By Talos Group
Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between Oct 11 and Oct 18. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.
As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.
Read More
Reference:
TRU10182019 – This is a JSON file that includes the IOCs referenced in this post, as well as all hashes associated with the cluster. The list is limited to 25 hashes in this blog post. As always, please remember that all IOCs contained in this document are indicators, and that one single IOC does not indicate maliciousness. See the Read More link above for more details.

Source:: Cisco Security Notice

By Talos Group Attackers are capitalizing on the recent discovery of a new vulnerability that exists across legacy iOS hardware. Cisco Talos recently discovered a malicious actor using a fake website that claims to give iPhone users the ability to jailbreak their phones. However, this site just prompts users to download a malicious profile which allows the attacker to conduct click-fraud.
Checkm8 is a vulnerability in the bootrom of some legacy iOS devices that allows users to control the boot process. The vulnerability impacts all legacy models of the iPhone from the 4S through the X. The campaign we’ll cover in this post tries to capitalize off of checkra1n, a project that uses the checkm8 vulnerability to modify the bootrom and load a jailbroken image onto the iPhone. Checkm8 can be exploited with an open-source tool called “ipwndfu” developed by Axi0mX.
The attackers we’re tracking run a malicious website called checkrain[.]com that aims to draw in users who are looking for checkra1n.
This discovery made headlines and caught the attention of many security researchers. Jailbreaking a mobile device can be attractive to researchers, average users and malicious actors. A researcher or user may want to jailbreak phones to bypass standard restrictions put in place by the manufacturer to download additional software onto the device or look deeper into the inner workings of the phone. However, an attacker could jailbreak a device for malicious purposes, eventually obtaining full control of the device.

Read More >>>

Source:: Cisco Security Notice

By Talos Group
Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between Oct 4 and Oct 11. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.
As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.
Read More
Reference:
TRU10112019 – This is a JSON file that includes the IOCs referenced in this post, as well as all hashes associated with the cluster. The list is limited to 25 hashes in this blog post. As always, please remember that all IOCs contained in this document are indicators, and that one single IOC does not indicate maliciousness. See the Read More link above for more details.

Source:: Cisco Security Notice

By Wendy Nather As we get ready for the Gartner IT Symposium/Xpo in Orlando, we’ve been thinking more about every element and imperative in their CARTA model: Continuous Adaptive Risk and Trust Assessment. Since ‘C‘ also stands for Cisco, let’s start there.
Gartner uses the word “continuous” in a lot of places, including in their seven imperatives. It’s a reaction to the former practice of using what they call “one-time security gates”: you made a decision based on a static set of information (such as a source IP address or a username and password combination), and then you never revisited it. We know that this practice isn’t sufficient to maintain the proper level of trust. Trust is neither binary nor permanent: you don’t trust something or someone to do everything, and you don’t trust forever. Based on the changing nature of risk and the environment, you have to check more than once.
How often do you need to check, and does “continuous” really mean “all the time”? It depends on what you’re checking, what actions you’re taking based on those checks, and how both of those actions affect the system itself (users, applications, devices, networks and so on). Let’s take a look at a chart that Sounil Yu, formerly at Bank of America, devised for the purposes of identifying all the different ways that authentication can happen:

