By Ben Munroe You can tell it’s raining by sticking your head out the door; but what’s the likelihood of it stopping in the next hour? What’s the temperature and relative humidity? Suddenly the need for analytics is apparent. Without it, the chance of getting soaked on any given day would dramatically increase.
Analytics makes the world go ‘round. So why shouldn’t it be the same in security? According to our CISO Benchmark Study, only 35% of respondents said it was easy to determine the scope of a compromise, contain it, and remediate it. This is where analytics can come in, helping to turn the tide. Analytics are becoming increasingly critical for security, and when done right, can significantly improve an organization’s risk posture.
With so much at stake, cybersecurity should be seamless, precise, and manageable. Unfortunately, as I elaborated on in my last blog post, that’s not often the case. Organizations have become accustomed to purchasing and using too many security products without having enough people to manage them – resulting in more alerts than can be digested.

Forecast: Advanced Analytics
We understand the importance of delivering security intelligence that can be easily obtained, understood, and responded to in a timely manner. Seventy-seven percent of our customers say that our industry-leading Network Traffic Analysis (NTA) solution, Cisco Stealthwatch, has reduced their time to detect and remediate threats from months to hours, and has provided a fast return on investment.
Stealthwatch provides enterprise-wide visibility from the private network to the public cloud – including from endpoints and encrypted traffic. It delivers comprehensive situational awareness to help organizations detect, prioritize, and mitigate threats in real time.

Customers Enhance Security with Stealthwatch
The in-depth visibility and robust analytics provided by Stealthwatch translate into high-fidelity alerts, dramatically decreasing the need to manually sift through massive amounts of information to pinpoint a security threat. In fact, our customers consistently rate greater than 90 percent of the alerts they receive from Stealthwatch as “helpful,” meaning they lead to something that definitely needs attention. Minimizing noise and zeroing in on what’s most important is a requirement for effectively protecting today’s complex, modernized environments.

According to the Durham County Government, Stealthwatch has increased visibility and detection of internal threats by at least 80% and has reduced incident response time by 90%.
According to Dimension Data, Stealthwatch has decreased incident response time by over 100 days.
And with Stealthwatch, J. Crew Group can now respond to incidents in 10-15 minutes.
A Platform Approach to Security
Stealthwatch is part of a portfolio of products that work together as a team, learning from each other and improving each other’s effectiveness. For example, Stealthwatch integrates with our incident response portal, Cisco Threat Response, and our security policy management tool, Cisco Defense Orchestrator. We also integrate third-party solutions to deliver more thorough and impactful defenses.
Stealthwatch leverages many aspects of our platform approach to security – including integration, automation, and machine learning – to harden networks and simplify protection. It’s like knowing with confidence what the weather will be like all day and having exactly the right kind of clothes to stay comfortable and dry.
Learn More
If you are joining us this week at Cisco Live in Barcelona, come check out Stealthwatch at one of the sessions or experience a demo within the Security area at the World of Solutions. Or, learn more about Stealthwatch here and take our free 2-week visibility assessment to see how powerful security analytics can quickly surface threats that might be lurking within your network.
The post Cloudy with a Chance of Extremely High Alert Accuracy appeared first on Cisco Blogs.

