By Talos Group (post by Asheer Malhotra).
Cisco Talos has observed a malware campaign that utilizes malicious Microsoft Office documents (maldocs) to spread a remote access trojan (RAT) we’re calling “ObliqueRAT.”
These maldocs use malicious macros to deliver the second stage RAT payload.
This campaign appears to target organizations in Southeast Asia.
Network based detection, although important, should be combined with endpoint protections to combat this threat and provide multiple layers of security.

What’s New?
Cisco Talos has recently discovered a new campaign distributing a malicious remote access trojan (RAT) family we’re calling “ObliqueRAT.” Cisco Talos also discovered a link between ObliqueRAT and another campaign from December 2019 that distributed CrimsonRAT and shared similar maldocs and macros. CrimsonRAT has been known to target diplomatic and government organizations in Southeast Asia.
The post ObliqueRAT: New RAT hits victims’ endpoints via malicious documents appeared first on Cisco Blogs.

Source:: Cisco Security Notice

By Jeff Reed
My cybersecurity trends outlook for 2020 builds on my forecast for 2019. Identity and application security are still top-of-mind this year, but in new and more advanced ways.
As we approach RSA 2020, these are four trends in cybersecurity that I expect will make an impact this year.
1. Zero Trust goes beyond the hype and becomes reality.
Zero Trust had its buzzword breakout at RSA 2018, but there were a lot of questions. What is it? What does it mean? What does a Zero Trust architecture truly look like? As this security approach matures, it’s clear why Zero Trust is so important – there’s data to prove it.
According to the 2017 Verizon Data Breach Report, 81% of breaches involved compromised credentials
According to Imperva, 54% of web app vulnerabilities have a public exploit available to hackers
According to Positive Technologies, 92% of external penetration tests led to a breach of network perimeters
As a colleague of mine says, “Hackers aren’t breaking into networks, they’re logging onto networks.” We need to be smarter about how we establish the identity of a user or device connecting to a network or application before access is approved or denied. The principles of Zero Trust are consistent, but the “how” varies depending on what’s being protected – whether it’s a user, container, IoT device, or something else.
Zero Trust technology is maturing and customers are gaining a more consistent understanding of it as they begin this journey. Moving to Zero Trust is the No. 1 topic for many customers I speak with and it was a top priority for many at Cisco’s CISO Forum.
2. Customers lean toward a platform approach that embraces best-of-suite, instead of best-of-breed.
Security is complex, and CISOs today don’t want a complex solution to an already complex problem. In response, we’re beginning to see a majority of customers shift from a “best-of-breed” to “best-of-suite” approach to security solutions.
I’m seeing a push for fewer strategic partners and more out-of-the-box value from products designed to work together. And I think that push is only going to get stronger. Many CISOs I talk with can’t afford to spend more money for more tools that require more effort to get a team up and running on each tool. This loss of time keeps security teams from high-value work, like applying security insights to keep the enterprise secure.
As I mentioned in my most recent blog post, our annual CISO survey revealed a trend toward vendor consolidation, which tells us CISOs are looking for ways to make network security easier to manage. This trend toward simple solutions will only continue in 2020 and will be a key topic for Cisco Security at the 2020 RSA Conference.
3. SASE principles take hold as cloud security replaces on-prem security.
I personally hope 2020 is the year we can agree on a new acronym for SASE (pronounced “sassy”). But even if it isn’t, the underlying principles of Secure Access Service Edge are legitimate as more customers adopt security in the cloud. You can read more about the principles of SASE in this article from SDxCentral.
Gartner’s recent 2019 Hype Cycle Report states SASE will be as disruptive to network and network security architectures as IaaS was to the architecture for data center design. The principles of SaaS (software as a service) will unlock a new set of capabilities for security as SASE connects individual users and equipment to the cloud – which, by the way, is now a highly dependable and trustworthy place to house all of your applications and services.
This trend is important because the move to cloud is fundamentally changing how users and devices connect to applications and data. As this happens, we need to re-think the type of security controls required and where those controls should be placed. The ideal model will provide flexibility to security teams to place those controls optimally based on the traffic and access patterns of their environment. In some cases those controls will continue to reside on-prem, but increasingly those controls will move to a cloud edge.
We have already seen this with DNS security, and now we are seeing capabilities such as secure web gateway and cloud-delivered firewall. A key to this transition will be meeting the security efficacy requirements, an area that we at Cisco are leaning into.
4. Security moves into application development via DevSecOps.
Another key point coming from Cisco’s CISO Forum is the continued evolution of application security. We’re seeing it in the plethora of new technologies targeting this space. But I’m also seeing a significant change in the organizational model to deal with it. One of the more surprising data points from our fall CISO Forum was the number of CISOs who are embedding security staff directly into application development teams, often without establishing an ongoing relationship with the security organization. DevSecOps enables greater security knowledge within application development teams, gives security a true stake in the development process, and enables security to build relationships within apps teams.
In my conversations with CISOs over the last few years, I’ve seen application security rise dramatically in importance. And now we’re seeing this come to fruition as security talent is moved into the application development process.
A benchmark in the security industry each year is the RSA Conference, and this year is no exception. We’ll be talking about how these trends are already making an impact in the industry and within Cisco’s security strategy. I hope you can join us in San Francisco on February 24-28, 2020.
Be sure to follow me on Twitter and LinkedIn for the latest announcements from Cisco Security during RSA 2020. It’s going to be big.
The post 4 Cybersecurity Trends that Will Make an Impact in 2020 appeared first on Cisco Blogs.


By Cindy Valladares
As part of the activities surrounding Cisco Live Barcelona, we held a very special event specifically tailored for our CISO customers: Cisco CISO Day. It was a full day of exploring topics curated for this executive audience, and an opportunity for them to connect with peers in the security industry. We had engaging discussions around a variety of topics, including: Zero Trust, DevSecOps, cross-domain security, key factors for security success, and more. Below are a few highlights and key insights from the day.
Leadership Through Influence
Perhaps my favorite presentation of the day was by one of our customers, Michael Jenkins, MBE CISO of His experience in both military and academia is intriguing, and has allowed him to ascertain that the best way to lead is through influence. Some tips that he recommended for building strong relationships to support your security goals include:
Take your colleagues out for coffee; share your strategy and obtain their feedback
Select a few vendors and treat them as strategic partners – like friends who have your back
Get buy-in for a common goal and do not be afraid to tell people when things go wrong
Educate and help – we’re not here to shame or punish
Get plugged into the larger community within your industry and work with law enforcement to help combat threats
Encourage everyone to care about security and privacy – offer security clinics, show the SOC in action, etc.
Connecting Security to the Business
Many of the executives at our CISO Day are still finding it hard to be a part of board conversations surrounding security. Some focus on how their teams can create a competitive advantage and increase revenue, while others spend more time struggling with obtaining the appropriate budget needed for their efforts. If this is a topic of interest to you, be on the lookout for the upcoming Cisco CISO Benchmark Survey, in which we discuss leadership support, metrics that matter, and security on a limited budget. (Register here to be alerted when it comes out.)
The Human Factor
A common challenge that continues to plague CISOs is the lack of a trained and skilled security workforce. Several organizations have talent retention and training programs for their employees, yet even with these incentives, they’re finding it difficult to keep up with their needs. Some are working with local universities to provide opportunities to young professionals. What are you doing to address this issue? (You can read more about it here.)
Industrial IoT Security
Although not all organizations need to protect operational technology, this is a topic that drove several conversations from CISOs in a variety of industries like manufacturing, utilities, telecommunications, and others. Securing these industrial IoT environments is more complex than protecting your typical IT shop, and the need for availability and reliability supersedes the traditional confidentiality and integrity in the CIA triad.
For More Information
It’s always a fantastic day when you get the opportunity to learn from your customers and share challenges and opportunities. If you’re interested in learning more about these topics and would like to receive a copy of the presentations from our CISO Day or see a summary of the main topics we’ve discussed, take a look here.
The post The Voice of the CISO Customers – CISO Day in Europe appeared first on Cisco Blogs.


By Talos Group (post by Vanja Svajcer).
In one of our previous posts, we discussed the usage of default operating system functionality and other legitimate executables to execute the so-called “living-off-the-land” approach to the post-compromise phase of an attack. We called those binaries LoLBins. Since then, Cisco Talos has analyzed telemetry we received from Cisco products and attempted to measure the usage of LoLBins in real-world attacks.
Specifically, we are going to focus on MSBuild as a platform for post-exploitation activities. For that, we are collecting information from open and closed data repositories as well as the behavior of samples submitted for analysis to the Cisco Threat Grid platform.
What’s new?
We collected malicious MSBuild project configuration files and documented their structure, observed infection vectors and final payloads. We also discuss potential actors behind the discovered threats.
The post Building a bypass with MSBuild appeared first on Cisco Blogs.


By Talos Group
Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between Feb 7 and Feb 14. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.
As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.
Read More
Reference:
TRU02142020 – This is a JSON file that includes the IOCs referenced in this post, as well as all hashes associated with the cluster. The list is limited to 25 hashes in this blog post. As always, please remember that all IOCs contained in this document are indicators, and that one single IOC does not indicate maliciousness. See the Read More link above for more details.
The post Threat Roundup for February 7 to February 14 appeared first on Cisco Blogs.


By Talos Group (post by Nick Biasini and Edmund Brumaghin).
Coronavirus is dominating the news and threat actors are taking advantage.
Cisco Talos has found multiple malware families being distributed with coronavirus lures and themes. This includes Emotet and several RAT variants.
Executive Summary
Using the news to try and increase clicks and drive traffic is nothing new for malicious actors. We commonly see actors leveraging current news stories or events to try and increase the likelihood of infection. The biggest news currently is focused on the new virus affecting the world, with a focus on China: the coronavirus. There are countless news articles and email-based marketing campaigns going at full throttle right now; as such, we wanted to take a deeper look at how this is manifesting itself on the threat landscape.
Our investigation had several phases, first looking at the email-based campaigns and then pivoting into open-source intelligence sources for additional samples. These investigations uncovered a series of campaigns from the adversaries behind Emotet, along with a series of other commodity malware families using these same topics as lures, and a couple of odd documents and applications along the way. What was also striking was the amount of legitimate email containing things like Microsoft Word documents and Excel spreadsheets related to the coronavirus. This really underscores why using these as lures is so attractive to adversaries and why organizations and individuals need to be vigilant when opening mail attachments, regardless of their origins.
The post Threat actors attempt to capitalize on coronavirus outbreak appeared first on Cisco Blogs.


By Dan Kurschner
For service providers around the world, security is a fundamental and integral part of what they do. With operations across Scandinavia and Asia, Telenor is no exception. The company connects 183 million customers, and each one of them expects secure connections. It’s a given. That’s a key reason Telenor Group and Cisco signed a Joint Purpose Agreement (JPA) to expand their innovation partnership. The JPA consists of helping Telenor establish a security framework architecture, expand their security solutions, and build new security services for their end customers.
Security isn’t optional
For Cisco, this is a multi-year journey with Telenor because when Telenor deploys new infrastructures, security must be built into everything they do. One of the first major milestones is the roll-out of Cisco Stealthwatch in all of Telenor’s business units across their telecommunications and IT operations.
Stealthwatch is a comprehensive visibility and network traffic security analytics solution that uses enterprise telemetry from the existing network infrastructure. It provides pervasive network visibility and sophisticated security analytics for advanced protection across the extended network and cloud. With Stealthwatch, you can:
Outsmart emerging threats in your digital business with industry-leading machine learning and behavioral modeling
Know who is on the network and what they are doing using telemetry from your network infrastructure
The threat landscape is changing rapidly. We’re facing adversaries that are moving and we have to move with them. The service provider world is essentially our new enterprise customer. A partner like Telenor can provide the security solutions and answers that customers need today at scale.
The network is watching
Stealthwatch uses the existing network infrastructure by turning the network itself into a security sensor that can see all of your users. This real-time visibility and analytics translate into actionable information that makes quick response to even advanced attacks possible.
Andre Arnes, CSO and SVP, Telenor Group said, “It’s a big strength for Cisco to be able to leverage Talos threat intelligence. That’s one important attribute of the scale of the partnership between Cisco and Telenor. We set some KPIs for how to measure and grow this service. We saw that we would not only reach the 2019 KPIs in 2019, but also the 2020 ambitions.”
Telenor is continuing to work with Cisco on the development of Cisco Umbrella, Stealthwatch and Stealthwatch Cloud, as well as firewall, intrusion detection and next-generation identity solutions.
Solving challenges and building trust

For Telenor, partnerships with Cisco and other global security players are essential to understanding and solving today’s security challenges. Watch the video to find out more about the collaborative way Telenor is working with Cisco to keep their network and their customers secure.

The post Cisco and Telenor: Working Together to Protect Infrastructure appeared first on Cisco Blogs.


By Talos Group (post by Chris Neal).
Over the past several months, Cisco Talos has observed a malware campaign that utilizes websites hosting a new version of Loda, a remote access trojan (RAT) written in AutoIT.
These websites also host malicious documents that begin a multi-stage infection chain which ultimately serves a malicious MSI file. The second stage document exploits CVE-2017-11882 to download and run the MSI file, which contains Loda version 1.1.1.
This campaign appears to be targeting countries in South America and Central America, as well as the U.S.
What’s New?
Talos has observed several changes in this version of Loda. The obfuscation technique used within the AutoIT script changed to a different form of string encoding. Multiple persistence mechanisms have been employed to ensure Loda continues running on the infected host following reboots. Lastly, the new version leverages WMI to enumerate antivirus solutions running on the infected host.
The post Loda RAT Grows Up appeared first on Cisco Blogs.


By Bradley Anstis
This is probably the most common question I get asked today!
What customers are really asking is “Can I rely on the built-in security capabilities in Office 365 or do I still need to run a 3rd party email security solution such as a Secure Email Gateway?” And the answer — well that depends; every customer’s environment is different.
Do I have to go to the Cloud?
But first, let’s get the most common misconception out of the way. While it is more efficient to run your email security gateway in the cloud, close to your Office 365 tenancy, there is actually no technical reason why you can’t continue using your current on-premise email security appliances to also protect Office 365, during the migration and even afterwards. After all, it is just a matter of MX record addressing and routing: in other words, ensuring the connections are set correctly between your on-premise email security gateway, which receives all incoming email, and Office 365, which hosts your users’ inboxes. Sure, this isn’t the most efficient method, as you are tromboning or hairpinning traffic up and down, and most organizations would only run in this mode for the time frame of the migration. But if you already own the solution and have staff trained to support and manage it, it makes sense to see what value it adds to Office 365 first before you consider migrating to a cloud email platform. Don’t change too much at the same time; let the Office 365 migration settle in first.
How to Answer the Question – For Your Environment
What a customer needs to do, whether it’s related to the Cisco Email Security solution or any other 3rd party solution, is to consider all the areas of Office 365 where these 3rd party solutions can supplement the base capabilities of Office 365. Don’t just ‘tick-box compare’ features. Look at all features and understand how they work. Can the Office 365 features do everything I need today, and what I might need them to do tomorrow? Consider how you can address any gaps and what it means for your organization.
One example of how 3rd party email security gateways can add value to Office 365 is spam quarantine management. In Office 365 there are essentially two ways that a user can get access to and manage quarantined email that has been classified as a false positive. The most common method is via the Junk folder in their Outlook client; it can be difficult to search but generally works well. The second method is a web-based end-user quarantine system. Having two is confusing, but the main issue is that there are very few categories of spam in Office 365. Either an email is categorized as spam or it’s not, and this causes a problem for end-user spam management: there are very few controls over what end-users have access to and what they do not. Ideally, you’d rather not have your end-users making decisions about whether to release potentially malicious or inappropriate/pornographic content; you have to ensure you are providing a safe working environment for all employees.
Clearly security is the most important area of capability where we can supplement the core capabilities in Office 365. We have had many customers decide to rely on Office 365 alone for email security, only to come back several months later. A very common theme across these customers is that the first impact they see is at the help desk, which was not expected. The issue is that they have changed out one of the core security technologies that the organization had probably been using for years and become accustomed to: the spam detection engine. Most of the leading email security providers do a pretty good job today; I couldn’t tell you the last time I had a spam message in my inbox. Suddenly the new spam detection engine is letting through some spam, users can’t remember what to do with it, so they call the help desk, all at once! Then, after that initial rush, end-users start to notice some email possibly missing, and now the help desk is doing (and learning in a hurry) message tracking, looking for false positives.
A perfect example of a misstep many organizations make by doing a ‘tick-box‘ comparison is that a feature like a spam detection engine can have significantly different capabilities depending on the vendor. Cisco Email Security has been innovating our email security solution for over 20 years. Our world class threat intelligence is supplied by the largest non-government threat research organization in the world, Talos.
There are many other areas in email security to consider; known malware recognition, unknown or suspect attachment handling, embedded URL handling, support for external threat intelligence and active content disarm and reconstruction. All these functions make meaningful differences in keeping the bad stuff out and your inboxes safe.
Also consider how easy your system is to manage. What reports have you come to rely on in your old systems, what are your managers expecting to see? Have you tested Office 365 to see what it’s like to do message tracking? Have you created email policies?
How confident are you in the capability of the policy engine? Are you even confident that you can recreate all your current email policy in Office 365? What policies will you need in the future? In our experience, in addition to reporting, this is the other area often not tested extensively enough in initial evaluations. With the growing amount of regulatory compliance requirements, having an advanced policy engine with plenty of policy conditions and actions, coupled with significant flexibility, is more likely to support your efforts. While the Cisco policy engine currently has 24 conditions and 26 actions within its content filtering policy engine, it’s what those options are that makes the difference. For example, full control over adding/editing header information and the ability to reroute email based on policy are a couple of options that we see organizations using for a variety of business enablement projects. Our customers are getting real business value out of their email security solution and the options themselves; another example of how dangerous it is to tick boxes!
Suggested Decision Process
So now that we have some understanding of what we should be looking at, what’s the best way to go about this analysis? Below are a series of steps to consider to help you make an informed decision:

Your current email policy: This is a great opportunity to assess all the policies and settings that you are relying on now. Are they all needed going forward? What have you seen or tested for yourself that is supported by Microsoft?

Email security capabilities: How these technologies work on your email flow is what is important. There are many ways of validating this, either by running different solutions in a monitoring-only mode or by Bcc’ing/copying email to the solution under test for analysis and then deletion. Is Office 365 by itself blocking everything you need? If it is missing some email, is that critical for your organisation? What sort of impact could result from certain types of email getting through to end-users (missed spam, malicious attachments, inappropriate content, malicious URLs, advanced phishing attacks, etc.)?

Advanced phishing detection: Phishing has been a scourge for years because it is constantly evolving. The latest iteration, BEC or Business Email Compromise, has financially impacted many organisations large and small all around the world. BEC is difficult to detect: it includes no attachments or embedded URLs and is sent in low numbers and in a very targeted way. Has your company had issues? Do you know someone who has? What could the impact be for you? Does your current solution have any specialist support for BEC? Have you measured how much that is catching, and are you sure that Office 365 would be able to detect and block these even using the advanced phishing capabilities in Microsoft’s ATP optional add-on? This in particular is a great area to potentially leverage a specialist solution such as Cisco’s Advanced Phishing Protection module, which can work in any email environment.

Management: How easy is the solution to use? Can you track a message all the way through the scanning process? Can the search engine easily find and release quarantined email? Are you using end-user spam management now? Do you want to continue to use it? Will the capability offered in Office 365 meet your HR driven employee policies and requirements?

Reporting: Do you have any automatic scheduled reports being sent within your organization; perhaps to senior management? Can these be replicated within just Office 365? What reporting, or compliance auditing requirements can you see being required in the short term? Are these reports supported?

External Domain Protection: Now a more common inclusion for corporate messaging teams, DMARC and related standards let organizations monitor which organizations are sending email using their domain. Is your brand being negatively affected by being used in phishing attacks? While Office 365 does not offer any capability here, this is another area that can be addressed or supplemented using standalone products or solutions such as Cisco Domain Protection.
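As an added example of what the DMARC check in that last step actually decides (this is illustration code, not the post’s or Cisco Domain Protection’s), the block below parses a constructed DMARC record, applies SPF/DKIM identifier alignment to a message’s authentication results to derive the receiver’s disposition, and lists the gaps that leave a domain unmonitored or unprotected. The records and domains are constructed, and `organizational_domain` is simplified to the last two labels rather than using the Public Suffix List.

```python
"""DMARC record parser and per-message alignment evaluator (added example,
not Cisco Domain Protection code; records below are constructed)."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

VALID_POLICIES = ("none", "quarantine", "reject")


@dataclass
class DmarcPolicy:
    policy: str            # p=  : action receivers take on failure
    subdomain_policy: str  # sp= : same for subdomains, defaults to p=
    adkim: str             # DKIM alignment: r (relaxed) or s (strict)
    aspf: str              # SPF alignment:  r (relaxed) or s (strict)
    pct: int               # share of failing mail the policy applies to
    rua: List[str] = field(default_factory=list)  # aggregate-report URIs


def parse_dmarc_record(record: str) -> DmarcPolicy:
    """Parse the TXT record published at _dmarc.<domain>."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        raise ValueError(f"missing or invalid p= tag: {policy!r}")
    pct = int(tags.get("pct", "100"))
    if not 0 <= pct <= 100:
        raise ValueError("pct= must be between 0 and 100")
    return DmarcPolicy(
        policy=policy,
        subdomain_policy=tags.get("sp", policy).lower(),
        adkim=tags.get("adkim", "r").lower(),
        aspf=tags.get("aspf", "r").lower(),
        pct=pct,
        rua=[u.strip() for u in tags.get("rua", "").split(",") if u.strip()],
    )


def organizational_domain(domain: str) -> str:
    """Simplified to the last two labels; real receivers use the Public
    Suffix List so that names like example.co.uk are handled correctly."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict alignment needs an exact match; relaxed accepts the same
    organizational domain (mail.example.com aligns with example.com)."""
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    if mode == "s":
        return a == f
    return organizational_domain(a) == organizational_domain(f)


def evaluate_message(policy: DmarcPolicy, from_domain: str,
                     spf_domain: Optional[str], spf_result: str,
                     dkim_domain: Optional[str], dkim_result: str) -> Tuple[str, str]:
    """Return (dmarc_result, disposition) for one message: DMARC passes when
    SPF or DKIM passed AND that identifier aligns with the RFC5322.From
    domain. pct= sampling is not modeled; the disposition is the one that
    applies when the message is selected for enforcement."""
    spf_ok = (spf_result == "pass" and spf_domain is not None
              and is_aligned(spf_domain, from_domain, policy.aspf))
    dkim_ok = (dkim_result == "pass" and dkim_domain is not None
               and is_aligned(dkim_domain, from_domain, policy.adkim))
    if spf_ok or dkim_ok:
        return "pass", "none"
    # The record is assumed to be the organizational domain's, so a From:
    # subdomain falls under sp= rather than p=.
    if from_domain.lower().rstrip(".") == organizational_domain(from_domain):
        return "fail", policy.policy
    return "fail", policy.subdomain_policy


def monitoring_gaps(policy: DmarcPolicy) -> List[str]:
    """Findings that mean the record will not tell you who is sending as your
    domain, or will not stop them once you know."""
    gaps = []
    if not policy.rua:
        gaps.append("no rua= address: aggregate reports are not collected")
    if policy.policy == "none":
        gaps.append("p=none: monitor-only, spoofed mail is still delivered")
    if policy.pct < 100:
        gaps.append(f"pct={policy.pct}: policy applies to only part of failing mail")
    if policy.subdomain_policy == "none" and policy.policy != "none":
        gaps.append("sp=none: subdomains are not covered by the parent policy")
    return gaps


# Constructed records for the example (not any real domain's published data).
ENFORCING_RECORD = "v=DMARC1; p=quarantine; sp=reject; rua=mailto:dmarc-rua@example.com"
MONITOR_ONLY_RECORD = "v=DMARC1; p=none; pct=50"
```

Run `monitoring_gaps(parse_dmarc_record(...))` against your own published record to see whether it is collecting reports at all, and `evaluate_message` against the SPF/DKIM results a third-party sender produces to see whether their mail would be quarantined or rejected under your policy.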
Licensing & Recommendations
For the majority of our customers, the ideal combination is Office 365 E3 with Cisco Cloud Email Security. This combination includes all the core Office 365 products supplemented with an enterprise-class email security solution. The ATP features for Safe Links and Safe Attachments are easily met and exceeded in Cisco’s Cloud Email Security; this is the combination that Cisco itself runs.
Moving up to the E5 licensing tier is a difficult decision: you need to look at all the inclusions you get, which are substantial, and determine what value your organisation would get out of them. From an email security and management viewpoint, everything is pretty much covered with the combination recommended above, except for the advanced email archiving capability if you need that over the basic option in E3.
There are also of course all the collaboration/telephony services which Cisco has great solutions for as well!
Options for Proving the Value
So how can you prove the decision you are making is the right one, or at least if you have already deployed Office 365 by itself, test to see how it is performing from a security viewpoint at least?
Cisco has an analysis tool called “Threat Analyzer for Office 365”. It works by accessing a selection of your users’ inboxes (you define which ones) via the Microsoft Graph API built into Office 365. Threat Analyzer scans these inboxes using the same email security engines that we have in our commercial offerings, looking for any email that we would have detected as spam, gray-mail, malicious email (with attachment or embedded URL) or inappropriate spam. Threat Analyzer does not do anything to this email or the inbox; it just records what the Cisco email security engines would have detected and then produces a report showing these results. From this report you can get an idea of the extra value you would get from running Cisco email security together with Office 365. However, remember that not all the security engines can be used (connection filtering, for example) with a configuration such as this, so your final experience would be even better than the report suggests.
There are also other options. The recommended one is to have Cisco email security running in front of Office 365, so that it is the internet-facing email server for your email domains; this way 100% of the Cisco security capability can be brought to bear. You can test this by using the default policy, which would detect/block and quarantine within Cisco email security, or you can simply tag email for it to then be processed by Office 365 and see the combined results. We have also seen other organizations create a BCC rule within Office 365 so that all email to be delivered to end-users is also copied to Cisco email security to see what would have been blocked, although this also limits the security engines that can be used, as it is not internet facing: the same limitation that Threat Analyzer for Office 365 has.
Summary
Not every single customer will need to supplement the security that is in Office 365 as every organization has a different appetite and requirements when it comes to cyber security. Considerations include how exposed and trained their end users are and the possible impact to the organization of different types of cyber incidents; from fraudulent BEC emails to malicious content leading to data breaches.
It’s important to consider a solution that meets your current needs and your future concerns.
You have a great opportunity to rethink your email security solution and what else it can do for your business. Many organizations are just using email security to keep the bad stuff out and the good stuff in, but it can provide much more business value than that. We see so many organizations missing a great opportunity here because keeping the bad stuff out is all they have ever used their email gateway for, whereas other organizations we have seen use this technology to enable business processes and integrate disparate systems and applications; you just need to use some imagination!
When considering whether Office 365 can do everything you need, or whether you might need to supplement it with a 3rd party solution, make an informed decision for your organization by looking at all the areas where you might need to supplement the core capability in Office 365: security of course, but also management and reporting. And remember, do not tick-box compare!
If you’re interested in seeing what Cisco Email Security can do, contact your Sales Account Manager for a free Threat Analyzer Scan. Or, if you’re interested in a more in-depth look at how we can improve your security posture, we offer a 45-day free trial of Cisco Email Security.

I hope this blog has been of use and I wish you the best of luck in your path going forward.
The post Do I really need additional email security when using Office 365? appeared first on Cisco Blogs.


Source:: Innovaphone