What's new arround internet
| Src | Date (GMT) | Titre | Description | Tags | Stories | Notes |
 |
2024-02-07 05:00:39 | Arrêt de cybersécurité du mois: prévenir le compromis de la chaîne d'approvisionnement Cybersecurity Stop of the Month: Preventing Supply Chain Compromise (lien direct) |
This blog post is part of a monthly series, Cybersecurity Stop of the Month, which explores the ever-evolving tactics of today\'s cybercriminals. It focuses on the critical first three steps in the attack chain in the context of email threats. Its goal is to help you understand how to fortify your defenses to protect people and defend data against emerging threats in today\'s dynamic threat landscape. The critical first three steps of the attack chain: reconnaissance, initial compromise and persistence. So far in this series, we have examined these types of attacks: Business email compromise (BEC) and supply chain attacks EvilProxy SocGholish eSignature phishing QR code phishing Telephone-oriented attack delivery (TOAD) Payroll diversion MFA manipulation In this post, we look at supply chain compromise, which is a form of BEC. Supply chain compromise is not a new form of BEC, but we are seeing a rise in these attacks. The example in this blog post is one that Proofpoint recently detected. A law firm with 2,000 users was the intended target. In our discussion, we cover the typical attack sequence of a supply chain compromise to help you understand how it unfolds. And we explain how Proofpoint uses multiple signals to detect and prevent these threats for our customers. Background Supply chain attacks are growing in popularity and sophistication at a rapid pace. TechCrunch reports that the largest supply chain compromise in 2023 cost the impacted businesses more than $9.9 billion. That incident had a direct impact on more than 1,000 businesses and over 60 million people. In these attacks, a bad actor targets a company by compromising the security of its suppliers, vendors and other third parties within its supply chain. Instead of launching a direct attack on the target company\'s systems, networks or employees, an attacker infiltrates a trusted entity within the supply chain, thereby exploiting the entity\'s trust and access vis-a-vis the target. Attackers know that enterprises with mature supply chains tend to have stronger cybersecurity defenses, which makes them challenging targets. So, rather than trying to break into “Fort Knox” through the front door, they will target the ventilation system. Bad actors often use thread hijacking, also known as conversation hijacking, in these attacks. They target specific email accounts and compromise them so that they can spy on users\' conversations. When the time is right, they will insert themselves into a business email conversation based on the information they have gathered from the compromised email accounts or other sources. Sometimes, the attack will be bold enough to initiate new conversations. Thread hijacking attacks, like other BEC campaigns, don\'t often carry malicious payloads like attachments or URLs. Thread hijacking is also a targeted attack, so bad actors will often use a lookalike domain. (A lookalike domain is a website URL that closely resembles the address of a legitimate and well-known domain, often with slight variations in spelling, characters or domain extensions.) This potent combination-the lack of an active payload and the use of a lookalike domain-makes it difficult for simple, API-based email security solutions to detect and remediate these types of attacks. The scenario Proofpoint recently detected a threat actor account that was impersonating an accounts receivable employee at a small financial services company in Florida. Through this impersonation, the adversary launched a supply chain attack on their intended target-a large law firm in Boston. They sent an impersonating message to the law firm\'s controller asking them to halt a requested payment and change the payment information to another account. Unlike API-based email security solutions that only support post-delivery remediation, Proofpoint detected and blocked the impersonating messages before they reached the controller\'s inbox. As a result, the law fir | Tool Threat | ★★ | |
|
2024-02-07 05:00:33 | Protéger vos chemins, partie 2: Comprendre votre rayon de souffle d'identité Protecting Your Paths, Part 2: Understanding Your Identity Blast Radius (lien direct) |
Welcome to the second part of our blog series on using attack path management (APM) to secure your network. In our first post, we examined the importance of using APM to identify and remediate identity-centric attack paths before attackers exploit them. We also emphasized that the compromise of tier-zero assets -aka the “IT crown jewels”-is a top objective for attackers. Attack path management (APM) is a process by which you discover all the existing paths that an attacker can exploit to reach tier-zero assets within your environment. APM plays a pivotal role in helping security teams pinpoint vulnerable identities. It provides a holistic view of the available attack paths that an attacker could use to move laterally in the quest to reach your IT crown jewels. In this blog, we introduce a crucial APM concept known as the identity blast radius. We explore the use cases for this view. And we highlight how it is similar but distinct from the attack path view. What you can learn from identity blast radius analysis An identity blast radius represents the potential impact of an attacker who is moving laterally using a compromised identity. It presents how the compromise of one particular identity can help an attacker reach other identities or assets in the network. Discovering the identity blast radius before attackers do is essential to prevent a minor compromise from turning into a major security incident. To see how this works, it\'s helpful to visualize it. Below is an illustration of the vulnerabilities related to a user named Brian Rivera. It\'s just one example of how attackers can abuse Active Directory ACLs. Example view of an identity blast radius. In the blast radius view above the subject identity for Brian Riviera serves as the “tree root” of the view. Branching off the tree root are all the assets and privileges that that specific user can invoke. These include: Stored credentials. If an attacker compromises hosts where Brian\'s Remote Desktop Protocol (RDP) credentials are stored, they can use those credentials to move laterally to the indicated hosts. Active Directory ACL assignments. An attacker that compromises Brian\'s identity can use his GenericWrite permission in Active Directory to: Gain code execution with elevated privileges on a remote computer Delete files and data Introduce malicious files or code on the flagged targets Identity blast radius use cases The identity blast radius view supports powerful use cases that support attack path analysis, including: Post-compromise analysis. After an attacker gets control of an identity, the blast radius view can help you identify other identities and assets that are vulnerable to lateral movement or other malicious actions. What-if analysis. Your security teams can use the identity blast radius view to assess the potential impact of an attack on high-value targets like your chief financial officer or a senior IT administrator. With that insight, they can apply other compensating controls. Changes in access privileges. It can also help you identify the potential impact of changes in access privileges. These often occur when employees move between roles. You can use this insight to ensure that an employee\'s access is properly managed. This can prevent an excessive accumulation of privileges. Assets vs. identities: Differences between tier-zero asset views and identity blast radius views The figure below shows how the tier-zero asset view illustrates paths that ascend from different entities to the tier-zero asset root. In contrast, the identity blast radius view positions the subject identity as the tree root. Paths extend downward to various entities that are reachable through diverse relations like Active Directory ACL assignments or stored credentials. Comparison of the tier-zero assets view versus the identity blast radius view. These two views offer different perspectives. But both are powerful tools to help you visualize identity-related vulnerabilities. These i | Tool Vulnerability Threat | ★★★ | |
|
2024-02-06 05:00:20 | Comment les cybercriminels augmentent-ils le privilège et se déplacent-ils latéralement? How Do Cybercriminals Escalate Privilege and Move Laterally? (lien direct) |
If you want to understand how cybercriminals cause business-impacting security breaches, the attack chain is a great place to start. The eight steps of this chain generalize how a breach progresses from start to finish. The most impactful breaches typically follow this pattern: Steps in the attack chain. In this blog post, we will simplify the eight steps of an attack into three stages-the beginning, middle and end. Our focus here will primarily be on the middle stage-info gathering, privilege escalation and lateral movement, which is often the most challenging part of the attack chain to see and understand. The middle steps are often unfamiliar territory, except for the most highly specialized security practitioners. This lack of familiarity has contributed to significant underinvestment in security controls required to address attacks at this stage. But before we delve into our discussion of the middle, let\'s address the easiest stages to understand-the beginning and the end. The beginning of the attack chain A cyberattack has to start somewhere. At this stage, a cybercriminal gains an initial foothold into a target\'s IT environment. How do they do this? Mainly through phishing. A variety of tactics are used here including: Stealing a valid user\'s login credentials Luring a user into installing malicious software, such as Remote Access Trojans (RATs) Calling the company\'s help desk to socially engineer the help desk into granting the attacker control over a user\'s account Much ink has been spilled about these initial compromise techniques. This is why, in part, the level of awareness and understanding by security and non-security people of this first stage is so high. It is fair to say that most people-IT, security and everyday users-have personally experienced attempts at initial compromise. Who hasn\'t received a phishing email? A great deal of investment goes into security tools and user training to stop the initial compromise. Think of all the security technologies that exist for that purpose. The list is very long. The end of the attack chain Similarly, the level of awareness and understanding is also very high around what happens at the end of the attack chain. As a result, many security controls and best practices have also been focused here. Everyone-IT, security and even everyday users-understands the negative impacts of data exfiltration or business systems getting encrypted by ransomware attackers. Stories of stolen data and ransomed systems are in the news almost daily. Now, what about the middle? The middle is where an attacker attempts to move from the initially compromised account(s) or system(s) to more critical business systems where the data that\'s worth exfiltrating or ransoming is stored. To most people, other than red teamers, pen testers and cybercriminals, the middle of the attack chain is abstract and unfamiliar. After all, regular users don\'t attempt to escalate their privileges and move laterally on their enterprise network! These three stages make up the middle of the attack chain: Information gathering. This includes network scanning and enumeration. Privilege escalation. During this step, attackers go after identities that have successively higher IT system privileges. Or they escalate the privilege of the account that they currently control. Lateral movement. Here, they hop from one host to another on the way to the “crown jewel” IT systems. Steps in the middle of the attack chain. Relatively few IT or security folks have experience with or a deep understanding of the middle of the attack chain. There are several good reasons for this: Most security professionals are neither red teamers, pen testers, nor cybercriminals. The middle stages are “quiet,” unlike initial compromise-focused phishing attacks or successful ransomware attacks, which are very “loud” by comparison. Unlike the front and back end of the attack chain, there has been little coverage about how these steps | Ransomware Malware Tool Vulnerability Threat | ★★★ | |
|
2024-02-06 05:00:18 | Elon Musk veut vous envoyer à Mars: un tour d'horizon de quelques leurres impairs récents Elon Musk Wants to Send You to Mars: A Round Up of Some Recent Odd Lures (lien direct) |
Nous savons tous qu'Internet peut être un endroit étrange dans le meilleur des cas, il ne devrait donc pas surprendre que les cybercriminels du monde contribuent leur juste part d'étrangeté.Mais au cours des dernières semaines, nos chercheurs ont rencontré une poignée de campagnes malveillantes qui vont bien au-delà du niveau habituel de Bizarre pour atteindre leurs objectifs d'ingénierie sociale. Billets pour Mars Il y a quelques années à peine, le tourisme spatial faisait la une des gros titres.Il semblait que l'âge des escarpins orbitaux était juste au coin de la rue, et que la NASA construirait des bases de lune d'ici longtemps.Malheureusement, il y a eu des revers, et pour l'instant, l'espace reste la réserve des astronautes, des scientifiques et des très riches.Mais en suivant le principe «Go Big Or Rad Home», une récente campagne de messagerie malveillante ne s'est pas arrêtée au vol spatial sub-orbital ou ne visite pas sur la lune, promettant aux destinataires de gagner un voyage à Mars. Avec une ligne d'objet de «vous gagnez un voyage à Mars», les messages contenaient un PDF avec une image d'une récente biographie d'Elon Musk et une boîte de dialogue de mise à jour spoofée pour Adobe Reader.Le bouton de téléchargement de la fausse image liée à un fichier tar.gz contenant un exécutable qui a finalement téléchargé Redline Stealer. Le moment de cette campagne est intéressant, car le support natif de ce type de fichier dans Windows 11 n'a commencé qu'en octobre 2023. Les acteurs de menace occasionnellement proposent des leurres si improbables qu'il est difficile d'imaginer quiconque tombe amoureux d'eux.Mais il y a une méthode dans leur folie.Pour certains destinataires, la curiosité seule sera un leurre efficace.Après tout, l'ingénierie sociale consiste à amener votre victime à faire ce que vous voulez dans ce cas, en cliquant sur un lien de téléchargement.Et vous ne devez pas croire que vous allez vraiment gagner un voyage à Mars pour être intéressé à découvrir pourquoi vous en avez offert un. Service client grossier Nous avons tous de mauvais jours, mais les médias sociaux ont transformé les plaintes des clients en sport de spectateur.Dans cette campagne à faible volume, un acteur de menace non attribué a distribué des messages censés provenir de clients furieux appelés «Daniel Rodriguez» ou «Emma Grace».Daniel et Emma étaient tellement en colère contre le service qu'ils ont reçu qu'ils n'ont pas simplement envoyé un e-mail pour se plaindre - ils ne semblaient pas avoir rédigé des pensées encore plus étendues dans une pièce jointe appelée «attitude_reports.svg». Curieusement, SVG est l'extension de fichier pour les graphiques vectoriels évolutifs - un type de fichier inhabituel dans lequel notez vos réflexions sur un employé irrespectueux.Mais si le destinataire était suffisamment consciencieux pour télécharger la pièce jointe, les problèmes s'ensuivirent. Le SVG s'est ouvert dans un navigateur, initiant une chaîne d'infection complexe menant au malware du voleur de phédrone.La chaîne d'attaque était remarquable pour son utilisation de CVE-2023-38831, ainsi que d'être un exemple de l'utilisation croissante des fichiers SVG dans le paysage post-macro. De l'Ukraine à l'Ouzbékistan Le conflit entre la Russie et l'Ukraine a provoqué des troubles dans toute la région, et même les cybercriminels du monde ont été affectés.Dans une récente campagne, nos chercheurs ont remarqué un attaquant essayant d'utiliser la difficulté de l'approvisionnement en produits en Ukraine comme prétexte pour cibler les victimes potentielles dans toute l'Europe au nom de leurs partenaires en Ouzbékistan. Les messages contenaient une image hyperlienne usurpant une pièce jointe PDF.Les victimes cliquant sur l'image ont été adressées vers une URL MediaFire déclenchant une chaîne d'infection, ce qui a finalement conduit à l'agenttesla. Pour plus d'informations de nos chercheurs sur les menaces, abonnez-vous au podcast dé | Malware Threat | ★★ | |
|
2024-02-05 11:41:18 | 7 conseils pour développer une approche proactive pour éviter le vol de données 7 Tips to Develop a Proactive Approach to Prevent Data Theft (lien direct) |
Data is one of the most valuable assets for a modern enterprise. So, of course, it is a target for theft. Data theft is the unauthorized acquisition, copying or exfiltration of sensitive information that is typically stored in a digital format. To get it, bad actors either abuse privileges they already have or use various other means to gain access to computer systems, networks or digital storage devices. The data can range from user credentials to personal financial records and intellectual property. Companies of all sizes are targets of data theft. In September 2023, the personal data of 2,214 employees of the multinational confectionary firm The Hershey Company was stolen after a phishing attack. And in January 2024, the accounting firm of Framework Computer fell victim to an attack. A threat actor posed as the Framework\'s CEO and convinced the target to share a spreadsheet with the company\'s customer data. Data thieves aim to profit financially, disrupt business activities or do both by stealing high-value information. The fallout from a data breach can be very costly for a business-and the cost is going up. IBM reports that the global average cost of a data breach in 2023 was $4.45 million, a 15% increase over three years. Other data suggests that the average cost of a breach is more than double for U.S. businesses-nearly $9.5 million. Not all data breaches involve data theft, but stealing data is a top aim for many attackers. Even ransomware gangs have been shifting away from data encryption in their attacks, opting instead to steal massive amounts of data and use its value as a means to compel businesses to pay ransom. So, what can businesses do to prevent data theft? Taking a proactive approach toward stopping someone from stealing your data is a must. This blog post can help jump-start your thinking about how to improve data security. We explore how data theft happens and describe some common threats that lead to it. We also outline seven strategies that can help reduce your company\'s risk of exposure to data theft and highlight how Proofpoint can bolster your defenses. Understanding data theft-and who commits it Data theft is a serious security and privacy breach. Data thieves typically aim to steal information like: Personally identifiable information (PII) Financial records Intellectual property (IP) Trade secrets Login credentials Once they have it, bad actors can use stolen data for fraudulent activities or, in the case of credential theft, to gain unlawful access to accounts or systems. They can also sell high-value data on the dark web. The consequences of data theft for businesses can be significant, if not devastating. They include hefty compliance penalties, reputational damage, and financial and operational losses. Take the manufacturing industry as an example. According to one source, a staggering 478 companies in this industry have experienced a ransomware attack in the past five years. The costs in associated downtime are approximately $46.2 billion. To prevent data theft, it\'s important to recognize that bad actors from the outside aren\'t the only threat. Insiders, like malicious employees, contractors and vendors, can also steal data from secured file servers, database servers, cloud applications and other sources. And if they have the right privileges, stealing that data can be a breeze. An insider\'s goals for data theft may include fraud, the disclosure of trade secrets to a competitor for financial gain, or even corporate sabotage. As for how they can exfiltrate data, insiders can use various means, from removable media to personal email to physical printouts. How does data theft happen? Now, let\'s look at some common methods that attackers working from the outside might employ to breach a company\'s defenses and steal data. Phishing. Cybercriminals use phishing to target users through email, text messages, phone calls and other forms of communication. The core objective of this approach is to trick users into doing what | Ransomware Data Breach Malware Tool Vulnerability Threat Cloud | ★★★ | |
|
2024-02-02 05:00:40 | Brisez la chaîne d'attaque: le gambit d'ouverture Break the Attack Chain: The Opening Gambit (lien direct) |
The threat landscape has always evolved. But the pace of change over the last decade is unlike anything most security professionals have experienced before. Today\'s threats focus much less on our infrastructure and much more on our people. But that\'s not all. Where once a cyberattack may have been a stand-alone event, these events are now almost always multistage. In fact, most modern threats follow the same playbook: initial compromise, lateral movement and impact. While this approach has the potential to cause more damage, it also gives security teams more opportunities to spot and halt cyberattacks. By placing protections in key spots along the attack chain, we can thwart and frustrate would-be cybercriminals before their ultimate payoff. This starts with understanding the opening gambit: How do threat actors attempt to gain access to your king-in this case, your networks and data? And what can be done to keep them at bay? Understanding the playbook The chess parallels continue when we look at recent evolutions in the threat landscape, with our defensive tactics provoking an adapted method of attack. We see this in full effect when it comes to multifactor authentication (MFA). In recent years, security professionals have flocked to MFA to protect accounts and safeguard credentials. In response, threat actors have developed MFA bypass and spoofing methods to get around and weaponize these protections. So much so that MFA bypass can now be considered the norm when it comes to corporate credential phishing attacks. Increasingly, cybercriminals purchase off-the-shelf kits which enable them to use adversary-in-the-middle (AiTM) tactics to digitally eavesdrop and steal credentials. We have also seen an increase in other human-activated methods, such as telephone-oriented attack delivery (TOAD). This method combines voice and email phishing techniques to trick victims into disclosing sensitive information such as login credentials or financial data. Whatever the method, the desired outcome at this stage is the same. Cybercriminals seek to get inside your defenses so they can execute the next stage of their attack. That is what makes the opening gambit such a critical time in the lifecycle of a cyber threat. Modern threat actors are experts at remaining undetected once they are inside our networks. They know how to hide in plain sight, move laterally and escalate privileges. So, if this stage of the attack is a success, organizations have a huge problem. The good news is that the more we understand the tactics that today\'s cybercriminals use, the more we can adapt our defenses to stop them in their tracks before they can inflict significant damage. Countering the gambit The best opportunity to stop cybercriminals is before and during the initial compromise. By mastering a counter to the opening gambit, we can keep malicious actors where they belong-outside our perimeter. It will surprise no one that most threats start in the inbox. So, the more we can do to stop malicious messaging before it reaches our people, the better. There is no silver bullet in this respect. artificial intelligence (AI)-powered email security is as close as it gets. Proofpoint Email Protection is the only AI and machine learning-powered threat protection that disarms today\'s advanced attacks. Proofpoint Email Protection uses trillions of data points to detect and block business email compromise (BEC), phishing, ransomware, supply chain threats and plenty more. It also correlates threat intelligence across email, cloud and network data to help you stay ahead of new and evolving threats that target your people. However, the difficult reality is that nothing is entirely impenetrable. Today\'s security teams must assume some threats will reach the inbox. And your people need to be prepared when they do. Equipping this vital line of defense requires total visibility into who is being attacked in your organization-and when, where and how. Once you have identified the people who ar | Ransomware Threat Cloud | ★★★ | |
|
2024-02-02 05:00:36 | Développement d'une nouvelle norme Internet: le cadre de la politique relationnelle du domaine Developing a New Internet Standard: the Domain Relationship Policy Framework (lien direct) |
Engineering Insights is an ongoing blog series that gives a behind-the-scenes look into the technical challenges, lessons and advances that help our customers protect people and defend data every day. Each post is a firsthand account by one of our engineers about the process that led up to a Proofpoint innovation. In this blog post, we discuss the Domain Relationship Policy Framework (DRPF)-an effort that has been years in the making at Proofpoint. The DRPF is a simple method that is used to identify verifiably authorized relationships between arbitrary domains. We create a flexible way to publish policies. These policies can also describe complex domain relationships. The details for this new model require in-depth community discussions. These conversations will help us collectively steer the DRPF toward becoming a fully interoperable standard. We are now in the early proposal stage for the DRPF, and we are starting to engage more with the broader community. This post provides a glimpse down the road leading to standardization for the DRPF. Why Proofpoint developed DRPF To shine a light on why Proofpoint was inspired to develop the DRPF in the first place, let\'s consider the thinking of the initial designers of the Domain Name System (DNS). They assumed that subdomains would inherit the administrative control of their parent domains. And by extension, this should apply to all subsequent subdomains down the line. At the time, this was reasonable to assume. Most early domains and their subdomains operated in much the same way. For example, “university.edu” directly operated and controlled the administrative policies for subdomains such as “lab.university.edu” which flowed down to “project.lab.university.edu.” Since the mid-1980s, when DNS was widely deployed, there has been a growing trend of delegating subdomains to third parties. This reflects a breakdown of the hierarchical model of cascading policies. To see how this works, imagine that a business uses “company.com” as a domain. That business might delegate “marketing.company.com” to a third-party marketing agency. The subdomain must inherit some policies, while the subdomain administrator may apply other policies that don\'t apply to the parent domain. Notably, there is no mechanism yet for a domain to declare a relationship with another seemingly independent domain. Consider a parent company that operates multiple distinct brands. The company with a single set of policies may want them applied not only to “company.com” (and all of its subdomains). It may also want them applied to its brand domains “brand.com” and “anotherbrand.com.” It gets even more complex when any of the brand domains delegate various subdomains to other third parties. So, say some of them are delegated to marketing or API support. Each will potentially be governed by a mix of administrative policies. In this context, “policies” refers to published guidance that is used when these subdomains interact with the domain. Policies might be for information only. Or they might provide details that are required to use services that the domain operates. Most policies will be static (or appear so to the retrieving parties). But it is possible to imagine that they could contain directives akin to smart contracts in distributed ledgers. 3 Design characteristics that define DRPF The goal of the DRPF is to make deployment and adoption easier while making it flexible for future use cases. In many prior proposals, complex requirements bogged down efforts to get rid of administrative boundaries between and across disparate domains. Our work should be immediately useful with minimal effort and be able to support a wide array of ever-expanding use cases. In its simplest form, three design characteristics define the DRPF: A domain administrator publishes a policy assertion record for the domain so that a relying party can discover and retrieve it. The discovered policy assertion directs the relying party to where they can find | Tool Prediction Cloud Technical | ★★★ | |
