Proofpoint News

2019 Novel Coronavirus and COVID-19 Themed Attacks Dominate Threat Landscape

Cybercriminals are now almost exclusively conducting 2019 Novel Coronavirus and COVID-19 themed-campaigns according to a new report published by Proofpoint. 80% of all threats identified by the firm are coronavirus or COVID-19 related.

The recent analysis was performed on more than half a million email messages, 300,000 malicious URLs, and over 200,000 malicious email attachments. Proofpoint researchers identified more than 140 phishing and malware distribution campaigns and report that the number of active campaigns continues to rise. The coronavirus theme spans virtually every possible threat, with COVID-19 campaigns being conducted by small players to the most prolific APT groups. The email campaigns are diverse and frequently change and Proofpoint researchers believe the diverse nature of attacks will continue and attacks will likely increase.

A report from Check Point tells a similar story. In mid-February, Check Point was seeing a few hundred coronavirus-themed malware attacks a day, but by late March the average number of attacks had increased to 2,600 a day, with 5,000 attacks taking place on March 28, 2020. These attacks involved emails with “Corona” or “COVID” in the email subject line or in the name of an email attachment, or emails that linked to a domain or URL containing those words.

In the past two weeks alone, Check Point Research reports, more than 30,000 domain names related to the coronavirus or COVID-19 have been registered. While only 0.4% of those domains have been confirmed as malicious, 9% were suspicious, and many more could be used by cybercriminals in the near future for phishing, malware distribution, or fraud. The researchers note that more than 51,000 coronavirus-related domains have been registered since mid-January.

An analysis of online threats by Cloudflare revealed there has been a 6-fold increase in online threats over the past month, with hacking and phishing attacks up 37% month-over-month. Barracuda Networks reports there has been a 600% increase in phishing attacks since the end of February and notes a rise in impersonation scams and business email compromise scams.

The FBI has already issued warnings about coronavirus and COVID-19-themed phishing scams and a further alert was issued on April 1, 2020 warning of the threat of attacks on software and computer systems being used to support at-home workers. The increase in the number of at-home workers during the 2019 Novel Coronavirus pandemic has seen many turn to teleconferencing and telework solutions to maintain contact with employers, colleagues and customers.

Cybercriminals are searching for exploitable vulnerabilities in virtual private network (VPN), telework, and teleconferencing solutions and the FBI anticipates increased exploits of vulnerabilities over the coming weeks. These attacks are being conducted to steal sensitive data and spread malware and ransomware.

1,200 complaints about COVID-19-related scams have been received and reviewed by staff at the FBI’s Internet Crime Complaint Center (IC3) as of March 30, 2020, and attacks have been reported on first responders and medical facilities tackling the COVID-19 crisis. The FBI has warned that these attacks will continue, and it is likely these threat actors will also start targeting individuals working from home.

“Carefully consider the applications you or your organization uses for telework applications, including video conferencing software and voice over Internet Protocol (VOIP) conference call systems,” warned the FBI in its April 1 alert. “Malicious cyber actors are looking for ways to exploit telework software vulnerabilities in order to obtain sensitive information, eavesdrop on conference calls or virtual meetings, or conduct other malicious activities.”

Echoing the findings of Barracuda Networks, the FBI has warned about BEC scams following several complaints from businesses that cybercriminals are conducting BEC attacks requesting payments be made early due to COVID-19. These scams see new account details provided for payments and changes to regular communication methods. Attempts are also being made to change direct deposit information for employees to divert payroll.

Many businesses have been forced into buying new portable devices to allow their employees to work from home, including purchasing devices from overseas or secondhand devices. The FBI warns that these devices carry a risk of having malware pre-installed, which could easily be transferred to business networks when employees connect remotely.

The post 2019 Novel Coronavirus and COVID-19 Themed Attacks Dominate Threat Landscape appeared first on HIPAA Journal.

Healthcare and Pharma Companies Targeted in HIV Test Phishing Campaign

Researchers at Proofpoint have identified a new phishing campaign targeting healthcare providers, insurance firms and pharmaceutical companies. The intercepted emails impersonate Vanderbilt University Medical Center and claim to include the results of a recent HIV test.

The emails have the subject line “Test result of medical analysis” and include an Excel spreadsheet attachment – named TestResult.xlsb – which the recipient must open to view the HIV test results. When the spreadsheet is opened, the user is advised the data is protected. To view the test result it is necessary to enable content. If content is enabled and macros are allowed to run, malware will be downloaded onto the user’s computer.

This is a relatively small-scale campaign being used to distribute the Koadic RAT, a program used by network defenders and pen testers to take control of a system. According to Proofpoint, Koadic is popular with nation state-backed hacking groups in Russia, China, and Iran. Koadic allows attackers to take control of a computer, install and run programs, and steal sensitive personal and financial data.

Proofpoint has also intercepted several Coronavirus-themed phishing emails in the past few weeks that are being used to distribute a range of malware variants including the Emotet Trojan, AZORult information stealer, the AgentTesla keylogger, and the NanoCore RAT. Several campaigns have been identified that use fake DocuSign, Office 365, and Adobe websites for harvesting credentials.

Several coronavirus-themed phishing lures have been identified. Many claim to offer further information about local COVID-19 cases or claim to include important information to prevent infection. One campaign claimed there was a vaccine and a cure for COVID-19 and it was being withheld by the government. Some of the phishing emails are extremely well written and are highly convincing and impersonate authorities on COVID-19 such as the World Health Organization (WHO) and the Centers for Disease Control and Prevention (CDC).

Researchers at Check Point have been tracking coronavirus-themed domains and report that more than 4,000 new coronavirus-themed domains have been registered since January 2020. 5% of those domains are suspicious and 3% have been confirmed as malicious and are being used in phishing campaigns or for malware distribution.

“Threat actors regularly use purported health information in their phishing lures because it evokes an emotional response that is particularly effective in tricking potential victims to open malicious attachments or click malicious links,” explained Proofpoint. “If you receive an email that claims to have sensitive health-related information, don’t open the attachments. Instead, visit your medical provider’s patient portal directly, call your doctor, or make an appointment to directly confirm any medical diagnosis or test results.”

The post Healthcare and Pharma Companies Targeted in HIV Test Phishing Campaign appeared first on HIPAA Journal.

Annual Cost of Insider Cybersecurity Incidents Has Risen 31% in 2 Years

The frequency of cybersecurity incidents caused by insiders has increased by 47% in the past two years and the average annual global cost of those cybersecurity incidents has increased by 31% over the same period, according to new research conducted by the Ponemon Institute. The average annual cost of insider incidents is now $11.45 million.

The research was conducted for the 2020 Cost of Insider Threats study on behalf of ObserveIT, a Proofpoint company. 964 IT and security professionals at 204 organizations in North America, Europe, Africa, the Middle East and Asia-Pacific were surveyed for the study.

Insider incidents were divided into three categories: Incidents that resulted from mistakes made by employees (negligent insiders); incidents deliberately caused by employees and contractors to harm the company (criminal insiders); and incidents involving the use of insiders’ login details to gain access to applications, systems, and data (credential insiders).

In the past 12 months, 4,716 insider incidents occurred. Incidents caused by credential insiders were the costliest to resolve. The average cost of credential insider attacks was $871,000 per incident and $2.79 million per year. Attacks by criminal insiders cost an average of $756,000 per incident and $4.08 million a year, and incidents caused by negligent insiders cost an average of $307,000 per incident and $4.58 million per year. Negligent insiders were behind 62% of incidents, 23% of incidents were attributed to credential insiders, and 14% were due to criminal insiders.

Organizations are spending 60% more dealing with insider incidents than they were three years ago, and costs have increased by 25% since 2018. The fastest rising cost is investigating insider incidents, with this cost center increasing by 86% in the past three years. The study revealed the highest cost is containing attacks, with an average organization cost of $211,533 per year.

On average it takes 77 days to contain an incident and the longer it takes, the higher the cost. Incidents that took less than 30 days to contain cost an average of $7.12 million and incidents that took longer than 90 days to contain cost an average of $13.71 million.

The cost of the incidents increases with the size of the company. Organizations with more than 75,000 employees faced the highest costs from insider incidents with an average of $17.92 million spent dealing with insider incidents in the past 12 months. Organizations with 500 or fewer employees spent an average of $7.68 million dealing with insider incidents.

The annual costs of insider incidents varied considerably by industry sector. Organizations in the financial services sector spent an average of $14.5 million in the past year on insider incidents and the lowest costs were in education and research, with annual costs of $8.85 million. The health and pharmaceutical sector spent an average of $10.81 million in the past year on insider incidents.

The post Annual Cost of Insider Cybersecurity Incidents Has Risen 31% in 2 Years appeared first on HIPAA Journal.

65% of U.S. Organizations Experienced a Successful Phishing Attack in 2019

The 2020 State of the Phish report from the cybersecurity firm Proofpoint shows 65% of U.S. organizations (55% globally) had to deal with at least one successful phishing attack in 2019.

For the report, Proofpoint drew data from a third-party survey of 3,500 working adults in the United States, United Kingdom, Australia, France, Germany, Japan, Spain along with a survey of 600 IT security professionals in those countries. Data was also taken from 9 million suspicious emails reported by its customers and more than 50 million simulated phishing emails in the past year.

Infosec professionals believe the number of phishing attacks remained the same or declined in 2019 compared to the previous year. This confirms what many cybersecurity firms have found: phishing tactics are changing, and cybercriminals are now focusing on quality over quantity.

Standard phishing may have declined, but spear phishing attacks are more common. 88% of organizations said they faced spear phishing attacks in 2019 and 86% said they faced business email compromise (BEC) attacks.

Phishing attacks are most commonly conducted via email, but phishing via SMS messages (smishing), social media sites, and voice phishing over the telephone (vishing) are also commonplace. 86% of respondents said they experienced a social media phishing attack in the past 12 months, 84% experienced a smishing attack, and 83% experienced a voice phishing attack.

Source: Proofpoint State of the Phish Report, 2020.

Proofpoint’s report indicates there has been a decline in ransomware attacks since 2017, but IT professionals reported an increase in ransomware infections via phishing emails. This is due to the rise in popularity of ransomware-as-a-service, which allows individuals without the skills to develop their own ransomware variants to conduct attacks using ransomware developed by others.

When a ransomware attack is suffered, paying the ransom does not guarantee recovery of encrypted data. Only 69% of companies that paid the ransom regained access to their data after the first payment. 7% were issued with further demands which they refused to pay, resulting in data loss. 2% paid those extra demands and regained access to their files, and 22% said they did not recover data encrypted in the attacks.

Layered defenses are essential for combatting the threat from phishing, malware, and ransomware, but Proofpoint points out that technical defenses only go so far. What is also required is regular security awareness training for the workforce.

“We recommend taking a people-centric approach to cybersecurity by blending organization-wide awareness training initiatives with targeted, threat-driven education. The goal is to empower users to recognize and report attacks,” said Joe Ferrara, senior vice president and general manager of security awareness training for Proofpoint.

95% of surveyed organizations said they provide security awareness training to the workforce and 94% of those that do provide training more frequently than once a year. The figures are good, but there is still considerable room for improvement. Only 60% of companies that provide training do so through formal cybersecurity education and 30% said they only provide training to a portion of their user base.

Training certainly appears to be having a positive effect, as there was a 67% increase in reported phishing emails in 2019 compared to 2018, so employees are taking training on board, are getting better at identifying threats, and are taking the correct action – reporting suspicious emails to their security teams.

The post 65% of U.S. Organizations Experienced a Successful Phishing Attack in 2019 appeared first on HIPAA Journal.

Proofpoint Q3 2019 Threat Report Shows Increase in RAT and Banking Trojan Activity

The Proofpoint Q3 2019 Threat Report has been released. The report provides insights into the main threats in Q3, 2019 and reveals the changing tactics, techniques, and procedures used by cybercriminals.

The data for the report comes from an analysis of more than 5 billion email messages, hundreds of millions of social media posts, and over 250 million captured malware samples.

The report reveals scammers now favor embedded hyperlinks over attachments for spreading malware. 88% of malicious emails that were used to install malware used malicious URLs. This tactic is preferred as it makes it easier to bypass email security defenses.

Proofpoint notes that ransomware still poses a significant threat, but it was noticeably absent from most email campaigns. Proofpoint suggests that the fall in the value of cryptocurrencies is making it harder for threat actors to monetize their ransomware campaigns. Greater rewards can be gained through other types of malware, such as remote access Trojans (RATs) and banking Trojans.

RATs and banking Trojans were the main malware threats in Q3, 2019, accounting for 15% and 45% of all malware attacks, up from 6% and 23% respectively from the previous quarter. The most common banking Trojans were The Trick (37%), IcedID (26%), Ursnif (20%) and Dridex (14%). The most commonly used RATs were FlawedAmmyy (45%), FlawedGrace (30%), NanoCore RAT (12%), and LimeRAT (5%).

In contrast to ransomware, these malware variants are much quieter, have persistence, and can be used for extended periods to steal data, send spam email, and mine cryptocurrencies. Downloaders accounted for 13% of the total malicious payloads, followed by botnets (12%), keyloggers (7%), and credential stealers (7%).

The change in spam stats can be attributed, in the main, to the disappearance of the Emotet botnet in May. Spamming activity did not recommence until the third week in September, which was the main reason why the total volume of malicious messages fell by 39% in Q3, 2019. Despite being absent for most of the quarter, the Emotet botnet still accounted for almost 12% of malicious payloads for the entire quarter.

Q3, 2019 saw an increase in web-based threats and malvertising redirects to exploit kits such as RIG and Fallout. A high percentage of traffic to the exploit kits came through the Keitaro traffic distribution system (TDS). Proofpoint notes that Keitaro abuse is driving the increase in exploit kit activity: Keitaro can also route traffic to legitimate websites when it detects sandbox signals, which prevents the malicious redirects from being detected. Confirming that HTTPS does not mean a website is genuine, 26% of malicious domains had valid SSL certificates, up from 20% in Q1, 2019.

Sextortion scams are still widely used. While these scams use social engineering techniques to scare people into making a payment, Proofpoint notes the emergence of malware that is capable of recording users’ online activities, which suggests that future campaigns may feature actual evidence of adult activity. That would greatly increase the attackers’ success rate.

One malware variant that has been tooled for this is PsiBot. PsiBot has had a new PornModule added. This module contains a list of words associated with adult content and monitors the open window titles in browsers. When there is a match, audio and video via the microphone and webcam are recorded and saved in an AVI file that is exfiltrated to the attacker’s C2.

The post Proofpoint Q3 2019 Threat Report Shows Increase in RAT and Banking Trojan Activity appeared first on HIPAA Journal.

Report Reveals the Most Common Cyber Threats Faced by Healthcare Organizations

A new report from Proofpoint offers insights into the cyber threats faced by healthcare organizations and the most common attacks that lead to healthcare data breaches.

Proofpoint’s 2019 Healthcare Threat Report highlights the ever-changing threat landscape and how the tactics used by cybercriminals are in a constant state of flux.

The study – conducted between Q2, 2018 and Q1, 2019 – shows how the malware variants used in attacks often change. Ransomware was a popular form of malware in Q2, 2018 and was used in many attacks on healthcare organizations, but ransomware incidents then dwindled rapidly as cybercriminals switched their attention to banking Trojans. For the remaining three quarters of the study period, banking Trojans were the malware variant of choice, although ransomware is now proving popular once again.

Proofpoint’s research shows banking Trojans were the biggest malware threat to healthcare organizations for the period of the study, accounting for 41% of malicious payloads delivered via email between Q2 2018 and Q1 2019. In Q1, 2019, the biggest threat came from the Emotet banking Trojan, which accounted for 60% of all malicious payloads.

While phishing attacks are a constant threat, malware attacks were more numerous over the period of study, although phishing attacks have increased considerably in 2019. Malware is often spread via email attachments, but URLs are also used to deliver malware. The embedded hyperlinks can direct users to phishing websites where credentials are stolen, but they can also send healthcare employees to websites where malware is silently downloaded. 77% of email-based attacks during the period of study used malicious URLs.

Malicious emails are more likely to be opened if the sender of the email is known to the recipient. 95% of targeted healthcare companies received emails that spoofed their own trusted domain and 100% of targeted healthcare companies had their domain spoofed in attacks on their patients and business partners.

On average, targeted healthcare organizations received 43 imposter emails in Q1, 2019, an increase of 300% from Q1, 2018. Those attacks saw an average of 65 members of staff attacked at each healthcare organization.

While the subjects of the emails were highly varied, most commonly the subject lines contained the words “urgent”, “payment”, or “request.” Those words were included in 55% of malicious emails. Malicious emails are most commonly sent during business hours when employees are at their desks, usually between 7am and 1pm, Monday to Friday.
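As an added illustration (not code from Proofpoint or HIPAA Journal) of how a mail gateway could turn the indicators reported here and in the HIV-test campaign above into triage rules: a From address that claims the organization's own domain but fails authentication, the “urgent”, “payment” and “request” subject words, a macro-enabled .xlsb attachment, and an embedded URL. The organization domain, the weights and thresholds, and the sample messages are all assumptions constructed for the example.

```python
"""Constructed triage example: score inbound email metadata for the
indicators the Proofpoint healthcare findings describe. ORG_DOMAIN, the
weights, the thresholds and SAMPLES are assumptions, not report data."""
import re
from dataclasses import dataclass, field
from email.utils import parseaddr

ORG_DOMAIN = "example-health.test"                 # assumed defending organization
SUBJECT_WORDS = ("urgent", "payment", "request")   # words in 55% of malicious subjects
MACRO_EXTS = (".xlsb", ".xlsm", ".docm")           # .xlsb as in the TestResult.xlsb lure


@dataclass
class Message:
    from_header: str            # raw From: header value, display name included
    subject: str
    auth_pass: bool             # gateway's SPF/DKIM/DMARC alignment result
    attachments: list = field(default_factory=list)
    has_url: bool = False


@dataclass
class Triage:
    score: int
    verdict: str
    findings: list


def sender_domain(from_header: str) -> str:
    """Domain of the address in a From: header, ignoring the display name."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower()


def triage(msg: Message) -> Triage:
    score, findings = 0, []
    # Own-domain spoof: From claims our domain but the message failed
    # authentication (seen at 95% of targeted healthcare organizations).
    if sender_domain(msg.from_header) == ORG_DOMAIN and not msg.auth_pass:
        score += 3
        findings.append("From spoofs own domain and fails authentication")
    for word in SUBJECT_WORDS:
        if re.search(rf"\b{word}\b", msg.subject, re.IGNORECASE):
            score += 1
            findings.append(f"subject keyword: {word}")
    for name in msg.attachments:
        if name.lower().endswith(MACRO_EXTS):
            score += 2
            findings.append(f"macro-enabled attachment: {name}")
    if msg.has_url:
        score += 1
        findings.append("embedded URL")
    verdict = "quarantine" if score >= 4 else "review" if score >= 2 else "deliver"
    return Triage(score, verdict, findings)


# Constructed samples: the HIV-test lure, an own-domain spoof, and benign internal mail.
SAMPLES = [
    Message("Vanderbilt University Medical Center <results@vumc-lookalike.test>",
            "Test result of medical analysis", True, ["TestResult.xlsb"]),
    Message("Accounts Payable <ap@example-health.test>",
            "Urgent: payment request", False, [], True),
    Message("HR <hr@example-health.test>", "Team meeting notes", True),
]


def run_samples() -> list:
    """Verdict for each constructed sample, in order."""
    return [triage(m).verdict for m in SAMPLES]


if __name__ == "__main__":
    for m in SAMPLES:
        t = triage(m)
        print(f"{t.verdict:10} score={t.score} {m.subject!r} {t.findings}")
```

The thresholds are deliberately coarse; in production the authentication result would come from the gateway's Authentication-Results header rather than a boolean, and a "review" verdict would route to an analyst rather than to the user.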

While spray and pray tactics are still used by cybercriminals to get their phishing emails and malware out to as many individuals as possible, many healthcare email attacks are much more targeted. Proofpoint analyzed email attacks at several healthcare organizations and found that some individuals are more targeted than others.

These “Very Attacked Persons” or VAPs include doctors/physicians, researchers, and admin staff at healthcare providers; customer support/sales staff, admin staff, and IT teams at health insurers; and executives, marketing employees, and logistics/sourcing and supply chain staff at pharma firms.

Shared email aliases used to request patient information or for patient portals received the most malicious emails. These email addresses have the potential to result in multiple malware infections and several responses to phishing emails.

Blocking these threats requires layered defenses. Anti-phishing and anti-malware solutions should be implemented to protect the email system, filtering controls are required to block web-based threats, anti-malware controls are required on endpoints, and employees must receive regular training to help them identify threats and condition them to take appropriate action when a suspicious email is received.

The post Report Reveals the Most Common Cyber Threats Faced by Healthcare Organizations appeared first on HIPAA Journal.