
Contributors:  Sean Baird, Earl Carter, Erick Galinkin, Christopher Marczewski & Joe Marshall 

Executive Summary

Attackers are continually trying to find new ways to target users with malware sent via email. Talos has identified an email-based attack targeting the energy sector, including nuclear power, that puts a new spin on the classic Word document attachment phish. Typically, malicious Word documents that are sent as attachments to phishing emails will themselves contain a script or macro that executes malicious code. In this case, there is no malicious code in the attachment itself. The attachment instead tries to download a template file over an SMB connection so that the user’s credentials can be silently harvested. In addition, this template file could also potentially be used to download other malicious payloads to the victim’s computer.

Authors

Talos Group

Talos Security Intelligence & Research Group


Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between June 30 and July 07. As with previous round-ups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavior characteristics, indicators of compromise, and how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of date of publication. Detection and coverage for the following threats is subject to updates pending additional threat or vulnerability analysis. For the most current information, please refer to your FireSIGHT Management Center, Snort.org, or ClamAV.net.


Authors

Talos Group

Talos Security Intelligence & Research Group


Vulnerability discovered by Marcin Noga, Lilith Wyatt and Aleksandar Nikolic of Cisco Talos.

Overview

Talos has discovered multiple vulnerabilities in the freedesktop.org Poppler PDF library. Exploiting these vulnerabilities can allow an attacker to gain full control over the victim’s machine. If an attacker builds a specially crafted PDF document and the victim opens it, the attacker’s code will be executed with the privileges of the local user.

Authors

Talos Group

Talos Security Intelligence & Research Group


Just returning from Cisco LIVE US 2017.  This was the most exciting & inspiring event since I started attending the conference a number of years ago.  You could just feel the energy this year.  It was electric.

Having spent a lot of time with customers & partners in the digital financial services demo area in the world of solutions and across the entirety of the conference, it was very evident that people are thinking differently about their businesses.

One financial services client from Florida said they’re already servicing their clients differently today and are actively looking at deploying new digital services.  Working with Cisco they are offering remote expert services in their branches and are seeing utilization by their customers who are looking for immediate responses to service requests their branch employees can’t address. They are also modernizing their network infrastructure & partnering with FinTechs to deploy new services.  Another IT leader said that they have never seen so much innovation in one place and that Cisco LIVE was an eye opening experience.  They are now rethinking how they can apply technology to everything from guest services to logistics. Another customer simply said,

 

“With all of this innovation around me I have to reconsider how I keep up my tech skills.”

 

And, many, many more conversations like this occurred throughout the week.  How are you reimagining your business and where are you placing your investments for the future?

Tons and tons of questions about Cisco Digital Network Architecture.  This is where the big announcements were. The Network. Intuitive.  New Catalyst switches with the world’s most advanced programmable networking processors, DNA Center that will allow you to design, provision and apply policy across your entire network & Encrypted Traffic Analytics to help sense malware in encrypted traffic.  All game changing, making Cisco the only networking company that can help you manage the scale of network demands for today & tomorrow.  With billions of things coming onto the network, banks and insurance companies are challenged with costly, legacy manual net ops processes that are consuming resources, so they need automation, programmability, segmentation, analytics, and security. CLUS showed attendees Cisco is delivering solutions today so your business is digital ready.

I think Rowan Trollope summed up what is happening across all industries best.  He described the 3 factors that the leading tech companies have harnessed to change the game and how their astonishing market capitalizations reflect their advantages.

 

Data, Insights, Action and a closed-loop process that continuously feeds back on itself to create more value.

They are the digital natives like Amazon, Facebook, Google, etc. who have created massive businesses and in some ways are also becoming competitors in the financial services industry. From processing payments through messaging apps to venture arms funding disruption they may be the next gladiators in the financial services coliseum.  Traditional financial services companies are not immune to the disruption digital natives will create.  Along with deregulation gaining steam here in the US, we are likely to see more market entrants and speed of change will hasten.  The question customers at Cisco LIVE were asking is – who will I partner with to arm us for success.

