Mit unserem Partner Fortinet bieten wir eine einzigartige und breit angelegte Security-Lösung an: Die Fortinet Security-Fabric, ein Netz aus miteinander kommunizierenden, spezialisierten Lösungen für die unterschiedlichen Bereiche im Unternehmen. Vom Arbeitsplatzrechner, über LAN und WLAN, Mail, Web-Applikationen u.v.m., bis zum weltweiten FortiGuard Service, bei dem hunderte Spezialisten Millionen von Sensordaten auswerten und Schadsoftware entdecken und bekämpfen.

Wie Sie von diesem Know-How profitieren können, sehen Sie in unserer Infografik.

By Todd Reid Cisco is pleased to announce a new series of Forensic Investigation Procedures for First Responders guides that will help customers and partners triage Cisco products that are suspected of being tampered with or compromised. These guides provide step-by-step instructions for collecting information that first responders can use for forensic analysis for several different platforms, including devices that run Cisco IOS and IOS XE Software, and devices that run Cisco ASA or Firepower Threat Defense (FTD) Software.
These new documents are available on the Cisco.com Security Portal under Tactical Resources.
The following is a summary of the documents released thus far, along with a brief description of each one.
Cisco ASA Forensic Investigation Procedures for First Responders
This document provides guidance for collecting forensic evidence from the Cisco ASA 5500-X series of devices when compromise or tampering is suspected. It outlines several procedures for collecting platform configuration and run time state, examining system image hashes for inconsistencies, verifying the system and running images for proper signing characteristics, checking the ROM monitor configuration for signs of remote image loading, and procedures for obtaining both a core file and the memory text segment from an ASA platform.
The document also includes a procedure for checking the integrity of the webvpn configuration for ASA deployments implementing SSL VPN.
Cisco FTD Forensic Investigation Procedures for First Responders
This document provides steps for collecting forensic information from Cisco ASA 5500-X devices running Firepower Threat Defense (FTD) Software when compromise or tampering is suspected. This document contains procedures for collecting platform configuration and run time state, examining system image hashes for inconsistencies, verifying proper signing characteristics of FTD system and running images, retrieving and verifying the memory text segment, generating and retrieving both crashinfo and core files, and examining the ROM monitor settings for remote system image loading.
Cisco IOS Software Forensic Investigation Procedures for First Responders
This document provides guidance for collecting evidence from Cisco IOS devices when compromise or tampering is suspected and includes procedures for collecting platform configuration and run time state, examining system image hashes for inconsistencies, examining the ROM monitor region for an upgraded image, and obtaining both a core dump of the running IOS image and the contents of the memory text region.
The document also includes a procedure that provides an alternate method of image analysis if a core dump cannot be performed on a platform that is performing mission-critical traffic forwarding.
Cisco IOS XE Software Forensic Investigation Procedures for First Responders
This document provides guidance for collecting evidence from Cisco IOS XE devices when compromise or tampering is suspected and includes procedures for collecting platform configuration and run time state, examining system image hashes for inconsistencies, verifying the integrity and signing characteristics of system and running images, and exporting the text memory segment to verify the run time integrity of the IOSd process.
Dan Maunz, an Incident Manager in the CX Security Programs group contributed content for this article.

Source:: Cisco Security Notice

By Talos Group
Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between Aug. 23 and Aug. 30. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.
As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.
Read More
Reference:
TRU08302019 – This is a JSON file that includes the IOCs referenced in this post, as well as all hashes associated with the cluster. The list is limited to 25 hashes in this blog post. As always, please remember that all IOCs contained in this document are indicators, and that one single IOC does not indicate maliciousness. See the Read More link above for more details.