Source:: Cisco Security Notice

By Robert Waitman As we embark on a new decade, data privacy has become top-of-mind for business executives and consumers worldwide. Data breaches frequently expose the personal data of millions, and many companies have not done enough to protect themselves from intentional or unintentional misuse. While it is often hard to reach agreement on new legislation, one issue that governments around the world seem to agree on is the need to help protect the personal data of their constituents. The EU’s General Data Protection Regulation (GDPR) became enforceable in May 2018, and many countries, from China to Brazil, have updated or passed their own regulations. The new California Consumer Privacy Act (CCPA) became effective at the beginning of 2020, other states are following suit, and a U.S. Federal privacy law is now under consideration.
Insights from the Cisco Data Privacy Research Program
The Cisco Chief Privacy Office has provided groundbreaking research and insights to help organizations and consumers understand what they can and should do to keep data safe and maximize their investments in data privacy. Two years ago, we launched our Data Privacy Benchmark Study, which explored privacy maturity and investments across thousands of organizations worldwide. We found that two-thirds of organizations were experiencing significant sales delays due to customer’s data privacy concerns, but that privacy investment was minimizing those delays. Last year, we expanded our inquiry to explore a wide range of business benefits, including the connection between privacy investment and security benefits such as fewer and less costly breaches. In November, we released a companion study looking at the attitudes and behaviors of consumers worldwide. We identified a large group we call “Privacy Actives” – that is, consumers who care about privacy, are willing to spend time or money to protect their data, and have already switched companies or providers based on their data policies.
The 2020 Data Privacy Benchmark Study and the ROI of Privacy
Today, in observance of International Data Privacy Day, I am pleased to share our 2020 Data Privacy Benchmark Study. Drawing on data from 2800 organizations in 13 countries, we have – for the first time – calculated the ROI for privacy. In addition, we updated the privacy metrics we have been tracking over several years. The study explores the value of privacy certifications in today’s market, as follows:
For every dollar spent on privacy, the average organization is getting $2.70 in associated benefits. We asked respondents to quantify their annual privacy investment and business benefits, and we used this to calculate their privacy ROI. Most organizations are seeing very positive returns, and over 40% are realizing at least double their investment.
70% of organizations say they received significant business benefits from privacy beyond compliance. This is up from 40% last year, and includes better agility and innovation, increased competitive advantage, improved attractiveness to investors, and greater customer trust.
Higher accountability translates to increased benefits: Companies with higher accountability scores (as assessed using the Accountability Wheel of the Centre for Information Policy Leadership) experience lower breach costs, shorter sales delays, and higher financial returns.
Eighty-two percent of organizations see privacy certifications as a motivation for purchasing: Privacy certifications such as the ISO 27701 and the EU-U.S. Privacy Shield are becoming an important purchasing factor when selecting a third-party vendor.
What does this mean for organizations?
The results of this study highlight that privacy is good for business, beyond any compliance requirements. We recommend that organizations:
Invest in privacy beyond the legal minimum; most organizations are seeing very positive returns on their privacy spending.
Work to obtain external privacy certifications; these have become an important factor in the buying process.
Build in privacy accountability and maturity to achieve security benefits, reduced sales delays, and higher returns.
In future blogs, I will explore these results more fully, including some of the interesting differences in results across geographies and company size.

More Information
Cisco Data Privacy Benchmark Study 2020
Press Announcement Cisco Data Privacy Benchmark Study 2020 Confirms Positive Financial Benefits of Strong Corporate Data Privacy Practices
Cisco Data Privacy Benchmark Study 2020 – Infographic
Cisco 2019 Data Privacy Benchmark Study
Consumer Privacy Survey
Cisco Data Privacy
Follow Robert on Twitter @RobertWaitman

The post From Privacy to Trust and ROI appeared first on Cisco Blogs.

Source:: Cisco Security Notice

By Talos Group
Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between Jan 17 and Jan 24. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.
As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.
Read More
Reference:
TRU01242020 – This is a JSON file that includes the IOCs referenced in this post, as well as all hashes associated with the cluster. The list is limited to 25 hashes in this blog post. As always, please remember that all IOCs contained in this document are indicators, and that one single IOC does not indicate maliciousness. See the Read More link above for more details.
The post Threat Roundup for January 17 to January 24 appeared first on Cisco Blogs.

