In June we have had new additions to our growing list of Machine-Learning-powered Confirmed Threat detections provided by the Cognitive Intelligence engine. Thanks to the improvement made to our Machine Learning backend (see Machine Learning Backend Improved blog) we have added 9 net-new Confirmed Threat types (see list below) and increased detection rates for the previously existing Confirmed Threats in the past six months.   Example of Shiz remote access trojan recently detected in monitored network   Newly Added Confirmed Threats Confirmed Threat ID Name Category Risk Description CTAL0102 Shiz information stealer Critical Shiz is a remote access trojan that allows an attacker to access an infected machine in order to harvest sensitive information. It is commonly spread via droppers or by visiting a malicious site. CTAL0143 Vigorf information stealer High Vigorf trojan capable to establish a proxy server and steal sensitive information on a victim's computer. CTAL0088 Mikey trojan trojan High Mikey is a trojan that installs itself on the system, collects information and communicates with a C2 server, potentially exfiltrating sensitive information. CTAL0090 Spora ransomware ransomware High Spora encryps files, does not add any specific extensions. It also deletes volume shadow copy to avoid system restore point. It installs a startup link and modifies Internet Explorer proxies, also creates a html file with a dynamic filename. CTAL0128 Bublik malware distribution High Bublik is a downloader that targets Windows hosts. Although it's primarily used as malware to distribute various banking trojans, it's also capable of extracting and exfiltrating sensitive information from the host. CTAL0110 DNS Changer information stealer High DNS Changer modifies the DNS registry entries in Windows devices in order to replace the name servers on the host. The Trojan has backdoor functionality and, by bypassing Windows Powershell restrictions, can execute arbitrary commands on the infected device CTAL0089 Neurevt information stealer High Neurevt or Beta Bot botnet. Beta Bot is a modular malware with diverse capabilities. Beta Bot can perform DDoS attacks, steal information, perform DNS blocking and redirection, send spam through Skype, and spread itself like a worm through removable USB devices. Threat can disable existing anti-virus solutions and is able to escalate privileges through social engineering methods. CTAL0119 Coin miner variant cryptocurrency miner High Threat is being distributed through a Trojan downloader, that infects a computer to mine for Monero currency. It targets systems with high computational power, taking advantage of these capabilities to mine cryptocurrency. CTAL0109 Nymaim malware distribution High Nymaim can be used to deliver ransomware and other malicious payloads. It uses a domain generation algorithm to generate potential command and control domains to connect to additional payloads.   Confirmed Threat Updates Note that our newly introduced semi-automatic Indicator-of-Compromise (IoC) hunt processes (see Machine Learning Backend Improved blog) allowed us to increase the IoC coverage of existing Confirmed Threats. In June 2019 we added more than 1445 High risk IoCs and 160 Mid risk IoCs, covering 40+ different Confirmed Threat types. In particular, more than hundred IoCs have been added to each of the following Confirmed Threats: Razy trojan (high risk), Suppobox information stealer (high risk), Ramnit banking trojan (high risk). ... View more

We are excited to announce new additions to our growing list of Machine-Learning-powered Confirmed Threat detections provided by the Cognitive Intelligence engine. Thanks to the improvement made to our Machine Learning backend (see Machine Learning Backend Improved blog) we have added 22 net-new Confirmed Threat types (see list below) and increased detection rates for the previously existing Confirmed Threats in the past six months.   Newly Added Confirmed Threats Confirmed Threat ID Name Category Risk Description CLKB00 LokiBot malware information stealer Critical LokiBot is a commodity malware sold on underground sites which is designed to steal private data from infected machines and submit it to the command and control (C2) server via a HTTP request. CORR01 Orcus RAT information stealer Critical A campaign that delivers the Orcus Remote Access Trojan embedded in video files and images. The trojan focuses on information stealing and .NET evasion. Capable of stealing browser cookies, passwords, manipulating webcam and microphone, even launching server stress tests (DDoS attacks). CRAT07 Gh0st RAT information stealer Critical Gh0st RAT. Gh0st RAT gives the attacker complete remote control and administration of the infected device. Threat is capable of stealing information, executing commands, modifying registry keys, and grabbing screen captures of the infected host. CRAT08 NanoCore RAT information stealer Critical NanoCore RAT. NanoCore RAT gives the attacker