By Talos Group
Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between Aug. 2 and Aug. 9. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.
As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.
Read More
Reference:
TRU08092019 – This is a JSON file that includes the IOCs referenced in this post, as well as all hashes associated with the cluster. The list is limited to 25 hashes in this blog post. As always, please remember that all IOCs contained in this document are indicators, and that one single IOC does not indicate maliciousness. See the Read More link above for more details.

Source:: Cisco Security Notice

Source:: Innovaphone

Heben Sie die Sicherheit Ihres Unternehmens auf eine neue Stufe.

Beim Oberberg-Online Business-Frühstück am 11.09.2019 zeigen wir Ihnen mit unserem Partner G DATA, wie Sie Ihr Team mit den laufend aktualisierten Awareness-Trainings sensibilisieren, ohne dass sie Ihr tägliches Geschäft dauerhaft beeinträchtigen müssen.

Mit kurzen Online-Lektionen und -fragen lenken wir die Aufmerksamkeit Ihrer Mitarbeiter auf aktuelle Gefahren und Angriffsmöglichkeiten, damit im Ernstfall ein Schaden möglichst vermieden werden kann.

Bei frischem Kaffee und knusprigen Brötchen haben Sie die Gelegenheit, sich mit Kollegen aus anderen Unternehmen auszutauschen und erfahren in knapp 90 Minuten, wie Sie Ihr Team zur besten Firewall des Unternehmens machen können.

Die Plätze sind begrenzt, also zögern Sie nicht und melden sich jetzt an unter vertrieb@oberberg.net

Die Veranstaltung findet am 11.09.2019 um 09:00 Uhr in unseren Geschäftsräumen statt. Parkplätze sind vorhanden.

Wir freuen uns auf Ihre Teilnahme.

Daniel Wenzlau
02261 9155054
wenzlau@oberberg.net
DSC_2012 klein
Frank Erlinghagen
02261 9155055
erlinghagen@oberberg.net
DSC_2022 klein
Jörg Wegner
02261 9155052
wegner@oberberg.net