As you can see, a device can authenticate to a network using network access control; to an application using a client-side certificate; and to data with an encryption key. There are many opportunities to authenticate, but should you use all of them? If you try to make a user do all of the steps in the bottom row — authenticate to the device, the application, the network, the data — then you’re going to have a very cranky user. Continuous authentication, if you want to use it, has to be hidden from the user except at times when your estimation of risk really needs the user’s active participation.
On the other hand, devices and systems don’t mind continuous authentication, so doing the continuous checking and verification isn’t as disruptive. And continuous monitoring is fine, as long as you know what you’re going to do with all the data that’s generated. Can you interpret and respond to an ongoing stream of event data? Can you automate that response? If so, great; if not, you’ll end up throttling that “continuous” monitoring to produce the key data that you can actually use.
Gartner’s CARTA Imperative Number Two says “Continuously Discover, Monitor, Assess and Prioritize Risk — Proactively and Reactively.” How often do you do all of these things? Near real-time discovery of users and assets is the ideal state, and there are various ways to accomplish it. Continuous monitoring is (hopefully) a given. The tricky parts are assessment and prioritization, which often need a human to incorporate business context. For example, getting a login request from an unusual location could be a high risk, unless you already know that the employee using that account is really traveling there.
An organization needs to design its monitoring, analysis and actions around risk, but with tradeoffs against what the humans in the equation can reasonably support. How long can you let a successfully authenticated application session last before you start worrying that the user is no longer who you thought they were? Two hours? Eight hours (a typical working day)? A week? Can you force the user to re-authenticate just once through a single sign-on system, or will they have to log back into several applications? The answers can determine how frequently you carry out that “continuous” verification.
What events will cause you to revise your risk estimation and require fresh verification? It might be a request for a sensitive or unusual transaction, in which case you might resort to step-up authentication and kick off an extra permission workflow. It could be the release of a new security patch, so that you want to force all users to update before they can renew their access. Or it could be contact with an asset that is now known to be compromised, and you have to reset everything you knew and trusted about the application and its processes.
Your risk and trust assessments should be adaptive, but they shouldn’t be gratuitously continuous. They should be as often as your risk models require, and only as frequent as you can handle. Balancing controls against usability is the great challenge before us today.
Learn more about Cisco’s Zero Trust approach during Wendy’s talk on October 21 at 1:00 p.m. ET at Gartner IT Symposium/Xpo in Orlando, FL, which takes place at Walt Disney World Swan and Dolphin Resort.

Source:: Cisco Security Notice

By Talos Group Cisco Talos has a new plugin available for IDA Pro that provides a new disassembler for TileGX binaries. This tool should assist researchers in reverse-engineering threats in IDA Pro that target TileGX.
read more >>

Source:: Cisco Security Notice

By Mike Luken Today’s digital economy relies on secure communications in both our personal and business activities. We expect that when private data is transmitted over the internet, or other communications channels, it will be protected against tampering and prying eyes. The integrity and confidentiality of information is typically achieved using cryptography, mathematically based methods to encrypt and decrypt information.
We assume our communications are secure. But are they? Cryptography provides the foundation of secure communications, but how do we know that the cryptography we are using is correct and secure? When was the last time you verified that the algorithms used have been implemented correctly? Or that they have not been intentionally or unintentionally altered to make them less secure?
Fortunately for all of us, there are organizations that have active programs to do just this. As highlighted in Anthony Grieco’s blog on “Automating Explicit Trust,” Cisco and industry leaders are working to develop technologies that provide explicit trust (i.e. evidence of trustworthiness) and enhance communications security. A notable example is the Cryptographic Module Validation Program (CMVP) conducted by the National Institute of Standards and Technology (NIST) as a part of Federal Information Processing Standard (FIPS). Many organizations are required to only utilize products that contain NIST validated cryptographic modules. And this makes sense. Leaders want the communications used in their organizations to be based on a sound foundation to ensure the integrity and confidentiality of their information.
Historically, CMVP testing required significant manual effort which made the endeavor both costly to vendors and extremely time consuming. This resulted in vendors having to make hard decisions on which products and software versions to validate. The organizations requiring this validation, saw the following:
A smaller number of available validated products and software versions
Having to choose between using a non-validated version of software that contains vulnerability fixes vs. using existing validated products with known vulnerabilities while waiting for the new software to be validated.
Recognizing the impact of this dilemma, NIST and industry have been working together to create the Automated Cryptographic Validation Testing (ACVT) program. A bold and visionary move that should increase the number of validated products, reduce the lag between vulnerability fix and validation, and reduce risks inherent with manual operations. This is all made possible with the new Automated Cryptographic Validation Protocol (ACVP) which provides the communications between product under test and the NIST test server.
The ACVT program is live and the NIST ACVT server is online. Industry is actively incorporating ACVP into products. Recently, Cisco successfully passed ACVT algorithm testing for one of its core cryptographic modules (validation # A4); thereby, formally validating the cryptography used to secure customer communications.
Network and system attacks by bad actors are frequently in the news. It is encouraging to know there is now an industry defined, independent 3rd party capability available and in-use to validate that the cryptography used to secure communications. +1 for the good guys.
Visit the Trust Center to learn more about Cisco’s commitment to trustworthiness, transparency, and accountability.
Additional references:
Industry Working Group on Automated Cryptographic Algorithm Validation
NIST: Security Testing, Validation and Measurement