Source:: Cisco Security Notice

By Talos Group News Summary
There is another large-scale cryptomining attack from an actor we are tracking as “Vivin” that has been active since at least November 2017.
“Vivin” has consistently evolved over the past few years, despite having poor operational security and exposing key details of their campaign.
By Andrew Windsor.
Talos has identified a new threat actor, internally tracked as “Vivin,” conducting a long-term cryptomining campaign. We first began linking different samples of malware dropping illicit coin miners to the same actor in November of 2019. However, upon further investigation, Talos established a much longer timeline of activity. Observable evidence shows that Vivin has been active since at least November 2017 and is responsible for mining thousands of U.S. dollars in Monero cryptocurrency off of their infected hosts.
Vivin has shown to rotate the use of multiple cryptocurrency wallet addresses, in addition to altering the delivery chain of their payloads, over different time periods of activity. An interesting aspect of the actor’s delivery method is their use of modified pirated software as their initial attack vector before the samples move on to common “living-off-the-land” methods at later stages of the attack. Vivin makes a minimal effort to hide their actions, making poor operational security decisions such as posting the same Monero wallet address found in our observable samples on online forms and social media. Nor do they discriminate in their targeting, attempting to capitalize on general user behavior, rather than targeting, to generate as large a victim pool as possible.
Despite the market downturn for cryptocurrency values in 2018, cryptomining remained a popular attack method for malicious actors throughout 2019 and heading into 2020. Over the course of last year, Talos Incident Response observed a number of cryptomining attacks, some of which potentially involved higher coordinated cybercrime groups and collaboration between multiple different threat actors. While more sophisticated actors certainly pose a significant threat, organizations should remain cognizant of the additional threat posed by less advanced actors employing wide or unrestricted targeting. Talos has previously documented one such actor, “Panda,” illustrating their potential for long-term exploitation of their victims‘ resources and their resilience from being deterred from future action. These attributes make Vivin, and other actors like them, legitimate risks to organizational resource abuse and potential data theft.
Read More >>
The post Breaking down a two-year run of Vivin’s cryptominers appeared first on Cisco Blogs.

Source:: Cisco Security Notice

By Talos Group
Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between Jan 10 and Jan 17. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.
As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.
Read More
Reference:
TRU01172020 – This is a JSON file that includes the IOCs referenced in this post, as well as all hashes associated with the cluster. The list is limited to 25 hashes in this blog post. As always, please remember that all IOCs contained in this document are indicators, and that one single IOC does not indicate maliciousness. See the Read More link above for more details.
The post Threat Roundup for January 10 to January 17 appeared first on Cisco Blogs.

Source:: Cisco Security Notice

By Megha Mehta As businesses continue to move towards a more digital future, the threats they face continue to become more complex. As many organizations continue to embrace the benefits of cloud, IoT, and an increasingly mobile workforce, threat actors are taking advantage of these attack vectors to work their way into your business.
Cisco Stealthwatch provides comprehensive network-wide visibility and security analytics, so you can stay ahead of attackers and expose their locations and behaviors to help you prevent a security event from becoming a full-blown breach. Today, we’re happy to announce that you’ll have the chance to get behind the wheel and give Stealthwatch a live test drive!
Before they become customers, many organizations we work with have never experienced what it’s like to gain insight into their networks and how they might use the power of behavioral analytics and machine learning to detect threats. Fortunately, Stealthwatch test drives are the perfect way to gain first-hand experience with Stealthwatch and how you can use its capabilities to do just that.
The Cisco Stealthwatch Test Drive provides users with access to a fully configured environment with traffic that you generate to test first hand live use cases including:
Breach Detection
Insider and Advanced Threat Detection
High Risk Application Detection
Policy Violations
Encrypted Traffic Analytics
Attendees will get to experience life-like cyber security attack situations in a virtualized lab environment, playing the role of both attacker and defender. Operating in an environment similar to many large, complex networks, you will learn how an environment can become compromised, how security breaches are detected, and how to respond to these threats using Stealthwatch. Completing these labs will provide you with test plans to effectively operationalize Stealthwatch.
Whether you’re new to Stealthwatch and interested in trying the product for the first time, or a long-time customer, the Cisco Stealthwatch Test Drive Labs are a great way to see all of the detections and integrations that Stealthwatch can do for your organization and help you tailor your product experience to your network and security needs.
To see a schedule of upcoming Cisco Stealthwatch Test Drive Labs, be sure to visit: https://www.cisco.com/c/en/us/products/security/stealthwatch-test-drive.html
To learn more about Stealthwatch, please visit: https://www.cisco.com/go/stealthwatch
The post Get in the Security Fast Lane with a Stealthwatch and Encrypted Traffic Analytics Test Drive! appeared first on Cisco Blogs.

