By Talos Group
Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between Jan 24 and Jan 31. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.
As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.
Read More
Reference:
TRU01312020 – This is a JSON file that includes the IOCs referenced in this post, as well as all hashes associated with the cluster. The list is limited to 25 hashes in this blog post. As always, please remember that all IOCs contained in this document are indicators, and that one single IOC does not indicate maliciousness. See the Read More link above for more details.
The post Threat Roundup for January 24 to January 31 appeared first on Cisco Blogs.

Source:: Cisco Security Notice

By Ben Nahorney It’s hard to ignore the ubiquity of the internet of things (IoT). Even if you’re one of those holdouts that doesn’t own consumer IoT devices such as a smart speaker, internet-connected thermostat, or a smart watch, industrial IoT (IIoT) devices—a subset of the IoT landscape—are already playing a part in your daily life. From the delivery of water and electricity, to manufacturing, to entertainment such as amusement park rides, IIoT devices are part of more industries than not, and have been for some time. Gartner recently estimated that there were 4.8 billion IIoT assets in the world at the end of 2019, and expects that number will grow by 21 percent in 2020.
The biggest issue faced in many operational technology (OT) environments, which host IIoT assets, isn’t just this growth, but also dealing with older industrial control systems (ICS) that have sometimes been in operation as long as 30 years. Many of these assets have been connected to the network over the years, making them susceptible to attacks. These legacy devices were often deployed on flat networks, at a time when the need for security took a back seat to other priorities, such as high availability and performance.
The discovery of vulnerabilities in these systems doesn’t always mean that patches are, or even can be, rolled out to fix them. Patching many of these IIoT assets means taking them offline—something that’s not always an option with critical infrastructure or production lines that rely on high availability. So patches are often not applied, and vulnerabilities stack up as devices age, leaving attackers with a large swath of exploits to attempt in the pursuit of compromising IIoT assets.
And the number of vulnerabilities discovered in IIoT devices is growing, as is evident in research carried out by Cisco Talos‘ Security Research Team, whose mission is to discover vulnerabilities before the bad guys do. During their look back at 2019, Talos pointed out that they published 87 advisories about vulnerabilities in IoT and ICS devices—by far the largest category for the year. In fact, there were 23 percent more advisories published in this space than there were for desktop operating systems, the second largest category, and historical mainstay targeted by attackers.
This isn’t all that surprising in a field that’s growing this fast. But it’s worth considering how adding new assets into a network, as well as securely maintaining the OT network where assets reside, presents new challenges and naturally increases the attack surface.
So, if you’re using IIoT assets in your business, what sorts of threats do you need to look out for? And how do you protect your devices?
Getting in
The good news is that most IIoT assets aren’t directly exposed to the internet, meaning attackers must rely on other methods to get to them. In essence, the same techniques used in other attacks are used to get to IIoT assets.
The most common vector for compromise—email—certainly applies here. An attacker can attempt to gather information about engineers, plant managers, and developers that have access to IIoT systems and specifically target them with phishing emails. Compromising a computer owned by any of these users can be the most direct path to compromising IIoT assets.
Unpatched systems, simple or default device passwords, and relaxed remote access policies for maintenance contractors all offer attackers avenues of approach. Weaknesses in any of these can provide ways for an attacker to move laterally and gain access.
The reality is that IIoT-specific threats are not that common of an occurrence. There are threats that have attacked general IoT devices en mass, such as Mirai and VPNFilter. And there are threats like Stuxnet, which specifically targeted PLCs. Of course such highly targeted threats are cause for concern. But it’s far more likely that an IIoT device will be compromised and reconfigured by an attacker than be compromised by a trojan or a worm.
Scorching the earth
Let’s say an attacker sets their sights on bringing a particular business to its knees. He or she begins by crafting an enticing phishing email with a malicious PDF and sends it to HR in the guise of a job application. The employee responsible for monitoring job enquiries opens the PDF, effectively compromising the computer.
The attacker works his or her way laterally through the network, monitoring network traffic and scanning compromised systems, looking for logins and authentication tokens. Without multi-factor authentication enabled for access, they encounter few issues in doing so. The attacker eventually manages to compromise a domain controller, where they deploy malware using a Group Policy Object (GPO), successfully compromising the entire IT network.