Source:: Cisco Security Notice

By Steve Martino October is Cybersecurity Awareness Month, reminding us that cyber-attacks know no boundaries between work and home, so we need to be diligent about cyber hygiene across all environments. With the abundance of connected devices we all depend on, protecting your digital footprint is no longer optional. But where do you learn what to do?
People who work for larger corporations may receive cyber information and training from their employer. For instance, at Cisco every employee gets basic cyber training and increasingly advanced training based on your role; we even share educational materials on applying best practices at home. But not all businesses have the resources to dedicate to such training. And in the home, most people have limited cyber knowledge at best, and only pay attention if or when they become victims of an attack.
To get you started, here are a few tips that will help you to “own IT, protect IT and secure IT” to stay safe online.
Recognize we are experiencing radical change. With our busy lives, we take technology for granted. But it’s important to realize that technology is changing society faster than any other advance in human history. Adults need to get smart about the implications and actively discuss “today’s digital reality” with their children. Just as you teach a toddler to avoid a hot stove, teach them from an early age about safe online practices.
Ask questions. When you acquire a new connected device, stop and ask where it came from. Who connects with it and/or captures data from it? For what purpose do they collect the data and is that important to me? How do they care for the protection of your data and privacy? The more knowledgeable you become, the smarter your next questions will be.
Maintain your devices. Understand if the device you’re buying has software that will need updated and patched as vulnerabilities are found and fixed. If so, make sure that gets done. Just like not replacing expired batteries in a smoke alarm, using outdated unsecure software won’t keep you safe.
Secure and Protect Passwords. Make your passwords long and complex; change them regularly; don’t use the same password for multiple applications Change default password settings on new devices. We all know multiple passwords can get cumbersome and hard to remember, so use a reputable password manager to keep track for you. Many businesses and institutions provide Two-factor authentication (2FA) as an added step to protect your on-line identity and data. If it’s offered, use it.
Embrace technology, but be aware. If you were walking down a dark street in an unfamiliar city, you’d likely be more aware about who else is around you or may be following you. Treat the internet the same way. Being connected does not mean bad things will happen, but it pays to stay alert and understand best practices and how to apply them. For instance, don’t open email attachments if you’re not completely sure of the sender’s trustworthiness. Don’t click on emailed links that you haven’t asked for. “Stop, think before you click” to avoid the burden of what may come after a malicious attack.
Remember Data Privacy. While security and privacy are different, they’re definitely related. When you’re watching for online threats, also remember that nothing online is really ‘free‘ – you’re most likely giving up something (data) to get a “free service/app”. Ask – is the intrinsic value of the “free” thing worth it? When you download an app or sign up for a new service that collects your data, choose carefully what sharing you allow. And remember, when you put personal information online, it stays around for a long time and may come back to you in unexpected, and unwelcome, ways.
It’s time to bring cybersecurity into the greater social consciousness and constructive discussions about changing norms. As new capabilities keep coming to market faster, we should and can have the right social adaptation to embrace technology safely.

Additional Resources
Tips to help improve your cyber-hygiene (Infographic)
Trust.cisco.com

Source:: Cisco Security Notice

By Talos Group
Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between Sep. 27 to Oct 4. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.
As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.
Read More
Reference:
TRU10042019 – This is a JSON file that includes the IOCs referenced in this post, as well as all hashes associated with the cluster. The list is limited to 25 hashes in this blog post. As always, please remember that all IOCs contained in this document are indicators, and that one single IOC does not indicate maliciousness. See the Read More link above for more details.

Source:: Cisco Security Notice

By Vinny Parla Cisco has an amazing set of products like AMP for Endpoints and Cisco Umbrella protecting devices from advanced malware threats. There were other user and endpoint scenarios that remained unsolved until we introduced the new Cisco Endpoint Security Analytics (CESA) solution that was recently announced. CESA provides an unprecedented level of endpoint and user networking visibility built on Cisco AnyConnect Network Visibility Module (NVM) endpoint telemetry and Splunk Enterprise. Underlying the NVM technology is a protocol called nvzFlow (en-vizzy-flow) that I have blogged about in the past.

