Threat Roundup for September 20 to September 27

By Talos Group
Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between Sep. 20 to Sep 27. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.
As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.
Read More
Reference:
TRU272019 – This is a JSON file that includes the IOCs referenced in this post, as well as all hashes associated with the cluster. The list is limited to 25 hashes in this blog post. As always, please remember that all IOCs contained in this document are indicators, and that one single IOC does not indicate maliciousness. See the Read More link above for more details.

Source:: Cisco Security Notice

How to post a successful Mantis Request

Source:: Innovaphone

How to post a successful Mantis Request

Source:: Innovaphone

Cisco Security Supporting NATO’s Largest Cybersecurity Conference

By James McNab NIAS is NATO’s largest cyber security conference and provides an opportunity for NATO and government leaders, defence and cybersecurity specialists to discuss needs and priorities and effective cyber security solutions.
NATO’s mission is to protect the freedom of its members. It has innovated and adapted itself to ensure its policies, capabilities and structures meet current and future threats, including the collective defence of its members. In 2016, Allies reaffirmed NATO’s defensive mandate and also recognised cyberspace as a domain of operations in which NATO must defend itself as effectively as it does in the air, on land and at sea. Cybersecurity is also a critical component of its operations, enabling intelligence to be safeguarded and operational communications to be secure and confidential.
The demands on NATO associated with its cybersecurity mandate are significant as indeed are those for all organisations in keeping their workforces protected anywhere. They are up against active adversaries who are well-funded and endlessly patient. Nonetheless, effective cybersecurity should clear the path for any organisation to achieve its goals and not get in the way. It should be simple, yet powerful. Flexible, yet rock-solid. Invisible to users, yet easily managed behind the scenes.
At the heart of Cisco’s platform approach to cybersecurity is a simple idea that is consistent with the approach to air, land and sea defences: security solutions should be designed to act as a team. They should learn from each other. They should listen and respond as a coordinated unit. When that happens, security becomes more systematic and effective.
As the biggest security company in the world, Cisco has the breadth and depth of knowledge to solve platform-level challenges that span the data centre, network, cloud, internet, email, endpoints, and everywhere in between. As a global leader in networking that collaborates with customers to solve complex IT challenges, we’re uniquely positioned to embed security into any organisation’s network and architecture at scale.
Cisco Security will again have a prominent presence as Gold sponsor at NIAS, NATO’s largest cyber conference that takes place October 15-17 in Mons, Belgium, for engaging discussions on the critical role cyber security plays in securing the NATO Alliance. Under the banner Security Above Everything, Cisco’s presence includes Edna Conway, Cisco’s Chief Security Officer, Global Value Chain, as the keynote speaker talking about “The Trolls Under the Bridge: Who & What Lurks in Your Supply Chain?” and Martin Lee from Talos, Cisco Threat Intelligence, as host of a technical workshop focused on “Understanding Software Supply Chain Attacks”.
At the Cisco booth featuring the threat wall, delegates will be able to watch live demos and learn about security solutions that enable private and public organisations to prevent, detect and respond to cyber attacks. Visitors can book meetings with Cisco security experts through the event website.

Source:: Cisco Security Notice

Divergent: “Fileless” NodeJS Malware Burrows Deep Within the Host

By Talos Group Executive summary
Cisco Talos recently discovered a new malware loader being used to deliver and infect systems with a previously undocumented malware payload called “Divergent.” We first dove into this malware after we saw compelling data from Cisco Advanced Malware Protection’s (AMP) Exploit Prevention.
This threat uses NodeJS — a program that executes JavaScript outside of a web browser — as well as the legitimate open-source utility WinDivert to facilitate some of the functionality in the Divergent malware. The use of NodeJS is not something commonly seen across malware families.
The observed malware campaigns associated with Divergent feature the use of persistence techniques most commonly associated with “fileless” malware, leaving behind few artifacts for researchers to look at. This malware can be leveraged by an attacker to target corporate networks and appears to be primarily designed to conduct click fraud. It also features several characteristics that have been observed in other click-fraud malware, such as Kovter.
Read More >>

