Cisco Threat Research Blog
Threat intelligence for Cisco Products
We detect, analyze, and protect customers from both known and unknown emerging threats
Why we want users’ feedback on Snort rule documentation
Today, Talos is launching a new community survey to solicit feedback on SNORTⓇ documentation.
When Snort alerts the end user, the rule documentation is their first and possibly only avenue to find information on malicious traffic in their network. We know this can be better, and we want your help in determining what we can do to make Snort users more knowledgeable and provide them more information.
So, we’re polling the community to find out what they need. To facilitate this, we’re sending out a five-minute survey to all users. We also plan to add feedback options to Snort documentation pages so users can communicate with us on an ongoing basis.
With the feedback we receive from the survey, our analysts can provide targeted information to communicate the most useful details on rule alerts. The more information we gather on customer frustrations, the better chance we have of finding ways to solve them to create a community and customer base with the right arsenal to overcome their security challenges.
For more information on this survey process, read the entire Snort blog post on this matter here. You can fill out the survey here.
Microsoft Patch Tuesday — January 2019: Vulnerability disclosures and Snort coverage
Microsoft released its monthly security update today, disclosing a variety of vulnerabilities in several of its products. The latest Patch Tuesday covers 49 vulnerabilities, seven of which are rated “critical,” 40 that are considered “important” and one that is “moderate.” This release also includes a critical security advisory for multiple bugs in Adobe Flash Player.
This month’s security update covers security issues in a variety of Microsoft’s products, including the Jet Database Engine, Office SharePoint and the Chakra Scripting Engine. Check out Talos’ complete coverage of Microsoft Patch Tuesday here.
Vulnerability Spotlight: Multiple privilege escalation vulnerabilities in CleanMyMac X
Tyler Bohan of Cisco Talos discovered these vulnerabilities.
Executive summary
Today, Cisco Talos is disclosing several vulnerabilities in MacPaw’s CleanMyMac X software. CleanMyMac X is a cleanup application for Mac operating systems that allows users to free up extra space on their machines by scanning for unused or unnecessary files and deleting them. In all of these bugs, an attacker with local access to the victim machine could modify the file system as root.
In accordance with our coordinated disclosure policy, Cisco Talos worked with MacPaw to ensure that these issues are resolved and that an update is available for affected customers.
Threat Roundup for Dec. 14 to Dec. 21
Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between Dec. 14 and Dec. 21. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.
As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.
Read More at Talosintelligence.com
Reference
TRU1221 – This is a JSON file that includes the IOCs referenced in this post, as well as all hashes associated with the cluster. The list is limited to 25 hashes in this blog post. As always, please remember that all IOCs contained in this document are indicators, and that one single IOC does not indicate maliciousness. See the Read More link above for more details.
Submissions for talks at the 2019 Talos Threat Research Summit are now open
Cisco Talos is happy to announce that the Talos Threat Research Summit is returning in 2019. This time, we are expanding the number of attendees to 500 — double what we had last year.
Next year’s conference will take place on June 9 in San Diego, Calif. — the same day that Cisco Live! kicks off. We are also opening our call for proposals now, which can be found here.
For more, check out our full post at TalosIntelligence.com.
Talos’ Malware Year in Review
It was easy to see a wild year coming in cybersecurity. It started with a bang, with Olympic Destroyer targeting the Winter Olympics in February in an attempt to disrupt the opening ceremonies.
Things only got crazier from there, with cryptocurrency miners popping up everywhere, and VPNFilter taking the world by storm over the summer. There was never a shortage of cybersecurity news this year, and Talos was there to dissect all of it.
As the year wraps up, Talos takes a look back on the most prominent malware we discovered and the major trends we saw — some of which we expect to continue into 2019.
Read more at TalosIntelligence.com.
As Cryptocurrency Crash Continues, Will Mining Threat Follow?
Post authored by Nick Biasini.
Executive Summary
As 2018 draws to a close, one technology has definitively left its mark on the year: cryptocurrencies. Digital currencies started the year out strong after a meteoric rise toward the end of 2017. Since then, it’s safe to say that cryptocurrencies have had a massive impact globally, especially on the threat landscape. However, 2018 is ending on a sour note for these currencies, as they have been in steady decline, ending in a sudden drop resulting in losses in excess of 75 percent of their value from the highs of late 2017 and early 2018.
Malicious cryptocurrency mining became the new payload of choice for adversaries, offering recurring revenue and dislodging the lump-sum payouts of threats like ransomware from the top of the threat landscape.
But the sudden collapse of the market, after a gradual decline, raises the question about how the threat landscape would be impacted, if at all. Despite conventional wisdom, Cisco Talos hasn’t seen a notable shift away from cryptocurrency mining. We have seen pockets of movement, but they have lived explicitly in the email space where both threat distribution and botnets play a crucial role. As 2018 proceeded, adversaries have shifted payloads in the email space away from cryptocurrency mining and toward more modular threats like Emotet and remote access trojans (RATs). Talos is also releasing another blog today outlining some of the campaigns we’ve seen recently from some well-known actors who have a history with cryptocurrency mining.
After reviewing the real-world impact and associated data, it appears that cryptocurrency mining is not slowing down, and if anything, could be slightly increasing in frequency for certain aspects of the landscape. As we move into 2019, it’s likely that the payloads of choice will continue to diverge between different aspects of the threat landscape. Regardless, enterprises need to be prepared to deal with malicious or unauthorized cryptocurrency mining activities on their respective networks, because it’s not going away — at least not yet.
Connecting the dots between recently active cryptominers
Post authored by David Liebenberg and Andrew Williams.
Executive Summary
Through Cisco Talos’ investigation of illicit cryptocurrency mining campaigns in the past year, we began to notice that many of these campaigns shared remarkably similar TTPs, which we at first mistakenly interpreted as being attributed to a single actor. However, closer analysis revealed that a spate of illicit mining activity over the past year could be attributed to several actors that have netted them hundreds of thousands of U.S. dollars combined.
This blog examines these actors’ recent campaigns, connects them to other public investigations and examines commonalities among their toolsets and methodologies.
We will cover the recent activities of these actors:
- Rocke — A group that employs Git repositories, HTTP File Servers (HFS), and Amazon Machine Images in their campaigns, as well as a myriad of different payloads, and has targeted a wide variety of servers, including Apache Struts 2, Jenkins and JBoss.
- 8220 Mining Group — Active since 2017, this group leverages Pastebin sites, Git repositories and malicious Docker images. The group targets Drupal, Hadoop YARN and Apache Struts 2.
- Tor2Mine — A group that uses tor2web to deliver proxy communications to a hidden service for command and control (C2).
These groups have used similar TTPs, including:
- Malicious shell scripts masquerading as JPEG files with the name “logo*.jpg” that install cron jobs and download and execute miners.
- The use of variants of the open-source miner XMRig intended for botnet mining, with versions dependent on the victim’s architecture.
- Scanning for and attempting to exploit recently published vulnerabilities in servers such as Apache Struts 2, Oracle WebLogic and Drupal.
- Malicious scripts and malware hosted on Pastebin sites, Git repositories and domains with .tk TLDs.
- Tools such as XHide Process Faker, which can hide or change the name of Linux processes, and PyInstaller, which can convert Python scripts into executables.
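A defender-side check for the first shared TTP above, as an added example that is not Talos code: it flags logo*.jpg files that lack the JPEG start-of-image marker and instead carry a script, and lists crontab entries that reference such a file. The sample files and crontab text are constructed inline.

```python
"""Spot shell scripts masquerading as logo*.jpg and the cron entries that run them.
Added example, not Talos tooling; all sample data below is constructed."""
import os
import re
import tempfile

JPEG_MAGIC = b"\xff\xd8\xff"  # JPEG start-of-image marker
CRON_RE = re.compile(r"logo\w*\.jpg")


def is_fake_jpeg(path):
    """True if a file lacks the JPEG magic and looks like a text script."""
    with open(path, "rb") as f:
        head = f.read(512)
    if head.startswith(JPEG_MAGIC):
        return False
    # A shebang or an all-ASCII header is a script, not image data.
    return head.startswith(b"#!") or head.isascii()


def find_fake_jpegs(root):
    """Walk root and return logo*.jpg paths whose content is not a JPEG."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            lower = name.lower()
            if lower.startswith("logo") and lower.endswith(".jpg"):
                path = os.path.join(dirpath, name)
                if is_fake_jpeg(path):
                    hits.append(path)
    return sorted(hits)


def crontab_refs(crontab_text):
    """Return non-comment crontab lines that reference a logo*.jpg artifact."""
    return [ln for ln in crontab_text.splitlines()
            if not ln.lstrip().startswith("#") and CRON_RE.search(ln)]


def demo():
    """Constructed sample: one real JPEG header, one script with a .jpg name."""
    d = tempfile.mkdtemp()
    with open(os.path.join(d, "logo1.jpg"), "wb") as f:
        f.write(b"#!/bin/sh\necho constructed sample\n")  # script, not an image
    with open(os.path.join(d, "logo.jpg"), "wb") as f:
        f.write(JPEG_MAGIC + b"\xe0" + b"\x00" * 32)  # benign JPEG header
    crontab = ("# constructed sample crontab\n"
               "*/10 * * * * /tmp/logo1.jpg\n"
               "0 3 * * * /usr/bin/backup\n")
    return [os.path.basename(p) for p in find_fake_jpegs(d)], crontab_refs(crontab)
```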
We were also able to link these groups to other published research that had not always been attributed to the same actor. These additional campaigns demonstrate the breadth of exploitation activity that illicit cryptocurrency mining actors have engaged in.
The recent decline in the value of cryptocurrency is sure to affect the activities of these adversaries. For instance, Rocke began developing destructive malware that posed as ransomware, diversifying their payloads as a potential response to declining cryptocurrency value. This was a trend that the Cyber Threat Alliance had predicted in their 2018 white paper on the illicit cryptocurrency threat. However, activity on Git repositories connected to the actors demonstrates that their interest in illicit cryptocurrency mining has not completely abated. Talos published separate research today covering this trend.
Threat Roundup for Dec. 7 to Dec. 14
Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between Dec. 7 and Dec. 14. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.
As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.
Read More at Talosintelligence.com
TRU1207-1214