Source:: Cisco Security Notice

By Marc Blackmer We are very pleased to share the news that our Advanced Malware Protection (AMP) for Endpoints won the Approved Business Security Award from AV-Comparatives. And we’re happy about this for a couple of reasons. (Click this link to read the full report.)
Most vendors‘ marketing materials look great, your organization exists in the real world. So, having an independent third-party conduct months of testing against our technology, and us coming out a winner, helps to show the world what our customers already know: that the strength, flexibility, and ease of use of our endpoint security establishes our leadership. We have over a decade of experience in endpoint protection through Immunet (creators of AMP) and Sourcefire (creators of ClamAV).
AV-Comparatives‘ Business Main-Test Series ran from March to June and consisted of two, in-depth tests:
The Malware Protection Test
This test ran in March and consisted of having 1,311 malware samples thrown at us during that time. A passing score required a 90% or higher detection rate and this time zero false positives. We did very well scoring a 99.8% with zero false positives.
The Real-World Protection Test
The idea here was to mimic what happens in, well, the real world. This test ran from March to June and was based upon 732 test cases. The focus here was on user behaviors such as clicking malicious links, opening malicious email attachments, etc.
An efficacy score of 90% or higher and a false positive count of 100 or less were the criteria to pass this test. And, we came in with 98.9% and ranked in the lowest false positive group.
In short, AMP for Endpoints achieved test results that demonstrated a balance of strong protection rates with very low false positives. AV-Comparatives also highlighted Cisco’s broad endpoint platform support and relative ease of deployment.
Beyond antivirus
Secondly, we view this report as further evidence that the security world has moved past the legacy world of antivirus. I’m not saying antivirus doesn’t have a role to play in endpoint security. Our own ClamAV is one of the several mechanisms that AMP for Endpoints uses. What I am saying is that the ‘antivirus as a sole means of endpoint protection‘ ship has sailed – and sailed a long time ago.
The biggest problem with antivirus is that it’s not operationally efficient. That means a lower return on your investment and weaker protection of your business. Back in my IT days in the late 90s and early 2000s, antivirus was a big deal, but it was tough enough to administer when I was at a small, two-office operation let alone when I moved up a 50,000-user, global enterprise. And when the Love Letter worm hit us in 2003, that was a couple days and nights of manual remediation for our entire department, worldwide, because antivirus couldn’t remediate the problem or identify infected hosts.
Now fast forward to today’s world of fileless malware and multi-vector attacks that combine email, web, endpoints, etc. What’s antivirus going to do about those? The answer is pretty obvious.
What was surprising for me to learn recently was that the majority of organizations out there still rely on antivirus for their endpoint protection. I attribute this to deployment fatigue. Rolling out software is hard. I know. I’ve deployed my share of enterprise software. The good news about AMP for Endpoints is that we can be up and running quickly, as noted on page 28 of the AV-Comparatives report:
“Getting started with Cisco Advanced Malware Protection for Endpoints is very straightforward. The console requires no setup, and deploying the client software is quick and easy.”
The Big Picture
We believe it’s important to put our technology to the test and we feel the results speak to how our solution helps our customers protect their organizations. (I’ve included links to other real-world tests below.) We also believe that strong endpoint protection comes from being a part of an integrated security portfolio. One that dynamically shares the latest threat intelligence is the most effective way to defend against modern attacks. And we’ve designed our integrated security portfolio to do exactly that. But that’s another story for another day.
What’s next?
AV-Comparatives‘ testing is continuing through the end of the year and we are looking forward to their year-end report. Tune in here for those results.
Can’t wait for the report? Experience threat hunting with AMP for Endpoints for yourself at one of our Threat Hunting Workshops, or if you can’t wait for the event, sign up for a free trial of AMP for Endpoints at https://cisco.com/go/ampendpoints and see for yourself.
Additional reading
NSS: Achieved “Recommended” ratingMiercom: Achieved “Miercom Performance Verified” certification

Source:: Cisco Security Notice

By Harvey Jang Cisco is now certified under the new Asia-Pacific Economic Cooperation (APEC) Privacy Recognition for Processors (PRP) System. Cisco has been an active supporter of the APEC Cross Border Privacy Rules system (CBPRs) and an advocate for safe and secure global data flows. We are an early adopter and the eighth company to be PRP certified.
The APEC Cross Border Privacy Rules (CBPR) and PRP systems are voluntary, enforceable (and independently verified) privacy certifications built upon the 9 Principles of the APEC Privacy Framework endorsed by the 21 APEC Member Economies (see www.cbprs.org). The CBPRs focus on controls and accountability for data controllers, while the PRP is targeted for data processors. PRP certification demonstrates a data processor’s ability to honor the obligations passed down from data controllers when handling data on another’s behalf. Cisco has chosen to certify under both CBPRs and PRP as part of our overall efforts to demonstrate compliance and accountability to globally recognized privacy standards. We are among just a handful of companies to have obtained APEC CBPRs, APEC PRP, EU/Swiss-US Privacy Shield, and EU Binding Corporate Rules certifications.
We’re seeing a clear trend towards people (data subjects) taking their privacy more seriously and companies (data controllers and processors) being called upon to honor privacy as a fundamental human right. PRP fits within the broader picture of emerging data privacy and security standards and is consistent with the current trend of stakeholders seeking external, independent program validation. PRP and all our privacy certifications underscore Cisco’s ongoing commitment to demonstrable transparency, fairness, and accountability when it comes to handling the personal data of our employees, customers, and all others.

