Talos Group- Cisco blog

Subscribe to Talos Group- Cisco blog hírcsatorna Talos Group- Cisco blog
Frissítve: 43 perc 52 másodperc
2020. október 24.

Threat Roundup for October 16 to October 23

Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between October 16 and October 23. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Read More

Reference

20201023-tru.json – this is a JSON file that includes the IOCs referenced in this post, as well as all hashes associated with the cluster. The list is limited to 25 hashes in this blog post. As always, please remember that all IOCs contained in this document are indicators, and that one single IOC does not indicate maliciousness. See the Read More link above for more details.

The post Threat Roundup for October 16 to October 23 appeared first on Cisco Blogs.

2020. október 20.

Dynamic Data Resolver – Version 1.0.1 beta

Cisco Talos is releasing a new beta version of Dynamic Data Resolver (DDR) today. This release comes with a new architecture for samples using multi-threading. The process and thread tracing has been completely reimplemented.

We also fixed a few bugs and memory leaks. Another new feature is that the DDR backend now comes in two flavors: a release version and a debugging version. The latter will improve code quality and bug hunting. It helps to detect memory leaks and minor issues which are silently handled by the underlying DynamoRIO framework in the release version. We also improved the installer and the IDA plugin is now installed to the user plugin directory instead to the IDA installation directory under Program Files. The IDA plugin and all its dependencies are also now automatically installed by a script.

Fantastic news! DDR has won the HexRays IDA plugin contest 2020

READ MORE>>

The post Dynamic Data Resolver – Version 1.0.1 beta appeared first on Cisco Blogs.

2020. október 16.

Threat Roundup for October 9 to October 16

Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between October 9 and October 16. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Read More

Reference

20201016-tru.json – this is a JSON file that includes the IOCs referenced in this post, as well as all hashes associated with the cluster. The list is limited to 25 hashes in this blog post. As always, please remember that all IOCs contained in this document are indicators, and that one single IOC does not indicate maliciousness. See the Read More link above for more details.

The post Threat Roundup for October 9 to October 16 appeared first on Cisco Blogs.

2020. október 13.

Lemon Duck brings cryptocurrency miners back into the spotlight

Attackers are constantly reinventing ways of monetizing their tools. Cisco Talos recently discovered a complex campaign employing a multi-modular botnet with multiple ways to spread. This threat, known as “Lemon Duck,” has a cryptocurrency mining payload that steals computer resources to mine the Monero virtual currency. The actor employs various methods to spread across the network, like sending infected RTF files using email, psexec, WMI and SMB exploits, including the infamous Eternal Blue and SMBGhost threats that affect Windows 10 machines. Some variants also support RDP brute-forcing. In recent attacks we observed, this functionality was omitted. The adversary also uses tools such as Mimikatz, that help the botnet increase the amount of systems participating in its mining pool.

Read More >>

The post Lemon Duck brings cryptocurrency miners back into the spotlight appeared first on Cisco Blogs.

2020. október 9.

Threat Roundup for October 2 to October 9

Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between September 25 and October 2. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Read More

Reference

20201009-tru.json – this is a JSON file that includes the IOCs referenced in this post, as well as all hashes associated with the cluster. The list is limited to 25 hashes in this blog post. As always, please remember that all IOCs contained in this document are indicators, and that one single IOC does not indicate maliciousness. See the Read More link above for more details.

The post Threat Roundup for October 2 to October 9 appeared first on Cisco Blogs.

2020. október 6.

90 days, 16 bugs, and an Azure Sphere Challenge

Cisco Talos reports 16 vulnerabilities in Microsoft Azure Sphere’s sponsored research challenge.

By Claudio Bozzato and Lilith [-_-]; and Dave McDaniel.

 

On May 15, 2020, Microsoft kicked off the Azure Sphere Security Research Challenge, a three-month initiative aimed at finding bugs in Azure Sphere. Among the teams and individuals selected, Cisco Talos conducted a three-month sprint of research into the platform and reported 16 vulnerabilities of various severity, including a privilege escalation bug chain to acquire Azure Sphere Capabilities, the most valuable Linux normal-world permissions in the Azure Sphere context.

 

The Azure Sphere platform is a cloud-connected and custom SoC platform designed specifically for IoT application security. Internally, the SoC is made up of a set of several ARM cores that have different roles (e.g. running different types of applications, enforcing security, and managing encryption). Externally, the Azure Sphere platform is supported by Microsoft’s Azure Cloud, which handles secure updates, app deployment, and periodic verification of device integrity to determine if Azure Cloud access should be allowed or not. Note however, that while the Azure Sphere is updated and deploys through the Azure Cloud, customers can still interact with their own servers independently. Read More

The post 90 days, 16 bugs, and an Azure Sphere Challenge appeared first on Cisco Blogs.

2020. október 6.

PoetRAT: Malware targeting public and private sector in Azerbaijan evolves

Cisco Talos discovered PoetRAT earlier this year. We have continued to monitor this actor and their behavior over the preceding months. We have observed multiple new campaigns indicating a change in the actor’s capabilities and showing their maturity toward better operational security. We assess with medium confidence this actor continues to use spear-phishing attacks to lure a user to download a malicious document from temporary hosting providers. We currently believe the malware comes from malicious URLs included in the email, resulting in the user clicking and downloading a malicious document. These Word documents continue to contain malicious macros, which in turn download additional payloads once the attacker sets their sites on a particular victim. Previous versions of PoetRAT deployed a Python interpreter to execute the included source code which resulted in a much larger file size compared to the latest version’s switch to Lua script. As the geopolitical tensions grow in Azerbaijan with neighbouring countries, this is no doubt a stage of espionage with national security implications being deployed by a malicious actor with a specific interest in various Azerbajiani government departments.

Read more >>>

The post PoetRAT: Malware targeting public and private sector in Azerbaijan evolves appeared first on Cisco Blogs.