Cisco Threat Research Blog

Threat intelligence for Cisco Products

We detect, analyze, and protect customers from both known and unknown emerging threats

Breaking down a two-year run of Vivin’s cryptominers

News Summary

  • There is another large-scale cryptomining attack from an actor we are tracking as “Vivin” that has been active since at least November 2017.
  • “Vivin” has consistently evolved over the past few years, despite having poor operational security and exposing key details of their campaign.

By Andrew Windsor.

Talos has identified a new threat actor, internally tracked as “Vivin,” conducting a long-term cryptomining campaign. We first began linking different samples of malware dropping illicit coin miners to the same actor in November of 2019. However, upon further investigation, Talos established a much longer timeline of activity. Observable evidence shows that Vivin has been active since at least November 2017 and is responsible for mining thousands of U.S. dollars in Monero cryptocurrency off of their infected hosts.

Vivin has shown to rotate the use of multiple cryptocurrency wallet addresses, in addition to altering the delivery chain of their payloads, over different time periods of activity. An interesting aspect of the actor’s delivery method is their use of modified pirated software as their initial attack vector before the samples move on to common “living-off-the-land” methods at later stages of the attack. Vivin makes a minimal effort to hide their actions, making poor operational security decisions such as posting the same Monero wallet address found in our observable samples on online forms and social media. Nor do they discriminate in their targeting, attempting to capitalize on general user behavior, rather than targeting, to generate as large a victim pool as possible.

Despite the market downturn for cryptocurrency values in 2018, cryptomining remained a popular attack method for malicious actors throughout 2019 and heading into 2020. Over the course of last year, Talos Incident Response observed a number of cryptomining attacks, some of which potentially involved higher coordinated cybercrime groups and collaboration between multiple different threat actors. While more sophisticated actors certainly pose a significant threat, organizations should remain cognizant of the additional threat posed by less advanced actors employing wide or unrestricted targeting. Talos has previously documented one such actor, “Panda,” illustrating their potential for long-term exploitation of their victims’ resources and their resilience from being deterred from future action. These attributes make Vivin, and other actors like them, legitimate risks to organizational resource abuse and potential data theft.

Read More >>

Threat Roundup for January 10 to January 17

Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between Jan 10 and Jan 17. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Read More

Reference:

TRU01172020 – This is a JSON file that includes the IOCs referenced in this post, as well as all hashes associated with the cluster. The list is limited to 25 hashes in this blog post. As always, please remember that all IOCs contained in this document are indicators, and that one single IOC does not indicate maliciousness. See the Read More link above for more details.

JhoneRAT: Cloud based python RAT targeting Middle Eastern countries

Today, Cisco Talos is unveiling the details of a new RAT we have identified we’re calling “JhoneRAT.” This new RAT is dropped to the victims via malicious Microsoft Office documents. The dropper, along with the Python RAT, attempts to gather information on the victim’s machine and then uses multiple cloud services: Google Drive, Twitter, ImgBB and Google Forms. The RAT attempts to download additional payloads and upload the information gathered during the reconnaissance phase. This particular RAT attempts to target a very specific set of Arabic-speaking countries. The filtering is performed by checking the keyboard layout of the infected systems. Based on the analyzed sample, JhoneRAT targets Saudi Arabia, Iraq, Egypt, Libya, Algeria, Morocco, Tunisia, Oman, Yemen, Syria, UAE, Kuwait, Bahrain and Lebanon.

For more, read the rest on the Talos blog here.

New Snort rules protect against recently discovered Citrix vulnerability

By Edmund Brumaghin, with contributions from Dalton Schaadt.

Executive Summary

Recently, the details of a critical vulnerability affecting Citrix Application Delivery Controller and Citrix Gateway servers were publicly disclosed. This vulnerability is currently being tracked using CVE-2019-19781. A public patch has not yet been released, however, Citrix has released recommendations for steps that affected organizations can take to help mitigate the risk associated with this vulnerability. Successful exploitation of CVE-2019-19781 could allow a remote attacker to execute arbitrary code on affected systems.

Read More >>

Threat Roundup for January 3 to January 10

Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between Jan 3 and Jan 10. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Read More

Reference:

TRU01102020 – This is a JSON file that includes the IOCs referenced in this post, as well as all hashes associated with the cluster. The list is limited to 25 hashes in this blog post. As always, please remember that all IOCs contained in this document are indicators, and that one single IOC does not indicate maliciousness. See the Read More link above for more details.

