- FBI InfraGard: a partnership between the public and private sectors to share information; chapters are all over the USA.
- DNSstuff: performs forensic analysis of name and email servers, path analysis, and domain authentication and location.
- Internet Storm Center: great information about current issues.
- Verizon Data Breach Investigations Report.
- Cisco Threat Research Blog.
- FireEye: lots of information about security issues.
- Microsoft Security Blog.
- Microsoft Security Intelligence Report (SIR): a great read on the state of security.
Sector-based Information Sharing and Analysis Centers (ISACs) collaborate and
coordinate with each other via the National Council of ISACs (NCI). Formed in
2003, the NCI today comprises 24 organizations designated by their sectors as
In September of 2017 X-Force
researchers from IBM discovered a new banking Trojan called IcedID. IcedID primarily targets financial institutions such as banks,
payment card providers, and e-commerce sites. IcedID utilizes Emotet for
delivery to target hosts.
Emotet is most commonly linked to
small cybercrime organizations in Eastern Europe targeting western countries
and is known as a successor of the Dridex
malware that was designed to amass and maintain botnets. Emotet itself is most
often delivered by opening a macro-enabled malicious file usually delivered by
spam mail. Once executed, the malware embeds itself within normal machine
processes, connects home, and installs additional modular components as
directed. The components installed include spamming modules, network
worm modules, and data stealers.
The main known tactics and techniques of IcedID consist of common network
propagation, victim monitoring, and web URL tampering. More specifically, the
malware installs a local web proxy that intercepts the victim's web traffic and,
based on what it sees, can silently redirect the browser or inject parameters so
that the victim lands on malicious web content controlled by the attacker instead
of the page they wanted to see. Reverse engineering of the malware revealed a
PropagationThroughNetwork function, which enumerated the network propagation
module that allows the malware to affect local or remote connected endpoints as a
way of spreading to other systems. Additionally, IcedID can query LDAP looking for
other users to attack and can look for other important information to send back
to the command and control server.
As a way of hiding itself, IcedID performs a full reboot after storing its startup
files in the Windows %LocalAppData% folder, which helps it evade sandboxes and
other defenses on victim hosts. Additionally, the malware uses SSL to communicate
home and launch its attacks, to avoid intrusion detection systems deployed within
the victim infrastructure. The malware also uses a random value as the Run key
name to establish persistence on the target host. As an example, the startup file
would be “C:\Users\User\AppData\Local\ewonliarl\ewonliarl.exe” and the Run key
would be at “HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ewonliarl”.
IcedID listens on local network port 49157 and exfiltrates victim information of
its choosing to its command and control server. Interestingly enough, IcedID can
still be identified by its original process name, IcedID, which continues to run
even after the reboot; researchers think this will likely change in the future.
Thanks to Peraton and their Cyber Intelligence Program (CIP) for this information.
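The write-up above gives two host artifacts a defender can look for: a Run key under HKCU whose target lives under %LocalAppData%, and a listener on local TCP port 49157. The PowerShell below is an added example (not part of the Peraton/CIP write-up) that checks a host for both; the key path and port come from the text, the output field names are my own.

```powershell
# Added example: hunt for the IcedID persistence and listener artifacts described above.
# Run elevated so that owning-process details for the listener can be resolved.

# 1. HKCU Run entries whose target executable sits under %LocalAppData%
#    (the write-up's sample: ...\AppData\Local\ewonliarl\ewonliarl.exe under a random key name).
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
if (Test-Path $runKey) {
    $entries = Get-ItemProperty -Path $runKey
    foreach ($p in $entries.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }        # skip the provider's PSPath/PSDrive metadata
        $target = [string]$p.Value
        if ($target -like '*\AppData\Local\*') {
            [pscustomobject]@{
                Check  = 'RunKey'
                Name   = $p.Name                     # random value on an infected host
                Target = $target
                Signed = (Get-AuthenticodeSignature -FilePath ($target.Trim('"') -split '\s')[0]).Status
            }
        }
    }
}

# 2. Anything listening on TCP 49157, the port the write-up associates with IcedID.
Get-NetTCPConnection -LocalPort 49157 -State Listen -ErrorAction SilentlyContinue |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Check   = 'Listener'
            Port    = $_.LocalPort
            PID     = $_.OwningProcess
            Process = $proc.ProcessName
            Path    = $proc.Path
        }
    }
```

Any row returned is a lead to investigate, not a verdict: legitimate software does sometimes auto-start from AppData\Local, so confirm the signer and hash before acting.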
Here is information from Talos: http://blog.talosintelligence.com/2017/02/cisco-coverage-for-smart-install-client.html
Cisco Coverage for Smart Install Client Protocol Abuse
Talos has become aware of active scanning against customer infrastructure with the intent of finding Cisco Smart Install clients. Cisco Smart Install is one component of the Cisco Smart Operations solution that facilitates the management of LAN switches. Research has indicated that malicious actors may be leveraging detailed knowledge of the Smart Install Protocol to obtain copies of customer configurations from affected devices. The attack leverages a known issue with the Smart Install protocol. Cisco PSIRT has published a security response to this activity. Abuse of the Smart Install protocol can lead to modification of the TFTP server setting, exfiltration of configuration files via TFTP, replacement of IOS image and potentially execution of IOS commands.
We are aware that a tool to scan for affected systems, called the Smart Install Exploitation Tool (SIET), has been publicly released and is available here. This tool may be being used in these attacks.
To assist customers in understanding their exposure to this issue, we have released our own scanning tool as well as preliminary Snort rules which can be used to identify affected systems and detect SIET activity.
Talos Scanning Utility
Talos has produced a scanning utility which all users can run against their infrastructure to determine if they could be affected by abuse of the Smart Install Client Protocol. This tool can be found here.
Talos has created coverage for this issue in the form of sids 41722-41725. These rules are being provided immediately as part of the community rule set and can be downloaded here:
Cisco FirePOWER and Snort Subscriber Rule Set customers should ensure they are running the latest rule update in order to receive coverage.
Additionally, generic TFTP activity rules sid:518 and sid:1444 are available but these are not issue specific and must be explicitly enabled.
Cisco PSIRT has published a blog post related to the issue here:
Further guidance on Smart Install security practices here:
Additional third-party research about Smart Install is available here:
Talos encourages all partners to quickly take steps to protect their systems in accordance with the published security guidelines.
If you have a network security emergency, contact the Cisco Technical Assistance Center (TAC) at the following phone numbers:
Inside the United States or Canada: +1 800 553-2447
Outside the United States: Worldwide Contacts
Cisco responds quickly to attacks in progress and works with your staff to develop an incident response plan that minimizes the effect of current and future attacks.
I have started seeing this kind of attack.
Look at the email address!! Be careful with any of your emails and think before you click, because the link sends you to a bogus site.
Here is some new technology that I have come across.
PuriFile’s software suite provides market-leading inspection
and sanitization of digital files, preventing the loss of critical data and
ensuring business continuity for government and commercial customers. Built to
protect your inbox and halt release of sensitive information, PuriFile
inherently understands your email, Microsoft Word, PowerPoint, Excel, PDF, and
image files, so it can provide thorough email and file inspection and
sanitization while maintaining the integrity of your network and information.
Microsoft Exchange Server (MXS) is a collaborative
enterprise server application designed by Microsoft to run on Windows Servers.
MXS supports organizational email, contacts and tasks, calendar, data storage
and web based and mobile information access. By residing on an organizational
endpoint – the Exchange Server, PuriFile can provide email security through identification
and remediation of content entering and exiting through your organization's
communication lifeline, provide Data Loss Prevention and mitigate Zero-Day
How it Works
Exchange Server Plugins – Microsoft provides an Application
Programming Interface (API), as well as information and resources to extend
Microsoft Exchange Server allowing for the customization of a unique customer
focused email environment.
PuriFile Exchange Plugin – Using the Exchange Server API, the
PuriFile plugin provides Data Loss Prevention, limits Zero-Day attacks and
controls content leaving an organization.
Highly configurable, PuriFile is capable of identifying content within
email and attachments based on well-defined policies and takes corrective
action to alert the recipient and sender to remediate violations.
Message Scanning – Residing on a corporate exchange server,
PuriFile is capable of scanning incoming and outgoing email to identify suspect
content based on an organizational policy. When an individual receives an email
or attempts to send email to a recipient, the PuriFile engine scans the content
and attachments checking for violations. In the event a violation is detected,
the recipient/sender is alerted and is able to take corrective action to accept
or modify the content prior to it being received or sent to the recipient.
Removing Attachments – In addition to the normal email
message scanning, PuriFile is able to provide scanning and insight into content
residing in email attachments. When an individual receives or completes an
email and attempts to send it to the recipient, PuriFile scans the message
along with any attachments and checks for violations. In the event of a
violation in the attachment, the PuriFile engine replaces the content with a
text file identifying the violations. A return notification is sent back to the
sender along with the text file of violations.
The user will then be given an opportunity to review the violations and
address as appropriate. Once all violations are addressed, the email is
reprocessed for reading or sent on to the recipient:
Figure 2: Attachment Mode
Message Cleansing – The Message Cleansing mode is similar to
Replacing Attachments mode. Rather than alerting the recipient/sender of
content in violation, the Message Cleansing capability cleanses the offending
content from the document. When an individual receives or completes an email
and attempts to send it to the recipient, PuriFile scans the message along with
any attachments and checks for violations. In the event of a violation in the
attachment, the PuriFile engine removes the content from the file prior to
reading or sending the offending file.
A side effect of the cleansing operation is that it removes any malicious
content, which the vendor says halts in excess of 90% of zero-day attacks.
Combined with an effective anti-virus/anti-malware solution, organizations will
have gained the upper hand on virulent viruses and malware.
Here is a cool offer: if you are interested in testing this, let me know and I will forward your info to the beta test team. They are offering the software for 12 months (plus
support) for doing the beta test for us.
Send email to Jferron @ Interactive Security Training.com (NO spaces)
Hyper-V virtual machines don’t start after you upgrade to Windows 10 Version 1709
This is a known issue that is caused by antivirus programs.
Below is the Microsoft solution and article.
Consider the following scenario:
- You have a Windows 10-based computer that has the Hyper-V role installed.
- You upgrade the computer to Windows 10 Version 1709.
In this scenario, you cannot start virtual machines. Also, you receive the following error message:
Start-VM : ‘VM_NAME’ failed to start. (Virtual machine ID XXXXXX)
‘VM_NAME’ failed to start worker process: %%3228369022 (0xC06D007E). (Virtual machine ID XXXXXXX)
At line:1 char:1
+ Start-VM VM_NAME
+ CategoryInfo : NotSpecified: (:) [Start-VM], VirtualizationException
+ FullyQualifiedErrorId : OperationFailed,Microsoft.HyperV.PowerShell.Commands.StartVM
Additionally, you see the following entry in the System log:
The Hyper-V Host Compute Service service terminated unexpectedly. It has done this 11 time(s).
And you see the following entry in the Application log:
Faulting application name: vmcompute.exe, version: 10.0.16299.15, time stamp: 0x1a906fe6
Faulting module name: vmcompute.exe, version: 10.0.16299.15, time stamp: 0x1a906fe6
Exception code: 0xc0000005
Fault offset: 0x000000000000474b
Faulting process id: 0x3d78
Faulting application start time: 0x01d34d80559647e6
Faulting application path: C:\WINDOWS\system32\vmcompute.exe
Faulting module path: C:\WINDOWS\system32\vmcompute.exe
Report Id: 0ec19ef4-d52a-4135-ae72-5cba92ec909f
Faulting package full name:
Faulting package-relative application ID:
Response: Not available
Cab Id: 0
These files may be available here:
Rechecking for solution: 0
Report Id: 0ec19ef4-d52a-4135-ae72-5cba92ec909f
Report Status: 4
This issue occurs because Windows 10 Version 1709 enforces a policy that configures Vmcompute.exe not to allow any non-Microsoft DLL files to be loaded.
To fix this issue, check whether you have a non-Microsoft DLL file loaded in the Vmcompute.exe process. One possible cause of this issue is your antivirus software.
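To carry out that check, the PowerShell below (an added example, not from the Microsoft article) lists every DLL loaded into vmcompute.exe that is not signed by Microsoft, and pulls the matching Application-log crash entries if the process is not running. Cmdlets are standard; the filter on the signer's subject is my assumption about what "non-Microsoft" means here.

```powershell
# Added example: find non-Microsoft DLLs inside vmcompute.exe (Hyper-V Host Compute Service).
# Run from an elevated PowerShell session; module lists of a system process need admin rights.

$proc = Get-Process -Name vmcompute -ErrorAction SilentlyContinue
if (-not $proc) {
    Write-Warning "vmcompute.exe is not running; it may have crashed as described above."
    # Show the crash records (Event ID 1000 from 'Application Error') that name vmcompute.exe.
    Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'Application Error'; Id = 1000 } -MaxEvents 50 -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'vmcompute\.exe' } |
        Select-Object TimeCreated, Message
    Write-Host "Restart the service with: Start-Service vmcompute  (then re-run this script)"
    return
}

# Walk every loaded module and keep the ones whose Authenticode signer is not Microsoft.
foreach ($m in $proc.Modules) {
    $sig    = Get-AuthenticodeSignature -FilePath $m.FileName
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
    if ($signer -notmatch 'O=Microsoft Corporation') {
        [pscustomobject]@{
            Module = $m.ModuleName
            Path   = $m.FileName
            Signer = $signer
            Status = $sig.Status      # Valid / NotSigned / HashMismatch ...
        }
    }
}
```

A non-Microsoft module reported here (typically an antivirus or endpoint-protection DLL) is the candidate to exclude or update per the vendor's guidance; an empty result means the loaded-DLL policy is not what is stopping the VMs.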