Post authored by Martin Rehak, Veronica Valeros, Martin Grill and Ivan Nikolaev.
In order to complement the comprehensive information about the Angler exploit kit from our Talos colleagues [Talos Intel: Angler Exposed], let’s have a very brief look at what an Angler and CryptoWall infection looks like from the network perspective. We will present one of the recent Angler incidents discovered by Cognitive Threat Analytics (CTA).
Cognitive Threat Analytics works after the attack. It sifts through the logs produced by the client’s web proxy for any malware that may have slipped through the perimeter defences, such as this specific case here. CTA was able to observe the attack in its entirety (including the phases where the perimeter defence successfully blocked several stages in the attacker’s plan) and notify the security team immediately for follow-up and investigation.
So, how does an incident start for the analyst?
We can see that the incident has been categorised as an Exploit Kit infection. The system asserts 95% confidence that this incident is a true positive, and rates it at level 8 (out of 10) on the risk scale.
Tags: Advanced Malware Protection, angler, Cognitive Threat Analytics, Cryptowall, exploit kit, ransomware
In the past several months Cisco Cognitive Threat Analytics (CTA) researchers have observed a number of blog sites using either fake content or content stolen from other sites to drive traffic to ad-loaded web sites. We have observed traffic volumes of up to 10,000 requests per hour, targeting hundreds of sites. The estimated lifetime of this campaign is at least 9 months. With a single click worth anywhere from $0.01 to $1, these scams can yield substantial returns for their owners.
Fake blogs are not new, but these actors are operating with a slightly different MO. Effort has been made to evade web-reputation-based blocks and to hide from the eyes of investigators. First, we observe a large number of similar sites with word-based and topic-based generated domain names. At first sight these sites look like benign travel-related blogs full of content. Secondly, most of the intermediate infrastructure will redirect a random request away towards Google, making the investigation more difficult.
The general traffic pattern was observed as follows:
- Large numbers of requests arrive from infected clients at the fake blog sites. To look less suspicious, the requests are shaped like search queries – for example: cruiserly.net/search/q/greyhounds.
- There is a series of redirects via intermediate sites that are already associated with click fraud – for example: findreek.com.
- These redirects bring the clients to another set of fake sites with travel-related names (e.g. tourxperia.com); this time the sites have no content.
- Finally, clients are sent to browse arbitrary web sites to generate clicks and/or revenue.
Details of the analysis follow in the full post.
Tags: AMP, Cognitive Threat Analytics, PPC scam, Threat Research
Cisco Cognitive Threat Analytics is a security analytics product that discovers breaches in Cisco customers' networks by means of advanced statistical analysis, machine learning and global correlation in the Cisco security cloud. Attached to Cloud Web Security (CWS) and Web Security Appliances (WSA), it is also capable of integrating non-Cisco data sources in order to help the broadest possible set of clients.
Our team discovers tens of thousands of ongoing malware infections (aka breaches) per day. These findings are delivered in a customer-specific report or directly into the customer's SIEM system. Customers can easily identify and remediate breaches, get to the root cause and apply policy changes that minimize the risk of further infections in the future.
Tags: analytics, Cognitive Threat Analytics, security
“There is no silver bullet.” That’s one of our favorite sayings at Cisco Security. We use it to convey the point that malware prevention is not 100%. As new attack vectors emerge and the threat landscape evolves, some malware will get through – regardless of which security vendor you choose.
In fact, our recently released 2014 Annual Security Report found that “100 percent of business networks analyzed by Cisco have traffic going to websites that host malware.” Basically, everyone will be compromised to one degree or another.
There are two factors at play. First, as modern networks have expanded and extended beyond the traditional perimeter to include endpoints, mobile devices, virtual desktops, data centers, and the cloud, new attack vectors have emerged. Attackers don't discriminate and will take advantage of any gap in protection to accomplish their mission.
Second, attackers are focused on understanding security technologies, how they work, where they are deployed, and how to exploit their weaknesses. For example, they outsmart point-in-time defenses – like sandbox technologies that only scan files once – by creating targeted, context-aware malware that can modify its behavior to evade detection and infiltrate the extended network where it is difficult to locate, let alone eradicate.
So what can you do about it? Well, at Cisco we advocate for continuous protection across the entire attack continuum – before, during, and after an attack. We believe security strategies that focus solely on perimeter-based defenses and preventive techniques will only leave attackers free to act as they please, once inside your network.
Tags: 2014 annual security report, Cisco Cloud Web Security, Cognitive Threat Analytics, malware
Malware is everywhere and is incredibly challenging to combat: it uses whatever unprotected path exists to reach its target and accomplish its mission.
Malware has become the weapon of choice for hackers. According to the 2013 Verizon Data Breach Investigations Report, of the top 20 types of threat actions last year, malware was the most common method used, followed by hacking and social engineering. Increasingly, blended threats that combine several methods – for example, phishing, malware and hacking – are being used to introduce malware, embed it in networks, remain undetected for long periods of time and steal data or disrupt critical systems. More specifically on blended threats, the report tells us that more than 95 percent of all attacks intended to conduct espionage employed phishing. What is more, a prominent recent retail breach began with a targeted email phishing attack that ultimately led to access to payment system data via malware uploaded to PoS systems.
Tags: 2014 annual security report, Advanced Malware Protection, Cisco Cloud Web Security, Cognitive Threat Analytics, malware, Sourcefire