|
2024-02-01 06:00:12 | Le pare-feu humain: Pourquoi la formation de sensibilisation à la sécurité est une couche de défense efficace The Human Firewall: Why Security Awareness Training Is an Effective Layer of Defense (lien direct) |
Do security awareness programs lead to a quantifiable reduction in risk? Do they directly impact a company\'s security culture? In short, are these programs effective? The answer to these questions is a resounding yes! With 74% of all data breaches involving the human element, the importance of educating people to help prevent a breach cannot be understated. However, for training to be effective, it needs to be frequent, ongoing and provided to everyone. Users should learn about: How to identify and protect themselves from evolving cyberthreats What best practices they can use to keep data safe Why following security policies is important In this blog post, we discuss the various ways that security awareness training can have a positive impact on your company. We also discuss how to make your program better and how to measure your success. Security awareness training effectiveness Let\'s look at three ways that security awareness training can help you boost your defenses. 1. Mitigate your risks By teaching your team how to spot and handle threats, you can cut down on data breaches and security incidents. Our study on the effects of using Proofpoint Security Awareness showed that many companies saw up to a 40% decrease in the number of harmful links clicked by users. Think about this: every click on a malicious link could lead to credential theft, a ransomware infection, or the exploitation of a zero-day vulnerability. So, an effective security awareness program essentially reduces security incidents by a similar amount. Want more evidence about how important it is? Just check out this study that shows security risks can be reduced by as much as 80%. Here is more food for thought. If a malicious link does not directly result in a breach, it must still be investigated. The average time to identify a breach is 204 days. So, if you can reduce the number of incidents you need to investigate, you can see real savings in time and resources. 2. Comply with regulations Security awareness education helps your company comply with data regulations, which are always changing. This can help you avoid hefty fines and damage to your reputation. In many cases, having a security awareness program can keep you compliant with several regulations. This includes U.S. state privacy laws, the European Union\'s GDPR and other industry regulations. 3. Cultivate a strong security culture An effective security awareness program doesn\'t have to be all doom and gloom. Done right, it can help you foster a positive security culture. More than half of users (56%) believe that being recognized or rewarded would make their company\'s security awareness efforts more effective. But only 8% of users say that their company provides them with incentives to practice “good” cybersecurity behavior. When you make security fun through games, contests, and reward and recognition programs, you can keep your employees engaged. You can also motivate them to feel personally responsible for security. That, in turn, can inspire them to be proactive about keeping your critical assets safe. Finally, be sure to incorporate security principles into your company\'s core values. For example, your business leaders should regularly discuss the importance of security. That will help users to understand that everyone plays a vital role in keeping the business safe. How to make your security awareness program effective The verdict is clear. Security awareness programs can tangibly reduce organizational risks. When asked about the connection between their security awareness efforts and their company\'s cybersecurity resilience, a resounding 96% of security professionals say that there is more than just a strong link. They say that it\'s either a direct result of security training or that training is a strong contributor. Let\'s discuss how you can make your program more effective. Assess your security posture The first step toward effectiveness is to assess your company\'s security posture | Ransomware Tool Vulnerability Threat Studies | ★★★ | |
|
2024-01-30 05:00:16 | Mémoire de sécurité: \\ 'c'est la saison de Tax Hax Security Brief: \\'Tis the Season for Tax Hax (lien direct) |
Ce qui s'est passé Les chercheurs de ProofPoint ont récemment identifié le retour de TA576, un acteur de menace cybercriminale qui utilise des leurres sur le thème de la taxe ciblant spécifiquement les organisations comptables et financières.Cet acteur n'est généralement actif que les premiers mois de l'année pendant la saison fiscale des États-Unis, ciblant généralement les organisations en Amérique du Nord avec des campagnes de messagerie à faible volume.Dans toutes les campagnes, l'acteur par e-mail des demandes d'aide à la préparation des revenus et tentera de livrer des chevaux de Troie à distance (rats). Dans les deux premières campagnes observées en janvier 2024, l'acteur a utilisé un compte compromis pour envoyer des e-mails bénins censés demander une assistance fiscale.Bien que le compte de l'expéditeur ait été compromis, les e-mails comportaient une adresse de réponse avec un domaine récemment enregistré qui appartient probablement à l'acteur de menace.L'acteur de menace a fourni une trame de fond et a demandé des prix et une disponibilité.Si la cible a répondu, l'acteur de menace a répondu par une URL malveillante Google Firebase (Web.App). Lyure sur le thème des impôts utilisé par TA576. Si l'URL était cliquée, elle redirigea vers le téléchargement d'un fichier de raccourci zippé (LNK).Si ce raccourci était exécuté, il a exécuté PowerShell encodé via l'injection SyncappvpublishingServer.vbs lolbas.La commande PowerShell a lancé MSHTA pour exécuter la charge utile de l'application HTML (HTA) à partir d'une URL fournie.Vivant des techniques de binaires terrestres, scripts et bibliothèques (lolbas) devient de plus en plus populaire parmi les menaces cybercriminales. Exemple de cible de raccourci. Le code prend une séquence de valeurs numériques, soustrait un nombre de chacun (dans ce cas 593), et convertit chaque résultat en un caractère utilisant le casting de type [char], et concaténe les caractères en une chaîne stockée dans la variable $ k.Fait intéressant, le nombre soustrait diffère du raccourci au raccourci. La charge utile HTA a exécuté une commande PowerShell à AES Decrypt et décompresser une autre commande qui a téléchargé un exécutable dans le dossier% AppData% et l'a exécuté.Cette technique est similaire à celle précédemment documentée par SANS ISC.L'exécutable de la campagne TA576 a utilisé la technique d'évasion de la "porte du ciel" pour exécuter Parallax Rat. Résumé de la chaîne d'attaque: Message bénigne> Réponse cible> Réponse de l'acteur avec web.app URL> Redirection> zip> lnk> syncappvpublishingServer.vbs lolbas> PowerShell> mshta exécute HTA à partir de l'URL> PowerShell cryptée> Obfuscated PowerShell> Télécharger et exécuter l'exe exe Les campagnes de 2024 de TA576 \\ sont notables car il s'agit du premier point de preuve a observé que l'acteur livrant Parallax Rat.De plus, la chaîne d'attaque de l'acteur \\ à l'aide de techniques LOLBAS et de plusieurs scripts PowerShell est nettement différente des campagnes précédemment observées qui ont utilisé des URL pour zipper les charges utiles JavaScript ou des documents Microsoft Word en macro. Attribution TA576 est un acteur de menace cybercriminale.ProofPoint a suivi TA576 depuis 2018 via des techniques de création de courriels de spam, une utilisation des logiciels malveillants, des techniques de livraison de logiciels malveillants et d'autres caractéristiques.Cet acteur utilise des leurres d'impôt contenant des caractéristiques et des thèmes similaires pendant la saison fiscale américaine pour livrer et installer des rats.Les objectifs de suivi de Ta576 \\ sont inconnus.Bien que les secteurs les plus fréquemment observés ciblés incluent les entités comptables et financières, Proof Point a également observé le ciblage des industries connexes telles que le légal. Pourquoi est-ce important Les campagnes annuelles sur le thème de l'impôt de TA576 \\ servent de rappel récurrent que les acteurs des menaces de cybercri | Spam Malware Threat Prediction | ★★ | |
|
2024-01-29 14:42:02 | Informations exploitables: protégez vos identités vulnérables Actionable Insights: Protect Your Vulnerable Identities (lien direct) |
In this blog series, we cover how to improve your company\'s security posture with actionable insights. Actionable insights are a critical tool to help you improve your security posture and stop initial compromise in the attack chain. You can use them to identify and respond to potential risks, enhance your incident response capabilities and make more informed security decisions. Figure 1. Steps in the cyberattack chain. In previous actionable insights blog posts, we covered these topics: People risk Origin risk Business email compromise (BEC) risk Ensuring proper risk context Risk efficacy Telephone-oriented attack delivery (TOAD) risk Threat intelligence Executive Summary Condemnation Summary In this post, we show you the value of integrating data from Proofpoint Identity Threat Defense into the Proofpoint Targeted Attack Protection (TAP) Dashboard. You can now use this data about your identity risks to stop initial compromise and prevent the lateral movement of threats in your environment. Get insights about your vulnerable identities IT and security professionals are always looking for ways to stay ahead of evolving threats and protect their organizations. The TAP Dashboard from Proofpoint has long been a valuable tool in this fight. It provides crucial visibility into email threats and user activity. Now that the TAP Dashboard uses data from Proofpoint Identity Threat Defense, it has become even more powerful. Rich data about identity risks can help you see the impact of a potential compromise without having to leave the TAP Dashboard. Let\'s explore what this looks like in the dashboard-and how you can use this identity data to strengthen your security posture. Insights for supercharged visibility One new addition to the People page in the TAP Dashboard is the Identity Threat Attack Paths column. It reveals the currently available attack paths for each user, which are based on their identified vulnerabilities. No more digging through separate tools. You can now have a clear picture within the TAP Dashboard of how a threat actor could use each identity to escalate privilege and move laterally. Figure 2. Identity Threat Attack Paths column in the TAP Dashboard. You can also view identity risk factors for each user. This allows you to gain a deeper understanding of the potential impact of compromise for each user. The metrics you can view include: Overall risk exposure Number of potential attack paths associated with the user Key identity vulnerabilities associated with the user Figure 3. Identity risk factors for individual users. This data can help you to prioritize your response efforts. You can use it to better focus on securing the identities that might be used to cause the most harm to your business. Example use case Take this example of a hypothetical user named Dona Hosby, a 47-year-old finance director. She has access to client accounts and sensitive financial data. Despite her crucial role in the business, Hosby tends to be less cautious about clicking on suspicious email links and attachments. From the TAP Dashboard, Hosby is identified as a Very Attacked Person™ (VAP) with a high attack index. However, this risk level is not unique to her; others in the company share similar risk levels. With data enrichment from Proofpoint Identity Threat Defense, the TAP Dashboard shows that Hosby is also a shadow admin, which exposes her to critical risks. A shadow admin is an individual or account that has elevated privileges or access rights that are not in compliance with the company\'s security policies. We can also see the number of lateral attack paths (41) an attacker could take from Hosby\'s identity. This information can help the security team to pinpoint which VAPs in the organization pose a higher post-compromise risk. Figures 4 and 5 show what these insights look like in the TAP Dashboard. Figure 4: Example identity risk metrics in the TAP Dashboard for Dona Hosby. Fi | Tool Vulnerability Threat | ★★★ | |
|
2024-01-24 06:00:39 | 5 Common Privilege Escalation Attack Techniques with Examples (lien direct) | Privilege escalation is often a top aim for cybercriminals as they traverse the attack chain to exploit your IT crown jewels. It lets them achieve critical steps in the attack chain, like maintaining persistence and moving laterally within an environment. Once they\'ve initially compromised a host, they will seek to acquire higher privileges to gain access to valuable assets and create other mischief or damage. This blog post explains why privilege escalation is a significant challenge for today\'s businesses. We also present five common techniques, along with brief examples of each. And we offer a real-world example to underscore how bad actors use privilege escalation as a key intermediary step to carry out attacks. Understanding privilege escalation In cybersecurity, privilege escalation is the process by which an attacker gains access or permissions on a system that is at a higher level of privilege than what they had at the time of the initial compromise. Attackers look to escalate privileges in one of two ways. They either do this horizontally or vertically. Horizontal example This approach involves an attacker moving laterally within a network by compromising accounts at the same privilege level. As they move across the network, they can discover more targets and find more valuable data or systems. Here\'s an example of how a horizontal privilege escalation attack might unfold: An attacker uses stolen credentials to access a host with regular privileges within a company\'s network. The attacker identifies a file server within the network that has sensitive data. Multiple users can access it, but they can only read and write files. The attacker takes advantage of this shared access. They modify files within the shared file system, injecting malicious code or replacing critical configuration files. This activity may go unnoticed for a time because legitimate users regularly modify files on the shared file server. As other users interact with the compromised files, the attacker can increase the number of compromised accounts and hosts, collect sensitive data and prepare to launch a more widescale attack. Vertical example In this approach, attackers exploit identity vulnerabilities within a system or application to escalate their privileges from a basic user account to a privileged user. They might use social engineering tactics like phishing at first to trick users into handing over their login credentials. Here is how a vertical privilege escalation attack might play out: An attacker uses a compromised user account to gain access to a targeted system. They identify a known vulnerability in an application or service that is running on the system. The attacker creates and deploys an exploit to take advantage of this vulnerability. In this case, they take advantage of a flaw in the code that allows a user to escalate privileges without being authorized. The attacker can now change their privileges to a higher level, like system admin. Now that they have a lot of control over the system, the attacker can carry out a range of malicious actions. For example, they might change system configurations or steal data. Why it is important to prevent privilege escalation attacks The examples above make it clear that privilege escalation-enabled attacks can have a significant impact on businesses. To underscore the risk further, here are several other reasons these attacks are a cause for concern: Unauthorized access to and exposure of sensitive data Compromised user accounts and user identities Manipulated systems and configurations Disrupted business operations Data tampering and manipulation, such as with ransomware Legal and regulatory repercussions Reputational damage 5 Common privilege escalation attack techniques and examples Now that you understand the two main categories of privilege escalation and why you must be vigilant in defending against these techniques, let\'s look at five tactics that bad actors might use in | Tool Vulnerability Threat Commercial | ★★★ | |
|
2024-01-24 06:00:39 | (Déjà vu) 5 Techniques d'attaque d'escalade communes avec des exemples 5 Common Privilege Escalation Attack Techniques with Examples (lien direct) |
Privilege escalation is often a top aim for cybercriminals as they traverse the attack chain to exploit your IT crown jewels. It lets them achieve critical steps in the attack chain, like maintaining persistence and moving laterally within an environment. Once they\'ve initially compromised a host, they will seek to acquire higher privileges to gain access to valuable assets and create other mischief or damage. This blog post explains why privilege escalation is a significant challenge for today\'s businesses. We also present five common techniques, along with brief examples of each. And we offer a real-world example to underscore how bad actors use privilege escalation as a key intermediary step to carry out attacks. Understanding privilege escalation In cybersecurity, privilege escalation is the process by which an attacker gains access or permissions on a system that is at a higher level of privilege than what they had at the time of the initial compromise. Attackers look to escalate privileges in one of two ways. They either do this horizontally or vertically. Horizontal example This approach involves an attacker moving laterally within a network by compromising accounts at the same privilege level. As they move across the network, they can discover more targets and find more valuable data or systems. Here\'s an example of how a horizontal privilege escalation attack might unfold: An attacker uses stolen credentials to access a host with regular privileges within a company\'s network. The attacker identifies a file server within the network that has sensitive data. Multiple users can access it, but they can only read and write files. The attacker takes advantage of this shared access. They modify files within the shared file system, injecting malicious code or replacing critical configuration files. This activity may go unnoticed for a time because legitimate users regularly modify files on the shared file server. As other users interact with the compromised files, the attacker can increase the number of compromised accounts and hosts, collect sensitive data and prepare to launch a more widescale attack. Vertical example In this approach, attackers exploit identity vulnerabilities within a system or application to escalate their privileges from a basic user account to a privileged user. They might use social engineering tactics like phishing at first to trick users into handing over their login credentials. Here is how a vertical privilege escalation attack might play out: An attacker uses a compromised user account to gain access to a targeted system. They identify a known vulnerability in an application or service that is running on the system. The attacker creates and deploys an exploit to take advantage of this vulnerability. In this case, they take advantage of a flaw in the code that allows a user to escalate privileges without being authorized. The attacker can now change their privileges to a higher level, like system admin. Now that they have a lot of control over the system, the attacker can carry out a range of malicious actions. For example, they might change system configurations or steal data. Why it is important to prevent privilege escalation attacks The examples above make it clear that privilege escalation-enabled attacks can have a significant impact on businesses. To underscore the risk further, here are several other reasons these attacks are a cause for concern: Unauthorized access to and exposure of sensitive data Compromised user accounts and user identities Manipulated systems and configurations Disrupted business operations Data tampering and manipulation, such as with ransomware Legal and regulatory repercussions Reputational damage 5 Common privilege escalation attack techniques and examples Now that you understand the two main categories of privilege escalation and why you must be vigilant in defending against these techniques, let\'s look at five tactics that bad actors might use in | Tool Vulnerability Threat Commercial | ★★★ | |
|
2024-01-23 15:29:37 | Plus d'un quart des 2000 mondiaux ne sont pas prêts pour les règles d'authentification des e-mails rigoureuses à venir More than One-Quarter of the Global 2000 Are Not Ready for Upcoming Stringent Email Authentication Rules (lien direct) |
Le courrier électronique reste le principal canal de communication pour les organisations et les moyens de communication préférés pour les consommateurs.Et partout où les gens vont, les acteurs de la menace suivent.Les cybercriminels continuent d'exploiter les e-mails pour livrer le phishing, la fraude par e-mail, le spam et d'autres escroqueries.Mais Google, Yahoo!, Et Apple se battent avec de nouvelles exigences d'authentification par e-mail conçues pour empêcher les acteurs de la menace d'abuser des e-mails.Bien que ce changement majeur soit une excellente nouvelle pour les consommateurs, les organisations n'ont pas beaucoup de temps pour préparer le google, Yahoo!Et Apple commencera à appliquer ses nouvelles exigences au premier trimestre de 2024. Avec seulement des semaines jusqu'à ce que ces règles commencent à prendre effet, plus d'un quart (27%) des Forbes Global 2000 ne sont pas prêts pour ces nouvelles exigences;Cela peut avoir un impact significatif sur leur capacité à fournir des communications par e-mail à leurs clients en temps opportun et met leurs clients en danger de fraude par e-mail et d'escroqueries.En fait, notre rapport State of the Phish 2023 a révélé que 44% des consommateurs mondiaux pensent qu'un e-mail est sûr s'il inclut simplement l'image de marque familière. L'analyse de Proofpoint \\ de la Forbes Global 2000 et leur adoption du protocole ouvert DMARC (reporting et conformité d'authentification des messages basés sur le domaine), un protocole d'authentification largement utilisé qui aide à garantir l'identité des communications par e-mail et protège les noms de domaine du site Web contre le fait d'êtreusurpé et mal utilisé, montre: Plus d'un quart (27%) du Global 2000 n'a aucun enregistrement DMARC en place, indiquant qu'ils ne sont pas préparés aux prochaines exigences d'authentification par e-mail. 69% stupéfiants ne bloquent pas activement les e-mails frauduleux en atteignant leurs clients;Moins d'un tiers (31%) ont mis en œuvre le plus haut niveau de protection pour rejeter les e-mails suspects en atteignant leurs clients de réception. 27% ont mis en œuvre une politique de moniteur, ce qui signifie que des e-mails non qualifiés peuvent toujours arriver dans la boîte de réception du destinataire;et seulement 15% ont mis en œuvre une politique de quarantaine pour diriger des e-mails non qualifiés aux dossiers spam / indésirables. L'authentification par e-mail est une meilleure pratique depuis des années.DMARC est l'étalon-or pour se protéger contre l'identité des e-mails, une technique clé utilisée dans la fraude par e-mail et les attaques de phishing.Mais, comme le révèle notre analyse du Global 2000, de nombreuses entreprises doivent encore la mettre en œuvre, et celles qui sont à la traîne de l'adoption du DMARC devront désormais rattraper leur retard rapidement s'ils souhaitent continuer à envoyer des e-mails à leurs clients.Les organisations qui ne se contentent pas ne pourraient pas voir leurs e-mails acheminés directement vers les dossiers de spam des clients ou rejeté. La mise en œuvre peut cependant être difficile, car elle nécessite une variété d'étapes techniques et une maintenance continue.Toutes les organisations n'ont pas les ressources ou les connaissances en interne pour répondre aux exigences en temps opportun.Vous pouvez profiter de ressources telles que le kit technique et d'authentification de l'e-mail technique de Proofpoint \\ pour vous aider à démarrer.ProofPoint propose également un outil pour vérifier les enregistrements DMARC et SPF de votre domaine, ainsi que pour créer un enregistrement DMARC pour votre domaine.Cet outil fait partie d'une solution complète de défense de fraude par e-mail, qui fournit un SPF hébergé, un DKIM hébergé et des fonctionnalités DMARC hébergées pour simplifier le déploiement et la maintenance tout en augmentant la sécurité.La solution comprend également l'accès à des consultants hautement expérimentés pour vous guider à travers les workflows d'im | Spam Tool Threat Cloud Technical | ★★★ | |
|
2024-01-23 12:51:12 | Le paysage des menaces est toujours en train de changer: à quoi s'attendre en 2024 The Threat Landscape Is Always Changing: What to Expect in 2024 (lien direct) |