Finally, you can’t leave Cisco LIVE without seeing old friends & making some new ones like D’Auria Henry who runs our digital marketing for financial services.

 

Consider joining us next year.  Even if you’re a business leader outside of IT, the conference will provide a different perspective for your functional focus.  After all, the business of the future is a digital business.  See you next year Cisco LIVE!

For more information about Cisco Financial Services please visit: www.cisco.com/go/financialservices

Follow Cisco on LinkedIn for the latest company and industry news.

Authors

Joe Zakir

Market Manager, Enterprise & Global Financial Services

Americas Marketing & Communications

IDC recently released their latest data on the Converged Systems space: vendor revenue grew 4.6% YoY in calendar Q1 of this year.  This is impressive considering the server market dipped moderately prior to the next wave of technology refreshes coming this summer.

Cisco UCS: It’s not a server. It’s a system.

Cisco UCS and Nexus switches anchor the industry-leading solutions in the certified reference systems & integrated infrastructure category, contributing to an estimated 64% revenue market share represented by our partnerships in VxBlock and FlexPod.  Add to that the traction we’re seeing with VersaStack and FlashStack and it becomes evident that customers have chosen certified reference systems and integrated infrastructure solutions based on Cisco UCS because they deliver a simplified, fabric-centric architecture that provides pools of policy-based programmable infrastructure.

Unique innovation, unique benefits

Each of our integrated systems brings unique benefits to our customers and each has a strong innovation tempo and commitment from us and our partners:

FlexPod: we announced the new FlexPod SF, extending a portfolio that posted 26.1% YoY revenue growth in Q1.

FlashStack: Introduced new solutions for enterprise applications like Oracle, SAP HANA, and desktop virtualization.

VersaStack: Expanded the portfolio to include hybrid cloud capabilities and software defined storage technologies to address cloud-scale applications.

Dell EMC VxBlock is the leader in the certified reference systems & integrated infrastructure segment, anchored with UCS and Nexus, and offering customer choice in SDN technologies.

Continue reading “Cisco UCS: The Foundational Choice for Converged Infrastructure”

Authors

Tim Stack

Product Marketing Manager

Data Center and Compute


Visualizing Workflow In One Place Saves Korean Power Customer Millions

A network that operates intuitively shows you what you need to know. As you need to know it. And, the more complex things that are connected, the more critical that insight is to your entire operation.

What’s working? What’s not? What could work better? Can you fix it now? Maybe. If you have the right partner.

Our partner N3N builds software to help customers detect, manage and predict business operations through a single pane of glass. This includes pan and zoom technology, mapping, sensors, and videos that you can monitor on a phone or tablet.

It’s made a big difference for their customers, especially one in South Korea.

N3N says…

KOEN, the biggest electricity provider in South Korea, recently moved their HQ 300 miles, from Seoul to Jinju. But they needed to keep watch over the six power plants they left behind. So, they used an array of 1,500 cameras and sensors to catch safety issues like fires or break-ins.

The problem is, it was costing them millions to stream so much video over so many miles. And it took several people to watch all the different feeds.

KOEN asked us to help simplify the process. In three months, we helped them install INNOWATCH, which combines hundreds of video and data feeds into a single pane of glass. It saves bandwidth by sending new pixels only when the image changes. And they can manage it all on Cisco UCS servers.

The results have been electric. KOEN’s video bandwidth costs went down by 90%, which saved them $7.1 million a year. They also saved another $700k in the first three months by catching 207 safety issues more quickly than they would have before. All with only one person watching the feeds.

That’s what we call keeping the lights on.

Thanks, N3N!

 

The story doesn’t end there.

More stories on what our customers and partners are doing all over the world.

Meet other Cisco partners like N3N. Get started here.

