Cisco Threat Research Blog

Threat intelligence for Cisco Products

We detect, analyze, and protect customers from both known and unknown emerging threats

Threat Roundup for May 8 to May 15

Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between May 8 and May 15. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Read More

Reference

20200515-tru.json – this is a JSON file that includes the IOCs referenced in this post, as well as all hashes associated with the cluster. The list is limited to 25 hashes in this blog post. As always, please remember that all IOCs contained in this document are indicators, and that one single IOC does not indicate maliciousness. See the Read More link above for more details.

Threat Spotlight: Astaroth – Maze of Obfuscation and Evasion Reveals Dark Stealer

By Nick Biasini, Edmund Brumaghin and Nick Lister.

Executive summary

The threat landscape is littered with various malware families being delivered in a constant wave to enterprises and individuals alike. The majority of these threats have one thing in common: money. Many of these threats generate revenue for financially motivated adversaries by granting access to data stored on end systems that can be monetized in various ways. To maximize profits, some malware authors and/or malware distributors go to extreme lengths to evade detection, specifically to avoid automated analysis environments and malware analysts that may be debugging them. The Astaroth campaigns we are detailing today are a textbook example of these sorts of evasion techniques in practice.

The threat actors behind these campaigns were so concerned with evasion they didn’t include just one or two anti-analysis checks, but dozens of checks, including those rarely seen in most commodity malware. This type of campaign highlights the level of sophistication that some financially motivated actors have achieved in the past few years. This campaign exclusively targeted Brazil, and featured lures designed specifically to appeal to Brazilian citizens, including COVID-19 and Cadastro de Pessoas Físicas status. Beyond that, the dropper used sophisticated techniques and many layers of obfuscation and evasion before even delivering the final malicious payload. There’s another series of checks once the payload is delivered to ensure, with reasonable certainty, that the payload was only executed on systems located in Brazil and not those of a researcher or some other piece of security technology, most notably sandboxes. Beyond that, this malware uses novel techniques for command and control updates via YouTube, and a plethora of other techniques and methods, both new and old.

This blog will provide our deep analysis of the Astaroth malware family and detail a series of campaigns we’ve observed over the past nine to 12 months. This will include a detailed walkthrough of deobfuscating the attack from the initial spam message, to the dropper mechanisms, and finally to all the evasion techniques Astaroth has implemented. The goal is to give researchers the tools and knowledge to be able to analyze this in their own environments. This malware is as elusive as it gets and will likely continue to be a headache for both users and defenders for the foreseeable future. This will be especially true if its targeting moves outside of South America and Brazil.

Read More >>

Threat Roundup for May 1 to May 8

Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between Apr 24 and May 1. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Read More

Reference

20200508-tru.json – this is a JSON file that includes the IOCs referenced in this post, as well as all hashes associated with the cluster. The list is limited to 25 hashes in this blog post. As always, please remember that all IOCs contained in this document are indicators, and that one single IOC does not indicate maliciousness. See the Read More link above for more details.

Threat Roundup for April 24 to May 1

Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between Apr 24 and May 1. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Read More

Reference

20200501-tru.json – this is a JSON file that includes the IOCs referenced in this post, as well as all hashes associated with the cluster. The list is limited to 25 hashes in this blog post. As always, please remember that all IOCs contained in this document are indicators, and that one single IOC does not indicate maliciousness. See the Read More link above for more details.

Security Stories 4: Building the best cybersecurity team, with Mark Weatherford

For the Security Stories podcast, I try to interview people who have had a tremendous impact on the cybersecurity industry, and have a really interesting story to tell. This is very much the case for Mark Weatherford, whom I chat to in our latest episode (available to listen to now).

Mark has one of the most impressive cybersecurity CVs I’ve ever seen. He sits on quite a few security advisory boards – I counted seven but it might well be more than that now! This includes being on the board of directors for the National Cybersecurity Centre.

He became the first deputy under-secretary for cybersecurity at the US Department of Homeland Security from 2011 to 2013. He was also a US Navy cryptologic officer and led the Navy’s Computer Network Defense operations and the Naval Computer Incident Response Team.

After that he became the CISO for both the state of California (hired by Arnold Schwarzenegger to help “change the way California did technology”) and the state of Colorado, and was instrumental in working with the state’s legislature to get laws passed to formally establish a security program for the first time.