Gather \'round, cyber friends, and I\'ll let you in on a little secret: no one knows what the Next Big Thing on the threat landscape will be. But we can look back on 2023, identify notable changes and actor behaviors, and make educated assessments about what 2024 will bring. This month on the DISCARDED podcast my co-host Crista Giering and I sat down with our Threat Research leaders Daniel Blackford, Alexis Dorais-Joncas, Randy Pargman, and Rich Gonzalez, leaders of the ecrime, advanced persistent threat (APT), threat detection, and Emerging Threats teams, respectively. We discussed what we learned over the last year, and what\'s on the horizon for the future. While the discussions touched on different topics and featured different opinions on everything from artificial intelligence (AI) to living off the land binaries (LOLBins) to vulnerability exploitation to ransomware, there were some notable themes that are worth writing down. We can\'t say for sure what surprises are in store, but with our cyber crystals balls fully charged – and a deep knowledge of a year\'s worth of threat actor activity based on millions of email threats per day – we can predict with high confidence what\'s going to be impactful in the coming year. 1: Quick response (QR) codes will continue to proliferate 2023 was the year of the QR code. Although not new, QR codes burst on the scene over the last year and were used in many credential phishing and malware campaigns. The use was driven by a confluence of factors, but ultimately boiled down to the fact that people are now way more accustomed to scanning QR codes for everything from instructions to menus. And threat actors are taking advantage. Proofpoint recently launched new in-line sandboxing capabilities to better defend against this threat, and our teams anticipate seeing more of it in 2024. Notably, however, Dorais-Joncas points out that QR codes still just exist in the realm of ecrime – APT actors have not yet jumped on the QR code bandwagon. (Although, some of those APT actors bring ecrime energy to their campaigns, so it\'s possible they may start QR code phishing, too.) 2: Zero-day and N-day vulnerability exploitation A theme that appeared throughout our conversations was the creative use of vulnerabilities – both known and unreported – in threat actor activity. APT actors used a wide variety of exploits, from TA473 exploiting publicly-facing webmail servers to espionage actors using a zero-day in an email security gateway appliance that ultimately forced users to rip out and reinstall physical hardware. But ecrime actors also exploited their share of vulnerabilities, including the MOVEit file transfer service vulnerability from the spring of 2023 that had cascading repercussions, and the ScreenConnect flaw announced in the fall of 2023 – both of which were used by ecrime actors before being officially published. Proofpoint anticipates vulnerability exploitation will continue, driven in part by improved defense making old school techniques – like macro-enabled documents – much less useful, as well as the vast financial resources now available to cybercriminals that were once just the domain of APT. Pargman says the creativity from ecrime threat actors is a direct response of defenders imposing cost on our adversaries. 3: Continuing, unexpected behavior changes Avid listeners of the podcast know I have regularly said the ecrime landscape is extremely chaotic, with TA577 demonstrating the most chaotic vibes of them all. The tactics, techniques, and procedures (TTPs) of some of the most sophisticated actors continue to change. The cost imposed on threat actors that Pargman mentioned – from law enforcement takedowns of massive botnets like Qbot to improved detections and automated defenses – have forced threat actors, cybercriminals in particular, to regularly change their behaviors to figure out what is most effective. For example, recently Proofpoint has observed the increased use of: traffic dis | Ransomware Malware Tool Vulnerability Threat Prediction | ★★★ | |
|
2024-01-22 06:00:26 | Types de menaces et d'attaques d'identité que vous devez être consciente Types of Identity Threats and Attacks You Should Be Aware Of (lien direct) |
It\'s easy to understand why today\'s cybercriminals are so focused on exploiting identities as a key step in their attacks. Once they have access to a user\'s valid credentials, they don\'t have to worry about finding creative ways to break into an environment. They are already in. Exploiting identities requires legwork and persistence to be successful. But in many ways this tactic is simpler than exploiting technical vulnerabilities. In the long run, a focus on turning valid identities into action can save bad actors a lot of time, energy and resources. Clearly, it\'s become a favored approach for many attackers. In the past year, 84% of companies experienced an identity-related security breach. To defend against identity-based attacks, we must understand how bad actors target the authentication and authorization mechanisms that companies use to manage and control access to their resources. In this blog post, we will describe several forms of identity-based attacks and methods and offer an overview of some security controls that can help keep identity attacks at bay. Types of identity-based attacks and methods Below are eight examples of identity attacks and related strategies. This is not an exhaustive list and, of course, cybercriminals are always evolving their techniques. But this list does provide a solid overview of the most common types of identity threats. 1. Credential stuffing Credential stuffing is a type of brute-force attack. Attackers add pairs of compromised usernames and passwords to botnets that automate the process of trying to use the credentials on many different websites at the same time. The goal is to identify account combinations that work and can be reused across multiple sites. Credential stuffing is a common identity attack technique, in particular for widely used web applications. When bad actors find a winning pair, they can steal from and disrupt many places at once. Unfortunately, this strategy is highly effective because users often use the same passwords across multiple websites. 2. Password spraying Another brute-force identity attack method is password spraying. A bad actor will use this approach to attempt to gain unauthorized access to user accounts by systematically trying commonly used passwords against many usernames. Password spraying isn\'t a traditional brute-force attack where an attacker attempts to use many passwords against a single account. It is a more subtle and stealthy approach that aims to avoid account lockouts. Here\'s how this identity attack usually unfolds: The attacker gathers a list of usernames through public information sources, leaked databases, reconnaissance activities, the dark web and other means. They then select a small set of commonly used or easily guessable passwords. Next, the attacker tries each of the selected passwords against a large number of user accounts until they find success. Password spraying is designed to fly under the radar of traditional security detection systems. These systems may not flag these identity-based attacks due to the low number of failed login attempts per user. Services that do not implement account lockout policies or have weak password policies are at risk for password spraying attacks. 3. Phishing Here\'s a classic and very effective tactic that\'s been around since the mid-1990s. Attackers use social engineering and phishing to target users through email, text messages, phone calls and other forms of communication. The aim of a phishing attack is to trick users into falling for the attacker\'s desired action. That can include providing system login credentials, revealing financial data, installing malware or sharing other sensitive data. Phishing attack methods have become more sophisticated over the years, but they still rely on social engineering to be effective. 4. Social engineering Social engineering is more of an ingredient in an identity attack. It\'s all about the deception and manipulation of users, and it\'s a feature in | Malware Vulnerability Threat Patching Technical | ★★ | |
|
2024-01-18 05:00:52 | Mémoire de sécurité: TA866 revient avec une grande campagne de messagerie Security Brief: TA866 Returns with a Large Email Campaign (lien direct) |
What happened Proofpoint researchers identified the return of TA866 to email threat campaign data, after a nine-month absence. On January 11, 2024, Proofpoint blocked a large volume campaign consisting of several thousand emails targeting North America. Invoice-themed emails had attached PDFs with names such as “Document_[10 digits].pdf” and various subjects such as “Project achievements”. The PDFs contained OneDrive URLs that, if clicked, initiated a multi-step infection chain eventually leading to the malware payload, a variant of the WasabiSeed and Screenshotter custom toolset. Screenshot of an email with an attached PDF. If the user clicked on the OneDrive URL inside the PDF, they were: Served a JavaScript file hosted on OneDrive. The JavaScript, if run by the user, downloaded and ran an MSI file. The MSI file executed an embedded WasabiSeed VBS script. The WasabiSeed VBS script then downloaded and executed a second MSI file as well as continued polling for additional payloads in a loop. The additional payloads are currently unknown. Finally, the second MSI file contained components of the Screenshotter screenshot utility which took a screenshot of the desktop and sent it the C2. Attack chain summary: Email > PDF > OneDrive URL > JavaScript > MSI / VBS (WasabiSeed) > MSI (Screenshotter). The attack chain was similar to the last documented email campaign using this custom toolset observed by Proofpoint on March 20, 2023. The similarities helped with attribution. Specifically, TA571 spam service was similarly used, the WasabiSeed downloader remained almost the same, and the Screenshotter scripts and components remained almost the same. (Analyst Note: While Proofpoint did not initially associate the delivery TTPs with TA571 in our first publication on TA866, subsequent analysis attributed the malspam delivery of the 2023 campaigns to TA571, and subsequent post-exploitation activity to TA866.) One of the biggest changes in this campaign from the last observed activity was the use of a PDF attachment containing a OneDrive link, which was completely new. Previous campaigns used macro-enabled Publisher attachments or 404 TDS URLs directly in the email body. Screenshot of “TermServ.vbs” WasabiSeed script whose purpose is to execute an infinite loop, reaching out to C2 server and attempting to download and run an MSI file (empty lines were removed from this script for readability). Screenshot of “app.js”, one of the components of Screenshotter. This file runs “snap.exe”, a copy of legitimate IrfanView executable, (also included inside the MSI) to save a desktop screenshot as “gs.jpg”. Screenshot of “index.js”, another Screenshotter component. This code is responsible for uploading the desktop screenshot ”gs.jpg” to the C2 server. Attribution There are two threat actors involved in the observed campaign. Proofpoint tracks the distribution service used to deliver the malicious PDF as belonging to a threat actor known as TA571. TA571 is a spam distributor, and this actor sends high volume spam email campaigns to deliver and install a variety malware for their cybercriminal customers. Proofpoint tracks the post-exploitation tools, specifically the JavaScript, MSI with WasabiSeed components, and MSI with Screenshotter components as belonging to TA866. TA866 is a threat actor previously documented by Proofpoint and colleagues in [1][2] and [3]. TA866 is known to engage in both crimeware and cyberespionage activity. This specific campaign appears financially motivated. Proofpoint assesses that TA866 is an organized actor able to perform well thought-out attacks at scale based on their availability of custom tools, and ability and connections to purchase tools and services from other actors. Why it matters The following are notable characteristics of TA866\'s return to email threat data: TA866 email campaigns have been missing from the landscape for over nine months (although there are indications that the actor was meanwhile | Spam Malware Tool Threat | ★★ | |
|
2024-01-17 06:00:02 | Comment mettre en place un programme de gestion des menaces d'initié et de prévention des pertes de données How to Set Up an Insider Threat Management and Data Loss Prevention Program (lien direct) |
This blog post is adapted from our e-book, Getting Started with DLP and ITM. The last few years have brought unprecedented change. An increasingly distributed workforce, access to more data through more channels and a shift to the cloud have transformed the nature of work. These trends have made protecting sensitive data more complicated and demanding. What\'s clear is that organizations are struggling to rise to the challenge. Between 2020 and 2022, insider threats increased by a staggering 44%. And the costs of addressing them increased 34%-from $11.45 million to $15.38 million. This upswing mainly comes down to two factors. For starters, most security teams have little visibility into people-caused data loss and insider-led security incidents. And few have the tools or resources to handle it. That\'s why Gartner sees platforms for data loss prevention and insider threat management (DLP and ITM) increasingly converging. Businesses need tools and processes that give them holistic, contextualized insights that take user behavior into account. It\'s no longer enough to focus on data-and where it\'s moving. To prevent data loss, industry leaders need to take a people-centric approach that expands beyond traditional drivers like compliance. In this blog post, we\'ll explore some basics for designing an ITM and DLP program. This can help you approach information protection in a way that\'s built for how modern organizations work. Why information protection is so challenging Risks are everywhere in today\'s complex landscape. Here are a few changes making it difficult for companies to protect their data. More data is open to exposure and theft. As businesses go digital, more data is being generated than ever before. According to IDC\'s Worldwide Global DataSphere Forecast, the total amount of data generated data will double from 2022 to 2026. That means malicious insiders will have more access to more sensitive data through more channels. It will also be easier for careless users to expose data inadvertently. Plus, any security gap between channels, any misconfiguration or any accidental sharing of files can give external attackers more opportunities to steal data. New data types are hard to detect. Data isn\'t just growing in volume. It\'s also becoming more diverse, which makes it harder to detect and control. With traditional DLP program tools, data typically fits within very tightly defined data patterns (such as payment card number). But even then, it generates too many false positives. Now, key business data is more diverse and can be graphical, tabular or even source code. The network security perimeter no longer exists. With more employees and contractors working remotely, the security perimeter has shifted from brick and mortar to one based on people. Add to the mix bring-your-own-device (BYOD) practices, where the personal and professional tend to get blurred, and security teams have even more risks to contend with. In a survey for the 2023 State of the Phish report from Proofpoint, 72% of respondents said they use one or more of their personal devices for work. Employee churn is high. Tech industry layoffs in 2022 and 2023 have seen many employees leaving and joining businesses at a rapid rate. The result is greater risk of data exfiltration, infiltration and sabotage. Security leaders know it, too-39% of chief information security officers rated improving information protection as the top priority over the next two years. Security talent is in short supply. A lack of talent has left many security teams under-resourced. And the situation is likely to get worse. In 2023, the cybersecurity workforce gap hit an all-time high-there are 4 million more jobs than there are skilled workers. DLP vs. ITM What\'s the difference between DLP and ITM? Both DLP and ITM work to prevent data loss. But they achieve it in different ways. DLP tracks data movement and exfiltration DLP monitors file activity and scans content to see whether users are handling sen | Tool Threat Cloud Technical | ★★ | |
|
2024-01-16 08:32:19 | Défense post-livraison à propulsion du cloud: la dernière innovation de Proofpoint \\ dans la protection des e-mails Cloud-Powered Post-Delivery Defense: Proofpoint\\'s Latest Innovation in Email Protection (lien direct) |
Cybercriminals are constantly innovating so that they can infiltrate your systems and steal your valuable data. They do this through a complex multi-stage method commonly known as the attack chain. During the initial compromise, attackers use advanced email threats like phishing scams, malware attachments, business email compromise (BEC) and QR code threats to get a foothold in your systems. That\'s why email security tools typically focus on stopping these threats. Steps in the attack chain. But no technology is foolproof. Inevitably, some emails will get through. To keep your company safe, you need an email security solution that can detect, analyze and remediate email threats post-delivery. That\'s where Proofpoint can help. Proofpoint Cloud Threat Response is the cloud-based alternative to TRAP (Threat Response Auto-Pull), known for its effective post-delivery remediation capabilities. Not only is this solution easy to use, but it also automates post-detection incident response and remediation tasks that slow down security teams. In this blog post, we\'ll highlight some of its capabilities and benefits. Overview of Cloud Threat Response capabilities Proofpoint Cloud Threat Response keeps you safer by remediating threats post-delivery. Plus, it helps security teams prioritize and execute response actions three different ways: Automatically by Proofpoint. Cloud Threat Response automatically analyzes emails post-delivery. It identifies and quarantines malicious emails within user inboxes. Doing so reduces the risk that users will interact with them, helping to prevent your business from being compromised. Manually by the SOC team. Your security team gains instant access to detailed email analysis, historical data and risk scoring through an integration with Proofpoint Smart Search. This integration makes it easier for you to delve into specific emails and swiftly identify and remove any lurking threats. With the assistance of end users. Users can report messages that look suspicious thanks to a simple button directly integrated into their mailboxes. Reported emails are automatically investigated and are neutralized if determined to be a threat. Proofpoint Cloud Threat Response benefits At many companies, security incident response is a slow and labor-intensive process. Responding to security incidents may take days or weeks depending on the size of your security team. Time-intensive tasks can turn into painful bottlenecks. Compare that to Proofpoint Cloud Threat Response, which automates and simplifies threat response tasks. Here\'s what you can expect: Enjoy a simplified management interface. Our centralized, modern interface simplifies how you manage email security. From this dashboard, you can manage a range of tasks, including threat reporting, threat analysis and user administration. The simplified, modern interface of Proofpoint Cloud Threat Response. Respond to incidents faster. Proofpoint Cloud Threat Response acts on intelligence from our Supernova detection engine, which improves threat detection and reduces the mean time to respond (MTTR). Spend less time on deployment and maintenance. Because it\'s cloud native, our platform is not only easy to deploy but it eliminates the need for on-premises infrastructure. Plus, your investment is future-proof, and it comes with automated maintenance and security updates. Streamline security operations. Use Single Sign-On (SSO) to seamlessly navigate between Cloud Threat Response and other Proofpoint apps such as Targeted Attack Protection, Email Fraud Defense and Email Protection. This helps to boost analyst efficiency and response times. See more threats. It automatically shares a threat\'s remediation status across your other Proofpoint platforms. This increases threat visibility and helps you to identify and neutralize threats faster. Proofpoint Cloud Threat Response is integrated with Proofpoint threat intelligence and abuse mailbox sources. Contain threats quickly. Malici | Malware Tool Threat Cloud | ★★ | |
|
2024-01-12 06:00:17 | Déterministe vs détection de menace probabiliste: quelle est la différence? Deterministic vs. Probabilistic Threat Detection: What\\'s the Difference? (lien direct) |
When you understand the difference between deterministic and probabilistic threat detection, you can better choose the right mix of processes and tools that will keep your data, systems and users most secure. Here is a spoiler, though: As you compare probabilistic and deterministic methods, you will likely conclude that both approaches are needed to some degree. That means you\'re on the right track. When you employ both, you can use the strengths of each approach while mitigating their respective weaknesses. In other words, these methods are different but complementary. To help you figure out when to use each method, we put together this overview. In each section, we start by defining terms, and then we delve into the pros and cons of using the approach to detect threats. What is probabilistic threat detection? Probabilistic threat detection involves the use of probability-based analytic methods to identify potential security threats or malicious activities within a system. This approach doesn\'t rely on fixed (deterministic) rules or signatures alone. Instead, it relies on the likelihood-or probability-that certain behaviors or patterns may indicate the presence of a security threat. Tools for probabilistic threat detection analyze various factors and assign weights to different indicators. That helps cybersecurity systems-and security teams-to prioritize and respond to potential threats based on their perceived risk. This approach to threat detection presents advantages as well as challenges. Here\'s a look at some of the pros and cons of using probabilistic and deterministic detections. Pros Let\'s start with the pros of probabilistic threat detection. Adaptability to new threats. Probabilistic threat detection can help you identify new and evolving threats that may not have definitive signatures. Machine learning and behavioral analysis can adapt to changing attack tactics. Slight pivots in attacker tools and techniques won\'t necessarily fake out these detection techniques. Reduced false positives to unknown threats. Probabilistic methods may result in fewer false negatives for threats that have not been seen before. That\'s because these methods don\'t require a perfect match to a known signature to send an alert. Probabilistic methods are inherently non-binary. Behavioral analysis. This is often part of probabilistic threat detection. It typically uses a baseline of normal system behavior. That, in turn, makes it easier to detect deviations that may indicate a security threat. Continuous learning. Machine learning models for probabilistic threat detection can continuously learn, incorporate feedback from security analysts, and adapt to changes in the threat landscape. That means their accuracy is not static and can improve over time. Cons Now, here is a rundown of some cons. False positives. Probabilistic methods will produce false positives. They rely on statistical models that might interpret unusual but benign behavior as a potential threat. That can lead to alerts on activities that aren\'t malicious. Taken to extremes this can waste security analysts\' time. But making the models less sensitive can lead to false negatives. That\'s why tuning is part of ongoing maintenance. Complexity and resource intensiveness. Implementing and maintaining probabilistic threat detection systems can be complex and demand a lot of resources. That is especially true when it comes to systems that use machine learning because they require a great deal of computing power and expertise to operate. Cost issues. Probabilistic methods and tools deal with uncertainty, which is a key design principle. So they may not be as cost effective as deterministic approaches for detecting well-known threats. Difficulty in interpreting results. It can be a challenge to understand the output of probabilistic models. You may have difficulty discerning why a particular activity is flagged as a potential threat, as the rationale is deep within the model. To interpret the results, you | Malware Tool Vulnerability Threat | ★★ | |
|
2024-01-09 11:57:12 | L'augmentation préoccupante des attaques centrées sur l'identité: tendances et faits The Concerning Rise in Identity-Centric Attacks: Trends and Facts (lien direct) |
Identity threats are by no means a new type of crime. But in today\'s increasingly digitized world, there are more opportunities for bad actors to steal identities and engage in identity-centric attacks than ever before. Unfortunately, user identities are tough for businesses to protect. The fact that these types of attacks are skyrocketing is evidence of that-in the past year alone the Identity Defined Security Alliance reports that a whopping 84% of companies experienced an identity-related security breach. In this post, we\'ll take a look at identity attack statistics and trends and provide some recent case studies to illustrate how some attacks work. We\'ll also highlight one of the most important identity threat facts-that the human element plays a crucial role in the success of these attacks. Understanding identity-centric attacks There are many types of identity attacks. When most people think of these types of crimes, they often imagine traditional identity theft scenarios: Financial identity theft, where a criminal gains access to a victim\'s financial data, like their credit card details, bank account numbers or Social Security number, to make unauthorized purchases, withdraw funds or open new accounts. Tax identity theft, where a bad actor uses a victim\'s personal information to file false tax returns and claim refunds, diverting the money to their own accounts. Employment identity theft, where a fraudster uses a victim\'s identity to get a job, potentially causing issues for that person when discrepancies arise in their employment and tax records. But identity-based attacks also target enterprises and their online users. The cybercriminals behind these attacks might aim to steal sensitive data, siphon off funds, damage or disrupt systems, deploy ransomware or worse. Those are the types of identity attacks we\'re covering here. Identity threat trends and tactics In short, identity-centric attacks are a practical calculation by bad actors: Why would they invest their time and resources to build exploits to help them get in through a virtual back door when they can just walk through the front door? But before they reap the rewards, they still have some legwork to do. Here are a few techniques that cybercriminals use to progress identity-based attacks against businesses and their users: MFA bypass attacks. Many businesses today use multifactor authentication (MFA) to protect the account of their users. It\'s more secure than using passwords alone. But of course, bad actors have found new ways to bypass commonly used MFA methods. MFA fatigue attacks are one example. People-activated malware. People often give life to malware when they fall for a phishing scam or other social engineering tactics. Malware can appear in the form of a .zip file, QR code, .html link, MS Office file and more-there are at least 60 known techniques to plant people-activated malware on corporate networks. Active Directory (AD) attacks. Most enterprises today use AD as a primary method for directory services like user authentication and authorization. Cybercriminals are keen to target AD, which touches almost every place, person and device on a network. This approach works very well, too-more than half of identity-related breaches can be traced back to AD. Cached credentials harvesting. Cached credentials are commonly stored on endpoints, in memory, in the registry, in a browser or on disk. Attackers use various tools and techniques to collect these credentials and gain access to more privileged identities. Once they have harvested these credentials, they can use them to move laterally and log into different applications. Adversaries are likely to find a good “crop” when they are harvesting cached credentials. Recent research from Proofpoint found that more than one in 10 endpoints have exposed privileged account passwords, making it one of the most common identity risks. Keep in mind that cybercriminals are always innovating, and they are quick to build or adopt tools that | Ransomware Malware Tool Threat Studies | Uber | ★★ |