By Andrew Turner In my last blog, I examined the state of cybercrime, fraud, and the losses associated with it. It was also in that blog that I brought up a particular threat that has caused more than $1 billion dollars in losses last year and shows no signs of slowing down. So, what is this increasingly expensive and evolving threat? Ransomware? Insider Threats? Nation-State Attacks?
Email.
That’s right, the technology that was new and exciting in the 1990s that has now become a standard part of our day-to-day lives. But cybercrime is a business, and when you can make this much money this easily why would you change? After all, every business has email so there’s no need to research if your potential victim is susceptible to the threat vector. In many ways, it’s the most ubiquitous of all potential attacks (except for DNS, as it’s so widely deployed). This is in part, one of the reasons email attacks remain an evergreen source of profit for cybercriminals.
After all, when there are so many new technologies, techniques, and threats rolling out onto the enterprise from shiny new areas like cloud and IoT, who wants to focus on the more mundane things like email? And yet, we continue to see threat actors target this legacy attack vector, with the FBI estimating losses of $1.4 billion in 2018 alone!
So now that we’re aware of how big of a target and money maker email is for cybercriminals, what do we do to defend ourselves? Well, it all starts with a shield dropped in front of your email in the form of the Secure Email Gateway (SEG). This shield helps identify and protect against phishing, ransomware, and fraud, as well as the classic spam and graymail.
Now some of you may have had SEGs deployed in the past and have since moved to a cloud email provider. As a result, you might think you don’t need them anymore. In fact, the 2019 CISO benchmark study showed the number of people using email security declined from 56% to 41% within the last 5 years. And this is a good example of where a lack of focus on current and continuing threat from email can be an issue. With any solution in the cloud, email or otherwise, it is important to bear in mind what the roles and responsibilities of the cloud provider and you, as the customer are. In a large number of cases, the cloud provider’s primary focus is on the scalability and availability of the platform, followed by the security of the platform and the infrastructure itself to ensure there are no breaches between tenants. The actual security of the customer data being held in the cloud remains a tertiary or in some cases unimportant concern for the cloud provider.
After all, we have all seen many examples of cloud databases or other sensitive customer data stores that have been left wide open because of enterprises failing to understand what the responsibility of the cloud provider is and what is their responsibility. As an example, GrayhatWarfare built a searchable database in 2018 of open S3 buckets that has already grown from its original number of 48,623 to 90,523!
Furthermore, our adversaries are continuing to ramp up their efforts. In the latest Cisco Cybersecurity Report, Talos threat researchers discovered that the number of new phishing domains has increased 64% from January through March 2019. It’s critical that if you are going to take advantage of the benefits of cloud email that you fully and completely understand what exactly you are getting in terms of security for your actual users. Ask difficult questions of your providers, do not accept vague assurances, and conduct detailed proof testing as you would for any other procurement decision. Remember that it is perfectly possible to move to a cloud email solution and also deploy additional SEGs to protect it. It’s not an either/or deployment model and you should evaluate your defense strategy on that basis. In a 2018 ESG study on email, 43% of existing cloud email users said they felt they needed to add supplementary security controls from a third-party.
In fact, Cisco’s email solutions have been designed from the ground up to be flexible in their deployment. Whether your needs are for an on-premise SEG, a cloud-based email solution, or to augment your existing cloud email providers security, the Cisco Email Security portfolio has you covered. This flexibility was just recognized in the recent Forrester wave report that called out this exact point when mentioning Cisco as a leader in securing email.
Furthermore, we recognize the challenges around understanding the effectiveness of your existing email solutions and have endeavored to make it easy for you to work with our technology and people to quantify your current solution’s capabilities and its risk. After all, as Sun Tzu said the 6th century BC, “If you know yourself and you know the enemy, you need not fear the result of a hundred battles.” As true then as it is now for a company running a 90’s era technology like email alongside more modern-day network innovations like the cloud!
It is the realities of such hybrid technology deployments that drive us to leverage the latest developments within the email portfolio. Whether it’s encryption technologies such as DANE, spoofing protection from SPF/DMARC, or leveraging machine learning and artificial intelligence to prevent advanced phishing, Cisco is committed to meeting the challenge of securing email for today and the future.
In the next blog I’ll be going through some of these technologies and how they protect you, your employees, and your business. And if you’re looking for further reading on some of the latest attack techniques and trends associated with email security, I recommend you read the latest Email Cybersecurity Report.
Did this post resonate with you? Did your organization migrate to the cloud fully aware of the security capabilities within your solution? I welcome your comments below.

Source:: Cisco Security Notice

By Jessica Bair Security Operations Center at RSAC APJ 2019
For the 3rd year, RSAConference 2019 APJ created an educational exhibit, sponsored by RSA, Cisco and M.Tech, to monitor the RSA Conference public Wi-Fi network provided by the Marina Bay Sands (MBS). This exhibit was created in the form of the RSA Conference Security Operations Center (SOC). RSA and Cisco provided technology and staffing to monitor the network for threats, but also to educate attendees on the risks of free Wi-Fi.
What is the difference between a SOC and a NOC?
Network Operations CenterThe NOC is usually responsible for monitoring and maintaining the overall network infrastructure—its primary function is to ensure uninterrupted network service
Security Operations CenterThe SOC is responsible for protecting networks, as well as web sites, applications, databases, servers and data centers and other technologies
RSA and Cisco provided the SOC. The NOC was provided by the MBS.
The mission of the RSAC SOC was to ensure the conference Wi-Fi is not attacked (denial of service, laterally spreading malware, etc.). We did not block malicious DNS traffic, downloads or attachments; as this was a learning and demonstration environment. We make sure that network is protected from attackers. We locate (when we can) and advise users when they are at risk.
What technology is in the RSAC SOC?
MBS provided the RSAC SOC a span of all network traffic from the .RSACONFERENCE network, which was passed through the Cisco Next Generation Firewall / ISP and then split the traffic to NetWitness Packets NetWitness Packets and the Cisco Stealthwatch teams.
RSA used NetWitness Packets to collect and investigate all traffic on the Wi-Fi network, from the firewall; to detect deviations from normal behavior and create a probability-weighted risk score for alerts based on these results. NetWitness inspects every network packet session for threat indicators at time of collection and enriches this data with threat intelligence and business context. At the end of the conference, all of this data was wiped from NetWitness.
For suspicious files that might be malicious, NetWitness Packets checks a community AV lookup, some static analysis and its own network intelligence. Then NetWitness Malware Analysis sends the files to Cisco Threat Grid for dynamic malware analysis.
Threat Grid combines advanced sandboxing with threat intelligence into one unified solution to protect organizations from malware. Threat Grid analyzes the behavior of a file against millions of samples and billions of malware artifacts. The SOC team had a global and historical view of the malware, what it’s doing and how large a threat it posed to the RSAC network.
Threat Grid identifies key behavioral indicators of malware and their associated campaigns. The SOC team was able to save time by quickly prioritizing attacks with the biggest potential impact. We used tools like Glovebox, to safely interact with samples and observe malware behavior directly. In addition, we used Cisco Umbrella to have visibility in all DNS activity. We also used the Threat Intelligence of Cisco Threat Response and Talos Intelligence.
When the Cisco team found a potential threat, they handed it off to the RSA team for further investigation. In summary, the technology stack was:
Firewall – Cisco Next Generation Firewall with IPS
Full Packet Capture and Investigation – RSA NetWitness Packets
Dynamic File Analysis – Cisco Threat Grid
DNS / IP Intelligence – Cisco Umbrella / Cisco Umbrella Investigate
Encrypted Traffic Analytics – Cisco Stealthwatch
Threat Intelligence – Cisco Threat Response / Talos Intelligence
Perimeter Defences: Stopping Threats That Matter
Cisco’s Next-Generation Firewall running Firepower Threat Defence (FTD) software was set up as the perimeter security device. The firewall inspected all wireless guest traffic from event attendees, configured in monitor-only mode. FTD offers breach detection, threat discovery and security automation. Rich contextual information (such as Applications, Operating Systems, Vulnerabilities, Intrusions, and Transferred Files) served the SOC to help uncover threats lurking in the environment.
Discovered Applications