Source:: Cisco Security Notice

By Talos Group Today, Cisco Talos is unveiling the details of a new RAT we have identified we’re calling “JhoneRAT.” This new RAT is dropped to the victims via malicious Microsoft Office documents. The dropper, along with the Python RAT, attempts to gather information on the victim’s machine and then uses multiple cloud services: Google Drive, Twitter, ImgBB and Google Forms. The RAT attempts to download additional payloads and upload the information gathered during the reconnaissance phase. This particular RAT attempts to target a very specific set of Arabic-speaking countries. The filtering is performed by checking the keyboard layout of the infected systems. Based on the analyzed sample, JhoneRAT targets Saudi Arabia, Iraq, Egypt, Libya, Algeria, Morocco, Tunisia, Oman, Yemen, Syria, UAE, Kuwait, Bahrain and Lebanon.
For more, read the rest on the Talos blog here.
The post JhoneRAT: Cloud based python RAT targeting Middle Eastern countries appeared first on Cisco Blogs.

Source:: Cisco Security Notice

By Jeff Bollinger Cisco’s Computer Security Incident Response Team (CSIRT) detected a large and ongoing malspam campaign leveraging the .IMG file extension to bypass automated malware analysis tools and infect machines with a variety of Remote Access Trojans. During our investigation, we observed multiple tactics, techniques, and procedures (TTPs) that defenders can monitor for in their environments. Our incident response and security monitoring team’s analysis on a suspicious phishing attack uncovered some helpful improvements in our detection capabilities and timing.
In this case, none of our intelligence sources had identified this particular campaign yet. Instead, we detected this attack with one of our more exploratory plays looking for evidence of persistence in the Windows Autoruns data. This play was successful in detecting an attack against a handful of endpoints using email as the initial access vector and was able to evade our defenses at the time. Less than a week after the incident, we received alerts from our retrospective plays for this same campaign once our integrated threat intelligence sources delivered the indicators of compromise (IOC). This blog is a high level write-up of how we adapted to a potentially successful attack campaign and our tactical analysis to help prevent and detect future campaigns.
(This blog was co-authored by Jeff Bollinger & William Sheldon)

Incident Response Techniques and Strategy
The Cisco Computer Security and Incident Response Team (CSIRT) monitors Cisco for threats and attacks against our systems, networks, and data. The team provides around the globe threat detection, incident response, and security investigations. Staying relevant as an IR team means continuously developing and adapting the best ways to defend the network, data, and infrastructure. We’re constantly experimenting with how to improve the efficiency of our data-centric playbook approach in the hope it will free up more time for threat hunting and more in-depth analysis and investigations. Part of our approach has been that as we discover new methods for detecting risky activity, we try to codify those methods and techniques into our incident response monitoring playbook to keep an eye on any potential future attacks.
Although some malware campaigns can slip past the defenses with updated techniques, we preventatively block the well-known, or historical indicators and leverage broad, exploratory analysis playbooks that spotlight more on how attackers operate and infiltrate. In other words, there is value in monitoring for the basic atomic indicators of compromised like IP addresses, domain names, file hashes, etc. but to go further you really have to look broadly at more generic attack techniques. These playbooks, or plays, help us find out about new attack campaigns that are possibly targeted and potentially more serious. While some might label this activity “threat hunting”, this data exploration process allows us to discover, track, and potentially share new indicators that get exposed during a deeper analysis.
Defense in depth demands that we utilize additional data sources in case attackers successfully evade one or more of our defenses, or if they were able to obscure their malicious activities enough to avoid detection. Recently we discovered a malicious spam campaign that almost succeeded due to a missed early detection. In one of our exploratory plays, we use daily diffs for all the Microsoft Windows registry autorun key changes since the last boot. Known as “Autoruns“, this data source ultimately helped us discover an ongoing attack that was attempting to deliver a remote access trojan (RAT). Along with the more mundane Windows event logs, we pieced together the attack from the moment it arrived and made some interesting discoveries on the way — most notably how the malware seemingly slipped past our front line filters. Not only did we uncover many technical details about the campaign, but we also used it as an opportunity to refine our incident response detection techniques and some of our monitoring processes.