Due to poor segmentation, the attacker manages to eventually work his or her way to the OT network. Once in, the attacker performs reconnaissance, flagging the IIoT assets present. The attacker identifies vulnerable services in the assets, exploits them, and knocks them offline.
Production grinds to a halt and the business is effectively shut down.
Defense with an arm behind your back
So how do you defend your IIoT assets and the OT network as a whole against attacks, especially for high-availability assets that can’t readily be brought down to patch?
Network monitoring is often the most effective step you can take. However, it’s important to passively monitor the traffic when it comes to IIoT assets. Active monitoring, where traffic is generated and sent through the network specifically to observe its behavior, can result in an increased load on the network, causing disruptions to device performance and even causing them to fail. In contrast, passive scanning listens to the traffic, fingerprinting what it sees, rather than introducing new traffic into the OT environment.
Keeping a current inventory of assets on the network is also very important in protecting the IT and OT networks. Passive monitoring can help to identify assets on the network, including errant and rogue devices. With a comprehensive list of devices, you can create policies for asset groups.
It’s also very important to segment your networks. Having a complete asset inventory and policies in place will help when figuring out how to segment your IIoT assets and the OT network. While this may not prevent a determined attacker from crossing the boundaries between different areas of the network, it can slow them down, providing more time to respond in the case of an attack. Explore implementing zones and conduits as discussed in ISA99 and IEC 62443 within your organization.
However, it’s worth noting that many IIoT assets leverage broadcast and multicast network communications, where one or more devices will send traffic to all other devices on the network. This can pose a challenge when aggressively segmenting a network. To address this, having a complete inventory of assets on the network is important. Strong dataflow mapping is also helpful when it comes to knowing which assets are talking to each other and how they interact as a whole.
Patching IIoT assets as soon as possible after a vulnerability is discovered is highly recommended. But if it isn’t possible to take a device offline to patch, then visibility becomes critical. It’s important to know what assets you have and the network layout to identify what absolutely must be patched. It may also be worth exploring IIoT redundancy within your network, allowing you to take one device down while others pick up the load during maintenance cycles.
Being able to detect IIoT traffic anomalies is also very helpful. Look for behavior that falls outside of what is expected, such as two IIoT assets talking to each other that shouldn’t be, unplanned firmware updates, unexpected configuration changes, or other anomalies.
Finally, threat hunting is a great way to look for and weed out threats within your OT environment. Proactively looking for bad actors doing bad things, building playbooks, and automating them will go a long way to improve your security posture.
Easing the burden
Protecting IIoT assets is arguably one of the more difficult tasks in security. There are a wide variety of devices, many of which operate in a very tailored manner and don’t respond well to disruption that could be caused by many security processes and procedures.
Fortunately, there are a number of Cisco Security products that can help.
Cisco Cyber Vision gives OT teams and network managers full visibility into their industrial assets and application flows. Embedded in Cisco industrial network equipment, it decodes industrial protocols to map your OT network and detect process anomalies or unwanted asset modifications.
Identity Services Engine leverages the asset inventory built by Cisco Cyber Vision to create dynamic security groups and automatically enforce segmentation using TrustSec.
ISA3000 is a ruggedized industrial firewall appliance you can deploy in harsh environments to enforce zone segmentation, detect intrusions, and stop network threats.
Stealthwatch is a security analytics solution that uses a combination of behavioral modeling, machine learning, and global threat intelligence to detect advanced threats. Integrated with Cisco Cyber Vision, this visibility extends deep within the IIoT infrastructure.
AMP for Endpoints can be used to protect engineering workstations within the OT environment.
Duo’s multi-factor authentication can be used to prevent an attacker from gaining access to systems on the network as a they attempt to move laterally.
Cisco Email Security can detect targeted phishing emails aimed at IIoT operators and others, preventing malicious payloads from reaching their intended target.
Ultimately, a layered approach will provide the best security. For instance, Cisco Cyber Vision can automate visibility of industrial devices and secure operational processes. Integrated with Cisco’s security portfolio, it provides context for profiling of industrial devices in Stealthwatch, and maps communication patterns to define and enforce policy using granular segmentation via with ISE.