|
2024-01-08 17:33:02 | Proofpoint célèbre une année historique Proofpoint Celebrates a Landmark Year (lien direct) |
L'année dernière, les violations de données à grande échelle ont continué de dominer les gros titres, les progrès de l'IA générative se sont transformés en une épée à double tranchant pour les adversaires et les défenseurs et les acteurs de la menace ont adapté leur métier à une vitesse aveuglante.Dans ce contexte difficile pour les organisations, il reste une constante: les humains et leurs identités sont les liens les plus ciblés de la chaîne d'attaque. Chez Proofpoint, nous comprenons le risque humain d'une manière que les autres ne peuvent pas faire de la lumière sur qui est attaqué, dont le comportement est risqué, dont le récit compromis détient les clés du royaume et qui met les données en danger.C'est précisément pourquoi les organisations du monde entier nous font confiance pour protéger leur peuple et défendre leurs données. 2023: une année record pour Proofpoint et nos clients Nous avons terminé l'année avec un énorme élan des affaires, malgré un environnement économique incertain.Nous avions un quatrième trimestre record pour les nouvelles entreprises, augmentant de plus de 20% d'une année sur l'autre et nous avons quitté l'année avec des revenus récurrents annuels (ARR) au milieu de l'adolescence.Les faits saillants notables incluent: Nos clients existants ont adopté notre pile complète de solutions de sécurité centrées sur l'homme, à travers nos solutions stratégiques de protection contre les menaces et de protection de l'information, ce qui a contribué à une croissance ARR de plus de 20%.Il s'agit notamment de solutions pour la défense de la fraude par e-mail, la défense des menaces d'identité, ainsi que la protection de l'information, notamment la gestion des menaces d'initié et le DLP multicanal. Nous avons ajouté de nouveaux clients, avec plus de 1 200 nouvelles organisations contenant le point de preuve en tant que partenaire de cybersécurité de choix en 2023. Nous avons continué à voir une grande validation du marché de notre offre avec un taux de rétention très sain pour notre entreprise avec des clients existants (90 +%). De plus, notre récente acquisition de Tessian ajoute une détection comportementale et dynamique alimentée par l'IA pour donner à nos clients la protection la plus complète et la plus complète centrée sur l'homme dans l'industrie, avec un modèle de déploiement flexible, tirant parti des solutions en ligne et basées sur l'API.Avec l'industrie, d'abord, les innovations alimentées par AI- et ML lancées l'automne dernier, Proofpoint permet désormais aux clients de détecter et de se défendre contre les menaces modernes d'aujourd'hui, alimentées par l'un des ensembles de données les plus complets disponibles. Notre innovation implacable n'est pas passée inaperçue, avec Proofpoint Winning Premier Security Company et la meilleure sensibilisation à la sécurité aux 2023 Ciso Choice Awards, la première reconnaissance des fournisseurs en beauté sélectionnée par un conseil d'administration de CISO. 2024: Un engagement inébranlable dans notre mission de protéger les gens et de défendre les données La protection de la couche humaine n'a jamais été aussi haut de gamme.En fait, Gartner a identifié la sécurité centrée sur l'homme comme l'un des trois seuls impératifs stratégiques pour les CISO en 2024 et 2025 [1].Contrairement à d'autres solutions qui offrent une protection fragmentaire, fragmentée et incomplète à des coûts plus élevés, Proofpoint offre une sécurité complète sur l'homme sur laquelle les clients peuvent s'appuyer. Nos objectifs de 2024 sont de: Développez nos plateformes de sécurité et de protection de l'information centrées sur l'homme avec d'autres innovations, afin que les clients bénéficient de la protection des menaces la plus avancée disponible sur le marché.Notre objectif est de permettre à nos clients de construire une stratégie de sécurité complète centrée sur l'homme qui atténue les quatre types de risques critiques de cybersécurité: a | Threat | ★★★ | |
|
2024-01-08 06:00:19 | ProofPoint reconnu en 2023 Gartner & Reg;Guide du marché pour les solutions de gestion des risques d'initiés Proofpoint Recognized in 2023 Gartner® Market Guide for Insider Risk Management Solutions (lien direct) |
It\'s easy to understand why insider threats are one of the top cybersecurity challenges for security leaders. The shift to remote and hybrid work combined with data growth and cloud adoption has meant it\'s easier than ever for insiders to lose or steal data. Legacy systems simply don\'t provide the visibility into user behavior that\'s needed to detect and prevent insider threats. With so much potential for brand and financial damage, insider threats are now an issue for the C-suite. As a result, businesses are on the lookout for tools that can help them to better manage these threats. To help businesses understand what to look for, Gartner has recently released Market Guide for Insider Risk Management Solutions. In this report, Gartner explores what security and risk leaders should look for in an insider risk management (IRM) solution. It also provides guidance on how to implement a formal IRM program. Let\'s dive into some of its highlights. Must-have capabilities for IRM tools Gartner states that IRM “refers to the use of technical solutions to solve a fundamentally human problem.” And it defines IRM as “a methodology that includes the tools and capabilities to measure, detect and contain undesirable behavior of trusted accounts in the organization.” Gartner identifies three distinct types of users-careless, malicious and compromised. That, we feel, is in line with our view at Proofpoint. And the 2022 Cost of Insider Threats Global Report from Ponemon Institute notes that most insider risks can be attributed to errors and carelessness, followed by malicious and compromised users. In its Market Guide, Gartner identifies the mandatory capabilities of enterprise IRM platforms: Orchestration with other cybersecurity tooling Monitoring of employee activity and assimilating into a behavior-based risk model Dashboarding and alerting of high-risk activity Orchestration and initiation of intervention workflows This is the third consecutive year that Proofpoint is a Representative Vendor in the Market Guide. Proofpoint was an early and established leader in the market for IRM solutions. Our platform: Integrates with a broad ecosystem of cybersecurity tools. Our API-driven architecture means it\'s easy for you to feed alerts into your security tools. That includes security information and event management (SIEM) as well as SOAR and service management platforms, such as Splunk and ServiceNow. That, in turn, helps you gain a complete picture of potential threats. Provides a single lightweight agent with a dual purpose. With Proofpoint, you get the benefit of data loss prevention (DLP) and ITM in a single solution. This helps you protect against data loss and get deep visibility into user activities. With one agent, you can monitor everyday users. That includes low-risk and regular business users, risky users, such as departing employees, privileged users and targeted users. Offers one centralized dashboard. This saves you time and effort by allowing you to monitor users, correlate alerts and triage investigations from one place. You no longer need to waste your time switching between tools. You can quickly see your riskiest users, top alerts and file exfiltration activity in customizable dashboards. Includes tools to organize and streamline tasks. Proofpoint ITM lets you change the status of events with ease, streamline workflows and better collaborate with team members. Plus, you can add tags to help group and organize your alerts and work with more efficiency. DLP and IRM are converging In its latest Market Guide, Gartner says: “Data loss prevention (DLP) and insider risk strategies are increasingly converging into a unified solution. The convergence is driven by the recognition that preventing data loss and managing insider risks are interconnected goals.” A legacy approach relies on tracking data activity. But that approach is no longer sufficient because the modern way of working is more complex. Employees and third parties have access to more data than ever before. And ex | Tool Threat Cloud Technical | ★★★ | |
|
2024-01-05 06:00:31 | 2023 Année en revue: versions de contenu axées sur les menaces pour la sensibilisation à la sécurité 2023 Year in Review: Threat-Driven Content Releases for Security Awareness (lien direct) |
As a new year approaches, it is natural to reflect on recent accomplishments. At Proofpoint, we are reflecting on our work to deliver security awareness content and updated features in line with our ongoing goal to drive behavior change. Proofpoint Security Awareness integrates our rich threat intelligence, which means it taps into current and emerging attacks. Our threat analysts surface threat trends, such as artificial intelligence (AI)-enhanced vishing, malicious QR codes and remote IT support scams. And then we work quickly to release new training features and awareness material to ensure inform security administrators and educate employees about ever-evolving attacks. In 2023, our content releases focused on three areas: Delivering a threat-driven program Improving how security awareness administrators work Enhancing how people learn Let\'s review the past year and explore how Proofpoint used content releases to respond to the changing threat landscape. Image from AI Chatbot Threats training (play video). Quick turnaround for threat trends Proofpoint Security Awareness alerts customers to threats in two powerful ways-Threat Alerts and Attack Spotlights. It also continuously trains employees with threat-driven training modules. Threat Alerts These weekly releases focus on a specific and current ongoing attack. They explain what the threat is and who it might target. And they describe a specific lure, if applicable. Each alert is linked to activity that our threat analysts see happening in the wild. We recommend applicable training like simulated phishing and awareness material and include suggested email messaging. In 2023, we released Threat Alerts on: IRS-themed phishing lures for tax season (February, March, April) AI-enhanced vishing calls that impersonate loved ones (March) Malicious QR codes for credential phishing (May, August) Telephone-oriented attack delivery (TOAD) using a Geek Squad PDF lure (July, October) Charity donation scams around the Israel-Palestine crisis (October) Christmas party lures for credential phishing (November) Attack Spotlights These monthly releases cast a wider lens on attack types. They focus on a time-based or reoccurring threat that is expected to trend, typically related to holidays, travel seasons or shopping events. Each spotlight is released a month in advance with a campaign plan, awareness material and training modules, and is available in 12 core languages. In 2023, Proofpoint published these Attack Spotlight campaigns: Smishing with package delivery lures (February) Business email compromise (BEC) phishing with requests for quotations (RFQs) (April) LinkedIn phishing lures (May) Amazon phishing lures (June) Remote IT support scams (September) Gift card scams (December) Image from Attack Spotlight video (play video). Threat modules These training videos are relevant to the changing threat landscape. They are inspired by our threat intelligence and our team\'s threat landscape research. These micro-learning modules are grounded in learning science principles that are designed to drive behavior change. Each module has a concise and specific learning objective. The delivery of content is tailored to individual factors such as a person\'s role, learning style, vulnerability level and preferred language. In 2023, we covered these topics in our new threat training modules: Data loss protection AI chatbot threats Amazon phishing scams Cryptocurrency investment scams QR code dangers Multifactor authentication (MFA) Image from Threat Module video (play video). Staying ahead of generative AI attacks AI-powered systems are promoted as tools to help us work faster, and they are transforming businesses and industries. This wide-reaching access can create security risks from potential data breaches to concerns over user privacy. Your employees need to be aware of the limitations and risks of using AI-powered tools, especiall | Ransomware Tool Vulnerability Threat Studies Prediction Cloud | ★★★★ | |
|
2024-01-04 06:00:10 | Cybersecurity Stop of the Month: MFA Manipulation (lien direct) | This blog post is part of a monthly series exploring the ever-evolving tactics of today\'s cybercriminals. Cybersecurity Stop of the Month focuses on the critical first three steps in the attack chain in the context of email threats. The series is designed to help you understand how to fortify your defenses to protect people and defend data against emerging threats in today\'s dynamic threat landscape. The critical first three steps of the attack chain: reconnaissance, initial compromise and persistence. So far in this series, we have covered the following types of attacks: Supplier compromise EvilProxy SocGholish eSignature phishing QR code phishing Telephone-oriented attack delivery (TOAD) Payroll diversion In this post, we examine an attack technique called multifactor (MFA) manipulation. This malicious post-compromise attack poses a significant threat to cloud platforms. We cover the typical attack sequence to help you understand how it works. And we dive deeper into how Proofpoint account takeover capabilities detected and prevented one of these threats for our customer. Background MFA manipulation is an advanced technique where bad actors introduce their own MFA method into a compromised cloud account. These attackers are used after a cloud account takeover attack, or ATO. ATOs are an insidious threat that are alarmingly common. Recent research by Proofpoint threat analysts found that in 2023 almost all businesses (96%) were targeted by cloud-based attacks. What\'s more, a whopping 60% were successfully compromised and had at least one account taken over. MFA manipulation attacks can work several ways with bad actors having multiple options for getting around MFA. One way is to use an adversary-in-the-middle (AiTM) attack. This is where the bad actor inserts a proxy server between the victim and the website that they\'re trying to log into. Doing so enables them to steal that user\'s password as well as the session cookie. There\'s no indication to the user that they\'ve been attacked-it just seems like they\'ve logged into their account as usual. However, the attackers have what they need to establish persistence, which means they can maintain access even if the stolen MFA credentials are revoked or deemed invalid. The scenario Recently, Proofpoint intercepted a series of MFA manipulation attacks on a large real estate company. In one case, the bad actors used an AiTM attack to steal the credentials of the firm\'s financial controller as well as the session cookie. Once they did that, they logged into that user\'s business account and generated 27 unauthorized access activities. The threat: How did the attack happen? Here is a closer look at how this MFA manipulation attack played out: 1. Bad actors used the native “My Sign-Ins” app to add their own MFA methods to compromise Microsoft 365 accounts. We observed that the attackers registered their own authenticator app with notification and code. They made this move right after they gained access to the hijacked account as part of an automated attack flow execution. This, in turn, allowed them to secure their foothold within the targeted cloud environment. The typical MFA manipulation flow using Microsoft\'s “My Sign-Ins” app. 2. After the compromise, the attackers demonstrated a sophisticated approach. They combined MFA manipulation with OAuth application abuse. With OAuth abuse, an attacker authorizes and/or uses a third-party app to steal data, spread malware or execute other malicious activities. Attackers also use the abused app to maintain persistent access to specific resources even after their initial access to a compromised account has been cut off. 3. The attackers authorized the seemingly benign application, “PERFECTDATA SOFTWARE,” to gain persistent access to the user\'s account and the systems, as well as the resources and applications that the user could access. The permissions the attackers requested for this app included: | Malware Tool Vulnerability Threat Cloud | ★★★ | |
|
2024-01-02 08:41:00 | 6 Exigences d'assurance cybersécurité Votre entreprise doit être prête à répondre 6 Cybersecurity Insurance Requirements Your Business Should Be Ready To Meet (lien direct) |
Every year, more companies are finding out firsthand how damaging a cyberattack can be. Research for the 2023 State of the Phish report from Proofpoint found that 30% of companies that were successfully attacked experienced a direct monetary loss. That\'s an increase of 76% year over year. And costs for these attacks are rising. IBM reports that the global average cost of a data breach went up by 15% over the last three years, hitting $4.45 million in 2023. Concerns about costs and risks mean that more companies than ever are buying cyber insurance. A World Economic Forum survey found that 71% of organizations have cyber insurance. And Allied Market Research projects that the global cyber insurance market, which is currently valued at $12.5 billion, will reach $116.7 billion by 2032. Investing in cyber insurance for your business can be a wise strategy. For one, it helps you to transfer some of the financial risks of a cybersecurity event to your insurance provider. But the cyber insurance landscape is changing. You should know that getting the coverage you want might be a challenge, and you will need to meet an array of cybersecurity insurance requirements. In this blog post, we\'ll cover six of the most common requirements you\'ll likely need to fulfill. What is cyber insurance-and what does it cover? But first, let\'s take a closer look at what cyber insurance is and why it is important. Also known as cyber liability insurance, this relatively new type of insurance helps to protect businesses and individuals from the negative impacts of cybersecurity events. It generally covers: Loss of data and the associated recovery Loss of revenue due to business interruption Loss of transferred funds from cyberattacks, like business email compromise (BEC) and phishing Loss of funds from ransomware and extortion Many policies also cover the aftermath and follow-up events associated with a data breach. This includes the costs associated with identifying and notifying victims, credit monitoring for victims and forensics expertise, to name a few. Why is cyber insurance important? For many companies, cyber insurance is an essential part of their risk management strategy. It covers many costs related to cyber events, such as legal expenses and fees for compliance violations. Depending on the policy, it might also cover: Ransomware attacks. If your business is hit with a ransomware attack, you may face demands for payment to unlock your systems. Or you may need to pay a ransom to prevent the release of sensitive data. In certain cases, cyber insurance can help cover ransom payments. Incident response and recovery. Cybersecurity insurance can help with the cost of investments you may need to make after an attack. For example, you may need to hire experts, conduct forensic investigations, and implement tools and measures to prevent future attacks. Business disruption. This may include lost revenue during downtime. This coverage can help your business stay afloat financially and continue operating in the wake of a cyber event. Want more details on the benefits of cyber insurance? Download the Proofpoint presentation, “Cyber Insurance: Facts, Figures and Policy Fundamentals.” Examples of common cyber insurance requirements As noted earlier, getting coverage is more complicated than it used to be. Because security breaches are so costly and cybercrime is so common, many insurers have become more stringent in their underwriting processes. Some have lowered caps for payouts and narrowed their coverage offerings as well. This means that the requirements your business may be expected to meet will be fairly complex. Every provider will likely conduct a risk assessment to determine if you qualify for cyber insurance. The process will help them to determine how much coverage they can offer you, and what you\'ll need to pay for it. The risk assessment might be as quick and simple as a questionnaire or as complex and time-consuming as a third-party audit. Here are six examples | Ransomware Data Breach Tool Threat | ★★★ | |
|
2023-12-29 08:35:15 | Pointpoint de preuve nommé fournisseur représentatif en 2023 Gartner & Reg;Guide du marché pour la gouvernance des communications numériques Proofpoint Named as a Representative Vendor in 2023 Gartner® Market Guide for Digital Communications Governance (lien direct) |
It has been more than a year since Gartner retired its Magic Quadrant for Enterprise Information Archiving, which it had published for many years. When it first happened, many of us from the compliance, e-discovery and archiving world wondered what research would come next. Now the wait is over. On November 13, 2023, Gartner unveiled its new Market Guide for Digital Communications Governance (DCG). And it named Proofpoint as a Representative DCG solution Vendor. Gartner says, “Gartner retired the Magic Quadrant for Enterprise Information Archiving in 2022. This DCG research recognizes the rise in communication tool complexity and demand from clients to seek guidance on the selection of vendors and solutions that specialize in communications governance.” The Gartner Market Guide presents a “definition, rationale and dynamics” for the DCG market and a list of Representative Vendors. It is now up to clients to download the Market Guide so that they can learn more about digital communications governance. And they can refer to Gartner recommendations as they look into DCG solutions that will work best for their business. In this blog post, I go over some of initial coverage of DCG by Gartner. I also provide insights into some of the key points that are made in the new report. Assessing a strategic planning assumption Gartner specifies two strategic planning assumptions in the Market Guide. Here is a look at the first one: “By 2027, 40% of enterprise customers will proactively assess workstream collaboration and meeting solution content for corporate policy and general business insights, up from less than 5% in 2023.” We believe this seems reasonable at face value if you apply it to businesses that operate in regulated industries like financial services. But I question its validity if the intent is to expand it to all verticals. Customers that use a DCG solution as a way to improve their litigation readiness will likely find the deployment of a supervision/surveillance solution for “corporate policy and general business insights” to be a “nice to have,” not a “must have.” I suspect that, in general, these customers will agree to the value in principle. But they will struggle to gain executive sponsors and budget in the absence of: Regulatory mandates that compel relevant action, like the Financial Industry Regulatory Authority (FINRA) or the U.S. Securities and Exchange Commission (SEC) for financial services Widely accepted performance statistics, such as archive search performance or archive system availability It will be interesting to revisit this assumption in 2027. At that point, we\'ll see how much progress has been made on the regulatory and statistics fronts-and the percentage of enterprise customers. Compliance risk versus security risk In the Market Direction section of the report, under “Compliance risk versus security,” Gartner states, “Most frequently used for adherence to compliance use cases, solutions are expanding to broader uses in security risk.” No vendor will do integrations simply because they are cool ideas. They need compelling use cases and business cases. However, with Proofpoint you have a single vendor that offers leading technology for both digital communications governance and security. To learn more about these platforms, check out Proofpoint Aegis threat protection and the Proofpoint Sigma information protection. For more than 15 years, we have provided innovative solutions to address compliance use cases as well as security use cases. Most of the customers we work with who use Proofpoint Intelligent Compliance offerings are Proofpoint security customers, as well. The use of machine learning to improve supervision and surveillance Gartner addresses the use of these technologies in the Market Analysis section of the Market Guide, under “Supervision and surveillance capabilities.” It says, “The results can be used for improved automated monitoring/tagging, and accuracy and efficiency outcomes | Tool Threat Commercial | ★★ | |
|
2023-12-28 14:18:07 | Concevoir un indice de texte mutable à l'échelle de la pétaoctet rentable Designing a Cost-Efficient, Petabyte-Scale Mutable Full Text Index (lien direct) |