complete remote control and administration of the infected device. Threat is capable of stealing information, executing commands, modifying registry keys, and grabbing screen captures of the infected host. CDRP05 Malspam/Vidar malware distribution High Malicious spam (malspam) using Microsoft Office documents. This campaign is distributing the new version of Vidar, a powerful information stealer. CFEK01  Fallout EK exploit kit High Fallout exploit kit (EK) which exploits vulnerabilities in IE and Flash to infect the device with malware. The malware delivered by the EK varies, it usually spreads ransomware, lately focusing on GandCrab. CKRS01 Coin miner cryptocurrency miner High Linux coin miner which installs cryptocurrency-mining malware onto the device. It targets systems with high computational power. It is capable to survive reboots and deletions. CSHL01 OSX/Shlayer malware malware distribution High OSX/Shlayer variant, macOS malware. The Trojan horse infection is spread through a fake Flash Player installer. The initial infection leverages shell scripts to download additional malware or adware onto the infected system. CGCB01 GrandCrab ransomware ransomware High GandCrab ransomware which steals user data to hold it hostage. Distribution methods include automated attacks using exploit kits such as Fallout EK, Emotet, and credential stealers like Vidar. CTAL0001 Emotet banking trojan trojan High Emotet is a banking trojan that has remained relevant due to its continual evolution to better avoid detection. It is commonly spread via malicious emails. (Talos cluster) CTAL0002 GrandCrab ransomware ransomware High GandCrab is ransomware that encrypts documents, photos, databases and other important files using the file extension ".GDCB", ".CRAB" or ".KRAB". (Talos cluster) CTAL0003 Cerber ransomware ransomware High Cerber is ransomware that encrypts documents, photos, databases and other important files using the file extension ".cerber". (Talos cluster) CTAL0004 Eldorado Ircbot trojan High Ircbot, also known as Eldorado, is known for injecting into processes, spreading to removable media, and gaining execution via Autorun.inf files. (Talos cluster) CTAL0005 Autoit malware family trojan High Autoit is a malware family leveraging the well-known AutoIT automation tool, widely used by system administrators. AutoIT exposes a rich scripting language that allows to write fully functional malicious software. (Talos cluster) CTAL0006 Vobfus worm trojan High Vobfus is a worm that copies itself to external drives and attempts to gain automatic code execution via autorun.inf files. It also modifies the registry so that it will launch when the system is booted. Once installed, it attempts to download follow-on malware from its C&C servers. (Talos cluster) CTAL0007 Razy trojan trojan High Razy is oftentimes a generic detection name for a Windows trojan. They collect sensitive information from the infected host and encrypt the data, and send it to a command and control (C2) server. (Talos cluster) CTPG02 Emotet banking trojan banking trojan High Emotet banking Trojan, also known as Geodo. Geodo is a modular botnet which may steal confidential information including financial data and credit card information, modify encrypted traffic, and send spam. (Talos cluster) CZAC00 ZeroAccess rootkit click fraud High ZeroAccess outbound communication, a rootkit that relies on P2P for C2 communications. ZeroAccess is typically delivered through exploit kits hosted on compromised servers and used for click-fraud and/or bitcoin mining. CADI53 Browser ad-injector ad injector Med Potentially unwanted applications (PUAs) that inject advertising into the user’s browser session that may lead to further malware infections. CTSQ02 Typosquatting sites malicious content distribution Low Typosquatting campaigns that distribute malicious software through drive-by downloads. When users access these sites, such as 'twitter.om' instead of 'twitter.com,' they get redirected to malicious sites meant to lure the user into installing malicious software. CPRL01 Browser ad-injector PUA Low Potentially unwanted applications (PUAs) that inject advertising into the user’s browser session which may lead to further malware infections. CPHI06 Pied Piper phishing/RAT malware distribution Low Pied Piper phishing campaign. The infection vectors are Word documents containing macros that leverage the legitimate msiexec.exe binary from Microsoft to download and execute downloaders that deploy RATs (Remote Access Trojans) such as Ammyy RAT.     Sample finding of Emotet banking trojan (Confirmed Threat ID CTAL0001) Sample finding of ZeroAccess rootkit (Confirmed Threat ID CZAC00)   Confirmed Threat Updates Note that our newly introduced semi-automatic Indicator-of-Compromise (IoC) hunt processes (see Machine Learning Backend Improved blog) allowed us to increase the IoC coverage of existing Confirmed Threats. From November 2018 till May 2019 we added altogether 792 High risk IoCs, 446 Mid risk IoCs and 1886 Low risk IoCs, covering 49 different Confirmed Threat types. In particular, more than hundred IoCs have been added to each of the following Confirmed Threats: ngrBot (variant of Dorkbot, high risk), Necurs backdoor trojan (high risk), Pirrit and other forms of adware (mid risk), Adware InstallCore (mid risk), Typosquatting (low risk) and untrusted VPN services (low risk). ... View more

