In June we have had new additions to our growing list of Machine-Learning-powered Confirmed Threat detections provided by the Cognitive Intelligence engine. Thanks to the improvement made to our Machine Learning backend (see Machine Learning Backend Improved blog) we have added 9 net-new Confirmed Threat types (see list below) and increased detection rates for the previously existing Confirmed Threats in the past six months.
Example of Shiz remote access trojan recently detected in monitored network
Newly Added Confirmed Threats
Confirmed Threat ID
Shiz is a remote access trojan that allows an attacker to access an infected machine in order to harvest sensitive information. It is commonly spread via droppers or by visiting a malicious site.
Vigorf trojan capable to establish a proxy server and steal sensitive information on a victim's computer.
Mikey is a trojan that installs itself on the system, collects information and communicates with a C2 server, potentially exfiltrating sensitive information.
Spora encryps files, does not add any specific extensions. It also deletes volume shadow copy to avoid system restore point. It installs a startup link and modifies Internet Explorer proxies, also creates a html file with a dynamic filename.
Bublik is a downloader that targets Windows hosts. Although it's primarily used as malware to distribute various banking trojans, it's also capable of extracting and exfiltrating sensitive information from the host.
DNS Changer modifies the DNS registry entries in Windows devices in order to replace the name servers on the host. The Trojan has backdoor functionality and, by bypassing Windows Powershell restrictions, can execute arbitrary commands on the infected device
Neurevt or Beta Bot botnet. Beta Bot is a modular malware with diverse capabilities. Beta Bot can perform DDoS attacks, steal information, perform DNS blocking and redirection, send spam through Skype, and spread itself like a worm through removable USB devices. Threat can disable existing anti-virus solutions and is able to escalate privileges through social engineering methods.
Coin miner variant
Threat is being distributed through a Trojan downloader, that infects a computer to mine for Monero currency. It targets systems with high computational power, taking advantage of these capabilities to mine cryptocurrency.
Nymaim can be used to deliver ransomware and other malicious payloads. It uses a domain generation algorithm to generate potential command and control domains to connect to additional payloads.
Confirmed Threat Updates
Note that our newly introduced semi-automatic Indicator-of-Compromise (IoC) hunt processes (see Machine Learning Backend Improved blog) allowed us to increase the IoC coverage of existing Confirmed Threats. In June 2019 we added more than 1445 High risk IoCs and 160 Mid risk IoCs, covering 40+ different Confirmed Threat types. In particular, more than hundred IoCs have been added to each of the following Confirmed Threats: Razy trojan (high risk), Suppobox information stealer (high risk), Ramnit banking trojan (high risk).
Hello, I just started my security plus class and my teacher has asked that every student turns this in. i am not sure where to look because most of this isn't in the book and google has way too much information to sort through and on top of tha...
Hello Everyone, I am trying to configure a IPsec remote access VPN on a Cisco CSR 1000v on aws cloud but I'm unable to find any proper configurations for Cisco CSR 1000v Router. I have tried standard Cisco IOS Router configuration but nothing works.&...
Hello!I have ASA with FirePOWER (no AMP and URL). And have many (over 10) zones.yesterday my SIP server sometimes loss registration and vice also have poor quality.I try to PING 22.214.171.124 and get floating delay from 25 to 500! ms.i exclude sip server ...
Hello We are planning the migration of an ASA5540 to a Firepower 2110.The new implementation will use AnyConnect for remote access and ISE will be used as RADIUS server.The module NAM in anyconnect is compatible with Firepower versión 6.2.x? Accordin...
I'm using an ACL to limit access for one of my anyconnect users. The ACL does it's job and restricts the user from being able to connect to anything but the permitted IPs. However, once the user connects to a permitted server, they can then ssh to other s...