Archiv für das Monat: September, 2019
Kaum bei uns angekommen und schon den ersten Zertifizierungslehrgang erfolgreich bestanden. So kann man starten, oder?Glückwunsch zum Bestehen des innovaphone Technician Connect.
Zur Freude der Kollegen spielt Efrem an der Konsole im Team X-BOX. In der Freizeit testet er gerne gemeinsam mit seiner Freundin die unterschiedlichsten Restaurants und hält sich auch privat in Sachen PC-Systeme auf dem aktuellsten Stand.
Schön, dass Du an Bord bis, Efrem.
By Talos Group
Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between Sep. 6. to Sep 13. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.
As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.
Read More
Reference:
TRU09132019 – This is a JSON file that includes the IOCs referenced in this post, as well as all hashes associated with the cluster. The list is limited to 25 hashes in this blog post. As always, please remember that all IOCs contained in this document are indicators, and that one single IOC does not indicate maliciousness. See the Read More link above for more details.
Source:: Cisco Security Notice
By Jessica Bair Download the app for faster, more effective threat detection and response
Two years ago, Cisco and IBM Security announced a strategic alliance to address the growing threat of cybercrime. This collaboration builds on each organization’s strengths and complementary offerings to provide integrated solutions, managed services and shared threat intelligence to drive more effective security for our joint customers. We continue to develop new applications for IBM’s QRadar security analytics platform and the Cisco Threat Grid app for QRadar with DSM was just released.
Cisco’s Threat Grid App integrates with IBM’s QRadar SIEM, enabling analysts to quickly identify, understand and respond to system threats rapidly through the QRadar dashboard. Downloadable via the IBM Security App Exchange, this powerful app combines advanced sandboxing, malware analysis and threat intelligence in one unified solution.
Threat Grid + QRadar enables analysts to quickly determine the behavior of possible malicious files, which have been submitted to Threat Grid, and rapidly drill down from QRadar into the Threat Grid unified malware analysis and threat intelligence platform, for deeper insight. This integration expedites the threat investigation process, with a dashboard view into the highest priority threats, delivered directly through QRadar versus having to pivot on disparate tools and interfaces.
Detailed results from the sandbox analysis of Threat Grid can be aggregated by QRadar to determine whether the potential threats within the organization are malicious or benign. Malware samples are then assigned a Threat Score, and displayed by hash value and the user which submitted the sample.
This information displayed on the Threat Grid dashboard can be used to quickly resolve threats detected by QRadar. This results in improved efficiency and optimization for security analysts, by quickly identifying the top priorities for threat investigation.
With the QRadar DSM capabilities, you can see the analysis results over time.
Also, under Log Activity, for suspicious IP addresses, you can use the right-click to see instant contextual threat intelligence from Threat Grid.
Threat Grid also integrates with IBM Resilient Incident Response Platform (IRP) for automated response and X-Force Exchange for even greater threat intelligence enrichment. For example, analysts in the IRP can look up Indicators of Compromise (IoC) with Cisco Threat Grid’s threat intelligence, or detonate suspected malware with its sandbox technology. This empowers security teams to gain valuable incident data in the moment of response.
These technology integrations between Cisco Security and IBM Security enables a more extensive security architecture for greater speed and efficiency in identifying, investigating, and remediating threats. Together, we deliver the intelligence, automation and analytics required to provide data and insights that today’s security practitioners require.
Please visit the Cisco and IBM page for the latest information about our partnership, and the Cisco Marketplace for details of the IBM integrations.
Note: Version 1.0.0 of the app has a coding error that limits its compatibility to the Threat Grid US Cloud. A fix for support of the Threat Grid European cloud and appliance are in validation testing with IBM.
Source:: Cisco Security Notice
By Talos Group By Luke DuCharme and Paul Lee.
What Happened?
Cisco Incident Response (CSIRS) recently responded to an incident involving the Watchbog cryptomining botnet. The attackers were able to exploit CVE-2018-1000861 to gain a foothold and install the Watchbog malware on the affected systems.