Engineering Insights is an ongoing blog series that gives a behind-the-scenes look into the technical challenges, lessons and advances that help our customers protect people and defend data every day. Each post is a firsthand account by one of our engineers about the process that led up to a Proofpoint innovation. At Proofpoint, running a cost-effective, full-text search engine for compliance use cases is an imperative. Proofpoint customers expect to be able to find documents in multi-petabyte archives for legal and compliance reasons. They also need to index and perform searches quickly to meet these use cases. However, creating full-text search indexes with Proofpoint Enterprise Archive can be costly. So we devote considerable effort toward keeping those costs down. In this blog post, we explore some of the ways we do that while still supporting our customers\' requirements. Separating mutable and immutable data One of the most important and easiest ways to reduce costs is to separate mutable and immutable data. This approach doesn\'t always fit every use case, but for the Proofpoint Enterprise Archive it fits well. For archiving use cases-and especially for SEC 17a-4 compliance-data that is indexed can\'t be modified. That includes data-like text in message bodies and attachments. The Proofpoint Enterprise Archive has features that require the storage and mutation of data alongside a message, in accordance with U.S. Securities and Exchange Commission (SEC) compliance. (For example, to which folders a message is a member, and to which legal matters a message pertains.) To summarize, we have: Large immutable indexes Small mutable indexes By separating data into mutable and immutable categories, we can index these datasets separately. And we can use different infrastructure and provisioning rules to manage that data. The use of different infrastructure allows us to optimize the cost independently. Comparing the relative sizes of mutable and immutable indexes. Immutable index capacity planning and cost Normally, full-text search indexes must be provisioned to handle the load of initial write operations, any subsequent update operations and read operations. By indexing immutable data separately, we no longer need to provision enough capacity to handle the subsequent update operations. This requires less IO operations overall. To reduce IO needs further, the initial index population is managed carefully with explicit IO reservation. Sometimes, this will mean adding more capacity (nodes/servers/VMs) so that the IO needs of existing infrastructure are not overloaded. When you mutate indexes, it is typically best practice to leave an abundance of disk space to support the index merge operations when updates occur. In some cases, this can be as much as 50% free disk space. But with immutable indexes, you don\'t need to have so much spare capacity-and that helps to reduce costs. In summary, the following designs can help keep costs down: Reduce IO needs because documents do not mutate Reduce disk space requirements because free space for mutation isn\'t needed Careful IO planning on initial population, which reduces IO requirements Mutable index capacity planning and cost Meanwhile, mutable indexes benefit from standard practices. They can\'t receive the same reduced capacity as immutable indexes. However, given that they\'re a fraction of the size, it\'s a good trade-off. Comparing the relative free disk space of mutable and Immutable indexes. Optimized join with custom partitioning and routing In a distributed database, join operations can be expensive. We often have 10s to 100s of billions of documents for the archiving use case. When both sides of the join operation have large cardinality, it\'s impractical to use a generalized approach to join the mutable and immutable data. To make this high-cardinality join practical, we partition the data in the same way for both the mutable and immutable data. As a result, we end up with a one-t | Cloud Technical | ★★★ | |
|
2023-12-27 09:19:46 | 3 incontournables des performances de recherche d'archives: une comparaison de logiciels d'archives de messagerie 3 Must-Haves of Archive Search Performance: An Email Archive Software Comparison (lien direct) |
Yes, it\'s true that customers who use legacy on-premises archives or even modern cloud solutions say “fast search performance” is a primary reason to migrate to Proofpoint Archive. Our customers often highlight “fast search performance” as a key email archiving solution element. For reference, look no further than Gartner Peer Insights, where “search/index” is ranked the highest out of product feature areas evaluated by our customers. However, you don\'t buy a Tesla Model X just for its top speed. You don\'t purchase a Rolex just to tell time. And you don\'t subscribe to or license an archive just for its search performance. Of course, not having adequate search performance can spell dire consequences when you need to address e-discovery requests. Think of having to settle a lawsuit early because you can\'t get search results in time to determine whether it makes better sense to litigate. But there\'s more to email archive search performance than just speed. In this blog, we\'ll explore three factors that drive positive outcomes for our customers. Speed is one, and the other two are scalability and ease of use. 1: Speed When you run a search for specific information in your email archive, how long does it take to retrieve that information? Hours? Days? Longer? Search speed dictates how fast you receive results from a search. While some vendor email archiving tools are incredibly slow, Proofpoint Archive has a financially backed search service-level agreement (SLA) that obligates us to return search results in seconds, on average, for our customers. To give you with some context, here\'s what we found when we compared the email archive search speeds of Microsoft Purview eDiscovery and Proofpoint Archive-specifically when searching 100 mailboxes and 50,000 mailboxes. For this example, a total of 200 searches were run, based on an average of 10 cases managed per month with each case requiring 20 searches to be performed. Microsoft doesn\'t have search performance SLAs. But they provide “guidelines for average search time” based on the number of mailboxes searched. (See the table below.) Guidelines for average search times for Microsoft Purview eDiscovery solutions. Based on internal, anonymous archive usage reports, as of August 2023 the average search time for Proofpoint Archive was 3.28 seconds. Also, it\'s estimated that Microsoft will take about 1.67 hours to return results when searching 100 mailboxes. Proofpoint Archive returned results in about 0.18 hours, as shown below. A comparison of search speed between Microsoft and Proofpoint. At this level of searching, the search speed difference may not seem significant. However, if you factor in rerunning searches due to new data or a system failure (like index corruption) with Microsoft, the numbers can grow rapidly. The search speed expectation with Proofpoint remains consistent, given our average search performance, particularly when you run consecutive searches. The search speed difference becomes more noteworthy when you consider highly litigious organizations that need to run hundreds or thousands of searches across hundreds or thousands of mailboxes. In the second scenario, when searching 50,000 mailboxes, it\'s estimated that Microsoft will take about 66.67 hours to return search results. That\'s like having your team “babysit” Microsoft e-discovery searches for more than a week and a half every month! Separately, Proofpoint Archive is expected to remain the same at 0.18 hours. With Proofpoint, you get search results from the archive when you need them, helping to improve your ability to respond to e-discovery requests and internal investigations in a timely fashion. 2: Scalability When you address an e-discovery request, do you run only one search? Probably not. The factor of search scalability defines your ability to achieve your expected search speed performance time and time again, regardless of whether you\'re searching 100 mailboxes or 50,000 mailboxes-and regardless of | Tool Cloud | ★★★ | |
|
2023-12-21 05:00:25 | Battleroyal, le cluster Darkgate se propage par e-mail et les fausses mises à jour du navigateur BattleRoyal, DarkGate Cluster Spreads via Email and Fake Browser Updates (lien direct) |
Overview Throughout the summer and fall of 2023, DarkGate entered the ring competing for the top spot in the remote access trojan (RAT) and loader category. It was observed in use by multiple cybercrime actors and was spread via many methods such as email, Microsoft Teams, Skype, malvertising and fake updates. Proofpoint researchers are tracking a particularly interesting operator of the DarkGate malware. At the time of publication, researchers are not attributing this cluster of activity to a known threat actor and are temporarily calling it BattleRoyal. Between September and November 2023, at least 20 email campaigns used DarkGate malware with GroupIDs “PLEX”, “ADS5”, “user_871236672” and “usr_871663321”. The GroupID is a configuration setting that is also referred to as username, botnet, campaign, or flag 23. The campaigns are notable for: Delivery: via email and RogueRaticate fake browser updates Volumes and geography: email campaigns include tens of thousands of emails targeting dozens of industries primarily in USA and Canada Attack chain: includes a variety of notable tools such as 404 TDS, Keitaro TDS, and .URL files exploiting CVE-2023-36025 Volume of DarkGate campaigns based on four GroupIDs discussed in this report. TDS all the things! (an email campaign example) On October 2, 2023, Proofpoint identified one of the first campaigns in this cluster. It was notable due to the use of more than one traffic delivery system (TDS), specifically 404 TDS and Keitaro TDS. Additionally, the .URL files involved exploited CVE-2023-36025, a vulnerability in Windows SmartScreen. While other parts of the attack chain from this actor changed or varied, .URL files were involved in every campaign. The emails in this campaign contained: 404 TDS URLs that, if clicked by the user, redirected to Keitaro TDS Keitaro TDS was observed serving an internet shortcut (.URL) file The internet shortcut, if double clicked, downloaded a zipped VBS script The VBS in turn downloaded and executed several shell commands (cmd.exe) The shell commands (a) created a directory on C: drive, (b) copied curl.exe from system folder to this new directory, (c) used the curl to download Autoit3.exe, (d) used curl to download and save an AutoIT script, and (e) ran the downloaded AutoIT script with the downloaded AutoIT interpreter The AutoIT script ran an embedded DarkGate Attack chain summary that follows the flow of: Email > 404 TDS > Keitaro TDS > .URL > .VBS > Shell commands > AutoIT / AutoIT script > DarkGate. Screenshot of an example email from October 2 campaign. Screenshot of the .URL file involved in the October 2 campaign. Proofpoint has identified multiple cybercriminal campaigns exploiting CVE-2023-36025; however, the BattleRoyal cluster exploited this vulnerability more than any other actor observed in Proofpoint threat data. Notably, this activity cluster exploited CVE-2023-36025 before it was published by Microsoft. SmartScreen is a security feature that is designed to prevent people from visiting malicious websites. The vulnerability could allow an actor to bypass the SmartScreen defenses if a user clicked on a specially crafted .URL file or a hyperlink pointing to a .URL file. More specifically, a SmartScreen alert would not be triggered when a .URL points to a SMB or WebDav share as file:// and the malicious payload is inside a ZIP file which is specified in the URL target. RogueRaticate (fake browser update campaign example) On October 19, 2023, an external researcher identified and publicly shared details of the RogueRaticate fake update activity cluster using an interesting obfuscation technique first identified in 2020. Proofpoint subsequently identified the activity in Proofpoint data. This campaign delivered fake browser update requests to end users on their web browsers that dropped a DarkGate payload with the “ADS5” GroupID. The threat actor injected a request to a domain they controlled that used .css steganography to conceal the malicious c | Malware Tool Vulnerability Threat Prediction | ★★ | |
|
2023-12-18 06:00:21 | Une approche de risque intégrée pour briser la chaîne d'attaque juridique et de conformité: les informations de Proofpoint Protect 2023 An Integrated Risk Approach to Breaking the Legal and Compliance Attack Chain: Insights from Proofpoint Protect 2023 (lien direct) |
Last September, Proofpoint held our first in-person event since the pandemic in New York City, Protect 2023. In this blog post, our Chief Compliance Officer in Residence John Pepe shares some key insights from the leaders who participated in the Compliance Leader\'s Roundtable at that conference. A big part of that discussion was exploring how combining data points from multiple tools can help stop known risk patterns before problems escalate. “Break the Attack Chain” is a Proofpoint initiative that outlines our approach to prevent and disrupt cyberattacks that target people and their data. The attack chain can basically be broken down into eight steps and three main stages: Initial compromise Privilege escalation Data exfiltration Steps in the attack chain. We believe that breaking the attack chain is so important that we made it the theme of Protect 2023. When you break the attack chain, you reduce the risks and the impact of cyberattacks. And you avoid a lot of the financial, reputational and operational damage. Proofpoint argues that this starts by taking a people-centric approach to security that focuses on the human factors that enable and motivate attackers. But this theme isn\'t just relevant to cybersecurity. It\'s also an important concept that\'s relevant to compliance professionals and their current challenges. Recently at the Protect 2023 conference, we explored how the industry is using this idea to rethink the ways it approaches and mitigates risk. What\'s top of mind for compliance professionals right now? Part of my job at Proofpoint is to provide our customers-some of whom are highly regulated-with executive briefings on compliance and regulatory best practices. I also have a lot of critical discussions with the legal and regulatory communities. So I understand why the concept of breaking the attack chain transcends cybersecurity and really resonates with these groups. That\'s why I chose to explore it at Protect 2023 at the Compliance Leader\'s Roundtable. This panel was comprised of a chief compliance officer from a leading financial services provider, the head of surveillance for an asset manager, and a chief information security officer. And our topic was “What\'s Top of Mind for Compliance Professionals Post COVID-19." The discussion was informal and focused on work-from-home (WFH) initiatives during and after the pandemic. Two interconnected areas were of particular interest: Risks and programs related to WFH, with a special focus on collaboration platforms How behavioral indicators may help to predict potential legal or compliance issues When talking about insider risks and threats, the panelists explored: Best practices for controlling messaging apps and mitigating risks in mobile texts and chat How behavioral modeling and analytics can be used to enhance risk monitoring for user conduct How combining multiple compliance approaches can help form a holistic risk management program, which can mean integrating: Threat detection People analytics Conduct compliance applications As part of the conversation, I brought up the topic of employee behaviors and patterns that can lead to legal or compliance issues. The example scenario I offered was of a disgruntled employee who had received an underwhelming bonus or was passed up for a promotion. To get back at the company, this person stole sensitive company data and intellectual property (IP) before they left their job. The panel discussed behaviors or telemetry that might be present in such a scenario. And they talked about whether any data about user conduct might help detect and prevent potential losses. An integrated approach to breaking the attack chain What follows are some of the ways that our panelists use tools to mitigate risks. And how Proofpoint can help. Combining internal and external data One of the most crucial aspects of a surveillance analyst\'s job, especially in financial services, is monitoring employee risk. The roundtable emp | Tool Threat Mobile Prediction Conference | ★★★ | |
|
2023-12-15 06:00:41 | Comment empêcher les attaques basées sur l'identité avec ITDR How to Prevent Identity-Based Attacks with ITDR (lien direct) |
Identity-based attacks are on the rise. Research from the Identity Defined Security Alliance found that 84% of businesses experienced an identity-related breach in the past year. While that\'s a huge percentage, it\'s not all that surprising. Just consider how focused attackers have been in recent years on gaining access to your user\'s identities. In the latest Verizon 2023 Data Breach Investigations Report, Verizon found that 40% of all data breaches in 2022 involved the theft of credentials which is up from 31% in 2021. With access to just one privileged account an attacker can move around undetected on a company\'s network and cause havoc. When they look like the right employee, they have the freedom to do almost anything, from stealing sensitive data to launching ransomware attacks. What\'s worse, attackers usually have tools that make it fast and easy to exploit stolen credentials, escalate privilege and move laterally. That makes this type of attack all the more appealing. There are a bevy of cybersecurity tools that are supposed to protect companies from these attacks. So why do they fall short? The simple answer is that it\'s not their job-at least not completely. Take tools used for identity access management (IAM) as an example. Their role is to administer identities and manage their access to applications and resources. They don\'t detect malicious activity after a “legitimate” user has been authenticated and authorized. And tools for anomaly detection, like security information and event management (SIEM) systems, alert on abnormal or malicious user activity. But they are even less capable of flagging attempts at lateral movement and privilege escalation. As a result, these tools tend to generate high levels of false positives, which overwhelm security teams. However, there is a way to address the security gaps these solutions aren\'t well equipped to cover. It\'s called identity threat detection and response, or ITDR for short. What is ITDR? ITDR is an umbrella term coined by Gartner to describe a new category of security tools and best practices that companies can use to detect and respond more effectively to identity-based attacks. ITDR protects the middle of the attack chain-the point where enterprise defenses are usually the weakest. ITDR tools offer robust analytics, integrations and visibility that can help you to: Detect, investigate and respond to active threats Stop privilege escalations Identify and halt lateral movement by attackers Reduce the identity-centric attack surface before the threat actor even arrives When you use ITDR, you\'re not replacing existing tools or systems for IAM and threat detection and response like privileged access management (PAM) or endpoint detection and response (EDR). Instead, you\'re complementing them. Those tools can continue to do what they do best while ITDR addresses the identity security gaps they\'re not designed to cover. How ITDR solutions work-and help to prevent identity-based attacks ITDR tools are designed to continuously monitor user behavior patterns across systems. They scan every endpoint-clients and servers, PAM systems and identity repositories-to look for unmanaged, misconfigured and exposed identities. With a holistic view of identity risks, your security team can remove key attack pathways through Active Directory (AD) that threat actors use to install ransomware and steal data. ITDR tools can help defenders stop identity attacks and proactively get rid of risks. They allow defenders to see exactly how attackers can access and use identities to compromise the business. Essentially, ITDR provides answers to these three critical questions: Whose identity provides an attack path? What is the identity threat blast radius, and the impact to my business? Are there any identity-based attacks in progress? Leading ITDR tools can help you catch adversaries in the act by planting deceptive content, or trip wires, throughout your environment that only attackers would in | Ransomware Data Breach Tool Vulnerability Threat | ★★ | |
|
2023-12-14 09:44:32 | Atténuation des menaces d'initié: 5 meilleures pratiques pour réduire le risque Insider Threat Mitigation: 5 Best Practices to Reduce Risk (lien direct) |
(This is an updated version of a blog that was originally published on 1/28/21.) Most security teams focus on detecting and preventing external threats. But not all threats come from the outside. The shift to hybrid work, accelerated cloud adoption and high rates of employee turnover have created a perfect storm for data loss and insider threats over the past several years. Today, insider threats rank amongst the top concerns for security leaders-30% of chief information security officers report that insider threats are their biggest cybersecurity threat over the next 12 months. It\'s easy to understand why. Insider threats have increased 44% since 2020 due to current market dynamics-and security teams are struggling to keep pace. According to the Verizon 2023 Data Breach Investigations Report, 74% of all breaches involve the human element. In short, data doesn\'t lose itself. People lose it. When the cybersecurity risk to your company\'s vital systems and data comes from the inside, finding ways to mitigate it can be daunting. Unlike with tools that combat external threats, security controls for data loss and insider threats can impact users\' daily jobs. However, with the right approach and insider threat management tools, that doesn\'t have to be the case. In this blog post, we\'ll share best practices for insider threat mitigation to help your business reduce risk and overcome common challenges you might face along the way. What is an insider threat? But first, let\'s define what we mean by an insider threat. In the cybersecurity world, the term “insider” describes anyone with authorized access to a company\'s network, systems or data. In other words, it is someone in a position of trust. Current employees, business partners and third-party contractors can all be defined as insiders. As part of their day-to-day jobs, insiders have access to valuable data and systems like: Computers and networks Intellectual property (IP) Personal data Company strategy Financial information Customer and partner lists All insiders pose a risk given their position of trust-but not all insiders are threats. An insider threat occurs when someone with authorized access to critical data or systems misuses that access-either on purpose or by making a mistake. The fallout from an insider threat can be dire for a business, including IP loss, legal liability, financial consequences and reputational damage. The challenge for security firms is to determine which insiders are threats, and what type of threats they are, so they know how to respond. There are three insider threat types: Careless. This type of risky insider is best described as a user with good intentions who makes bad decisions that can lead to data loss. The 2022 Cost of Insider Threats Global Report from Ponemon Institute notes that careless users account for more than half (56%) of all insider-led incidents. Malicious. Some employees-or third parties, like contractors or business partners-are motivated by personal gain. Or they might be intent on harming the business. In either case, these risky users might want to exfiltrate trade secrets or take IP when they leave the company. Industrial espionage and sabotage are examples of malicious insider activity. Ponemon research shows malicious insiders account for 26% of insiders. Compromised. Sometimes, external threat actors steal user login information or other credentials. They then use those credentials to access applications and systems. Ponemon reports that compromised users account for 18% of insiders. Insider threat mitigation best practices Companies can minimize brand and financial damage by detecting and stopping insider threats. How each security team approaches insider threats will vary depending on the industry, maturity and business culture. However, every organization can use the five best practices we\'ve outlined below to improve their insider threat prevention. 1. Identify your risky users Most insiders fall into the “care | Data Breach Tool Threat Industrial Cloud Technical | ★★ | |
|
2023-12-14 09:00:56 | La détection de code QR malveillant fait un bond en avant géant Malicious QR Code Detection Takes a Giant Leap Forward (lien direct) |
Proofpoint introduces inline, pre-delivery QR code detection engine to help protect against imaged-based QR code phishing attacks QR code phishing, also known as quishing, is the latest attack hitting inboxes. This emerging threat is able to get around traditional email defenses and is forging a new way to deliver email attacks directly to users. Along with email phishing, executive impersonation, spear phishing and business email compromise (BEC), this threat has become one of the top concerns for security and IT teams. In response, Proofpoint has launched new inline sandboxing capabilities to detect and stop suspicious QR code threats. Not only do we support behavioral and sandbox detection engines, but we also provide pre- and post-scanning for risky QR codes. When combined, these capabilities more accurately detect and better protect against this new threat vector. Most API-based email security tools rely on behavioral signals, which means they can only detect a suspicious QR code email after it has been delivered to the user\'s inbox. In contrast, Proofpoint stops attacks pre-delivery, so threats can never make it to users\' inboxes. In this blog post, we\'ll cover what you should know about QR code phishing and detection-and how Proofpoint can help. Why QR codes? When Microsoft disabled macros to prevent threat actors from exploiting them to deliver malware, threat actors started to test various new attack delivery techniques, such as QR codes. Used by marketers as a quick and easy way to connect with consumers and drive engagement, QR codes have become a part of our daily lives and are now used in retail stores, airline tickets, contactless menus and scan-to-pay, among many others. While it\'s common knowledge that standard QR codes can be used in malicious ways, a recent Scantrust QR code survey found that “over 80% of US-based QR code users said that they think QR codes are safe.” It\'s this inherent trust of QR codes that threat actors depend on. That and the fact that QR codes do not expose malicious URLs make them very hard detect with traditional email security tools. What is QR code phishing? A QR code scam is when a bad actor creates a QR code phishing campaign to trick a user into navigating to a malicious URL. This leads them to a malicious website that then harvests their credentials or downloads malware onto their device. These campaigns include payment scams, package scams, email scams and even donation scams during the holiday season. Because all QR codes look similar, users are easily fooled. Figure 1: How a QR scam typically works. Why are QR codes getting through? Legacy email security providers and most API-based email security tools have a very difficult time detecting these attacks. That\'s because these tools scan email messages for known malicious links-they don\'t scan images for links that are hidden inside QR code images. This attack method also creates a new security blind spot. QR codes are scanned by a separate device, like a smartphone, from where the email is delivered. And smartphones are less likely to have robust security protection, which is needed to detect and prevent these attacks. For this reason, it\'s essential that an email security tool detects and blocks QR code phishing emails before they reach users\' inboxes. When messages are scanned post-delivery, like with API-based tools, there\'s a chance that users will get to them first-before they\'re clawed back. Post-delivery-only detection risks Post-delivery-only email security tools claim to “detect and block” QR code phishing emails, but they simply cannot. While they may “detect” a suspicious QR code email, it\'s only after the threat has been delivered to the user\'s inbox. Moreover, these tools do not sandbox suspicious QR codes. This means they have a high miss rate-which creates more risk for your company. Besides creating more risk, they also create more work for your teams. By relying solely on behavioral anomalies, these tools | Malware Tool Threat Mobile Cloud | ★★★ | |
