties, which can damage a firm\'s finances and brand image. Prevent bias in investigations. When user data is kept secure and private, it ensures insider threat investigations maintain their integrity and objectivity. If a user is identified, it could influence a security analyst\'s response to an incident. User privacy helps take emotion and subjectivity out of the picture. Ensure data privacy with Proofpoint DLP and ITM Proofpoint Information Protection includes administration and access controls. These controls can help your business keep data private and meet compliance requirements. Data residency and storage Proofpoint uses regional data centers in the U.S., Europe, Australia and Japan to meet data privacy and data residency requirements. You can control exactly where your data is stored at all of these data centers. For example, you can group your endpoints and map each group to a regional data center. This ensures that data on all those endpoints are stored in that regional center. So, a U.S. realm can manage U.S. endpoint data, which is sent to the U.S. data center. Attribute-based access controls Attribute-based access controls give you a flexible and easy way to manage access to data. You can use these controls to ensure that security analysts have visibility into data on a need-to-know basis only. For instance, you can write granular policies and assign access so that a U.S.-based security analyst can only see U.S. data. They cannot see data in Europe or the Asia-Pacific region. And when an analyst needs to access a specific user\'s data for an | Data Breach Tool Threat Cloud | ★★ | |
|
2024-02-21 13:46:06 | Comprendre la loi UE AI: implications pour les agents de conformité des communications Understanding the EU AI Act: Implications for Communications Compliance Officers (lien direct) |
The European Union\'s Artificial Intelligence Act (EU AI Act) is set to reshape the landscape of AI regulation in Europe-with profound implications. The European Council and Parliament recently agreed on a deal to harmonize AI rules and will soon bring forward the final text. The parliament will then pass the EU AI Act into law. After that, the law is expected to become fully effective in 2026. The EU AI Act is part of the EU\'s digital strategy. When the act goes into effect, it will be the first legislation of its kind. And it is destined to become the “gold standard” for other countries in the same way that the EU\'s General Data Protection Regulation (GDPR) became the gold standard for privacy legislation. Compliance and IT executives will be responsible for the AI models that their firms develop and deploy. And they will need to be very clear about the risks these models present as well as the governance and the oversight that they will apply to these models when they are operated. In this blog post, we\'ll provide an overview of the EU AI Act and how it may impact your communications practices in the future. The scope and purpose of the EU AI Act The EU AI Act establishes a harmonized framework for the development, deployment and oversight of AI systems across the EU. Any AI that is in use in the EU falls under the scope of the act. The phrase “in use in the EU” does not limit the law to models that are physically executed within the EU. The model and the servers that it operates on could be located anywhere. What matters is where the human who interacts with the AI is located. The EU AI Act\'s primary goal is to ensure that AI used in the EU market is safe and respects the fundamental rights and values of the EU and its citizens. That includes privacy, transparency and ethical considerations. The legislation will use a “risk-based” approach to regulate AI, which considers a given AI system\'s ability to cause harm. The higher the risk, the stricter the legislation. For example, certain AI activities, such as profiling, are prohibited. The act also lays out governance expectations, particularly for high-risk or systemic-risk systems. As all machine learning (ML) is a subset of AI, any ML activity will need to be evaluated from a risk perspective as well. The EU AI Act also aims to foster AI investment and innovation in the EU by providing unified operational guidance across the EU. There are exemptions for: Research and innovation purposes Those using AI for non-professional reasons Systems whose purpose is linked to national security, military, defense and policing The EU AI Act places a strong emphasis on ethical AI development. Companies must consider the societal impacts of their AI systems, including potential discrimination and bias. And their compliance officers will need to satisfy regulators (and themselves) that the AI models have been produced and operate within the Act\'s guidelines. To achieve this, businesses will need to engage with their technology partners and understand the models those partners have produced. They will also need to confirm that they are satisfied with how those models are created and how they operate. What\'s more, compliance officers should collaborate with data scientists and developers to implement ethical guidelines in AI development projects within their company. Requirements of the EU AI Act The EU AI Act categorizes AI systems into four risk levels: Unacceptable risk High risk Limited risk Minimal risk Particular attention must be paid to AI systems that fall into the “high-risk” category. These systems are subject to the most stringent requirements and scrutiny. Some will need to be registered in the EU database for high-risk AI systems as well. Systems that fall into the “unacceptable risk” category will be prohibited. In the case of general AI and foundation models, the regulations focus on the transparency of models and the data used and avoiding the introduction of system | Vulnerability Threat Legislation | ★★ | |
|
2024-02-20 08:45:00 | Guardians of the Digital Realm: Comment vous protéger de l'ingénierie sociale Guardians of the Digital Realm: How to Protect Yourself from Social Engineering (lien direct) |
Social engineering has been around for as long as coveted information has existed. In the digital realm, threat actors use this psychological manipulation tactic to drive people to break normal security procedures. It is a con game that relies on human error rather than digital hacking. These are some common forms of social engineering in digital communications: Impersonation. In these attacks, bad actors pose as trusted entities. Pretexting. Bad actors use fake stories to bait their targets into revealing sensitive information. Baiting. Attackers use promises of rewards or benefits to lure in their targets. In social engineering attacks, bad actors exploit psychological principles like trust, the fear of missing out, authority and the desire to be helpful. When you and your users learn to recognize these triggers, you can build a strong defense. In this blog post, we\'ll cover three more steps you can take to protect yourself and your business. 1. Build a human firewall If you want your employees to be able to recognize social engineering attacks, you need to educate them. Training should cover various types of social engineering tactics. Some top examples include: Phishing Telephone-oriented attack delivery (TOAD) Pretexting Baiting Quid pro quo Tailgating It\'s a good idea to keep your employees informed of the latest attack trends. That is why continuous education has more of an impact than one-off training sessions. Regular updates can help you keep your workforce up to speed. You may want to support your training efforts with a comprehensive security awareness platform. It can provide content that\'s designed to increase user participation and help lessons stick, like gamification and microlearning. Quizzes, interactive modules and mock phishing scenarios can all help your users learn how to become better defenders, too. Actionable tips: Test your team with simulated phishing emails at least once a month Conduct security awareness training sessions at least once per quarter Build a yearlong campaign that also provides employees with other training information, like digital newsletters or packets that they can take home 2. Slow down and ask questions You might assume your security team has put technology in place to defend against social engineering. However, there is no silver bullet to stop these attacks. That\'s why you need to approach digital communications with a critical eye, especially when they include requests for sensitive information or prompts to take urgent actions. You want to complete your work quickly and be responsive