Cisco Threat Research Blog

Threat intelligence for Cisco Products

We detect, analyze, and protect customers from both known and unknown emerging threats

Continued Escalation of Tensions in the Middle East

Cisco Talos works with many organizations around the world, monitoring and protecting against sophisticated threats every day. As such, we are watching the current state of events in the Middle East very closely for our customers and partners who may be impacted by the ongoing situation. We are continuing to evaluate potential threats and attack vectors, especially related to critical infrastructure and high-profile businesses and industries.

A challenge with protecting against state-sponsored campaigns is that the primary and ideal targets are potentially already compromised, either by a specific adversary or by allies who would be amenable to acting on its behalf. In previous research, Talos has observed footholds like this that can go undetected for extended periods, waiting to be modified remotely to carry out a variety of malicious activities.

It may be difficult for primary target organizations to detect activity and defend themselves at the perimeter. Hopefully, they have employed a layered defense, which should include two-factor authentication, network segmentation and endpoint protection.

Of course, the potential also exists for the adversary to move away from a targeted maneuver to more broadly focused disruptions that could incorporate a much wider array of businesses and even consumers. This means that everyone should view this as a wake-up call — shore up defenses, update/patch your devices and focus on cyber hygiene. Employ authentication everywhere, beware of suspicious links, emails, etc. — phishing/credential theft continues to be popular among attackers. Every business should at least take a second look at every strange thing they see — don’t ignore anomalous activities, take the time to see if there is something nefarious at the end of the tunnel.

While prior campaigns in the region have heavily relied on wiper malware, this is no guarantee that future campaigns will continue this trend. At times like this, vigilance is key.

Read More >>

Cisco ASA DoS Bug Attacked in Wild

This post authored by Nick Biasini

Cisco Talos has recently noticed a sudden spike in exploitation attempts against a specific vulnerability in our Cisco Adaptive Security Appliance (ASA) and Firepower Appliance. The vulnerability, CVE-2018-0296, is a denial-of-service and information disclosure directory traversal bug found in the web framework of the appliance. An attacker can use a specially crafted URL to cause the ASA appliance to reboot or to disclose information without authentication.

This vulnerability was first observed being exploited publicly back in June 2018, but exploitation attempts have increased in frequency over the past several days and weeks. As such, we are advising all customers to ensure they are running a non-affected version of code. Additionally, we want to highlight that there is a Snort signature in place to detect this specific attack (SID 46897). Concerned customers should ensure it is enabled in the applicable policies so that this exploitation attempt is detected.

Read More >>

Threat Roundup for December 13 to December 20

Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between Dec 13 and Dec 20. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Read More

Reference:

TRU12202019 – This is a JSON file that includes the IOCs referenced in this post, as well as all hashes associated with the cluster. The list is limited to 25 hashes in this blog post. As always, please remember that all IOCs contained in this document are indicators, and that one single IOC does not indicate maliciousness. See the Read More link above for more details.

Incident Response Lessons From Recent Maze Ransomware Attacks

This post authored by JJ Cummings and Dave Liebenberg

This year, we have been flooded with reports of targeted ransomware attacks. Whether it’s a city, hospital, or large- or medium-sized enterprise — they are all being targeted. These attacks can result in significant damage and cost, and they have many different initial infection vectors. Recently, Talos Incident Response has been engaged with a couple of these attacks, which involved the use of targeted ransomware. The concept of targeted ransomware attacks is simple: Get access to a corporate network, gain access to many systems, encrypt the data on a large chunk of them, ask for a large lump sum payment to regain access to those systems, and profit.

The first widespread targeted ransomware attacks involved the SamSam ransomware, which Cisco Talos researchers first discovered in early 2016. Those attacks were incredibly profitable, despite ending in indictments from the U.S. government.

In 2019, there have been multiple players in this space, the most prolific of which has been the Ryuk campaigns that start with Emotet and Trickbot. Other targeted ransomware attacks have involved other types of ransomware and varied attack methodology. Included in this list is ransomware like LockerGoga, MegaCortex, Maze, RobbinHood, and Crysis, among others. More recently, attackers have taken the extra step of exfiltrating data and holding it hostage, which they claim they will release to the public unless payment is received, a form of doxxing.

Read More >>

Threat Roundup for December 6 to December 13

Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between Dec 6 and Dec 13. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Read More

Reference:

TRU12132019 – This is a JSON file that includes the IOCs referenced in this post, as well as all hashes associated with the cluster. The list is limited to 25 hashes in this blog post. As always, please remember that all IOCs contained in this document are indicators, and that one single IOC does not indicate maliciousness. See the Read More link above for more details.

Talos Vulnerability Discovery Year in Review – 2019

Introduction

Cisco Talos’ Systems Security Research Team investigates software, operating system, IoT and ICS vulnerabilities in order to discover them before malicious threat actors do. We provide this information to the affected vendors so that they can create patches and protect their customers as soon as possible. We strive to improve the security of our customers with detection content, which protects them while the vendor is creating, testing, and delivering the patch. These patches ultimately remove the vulnerability in question, which increases security not only for our customers but for everyone. After these patches become available, the Talos detection content becomes public as well. Talos regularly releases executive blogs (Vulnerability Spotlights) and in-depth analyses of vulnerabilities discovered by us. You can find all of the release information via the Talos Vulnerability Information page here.

