Threat Roundup for March 27 to April 3

By Talos Group
Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between Mar 27 and Apr 3. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.
As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.
Read More
Reference:
20200403-tru.json – This is a JSON file that includes the IOCs referenced in this post, as well as all hashes associated with the cluster. The list is limited to 25 hashes in this blog post. As always, please remember that all IOCs contained in this document are indicators, and that one single IOC does not indicate maliciousness. See the Read More link above for more details.
The post Threat Roundup for March 27 to April 3 appeared first on Cisco Blogs.

Source:: Cisco Security Notice

Top 5 features of a Network Traffic Analysis (NTA) tool- Why you need Stealthwatch now more than ever

By Matt Stauffer
According to research from Enterprise Strategy Group (ESG) and the Information Systems Security Association, 91% of cybersecurity professionals believe that most organizations are either extremely or somewhat vulnerable to a significant cyber-attack or data breach.1 CISOs have tried many different solutions. Many are increasing hiring in a field with a steep talent shortage, which may have some long-term returns but doesn’t solve the problems they are facing today. Some also purchase a patchwork of security solutions that aren’t really integrated – an approach that can cause major complications for security architects. These strategies are clearly not increasing confidence in their overall security effectiveness.
[Chart: What are the primary reasons you believe cybersecurity analytics and operations are more difficult today than they were 2 years ago?]
Research indicates that organizations can’t hire their way out of their cybersecurity woes. CISOs must improve security efficacy, streamline operations and bolster employee productivity, and they must rely on their existing workforce. That’s where Network Traffic Analysis (NTA) tools can provide a cybersecurity quick-win. An effective and modern NTA solution can continuously monitor the network and detect threats that might have bypassed the perimeter or even originated within the business. Top-tier NTA solutions take the weight off of the employees’ shoulders by giving them the tools they need to speed up threat detection and remediation. To help you evaluate an NTA solution effectively, let’s take a look at the top features identified by cybersecurity professionals as part of the research conducted by ESG:

Built-in analytics and threat intelligence services
44% of survey respondents said that built-in analytics to help analysts detect suspicious/malicious behavior is one of the most important features. Best-in-class NTA tools have different algorithms and signatures built-in to model behavior and crunch data, allowing for high-fidelity alerts that streamline workloads and accelerate incident response. The same percentage also said that threat intelligence services/integrations to enable comparisons between suspicious behavior and known threats is another top feature. These integrations allow NTA tools to “enrich” network telemetry, making alerts more thorough and actionable.

Ability to monitor IoT traffic/devices
Users also need the ability to monitor niche equipment that is unique to their industries. This is especially important in industries that have made aggressive investments in IoT like healthcare, manufacturing and transportation. IoT devices generate telemetry and increase the threat surface like any other connected device, and therefore need to feed into an NTA tool.

Ability to monitor all network nodes
37% of respondents stated that alerts for when new network nodes are connected are essential for an NTA tool. This means security professionals want NTA tools to issue alerts when unsanctioned devices connect. This is incredibly important for monitoring and mitigating cyber-risks.

Proven integrations with other security technologies
37% also said that one of the most important features is documented and tested integrations with other types of security technologies. These other technologies could be malware sandboxes, network segmentation enforcement technologies and much more. These integrations allow for a closed-loop process that includes network security development, monitoring and enforcement.

Public cloud visibility
More than a third of respondents said that the ability to monitor cloud traffic is an essential feature. In order to provide true end-to-end visibility, NTA tools need to be able to tap into VPCs, cloud monitoring logs and APIs across AWS, Azure, GCP, etc.
Cisco Stealthwatch
Stealthwatch aligns well with the most important NTA attributes cited by the surveyed cybersecurity professionals. For example, Stealthwatch:
Features multiple types of built-in analytics. Its behavioral modeling and multi-layered machine learning algorithms can detect hidden threats, even those hiding in encrypted traffic.
Provides comprehensive visibility. In addition to monitoring on-premises environments, Stealthwatch also offers agentless visibility into the public cloud. It can also detect when a new network node connects, monitor traffic from IoT devices and more. Nothing slips through the cracks with Stealthwatch.
Backed by Cisco Talos threat intelligence. Threat intelligence is one of the most important features of an NTA tool. Stealthwatch ties its multi-layered analytics with global threat intelligence from Talos, the largest non-governmental threat intelligence organization in the world, and can take immediate action when activity is associated with a known threat, no matter the origin.

CISOs of the world can’t keep up with their security workloads, especially with a global cybersecurity talent shortage. They need quick wins: fast, efficient and accurate alerts that allow them to focus on what really matters. Cisco Stealthwatch is the tool they need right now.

You can find the full ESG Research Whitepaper here
To learn more about Stealthwatch, go to https://cisco.com/go/stealthwatch or sign up for our free visibility assessment.

1 Source: ESG Research Report, The Life and Times of Cybersecurity Professionals 2018, May 2019.
The post Top 5 features of a Network Traffic Analysis (NTA) tool- Why you need Stealthwatch now more than ever appeared first on Cisco Blogs.


AZORult brings friends to the party

By Talos Group
By Vanja Svajcer.
Attackers are constantly reinventing ways of monetizing their tools. Cisco Talos recently discovered a complex campaign with several different executable payloads, all focused on providing financial benefits for the attacker in a slightly different way. The first payload is a Monero cryptocurrency miner based on XMRigCC, and the second is a trojan that monitors the clipboard and replaces its content. There’s also a variant of the infamous AZORult information-stealing malware, a variant of Remcos remote access tool and, finally, the DarkVNC backdoor trojan.
Defenders need to be constantly vigilant and monitor the behavior of systems within their network. Attackers are like water — they will attempt to find the smallest crack to achieve their goals. While organizations need to be focused on protecting their most valuable assets, they should not ignore threats that are not particularly targeted toward their infrastructure.
Read More >>
The post AZORult brings friends to the party appeared first on Cisco Blogs.


Expanding Free Security Offers into Customers’ Endpoints

By Dr. Gee Rittenhouse
During this global health crisis, normal has been redefined. We are living through a dynamic situation that has required us to reorient our personal and professional lives in ways we never have before. Companies have had to do the same. Many have taken the extraordinary step of moving the majority, if not the entirety, of their workforces to a virtual workplace. As companies adapt to their new normal, securing this sudden exponential growth of remote workers and their devices remains a challenge.
A few weeks ago, we shared that Cisco would provide extended free licenses and expanded usage counts at no extra charge for three of our key security technologies that are designed to protect remote workers: DNS-layer security from Cisco Umbrella, zero-trust security from Duo and secure network access from AnyConnect. As a result of this, there has been a huge demand for these technologies. Cisco has supported an additional 9 million-plus users during this crisis with this rollout.
Security teams generally start by securely connecting employees to the network with the VPN, and multi-factor authentication provides an additional layer of security to customers’ remote access strategy. As security teams work to protect a larger remote workforce, Duo is seeing the number of daily authentications from VPNs increase by 157 percent. But we know that 85 percent of corporate users bypass the VPN when working remotely. So, customers are increasingly looking to DNS-layer security to secure users on and off the network, and we have seen the need for Umbrella licenses increase by 100 percent.
Through all of this, we have been listening to customers’ feedback on how else we can best support them. What we heard is that more than ever there is a need to protect both user-owned and company-owned devices. Based on that input, today we are extending our free security offers to also include Cisco Advanced Malware Protection (AMP) for Endpoints. This technology prevents breaches and blocks malware at the point of entry as well as detects, contains and remediates advanced threats if they evade the frontline of defense.
With this new addition, existing customers can exceed their device limit by two times to support an increase in remote workers. To take advantage of this offer, they simply install AMP for Endpoints Connectors on extra devices, and no other action is required. As with our AnyConnect, Umbrella and Duo offers, this will be available until July 1, 2020.
Our mission is to be our customers’ most trusted partner by providing effective security solutions. This current situation demands this more than ever, and we will continue to stand with our customers and partners through this challenging time.
You can learn more about our Cisco Security Remote Worker offerings here and find additional resources on the Business Continuity site. If you have any questions, please contact your Cisco representative or email us at pandemicsupport@cisco.com.
The post Expanding Free Security Offers into Customers’ Endpoints appeared first on Cisco Blogs.


Buyers Beware: Scamming Is Rife, Especially In a Time of Crisis

By Dean De Beer
For years, scammers have been using a combination of Blackhat SEO techniques, phishing sites and newsworthy events to either trick individuals into giving up personal information including credit card numbers or to install malware, or both. Preying on an individual’s fears has always been a go-to tactic for scammers.
Recently a friend texted me and asked if I could take a look at a website his wife used to try and buy some 3M N95 face masks from. He was concerned that the site did not appear to be legitimate. “Sure”, I said, “What is the domain?” He sent it over. mygoodmask[.]com. Having spent the last decade looking at malware, spammers and scammers, I responded immediately, “Yes, it’s very bad. Tell her to cancel her credit card as soon as possible.”
I figured I’d take a closer look at the domain to confirm if I was right. I dropped the domain into Cisco Threat Response, our platform that accelerates investigations by automating and aggregating threat intelligence and data across your security infrastructure. Threat Response didn’t return anything useful aside from the IP addresses it resolved to. Since the platform is configured for my test organization at the office, it’s not going to show me any hosts that may have visited that domain, but it is still a great source of intelligence. It showed that Cisco was aware of the domain, but there was no additional information – not surprising for newly created and used domains. There is more than one way to determine if a domain is suspicious.

Enriching the two IP addresses, 50[.]97.189.190 and 66[.]147.244.168, returned everything I needed to decide that the original site was malicious. Nearly two hundred domains resolving to those two addresses, none of which looked like ones I’d like to end up on.

At this point I was curious about the website itself and wanted to take a closer look. I submitted the domain to Threat Grid, Cisco’s malware analysis tool. It immediately redirected to greatmasks[.]com which resolved to 37[.]72.184.5. Using Glovebox, a capability in Threat Grid that allows full interaction with the virtual machine, I attempted to buy some masks from the website. I used an expired card number to purchase my masks. They are using PayPal to collect payments and validate card numbers.

The results produced from the analysis highlighted further details on the website, indicating a high level of suspicious activity.

Drilling down on the IP address that the new domain resolved to, we found another related domain, safetysmask[.]com. At this point it would be easy to create a new Casebook and add these observables to the investigation.

For me, one of the most telling signs of an unknown domain is the lookup frequency and activity mapped to the domain creation date and DNS changes. A scammer may register domains and park them until they’re ready to use them. At that point they’ll set up a website and point that domain to an IP.

Looking at the timeline and domain lookup activity in Cisco Umbrella, our DNS-layer SaaS solution, it’s clear that this website has been up for less than a month, which is unusual, especially in the context of this investigation.

Using a combination of our platform capability and our DNS-layer security, I was able to validate that this domain, its IP addresses, and the related domains were malicious. With investigations of this nature, the domain or IP might not always have a known disposition at a certain point in time, but often, by following the breadcrumb trail of related information, it’s easy to make a determination and judgement about the original domain. Another path to determining the disposition of these domains is to drill down into the observables in Umbrella.

Cisco Security products not only integrate via Threat Response; there are also multiple direct integrations between products. These integrations are used to share threat intelligence produced by individual products and to share capabilities across products through API integrations, data visualization and cross-product capabilities such as Casebook’s browser plugin.
Umbrella, our cloud-delivered DNS-layer protection, integrates with Threat Grid, our malware analysis tool. This allows Umbrella to show information produced through dynamic analysis, mapping domains and IP addresses to samples seen in Threat Grid’s global database and providing another method of determining disposition.
By the end of my digging, I had found hundreds of scams related to sports events, fashion accessories, flu season and more. All easily searchable within your organization via Threat Response and just as easily blocked via Umbrella.

What began as just a way to help a friend one evening, became a quick but comprehensive investigation into how bad actors are trying to capitalize on a global health crisis. Hopefully this was helpful in showing how easy it can be to validate the disposition of a domain using related observables, and in doing so, build out a collection of new content to be leveraged in your environment for detection and prevention. Writing this up took longer than the investigation itself.
Note to readers:
If you’re using Threat Response and Umbrella, you’ll be able to reproduce this investigation using the original domain and the domains and IP found in Threat Grid’s analysis of the website.
Dean used the following in his investigation:
Cisco Threat Response: cisco.com/go/threatresponse
Cisco Umbrella: cisco.umbrella.com/
Cisco Threat Grid: cisco.com/go/threatgrid
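The pivot described in the investigation above (seed domain, its IP addresses, the domains co-hosted on those addresses, the redirect target, and the domain-age heuristic), as an added example that is not part of the original post or of the Cisco tools it uses. The lookup tables, the first-seen dates and the "cohost-N[.]invalid" placeholder names are constructed for the example; only the three domains and four addresses named in the post are real observables from it.

```python
from collections import deque
from datetime import date

# Constructed stand-ins for the passive-DNS / enrichment data the post pulled from
# Threat Response and Umbrella. Domains stay defanged as in the post; the ".invalid"
# names are placeholders for the "nearly two hundred" co-hosted domains it mentions.
RESOLVES_TO = {
    "mygoodmask[.]com": {"50[.]97.189.190", "66[.]147.244.168"},
    "greatmasks[.]com": {"37[.]72.184.5"},
    "safetysmask[.]com": {"37[.]72.184.5"},
    "cohost-1[.]invalid": {"50[.]97.189.190"},
    "cohost-2[.]invalid": {"50[.]97.189.190", "66[.]147.244.168"},
    "cohost-3[.]invalid": {"66[.]147.244.168"},
    "long-lived-shop[.]invalid": {"198[.]51.100.7"},
}
REDIRECTS_TO = {"mygoodmask[.]com": "greatmasks[.]com"}
FIRST_SEEN = {  # constructed dates, chosen to sit inside the post's time frame
    "mygoodmask[.]com": date(2020, 3, 18),
    "greatmasks[.]com": date(2020, 3, 20),
    "safetysmask[.]com": date(2020, 3, 22),
    "cohost-1[.]invalid": date(2020, 3, 10),
    "cohost-2[.]invalid": date(2020, 3, 11),
    "cohost-3[.]invalid": date(2020, 3, 12),
    "long-lived-shop[.]invalid": date(2015, 6, 1),
}
YOUNG_DOMAIN_DAYS = 30     # the post treats "up for less than a month" as unusual
CROWDED_IP_THRESHOLD = 3   # an address hosting this many unknown domains is worth pivoting on


def hosted_on(ip):
    """All domains in the table that resolve to the given address."""
    return {d for d, ips in RESOLVES_TO.items() if ip in ips}


def pivot(seed, max_hops=2):
    """Breadth-first walk: seed -> redirect target and co-hosted domains, up to max_hops."""
    seen, queue = {seed: 0}, deque([seed])
    while queue:
        dom = queue.popleft()
        if seen[dom] >= max_hops:
            continue
        neighbours = set()
        if dom in REDIRECTS_TO:
            neighbours.add(REDIRECTS_TO[dom])
        for ip in RESOLVES_TO.get(dom, ()):
            neighbours |= hosted_on(ip)
        for n in neighbours:
            if n not in seen:
                seen[n] = seen[dom] + 1
                queue.append(n)
    return seen  # domain -> hops from the seed


def score(domain, today):
    """0..3 from the post's heuristics: young domain, crowded hosting, part of a redirect chain."""
    s = 0
    if (today - FIRST_SEEN[domain]).days < YOUNG_DOMAIN_DAYS:
        s += 1
    if any(len(hosted_on(ip)) >= CROWDED_IP_THRESHOLD for ip in RESOLVES_TO.get(domain, ())):
        s += 1
    if domain in REDIRECTS_TO or domain in REDIRECTS_TO.values():
        s += 1
    return s


def investigate(seed, today=date(2020, 4, 3)):
    """Return {domain: (hops_from_seed, score)} for everything reachable from the seed."""
    return {d: (hops, score(d, today)) for d, hops in pivot(seed).items()}


if __name__ == "__main__":
    for dom, (hops, s) in sorted(investigate("mygoodmask[.]com").items(), key=lambda kv: -kv[1][1]):
        print(f"{dom:28} hops={hops} score={s}")
```

The scores are a triage aid for deciding which observables to add to a casebook, not a disposition on their own.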

The post Buyers Beware: Scamming Is Rife, Especially In a Time of Crisis appeared first on Cisco Blogs.


Trickbot: A primer

By Talos Group
In recent years, the modular banking trojan known as Trickbot has evolved to become one of the most advanced trojans in the threat landscape. It has gone through a diverse set of changes since it was first discovered in 2016, including adding features that focus on Windows 10 and modules that target point of sale (POS) systems. Not only does it function as a standalone trojan, Trickbot is also commonly used as a dropper for other malware such as the Ryuk ransomware. The wide range of functionality allows this malware to adapt to different environments and maximize effectiveness in a compromised network.
Read More >>
The post Trickbot: A primer appeared first on Cisco Blogs.


Zero chance of tackling zero trust without a platform approach

By Ben Munroe
Zero trust has gone mainstream. Everyone’s either promoting the concept, offering solutions to address the challenge, or just wanting to understand what it’s all about. And that’s the trouble: it means different things to different people, especially the word “trust,” which is a loaded term in security.
Just as we don’t trust hackers and cybercriminals, we do want to trust our employees, contractors, and business partners, don’t we? How do we succeed in business, after all, without trusting our users and guests to seamlessly access our data and resources?
That’s actually where zero trust comes in. We permit users to access the resources they need to get their jobs done. We try to stay out of our users’ way when we can. And we don’t do so blindly. We put safeguards in place to make sure users don’t leverage their access for wrongdoing, and that outsiders don’t usurp that access to carry out attacks.
As discussed on a recent security podcast, while zero trust is not new, it is now moving from the realm of hype to a pragmatic, accepted standard. In fact, Cisco was recently named a leader in the 2019 Forrester Zero Trust Wave.
Don’t let just anyone into your home…
Think of it this way. We choose to let certain visitors into our homes, but we don’t let just anybody in. We make sure we know them first, or that they can prove they’re from the plumbing company we called, for example.
We have security cameras so we can watch what people are doing when they approach our home and door. We have locks on our doors, and fences and gates around our yards, so we can decide who gets in and out. And when people do come in, we often confine them to certain areas of the house.
In a nutshell, that’s what zero trust is for our computing environments. It’s a comprehensive approach to securing access across your networks, applications, and infrastructure – including access from users, computers, phones, IoT devices, cloud applications, and more.

Amidst today’s complex computing environment, security teams are losing visibility into and control over who and what is accessing their networks and data. According to our 2020 CISO Benchmark Report, 52 percent of respondents find mobile devices very or extremely challenging to defend. And, 52 percent also said that it is very or extremely challenging to secure data stored in the public cloud.
Traditional security solutions were based on the concept of a finite network perimeter. But with the evolution of today’s workplace, the perimeter has changed due to the introduction of technologies like cloud, mobile, and the internet of things (IoT). We can no longer base security on the location from which an access request originates – because today’s users and devices are everywhere.
Cisco Zero Trust
By verifying the validity of every access request, no matter which user, location, and device it comes from, zero trust ensures that only the right users and devices get access, and that attackers cannot move laterally across the network. However, not all zero trust models are created equal.
[Image: Cisco Zero Trust protects your workforce, workloads, and workplace.]
Some zero trust solutions focus on just one component of your ecosystem, while Cisco Zero Trust offers comprehensive security across your workforce, workloads, and workplace, and dynamically adjusts to address new levels of risk. Cisco also extends zero trust across our security portfolio, and to third-party technologies, to enhance visibility and policy enforcement across your entire infrastructure.
In other words, your home security measures can protect your house and yard, but can they also secure the people, appliances, and other objects in and around your home?

[Video: Cisco Zero Trust]
Main components of Cisco Zero Trust
Zero trust is a framework and way of doing security, versus a single product or solution. That’s why vendors who want to sell you a single product to solve your zero trust challenges should be looked at with suspicion. Zero trust takes the precise coordination of people, processes, and technology to do it right. The key pillars of Cisco’s zero trust strategy include the following:
Secure your workforce
Duo Security secures your workforce, ensuring that only the right users and devices can access applications. It helps protect your users and their devices against stolen credentials, phishing, and other identity-based attacks. And, it verifies users’ identities and establishes device trust before granting access to applications – from any location.
According to Vivian Ho, Software Engineer at Lyft, “My team’s main objective is to design and build tools and services that help keep Lyft’s infrastructure and data safe, and we believe Duo is a trusted partner in this journey…we see Duo serving as a core technology building block to enable our zero trust security philosophy.”
Protect your workload
Cisco Tetration protects your workloads, securing all connections within your applications across data centers and multi-cloud environments. It contains breaches and minimizes lateral movement through application micro-segmentation.
“Tetration gives me 20/20 vision in the data center,” said Eugene Pretorius, CIO of Infrastructure and Security at First National Bank. “It’s the only tool in the world that can show what is happening across the network, application, and server planes all on one screen.”
Defend your workplace
Cisco SD-Access segments your workplace, securing user and device connections across your network, including for IoT devices like cameras, manufacturing equipment, heart pumps, and more.
“With Cisco SD-Access, we can automate and apply segmentation and security policies to our network devices up to 10 times faster than before,” said Frank Weiler, who heads up the networking department for the City of Luxembourg.

Cisco SecureX – A platform approach to zero trust
The above technologies work together, and with other Cisco and third-party technologies, through our platform approach to security – SecureX. Today’s security professionals can no longer get by with siloed technologies. With SecureX, the whole is greater than the sum of its parts as multiple security technologies are integrated to share information and work together as a team. Ninety-five percent of customers say SecureX is valuable for helping them take action and remediate threats.
[Image: Cisco SecureX is the industry’s broadest, most integrated security platform.]
Much like the security sensors on the windows in your home can trigger an alarm, which alerts your home security provider, who can call the police – SecureX seamlessly unifies visibility, enables automation, and strengthens security across network, endpoint, cloud, and applications. It’s all about greater simplicity and better security.
At the heart of our platform approach is the belief that security solutions should learn from one another and respond as a coordinated unit. And, that security should be built in versus bolted on, making it more holistic and effective. With this kind of strategy, implementing zero trust becomes less of a manual, onerous process, and more of an invisible, yet powerful means of protecting your environment – reducing the attack surface and accelerating incident response.
Get started with zero trust
Protect your network like you protect your home. Go to cisco.com/go/zero-trust and cisco.com/go/securex for further details.
The post Zero chance of tackling zero trust without a platform approach appeared first on Cisco Blogs.


Stealing passwords with credential dumping

By Ben Nahorney
What’s the quickest way to access a computer? Logging in. As obvious as this may sound, it’s worth reflecting on this. Because while logging in is so second nature that you probably don’t give it much consideration, it’s also one of the most common techniques for taking over a computer.
From a malicious standpoint, stealing and using legitimate credentials to gain access is more likely to go undetected as an attacker attempts to move through a network. Dropping a trojan or exploiting a vulnerability can certainly gain you initial access, but authorized credentials help you navigate laterally under the radar.
It’s no wonder that login credentials are a primary target of bad actors. According to Verizon’s 2019 Data Breach Investigations Report, using stolen credentials was the second-most common activity conducted by attackers during a breach.
So how do bad actors go about stealing credentials? Some techniques are well known, others not as much.
The usual suspects
Phishing emails are by far the most popular method to steal credentials. As we’ve discussed in the past, the scams take many forms, from notifications that there’s a document online that you should view, to notifications of upgrades to your account.
Keyloggers—another common tool for stealing credentials—sit in the background and log keystrokes on a compromised computer. An attacker can load up a keylogger, then wait for it to record credentials as they are input into the computer.
While these are popular methods for stealing credentials, they aren’t the only options. When an attacker gains access to a system, it turns out there’s a veritable gold mine of credentials that they can attempt to access. This is where a technique called credential dumping comes in. While end users may not be aware of it, credential dumping is actually a wildly popular technique whereby an attacker scours a compromised computer for credentials in order to move laterally and/or carry out further attacks. Users may be familiar with headlines touting phishing or keylogging attacks, but credential dumping often receives less widespread attention; however, this only underscores the importance of understanding the attack method.
Credential dumping
There are a variety of places within operating systems where credentials are stored for use in everyday operation. If an attacker can gain access to a particular system, they can attempt to locate, copy, and “dump” the credentials.
Credential dumping is possible mainly because software and operating systems have worked to reduce the number of times a user is required to enter their password. Oftentimes, operating systems store passwords in memory, databases, or files. The idea is that the operating system will ask for a password, but then use the cached password for successive logins in the short term, saving the user from having to enter it again.
Tools of the trade
Problems arise when an attacker gains low-level access to a computer. If the attacker can execute code, he or she can extract credentials from memory with various credential dumping tools. There are several tools an attacker can wield to steal credentials in these cases. Tools like gsecdump, creddump, and PWDumpX can be used in a variety of ways to steal credentials.
However, the most popular credential dumping tool by far is Mimikatz. Developed in 2007 by Benjamin Delpy, it began as a tool to highlight a flaw in Microsoft Windows Local Security Authority Subsystem Service (LSASS). LSASS stores credentials so that users don’t have to log in repeatedly each time they want to access system resources. While the flaw in question was eventually fixed, Mimikatz evolved to become an important tool for penetration testers and other security professionals to check for credential dumping weaknesses within systems. Unfortunately, it has become a popular tool for malicious actors as well.

Where to steal
An attacker can pull credentials from different areas on a system. With access to a regular endpoint computer, an attacker can look for credentials in the following locations.
WDigest: This is a legacy protocol used to authenticate users in Windows. When enabled, LSASS keeps a plain-text copy of the logged-in user’s password in memory. While the service is disabled by default nowadays, it still exists in the latest versions of Windows, and attackers often enable it in order to steal credentials.
Security Accounts Manager (SAM): This is a database file that’s existed in Windows since the XP days. SAM is used to authenticate users, both local and remote, allowing access when the provided credentials match what SAM has on file. If this file is stolen by attackers, it can potentially be decrypted, and the usernames and passwords stored within can be extracted.
LSA Secrets: The Local Security Authority (LSA) manages authentication and the logging in of users on a Windows system, as well as the local security policy for a computer. Sensitive data used by this subsystem is stored in a protected storage area called “LSA secrets.”
Kerberos: The Kerberos protocol was specifically designed for strong, secure authentication. It does so through a ticketing system, granting various permissions to users and services. Attacks against Kerberos generally involve forging or injecting stolen Kerberos tickets to gain access.
If an attacker manages to get onto a domain controller—the network server responsible for managing authentication on the domain—then there are additional areas where credentials are stored.
NTDS: This is where Active Directory stores information about members of a domain in order to verify users and credentials.
Group Policy Preference files: This Windows tool lets administrators roll up domain policies to include embedded credentials, making administration easier. These policies are generally stored in a share called SYSVOL, which any domain user can view, and potentially decrypt.
DCSync: Instead of a location, DCSync is a technique where an attacker takes advantage of the way domain controllers handle available API calls. In short, the attacker mimics the behavior of another domain controller through API calls and gets the controller to send over credential hashes that can be used in further attacks.
Using the credentials
Once an attacker has gathered credentials, how do they use them? It’s pretty straightforward when it comes to usernames and passwords that have been stolen through phishing or keylogging, or that were stolen and successfully decrypted.
However, not all credentials can easily be decrypted. You may think that that’s the end of the line in these cases. Unfortunately, that’s not the case. There’s a whole group of attack techniques centered around using these credentials as-is.
For instance, consider that many usernames and passwords are stored encrypted (a.k.a. “hashed”) on the authenticating server. When you log into one of these services, the server generally decrypts the stored password and compares the two. Another way to compare is to encrypt the password that arrives, then compare it to the encrypted password on file. Either way, if there’s a match, access is granted.
If an attacker manages to steal user credentials but can’t decrypt them, they can attempt to pass them to the authentication server as they are. If the server simply compares the two hashed passwords and they match, access is granted. This technique is often called “passing the hash.”
There are a number of similar authentication attacks. For instance, an attacker could also dump Kerberos tickets from a compromised system, then use them to authenticate in a similar fashion. As a variation on the overall theme, this attack is called “pass the ticket.”
There are plenty of variations out there. An attacker can “overpass the hash,” by which they pass a hash to an NT LAN Manager in the hope that it will pass them back a Kerberos ticket, which they can then use to log into network resources. There are also techniques that can grant them “golden” and “silver” Kerberos tickets, which, as the names suggest, offer elevated privileges and access throughout a network administered by Kerberos.
What to do
Fortunately, there are many ways to defend against credential dumping.
Monitor access to services like LSASS and databases like SAM.
Keep an eye out for command-line arguments used in credential dumping attacks.
On domain controllers, monitor logs for unscheduled activity.
Look out for unexpected connections from IP addresses not assigned to known domain controllers.
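The four defenses above can be expressed as detection rules over endpoint and domain-controller telemetry. The block below is an added example written for this post, not Cisco or AMP code: the event schema is a constructed simplification (loosely modelled on process-access, process-create and directory-replication audit records), and the domain controller addresses, hostnames, change window and LSASS allowlist are placeholder values an analyst would replace with their own inventory.

```python
"""Detection rules for the four credential-dumping defenses listed above.

Added example, not Cisco/AMP code. Input records use a constructed, simplified
schema (loosely modelled on process-access / process-create endpoint events and
directory-replication audit events recorded on a domain controller).
"""
import re
from datetime import datetime
from typing import Callable, Dict, Iterable, List, Optional

# Constructed environment facts; in practice these come from inventory / AD.
KNOWN_DC_IPS = {"10.0.0.10", "10.0.0.11"}        # hosts allowed to request replication
KNOWN_DC_HOSTS = {"dc01", "dc02"}                # where "unscheduled activity" matters
MAINTENANCE_HOURS = range(8, 18)                 # approved change window (local hours)
LSASS_ACCESS_ALLOWLIST = {r"c:\program files\edr\agent.exe"}  # processes expected to open LSASS

# Command lines that name the credential stores discussed in the post.
CREDENTIAL_STORE_PATTERNS = [
    re.compile(r"lsass", re.I),
    re.compile(r"ntds\.dit", re.I),
    re.compile(r"hklm\\(sam|security)\b", re.I),
]

Event = Dict[str, str]
Rule = Callable[[Event], Optional[str]]


def rule_lsass_access(ev: Event) -> Optional[str]:
    """Defense 1: a process other than the allowlisted agents opened LSASS."""
    if ev.get("event") != "process_access":
        return None
    target = ev.get("target_image", "").lower()
    source = ev.get("source_image", "").lower()
    if target.endswith("\\lsass.exe") and source not in LSASS_ACCESS_ALLOWLIST:
        return "lsass_access_from_unexpected_process"
    return None


def rule_credential_store_cmdline(ev: Event) -> Optional[str]:
    """Defense 2: a command line references SAM, NTDS or LSASS."""
    if ev.get("event") != "process_create":
        return None
    cmd = ev.get("command_line", "")
    if any(p.search(cmd) for p in CREDENTIAL_STORE_PATTERNS):
        return "credential_store_referenced_on_command_line"
    return None


def rule_dc_off_hours(ev: Event) -> Optional[str]:
    """Defense 3: process creation on a domain controller outside the change window."""
    if ev.get("event") != "process_create" or ev.get("host") not in KNOWN_DC_HOSTS:
        return None
    hour = datetime.fromisoformat(ev["time"]).hour
    if hour not in MAINTENANCE_HOURS:
        return "dc_activity_outside_window"
    return None


def rule_replication_from_non_dc(ev: Event) -> Optional[str]:
    """Defense 4: a replication request (the DCSync pattern) from a non-DC address."""
    if ev.get("event") != "dir_replication":
        return None
    if ev.get("source_ip") not in KNOWN_DC_IPS:
        return "replication_request_from_non_dc"
    return None


RULES: List[Rule] = [rule_lsass_access, rule_credential_store_cmdline,
                     rule_dc_off_hours, rule_replication_from_non_dc]


def detect(events: Iterable[Event]) -> List[Dict[str, str]]:
    """Run every rule over every event; one alert per (event, rule) hit, in input order."""
    alerts = []
    for ev in events:
        for rule in RULES:
            name = rule(ev)
            if name:
                alerts.append({"rule": name, "host": ev.get("host", "?"), "time": ev.get("time", "?")})
    return alerts


# Constructed sample telemetry: a benign and a suspicious record for each defense.
SAMPLE_EVENTS: List[Event] = [
    {"event": "process_access", "host": "ws17", "time": "2020-04-01T10:15:00",
     "source_image": r"C:\Program Files\EDR\agent.exe",
     "target_image": r"C:\Windows\System32\lsass.exe"},
    {"event": "process_access", "host": "ws17", "time": "2020-04-01T10:16:00",
     "source_image": r"C:\Users\jdoe\AppData\Local\Temp\update.exe",
     "target_image": r"C:\Windows\System32\lsass.exe"},
    {"event": "process_create", "host": "ws17", "time": "2020-04-01T10:20:00",
     "command_line": r"notepad.exe C:\Users\jdoe\notes.txt"},
    {"event": "process_create", "host": "dc02", "time": "2020-04-01T10:21:00",
     "command_line": r"cmd.exe /c copy C:\Windows\NTDS\ntds.dit D:\tmp\ntds.bak"},
    {"event": "process_create", "host": "dc02", "time": "2020-04-01T23:05:00",
     "command_line": r"cmd.exe /c dir C:\Temp"},
    {"event": "dir_replication", "host": "dc01", "time": "2020-04-01T22:40:00", "source_ip": "10.0.0.11"},
    {"event": "dir_replication", "host": "dc01", "time": "2020-04-01T22:41:00", "source_ip": "10.0.5.23"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Each rule is deliberately narrow: the LSASS rule keys on the target image rather than on any tool name, the command-line rule only matches references to the stores the post lists, and the replication rule treats any request from outside the known domain controller set as the DCSync pattern. Tuning the allowlists and the change window to the environment is what keeps the false-positive rate manageable.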
The security capabilities found in AMP for Endpoints can continuously analyze and monitor file and process activity. AMP can automatically generate alerts at the first sign of malicious behavior, such as when an attacker attempts to spawn an unauthorized LSASS process, quickly stopping attacks in their tracks before they can cause any further damage.
Of course, if an attacker does manage to steal credentials, using multi-factor authentication (MFA) can prevent the attacker from actually using them to gain access to other systems. Cisco Duo protects your systems by using a second source of validation to verify user identity before granting access.
Even better, combine the powers of AMP and Duo to reduce the attack surface by allowing AMP to notify Duo when an endpoint has potentially been compromised, allowing Duo to automatically block that endpoint from accessing critical apps that Duo is protecting.
A zero-trust strategy can also go a long way to limit or prevent an attacker from moving laterally through a network. Cisco Identity Services Engine simplifies the delivery of consistent, highly secure access control across all network connections. With far-reaching, intelligent sensor and profiling capabilities, ISE can reach deep into the network to deliver superior visibility into who and what are accessing resources, preventing unwanted access as a result.
The post Stealing passwords with credential dumping appeared first on Cisco Blogs.

Source:: Cisco Security Notice

COVID-19 relief package provides another platform for bad actors

By Talos Group The ongoing COVID-19 pandemic continues to yield new subject matter that bad actors can turn into fodder for enticing victims into clicking on malicious links and attachments. On March 27, the CARES Act was signed into law by the President, enacting a wide range of stimulus packages designed to aid Americans and businesses during the crisis. One such measure will authorize a supplemental stimulus check to American citizens.
Along with the general increase in coronavirus and COVID-19-themed attacks, this stimulus package will also be leveraged as a lure to deliver additional attacks to harm the unsuspecting victim into divulging personal information or be subject to financially based exploitation.
Talos has already detected an increase in suspicious stimulus-based domains being registered and we anticipate they will be leveraged to launch malicious campaigns against users.
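Watching for stimulus-themed registrations, as the post describes, can be turned into a simple triage pass over a feed of newly registered domains. The block below is an added example written for this post, not Talos tooling: the domain list and the allowlisted legitimate owner are constructed (using the reserved .example TLD), and the lure vocabulary is drawn from the themes the post names (stimulus checks, the CARES Act, COVID-19).

```python
"""Triage newly registered domains for stimulus-themed lures.

Added example, not Talos tooling. The domain list and allowlist are constructed;
the lure vocabulary comes from the themes the post names.
"""
import re
from typing import Dict, List

STRONG_TERMS = ["stimulus", "caresact", "covid", "coronavirus"]  # theme words: enough on their own
WEAK_TERMS = ["relief", "check", "payment"]                       # generic: only raise the score
ALLOWLIST = {"treasury.example"}                                   # constructed legitimate owner

# Undo common digit-for-letter substitutions used to slip past keyword filters.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"})


def is_allowlisted(domain: str) -> bool:
    """True when the domain is, or is a subdomain of, an allowlisted registrable domain."""
    d = domain.lower().rstrip(".")
    return any(d == a or d.endswith("." + a) for a in ALLOWLIST)


def normalize(domain: str) -> str:
    """Drop the TLD, undo leetspeak, keep letters only so hyphens and digits cannot split a keyword."""
    labels = domain.lower().rstrip(".").split(".")
    name = ".".join(labels[:-1]) if len(labels) > 1 else labels[0]
    return re.sub(r"[^a-z]", "", name.translate(LEET))


def score(domain: str) -> Dict[str, object]:
    """Score a single domain: 2 points per theme word, 1 per generic word."""
    text = normalize(domain)
    strong = [t for t in STRONG_TERMS if t in text]
    weak = [t for t in WEAK_TERMS if t in text]
    return {"domain": domain, "terms": strong + weak,
            "score": 2 * len(strong) + len(weak), "has_theme": bool(strong)}


def flag_lure_domains(domains: List[str]) -> List[Dict[str, object]]:
    """Return the domains worth analyst attention, in input order.

    A domain is flagged only when at least one theme word is present, so that
    generic terms alone ("relief-payment") do not produce an alert.
    """
    flagged = []
    for d in domains:
        if is_allowlisted(d):
            continue
        s = score(d)
        if s["has_theme"]:
            flagged.append(s)
    return flagged


# Constructed sample feed, not Talos telemetry.
SAMPLE_NEW_DOMAINS = [
    "stimuluscheck-claim.example",
    "cares-act-payment.example",
    "get-c0vid19-relief.example",   # leetspeak hides "covid"
    "relief-payment.example",       # generic words only: not flagged
    "shop.example",
    "stimulus.treasury.example",    # subdomain of the allowlisted owner
]

if __name__ == "__main__":
    for hit in flag_lure_domains(SAMPLE_NEW_DOMAINS):
        print(hit["score"], hit["domain"], hit["terms"])
```

The score is meant for ordering an analyst queue, not as a verdict on its own; a keyword hit on a newly registered domain is one indicator, and in the spirit of the roundup notes elsewhere on this page it should be combined with other evidence (registration age, hosting, certificate history) before blocking.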

The post COVID-19 relief package provides another platform for bad actors appeared first on Cisco Blogs.

Source:: Cisco Security Notice

Threat Roundup for March 20 to March 27

By Talos Group
Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between Mar 20 and Mar 27. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.
As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.
Read More
Reference:
20200327-tru.json – This is a JSON file that includes the IOCs referenced in this post, as well as all hashes associated with the cluster. The list is limited to 25 hashes in this blog post. As always, please remember that all IOCs contained in this document are indicators, and that one single IOC does not indicate maliciousness. See the Read More link above for more details.
The post Threat Roundup for March 20 to March 27 appeared first on Cisco Blogs.

Source:: Cisco Security Notice