Discovered Files

Intrusion Information

During the conference, several intrusion events were recorded by FTD. Automated event analysis correlated threat events with contextual endpoint data, to identify IPS events that require immediate investigation. Whenever a working exploit targeted a vulnerable host on the guest network, an Impact 1 event was raised. For the SOC, that helped cut through the noise and focus attention to save previous time.
Multiple events were categorized as high priority.

One of the Impact Flag 1 events shown below, signalling about suspicious .bit query going over DNS, and associated with a Network Trojan.

The FTD would drop this communication, if it were in a production environment and configured in the active blocking mode. Reviewing the host profile, we confirmed that the target host had a large number of high-severity vulnerabilities associated with unpatched software versions. It may have been infected by malware attempting to control it remotely.

When you request a .jpg and get ransomware
On the first day of the Conference, the SOC team observed a .JPG file served to a conference attendee who connected to a website. The .JPG file was extracted by NetWitness and found to actually have a file header of MZ, used for executables.

Since it was an executable, it was automatically sent for analysis. The static analysis had a score of 0 and 50 from the RSA Malware Analysis Community lookup, meaning it had never been detected by dozens of AV vendors.
The Dynamic Analysis/Sandbox score from Threat Grid was 100, meaning confirmed malicious based on behavior. The team went into action to assess the threat.

The supposed .JPG file was assigned a Threat Score of 100 for the Behavior of Troldesh Ransomware Detected. Troldesh, also known as Shade, is a Russian-targeted Ransomware variant written in Visual Basic. It will encrypt user files and request a ransom to be delivered after contacting a supplied e-mail address. All encrypted files will have an .xtbl extension appended to them.

We also noted the sample attempted to hide itself as a Windows system file, opened up a Personal VPN – Proxy/Anonymizer and wrote files to a USB drive.

We pivoted to Threat Response to learn more and determine if it had been seen before.

With Threat Response we were able to have a global view of the file, that it was first seen November 2018. In a production environment, this threat intelligence would have blocked the file on all integrated Cisco Security platforms.

The NetWitness team investigated the machine that requested the .jpg and confirmed it downloaded other suspicious files.

One of those was titled Memorandum of Sale, but also was an executable that attempts to steal Firefox passwords.

Phishing attack
We also saw a phishing attack, masquerading as a banking email. NetWitness reconstructed the email and sent the attachments to Threat Grid for analysis.