More Information
Cisco Trust Center
Cisco TrustArc certification
Blog: Cisco Adoption of CBPR

Source:: Cisco Security Notice

By Cisco PSIRT This blog post was authored by Eugenio Iavarone, Cisco PSIRT.
On August 28th, 2019, Cisco published a Security Advisory titled “Cisco REST API Container for Cisco IOS XE Software Authentication Bypass Vulnerability”, disclosing an internally found vulnerability which affects the Cisco REST API container for Cisco IOS XE. An exploit could be used to bypass authentication on Cisco routers configured with the REST API support for Cisco IOS XE Software. This vulnerability was found by Cisco during internal testing.
The purpose of this post is to provide additional technical detail about the vulnerability, the specific Cisco hardware platforms that support the feature, and how the affected feature is enabled (as it is not enabled by default).
While the vulnerable code resides within the Cisco REST API container, the effects of the vulnerability, if exploited, will be experienced on the Cisco device as a whole. This is because exploiting this vulnerability could allow an attacker to submit commands through the REST API that will be executed on the affected device.
This is a good example of a “Scope Change” defined within the Common Vulnerability Scoring System (CVSS) standard.
Details
The REST API container is an application that provides a set of RESTful APIs as an alternative method to manage devices running Cisco IOS-XE Software. It is located in a virtual services container, which is a virtualized environment running on the host device. It is also referred to as a virtual machine (VM), virtual service, or container. The REST API virtual service is not a native capability within Cisco IOS XE, but it is instead delivered as an open virtual application (OVA) package file.
Only the following Cisco platforms supports the affected Cisco REST API container and are therefore potentially impacted by this vulnerability:
Cisco 4000 Series Integrated Services Routers
Cisco ASR 1000 Series Aggregation Services Routers
Cisco Cloud Services Router 1000V Series
Cisco Integrated Services Virtual Router
The Cisco REST API OVA package was bundled with the Cisco IOS XE software on releases prior to 16.7.1. Starting with Cisco IOS XE release 16.7.1, the OVA package is not bundled with the Cisco IOS XE image, instead it needs to be downloaded from Cisco’s Software Center and transferred to the Cisco device on which it is to be enabled.
Regardless if bundled with Cisco IOS XE or not, the REST API service is never enabled by default on any Cisco IOS XE release on any of the affected platforms. Customers interested in using the REST API capabilities have to first enable such capabilities on each device by completing the following steps:
1) Login to the device by using an administrator-level account (with privilege level 15)
2) Install the REST-API container by using the Cisco Virtual Manager (VMAN) CLI
3) Enter the remote-management configuration mode and configure a local TCP port that will be bind to the management interface of the REST API service
4) Configure a management interface that will be used to process HTTP requests submitted to the REST API service
5) Enable the REST-API virtual service container
To further clarify, even if the OVA package is present on the device (either because it was shipped with the Cisco IOS XE release running on the device, or was later transferred to the device local storage), the REST API is not enabled and will not accept requests until all of above steps have been completed.
Cisco has addressed this vulnerability on a new version of the REST API package (named iosxe-remote-mgmt.16.09.03.ova) which is available for download from the Software Center. All future REST API packages will include this fix.
Cisco has also implemented additional safeguards in all future Cisco IOS XE releases that will prevent installation of a vulnerable OVA package, and which also prevent activation of an existing, already configured and vulnerable OVA package on a device.
In order for a device to be considered vulnerable, all of the following conditions must be met:
A REST API OVA package with a version below 16.9.3 must be present on the device local storage
The REST API virtual service is installed
The REST API virtual service is configured
The REST API virtual service is enabled
A device meeting some of the previous conditions, but not all of them, is considered not vulnerable.
Additional information can be found on the associated Cisco Security Advisory available at:https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190828-iosxe-rest-auth-bypass
Conclusion
While this is a serious vulnerability that should be carefully assessed by customers to determine exposure and impact on their environment, the scope of affected Cisco customer base is contained by the limited number of Cisco hardware platforms supporting the feature and the fact the affected feature is not enabled by default.
Customers fulfilling all of the conditions above listed are recommended to review the advisory and take appropriate actions. Although, this vulnerability was found by Cisco during internal testing; our commitment to customers is to be open and transparent, especially as it relates to issues that could negatively impact their business. At Cisco, we always strive to clearly communicate with customers about technical or other issues that could potentially expose their organizations to risk.