Enjoyed reading this Threat of the Month? Subscribe to the Threat of the Month blog series and get alerted when new blogs are published.
The post Securing Industrial IoT appeared first on Cisco Blogs.

Source:: Cisco Security Notice

By Jeff Reed According to research from the Enterprise Strategy Group, 87% of organizations use Network Traffic Analysis (NTA) tools for threat detection and response today, and 43% say that NTA is a “first line of defense” in case of an attack. The increasing IT complexity is one of the main factors in the adoption of NTA tools – growing infrastructure, rise in hybrid and multi cloud deployments, employees accessing the network from any device and any location, and large number of smart devices (IoT/OT) connecting to the network. At the same time, the attack landscape has evolved as well – use of stolen credentials, threats hiding in encrypted traffic, rise in nation-state attacks, and more.
Perhaps that’s why there are so many NTA vendors out there today, trying to catch the attention of security practitioners, carrying their “AI and ML” billboards.
Cisco offers an NTA solution as well, but it wasn’t born yesterday. Cisco Stealthwatch has been in the market more than 17 years. And here are some things that make it the market leading NTA solution:
Broad dataset
Stealthwatch has always relied on network meta data such as NetFlow to feed into its analytics. Now, some vendors claim that this way of ingesting telemetry doesn’t give the complete picture and has limitations. It’s because they rely on deploying a large number of sensors and probes in the network to capture data. If I were cynical, I’d say the vendors who take this position want you to buy more probes and increase your workload!
We realized very early on that as the network grows exponentially, it’s very difficult (and expensive) to deploy sensors everywhere. And this approach leaves you with a lot of blind spots. That’s why we offer an agentless deployment to customers using built in functionality in your network devices. And unlike competitive claims, Stealthwatch doesn’t just rely on NetFlow. For example, it gets user contextual data from Cisco Identity Services Engine (ISE) and also ingests proxy, web, and endpoint data to provide comprehensive visibility. If you do need to investigate the payload, Stealthwatch integrates with major packet capture solutions so you can selectively analyze the malicious traffic pinpointed by Stealthwatch.

Layered analytical approach
Visibility is great, but can be dangerous when it begins to overwhelm your security team. The key is effective analytics to reduce that massive dataset to a few actionable alerts. Stealthwatch uses close to 100 different behavioral models to analyze the telemetry and identify anomalies. These anomalies are further reduced to high-level alerts mapped to the kill-chain such as reconnaissance, command-and-control, data exfiltration and others. Stealthwatch also employs machine learning that uses global threat intelligence powered by Cisco Talos and techniques like supervised and unsupervised learning, statistical modeling, rule mining…I could go on. But I want to talk about the outcomes of analytics within the solution:
Stealthwatch processes ~6.7 trillion network sessions each day across ~80 million devices in our customer environments and reduces them to a few critical alerts. In fact, our customers consistently rate more than 90% of the alerts they see in the dashboard as helpful.
Stealthwatch can automatically detect and classify devices and their roles on the network so that your security scales automatically with your growing network
Another key outcome of Stealthwatch security analytics is the ability to analyze encrypted traffic to detect threats and ensure compliance, without any decryption, using Encrypted Traffic Analytics. With greater than 80% of the web traffic being encrypted1 and more than 70% of threats in 2020 predicted to use encryption2, this is a major attack vector and it’s no longer feasible to rely on decryption-based monitoring
And lastly, instead of throwing random metrics like “XX times workload reduction”, we asked our customers how Stealthwatch has helped them in their incident response and 77% agreed that it has reduced the time to detect and remediate threats from months to hours.