The Payment Advice attachment was actually the LokiBot malware.

Standing up a malicious domain for 24 hours
On the first day of the conference, we noticed some suspicious DNS traffic in Umbrella to a newly created domain. The requests happened throughout the day.

We moved to Umbrella Investigate to learn more and confirmed the sudden malicious activity of 0 DNS requests to over 120,000 global requests.

The requests spiked to 151,000 over the 24-hour period and then they stopped, globally.

We could see the domain was registered in Russia and the distribution of the requesters.

Looking at the NetWitness logs, we could see all requests from RSAC came from Android devices.
Outbound traffic for hostname rousema[.]com [208.67.220.220] we can see 13 sessions from 10:50 AM – 16:50 PM SGT Tues 16th/Jul.

service type UDP DNS & HTTPS

This is originating from 3 IPs

10.10.1.143 Android 9 Samsung Phone sm-g955f running dalvik/2.1.0, Samsung M1client daylite/3.0.05.9 & x86_64 Linux – 11:06 AM SGT – 15:23 PM – (All traffic from IP from 10:31 AM – 16:59 PM)

10.10.5.9 Android 7.0 Phone trt-l21a running dalvik/2.1.0 & Android 2.2 – 10:50 AM SGT – 17:06 PM – (All traffic from IP from 10:51 AM – 23:19 PM)

10.10.2.31 x86_64 Linux & Android 9 Samsung Phone sm-n950f running dalvik/2.1.0(13:12 AM SGT – 13:12 PM – (All traffic from IP from 10:31 AM – 14:16 PM)

Dalvik is the discontinued process Virtual Machine in Android 4.4 and earlier
It was a textbook example of a temporary domain infrastructure that would be blocked in a production environment.

Overall, we saw over 5m DNS requests during RSAC APJ. A couple of thousand would have been blocked in a production environment.
We were also able to have visibility in the 2,001 apps that had DNS activity during the conference.

Stealthwatch brings additional network visibility
Stealthwatch detected insider threat activities like Command & Control activity and Data Exfiltration just over the baseline period of two days, indicating potential threats on the network.

The solution with its unique ability to look at encrypted traffic without decryption, also detected users with unknown TLS version.

Now we can extend this comprehensive visibility to cloud networks as well with an offering called Stealthwatch Cloud.

You can checkout the RSAC USA 2019 SOC Report in comparison.
Come visit us in the Black Hat USA 2019 NOC, 3-8 August 2019.

Acknowledgements
Thank you to Terence Tang, Michael Auger, Evgeny Mirolyubov, Sabiha Rouksana Hashmat Mohideen Pasha and Chong Chee Chua and Cisco Security, who contributed to this blog. Also, our deepest appreciation to our RSA Security partners, especially Chris Thomas, Percy Tucker, Lee McCotter and Mohammed Behlim.

Source:: Cisco Security Notice

By Talos Group
Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between July 26 and Aug. 2. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.
As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.
Read More >>
Reference:
TRU08022019 – This is a JSON file that includes the IOCs referenced in this post, as well as all hashes associated with the cluster. The list is limited to 25 hashes in this blog post. As always, please remember that all IOCs contained in this document are indicators, and that one single IOC does not indicate maliciousness. See the Read More link above for more details.

Source:: Cisco Security Notice

Oberberg-Online unterstreicht das Engagement im Schul- und Weiterbildungssegment und erneuert die Zulassung als offizieller Microsoft Authorized Education Partner 2019/2020.

Das ermöglicht allen Bildungseinrichtungen den Einsatz von Microsoft-Produkten zu interessanten Konditionen.

Neben Microsoft-Lösungen bieten wir Schulen auch spezielle Educational-Konditionen für unsere Herstellerpartner Wortmann, G DATA, seventythree networks.

Leistungsfähige und sichere WLAN-Infrastrukturen bieten wir im Rahmen des DigitalPakt Schule ebenso an, wie Service-Pakete zur IT-Wartung.

Sprechen Sie uns gerne an:

Daniel Wenzlau
02261 9155054
wenzlau@oberberg.net
DSC_2012 klein
Frank Erlinghagen
02261 9155055
erlinghagen@oberberg.net
DSC_2022 klein
Jörg Wegner
02261 9155052
wegner@oberberg.net