IMG File Format Analysis
.IMG files are traditionally used by disk image files to store raw dumps of either a magnetic disk or of an optical disc. Other disk image file formats include ISO and BIN. Previously, mounting disk image file files on Windows required the user to install third-party software. However Windows 8 and later automatically mount IMG files on open. Upon mounting, Windows File Explorer displays the data inside the .IMG file to the end user. Although disk image files are traditionally utilized for storing raw binary data, or bit-by-bit copies of a disk, any data could be stored inside them. Because of the newly added functionality to the Windows core operating system, attackers are abusing disk image formats to “smuggle” data past antivirus engines, network perimeter defenses, and other auto mitigation security tooling. Attackers have also used the capability to obscure malicious second stage files hidden within a filesystem by using ISO and DMG (to a lesser extent). Perhaps the IMG extension also fools victims into considering the attachment as an image instead of a binary pandora’s box.
Know Where You’re Coming From
As phishing as an attack vector continues to grow in popularity, we have recently focused on several of our email incident response plays around detecting malicious attachments, business email compromise techniques like header tampering or DNS typosquatting, and preventative controls with inline malware prevention and malicious URL rewriting.
Any security tool that has even temporarily outdated definitions of threats or IOCs will be unable to detect a very recent event or an event with a recent, and therefore unknown, indicator. To ensure that these missed detections are not overlooked, we take a retrospective look back to see if any newly observed indicators are present in any previously delivered email. So when a malicious attachment is delivered to a mailbox, if the email scanners and sandboxes do not catch it the first time, our retrospective plays look back to see if the updated indicators are triggered. Over time sandboxes update their detection abilities and previously “clean” files could change status. The goal is to detect this changing status and if we have any exposure, then we reach out and remediate the host.

This process flow shows our method for detecting and responding to updated verdicts from sandbox scanners. During this process we collect logs throughout to ensure we can match against hashes or any other indicator or metadata we collect:

Figure 1: Flow chart for Retrospective alerting
This process in combination with several other threat hunting style plays helped lead us to this particular campaign. The IMG file isn’t unique by any means but was rare and stood out to our analysts immediately when combined with the file name as a fake delivery invoice – one of the more tantalizing and effective types of phishing lures.
Incident Response and Analysis
We needed to pull apart as much of the malicious components as possible to understand how this campaign worked and how it might have slipped our defenses temporarily. The process tree below shows how the executable file dropped from the original IMG file attachment after mounting led to a Nanocore installation:

Figure 2: Visualization of the malicious process tree.

Autoruns
As part of our daily incident response playbook operations, we recently detected a suspicious Autoruns event on an endpoint. This log (Figure 2) indicated that an unsigned binary with multiple detections on the malware analysis site, VirusTotal, had established persistence using the ‘Run‘ registry key. Anytime the user logged in, the binary referenced in the “run key” would automatically execute – in this case the binary called itself “filename.exe” and dropped in the typical Windows “%SYSTEMROOT%%USERNAME%AppDataRoaming” directory:
{

„enabled“: „enabled“,

„entry“: „startupname“,

„entryLocation“: „HKCUSOFTWAREMicrosoftWindowsCurrentVersionRun“,

„file_size“: „491008“,

„hostname“: „[REDACTED]“,

„imagePath“: „c:users[REDACTED]appdataroamingfilename.exe“,

„launchString“: „C:Users[REDACTED]AppDataRoamingfilename.exe“,

„md5“: „667D890D3C84585E0DFE61FF02F5E83D“,

„peTime“: „5/13/2019 12:48 PM“,

„sha256“: „42CCA17BC868ADB03668AADA7CF54B128E44A596E910CFF8C13083269AE61FF1“,

„signer“: „“,

„vt_link“: „https://www.virustotal.com/file/42cca17bc868adb03668aada7cf54b128e44a596e910cff8c13083269ae61ff1/analysis/1561620694/“,

„vt_ratio“: „46/73“,

„sourcetype“: „autoruns“,

}

Figure 3: Snippet of the event showing an unknown file attempting to persist on the victim host
Many of the anti-virus engines on VirusTotal detected the binary as the NanoCore Remote Access Trojan (RAT), a well known malware kit sold on underground markets which enables complete control of the infected computer: recording keystrokes, enabling the webcam, stealing files, and much more. Since this malware poses a huge risk and the fact that it was able to achieve persistence without getting blocked by our endpoint security, we prioritized investigating this alert further and initiated an incident.
Once we identified this infected host using one of our exploratory Autoruns plays, the immediate concern was containing the threat to mitigate as much potential loss as possible. We download a copy of the dropper malware from the infected host and performed additional analysis. Initially we wanted to confirm if other online sandbox services agreed with the findings on VirusTotal. Other services including app.any.run also detected Nanocore based on a file called run.dat being written to the %APPDATA%Roaming{GUID} folder as shown in Figure 3:

