Cisco Threat Research Blog

Threat intelligence for Cisco Products

We detect, analyze, and protect customers from both known and unknown emerging threats

New research: Are you really ready for today’s security threats?

Your business invests in all the latest security technologies. You run training. You meet your compliance requirements for scans and tests. You can stand up in front of the board and say with confidence “we’ve got this covered.”

But are you as prepared as you think?

New research from ESG sheds new light on threat readiness. Read on for four key findings you can’t afford to ignore.

Want the full story? Join us for a webinar on Dec. 4, 2019. You can register here.

Complacency is the enemy: The best are never satisfied

According to ESG’s latest research on incident readiness trends, 92 percent of IT security practitioners surveyed feel “good to excellent” about their ability to quickly detect and respond to cyber incidents. On average, they scored themselves eight out of 10 that they could completely mitigate a destructive attack.

But all the evidence tells us that the reality is very different. In the same survey, 35 percent of respondents said they had suffered a destructive attack, and of those, 41 percent indicated that it took a month or more to detect the attack.

We know that the ability to prevent, detect and respond quickly to security incidents is a trained behavior — it has to be practiced.

ESG’s research specifically surveyed security professionals who had engaged in threat-readiness activities within the last 18 months, asking about a whole range of activities, including penetration testing, tabletop exercises, red teaming and more.

“From ESG’s data, and our own experiences in the field, we see a degree of overconfidence about threat readiness,” Sean Mason, director of Talos Incident Response, said. “Being blunt, that’s dangerous. As a CIO or CISO responsible for the results of incident response efforts, it’s incumbent on you to paint a real picture of risk for your board, without sugarcoating.

The fact is, security is hard work, threats are always changing, and perfect defense is impossible — but the only thing to do is to keep striving for continuous improvement and avoid complacency. Keep plans up to date. Test them. Train hard, and don’t stop.”

Prioritize budget and be realistic about talent

Nine out of 10 organizations surveyed have performed incident readiness exercises in-house over the last 12–18 months. Of those respondents who have used internal teams and third-party service providers to perform incident readiness exercises, 58 percent say they perform the majority of their incident readiness exercises in-house. And that trend isn’t going away. More than half say they’ll hire or train more security analysts over the next 12–18 months to improve incident readiness.

This is hard to reconcile with the harsh reality of the IT talent gap. According to ESG’s 2019 Technology Spending Intentions Survey, cybersecurity remains the discipline most acutely affected by skills shortages.

“The truth is that simply due to market dynamics, most in-house IT teams struggle to recruit, let alone retain, the very best talent,” Mason said.

Whether a CIO sticks with a recruitment strategy or chooses to source expertise from specialist vendors, budget becomes the sticking point.

“Security teams consistently cite lack of budget as one of the biggest weaknesses in their threat readiness,” says Christina Richmond, principal analyst at ESG. “In fact, it’s often that only after suffering an attack does the business assign more budget to incident readiness.”

ESG found that less than a third of security teams have C-level involvement in all incident readiness activities.

“In our experience, organizations with the strongest security practices and the healthiest budgets are those where there is C-level engagement in the strategy. I’ve been lucky enough to experience it in my career, but it’s all too rare,” Mason said. “The sad truth is that it’s often only a breach that gets the attention of the CEO — and no CIO or CISO wants to have that conversation.”

Drive your security with metrics, not hopes and fears

The key to winning board-level sponsorship and budget for security is the same as for any business initiative: prove your value with data. That’s the language your CEO speaks.

Only 29 percent of survey respondents said they are able to regularly report metrics aligned to business, risk management and C-level objectives.

The numbers that talk the loudest?

“Look for the financial impact of security success: benchmark fines and legal settlements from breaches in your industry,” Mason said. “Estimate the impact on customer trust and brand goodwill, the cost of supply-chain downtime and employee productivity.”

ESG data indicates that only 29 percent of organizations are actually able to measure the financial impact of an incident today — there’s work still to do. But it’s important work. These measures will speak louder to a non-technical audience than operational metrics. And when you do use operational metrics, such as time to respond, put them in context with industry benchmarks to make them more meaningful.

Practice, don’t just assess

Security leaders have a wide range of tools in their incident-readiness kit, ranging from strategic maturity assessments to automated scans, tabletop exercises, penetration testing, threat hunting and more.

“Our research found the use of various incident response activities in the last 18 months was unbalanced,” says Richmond. “Assessments made up three of the top five activities most commonly performed, while actual practice exercises made up all of the bottom five.”

“In truth, you can’t say that you have a plan until you’ve tested it to see if it works,” says Mason. “That’s closing the loop from assessment, to plan development, to testing and back around to assessment. Running exercises and simulations is critical for ensuring that teams can react calmly and decisively when an incident happens.”

Discover the full findings from ESG’s research and pose your questions to Sean Mason and Christina Richmond on our free webinar on Dec. 4, 2019, 9 a.m. PST. Register now.

Find out how Cisco CX can help you improve your threat readiness.

Custom dropper hide and seek

Most users assume they are safe when surfing the web on a daily basis. But information-stealing malware can operate in the background of infected systems, looking to steal users’ passwords, track their habits online and hijack personal information.

Cisco Talos has been monitoring adversaries behind a wave of ongoing campaigns that have been dropping well-known information stealers such as Agent Tesla, Loki-bot and others since at least January 2019. The adversaries are using custom droppers, which inject the final malware into common processes on the victim machine. Once infected, the malware can steal information from many popular pieces of software, including the Google Chrome, Safari and Firefox web browsers.