He’s a fascinating person to listen to, and he has now reached a point where he wants to give back and develop new cybersecurity talent. So, this interview is brimming with advice for security leaders, and it has one or two things to ponder over….

“For a lot of security professionals, we’re looking at how do we gain credibility within our organizations. FUD (Fear, uncertainty and doubt) was the easy way to do that in the past, but thankfully we’ve veered away from that now. Because you can build a security program around FUD, but it will be a program built on sand, not rock.”

Oh, and we also talk about Batman…

For our ‘On this Day’ feature, Ben and I go back in time to 1999. We uncover the origins of ‘Snort’, and its journey from a fun rainy day and weekends project through to entering InfoWorld’s Open Source Hall of Fame as one of the “greatest pieces of open source software of all time”.

And finally, for our ‘emerging threats’ feature, Ben talks about a new breed of RAT (Remote Access Trojan) recently discovered by Cisco Talos which we’re calling ‘PoetRAT’. Learn what it is, who it’s targeted, and how to protect against remote access trojans.

You can listen to Security Stories on Apple Podcasts, Spotify, Google Podcasts, or wherever you normally get your podcasts from! You can also listen right here and now:

We’ll be back with another episode in two weeks’ time. Listen to the first three episodes with more incredible guests, here: Security Stories website.

Upgraded Aggah malspam campaign delivers multiple RATs

By Asheer Malhotra

  • Cisco Talos has observed an upgraded version of a malspam campaign known to distribute multiple remote access trojans (RATs).
  • The infection chain utilized in the attacks is highly modularized.
  • The attackers utilize publicly available infrastructure such as Bitly and Pastebin (spread over a number of accounts) to direct and host their attack components.
  • Network-based detection, although important, should be combined with endpoint protections to combat this threat and provide multiple layers of security.

What’s New?

Cisco Talos has observed a new Aggah campaign consisting of the distribution of malicious Microsoft Office documents (maldocs) via malicious spam (malspam) emails distributing a multi-stage infection to a target user’s endpoint.

The final payload of the infection consists of a variety of Remote-Access-Tool (RAT) families such as:

Read More >>

Threat Roundup for April 17 to April 24

Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between Apr 17 and Apr 24. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Read More

Reference

20200424-tru.json – this is a JSON file that includes the IOCs referenced in this post, as well as all hashes associated with the cluster. The list is limited to 25 hashes in this blog post. As always, please remember that all IOCs contained in this document are indicators, and that one single IOC does not indicate maliciousness. See the Read More link above for more details.

Threat Spotlight: MedusaLocker

By Edmund Brumaghin, with contributions from Amit Raut.

Overview

MedusaLocker is a ransomware family that has been observed being deployed since its discovery in 2019. Since its introduction to the threat landscape, there have been several variants observed. However, most of the functionality remains consistent. The most notable differences are changes to the file extension used for encrypted files and the look and feel of the ransom note that is left on systems following the encryption process.

While most of MedusaLocker’s functionality is consistent with other modern ransomware families, there are features that set MedusaLocker apart from many of the other ransomware families commonly observed.

  • MedusaLocker can encrypt the contents of mapped network drives that may be present on infected systems.
  • It manipulates Windows functionality to force network drives to be remapped so that their contents can also be encrypted.
  • The malware uses ICMP sweeping to profile the network to identify other systems that can be used to maximize the likelihood of a ransom payment.

MedusaLocker can also perform ICMP sweeping to identify other systems on the same network. If the malware is able to locate them, MedusaLocker then attempts to leverage the SMB protocol to discover accessible network locations and if files are discovered in those locations, they are also encrypted and ransomed in the same manner as other locally stored data.

Read More >>

Vulnerability Spotlight: Zoom Communications User Enumeration

Video conferencing and calling software has spiked in popularity as individuals across the globe are forced to stay home due to the COVID-19 pandemic. There are a plethora of players in this space, with one or two getting increased attention. One service in particular — Zoom — has received an enormous amount of attention from the media and users.

Today, Cisco Talos is disclosing a user enumeration vulnerability in Zoom Communications that could allow a malicious user to obtain a complete list of Zoom users inside a specific organization. There has been a lot of discussion around what is and is not a vulnerability and what security features should exist in video conferencing software. This is not the purpose of this blog. This disclosure is made in accordance with our vulnerability disclosure policy, in the interests of ensuring the security and privacy of users at large against this information disclosure vulnerability.

Read More >>