|
2023-12-14 07:44:10 | J'ai cassé mon téléphone!Une mise à jour sur les nouveaux développements dans les attaques conversationnelles contre le mobile I Broke My Phone! An Update on New Developments in Conversational Attacks on Mobile (lien direct) |
C'est la saison des achats, ce qui ne peut signifier qu'une chose: des dizaines de fausses messages de «livraison manqués» qui tentent de voler notre argent, nos données et nos identités.Mais il y a de bonnes nouvelles.Les données de preuve Point montrent que la croissance des smirs a ralenti au cours des 18 derniers mois dans de nombreuses régions, devenant une partie établie du paysage plutôt qu'une menace croissante. Tendances mondiales de smirs. Cependant, le risque reste grave.Et dans de nombreux cas, les attaques deviennent plus spécialisées et sournoises. De nouvelles attaques conversationnelles émergent Au cours de la dernière année, nous avons connu une croissance rapide des attaques conversationnelles contre le mobile.Ces tactiques impliquent que les attaquants envoient plusieurs messages, imitant les modèles d'engagement authentique pour renforcer la confiance.Pendant ce temps, nous avons vu le volume des attaques conversationnelles augmenter de 318% dans le monde, 328% aux États-Unis et 663% dans la boucherie de porc au Royaume-Uni, que nous avons couverte auparavant sur le blog, est un exemple notabled'une menace conversationnelle.Mais ce n'est pas le seul. Dans certaines parties du monde, une usurpation d'identité est devenue une tendance importante.C'est là que l'attaquant prétend être quelqu'un que la victime connaît, comme un membre de la famille, un ami ou une connaissance des entreprises.L'usurpation d'identité peut augmenter la probabilité que la victime faisait confiance au message et attiré dans la conversation. Au Royaume-Uni, l'une des tactiques d'identité communes est de prétendre être un enfant avec un téléphone perdu ou cassé. Exemple d'un texte envoyé par les attaquants. Ceci est un exemple classique de l'ingénierie sociale, en utilisant l'anxiété parentale pour contourner notre prudence habituelle.La prochaine étape dans les abus de conversation implique généralement de persuader la victime de passer à WhatsApp ou un autre service de messagerie avant de demander un transfert d'argent.Dans ce cas, la somme est susceptible d'être faible, mais nous avons vu des montants importants demandés et reçus dans une gamme de leurres conversationnels. Des messages familiaux similaires ont également été signalés en Nouvelle-Zélande.Aux États-Unis, l'identité est plus susceptible d'être un ami ou une connaissance d'entreprise revendiquant une connexion manquée ou demandant à rattraper son retard.Les méthodes qui réussissent dans un pays sont souvent appliquées ailleurs, donc il ne faudra peut-être pas longtemps avant que «Hey Mum» du Royaume-Uni ne devienne «Hey Mom» d'Amérique \\. Et comme les licenciements et l'incertitude économique restent une réalité pour beaucoup, les escroqueries de recrutement ont également passé le courrier électronique au mobile.Après une approche initiale via SMS, les attaquants tenteront de poursuivre l'engagement sur un service de messagerie.Les victimes peuvent être ciblées pour une fraude à des fins avancées, faire face au vol de données personnelles ou être recrutées comme des mules de l'argent pour le blanchiment de gangs criminels. Restez vigilant et signalez des messages malveillants Le ralentissement de la croissance peut sembler une bonne nouvelle.Mais la réalité est que les attaques de smirs sont simplement devenues omniprésentes, tout en grandissant en sophistication et en ruse.Et le risque pour les utilisateurs et l'écosystème mobile reste sévère.Nos téléphones sont toujours au centre de notre vie personnelle, professionnelle et financière.À mesure que les escroqueries deviennent plus variées et ciblées, le coût de la victime d'une attaque peut être significatif. Si vous rencontrez du shishing, du spam ou d'autres contenus suspects, assurez-vous d'utiliser les fonctionnalités de rapport Android et iOS.Ou si la capacité de rapport simplifiée n'est pas disponible, vous pouvez transmettre des messages texte de spam à 7726 qui épellent le «spam» sur le clavier | Spam Threat Mobile Prediction | ★★★ | |
|
2023-12-12 05:00:00 | Mémoire de sécurité: TA4557 cible les recruteurs directement par e-mail Security Brief: TA4557 Targets Recruiters Directly via Email (lien direct) |
What happened Since at least October 2023, TA4557 began using a new technique of targeting recruiters with direct emails that ultimately lead to malware delivery. The initial emails are benign and express interest in an open role. If the target replies, the attack chain commences. Previously, throughout most of 2022 and 2023, TA4557 typically applied to existing open job listings purporting to be a job applicant. The actor included malicious URLs, or files containing malicious URLs, in the application. Notably, the URLs were not hyperlinked and the user would have to copy and paste the URL text to visit the website. The legitimate job hosting sites would then generate and send email notifications to the prospective employers who posted the positions. In recently observed campaigns, TA4557 used both the new method of emailing recruiters directly as well as the older technique of applying to jobs posted on public job boards to commence the attack chain. Specifically in the attack chain that uses the new direct email technique, once the recipient replies to the initial email, the actor was observed responding with a URL linking to an actor-controlled website posing as a candidate resume. Alternatively, the actor was observed replying with a PDF or Word attachment containing instructions to visit the fake resume website. Example initial outreach email by TA4557 to inquire about a job posting. Example follow up email containing a URL linking to a fake resume website. Very notably, in campaigns observed in early November 2023, Proofpoint observed TA4557 direct the recipient to “refer to the domain name of my email address to access my portfolio” in the initial email instead of sending the resume website URL directly in a follow up response. This is likely a further attempt to evade automated detection of suspicious domains. Email purporting to be from a candidate directing the recipient to visit the domain in an email address. If the potential victims visit the “personal website” as directed by the threat actor, the page mimics a candidate\'s resume or job site for the candidate (TA4557) applying for a posted role. The website uses filtering to determine whether to direct the user to the next stage of the attack chain. Example of a fake candidate website operated by TA4557 that leads to download of a zip attachment. If the potential victim does not pass the filtering checks, they are directed to a page containing a resume in plain text. Alternatively, if they pass the filtering checks, they are directed to the candidate website. The candidate website uses a CAPTCHA which, if completed, will initiate the download of a zip file containing a shortcut file (LNK). The LNK, if executed, abuses legitimate software functions in "ie4uinit.exe" to download and execute a scriptlet from a location stored in the "ie4uinit.inf" file. This technique is commonly referred to as "Living Off The Land" (LOTL). The scriptlet decrypts and drops a DLL in the %APPDATA%\Microsoft folder. Next, it attempts to create a new regsrv32 process to execute the DLL using Windows Management Instrumentation (WMI) and, if that fails, tries an alternative approach using the ActiveX Object Run method. The DLL employs anti-sandbox and anti-analysis techniques. It incorporates a loop specifically designed to retrieve the RC4 key necessary for deciphering the More_Eggs backdoor. This loop is strategically crafted to extend its execution time, enhancing its evasion capabilities within a sandbox environment. Furthermore, the DLL employs multiple checks to determine if it is currently being debugged, utilizing the NtQueryInformationProcess function. The DLL drops the More_Eggs backdoor along with the MSXSL executable. Subsequently, it initiates the creation of the MSXSL process using the WMI service. Once completed, the DLL deletes itself. More_Eggs can be used to establish persistence, profile the machine, and drop additional payloads. Attribution Proofpoint has been tracking TA4557 since 2018 as a | Malware Tool Threat | ★★★ | |
|
2023-12-08 06:00:37 | Protéger les identités: comment ITDR complète EDR et XDR pour garder les entreprises plus en sécurité Protecting identities: How ITDR Complements EDR and XDR to Keep Companies Safer (lien direct) |
Defenders who want to proactively protect their company\'s identities have no shortage of security tools to choose from. There are so many, in fact, that it seems like a new category of tool is invented every few months just to help keep them all straight. Because most security teams are finding it increasingly difficult to stop attackers as they use identity vulnerabilities to escalate privilege and move laterally across their organization\'s IT environment, some of today\'s newest tools focus on this middle part of the attack chain. Endpoint detection and response (EDR) and extended detection and response (XDR) are two tools that claim to cover this specialized area of defense. But unfortunately, because of their fundamental architecture and core capabilities, that\'s not really what they do best. That\'s why a new category of tool-identity threat detection and response (ITDR)-is emerging to fill the gaps. In this blog post, we\'ll explain the difference between EDR, XDR and ITDR so that you can understand how these tools complement and reinforce each other. They each have strengths, and when they\'re combined they provide even better security coverage. But first, let\'s rewind the cybersecurity evolution timeline back to the 1980s to understand why ITDR has emerged as a critical defense measure in today\'s threat landscape. The rise of antivirus software and firewalls We\'re starting in the 1980s because that\'s the decade that saw the advent of computer networks and the proliferation of personal computers. It also saw the rapid rise of new threats due to adversaries taking advantage of both trends. There were notable computer threats prior to this decade, of course. The “Creeper” self-replicating program in 1971 and the ANIMAL Trojan in 1975 are two examples. But the pace of development picked up considerably during the 1980s as personal computing and computer networking spread, and bad actors and other mischief-makers sought to profit from or simply break into (or break) devices and systems. In 1987, the aptly named Bernd Robert Fix, a German computer security expert, developed a software program to stop a virus known as Vienna. This virus destroyed random files on the computers it infected. Fix\'s program worked-and the antivirus software industry was born. However, while early antivirus tools were useful, they could only detect and remove known viruses from infected systems. The introduction of firewalls to monitor and control network traffic is another security advancement from the decade. Early “network layer” firewalls were designed to judge “packets” (small chunks of data) based on simple information like the source, destination and connection type. If the packets passed muster, they were sent to the system requesting the data; if not, they were discarded. The internet explosion-and the escalation of cybercrime The late 1990s and early 2000s witnessed the explosive growth of the internet as a key business platform, kicking off an era of tremendous change. It brought new opportunities but also many new security risks and threats. Cybercrime expanded and became a more formalized and global industry during this time. Bad actors focused on developing malware and other threats. Email with malicious attachments and crafty social engineering strategies quickly became favorite tools for adversaries looking to distribute their innovations and employ unsuspecting users in helping to activate their criminal campaigns. As cyberthreats became more sophisticated, defenders evolved traditional detective security tools to feature: Signature-based detection to identify known malware Heuristic analysis to detect previously difficult to detect threats based on suspicious behavioral patterns All of these methods were effective to a degree. But once again, they could not keep in step with cybercriminal innovation and tended to generate a lot of false positives and false negatives. Enter the SIEM Around 2005, security information and event management (SIEM) tools emerged to enhance | Ransomware Malware Tool Vulnerability Threat Studies Cloud | ★★★ | |
|
2023-12-06 08:01:35 | Conscience de sécurité et renseignement sur la sécurité: le jumelage parfait Proofpoint Security Awareness and Threat Intelligence: The Perfect Pairing (lien direct) |
Just like peanut butter and chocolate, when you add threat intelligence to a security awareness program, it\'s the perfect pairing. Together, they can help you efficiently train one of your most important yet most attacked lines of defense-your people. A robust security awareness program that is tailored, defined and driven by real-world threat insights and context is one of the strongest defenses you can implement. Every week, the Proofpoint Security Awareness team gets regular updates about new and emerging threats and social engineering trends from the Proofpoint Threat Intelligence Services team. This helps drive the development of our security awareness platform. Likewise, our customers can generate daily, weekly, monthly and ad-hoc threat intelligence reports to boost the efficacy of their security awareness programs. In this blog, we will discuss some ways that security awareness teams (SATs) can use threat intelligence from Proofpoint to supercharge their awareness programs. Tailor your program to defend against the latest threats Not all people within a company see the same threats. And the response to threats differs greatly across teams-even within the same business. That\'s why security awareness programs shouldn\'t a take one-size-fits-all approach. Here\'s where Proofpoint Threat Intelligence Services can help. Our team regularly briefs customers about which threat actors are targeting their business and industry, who within their company is clicking, which users and departments are attacked most, and what threats they\'re being targeted with. Proofpoint gives SAT teams the data they need so they can tailor the modules, training and phishing simulations to match those that their users face. Threats in the wild are converted to valuable, tailored awareness materials. Use cases Our threat intelligence services team analyzes exactly what threat actors are targeting when they go after a customer-both in terms of volume, but also at a granular department level. We regularly observe that it\'s more common for specific actors to target users within a specific department. Are threat actors targeting a specific department? This is a good example of how SAT teams can use threat intelligence to identify departments that are at risk and help keep them safe. In this case study, Proofpoint Threat Intelligence Services revealed that TA578-an initial access broker-was frequently targeting marketing and corporate communications departments with a standard copyright violation message lure. We highlighted this trend for a particular customer as we reviewed their TAP data. This Proofpoint threat actor victimology report shows that TA578 is targeting a marketing address. Proofpoint Threat Intelligence Services identified what was happening and also provided additional context about the threat actor, including: Tactics, techniques and procedures (TTPs) Malware payloads Attack chains Specific examples of message lures and landing pages Plus, Proofpoint offered recommendations for remediation and proactive, layered protection. Proofpoint Threat Intelligence Services report on TA578. The SAT team used this information in its Proofpoint Security Awareness program to train the marketing department about specific message lures. The team also created a phishing simulation that used a similar-style lure and content to educate those users about this unique threat. Are threat actors targeting specific people? Another use case for Proofpoint Threat Intelligence Services is that it can help SAT teams understand who at their company is clicking-and what types of message themes they are clicking on. Proofpoint Threat Intelligence Services report for a large healthcare customer. Proofpoint Threat Intelligence Services report shows which users are repeat clickers. This data is compiled from real threats that users have clicked on. SAT teams can use it to prioritize these users for additional awareness training. They can also pi | Tool Threat Studies Prediction | ★★★ | |
|
2023-12-05 05:00:40 | TA422 \\ Soule d'exploitation dédiée - la même semaine après semaine TA422\\'s Dedicated Exploitation Loop-the Same Week After Week (lien direct) |
Key takeaways Since March 2023, Proofpoint researchers have observed regular TA422 (APT28) phishing activity, in which the threat actor leveraged patched vulnerabilities to send, at times, high-volume campaigns to targets in Europe and North America. TA422 used the vulnerabilities as initial access against government, aerospace, education, finance, manufacturing, and technology sector targets likely to either disclose user credentials or initiate follow-on activity. The vulnerabilities included CVE-2023-23397-a Microsoft Outlook elevation of privilege flaw that allows a threat actor to exploit TNEF files and initiate NTLM negotiation, obtaining a hash of a target\'s NTLM password-and CVE-2023-38831-a WinRAR remote code execution flaw that allows execution of “arbitrary code when a user attempts to view a benign file within a ZIP archive,” according to the NIST disclosure. Overview Starting in March 2023, Proofpoint researchers have observed the Russian advanced persistent threat (APT) TA422 readily use patched vulnerabilities to target a variety of organizations in Europe and North America. TA422 overlaps with the aliases APT28, Forest Blizzard, Pawn Storm, Fancy Bear, and BlueDelta, and is attributed by the United States Intelligence Community to the Russian General Staff Main Intelligence Directorate (GRU). While TA422 conducted traditional targeted activity during this period, leveraging Mockbin and InfinityFree for URL redirection, Proofpoint observed a significant deviation from expected volumes of emails sent in campaigns exploiting CVE-2023-23397-a Microsoft Outlook elevation of privilege vulnerability. This included over 10,000 emails sent from the adversary, from a single email provider, to defense, aerospace, technology, government, and manufacturing entities, and, occasionally, included smaller volumes at higher education, construction, and consulting entities. Proofpoint researchers also identified TA422 campaigns leveraging a WinRAR remote execution vulnerability, CVE-2023-38831. Bar chart showing the breakdown of TA422 phishing activity from March 2023 to November 2023. Please attend: CVE-2023-23397-test meeting In late March 2023, TA422 started to launch high volume campaigns exploiting CVE-2023-23397 targeting higher education, government, manufacturing, and aerospace technology entities in Europe and North America. TA422 previously used an exploit for CVE-2023-23397 to target Ukrainian entities as early as April 2022, according to open-source reporting by CERT-EU. In the Proofpoint-identified campaigns, our researchers initially observed small numbers of emails attempting to exploit this vulnerability. The first surge in activity caught our attention partly due to all the emails pointing to the same listener server, but mostly due to the volume. This campaign was very large compared to typical state-aligned espionage campaign activity Proofpoint tracks. Proofpoint observed over 10,000 repeated attempts to exploit the Microsoft Outlook vulnerability, targeting the same accounts daily during the late summer of 2023. It is unclear if this was operator error or an informed effort to collect target credentials. TA422 re-targeted many of the higher education and manufacturing users previously targeted in March 2023. It is unclear why TA422 re-targeted these entities with the same exploit. Based upon the available campaign data, Proofpoint suspects that these entities are priority targets and as a result, the threat actor attempted broad, lower effort campaigns regularly to try and gain access. Like the high-volume TA422 campaign Proofpoint researchers identified in March 2023, the late summer 2023 messages contained an appointment attachment, using the Transport Neutral Encapsulation Format (TNEF) file. The TNEF file used a fake file extension to masquerade as a CSV, Excel file, or Word document, and contained an UNC path directing traffic to an SMB listener being hosted on a likely compromised Ubiquiti router. TA422 has previously used compromised routers to host the gr | Malware Vulnerability Threat | APT 28 | ★★★ |
|
2023-12-04 07:10:47 | Arrêt de cybersécurité du mois: Utilisation de l'IA comportementale pour écraser le détournement de la paie Cybersecurity Stop of the Month: Using Behavioral AI to Squash Payroll Diversion (lien direct) |
This blog post is part of a monthly series exploring the ever-evolving tactics of today\'s cybercriminals. Cybersecurity Stop of the Month focuses on the critical first steps in the attack chain – stopping the initial compromise-in the context of email threats. The series is designed to help you understand how to fortify your defenses to protect people and defend data against emerging threats in today\'s dynamic threat landscape. The first three steps of the attack chain: stop the initial compromise. In our previous posts, we have covered these attack types: Supplier compromise EvilProxy SocGholish E-signature phishing QR code phishing Telephone-oriented attack delivery (TOAD) In this installment we examine a payroll diversion threat that Proofpoint detected during a recent threat assessment. We also cover the typical attack sequence of payroll fraud and explain how Proofpoint uses multiple signals to detect and prevent these threats for our customers. Background Business email compromise (BEC) continues to grow in popularity and sophistication. The 2022 FBI Internet Crime Report notes that BEC attacks cost U.S. businesses $2.7 billion last year. The global figure is no doubt much higher. Ransomware victims, in contrast, lost just $34 million. Payroll diversion is a form of BEC. Typically, employees who have direct access to fulfilling payroll-related requests are prime targets. In these attacks, a bad actor pretends to be an employee who needs to update their direct deposit information. The new information is for an account that the bad actor owns. Once the fraudulent request is complete, the lost funds cannot be retrieved by the business. Payroll diversion fraud isn\'t a new form of BEC, but the frequency of this type of attack is on the rise. Proofpoint continues to see this type of threat getting through the defenses of other email security tools. Across all of our October 2023 threat assessments, we found that more than 400 of these threats got past 12 other email security tools. There are a few reasons why it\'s difficult for a lot of email security tools to detect or remediate these threats. The primary reason is because they don\'t usually carry malicious payloads like attachments or URLs. They also tend to be sent from personal email services-like Google, Yahoo and iCloud-and target specific users. Notably, API-based email security tools that scan for threats post-delivery are the most susceptible to not being able to detect or remediate this type of threat. This partly comes down to how they work. In order for them to be effective, they need security and IT teams to manually populate them with a dictionary of possible display names of all employees, which is a very time-consuming effort that is hard to scale. To avoid this, many organizations simply choose to enable display name prevention for their senior executives only. But bad actors behind payroll diversion don\'t just impersonate executives, they target anyone in the organization who can access corporate funds. In our example below, an attacker took advantage of this exact weakness. The scenario Proofpoint detected a payroll diversion attempt where the attacker posed as a non-executive employee. The email was sent to the director of human resources (HR) at a 300-person company in the energy and utilities industry. The company\'s incumbent email security tool delivered the message, and its API-based post-delivery remediation tool failed to detect and retract it. The threat: How did the attack happen? Here is a closer look at how this payroll diversion scam unfolded: 1. The deceptive message: The attacker sent a request to update their direct deposit information from an account that appeared to be a legitimate employee\'s personal email account. The original malicious message delivered to the recipient\'s inbox. 2. Payroll diversion attack sequence: If the recipient had engaged, the attacker\'s goal would have been to convince them to trans | Ransomware Tool Threat | Yahoo | ★★ |
|
2023-12-01 09:48:42 | Cas d'utilisation du PSAT: comment un utilisateur formé a aidé à arrêter une campagne de BEC massive ciblant les agences gouvernementales américaines PSAT Use Case: How One Trained User Helped Stop a Massive BEC Campaign Targeting U.S. Government Agencies (lien direct) |
In late September 2023, an unattributed business email compromise (BEC) actor sent thousands of highly targeted messages to at least 100 customers across Proofpoint. The attacker targeted individuals who had connections to the U.S. Department of Defense.