Source:: Cisco Security Notice

DevSecOps: Blending Critical Operations and Cultures to Increase Data Security

By Steve Martino Two major shifts are affecting organizational cybersecurity posture: digital product and service offerings are increasingly powered by mobile, cloud and data analytics; while developers of those products and services are migrating to Development Operations (DevOps) processes for greater agility and scale. Because both of these trends have security implications, CISOs are innovating approaches to build security in and shift it to a shared responsibility between the development and IT teams.
A new practice of DevSecOps—bridging DevOps workflows with Information Security (InfoSec) Operations—blends constructs familiar to both groups. Here are a few tips on how to start a DevSecOps initiative:
Establish the foundation. Using clearly defined guiding principles to drive security throughout the development process helps establish mutual trust among the Engineering, Operations and Security teams. This is also how expectations for mutual accountability and high security standards get defined. The org manifesto offers a great starting place. Their guidelines can be readily modified to fit a company’s unique requirements.
Prove it out first. It’s best to prove ideas manually before automating them. At Cisco, we ran an Agile security hack-a-thon with participants from the Information Security and application teams to first configure the most important security requirements – what we call the guardrails. Start by defining what your guardrails should be in the context of what platform you’ll use. For example, our first target environment was built on Amazon Web Services (AWS), so we defined 10 guardrails for our AWS accounts that fit our specific requirements. Then, conduct a hack-a-thon as you would for other Agile development efforts. Post-test readouts help the entire team be knowledgeable and support users in DevOps fashion.
Automate Your Guardrails. Provide an easy way for your teams to apply the guardrails, such as at the time of new account provisioning. Also develop simple scripting to retrofit those with existing accounts. This likely will require coordination among multiple teams – InfoSec, IT, Supply Chain, Procurement and possibly others. We achieved the security automation via our own tool we call the Continuous Security Buddy (CSB), which is built on several AWS services.
Continuously Validate. As new resources are on-boarded or other changes occur, keep guardrails up-to-date with constant security validation and real-time monitoring of security logs. Consider creating security “health reports” based on specific scoring or grading criteria to send to department tenants on a regular basis. That will empower tenants to address any critical security findings in a timely manner, and enable a cycle of teams always integrating and deploying code while getting ongoing security assurance.

Learnings and Results
At Cisco, our DevSecOps adoption and the subsequent security improvements actually exceeded our expectations. Within several weeks, our minimal viable tool ran in 72% of accounts hosting Cisco’s Cloud offers; 97% of these accounts, on average, received a health score of A or B in their daily report, indicating a healthy security posture relative to the established guardrails.
The whole effort taught us meaningful lessons about moving to a new model: the need for hands-on learning; setting realistic expectations for launch then growth; detailing the full range of compliance needs; building genuine, trusting partnerships with all key internal stakeholder groups; and taking necessary but reasonable risks. A mutually respectful and cooperative culture is perhaps the most essential ingredient. Complement your InfoSec team with other appropriately skilled resources to ensure successfully delivery of your DevSecOps principles and guardrails. The collective skills and knowledge will cross-pollinate. Bringing teams together guided by a common goal is always a recipe for success.
Also see, CISO Insights: Another side to Cyber Culture

Source:: Cisco Security Notice

The Criticality of the Network in Securing IoT and Critical Infrastructure

By Simon Finn Security is the key to the success of any digital project, whether you are connecting critical infrastructure, industrial Internet of Things (IoT), or delivering data and telemetry to reduce costs and increase revenue. We have long advocated the need for a holistic approach to IoT security, and with it, shared the vital role the network plays in embedding security. To further demonstrate the network’s role, let’s explore how it can help us tackle a series of IoT-related security challenges.
The challenge of securing communications
The first challenge is simply one of securing network communications. By default, any connected device can access anything on the network. This becomes a real problem when viewed with the realization that devices are unable to protect themselves; many devices were not designed with security built in – for example, think of your thermostat or refrigerator. Even if security is a design consideration and a devices initial state is secure, vulnerabilities will be discovered over time. Vendor support lifecycles and patching practices can vary, and it often leaves devices exposed for an extended periods. The logical conclusion to this is that we need to protect the device, and we need to protect other assets from the device.
Many organizations have undertaken extensive work to do broad grained, or macro-segmentation, which is immensely valuable from a security perspective. Yet, how do we isolate and protect devices within these segmented parts of the network, applying the principle of least access? How do we stop lateral movement of malware and reconnaissance activities within these segments themselves?
However, the IoT does represent a problem of scale. Organizations are struggling with the operational scale that is required to manage the explosion of connected devices. Operational overhead such as on-boarding devices and applying the required policy will be significantly exacerbated by the problem of sheer numbers and types of devices.
How the network can help
To deal with problems associated with lateral movement movement of threats and the need to isolate devices, we need to apply network policy as close as possible to the device. This method is commonly referred to as micro-segmentation, and Cisco taken this capability from theory to practice for years now.