Multi cloud visibility
As organizations increasingly adopt the cloud, they need to ensure that their security controls extend to the cloud as well. Stealthwatch is the only network traffic analysis solution that can provide truly cloud-native visibility across all major cloud providers like Amazon Web Services (AWS), Microsoft Azure and Google Cloud Platform (GCP). And again, the deployment is agentless without the need to install multiple sensors across the infrastructure. With a single solution, you get visibility across the entire network infrastructure, on-premises to the cloud.

Integrated platform approach
We have been working on integrating Stealthwatch analytics into our security platform that spans the network, endpoint, applications and cloud. Most recently, we have integrated Stealthwatch with Cisco Threat Response. Stealthwatch sends alerts directly to Cisco Threat Response’s Incident Manager feature, allowing users to see those alerts alongside prioritized security alerts from other products such as Firepower devices. These incidents can then be investigated with additional context from your other threat response-enabled technologies, all in one console, with one click. This lowers the time required to triage and response to these alarms.
Stealthwatch is also integrated with firewall through the Cisco Defense Orchestrator for threat detection and effective policy management.
Try Stealthwatch
Customers, big and small, love and trust Stealthwatch. We count 15 of top 20 US banks, and 14 of top 20 global healthcare companies among our customers. If you would like to try the solution, you can sign up for a free 2-week Stealthwatch visibility assessment at: https://www.cisco.com/go/free-visibility-assessment
Joining us at Cisco Live, Barcelona this week? Here’s a guide to all the activities and key sessions related to Stealthwatch at the event or come check out a Stealthwatch demo within the Security area at World of Solutions.
As of May 2019, 94% of all Google web traffic is encrypted. And nearly 80% of web pages loaded by Firefox use HTTPS
Gartner predicts that more than 70% of malware campaigns in 2020 will use some type of encryption to conceal malware delivery, command-and-control activity, or data exfiltration – Gartner, Predicts 2017: Network and Gateway Security, December 13, 2016
The post Time for Some Straight Talk Around Network Traffic Analysis appeared first on Cisco Blogs.

Source:: Cisco Security Notice

By Ben Munroe You can tell it’s raining by sticking your head out the door; but what’s the likelihood of it stopping in the next hour? What’s the temperature and relative humidity? Suddenly the need for analytics is apparent. Without it, the chance of getting soaked on any given day would dramatically increase.
Analytics makes the world go ‘round. So why shouldn’t it be the same in security? According to our CISO Benchmark Study, only 35% of respondents said it was easy to determine the scope of a compromise, contain it, and remediate it. This is where analytics can come in, helping to turn the tide. Analytics are becoming increasingly critical for security, and when done right, can significantly improve an organization’s risk posture.
With so much at stake, cybersecurity should be seamless, precise, and manageable. Unfortunately, as I elaborated on in my last blog post, that’s not often the case. Organizations have become accustomed to purchasing and using too many security products without having enough people to manage them – resulting in more alerts than can be digested.

Forecast: Advanced Analytics
We understand the importance of delivering security intelligence that can be easily obtained, understood, and responded to in a timely manner. Seventy-seven percent of our customers say that our industry-leading Network Traffic Analysis (NTA) solution, Cisco Stealthwatch, has reduced their time to detect and remediate threats from months to hours, and has provided a fast return on investment.
Stealthwatch provides enterprise-wide visibility from the private network to the public cloud – including from endpoints and encrypted traffic. It delivers comprehensive situational awareness to help organizations detect, prioritize, and mitigate threats in real time.