to your leadership team, of course. But threat actors count on these types of triggers. Instead, do your best to: Slow down This is a crucial move in the fight against social engineering. It enables you to evaluate the situation with a critical eye and recognize potential red flags. When you slow down, you transform automatic, reflexive responses into thoughtful, deliberate actions. Practice skepticism When you stop to question whether an interaction is legitimate, you can spot inconsistencies. You can ask questions like: “Is this request from a person or entity I can trust?”, “Can I verify their identity?” and “Is this request truly urgent?” You might consult with colleagues or managers or refer to company policies. Or you might even do a quick internet search to validate claims. Actionable tips: Examine emails for unusual language or requests Double-check that email addresses and domain names are authentic Verify requests that come through alternative communication channels 3. Use a multilayered defense If you want to have an edge in combatting social engineering, you need to adopt a multilayered security approach. In other words, you need to combine the human element of user vigilance with advanced tools. A core part of this strategy is to deploy an advanced email security solution that can stop an initial attack. Ideally, it should use a combination of behaviora | Tool Threat Prediction | ★★★ | |
|
2024-02-16 06:00:45 | Les tenants et aboutissants de la confidentialité des données, partie 1: la complexité importante et croissante d'assurer la confidentialité des données The Ins and Outs of Data Privacy, Part 1: The Importance-and Growing Complexity-of Ensuring Data Privacy (lien direct) |
This blog is the first in a series where we explore data privacy. In these two blogs, we\'ll cover why data privacy is increasingly important as well as some tips for keeping data safe. We\'ll also discuss how data loss protection (DLP) and insider threat management tools (ITM) are critical to ensuring data privacy. Data Privacy Week in January 2024 highlighted the increasing importance and challenges of data privacy. Trends like digital transformation, remote work and the proliferation of cloud applications have made the task of protecting sensitive data harder than ever. As the volume and perceived value of data grows, so does the risk of data loss and theft, including by insiders. Despite these challenges, businesses can\'t afford missteps when it comes to keeping sensitive data safe. Companies everywhere are under pressure to meet strict data privacy laws that promote data security and data privacy. Noncompliance can be costly. Hefty fines and market loss are common. Research from our 2023 Voice of the CISO report underscores the risk. One-third of the CISOs who told us that their company suffered a material loss of sensitive data within the past 12 months also reported their business was hit with regulatory sanctions as a result. In this blog post, we take a closer look at data privacy and how it relates to data security. We also discuss how laws around data privacy are evolving. And we cover how data loss prevention (DLP) and insider threat management (ITM) tools can help you stay on top of your data compliance challenges. What is data privacy? Data privacy is about protecting sensitive data that belongs to individuals or entities. This includes personally identifiable information (PII), which can be used to identify an individual or a corporate customer. Examples of PII include names, addresses, Social Security or tax ID numbers, credit card data and dates of birth. A business that stores or manages this type of information must follow data privacy laws. These laws ensure that data is kept confidential and secure and that it is only used for authorized purposes. They are intended to help a business: Protect personal information Safeguard critical business data Preserve users\' autonomy Maintain trust with customers and employees Data privacy is also about trust. The misuse or theft of sensitive data can lead to email fraud, insurance fraud, identity theft and more. So, customers need to trust that the companies they share their private data with will guard it carefully. An evolving regulatory landscape Data privacy laws are designed to compel businesses to keep sensitive data safe. Data compliance mandates often require businesses to tell users exactly how their data is used and collected. They may also require companies to notify users when a data breach happens. As noted earlier, not following these laws can result in stiff penalties. Multiple data privacy laws around the globe govern regulations based on their type, the user\'s location and other criteria. Some examples include the: GDPR in the European Union CCPA in the U.S. HIPAA in the U.S. LGPD in Brazil Several state governments in the United States are stepping up efforts to enact data privacy laws. California, Colorado, Connecticut, Utah and Virginia enacted comprehensive consumer privacy laws before 2023. Those laws became enforceable last year. In 2023, these states enacted privacy laws: Delaware Florida Indiana Iowa Montana Oregon Tennessee Texas As data privacy laws emerge or evolve, the definition of sensitive data may change. For example, GDPR expanded the definition of PII to include data elements like email and IP addresses. That is why it is so important for companies to stay attuned to this ever-changing landscape. The rise of generative AI sites has also sparked new concerns about data privacy. New laws are likely to be developed soon. The Biden Administration\'s new executive order will also have an impact on data use in the year ahead. Why | Data Breach Malware Tool Threat Cloud | ★★ | |
|
2024-02-14 06:00:59 | Comment Proofpoint peut vous aider à répondre aux exigences de conformité CMMC 2.0 et 3.0 How Proofpoint Can Help You Meet CMMC 2.0 and 3.0 Compliance Requirements (lien direct) |
The Cybersecurity Maturity Model Certification (CMMC) program enforces the protection of sensitive unclassified information that the U.S. Department of Defense (DoD) shares with its contractors and subcontractors. You can learn more about the CMMC here. In this blog post, we provide an overview of how Proofpoint Security Awareness training can help you meet CMMC 2.0 and 3.0 compliance requirements. CMMC overviews for awareness and training (AT) In this section, we\'ll match compliance requirements with what\'s provided by Proofpoint Security Awareness. CMMC Level 2 AT.L2-3.2.1 – Role-Based Risk Awareness AT.L2-3.2.2 – Role-Based Training CMMC compliance requirement Ensure that managers, systems administrators, and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of those systems. Ensure that personnel are trained to carry out their assigned information security-related duties and responsibilities. How Proofpoint Security Awareness meets this need We offer targeted training that is based on: User ability (basic, beginner, intermediate and advanced) Role and function (21 options) Which users are most targeted by threats Which users click the most (the riskiest users) Proofpoint also offers training that is relevant for users in specific industries. An overview of the 21 different role-based training dropdowns. There are 13 industry training options offered by Proofpoint. AT.L2-3.2.3 – Insider Threat Awareness CMMC compliance requirement Provide security awareness training on recognizing and reporting potential indicators of insider threat. How Proofpoint Security Awareness meets this need Insider threats are a security concern for businesses across industries. That\'s why we offer more than 120 training modules on this critical topic. A selected view of the more than 120 insider threat modules. CMMC Level 3 AT.L3-3.2.1e – Advanced Threat Awareness CMMC compliance requirement Provide awareness training upon initial hire, following a significant cyber event, and at least annually, focused on recognizing and responding to threats from social engineering, advanced persistent threat actors, breaches, and suspicious behaviors; update the training at least annually or when there are significant changes to the threat. How Proofpoint Security Awareness meets this need Our Threat Alerts and phish simulations stem from our industry-leading threat intelligence program where Proofpoint protects 26% of the world\'s email. We use our data to provide our customers with updates weekly, if not more often, on the threat landscape. Our Threat Alerts and phish simulation campaigns cover the following topics and much more: Social engineering QR codes Voicemail lures Telephone-oriented attack delivery TOAD) threats Advanced Persistent Threats (APTs) E-crime actors Impostor threats Proofpoint Email Protection is updated hundreds of times daily as we see and block new threats. The Proofpoint Threat Intelligence team also works with the Proofpoint Security Awareness team to update the threat landscape weekly. Together, these teams ensure that cybersecurity training always reflects the latest threats. AT.L3-3.2.2e – Practical Training Exercises CMMC compliance requirement Include practical exercises in awareness training for all users, tailored by roles, to include general users, users with specialized roles, and privileged users, that are aligned with current threat scenarios and provide feedback to individuals involved in the training and their supervisors. How Proofpoint Security Awareness meets this need Your users can be trained based on their role, experience level, vertical, “targeted-ness,” risky clicking behavior in the wild, and other factors. We can provide feedback to them right after they pass or fail a phishing test. We can also supply | Threat | ★★ | |