This Linux-based malware relied heavily on Pastebin for command and control (C2) and operated openly. CSIRS gained an accurate understanding of the attacker’s intentions and abilities on a customer’s network by analyzing the various Pastebins. As the investigation progressed, CSIRS identified and de-obfuscated multiple pastes using artifacts left on compromised hosts.
There were some attempts at obfuscation, such as base64 encoding URLs and Pastebins, but the attack was still relatively simple to uncover – this attacker did not practice particularly strong operational security.
The attackers behind Watchbog claimed to be providing a service by identifying security vulnerabilities and aiding the organization by exploiting said weaknesses before any “real” hackers could do so. During the investigation, Cisco IR found signs of hosts becoming a part of a separate botnet around the time of the Watchbog activity. This raises serious doubts about the “positive” intentions of this adversary. Below is a message left on a compromised system by the adversary:
at Talosintelligence.com
Source:: Cisco Security Notice
By Amanda Rogerson Cybersecurity – the final frontier, these are the trials and tribulations that network admins face on an ongoing basis. Sometimes it feels like network admins are Starfleet captains navigating unknown galaxies as the infrastructure of organizations become more complex. Using a complicated mix of cloud apps, on-prem systems, BYOD, IoT, and more, gone are the days of purely corporate-owned assets.
This means that it is more challenging to trust all the devices on your network anymore. Let’s face it, the perimeter has shifted and users and devices have become the primary entry points for accessing the network and business applications, and more often than not they rely on weak legacy password-based access controls. There must be a better way to boldly go where every admin has gone before to control both application and network access across your campus, Data Center, and cloud!
On today’s modern networks, administrators require solutions that provide deep visibility into users, devices, and the applications both on and off the corporate network.
There is no need to set your phasers to stun for non-compliant users or devices, a “zero trust for the workforce” security model answers these challenges by treating every access attempt as if it were an invading alien species coming from an unknown galaxy, or in this case and untrusted network.
This model focuses on authenticating users and checking the security posture of devices before granting access to applications. By combining the power of Duo Security with Cisco Identity Services Engine (ISE), you have a recipe for successfully implementing modern access controls which are simple yet astonishingly effective to address some core use cases around these challenges, and more appetizing than a Klingon’s Rokeg Blood Pie.
A Recipe to Simplify Visibility and Device Compliance
Decentralization of device management can leave administrators wondering how users are accessing resources. Determining the posture of devices connecting to resources is critical because outdated software often has vulnerabilities that are routinely exploited. Without current endpoint security protections, people can unwittingly turn their devices into a menace on the network, worse than a Tribble invasion. Two simple ingredients provide a delicious approach for strong access controls that is easy to replicate anywhere in the environment.
Cisco Identity Services Engine (ISE) makes it easy to gain visibility and control over who and what’s on your corporate network consistently across wireless, wired, and VPN connections. As users and devices connect to the network, ISE confirms identities against its own user repository and authenticates those users before it grants and controls access based on who and what requested network access. Duo Security compliments this visibility by providing device insights for any device connecting to applications, including devices that are not connected to the corporate environment.
With multi-factor authentication and adaptive access controls, Duo provides the ability to authenticate the user connecting to the resource and verify the access attempt. Through granular access policies at the application or group membership level, administrators can establish controls to grant or block access attempts by identity or device and based on contextual factors such as user location, network address ranges, biometrics, device security and more.
For devices connected to the corporate network ISE together with Cisco AnyConnect Secure Mobility Client checks the security posture of devices that connect to your network. Duo’s Trusted Endpoints augments these controls and lets you issue device certificates that are checked at login for greater insight into and control over your BYOD environment while limiting access by any personal devices that don’t meet your security requirements. With ISE and Duo, you’ll benefit from simplified, secure controls needed to grant appropriate access while protecting your organization from the risks of unauthorized people and devices.
Don’t let the Borg assimilate you into an outdated approach to security. Take the helm and join Duo and Cisco on September 24th to learn more recipes for how combining the power of Duo Security with Cisco ISE can help your organization adopt a zero-trust approach to modern, simple and effective secure access. Full speed ahead, live long and prosper.
