Cisco Threat Research Blog

Threat intelligence for Cisco Products

We detect, analyze, and protect customers from both known and unknown emerging threats

  • As Cryptocurrency Crash Continues, Will Mining Threat Follow?

    December 18, 2018

    Post authored by Nick Biasini.

    Executive Summary

    As 2018 draws to a close, one technology has definitively left its mark on the year: cryptocurrencies. Digital currencies started the year out strong after a meteoric rise toward the end of 2017. Since then, it’s safe to say that cryptocurrencies have had a massive impact globally, especially on the threat landscape. However, 2018 is ending on a sour note for these currencies, as they have been in steady decline, ending in a sudden drop resulting in losses in excess of 75 percent of their value from the highs of late 2017 and early 2018.

    Malicious cryptocurrency mining became the new payload of choice for adversaries seeking recurring revenue, dislodging the lump-sum payouts of threats like ransomware from the top of the threat landscape.

    But the sudden collapse of the market, after a gradual decline, raises the question of how the threat landscape would be affected, if at all. Despite conventional wisdom, Cisco Talos hasn’t seen a notable shift away from cryptocurrency mining. We have seen pockets of movement, but they have been confined to the email space, where both threat distribution and botnets play a crucial role. As 2018 proceeded, adversaries shifted payloads in the email space away from cryptocurrency mining and toward more modular threats like Emotet and remote access trojans (RATs). Talos is also releasing another blog today outlining some of the campaigns we’ve seen recently from well-known actors who have a history with cryptocurrency mining.

    After reviewing the real-world impact and associated data, it appears that cryptocurrency mining is not slowing down, and if anything, could be slightly increasing in frequency for certain aspects of the landscape. As we move into 2019, it’s likely that the payloads of choice will continue to diverge between different aspects of the threat landscape. Regardless, enterprises need to be prepared to deal with malicious or unauthorized cryptocurrency mining activities on their respective networks, because it’s not going away — at least not yet.


  • Connecting the dots between recently active cryptominers

    December 18, 2018

    Post authored by David Liebenberg and Andrew Williams.

    Executive Summary

    Through Cisco Talos’ investigation of illicit cryptocurrency mining campaigns in the past year, we began to notice that many of these campaigns shared remarkably similar TTPs, which we at first mistakenly attributed to a single actor. However, closer analysis revealed that a spate of illicit mining activity over the past year could be attributed to several actors, whose campaigns have netted them hundreds of thousands of U.S. dollars combined.

    This blog examines these actors’ recent campaigns, connects them to other public investigations and examines commonalities among their toolsets and methodologies.

    We will cover the recent activities of these actors:

    • Rocke — A group that employs Git repositories, HTTP File Servers (HFS), and Amazon Machine Images in their campaigns, as well as a myriad of different payloads, and has targeted a wide variety of servers, including Apache Struts 2, Jenkins and JBoss.
    • 8220 Mining Group — Active since 2017, this group leverages Pastebin sites, Git repositories and malicious Docker images. The group targets Drupal, Hadoop YARN and Apache Struts 2.
    • Tor2Mine — A group that uses tor2web to deliver proxy communications to a hidden service for command and control (C2).

    These groups have used similar TTPs, including:

    • Malicious shell scripts masquerading as JPEG files with the name “logo*.jpg” that install cron jobs and download and execute miners.
    • The use of variants of the open-source miner XMRig intended for botnet mining, with versions dependent on the victim’s architecture.
    • Scanning for and attempting to exploit recently published vulnerabilities in servers such as Apache Struts 2, Oracle WebLogic and Drupal.
    • Malicious scripts and malware hosted on Pastebin sites, Git repositories and domains with .tk TLDs.
    • Tools such as XHide Process Faker, which can hide or change the name of Linux processes, and PyInstaller, which can convert Python scripts into executables.

    We were also able to link these groups to other published research that had not always been attributed to the same actor. These additional campaigns demonstrate the breadth of exploitation activity that illicit cryptocurrency mining actors engage in.

    The recent decline in the value of cryptocurrency is sure to affect the activities of these adversaries. For instance, Rocke began developing destructive malware that posed as ransomware, diversifying their payloads as a potential response to declining cryptocurrency value.  This was a trend that the Cyber Threat Alliance had predicted in their 2018 white paper on the illicit cryptocurrency threat. However, activity on Git repositories connected to the actors demonstrates that their interest in illicit cryptocurrency mining has not completely abated. Talos published separate research today covering this trend.


  • Threat Roundup for Dec. 7 to Dec. 14

    December 14, 2018

    Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between Dec. 7 and Dec. 14. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

    As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting: spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats are subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.


  • Bitcoin Bomb Scare Associated with Sextortion Scammers

    December 14, 2018

    Organizations across the country are on edge today after a flurry of phony bomb threats hit several public entities Thursday, such as universities, schools and news outlets, among others. The attackers distributed malicious emails claiming to have placed some type of explosive materials in the recipient’s building. The emails stated the attackers would detonate these explosives unless the victim made a Bitcoin payment of several thousand dollars.

    Cisco Talos discovered that this campaign is actually an evolution of sextortion and extortion attacks that we reported on in October. The claims in the emails we’ve seen from this actor are completely false, yet they have caused untold amounts of damage as organizations have evacuated buildings and called upon law enforcement to investigate.


  • in(Secure) messaging apps — How side-channel attacks can compromise privacy in WhatsApp, Telegram, and Signal

    December 10, 2018

    Messaging applications have been around since the inception of the internet. But recently, due to the increased awareness around mass surveillance in some countries, more users are installing end-to-end encrypted apps dubbed “secure instant messaging applications.” These apps claim to encrypt users’ messages and keep their content secure from any third parties.

    However, after a deep dive into three of these secure messaging apps — Telegram, WhatsApp and Signal — we discovered that these services may not fulfill the promises they make, and may instead put users’ confidential information at risk.

    This is a serious problem, considering users download these apps in the hopes that their photos and messages will stay completely protected from third parties. These apps, which have countless users, cannot assume that their users are security educated and understand the risk of enabling certain settings on their device. As such, they have an obligation to explain the risks to users, and when possible, adopt safer defaults in their settings. In this post, we will show how an attacker could compromise these applications by performing side-channel attacks that target the operating system these apps delegated their security to. This post will dive into the methods in which these apps handle users’ data. It will not include deep technical analysis of these companies’ security.


  • Threat Roundup for Nov. 30 to Dec. 7

    December 7, 2018

    Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between Nov. 30 and Dec. 7. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

    As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting: spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats are subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.