Source:: Cisco Security Notice

By Talos Group Orcus RAT and RevengeRAT are two of the most popular remote access trojans (RATs) in use across the threat landscape. Since its emergence in 2016, various adversaries used RevengeRAT to attack organizations and individuals around the world. The source code associated with RevengeRAT was previously released to the public, allowing attackers to leverage it for their own malicious purposes. There are typically numerous, unrelated attackers attempting to leverage this RAT to compromise corporate networks for the purposes of establishing an initial point of network access, the performance of lateral movement, as well as to exfiltrate sensitive information that can be monetized. Orcus RAT was in the news earlier this year due to Canadian law enforcement activity related to the individual believed to have authored the malware.
Cisco Talos recently discovered a threat actor that has been leveraging RevengeRAT and Orcus RAT in various malware distribution campaigns targeting organizations including government entities, financial services organizations, information technology service providers and consultancies. We discovered several unique tactics, techniques, and procedures (TTPs) associated with these campaigns including the use of persistence techniques most commonly associated with “fileless” malware, obfuscation techniques designed to mask C2 infrastructure, as well as evasion designed to circumvent analysis by automated analysis platforms such as malware sandboxes.
The characteristics associated with these campaigns evolved over time, showing the attacker is constantly changing their tactics in an attempt to maximize their ability to infect corporate systems and work toward the achievement of their longer-term objectives.
Read More >>

Source:: Cisco Security Notice

Source:: Innovaphone

By Jessica Bair Cisco Security is honored to be a supporting partner for the Black Hat USA 2019 Network Operations Center (NOC) for the third year; joining conference producer Informa Tech (formerly UBM) and its other security partners: RSA Security, Palo Alto Networks, Ruckus, CenturyLink and Gigamon. Cisco provided DNS visibility and architecture intelligence with Cisco Umbrella and Cisco Investigate; and automated malware analysis and threat intelligence with Cisco Threat Grid, backed by Cisco Talos Intelligence and Cisco Threat Response.
Like other Black Hat conferences, the mission of the NOC is to build the conference network that is secure, stable and accessible for the training events, briefings, sponsors and attendees. This requires a robust connection to the Internet (CenturyLink and Gigamon), firewall protection (Palo Alto Networks), segmented wireless network (Ruckus) and network full packet capture & forensics and SIEM (RSA NetWitness); with Cisco providing cloud-based security and intelligence support. The trainers, briefers and sponsors need to be able to access and demonstrate malicious code and network activity; without infecting attendees or other networks, or experiencing an outage. It is a balancing act that the NOC team enjoys creating at each conference.

Black Hat USA 2019 activity in the NOC was exciting from the first day and it never let up through the week. NOC leaders Neil Wyler (@grifter801) and Bart Stump (@thestump3r) give an out briefing at the end of each conference, on some of the highlights of the security incidents and network metrics; and the security partners each have the ability to blog about some of their findings, with the approval of Black Hat public relations.
Use https and VPNs…
Part of the NOC mission is to protect the users from themselves and to educate the community. On the first day of operations, a PDF was sent to the Threat Grid malware analysis platform from NetWitness. In the thumbnails of the live analysis, I saw what appeared to be a Wells Fargo mortgage statement. I clicked into the Glovebox where the live file could be examined.