Why Did We Build CESA?
The CESA solution was originally developed by the Office of the Security CTO and then integrated into Cisco AnyConnect and Splunk products to solve a set of issues for Cisco InfoSec. Cisco InfoSec realized that getting all the endpoint visibility they needed to perform incident response was a challenge. There were also endpoint security blind spots as more Cisco employees were working off premise and connecting to both enterprise and cloud resources. They needed a way to collect and store a year of data for analysis of incidents while also getting information in real‑time to see what is happening in the network. You can read more about the Cisco InfoSec use case in their case study on CESA.
The Office of the Security CTO looks at current and future customer problems that are not being solved by existing technology and then come up with ideas on how to solve them. My fellow co-inventors, Andrew Zawadowskiy and Donovan O’Hara from the CTO Advanced Development team built the initial Proof of Concept and then worked on the final product release with the AnyConnect development team.
As we thought about ways to solve the problems Cisco InfoSec was facing, we wanted to do it in a way that built on standards technology so that not only could Cisco Stealtwatch and Cisco Tetration support it, but also provide an ecosystem for key partners to participate. This is why we chose to build on IPFIX. It is the perfect protocol to build the enhanced context found in nvzFlow. What do we mean by “Enhanced Context”?
The 5 key endpoint visibility categories conveyed by the protocol or “Enhanced Context” are:
User
Device
Application
Location
Destination
At the end of the blog will be a helpful table to show you details of the enhanced context that is provided.

Working with Great Partners like Splunk and Samsung
One of the key features of CESA is Splunk Enterprise, which performs the analytics and alerting on the NVM telemetry, turning it into actionable events. The new CESA Built on Splunk product, available exclusively from Cisco, provides a Splunk package customized and priced specifically for analyzing NVM telemetry. Cisco InfoSec has been using the CESA solution for over two years now. As noted earlier, you can read more about it in their Case Study.
Spunk Enterprise is a fantastic tool. It was really easy for us to take the Cisco AnyConnect NVM data and not only import it into Splunk, but to also quickly create a high value set of dashboards and reports from the data. There are two components in the Splunk store that make up the solution: Cisco AnyConnect Network Visibility Module (NVM) App for Splunk and Cisco NVM Technology Add-on for Splunk. Because NVM produces so much high value data, Splunk created a special per-endpoint license available exclusively from Cisco that makes budgeting predictable and saves you money. We also put together a helpful deployment guide to get you going.
Below is an example of the dozens of reports available in the AnyConnect NVM Splunk Dashboard.
As you can see the solution provides visibility into what applications are connecting to what domains and how much data is being transmitted/received.

From there, you can then drill down on the specific application and obtain finer grained details including the SHA256 hash of the process, the names of domains and IP addresses it connected to, what account it is running under, etc. Just click on the specific element and it will take you to an investigation page for that observable.

You can easily integrate your favorite investigation tools right into the Splunk Enterprise dashboards. For example, you can pivot from a DNS domain name observable into Cisco Umbrella, Talos Intelligence or Cisco Threat Response with just a couple lines of HTML. This will allow you to obtain a threat disposition on the domain.

Similarly, you can take the SHA256 hash observable and pivot right into AMP for Endpoints, ThreatGrid or Cisco Threat Response. This will allow you to obtain a threat disposition on the binary.

We’ve provided those integrations for you in the default dashboards. You can easily add more just by editing them to include your favorite tools. Let us know if there is anything else that would be useful in the default screens.

Samsung has been another excellent partner from the start. We have worked with them closely on their Knox program for a number of years with AnyConnect integrations and neat features like per-app VPN. When we explained to them what we wanted to do with Cisco AnyConnect NVM, they were excited to help and developed the Network Platform Analytics (NPA) framework to make it possible. It is the only framework available on mobile platforms to support Cisco AnyConnect NVM. The best part is that you can enable and provision this capability using your favorite Enterprise Mobility Management (EMM) solution – no special device-mode needed! Keep an eye out for a forthcoming quick‑start guide on this technology. NVM is also available on Windows, MacOS and Linux platforms.
Those are some of the high points of the CESA Built on Splunk solution. If you’d like to get into further technical details on the solution architecture and NVM telemetry itself, see my post on our Cisco Community Page.

