Proofpoint News

Proofpoint Q3 2019 Threat Report Shows Increase in RAT and Banking Trojan Activity

The Proofpoint Q3 2019 Threat Report has been released. The report provides insights into the main threats in Q3, 2019 and reveals the changing tactics, techniques, and procedures used by cybercriminals.

The data for the report comes from an analysis of more than 5 billion email messages, hundreds of millions of social media posts, and over 250 million captured malware samples.

The report reveals scammers now favor embedded hyperlinks over attachments for spreading malware. 88% of malicious emails that were used to install malware used malicious URLs. This tactic is preferred as it makes it easier to bypass email security defenses.

Proofpoint notes that ransomware still poses a significant threat, but it was noticeably absent from most email campaigns. Proofpoint suggests that the fall in the value of cryptocurrencies is making it harder for threat actors to monetize their ransomware campaigns. Greater rewards can be gained through other types of malware, such as remote access Trojans (RATs) and banking Trojans.

RATs and banking Trojans were the main malware threats in Q3, 2019, accounting for 15% and 45% of all malware attacks respectively, up from 6% and 23% in the previous quarter. The most common banking Trojans were The Trick (37%), IcedID (26%), Ursnif (20%) and Dridex (14%). The most commonly used RATs were FlawedAmmyy (45%), FlawedGrace (30%), NanoCore RAT (12%), and LimeRAT (5%).

In contrast to ransomware, these malware variants are much quieter, establish persistence, and can be used for extended periods to steal data, send spam email, and mine cryptocurrencies. Downloaders accounted for 13% of the total malicious payloads, followed by botnets (12%), keyloggers (7%), and credential stealers (7%).

The change in spam stats can be attributed, in the main, to the disappearance of the Emotet botnet in May. Spamming activity did not recommence until the third week in September, which was the main reason why the total volume of malicious messages fell by 39% in Q3, 2019. Despite being absent for most of the quarter, the Emotet botnet still accounted for almost 12% of malicious payloads for the entire quarter.

Q3, 2019 saw an increase in web-based threats and malvertising redirects to exploit kits such as RIG and Fallout. A high percentage of traffic to the exploit kits came through the Keitaro traffic distribution system (TDS). Proofpoint notes that Keitaro abuse is driving the increase in exploit kit activity. Keitaro can also route traffic to legitimate websites when it detects sandbox signals, which prevents the malicious redirects from being detected. Confirming that HTTPS does not mean a website is genuine, 26% of malicious domains had valid SSL certificates, up from 20% in Q1, 2019.

Sextortion scams are still widely used. While these scams use social engineering techniques to scare people into making a payment, Proofpoint notes the emergence of malware that is capable of recording users’ online activities, which suggests that future campaigns may feature actual evidence of adult activity. That would greatly increase the attackers’ success rate.

One malware variant that has been tooled for this is PsiBot. PsiBot has had a new PornModule added. This module contains a list of words associated with adult content and monitors the open window titles in browsers. When there is a match, audio and video via the microphone and webcam are recorded and saved in an AVI file that is exfiltrated to the attacker’s C2.

The post Proofpoint Q3 2019 Threat Report Shows Increase in RAT and Banking Trojan Activity appeared first on HIPAA Journal.

Report Reveals the Most Common Cyber Threats Faced by Healthcare Organizations

A new report from Proofpoint offers insights into the cyber threats faced by healthcare organizations and the most common attacks that lead to healthcare data breaches.

Proofpoint’s 2019 Healthcare Threat Report highlights the ever-changing threat landscape and how the tactics used by cybercriminals are in a constant state of flux.

The study – conducted between Q2, 2018 and Q1, 2019 – shows how the malware variants used in attacks often change. Ransomware was a popular form of malware in Q2, 2018 and was used in many attacks on healthcare organizations, but ransomware incidents then dwindled rapidly as cybercriminals switched their attention to banking Trojans. For the remaining three quarters of the study period, banking Trojans were the malware variant of choice, although ransomware is now proving popular once again.

Proofpoint’s research shows banking Trojans were the biggest malware threat to healthcare organizations for the period of the study, accounting for 41% of malicious payloads delivered via email between Q2 2018 and Q1 2019. In Q1, 2019, the biggest threat came from the Emotet banking Trojan, which accounted for 60% of all malicious payloads.

While phishing attacks are a constant threat, malware attacks were more numerous over the period of study, although phishing attacks have increased considerably in 2019. Malware is often spread via email attachments, but URLs are also used to deliver malware. The embedded hyperlinks can direct users to phishing websites where credentials are stolen, but they can also send healthcare employees to websites where malware is silently downloaded. 77% of email-based attacks during the period of study used malicious URLs.

Malicious emails are more likely to be opened if the sender of the email is known to the recipient. 95% of targeted healthcare companies received emails that spoofed their own trusted domain and 100% of targeted healthcare companies had their domain spoofed in attacks on their patients and business partners.

On average, targeted healthcare organizations received 43 imposter emails in Q1, 2019, an increase of 300% from Q1, 2018. Those attacks saw an average of 65 members of staff attacked at each healthcare organization.

While the subjects of the emails were highly varied, most commonly the subject lines contained the words “urgent”, “payment”, or “request.” Those words were included in 55% of malicious emails. Malicious emails are most commonly sent during business hours when employees are at their desks, usually between 7am and 1pm, Monday to Friday.
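The three patterns the report singles out (messages that spoof the organization’s own domain, the lure words “urgent”, “payment” and “request” in subject lines, and delivery through embedded URLs rather than attachments) map directly onto checks a mail gateway or SOC triage script can run on message metadata. The following is an added example written for this page; it is not Proofpoint’s or HIPAA Journal’s code and uses no data from the report. The protected domain `example-health.org`, the `Message` fields and the sample messages are all constructed for illustration. The example goes slightly beyond the text by using the DMARC result from the `Authentication-Results` header to decide whether a message claiming the organization’s own domain is genuinely aligned, since an SPF pass on its own only authenticates the envelope sender, not the visible From domain.

```python
"""Triage inbound mail metadata for the attack patterns described above:
own-domain spoofing, lure words in the subject, and URL-based delivery.
Added example with constructed data; not code from the report or its authors."""
import re
from dataclasses import dataclass, field
from email.utils import parseaddr

OWN_DOMAIN = "example-health.org"            # assumption: the protected organisation's domain
LURE_WORDS = ("urgent", "payment", "request")  # the subject words named in the report
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


@dataclass
class Message:
    from_header: str   # RFC 5322 "From:" value
    auth_results: str  # "Authentication-Results:" value as added by the receiving MTA
    subject: str
    body: str


@dataclass
class Finding:
    score: int = 0
    reasons: list = field(default_factory=list)


def header_domain(from_header):
    """Domain part of the visible From address, lower-cased ('' if none)."""
    _, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def auth_passed(auth_results, mechanism):
    """True if the Authentication-Results header records '<mechanism>=pass'."""
    m = re.search(rf"\b{mechanism}=(\w+)", auth_results, re.IGNORECASE)
    return bool(m) and m.group(1).lower() == "pass"


def is_own_domain_url(url):
    """True for links to the protected domain or any of its subdomains."""
    pattern = rf"https?://([^/]*\.)?{re.escape(OWN_DOMAIN)}(/|$)"
    return re.match(pattern, url, re.IGNORECASE) is not None


def triage(msg):
    """Score one message; higher means more of the report's warning signs present."""
    finding = Finding()

    # 1. Visible From claims our domain, but DMARC (which checks alignment of the
    #    From domain with SPF/DKIM) did not pass: the classic own-domain spoof.
    if header_domain(msg.from_header) == OWN_DOMAIN and not auth_passed(msg.auth_results, "dmarc"):
        finding.score += 50
        finding.reasons.append("From claims our domain but DMARC did not pass")

    # 2. Lure words in the subject line (whole-word, case-insensitive).
    hits = [w for w in LURE_WORDS if re.search(rf"\b{w}\b", msg.subject, re.IGNORECASE)]
    if hits:
        finding.score += 10 * len(hits)
        finding.reasons.append("lure words in subject: " + ", ".join(hits))

    # 3. Links to domains other than our own: the URL-based delivery the report
    #    says now dominates malware email.
    external = [u for u in URL_RE.findall(msg.body) if not is_own_domain_url(u)]
    if external:
        finding.score += 20
        finding.reasons.append(f"{len(external)} external link(s) in body")

    return finding


# Constructed sample messages (not real mail); run the file to see the scores.
SAMPLES = [
    Message('"Payroll" <hr@example-health.org>',
            "mx.example-health.org; spf=pass smtp.mailfrom=bulk-sender.example; "
            "dkim=none; dmarc=fail header.from=example-health.org",
            "URGENT: payment request",
            "Please review http://invoice-portal.example/login today."),
    Message("IT Helpdesk <it@example-health.org>",
            "mx.example-health.org; spf=pass; dkim=pass header.d=example-health.org; "
            "dmarc=pass header.from=example-health.org",
            "Maintenance window tonight",
            "Details at https://intranet.example-health.org/maintenance"),
    Message("Billing <billing@supplier.example>",
            "mx.example-health.org; spf=pass; dkim=pass; dmarc=pass",
            "Payment reminder",
            "Your statement is attached."),
]

if __name__ == "__main__":
    for m in SAMPLES:
        f = triage(m)
        print(f"{f.score:3d}  {m.subject!r}  {f.reasons}")
```

The scoring weights are arbitrary and belong in the gateway’s policy rather than in code; what matters is the order of the checks. The DMARC result is the only one of the three that proves the visible From domain was authorized, which is why it carries the most weight, while subject keywords alone (as in the legitimate supplier reminder) only raise a message for review.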

While spray and pray tactics are still used by cybercriminals to get their phishing emails and malware out to as many individuals as possible, many healthcare email attacks are much more targeted. Proofpoint analyzed email attacks at several healthcare organizations and found that some individuals are more targeted than others.

These “Very Attacked Persons” or VAPs include doctors/physicians, researchers, and admin staff at healthcare providers, customer support/sales staff, admin staff, and IT teams at health insurers, and executives, marketing employees, and logistics/sourcing and supply chain staff at pharma firms.

Shared email aliases used to request patient information or for patient portals received the most malicious emails. These email addresses have the potential to result in multiple malware infections and several responses to phishing emails.

Blocking these threats requires layered defenses. Anti-phishing and anti-malware solutions should be implemented to protect the email system, filtering controls are required to block web-based threats, anti-malware controls are required on endpoints, and employees must receive regular training to help them identify threats and condition them to take appropriate action when a suspicious email is received.

The post Report Reveals the Most Common Cyber Threats Faced by Healthcare Organizations appeared first on HIPAA Journal.