Authors

Julie Colwell

Marketing Manager

Global Partner Marketing


In my previous post, we talked about the complexity that Containers can bring to the network and what that means to different roles within an organisation.
We also introduced Contiv in this context and touched on its high-level architecture.

In this post, we aim to get a bit more into detail… 🙂

So let’s begin…

Contiv Architecture

Contiv is made of a master node and an agent that runs on every host of your server farm:

Contiv’s support for clustered deployments

The master node(s) offer tools to manipulate Contiv objects. It is called Netmaster and implements CRUD (create, read, update, delete) operations using a REST interface. It is expected to be used by infra/ops teams and offers RBAC (role based access control).

The host agent (Netplugin) implements cluster-wide network and policy enforcement. It is stateless: very useful in case of a node failure/restart and upgrade.

A command line utility (that is a client of the master’s REST API) is provided: it’s named netctl.

Contiv’s architecture

Examples

Learning Contiv is very easy: from the Contiv website there is a great tutorial that you can download and run locally.
For your convenience, I executed it on my computer and copied some screenshots here, with my comments to explain it step by step.
First, let’s look at normal docker networks (without Contiv) and how you create a new container and connect it to the default network:

Networks in Docker

You can inspect the virtual bridge (in the linux server) that is managed by Docker: look at the IPAM section of the configuration and its Subnet, then at the vanilla-c container and its ip address.

How Docker sees its networks

You can also look at the network config from within the container:

Now we want to create a new network with Contiv, using its netctl command line interface:

Here you can see how Docker lists and uses a Contiv network:

Look at the IPAM section, the name of the Driver, the name of the network and of the tenant:

We now connect a new container to the contiv-net network as it is seen by Docker: the command is identical when you use a network created by Contiv.

 

Multi-tenancy

You can create a new Tenant using the netctl tenant create command:

A Tenant will have its own networks, that can overlap other tenants’ network names and even their subnets: in the example below, the two networks are completely isolated and the default tenant and the blue tenant ignore each other – even though the two networks have the same name and use the same subnet.

Everything works as if the other network did not exist (look at the “-t blue” argument in the commands).

Two different networks, with identical name and subnet

Let’s attach a new container to the contiv-net network in the blue tenant (the tenant name is explicitly used in the command, to specify the tenant’s network):

All the containers connected to this network will communicate. The network extends all across the cluster and benefits from all the features of the Contiv runtime (see the website for a complete description).

The policy model: working with Groups

Contiv provides a way to apply isolation policies among container groups (regardless of the tenants, and possibly within a tenant).  To do that we create a simple policy called db-policy, then we associate the policy with a group (db-group, which will contain all the containers that need to be treated the same) and add some rules to the policy to define which ports are allowed.

Creating a policy in Contiv

Adding rules to a policy

Finally, we associate the policy with a group (a group is an arbitrary collection of containers, e.g. a tier for a microservice) and then run some containers that belong to db-group:

Creating a group

The policy named db-policy (defining, in this case, what ports are open and closed) is now applied to all the 3 containers: managing many end points as a single object makes it easy and fast, just think about auto-scaling (especially when integrated with Swarm, Kubernetes, etc.).

 

The tutorial shows many other interesting features in Contiv, but I don’t want to make this post too long  🙂

Please reach out to me if you have any questions.

Authors

Luca Relandini

Principal Architect

Data Center and Cloud - EMEAR


An explosive opening


Picture this… I’m at the Cisco Live opening keynote.  Chuck Robbins has an explosive opening with heart-pounding Thunder and immersive light visuals.  Over 26,000 people are in the stands cheering.  Chuck Robbins opens by introducing the new era in networking and makes Cisco’s biggest networking launch in over a decade.  And, Chuck talks about how the new network is programmable!  Then, I hear Chuck say “Susie Wee and the team… DevNet… DevNet… DevNet…” and he jokes “I get twenty bucks every time I say DevNet!”