Continued Escalation of Tensions in the Middle East

Cisco Talos works with many organizations around the world, monitoring and protecting against sophisticated threats every day. As such, we are watching the current state of events in the Middle East very closely for our customers and partners who may be impacted by the ongoing situation. We are continuing to evaluate potential threats and attack vectors, especially related to critical infrastructure and high-profile businesses and industries.

A challenge with protecting against state-sponsored campaigns is that the primary and ideal targets are potentially already compromised, either by a specific adversary or their allies who would be amenable to acting on their behalf. In previous research, Talos has observed footholds like this that can go undetected for extended periods, waiting to be modified remotely to exact a variety of potential malicious activities.

It may be difficult for primary target organizations to detect activity and defend themselves at the perimeter. Hopefully, they have employed a layered defense, which should include two-factor authentication, network segmentation and endpoint protection.

Of course, the potential also exists for the adversary to move away from a targeted maneuver to more broadly focused disruptions that could incorporate a much wider array of businesses and even consumers. This means that everyone should view this as a wake-up call — shore up defenses, update/patch your devices and focus on cyber hygiene. Employ authentication everywhere, beware of suspicious links, emails, etc. — phishing/credential theft continues to be popular among attackers. Every business should at least take a second look at every strange thing they see — don’t ignore anomalous activities, take the time to see if there is something nefarious at the end of the tunnel.

While prior campaigns in the region have heavily relied on wiper malware, this is no guarantee that future campaigns will continue this trend. At times like this, vigilance is key.

Read More >>

Cisco ASA DoS Bug Attacked in Wild

This post authored by Nick Biasini

Cisco Talos has recently noticed a sudden spike in exploitation attempts against a specific vulnerability in our Cisco Adaptive Security Appliance (ASA) and Firepower Appliance. The vulnerability, CVE-2018-0296, is a denial-of-service and information disclosure directory traversal bug found in the web framework of the appliance. The attacker can use a specially crafted URL to cause the ASA appliance to reboot or disclose unauthenticated information.

This vulnerability was first noticed being exploited publicly back in June 2018, but it appeared to increase in frequency in the past several days and weeks. As such, we are advising all customers to ensure they are running a non-affected version of code. Additionally, we want to highlight that there is a Snort signature in place to detect this specific attack (46897). Concerned customers should ensure it is enabled in applicable policies that could detect this exploitation attempt.

Read More>>

Threat Roundup for December 13 to December 20

Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between Dec 13 and Dec 20. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Read More

Reference:

TRU12202019 – This is a JSON file that includes the IOCs referenced in this post, as well as all hashes associated with the cluster. The list is limited to 25 hashes in this blog post. As always, please remember that all IOCs contained in this document are indicators, and that one single IOC does not indicate maliciousness. See the Read More link above for more details.

Incident Response Lessons From Recent Maze Ransomware Attacks

This post authored by JJ Cummings and Dave Liebenberg

This year, we have been flooded with reports of targeted ransomware attacks. Whether it’s a city, hospital, large- or medium-sized enterprise — they are all being targeted. These attacks can result in significant damage, cost, and have many different initial infection vectors. Recently, Talos Incident Response has been engaged with a couple of these attacks, which involved the use of targeted ransomware. The concept of targeted ransomware attacks is simple: Get access to a corporate network, gain access to many systems, encrypt the data on a large chunk of them, ask for a large lump sum payment to regain access to those systems, and profit.

The first widespread targeted ransomware attacks involved the SamSam ransomware, which Cisco Talos researchers first discovered in early 2016 and were incredibly profitable, despite ending in indictments from the U.S. government.

In 2019, there have been multiple players in this space, the most prolific of which has been the Ryuk campaigns that start with Emotet and Trickbot. Other targeted ransomware attacks have involved other types of ransomware and varied attack methodology. Included in this list is ransomware like LockerGoga, MegaCortex, Maze, RobbinHood, and Crysis, among others. More recently, attackers have taken the extra step of exfiltrating data and holding it hostage, which they claim they will release to the public unless payment is received, a form of doxxing.

Read More >>