Archiv für die Kategorie: RSS Feeds

By Talos Group Orcus RAT and RevengeRAT are two of the most popular remote access trojans (RATs) in use across the threat landscape. Since its emergence in 2016, various adversaries used RevengeRAT to attack organizations and individuals around the world. The source code associated with RevengeRAT was previously released to the public, allowing attackers to leverage it for their own malicious purposes. There are typically numerous, unrelated attackers attempting to leverage this RAT to compromise corporate networks for the purposes of establishing an initial point of network access, the performance of lateral movement, as well as to exfiltrate sensitive information that can be monetized. Orcus RAT was in the news earlier this year due to Canadian law enforcement activity related to the individual believed to have authored the malware.
Cisco Talos recently discovered a threat actor that has been leveraging RevengeRAT and Orcus RAT in various malware distribution campaigns targeting organizations including government entities, financial services organizations, information technology service providers and consultancies. We discovered several unique tactics, techniques, and procedures (TTPs) associated with these campaigns including the use of persistence techniques most commonly associated with “fileless” malware, obfuscation techniques designed to mask C2 infrastructure, as well as evasion designed to circumvent analysis by automated analysis platforms such as malware sandboxes.
The characteristics associated with these campaigns evolved over time, showing the attacker is constantly changing their tactics in an attempt to maximize their ability to infect corporate systems and work toward the achievement of their longer-term objectives.
Read More >>

Source:: Cisco Security Notice

By Jessica Bair Cisco Security is honored to be a supporting partner for the Black Hat USA 2019 Network Operations Center (NOC) for the third year; joining conference producer Informa Tech (formerly UBM) and its other security partners: RSA Security, Palo Alto Networks, Ruckus, CenturyLink and Gigamon. Cisco provided DNS visibility and architecture intelligence with Cisco Umbrella and Cisco Investigate; and automated malware analysis and threat intelligence with Cisco Threat Grid, backed by Cisco Talos Intelligence and Cisco Threat Response.
Like other Black Hat conferences, the mission of the NOC is to build the conference network that is secure, stable and accessible for the training events, briefings, sponsors and attendees. This requires a robust connection to the Internet (CenturyLink and Gigamon), firewall protection (Palo Alto Networks), segmented wireless network (Ruckus) and network full packet capture & forensics and SIEM (RSA NetWitness); with Cisco providing cloud-based security and intelligence support. The trainers, briefers and sponsors need to be able to access and demonstrate malicious code and network activity; without infecting attendees or other networks, or experiencing an outage. It is a balancing act that the NOC team enjoys creating at each conference.

Black Hat USA 2019 activity in the NOC was exciting from the first day and it never let up through the week. NOC leaders Neil Wyler (@grifter801) and Bart Stump (@thestump3r) give an out briefing at the end of each conference, on some of the highlights of the security incidents and network metrics; and the security partners each have the ability to blog about some of their findings, with the approval of Black Hat public relations.
Use https and VPNs…
Part of the NOC mission is to protect the users from themselves and to educate the community. On the first day of operations, a PDF was sent to the Threat Grid malware analysis platform from NetWitness. In the thumbnails of the live analysis, I saw what appeared to be a Wells Fargo mortgage statement. I clicked into the Glovebox where the live file could be examined.

The RSA NetWitness and Palo Alto Networks (PAN) Firewall teams were alerted. The PAN team found the .PDF file was downloaded over port 80 to a training class room from a platform that allowed a user to setup a private Dropbox/Box type shared folder in the cloud. However, https was not enabled and all of the data transfer was in the clear. The RSA team was able to reconstruct the packets and observe the plaintext password. With the mortgage account information, the PAN team was able to find the Twitter and PhotoBucket accounts of the user on the Internet and their information security business.
With this information, the PAN team was authorized by the NOC leadership to put up a captive portal for the user, to warn them the next time they connected to the network, that they were passing personal information in the clear. The user saw the warning and clicked through it, without changing their security settings. So, the NOC leader Neil was briefed and went to the classroom to personally inform the student the extent of the personal data and passwords that were being transmitted in the clear. It became a humorous highlight of the conference out briefing.

