10 years of virtual dynamite: A high-level retrospective of ATM malware

By Talos Group It has been 10 years since the discovery of Skimer, first malware specifically designed to attack automated teller machines (ATMs). At the time, the learning curve for understanding its functionality was rather steep and analysis required specific knowledge of a manufacturer’s ATM API functions and parameters, which were not publicly documented.
Before the discovery of Skimer, anti-malware researchers‘ considered ATMs secure machines containing proprietary hardware, running non-standard operating systems, and implementing a number of advanced protection techniques designed to prevent attacks using malicious code. Researchers eventually discovered that the most popular ATM manufacturers use a standard Windows operating system and add on some auxiliary devices, such as a safe and card reader.
Over time, actors behind some of the newer ATM malware families such as GreenDispenser and Tyupkin realized that there is a generic Windows extension for Financial Services API (CEN/XFS) that can be used to make malware that runs independent of the underlying hardware platform, as long as the ATM manufacturer supports the framework. This malware can trick the machines into dispensing cash, regardless of whether the attacker has a legitimate bank card.
Over time, ATM malware has evolved to include a number of different families and different actors behind them, ranging from criminal groups to actors affiliated with nation states. The significance of ATM malware stems from the fact that it can bring significant financial benefits to attackers and as a consequence cause a significant damage to targeted banks, financial institutions and end users.
Now that this type of malware has been around for more than 10 years, we wanted to round up the specific families we’ve seen during that time and attempt to find out if the different families share any code.
The post 10 years of virtual dynamite: A high-level retrospective of ATM malware appeared first on Cisco Blog.

Source:: Cisco Security Notice

Office 365 phishing

By Ben Nahorney Let’s be honest: administering email is a pain. Routing issues, disk quotas, bouncebacks, the times when users can send but not receive emails, receive but not send, or they flat out cannot send or receive—the list goes on.
It’s no wonder that email-hosting services like Office 365 have become so popular. Such cloud-based email services remove a lot of the headaches caused by email configuration. They even include basic security features, meant to keep users safe from the latest threats.
They also provide options to simplify the user experience. Users can go directly to an Office 365 web page, enter their company credentials and log right into their email accounts from anywhere they like.
Take all this into account, add the reduction in costs that cloud email solutions often bring, and it sounds like the perfect solution. As a result, the use of services like Office 365 has skyrocketed.
Attackers have taken notice
Of course, its popularity has led to malicious attacks. Attackers are crafting and launching phishing campaigns targeting Office 365 users. The attackers attempt to steal a user’s login credentials with the goal of taking over the accounts. If successful, attackers can often log into the compromised accounts, and perform a wide variety of malicious activity:
Spread malware, spam, and phishing emails from within the internal network.
Carry out tailored attacks such as spear phishing and Business Email Compromise.
Target partners and customers.
At first glance, this may not seem very different than external email-based attacks. However, there is one critical difference: The malicious emails sent are now coming from legitimate accounts. For the recipient, it’s often even someone that they know, eliciting trust in a way that would not necessarily be afforded to an unknown source. To make things more complicated, attackers often leverage “conversation hijacking,” where they deliver their payload by replying to an email that’s already located in the compromised inbox.
Figure 1 – An example Office 365 phishing email.
Reconnaissance attacks
However, there’s so much more that an attacker can do besides sending emails. Once an attacker has access to a legitimate mailbox, they can also do the following:
Obtain global company email address lists.
Scan mailbox for other credentials, personal information, or company information.
Attempt to gain further access to company resources.
These activities can go unnoticed, simply because the attacker is gathering information while logged in using authorized credentials. This gives the attacker time for reconnaissance: a chance to observe and plan additional attacks. Nor will this type of attack set off a security alert in the same way something like a brute-force attack against a webmail client will, where the attacker guesses password after password until they get in or are detected.
The attack chain
The methods used by attackers to gain access to an Office 365 account are fairly straightforward. The phishing campaigns usually take the form of an email from Microsoft. The email contains a request to log in, claiming the user needs to reset their password, hasn’t logged in recently, or that there’s a problem with the account that needs their attention. A URL is included, enticing the reader to click to remedy the issue.
The chain of events usually plays out like this:
Attacker sends a phishing email that appears to come from Microsoft or another trusted source.
User clicks on link in the email, which brings them to a page mimicking the Office 365 login page.
User enters login credentials, which are scooped up by the attackers.
The fake page does nothing, says that the login is incorrect, or redirects the user to the real Office 365 login page.
Given this series of events, the user would be none-the-wiser that their credentials had been stolen.

