In February, Cisco Managed Threat Defense (MTD) security investigators detected a rash of Dridex credential-stealing malware delivered via Microsoft Office macros. It’s effective, and the lures appear targeted at those responsible for handling purchase orders and invoices. Here’s a breakdown of the types of emails we’ve observed phishing employees and installing trojans on user devices.
Two weeks ago, multiple Cisco Managed Threat Defense (MTD) customers received an email that appeared to come from the Microsoft Volume Licensing Service Center (VLSC). The email shown below is very similar to the real email Microsoft sends. It had a personalized welcome line and appears to contain a link to log in to the Volume Licensing Service Center:
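The two tells in a lure like this are that the login link's visible text names the vendor while the href goes somewhere else, and that the mail carries a macro-capable Office attachment. The following triage script is an added example, not Cisco's tooling or anything from the original post; the sample message it builds is constructed for the demonstration (the sender address, hostnames and attachment name are invented), and `TRUSTED_DOMAINS` is an assumed allow-list for the brand being impersonated.

```python
"""Flag the lure pattern above: a mail claiming to be a vendor portal notice
whose login link or attachment points elsewhere.  Added example; the message
built by build_message() is constructed, not a captured sample."""
import email
import re
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allow-list of domains the impersonated brand legitimately uses.
TRUSTED_DOMAINS = {"microsoft.com"}
# Office extensions that can carry VBA macros (legacy .doc/.xls included).
MACRO_EXTENSIONS = (".docm", ".xlsm", ".pptm", ".doc", ".xls")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _registered_domain(host):
    """Crude eTLD+1 (last two labels); adequate for the example."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def _is_trusted(host):
    return bool(host) and _registered_domain(host) in TRUSTED_DOMAINS


def _host_in_text(text):
    """Hostname shown in link text, if the text looks like a URL or domain."""
    m = re.search(r"(?:https?://)?([\w-]+(?:\.[\w-]+)+)", text)
    return m.group(1).lower() if m else ""


def analyze_email(raw: bytes) -> list:
    """Return findings as strings; an empty list means nothing suspicious."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    # 1. Sender domain: a genuine VLSC notice comes from the vendor's domain.
    m = re.search(r"@([\w.-]+)", msg.get("From", ""))
    sender_host = m.group(1) if m else ""
    if not _is_trusted(sender_host):
        findings.append(f"sender domain not trusted: {sender_host or '?'}")

    # 2. Links: visible text names the vendor, href resolves elsewhere.
    html_part = msg.get_body(preferencelist=("html",))
    if html_part is not None:
        collector = _LinkCollector()
        collector.feed(html_part.get_content())
        for href, text in collector.links:
            target = urlparse(href).hostname or ""
            shown = _host_in_text(text)
            if _is_trusted(shown) and not _is_trusted(target):
                findings.append(f"link text {text!r} points to {target}")
            elif not _is_trusted(target) and "login" in (href + text).lower():
                findings.append(f"login link to untrusted host: {target}")

    # 3. Macro-capable Office attachments (the Dridex delivery vehicle).
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(MACRO_EXTENSIONS):
            findings.append(f"macro-capable attachment: {name}")
    return findings


def build_message(sender, href, link_text, attachment_name=None) -> bytes:
    """Constructed VLSC-themed message for the demo; not a real sample."""
    msg = EmailMessage()
    msg["From"] = f"Microsoft Volume Licensing <{sender}>"
    msg["To"] = "ap-clerk@victim.example"
    msg["Subject"] = "Welcome to the Volume Licensing Service Center"
    msg.set_content("Welcome to VLSC. Please sign in.")
    msg.add_alternative(
        f'<p>Dear Customer,</p><p><a href="{href}">{link_text}</a></p>',
        subtype="html")
    if attachment_name:
        msg.add_attachment(b"PK\x03\x04 placeholder bytes, not a real document",
                           maintype="application",
                           subtype="vnd.ms-word.document.macroEnabled.12",
                           filename=attachment_name)
    return msg.as_bytes()


if __name__ == "__main__":
    lure = build_message("vlsc-noreply@example.net", "http://login.example.net/vlsc/",
                         "https://www.microsoft.com/licensing/servicecenter",
                         "PurchaseOrder_4471.docm")
    for finding in analyze_email(lure):
        print("FINDING:", finding)
```

Run against the constructed lure it reports three findings (untrusted sender domain, link text naming microsoft.com but pointing at example.net, a .docm attachment); a message from the vendor's own domain whose link text and href agree, with no attachment, produces none.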
As the Cisco 2015 Annual Security Report shows, current security approaches aren’t sufficient. Attackers are shifting methods and becoming more sophisticated in their approaches, users are unwittingly complicit enablers, and defenders struggle to keep up with all of these things. It is time for defenders to take a different approach to security that not only outwits attackers but also makes security a competitive advantage that enables business growth.
By taking a threat-centric and operational approach to security, organizations can reduce complexity and fragmentation, while providing superior visibility, continuous control, and advanced threat protection across the extended network and the entire attack continuum.
Using Cisco technology, this approach is enabled by broad visibility for superior intelligence across the extended network, where all the solutions a customer deploys communicate with each other. Organizations using siloed solutions will have holes in their security. Siloed solutions do not provide full protection since they do not communicate with one another, thus leaving security gaps and the inability to create actionable intelligence.
Cisco can provide a holistic solution to this problem by reducing the attack surface and extending protection across the network – before, during and after attacks.
Cisco recently announced the availability of Managed Threat Defense (MTD), an innovative managed security solution that applies real-time, predictive analytics to detect attacks and protect against advanced malware across extended networks. MTD helps our customers address the ever-changing threats to their most important asset, data. MTD is delivered through a cost-effective business model that allows our customers to leverage Cisco’s investment in security technology, global threat intelligence knowledge base, talent, and global reach.
To learn more about MTD, watch the video datasheet below:
While developing this solution, the MTD development team talked to dozens of customers around the world. As a result of these discussions, two dominant themes emerged:
As of May 1, 2014, we can confirm Cisco customers have been targets of this attack. For the latest coverage information and additional details see our new post on the VRT blog.
Protecting company critical assets is a continuing challenge under normal threat conditions. The disclosure of zero-day exploits only makes the job of IT security engineers that much harder. When a new zero-day vulnerability was announced on April 26, 2014 for Microsoft Internet Explorer, corporate security organizations sprang into action assessing the potential risk and exposure, drafting remediation plans, and launching change packages to protect corporate assets.
Some companies, however, rely on Managed Security Services to protect those same IT assets. For Cisco Managed Security Services customers, the managed team took the action of deploying updated IPS signatures to detect attacks against the company’s critical IT assets. In more detail, the IPS Signature team, as a member of the Microsoft Active Protections Program (MAPP), developed and released Cisco IPS signature 4256/0 in update S791, and Snort rules 30794 and 30803 were available in the ruleset dated 4-28-2014. The Cisco Managed Security team, including Managed Threat Defense, received the update as soon as it became available on April 28th. Generally, Cisco Managed Security customers have new IPS signature packs applied during regularly scheduled maintenance windows. Because this was a zero-day, the managed security team reached out to customers proactively to advise them of the exploit and was able to apply the signature pack updates immediately to detect and protect customer networks.
While corporate security organizations must still assess ongoing risks and direct overall remediations to protect corporate data, Cisco can take the actions to provide security visibility into the targeted attacks, increase protection with fresh signatures, and reduce the risk profile for the corporate InfoSec program.
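Receiving a ruleset update is not the same as being protected by it: the rules a team is counting on have to be present in the pack that was applied and not commented out. The check below is an added example, not Cisco's or Talos's tooling; it parses a Snort rules file and reports, for a set of required SIDs, which are active, which are present but disabled, and which are missing. The SIDs are the two named above, but the rule bodies in the sample are constructed placeholders, not the real rules for those SIDs.

```python
"""Verify that a Snort ruleset carries the SIDs a team expects and that they
are enabled.  Added example; SAMPLE_RULES holds constructed placeholder rule
bodies, not the real rules for SIDs 30794 and 30803."""
import re

# SIDs named in the post for the April 2014 IE zero-day coverage.
REQUIRED_SIDS = {30794, 30803}

# Constructed sample: 30794 enabled, 30803 commented out (disabled), plus an
# unrelated rule split across two lines with a backslash continuation.
SAMPLE_RULES = r"""# constructed placeholder ruleset, not Talos content
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PLACEHOLDER rule A"; flow:to_client,established; content:"placeholder-a"; sid:30794; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PLACEHOLDER rule B"; flow:to_client,established; content:"placeholder-b"; sid:30803; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"PLACEHOLDER unrelated"; \
    content:"placeholder-c"; sid:1000001; rev:2;)
"""

# A rule line: optional leading '#' (disabled), an action keyword, then an
# option block containing sid:N.  Plain comments never match because they
# lack the action keyword / sid option.
RULE_RE = re.compile(
    r"^\s*(?P<disabled>#\s*)?(?P<action>alert|log|pass|drop|reject|sdrop)\s+"
    r"(?P<proto>\S+)\s+.*\(.*\bsid\s*:\s*(?P<sid>\d+)\s*;")
REV_RE = re.compile(r"\brev\s*:\s*(\d+)\s*;")


def _logical_lines(text):
    """Yield (first_lineno, line) with backslash-continued lines joined."""
    buf, start = [], 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not buf:
            start = lineno
        stripped = raw.rstrip()
        if stripped.endswith("\\"):
            buf.append(stripped[:-1])
            continue
        buf.append(raw)
        yield start, " ".join(buf)
        buf = []
    if buf:  # dangling continuation at end of file
        yield start, " ".join(buf)


def parse_rules(text):
    """Map sid -> {"enabled", "action", "rev", "line"} for every rule found."""
    rules = {}
    for lineno, line in _logical_lines(text):
        m = RULE_RE.match(line)
        if not m:
            continue
        rev = REV_RE.search(line)
        rules[int(m.group("sid"))] = {
            "enabled": m.group("disabled") is None,
            "action": m.group("action"),
            "rev": int(rev.group(1)) if rev else None,
            "line": lineno,
        }
    return rules


def coverage_report(text, required):
    """Split the required SIDs into active / disabled / missing."""
    rules = parse_rules(text)
    return {
        "active": sorted(s for s in required if s in rules and rules[s]["enabled"]),
        "disabled": sorted(s for s in required if s in rules and not rules[s]["enabled"]),
        "missing": sorted(s for s in required if s not in rules),
    }


if __name__ == "__main__":
    report = coverage_report(SAMPLE_RULES, REQUIRED_SIDS)
    for state, sids in report.items():
        print(f"{state:>8}: {sids}")
    if report["disabled"] or report["missing"]:
        print("coverage gap: the update does not protect as assumed")
```

On the constructed sample this reports 30794 active, 30803 disabled and nothing missing, which is exactly the gap a maintenance-window rollout would silently leave if the commented rule were never noticed; the same function pointed at a real `snort.rules` file after an update gives the confirmation before the customer call.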
For more detail on the vulnerability, please see Martin Lee’s blog post.
More details about this exploit and mitigation information can be found at the following links:
- Cisco IPS Signature S791
- Snort Ruleset
- Cisco IPS Sub-Signature 4256-1
- Cisco IntelliShield Alert 33961
For additional information about Cisco Managed Security solutions please refer to the following links and contact your Cisco Services sales representative: