Cisco Threat Research Blog

Threat intelligence for Cisco Products

We detect, analyze, and protect customers from both known and unknown emerging threats

Incident Response Lessons From Recent Maze Ransomware Attacks

This post authored by JJ Cummings and Dave Liebenberg

This year, we have been flooded with reports of targeted ransomware attacks. Whether it’s a city, hospital, large- or medium-sized enterprise — they are all being targeted. These attacks can result in significant damage, cost, and have many different initial infection vectors. Recently, Talos Incident Response has been engaged with a couple of these attacks, which involved the use of targeted ransomware. The concept of targeted ransomware attacks is simple: Get access to a corporate network, gain access to many systems, encrypt the data on a large chunk of them, ask for a large lump sum payment to regain access to those systems, and profit.

The first widespread targeted ransomware attacks involved the SamSam ransomware, which Cisco Talos researchers first discovered in early 2016. Those attacks were incredibly profitable, despite ending in indictments from the U.S. government.

In 2019, there have been multiple players in this space, the most prolific of which has been the Ryuk campaigns that start with Emotet and Trickbot. Other targeted ransomware attacks have involved other types of ransomware and varied attack methodology. Included in this list is ransomware like LockerGoga, MegaCortex, Maze, RobbinHood, and Crysis, among others. More recently, attackers have taken the extra step of exfiltrating data and holding it hostage, which they claim they will release to the public unless payment is received, a form of doxxing.

Read More

Threat Roundup for December 6 to December 13

Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between Dec 6 and Dec 13. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Read More

Reference:

TRU12132019 – This is a JSON file that includes the IOCs referenced in this post, as well as all hashes associated with the cluster. The list is limited to 25 hashes in this blog post. As always, please remember that all IOCs contained in this document are indicators, and that one single IOC does not indicate maliciousness. See the Read More link above for more details.

Talos Vulnerability Discovery Year in Review – 2019

Introduction

Cisco Talos’ Systems Security Research Team investigates software, operating system, IOT and ICS vulnerabilities in order to discover them before malicious threat actors do. We provide this information to the affected vendors so that they can create patches and protect their customers as soon as possible. We strive to improve the security of our customers with detection content, which protects them while the vendor is creating, testing, and delivering the patch. These patches ultimately remove the vulnerability in question, which increases security not only for our customers but for everyone. After these patches become available, the Talos detection content becomes public, as well. Talos regularly releases executive blogs (Vulnerability Spotlights) and in-depth analyses of vulnerabilities discovered by us. You can find all of the release information via the Talos Vulnerability Information page here.

Read the rest of the details on the Talos Blog

Threat Roundup for November 29 to December 6

Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between Nov 29 and Dec 6. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Read More

Reference:

TRU12062019 – This is a JSON file that includes the IOCs referenced in this post, as well as all hashes associated with the cluster. The list is limited to 25 hashes in this blog post. As always, please remember that all IOCs contained in this document are indicators, and that one single IOC does not indicate maliciousness. See the Read More link above for more details.

Threat Roundup for November 15 to November 22

Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between Nov 15 and Nov 22. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Read More

Reference:

TRU11222019 – This is a JSON file that includes the IOCs referenced in this post, as well as all hashes associated with the cluster. The list is limited to 25 hashes in this blog post. As always, please remember that all IOCs contained in this document are indicators, and that one single IOC does not indicate maliciousness. See the Read More link above for more details.

New research: Are you really ready for today’s security threats?

Your business invests in all the latest security technologies. You run training. You meet your compliance requirements for scans and tests. You can stand up in front of the board and say with confidence “we’ve got this covered.”

But are you as prepared as you think?

New research from ESG sheds new light on threat readiness. Read on for four key findings you can’t afford to ignore.

Want the full story? Join us for a webinar on Dec. 4, 2019. You can register here.

Complacency is the enemy: The best are never satisfied

According to ESG’s latest research on incident readiness trends, 92 percent of IT security practitioners surveyed feel “good to excellent” about their ability to quickly detect and respond to cyber incidents. On average, they scored themselves eight out of 10 that they could completely mitigate a destructive attack.

But all the evidence tells us that the reality is very different. In the same survey, 35 percent of respondents said they had suffered a destructive attack, and of those, 41 percent indicated that it took a month or more to detect the attack.

We know that the ability to prevent, detect and respond quickly to security incidents is a trained behavior — it has to be practiced.

ESG’s research specifically surveyed security professionals who had engaged in threat-readiness activities within the last 18 months, asking about a whole range of activities, from pen testing, tabletop exercises, red teaming and more.

“From ESG’s data, and our own experiences in the field, we see a degree of overconfidence about threat readiness,” Sean Mason, director of Talos Incident Response, said. “Being blunt, that’s dangerous. As a CIO or CISO responsible for the results of incident response efforts, it’s incumbent on you to paint a real picture of risk for your board, without sugarcoating.

The fact is, security is hard work, threats are always changing, and perfect defense is impossible — but the only thing to do is to keep striving for continuous improvement and avoid complacency. Keep plans up to date. Test them. Train hard, and don’t stop.”