|
2024-02-13 07:32:08 | Bumblebee bourdonne en noir Bumblebee Buzzes Back in Black (lien direct) |
What happened Proofpoint researchers identified the return of Bumblebee malware to the cybercriminal threat landscape on 8 February 2024 after a four-month absence from Proofpoint threat data. Bumblebee is a sophisticated downloader used by multiple cybercriminal threat actors and was a favored payload from its first appearance in March 2022 through October 2023 before disappearing. In the February campaign, Proofpoint observed several thousand emails targeting organizations in the United States with the subject "Voicemail February" from the sender "info@quarlesaa[.]com" that contained OneDrive URLs. The URLs led to a Word file with names such as "ReleaseEvans#96.docm" (the digits before the file extension varied). The Word document spoofed the consumer electronics company Humane. Screenshot of the voicemail-themed email lure. Screenshot of the malicious Word document. The document used macros to create a script in the Windows temporary directory, for example "%TEMP%/radD7A21.tmp", using the contents of CustomDocumentProperties SpecialProps, SpecialProps1, SpecialProps2 and SpecialProps3. The macro then executed the dropped file using "wscript". Inside the dropped temporary file was a PowerShell command that downloads and executes the next stage from a remote server, stored in file “update_ver”: The next stage was another PowerShell command which in turn downloaded and ran the Bumblebee DLL. The Bumblebee configuration included: Campaign ID: dcc3 RC4 Key: NEW_BLACK It is notable that the actor is using VBA macro-enabled documents in the attack chain, as most cybercriminal threat actors have nearly stopped using them, especially those delivering payloads that can act as initial access facilitators for follow-on ransomware activity. In 2022, Microsoft began blocking macros by default, causing a massive shift in the landscape to attack chains that began using more unusual filetypes, vulnerability exploitation, combining URLs and attachments, chaining scripting files, and much more. Another noteworthy feature of this campaign is that the attack chain is significantly different from previously observed Bumblebee campaigns. Examples used in prior campaigns that distributed Bumblebee with the “NEW_BLACK” configuration included: Emails that contained URLs leading to the download of a DLL which, if executed, started Bumblebee. Emails with HTML attachments that leveraged HTML smuggling to drop a RAR file. If executed, it exploited the WinRAR vulnerability CVE-2023-38831 to install Bumblebee. Emails with zipped, password-protected VBS attachments which, if executed, used PowerShell to download and execute Bumblebee. Emails that contained zipped LNK files to download an executable file. If executed, the .exe started Bumblebee. Out of the nearly 230 Bumblebee campaigns identified since March 2022, only five used any macro-laden content; four campaigns used XL4 macros, and one used VBA macros. Attribution At this time Proofpoint does not attribute the activity to a tracked threat actor. The voicemail lure theme, use of OneDrive URLs, and sender address appear to align with previous TA579 activities. Proofpoint will continue to investigate and may attribute this activity to a known threat actor in the future. Proofpoint assesses with high confidence Bumblebee loader can be used as an initial access facilitator to deliver follow-on payloads such as ransomware. Why it matters Bumblebee\'s return to the threat landscape aligns with a surge of cybercriminal threat activity after a notable absence of many threat actors and malware. Recently, two threat actors-tax-themed actor TA576 and the sophisticated TA866-appeared once again in email campaign data after months-long gaps in activity. Post-exploitation operator TA582 and aviation and aerospace targeting ecrime actor TA2541 both reappeared in the threat landscape in late January after being absent since the end of November. Additionally, DarkGate malware reappeared | Ransomware Malware Vulnerability Threat | ★★ | |
|
2024-02-12 08:02:39 | 4 étapes pour empêcher le compromis des e-mails des fournisseurs dans votre chaîne d'approvisionnement 4 Steps to Prevent Vendor Email Compromise in Your Supply Chain (lien direct) |
Supply chains have become a focal point for cyberattacks in a world where business ecosystems are increasingly connected. Email threats are a significant risk factor, as threat actors are keen to use compromised email accounts to their advantage. Every month, a staggering 80% of Proofpoint customers face attacks that originate from compromised vendor, third-party or supplier email accounts. Known as supplier account compromise, or vendor email compromise, these attacks involve threat actors infiltrating business communications between trusted partners so that they can launch internal and external attacks. Their ultimate goal might be to steal money, steal data, distribute malware or simply cause havoc. In this blog post, we\'ll explain how vendor emails are compromised and how you can stop these attacks. Finally, we\'ll tell you how Proofpoint can help. What\'s at stake Supply chain compromise attacks can be costly for businesses. IBM, in its latest Cost of a Data Breach Report, says that the average total cost of a cyberattack that involves supply chain compromise is $4.76 million. That is almost 12% higher than the cost of an incident that doesn\'t involve the supply chain. In addition to the financial implications, compromised accounts can lead to: Phishing scams that result in even more compromised accounts Reputational and brand damage Complex legal liabilities between business partners How does vendor email compromise occur? Supply chain compromise attacks are highly targeted. They can stretch out over several months. And typically, they are structured as a multistep process. The bad actor initiates the assault by gaining access to the email account of a vendor or supplier through various means. Phishing attacks are one example. Once the attacker gains access, they will lay low for an extended period to observe the vendor\'s email communications. During this time, the adversary will study the language and context of messages so that they can blend in well and avoid detection. Attackers might also use this observation period to establish persistence. They will create mail rules and infrastructure so that they can continue to receive and send messages even after the vendor has regained control of the account. Once they establish access and persistence, the attackers will begin to insert themselves into conversations within the supplier\'s company as well as with external partners and customers. By posing as the sender, the attacker takes advantage of established trust between parties to increase their chances of success. Overview of a vendor email compromise attack. Proofpoint has observed a growing trend of attackers targeting accounts within smaller businesses and using them to gain entry into larger companies. Threat actors often assume that small businesses have less protection than large companies. They see them as targets that can help them achieve a bigger payday. How to stop vendor email compromise If you want to defend against these attacks, it\'s critical to understand the methods behind them. Such a formidable problem requires a strategic and multilayered solution. The four broad steps below can help. Step 1: Know your suppliers Your first line of defense against these email attacks sounds simple, but it\'s challenging. It is the ability to intimately “know your supplier” and understand their security strategy. This requires more than a one-time vendor assessment. Your security teams will need to prioritize continuous monitoring of your company\'s business partnerships. On top of that knowledge, you need a thorough understanding of the access and privileges that your business grants to each vendor. Compromised accounts that have uncontrolled access may be able to exfiltrate sensitive data or upload malware like ransomware. So, when you know what your suppliers can (and can\'t) access, you can identify a data breach faster. Other steps, like requiring multifactor authentication (MFA) for vendor accounts, can | Ransomware Data Breach Malware Tool Threat Studies Prediction Cloud | ★★★ | |
