By Edmund Brumaghin and other Cisco Talos researchers.

Executive summary

Cisco Talos recently identified a large number of ongoing malware distribution campaigns linked to a threat actor we’re calling “SWEED,” involving such notable malware as Formbook, Lokibot and Agent Tesla. Based on our research, SWEED — which has been operating since at least 2017 — primarily targets its victims with stealers and remote access trojans.

SWEED remains consistent across most of its campaigns in its use of spear-phishing emails with malicious attachments. While these campaigns have featured a myriad of different types of malicious documents, the actor primarily tries to infect its victims with a packed version of Agent Tesla — an information stealer that’s been around since at least 2014. The version of Agent Tesla that SWEED is using differs slightly from what we’ve seen in the past in the way that it is packed, as well as how it infects the system. In this post, we’ll run down each campaign we’re able to connect to SWEED, and talk about some of the actor’s tactics, techniques and procedures (TTPs).


Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between July 5 and July 12. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Read More at Talosintelligence.com

Reference
TRU071219 – This is a JSON file that includes the IOCs referenced in this post, as well as all hashes associated with the cluster. The list is limited to 25 hashes in this blog post. As always, please remember that all IOCs contained in this document are indicators, and that one single IOC does not indicate maliciousness. See the Read More link above for more details.


One of the best tools in your SOC’s arsenal is something you might already have access to and didn’t even have to pay for. If you already deploy Cisco Umbrella, AMP for Endpoints, Firepower devices, next-generation intrusion prevention system (NGIPS), Email Security, or Threat Grid, then you can immediately access Cisco Threat Response for FREE. As in no charge. Zero extra dollars. No strings attached.

With Cisco Threat Response, customers receive a powerful solution that can streamline and simplify detection, investigation, and remediation of threats. In addition, Threat Response offers a very easy, powerful tool in the new browser plugin (for Chrome and Firefox). By adding the plugin, security professionals now have instant access to threat intelligence and response capabilities directly from their browser. To prove the simplicity of this, let’s use a straightforward example.

For information on configuring the plugin, watch the tutorial here.

For the threat, we will use the Karkoff malware, used in the DNSpionage campaign. For background on the malware, let’s see what Talos has to say about it.

Talos has published a full write-up on Karkoff, and toward the bottom of that post it lists the Indicators of Compromise.

Traditionally, you would have to copy and paste each file hash, IP address and domain from the blog by hand, edit each one to remove the defanging “safety brackets”, and then search for it in turn in each of your telemetry sources: a laborious, manual activity. Cisco Threat Response simplifies this entire process by bringing all of these capabilities to one central source. So, let’s open the Cisco Threat Response browser plugin.

Immediately, Cisco Threat Response identifies 16 observables from this threat intelligence blog: one clean, nine malicious and six unknown.

By selecting the malicious and unknown observables, we can tailor our investigation. We can set aside snort.org, the one observable rated clean; Snorty is never up to anything bad.
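The manual step described above (pulling defanged indicators out of a write-up, restoring them to their real form and sorting them by type) is easy to script if you do not have a plugin that does it for you. The following is an added example, not code from the Cisco blog or from Threat Response: a small Python extractor that refangs common defanging styles (`[.]`, `hxxp`, `[:]`, `[@]`), classifies observables as URL, domain, IPv4 or MD5/SHA-1/SHA-256 hash, de-duplicates them and drops domains on an allowlist. The sample text, the `203.0.113.10` address, the hash and the allowlist are constructed for the example; `kuternull.com` and `snort.org` are the two observables the post itself mentions.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Defanging conventions seen in threat-intel write-ups and the plain form to restore.
_REFANG_RULES = (
    (re.compile(r"\[\.\]|\(\.\)|\{\.\}|\[dot\]", re.IGNORECASE), "."),
    (re.compile(r"\[:\]"), ":"),
    (re.compile(r"\[@\]"), "@"),
    (re.compile(r"\bhxxp", re.IGNORECASE), "http"),
)

_OBSERVABLE_PATTERNS = {
    "url": re.compile(r"\bhttps?://[^\s<>\"')\]]+", re.IGNORECASE),
    "sha256": re.compile(r"\b[0-9a-f]{64}\b", re.IGNORECASE),
    "sha1": re.compile(r"\b[0-9a-f]{40}\b", re.IGNORECASE),
    "md5": re.compile(r"\b[0-9a-f]{32}\b", re.IGNORECASE),
    "ipv4": re.compile(
        r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"),
    "domain": re.compile(
        r"\b(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,24}\b", re.IGNORECASE),
}

# Example allowlist (assumption for this demo): sites that appear in write-ups but
# are not indicators. Populate it from your own environment.
KNOWN_BENIGN_DOMAINS = {"snort.org"}


def refang(text: str) -> str:
    """Undo the 'safety brackets' so indicators can be searched in telemetry."""
    for pattern, replacement in _REFANG_RULES:
        text = pattern.sub(replacement, text)
    return text


def extract_observables(raw_text: str, allowlist=KNOWN_BENIGN_DOMAINS) -> dict:
    """Return {kind: sorted unique observables} found in a (possibly defanged) text."""
    text = refang(raw_text)
    found = defaultdict(set)

    # URLs first, so their hostnames are recorded as domains and their paths
    # (e.g. 'payload.bin') are not mistaken for domains afterwards.
    for url in _OBSERVABLE_PATTERNS["url"].findall(text):
        found["url"].add(url)
        host = urlparse(url).hostname
        if host:
            found["domain"].add(host.lower())
    scrubbed = _OBSERVABLE_PATTERNS["url"].sub(" ", text)

    # Hashes are tried longest first; \b keeps a SHA-256 from also matching as MD5/SHA-1.
    for kind in ("sha256", "sha1", "md5", "ipv4", "domain"):
        for match in _OBSERVABLE_PATTERNS[kind].findall(scrubbed):
            found[kind].add(match.lower())

    found["domain"] -= {d for d in found["domain"]
                        if d in allowlist or any(d.endswith("." + a) for a in allowlist)}
    return {kind: sorted(values) for kind, values in found.items() if values}


# Constructed sample text; this is NOT the Karkoff IOC list from the Talos post.
SAMPLE_BLOG_TEXT = """
C2 domain: kuternull[.]com
Staging URL: hxxp://kuternull[.]com/update/payload.bin
Beacon address: 203[.]0[.]113[.]10
Dropper SHA256: 6f1ed002ab5595859014ebf0951522d9a7d6a9b6e5a1f4d8c3b2e1f0a9d8c7b6
Further reading: snort[.]org
"""

if __name__ == "__main__":
    for kind, values in extract_observables(SAMPLE_BLOG_TEXT).items():
        print(f"{kind:7s} {len(values)}  {', '.join(values)}")
```

The regexes are deliberately permissive, so treat the output as candidates to look up (in Threat Grid, Umbrella, your SIEM) rather than as verdicts; a domain-shaped string in prose is not evidence of anything on its own, which is the same caveat the roundup posts above make about IOCs.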

As an example of how quickly we can take response actions, even before pivoting into Threat Response to do a more complete investigation, let’s look at kuternull.com. It is listed as “unknown.” By clicking the dropdown menu next to it, and pivoting out to other trusted intelligence sources like the Talos database or Threat Grid, we could quickly gather more information to determine a course of action.

For the purposes of simply showing the ease of the plugin, let’s assume we investigated this domain and there is no legitimate business need for our organization to be contacting it. In order to prevent potential malware activity, we will proactively block it now as a first level stopgap while we continue our investigation. Threat Response directly integrates with Umbrella, so we can immediately block the domain across our entire network with one click within the plugin.

Within a few seconds, Threat Response will flash a green banner confirming the blocking of the domain with Umbrella.

Now, after blocking a few domains quickly, our network is certainly better protected from Karkoff, but there is more investigation to be done. A quick click of the “Investigate” button will launch Cisco Threat Response’s cloud-based dashboard.

Cisco Threat Response will automatically load the list of the observables and provide insights with relation graphs, file hashes, and others.

Previously, Security Operations Centers (SOCs) would hear about trending threats and wonder, “Is my network affected by this threat?” Answering that question required a series of manual processes: investigating observables hundreds of times across the network, and then writing sufficient policy to defend against these threats. To make life even more difficult, these solutions were often from different vendors and required manual processes to implement across different parts of the network.

With Cisco Threat Response, within minutes, your SOC can:

  1. Identify a trending threat from your SIEM, Talos, other threat intel sources, or virtually any third party product that has a web based interface
  2. Identify a list of observables with one click
  3. Quickly block domains across the network
  4. Launch Cisco Threat Response for further investigation

It is important to note that Cisco Threat Response is a FREE add-on to existing Cisco Security solutions. In the example above, the user has Threat Response integrated with their AMP for Endpoints, Cisco Threat Grid, and Umbrella solutions. In addition, every user of Threat Response automatically gets access to the Talos Intelligence and AMP File Reputation databases for use in Threat Response. While Cisco Threat Response provides significant value when integrated with only one product, it becomes even more useful with each additional Cisco Security solution integration. It offers central management for detection, investigation, and remediation, and the browser plugins bring all those capabilities into any type of web content, whether that is a blog entry like the one in this example, any other intelligence source, or the browser-based management console of any Cisco or third-party security or networking product.

For more information on Cisco Threat Response, visit our webpage or create an account in the U.S. or EMEAR to get started right away. You can also download plugins for Chrome and Firefox to make investigations easier today.

BONUS: Make sure to catch our upcoming #CiscoChat LIVE, featuring Cisco Threat Response, on Tuesday, July 16 at 10am PT/1pm ET.

To participate in this #CiscoChat LIVE:

  • Head over to Cisco.com, YouTube, Facebook, or Twitter to watch the #CiscoChat as it happens. Moderator Jolene Tam will start the broadcast at 10am PT/1pm ET.
  • Post your questions in the comments section on whichever channel you’re watching on. Or, if you’re watching on Cisco.com, tweet out the questions you want answered live, making sure to include the #CiscoChat hashtag. We will be answering questions live, so feel free to post away during the chat.

When it comes to ransomware attacks this year, it’s been a tale of three cities.

In May, the city of Baltimore suffered a massive ransomware attack that took many of its systems down for weeks — restricting employees’ access to email, closing online payment portals and even preventing parking enforcement officials from writing parking tickets. After the attack, the city’s mayor said several times the city would not be paying the extortion request, but it’s still expected to cost the city more than $10 million to recover.

But two cities — albeit smaller ones — in Florida chose to take a different route. Last month, the governments in Lake City and Riviera Beach chose to pay their attackers for the decryption keys after ransomware attacks, though they still face some work in decrypting the affected data.

The cities paid the hackers a combined $1 million in Bitcoin — and researchers say these kinds of attacks aren’t going to slow down. So when the next city or state government gets hit, should they pay up, or start the long process of manually recovering their data? We asked experts from Cisco Talos and Cisco Security to weigh in. Check out their answers over on the Cisco blog here.


I have seen the future of the firewall and it is not a firewall!

Firewalls have been with us since the late 1980s and they have become synonymous with access control. It is time to redefine that relationship: access control will remain a need from now into the distant future, but the way to deliver it must change given the evolution of networking and new methods of computing. We need to focus on how to deliver a consistent outcome regardless of which enforcement mechanism is appropriate for each environment.

All around us, consumers want to get as close to “paying for the outcome” versus paying for everything that is required to lead to that outcome. Some of you might remember the days when you wanted to run computer services for your company and it began with you having to rent real estate, HVAC, all the things that led up to finally operating computers and the applications offering those services. A very strong analogy here is ride sharing (like Uber or Lyft) whereby the consumer would like the outcome of “transportation” without the need for a car, insurance payments, covered parking, or the skill to drive. Hold on to this thought because the analogy carries through my entire explanation.

When you look at a ride sharing service, not only is the person paying for the direct outcome but depending on your location, different options are presented. For example, if I’m in a city center, I might be presented with not only different classes of automobiles, but I might also be offered electric scooters, bicycles, or maybe even pedicabs for shorter distances. Again, the outcome is getting from point A to point B, but depending on the environment, some transports might be more appropriate. When you look at the outcome of access control, how that is implemented in the traditional data center is drastically different in public cloud; it is different for mobile computing versus orchestrated containerized workloads. My point being, the policy of who should be able to communicate with whom and what applications can be used requires a similar decision as ride sharing and should be abstracted away from the local device that carries out that task. And this my friends, is why the future of firewalls is not a firewall, but Cisco Defense Orchestrator!

Just like with Cisco’s larger intent-based networking, Cisco Defense Orchestrator (CDO) allows you to state your intention via a policy that spans your hybrid multi-cloud environment. You assert your access policies and Cisco Defense Orchestrator will handle the rest.

This pattern of being able to articulate your intent and having machines reconcile with the dynamic changes in the world is happening across the entire information technology field. We see this happening in container-based computing with the increasing popularity of Kubernetes. As demand ebbs and flows, Kubernetes handles the orchestration to ensure the service levels you intend to deliver are reconciled with the scaling of the services architecture. This same pattern is seen with intent-based networking in that a business can state a policy of connectivity and the Cisco DNA architecture carries this out ensuring that latency, bandwidth, and quality of service are all being met. In all cases, this pattern has made it simpler for the humans to focus on the outcome as machines take on the more complicated and adaptive computing tasks.

Cisco Defense Orchestrator follows the same design pattern whereby an access policy is asserted and depending on the network topology and computing environment, enforcement-point specific configurations are implemented. Where once there was a tight coupling between the firewall being synonymous with the access policy, Cisco Defense Orchestrator separates the access policy from the configuration details of enforcement-points. You can model and explicitly state the access policy of the business such that it can then be applied to the legacy firewalls, next-generation firewalls, host-based firewalls, software defined networking, or any other form of enforcement-point that may come up in the future! Inherently this decoupling also makes policy more testable, more scalable, and simpler to manage.

Cisco Defense Orchestrator has taken the firewall, a word that we would typically view as a noun or a thing and made it an action verb or an outcome. When I realized this, my mind was blown! Just like ride sharing, abstracting away the outcome of transportation from the forms of transportation was not only genius, but also a highly durable and forward-thinking methodology. Access control and the policies that embody what the business requires have been abstracted away from the device forms that will best carry out that access control! You no longer have to worry about topology, legacy firewalls, next-gen firewalls, application firewalls, software defined networking, public cloud workloads, or the many things that we don’t even know today that will appear tomorrow. Instead, we can now focus on the outcome which is the “intended state of access.” #mindblown

Want to learn more? Watch a quick explainer video or visit our Cisco Defense Orchestrator homepage.

Like what you see? Try our free 30-day trial of Cisco Defense Orchestrator to simplify security policy management across your Cisco ASA, FTD, or Meraki MX platforms.


By Danny Adamitis with contributions from Paul Rascagneres.

Executive summary

After several months of activity, the actors behind the “Sea Turtle” DNS hijacking campaign are not slowing down. Cisco Talos recently discovered new details that suggest they regrouped after we published our initial findings and coverage and are redoubling their efforts with new infrastructure. While many actors will slow down once they are discovered, this group appears to be unusually brazen, and will be unlikely to be deterred going forward.

Additionally, we discovered a new DNS hijacking technique that we assess with moderate confidence is connected to the actors behind Sea Turtle. This new technique is similar in that the threat actors compromise the name server records and respond to DNS requests with falsified A records. It has only been observed in a few highly targeted operations. We also identified a new wave of victims, including a country code top-level domain (ccTLD) registry, which manages the DNS records for every domain that uses that country code; that access was then used to compromise additional government entities. Unfortunately, unless significant changes are made to better secure DNS, these sorts of attacks are going to remain prevalent.
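The hijack described above leaves a footprint that a defender can watch for: the NS records delegated to a zone change at the registry or registrar, and the A records served for high-value hostnames (mail, VPN, webmail) start pointing somewhere new. The following is an added example, not code from Talos or from the Sea Turtle report: a Python check that diffs a trusted DNS baseline against a fresh snapshot and raises alerts for delegation changes, parent/child NS disagreement and A-record drift, escalating severity for hostnames you mark as sensitive. The zone `example.org`, the `attacker-dns.example` name servers and all addresses are constructed for the example; in production the snapshots would come from your own resolver queries against the parent zone and the zone’s authoritative servers.

```python
from dataclasses import dataclass


@dataclass
class ZoneSnapshot:
    """What a monitor recorded for one zone at one point in time.

    delegation_ns: NS names the parent zone (registry/TLD) delegates to
    zone_ns:       NS names the zone's own authoritative servers publish
    a_records:     hostname -> set of IPv4 addresses answered for it
    """
    delegation_ns: frozenset
    zone_ns: frozenset
    a_records: dict


def _fmt(values) -> str:
    return ", ".join(sorted(values)) if values else "(none)"


def detect_dns_drift(baseline: ZoneSnapshot, observed: ZoneSnapshot,
                     sensitive_hosts=frozenset()) -> list:
    """Compare a trusted baseline with a fresh snapshot; return (severity, message) alerts."""
    alerts = []

    # 1. The delegation itself changed: this is the registrar/registry-level step of
    #    an NS hijack, and the single most important thing to alert on.
    added = observed.delegation_ns - baseline.delegation_ns
    removed = baseline.delegation_ns - observed.delegation_ns
    if added or removed:
        alerts.append(("critical",
                       f"delegation NS changed: +[{_fmt(added)}] -[{_fmt(removed)}]"))

    # 2. Parent and child disagree about who is authoritative. Legitimate migrations
    #    can cause this briefly; a persistent mismatch deserves a look.
    if observed.delegation_ns != observed.zone_ns:
        alerts.append(("high",
                       f"parent delegation [{_fmt(observed.delegation_ns)}] "
                       f"!= zone NS [{_fmt(observed.zone_ns)}]"))

    # 3. Answers for known hostnames moved. A hijacked name server returns falsified
    #    A records, so a change on a mail or VPN host is treated as critical.
    for host, old_ips in sorted(baseline.a_records.items()):
        new_ips = observed.a_records.get(host, frozenset())
        if new_ips == old_ips:
            continue
        severity = "critical" if host in sensitive_hosts else "medium"
        alerts.append((severity, f"{host}: A records {_fmt(old_ips)} -> {_fmt(new_ips)}"))
    return alerts


# Constructed snapshots (example data, not observations from the Sea Turtle campaign).
BASELINE = ZoneSnapshot(
    delegation_ns=frozenset({"ns1.example.org", "ns2.example.org"}),
    zone_ns=frozenset({"ns1.example.org", "ns2.example.org"}),
    a_records={"mail.example.org": frozenset({"203.0.113.25"}),
               "www.example.org": frozenset({"203.0.113.80"})},
)

# The delegation now points at attacker-controlled servers, which answer with a
# falsified address for the mail host while leaving the public website untouched.
HIJACKED = ZoneSnapshot(
    delegation_ns=frozenset({"ns1.attacker-dns.example", "ns2.attacker-dns.example"}),
    zone_ns=frozenset({"ns1.attacker-dns.example", "ns2.attacker-dns.example"}),
    a_records={"mail.example.org": frozenset({"198.51.100.7"}),
               "www.example.org": frozenset({"203.0.113.80"})},
)

if __name__ == "__main__":
    for severity, message in detect_dns_drift(BASELINE, HIJACKED,
                                              sensitive_hosts={"mail.example.org"}):
        print(f"[{severity}] {message}")
```

The check is only as good as its baseline, so record it from a vantage point you trust and refresh it through a change process, not automatically; CDN rotation and planned NS migrations will trigger it, which is the price of catching an unplanned one. It complements, rather than replaces, registrar-side controls such as registry lock and multi-factor authentication on registrar accounts, which address the access the attackers used in the first place.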


Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between June 28 and July 5. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Read More at Talosintelligence.com

Reference
TRU07050219 – This is a JSON file that includes the IOCs referenced in this post, as well as all hashes associated with the cluster. The list is limited to 25 hashes in this blog post. As always, please remember that all IOCs contained in this document are indicators, and that one single IOC does not indicate maliciousness. See the Read More link above for more details.


Simple DirectMedia Layer contains two vulnerabilities that could allow an attacker to remotely execute code on the victim’s machine. Both bugs are present in the SDL2_image library, which is used for loading images in different formats, in the function responsible for loading PCX files. In both cases, a specially crafted PCX file can lead to a heap buffer overflow and remote code execution.

In accordance with our coordinated disclosure policy, Cisco Talos worked with SDL to ensure that these issues are resolved and that an update is available for affected customers. Check out the Talos blog for all the details and coverage.


Malware is constantly finding new ways to avoid detection. This doesn’t mean it will never be detected, but it does allow adversaries to increase the period of time between initial release and detection. Flying under the radar for just a few days is enough to infect sufficient machines to earn a decent amount of revenue for an attack. Cisco Talos recently discovered a new campaign delivering the HawkEye Reborn keylogger and other malware that proves attackers are constantly creating new ways to avoid antivirus detection. In this campaign, the attackers built a complex loader to ensure antivirus systems do not detect the payload malware. Among its features is the infamous “Heaven’s Gate” technique — a trick that lets 32-bit malware running under WoW64 on a 64-bit Windows system switch the processor into 64-bit mode and call the 64-bit native API directly, bypassing the 32-bit hooks that security products place on the WoW64 layer. In this blog, we will show how to analyze this loader quickly, and provide an overview of how these attackers deliver the well-known HawkEye Reborn malware. During our analysis, we also discovered several notable malware families, including Remcos and various cryptocurrency mining trojans, leveraging the same loader in an attempt to evade detection and impede analysis.
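Because the mode switch has to be done with a far return (or far jump) into the 64-bit code segment, Heaven’s Gate stubs tend to share a handful of recognizable byte sequences, which makes them a useful hunting pattern in memory dumps and unpacked stages. The following is an added example, not code or signatures from the Talos analysis: a small Python wildcard byte scanner carrying the textbook encodings of the 32-bit entry gate (`push 0x33` followed by a far return into CS=0x33) and the matching 64-bit exit back to CS=0x23. The test buffer is constructed for the example and is not data from the HawkEye loader, whose exact stub may be obfuscated differently.

```python
# Textbook "Heaven's Gate" stubs. 0x33 is the 64-bit code segment selector under
# WoW64 and 0x23 the 32-bit one. Encodings are the common forms, not the specific
# bytes of any one loader; variants that compute the selector or split the stub
# across several instructions will not match these patterns.
HEAVENS_GATE_PATTERNS = {
    # push 0x33 ; call $+5 ; add dword [esp], 5 ; retf
    "hg32_call_add_retf": "6A 33 E8 00 00 00 00 83 04 24 05 CB",
    # push 0x33 ; push imm32 ; retf            (imm32 = 64-bit target, wildcarded)
    "hg32_push_push_retf": "6A 33 68 ?? ?? ?? ?? CB",
    # call $+5 ; mov dword [rsp+4], 0x23 ; add dword [rsp], 0xD ; retf
    "hg64_return_to_32": "E8 00 00 00 00 C7 44 24 04 23 00 00 00 83 04 24 0D CB",
}


def parse_pattern(spec: str) -> list:
    """'6A 33 ??' -> [0x6A, 0x33, None]; None is a single-byte wildcard."""
    return [None if tok == "??" else int(tok, 16) for tok in spec.split()]


def scan_for_heavens_gate(buf: bytes, patterns=HEAVENS_GATE_PATTERNS) -> list:
    """Return (pattern_name, offset) for every match, ordered by offset."""
    hits = []
    for name, spec in patterns.items():
        pat = parse_pattern(spec)
        n = len(pat)
        for off in range(len(buf) - n + 1):
            if all(p is None or p == buf[off + i] for i, p in enumerate(pat)):
                hits.append((name, off))
    hits.sort(key=lambda hit: hit[1])
    return hits


def build_constructed_sample() -> bytes:
    """A constructed buffer, NOT bytes from the HawkEye loader: a NOP sled, the
    call/add/retf gate, more padding, then a push/push/retf gate to 0x00401000."""
    return (b"\x90" * 16
            + bytes.fromhex("6A33E80000000083042405CB")
            + b"\x90" * 8
            + bytes.fromhex("6A33") + b"\x68" + (0x00401000).to_bytes(4, "little") + b"\xCB")


if __name__ == "__main__":
    for name, off in scan_for_heavens_gate(build_constructed_sample()):
        print(f"{name:22s} at offset 0x{off:04x}")
```

Two caveats when using this for real: a packed sample will not contain the stub on disk (it is only present after the loader decrypts it), so run the scan against process memory or an unpacked stage rather than the original file; and the WoW64 layer itself legitimately performs the same kind of far transfer into CS=0x33, so a hit is interesting in a third-party or unsigned module, not in Microsoft’s own WoW64 components.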


If you’re still juggling a lot of cyber security tools, you’re not alone. Even as businesses make headway on trimming point-solutions, the recently released Cisco CISO Benchmark Report found that 14% of security leaders are managing more than 20 vendors. And 3% are dealing with over 50.

It’s easy for this to get out of hand. Customers tell us they acquired product A to solve problem A, product B to solve problem B, and so on. Before long, they’re overloaded with point-products that work independently and create tons of siloed data points. The products don’t draw connections between the data to help network administrators understand event context.

It’s almost like having alarm sensors from different security companies on every door to your home. It’s not better, simpler, or easier to manage.

Cisco is helping customers simplify their security ecosystems with powerful tools that work together to automatically thwart cyber attacks. The Cisco Integrated Security Portfolio includes Cisco Next-Generation Firewalls (NGFW) and Cisco Advanced Malware Protection (AMP) for Endpoints. These two tools automatically work together to provide comprehensive threat protection from the network edge to the endpoint. And using the Cisco Threat Response management console, you can take corrective action directly from a single interface.

The power of coordination

This powerful partnership starts with breach prevention. Stopping cyberattacks before they can embed themselves in your extended network is crucial. The Cisco NGFW and AMP for Endpoints both draw threat intelligence from the Cisco Talos Security Intelligence and Research Group to actively block threats in real time. Cisco NGFW monitors and blocks malicious traffic and files at the network perimeter, while Cisco AMP for Endpoints blocks malicious files at the endpoint point-of-inspection.

But what if an attacker or extremely sophisticated malware manages to creep inside? It can happen: cybercriminals are persistent, and malware gets smarter every day. This is where the coordination of Cisco NGFW and AMP can really make a difference. If the NGFW sees a threat on the network, it is contained there and blocked from reaching the endpoint. If AMP for Endpoints sees trouble on an endpoint, the file is quarantined there and blocked from traversing the network. Threat information and event data are shared amongst all Cisco security tools, so that if a threat is seen once, it is stopped everywhere. This provides continuous visibility across multiple attack vectors for rapid, automatic detection and response.

And the best part? This network and endpoint information is all aggregated in one place – the Cisco Threat Response management console. You can see all of this information in intuitive, configurable graphs for better situational awareness and quick conclusions. You can take corrective action and make decisions across your entire network from one management plane. You can block suspicious files, domains, and more—without having to log in to another product first. Want to see even more network or endpoint detail? One click and you’re inside Cisco AMP for Endpoints or the Cisco NGFW native console.

One proven, efficient system

We work with businesses every day to help them defend their networks and keep security management simple so their teams can be as efficient as possible. Cisco Next-Generation Firewalls and Cisco AMP for Endpoints, along with the Cisco Threat Response management console, offer breach prevention, continuous visibility, rapid detection, automated response, and efficient management from one console.

To learn more about Cisco NGFW and Cisco AMP for Endpoints, click here.