Throughout March, April and May 2019 we improved Machine Learning backend infrastructures and processes to accelerate discovery of new Indicators of Compromise (IoC). Higher number of discovered IoCs has two benefits: 1. higher percentage of Cognitive incidents will fall into Confirmed Threat category, 2. more IoCs used for (re)training of Machine Learned predictors means extended ability to get net-new detections. The improvemens include: Optimized RAndom Forests (OraF) - we implemented and open-sourced super-fast Random Forest training code (see http://github.com/cisco/oraf) Confirmed Threat IoC automated discovery - we implemented automation of new IoC discovery for existing Confirm Threats. The technique reduced manual confirmation load by half without compromising the precision of Confirmed Threat incidents (see IoC statistics below) Talos-integration - we built a Machine Learning pipeline and process for improved exchange of intelligence between Talos and Cognitive Intelligence (see Confirmed Threat IDs CTALxxxx in Coverage of Confirmed Threats Extended blog) Threat confirmation pipelines - we optimized infrastructures to take maximum effect of each verdict provided by analyst. IoC candidates come through Active Learning (see next item). Every manually confirmed or disproved IoC candidate gets automatically included in fresh Machine Learning ground truth, prediction models get re-trained, re-evaluated and queued for push-to-prod; existing Incident pool gets re-evaluated and Incidents related to the newly confirmed IoC move from Detected to Confirmed. Active Learning - we built clever prioritization of threat analytics tasks for human analysts - the Machine Learning system identifies the most promising potential new IoCs for confirmation by human, among millions of suspicious - previously unknown - findings each week. Note that we build on top of A.I. Loop, first introduced in Closing one learning loop blog. Note that we also improved robustness of Machine Learning evaluation pipelines (see our NeurIPS paper: Bad practices in evaluation methodology relevant to class-imbalanced problems)   The cumulative effect of these updates can be seen in Coverage of Confirmed Threats Extended blog, see net-new Confirmed Threats and increase in IoC numbers in updated Confirmed Threats. The increase of the number of maintained IoCs is seen in absolute nubers per week above. Note the difference between end of 2018 and 2019 so far. Note also the solid line - the percentage of Confirmed Threats covered by fully-automated Machine Learned update process. Higher percentage means less regular update work by human analyst, thus more time available for net new exploration. ... View more

We have updated existing Cognitive Intelligence GUI to provide users with extended descriptions for Activities on the Incident Detail Page. Before this update, Activities - that the Incident consists of - had been presented only through their short names. This led to misunderstandings and confusion. The current update provides more specific explanation of what individual Activities stand for.   Screenshot: the new Activity descriptions appear attached to the right from Activity name. Note that long descriptions are displayed partially only, full text gets displayed on mouse over   For list of extended descriptions see Cognitive Intelligence - List of Activities with Descriptions ... View more

List of Activity types that - when observed in telemetry - lead to creation of Incident in Cognitive Intelligence.    Activities related to Confirmed Threat Categories (both on StealthWatch and ProxyLogs) Note that each category covers up to dozens of different Confirmed Threat types Activity Extended Description in Incident Detail Page Risks Exfiltration Botnet infection with exfiltration capability and larger uploads observed Critical Information stealer Botnet infection with exfiltration capability Critical, High, Mid, Low Ransomware Infection with disk encrypting ransomware Critical, High, Mid Banking trojan Botnet infection with exfiltration capability that targets banking credentials High Click fraud Botnet infection with click fraud capability High, Mid Trojan Malicious software executed by user High, Low Exploit kit Execution of browser-based exploit kit High Cryptocurrency miner Software that uses your computing resources to mine cryptocurrencies High, Low Malware dropper Infection that can download additional malware such as droppers High, Mid, Low Malware distribution Web site that distributes malware High, Low Spam botnet Botnet infection