Read the rest of the details on the Talos Blog

Threat Roundup for November 29 to December 6

Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between Nov 29 and Dec 6. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Read More

Reference:

TRU12062019 – This is a JSON file that includes the IOCs referenced in this post, as well as all hashes associated with the cluster. The list is limited to 25 hashes in this blog post. As always, please remember that all IOCs contained in this document are indicators, and that one single IOC does not indicate maliciousness. See the Read More link above for more details.

Threat Roundup for November 15 to November 22

Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between Nov 15 and Nov 22. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Read More

Reference:

TRU11222019 – This is a JSON file that includes the IOCs referenced in this post, as well as all hashes associated with the cluster. The list is limited to 25 hashes in this blog post. As always, please remember that all IOCs contained in this document are indicators, and that one single IOC does not indicate maliciousness. See the Read More link above for more details.

New research: Are you really ready for today’s security threats?

Your business invests in all the latest security technologies. You run training. You meet your compliance requirements for scans and tests. You can stand up in front of the board and say with confidence “we’ve got this covered.”

But are you as prepared as you think?

New research from ESG sheds new light on threat readiness. Read on for four key findings you can’t afford to ignore.

Want the full story? Join us for a webinar on Dec. 4, 2019. You can register here.

Complacency is the enemy: The best are never satisfied

According to ESG’s latest research on incident readiness trends, 92 percent of IT security practitioners surveyed feel “good to excellent” about their ability to quickly detect and respond to cyber incidents. On average, they scored themselves eight out of 10 that they could completely mitigate a destructive attack.

But all the evidence tells us that the reality is very different. In the same survey, 35 percent of respondents said they had suffered a destructive attack, and of those, 41 percent indicated that it took a month or more to detect the attack.

We know that the ability to prevent, detect and respond quickly to security incidents is a trained behavior — it has to be practiced.

ESG’s research specifically surveyed security professionals who had engaged in threat-readiness activities within the last 18 months, asking about a whole range of activities, including pen testing, tabletop exercises, red teaming and more.

“From ESG’s data, and our own experiences in the field, we see a degree of overconfidence about threat readiness,” Sean Mason, director of Talos Incident Response, said. “Being blunt, that’s dangerous. As a CIO or CISO responsible for the results of incident response efforts, it’s incumbent on you to paint a real picture of risk for your board, without sugarcoating.

The fact is, security is hard work, threats are always changing, and perfect defense is impossible — but the only thing to do is to keep striving for continuous improvement and avoid complacency. Keep plans up to date. Test them. Train hard, and don’t stop.”

Prioritize budget and be realistic about talent

Nine out of 10 organizations surveyed have performed incident readiness exercises in-house over the last 12-18 months. Of those respondents who have used internal teams and third-party service providers to perform incident readiness exercises, 58 percent say they perform the majority of their incident readiness exercises in-house. And that trend isn’t going away. More than half say they’ll hire or train more security analysts over the next 12–18 months to improve incident readiness.

This is hard to reconcile with the harsh reality of the IT talent gap. According to ESG’s 2019 Technology Spending Intentions Survey, cybersecurity remains the discipline most acutely affected by skills shortages.

“The truth is that simply due to market dynamics, most in-house IT teams struggle to recruit, let alone retain, the very best talent,” Mason said.

Whether a CIO sticks with a recruitment strategy or chooses to source expertise from specialist vendors, budget becomes the sticking point.

“Security teams consistently cite lack of budget as one of the biggest weaknesses in their threat readiness,” says Christina Richmond, principal analyst at ESG. “In fact, it’s often that only after suffering an attack does the business assign more budget to incident readiness.”

ESG found that less than a third of security teams have C-level involvement in all incident readiness activities.

“In our experience, organizations with the strongest security practices and the healthiest budgets are those where there is C-level engagement in the strategy. I’ve been lucky enough to experience it in my career, but it’s all too rare,” Mason said. “The sad truth is that it’s often only a breach that gets the attention of the CEO — and no CIO or CISO wants to have that conversation.”

Drive your security with metrics, not hopes and fears

The key to winning board-level sponsorship and budget for security is the same as for any business initiative: prove your value with data. That’s the language your CEO speaks.

Only 29 percent of survey respondents said they are able to regularly report metrics aligned to business, risk management and C-level objectives.

The numbers that talk the loudest?

“Look for the financial impact of security success: benchmark fines and legal settlements from breaches in your industry,” Mason said. “Estimate the impact on customer trust and brand goodwill, the cost of supply-chain downtime and employee productivity.”

ESG data indicates that only 29 percent of organizations are actually able to measure the financial impact of an incident today — there’s work still to do. But it’s important work. These measures will speak louder to a non-technical audience than operational metrics. And when you do use operational metrics, such as time to respond, put them in context with industry benchmarks to make them more meaningful.

Practice, don’t just assess

Security leaders have a wide range of tools in their incident-readiness kit, ranging from strategic maturity assessments to automated scans, tabletop exercises, penetration testing, threat hunting and more.

“Our research found the use of various incident response activities in the last 18 months was unbalanced,” says Richmond. “Assessments made up three of the top five activities most commonly performed; while actual practice exercises made up all of the bottom five.”

“In truth, you can’t say that you have a plan until you’ve tested it to see if it works,” says Mason. “That’s closing the loop from assessment, to plan development, to testing and back around to assessment. Running exercises and simulations is critical for ensuring that teams can react calmly and decisively when an incident happens.”

Discover the full findings from ESG’s research and pose your questions to Sean Mason and Christina Richmond on our free webinar on Dec. 4, 2019, 9 a.m. PST. Register now.

Find out how Cisco CX can help you improve your threat readiness.