Figure 2 – Office 365 login vs. phishing login. Can you spot the difference?
The frequency of attacks
How successful are these attacks? While it’s unlikely anyone but the attackers would have data on the number of stolen credentials, or overall success rate, we can draw a few conclusions by looking at the phishing emails.
Agari Data Inc. is one company that monitors a variety of data points surrounding phishing campaigns. In fact, in their quarterly Email Fraud and Identity Deception Trends report, they often look at brand impersonation trends and provided some fresh numbers for us.
Over the last few quarters, there has been a steady increase in the number of phishing emails impersonating Microsoft. While Microsoft has long been the most commonly impersonated brand, it now accounts for more than half of all brand impersonations seen in the last quarter.
Figure 3 – Brand Impersonation Phishing Emails masquerading as “Microsoft”
Cloud email security efficacy
To its credit, Microsoft has baked a number of security technologies into its Office 365 offerings. However, given how these types of phishing attacks take place off their network, there is very little that can be done from within the cloud to protect against it. If an attacker gains valid credentials and uses them, how can you tell the difference based on a login attempt?
Fortunately, there are several steps you can take to further protect your email:
Use multi-factor authentication. If a login attempt requires a secondary authorization before someone is allowed access to an inbox, this will stop many attackers, even with phished credentials.
Deploy advanced anti-phishing technologies. Some machine-learning technologies can use local identity and relationship modeling alongside behavioral analytics to spot deception-based threats.
Run regular phishing exercises. Regular, mandated phishing exercises across the entire organization will help to train employees to recognize phishing emails, so that they don’t click on malicious URLs, or enter their credentials into malicious websites. For instance, Duo offers a free phishing simulation tool, called Duo Insight.

On the horizon
Cloud email services like Office 365 aren’t going anywhere. Given the many advantages that they present, there’s no reason they should. The fact is, given the current threat landscape, it’s often necessary to leverage additional security.
Based on a recent study conducted by ESG on behalf of Cisco, more than 80 percent of respondents reported that their organization is using SaaS email services. However, 43 percent of respondents still found that, after the move, they required secondary security technologies in order to shore up their email defenses.
At the end of the day, there are still valid needs for IT teams to set policies, gain visibility and control, utilize sandboxes, and leverage external blocking capabilities. Cloud email offers a lot of advantages, but to fully deliver on its promise, there is still a role for IT to ensure it is as secure as it can be.
Interested in reading more on email security? We’re about to launch the next installment in our Cybersecurity Report Series. “Email: Click with Caution, How to protect against phishing, fraud, and other scams” will be released early next month! Stay tuned…
Like this post? Subscribe to the Threat of the Month blog series and get alerted when the next blog post is released.
The post Office 365 phishing appeared first on Cisco Blog.

Source:: Cisco Security Notice

Die neue, modulare Cisco Catalyst 9600 Serie ist da

Die neue, modulare Cisco Catalyst 9600 Serie ist da

Leistungsfähige, neue Core-Switches von Cisco sind nun auch in der Catalyst 9000er Serie verfügbar. Die „Erben“ der bewährten 4500er und 6500er Catalysten sind verfügbar. Modulare, neue Switches mit folgenden Highlights:

  • granulare Port-Optionen mit 10G/25G/40G/100G
  • sichere Segmentierung von Netzbereichen
  • State-of-the-art Hochverfügbarkeit mit n+1 Netzteilen
  • Cisco Enhanced Limited Lifetime Warranty (E-LLW)

Mehr zu den Gründen für ein Upgrade auf die neue Catalyst 9600 Serie finden Sie in diesem PDF-Dokument. Fragen Sie uns nach einfachen Möglichkeiten, Ihr Upgrade mit Cisco Capital zu finanzieren.

