Archiv für das Monat: März, 2020

By Talos Group In recent years, the modular banking trojan known as Trickbot has evolved to become one of the most advanced trojans in the threat landscape. It has gone through a diverse set of changes since it was first discovered in 2016, including adding features that focus on Windows 10 and modules that target point of sale (POS) systems. Not only does it function as a standalone trojan, Trickbot is also commonly used as a dropper for other malware such as the Ryuk ransomware. The wide range of functionality allows this malware to adapt to different environments and maximize effectiveness in a compromised network.
Read More >>
The post Trickbot: A primer appeared first on Cisco Blogs.

Source:: Cisco Security Notice

By Ben Nahorney What’s the quickest way to access a computer? Logging in. As obvious as this may sound, it’s worth reflecting on this. Because while logging in is so second nature that you probably don’t give it much consideration, it’s also one of the most common techniques for taking over a computer.
From a malicious standpoint, stealing and using legitimate credentials to gain access is more likely to go undetected as an attacker attempts to move through a network. Dropping a trojan or exploiting a vulnerability can certainly gain you initial access, but authorized credentials help you navigate laterally under the radar.
It’s no wonder that login credentials are a primary target of bad actors. According to Verizon’s 2019 Data Breach Investigations Report, using stolen credentials was the second-most common activity conducted by attackers during a breach.
So how do bad actors go about stealing credentials? Some techniques are well known, others not as much.
The usual suspects
Phishing emails are by far the most popular method to steal credentials. As we’ve discussed in the past, the scams take many forms, from notifications that there’s a document online that you should view, to notifications of upgrades to your account.
Keyloggers—another common tool for stealing credentials—sit in the background and log keystrokes on a compromised computer. An attacker can load up a keylogger, then wait for it to record credentials as they are input into the computer.
While these are popular methods for stealing credentials, they aren’t the only options. When an attacker gains access to a system, it turns out there’s a veritable gold mine of credentials that they can attempt to access. This is where a technique called credential dumping comes in. While end users may not be aware of it, credential dumping is actually a wildly popular technique whereby an attacker scours a compromised computer for credentials in order to move laterally and/or carry out further attacks. Users may be familiar with headlines touting phishing or keylogging attacks, but credential dumping often receives less wide-spread attention; however, this only underscores the importance of understanding the attack method.
Credential dumping
There are a variety of places within operating systems where credentials are stored for use in everyday operation. If an attacker can gain access to a particular system, they can attempt to locate, copy, and “dump” the credentials.
Credential dumping is possible mainly because software and operating systems have worked to reduce the number of times a user is required to enter their password. Oftentimes, operating systems store passwords in memory, databases, or files. The idea is that the operating system will ask for a password, but then use the cached password for successive logins in the short term, saving the user from having to enter it again.
Tools of the trade
Problems arise when an attacker gains low-level access to a computer. If the attacker can execute code, he or she can extract credentials from memory with various credential dumping tools. There are several tools an attacker can wield to steal credentials in these cases. Tools like gsecdump, creddump, and PWDumpX can be used in a variety of ways to steal credentials.
However, the most popular credential dumping tool by far is Mimikatz. Developed in 2007 by Benjamin Delpy, it began as a tool to highlight a flaw in Microsoft Windows Local Security Authority Subsystem Service (LSASS). LSASS stores credentials so that users don’t have to log in repeatedly each time they want to access system resources. While the flaw in question was eventually fixed, Mimikatz evolved to become an important tool for penetration testers and other security professionals to check for credential dumping weaknesses within systems. Unfortunately, it has become a popular tool for malicious actors as well.