Customers Enhance Security with Stealthwatch
The in-depth visibility and robust analytics provided by Stealthwatch translate into high-fidelity alerts, dramatically decreasing the need to manually sift through massive amounts of information to pinpoint a security threat. In fact, our customers consistently rate greater than 90 percent of the alerts they receive from Stealthwatch as “helpful,” meaning they lead to something that definitely needs attention. Minimizing noise and zeroing in on what’s most important is a requirement for effectively protecting today’s complex, modernized environments.

According to the Durham County Government, Stealthwatch has increased visibility and detection of internal threats by at least 80% and has reduced incident response time by 90%.
According to Dimension Data, Stealthwatch has decreased incident response time by over 100 days.
And with Stealthwatch, J. Crew Group can now respond to incidents in 10-15 minutes.
A Platform Approach to Security
Stealthwatch is part of a portfolio of products that work together as a team, learning from each other and improving each other’s effectiveness. For example, Stealthwatch integrates with our incident response portal, Cisco Threat Response, and our security policy management tool, Cisco Defense Orchestrator. We also integrate third-party solutions to deliver more thorough and impactful defenses.
Stealthwatch leverages many aspects of our platform approach to security – including integration, automation, and machine learning – to harden networks and simplify protection. It’s like knowing with confidence what the weather will be like all day and having exactly the right kind of clothes to stay comfortable and dry.
Learn More
If you are joining us this week at Cisco Live in Barcelona, come check out Stealthwatch at one of the sessions or experience a demo within the Security area at the World of Solutions. Or, learn more about Stealthwatch here and take our free 2-week visibility assessment to see how powerful security analytics can quickly surface threats that might be lurking within your network.
The post Cloudy with a Chance of Extremely High Alert Accuracy appeared first on Cisco Blogs.

Source:: Cisco Security Notice

By Robert Waitman As we embark on a new decade, data privacy has become top-of-mind for business executives and consumers worldwide. Data breaches frequently expose the personal data of millions, and many companies have not done enough to protect themselves from intentional or unintentional misuse. While it is often hard to reach agreement on new legislation, one issue that governments around the world seem to agree on is the need to help protect the personal data of their constituents. The EU’s General Data Protection Regulation (GDPR) became enforceable in May 2018, and many countries, from China to Brazil, have updated or passed their own regulations. The new California Consumer Privacy Act (CCPA) became effective at the beginning of 2020, other states are following suit, and a U.S. Federal privacy law is now under consideration.
Insights from the Cisco Data Privacy Research Program
The Cisco Chief Privacy Office has provided groundbreaking research and insights to help organizations and consumers understand what they can and should do to keep data safe and maximize their investments in data privacy. Two years ago, we launched our Data Privacy Benchmark Study, which explored privacy maturity and investments across thousands of organizations worldwide. We found that two-thirds of organizations were experiencing significant sales delays due to customer’s data privacy concerns, but that privacy investment was minimizing those delays. Last year, we expanded our inquiry to explore a wide range of business benefits, including the connection between privacy investment and security benefits such as fewer and less costly breaches. In November, we released a companion study looking at the attitudes and behaviors of consumers worldwide. We identified a large group we call “Privacy Actives” – that is, consumers who care about privacy, are willing to spend time or money to protect their data, and have already switched companies or providers based on their data policies.
The 2020 Data Privacy Benchmark Study and the ROI of Privacy
Today, in observance of International Data Privacy Day, I am pleased to share our 2020 Data Privacy Benchmark Study. Drawing on data from 2800 organizations in 13 countries, we have – for the first time – calculated the ROI for privacy. In addition, we updated the privacy metrics we have been tracking over several years. The study explores the value of privacy certifications in today’s market, as follows:
For every dollar spent on privacy, the average organization is getting $2.70 in associated benefits. We asked respondents to quantify their annual privacy investment and business benefits, and we used this to calculate their privacy ROI. Most organizations are seeing very positive returns, and over 40% are realizing at least double their investment.
70% of organizations say they received significant business benefits from privacy beyond compliance. This is up from 40% last year, and includes better agility and innovation, increased competitive advantage, improved attractiveness to investors, and greater customer trust.
Higher accountability translates to increased benefits: Companies with higher accountability scores (as assessed using the Accountability Wheel of the Centre for Information Policy Leadership) experience lower breach costs, shorter sales delays, and higher financial returns.
Eighty-two percent of organizations see privacy certifications as a motivation for purchasing: Privacy certifications such as the ISO 27701 and the EU-U.S. Privacy Shield are becoming an important purchasing factor when selecting a third-party vendor.
What does this mean for organizations?
The results of this study highlight that privacy is good for business, beyond any compliance requirements. We recommend that organizations:
Invest in privacy beyond the legal minimum; most organizations are seeing very positive returns on their privacy spending.
Work to obtain external privacy certifications; these have become an important factor in the buying process.
Build in privacy accountability and maturity to achieve security benefits, reduced sales delays, and higher returns.
In future blogs, I will explore these results more fully, including some of the interesting differences in results across geographies and company size.