The intended victims of the BEC campaign worked in functions such as business development, sales and procurement. The attacker likely wanted to take advantage of increased procurement activity at the end of the fiscal year.
Fortunately, a trained and security-aware employee caught the threat and reported it. That helped to protect hundreds of federal customers across the landscape.
In this blog, we\'ll examine what exactly happened so that you can see how consistent training and awareness about threats likely to target your users can protect your business-and hundreds of others like it.
The timeline-before, during and after the attack
Here\'s a closer look at the details surrounding this BEC incident:
Pre-attack:
Before the attack, end users underwent consistent security awareness and training. The training was designed to educate employees on BEC and other government themed lures, which were most likely to be seen by employees who were at risk. One of the key components of the training had been the sharing of Threat Intelligence to all employees via weekly newsletters and bi-weekly webinars.
During the attack:
In mid-September, a U.S. government-affiliated employee was the first to receive the BEC threat.
This user recognized the threat-even though the attacker had not targeted them before-because it looked like one they\'d seen in past that had focused on government bids and proposals.
The user then alerted security to the threat using the Report Phish button in their email client.
Post-attack:
Detection systems were updated in response to this employee\'s quick action.
Proofpoint blocked, alerted and pulled messages from hundreds of Proofpoint customers.
Proofpoint account and threat intelligence teams also notified dozens of other government entities that were not our customers to help protect the larger federal sector.
Follow-on attacks
After the first attack, the threat actor continued with the same tactics using a different email address.
Meanwhile, Proofpoint continued to send out alerts about this BEC threat to our customers and government partners. As a result, the threat was blocked across hundreds of Proofpoint customers and thousands of malicious messages were stopped from reaching users\' inboxes.
What we know about this threat
BEC attackers are often very strategic in their efforts to trick their intended targets. In this case, we know that the user was never targeted by this bad actor before. Additionally, we learned that:
The attacker spoofed a legitimate government user and proposal process. (The attacker spoofed the email address of a Federal Emergency Management Agency employee.)
The email was sent two weeks before the end of the U.S. government fiscal year; this is a time of high stress and high tempo throughout all government organizations and contractors.
The message contained no misspellings or other red flags signaling it might be a BEC attempt.
This incident underscores the value of consistent threat intelligence and user training and awareness. The swift action of one informed user helped Proofpoint to protect our customers from this BEC attack, as well as many other businesses and users.
Learn more
To learn about Proofpoint Security Awareness, see these resources.
Download this data sheet to find out more about Proofpoint Threat Intelligence Services.
And visit this page on the Proofpoint website to get details about our federal solutions.
In late September 2023, an unattributed business email compromise (BEC) actor sent thousands of highly targeted messages to at least 100 customers across Proofpoint. The attacker targeted individuals who had connections to the U.S. Department of Defense. The intended victims of th |
Threat | ★★★ | |
|
2023-11-30 07:23:34 | Améliorations aux solutions fédérales de preuvepoint: un nouveau moteur de détection AI / ML, mises à jour du tableau de bord TAP et plus Enhancements to Proofpoint Federal Solutions: A New AI/ML Detection Engine, Updates to the TAP Dashboard and More (lien direct) |
ProofPoint a fait plus d'investissements dans notre plate-forme de protection contre les menaces AEGIS cette année qui peut aider à soutenir nos clients et partenaires de nos agences fédérales dans leurs missions.Ce blog donne un aperçu de certaines de ces innovations et améliorations récentes.
Moteur comportemental de supernova
En octobre, nous avons commencé à déployer le moteur comportemental Supernova pour Proofpoint FedRamp Reptection Environments.Supernova est une pile de détection de pointe qui utilise l'intelligence artificielle avancée et l'apprentissage automatique pour arrêter les menaces en temps réel.
Non seulement Supernova arrête le spam, mais il protège également contre les menaces qui ne comptent pas sur des logiciels malveillants, comme les compromis par courrier électronique (BEC), la fraude des fournisseurs et les attaques de livraison d'attaques axées sur le téléphone (TOAD).Il détecte également les menaces basées sur les logiciels malveillants, comme les ransomwares.Et il analyse les messages de phishing avant la livraison afin qu'ils ne soient jamais livrés aux utilisateurs.
Le moteur comportemental Supernova utilise la langue, les relations, la cadence et le contexte pour détecter les anomalies et prévenir les menaces en temps réel en utilisant l'IA / ML.
Avec cette récente version, Supernova est désormais disponible pour tous les clients de la sécurité des e-mails de ProofPoint à travers le monde.Il s'agit d'une mise à niveau de pile de détection gratuite qui est intégrée dans notre plate-forme plus large.Vous pouvez en savoir plus sur le moteur comportemental Supernova ici.
Autres investissements de point de preuve qui profitent aux clients fédéraux
Supernova n'est pas le seul nouveau déploiement.Ce sont des améliorations de produits supplémentaires qui soutiennent la communauté du gouvernement fédéral et ses missions:
FedRamp Email Gateway (Proofpoint à la demande, alias FedPod).Nous avons mis à niveau FedPod pour aligner la parité des fonctionnalités plus étroitement avec nos environnements commerciaux.Cela comprend des améliorations des balises d'avertissement de messagerie de preuves et du cercle de confiance de ProofPoint.
Tableau de bord de protection contre les attaques ciblés par FedRamp (TAP).Désormais, le tableau de bord TAP comprend un résumé détaillé de la menace.Il présente des informations sur les menaces sur les principales menaces à l'échelle mondiale et au sein de votre agence ou de votre verticale.Ceci s'ajoute aux vulnérabilités et aux expositions courantes (CVE) que nous organisons à partir de nos analystes émergents des données de renseignement des menaces et des analystes de renseignements sur les menaces de preuve.
Solutions de point de preuve pour le gouvernement fédéral
Il existe des centaines de clients fédéraux qui utilisent des dizaines de solutions sur site et cloud de Proofpoint.Ce ne sont que quelques-uns:
Département américain de la défense
La base industrielle de la défense
La communauté du renseignement
Agences civiles fédérales
Intégrateurs de systèmes fédéraux
ProofPoint a obtenu la certification modérée FedRamp dans ces quatre solutions basées sur le cloud:
Protection de la protection des e-mails
ProofPoint Email Data Loss Prevention (DLP)
Tap de point de preuve
Archivage de preuves
Apprendre encore plus
Les missions de l'agence fédérale sont sous attaque constante.Et les agences sont confrontées à une tâche intimidante: ils doivent mettre en œuvre des mesures qui protègent les données vitales tout en permettent à leurs employés de réaliser leurs missions.Le point de preuve peut aider.
Pour plus de détails sur la façon dont Proofpoint aide à protéger les agences gouvernementales fédérales, consultez cette solution brève.Vous pouvez en savoir plus sur nos solutions gouvernementales ici.
Proofpoint has made more investments in our Aegis threat protection platform this year that can help support our federal agency customer |
Ransomware Spam Malware Vulnerability Threat Industrial Cloud Commercial | ★★ | |
|
2023-11-30 06:00:38 | L'avenir de la conformité: suivre le rythme d'un paysage en constante évolution The Future of Compliance: Keeping Pace with an Ever-Changing Landscape (lien direct) |
Nothing stands still in cybersecurity-and that includes compliance. Just as new threats drive the need for new deterrents, new technologies and evolving business practices drive the need for greater oversight. Over the last few years, compliance, regulation and governance have begun evolving faster than we have seen for some time. This has been in response to rapid changes we\'ve seen ripple across industries caused by new technologies, like artificial intelligence (AI) and machine learning, and new ways of doing business launched in response to the pandemic. In this blog, we explore what has changed within the world of compliance over the last few years and where things are likely heading. On compliance trends Like many industries, compliance and regulation tend to follow market trends. If we go back a few years, we saw a raft of privacy legislation introduced in the wake of the European Union\'s introduction of the General Data Protection Regulation (GDPR). High profile events also tend to shift the attitudes of regulators. For example, financial services companies found themselves in the spotlight following the 2008 economic crash, while the auto industry faced similar scrutiny after the emissions scandal. During these times, regulators tend to turn their attention to enforcement, and they are willing to make an example of a company if that\'s what\'s needed to improve things. Over the years, many regulators have become much more aggressive in this area, expanding their scope and proactively applying their rules. Of course, technology drives regulatory change, too. The pandemic has recently accelerated the mass adoption of collaborative technologies and communication channels like Microsoft Teams, Zoom, Slack and many more. The availability and advancement of these channels have changed how we communicate and how we access and share data, both inside and outside of our organizations. In turn, compliance requirements have had to adapt to accommodate new ways of working. On AI and ML compliance Over the last two or three years, we have seen exciting advances in generative AI. But it has also made possible some fundamental capabilities that will become incredibly important. For example, in a world with so many claims of fake news and misrepresentation, the ability to retain immutable records is a big deal. “Immutable” effectively means that something cannot be changed and cannot be hacked. This is huge not just from a source of truth perspective but also regarding reproducibility. As we use AI tools en masse, questions will be asked about why specific systems are making certain decisions. Is AI discriminating against specific ZIP codes, for example? And if not, can those in charge of these systems prove that? In many cases, doing so will take work. AI could be better at explaining how it gets to its decisions. In order to do so, businesses will need to return to the original, immutable data. And as they become increasingly information-intensive, getting back to that source data sets a high bar of capability. AI\'s ability to process vast data sets will also raise concerns around testing. Before any organization puts a system or platform into the world, potential users want to be confident that it has been suitably tested. But even if a company spends millions of dollars testing a system, it will still sometimes fail-and errors will get through. In the past, we could accept a failure rate of, say, one in a million. But today\'s software is much more complex than anything we\'ve been able to produce in the past. So, a one-in-a-million failure rate in a system running 100, 200 or 300 million events in a day quickly adds up to widespread failures. Regulators will need to iron out how they intend to protect consumers and the markets from issues like these and set clear guidelines regarding who, ultimately, is accountable. On the future of compliance Current trends are likely to continue to drive the development of compliance management. Currently, we\'re seeing a lot of instability. While t | Tool Legislation | ★★ | |
|
2023-11-28 23:05:04 | Prédictions 2024 de Proofpoint \\: Brace for Impact Proofpoint\\'s 2024 Predictions: Brace for Impact (lien direct) |
In the ever-evolving landscape of cybersecurity, defenders find themselves navigating yet another challenging year. Threat actors persistently refine their tactics, techniques, and procedures (TTPs), showcasing adaptability and the rapid iteration of novel and complex attack chains. At the heart of this evolution lies a crucial shift: threat actors now prioritize identity over technology. While the specifics of TTPs and the targeted technology may change, one constant remains: humans and their identities are the most targeted links in the attack chain. Recent instances of supply chain attacks exemplify this shift, illustrating how adversaries have pivoted from exploiting software vulnerabilities to targeting human vulnerabilities through social engineering and phishing. Notably, the innovative use of generative AI, especially its ability to improve phishing emails, exemplifies a shift towards manipulating human behavior rather than exploiting technological weaknesses. As we reflect on 2023, it becomes evident that cyber threat actors possess the capabilities and resources to adapt their tactics in response to increased security measures such as multi-factor authentication (MFA). Looking ahead to 2024, the trend suggests that threats will persistently revolve around humans, compelling defenders to take a different approach to breaking the attack chain. So, what\'s on the horizon? The experts at Proofpoint provide insightful predictions for the next 12 months, shedding light on what security teams might encounter and the implications of these trends. 1. Cyber Heists: Casinos are Just the Tip of the Iceberg Cyber criminals are increasingly targeting digital supply chain vendors, with a heightened focus on security and identity providers. Aggressive social engineering tactics, including phishing campaigns, are becoming more prevalent. The Scattered Spider group, responsible for ransomware attacks on Las Vegas casinos, showcases the sophistication of these tactics. Phishing help desk employees for login credentials and bypassing MFA through phishing one-time password (OTP) codes are becoming standard practices. These tactics have extended to supply chain attacks, compromising identity provider (IDP) vendors to access valuable customer information. The forecast for 2024 includes the replication and widespread adoption of such aggressive social engineering tactics, broadening the scope of initial compromise attempts beyond the traditional edge device and file transfer appliances. 2. Generative AI: The Double-Edged Sword The explosive growth of generative AI tools like ChatGPT, FraudGPT and WormGPT bring both promise and peril, but the sky is not falling as far as cybersecurity is concerned. While large language models took the stage, the fear of misuse prompted the U.S. president to issue an executive order in October 2023. At the moment, threat actors are making bank doing other things. Why bother reinventing the model when it\'s working just fine? But they\'ll morph their TTPs when detection starts to improve in those areas. On the flip side, more vendors will start injecting AI and large language models into their products and processes to boost their security offerings. Across the globe, privacy watchdogs and customers alike will demand responsible AI policies from technology companies, which means we\'ll start seeing statements being published about responsible AI policies. Expect both spectacular failures and responsible AI policies to emerge. 3. Mobile Device Phishing: The Rise of Omni-Channel Tactics take Centre Stage A notable trend for 2023 was the dramatic increase in mobile device phishing and we expect this threat to rise even more in 2024. Threat actors are strategically redirecting victims to mobile interactions, exploiting the vulnerabilities inherent in mobile platforms. Conversational abuse, including conversational smishing, has experienced exponential growth. Multi-touch campaigns aim to lure users away from desktops to mobile devices, utilizing tactics like QR codes and fraudulent voice calls | Ransomware Malware Tool Vulnerability Threat Mobile Prediction Prediction | ChatGPT ChatGPT | ★★★ |
|
2023-11-28 06:05:24 | Proofpoint nomme Sumit Dhawan en tant que directeur général Proofpoint Appoints Sumit Dhawan as Chief Executive Officer (lien direct) |
Nous sommes ravis d'annoncer que Sumit Dhawan a été nommé chef de la direction de Proofpoint \\, avec effet immédiat.R & eacute; Mi Thomas, directeur financier de Proofpoint \\ qui agit en tant que PDG par intérim de Proofpoint \\ depuis le 25 octobre, continuera de servir de CFO de la société \\.
Sumit est un leader technologique très respecté et chevronné avec un historique éprouvé de la construction de la sécurité du marché, des entreprises cloud et de l'informatique de l'utilisateur final.Dans son dernier rôle en tant que président de VMware, Sumit était chargé de générer plus de 13 milliards de dollars de revenus et a dirigé les fonctions de mise sur le marché de la société, y compris les ventes mondiales, la réussite et l'expérience des clients, l'écosystème stratégique, les solutions de l'industrie, le marketinget communications.
Avant VMware, il était chef de la direction d'Instart, une entreprise de cybersécurité fournissant des services de sécurité des applications Web innovants.Ayant occupé des postes de direction et de gestion générale chez VMware et Citrix, Sumit apporte plus de 25 ans d'expérience dans la construction d'entreprises de catégorie de catégorie à grande échelle.
Commentant sa nomination, Sumit a déclaré: «Au fil des ans, Proofpoint a construit une entreprise exceptionnelle et est fiable par certaines des principales organisations du monde en tant que partenaire de cybersécurité de choix.Je suis honoré de rejoindre un leader à la pointe de l'innovation de la cybersécurité et de diriger son engagement continu et inébranlable à aider les organisations à travers le monde à protéger les personnes et à défendre les données. »
Seth Boro, associé directeur de Thoma Bravo, a ajouté: «Le conseil d'administration de Proofpoint ne pourrait pas être plus excité de s'associer à Sumit alors qu'il rejoint Proofpoint pour inaugurer une nouvelle étape de croissance.Sumit apporte une richesse d'expérience et d'expertise précieuses dans la construction d'entreprises et d'entreprises à l'échelle de catégories.Nous sommes convaincus que sa passion centrée sur le client et son fort héritage de leadership continueront de poursuivre la mission de Proofpoint \\ pour fournir des solutions de cybersécurité axées sur les personnes qui traitent de certains des risques les plus difficiles auxquels sont confrontés les organisations aujourd'hui. »
Vous pouvez lire l'annonce de Proofpoint \\ à propos de ce rendez-vous ici.
