Proofpoint Discovers Common Threat Actors In Malware Campaigns Aimed At Aviation And Defense Targets

Researchers at Proofpoint have identified a single threat actor, which they have dubbed TA2541, behind a series of malware campaigns aimed at aviation and defense targets. According to Proofpoint's report, the group has been attacking organizations in several critical industries since 2017, using phishing emails to deliver cloud-hosted malware droppers.

Saryu Nayyar, CEO and Founder of Gurucul, had this to say:

“Volumetric phishing campaigns are playing the odds that at least one person will take the bait. That is really all it takes to compromise an organization. Once that initial compromise takes place, the threat actor uses dwell time and other techniques to maintain their presence and evade current XDR and SIEM tools as they spread their infection, look for critical data and eventually either exfiltrate data, detonate ransomware, or both. TA2541 is so confident in the lack of detection capabilities in current tools that all they do is tweak the phishing campaign, while barely touching commodity malware and previous techniques once inside. This shows that XDR and SIEM solutions are insufficient for preventing threat actor groups from successfully executing their attack campaigns. The only answer is more advanced analytics, behavioral baselining, and anomaly detection with a better understanding of users, access controls and entity activity. These promote the ability to automate detection before a security team has to sift through the huge volumes of data that they must parse and prioritize manually, despite most vendor claims. The proof is in the number of true, not rule-based, machine learning models that can adapt to changing tactics by threat actors to circumvent most other solutions.”

Your security shouldn’t be so weak that an attacker merely “playing the odds” with bulk phishing can get in and do damage. Companies need to up their game so that groups like TA2541 don’t have an easy time pwning anyone they take an interest in.

UPDATE: Chris Olson, CEO of The Media Trust, had this to say:

“TA2541 demonstrates a level of detail and personalization that is increasingly typical of threat actors in the digital space. After a lengthy research and reconnaissance phase, they craft professional and high-quality messaging based on the target’s industry, products and other criteria. In the past, one could often tell the difference between legitimate and fraudulent messaging by quality alone – but that is no longer the case.”

“This is particularly true across websites and mobile applications, where personalization and tracking features are increasingly weaponized to target victims based on granular data, which may include personal interests, search history and location. While today’s organizations often focus on email as the most dangerous channel for malware delivery, they should be paying close attention to their digital properties as well.”
