In June we have had new additions to our growing list of Machine-Learning-powered Confirmed Threat detections provided by the Cognitive Intelligence engine. Thanks to the improvement made to our Machine Learning backend (see Machine Learning Backend Improved blog) we have added 9 net-new Confirmed Threat types (see list below) and increased detection rates for the previously existing Confirmed Threats in the past six months.
Example of Shiz remote access trojan recently detected in monitored network
Newly Added Confirmed Threats
Confirmed Threat ID
Shiz is a remote access trojan that allows an attacker to access an infected machine in order to harvest sensitive information. It is commonly spread via droppers or by visiting a malicious site.
Vigorf trojan capable to establish a proxy server and steal sensitive information on a victim's computer.
Mikey is a trojan that installs itself on the system, collects information and communicates with a C2 server, potentially exfiltrating sensitive information.
Spora encryps files, does not add any specific extensions. It also deletes volume shadow copy to avoid system restore point. It installs a startup link and modifies Internet Explorer proxies, also creates a html file with a dynamic filename.
Bublik is a downloader that targets Windows hosts. Although it's primarily used as malware to distribute various banking trojans, it's also capable of extracting and exfiltrating sensitive information from the host.
DNS Changer modifies the DNS registry entries in Windows devices in order to replace the name servers on the host. The Trojan has backdoor functionality and, by bypassing Windows Powershell restrictions, can execute arbitrary commands on the infected device
Neurevt or Beta Bot botnet. Beta Bot is a modular malware with diverse capabilities. Beta Bot can perform DDoS attacks, steal information, perform DNS blocking and redirection, send spam through Skype, and spread itself like a worm through removable USB devices. Threat can disable existing anti-virus solutions and is able to escalate privileges through social engineering methods.
Coin miner variant
Threat is being distributed through a Trojan downloader, that infects a computer to mine for Monero currency. It targets systems with high computational power, taking advantage of these capabilities to mine cryptocurrency.
Nymaim can be used to deliver ransomware and other malicious payloads. It uses a domain generation algorithm to generate potential command and control domains to connect to additional payloads.
Confirmed Threat Updates
Note that our newly introduced semi-automatic Indicator-of-Compromise (IoC) hunt processes (see Machine Learning Backend Improved blog) allowed us to increase the IoC coverage of existing Confirmed Threats. In June 2019 we added more than 1445 High risk IoCs and 160 Mid risk IoCs, covering 40+ different Confirmed Threat types. In particular, more than hundred IoCs have been added to each of the following Confirmed Threats: Razy trojan (high risk), Suppobox information stealer (high risk), Ramnit banking trojan (high risk).
Hi Guys, just want to double check with you. In FTD, I have 2 subnet and if I need to have intervlan for those 2 VLAN, do I still need to configure an identity NAT or any NAT?My target is doing intervlan routing between the 2 VLAN without any IP change.th...
Hi,I set up DVTI in EVE with 2 routers. HUB------SPOKE.Virtual-template is not showing up/down. Instead of up/up.Checked Phase1 and Phase2 parameters but not sure where I made a mistake.Attached diagram and configuration.Please take a look.
I tested using both Cisco ISE 2.4 (patch 9) and Cisco ISE 2.6 (patch 1). I have a user who successfully authenticated via RADIUS against ISE. Under ISE, Operations > Live Logs (and Live sessions), I see the user authenticated. After the accounting requ...
Hello,I would like to download ESA software for C695. But I cannot find any versions for this model.https://software.cisco.com/download/home/282509130Does anyone know how to find it and download it? Thank you!SH SHAO