Malvertising: Online Advertising’s Darker Side

By Talos Group
By Nick Biasini, Chris Neal and Matt Valites.
Executive summary
One of the trickiest challenges enterprises face is managing the balance between aggressively blocking malicious advertisements (aka malvertising) and allowing content to remain online, accessible for the average user. The days of installing a basic ad blocker on your web browser and expecting full protection are gone. Between the sites that require them to be disabled and the ability for advertisers to pay to evade them, ad blockers alone are not sufficient.
As this blog will cover in detail, malvertising is a problem not strictly associated with basic web browsing. It can also come with other software programs including adware or potentially unwanted applications (PUA). These latter examples require the most attention. In today’s enterprise, an aggressive approach to advertising is required to be protected against malicious threats. That may include securing your DNS or adding additional layers of inspection through a firewall, intrusion prevention system, or a web security platform. Regardless of the approach, it needs to be thorough and take into account not just the security impacts, but the potential of cascading impact on your users.
Advertising is a key part of the internet as a whole and, whether you realize it or not, is one of the most foundational aspects of it. It is one of the reasons that a large chunk of the content available on the internet is free. It allows people to support their passion projects, their small businesses, and the food blogs of people around the world. However, it is a highly complex and convoluted system that is ripe for abuse. This is an issue that should not be ignored by the public, as these malicious ads can deliver malware out of nowhere and trick traditional internet users who may not be aware of the threats that exist on some pages.
This blog is going to walk through how online advertising works, what malvertising is and why it’s dangerous including real life examples, and finally the options that exist for organizations and private citizens to try and protect themselves from these threats.

Source:: Cisco Security Notice

Cisco Scores BIG With A New IETF-Approved Internet Standard

By Kevin Skahill
All great teams have a shared language. Whether you’re the reigning World Cup Champions or an IT team on the frontlines of network defense, collaboration is the key to success. And effective collaboration hinges on communication.
For years, Cisco has operated on the cutting-edge of communication standards, working tirelessly to make multi-platform communication seamless and efficient.
This June, Cisco achieved a historic milestone when the Internet Engineering Task Force (IETF) declared our XMPP-Grid architecture an official Internet standard for security information exchange.

Cisco’s Extensible Messaging and Presence Protocol (XMPP) – the underpinnings of Cisco Platform Exchange Grid (pxGrid for short) 1.0 – ushered in a new era of seamless collaboration, allowing information to be shared between security platforms from multiple vendors. Prior to this innovation, IT teams faced a discouraging reality: Despite having a wealth of security information from dozens of multivendor platforms at their fingertips, it was nearly impossible for IT teams to configure these technologies to share identity and context information in real-time.
pxGrid enables IT teams to harness the full potential of their security technologies. An open, scalable, and highly-secure form of security information exchange, Cisco’s pxGrid technology facilitates integrations between its 60 Technical Alliance Partners today. These integrations eliminate the complexity of single-purpose APIs by allowing all integrated platforms to publish and subscribe to relevant security information. With this additional security context, actionable intelligence is available to perform automated incident response, for mitigating risks and containing threats more effectively. In short, pxGrid enhances the power of your security apparatus through effective communication.
And this is only the start: As Cisco’s nearly 40,000 Identity Services Engine customers migrate to pxGrid 2.0’s WebSocket based architecture, Cisco continues to lead the way in a growing ecosystem of open security information exchange.
Cisco’s implementation of the standard, pxGrid, is available on Cisco Identity Services Engine (ISE). If you are one of our Cisco ISE customers already collaborating effectively via Cisco pxGrid, thank you for supporting our community! And if you have technology partners who have not yet integrated their platforms with Cisco pxGrid, please request that they adopt this new standard.

If you are a Cisco ISE customer but have yet to benefit from security ecosystem integrations to address use cases such as intent based network segmentation and rapid threat containment, please learn about how Cisco pxGrid can be licensed and deployed.
Megan Rapinoe and Alex Morgan would probably be the first to say that the success of the US Women’s National Team depends on superior communication. As an IETF-approved internet standard, pxGrid helps elevate your information security practices. Through this open communication standard, your security technologies work together to form a solid defense, so your company is free to concentrate on business and score big where it matters.

Source:: Cisco Security Notice

Threat Roundup for July 19 to July 26

By Talos Group
Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between July 19 and July 26. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.
As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, or

Reference: TRU07262019 – This is a JSON file that includes the IOCs referenced in this post, as well as all hashes associated with the cluster. The list is limited to 25 hashes in this blog post. As always, please remember that all IOCs contained in this document are indicators, and that one single IOC does not indicate maliciousness. See the Read More link above for more details.

Source:: Cisco Security Notice

DNS under attack

By Ben Nahorney
You’ve probably heard the stories by now: one of the fundamental technologies that keeps the internet working has recently become a regular target for attackers.
Earlier this month, the UK’s National Cyber Security Centre released an advisory warning of DNS hijacking attacks across multiple regions and sectors. (This was their second such advisory in six months.) Last month, in their 2019 Global DNS Threat Report, IDC highlighted an increased number of DNS attacks and the subsequent costs. And earlier this year, ICANN warned of “ongoing and significant risk to key parts” of the internet’s DNS infrastructure, calling for the adoption of more robust security implementations.
Cisco Talos, Cisco’s threat intelligence group, had been watching DNS closely during this time. Talos spotted multiple attacks relying on DNS hijacking and manipulation as their main infection vector, releasing research that prompted many of these warnings.
Attacks against DNS are of significant concern. But what exactly is DNS? How is it being attacked? And what can be done to protect against these attacks?
DNS basics
Let’s start with a brief explanation of the technology. The Domain Name System (DNS) is the core technology that directs users to different web sites and other locations on the internet. Think of it like asking a librarian for help locating a book. Only instead of asking about a book, you ask for a particular web site. DNS checks its records, and then tells your computer where the web site is located.
DNS also works as a translator of sorts. It takes the human-readable domains (e.g. and matches it to the site’s IP address, the number that computers use to identify the location of the domain. In short, the user asks, “What is the IP address of this domain?” and DNS tells you.
Figure 1- How DNS works
The standard process for looking up domains is a little more complicated than described, involving more than one DNS server. The first server contacted, the DNS Resolver, is much like the librarian. The process from there often goes as follows:
The resolver will ask the DNS Root Server where the web site resides in much the same way the librarian will consult the card catalog for the location in the library.
The root server will send the resolver to the Top Level Domain server (TLD)—the DNS servers broken down by .com, .net, .org, etc. Think of this as a digital Dewey Decimal System.
The TLD server will know where the DNS Name Server is—the official DNS server of the domain you are trying to reach—and will tell the resolver the IP address. The name server is the card for the book.
The resolver tells your computer the IP address of the domain, and your computer goes to the site. This is the location of the book printed on the card.
Figure 2- How DNS works (detailed)
Where it all goes wrong
The thing about DNS attacks is that they don’t go directly after their intended target. Rather, they attack the librarian.
This attack is commonly referred to as “DNS hijacking” or “DNS redirection.” You are asking for the location of a particular book, but the information the librarian has is compromised. Instead of sending you to the correct location where your book resides, the librarian instead sends you to a dark, spiderweb-infested corner of the library. Even the book you pull off the shelf may look like what you wanted, but actually be something entirely different—the supposed children’s book turns out to be the Anarchist Cookbook instead.
The attack comes down to altering the route to a legitimate website to lead to a malicious one, ultimately compromising the target. You ask for the IP address of a particular domain you want to visit, but the DNS records have been changed so that you are sent to a malicious IP address instead.
Figure 3 – DNS redirection
There are a number of points at which a malicious actor can compromise DNS records. To name a few:
The DNS administrator may be phished, giving up his or her credentials, and the attackers log into the DNS interface and change the site’s IP address.
The DNS hosting interface—where records are managed and updated—may be compromised, allowing the attacker to change records for the domain.
Any of the DNS servers or infrastructure along the DNS request chain could be compromised, leading to a redirection.

A decade of redirection attacks
While various flaws and weaknesses in the DNS system had been known for a while, the first notable DNS attacks began in 2009. At the time, attackers managed to briefly change the DNS records for to point to a hacktivist website for the Iranian Cyber Army.
Over the course of the next few years, a number of DNS-related attacks occurred:
In 2011 a Turkish hacker managed to redirect roughly 186 domains to point to a “you’ve been hacked”-type page.
The Syrian Electronic Army managed to redirect The New York Times, Twitter, and The Huffington Post to a hacktivist web site, and then attempted the same against Facebook, in attacks carried out in 2013 and 2014. (The Facebook attack was stopped in part thanks to multi-factor authentication.)
In 2015, regional Google sites for Vietnam and Malaysia were hijacked via DNS redirection.
The cryptocurrency company, Blockchain, had its DNS records hijacked in 2016. (Fortunately, the record change was quickly spotted by OpenDNS and restored.)
There have been many more such attacks during this 10-year timespan, some successfully, some not. However, Talos researchers discovered DNS attacks had reached a whole new level in late 2018.
It all started with a LinkedIn message. The DNS administrator, thinking it was from a recruiter who was impressed with their work, clicked on a link that led to a document that they thought they could fill out to apply for an open position.
Figure 4 – Malicious document used in DNSpionage
However, the document was actually infected with malicious macros. The administrator’s machine was compromised as a result, allowing the attackers to steal DNS login information.
Having gained the ability to control the domain, the attackers subsequently redirected a webmail server to a malicious IP address, and registered valid certificates to “legitimize” the redirected domain. Any visitor to this site would be wholly unaware that anything was out of the ordinary.
Figure 5 – DNSpionage attack process
In the process of investigating the tactics, techniques, and procedures of the DNSpionage attackers, Talos Intelligence discovered another separate, and arguably more concerning, attack against TLD DNS servers.
Sea Turtle

While having a similar end-goal as DNSpionage—stealing information—the attackers behind Sea Turtle went after the network infrastructure where the TLD servers were hosted, exploiting known vulnerabilities in these servers to gain access. Once the TLD servers were compromised, they modified the IP addresses of the name servers for particular domains.
This approach gave the attackers more control over the redirection. By setting up a malicious name server, the attacker can choose when requests for a particular domain are sent to the legitimate site and when they are sent to a malicious site.
Figure 6 – Sea Turtle attack process
Similar to DNSpionage, Sea Turtle changed the records of webmail servers, where the attackers could intercept and steal the information they were after, and then send the target on to the legitimate system when done.
Other related attack techniques
In this blog we’ve focused on various DNS redirection attacks and techniques. There is far, far more to the attacks than is covered here. Talos has published multiple blogs on the attack that include details on payloads and the malicious techniques used by the attackers. Links to these blogs are included in the “Additional Reading” section below.
There are a few other ways that attackers have used DNS to perform malicious activities. Some threats, such as DNSpionage and DNSMessenger, communicate with command and control (C2) systems using DNS. DNSMessenger, along with other threats, has also been seen tunneling through DNS in order to exfiltrate stolen data.
Another recent area of concern is threats using the DNS over HTTPS (DoH) protocol. The purpose of this protocol is to increase the security of DNS queries, preventing eavesdropping and MitM attacks. However, earlier this month, a malware family named Godlua was found using the protocol for malicious communications. Given DoH’s ability to mask traffic, it’s possible more threats will follow suit.
How to protect against DNS attacks
Unfortunately, as an end-target of a DNS attack, there isn’t too much you can do. From a user’s standpoint, the DNS communication to get to a web site appears legitimate, especially when the attacker creates valid certificates for the malicious sites after compromising the DNS records.
The responsibility to defend in this case falls to those who administer and host DNS services. Fortunately, there are steps that can be taken at this level.
Monitor your DNS records. Tools like Umbrella Investigate allow you to quickly look up changes to DNS records.
Require multi-factor authentication (MFA) for DNS record changes. MFA solutions, such as those offered by Cisco Duo, can prevent arbitrary changes to your records without authentication.
Use tools such as BGPmon to monitor for DNS hijacking attempts, changes to TLD records, or traffic redirection and interception.
Keep your systems patched. In the case of Sea Turtle, attackers got in by exploiting vulnerabilities, some of which were 10 years old.
Implement DNSSEC in your environment. DNSSEC adds digital signatures to DNS communications, allowing for origin authentication and ensuring the request hasn’t been modified.
Finally, if you host a web site or domain, be sure to confirm that your DNS provider’s security posture includes the above.
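The following is an added example, not Cisco or Talos code, that ties the resolution chain from the “DNS basics” section to the “monitor your DNS records” recommendation above. It walks an in-memory root → TLD → authoritative chain, snapshots the referrals and answer as a baseline, and then flags the two kinds of drift the post describes (a rewritten zone record, and a TLD delegation whose name server keeps its name but changes its address). All zone contents, host names and addresses (RFC 5737 documentation ranges) are constructed.

```python
"""Toy iterative DNS walk plus a record/delegation drift check.

Added example, not Cisco/Talos code. Zone contents, host names and IP
addresses (RFC 5737 documentation ranges) are constructed for illustration.
"""
import copy
import ipaddress
from itertools import zip_longest

ROOT_SERVER = "192.0.2.1"  # constructed stand-in for a root server address


def build_servers():
    """Stand-in for the servers in the chain: IP -> {(name, type): [rdata]}.

    A real resolver would query these over port 53; the walk is the same.
    """
    return {
        ROOT_SERVER: {  # root: .com delegation plus glue for the TLD server
            ("com.", "NS"): ["tld.registry-example."],
            ("tld.registry-example.", "A"): ["192.0.2.10"],
        },
        "192.0.2.10": {  # TLD server: example.com delegation plus glue
            ("example.com.", "NS"): ["ns1.example.com."],
            ("ns1.example.com.", "A"): ["198.51.100.53"],
        },
        "198.51.100.53": {  # authoritative name server: the final answer
            ("webmail.example.com.", "A"): ["198.51.100.25"],
        },
    }


def resolve(servers, qname, qtype="A", max_hops=8):
    """Walk from the root following referrals (Figure 2 of the post).

    Returns (rdata list, delegations); delegations lists every
    (zone, ns name, ns IP) referral the resolver trusted on the way.
    """
    server, delegations = ROOT_SERVER, []
    labels = qname.rstrip(".").split(".")
    for _ in range(max_hops):
        zone = servers[server]
        if (qname, qtype) in zone:  # authoritative answer found
            return zone[(qname, qtype)], delegations
        # No answer here: follow the closest enclosing delegation this
        # server knows (example.com. is tried before com.).
        for i in range(1, len(labels)):
            parent = ".".join(labels[i:]) + "."
            if (parent, "NS") in zone:
                ns_name = zone[(parent, "NS")][0]
                ns_ip = zone[(ns_name, "A")][0]  # glue record
                delegations.append((parent, ns_name, ns_ip))
                server = ns_ip
                break
        else:
            raise LookupError(f"{server} has neither answer nor referral")
    raise LookupError("too many referrals")


def snapshot(servers, qname):
    """Record what a full walk returns, to keep as a baseline."""
    answer, delegations = resolve(servers, qname)
    return {"answer": answer, "delegations": delegations}


def audit(baseline, current, expected_net):
    """Compare a fresh walk against the baseline; return a list of findings.

    Glue IPs are compared, not only NS names: in the Sea Turtle pattern the
    name server's name stays the same and only its address changes.
    """
    findings = []
    for old, new in zip_longest(baseline["delegations"], current["delegations"]):
        if old != new:
            findings.append(f"delegation drift: {old} -> {new}")
    if baseline["answer"] != current["answer"]:
        findings.append(f"answer drift: {baseline['answer']} -> {current['answer']}")
    net = ipaddress.ip_network(expected_net)
    for ip in current["answer"]:
        if ipaddress.ip_address(ip) not in net:
            findings.append(f"answer {ip} is outside expected netblock {expected_net}")
    return findings


def zone_record_edited(servers):
    """Zone edited via the hosting interface (the DNSpionage pattern)."""
    s = copy.deepcopy(servers)
    s["198.51.100.53"][("webmail.example.com.", "A")] = ["203.0.113.7"]
    return s


def delegation_edited(servers):
    """TLD glue changed so the delegation points elsewhere (Sea Turtle pattern)."""
    s = copy.deepcopy(servers)
    s["192.0.2.10"][("ns1.example.com.", "A")] = ["203.0.113.53"]
    s["203.0.113.53"] = {("webmail.example.com.", "A"): ["203.0.113.7"]}
    return s
```

Run `audit(base, snapshot(delegation_edited(build_servers()), "webmail.example.com."), "198.51.100.0/24")` against a baseline taken from the untampered servers to see that the delegation drift is reported even though the NS name is unchanged.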

Additional reading
DNSpionage Campaign Targets Middle East
DNSpionage brings out the Karkoff
DNS Hijacking Abuses Trust In Core Internet Service
Sea Turtle keeps on swimming, finds new victims, DNS hijacking techniques
Covert Channels and Poor Decisions: The Tale of DNSMessenger
Spoofed SEC Emails Distribute Evolved DNSMessenger
Detecting DNS Data Exfiltration

Like this post? Subscribe to the Threat of the Month blog series and get alerted when the next blog post is released.

Source:: Cisco Security Notice

With Cisco Threat Response, The Best Things in Threat Hunting are Free

By Scott Bower
For those of us in security operations, it could be easy to feel discouraged. After all, it’s an unfair fight. The bad actors seem to have unlimited time and budget. And we certainly don’t!
But here’s some good news: one of the most valuable tools available in threat hunting is free. Just like the golden oldie tune (or the Janet/Luther pop classic) says, the best things in life don’t always cost money. For customers with Cisco Next-Generation Firewalls, Intrusion Prevention (IPS), AMP for Endpoints, Cisco Umbrella, Email Security, and/or Threat Grid, Cisco Threat Response helps detect, investigate, and take corrective action against cyber threats—at no additional cost.
Making the Fight More Fair
We work with security professionals in organizations of all types and sizes. No matter their differences, they all say they’re bombarded. They wish they could “hit pause” on the flood of security events to allow for the time-consuming manual work they have to do after an attack. Not only that, they’re often in the difficult position of having to make decisions with inadequate information. They’re concerned about blocking too much and compromising productivity. Or not blocking enough to protect the business.
Cisco Threat Response provides an automated process to help. It’s a key pillar of Cisco’s integrated security architecture and designed to give you the contextual awareness you need so you can see, investigate, and act on threats fast. If you’ve invested in Cisco security products that support it, Threat Response is on your side to make the fight against cyberattacks a little fairer.
Getting started with Cisco Threat Response is easy.
Fast for Anyone to Use
You don’t have to be an expert to use Cisco Threat Response. The interface is simple, intuitive, and interactive. Users can ask the tool to investigate a threat by simply cutting and pasting threat From the first click, Cisco Threat Response provides details on suspicious behaviors, files, and activities. Then click again, and it can be just as easy and quick to see, and in many cases remediate, the root cause.
Easy-to-read, configurable graphics map the targets that have communicated with the malicious domain you’re investigating.
Not only that, information about the threat is collected and results are aggregated in the Cisco Threat Response portal. Here you get one common view, made even more powerful with knowledge from your other supported Cisco products. These products are fed by Talos, which delivers comprehensive threat intelligence with continuous updates to Cisco devices, automatically. In the Cisco Threat Response portal, it provides your network’s local sightings of the threat you’re investigating plus details to help you make timely and confident decisions about the best corrective actions.
Cisco Threat Response provides insights from integrated products to investigate. The portal provides access to continuous threat intelligence geared to helping you respond quickly.
The browser plug-in makes it easy and convenient to pull indicators of compromise from any webpage or console and get verdicts directly from the drop-down. You can take corrective action or undertake a complete investigation (with collaboration and sharing) right from the page.
The More Cisco You Have, The More Value You Get
With the Firepower integration, Cisco Threat Response can now utilize intrusion alerts from the Firepower devices. This enrichment will amplify the contextual awareness in your network by harnessing the power of effective integrations with products such as AMP for Endpoints, Email Security, Threat Grid, Umbrella and your Next-generation firewall. Another exciting thing about Cisco Threat Response is that when you have more Cisco solutions deployed, the integration drives more data enrichment and response capabilities. Contextual analysis becomes more detailed. We will continue to add new Cisco product integrations with Threat Response – the firewall products are only the most recent addition. Not only that, we’re adding integrations with third parties as well.
To learn more, go to Better yet, if you’re a customer with a Cisco Next-Generation Firewall, Intrusion Prevention (IPS), AMP for Endpoints, Cisco Umbrella, Email Security, or Threat Grid, log in or create your account now at

Source:: Cisco Security Notice

RSA Conference 2019 Security Operations Center Findings Report Released

By Jessica Bair
RSA and Cisco released the first ever Findings Report from the RSA Conference 2019 Security Operations Center (SOC).
The RSA® Conference SOC analyzes the Moscone Center wireless traffic, which is an open network during the week of the Conference. The SOC collected traffic from Monday, March 4, 2019 through 4:00 PM on Thursday, March 7, 2019. There were 70,440,988 sessions throughout this period.
The role of the SOC at RSA Conference is an educational exhibit sponsored by RSA and Cisco. It is not a true SOC like you would create to protect an organization. The RSAC SOC doesn’t have an infrastructure at the Moscone Center and only has a SPAN of the network traffic from the Moscone Center wireless network. There are not any logs, firewalls or endpoint protection infrastructure; just a copy in real time of the traffic traversing the wireless network.
The goal of the RSAC SOC is to use technology to educate conference attendees about what happens on a typical wireless network. The education comes in the form of daily SOC tours, an RSA Conference session and, after the event, an RSA Conference virtual webcast that reviewed the findings and a Cisco Security webinar on the technology in the SOC.
This year did have encouraging metrics in that our encrypted traffic increased over last year. Keep it up! Use a VPN!
The findings report addresses several security topics, including:
Plain text passwords
Unencrypted network traffic
DNS security
Cryptomining…and more
We will be back in 2020 and we’ll report once again how we’re doing as a community.

Download the RSA Conference 2019: Lessons from Monitoring the Wireless Network report here.
Acknowledgements: Special thanks to Neal R. Wyler and Percy Tucker of RSA Security; and to the team members of the RSA and Cisco SOC staff.
As always, we welcome your comments below. Did anything in the report surprise you? Are you in the process of setting up a SOC?

Source:: Cisco Security Notice

Let’s Destroy Democracy

By Talos Group
Election security through an adversary’s eyes

This post was authored by Matt Olney.
Executive summary
Over the past few years, Cisco Talos has increasingly been involved in election security research and support, most recently supporting the Security Service of Ukraine in their efforts to secure the two Ukrainian presidential elections in April. Experiences like these, along with discussions with state and local elections officials and other parties, have helped us better understand the election security space. These discussions are especially important to us because combining their expertise with our experience in the security space — and specifically our understanding of some of the actors that may be involved — is a powerful model to achieve the ultimate goal of providing free and fair elections.
Based on our research and real-world experience working to secure elections, we have recommendations for several different groups, each of which has a role to play in working against attackers who would interfere in free and fair elections:
Everyone should understand that interference in, and attacks on, the election system are part of a larger, coordinated attack on the very concept of free democracies.
Security improvements in election security can best be achieved by combining the expertise of election officials with that of traditional security practitioners.
Election officials should extract maximum value from this period of heightened interest in election security.
Security practitioners should recognize the specialized nature of the elections environment and be careful to provide the best advice for that unique environment.
Everyone has a role to play in ensuring that faith in democratic institutions is reinforced and that social divides aren’t unnecessarily aggravated.

Source:: Cisco Security Notice

Threat Roundup for July 12 to July 19

By Talos Group
Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between July 12 and July 19. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.
As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, or

Reference: TRU07122019 – This is a JSON file that includes the IOCs referenced in this post, as well as all hashes associated with the cluster. The list is limited to 25 hashes in this blog post. As always, please remember that all IOCs contained in this document are indicators, and that one single IOC does not indicate maliciousness. See the Read More link above for more details.

Source:: Cisco Security Notice

Is Network Security Complexity Holding You Back?

By Brian Remmel
At its most fundamental level, the objective of network security is a simple one. Organizations need to protect their people, assets, and the data that travels across and resides within their networks. They do this by setting security policies that detail parameters like who or what is allowed to access which resources.
Over time, even small organizations can accumulate large libraries of security policies across a variety of different security products. The old processes used to create, update and audit these policies become a burden for the IT team and cause a number of problems for the organization.
Research firm Enterprise Strategy Group (ESG) recently surveyed 200 IT and cybersecurity decision-makers to understand their views on network security complexity and its consequences. They examine some of the top challenges facing these organizations today in their new report “Navigating Network Security Complexity.”

It’s not just your imagination. Security is getting more complex.
Unsurprisingly, a majority (83%) of respondents felt that network security has gotten more complicated in the last two years. There are many reasons for this, but the top responses included:
More devices deployed on the network
More traffic on the network
The operations team managing more networking and security technologies
Taken together, these responses paint the picture of a growing attack surface and increasing workload for teams responsible for protecting organizations’ critical assets.
Challenges on the horizon
What are the biggest network security challenges facing organizations in the next few years? According to the survey, they are:
Business initiatives being adopted without the proper security involvement
A lack of dedicated network security staff
It takes too long to manage network security policies
Businesses are innovating at a record pace, and they aren’t waiting for the security team. Hiring staff continues to be challenging, and outdated processes are compounding the issue.
Brace for impact: outages, disruption and data breaches
Nearly a third (29%) of organizations said they experienced a security event resulting from network security complexity. The most common incidents included network outages, application or network availability problems, loss of sensitive data, and lost productivity. Given the critical nature of these risks, it’s clear that network security management needs to be addressed when assessing an organization’s risk management strategy.
Recommendations: technology integration, automation, simplification
ESG offers three headline recommendations for CISOs dealing with network security complexity today. First, look for solutions that are integrated and centrally managed when possible. Next, seek out solutions that emphasize ease-of-use and time-to-value. Finally, organizations should strive for process automation and use technology to accomplish this.
Whether you’re directly involved in managing your organization’s security policies or not, you’re likely experiencing negative effects of the drain that these manual tasks can have on an IT department. It’s time to prioritize making security policy management more efficient, consistent and effective. Reading the full research report is a great place to get started.
Simplify network security management with Cisco Defense Orchestrator
At Cisco, we’re working hard to help our customers streamline their security operations. Cisco Defense Orchestrator is a cloud-based security policy and device manager that uses automation to eliminate complexity. Manage consistent security policies across Cisco ASA, FTD and Meraki MX devices, and reduce time spent on security management tasks by up to 90%. Visit the Cisco Defense Orchestrator webpage to learn more and sign up for a free trial.

Source:: Cisco Security Notice

SWEED: Exposing years of Agent Tesla campaigns

By Talos Group
By Edmund Brumaghin and other Cisco Talos researchers.
Executive summary
Cisco Talos recently identified a large number of ongoing malware distribution campaigns linked to a threat actor we’re calling “SWEED,” including such notable malware as Formbook, Lokibot and Agent Tesla. Based on our research, SWEED — which has been operating since at least 2017 — primarily targets their victims with stealers and remote access trojans.
SWEED remains consistent across most of their campaigns in their use of spear-phishing emails with malicious attachments. While these campaigns have featured a myriad of different types of malicious documents, the actor primarily tries to infect its victims with a packed version of Agent Tesla — an information stealer that’s been around since at least 2014. The version of Agent Tesla that SWEED is using differs slightly from what we’ve seen in the past in the way that it is packed, as well as how it infects the system. In this post, we’ll run down each campaign we’re able to connect to SWEED, and talk about some of the actor’s tactics, techniques and procedures (TTPs).

Source:: Cisco Security Notice