To address the issues relating to scale, there are a couple of capabilities that help address these problems. Firstly, we are software defining the network, including its policy controls and segmentation. What this permits us to do is to provision controls centrally, in a fast, scalable and reliable manner. The network can also leverage what it can see, such as device profiling, location and identity, to help inform that policy. This contextual information, gathered by the network, can be also shared with other services and collected from other services. I’ll share more on the value of this in subsequent blog posts.
Secondly, we have been working on defining standards in collaboration with the Internet Engineering Task Force (IETF). For example, RFC 8520: Manufacturer Usage Description (MUD) allows manufacturers to define the policy, saving administrators many hours attempting to discern the appropriate policy to apply to new devices. The standard allows for automation of the entire process.
The network is well placed to act as a gatekeeper for devices, ensuring authentication and enforcing on-boarding workflows. Standards are currently in development, such as Bootstrapping of Remote Secure Key Infrastructure (BRSKI), that will help extend these capabilities by automating the provisioning of strong identity on devices. The network acting as the gatekeeper and orchestrator of on-boarding flows also enables protection of devices whilst in a potentially vulnerable state when first plugged in.
As you can see, the network plays a significant role protecting devices and data. Look for more to come in follow on blogs, as we explore how the network’s capabilities are extended to address other issues associated with securing the IoT.