Source:: Cisco Security Notice
By Ben Nahorney It can happen to the best of us. You can have robust security software deployed in your environment, and yet a threat slips through. Often it happens at a weak point that you hadn’t considered critical or just overlooked entirely. It can be a humbling experience and something that many security professionals, while loath to admit, have faced.
What follows is a cautionary tale, but one with a silver lining. It makes the case for threat hunting: A security practice where you look for threats that managed to get past your defenses and have hidden themselves within your environment. It’s a topic that we’re highlighting in our latest report in the Cisco Cybersecurity Series, Hunting for Hidden Threats: Incorporating Threat Hunting Into Your Security Program. Because while no one wants to be caught out by a threat, in today’s threat landscape, it can happen.
Meet John
It started at home one evening. While watching Netflix, John—whose name has been changed to protect the innocent—noticed an unusual amount of screen tearing. He was using a home theater PC (HTPC) that he had built, and it appeared the device was overtaxed by the stream. It had served him well over the years, but he figured the HTPC was just getting old and began to think about replacing it.
What he didn’t consider was that cryptomining was taking place in the background. Unbeknownst to John, a threat had made it into his network without being detected. However, its presence was starting to exhibit side effects.
While such behaviors can be explained by other causes, this is a great place for a threat hunt. A hunt is best begun by testing a suspicion or theory. For example, in looking at systems that exhibit screen tearing—could it be cryptomining? In a larger network, you may have users reporting strange issues like this, which can serve as the basis for a hunt. Computers turning on in the middle of the night—could it be a threat phoning home? Upload speeds spiking for short periods—is it data exfiltration? A periodically unreachable web server—DDoS activity? All of these are good starting points.
Each of these activities could be explained away by other, non-malicious factors. However, threat hunting requires a more balanced approach: It’s best not to think that every oddity is caused by malware, but it’s also important not to dismiss it too quickly.
John’s thinking fell on the side of the latter. His security implementations seemed adequate for a small, home network. He had a router with a firewall that included deep packet inspection (DPI), the HTPC was on a different subnet from devices it had no business talking to, and endpoint protections were in place and up-to-date. Well, in place on all but this HTPC.
This was a critical error. The HTPC was running Linux and John had fallen prey to security through obscurity thinking. It’s a situation where he needed to implement a new security policy within his network to cover Linux PCs.
The goal of threat hunting
This is in line with the overarching goal of threat hunting. It’s not just about uncovering threats, but also implementing policies and playbooks to shore up your security posture. In fact, some of the most successful hunts may not uncover a threat at all. Rather, they identify a weakness in the environment that needs to be addressed.
John wishes that he could say he became suspicious and started a threat hunting investigation for cryptomining. However, since nothing was flagging this as cryptomining, he wasn’t, and he didn’t. This is why having adequate logging enabled is critical. You can’t detect what you can’t see, and without logging or other monitoring tools turned on and reporting on the systems within your environment, it’s difficult to accurately assess your exposure.
The truth is that fortune played a part in identifying the threat. Being a new Cisco employee, John had the opportunity to roll out Cisco Umbrella on his home network. After switching his DNS settings over to the Umbrella servers, and checking the logs after about a day, the presence of a threat was clear. Umbrella detected activity from within his network that was attempting to connect to known cryptomining sites.
Cryptomining events (data taken from Cisco Umbrella)
After the hunt
Since a threat had been identified, this is the point where a hunt began to transition into a cleanup. John quickly grabbed a Linux antivirus scanner, installed it, and ran a scan. The results came back with six separate cryptomining installations, sprinkled around the home folder and the browser’s temp folder. John zeroed out each file’s permissions and the cryptomining events disappeared. Even better, the screen tearing was gone.
After a threat hunt, it’s important to get policies in place to prevent the threat from returning, as well as create a playbook or automation to check in the future. In John’s case, Umbrella took care of the latter. To shore up the HTPC, John formatted the entire system (to be safe), installed a more security-focused Linux distribution, and installed AMP for Endpoints.
When discovering a threat during a hunt, it’s also important to cross-check other systems for signs of similar activity. Gather indicators of compromise (IoCs), such as the hash values of the cryptomining files, and check for their presence on other systems.
