Black Hat’s 2018 world conference tour kicked off in Singapore with Black Hat Asia: two days of Trainings, followed by two days of Briefings and the Business Hall. Cisco Security is now a Technology Partner of Black Hat, with Cisco Threat Grid for malware analysis, Cisco Umbrella for DNS and Cisco Visibility for threat intelligence, supporting the Network Operations Center’s (NOC) Security Operations.
The focus of the NOC is to provide secure and open Internet access to the conference presenters, attendees and sponsors. Many of the Trainings, Briefings and demonstrations require access to malicious files and domains, so the NOC does not block such traffic. Rather, we focus on the security of the conference assets and on ensuring there are no internal or outbound attacks that would disrupt the educational and collaborative conference.
Cisco Threat Grid is integrated with RSA NetWitness Packets for network forensics and investigation. The RSA team does full packet capture, and its Malware Analysis component sends potentially malicious .exe, .dll, .pdf and .rtf files to Threat Grid for dynamic malware analysis. An important new integration, completed right before the conference, was Cisco Umbrella’s domain reputation intelligence piped directly into Threat Grid. Now, if a sample contacts a domain that is known to belong to a malicious or potentially harmful Cisco Umbrella category, this triggers a Behavioral Indicator in Threat Grid, which in turn contributes to that sample’s Threat Score and appears in the analysis report.
This is another way to put broader Cisco threat intelligence to work in identifying malicious behaviors and improving overall threat detection. Here is the list of the Network DNS Category indicators and what each one detects:
- network-dns-category-adware – Cisco Umbrella Categorized Domain As Adware
- network-dns-category-cnc – Cisco Umbrella Flagged Domain As A Command & Control Server
- network-dns-category-driveby-exploit – Cisco Umbrella Flagged Domain As Hosting An Exploit
- network-dns-category-dynamic – Cisco Umbrella Categorized Domain As A Dynamic DNS
- network-dns-category-harmful – Cisco Umbrella Categorized Domain As Potentially Harmful
- network-dns-category-new – Cisco Umbrella Categorized Domain As A Newly Seen Domain
- network-dns-category-p2psharing – Cisco Umbrella Categorized Domain As P2P/File Sharing
- network-dns-category-phishing – Cisco Umbrella Flagged Domain As Phishing
- network-dns-category-proxy – Cisco Umbrella Flagged Domain As A Proxy Or Anonymizer
- network-dns-category-urlshortener – Cisco Umbrella Categorized Domain As A URL Shortener
- network-dns-category-webspam – Cisco Umbrella Categorized Domain As Web Spam
- network-dns-cnc-category – Cisco Umbrella Flagged Domain As A Command & Control Server
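As an added example (not Threat Grid or Umbrella code), the following Python shows how a domain-reputation feed can be turned into behavioral indicators of this kind for one sandbox run: every DNS lookup the sample made is checked against a category table, each match raises the indicator named above for that category, and the indicators are folded into a score that would appear in the report. The indicator names and titles are the ones listed on the page; the category lookup table, the sample's DNS lookups and the per-indicator weights and scoring rule are constructed assumptions, not Threat Grid's actual scoring.

```python
"""Map a sandbox run's DNS lookups to DNS-category behavioral indicators (added example)."""

# Umbrella category key -> (indicator name, report title, assumed weight).
# Names and titles are from the page; the category keys and weights are constructed.
# The page also lists network-dns-cnc-category with the same C2 title; this example
# does not distinguish it from network-dns-category-cnc.
DNS_CATEGORY_INDICATORS = {
    "adware":          ("network-dns-category-adware",          "Cisco Umbrella Categorized Domain As Adware", 30),
    "cnc":             ("network-dns-category-cnc",             "Cisco Umbrella Flagged Domain As A Command & Control Server", 100),
    "driveby-exploit": ("network-dns-category-driveby-exploit", "Cisco Umbrella Flagged Domain As Hosting An Exploit", 95),
    "dynamic":         ("network-dns-category-dynamic",         "Cisco Umbrella Categorized Domain As A Dynamic DNS", 40),
    "harmful":         ("network-dns-category-harmful",         "Cisco Umbrella Categorized Domain As Potentially Harmful", 60),
    "new":             ("network-dns-category-new",             "Cisco Umbrella Categorized Domain As A Newly Seen Domain", 35),
    "p2psharing":      ("network-dns-category-p2psharing",      "Cisco Umbrella Categorized Domain As P2P/File Sharing", 25),
    "phishing":        ("network-dns-category-phishing",        "Cisco Umbrella Flagged Domain As Phishing", 90),
    "proxy":           ("network-dns-category-proxy",           "Cisco Umbrella Flagged Domain As A Proxy Or Anonymizer", 45),
    "urlshortener":    ("network-dns-category-urlshortener",    "Cisco Umbrella Categorized Domain As A URL Shortener", 20),
    "webspam":         ("network-dns-category-webspam",         "Cisco Umbrella Categorized Domain As Web Spam", 20),
}

# Constructed stand-in for the reputation feed: domain -> set of category keys.
REPUTATION = {
    "updates.example-cdn.test": set(),
    "cnc-beacon.example.test": {"cnc", "new"},
    "ads-tracker.example.test": {"adware"},
    "ddns-host.example.test": {"dynamic"},
}

# Constructed DNS lookups observed during one dynamic analysis run (with a repeat).
SAMPLE_DNS_LOOKUPS = [
    "updates.example-cdn.test",
    "cnc-beacon.example.test",
    "cnc-beacon.example.test",
    "ads-tracker.example.test",
    "not-in-feed.example.test",
]


def lookup_categories(domain, reputation=REPUTATION):
    """Categories for a domain; domains absent from the feed yield none rather than an error."""
    return reputation.get(domain, set())


def dns_category_indicators(lookups, reputation=REPUTATION):
    """Return {indicator name: {"title", "domains", "weight"}} for every categorized lookup."""
    hits = {}
    for domain in sorted(set(lookups)):          # de-duplicate repeated lookups
        for key in lookup_categories(domain, reputation):
            name, title, weight = DNS_CATEGORY_INDICATORS[key]
            entry = hits.setdefault(name, {"title": title, "domains": [], "weight": weight})
            entry["domains"].append(domain)
    return hits


def threat_score(indicators):
    """Assumed scoring rule (not Threat Grid's): the strongest indicator sets the floor,
    each additional distinct indicator adds 5, and the result is capped at 100."""
    if not indicators:
        return 0
    weights = sorted((e["weight"] for e in indicators.values()), reverse=True)
    return min(100, weights[0] + 5 * (len(weights) - 1))


def report_lines(indicators):
    """Render the indicators as they would be listed in an analysis report."""
    return [
        f"{name} - {entry['title']} ({', '.join(entry['domains'])})"
        for name, entry in sorted(indicators.items())
    ]


if __name__ == "__main__":
    found = dns_category_indicators(SAMPLE_DNS_LOOKUPS)
    print("\n".join(report_lines(found)))
    print("Threat Score:", threat_score(found))
```

Because the C2 category alone carries the maximum weight, the run above scores 100 regardless of the adware hit; a run that only touched an adware domain would score 30, which is the behaviour an analyst wants from a category-driven indicator: the report names every categorized domain, but the score is driven by the worst one.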
We were also able to take advantage of the new Playbooks for automated interaction and the Network Exit Localization to the region.
Expanding the Behavioral Indicator, you can see the domains and the Umbrella Security designation. Clicking on the link next to the domain name provides additional intelligence.
The WHOIS detail also comes from the Umbrella integration, with the Related IPs and Hosted URLs drawn from the threat intelligence observed during dynamic analysis by Threat Grid and correlated with the global dataset.
In the Black Hat Asia NOC, we used the Threat Grid Glovebox to investigate suspicious domains identified by Umbrella, including those related to potential malicious activity and cryptomining.
From the first day of the conference, we noted hourly DNS traffic to www.blekeyrfid.com with over 1,000 requests. The intelligence was shared with the RSA NetWitness team, and they determined the traffic was all from a single machine.
We pivoted into Umbrella Investigate to learn more about the domain and where it was hosted. The IP address to which it resolved is on the Umbrella block list. Per Black Hat policy, we allowed it for attendees, but would have blocked it on conference assets. We could see there was a spike in activity at the Black Hat Asia conference, and only during conference hours, not at night.
Investigation in the Threat Grid Glovebox determined it is an access control spoofing application. I happened to be meeting with representatives from Interpol and shared the information.
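The hourly-volume review described above, as an added example in Python (not NOC, Umbrella or RSA NetWitness code): it buckets resolver log lines per hour and domain, flags any domain that exceeds a request threshold within an hour, reports how concentrated those requests are on one client, and checks whether a domain's activity falls only inside a given hours window. The log line format, the threshold, the hours window, the client addresses and the domain `www.example-rfid.test` are constructed stand-ins, and the sample log is generated inline rather than read from a resolver.

```python
"""Hourly DNS volume review for a conference network (added example)."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed log: one client repeating a lookup ~1,200 times an hour during the
    day, plus light background traffic. Format: '<ISO timestamp> <client_ip> <qname>'."""
    lines = []
    day = datetime(2018, 3, 22)
    for hour in range(9, 18):                       # 09:00 through 17:59 only
        base = day.replace(hour=hour)
        for i in range(1200):                       # busy client, one query every 3 s
            ts = base + timedelta(seconds=(i * 3) % 3600)
            lines.append(f"{ts.isoformat()} 10.20.1.15 www.example-rfid.test")
        for i in range(20):                         # unrelated background lookups
            ts = base + timedelta(seconds=i * 120)
            lines.append(f"{ts.isoformat()} 10.20.1.{30 + i % 5} updates.example-cdn.test")
    return lines


def parse_line(line):
    """Split one constructed log line into (timestamp, client, qname)."""
    ts, client, qname = line.split()
    return datetime.fromisoformat(ts), client, qname


def hourly_domain_clients(lines):
    """(hour bucket, qname) -> Counter of the client IPs that queried it."""
    buckets = defaultdict(Counter)
    for line in lines:
        ts, client, qname = parse_line(line)
        hour = ts.replace(minute=0, second=0, microsecond=0)
        buckets[(hour, qname)][client] += 1
    return buckets


def high_volume_domains(lines, threshold=1000):
    """Domains with more than `threshold` queries in an hour, with source concentration,
    so the analyst sees at once whether the volume comes from one machine or many."""
    findings = []
    for (hour, qname), clients in sorted(hourly_domain_clients(lines).items()):
        total = sum(clients.values())
        if total <= threshold:
            continue
        top_client, top_count = clients.most_common(1)[0]
        findings.append({
            "hour": hour.isoformat(),
            "domain": qname,
            "requests": total,
            "distinct_clients": len(clients),
            "top_client": top_client,
            "top_client_share": round(top_count / total, 2),
        })
    return findings


def active_hours(lines, domain):
    """Sorted hours of the day in which `domain` was queried at all."""
    hours = set()
    for line in lines:
        ts, _, qname = parse_line(line)
        if qname == domain:
            hours.add(ts.hour)
    return sorted(hours)


def only_during(hours, start, end):
    """True when every active hour lies inside [start, end), e.g. conference hours."""
    return bool(hours) and all(start <= h < end for h in hours)


if __name__ == "__main__":
    log = build_sample_log()
    for finding in high_volume_domains(log):
        print(finding)
    hours = active_hours(log, "www.example-rfid.test")
    print("active hours:", hours, "conference hours only:", only_during(hours, 8, 19))
```

On the constructed log, every hour from 09:00 to 17:00 produces one finding for the repeated domain with a single client holding 100% of the requests, and the activity profile sits entirely inside an 08:00 to 19:00 window, which is the combination the text describes: high volume, one machine, conference hours only.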
The Rise of Cryptomining
At Black Hat Europe 2018, for the first time we witnessed an incident of cryptomining on a conference network. At Black Hat Asia, cryptomining became a major security event, which we tracked to ensure it was consensual and not running on conference assets.
authedmine.com (link goes to the Umbrella report on the domain) was of particular interest, as most mining traffic went to that domain during the first two days of the conference, and then the miners did not attend the last day. The website is associated with coinhive.com.
Looking at the domain in Umbrella Investigate, we could see DNS queries to it from many convicted samples in Threat Grid, and it was classified under Cryptomining this month.
With the new Cisco Visibility, we were able to get a better visual of the architecture and the relationships among IP addresses, samples, artifacts and URLs.
Cryptomining comes in two variations:
- Opt-in: the user specifically consents and takes action to allow their resources to be used for mining
- Non-consensual: the user is not aware that an open browser session is using their resources for mining
AuthedMine.com purports to be explicitly opt-in, when reviewed in the Threat Grid Glovebox.
The website uses a .js file for the mining, the same method as non-consensual attacks. The script was downloaded into the Temporary Internet Files without an opt-in.
Using the integrated threat intelligence, the same .js was seen as an artifact in other samples within Threat Grid, which were certainly non-consensual.
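Two checks that follow from the points above, as an added example in Python (not Threat Grid code): first, whether a consent prompt appears in the sandbox timeline before the mining script is fetched and its workers start, which is what separates opt-in from non-consensual mining; second, how widely the same script artifact is shared with other samples that have already been convicted. The timeline events, the artifact hash, the sample names and the verdicts are all constructed stand-ins.

```python
"""Consent ordering and artifact correlation for in-browser mining (added example)."""

# Event kinds that mean mining is under way, and kinds that show the user was asked.
MINING_EVENTS = {"script_fetched", "worker_started"}
CONSENT_EVENTS = {"consent_prompt", "consent_granted"}

# Constructed sandbox timeline of one page visit, in order of occurrence:
# the script is cached and workers start before any prompt is shown.
VISIT_TIMELINE = [
    ("page_load", "https://mining.example.test/"),
    ("script_fetched", "https://mining.example.test/lib/miner.min.js"),
    ("script_cached", "Temporary Internet Files/miner.min.js"),
    ("worker_started", "4 CPU-bound worker threads"),
    ("consent_prompt", "Allow this site to use your CPU?"),
]

# Constructed placeholder for the cached script's SHA-256 (not a real hash).
MINER_JS_SHA256 = "00" * 30 + "cafe"

# Constructed: other sandbox reports, the artifact hashes they produced, and their verdicts.
KNOWN_SAMPLES = {
    "sample-A": {"artifacts": {MINER_JS_SHA256, "11" * 32}, "verdict": "malicious"},
    "sample-B": {"artifacts": {MINER_JS_SHA256}, "verdict": "malicious"},
    "sample-C": {"artifacts": {"22" * 32}, "verdict": "clean"},
    "sample-D": {"artifacts": {MINER_JS_SHA256}, "verdict": "clean"},
}


def first_index(timeline, kinds):
    """Position of the first event whose kind is in `kinds`, or None if absent."""
    for i, (kind, _) in enumerate(timeline):
        if kind in kinds:
            return i
    return None


def consent_precedes_mining(timeline):
    """True only when a consent event occurs before any mining event.
    No consent at all, or consent shown after mining began, is treated as non-consensual."""
    consent = first_index(timeline, CONSENT_EVENTS)
    mining = first_index(timeline, MINING_EVENTS)
    if mining is None:
        return True                      # nothing was mined, so nothing needed consent
    return consent is not None and consent < mining


def artifact_correlation(artifact, samples):
    """Other samples that produced the same artifact, and how many of them were convicted."""
    sharing = {name: r["verdict"] for name, r in samples.items() if artifact in r["artifacts"]}
    return {
        "samples": sorted(sharing),
        "convicted": sum(1 for v in sharing.values() if v == "malicious"),
        "total": len(sharing),
    }


def classify_mining(timeline, artifact, samples):
    """Combine the ordering check and the artifact overlap into one finding."""
    corr = artifact_correlation(artifact, samples)
    return {
        "classification": "opt-in" if consent_precedes_mining(timeline) else "non-consensual",
        "shared_with_convicted": corr["convicted"],
        "shared_with_total": corr["total"],
        "sharing_samples": corr["samples"],
    }


if __name__ == "__main__":
    print(classify_mining(VISIT_TIMELINE, MINER_JS_SHA256, KNOWN_SAMPLES))
```

The ordering check deliberately treats "prompt shown after the workers started" the same as "no prompt at all": a site that fetches and runs the miner first and asks afterwards has already used the visitor's CPU without consent, which is the situation the Glovebox review above describes.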
Other cryptomining and cryptocurrency domain activity included (links go to the Umbrella reports on the domains):