Source:: Cisco Security Notice

The Circus is Coming to Town and Why You Should Stay Away

By Samuel Brown We are entering the integrated era
You’ve probably noticed the recent headlines of a few one-trick ponies getting together to form their own three ring circus. These events underscore a paradigm shift that is underway – the security world is entering the integrated era. Nowadays, customers want comprehensive solutions with seamless integrations across their endpoint, cloud and email security programs. Standalone vendors are just now realizing this and are scrambling to partner up with one another to satisfy the market’s demands. As an ambassador of Cisco’s integrated security portfolio, I would like to formally address these three vendors by saying: Congratulations – you finally realized what your customers need. But let me issue a caution: you’re going about it all wrong!
The new reality
A lot of things have fundamentally changed how users work today. Applications, data, and user identities have moved to the cloud, branch offices connect directly to the internet, and many users work off-network. This has given users an unprecedented ability to access, create, and share information online, which has concomitantly increased the risk of them exposing sensitive information. Additionally, advanced attackers have matured beyond the traditional defense models that rely on a patchwork of point solutions – they no longer rely on a single attack technique, and instead use multipronged approaches that may combine email phishing, fileless malware, and malicious websites.
Practitioners must protect against internet-born threats, phishing attacks, have control and visibility into their endpoints, and be able to quickly respond to incidents that arise – that’s a tall order for many reasons. First, the average enterprise has 75 security tools running in its environment. Second, most of these tools don’t communicate with one another. The sheer volume and complexity associated with responding to this information overload while simultaneously trying to correlate disparate datasets across multiple disaggregated sources is daunting. Security teams often find themselves drowning in a deluge of data and facing unmanageable workloads that make it nearly impossible for them to do their jobs well. This leaves them feeling overwhelmed and unmotivated, and further undermines cyber risk management by increasing the likelihood of them not responding to the threats that matter most fast enough, or missing them altogether. Additionally, 79% of respondents in Cisco’s 2019 CISO Benchmark Report said it was somewhat or very challenging to orchestrate alerts from multiple vendor products. To paraphrase, this implies that 79% of the security community does not view ‘Frankensteining‘ multiple point products together as a solution to their problems!
Now, don’t get me wrong – I love animals, am an avid fan of the Ringling Brothers, and think that one-trick ponies getting together is abso-friggin-lutely adorable. But frantically moving from console to console while correlating disparate threat data is a myopic approach that doesn’t solve the underlying problem. The inconvenient reality is that there always are and always will be threats to respond to, and with attack surfaces continually growing, the problem is only getting more complex. The only way to stand up to advanced attacks is by taking a highly integrated architectural approach to security.
Successful security integrations require a minimum of these 5 things – everything else will fail sooner or later:
Comprehensive coverage – Platforms that cover major threat vectors, like web and email security, span across all endpoints, and integrate with network security tools.
Intelligence sharing & automated response – Actionable threat intelligence that is shared amongst all incorporated solutions for data enrichment purposes, so that responses are automated (rather than ‘suggested‘) and if a threat is seen once anywhere, it is immediately blocked everywhere.
Centralization – Features and capabilities that allow users to consolidate information from multiple solutions on a single pane from which they can dynamically pull observables about unknown threats and kick off investigations.
Improved time to remediation (TTR) – Proven ability to significantly reduce TTR to enable SecOps teams to work more quickly and efficiently, thus decreasing likelihood of an incident becoming a full-blown breach.
Reliable integration – Integrations that wouldn’t disappear because one company changed their mind regarding their strategic direction or got acquired.
Security that works together for the integrated era
Fortunately, at Cisco, we foresaw this paradigm evolution years ago and invested in building a seamlessly integrated security platform across our SIG, email security, endpoint security, and advanced sandboxing solutions, along with our network security tools like IPS and NGFW. Backed by Cisco Talos – the largest non-governmental threat intelligence organization on the planet – real-time threat intelligence is shared amongst all incorporated technologies to dynamically automate defense updates so that if a threat is seen once, it is blocked everywhere. Teams can also kick off threat investigations and respond to incidents from a single console via Cisco Threat Response (CTR), which is a tool that centralizes information to provide unified threat context and response capabilities. In other words, Cisco’s integrated security portfolio, underscored by Threat Response streamlines all facets of security operations to directly addresses security teams‘ most pressing challenges by allowing them to:
Prioritize – SecOps teams can pinpoint threat origins faster and prioritize responding to the riskiest threats in their environment.
Block more threats – Threat Response automates detection and response, across different security tools from a single console, which allows SecOps team to operate more efficiently and avoid burnout.
Save time – Threat intelligence from Talos is shared across all integrated tools, so that you can see a threat once and block it everywhere.
As the largest cybersecurity vendor in the world, only Cisco has the scale, breadth and depth of capabilities to bring all of this together with Threat Response – and best of all, it’s FREE! Cisco Threat Response is included as an embedded capability with licenses for any tool in Cisco’s integrated security architecture.
Let’s compare the following two scenarios:
Scenario 1 – A patchwork of non-integrated security tools:
Security teams must review alerts from multiple solutions, correlate disparate datasets from various disaggregated sources investigate each threat. They triage and assign priorities, perform complex tasks with tremendous urgency with the goal of formulating an adequate response strategy based on situational awareness and threat impact, potential scope of compromise, and the criticality of damage that can ensue. This process is laborious, error-prone, and time-consuming, requiring an analyst to manually swivel through multiple consoles quickly. We’ve run internal simulations, in which all of this on average takes around 32 minutes. SOC analysts are left drained and high-severity threats risk being overlooked.
Scenario 2 – Cisco’s integrated security platform:
Security teams see an aggregated set of alerts from multiple Cisco security tools in Threat Response’s interface. The alerts are automatically compared against intelligence sources, SOC analysts can visualize a threat’s activities across different vectors, kick off an investigation, pinpoint the threats origin, and take corrective actions immediately – all from a single console. In our internal simulations this took 5 minutes.

Bottom line: Cisco’s integrated portfolio with Threat Response brings the time it takes to deal with a potential threat down from 32 minutes to 5 minutes, which is 85% faster than the non-integrated patchwork scenario!
In summary:
The recent news of partnerships combined with our internal testing has validated our strategy of developing an integrated architecture of security tools that work together. Furthermore, it has confirmed our belief that Cisco’s integrated security portfolio represents a game-changing and disruptive suite of technologies and integrations that pose a significant threat to any single point solution vendor focused on protecting just one threat vector, regardless of partnerships. Don’t be part of the circus by buying into this conglomeration of one-trick ponies, choose security that works together. Hone your security skills and attend one of our Threat Hunting Workshops.