Then, Chuck is on stage with Apple CEO Tim Cook.  I’m thinking, “this is epic. I’m here with two of the most important leaders of global digital transformation.  They’re discussing applications and the network!  This is huge!”  Tim Cook is talking about the importance of developers when I hear Chuck say, “DevNet… Susie that’s 80 bucks.”  Boom!  Chuck’s on stage with Tim Cook … and he’s talking about DevNet!

“80 bucks” becomes the joke of Cisco Live… and I feel compelled to tell everyone that I never asked Chuck to say DevNet. But inside, the DevNet team and I are thinking: This is so cool! It is awesome to have a CEO who fully understands and appreciates APIs, developers, the ecosystem, and DevNet, the developer program and community we have been building with all our hearts.  Chuck understands how strategic DevNet is to Cisco.  He fully appreciates the value of APIs for empowering Cisco partners and customers to build solutions, to innovate, on top of Cisco platforms.

As always, the DevNet team was in full gear for Cisco Live. Let me share some of the highlights.

DevNet launches the DevNet DNA developer center for programming the intent-based network

The main theme of Cisco Live was the launch of the Intent-based Network, which is Cisco’s biggest networking launch in over a decade. In my opinion, the most exciting feature of the new network is that programmability is now built into the network from top to bottom – from apps to infrastructure – from DNA Center to the Cat 9k to the ASIC in the Cat 9k. DevNet played a major role in this launch and we created a whole set of resources to help app developers and network developers learn about and get hands on with network programmability. Check out our new DevNet DNA Developer Center to see demos, take learning labs, and program on real kit in the developer sandbox.

The Data Center is programmable too

We kicked off our Cisco Live DevNet activities the weekend before Cisco Live… We held two DevNet Express events: one on Cloud Collaboration and our first-ever DevNet Express on Data Center Programmability! We covered data center programmability starting with coding basics, working our way through UCS programmability, and making our way to IOS-XE and ACI. Don’t worry if you missed it- together with our Cisco SEs and partners we host DevNet express events around the world and there is sure to be one coming to a location near you!

Innovation keynote on the Rise of the Network-Powered Developer

I gave an innovation keynote where I discussed the opportunities that arise for application developers and network developers now that the new network is truly programmable. I built on the theme I discussed at DevNet Create and InterOp ITX keynotes on the changing boundaries of where applications meet infrastructure, now that the infrastructure is programmable, but I was able to dive in deeper now that we unveiled the programmable intent-based network. I had a guest speaker from Apple join me on stage to share the details of the innovations we developed together with our Apple-Cisco relationship, ranging from wireless to security to collaboration. Together we showed the benefits that app developers and network developers have when using APIs in the network. We discussed the Apple-Cisco Fast Lane offering where fast-lane enabled iOS apps can work better on a fast-lane enabled enterprise network. I discussed the new DevNet Fast Lane validation program that gives DevNet fast-lane validation to these iOS apps. This is a true demonstration of the benefits app developers can get from a programmable network.

Cisco CTOs discuss APIs and the future of IoT, Networking, Security, Collaboration, and the Cloud

We hosted a CTO panel in the DevNet Zone with Cisco CTOs John Apostolopoulos (Enterprise Networking), Shaun Cooley (IoT and Industry Verticals), Colin Kincaid (Service Provider), Jonathan Rosenberg (Collaboration), Lew Tucker (Cloud), and myself. The conversation ranged from machine learning and artificial intelligence in networks to new wireless technologies that can detect people’s heartbeats in neighboring rooms to application and infrastructure technologies needed for AR/VR and gaming applications (yes, we talked about Zork). Colin observed that we have entered an era where cross training of skills is critical to project success, career success, and indeed to innovation.  Network engineers need to acquire coding skills.  Developers need to understand how to interface with network infrastructure.  That’s why, for the past three years, DevNet has been developing learning labs, building developer sandboxes, and growing a community to help networkers and application developers alike acquire the skills they need to realize success and grow their careers.