that is capable of sending spam e-mail High Ad injector Web browser plugin that injects advertisements to visited pages Mid, Low PUA Potentially unwanted application Mid, Low Malicious advertising Advertisements that contain malicious code or lead to malicious pages Low Money scam Fraudulent web site tricking user into spending money Low Scareware Fraudulent web site tricking user into installing fake antivirus or product updates Low Anonymization software Free or paid software for enabling anonymous communication Low Spam tracking Visit of tracking back-link from spam e-mail Low   Activities related to specific Confirmed Threats (both on StealthWatch and ProxyLogs) Activity Extended Description in Incident Detail Page Confirmed Threat ID Risk WannaCry ransomware Encrypting ransomware exploiting the ETERNALBLUE SMB vulnerability CWNC01 Critical DNS changer Trojan capable of stealing user and system information CDCH01 High InstallCapital malware installer Family of malicious malware that profits from spyware and adware distribution CADW26 High Adups Android firmware Mobile firmware which transmits sensitive, personal information without disclosure or the user's consent CAEX01 Mid Rig exploit kit malware delivery Web site distributing malware associated with Rig exploit kit CMCD06 Low HotSpot Shield VPN Software for enabling anonymous communication CMPV01 Low In-browser cryptocurrency miner Javascript scriptlets that use your computing resources to mine cryptocurrencies CCMM03 Low ArcadeYum / GameVance Applications displaying malicious advertising that tricks user into installing other malware CAYM01 Mid   Activities related to StealthWatch-specific Detections (Unconfirmed) Activity Extended Description in Incident Detail Page Risk Unknown botnet Unknown communication to many external nodes, likely caused by botnet High Unknown threat - C&C channel Unknown communication - likely command and control (C&C) channel High SMB infecting malware Discovery of external SMB servers, e.g. as used by Wannacry malware High Malware download File download with name and other characteristics typical for malware High Disproportionately high DNS usage Likely caused by C&C search (DGA) or Exfiltration (DNS tunneling) Mid Phishing HTTP request with characteristics typical of phishing Mid Unknown threat - ICMP burst Surge of ICMP packets, sent to many external nodes Low Torrent Distributed protocol used for file sharing Low Vulnerability scanning tool Communication characteristic for vulnerability scanning tools such as Qualys or Nessus Low TOR Free software for enabling anonymous communication Low   Activities related to ProxyLog-specific Detections (Unconfirmed) Activity Extended Description in Incident Detail Page Risk Cryptowall C&C Command and control scheme used by Cryptowall ransomware and other malware Critical Remote Access Trojan Malicious software for remote control of a system Critical Ramnit malware Ramnit malware with remote access capability High Sality malware File infecting modular malware High Miuref malware Modular malware with exfiltration capability High Exploit kit Execution of browser-based exploit kit High Unknown threat Unknown high severity malware identified by machine learning classifier High Malware download Malicious file download High Unknown threat Unknown high severity threat identified by machine learning classifier High Brute-forcing botnet Botnet infection with observed brute-forcing of web password Mid Unknown threat - generated domain name Random domains used by advertisements or malware C&C channel Mid Unknown threat - data in URL Data encoded in URL used by advertisements or malware C&C channel Mid Cryptocurrency miner Software that uses your computing resources to mine cryptocurrencies Mid Click fraud Botnet infection with click fraud capability Mid E-mail infection Malware infection through an e-mail Mid Unknown threat - sinkholed domain Communication with domain sinkholed by Anubis Networks Mid Unknown threat Unknown threat identified by machine learning classifier Mid Unknown threat Hostnames flagged by sandbox Mid Unknown threat - bad reputation Bad reputation hostnames and IP addresses Mid Unknown encrypted threat Unknown malware using HTTPS identified by machine learning classifier Mid Phishing HTTP request with characterictics typical for phishing Mid Service login brute-forcing High number of consecutive login attempts to external or internal service Mid Service data leak Data leak from external or internal service Mid Adware Software displaying unwanted advertisements Low Supercookie tracking Visit to sites known to collect supercookie/evercookie tracking data Low Vulnerability scanning tool Communication characteristic of vulnerability-scanning tools such as Qualys or Nessus Low Hola VPN Software for enabling anonymous communication Low Ultrasurf Software for enabling anonymous communication Low TOR Free software for enabling anonymous communication Low Spam tracking Visit of tracking back-link from spam e-mail Low   ... View more