Datenblätter zu den Catalyst 9600 Switches finden Sie an dieser Stelle.

DSC_2012 klein

Dennis Goslar


DSC_2022 klein

Bastian Breidenbach


Dirk Zurawski
02261 9155051

Threat Roundup for May 17 to May 24

By Talos Group
Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between May 17 and May 24. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.
As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.
The post Threat Roundup for May 17 to May 24 appeared first on Cisco Blog.

Source:: Cisco Security Notice

One year later: The VPNFilter catastrophe that wasn’t

By Talos Group One year ago, Cisco Talos first disclosed the existence of VPNFilter on May 23, 2018. The malware made headlines across the globe, as it was a sophisticated piece of malware developed by a nation state, infecting half a million devices, and poised to cause havoc. Yet the attack was averted. This is the story of VPNFilter, and the catastrophe that was averted.
The post One year later: The VPNFilter catastrophe that wasn’t appeared first on Cisco Blog.

Source:: Cisco Security Notice

Sorpresa! JasperLoader targets Italy with a new bag of tricks

By Talos Group Nick Biasini and Edmund Brumaghin authored this blog post.
Executive summary
Over the past few months, a new malware loader has emerged that targets Italy and other European countries with banking trojans such as Gootkit. We recently released a comprehensive analysis of the functionality associated with JasperLoader. Shortly after the publication of our analysis, the distribution activity associated with these campaigns halted. But after several weeks of relatively low volumes of activity, we discovered a new version of JasperLoader being spread. This new version features several changes and improvements from the initial version we analyzed. JasperLoader is typically used to infect systems with additional malware payloads which can be used to exfiltrate sensitive information, damage systems or otherwise negatively impact organizations.

The attackers behind this specific threat have implemented additional mechanisms to control where the malware can spread and are now taking steps to avoid analysis by sandboxes and antivirus companies. There’s also a new command and control (C2) mechanism to facilitate communications between infected systems and the infrastructure being used to control them. The campaigns that are currently distributing JasperLoader continue to target Italian victims and further demonstrate that while JasperLoader is a relatively new threat, the developers behind it are continuing to actively refine and improve upon this malware at a rapid pace and introduce sophistication that is not commonly seen in financially motivated malware.
The post Sorpresa! JasperLoader targets Italy with a new bag of tricks appeared first on Cisco Blog.

Source:: Cisco Security Notice

GDPR One Year On: What Have We Learned?

By Robert Waitman It’s been an eventful year since the EU’s General Data Protection Regulation, or GDPR, became enforceable one short year ago on May 25, 2018. One of the biggest impacts of the GDPR has been the way in which it has altered the conversation about data privacy. Data privacy has become an increasingly global issue, and the GDPR and other similar regulations have been a forcing factor in getting companies and countries to begin taking customer privacy more seriously and strengthening their risk posture
A new Cisco white paper, Privacy Gains: Business Benefits of Privacy Investment, co-authored with the Beacon Group, looks at the ways privacy is driving value for enterprises worldwide, beyond complying with regulatory standards. The paper analyzes and details the benefits of privacy and contemplates the future state of data privacy.
Based on global survey data from the Cisco 2019 Data Privacy Benchmark Study, and Beacon’s qualitative conversations with select data privacy leaders worldwide, the paper identifies top business benefits realized through privacy investments including better agility and innovation, operational efficiencies, and competitive advantage, and fewer, less costly, data breaches. As one CEO put it, “Good privacy and being compliant can vastly reduce the risk of a data breach.”