Where to steal
An attacker can pull credentials from different areas on a system. With access to a regular endpoint computer, an attacker can look for credentials in the following locations.
WDigestThis is a legacy protocol used to authenticate users in Windows. When enabled, LSASS keeps a plain-text copy of logged in user’s password in memory. While the service is disabled by default nowadays, it still exists in the latest versions of Windows, and attackers often enable it in order to steal credentials.
Security Accounts Manager (SAM)This is a database file that’s existed in Windows since the XP days. SAM is used to authenticate users, both local and remote, allowing access when the provide credentials match what SAM has on file. If this file is stolen by attackers, it can potentially be decrypted, and usernames and passwords stored within can be extracted.
LSA SecretsThe Local Security Authority (LSA) manages authentication and the logging in of users on a Windows system, as well as the local security policy for a computer. Sensitive data used by this subsystem is stored in a protected storage area called “LSA secrets.”
KerberosThe Kerberos protocol was specifically designed for strong, secure authentication. It does so through a ticketing system, granting various permissions to users and services. Attacks against Kerberos generally involve forging or injecting stolen Kerberos tickets to gain access.
If an attacker manages to get onto a domain controller—the network server responsible for managing authentication on the domain—then there are additional areas where credentials are stored.
NTDSThis is where Active Directory stores information about members of a domain in order to verify users and credentials.
Group Policy Preference filesThis Windows tool lets administrators roll up domain policies to include embedded credentials, making administration easier. These policies are generally stored in a share called SYSVOL, which any domain user can view, and potentially decrypt.
DCSyncInstead of a location, DCSync is a technique where an attacker takes advantage of the way domain controllers handle available API calls. In short, the attacker mimics the behavior of another domain controller through API calls and gets the controller to send over credential hashes that can be used in further attacks.
Using the credentials
Once an attacker has gathered credentials, how do they use them? It’s pretty straightforward when it comes to user names and passwords that have been stolen through phishing, keylogging, or stolen and successfully decrypted.
However, not all credentials can easily be decrypted. You may think that that’s the end of line in these cases. Unfortunately, that’s not the case. There’s a whole group of attack techniques centered around using these credentials as-is.
For instance, consider that many user names and passwords are encrypted (a.k.a. “hashed”) on the authenticating server. When you log into one of these services, they generally decrypt the password on the server and compare them. Another way to compare is to encrypt the password that arrives, then compare it to the encrypted password on file. Either way, if there’s a match, access is granted.
If an attacker manages to steal user credentials, but can’t decrypted them, they can attempt to pass them to the authentication server. If the server simply compares the two hashed passwords, and if they match, access is granted. This technique is often called “passing the hash.”
There are a number of similar authentication attacks. For instance, an attacker could also dump Kerberos tickets from a compromised system, then use them to attempt to log in in a similar fashion. As a variation of the overall theme, this attack is called “pass the ticket.”
There are plenty of variations out there. An attacker can “overpass the hash,” by which they pass a hash to an NT LAN Manager in the hopes that it will pass them back a Kerberos ticket, which they can then use to log into network resources. There are also techniques that can grant them “golden” and “silver” Kerberos tickets, which as the names suggest, offer elevated privileges and access throughout a network administered by Kerberos.
What to do
Fortunately, there are many ways to defend against credential dumping.
Monitor access to services like LSASS and databases like SAM.
Keep an eye out for command-line arguments used in credential dumping attacks.
On domain controllers, monitor logs for unscheduled activity.
Look out for unexpected connections from IP addresses not assigned to known domain controllers.
The security capabilities found in AMP for Endpoints can continuously analyze and monitor file and process activity. AMP can automatically generate alerts at the first sign of malicious behavior, such as when an attacker attempts to spawn an unauthorized LSASS process, quickly stopping attacks in their tracks before they can cause any further damage.
Of course, if an attacker does manage to steal credentials, using multi-factor authentication (MFA) can prevent the attacker from actually using them to gain access to other systems. Cisco Duo protects your systems by using a second source of validation to verify user identity before granting access.
Even better, combine the powers of AMP and Duo to reduce the attack surface by allowing AMP to notify Duo when an endpoint has potentially been compromised, allowing Duo to automatically block that endpoint from accessing critical apps that Duo is protecting.
A zero-trust strategy can also go a long way to limit or prevent an attacker from moving laterally through a network. Cisco Identity Services Engine simplifies the delivery of consistent, highly secure access control across all network connections. With far-reaching, intelligent sensor and profiling capabilities, ISE can reach deep into the network to deliver superior visibility into who and what are accessing resources, preventing unwanted access as a result.
Enjoyed reading this Threat of the Month? Subscribe to the Threat of the Month blog series and get alerted when new blogs are published.
The post Stealing passwords with credential dumping appeared first on Cisco Blogs.