More Information
Cisco Data Privacy Benchmark Study 2020
Press Announcement Cisco Data Privacy Benchmark Study 2020 Confirms Positive Financial Benefits of Strong Corporate Data Privacy Practices
Cisco Data Privacy Benchmark Study 2020 – Infographic
Cisco 2019 Data Privacy Benchmark Study
Consumer Privacy Survey
Cisco Data Privacy
Follow Robert on Twitter @RobertWaitman

The post From Privacy to Trust and ROI appeared first on Cisco Blogs.

Source:: Cisco Security Notice

By Talos Group
Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between Jan 17 and Jan 24. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.
As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.
Read More
Reference:
TRU01242020 – This is a JSON file that includes the IOCs referenced in this post, as well as all hashes associated with the cluster. The list is limited to 25 hashes in this blog post. As always, please remember that all IOCs contained in this document are indicators, and that one single IOC does not indicate maliciousness. See the Read More link above for more details.
The post Threat Roundup for January 17 to January 24 appeared first on Cisco Blogs.

Source:: Cisco Security Notice

By Talos Group News Summary
There is another large-scale cryptomining attack from an actor we are tracking as “Vivin” that has been active since at least November 2017.
“Vivin” has consistently evolved over the past few years, despite having poor operational security and exposing key details of their campaign.
By Andrew Windsor.
Talos has identified a new threat actor, internally tracked as “Vivin,” conducting a long-term cryptomining campaign. We first began linking different samples of malware dropping illicit coin miners to the same actor in November of 2019. However, upon further investigation, Talos established a much longer timeline of activity. Observable evidence shows that Vivin has been active since at least November 2017 and is responsible for mining thousands of U.S. dollars in Monero cryptocurrency off of their infected hosts.
Vivin has shown to rotate the use of multiple cryptocurrency wallet addresses, in addition to altering the delivery chain of their payloads, over different time periods of activity. An interesting aspect of the actor’s delivery method is their use of modified pirated software as their initial attack vector before the samples move on to common “living-off-the-land” methods at later stages of the attack. Vivin makes a minimal effort to hide their actions, making poor operational security decisions such as posting the same Monero wallet address found in our observable samples on online forms and social media. Nor do they discriminate in their targeting, attempting to capitalize on general user behavior, rather than targeting, to generate as large a victim pool as possible.
Despite the market downturn for cryptocurrency values in 2018, cryptomining remained a popular attack method for malicious actors throughout 2019 and heading into 2020. Over the course of last year, Talos Incident Response observed a number of cryptomining attacks, some of which potentially involved higher coordinated cybercrime groups and collaboration between multiple different threat actors. While more sophisticated actors certainly pose a significant threat, organizations should remain cognizant of the additional threat posed by less advanced actors employing wide or unrestricted targeting. Talos has previously documented one such actor, “Panda,” illustrating their potential for long-term exploitation of their victims‘ resources and their resilience from being deterred from future action. These attributes make Vivin, and other actors like them, legitimate risks to organizational resource abuse and potential data theft.
Read More >>
The post Breaking down a two-year run of Vivin’s cryptominers appeared first on Cisco Blogs.