Source:: Cisco Security Notice

By Sean Mason Sean Mason, Director of Cisco Incident Response Services andJeff Bollinger, Investigations Manager, Cisco Security Incident Response Team (CSIRT)
As security practitioners who continuously look for adversarial malice, one of the questions we are asked frequently is: What’s around the corner? Threat actors evolve over time, so how do we know not only what they’re doing now, but also what’s next? And if things are quiet and we’re not observing any incidents, does that mean that everything is under control? Or are adversaries simply retooling?
To help answer these tough questions, we have threat hunting. The objective of this ongoing exercise is to find and eliminate adversaries that have penetrated defenses and are yet to be detected. Essentially, it’s a shift in mentality. Instead of waiting to respond to an incident after it has triggered an alarm, we’re turning over some rocks to find things we don’t know yet.
As explained in Cisco’s recent report, “Hunting for Hidden Threats,” threat hunting is one more tool in the incident responder’s arsenal. It’s not a silver bullet. But — based on our own 30 years of combined experience mitigating threats, not to mention the whole of Cisco’s experience — we believe it’s an essential component of making security foundational.
How valuable to you is the ability to keep your organization’s data from being stolen or locked, or to keep your organization’s name out of the headlines for a breach? If you can stop even one attack successfully, then all the time and money you’ve invested into threat hunting is worth its weight in gold.
Benefits of threat hunting
Although the ultimate objective is to get ahead of adversaries by finding and expelling them before they cause damage, threat hunting has many other benefits, some of which are:
Improving security operations: While threat hunting itself can sometimes be arduous, you can use it to improve efficiencies in other areas. Once you develop techniques and ways of discovering malicious activity, commoditize and operationalize that by creating playbooks as well as automating some of your day-to-day incident response. At Cisco, for example, our incident response team has more than 400 unique playbooks, many of them informed by our threat hunting activities. We use these plays regularly to look for suspicious activity and to free up analysts‘ time.
Understanding your environment: Let’s say you’re a new CISO who needs to get a better picture of what’s going on in your network. A threat hunt, or a compromise assessment, is a good way to understand what you’ve inherited and have signed up to defend. The end result is concrete evidence that you can take to your leadership and ensure you have adequate resources to secure the organization. The hunt can prove that the threats are not just theoretical and are actually lurking inside your ecosystem.
Hardening the environment: From a day-to-day perspective, identifying gaps in security gives you the opportunity to remediate and fix larger problems. As you’re doing hunts, you’ll inevitably discover weaknesses that threat actors can exploit. Apply the knowledge you’ve gained through threat hunting to proactively improve tooling and strengthen the overall security posture.
What it takes to be successful
There are many components to a successful threat hunting program, but the ones that we can’t stress enough include access to the data, a diverse team, and the right mindset.
The importance of high-quality data is obvious, but you may be surprised how big a challenge access can be. We commonly find a lack of necessary data during threat hunts for our customers — and even in our own environment.
Instead of treating a data-access problem like a dead end, think outside the box. Can you look at things differently? Can you use a different set of network logs? And just as important, turn this into an opportunity to improve the outcome next time and go the extra mile to collaborate with those teams that can give you better data.
Which brings us to the people component. There are two aspects to it, and one is the importance of building relationships across teams. Especially those impacted by your security activities, such as the network admins and developers. The other side is the people on the hunting team. Success requires diversity of thought. Include individuals who can think creatively and look at the world a little differently, rather than only thinking in ones and zeroes. We find threat hunters from a variety of backgrounds — even nontechnical.
This also helps you hunt with the right mindset. It’s hard to be objective when you’re living and breathing your security environment day in and day out, especially if you’ve architected it. Taking a step back and asking what you may be missing is not easy. A diverse team that both designs and executes the hunt gives you new perspectives.
Jumping in
Besides the right people, you need the right technology and processes. You may already have a basic foundation you can build on — chances are, you’ve been doing threat hunting without even knowing it. If you’ve ever investigated attacks to try to understand what happened, you’ve been answering some of the same questions and following some of the same steps that hunters do.
A deliberate program, however, does take time to develop. Start with small steps and easy, tactical data sources, then build from there. Don’t make the mistake of throwing a bunch of data sources in at once, or you’ll run into challenges. You don’t even need complicated tools to get off the ground, because you can discover malicious behavior with OS event logs or logs your sysadmin keeps for troubleshooting purposes.
One final thought. There’s a misconception that only larger organizations can implement a threat hunting program. In reality, threat actors don’t concern themselves with size and are looking for easy targets — smaller organizations can benefit just as much, if not more, from getting ahead of these threats. If you don’t have in-house resources, outsource to an expert consultant. And if you already have an outside IR team on retainer, start the conversation about what it would take to proactively look for adversaries.
Want to learn more about establishing a threat hunting program? Download the recent Cisco Cybersecurity Series report, “Hunting for Hidden Threats: Incorporating Threat Hunting Into Your Security Program.”

Source:: Cisco Security Notice