|
2024-02-12 07:37:05 | Alerte communautaire: campagne malveillante en cours impactant les environnements cloud Azure Community Alert: Ongoing Malicious Campaign Impacting Azure Cloud Environments (lien direct) |
Over the past weeks, Proofpoint researchers have been monitoring an ongoing cloud account takeover campaign impacting dozens of Microsoft Azure environments and compromising hundreds of user accounts, including senior executives. This post serves as a community warning regarding the attack and offers suggestions that affected organizations can implement to protect themselves from it. What are we seeing? In late November 2023, Proofpoint researchers detected a new malicious campaign, integrating credential phishing and cloud account takeover (ATO) techniques. As part of this campaign, which is still active, threat actors target users with individualized phishing lures within shared documents. For example, some weaponized documents include embedded links to “View document” which, in turn, redirect users to a malicious phishing webpage upon clicking the URL. Threat actors seemingly direct their focus toward a wide range of individuals holding diverse titles across different organizations, impacting hundreds of users globally. The affected user base encompasses a wide spectrum of positions, with frequent targets including Sales Directors, Account Managers, and Finance Managers. Individuals holding executive positions such as “Vice President, Operations”, "Chief Financial Officer & Treasurer" and "President & CEO" were also among those targeted. The varied selection of targeted roles indicates a practical strategy by threat actors, aiming to compromise accounts with various levels of access to valuable resources and responsibilities across organizational functions. Following the attack\'s behavioral patterns and techniques, our threat analysts identified specific indicators of compromise (IOCs) associated with this campaign. Namely, the use of a specific Linux user-agent utilized by attackers during the access phase of the attack chain: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 Attackers predominantly utilize this user-agent to access the \'OfficeHome\' sign-in application along with unauthorized access to additional native Microsoft365 apps, such as: \'Office365 Shell WCSS-Client\' (indicative of browser access to Office365 applications) \'Office 365 Exchange Online\' (indicative of post-compromise mailbox abuse, data exfiltration and email threats proliferation) \'My Signins\' (used by attackers for MFA manipulation; for more info about this technique, see our recent Cybersecurity Stop of the Month blog) \'My Apps\' \'My Profile\' Post compromise risks Successful initial access often leads to a sequence of unauthorized post-compromise activities, including: MFA manipulation. Attackers register their own MFA methods to maintain persistent access. We have observed attackers choosing different authentication methods, including the registration of alternative phone numbers for authentication via SMS or phone call. However, in most MFA manipulation instances, attackers preferred to add an authenticator app with notification and code. Examples of MFA manipulation events, executed by attackers in a compromised cloud tenant. Data exfiltration. Attackers access and download sensitive files, including financial assets, internal security protocols, and user credentials. Internal and external phishing. Mailbox access is leveraged to conduct lateral movement within impacted organizations and to target specific user accounts with personalized phishing threats. Financial fraud. In an effort to perpetrate financial fraud, internal email messages are dispatched to target Human Resources and Financial departments within affected organizations. Mailbox rules. Attackers create dedicated obfuscation rules, intended to cover their tracks and erase all evidence of malicious activity from victims\' mailboxes. Examples of obfuscation mailbox rules created by attackers following successful account takeover. Operational infrastructure Our forensic analysis of the attack has surfaced several proxies, | Malware Tool Threat Cloud | ★★★ | |
|
2024-02-09 06:00:24 | Offensif et défensif: renforcer la sensibilisation à la sécurité avec deux approches d'apprentissage puissantes Offensive and Defensive: Build Security Awareness with Two Powerful Learning Approaches (lien direct) |
“Offensive” security awareness and “defensive” security awareness are two learning approaches that you can use to build a robust security culture in your company. They involve applying different strategies to educate your employees about threats and how they can respond to them safely. You may have heard the terms “offensive cybersecurity” and “defensive cybersecurity.” You use defensive tools and techniques to strengthen security vulnerabilities. And with offensive tools and techniques, you focus on identifying those vulnerabilities before attackers find them first. How do defensive and offensive approaches apply to security awareness? Here\'s a quick overview: With a defensive approach, users learn the fundamentals of security. With an offensive approach, users learn how to protect themselves and the business against future threats. Let\'s use a sports analogy here. You can actively learn to be a defensive goalie and block threats. Then, you can take your skills up a level and learn to score points with protective techniques. With Proofpoint Security Awareness, our industry-leading threat intelligence informs both approaches. We help people learn how to defend against current threats. And we give them the tools for taking offensive action against future threats. Live-action series about Insider Threats. (play video) Defensive security awareness: set the foundation We all have to start with the basics, right? With defensive security awareness, you teach people the fundamentals of security and set the stage for safe behavior. This training is often reactive. It enables people to respond to immediate threats and incidents as they arise. At Proofpoint, we believe in using behavioral science methodologies, like adaptive learning and contextual nudges. We combine this with a threat-driven approach, weaving trend analysis and insights about recent security breaches into our training. A personalized adaptive framework The adaptive learning framework is a personalized defensive approach to training. It recognizes that everyone learns differently; it is the opposite of a one-size-fits-all approach. You can teach security fundamentals in a way that is meaningful for each person based on what they know, what they might do and what they believe. This framework lets you drive behavior change with education that is tailored to each person\'s needs. That can include their professional role, industry, content style and native language. The learner can engage with a wide variety of styles and materials. And each training is tied to a specific learning objective. Adaptive learning recognizes that people learn best in short bursts that are spread over time. Our microlearning video modules are under three minutes, and our nano-learning videos are under one minute. These formats give people the flexibility to learn at their own pace. For instance, our “You\'re Now a Little Wiser” nano series offers bite-size training on topics such as data protection to help users learn about specific threats. Screenshots from a one-minute nano-learning video. Contextual nudges and positive reinforcement Training is essential if you want to build a robust security culture. But it is not enough to change behavior fully. Here is where contextual nudges play a vital role in helping to reinforce positive behavior habits once they are formed. These deliberate interventions are designed to shape how people behave. Nudges are rooted in a deep understanding of human behavior. They can move people toward making better decisions, often without them realizing it. They are gentle reminders that can guide people toward creating optimal outcomes. That, in turn, helps to foster a defensive security-conscious culture in your company. It is important to find the respectful balance of nudging people toward secure behaviors without being too intrusive or complex. For example, when a user fails a phishing simulation exercise, Proofpoint Security Awareness offers “Tea | Ransomware Malware Tool Vulnerability Threat Prediction | ★★★ | |