One interesting side note: While John was confident he was cryptomining-free at this stage, he took the six cryptomining files and ran them through VirusTotal. Each file came back with slightly different results, but was detected by the generic signatures of 5-6 antivirus engines, further solidifying their malicious classification.
What surprised John was that the next day, when he logged into his AMP dashboard, he discovered that AMP had quarantined six files on his Windows PC. John had pulled the cryptomining files off of the HTPC, zipped them up, and had planned to archive them. However, because he scanned these files through VirusTotal, AMP was automatically updated. The files, having previously been flagged as “unknown,” were now known to be malicious. AMP pulled them out of his archive and quarantined them—an interesting turn of events that highlights the power of an integrated security solution.
Lessons learned
As a result of this experience, John’s security posture has improved. However, he’s not naive enough to think that he’s 100 percent secure. Since the incident, John has checked his environment for published IoCs using tools like Cisco Threat Response, and has enabled further logging to be able to check for unusual activity.
Whether we’ll admit it or not, the fact is John could be either you or me. Things can get through our defenses. And the consequences of having a hidden threat on a large network can reach much further than cryptomining software on a single PC. This is why threat hunting is such an important tool in any security arsenal today.
Want to learn more about threat hunting? Check out our latest paper on the topic, Hunting for Hidden Threats: Incorporating Threat Hunting Into Your Security Program. In it, we go further into threat hunting, explaining in more detail what it is, how it compares to other security disciplines, and how to kick it off within your organization.
Download your copy today!
Source:: Cisco Security Notice
By Talos Group
Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between Aug. 30 and Sep. 6. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.
As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.
Read More
Reference:
TRU09062019 – This is a JSON file that includes the IOCs referenced in this post, as well as all hashes associated with the cluster. The list is limited to 25 hashes in this blog post. As always, please remember that all IOCs contained in this document are indicators, and that one single IOC does not indicate maliciousness. See the Read More link above for more details.
Source:: Cisco Security Notice
By Talos Group Cisco Talos is releasing two new tools for IDA Pro: GhIDA and Ghidraaas.
GhIDA is an IDA Pro plugin that integrates the Ghidra decompiler in the IDA workflow, giving users the ability to rename and highlight symbols and improved navigation and comments. GhIDA assists the reverse-engineering process by decompiling x86 and x64 PE and ELF binary functions, using either a local installation of Ghidra, or Ghidraaas ( Ghidra as a Service) — a simple docker container that exposes the Ghidra decompiler through REST APIs.
>>
Source:: Cisco Security Notice
By Talos Group Over the past few months, Microsoft has released several security updates for critical Remote Desktop Protocol (RDP)-related security bugs. These bugs are significant for IT infrastructure because they are classified as “wormable,” meaning future malware that exploits them could spread from system to system without requiring explicit user interaction. These vulnerabilities could be exploited by an attacker sending a specially crafted request to the target system’s Remote Desktop Service via RDP. We have seen how destructive these kinds of attacks can be, most notably WannaCry. We highly recommend organizations immediately apply Microsoft’s patches. Cisco Talos released detection coverage for CVE-2019-0708 and also enhanced guidance to help organizations facilitate inspection of RDP sessions here. Microsoft published additional security updates last month to mitigate two additional remote code execution vulnerabilities, CVE-2019-1181 and CVE-2019-1182, affecting several versions of Microsoft Windows. These bugs are referred to as “DejaBlue” due to their similarities to BlueKeep.
Once again, Cisco Talos started working immediately to reverse-engineer the RCE vulnerabilities. Exploits and protections for both CVE-2019-1181 and CVE-2019-1182 now exist to keep your systems secure. SID 51369 for SNORT® correctly blocks exploitation of CVE-2019-1181 and CVE-2019-1182. In this post, we’ll run through the details of how to protect against this “DejaBlue” exploit and walk through the steps to protect your environment.
Source:: Cisco Security Notice
Adresse
51643 Gummersbach
Telefon: 02261-91550-0
Fax: 02261-91550-99
E-Mail: info@oberberg.net