(written by Matthew Robertson)   This blog extends information from Cognitive Threat Analytics (CTA): Release Notes   As the machine learning engine in Cognitive Analytics was designed to be deployed in real production networks it can be challenging to generate a detection in a home or customer lab environment and generating an "on-demand" detection of the Encrypted Traffic Analytics solution can be even more difficult.  This page describes what we have found is the best way to test a Stealthwatch with Cognitive and ETA deployment and generate a detection in lab and on-demand environments.   Generating a Detection:   Classifiers for some of the same domains used to test Umbrella have been built into the Cognitive engine.  Specifically classifiers for the following:   https://examplemalwaredomain.com       (test site for malware) https://examplebotnetdomain.com           (test site for botnet) https://internetbadguys.com                     (test site for phishing)   Browsing to those URLs from a host, where the https session is passing through an enhanced NetFlow exporter will generate a detection in Cognitive which will display with the "Detected Using Encrypted Traffic Analytics" notifier. Note: The detection may initially show up as with a risk rating of 5.  The risk rating can increase with additional bad or repetitive behavior:  such as going to multiple of the above URLs or repeatedly visiting the same URL.   https://examplemalwaredomain.com (Malware)   Malware Detection in SMC Dashboard:   Malware detection in Cognitive Widget in the Host Report:   Malware Detection in the Cognitive Dashboard:   https://examplebotnetdomain.com (Botnet)   ETA TOR detections in SMC Dashboard Cognitive widget:   TOR detection in Cognitive Widget in the Host Report:   Potentially Unwanted Application in the Cognitive Dashboard:   https://internetbadguys.com (Phishing)   Phishing Detection in SMC Dashboard:   Phishing detection in Cognitive Widget in the Host Report:   Phishing Detection in the Cognitive Dashboard:   Generating a "Real" Detection   Cognitive is very effective at detecting the usage of TOR by a host and it is a significant value proposition for the technology.   A very simple way to demonstrate an active detection is to use the TOR browser on a host in the lab (a host behind the switch or router exporting the enhanced NetFlow). First download and install the TOR browser: https://www.torproject.org/projects/torbrowser.html.en After installing launch the TOR browser and do some internet browsing.  A detection will appear in the Cognitive widget/dashboard shortly.  The detection will display as a severity 4 possibly unwanted application with the “detected using encrypted traffic analytics” label.   ETA TOR detections in SMC Dashboard Cognitive widget:   TOR detection in Cognitive Widget in the Host Report:   Potentially Unwanted Application in the Cognitive Dashboard:     Basic Lab Overview:   In this scenario we have a host connected to a Catalyst 9300.  The Catalyst 9300 is configured to send Enhanced NetFlow (including ETA) to Stealthwatch.   ... View more

This blog extends information from Cognitive Threat Analytics (CTA): Release Notes   February 2018 Update   (by Ivan Nikolaev and Lukas Machlica)   Malicious hosting detection: CTA engine is able to detect new type of incidents. The incidents manifest communication with endpoints associated with malicious hosting activity. The association is determined from global behaviour of the host, learned accross various data sources.   Example: this incident is an example of communication with malicious hosting infrastructure. There are three domains labelled as malicious hosting. Two of them are associated with the the same IP. These IPs also host other DGA domains (domains generated algorithmically), as seen in the incident. The communication happens over HTTPS and there are several successful downloads from the domains. ... View more

This blog extends information from Cognitive Threat Analytics (CTA) Release Notes.   January 2018 Update   CTA Engine now detects new types of incidents: repetitive and persistent cryptomining activities on the endpoint in-browser cryptomining by websites   Cryptomining infections may not necessarily constitute a threat, but they do cause non-negligible financial harm by excessive consumption of computing resources. Detected incidents can signify either cryptomining infection or voluntary misuse of company resources.   Example: In this incident CTA alerts about repetitive communication with cryptomining pools. The endpoint exhibits persistent communication with nicehash.com, what adds to the conviction that cryptomining activity takes place on the endpoint. ... View more

