Introducing Anomali ThreatStream Integrator 6.3.5

Anomali ThreatStream Integrator is a small-footprint software package that lets you integrate the threat intelligence of Anomali ThreatStream with your existing security tools. Today I’m excited to announce the latest version of Integrator.

In addition to the SIEMs, endpoints and numerous other security solutions (e.g. IDS, DNS, and DHCP tools) Integrator can already sync threat intelligence data with, the release of Integrator 6.3.5 adds a new destination to its growing list of best-of-breed firewall integrations: Cisco ASA devices.

Introducing Cisco ASA Support

Syncing threat intelligence from ThreatStream to Cisco ASA devices using Integrator enables you to automatically blacklist known malicious indicators of compromise (IOCs) on your Cisco firewalls, either to monitor/alert on or to block any incoming or outgoing traffic that matches them. Cisco ASA Firepower currently supports syncing domain, IP, and URL IOCs from ThreatStream.

In some cases, Anomali customers have thousands of Cisco ASA devices in their environments. Syncing threat intelligence to multiple Cisco ASA destinations is a simple and efficient process with Integrator because of its flexible user interface, which is designed to give you an easy way to add and edit new configurations.

Once threat intelligence connection points and data flows are established, customers can use the Integrator confidence filter to ensure only the most current and highest scoring and therefore most malicious threats are synced to Cisco ASA devices. Integrator also supports a number of other useful filters, including indicator type (e.g. malware domains, Phishing domains, etc) and intelligence source. New IOCs are automatically synced to Cisco ASA devices to keep the blacklists up-to-date and to both detect and protect your network from newly identified potentially hostile activity.


Further, the combined usage of the Integrator filter plus the Firepower user interface can help you maintain agile, yet complete control of the blacklists under the Security Intelligence tab. As you can see in the example above, you can create a number of categories for each threat type for easy administration and ongoing management.

Where can I download the latest version of Anomali ThreatStream Integrator?

Anomali ThreatStream Integrator 6.3.5 is now available to download via the ThreatStream Platform.

It doesn’t stop there…

In addition to adding threat intelligence to Cisco ASA devices, Integrator can support many other solutions including Splunk, Arcsight, QRadar, Carbon Black, and Tanium (to name but a few).

If you’re not already an Anomali customer, view a handful of the hundreds of other products Anomali ThreatStream Integrator can sync intelligence with, and register for Anomali ThreatStream today.


Source: Honeypot Tech

Hak5 2319 – [[ PAYLOAD ]] – OS Detection Payload

——————————-
Shop: http://www.hakshop.com
Support: http://www.patreon.com/threatwire
Subscribe: http://www.youtube.com/hak5
Our Site: http://www.hak5.org
Contact Us: http://www.twitter.com/hak5
Threat Wire RSS: https://shannonmorse.podbean.com/feed/
Threat Wire iTunes: https://itunes.apple.com/us/podcast/threat-wire/id1197048999
Help us with Translations! http://www.youtube.com/timedtext_cs_panel?tab=2&c=UC3s0BtrBJpwNDaflRSoiieQ
——————————

Source: Security news


Anomali Raises $40 Million in Series D Funding

Today I’m pleased to share the news of our latest fundraising efforts, and the addition of Lumia Capital, Deutsche Telekom Capital Partners, Telstra Ventures and Sozo Ventures to the Anomali family. With this funding, we’ll continue to invest in developing innovative threat management and collaboration solutions and expand our global reach.

This milestone comes on the heels of a very exciting 2017 at Anomali – a year in which we:

On the Products and Engineering side we kept the teams very busy, rolling out release after release with tons of new capabilities and functionality to help organizations stay ahead of threats and react more quickly and efficiently. Here’s a sampling of the updates:

  • ThreatStream: added phishing indicator extraction, bi-directional STIX/TAXII 2.0 support, multi-analyst collaboration on threat bulletins, and a powerful new rules engine that can trigger automated actions
  • Anomali Enterprise: launched AE 3.0 including an updated UI with streamlined workflows and new dashboards; released Real Time Forensics for automatic threat indicator detection, and added malware family attribution for DGA domains
  • STAXX: released STAXX 2.0 (and, more recently, 3.0) including bidirectional threat sharing, support for STIX/TAXII 2.0, threat indicator expansion on the STAXX portal, Anomali Limo feed integration, and a STIX/TAXII “bridge” translator between v1.0 and 2.0
  • Limo: launched a free collection of threat intelligence feeds, curated by the Anomali Intelligence Acquisition Team, and fully integrated with STAXX.

The best news of all is the growth in our relationship with you. In 2017 we saw record customer growth and added many new ISACs, ISAOs and other threat sharing communities to the Anomali platform. 2018 is already off to a fast start and we are looking forward to another exciting year working closely with our customers and partners.

Hope to see you at our Detect ’18 Conference!


Source: Honeypot Tech

WTB: New Mirai Variant Targets Billions of ARC-Based Endpoints

The intelligence in this week’s iteration discusses the following threats: APT, disk-wiper, DNS hijacking, malicious extensions, malicious applications, malvertising, targeted attacks, and vulnerabilities. The IOCs related to these stories are attached to the WTB and can be used to check your logs for potential malicious activity.

Trending Threats

New Mirai Variant Targets Billions of ARC-Based Endpoints (January 16, 2018)
Security researchers are discussing a new variant of the Internet-of-Things (IoT) malware “Mirai” dubbed “Okiru.” The new malware was first observed by MalwareMustDie researcher “@unixfreaxjp.” Researchers now believe that Okiru is the first malware designed to target “Argonaut RISC Core” (ARC) processors. In addition, researchers also believe that there are over 1.5 billion devices that have ARC processors such as cameras, cars, cell phones, and televisions (among others). At the time of this writing, it is unknown how many devices have been infected with Okiru, however, researchers state that the malware is specifically targeting ARC Linux devices.
Click here for Anomali recommendation

New KillDisk Variant Hits Financial Organizations in Latin America (January 15, 2018)
A new variant of the disk-wiping malware “KillDisk” is targeting financial organizations in Latin America, according to Trend Micro researchers. The malware appears to be dropped by another process rather than being directly installed. This KillDisk variant changes its file name to “c:windows23456789” while it is running. In addition, KillDisk will go through all logical drives and before it deletes a file, it is first randomly renamed. It is capable of reading the Master Boot Record (MBR) as well as overwriting the Extended Boot Record (EBR).
Click here for Anomali recommendation

Malicious Chrome Extensions Enable Criminals to Impact Over Half a Million Users and Global Businesses (January 15, 2018)
Researchers from U.S.-based cyber security firm “ICEBRG” have discovered four malicious Chrome browser extensions which were available for download on the official Chrome Web Store. The four extensions were titled “Change HTTP Request Header,” “Nyoogle – Custom Logo for Google,” “Lite Bookmarks,” and “Stickies – Chrome’s Post-it Notes,” and were found to have been downloaded approximately 500,000 times. The extensions were designed in such a way that a threat actor could send commands to an affected user’s browser via JavaScript code. Researchers discovered that the actors behind this campaign are using the extensions to conduct click fraud by loading a website in the background and clicking on advertisements.
Click here for Anomali recommendation

Warning: New Undetectable DNS Hijacking Malware Targeting Apple macOS Users (January 12, 2018)
A security researcher has published information regarding what may be the first reported macOS-specific malware of 2018. The malware was first identified via a post on a Malwarebytes forum. The malware, dubbed “OSX/MaMi,” is an unsigned Mach-O 64-bit executable that is reported to be similar to another malware family called “DNSChanger.” In 2012, DNSChanger infected millions of machines around the globe. DNSChanger would change Domain Name System (DNS) server settings to route traffic through actor-controlled servers, which allowed the actors to intercept potentially sensitive data. OSX/MaMi appears to be doing the same thing, in addition to installing a new root certificate in an attempt to intercept encrypted communications.
Click here for Anomali recommendation

Update on Pawn Storm: New Targets and Politically Motivated Campaigns (January 12, 2018)
The Advanced Persistent Threat (APT) group “APT28” has added new targets in its cyber espionage campaign “Operation Pawn Storm,” according to Trend Micro researchers. Researchers note that the group’s tactics in this campaign have remained the same. APT28 uses well-prepared, politically-themed spear phishing emails to target political organizations around the world. The group has been conducting this campaign since 2015. Now researchers have observed the group distributing phishing emails that attempt to steal user credentials. In October and November, APT28 distributed emails that purported to be a message from the recipient’s Microsoft Exchange server regarding an expired password, and others claiming that there was a new file on the recipient company’s OneDrive system.
Click here for Anomali recommendation

Hackers Make Whopping $226K Installing Monero Miners on Oracle WebLogic Server (January 11, 2018)
Researchers Johannes B. Ullrich (SANS) and Renato Marinho (Morphus Labs) have discovered that threat actors are actively exploiting a vulnerability in Oracle WebLogic servers. The vulnerability, registered as “CVE-2017-10271,” was patched by Oracle in October 2017. However, the proof-of-concept code released for the vulnerability is likely a driving force behind the current malicious activity. Actors have been able to compromise enterprise-owned WebLogic servers and gain access to corporate networks. Interestingly, instead of stealing information, the actors installed a “Monero” cryptocurrency miner. As of this writing, the actors have been able to mine approximately 611 Monero, valued at approximately $226,000 USD.
Click here for Anomali recommendation

Adobe Patches Information Leak Vulnerability (January 10, 2018)
As part of Patch Tuesday, Adobe has issued a security patch to address a vulnerability registered as “CVE-2018-4871.” The vulnerability could be exploited by threat actors to leak sensitive data. This vulnerability affects Adobe Flash Player on Mac, Linux, and Windows machines. In addition, Adobe Flash Player for the web browsers Chrome, Edge, and Internet Explorer, versions 28.0.0.126 and earlier, is also affected.
Click here for Anomali recommendation

Microsoft Releases Patches for 16 Critical Flaws, Including a Zero-day (January 9, 2018)
In Microsoft’s first Patch Tuesday of 2018, the company addressed 56 CVE-registered vulnerabilities that affect multiple products including ASP.NET, ChakraCore, Edge, Internet Explorer, and the .NET framework. Microsoft issued a patch for a zero-day vulnerability, registered as “CVE-2018-0802,” in Office that was observed to have been exploited by threat actors in the wild.
Click here for Anomali recommendation

Diplomats in Eastern Europe Bitten by a Turla Mosquito (January 9, 2018)
Researchers from the IT security company ESET have released a report discussing new malicious activity which is attributed to the Advanced Persistent Threat (APT) group “Turla.” Researchers discovered that a custom backdoor used by the group called “Mosquito” was packaged with the legitimate Flash installer, and it appeared to have been downloaded from adobe[.]com. Turla has been observed using a fake Adobe Flash installer in previous campaigns. The group was also observed using its “Gazer” malware to primarily target consulates and embassies in Eastern Europe, although some private companies were also infected.
Click here for Anomali recommendation

RIG Exploit Kit Campaign Gets Deep Into Crypto Craze (January 9, 2018)
As cryptocurrencies continue to become more popular, due in part to the significant rise in value of Bitcoin, so too are malicious campaigns designed to mine cryptocurrency. Researchers have discovered such a campaign, dubbed “Ngay,” is distributing the RIG exploit kit via malicious advertisements (malvertising). If a malvertisement is followed, a user is infected with RIG, which then downloads a “Monero” or “Electroneum” cryptocurrency miner on to the affected machine.
Click here for Anomali recommendation

First Kotlin-Developed Malicious App Signs User Up for Premium SMS Services (January 9, 2018)
Trend Micro researchers have identified a malicious application on the Google Play store that impersonated the utility cleaning tool application for Android devices called “Swift Cleaner.” The application was written in the “Kotlin” programming language, which Google announced support for in May 2017 for creating Android applications. The fake application was observed to have been downloaded between 1,000 and 5,000 times. The malicious application is capable of click advertisement fraud, data theft, remote code execution, URL forwarding, and signing up for paid SMS subscription services without user permission.
Click here for Anomali recommendation

Apple Releases Multiple Security Updates (January 8, 2018)
The United States Computer Emergency Readiness Team (US-CERT) has issued an alert regarding vulnerabilities in multiple Apple products. The affected Operating Systems (OS) are macOS High Sierra 10.13.2, macOS Sierra 10.12.6, and OS X El Capitan 10.11.6. The devices affected by vulnerabilities are iPhone 5s and later, iPad Air and later, and iPod 6th generation. A threat actor could exploit these vulnerabilities to gain access to sensitive information.
Click here for Anomali recommendation

A North Korean Monero Cryptocurrency Miner (January 8, 2018)
A new application, identified to have been compiled on December 24, 2017, is being used to mine “Monero” cryptocurrency, according to AlienVault Labs researchers. The currency, after being mined, is then sent to “Kim Il Sung University” in Pyongyang, North Korea. Researchers believe that it is likely that the installer is associated with the open source Monero mining software “XMRig.” Interestingly, it was discovered that the actors behind this campaign used a hostname that no longer resolves, which means XMRig cannot send the mined currency to the actors on most networks. Researchers believe that this fact, in addition to the use of a North Korean server, may indicate that this is a testing phase of a potential malicious campaign, or that this may be a genuine Monero mining operation. However, the use of a North Korean server may indicate that actors within the country are mining cryptocurrencies as a way to bypass United Nations sanctions. Lastly, the observation of Monero being sent to Kim Il Sung University does not necessarily attribute this activity to a North Korean citizen, because the university is “unusually open” and analysis of the code samples reveals French text.
Click here for Anomali recommendation


Source: Honeypot Tech

Doh!!! The 10 Most Overlooked Security Tasks

Here’s a list of gotchas that often slip past overburdened security pros.
Source: Vulnerabilitys & Threats

IoT-Driven Manufacturing Trends to Look for in 2018


With Internet of Things (IoT) technology spending forecast to reach $772.5 billion this year — an increase of 15 percent over 2017 — the world’s top manufacturers are set to shift into exhilarating overdrive down the path to AI-driven and IoT-enabled automation. So where will 2018 take us on this journey? First and foremost, the year ahead will see manufacturers rapidly connecting the unconnected, consolidating workloads, focusing on data analytics and virtualizing as much as they can on the manufacturing floor. Furthermore, the manufacturing industry will continue its quest to connect to the data halos transmitted by all of the instrumented people, places and things. They will make further sense of this data by applying analytic algorithms to turn data into actionable information, providing better insight into facilities and production.

Shifting Roles and Revealing Value in IoT

While the industry is embracing IoT, it will begin to reveal its value in 2018. Unlike the enterprise resource planning (ERP) projects of the 1980s and ‘90s, manufacturers understand that there’s tremendous value in IoT. As a result, 2018 will see a growth in pilots that will showcase results to inform further investment and business benefits — from intelligent manufacturing and field service automation to industrial system consolidation and robotic assembly. Industry leaders will emerge and apply these experiments at high-value locations where they see that they can automate functions.

The rapid growth in automation of routine tasks will free up humans to apply their own unique intuition and creativity to infer associations from disassociated objects. That’s where humans are most effective. Manufacturers will increasingly look for places and ways to automate functions while also looking for ways to apply IoT for improving their business processes. This will certainly appear across the supply chain as businesses take a closer look at the quality of the raw materials that arrive, work in progress and quality steps along the way.

As businesses dig in and begin to uncover the value of IoT, they will increasingly deploy analytic solutions where it makes sense. It’s a tremendously exciting time for the industry, at a time when IoT technology is still growing and being developed. There are nuances and new discoveries that need to be made, as with any new major evolution in the industry. While we’re still very early on, everyone is experimenting, learning quickly, failing quickly, and gleaning solid learning objectives out of the pilots they deploy, slowly bringing it on board.

Positive Disruption through Automation

IoT will also disrupt the market in places where technology can enable businesses to provide more personalization for customers. If a customer wants a certain part created from a certain pattern, from a certain material, delivered on a certain date then they should be able to convert that request to a manufacturing line to delight the customer when it shows up at their door. Manufacturing is heading down the path toward personalization, shaped by the increasing amounts of data insights that are streaming from people, places and things. It will give manufacturers the ability to become so much more efficient and safe in how they deliver their product to customers, aided by disruption in automation and controls, virtualization and software-defined machine control.

The Path to a Smarter Factory

As manufacturers continue on their journey with IoT they can start to make sense of industrial data by applying algorithms and analytics. This, in turn, will enable them to leverage machine learning that distinguishes normal from abnormal behaviors. The next phase will be building smart machines that use that data in decision-making and in control logic. As a result, analytics for large, unstructured data sets like video and audio will increasingly occur at the edge, or at other places along the network. This will allow manufacturers to detect anomalies for further examination back at the factory command center.

Looking Ahead

From workload consolidation and virtualization to revealing IoT insights and expanding automation, as manufacturers apply analytic algorithms that turn data into actionable information there’s not a place in our lives that won’t be touched by industrial IoT. We are in as transformative a phase right now as when electricity was invented. In 100 years, people will look back at this time and wonder how we ever got along without IoT devices, or solutions invented because of IoT. 2018 is shaping up to be a tremendously transformative year that will usher us forward to a better tomorrow.

To stay informed about Intel IoT developments, subscribe to our RSS feed for email notifications of blog updates, or visit intel.com/IoT, LinkedIn, Facebook and Twitter.


Source: Network News

The Rise of Malware Using Legitimate Services for Communications

Malware often includes the ability to communicate with attacker-controlled systems on the Internet from within compromised networks. This gives the attacker several important capabilities.

Some examples of this communication include:

  • Receive “heartbeats” to maintain an inventory of compromised systems
  • Send remote-control commands and receive the results of those commands
  • Exfiltrate data from inside compromised networks
  • Send updates or new capabilities to already compromised hosts

This communication between malware and attacker-controlled servers on the Internet is often referred to as “command and control” (C2). Apart from detecting the malware itself, it is also a primary area of focus for detecting malware infections in security software.

As defenders have gotten better at detecting Internet hosts and domains used for malware command and control, attackers have had to develop their own countermeasures to try to stay ahead of detection and blocking efforts. Techniques such as Domain Generation Algorithms (DGAs) have been employed to evade the traditional detection mechanisms put in place by defenders.

One of the new evolutions in malware capabilities is the use of legitimate services as a conduit for command and control communications. Imagine malware that uses GitHub, or Google Docs, or Facebook to communicate with attackers. Defenders are stuck trying to discern between legitimate traffic and malicious traffic when all of it is encrypted and going to the same popular and entirely legitimate services on the Internet. The dominant way to refer to this technique is “Legit Services C2.”

A variety of legitimate services seen abused for C2

There are many possible services available across the Internet that could be used for malware command and control. As new services are constantly popping up, there is essentially an unlimited supply of options for using legit services for malware command and control.

We did some detailed research into malware that uses legit services for C2. We identified a number of malware families that have been observed taking advantage of legit services, and we dug into how malware uses legit services for C2. Finally, we offer some suggestions for potentially sifting out malware usage vs. legitimate usage of these services. We packed all this research into a white paper titled Rise of Legit Services for Backdoor Command and Control, which can be downloaded here without registration. Please feel free to use this research; we hope that others will expand on it.
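One way to sift backdoor traffic from real use of the same service, as an added example that is not from the original post or its white paper: a backdoor that uses GitHub or Google Docs for C2 still has to poll on a schedule (the “heartbeats” listed above), whereas a person using the service produces bursty, irregular requests, so this script parses constructed proxy log lines and scores each client/destination pair on the regularity of its request intervals. The log format, hosts and timings are all assumptions constructed for the example.

```python
"""Beacon-regularity scoring over constructed web-proxy log lines.

Destination reputation is useless when C2 rides on GitHub or Google Docs,
so we look at timing instead: a low coefficient of variation (CV) of the
gaps between requests from one client to one host means "scheduled".
"""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample. Assumed format: "<ISO8601 UTC> <src> <host> <port> <method> <bytes>"
# 10.0.0.5 polls raw.githubusercontent.com about every 60 s with small jitter;
# 10.0.0.9 is a person browsing github.com; 10.0.0.7 makes too few requests to score.
SAMPLE_LOG = """\
2018-01-16T09:00:00Z 10.0.0.5 raw.githubusercontent.com 443 GET 512
2018-01-16T09:00:10Z 10.0.0.9 github.com 443 GET 18220
2018-01-16T09:00:14Z 10.0.0.9 github.com 443 GET 4096
2018-01-16T09:01:02Z 10.0.0.5 raw.githubusercontent.com 443 GET 512
2018-01-16T09:02:01Z 10.0.0.5 raw.githubusercontent.com 443 GET 512
2018-01-16T09:02:40Z 10.0.0.9 github.com 443 GET 9011
2018-01-16T09:03:03Z 10.0.0.5 raw.githubusercontent.com 443 GET 512
2018-01-16T09:03:59Z 10.0.0.5 raw.githubusercontent.com 443 GET 512
2018-01-16T09:04:30Z 10.0.0.7 docs.google.com 443 GET 30100
2018-01-16T09:05:01Z 10.0.0.5 raw.githubusercontent.com 443 GET 512
2018-01-16T09:06:00Z 10.0.0.5 raw.githubusercontent.com 443 GET 512
2018-01-16T09:09:05Z 10.0.0.9 github.com 443 GET 2210
2018-01-16T09:09:07Z 10.0.0.9 github.com 443 POST 640
2018-01-16T09:07:02Z 10.0.0.5 raw.githubusercontent.com 443 GET 512
2018-01-16T09:12:00Z 10.0.0.7 docs.google.com 443 GET 51000
2018-01-16T09:30:00Z 10.0.0.9 github.com 443 GET 12000
"""


def parse_log(text):
    """Return (timestamp, src, host) tuples; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        try:
            ts = datetime.strptime(fields[0], "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            continue
        records.append((ts, fields[1], fields[2]))
    return records


def score_pairs(records, min_requests=6):
    """Per (src, host): request count, mean gap in seconds and CV of the gaps.
    Pairs with fewer than min_requests requests are left unscored (too little data)."""
    by_pair = defaultdict(list)
    for ts, src, host in records:
        by_pair[(src, host)].append(ts)
    scores = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()  # log lines need not arrive in time order
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")
        scores[pair] = {"count": len(stamps), "mean_interval": mean, "cv": cv}
    return scores


def find_beacons(text, max_cv=0.25, min_requests=6):
    """Pairs whose gaps are regular enough to look scheduled, most regular first."""
    scores = score_pairs(parse_log(text), min_requests)
    hits = [dict(src=s, host=h, **v) for (s, h), v in scores.items() if v["cv"] <= max_cv]
    return sorted(hits, key=lambda h: h["cv"])


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(f"{hit['src']} -> {hit['host']}: {hit['count']} requests, "
              f"every {hit['mean_interval']:.0f}s (cv={hit['cv']:.2f})")
```

On real proxy or DNS logs the thresholds need tuning per environment, and a hit is a lead for triage (which process, which repository or document, what payload sizes), not a verdict.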


Source: Honeypot Tech

Hak5 2318 – [[ PAYLOAD ]] – Best Payload Practices


Source: Security news


'Back to Basics' Might Be Your Best Security Weapon

A company’s ability to successfully reduce risk starts with building a solid security foundation.
Source: Vulnerabilitys & Threats

CISOs' Cyber War: How Did We Get Here?

We’re fighting the good fight — but, ultimately, losing the war.
Source: Vulnerabilitys & Threats