The injection techniques we’re seeing in the wild are well-known and have been used for many years, but because the adversaries customize them, traditional anti-virus systems are having a hard time detecting the embedded malware. In this post, we’ll walk through one of these campaigns in detail and show how the different stages of the dropper hide the malware. Any internet user is a potential target of this malware, which, once it infects a system, can completely strip away a user’s online privacy.

Read More

Hunting For LolBins

Attackers’ trends tend to come and go. But one popular technique we’re seeing at this time is the use of living-off-the-land binaries — or “LoLBins”. LoLBins are used by different actors combined with fileless malware and legitimate cloud services to improve chances of staying undetected within an organisation, usually during post-exploitation attack phases.

Living-off-the-land tactics mean that attackers are using pre-installed tools to carry out their work. This makes it more difficult for defenders to detect attacks and researchers to identify the attackers behind the campaign. In the attacks we’re seeing, there are binaries supplied by the victim’s operating system that are normally used for legitimate purposes, but in these cases, are being abused by the attackers.

In this post, we will take a look at the use of LoLBins through the lens of Cisco’s product telemetry. We’ll also walk through the most frequently abused Windows system binaries and measure their usage by analyzing data from Cisco AMP for Endpoints.

You’ll also find an overview of a few recent campaigns we’ve seen using LoLBins, along with recommendations for how to detect malicious LoLBins’ activities.

Read More

Threat Roundup for November 1 to November 8

Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between Nov. 1 and Nov. 8. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Read More

Reference:

talos.tru.json – This is a JSON file that includes the IOCs referenced in this post, as well as all hashes associated with the cluster. The list is limited to 25 hashes in this blog post. As always, please remember that all IOCs contained in this document are indicators, and that one single IOC does not indicate maliciousness. See the Read More link above for more details.


How Adversaries Use Politics for Compromise

This blog post was authored by Nick Biasini and Edmund Brumaghin of Cisco Talos.

Executive Summary

With the U.S. presidential primaries just around the corner, even malware authors can’t help but get behind the frenzy. Cisco Talos recently discovered several malware distribution campaigns where the adversaries were utilizing the names and likenesses of several prominent political figures, chief among them U.S. President Donald Trump. We discovered a series of ransomware, screenlockers, remote access trojans (RATs) and other malicious applications that play off of Trump’s likeness, as well as former presidential candidate Hillary Clinton.

Some of the applications are designed to coerce victims into paying ransom demands, while others could be used to gain backdoor access to systems and provide attackers the ability to operate within organizational networks. In many cases, it is clear that the authors of these applications were motivated by their political beliefs, which were reflected in the software that they created. In this post, we’ll analyze several of these examples and provide a look at the types of malware they deployed.

There is a wide array of threats that adversaries are willing to deliver through any means necessary, including leveraging political themes and overtones. This is one of the reasons why organizations need to be diligent in protecting their environments through various technologies, applying best practices, and taking a thorough defense-in-depth approach when implementing various security controls. Additionally, ensure you have an employee information security education program that exposes users to the variety of lures that can be leveraged by adversaries to deliver these threats.

Read More

C2 With It All: From Ransomware To Carding


Cisco Talos recently discovered a new server hosting a large stockpile of malicious files. Our analysis of these files shows that these attackers were able to obtain a deep level of access to victims’ infrastructure — all of which allowed us to identify several targets of these attacks, including one American manufacturing company. Talos notified these targets of the attack.

We found a great variety of malicious files on this server, ranging from ransomware such as DoppelPaymer, to credit card capture malware such as TinyPOS, as well as some loaders that execute code delivered directly from the command and control (C2) server.

The data found on this server shows how malicious actors can diversify their activities to target different organizations and individuals, while still using the same infrastructure. The tools we studied paint a picture of an adversary that is resourceful and has a widespread infrastructure shared across different operations.

Read More

Threat Roundup for October 25 to November 1

Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between Oct 25 and Nov 1. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Read More

Reference:

TRU11012019 – This is a JSON file that includes the IOCs referenced in this post, as well as all hashes associated with the cluster. The list is limited to 25 hashes in this blog post. As always, please remember that all IOCs contained in this document are indicators, and that one single IOC does not indicate maliciousness. See the Read More link above for more details.

The commoditization of mobile espionage software

Mobile stalkerware has all sorts of wide-ranging consequences. The creators of these types of apps can track users’ locations, see their social media usage and more. And they certainly open the door for abuse by governments hoping to spy on their citizens, parents looking to track their children or controlling spouses hoping to track every move their partners make. This class of software exists to surreptitiously collect and provide this personal information, sometimes in real time.

Cisco Talos recently spotted a wave of vendors hawking this software, designed to spy on unsuspecting users. We observed apps across the globe — including activities in countries that have some of the worst human rights records — with vendors offering language- and country-specific services. In all, we discovered 87 vendors as part of our research, which we believe poses a serious threat to at-risk individuals. The stalkerware space is completely unregulated, and these apps are allowed to exist on many app stores for extended periods of time, with their creators even offering easy-to-follow tutorials online on how to trick users into downloading these apps. This is an easily accessible, yet volatile, market.

Read More

Threat Roundup for October 18 to October 25

Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between Oct 18 and Oct 25. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Read More

Reference:

TRU10252019 – This is a JSON file that includes the IOCs referenced in this post, as well as all hashes associated with the cluster. The list is limited to 25 hashes in this blog post. As always, please remember that all IOCs contained in this document are indicators, and that one single IOC does not indicate maliciousness. See the Read More link above for more details.