The paper also sheds light on the challenges that privacy professionals face across disparate geographies and how they see privacy creating value. Our conversations with business leaders reveal that privacy-related sales delays are frequently caused by issues or misalignment during the vendor contracting process. Specifically, when companies‘ privacy practices or policies are subpar, or they are unwilling to share their current practices, the result can be delays in contract signing or even product redesigns. Furthermore, privacy leaders across the globe clearly articulated the ways in which privacy creates business value for their organizations, and the message is clear: good privacy is good for business.
Our Recommendations
Invest in a comprehensive privacy program and determine the outcomes you want. Then figure out how to curate data to help achieve your business objectives. Untended and uncurated assets can become liabilities. When you actively curate data, you not only achieve compliance, but also efficiency, effectiveness and profitability.
Embed privacy-awareness into your culture using employee training and awareness programs to communicate the value of privacy to all levels of your organization.
Be transparent and accountable. Demonstrate your commitment to protecting and respecting personal data, no matter where it comes from or where it flows.
For a look at Cisco’s eventful privacy journey over the past few years, check out this infographic.

More Information
Cisco and Beacon Privacy Gains White Paper
Cisco 2019 Data Privacy Benchmark Study
Cisco Data Protection and Privacy
The post GDPR One Year On: What Have We Learned? appeared first on Cisco Blog.

Source:: Cisco Security Notice

Cisco is a Representative Vendor in the first ever Gartner 2019 Market Guide for the NTA (Network Traffic Analysis) market

By Megha Mehta According to Gartner1, “Applying behavioral analysis to network traffic is helping enterprises detect suspicious traffic that other security tools are missing.”
The case for network traffic analysis to uncover hidden threats
You are charged with protecting your organization and have made multiple investments to do so. But you might be under-utilizing one of the biggest investments your organization has already made – the network infrastructure. With 1 in 4 organizations running the risk of a major breach in the next 24 months, it’s not a matter of if but when you will be breached. And you need to be able to detect and respond quickly to incidents.
The network is a rich data source, and by analyzing how the different entities are “behaving” within the network, we can identify malicious activities associated with a breach. This helps detect attacks in near real-time. Today, average time to detect a breach is 197 days2. Can you really afford to wait more than 6 months to know whether you have been compromised? Additionally, network security analytics can expedite investigations to pinpoint the source of the threat so you can take appropriate actions. This considerably cuts down the time to contain a threat from the average 69 days3 to a few hours!

Cisco’s network traffic analysis (NTA) solution, Stealthwatch provides enterprise-wide visibility, from the private network to the public cloud, and applies advanced security analytics to detect and respond to threats in real-time. Using a combination of behavioral modeling, machine learning and global threat intelligence powered by Cisco Talos, Stealthwatch can quickly and with high confidence, detect threats such as command and control attacks, ransomware, DDoS attacks, illicit cryptomining, unknown malware, as well as insider threats. With a single, agentless solution, you get comprehensive threat monitoring across the data center, branch, endpoint and cloud, and even find threats hidden in encrypted traffic.
Stealthwatch has some key attributes that you should demand from your network traffic analysis solution for the following outcomes:
Contextual network-wide visibility
First and foremost, network traffic analysis provides visibility into every device on the network and what it is doing. Legacy servers, IoT, mobile, and remote users – a lot of organizations simply don’t know what’s on their network, let alone be able to protect it. And this visibility extends across all the dynamic environments that are typical of the modern digital enterprise – from the campus, branch and data center to the cloud. And with the rise in encrypted traffic and the internet going dark, you also need visibility into threats hiding in encrypted traffic.
Predictive threat analytics
Secondly, there are some unique threats that can only be detected if you are continuously monitoring network activity. Your traditional security tools will not be able to catch insider threats – caused due to a rogue employee trying to exfiltrate sensitive data or a compromised admin credential that the attackers are now using to swoop the entire organization. Additionally, you have created a lot of security policies to prevent threats, or simply to remain compliant. But how do you know those are being enforced? That the controls you have set up are actually working? Also, as mentioned earlier, network traffic analysis tries to identify malicious behavior and therefore, can help detect threats like unknown malware.
Accelerated response
Lastly, let’s talk about incident response. What do you do if you know that you have been compromised? Where do you begin investigating? With network traffic analysis, you can attribute the malicious behavior to a specific IP and perform forensic analysis to determine how the threat has moved laterally within the organization. What other devices might be infected, where is the communication occurring externally, etc. This leads to faster response in order to prevent any business impact.
Download your complimentary copy of the first ever Gartner 2019 Market Guide for the NTA (Network Traffic Analysis) market here.
To learn more about Cisco Stealthwatch, go to https://cisco.com/go/stealthwatch

