A
This is Catalin Cimpanu and this is a Risky Business sponsored interview with Alex Orleans, head of Threat Intelligence at Sublime Security. Welcome, Alex.
B
Thanks so much. It's great to be here.
A
Alex, at Sublime you see a lot of email threats daily. But we're here to talk about a particular one, the use of Zoom video conferencing. There are two ways this is getting abused. First, I've seen threat actors lure victims to a legitimate Zoom meeting where they use various social engineering tactics to get victims to perform certain actions. And then we also have a trend where threat actors try to convince targets to install booby-trapped Zoom clients that deploy malware on their systems. So which one are you seeing more?
B
Right now we see a fair amount of both. And then there's also, I would say, a third category where there's an attempt in the email to credential harvest through landing pages that simulate Zoom updaters and needing to authorize the updater to install. So there's social engineering, there's the credential harvesting and there's the malware. But the one that's really interesting, and where we're seeing more innovation in terms of how attackers are changing their tactics and improving their tradecraft, is on the malware delivery side, where sometimes it's not even a backdoored installer, it's just a renamed installer for either a legitimately malicious payload or a repurposed legitimate binary that's functioning as malware in that particular operation.
A
Like RMMs, right?
B
Yeah, especially RMMs. One of the most common ones that I've seen here at Sublime, and also in the last couple of years across threat intel at various places, has been ScreenConnect, AnyDesk, things like that.
A
So why the spike? Is it because it's a new technique and people aren't prepared and fall for it, or is it because it's hard to detect from a cyber defensive perspective?
B
I think it's a little bit of both. I think it's more the idea that, you know, everyone's using Zoom more and more often, so you're more likely to end up with some sort of Zoom fatigue where you go a little bit blind to something showing up in your inbox that says, oh, it's a Zoom meeting, join here. Or sometimes we see it through calendar invites, which don't necessarily go through the inbox but can be silently pushed to your calendar. It's a different way of... we call it ICS phishing. A different way of pushing it in there. And in those cases you're taking advantage of the routine and the kind of mundane nature of it: everyone's used to clicking on a Zoom link. Or, depending on how the phish is phrased, it's an urgency thing. Hey, I need you to get on this call. Please get on this call. And that can take the form of different kinds of impersonation. On top of a false Zoom meeting, on top of impersonating Zoom, they're impersonating somebody who you would expect to be talking to you in the first place, be it a vendor or someone else in your company. So there's taking advantage of the current trend, but there's also the fact that, in terms of using RMMs rather than traditional malicious payloads that are more likely to get detected, you have a higher chance of evading detection, a higher chance of evading both email screening as well as EDR when getting that payload on.
A
Well, there goes one of my questions, because I wanted to mention the ICS phishing later on, because I thought that was going to be used for Zoom since it's the perfect delivery vector.
B
Oh, yeah. And I mean, with all of it, it's exploiting trust, right? You trust your calendar, you trust, normally, if you're just looking at the top line of an email, that this is from Dave Johnson in accounting. If you talk to Dave every day and suddenly you get a thing from Dave about a Zoom meeting, even if you're not going to inspect the email address, you might click it. Or if something from Dave shows up in your calendar and you didn't see the email, you're like, oh, whatever, I'll just join this call with Dave. And it's actually a date with ScreenConnect.
A
And the Zoom meeting doesn't work. And then you get instructions from a voice that looks like Dave, and then all of a sudden you follow those instructions. That's a perfect clue, right? Like, do you see something like this going on?
B
Yeah. So what we see increasingly is Zoom lures, and lures in general, that aren't just tailored to an organization but might be tailored to an individual. And this is part of how we are seeing both trend adoption by actors when deciding what to take advantage of inside victim environments and how users behave, but also how they're using AI to accelerate the attack lifecycle. So you can use AI now to rapidly increase the kind of research you do on a target before engaging in a spear phishing operation against an individual or a phishing campaign against a wider organization. Scraping social media, scraping web results to get data about who the organization does business with, what individuals in different companies or individuals across the business might be engaged with one another. LinkedIn's a really good data source for that. So you'll see the content of the fake Zoom meeting email will be tailored. You'll see potentially the fake Zoom meeting that you end up in, which won't be a Zoom meeting at all, it'll be something else. And that can be tailored. It can be tailored down to a real level of specificity to include, you know, it's not just Dave, you know, Marcy and Greg are here too. And you know, Marcy and Greg and the distorted voices in what you think is a Zoom call might even sound like Marcy and Greg if they've been able to find audio of these individuals, such as on YouTube or social media. So every step of the process, which gets longer and longer in order to make it feel more and more authentic, can both leverage AI and then be customized to really fool a specific user.
A
As an email security company, your window for detection is just at the start of these conversations. These longer attack chains, what are you doing exactly to detect them? Like, is this different from your normal procedures? You probably have to scan the email body for language clues that lure victims into these meetings. Like, you don't have to just scan the attachment as you used to before, right?
B
Yeah. So we do use AI-powered detection at multiple levels. We have both static and behavioral rules that our detection team develops from observing threat activity and keeping an eye on threat trends, which my team helps inform for them. And we also have ASA, our autonomous security analyst, that operates on a layer behind those rules to filter more dynamically. In this case, the top detection signals that we often see are: there'll be a start meeting button or a link somewhere in there, and the actual URL that we're able to pull out of that will be completely unrelated to official domains. So you'll think you're clicking on a Zoom link, but what ASA and what our rules are able to identify is that this link is actually going to a completely unrelated, unofficial domain that's just designed to look like that. It'll also analyze, you know, what kind of email account it's coming from, so if it's coming from a Gmail account rather than, you know, a corporate account, being able to flag if it's a free user service or if it's something that might be more authentic looking. And then generally also looking at URL path structures. So in some cases there'll be key phrases, such as maybe it'll specify an operating system like Windows or Mac in the URL string. That suggests maybe there's a targeted attempt here to focus on a specific set of operating systems, specific devices, for that given email. So when an email like this is flagged, it breaks that down for you. It breaks down the rules, it breaks down the reasoning, and then it provides an AI-written executive summary that talks about both. You know, okay, so here's brand impersonation, here's a deceptive subdomain, and builds out the arguments so that you could see in plain English exactly why it was flagged.
A
So, because the way you're doing it like this will also be able to detect attacks where the invite will come later on in an email chain. So, for example, like in the fifth email exchange between the two, right?
B
Yes, absolutely.
A
This would be ideal for targeted attacks, like, let's say, a more advanced financial threat actor or APT group.
B
No, no, absolutely. And you make a really good point that often, you know, it used to be with phishing, it would just be the first email, right? Or it would be, you know, just looking at the attachment, and that's how you would... The detection used to be simpler, and it used to be able to occur with higher fidelity earlier. Now there will be, you know, a long conversation, or they'll try to hijack an existing thread of conversation that's in your inbox in order to lend more authenticity and more realism to the conversation. And then they'll say, all right, let's do a Zoom call. Or can you join me on the Zoom call? This way we would be catching that. And there are also ways, even with those earlier messages, there are some rules and some features within ASA that can also potentially detect if you're dealing with suspicious emails that might be impersonating someone or attempting to hijack a thread, that might not even contain something as blatant as a malicious link to a fake Zoom.
A
So because you're also looking at the intent of the language, you can also detect, like, for example, attempts to move conversations to Telegram or WhatsApp and other instant messaging clients. Like, not necessarily just Zoom, right?
B
Yes, there is linguistic analysis as well as link analysis.
A
Okay, so how much of this trend is it actually focused on Zoom? Or do you see other, like, video conferencing software? Like, I presume Google Meet is also a big target, right?
B
Yeah, we also see Zoom and Google Meet are definitely at the top, but it's not limited to just those. I mean, you can see this for WebEx, you can see it for Microsoft Teams. You could potentially even see it with something like Slack, any way of moving the conversation to a different program that you could be tricked into downloading a fake installer for. There's a reasonable chance that actors are going to be doing it. But what we see the most of, I think, right now is definitely Zoom and Google Meets.
A
I don't know how much of the actual data you got to see about this trend, but I'm curious, from a customer perspective, what are the most common contexts you see this used in? Is it like stuff that targets particular enterprises or government agencies or stuff like that? Is it like, are most of these campaigns going after specific departments at companies or stuff like that? Is it a general trend that you can identify here?
B
One thing that I can say is that, you know, Zoom as a brand, you know, things that are directly trying to impersonate Zoom or Google Meets fall broadly under the idea of brand impersonation because they're attempting to impersonate a product that you're familiar with and probably trust. And we predominantly saw, in terms of phishing, brand impersonation especially being used against professional services entities, the education and nonprofit sector, as well as governments and the public sector. For us, that also blends into the other two categories of impersonation that we broadly track, which is employee, so peer to peer usually, or executive, which is top down, each of which has its own dynamics which are useful in targeting different sectors. Employee impersonation is most commonly found in real estate, hospitality and transportation, while executive is more commonly found in energy, financial services and technology. But in any of those situations, any of those types of communications can be a useful vector for delivering a fake Zoom meeting or a fake Google Meet meeting in order to raise the level of urgency to get someone to click, but also to capitalize on whatever inherent trust exists in peer to peer relationships, you know, leadership to individual contributor relationships, vendor to client relationships.
A
So basically, people that usually hang out in meetings are usually the one targeted.
B
I would say that people who are usually most attached to, who are engaged in comms with executives might not necessarily be targeted by this vector, but they might be more likely to see executive impersonation as part of a phish that they receive. It's all about the actor developing an understanding of who the target regularly communicates with, or likely communicates with based on what they're able to pull from open sources or other avenues of visibility, and then building something out that way.
A
You also said the most common goal of these attacks is to get customers to deploy malware on their systems, usually remote monitoring and management solutions. I don't know if you have the data to know what kind of attacks usually follow after that install.
B
So that's outside of our footprint. We're situated very firmly in the inbox. So what happens after that typically falls into where an EDR sensor would have visibility. Our goal is providing kind of left-of-intrusion prevention and left-of-intrusion visibility, and then building out a larger set of data around what we're seeing and where we think it's coming from in order to broaden our detection visibility, broaden both the rules that we're writing and what we're training ASA to flag on, in order to catch more bad before it can be clicked on.
A
So you mentioned AI and a lot of intrusion detection. Are you by any chance seeing this automated by a specific phishing platform or are you just seeing it from everywhere right now?
B
We're just seeing it kind of across the board. I haven't seen it linked to a specific phish kit, although I wouldn't be shocked if major phish kits started to develop modules along these lines.
A
Okay, Alex, that's a perfect way to end it then. Thank you very much.
B
Awesome. Thank you so much, Ryan. Have a great weekend.
Host: Catalin Cimpanu (Risky Business Media)
Guest: Alex Orleans, Head of Threat Intelligence, Sublime Security
Date: March 15, 2026
This episode dives deep into the surge of Zoom-themed email attacks observed by Sublime Security, with a particular focus on recent attacker innovations, the techniques used to exploit trust in video conferencing, and how defenders (especially email security companies) are adapting. Alex Orleans shares frontline insights into evolving threat vectors, from credential harvesting to the deployment of malware via booby-trapped installers, as well as the increased sophistication offered by attacker use of artificial intelligence.
Timestamp: 00:13 – 01:51
Attackers are leveraging Zoom in three primary ways:
"There's social engineering, there's the credential harvesting and there's the malware. But the one... where we're seeing more innovation... is on the malware delivery side..."
Increasing use of Remote Monitoring and Management tools (RMMs) like ScreenConnect and AnyDesk as malicious payloads, exploiting their legitimate appearance.
Timestamp: 01:51 – 03:24
"You have a higher chance of evading detection, higher chance of evading both email screening as well as EDR..."
Timestamp: 03:24 – 05:58
"...how they're using AI to accelerate attack lifecycle. So you can use AI now to rapidly increase the kind of research you do on a target before engaging in a spear phishing operation..."
Timestamp: 05:58 – 09:29
Multi-layered Detection: Uses both static and behavioral rules, alongside their AI analyst (ASA).
Analyzing URLs and Sender Details: flags "start meeting" links whose real URL resolves to a domain unrelated to the impersonated brand, senders on free mail services rather than corporate accounts, and URL path strings that name a target operating system (Windows, Mac).
Executive Summaries: ASA provides plain-English explanations on detections, aiding user and analyst understanding.
"...an AI written executive summary... talks about both... brand impersonation, here's a deceptive subdomain, and builds out the arguments that you could see in plain English exactly why it was flagged."
Contextual & Linguistic Analysis: Able to catch later-stage lures (e.g., after multiple back-and-forth emails) and detect attempts to move conversations to other platforms (Telegram, WhatsApp, etc.).
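The link, sender and URL-path signals summarized above, as an added example (not Sublime's code): a small analyzer that pulls anchor links out of a message body and reports which of those signals fire. The official-domain list, free-mail list and OS keyword list are illustrative assumptions, and the sample lure is constructed.

```python
"""Fake-meeting lure heuristics modelled on the detection signals described in the
interview. Added example, not Sublime Security's code; all lists are illustrative."""
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: official domains per impersonated brand (not exhaustive)
OFFICIAL = {
    "zoom": {"zoom.us", "zoom.com"},
    "google meet": {"meet.google.com", "google.com"},
}
FREE_MAIL = {"gmail.com", "outlook.com", "yahoo.com", "proton.me"}   # assumption
OS_HINTS = {"windows", "win64", "win32", "mac", "macos", "darwin"}    # assumption
LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def host_in(host, domains):
    """True if host is one of the domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


def analyze(sender, html):
    """Return the detection signals for one message as (signal, detail) tuples."""
    signals = []
    _, addr = parseaddr(sender)
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    if sender_domain in FREE_MAIL:
        signals.append(("free_mail_sender", sender_domain))
    for href, text in LINK_RE.findall(html):
        label = re.sub(r"<[^>]+>", "", text).strip().lower()
        url = urlparse(href)
        host = (url.hostname or "").lower()
        # Brand named in the link text or hostname, but host is not an official domain
        for brand, domains in OFFICIAL.items():
            mentioned = brand in label or brand.split()[0] in host
            if mentioned and not host_in(host, domains):
                signals.append(("brand_domain_mismatch", f"{brand}: {host}"))
        # A "join/start meeting" call to action that leads off every known brand domain
        if re.search(r"\b(join|start)\b.*\bmeeting\b", label) and not any(
            host_in(host, d) for d in OFFICIAL.values()
        ):
            signals.append(("meeting_cta_offbrand", host))
        # OS names in the path or query suggest a device-targeted payload
        tokens = set(re.split(r"[/._?=&-]+", (url.path + "?" + url.query).lower()))
        if tokens & OS_HINTS:
            signals.append(("os_targeted_path", ",".join(sorted(tokens & OS_HINTS))))
    return signals


# Constructed sample lure, not a real message
SAMPLE_SENDER = "Dave Johnson <dave.johnson.acct@gmail.com>"
SAMPLE_HTML = ('<p>Quick sync on the invoice?</p>'
               '<a href="https://zoom-us-client.example/download/win64/ZoomInstaller">'
               'Start Zoom Meeting</a>')

if __name__ == "__main__":
    for signal, detail in analyze(SAMPLE_SENDER, SAMPLE_HTML):
        print(signal, detail)
```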
Timestamp: 09:45 – 10:23
"...any way of moving the conversation to a different program that you could be tricked into downloading a fake installer for..."
Timestamp: 10:23 – 12:50
"It's all about the actor developing an understanding of who the target regularly communicates with..."
Timestamp: 12:50 – 13:44
"...our goal is providing kind of left of intrusion prevention and left of intrusion visibility..."
Timestamp: 13:44 – 14:05
On AI-Powered Social Engineering
[04:18 – Alex Orleans]:
"What you think is a Zoom call might even sound like Marcy and Greg if they've been able to find audio of these individuals, such as on YouTube or social media."
On Importance of Brand Impersonation
[10:50 – Alex Orleans]:
"...things that are directly trying to impersonate Zoom or Google Meets fall broadly under the idea of brand impersonation because they're attempting to impersonate a product that you're familiar with and probably trust."
On Evolving Detection Techniques
[08:27 – Catalin Cimpanu]:
"This would be ideal for targeted attacks, like, let's say, a more advanced financial threat actor or APT group."
For a detailed look at how modern email security vendors adapt to evolving phishing threats leveraging Zoom and similar tools, and to hear more about the interplay between attacker and defender innovation, especially in the era of AI, this episode is a must.
For further insights and current cybersecurity threat trends, tune in to Risky Bulletin weekly.