|
2024-02-07 05:00:39 | Arrêt de cybersécurité du mois: prévenir le compromis de la chaîne d'approvisionnement Cybersecurity Stop of the Month: Preventing Supply Chain Compromise (lien direct) |
This blog post is part of a monthly series, Cybersecurity Stop of the Month, which explores the ever-evolving tactics of today\'s cybercriminals. It focuses on the critical first three steps in the attack chain in the context of email threats. Its goal is to help you understand how to fortify your defenses to protect people and defend data against emerging threats in today\'s dynamic threat landscape. The critical first three steps of the attack chain: reconnaissance, initial compromise and persistence. So far in this series, we have examined these types of attacks: Business email compromise (BEC) and supply chain attacks EvilProxy SocGholish eSignature phishing QR code phishing Telephone-oriented attack delivery (TOAD) Payroll diversion MFA manipulation In this post, we look at supply chain compromise, which is a form of BEC. Supply chain compromise is not a new form of BEC, but we are seeing a rise in these attacks. The example in this blog post is one that Proofpoint recently detected. A law firm with 2,000 users was the intended target. In our discussion, we cover the typical attack sequence of a supply chain compromise to help you understand how it unfolds. And we explain how Proofpoint uses multiple signals to detect and prevent these threats for our customers. Background Supply chain attacks are growing in popularity and sophistication at a rapid pace. TechCrunch reports that the largest supply chain compromise in 2023 cost the impacted businesses more than $9.9 billion. That incident had a direct impact on more than 1,000 businesses and over 60 million people. In these attacks, a bad actor targets a company by compromising the security of its suppliers, vendors and other third parties within its supply chain. Instead of launching a direct attack on the target company\'s systems, networks or employees, an attacker infiltrates a trusted entity within the supply chain, thereby exploiting the entity\'s trust and access vis-a-vis the target. Attackers know that enterprises with mature supply chains tend to have stronger cybersecurity defenses, which makes them challenging targets. So, rather than trying to break into “Fort Knox” through the front door, they will target the ventilation system. Bad actors often use thread hijacking, also known as conversation hijacking, in these attacks. They target specific email accounts and compromise them so that they can spy on users\' conversations. When the time is right, they will insert themselves into a business email conversation based on the information they have gathered from the compromised email accounts or other sources. Sometimes, the attack will be bold enough to initiate new conversations. Thread hijacking attacks, like other BEC campaigns, don\'t often carry malicious payloads like attachments or URLs. Thread hijacking is also a targeted attack, so bad actors will often use a lookalike domain. (A lookalike domain is a website URL that closely resembles the address of a legitimate and well-known domain, often with slight variations in spelling, characters or domain extensions.) This potent combination-the lack of an active payload and the use of a lookalike domain-makes it difficult for simple, API-based email security solutions to detect and remediate these types of attacks. The scenario Proofpoint recently detected a threat actor account that was impersonating an accounts receivable employee at a small financial services company in Florida. Through this impersonation, the adversary launched a supply chain attack on their intended target-a large law firm in Boston. They sent an impersonating message to the law firm\'s controller asking them to halt a requested payment and change the payment information to another account. Unlike API-based email security solutions that only support post-delivery remediation, Proofpoint detected and blocked the impersonating messages before they reached the controller\'s inbox. As a result, the law fir | Tool Threat | ★★ | |
|
2024-02-07 05:00:33 | Protéger vos chemins, partie 2: Comprendre votre rayon de souffle d'identité Protecting Your Paths, Part 2: Understanding Your Identity Blast Radius (lien direct) |
Welcome to the second part of our blog series on using attack path management (APM) to secure your network. In our first post, we examined the importance of using APM to identify and remediate identity-centric attack paths before attackers exploit them. We also emphasized that the compromise of tier-zero assets -aka the “IT crown jewels”-is a top objective for attackers. Attack path management (APM) is a process by which you discover all the existing paths that an attacker can exploit to reach tier-zero assets within your environment. APM plays a pivotal role in helping security teams pinpoint vulnerable identities. It provides a holistic view of the available attack paths that an attacker could use to move laterally in the quest to reach your IT crown jewels. In this blog, we introduce a crucial APM concept known as the identity blast radius. We explore the use cases for this view. And we highlight how it is similar but distinct from the attack path view. What you can learn from identity blast radius analysis An identity blast radius represents the potential impact of an attacker who is moving laterally using a compromised identity. It presents how the compromise of one particular identity can help an attacker reach other identities or assets in the network. Discovering the identity blast radius before attackers do is essential to prevent a minor compromise from turning into a major security incident. To see how this works, it\'s helpful to visualize it. Below is an illustration of the vulnerabilities related to a user named Brian Rivera. It\'s just one example of how attackers can abuse Active Directory ACLs. Example view of an identity blast radius. In the blast radius view above the subject identity for Brian Riviera serves as the “tree root” of the view. Branching off the tree root are all the assets and privileges that that specific user can invoke. These include: Stored credentials. If an attacker compromises hosts where Brian\'s Remote Desktop Protocol (RDP) credentials are stored, they can use those credentials to move laterally to the indicated hosts. Active Directory ACL assignments. An attacker that compromises Brian\'s identity can use his GenericWrite permission in Active Directory to: Gain code execution with elevated privileges on a remote computer Delete files and data Introduce malicious files or code on the flagged targets Identity blast radius use cases The identity blast radius view supports powerful use cases that support attack path analysis, including: Post-compromise analysis. After an attacker gets control of an identity, the blast radius view can help you identify other identities and assets that are vulnerable to lateral movement or other malicious actions. What-if analysis. Your security teams can use the identity blast radius view to assess the potential impact of an attack on high-value targets like your chief financial officer or a senior IT administrator. With that insight, they can apply other compensating controls. Changes in access privileges. It can also help you identify the potential impact of changes in access privileges. These often occur when employees move between roles. You can use this insight to ensure that an employee\'s access is properly managed. This can prevent an excessive accumulation of privileges. Assets vs. identities: Differences between tier-zero asset views and identity blast radius views The figure below shows how the tier-zero asset view illustrates paths that ascend from different entities to the tier-zero asset root. In contrast, the identity blast radius view positions the subject identity as the tree root. Paths extend downward to various entities that are reachable through diverse relations like Active Directory ACL assignments or stored credentials. Comparison of the tier-zero assets view versus the identity blast radius view. These two views offer different perspectives. But both are powerful tools to help you visualize identity-related vulnerabilities. These i | Tool Vulnerability Threat | ★★★ | |