The RSA NetWitness and Palo Alto Networks (PAN) Firewall teams were alerted. The PAN team found the .PDF file was downloaded over port 80 to a training class room from a platform that allowed a user to setup a private Dropbox/Box type shared folder in the cloud. However, https was not enabled and all of the data transfer was in the clear. The RSA team was able to reconstruct the packets and observe the plaintext password. With the mortgage account information, the PAN team was able to find the Twitter and PhotoBucket accounts of the user on the Internet and their information security business.
With this information, the PAN team was authorized by the NOC leadership to put up a captive portal for the user, to warn them the next time they connected to the network, that they were passing personal information in the clear. The user saw the warning and clicked through it, without changing their security settings. So, the NOC leader Neil was briefed and went to the classroom to personally inform the student the extent of the personal data and passwords that were being transmitted in the clear. It became a humorous highlight of the conference out briefing.

In a related incident, a user was sending sensitive human resources files in clear text emails. Using the same investigative techniques, the RSA and PAN teams were able to identify the user by name and classroom, and the NOC leadership went to advise them to change the setting on their Outlook email account from http to https.
Lessons learned: Use https and a VPN on a public Wi-Fi network.
So many unique malware samples
There were a number of malware classes that required executables to be downloaded. They were extracted by the NetWitness Packets Malware Analysis and sent to Threat Grid for automated analysis, if the hash has never been seen before…in other words it de-duplicates the files before submission to Threat Grid.

We could see the peaks in the submissions during the training days.

For example, several Metasploit Framework toolkits were downloaded with unique hash values. Metasploit is a collection of tools, exploits and payloads to assist in offensive security exercises. It has a wide variety of payloads that provide remote access capabilities to targets once access has been gained via exploitation of commonly used software. These payloads can be exported to portable executables which can in turn be used to infect machines without requiring initial exploitation.

We also saw the activity of a command shell class, with dozens of unique hash values, illustrating how easy it is to create new files to escape 1-1 hash detection.

Between midnight and 1am on the 2nd day of training, a data exfiltration class came online and downloaded dozens of unique hash exploit kits with random alpha-numeric names.

We also saw a number of instances where Potentially Unwanted Application (PUA) Dealply (also known as Ikarus) was slipped into installers. It is a newer PUA that is in a family of adware that gets distributed through freeware programs and software bundlers. Once installed, Dealply shows advertising pop-ups in the web browser, prompts the user to install fake software updates, modifies default browser settings, and may also collect and transmit various marketing-related information about the user. Dealply was found to be included in packages such as camstudio_0127815701.exe, Setup_ImgBurn_2.5.8.0_dlm_1629102111.exe, idafree50_2113446264.exe and (Hydra) setup_1540910788.exe.

For the first time at Black Hat USA, captured webpage notifications to users who connected to the BH network and were found to be infected with malware. The notifications were done by moving affected users into a group within the PAN Firewall.

Will trade cryptomining for porn
The NOC team also is now alerting users whose devices are seen communicating with cryptomining domains and/or passing clear text passwords. If the attendee wants to cryptomining, that is fine; however, some sites do so without consent.
We saw many cryptomining domains during the conference. However, on the last day of the trainings, I noticed a unique domain that was flagged as both Pornography and Cryptomining.
Cryptomining Domains
Categories
api.bitcore[.]io
Software/Technology,Cryptomining
api.cryptokitties[.]co
Games,Cryptomining
avxhm[.]se
Adult Themes,Illegal Downloads,Cryptomining
ws2.bitcoin[.]de
Ecommerce/Shopping, Financial Institutions, Cryptomining
ws3.bitcoin[.]de
Ecommerce/Shopping, Financial Institutions, Cryptomining
cdn.monero-miner[.]net
Cryptomining
flash-mini[.]com
Search Engines,Cryptomining
gateway.gear.mycelium[.]com
Software/Technology,Cryptomining
host4u.webcounter[.]be
Adware,Web Hosting,Cryptomining
img.cryptokitties[.]co
Games,Cryptomining
javynow[.]com
Pornography,Cryptomining
minergate[.]com
Financial Institutions,Cryptomining
netfixmovie[.]com
Cryptomining
old.nicehash[.]com
Financial Institutions,Online Trading,Cryptomining
www.cryptokitties[.]co
Games,Cryptomining
www.flash-mini[.]com
Search Engines,Cryptomining
www.hostingcloud[.]racing
Cryptomining
www.nicehash[.]com
Financial Institutions,Online Trading,Cryptomining
www.webcounter[.]be
Adware,Web Hosting,Cryptomining

We took a closer look with Umbrella Investigate, to see the global requests and note that several known malicious samples communicated with the domain.

