The document discusses emerging cybersecurity threats and the Cisco Talos threat intelligence team. It provides examples of recent threats like Angler exploit kit campaigns, CryptoWall ransomware versions, and the SamSam ransomware targeting hospitals. Talos uses a multi-tiered approach with over 250 researchers and global data from over a billion daily events to provide threat intelligence that protects Cisco security products.
11. Cloud to Core Visibility
• 16 BILLION web requests a day
• 600 BILLION email messages a day
• 18.5 BILLION endpoint malware queries a day
12. TALOS PRODUCTS & INTELLIGENCE
Talos is the backbone for all Cisco Security Products and Services.
PRODUCTS and DETECTION SERVICES (table flattened from the slide; one row per area):
• Email: ESA | ClamAV, SpamCop, SenderBase. Detection services: Email Reputation; Malware Protection; URL, Domain, IP Reputation; Phishing Protection; Spoof & Spam Detection.
• Open Source: Snort Rules, ClamAV Sigs, ClamAV. Detection services: Vulnerability Protection; Malware Protection; Policy & Control.
• End Point: AMP, ClamAV. Detection services: Cloud & End Point IOCs; Malware Protection; IP Reputation.
• Cloud: CWS, CES, OpenDNS. Detection services: URL, Domain, IP Reputation; Malware Protection; AVC.
• Web: WSA, CWS. Detection services: URL, Domain, IP Reputation; Malware Protection; AVC.
• Network: FirePower/ASA, ISR, Meraki. Detection services: Policy & Control; Malware Protection; URL, Domain, IP Reputation; Vulnerability Protection.
• Services: ATA, IR. Detection services: Cloud & End Point IOCs; Malware Protection; URL, Domain, IP Reputation; Vulnerability Protection; Custom Protection.
• Intelligence: ThreatGrid. Detection services: Cloud & End Point IOCs; Malware Protection; URL, Domain, IP Reputation; Network Protection.
29. LEADING THREAT INTELLIGENCE
SSHPsychos
• Brute Force SSH Attacks until the password is guessed
• 300K Unique Passwords
• Login from a different address space
• Drop DDoS Rootkit on server
• Accounted for 1/3 of all SSH Traffic ON THE INTERNET
[Chart: SSH Brute Force Attempts]
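A defender-side check for the pattern this slide describes: a flood of failed SSH password attempts from one source, then a successful password login for the same account from a different address range. This is an added example, not Talos code or Talos data; the sshd log lines are constructed (documentation address ranges), and the /24 grouping used as "address space" and the failure threshold are assumptions to tune per environment.

```python
import re
from collections import defaultdict

# Constructed sample sshd log lines (RFC 5737 documentation ranges, not real events).
SAMPLE_AUTH_LOG = """\
Mar  5 10:01:02 host sshd[1201]: Failed password for root from 203.0.113.10 port 51022 ssh2
Mar  5 10:01:03 host sshd[1202]: Failed password for root from 203.0.113.10 port 51023 ssh2
Mar  5 10:01:04 host sshd[1203]: Failed password for invalid user admin from 203.0.113.10 port 51024 ssh2
Mar  5 10:01:05 host sshd[1204]: Failed password for root from 203.0.113.11 port 51025 ssh2
Mar  5 10:01:06 host sshd[1205]: Failed password for root from 203.0.113.10 port 51026 ssh2
Mar  5 10:01:07 host sshd[1206]: Failed password for root from 203.0.113.10 port 51027 ssh2
Mar  5 10:02:10 host sshd[1300]: Accepted password for root from 198.51.100.7 port 40000 ssh2
Mar  5 10:05:00 host sshd[1400]: Accepted publickey for alice from 192.0.2.5 port 40100 ssh2
"""

FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)")
ACCEPTED_RE = re.compile(
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)")


def slash24(ip):
    """Coarse 'address space' key (assumption): the /24 the address belongs to."""
    return ".".join(ip.split(".")[:3]) + ".0/24"


def analyze_auth_log(log_text, threshold=5):
    """Count failures per source and flag password logins that complete a guess
    from an address block that never produced a failure."""
    failures_by_ip = defaultdict(int)
    failing_blocks = set()
    targeted_users = set()
    suspicious_logins = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures_by_ip[m["ip"]] += 1
            failing_blocks.add(slash24(m["ip"]))
            targeted_users.add(m["user"])
            continue
        m = ACCEPTED_RE.search(line)
        # Key-based logins are not the result of a password guess, so only
        # password logins for brute-forced accounts are considered.
        if m and m["method"] == "password" and m["user"] in targeted_users \
                and slash24(m["ip"]) not in failing_blocks:
            suspicious_logins.append((m["user"], m["ip"]))
    brute_force_ips = sorted(ip for ip, n in failures_by_ip.items() if n >= threshold)
    return {"brute_force_ips": brute_force_ips,
            "failures_by_ip": dict(failures_by_ip),
            "suspicious_logins": suspicious_logins}


if __name__ == "__main__":
    for key, value in analyze_auth_log(SAMPLE_AUTH_LOG).items():
        print(f"{key}: {value}")
```

The second signal (a password login for a brute-forced account from a block with no failures) is the one worth an alert on its own: the guessing host and the host that uses the result are deliberately separated, as the slide notes.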
32. Drive-by Download Attacks
• The act of downloading something unintentionally, usually malicious
• No need to click to download
• Malvertising is a common vector
42. Attacker Innovation
• Angler is the most successful exploit kit
• Demonstrates continued innovation
• New Functionality Quickly Spreads
– Exploit kits competing for business
• Exploit kits get overlooked as a sophisticated threat
43. Importance of Patching
[Chart: Angler Exploit activity plotted against Vulnerability, User Activity and Update Published, by Version, 1 FEB to 1 JUN]
Versions on the axis: 15.0.0.246, 16.0.0.235, 16.0.0.257, 16.0.0.287, 16.0.0.296, 16.0.0.305, 17.0.0.134, 17.0.0.169, 17.0.0.188
Vulnerabilities plotted: CVE-2015-0310, CVE-2015-0313, CVE-2015-0336, CVE-2015-0359, CVE-2015-0390
44. What is an exploit kit?
• A software package designed to exploit vulnerable browsers and plugins
• Blackhole was the first major exploit kit
45. Monetization of Hacking
There are three main payload types:
• Ransomware
  – Cryptowall, Teslacrypt
• Click-fraud agents
  – Bedep
• Miscellaneous
  – trojans, keyloggers, spyware
46. Detection Challenges
• Hashes
  – Found 3,000+ Unique Hashes
  – 6% in VT
  – Most detection <10
• Encrypted Payloads
  – Using Diffie-Hellman Encryption for IE Exploit
  – Unique to each user
• Domain Behavior
  – DDNS
  – Domain Shadowing
  – Adversary Owned Domains
  – Hard Coded IP
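Since hashes and payloads are per-user and largely unseen by VirusTotal, the domain behaviour on this slide is the more durable detection surface. The following is an added example of how a defender can flag the three infrastructure patterns named (dynamic DNS hosts, shadowed subdomains under a legitimate registered domain, and hard-coded IP literals used as hostnames) from DNS or proxy records. It is not Talos code; the log records are constructed with reserved names and documentation address ranges, the DDNS suffix list is a placeholder, and the "random-looking label" heuristic and the last-two-labels notion of a registered domain are simplifying assumptions.

```python
import re
from collections import defaultdict

# Constructed sample records: "timestamp client hostname resolved_ip"
# (RFC 2606 names and RFC 5737 ranges, not real traffic).
SAMPLE_DNS_LOG = """\
2015-06-01T10:00:00 10.0.0.5 www.example.com 93.184.216.34
2015-06-01T10:00:05 10.0.0.5 aj3kd9.example.com 198.51.100.20
2015-06-01T10:00:07 10.0.0.6 x7p2qz.example.com 198.51.100.20
2015-06-01T10:00:09 10.0.0.7 q9w4e1.example.com 198.51.100.21
2015-06-01T10:00:11 10.0.0.8 zz81mk.example.com 198.51.100.21
2015-06-01T10:01:00 10.0.0.5 mail.example.com 93.184.216.35
2015-06-01T10:02:00 10.0.0.9 update.example.net 192.0.2.40
2015-06-01T10:03:00 10.0.0.9 payload.ddns.example 198.51.100.30
2015-06-01T10:04:00 10.0.0.5 198.51.100.44 198.51.100.44
"""

# Placeholder dynamic-DNS suffixes (assumption; populate from a maintained provider list).
DDNS_SUFFIXES = tuple("." + s for s in ("ddns.example", "dyn.example"))
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def registered_domain(host):
    # Simplification: the last two labels. Production code should use the Public Suffix List.
    return ".".join(host.split(".")[-2:])


def looks_random(label):
    # Shadowed subdomains are machine-generated: letters mixed with several digits,
    # rather than a service name such as www, mail or update.
    return (len(label) >= 6
            and sum(c.isdigit() for c in label) >= 2
            and any(c.isalpha() for c in label))


def analyze_dns_log(log_text, min_shadow_subdomains=3):
    """Return DDNS hosts, IP-literal hosts and registered domains that show
    several random-looking subdomains resolving away from the legitimate site."""
    ip_literal_hosts, ddns_hosts = [], []
    hosts_by_domain = defaultdict(dict)  # registered domain -> {hostname: resolved ip}
    for line in log_text.splitlines():
        _, _, host, ip = line.split()
        if IPV4_RE.match(host):
            ip_literal_hosts.append(host)      # hard-coded IP instead of a name
            continue
        if host.endswith(DDNS_SUFFIXES):
            ddns_hosts.append(host)            # dynamic DNS provider
            continue
        hosts_by_domain[registered_domain(host)][host] = ip
    shadowed = {}
    for domain, hosts in hosts_by_domain.items():
        # Addresses the legitimate site itself uses: apex, www and mail records.
        legit_ips = {ip for h, ip in hosts.items()
                     if h == domain or h.split(".")[0] in ("www", "mail")}
        suspects = sorted(h for h, ip in hosts.items()
                          if looks_random(h.split(".")[0]) and ip not in legit_ips)
        if len(suspects) >= min_shadow_subdomains:
            shadowed[domain] = suspects
    return {"shadowed_domains": shadowed,
            "ddns_hosts": ddns_hosts,
            "ip_literal_hosts": ip_literal_hosts}


if __name__ == "__main__":
    for key, value in analyze_dns_log(SAMPLE_DNS_LOG).items():
        print(f"{key}: {value}")
```

The shadowing rule keys on the combination that characterises the technique: the registered domain is legitimate (its www and mail records resolve where they always did), but a burst of throwaway subdomains points somewhere else entirely. Tuning the label heuristic and the threshold against a week of your own resolver logs is the main deployment work.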
68. Tor All the Things
New Payload to Avoid C&C Detection
69. Summary
• Started looking and found the majority of activity at one provider
• Worked with Digital Ocean to Expose Activity
• Found majority of traffic outside of US
• Lots of Adult/Pornographic sites involved in campaign
• 150+ Countries involved
• Health Monitoring Found
• Virtually no logging on proxy server
• Coverage Developed for back-end communication
• Tor as a payload is new and could become more common as visibility continues to increase around these types of threats
• Gates and 302 Cushioning are being used heavily
74. Excluded Local Regions
• CryptoWall 4 checks local region settings with an undocumented API Call
• The following regions are excluded from infections:
  – Russian
  – Kazakh
  – Ukrainian
  – Uzbek
  – Belarusian
  – Azeri
  – Armenian
  – … other Eastern Europe countries
79. SamSam Targets Healthcare
• Exploits JBoss Vulnerability
• Moves Laterally
• Targeted Across Organization
• Used recently against multiple hospitals
85. Changes in the Threat Landscape
• Vulnerable JBoss servers are being used as an attack vector
86. Web Shells!
• Web shells are a major security concern and are an indicator of compromise!
• If a web shell has been installed on a server, take immediate steps to remediate the issue
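Treating a web shell as an indicator of compromise starts with finding it. The following is an added example (not Talos code or a Talos tool) of a heuristic scanner for a PHP web root: it looks for the combination a shell needs, request input flowing into code or command execution, or decoded data being executed, rather than any single function name, so ordinary application code is not flagged. The sample files are constructed inline as inert strings to exercise the rules; the function lists, file extensions and the combination rule are assumptions to extend for your own stack.

```python
import os
import re

# Constructs a PHP web shell usually needs. Legitimate code uses several of
# these too, so is_probable_web_shell() requires a combination, not one hit.
PATTERNS = {
    "code_exec": re.compile(r"\b(eval|assert|create_function)\s*\(", re.I),
    "cmd_exec": re.compile(r"\b(system|exec|shell_exec|passthru|popen|proc_open)\s*\(", re.I),
    "decode": re.compile(r"\b(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    "request_input": re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\b"),
}


def scan_source(text):
    """Return which heuristic categories fire on one file's contents."""
    return {name: bool(rx.search(text)) for name, rx in PATTERNS.items()}


def is_probable_web_shell(text):
    hits = scan_source(text)
    # Attacker-supplied input reaching code/command execution, or decoded data
    # being executed, is the combination that warrants an incident ticket.
    return (hits["request_input"] and (hits["code_exec"] or hits["cmd_exec"])) \
        or (hits["decode"] and hits["code_exec"])


def scan_directory(root, extensions=(".php", ".phtml", ".php5")):
    """Walk a web root and return the paths that look like web shells.
    Pair the result with file mtimes and web server access logs during triage."""
    flagged = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(extensions):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    if is_probable_web_shell(fh.read()):
                        flagged.append(path)
            except OSError:
                pass  # unreadable file: report separately rather than abort the scan
    return flagged


# Constructed sample files (inert strings used as detector fixtures, never executed).
SAMPLES = {
    # Benign: request input only, rendered safely.
    "search.php": "<?php $q = htmlspecialchars($_GET['q'] ?? ''); echo \"Results for $q\"; ?>",
    # Benign: decoding only, no execution.
    "logo.php": "<?php header('Content-Type: image/png'); echo base64_decode($ENCODED_LOGO); ?>",
    # Shell-like: request input passed straight to command execution.
    "cache.php": "<?php if (isset($_REQUEST['c'])) { system($_REQUEST['c']); } ?>",
    # Shell-like: decoded request input executed as code.
    "x.php": "<?php eval(base64_decode($_POST['d'])); ?>",
}


if __name__ == "__main__":
    for name, source in SAMPLES.items():
        print(f"{name}: {'FLAG' if is_probable_web_shell(source) else 'ok'} {scan_source(source)}")
```

Heuristic scanning finds the common cases quickly; shells that hide behind string concatenation or custom encoders will slip past it, which is why the slide's advice to treat any confirmed shell as a compromise (and to look for how it got there, such as the JBoss exposure on the previous slide) matters more than the scanner itself.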