Gartner Market Guide for Network Traffic Analysis, Lawrence Orans, Jeremy D’Hoinne, Sanjit Ganguli, 28 February 2019.

Source: Ponemon 2018 Cost of a Data Breach Study

Source: Ponemon 2018 Cost of a Data Breach Study

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

The post Cisco is a Representative Vendor in the first ever Gartner 2019 Market Guide for the NTA (Network Traffic Analysis) market appeared first on Cisco Blog.

Source:: Cisco Security Notice

Innovaphone PBX V13 ist veröffentlicht

Der Trend zum flexiblen, modernen und ortsunabhängigen Arbeiten geht weiter. Die Herausforderung dabei besteht darin, Lösungen zu entwickeln, die sich ständig an neue Anforderungen anpassen. Kreativität und Mobilität, das Arbeiten in generations- und länderübergreifenden Teams und das Verschwinden der Grenzen zwischen Arbeit und Freizeit werden Kernpunkte unseres zukünftigen Arbeitslebens sein. innovaphone nimmt diese Herausforderung an und führt mit der neuen Version 13 die innovaphone myApps Gesamtlösung mit dem Communications Client myApps ein.

Highlights der V13

  • Die innovaphone PBX ist weiterhin eine leistungsstarke und durchdachte IP-Telefonanlage. Mit der Version 13r1 wird die Installation und Konfiguration der innovaphone PBX noch schneller, einfacher und bequemer. Zusammen mit den Unified Communications-Funktionalitäten im Rahmen der innovaphone myApps Plattform entfaltet sie ihre volle Leistungsstärke.
  • Die myApps Gesamtlösung besteht aus vielen eigenständigen Komponenten, die einzeln gut funktionieren, aber vor allem zusammen ihre beeindruckende Leistungsfähigkeit entfalten.
  • Mit der innovaphone PBX und der App Platform als Basis können alle Unified Communications-Funktionalitäten ohne Probleme, unabhängig vom Standort und vom verwendeten Gerät angewendet werden.
  • Der Communications Client myApps ist der neue Arbeits- und Kommunikations Client. Er erfüllt alle gewohnten UC- und Telefonie-Funktionalitäten, die in Form von einzelnen Apps gesteuert werden können.
  • Audio- und Videotelefonie, der schnelle Austausch via Messenger-Lösungen oder eine Konferenz mit Application Sharing sind mit den Apps zum Kommunizieren ganz einfach möglich.
  • Die Verwaltung der individuellen Arbeitsumgebung, das Einrichten eines Benutzerkontos oder die übersichtliche Anzeige einzelner Favoriten wird mit Hilfe der Apps zum Arbeiten ein Kinderspiel.
  • Das Anlegen und Einbinden neuer Mitarbeiter sowie eine Vielzahl an Installationen, Wartungen und Konfigurationen lassen sich mit den Apps für Administratoren blitzschnell und einfach durchführen.
  • Auch für die App Entwicklung bietet innovaphone die volle Transparenz.

Oberberg-Online ist seit über 15 Jahren zertifizierter Innovaphone-Partner und hat bereits heute die Zertifizierung für die neue V13 erhalten. Mit dieser Erfahrung stehen wir gerne auch Ihnen als Partner zur Seite.


DSC_2022 klein
Jörg Wegner
02261 9155052

Marcus Schultes


Dirk Zurawski
02261 9155051