Source:: Cisco Security Notice

By Talos Group
Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between Mar 20 and Mar 27. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.
As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.
Read More
Reference:
20200327-tru.json – This is a JSON file that includes the IOCs referenced in this post, as well as all hashes associated with the cluster. The list is limited to 25 hashes in this blog post. As always, please remember that all IOCs contained in this document are indicators, and that one single IOC does not indicate maliciousness. See the Read More link above for more details.
The post Threat Roundup for March 20 to March 27 appeared first on Cisco Blogs.

Source:: Cisco Security Notice

By Radhika Mitra Public cloud is still a hotly debated topic amongst organizations, and take a guess as to why? Security. However, that hasn’t kept businesses from investing heavily in public cloud strategies. By the end of 2020, Forbes has forecasted “67% of enterprise IT infrastructure and software will be cloud-based.” If you’re trying to increase your network scale, realize greater network value or transform to a more dynamic infrastructure, you’re either already in the midst of your journey or at least part of the way there. And with services and assets shared between your on-premises networks and the cloud, it can be a little fuzzy on how or what to secure. The public cloud Shared Responsibility model was designed to combat exactly that—and make clear delineation on who is responsible for securing what.
There are two key areas of the Shared Responsibility model:

“Security of the Cloud” – The cloud vendor is accountable to protect and ensure availability of the infrastructure and the services that make up the cloud. Cloud infrastructure is composed of the hardware, software, networking, and facilities that run the respective vendor’s cloud services.

“Security in the Cloud” — You are responsible for your cloud-based assets and management. Ultimately you design your own unique security strategy and manage your risks for any and all cloud services, asset and data you add in a public cloud. For example, any compute instances you run, you are responsible for the management of the guest operating system (including updates and security patches), any application software or utilities you install on the instances, and the configuration of the cloud-based firewall on each instance. You are responsible for managing your data (including encryption options), classifying your assets, and using IAM tools to apply the appropriate permissions.
With all the different security offerings available in each of the public cloud providers marketplaces, it becomes overwhelming and confusing trying to identify the right tools to help you fulfill your end of the shared responsibility model. To alleviate the confusion and to help you maintain a consistent posture both on premises and in the cloud, a good rule of thumb is to partner with a security partner that supports a broad range of cloud providers. Likewise, leveraging the same tools you use to secure your premises-based networks in clouds ensures a faster deployment, alleviates misconfigurations and ensures stronger security for all your cloud-based investments.

At Cisco, we do the heavy lifting for you. We offer a comprehensive suite of security solutions for public cloud environments and maintain strong technology partners with the leading public cloud providers (AWS, Google Cloud, Azure). This allows you to integrate security seamless into your cloud environments, deliver a consistent experience for your users and maintain visibility and control over all your cloud data and assets. The depth and breadth of our solutions ensures your business can safely transition to the cloud while aligning security to the speed of your digital business:
Cloud security: Cisco Umbrella integrates multiple security services in the cloud including DNS-layer security, firewall, secure web gateway, cloud access security broker, and more to secure internet access. Since DNS is built into the foundation of the internet, security at the DNS-layer can be simple to deploy and highly effective for securing the public cloud. Cisco Umbrella provides DNS-based security that blocks requests to malware, phishing, and botnets before a connection is even established.
Secure On-prem to Public Cloud: Cisco Next Generation Firewall can bring advanced capabilities of your firewall into your cloud environment, acting as a gateway and also extending your data center security policies into cloud and remaining compliant. What’s more, you can create a consistent security posture that extends from your on-premises environment to your cloud infrastructure, making the migration to public cloud seamless and painless.
Cloud Workload Security & Microsegmentation: One of the most vulnerable assets are your applications(read more on app security) and securing application workloads using microsegmentation with Cisco Tetration in your cloud can unleash the potential of your developers and security operation reaching harmonious freedom.
Advanced Threat Detection: What about network flow? Get advanced threat detection in your cloud network with Stealthwatch Cloud.
Secure Access to your Cloud: Also, ensure you have secure access using Duo multi-factor authentication to your cloud-based services.
Cisco Services is a true partner in your journey to a shared responsibility model by helping you deploy and manage your security solutions in the cloud. With Cisco you are not alone, you have the power of a trusted partner to bring along with you on your digital transformation journey to ensure a consistent security posture for your hybrid network.
The post Understanding the Shared Responsibility Model: Securing Public Cloud Just Got Easier appeared first on Cisco Blogs.

Source:: Cisco Security Notice