Figure 4: app.any.run analysis showing Nanocore infection
The sandbox report also alerted us to an unusual outbound network connection from RegAsm.exe to 185.101.94.172 over port 8166.
Now that we were confident this was not a false positive, we needed to find the root cause of this infection, to determine if any other users are at risk of being victims of this campaign. To begin answering this question, we pulled the Windows Security Event Logs from the host using our asset management tool to gain a better understanding of what occurred on the host at the time of the incident. Immediately, a suspicious event that was occurring every second jumped out due to the unusual and unexpected activity of a file named “DHL_Label_Scan _ June 19 2019 at 2.21_06455210_PDF.exe” spawning the Windows Assembly Registration tool RegAsm.exe.
Process Information:

New Process ID: 0x4128

New Process Name: C:WindowsMicrosoft.NETFrameworkv2.0.50727RegAsm.exe

Token Elevation Type: %%1938

Mandatory Label: Mandatory LabelMedium Mandatory Level

Creator Process ID: 0x2ba0

Creator Process Name: DeviceCdRom0DHL_Label_Scan _ June 19 2019 at 2.21_06455210_PDF.exe

Process Command Line: „C:WINDOWSMicrosoft.NETFrameworkv2.0.50727RegAsm.exe“

Figure 5: New process spawned from a ‘CdRom0′ device (the fake .img) calling the Windows Assembly Registration tool
This event stands out for several reasons.
The filename:
Attempts to social engineer the user into thinking they are executing a PDF by appending “_PDF”
“DHL_Label_Scan” Shipping services are commonly spoofed by adversaries in emails to spread malware.

The file path:
DeviceCdRom0 is a special directory associated with a CD-ROM that has been inserted into the disk drive.
A fake DHL label is a strange thing to have on a CD-ROM and even stranger to insert it to a work machine and execute that file.

The process relationship:
Adversaries abuse the Assembly Registration tool “RegAsm.exe” for bypassing process whitelisting and anti-malware protection.
MITRE tracks this common technique as T1121 indicating, “Adversaries can use Regsvcs and Regasm to proxy execution of code through a trusted Windows utility. Both utilities may be used to bypass process whitelisting through use of attributes within the binary to specify code that should be run before registration or unregistration”
We saw this technique in the app.any.run sandbox report.

The frequency of the event:
The event was occurring every second, indicating some sort of command and control or heartbeat activity.

Mount Up and Drop Out

At this point in the investigation, we have now uncovered a previously unseen suspicious file: “DHL_Label_Scan _ June 19 2019 at 2.21_06455210_PDF.exe”, which is strangely located in the DeviceCdRom0 directory, and the original “filename.exe” used to establish persistence.
The first event in this process chain shows explorer.exe spawning the malware from the D: drive.
Process Information:

New Process ID: 0x2ba0

New Process Name: DeviceCdRom0DHL_Label_Scan _ June 19 2019 at 2.21_06455210_PDF.exe

Token Elevation Type: %%1938

Mandatory Label: Mandatory LabelMedium Mandatory Level

Creator Process ID: 0x28e8

Creator Process Name: C:Windowsexplorer.exe

Process Command Line: „D:DHL_Label_Scan _ June 19 2019 at 2.21_06455210_PDF.exe“
Figure 6: Additional processes spawned by the fake PDF

The following event is the same one that originally caught our attention, which shows the malware spawning RegAsm.exe (eventually revealed to be Nanocore) to establish communication with the command and control server:

Process Information:

New Process ID: 0x4128

New Process Name: C:WindowsMicrosoft.NETFrameworkv2.0.50727RegAsm.exe

Token Elevation Type: %%1938

Mandatory Label: Mandatory LabelMedium Mandatory Level

Creator Process ID: 0x2ba0

Creator Process Name: DeviceCdRom0DHL_Label_Scan _ June 19 2019 at 2.21_06455210_PDF.exe

Process Command Line: „C:WINDOWSMicrosoft.NETFrameworkv2.0.50727RegAsm.exe“
Figure 7: RegAsm reaching out to command and control servers