|
2024-02-06 05:00:20 | Comment les cybercriminels augmentent-ils le privilège et se déplacent-ils latéralement? How Do Cybercriminals Escalate Privilege and Move Laterally? (lien direct) |
If you want to understand how cybercriminals cause business-impacting security breaches, the attack chain is a great place to start. The eight steps of this chain generalize how a breach progresses from start to finish. The most impactful breaches typically follow this pattern: Steps in the attack chain. In this blog post, we will simplify the eight steps of an attack into three stages-the beginning, middle and end. Our focus here will primarily be on the middle stage-info gathering, privilege escalation and lateral movement, which is often the most challenging part of the attack chain to see and understand. The middle steps are often unfamiliar territory, except for the most highly specialized security practitioners. This lack of familiarity has contributed to significant underinvestment in security controls required to address attacks at this stage. But before we delve into our discussion of the middle, let\'s address the easiest stages to understand-the beginning and the end. The beginning of the attack chain A cyberattack has to start somewhere. At this stage, a cybercriminal gains an initial foothold into a target\'s IT environment. How do they do this? Mainly through phishing. A variety of tactics are used here including: Stealing a valid user\'s login credentials Luring a user into installing malicious software, such as Remote Access Trojans (RATs) Calling the company\'s help desk to socially engineer the help desk into granting the attacker control over a user\'s account Much ink has been spilled about these initial compromise techniques. This is why, in part, the level of awareness and understanding by security and non-security people of this first stage is so high. It is fair to say that most people-IT, security and everyday users-have personally experienced attempts at initial compromise. Who hasn\'t received a phishing email? A great deal of investment goes into security tools and user training to stop the initial compromise. Think of all the security technologies that exist for that purpose. The list is very long. The end of the attack chain Similarly, the level of awareness and understanding is also very high around what happens at the end of the attack chain. As a result, many security controls and best practices have also been focused here. Everyone-IT, security and even everyday users-understands the negative impacts of data exfiltration or business systems getting encrypted by ransomware attackers. Stories of stolen data and ransomed systems are in the news almost daily. Now, what about the middle? The middle is where an attacker attempts to move from the initially compromised account(s) or system(s) to more critical business systems where the data that\'s worth exfiltrating or ransoming is stored. To most people, other than red teamers, pen testers and cybercriminals, the middle of the attack chain is abstract and unfamiliar. After all, regular users don\'t attempt to escalate their privileges and move laterally on their enterprise network! These three stages make up the middle of the attack chain: Information gathering. This includes network scanning and enumeration. Privilege escalation. During this step, attackers go after identities that have successively higher IT system privileges. Or they escalate the privilege of the account that they currently control. Lateral movement. Here, they hop from one host to another on the way to the “crown jewel” IT systems. Steps in the middle of the attack chain. Relatively few IT or security folks have experience with or a deep understanding of the middle of the attack chain. There are several good reasons for this: Most security professionals are neither red teamers, pen testers, nor cybercriminals. The middle stages are “quiet,” unlike initial compromise-focused phishing attacks or successful ransomware attacks, which are very “loud” by comparison. Unlike the front and back end of the attack chain, there has been little coverage about how these steps | Ransomware Malware Tool Vulnerability Threat | ★★★ | |
|
2024-02-06 05:00:18 | Elon Musk veut vous envoyer à Mars: un tour d'horizon de quelques leurres impairs récents Elon Musk Wants to Send You to Mars: A Round Up of Some Recent Odd Lures (lien direct) |
Nous savons tous qu'Internet peut être un endroit étrange dans le meilleur des cas, il ne devrait donc pas surprendre que les cybercriminels du monde contribuent leur juste part d'étrangeté.Mais au cours des dernières semaines, nos chercheurs ont rencontré une poignée de campagnes malveillantes qui vont bien au-delà du niveau habituel de Bizarre pour atteindre leurs objectifs d'ingénierie sociale. Billets pour Mars Il y a quelques années à peine, le tourisme spatial faisait la une des gros titres.Il semblait que l'âge des escarpins orbitaux était juste au coin de la rue, et que la NASA construirait des bases de lune d'ici longtemps.Malheureusement, il y a eu des revers, et pour l'instant, l'espace reste la réserve des astronautes, des scientifiques et des très riches.Mais en suivant le principe «Go Big Or Rad Home», une récente campagne de messagerie malveillante ne s'est pas arrêtée au vol spatial sub-orbital ou ne visite pas sur la lune, promettant aux destinataires de gagner un voyage à Mars. Avec une ligne d'objet de «vous gagnez un voyage à Mars», les messages contenaient un PDF avec une image d'une récente biographie d'Elon Musk et une boîte de dialogue de mise à jour spoofée pour Adobe Reader.Le bouton de téléchargement de la fausse image liée à un fichier tar.gz contenant un exécutable qui a finalement téléchargé Redline Stealer. Le moment de cette campagne est intéressant, car le support natif de ce type de fichier dans Windows 11 n'a commencé qu'en octobre 2023. Les acteurs de menace occasionnellement proposent des leurres si improbables qu'il est difficile d'imaginer quiconque tombe amoureux d'eux.Mais il y a une méthode dans leur folie.Pour certains destinataires, la curiosité seule sera un leurre efficace.Après tout, l'ingénierie sociale consiste à amener votre victime à faire ce que vous voulez dans ce cas, en cliquant sur un lien de téléchargement.Et vous ne devez pas croire que vous allez vraiment gagner un voyage à Mars pour être intéressé à découvrir pourquoi vous en avez offert un. Service client grossier Nous avons tous de mauvais jours, mais les médias sociaux ont transformé les plaintes des clients en sport de spectateur.Dans cette campagne à faible volume, un acteur de menace non attribué a distribué des messages censés provenir de clients furieux appelés «Daniel Rodriguez» ou «Emma Grace».Daniel et Emma étaient tellement en colère contre le service qu'ils ont reçu qu'ils n'ont pas simplement envoyé un e-mail pour se plaindre - ils ne semblaient pas avoir rédigé des pensées encore plus étendues dans une pièce jointe appelée «attitude_reports.svg». Curieusement, SVG est l'extension de fichier pour les graphiques vectoriels évolutifs - un type de fichier inhabituel dans lequel notez vos réflexions sur un employé irrespectueux.Mais si le destinataire était suffisamment consciencieux pour télécharger la pièce jointe, les problèmes s'ensuivirent. Le SVG s'est ouvert dans un navigateur, initiant une chaîne d'infection complexe menant au malware du voleur de phédrone.La chaîne d'attaque était remarquable pour son utilisation de CVE-2023-38831, ainsi que d'être un exemple de l'utilisation croissante des fichiers SVG dans le paysage post-macro. De l'Ukraine à l'Ouzbékistan Le conflit entre la Russie et l'Ukraine a provoqué des troubles dans toute la région, et même les cybercriminels du monde ont été affectés.Dans une récente campagne, nos chercheurs ont remarqué un attaquant essayant d'utiliser la difficulté de l'approvisionnement en produits en Ukraine comme prétexte pour cibler les victimes potentielles dans toute l'Europe au nom de leurs partenaires en Ouzbékistan. Les messages contenaient une image hyperlienne usurpant une pièce jointe PDF.Les victimes cliquant sur l'image ont été adressées vers une URL MediaFire déclenchant une chaîne d'infection, ce qui a finalement conduit à l'agenttesla. Pour plus d'informations de nos chercheurs sur les menaces, abonnez-vous au podcast dé | Malware Threat | ★★ | |