We are delighted to announce that Sumit Dhawan has been appointed as Proofpoint\'s chief executive officer, effective immediately. Rémi Thomas, Proofpoint\'s chief financial officer who has been acting as Proofpoint\'s interim CEO since October 25th, will continue to serve as the company\'s CFO. Sumit is a highly respected and seasoned technology leader with a proven track record of building market-leading security, cloud and end-user computing businesses. In his most recent role as president of VMware, Sumit was responsible for driving over $13B of revenue and led the company\'s go-to-market functions including worldwide sales, customer success and experience, strategic ecosystem, industry solutions, marketing, and communications. Before VMware, he was chief executive officer of Instart, a cybersecurity business delivering innovative web application security services. Having held senior executive and general management roles at both VMware and Citrix, Sumit brings over 25 years of experience building category-leading businesses at scale. Commenting on his appointment, Sumit said: “Over the years, Proofpoint has built an exceptional company and is trusted by some of the world\'s leading organizations as their cybersecurity partner of choice. I\'m honored to join a leader at the forefront of cybersecurity innovation and to shepherd its continuing and unwavering commitment to helping organizations across the globe protect people and defend data.” Seth Boro, managing partner at |
Cloud | ★★ | |
|
2023-11-27 09:26:51 | 8 sujets essentiels de cybersécurité à inclure dans votre programme de formation 8 Essential Cybersecurity Topics to Include in Your Training Program (lien direct) |
Your employees have a critical role to play as a first line of defense against cyberthreats. But to be effective, they need to know what those threats are-and stay apprised of how they\'re evolving. A comprehensive security awareness program is the key to helping your users grow their understanding of attackers\' methods and objectives so they can become more proactive defenders. That includes knowing what strategies malicious actors employ to manipulate people so they can use them to enable their campaigns. The importance of security awareness It\'s well worth taking the time to craft a meaningful and engaging security awareness program. By presenting the right mix of information to your users in a compelling way, you can empower them to help you improve your organization\'s security posture as well as create a more robust security culture overall. The cybersecurity topics that you include in your program should be relevant to your business and industry, of course. Companies face different cyberthreat challenges and regulatory compliance requirements related to data protection and data privacy. That said, there are several subjects that almost any modern business, regardless of its industry, will want to ensure its employees understand. We list eight of these cybersecurity topics below. They are the go-to approaches and tools that attackers around the world commonly use to compromise users and their accounts, disrupt normal business operations, steal money or data, and do other damage. Here\'s a high-level overview of these eight must-know cybersecurity topics: 1. Social engineering Social engineering is a collection of techniques malicious actors use to manipulate human psychology. Attackers rely on these strategies to trick or threaten users to take actions such as giving up account credentials, handing over sensitive data, running malicious code and transferring funds. They do this by taking advantage of users\': Emotions, by conveying a sense of urgency, generating excitement about an opportunity, or creating fear around losing money or doing something wrong Trust, by posing as someone familiar to the user or a trusted brand or authority-such as the Internal Revenue Service (IRS), UPS, Amazon or Microsoft Fatigue, by timing attacks when users are likely to be tired or distracted and more inclined to let their “emotional mind” guide their decision-making Common social engineering tactics include phishing-which we cover in the next section-and these others: Social media reconnaissance. Attackers often turn to social media to gather information about users that they target with their campaigns. These efforts can include direct outreach to users. Vishing (voice phishing) and smishing (SMS/text phishing). Vishing is the fraudulent practice of making phone calls or leaving voice messages purporting to be from a trusted brand or authority. With smishing, attackers use text messages to send SMS messages to users or robocall them. The messages often promise gifts or services in exchange for payment. Telephone-oriented attack delivery (TOAD). TOAD attacks start with an email that claims to be from a legitimate source and includes a phone number for customer assistance. Callers are connected to fake customer service representatives who then direct the victim through the attack. They may instruct the victim to let them access their machine remotely or download a file that turns out to be malware. Or they might direct them to a phishing site. Common sense can go a long way toward preventing a social engineering attack. Make sure to reiterate that if a message seems too good to be true, it\'s very likely a scam. And if something doesn\'t look or sound right, it probably isn\'t. 2. Phishing Phishing is an example of social engineering. Most phishing messages are sent by email. But some attackers deliver these messages through other methods, including smishing and vishing. Here are some typical strategies: Malicious links. When a user clicks on a | Ransomware Malware Tool Vulnerability Threat Mobile Cloud | Uber Uber | ★★ |
|
2023-11-21 08:35:02 | Prévenir les attaques de fatigue du MFA: sauvegarder votre organisation Preventing MFA Fatigue Attacks: Safeguarding Your Organization (lien direct) |
Gaining access to critical systems and stealing sensitive data are top objectives for most cybercriminals. Social engineering and phishing are powerful tools to help them achieve both. That\'s why multifactor authentication (MFA) has become such an important security measure for businesses and users. Without MFA as part of the user authentication process, it is much less challenging for an attacker with stolen credentials to authenticate a user\'s account. The primary goal of MFA is to reduce the risk of unauthorized access, especially in situations where passwords alone may not provide enough protection. Even if an attacker steals a user\'s password, with MFA they still need the second factor (and maybe others) to gain access to an account. Examples of MFA factors include biometrics, like fingerprints, and signals from user devices, like GPS location. MFA isn\'t a perfect solution, though-it can be bypassed. Adversaries are relentless in their efforts to undermine any security defenses standing in the way of their success. (The evolution of phish kits for stealing MFA tokens is evidence of that.) But sometimes, attackers will choose to take an in-your-face approach that is not very creative or technical. MFA fatigue attacks fall into that category. What are MFA fatigue attacks-and how do they work? MFA fatigue attacks, also known as MFA bombing or MFA spamming, are a form of social engineering. They are designed to wear down a user\'s patience so that they will accept an MFA request out of frustration or annoyance-and thus enable an attacker to access their account or device. Many people encounter MFA requests daily, or even multiple times per day, as they sign-in to various apps, sites, systems and platforms. Receiving MFA requests via email, phone or other devices as part of that process is a routine occurrence. So, it is logical for a user to assume that if they receive a push notification from an account that they know requires MFA, it is a legitimate request. And if they are very busy at the time that they receive several push notifications in quick succession to authenticate an account, they may be even more inclined to accept a request without scrutinizing it. Here\'s an overview of how an MFA attack works: A malicious actor obtains the username and password of their target. They can achieve this in various ways, from password-cracking tactics like brute-force attacks to targeted phishing attacks to purchasing stolen credentials on the dark web. The attacker then starts to send MFA notifications to the user continuously, usually via automation, until that individual feels overwhelmed and approves the login attempt just to make the requests stop. (Usually, the push notifications from MFA solutions require the user to simply click a “yes” button to authenticate from the registered device or email account.) Once the attacker has unauthorized access to the account, they can steal sensitive data, install malware and do other mischief, including impersonating the user they have compromised-taking their actions as far as they can or want to go. 3 examples of successful MFA fatigue attacks To help your users understand the risk of these attacks, you may want to include some real-world examples in your security awareness program on this topic. Here are three notable incidents, which are all associated with the same threat actor: Uber. In September 2022, Uber reported that an attacker affiliated with the threat actor group Lapsus$ had compromised a contractor\'s account. The attacker may have purchased corporate account credentials on the dark web, Uber said in a security update. The contractor received several MFA notifications as the attacker tried to access the account-and eventually accepted one. After the attacker logged in to the account, they proceeded to access other accounts, achieving privilege escalation. One action the attacker took was to reconfigure Uber\'s OpenDNS to display a graphic image on some of the company\'s internal sites. Cisco. Cisco suffer | Ransomware Data Breach Malware Tool Threat Technical | Uber | ★★★ |
|
2023-11-17 12:01:12 | Démystifier l'IA et ML: six questions critiques à poser à votre fournisseur de cybersécurité Demystifying AI and ML: Six Critical Questions to Ask Your Cybersecurity Vendor (lien direct) |
As cyber threats continue to evolve at an unprecedented pace, many organizations are turning to artificial intelligence (AI) and machine learning (ML) in hopes of keeping up. While these advanced technologies hold immense promise, they\'re also more complex and far less efficient than traditional threat detection approaches. The tradeoff isn\'t always worth it. And not all AI and ML processes are created equal. The models used, the size and quality of the data sets they\'re trained on-and whether an advanced computational process is suitable for the problem at hand-are all critical factors to consider when deciding how both AI and ML fit into your cybersecurity strategy. In this blog post, we explore the vital questions you should ask your cybersecurity vendor about these technologies. We will also demystify their role in safeguarding your people, data and environment. Note: Though often conflated, AL and ML are related but distinct concepts. For simplicity, we\'re using AI when discussing the broader technology category and ML to discuss narrower learning models used in AI. Question 1: Why is AI suitable for this security problem? You\'ve probably heard the old saying that when your only tool is a hammer, every problem looks like a nail. While AI has rightly generated enthusiasm in cybersecurity, it may not be the optimal approach to every task. On one hand, the technologies can help analyze large amounts of data and find anomalies, trends and behaviors that indicate potential attacks. And the technologies can automate response and mitigation of security incidents. But depending on the size and complexity of the learning model, they can also be computationally intensive (read: expensive) to maintain. And worse, execution time can be much longer than less complex approaches such as rules and signatures. On the other hand, rules and signatures are static, so they don\'t automatically evolve to detect new threats. But they\'re also fast, easy on computing resources and highly effective for certain aspects of threat detection. Other signals, such as email sender reputation and IP addresses, can also be as effective as AI for many detections-and in most cases are faster and much more cost-effective. Getting AI right starts with understanding what cybersecurity tasks they\'re best suited to and applying them to the right problems. In the same vein, how the technology is applied matters. In cybersecurity, every second counts. Making decisions in real time and blocking malicious content before it can be delivered is today\'s key challenge. If the processing time of the vendor\'s AI means the technology is relegated solely to post-delivery inspection and remediation, that\'s a major drawback. Question 2: Where do you get your training data? The performance of ML models hinges on the source and quality of their data. That\'s because AI models learn from examples and patterns, not rules. And that requires a large amount of data. The more data, and the higher the quality of that data, the better the model can learn and generalize to new conditions. Like any ML model, those used in cybersecurity need a wide-ranging, diverse data set that accurately reflects the real world. Or more precisely, the data used to train your vendor\'s AI model should reflect your world-the threats targeting your organization and users. Finding data for general-purpose AI applications is easy. It\'s all over the internet. But threat data-especially data well-suited for the type of ML model the vendor intends to use- is scarcer. Gaining malware samples is a lot harder than acquiring data used in applications such as image and natural language processing. First, not much attack data is publicly available. Most security vendors hold on tightly to the threat data they collect, and for good reason. Beyond the obvious competitive advantages it offers, threat data is sensitive and comes with a bevy of privacy concerns. As a result, few cybersecurity vendors have a dataset large enough to trai | Malware Tool Vulnerability Threat | ★★ | |
|
2023-11-16 14:15:19 | Informations exploitables: simplifier l'explication des menaces via le résumé de la condamnation Actionable Insights: Simplifying Threat Explainability via the Condemnation Summary (lien direct) |
In this blog series we cover how to improve your company\'s security posture with actionable insights. Actionable insights are a critical tool to help you improve your security posture and stop initial compromise in the attack chain. You can use them to identify and respond to potential risks, enhance your incident response capabilities, and make more informed security decisions. In previous actionable insights blog posts, we covered these topics: People risk Origin risk Business email compromise (BEC) risk Ensuring proper risk context Risk efficacy Telephone-oriented attack delivery (TOAD) risk Threat intelligence Your risk profile In this post, we are excited to announce the new TAP Condemnation Summary-which is available to all Proofpoint Targeted Attack Protection (TAP) customers who use the Proofpoint Aegis threat protection platform. We\'ll explain why it is an invaluable resource and we\'ll explore some of its key reports. Threat explainability: Introducing the Condemnation Summary In the ever-evolving cybersecurity landscape, clear communication and rapid understanding of email threats are essential. Proofpoint introduced the Condemnation Summary to enhance threat visibility and explain-in plain, everyday language-why a particular threat is condemned. The summary makes it easier for both technical and nontechnical users to comprehend email threats. You can find the TAP Condemnation Summary in the Evidence section of the threat details page for any individual threat within your Aegis platform. Let\'s explore how this new feature can help your business. Insights: What you can learn from the Condemnation Summary The Condemnation Summary helps demystify email threats and streamline the decision-making process for threat remediation. Here\'s what you can expect from this innovative feature. User and VIP insights The Condemnation Summary includes a highlights card that spotlights impacted users and VIPs. With drilldown options and actionable items, you can quickly determine who is affected. You can use these insights to understand the steps you need to take to mitigate the threat. Details about affected users shown in the Condemnation Summary. Threat state overview This section of the summary breaks down the state of the threat or campaign, complete with timestamps. A chronological view provides you with a clear understanding of how the threat evolved, so you can assess its severity and impact. The threat state overview section in the Condemnation Summary. User-friendly descriptions The Condemnation Summary offers high-level observations from our behavioral and machine learning detection layers. Threats are described in everyday language. So nontechnical users can better grasp the nature of a threat and its potential consequences. High-level observations in plain language in the Condemnation Summary. Source attribution It\'s helpful to understand where a threat originated. Condemnation Sources gives you insight into which sources contributed to the detection and condemnation of the threat. The Condemnation Sources section in the Condemnation Summary. Targeted controls: Taking action The Condemnation Summary isn\'t just a feature for visibility or explainability. It\'s a tool for action. Here\'s how to make the most of this new feature: Mitigate threats faster. With user and VIP insights, you can respond promptly to threats that are impacting specific individuals. Take immediate actions to protect these users and mitigate risks. Improve your communication about threats. The user-friendly descriptions in the Condemnation Summary make it easier to communicate threat details to nontechnical stakeholders. This, in turn, helps to foster better collaboration around security across your business. See how threats evolve. When you have a timeline of a threat\'s progression, you can assess how a threat evolved and whether it is part of a broader campaign. Track where threats come from. It is cruci | Tool Threat Technical | ★★★ | |
|
2023-11-16 07:00:00 | Patrick Joyce rejoint la preuve en tant que résident mondial CISO Patrick Joyce Joins Proofpoint as Global Resident CISO (lien direct) |
Nous sommes ravis d'accueillir Patrick Joyce, un véritable leader de l'industrie, qui servira de responsable de la sécurité en chef de l'information résidente de Proofpoint \\ (RCISO).Dans ce rôle, Patrick agira en tant que conseiller stratégique de la Communauté du Greater Ciso et se fermera le comité consultatif client de Customer Point de Ciso (CAB).
Alors que certaines sociétés de cybersécurité offrent des ressources et une valeur supplémentaire à leurs clients grâce à un CISO interne, l'objectif est généralement de vendre leurs produits de leur entreprise.Chez ProofPoint, notre RCISO agit comme une liaison, une collègue, un mentor et des ressources à la grande communauté de Ciso, axée uniquement sur les besoins de sécurité des CISO des clients en fournissant des conseils, des connaissances et une formation impartiaux pour aider les CISOChanger le paysage des menaces.
Patrick est un leader d'opinion reconnu dans l'industrie de la cybersécurité, et son vaste expertise sera un atout précieux pour aider nos clients à briser la chaîne d'attaque, les protégeant des cyber-risques et menaces les plus sophistiqués d'aujourd'hui.En tant que praticien de cybersécurité très respecté avec plus de 30 ans d'expérience dans le domaine de l'informatique et de la sécurité, Patrick apporte une richesse de connaissances à ce rôle essentiel;Plus récemment, il a été vice-président et chef de la sécurité (CSO et CISO) pour Medtronic, une entreprise de MedTech Fortune 500, où il était responsable de la direction des stratégies, opérations et initiatives mondiales de la société de la société.Avant de rejoindre Medtronic, Patrick a occupé des postes de direction dans des organisations du secteur public et privé à travers plusieurs verticales, notamment des soins de santé (fournisseur et payeur), des voyages / hospitalités et du conseil informatique.Il a également été officier dans l'US Air Force et dans la communauté du renseignement américain.
Patrick a une solide référence de la création de partenariats de confiance et de collaborations en réunissant des pairs et d'autres hauts dirigeants pour relever les défis communs dans le secteur privé et diverses agences gouvernementales.Il siège également aux conseils d'administration de l'industrie et présente ses conseils et son expertise sur les forums privés et publics.Par exemple, il a siégé au conseil d'administration du Healthcare Information Shart & Analysis Center (H-ISAC), créé par la directive présidentielle américaine pour gérer le cyber-risque à travers les infrastructures critiques, ainsi que les conseils d'administration de la Minnesota Technology Association (Mntech), laLe comité d'audit du programme national des donateurs de Marrow ou \\ 'être le match \', et le comité d'audit et de risque du système de santé d'Allina.
En plus de ses réalisations en tant que partenaire commercial et conseiller de confiance, Patrick est également connu pour son approche de bon sens, son leadership calme et minutieux, son bon jugement et sa capacité à communiquer efficacement à tous les niveaux.
Nous sommes ravis d'accueillir Patrick à Proofpoint et nous sommes impatients de présenter Patrick aux CISO à travers le monde au cours des semaines et des mois à venir.
We are thrilled to welcome Patrick Joyce, a veritable industry leader, who will serve as Proofpoint\'s Global Resident Chief Information Security Officer (RCISO). In this role, Patrick will act as a strategic advisor to the greater CISO community and spearhead Proofpoint\'s Customer Advisory Board (CAB). While some cybersecurity companies offer resources and additional value to their customers through an internal CISO, the goal is typically to sell their company\'s products. At Proofpoint, our RCISO acts as a liaison, colleague, mentor and resource to the greater CISO community, focused solely on the security needs of customer CISOs by delivering unbiased advice, knowledge and training to help CISOs stay ahead of t |
Threat | ★★ | |
|
2023-11-14 05:00:49 | TA402 utilise des chaînes d'infection Ironwind complexes pour cibler les entités gouvernementales à base de Moyen-Orient TA402 Uses Complex IronWind Infection Chains to Target Middle East-Based Government Entities (lien direct) |
Points clés à retenir De juillet à octobre 2023, des chercheurs de PROVELPOINT ont observé que TA402 s'engage dans des campagnes de phishing qui ont livré un nouveau téléchargeur d'accès initial surnommé Ironwind.Le téléchargeur a été suivi par des étapes supplémentaires qui consistaient à ShellCode téléchargé. Au cours de la même période, TA402 a ajusté ses méthodes de livraison, passant de l'utilisation de liens Dropbox à l'utilisation des pièces jointes XLL et RAR, susceptibles d'échapper aux efforts de détection. Cet acteur de menace s'est toujours engagé dans une activité extrêmement ciblée, poursuivant moins de cinq organisations avec une seule campagne.Ils ont également maintenu un fort accent sur les entités gouvernementales basées au Moyen-Orient et en Afrique du Nord. Proofpoint a suivi TA402 depuis 2020. Nos chercheurs évaluent l'acteur de menace est un groupe de menace persistante avancée (APT) du Moyen-Orient qui a historiquement opéré dans l'intérêt des territoires palestiniens et chevauche des rapports publics sur MoleratS, Gaza Cybergang, Frankenstein et Wirte. Aperçu À la mi-2023, les chercheurs de la preuve ont d'abord identifié TA402 (Molerats, Gaza CyberActivité Gang, Frankenstein, Wirte) Utilisant une chaîne d'infection labyrinthique pour cibler les gouvernements du Moyen-Orient avec un nouveau point de téléchargeur d'accès initial surnommé Ironwind.De juillet à octobre 2023, TA402 a utilisé trois variations de cette infection des liens de chair de chaîne, des pièces jointes de fichiers XLL et des pièces jointes RAR-avec chaque variante conduisant constamment au téléchargement d'une DLL contenant les logiciels malveillants multifonctionnels.Dans ces campagnes, TA402 a également été éloigné de son utilisation de services cloud comme l'API Dropbox, que les chercheurs à preuves ont observés dans l'activité de 2021 et 2022, à l'utilisation d'infrastructures contrôlées par acteur pour la communication C2. Fin octobre 2023, les chercheurs de PEOTPOINT n'avaient observé aucun changement dans le ciblage par TA402, un groupe APT qui a historiquement opéré dans l'intérêt des territoires palestiniens, ni identifié aucune indication d'un mandat modifié malgré le conflit actuel dans la région.Il reste possible que cet acteur de menace redirige ses ressources à mesure que les événements continuent de se dérouler. Détails de la campagne et Ironwind Activité de juillet 2023: En juillet 2023, des chercheurs de Pointpoint ont observé le premier de la nouvelle chaîne d'infection plus compliquée de TA402 \\ par rapport à l'activité de la campagne antérieure de 2021 et 2022 (figures 1 et 2). Figure 1. Chaîne d'infection TA402 utilisée de novembre 2021 à janvier 2022. Figure 2. Chaîne d'infection TA402 utilisée dans la campagne de juillet 2023. TA402 s'est engagé dans une campagne de phishing en utilisant un compte de messagerie compromis du ministère des Affaires étrangères pour cibler les entités gouvernementales du Moyen-Orient.Les e-mails ont utilisé un leurre d'ingénierie sociale sur le thème économique ("برنامج التعاون الإقتصاDE avec les pays du Golfe Cooperation Council 2023-2024ies of the Gulf Cooperation Council 2023-2024 "]) Pour livrer un lien drobox qui a téléchargé un fichier Microsoft Powerpoint Microsoft Powerpoint (PPAM)..exe, et GathernetworkInfo.vbs. timeout.exe a été utilisé pour la localisation de Sideload Ironwind.Au moment de l'analyse en août 2023. Les chercheurs de points de preuve ont observé TA402 en train de tirer parti de Dropbox pour la livraison de logiciels malveillants depuis au moins décembre 2021. Après avoir reçu la demande HTTP GET, le C2 a répondu avec Shellcode qui représentait la troisième étape de la chaîne d'infection.Pendant l'analyse de Proofpoint \\, le shellcode a utilisé des chargeurs .net réfléchissants pour mener des requêtes WMI.Le Shellcode a également servi de chargeur polyvalent, téléchargeant l'exécutable .NET de | Malware Threat Cloud | ★★ |
To see everything:
Our RSS (filtrered)