In a related incident, a user was sending sensitive human resources files in clear text emails. Using the same investigative techniques, the RSA and PAN teams were able to identify the user by name and classroom, and the NOC leadership went to advise them to change the setting on their Outlook email account from http to https.
Lessons learned: Use https and a VPN on a public Wi-Fi network.
So many unique malware samples
There were a number of malware classes that required executables to be downloaded. They were extracted by the NetWitness Packets Malware Analysis and sent to Threat Grid for automated analysis, if the hash has never been seen before…in other words it de-duplicates the files before submission to Threat Grid.

We could see the peaks in the submissions during the training days.

For example, several Metasploit Framework toolkits were downloaded with unique hash values. Metasploit is a collection of tools, exploits and payloads to assist in offensive security exercises. It has a wide variety of payloads that provide remote access capabilities to targets once access has been gained via exploitation of commonly used software. These payloads can be exported to portable executables which can in turn be used to infect machines without requiring initial exploitation.

We also saw the activity of a command shell class, with dozens of unique hash values, illustrating how easy it is to create new files to escape 1-1 hash detection.

Between midnight and 1am on the 2nd day of training, a data exfiltration class came online and downloaded dozens of unique hash exploit kits with random alpha-numeric names.

We also saw a number of instances where Potentially Unwanted Application (PUA) Dealply (also known as Ikarus) was slipped into installers. It is a newer PUA that is in a family of adware that gets distributed through freeware programs and software bundlers. Once installed, Dealply shows advertising pop-ups in the web browser, prompts the user to install fake software updates, modifies default browser settings, and may also collect and transmit various marketing-related information about the user. Dealply was found to be included in packages such as camstudio_0127815701.exe, Setup_ImgBurn_2.5.8.0_dlm_1629102111.exe, idafree50_2113446264.exe and (Hydra) setup_1540910788.exe.

For the first time at Black Hat USA, captured webpage notifications to users who connected to the BH network and were found to be infected with malware. The notifications were done by moving affected users into a group within the PAN Firewall.

Will trade cryptomining for porn
The NOC team also is now alerting users whose devices are seen communicating with cryptomining domains and/or passing clear text passwords. If the attendee wants to cryptomining, that is fine; however, some sites do so without consent.
We saw many cryptomining domains during the conference. However, on the last day of the trainings, I noticed a unique domain that was flagged as both Pornography and Cryptomining.
Cryptomining Domains
Categories
api.bitcore[.]io
Software/Technology,Cryptomining
api.cryptokitties[.]co
Games,Cryptomining
avxhm[.]se
Adult Themes,Illegal Downloads,Cryptomining
ws2.bitcoin[.]de
Ecommerce/Shopping, Financial Institutions, Cryptomining
ws3.bitcoin[.]de
Ecommerce/Shopping, Financial Institutions, Cryptomining
cdn.monero-miner[.]net
Cryptomining
flash-mini[.]com
Search Engines,Cryptomining
gateway.gear.mycelium[.]com
Software/Technology,Cryptomining
host4u.webcounter[.]be
Adware,Web Hosting,Cryptomining
img.cryptokitties[.]co
Games,Cryptomining
javynow[.]com
Pornography,Cryptomining
minergate[.]com
Financial Institutions,Cryptomining
netfixmovie[.]com
Cryptomining
old.nicehash[.]com
Financial Institutions,Online Trading,Cryptomining
www.cryptokitties[.]co
Games,Cryptomining
www.flash-mini[.]com
Search Engines,Cryptomining
www.hostingcloud[.]racing
Cryptomining
www.nicehash[.]com
Financial Institutions,Online Trading,Cryptomining
www.webcounter[.]be
Adware,Web Hosting,Cryptomining

We took a closer look with Umbrella Investigate, to see the global requests and note that several known malicious samples communicated with the domain.

