Forcepoint Appoints Chief Strategy and Trust Officer Myrna Soto

June 2, 2020

Myrna Soto brings more than 25 years’ experience in Information Technology and Security strategy and execution to help global enterprises optimize security as a business enabler in today’s modern cloud era

MUMBAI, INDIA/AUSTIN, Texas – June 2, 2020

Global cybersecurity leader Forcepoint today announced Myrna Soto has joined the company as Forcepoint’s inaugural Chief Strategy and Trust Officer. In this newly-created role, Soto will serve as a strategic business and technology driver of the company’s enterprise vision, strategy and programs to protect people, critical data and IP both within the company and for thousands of Forcepoint customers around the globe. As Chief Strategy and Trust Officer, Soto will also serve as a global leader and champion for both the development and execution of strategic initiatives that continue to propel Forcepoint forward as the industry leader for user and data protection worldwide and global enterprises’ trusted cybersecurity partner of choice. She will also sit on Forcepoint’s Security Council.

A security and information technology veteran having held senior leadership roles with many of the world’s most recognized brands, Soto brings more than 25 years’ experience to Forcepoint. Utilizing her experience as a transformational security and business leader at Fortune 500 companies including American Express, Comcast and MGM Resorts, Soto will serve as a trusted security and technology innovation partner to customers as they re-assess their security posture in today’s new business reality reliant on cloud-driven security solutions to protect the work-from-everywhere workforce. She will also partner cross-functionally with the company’s IT and engineering teams to act as a pathfinder and modern problem-solver for the organization. In this capacity she will help teams envision, strategize and execute programs that accelerate customers’ digital transformations with modern security architectures that optimize security as a business enabler.

“Today we are in a world irrevocably changed and businesses must embrace the new workforce reality ahead that takes security beyond the four walls of the office to a work-from-everywhere environment. Every company today needs to reassess their security posture in this new business reality now heavily reliant on SaaS applications and platforms to operate ‘business as usual’,” said Matthew Moynahan, CEO at Forcepoint. “As Chief Strategy and Trust Officer, Myrna brings to Forcepoint an inherent understanding of the challenges global enterprises face today and what it requires to be a security leader driving transformational change at scale. She will serve as a trusted partner to customers as well as a technology leader within the company partnering with R&D and engineering teams to align and accelerate Forcepoint’s roadmap strategy to address customers’ evolving security needs including product improvements and long-term innovation. I am excited to partner with Myrna to continue driving Forcepoint’s industry leadership forward and establish the company as global enterprises’ and government agencies’ most trusted cybersecurity partner for the modern cloud era.”

Soto joins Forcepoint from award-winning managed security service provider Digital Hands where she served as Chief Operating Officer. In this role she was a critical leader in securing the company’s first capital round of funding and building the company’s world-class leadership team. She also served as the senior business leader across the company’s Security Operations, Service Delivery, Sales, Customer Success, Marketing and HR functions. Prior to Digital Hands, Soto was a Partner at ForgePoint Capital (formerly known as Trident Capital Cybersecurity) and a member of the ForgePoint Capital Investment Team focused exclusively on investing in cybersecurity companies.

For nearly a decade Soto served as Corporate SVP & Global Chief Information Security Officer (GCISO) for Comcast Corporation. In this role, Soto led security and technology risk management for the Enterprise business responsible for aligning security initiatives with enterprise programs and business objectives across the company’s 54 business lines within the Comcast Portfolio to ensure information assets and technologies were protected across the global corporation. She has also held senior leadership roles at companies including MGM Resorts International (formerly known as MGM MIRAGE), American Express, Royal Caribbean Cruise Line, Norwegian Cruise Lines and Kemper Insurance.

Soto also serves on the Boards of CMS Energy/Consumers Energy (NYSE: CMS), Spirit Airlines (NYSE: SAVE) and Popular Inc., which operates under the brand names Banco Popular and Popular Bank (NASDAQ: BPOP). She is also recognized as a Governance and Board Leadership Fellow by the National Association of Corporate Directors.

“There has never been more of a driving impetus for enterprises to get cybersecurity right than this moment in time. The legacy approach to security building walls and moats isn’t an option. And current global events have businesses racing to secure today’s people perimeter where the line between home and work no longer exists,” said Soto. “A successful modern security approach requires businesses today to think about what data they own and how the compromise of that data could represent a material threat to their customers and to their business. It is extremely critical for organizations to have a formative plan in place to address the risks associated with a compromise. Forcepoint offers enterprises and government agencies a modern cybersecurity path forward that understands the constants in every security equation – people interacting with data. I look forward to helping drive forward the company’s cloud-first security vision and innovating new programs and services – such as Forcepoint Advantage that changes the game for security licensing models – that will revolutionize what cybersecurity will look like in the next five years.”

# # #

About Forcepoint

Forcepoint is the global human-centric cybersecurity company transforming the digital enterprise by continuously adapting security response to the dynamic risk posed by the behavior of individual users and machines. Forcepoint solutions deliver risk-adaptive protection to continuously ensure trusted use of data and systems. Based in Austin, Texas, Forcepoint protects users and data for thousands of enterprise and government customers in more than 150 countries. For more about Forcepoint, visit www.forcepoint.com.

Join Forcepoint on Social Media

Facebook: https://www.facebook.com/ForcepointLLC/

LinkedIn: https://www.linkedin.com/company/forcepoint

Twitter: https://www.twitter.com/forcepointsec

Instagram: https://www.instagram.com/forcepoint


CEOs Fear Becoming the Next Big Breach According to WSJ Intelligence and Forcepoint Survey

May 20, 2020

  • The C-Suite Report: The Current and Future State of Cybersecurity sponsored by Forcepoint reveals less than half of CEOs believe their business has an ongoing cybersecurity strategy in place
  • Geographic location influences how business and security leaders prioritize security for customer data versus organizational IP
  • Enterprises use more than 50 security vendors on average with 62% reporting they want even more

AUSTIN, Texas – May 19, 2020

Global cybersecurity leader Forcepoint, in partnership with WSJ Intelligence, today revealed The C-Suite Report: The Current and Future State of Cybersecurity featuring new research on global business leaders’ cybersecurity priorities as well as growing disparities in how CEOs and CISOs view the most effective cybersecurity path forward.

The global survey of 200 CEOs and CISOs from industries including Healthcare, Finance and Retail, among others, uncovered prominent cybersecurity stressors and areas of disconnect between business and security leaders, including the finding that fewer than half of CEO respondents have an ongoing cybersecurity strategy in place. The research also identified disparities between geographic regions on data protection, as well as a digital transformation dilemma in which increased technology capability arrives together with increased risk.

Key findings from The C-Suite Report: The Current and Future State of Cybersecurity:

  • Most leaders (76%) are losing sleep over the prospect of becoming the next headline-grabbing security breach
  • This is despite a high percentage (87%) believing that their security team is consistently ahead of cybersecurity threats
  • This disparity is compounded by a belief that senior leadership is cyber-aware and data-literate (89%) and focused on cybersecurity as a top organizational priority (93%)
  • Cybersecurity strategies are seen by 85% of executives as a major driver for digital transformation, yet 66% recognize the increased organizational exposure to cyber threats because of digitization
  • Only 46% of leaders regularly review their cybersecurity strategies

“When more than 89% of leaders believe their teams are more cyber-aware than ever, it’s not surprising to hear executives are losing sleep over their cybersecurity posture today because they know the stakes to their business are so high,” said Nicolas Fischbach, Global CTO at Forcepoint. “At a time when cybersecurity is more strategic to business growth than ever before, it is time senior business and security leaders reassess their cybersecurity strategy to one that enables them to move left of breach. Leader companies understand that behavior-based technologies are the modern cybersecurity path forward and those that get cybersecurity right today will see this be a key competitive differentiator for their business in the years ahead.”

Disparities Between CEOs, CISOs and Global Geographies

The C-Suite Report: The Current and Future State of Cybersecurity research spotlights the disparity in how enterprises across global geographies prioritize key elements of security. Protecting customer data is a resounding priority for leaders in the US (62%) and Europe (64%), while in Asia 61% of leaders prioritize protecting organizational IP over customer data. These results may be due in part to differing regulatory approaches to data and privacy protection, as well as recent legislation in Europe and the U.S. such as the EU’s GDPR and California’s CCPA.

There is also a clear divide between CEOs and CISOs in how they identify the right cybersecurity path forward for their business. CEOs prefer a proactive, risk-focused approach (58%), prioritizing business stability above all, while more than half of CISOs (54%) embrace a more reactive, incident-driven approach to mitigating today’s dynamic cybersecurity threat landscape.

The research also found that, despite claiming vendor fatigue, enterprises use more than 50 security vendors on average with 62% reporting they want even more. However, as more enterprises begin to embrace the cost savings and benefits of converged networking and security capabilities found in the emerging Secure Access Service Edge (SASE) security architecture approach the need for dozens of security vendors will abate over time.

Fischbach continued, “Companies leading on the cybersecurity front today are realistic about the risks they face and are prepared to prioritize security to protect the lifeblood of their business – which is customer data and organizational IP. And with today’s new way of working, getting this right within a remote work reality has never been more critical. Now is the time for all business and security leaders to recognize the business continuity actions they take now will determine whether they simply survive or thrive in today’s new business reality.”

About Forcepoint

Forcepoint is the global cybersecurity leader for user and data protection. Forcepoint’s behavior-based solutions adapt to risk in real-time and are delivered through a converged security platform that protects network users and cloud access, prevents confidential data from leaving the corporate network, and eliminates breaches caused by insiders. Based in Austin, Texas, Forcepoint creates safe, trusted environments for thousands of enterprise and government customers and their employees in more than 150 countries. www.forcepoint.com

# # #

About The C-Suite Report: The Current and Future State of Cybersecurity

Based on an online quantitative survey of 200 CEOs and 100 CISOs, conducted by WSJ Intelligence and sponsored by Forcepoint. Respondents from the U.S., U.K., France, Germany, India, Hong Kong, Singapore and Australia, representing industries including Life Sciences, Healthcare, Manufacturing, Finance, Transportation, Retail, Energy and Telecom, with an average company revenue of $10.4 billion. In field: November 6-26, 2019.

About WSJ Intelligence

WSJ Intelligence, a unit of The Wall Street Journal’s advertising department, conducts bespoke and secondary research for brands and client brands of The Wall Street Journal | Barron’s Group. Through rigorous analysis, WSJ Intelligence provides insights that are relevant, timely, and reliable. The Wall Street Journal news organization was not involved in the creation of this content.

Additional Resources

Watch the Webinar: The C-Suite Report: The Current and Future State of Cybersecurity with WSJ Intelligence and Forcepoint


Three-Month Trend Analysis: COVID and Coronavirus Themed Web and Email Traffic

April 28, 2020

INDIA – April 28, 2020

Forcepoint X-Labs is the custodian of threat and behavioral intelligence at Forcepoint. In analysing anonymized recent web and email traffic we have observed interesting trends generated by our global customer base. This analysis focussed on traffic relating to keywords of “Corona” and “COVID.” We share our observations below to show how the behavior of cybercriminals and your own people have changed in response to the situation in which we all now find ourselves.

Methodology

  • Web and email traffic processed by our Cloud Web Security and Cloud Email Security products was analysed to surface trends of the last 3 months (19 January 2020 to 18 April 2020 inclusive).
  • We sought the keywords COVID and Corona in URLs accessed directly over the Web or embedded within an email.
  • The analysis was applied to a global dataset of Forcepoint customers.
  • Data was anonymized (counts only, no attribution) to protect the privacy of our customers as per our approach to “Privacy-by-Design.”
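
As an added example (not Forcepoint’s own code, which this page does not show), the following Python sketches the methodology above: case-insensitive keyword matching on URLs requested over the web and on URLs embedded in email bodies, aggregated into per-day counts keyed by the gateway’s disposition, so that only counts (no hostnames, users or message contents) leave the aggregation function. The record shapes, hostnames and dates are constructed for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import date
from urllib.parse import urlsplit

# Keywords the analysis looked for in URLs. Substring match, lower-cased, so
# "coronavirus", "COVID19" and "covid-19" all count.
KEYWORDS = ("covid", "corona")
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

# Constructed sample records (the field layout is an assumption, not the
# product's export format).
WEB_LOG = [
    # date, requested URL, category assigned by the web gateway
    ("2020-03-16", "https://covid19-tracker.example.org/stats", "clean"),
    ("2020-03-16", "https://news.example.com/world/coronavirus-update", "clean"),
    ("2020-03-16", "http://coronavirus-relief-fund.example.xyz/login", "malicious"),
    ("2020-03-17", "https://intranet.example.com/hr/policy", "clean"),
    ("2020-03-17", "http://covid-map.example.icu/", "newly_registered"),
]
EMAIL_LOG = [
    # date, disposition from the email gateway, message body with embedded URLs
    ("2020-03-16", "spam", "Protect your family http://corona-masks.example.buzz/buy"),
    ("2020-03-16", "clean", "Team, see https://covid19-tracker.example.org/stats"),
    ("2020-03-17", "virus", "Invoice attached http://update.example.net/covid/1.php"),
    ("2020-03-17", "clean", "Lunch tomorrow? https://intranet.example.com/menu"),
]

def url_matches(url):
    """True if any keyword occurs in the URL's host, path or query (not the scheme)."""
    parts = urlsplit(url)
    haystack = (parts.netloc + parts.path + "?" + parts.query).lower()
    return any(k in haystack for k in KEYWORDS)

def daily_counts(web_log, email_log):
    """Aggregate keyword-matching traffic into counts only. Nothing identifying
    (hostname, user, message text) is retained: the privacy-by-design constraint."""
    counts = defaultdict(Counter)   # day -> Counter({"web:clean": n, ...})
    for day, url, category in web_log:
        if url_matches(url):
            counts[day]["web:" + category] += 1
    for day, disposition, body in email_log:
        # One matching embedded URL is enough to count the message once.
        if any(url_matches(u) for u in URL_RE.findall(body)):
            counts[day]["email:" + disposition] += 1
    return {day: dict(c) for day, c in counts.items()}

def weekend_share(counts):
    """Fraction of matched items that fell on a Saturday or Sunday. Active spam
    campaigns normally dip at weekends, so a high share is worth a second look."""
    total = weekend = 0
    for day, c in counts.items():
        n = sum(c.values())
        total += n
        if date.fromisoformat(day).weekday() >= 5:
            weekend += n
    return weekend / total if total else 0.0
```

Matching on the URL alone, as the methodology states, means a message whose only COVID reference is in its subject or body text is not counted; that is a deliberate scoping choice, not an oversight of the code.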

Highlights

  • The analysis shows that cyber criminals are opportunists seeking to piggyback on the public’s interest in COVID-19 and Coronavirus, as described in our March 2020 blog.
  • Brand new COVID and Coronavirus-themed websites have been registered and activated for both legitimate and illegitimate means.
  • Employees’ interest in COVID and Coronavirus-themed websites peaked in mid-March, correlating with the enactment of “lockdown” measures by governments around the world.
  • We saw a rise in unwanted emails (malicious, spam or phishing) containing embedded URLs using the keywords COVID or Corona, from negligible numbers in January 2020 to over half a million blocked per day from the end of March onwards.
  • Note the dip in activity at weekends as is usual with active spam campaigns.
  • An email security solution is an effective “first line of defence” against so-called blended threats (emails containing an embedded URL).

Website traffic

Categorisation of web traffic was achieved by our Cloud Web Security solution.

Observation 1 – Legitimate web traffic

From mid-January (the start of this reporting period) through to the end of February a steady undercurrent of browsing requests to legitimate COVID or Coronavirus-themed URLs was apparent. These requests relate to so-called COVID-19 tracking sites (sites set up specifically to share data points related to the pandemic) and news websites. During the first two weeks of March 2020 a significant rise (5 million+ categorisations) was observed that may correlate with the onset of lockdown procedures enacted by global governments and a move to remote working. A steady decline in activity was observed for the following three weeks, possibly relating to so-called “news fatigue” and gradual understanding of the “new normal.” Interest peaked again last week.

See Figure 1 below:


Figure 1: Web traffic to clean/legitimate COVID or Coronavirus-themed URLs (3-month period).

Observation 2 – Malicious web traffic

The chart below shows a steady increase in the number of COVID or Coronavirus-themed URLs categorized by Forcepoint as malicious from 9 March to the present date, with two spikes. As explained in the Highlights above cybercriminals have seen value in generating relevant looking, albeit nefarious, domains to encourage people to click on links in emails or generated by search.

See Figure 2 below:


Figure 2: Web traffic to malicious COVID or Coronavirus-themed URLs (3-month period).

Observation 3 – Newly registered domains

Employees browsed to newly registered COVID or Coronavirus-themed domains only a few hundred times per day over the three-month period. Such domains included so-called COVID trackers and newly registered news websites.

Spikes in browsing activity to such domains occurred at multiple times in March. One example of such a spike can be explained by interest in a legitimate Indian Covid-19 tracking site that correlated with an order prescribing lockdown in the country.

Note: In the figure below, we have not made a determination of whether the domain in question was malicious or legitimate.

See Figure 3 below:


Figure 3: Web traffic to websites categorized as Newly Registered Websites (3-month period).

Email traffic

Emails were classified as “clean,” “virus” or “spam” by our Cloud Email Security solution; this is the disposition our customers see in the product’s dashboard. During peak volumes, we identified 1.5 million COVID-related emails per day in total.

Observation 4 – legitimate email traffic

Employees at organisations around the globe have been sharing, and are in receipt of, legitimate emails containing COVID or Coronavirus-themed embedded URLs. Interest in such content began to rise noticeably in mid-March, hitting one million legitimate emails per day across our systems, and has remained phenomenally high since.

See Figure 4 below:


Figure 4: Legitimate emails containing COVID or Coronavirus-themed embedded URLs.

Observation 5 – spam emails

Spam emails containing COVID or Coronavirus-themed embedded URLs during January and February 2020 were observed in the tens of thousands per day. Scammers ramped up activity in mid-March as they made adjustments to existing spambots. Over half a million scams per day were blocked by Forcepoint X-Labs from mid-March onwards. Notice the decline in such sends during the Easter and Passover period.

See Figure 5 below:


Figure 5: Spam emails that included COVID or Coronavirus-themed embedded URLs.

Observation 6 – malicious email traffic

Traditionally, the number of malicious emails seen per day through Forcepoint Cloud Email Security is orders of magnitude lower than the number of spam emails observed, and the same holds for COVID and Coronavirus-themed malicious emails. Up until the week of 16 March the number of malicious emails containing embedded COVID and Coronavirus-themed URLs had not increased for the previous eight weeks. The week of 23 March saw the largest increase (358%) in such emails compared with the final working day of the previous week. The first week of April saw a significant decline, but the number of malicious emails has increased ever since.

See Figure 6 below:


Figure 6: 3-month trend of malicious emails with COVID or Coronavirus keyword in embedded URLs.

What other active mitigation methods are being deployed by Forcepoint X-Labs?

  • Forcepoint X-Labs consumes third-party feeds that cover new malware. We are adopting our usual approaches to validate and ingest those feeds as we see an uptick in COVID-specific malware now included in those feeds.
  • We are subscribed to the COVID19 Cyber Threat Coalition. This feed has recently been set up by the security industry to share threat telemetry across the community. Read more about that initiative here: https://www.cyberthreatcoalition.org/
  • We are working closely with our customers to increase coverage and understand novel ways that malware authors are operating with COVID and Coronavirus-themed attacks.
  • Forcepoint X-Labs operates a 24/7 team that monitors our detection and adds new detection rules as appropriate.
  • Indicators and trends gained from one product are used to enhance protection across the range of Forcepoint products, including behavioral analytics.

Conclusion

Cybercriminals have adapted to exploit the public’s interest in COVID-19 and Coronavirus. This should not come as a surprise to defenders of global organisations as we see this modus operandi on a daily basis. The email and web attack vectors remain key components in a cybercriminal’s arsenal. In response to global events we have also seen changes in the behavior of employees within organisations around the world as they respond to mandates set by government or their own employers.


New Appointments for Asia Pacific in Sales and Channel Leadership to Accelerate Adoption of Forcepoint’s Behaviour-Based Cloud Security Platform

April 2, 2020

Technology leaders to drive robust growth for the company and customers in the region

MUMBAI – April 2, 2020 – Global cybersecurity leader Forcepoint has announced three new appointments in strategy, sales and channel leadership for Asia Pacific (APAC):

  • Bjorn Engelhardt has joined as vice president of APAC sales
  • Talib Yousry is the new senior director of channels and alliances for APAC
  • Nick Savvides has joined as senior director of strategic business for APAC

Industry veteran Bjorn Engelhardt joins as vice president of APAC Sales

2020 will see Forcepoint extend its leadership in human-centric security as it delivers on its mission to be a trusted partner to enterprises and government agencies seeking a modern security-as-a-service model. Engelhardt’s role is critical in achieving this mission, as he takes on responsibility for accelerating sales through growth and expansion across the APAC market. He is based out of Forcepoint’s Singapore office and reports to Forcepoint Chief Revenue Officer (CRO), Kevin Isaac.

Engelhardt brings more than 30 years of leadership experience in the cybersecurity and application software industries to Forcepoint. Most recently, he was senior vice president of Asia Pacific and Japan at Symantec, where he oversaw Symantec Enterprise’s transition to Broadcom. Previous roles include senior leadership positions at Riverbed, Actifio and Citrix Systems.

Channel leader Talib Yousry to grow Forcepoint’s channel business and drive value for its partners in the APAC region

Yousry drives Forcepoint’s go-to-market strategy for partners, delivering greater business outcomes for enterprises through the company’s broad portfolio of cloud-first, behaviour-based security products. He also focuses on the growth of the channel business, driving value for the company’s partners in the region. Yousry is based in Forcepoint’s Singapore office and reports to Oni Chakravartti, Vice President, Global Channel Sales, Forcepoint.

Yousry joins Forcepoint from Pulse Secure, where he was director of channels, Asia Pacific and Japan (APJ), responsible for managing the company’s channel and distribution network of over 17 distributors and 400 resellers across APAC. He has 20 years of experience in sales and partner leadership roles in the APAC technology sector covering telecommunications and cybersecurity, including roles at Telstra BT, Alcatel-Lucent Enterprise and Cable & Wireless.

Nick Savvides joins as senior director of strategic business for APAC

Savvides’ remit includes growing the Forcepoint strategic business across the APAC region and working with Forcepoint’s key customers and partners to deliver innovative and transformational security projects, taking a human-centric approach. He is based in Forcepoint’s Sydney office and reports to Bjorn Engelhardt.

Savvides has a proven track record in delivering thought leadership and over-the-horizon guidance to CISOs, industry and analysts. Prior to joining Forcepoint, he spent 14 years at Symantec, most recently as Chief Technology Officer (CTO) for the APAC region. In this role, Savvides was responsible for the organisation’s portfolio strategy and innovation roadmap in APAC. He brings over 20 years of industry experience and previously worked for VeriSign and Melbourne University in various technology-related roles.

“The refreshed leadership team for the APAC region will bring new strength to what is already a highly talented group of cybersecurity professionals,” said Bjorn Engelhardt. “I’m confident that this leadership team will prove immensely helpful in scaling our business in the APAC region, and meet the growing demand for human-centric security solutions to enable our customers to derive the benefits of digital transformation.”

“As companies increasingly turn to cloud technologies and a flexible workforce to provide a path to the future, they face the continuous challenge of protecting their users and data everywhere. Forcepoint is committed to supporting customers throughout their digital transformation journeys. With this regional leadership group, we are demonstrating our continued investment in creating a unique behavior-based cloud security platform, allowing our customers to accelerate their business growth and meet their desired business outcomes,” said Kevin Isaac, CRO, Forcepoint.

About Forcepoint

Forcepoint is the global cybersecurity leader for user and data protection. Forcepoint’s behavior-based solutions adapt to risk in real-time and are delivered through a converged security platform that protects network users and cloud access, prevents confidential data from leaving the corporate network, and eliminates breaches caused by insiders. Based in Austin, Texas, Forcepoint creates safe, trusted environments for thousands of enterprise and government customers and their employees in more than 150 countries. For more about Forcepoint, visit www.forcepoint.com


Malware authors and scammers adapt to current events

March 30, 2020

By Carl Leonard, Principal Security Analyst, Forcepoint

Cyber criminals are opportunists who continuously evolve their methods of attack. As history has shown us, the greater the global visibility of an event – government elections, religious holidays or a global crisis such as the one we find ourselves in today – the more bad actors employ every tool in their arsenal to make the most of the attack opportunity it presents.

According to the World Health Organization, email attacks impersonating that organisation have increased two-fold since the beginning of March. And this is just one of many examples of current cyber-attacks posing as a trusted global organization, as every nation in the world is trying to manage through these unprecedented times.

Taking optimal advantage of world events, we are seeing trends of cyber attackers leaning into social-engineering that utilizes popular keywords – such as Coronavirus and COVID-19 – to execute online scams, phishing and malware attacks.

Following is an overview of recent global cyber-attack trends Forcepoint has been tracking to give you a view into what to look out for and how to protect yourself against impending cyber-attacks that take advantage of today’s global climate.

Standard Phishing

Phishing campaigns have one goal: tricking people into entering their personal details or valuable credentials into a fake application or a “legitimate” looking web site. Our first subject under analysis pretends to be a missed call about a COVID-19 update. The email contains no text in the message body, only an attachment with an .htm extension.

Figure 1 – Missed call email example


Upon a closer look, the attachment is indeed a simplistic HTML file with the sole purpose of directing people to a suspicious looking URL.

Figure 2 – HTML attachment of the missed call email

The window title displays “Fetching your audio file” while the web page is loading, and soon we find ourselves on a fake Outlook portal. The username is already pre-filled; only the password is waiting to be entered. Despite all the similarities we are not dealing with an official Outlook portal here: look at the strange URL in the HTML attachment, which already carries the victim’s email address. It is always recommended to double check the destination you land on before entering any sensitive data.

Figure 3 – Fake Outlook landing page with pre-filled username
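An added example, not code from the original post: a small Python analyser for an .htm attachment of the kind described above. It pulls every navigation target out of the file (meta refresh, JavaScript location assignments, form actions, anchors, iframes) and flags the two tells of the missed-call lure: a redirect to a host the organisation does not log in to, and the recipient’s own address carried in the URL so the fake portal can pre-fill it. The attachment body, the hostname and the `expected_domains` list are constructed for the example and are not the campaign’s real infrastructure.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit, unquote

# Constructed .htm attachment modelled on the "missed call" lure: a reassuring
# title, then a meta refresh and a script redirect to a page that carries the
# victim's address. Hostname and path are placeholders.
SAMPLE_HTM = """<html><head><title>Fetching your audio file</title>
<meta http-equiv="refresh" content="2; url=http://voicemail-portal.example.invalid/auth/?email=alice%40corp.example">
<script>window.location.href = "http://voicemail-portal.example.invalid/auth/#alice@corp.example";</script>
</head><body>Please wait...</body></html>"""

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# JavaScript redirects: window.location = "...", location.href = "...", location.replace("...")
JS_REDIRECT_RE = re.compile(
    r"(?:window\.)?location(?:\.href)?\s*(?:=\s*|\.replace\s*\(\s*)[\"']([^\"']+)[\"']")

class AttachmentParser(HTMLParser):
    def __init__(self):
        super().__init__()
        self.title = ""
        self._in_title = False
        self.targets = []      # every URL the page could send the user to

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "title":
            self._in_title = True
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            # content="N; url=http://..."
            m = re.search(r"url\s*=\s*(\S+)", a.get("content") or "", re.IGNORECASE)
            if m:
                self.targets.append(m.group(1).strip("'\""))
        elif tag == "form" and a.get("action"):
            self.targets.append(a["action"])
        elif tag == "a" and a.get("href"):
            self.targets.append(a["href"])
        elif tag == "iframe" and a.get("src"):
            self.targets.append(a["src"])

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data.strip()
        # <script> bodies arrive here as data; pull redirects out of them too.
        self.targets.extend(JS_REDIRECT_RE.findall(data))

def analyse_attachment(html, expected_domains=("corp.example",)):
    """Return the navigation targets and the reasons the attachment looks like a
    credential lure. expected_domains lists hosts the organisation really logs
    in to (an assumption for this example)."""
    p = AttachmentParser()
    p.feed(html)
    findings = []
    for url in p.targets:
        parts = urlsplit(url)
        if not parts.scheme:
            continue                       # relative links cannot leave the attachment
        host = parts.netloc.lower()
        if not any(host == d or host.endswith("." + d) for d in expected_domains):
            findings.append(f"external redirect to {host}")
        # Pre-filled identity in the query string or fragment (the Figure 3 trick)
        carried = EMAIL_RE.findall(unquote(parts.query)) + EMAIL_RE.findall(parts.fragment)
        if carried:
            findings.append(f"victim address carried in URL: {carried[0]}")
    if not p.targets:
        findings.append("no navigation targets found")
    return {"title": p.title, "targets": p.targets, "findings": sorted(set(findings))}
```

Run it over the attachment before anyone opens it in a browser; an attachment whose only purpose is to bounce the reader to an external login page carrying their address is a credential lure regardless of what the title says.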

Different flavors of traditional spam

Trading on people’s superstitions and fear is an old technique, especially in times when we are navigating through a serious global event with far reaching impact on communities all over the world. Official, semi-official and unofficial advice is coming from every possible direction – along with a number of hoaxes.


  • How to strengthen our immune system?
  • What steps to take to prevent infection?
  • What are the natural ways to defend ourselves?
  • Which are the best masks to wear when travelling?

Figure 4 – Example of Coronavirus related spam

Most of these are valid questions to raise, however answers can vary widely, and it is easy to heed fake advice. Some of the recent spam campaigns are particularly focused on this technique. They either contain links to shady web sites and services or encourage people to buy a specific product which is supposed to help protect against Coronavirus and COVID-19.

Figure 5 – Face mask advertisement spam

When in doubt, research similar goods from reputable websites and brands you have purchased from before. And, starting research through official global health sources such as WHO or CDC can also help with debunking what is real and what may actually be detrimental to your health.

Figure 6 – Example of Health Improvement spam

New pitch for existing malware families

The examples above are the lesser evils in terms of the harm they can cause. Our final subject, despite arguably looking the most authentic, takes the damage potential up a notch. The email targeted recipients in Italy at a time when the country’s reported cases were still rising. It encourages the opening of the attached document, which it presents as sent from the World Health Organization (WHO) with information covering all the necessary precautions against Coronavirus infection.

Figure 7 – Fake WHO precautions email targeted at Italians

Opening the attached Microsoft Word document displays the following screen, which asks the user to follow the steps to enable macros (unless the default macro security settings have already been changed).

Figure 8 – Malicious Word attachment asking for macros to be enabled

There are several macros in the document and they are also protected by a password to prevent editing. Fortunately, that can be worked around, so let’s have a look at the famous autoopen.

Figure 9 – Content of the autoopen macro

A routine named “DebugClassHandler” is defined in the autoopen macro, which Word runs automatically when the document is opened. Investigating it quickly reveals the dropping of two files: “errorfix.bat” and “Ranlsojf.jse”. The former is a standard batch file whose only job is to launch the latter with the help of Windows Script Host, the built-in interpreter for .jse (encoded JScript) files.

Figure 10 – Source code of DebugClassHandler

As expected, the dropped “Ranlsojf.jse” is indeed a script file, actually a complex and heavily obfuscated JavaScript. It is usually referred to as the Ostap downloader family which is known for its strong ties to TrickBot.

Figure 11 – Part of Ostap’s obfuscated JavaScript code

At the end of the execution the JavaScript code will reach out to a pre-defined C2 server for downloading further payloads. In our case it was a variant of the TrickBot infostealer malware.
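Added example, not part of the original analysis: detection logic for the execution chain just described (Word document, macro drops errorfix.bat and Ranlsojf.jse, the batch file launches the script, the script calls home). The rules assume the batch file runs under cmd.exe and the .jse under Windows Script Host (wscript.exe), which is how .bat and .jse files are handled by default; the process-creation events, PIDs and paths are constructed in the shape of Sysmon Event ID 1 records. All three rules fire on the chain before the C2 download happens.

```python
import ntpath

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS_AND_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXTS = (".jse", ".js", ".vbs", ".vbe", ".wsf")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")

# Constructed process-creation events for the described chain. PIDs, user name
# and file locations are invented; the dropped file names are the page's.
EVENTS = [
    {"pid": 700,  "ppid": 1,    "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"pid": 4120, "ppid": 700,  "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": r'"WINWORD.EXE" /n "C:\Users\mario\Downloads\WHO_precautions.doc"'},
    {"pid": 4188, "ppid": 4120, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\mario\AppData\Local\Temp\errorfix.bat"'},
    {"pid": 4210, "ppid": 4188, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\mario\AppData\Local\Temp\Ranlsojf.jse"'},
    # Benign control: a logon script launched by explorer from a read-only share.
    {"pid": 5100, "ppid": 700,  "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "\\corp.example\netlogon\mapdrives.vbs"'},
]

def basename(image):
    return ntpath.basename(image).lower()

def ancestors(by_pid, pid):
    """Image basenames from the process's parent up to the root (cycle-safe)."""
    chain, seen = [], set()
    ev = by_pid.get(pid)
    while ev and ev["ppid"] in by_pid and ev["ppid"] not in seen:
        seen.add(ev["ppid"])
        ev = by_pid[ev["ppid"]]
        chain.append(basename(ev["image"]))
    return chain

def detect(events):
    """Apply three rules to each process-creation event and return the alerts."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        name = basename(e["image"])
        cmd = e["cmdline"].lower()
        parents = ancestors(by_pid, e["pid"])
        rules = []
        # Rule 1: an Office application directly spawns a shell or script host.
        if name in SHELLS_AND_HOSTS and parents and parents[0] in OFFICE_APPS:
            rules.append("office_spawns_shell")
        # Rule 2: a script host runs a script file from a user-writable location.
        if name in SCRIPT_HOSTS and any(x in cmd for x in SCRIPT_EXTS) \
                and any(w in cmd for w in USER_WRITABLE):
            rules.append("script_host_runs_user_writable_script")
        # Rule 3: a script host has an Office application anywhere in its ancestry
        # (catches the cmd.exe hop that rule 1 would miss).
        if name in SCRIPT_HOSTS and any(p in OFFICE_APPS for p in parents):
            rules.append("script_host_descends_from_office")
        if rules:
            alerts.append({"pid": e["pid"], "image": name, "rules": rules,
                           "chain": " -> ".join(list(reversed(parents)) + [name])})
    return alerts
```

Rule 3 is the one that matters for this sample: the intermediate batch file means wscript.exe’s direct parent is cmd.exe, not Word, so a parent-only rule would see nothing unusual about the script host. The benign logon script from the read-only share produces no alert.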

Conclusion

Under an extended period of stress such as a world-wide pandemic, anxiety and desperation can make it easy to let one’s guard down when it comes to online threats. Cybercriminals exploit these moments by playing on fears in the hope that we will fall for their carefully crafted scams. Whenever emails related to real-life events are received, we must remain vigilant and take the time to consider their authenticity. By practicing security vigilance on a daily basis, we can mitigate the impact cyber attackers can have during global events because we’ll already be looking for their exploits.

Attacker tools, techniques and procedures remain largely the same; only the theme of the lure has changed to align with current events. If kept up to date, your web and email security stack should remain effective against these adjustments in the threat landscape.

Protection statement

Forcepoint customers are protected against this threat at the following stages of attack:

Stage 2 (Lure) – Malicious emails associated with these attacks are identified and blocked.

Stage 6 (Call Home) – Attempts to contact command-and-control servers are blocked.

IOCs

hxxps://cubanananananana.blob.core.windows[.]net/

hxxp://track.ljmzf[.]com/aff_c?offer_id=9801&aff_id=6258&aff_sub=SW16M

hxxps://offerhub[.]buzz/

hxxp://www.aloofdorm[.]icu/

hxxps://194.87.96[.]100/1/1.php
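
Added example (not Forcepoint’s tooling): refanging the indicators above and matching them against proxy logs. Domain-only indicators match the whole host, URL indicators match on host plus path prefix, and the host comparison is exact, so the Azure storage indicator does not flag every other `*.blob.core.windows.net` tenant. The proxy log lines are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Defanged indicators as published above (hxxp / [.] notation).
PUBLISHED_IOCS = [
    "hxxps://cubanananananana.blob.core.windows[.]net/",
    "hxxp://track.ljmzf[.]com/aff_c?offer_id=9801&aff_id=6258&aff_sub=SW16M",
    "hxxps://offerhub[.]buzz/",
    "hxxp://www.aloofdorm[.]icu/",
    "hxxps://194.87.96[.]100/1/1.php",
]

def refang(ioc):
    """Turn hxxp:// and [.] back into a real URL so it can be parsed."""
    s = ioc.strip()
    s = re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)
    return s.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")

def build_matchers(iocs):
    """Split each indicator into (host, path). A bare '/' path means the whole
    host is indicated; anything longer is matched as a path prefix."""
    matchers = []
    for ioc in iocs:
        u = urlsplit(refang(ioc))
        path = u.path or "/"
        if u.query:
            path += "?" + u.query
        matchers.append((u.hostname.lower(), path))
    return matchers

def match_url(url, matchers):
    """Return the indicator a visited URL hits, or None."""
    u = urlsplit(url)
    host = (u.hostname or "").lower()
    path = u.path or "/"
    if u.query:
        path += "?" + u.query
    for ioc_host, ioc_path in matchers:
        if host != ioc_host:
            continue            # exact host only: the parent domains are shared infrastructure
        if ioc_path == "/" or path.startswith(ioc_path):
            return ioc_host + ioc_path
    return None

# Constructed proxy log lines: "timestamp user url status".
PROXY_LOG = """\
2020-03-24T09:12:01Z alice http://www.aloofdorm.icu/ 200
2020-03-24T09:12:05Z alice https://194.87.96.100/1/1.php 200
2020-03-24T09:15:40Z bob https://otherapp.blob.core.windows.net/static/app.js 200
2020-03-24T09:16:02Z carol http://track.ljmzf.com/aff_c?offer_id=9801&aff_id=6258&aff_sub=SW16M 302
2020-03-24T09:20:11Z dave https://intranet.corp.example/ 200
"""

def scan_proxy_log(log_text, matchers):
    """Return (timestamp, user, indicator) for every log line that hits an IOC."""
    hits = []
    for line in log_text.splitlines():
        ts, user, url, status = line.split()
        ioc = match_url(url, matchers)
        if ioc:
            hits.append((ts, user, ioc))
    return hits
```

Two of the five indicators are full URLs rather than bare hosts; treating those as host-only matches would over-block (an entire tracking domain, a whole IP) while treating the host-only ones as exact-URL matches would under-block any other path on the same site, so the matcher keeps the distinction the published list makes.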