DevNet sits squarely at the intersection of programmable networks and application development.  There are now literally hundreds of learning labs on DevNet, organized into learning tracks.  Hundreds of well documented APIs ready to download and use.

Activity in the DevNet Zone

Getting back to the DevNet Zone … I knew people were psyched about the programmability aspects of Cisco’s ground shaking intent-based network announcement.  Still, the stampede to the DevNet Zone when they opened the doors on Tuesday morning, was quite a sight to see.  It’s day two…it’s Vegas.  You’d think maybe the first sessions of the morning would get off to a slow start.  No way, and a quick look at the morning session line-up tells you what triggered the stampede:

  • Hank Preston’s “How to be a Network Engineer in a Programmable Age.”
  • Karthik Kumaravel’s “Exploring Network Programmability with Python and YANG.”
  • Ralph Schmieder’s workshop on “NETCONF/RESTCONF/YANG API.”

All three sessions, along with Ryan Shoemaker’s “Leveraging Python on IOS XE,” Bryan Byrne’s “Application Hosting on IOS XE,” and Adam Radford’s “APIC-EM API” were part of DevNet’s Network Programmability Foundations Learning Path that ran throughout Cisco Live.  All played to standing room only audiences.

Of course it wouldn’t be a DevNet Zone without mixing a healthy dose of fun in with the learning, and CLUS 2017 was no exception.  The Sandbox team brought their new IoT foosball table (featuring IOx, Docker, Python, Collaboration APIs, Arduinos and sensors) where participants could play and learn how any application can be integrated and tested with Cisco APIs via the Sandbox for rapid application development.

Also added for the first time was the DevNet Escape Room.  Attendees could grab a few friends and sign up to be locked into the Escape Room where they had to use their API skills to solve challenges in network programmability, IoT, and collaboration to pull off a superhero rescue of Captain Cloud from captivity by the evil Shadow.  Lots of fun.

There was far more happening in the DevNet Zone.  Sessions and hands-on workshops in IoT, Cloud, Data Center, Collaboration, Security, Mobility, and Open Source also drew crowds.  Session presentations for all are available now, and video replays will be available within a couple weeks.

Design thinking in the DevNet Zone

DevNet developers are solving problems and building solutions every day. We think it is important for our developers to have another skill in their tool chest… Design Thinking. I’m very excited to announce that we are adding Design Thinking to DevNet. We kickstarted this in the DevNet Zone with a Design Thinking panel with user experience and design leaders from across Cisco: Edwin Zhang (DevNet), Hallgrim Sagen (Collaboration), David Sward (Security), Matt Cutler (Collaboration), Dale Heninger (Enterprise Networking), and Michael Kopscak (Enterprise Networking). We also had a Design Thinking pod to help developers learn the basics of design thinking and use it to think through and frame some of the problems they are solving.

Where Apps meet Society with Project Opportunity

Finally, now that DevNet has built our foundation, we think it’s time to give back. We kickstarted a collaboration with the U.S. Department of Commerce on using open data to solve important problems that can help society. Project Opportunity frames important problems around open data. The U.S. government opened over 200,000 data sets in the last few years. This includes census data and data on public transportation routes and homeless shelters. This data can be used to solve interesting problems for society. Also, the 2020 census is coming up and it turns out that nearly 10% of the country is not counted properly in the census, which means that this segment of the population is not represented or served by government initiatives. DevNet is sponsoring Opportunity Projects by forming teams to solve specific problems, including the hard-to-count problem. We can also form projects to help with homelessness, education, and veterans affairs. I would like to invite all of our DevNet developers to join a DevNet Opportunity Project. Together we will define and solve a project that can help society and change people’s lives.

Final comments

As the network becomes code, app developers gain a new platform to innovate, to transform workflows, to build applications, and drive business results.  Through APIs, programmable ASICs and software layers,  apps can talk to the network, allowing for improved performance, analytics, intelligence, tighter security, and quick provisioning of network resources.