Source:: Cisco Security Notice

How Tortoiseshell created a fake veteran hiring website to host malware

By Talos Group
Cisco Talos recently discovered a threat actor attempting to take advantage of Americans who may be seeking a job, especially military veterans. The actor, previously identified by Symantec as Tortoiseshell, deployed a website called hxxp://hiremilitaryheroes[.]com that posed as a website to help U.S. military veterans find jobs. The URL is strikingly close to the legitimate service from the U.S. Chamber of Commerce, https://www.hiringourheroes.org. The site prompted users to download an app, which was actually a malware downloader, deploying malicious spying tools and other malware.
This is just the latest actions by Tortoiseshell. Previous research showed that the actor was behind an attacker on an IT provider in Saudi Arabia. For this campaign Talos tracked, Tortoiseshell used the same backdoor that it has in the past, showing that they are relying on some of the same tactics, techniques and procedures (TTPs).
at Talosintelligence.com

Source:: Cisco Security Notice

Cybersecurity is a Team Sport

By Anthony Grieco The world is facing a collective challenge with a growing cyber threat landscape. Trends like the Internet of Things (IoT) and 5G are expanding the attack surface with over 40 billion devices expected online within five years. A new wave of advanced ransomware may cost our global economy up to $20 billion by the year 2021. Countries and regions alike are struggling to create consistent regulations that protect their citizens and stay ahead of emerging threats. Organizations wanting to go digital are looking around for who they can trust. To deliver security and trust on a global scale in this environment will require more than individual companies operating in silos, it is a multi-party responsibility including both the public and private sector. It will require a new set of diverse talent. It will require new technical capabilities. It will require research to help stay one step ahead. It will require collaboration. Each of these requirements need to be cultivated to get us where we need to be as an industry.

The time to plant the seeds for our collective future is with action – today.

We know the pain of digital transformation. At Cisco, we’ve gone through our own transformation in a highly complex environment. Think many clouds, operating 176,000 networks across the globe, blocking 20 billion threats on the internet a day, not to mention delivering our portfolio of over 600 product lines. The struggle is real. But even if we don’t have all the answers, the silver lining is that this experience has pushed us to learn at every stage of our journey. We see it as our role and responsibility to share our experience with others and are constantly looking for new opportunities to amplify those efforts. After all, cybersecurity is a team sport. As organizations, countries, and regions raise the bar for global cybersecurity…we all reap the benefits. Many are talking about co-innovation, collaboration and partnerships. We need to do more than talk. We need the right tools and the right environment where productive conversations, best practice sharing, and hands-on learning can happen.
That is why we are investing in our first Center of Excellence and Co-Innovation that will focus on cybersecurity and privacy. Opening in Milan in 2020, the center will bring together experts from both the public and private sectors to connect, learn, research and create solutions to help solve some of our most pressing security and privacy challenges. Leveraging our global network of Co-Innovation Centers and Cisco DevNet, a platform with more than 500,000 developers, the center will provide an environment to tackle complex challenges such as securing critical infrastructure (i.e. utilities, smartgrids) as well as evaluating the future complications of technologies like IoT and 5G. To supplement our investment on the future, we are also supporting a number of scholarships for a Master of Science in Cyber Risk Strategy & Governance at two Italian universities.
Cisco works with universities around the world in over a hundred different research projects and programs related to the enhancement of cybersecurity, data protection and privacy. This is in addition to more than 326,000 students worldwide who took cybersecurity courses last fiscal year through Cisco Networking Academy. Through collaboration and education, our goal is for these actions to cultivate future talent and build expertise for the next generation.
I am proud of the long-term commitment Cisco has laid down to help build the next generation of cybersecurity talent and co-innovation. My challenge to each of you is to join us – either physically at one of our programs or philosophically aligned to the spirit of collaboration. Regardless of where you are on your journey. Maybe you are new to cybersecurity. Or you are just starting to take your organization digital. There is a role and place for your contribution. If you have just started, I encourage you to seek out others who have a long history and experience with security and privacy challenges. For those of you who have that proven experience…it is your role to share it. Because the reality is that no one is going to win alone. It’s time for action and to get involved.
To succeed in tackling the world’s most critical and complex cybersecurity challenges we must work together. Join the team.
Want to hear more about Cisco’s cybersecurity journey? Check out our Trust Center to learn more.

Source:: Cisco Security Notice