In the Threat Grid Glovebox, we have the ability to investigate URLs without becoming infected, and to observe the behavior. In this case, the website was catering to Japanese porn and we had the ability to see if the behavior of the website changed if the connecting location is the US vs Japan, and if there were differences in the behavior on operating systems, such as the Japanese version of Windows 7.

Examining the website in the Glovebox, we found no mention of the cryptomining in the description of the website, other than they are “…adding more features that will keep your love of for Japanese porn alive and well.”

The Terms of Service also had no mention of the underlying cryptomining.

However, looking at the behavior of the website, we could see the download and execution of the javascript for the mining.

The .js was able to be downloaded as a network artifact from Threat Grid, for further code examination.

Many of the NOC members respected the business model: delivering ad-free full-length HD pornographic movies in exchange for using the CPU cycles for cryptomining. However, it is not disclosed to the user that the mining is taking place. We coordinated with the PAN team for the captive cryptomining portal.

Another very active cryptomining domain was minergate[.]com.

We also safely examined the domain in the Threat Grid glovebox.

The behavior was similar to the pornography / cryptomining domain.

DNS Activity
In 2018, there were about 42.4 million DNS requests on the Black Hat USA network. This year, there were nearly 50 million requests, of which over 5,000 would have been blocked by default as Malware, Command and Control or Phishing.

Working with our partners at RSA NetWitness, we were able to graph the DNS requests into a timeline showing the peaks and valleys from the training events, lunch time and sleeping.

One incident of note, five hosts from five classrooms communicated with a new malicious domain within minutes of each other. Research into the domain reveals abnormal behavior. Coordination with the Talos team indicate this was associated with a new malware campaign.

In App Discovery, over 3,600 applications were used to request DNS. In a production environment, we would have had approval control over category and individual application.

Next stop for the Black Hat NOC team is Black Hat Europe.

Acknowledgements: Special thanks to Michael Auger, our NOC partners RSA (especially the RSA Security team led by Percy Tucker), Palo Alto Networks (especially Sandy Wenzel and Dan Ward), Ruckus (especially Heather Williams), Gigamon, CenturyLink and the entire Black Hat / Informa Tech staff (especially Marissa Parker – Queen of the NOC, Steve Fink – Chief Architect, Neil Wyler and Bart Stump).

About Black Hat
For more than 20 years, Black Hat has provided attendees with the very latest in information security research, development, and trends. These high-profile global events and trainings are driven by the needs of the security community, striving to bring together the best minds in the industry. Black Hat inspires professionals at all career levels, encouraging growth and collaboration among academia, world-class researchers, and leaders in the public and private sectors.
Black Hat Briefings and Trainings are held annually in the United States, Europe and Asia. More information is available at: blackhat.com. Black Hat is brought to you by Informa Tech.

Source:: Cisco Security Notice

By Gabrielle Bridgers Gartner’s Market Guide for Email Security 2019 reaffirms that an increasing number of organizations are migrating their email platforms to the cloud. According to Gartner, “by 2021, Gartner expects 70% of public and private companies to be using cloud email services.”1 But, that access to email from anywhere and on any device means it is essential that organizations protect themselves from increasingly prevalent threats.
To combat threats most effectively, Gartner recommends that, “Security and risk management leaders must adopt a continuous adaptive risk and trust assessment mindset to protect inboxes from exposure to increasingly sophisticated threats”. Gartner states further, “Adopt a CARTA strategic approach to email security by layering inbound, outbound, and internal detection and remediation capabilities.” The CARTA inspired email security architecture is dynamic and robust. Instead of simply protecting at the perimeter, this architecture is always evaluating and detecting, and subsequently, learning and changing.
In that vein, and because email is such a prominent attack vector, Gartner specifically states that “Security professionals have known for years that, due to its importance as an attack vector, email security requires a layered approach.” We believe Cisco’s Cloud Email Security (CES) fully represents this model of protection. The foundation of the solution is Talos, a globally recognized threat research team providing real time threat intelligence. Using that telemetry, CES responds to evolving threats and keeps cloud-based email safe and productive by stopping phishing, spoofing, business email compromises and other cyber threats. Additional subscription services provide the complementary layers that create the comprehensive protection the solution provides. We believe, exemplifying Gartner’s CARTA approach, these layers address the four key areas of protection and according to Gartner, “Email security refers collectively to the prediction, prevention, detection and response framework used to provide attack protection and access protection for email.” These subscription products include multifactor authentication using Duo, Advanced Malware Protection (AMP), Advanced Phishing Protection and Domain Protection.
We believe, the CES solution mirrors Gartner’s guidance of layering inbound, outbound, and internal detection and remediation capabilities.