Prioritize budget and be realistic about talent

Nine out of 10 organizations surveyed have performed incident readiness exercises in-house over the last 12-18 months. Of those respondents who have used internal teams and third-party service providers to perform incident readiness exercises, 58 percent say they perform the majority of their incident readiness exercises in-house. And that trend isn’t going away. More than half say they’ll hire or train more security analysts over the next 12–18 months to improve incident readiness.

This is hard to reconcile with the harsh reality of the IT talent gap. According to ESG’s 2019 Technology Spending Intentions Survey, cybersecurity remains the discipline most acutely affected by skills shortages.

“The truth is that simply due to market dynamics, most in-house IT teams struggle to recruit, let alone retain, the very best talent,” Mason said.

Whether a CIO sticks with a recruitment strategy or chooses to source expertise from specialist vendors, budget becomes the sticking point.

“Security teams consistently cite lack of budget as one of the biggest weaknesses in their threat readiness,” says Christina Richmond, principal analyst at ESG. “In fact, it’s often that only after suffering an attack does the business assign more budget to incident readiness.”

ESG found that less than a third of security teams have C-level involvement in all incident readiness activities.

“In our experience, organizations with the strongest security practices and the healthiest budgets are those where there is C-level engagement in the strategy. I’ve been lucky enough to experience it in my career, but it’s all too rare,” Mason said. “The sad truth is that it’s often only a breach that gets the attention of the CEO — and no CIO or CISO wants to have that conversation.”

Drive your security with metrics, not hopes and fears

The key to winning board-level sponsorship and budget for security is the same as for any business initiative: prove your value with data. That’s the language your CEO speaks.

Only 29 percent of survey respondents said they are able to regularly report metrics aligned to business, risk management and C-level objectives.

The numbers that talk the loudest?

“Look for the financial impact of security success: benchmark fines and legal settlements from breaches in your industry,” Mason said. “Estimate the impact on customer trust and brand goodwill, the cost of supply-chain downtime and employee productivity.”

ESG data indicates that only 29 percent of organizations are actually able to measure the financial impact of an incident today — there’s work still to do. But it’s important work. These measures will speak louder to a non-technical audience than operational metrics. And when you do use operational metrics, such as time to respond, put them in context with industry benchmarks to make them more meaningful.

Practice, don’t just assess

Security leaders have a wide range of tools in their incident-readiness kit, ranging from strategic maturity assessments to automated scans, tabletop exercises, penetration testing, threat hunting and more.

“Our research found the use of various incident response activities in the last 18 months was unbalanced,” says Richmond. “Assessments made up three of the top five activities most commonly performed; while actual practice exercises made up all of the bottom five.”

“In truth, you can’t say that you have a plan until you’ve tested it to see if it works,” says Mason. “That’s closing the loop from assessment, to plan development, to testing and back around to assessment. Running exercises and simulations is critical for ensuring that teams can react calmly and decisively when an incident happens.”

Discover the full findings from ESG’s research and pose your questions to Sean Mason and Christina Richmond on our free webinar on Dec. 4 2019, 9 a.m. PST. Register now.

Find out how Cisco CX can help you improve your threat readiness.

Custom dropper hide and seek

Most users assume they are safe when surfing the web on a daily basis. But information-stealing malware can operate in the background of infected systems, looking to steal users’ passwords, track their habits online and hijack personal information.

Cisco Talos has monitored adversaries who are behind a wave of ongoing campaigns dropping well-known information-stealers like Agent Tesla, Loki-bot and others since at least January 2019. The adversaries use custom droppers, which inject the final malware into common processes on the victim machine. Once infected, the malware can steal information from many popular pieces of software, including the Google Chrome, Safari and Firefox web browsers.

The injection techniques we’re seeing in the wild are well-known and have been used for many years, but because the adversaries customize them, traditional anti-virus systems have a hard time detecting the embedded malware. In this post, we’ll walk through one of these campaigns in detail and show how the different stages of the dropper hide the malware. Any internet user is a potential target of this malware, and once a system is infected, it has the potential to completely take away a user’s online privacy.

Read More

Hunting For LolBins

Attackers’ trends tend to come and go. But one popular technique we’re seeing at this time is the use of living-off-the-land binaries — or “LoLBins”. LoLBins are used by different actors combined with fileless malware and legitimate cloud services to improve chances of staying undetected within an organisation, usually during post-exploitation attack phases.

Living-off-the-land tactics mean that attackers are using pre-installed tools to carry out their work. This makes it more difficult for defenders to detect attacks and researchers to identify the attackers behind the campaign. In the attacks we’re seeing, there are binaries supplied by the victim’s operating system that are normally used for legitimate purposes, but in these cases, are being abused by the attackers.

In this post, we will take a look at the use of LoLBins through the lens of Cisco’s product telemetry. We’ll also walk through the most frequently abused Windows system binaries and measure their usage by analyzing data from Cisco AMP for Endpoints.

You’ll also find an overview of a few recent campaigns we’ve seen using LoLBins, along with recommendations for how to detect malicious LoLBins’ activities.

Read More

Threat Roundup for November 1 to November 8

Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between Nov 1 and Nov 8. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Read More

Reference:

talos.tru.json – This is a JSON file that includes the IOCs referenced in this post, as well as all hashes associated with the cluster. The list is limited to 25 hashes in this blog post. As always, please remember that all IOCs contained in this document are indicators, and that one single IOC does not indicate maliciousness. See the Read More link above for more details.