This blog extends information from Cognitive Threat Analytics (CTA) Release Notes.   November 2017 Updates   Advanced Detection from Encrypted channels ETA Analytics. New and updated algorithms that use ETA features in StealthWatch-flows to detect: Malware families Cryptowall, Sality, and Ramnit, Malicious file download, Phishing, DNS sinkhole, Vulnerability scanning, Typo-squatting, Unicode typo-squatting. Note that CTA support for ETA works specifically for customers providing StealthWatch-flow telemetry. For customers providing ProxyLog telemetry CTA now provides HTTPS-based detection capability (see next item) Detection from HTTPS telemetry without decryption. From now on CTA provides industry-unique technology allowing to detect multiple infection types in HTTPS channel without decryption . The technology is the result of year-long research effort motivated by the fact that the increasing adoption of encryption across the Internet may diminish capabilities of industry-standard detection techniques. CTA makes the most of combining and correlating multiple very weak indicators available in HTTPS telemetry.   Example 1: Here the HTTPS classifier attributed the https communication to the ad injector activity. Connection to server is not shown as successful to cause harm, nevertheless the client node is clearly infected.   Example 2: Note the https flows in the bottom, that in this case proved sufficient to trigger the incident.   Verification Possibility for customers and field to generate on-demand test incidents in their lab ... View more

This blog extends information from Cognitive Threat Analytics (CTA) Release Notes.   October 2017 Updates   Advanced Stealthwatch flow record classification capability and lateral services monitoring Enhanced anomaly detection: Cognitive Analytics added a new set of anomaly detectors for Stealthwatch flow records based on global reputation and TLS features. This enhancement improves contextual information of individual incidents and increases the efficacy of the detection engine. New types of incidents: Cognitive Analytics added a new set of classifiers for detecting: Stealthy Command and Control communication channels by analyzing long-term behavior of users and devices. Unexpected DNS usage caused by DGA-based malware or data tunneling. Malicious SMB service discovery typical for fast-spreading malware such as WannaCry. Following is an example screen shot of a malicious SMB service discovery incident; note that the infected user is contacting unexpected server IP addresses and countries with SMB service protocol:     Note: You must have Cisco Cognitive Analytics configured on your Stealthwatch System to use these features. Cognitive Analytics quickly detects suspicious web traffic and/or Stealthwatch flow records and responds to attempts to establish a presence in your environment and to attacks that are already under way. For more information, go to the Cognitive Analytics website or the Cognitive Analytics documentation.   Following is an example screen shot of unexpected DNS usage, caused by DGA-based malware or data tunneling; note that the user has abnormally high number of DNS requests, valid or invalid, and transfers large amount of data in both directions:     Enhanced P2P analytics The new detection mechanism is able to detect BitTorrent clients in the network. The detection is independent of used ports and transferred data, as well as any other network flow statistics. Therefore, the detector is able to detect active BitTorrent clients in the network that use non- standards (randomized) ports and do not actively participate in file sharing activity. Following is an example screen shot of a torrent incident; note that the user is contacting 972 server IP addresses:     Enhanced data filtering The data sent to the Cognitive Analytics engine is filtered so that only flow records that cross the network perimeter are sent to the cloud. This filter is based on the Host Groups configuration – the flows that are going from the inside to outside host groups are sent for analysis (+DNS requests flows which are sent even for internal DNS servers). The enhancement in v6.10 adds the possibility for the user to modify the data that is sent by adding internal host groups to be monitored by the Cognitive Analytics engine. By configuring an internal host group to send Stealthwatch flow records, the user adds additional data to be sent to the cloud for analysis. Adding specific host groups to Cognitive Analytic monitoring is especially useful for company internal servers – adding traffic from the end users to those servers can improve a visibility of the exposure of the data that can be potentially misused by malware running on the affected devices.     Following is a telemetry processing diagram for Lateral Services Stealthwatch flows from selected host groups:     Incident Detail There is a new pivot point from within the CTA portal over to Stealthwatch Management Console (SMC) to further investigate an activity of a particular remote IP. T here are new links next to the remote IP addresses that will open up the Stealthwatch Management Console (SMC) Host Reports for that particular IP. ... View more