|
2024-02-05 11:41:18 | 7 conseils pour développer une approche proactive pour éviter le vol de données 7 Tips to Develop a Proactive Approach to Prevent Data Theft (lien direct) |
Data is one of the most valuable assets for a modern enterprise. So, of course, it is a target for theft. Data theft is the unauthorized acquisition, copying or exfiltration of sensitive information that is typically stored in a digital format. To get it, bad actors either abuse privileges they already have or use various other means to gain access to computer systems, networks or digital storage devices. The data can range from user credentials to personal financial records and intellectual property. Companies of all sizes are targets of data theft. In September 2023, the personal data of 2,214 employees of the multinational confectionary firm The Hershey Company was stolen after a phishing attack. And in January 2024, the accounting firm of Framework Computer fell victim to an attack. A threat actor posed as the Framework\'s CEO and convinced the target to share a spreadsheet with the company\'s customer data. Data thieves aim to profit financially, disrupt business activities or do both by stealing high-value information. The fallout from a data breach can be very costly for a business-and the cost is going up. IBM reports that the global average cost of a data breach in 2023 was $4.45 million, a 15% increase over three years. Other data suggests that the average cost of a breach is more than double for U.S. businesses-nearly $9.5 million. Not all data breaches involve data theft, but stealing data is a top aim for many attackers. Even ransomware gangs have been shifting away from data encryption in their attacks, opting instead to steal massive amounts of data and use its value as a means to compel businesses to pay ransom. So, what can businesses do to prevent data theft? Taking a proactive approach toward stopping someone from stealing your data is a must. This blog post can help jump-start your thinking about how to improve data security. We explore how data theft happens and describe some common threats that lead to it. We also outline seven strategies that can help reduce your company\'s risk of exposure to data theft and highlight how Proofpoint can bolster your defenses. Understanding data theft-and who commits it Data theft is a serious security and privacy breach. Data thieves typically aim to steal information like: Personally identifiable information (PII) Financial records Intellectual property (IP) Trade secrets Login credentials Once they have it, bad actors can use stolen data for fraudulent activities or, in the case of credential theft, to gain unlawful access to accounts or systems. They can also sell high-value data on the dark web. The consequences of data theft for businesses can be significant, if not devastating. They include hefty compliance penalties, reputational damage, and financial and operational losses. Take the manufacturing industry as an example. According to one source, a staggering 478 companies in this industry have experienced a ransomware attack in the past five years. The costs in associated downtime are approximately $46.2 billion. To prevent data theft, it\'s important to recognize that bad actors from the outside aren\'t the only threat. Insiders, like malicious employees, contractors and vendors, can also steal data from secured file servers, database servers, cloud applications and other sources. And if they have the right privileges, stealing that data can be a breeze. An insider\'s goals for data theft may include fraud, the disclosure of trade secrets to a competitor for financial gain, or even corporate sabotage. As for how they can exfiltrate data, insiders can use various means, from removable media to personal email to physical printouts. How does data theft happen? Now, let\'s look at some common methods that attackers working from the outside might employ to breach a company\'s defenses and steal data. Phishing. Cybercriminals use phishing to target users through email, text messages, phone calls and other forms of communication. The core objective of this approach is to trick users into doing what | Ransomware Data Breach Malware Tool Vulnerability Threat Cloud | ★★★ | |
|
2024-02-02 05:00:40 | Brisez la chaîne d'attaque: le gambit d'ouverture Break the Attack Chain: The Opening Gambit (lien direct) |
The threat landscape has always evolved. But the pace of change over the last decade is unlike anything most security professionals have experienced before. Today\'s threats focus much less on our infrastructure and much more on our people. But that\'s not all. Where once a cyberattack may have been a stand-alone event, these events are now almost always multistage. In fact, most modern threats follow the same playbook: initial compromise, lateral movement and impact. While this approach has the potential to cause more damage, it also gives security teams more opportunities to spot and halt cyberattacks. By placing protections in key spots along the attack chain, we can thwart and frustrate would-be cybercriminals before their ultimate payoff. This starts with understanding the opening gambit: How do threat actors attempt to gain access to your king-in this case, your networks and data? And what can be done to keep them at bay? Understanding the playbook The chess parallels continue when we look at recent evolutions in the threat landscape, with our defensive tactics provoking an adapted method of attack. We see this in full effect when it comes to multifactor authentication (MFA). In recent years, security professionals have flocked to MFA to protect accounts and safeguard credentials. In response, threat actors have developed MFA bypass and spoofing methods to get around and weaponize these protections. So much so that MFA bypass can now be considered the norm when it comes to corporate credential phishing attacks. Increasingly, cybercriminals purchase off-the-shelf kits which enable them to use adversary-in-the-middle (AiTM) tactics to digitally eavesdrop and steal credentials. We have also seen an increase in other human-activated methods, such as telephone-oriented attack delivery (TOAD). This method combines voice and email phishing techniques to trick victims into disclosing sensitive information such as login credentials or financial data. Whatever the method, the desired outcome at this stage is the same. Cybercriminals seek to get inside your defenses so they can execute the next stage of their attack. That is what makes the opening gambit such a critical time in the lifecycle of a cyber threat. Modern threat actors are experts at remaining undetected once they are inside our networks. They know how to hide in plain sight, move laterally and escalate privileges. So, if this stage of the attack is a success, organizations have a huge problem. The good news is that the more we understand the tactics that today\'s cybercriminals use, the more we can adapt our defenses to stop them in their tracks before they can inflict significant damage. Countering the gambit The best opportunity to stop cybercriminals is before and during the initial compromise. By mastering a counter to the opening gambit, we can keep malicious actors where they belong-outside our perimeter. It will surprise no one that most threats start in the inbox. So, the more we can do to stop malicious messaging before it reaches our people, the better. There is no silver bullet in this respect. artificial intelligence (AI)-powered email security is as close as it gets. Proofpoint Email Protection is the only AI and machine learning-powered threat protection that disarms today\'s advanced attacks. Proofpoint Email Protection uses trillions of data points to detect and block business email compromise (BEC), phishing, ransomware, supply chain threats and plenty more. It also correlates threat intelligence across email, cloud and network data to help you stay ahead of new and evolving threats that target your people. However, the difficult reality is that nothing is entirely impenetrable. Today\'s security teams must assume some threats will reach the inbox. And your people need to be prepared when they do. Equipping this vital line of defense requires total visibility into who is being attacked in your organization-and when, where and how. Once you have identified the people who ar | Ransomware Threat Cloud | ★★★ | |