In the Threat Grid Glovebox, we have the ability to investigate URLs without becoming infected, and to observe the behavior. In this case, the website was catering to Japanese porn and we had the ability to see if the behavior of the website changed if the connecting location is the US vs Japan, and if there were differences in the behavior on operating systems, such as the Japanese version of Windows 7.

Examining the website in the Glovebox, we found no mention of the cryptomining in the description of the website, other than they are “…adding more features that will keep your love of for Japanese porn alive and well.”

The Terms of Service also had no mention of the underlying cryptomining.

However, looking at the behavior of the website, we could see the download and execution of the javascript for the mining.

The .js was able to be downloaded as a network artifact from Threat Grid, for further code examination.

Many of the NOC members respected the business model: delivering ad-free full-length HD pornographic movies in exchange for using the CPU cycles for cryptomining. However, it is not disclosed to the user that the mining is taking place. We coordinated with the PAN team for the captive cryptomining portal.

Another very active cryptomining domain was minergate[.]com.

We also safely examined the domain in the Threat Grid glovebox.

The behavior was similar to the pornography / cryptomining domain.

DNS Activity
In 2018, there were about 42.4 million DNS requests on the Black Hat USA network. This year, there were nearly 50 million requests, of which over 5,000 would have been blocked by default as Malware, Command and Control or Phishing.

Working with our partners at RSA NetWitness, we were able to graph the DNS requests into a timeline showing the peaks and valleys from the training events, lunch time and sleeping.

One incident of note, five hosts from five classrooms communicated with a new malicious domain within minutes of each other. Research into the domain reveals abnormal behavior. Coordination with the Talos team indicate this was associated with a new malware campaign.

In App Discovery, over 3,600 applications were used to request DNS. In a production environment, we would have had approval control over category and individual application.

Next stop for the Black Hat NOC team is Black Hat Europe.

Acknowledgements: Special thanks to Michael Auger, our NOC partners RSA (especially the RSA Security team led by Percy Tucker), Palo Alto Networks (especially Sandy Wenzel and Dan Ward), Ruckus (especially Heather Williams), Gigamon, CenturyLink and the entire Black Hat / Informa Tech staff (especially Marissa Parker – Queen of the NOC, Steve Fink – Chief Architect, Neil Wyler and Bart Stump).

About Black Hat
For more than 20 years, Black Hat has provided attendees with the very latest in information security research, development, and trends. These high-profile global events and trainings are driven by the needs of the security community, striving to bring together the best minds in the industry. Black Hat inspires professionals at all career levels, encouraging growth and collaboration among academia, world-class researchers, and leaders in the public and private sectors.
Black Hat Briefings and Trainings are held annually in the United States, Europe and Asia. More information is available at: blackhat.com. Black Hat is brought to you by Informa Tech.

Source:: Cisco Security Notice

By Talos Group By Paul Rascagneres and Vanja Svajcer.

Threats will commonly fade away over time as they’re discovered, reported on, and detected. But China Chopper has found a way to stay relevant, active and effective nine years after its initial discovery. China Chopper is a web shell that allows attackers to retain access to an infected system using a client side application which contains all the logic required to control the target. Several threat groups have used China Chopper, and over the past two years, we’ve seen several different campaigns utilizing this web shell and we chose to document three most active campaigns in this blog post.
We decided to take a closer look at China Chopper after security firm Cybereason reported on a massive attack against telecommunications providers called “Operation Soft Cell”, which reportedly utilized China Chopper. Cisco Talos discovered significant China Chopper activity over a two-year period beginning in June 2017, which shows that even nine years after its creation, attackers are using China Chopper without significant modifications.
This web shell is widely available, so almost any threat actor can use. This also means it’s nearly impossible to attribute attacks to a particular group using only presence of China Chopper as an indicator.
The usage of China Chopper in recent campaigns proves that a lot of old threats never really die, and defenders on the internet need to be looking out for malware both young and old.
Read More >>

Source:: Cisco Security Notice