Finally, the malware spawns cmd.exe and deletes the original binary using the built-in choice command:
Process Information:

New Process ID: 0x2900

New Process Name: C:WindowsSysWOW64cmd.exe

Token Elevation Type: %%1938

Mandatory Label: Mandatory LabelMedium Mandatory Level

Creator Process ID: 0x2ba0

Creator Process Name: DeviceCdRom0DHL_Label_Scan _ June 19 2019 at 2.21_06455210_PDF.exe

Process Command Line: „C:WindowsSystem32cmd.exe“ /C choice /C Y /N /D Y /T 3 & Del „D:DHL_Label_Scan _ June 19 2019 at 2.21_06455210_PDF.exe“

Figure 8: Evidence of deleting the original dropper.

At this point in the investigation of the original dropper and the subsequent suspicious files, we still could not answer how the malware ended up on this user’s computer in the first place. However with the filename of the original dropper to pivot with, a quick web search for the filename turned up a thread on Symantec.com from a user asking for assistance with the file in question. In this post, they write that they recognize the filename from a malspam email they received. Based on the Symantec thread and other clues, such as the use of the shipping service DHL in the filename, we now know the delivery method is likely via email.

Delivery Method Techniques
We used the following Splunk query to search our Email Security Appliance logs for the beginning of the filename we found executing RegAsm.exe in the Windows Event Logs.
index=esa earliest=-30d

[search index=esa „DHL*.img“ earliest=-30d

| where isnotnull(cscoMID)

| fields + cscoMID,host

| format]

| transaction cscoMID,host

| eval wasdelivered=if(like(_raw, „%queued for delivery%“), „yes“, „no“)

| table esaTo, esaFrom, wasdelivered, esaSubject, esaAttachment, Size, cscoMID, esaICID, esaDCID, host
Figure 9: Splunk query looking for original DHL files.
As expected, the emails all came from the spoofed sender address noreply@dhl.com with some variation of the subject “Re: DHL Notification / DHL_AWB_0011179303/ ETD”. In total, CSIRT identified a total of 459 emails from this campaign sent to our users. Of those 459 emails, 396 were successfully delivered and contained 18 different Nanocore samples.
396 malicious emails making it past our well-tuned and automated email mitigation tools is no easy feat. While the lure the attacker used to social engineer their victims was common and unsophisticated, the technique they employed to evade defenses was successful – for a time.
Detecting the Techniques
During the lessons learned phase after this campaign, CSIRT developed numerous incident response detection rules to alert on newly observed techniques discovered while analyzing this incident. The first and most obvious being, detecting malicious disk image files successfully delivered to a user’s inbox. The false-positive rate for this specific type of attack is low in our environment, with a few exceptions here and there – easily tuned out based on the sender. This play could be tuned to look only for disk image files with a small file size if they are more prevalent in your environment.
Another valuable detection rule we developed after this incident is monitoring for suspicious usage (network connections) of the registry assembly executable on our endpoints, which is ultimately the process Nanocore injected itself into and was using to facilitate C2 communication. Also, it is pretty unlikely to ever see legitimate use of the choice command to create a self-destructing binary of sorts, so monitoring for execution of choice with the command-line arguments we saw in the Windows Event above should be a high fidelity alert.
Some additional, universal takeaways from this incident:
Auto-mitigation tools should not be treated as a silver bullet – Effective security monitoring, rapid incident response, and defense in depth/layers is more important.
Obvious solutions such as blocking extensions at email gateway are not always realistic in large, multifunction enterprises – .IMG files were legitimately being used by support engineers and could not be blocked.
Malware campaigns can slip right past defenders on occasion, so a wide playbook that focuses on how attackers operate and infiltrate (TTPs) is key for finding new and unknown malware campaigns in large enterprises (as opposed to relying exclusively on indicators of compromise.)