|
2024-02-02 05:00:36 | Développement d'une nouvelle norme Internet: le cadre de la politique relationnelle du domaine Developing a New Internet Standard: the Domain Relationship Policy Framework (lien direct) |
Engineering Insights is an ongoing blog series that gives a behind-the-scenes look into the technical challenges, lessons and advances that help our customers protect people and defend data every day. Each post is a firsthand account by one of our engineers about the process that led up to a Proofpoint innovation. In this blog post, we discuss the Domain Relationship Policy Framework (DRPF)-an effort that has been years in the making at Proofpoint. The DRPF is a simple method that is used to identify verifiably authorized relationships between arbitrary domains. We create a flexible way to publish policies. These policies can also describe complex domain relationships. The details for this new model require in-depth community discussions. These conversations will help us collectively steer the DRPF toward becoming a fully interoperable standard. We are now in the early proposal stage for the DRPF, and we are starting to engage more with the broader community. This post provides a glimpse down the road leading to standardization for the DRPF. Why Proofpoint developed DRPF To shine a light on why Proofpoint was inspired to develop the DRPF in the first place, let\'s consider the thinking of the initial designers of the Domain Name System (DNS). They assumed that subdomains would inherit the administrative control of their parent domains. And by extension, this should apply to all subsequent subdomains down the line. At the time, this was reasonable to assume. Most early domains and their subdomains operated in much the same way. For example, “university.edu” directly operated and controlled the administrative policies for subdomains such as “lab.university.edu” which flowed down to “project.lab.university.edu.” Since the mid-1980s, when DNS was widely deployed, there has been a growing trend of delegating subdomains to third parties. This reflects a breakdown of the hierarchical model of cascading policies. To see how this works, imagine that a business uses “company.com” as a domain. That business might delegate “marketing.company.com” to a third-party marketing agency. The subdomain must inherit some policies, while the subdomain administrator may apply other policies that don\'t apply to the parent domain. Notably, there is no mechanism yet for a domain to declare a relationship with another seemingly independent domain. Consider a parent company that operates multiple distinct brands. The company with a single set of policies may want them applied not only to “company.com” (and all of its subdomains). It may also want them applied to its brand domains “brand.com” and “anotherbrand.com.” It gets even more complex when any of the brand domains delegate various subdomains to other third parties. So, say some of them are delegated to marketing or API support. Each will potentially be governed by a mix of administrative policies. In this context, “policies” refers to published guidance that is used when these subdomains interact with the domain. Policies might be for information only. Or they might provide details that are required to use services that the domain operates. Most policies will be static (or appear so to the retrieving parties). But it is possible to imagine that they could contain directives akin to smart contracts in distributed ledgers. 3 Design characteristics that define DRPF The goal of the DRPF is to make deployment and adoption easier while making it flexible for future use cases. In many prior proposals, complex requirements bogged down efforts to get rid of administrative boundaries between and across disparate domains. Our work should be immediately useful with minimal effort and be able to support a wide array of ever-expanding use cases. In its simplest form, three design characteristics define the DRPF: A domain administrator publishes a policy assertion record for the domain so that a relying party can discover and retrieve it. The discovered policy assertion directs the relying party to where they can find | Tool Prediction Cloud Technical | ★★★ | |
|
2024-02-01 06:00:12 | Le pare-feu humain: Pourquoi la formation de sensibilisation à la sécurité est une couche de défense efficace The Human Firewall: Why Security Awareness Training Is an Effective Layer of Defense (lien direct) |
Do security awareness programs lead to a quantifiable reduction in risk? Do they directly impact a company\'s security culture? In short, are these programs effective? The answer to these questions is a resounding yes! With 74% of all data breaches involving the human element, the importance of educating people to help prevent a breach cannot be understated. However, for training to be effective, it needs to be frequent, ongoing and provided to everyone. Users should learn about: How to identify and protect themselves from evolving cyberthreats What best practices they can use to keep data safe Why following security policies is important In this blog post, we discuss the various ways that security awareness training can have a positive impact on your company. We also discuss how to make your program better and how to measure your success. Security awareness training effectiveness Let\'s look at three ways that security awareness training can help you boost your defenses. 1. Mitigate your risks By teaching your team how to spot and handle threats, you can cut down on data breaches and security incidents. Our study on the effects of using Proofpoint Security Awareness showed that many companies saw up to a 40% decrease in the number of harmful links clicked by users. Think about this: every click on a malicious link could lead to credential theft, a ransomware infection, or the exploitation of a zero-day vulnerability. So, an effective security awareness program essentially reduces security incidents by a similar amount. Want more evidence about how important it is? Just check out this study that shows security risks can be reduced by as much as 80%. Here is more food for thought. If a malicious link does not directly result in a breach, it must still be investigated. The average time to identify a breach is 204 days. So, if you can reduce the number of incidents you need to investigate, you can see real savings in time and resources. 2. Comply with regulations Security awareness education helps your company comply with data regulations, which are always changing. This can help you avoid hefty fines and damage to your reputation. In many cases, having a security awareness program can keep you compliant with several regulations. This includes U.S. state privacy laws, the European Union\'s GDPR and other industry regulations. 3. Cultivate a strong security culture An effective security awareness program doesn\'t have to be all doom and gloom. Done right, it can help you foster a positive security culture. More than half of users (56%) believe that being recognized or rewarded would make their company\'s security awareness efforts more effective. But only 8% of users say that their company provides them with incentives to practice “good” cybersecurity behavior. When you make security fun through games, contests, and reward and recognition programs, you can keep your employees engaged. You can also motivate them to feel personally responsible for security. That, in turn, can inspire them to be proactive about keeping your critical assets safe. Finally, be sure to incorporate security principles into your company\'s core values. For example, your business leaders should regularly discuss the importance of security. That will help users to understand that everyone plays a vital role in keeping the business safe. How to make your security awareness program effective The verdict is clear. Security awareness programs can tangibly reduce organizational risks. When asked about the connection between their security awareness efforts and their company\'s cybersecurity resilience, a resounding 96% of security professionals say that there is more than just a strong link. They say that it\'s either a direct result of security training or that training is a strong contributor. Let\'s discuss how you can make your program more effective. Assess your security posture The first step toward effectiveness is to assess your company\'s security posture | Ransomware Tool Vulnerability Threat Studies | ★★★ |
To see everything:
Our RSS (filtrered)