Source:: Cisco Security Notice

By Talos Group
Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between Jan 10 and Jan 17. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.
As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.
Read More
Reference:
TRU01172020 – This is a JSON file that includes the IOCs referenced in this post, as well as all hashes associated with the cluster. The list is limited to 25 hashes in this blog post. As always, please remember that all IOCs contained in this document are indicators, and that one single IOC does not indicate maliciousness. See the Read More link above for more details.
The post Threat Roundup for January 10 to January 17 appeared first on Cisco Blogs.

Source:: Cisco Security Notice

By Megha Mehta As businesses continue to move towards a more digital future, the threats they face continue to become more complex. As many organizations continue to embrace the benefits of cloud, IoT, and an increasingly mobile workforce, threat actors are taking advantage of these attack vectors to work their way into your business.
Cisco Stealthwatch provides comprehensive network-wide visibility and security analytics, so you can stay ahead of attackers and expose their locations and behaviors to help you prevent a security event from becoming a full-blown breach. Today, we’re happy to announce that you’ll have the chance to get behind the wheel and give Stealthwatch a live test drive!
Before they become customers, many organizations we work with have never experienced what it’s like to gain insight into their networks and how they might use the power of behavioral analytics and machine learning to detect threats. Fortunately, Stealthwatch test drives are the perfect way to gain first-hand experience with Stealthwatch and how you can use its capabilities to do just that.
The Cisco Stealthwatch Test Drive provides users with access to a fully configured environment with traffic that you generate to test first hand live use cases including:
Breach Detection
Insider and Advanced Threat Detection
High Risk Application Detection
Policy Violations
Encrypted Traffic Analytics
Attendees will get to experience life-like cyber security attack situations in a virtualized lab environment, playing the role of both attacker and defender. Operating in an environment similar to many large, complex networks, you will learn how an environment can become compromised, how security breaches are detected, and how to respond to these threats using Stealthwatch. Completing these labs will provide you with test plans to effectively operationalize Stealthwatch.
Whether you’re new to Stealthwatch and interested in trying the product for the first time, or a long-time customer, the Cisco Stealthwatch Test Drive Labs are a great way to see all of the detections and integrations that Stealthwatch can do for your organization and help you tailor your product experience to your network and security needs.
To see a schedule of upcoming Cisco Stealthwatch Test Drive Labs, be sure to visit: https://www.cisco.com/c/en/us/products/security/stealthwatch-test-drive.html
To learn more about Stealthwatch, please visit: https://www.cisco.com/go/stealthwatch
The post Get in the Security Fast Lane with a Stealthwatch and Encrypted Traffic Analytics Test Drive! appeared first on Cisco Blogs.

Source:: Cisco Security Notice

By Talos Group Today, Cisco Talos is unveiling the details of a new RAT we have identified we’re calling “JhoneRAT.” This new RAT is dropped to the victims via malicious Microsoft Office documents. The dropper, along with the Python RAT, attempts to gather information on the victim’s machine and then uses multiple cloud services: Google Drive, Twitter, ImgBB and Google Forms. The RAT attempts to download additional payloads and upload the information gathered during the reconnaissance phase. This particular RAT attempts to target a very specific set of Arabic-speaking countries. The filtering is performed by checking the keyboard layout of the infected systems. Based on the analyzed sample, JhoneRAT targets Saudi Arabia, Iraq, Egypt, Libya, Algeria, Morocco, Tunisia, Oman, Yemen, Syria, UAE, Kuwait, Bahrain and Lebanon.
For more, read the rest on the Talos blog here.
The post JhoneRAT: Cloud based python RAT targeting Middle Eastern countries appeared first on Cisco Blogs.

Source:: Cisco Security Notice