Indicators Of Compromise (IOCS)
2b6f19fac64c847258fe776a2ea6444cc469ac6a348e714fcab23cc6cb2c5b74
327c646431a644192aae8a0d0ebe75f7a2b98d7afa7a446afa97e2a004ca64b0
3718957d7f0da489935ce35b6587a6c93f25cff69d233381131b757778826da3
3873ef89a74a9c03ba363727b20429a45f29a525532d0ef9027fce2221f64f60
3a7c23a01a06c257b2f5b59647461ebf8f58209a598390c2910d20a9c5757c62
4eb2af63e121c22df7945258991168be4a70aa32669db173743701aab94383fb
5d14e5959c05589978680e46bffd586e10c1fcabc21ddd94c713520cd0037640
6a2af44e186531d07c53122d42280bc18929d059b98f0449c1a646d66a778ffb
80ab695da86e97861b294b72ba1ef2e8e2f322e7ec0d0834e71f92497515b63d
a34aa05710cf0afb111181c23468c2dcc3a2c2d6aa496c9dffe45dde11e2c4d1
abf41ea1909a39c644e5b480b176ef8a3c4a80e2ee8b447d4320e777384392cf
af5d9ca1ed166a8d378c5b5ed7e187035f374b4376bdd632c3a2ee156613fd29
afb87da69c9ad418ac29af27602a450a7eae63132443c7bc56ab17785dd3bbfd
d871704baad496b47b15da54e7766c0a468ac66337d99032908ad7d4732ecffb
da79495b8b75c9b122a1116494f68661ec45a1fdfb8fd39c000f1f691b39bc13
deb805ce329f17a48165328879b854674eb34abd704eeb575e643574f31d3e83
eaee0577806861c23bef8737e5ba2d315e9c6bfa38bf409dda9a2a13599615b4
fc0cf381e433cd578128be91dfd7567d2294a6d3ff4d2ce0e3f4046442b1f5f0
185.101.94.172:8166
The post Disk Image Deception appeared first on Cisco Blogs.

Source:: Cisco Security Notice

By Talos Group By Edmund Brumaghin, with contributions from Dalton Schaadt.
Executive Summary
Recently, the details of a critical vulnerability affecting Citrix Application Delivery Controller and Citrix Gateway servers were publicly disclosed. This vulnerability is currently being tracked using CVE-2019-19781. A public patch has not yet been released, however, Citrix has released recommendations for steps that affected organizations can take to help mitigate the risk associated with this vulnerability. Successful exploitation of CVE-2019-19781 could allow a remote attacker to execute arbitrary code on affected systems.
Read More >>
The post New Snort rules protect against recently discovered Citrix vulnerability appeared first on Cisco Blogs.

Source:: Cisco Security Notice

By Jessica Bair Register now for your free tour of the RSA Conference Security Operations Center (SOC), where engineers are monitoring all traffic on the Moscone Wireless Network for security threats. The SOC is sponsored by RSA and Cisco. Sign up for a guided tour, where we’ll show real time traffic in NetWitness Packets, plus advanced malware analysis, sandboxing and threat intelligence from Cisco Threat Grid, Threat Response and Umbrella, and protection from Cisco Next-Gen Firewall.
At the SOC, you will receive a security briefing and have time for Q&A with RSA and Cisco engineers.
Advanced registration is highly recommended. Below are the available tour times. Please fill out the RSA SOC Tour Request Form to request your spot.
SOC Tours Offered Tues-Thurs (25-27 February 2020):
10:30
11:30
1:00
2:00
3:00 (not on Thursday)
Please meet at the Cisco Threat Wall, which is located at the base of the escalator in the North Hall, where a Cisco team member will escort the group to the SOC (max. 25 persons per tour).
Also, plan to attend the official out briefing on the observations for RSAC 2020:
Malware And Misconfigurations – The 2nd Annual RSAC SOC Report
Date/Time/Location: 2/28/20, 11:10AM – 50 Minutes – Moscone West 3002
Abstract: In this session we share our experience monitoring the RSAC network for stability, security, and stats of interest. We’ll talk about what changes we’ve seen over the years, informative and comical experiences from the trenches, and what we think it means for our industry going forward. So, if you’d like to see what a network looks like when its users know security, know its challenges, should know better, and choose to ignore all of that anyway; join us for the RSAC SOC report.
You may also be interested in reading The 1st Annual RSAC SOC Report.
The post Tour the RSA Conference 2020 Security Operations Center appeared first on Cisco Blogs.

Source:: Cisco Security Notice