To help determine which combination of cloud email security products might work best for any organization, we believe, a thorough analysis of existing email security products to understand the current solution’s capabilities completely. Gartner recommends, “Leverage incumbent email security products by verifying and optimizing their capabilities and corresponding configurations. This will serve as the start of a gap analysis to determine where supplementation or replacement may be required.” The Cisco Threat Analyzer for Office 365 quickly detects security gaps in Office 365 email inboxes to provide visibility into threats that may have gone undetected and identify security vulnerabilities.
In addition, to support this growing cloud email platform user base, Cisco Email Security now has data centers with global coverage located in North America, Europe and Asia. These locations allow for local customers to satisfy data access and sovereignty requirements in their specific regions and provide the confidence that their data will remain within region. For those install base customers using an on premise or hybrid solution, this global coverage gives them the peace of mind for migrating from on premise to cloud email.
Understanding the gaps within a current system provide the clearest direction for implementing the most effective email security protections going forward. Cisco Cloud Email Security provides a method for that analysis and a robust layered solution for a comprehensive email security defense. As businesses transition to cloud, email capabilities bring new threats and opportunities that can only be addressed by a complimentary security solution from Cisco Email Security. This layered approach of products and services shows the power of the Cisco Security portfolio.

For the full findings from Gartner, read the report here. And if you’re ready to get started with Cisco Email Security consider our free, 45-day trial.

1 “Public companies‘ unstoppable march to cloud continues with almost 25% — of any size, industry and region — having moved to a cloud email platform. Application leaders can use this research to evaluate Google G Suite and Microsoft Office 365 as cloud email solutions, and to guide deployment plans.” (See “Survey Analysis: Cloud Email Adoption Growth Continues but With Large Regional/Industry Variations.”)
Gartner, Market Guide for Email Security, 6 June 2019, Peter Firstbrook, Neil Wynne

2Cisco 2019 Email Cybersecurity Report
This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available for viewing by clicking this link.

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

Source:: Cisco Security Notice

By Talos Group Modern automobiles contain hundreds of sensors and mechanics that communicate via computers to understand their surrounding environment. Those components provide real-time information to drivers, connect the vehicle to a global network, and in some cases use that telemetry to automatically drive the vehicle. Like any computer, those in vehicles are susceptible to threats, such as vulnerabilities in software, abuse via physical-access, or even allowing remote control of the vehicle, as recently demonstrated by Wired and a DARPA-funded team of researchers.
During a recent engagement, the Connected Vehicle Security practice identified a gap in tooling for automobile security assessments. With ease-of-use, modern car computing requirements, and affordability as motivating factors, the Connected Vehicle Security practice has built and is open-sourcing a hardware tool called “4CAN” with accompanying software, for the benefit of all automobile security researchers. We hope 4CAN will give researchers and car manufacturers the ability to test their on-board computers for potential vulnerabilities, making the vehicles safer and more secure for drivers before they even leave the lot.
Check out the complete FAQ here.

Source:: Cisco Security Notice

By Talos Group
Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between Aug. 9 and Aug. 16. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.
As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.
Read More
Reference:
TRU08162019 – This is a JSON file that includes the IOCs referenced in this post, as well as all hashes associated with the cluster. The list is limited to 25 hashes in this blog post. As always, please remember that all IOCs contained in this document are indicators, and that one single IOC does not indicate maliciousness. See the Read More link above for more details.

Source:: Cisco Security Notice