I loved meeting all the developers and developers-to-be in the DevNet Zone. I am truly humbled and inspired by our DevNet developers, who are actively learning new skills and driving our industry forward. That’s why I love taking selfies with all of you- you inspire me!

To finish the “80 bucks” story, we decided that this was the most effective marketing we could buy, so we gave Chuck a DevNet $100 when he visited the DevNet Zone. And sure enough, he earned the last 20 by showing the DevNet $100 in his closing keynote and making everyone say “DevNet”… twice!

The DevNet Zone at Cisco Live 2017 may now be in the rear view mirror, but we know that your learning and growth are not slowing down.  So neither are we.  Check out the schedule of live DevNet Express events to see if there’s one that’s convenient for you.  And, check out all of our free online resources at developer.cisco.com. And, let us know how we can make DevNet more valuable to you.

Join the evolution!  Become a DevNet member and join the community of more than 450,000 developers and network programmers who are learning and growing together.

But first, talk to me! What were your highlights and most memorable moments of Cisco Live?

Authors

Susie Wee

SVP & CTO

Cisco DevNet Ecosystem Success


Although it was hot outside in the 117F Las Vegas temperatures, it was cool in the ‘Bay at Cisco Live!  There were some exciting new announcements that directly affect our manufacturing customers and can help accelerate their smart manufacturing initiatives.

Manufacturers are expecting a flood of data from their factories especially with IoT.  This flood of data needs a new type of network to really enable a ‘digital factory core’-  which gets to the heart of our announcements last week. Built on Cisco’s Digital Network Architecture (DNA),  ‘The Network. Intuitive’ ushers a new era of networking and is the culmination of  the work of thousands of engineers.  Analysts and press agree that this is Cisco’s most significant development achievement in the last decade– a new, intuitive, learning network powered by intent, and informed by context.

There were two big innovations here – intent-driven infrastructure and a command center for the enterprise network today announced as DNA Center.  We knew our customers were spending too much time and expense operating their networks, and their infrastructure wasn’t agile enough.  This is particularly true in the manufacturing and industrial space where IoT and smart manufacturing require a robust networking foundation.

Now we have one unified system that spans the entire enterprise access network, covering all types of devices. It acts as a single platform, driven by intent. This intent-based infrastructure is programmable and integrated so that it can be automated, just like your production process.  With comprehensive network automation, assurance, and security, Cisco Digital Network Architecture (DNA) simplifies management of your factory floor, reduces total cost of ownership, and provides deep network insights.

Check out this video that explains the ‘so what’ for manufacturers:

Security was (as always) a big focus at the show especially in light of the Nyetya attack that happened last week. Read more in my colleague Eric Ehler’s blog here.  In the manufacturing booth in the World of Solutions area, we had experts available to discuss IoT Threat Defense and your factory challenges.

Our experts described how Cisco IoT Threat Defense for manufacturing is an architecture approach to security, with a prescribed, regimented approach to security while still adhering to a standard Defense in Depth approach commonly followed in manufacturing facilities.  You can then employ a suite of integrated, interoperability tested security products, starting with Identity Services Engine (ISE) and TrustSec, which facilitate extensible, scalable segmentation using group-and device-based access policy throughout the network.   Check out more in this ZDNet article.

The heavy traffic around these demos indicated a lot of interest:

The big security buzz was around Cisco’s other major announcement, where engineers had discovered how to solve one of the biggest challenges in network security, previously thought impossible.  Finding malware in encrypted traffic.  Engineers were already showing four nines of accuracy in their test cases with Encrypted Traffic Analytics (ETA) and no information was being decrypted. The fact that no decryption was involved meant their approach did not come at the expense of privacy.   Security and privacy together – at last!

It was a great show, with exciting new announcements!  If you missed CiscoLive, check out many of the videos and pictures by following @CiscoMfg.  And, learn more about Cisco DNA for Manufacturing here.

 

Authors

Scot Wlodarczak

No Longer with Cisco