
From Kaspersky SAS to RSA 2016

Author: Dhia Mahjoub
Updated March 4, 2020 • 5 minute read

Three weeks ago, OpenDNS Research Labs was at the annual Kaspersky Security Analyst Summit held in Tenerife, Spain, February 7 to 11. Thomas Mathew and I were delighted to talk about “Defeating malware with signal analysis techniques” on the 9th. SAS is one of my favorite security conferences of the year because it combines great quality talks, a very tech-savvy yet jolly crowd, and highly entertaining activities. We had the chance to catch up with friends from the community and meet with our friends from the Talos research team. As a matter of fact, we are pleased to invite Nick Biasini from Talos to contribute to this blog.

[Photo] SAS first day was at the Magma Art & Congress Center, Tenerife [Nick Biasini].

[Photo] Sunset view from the hotel [Alisha Anderson].

After the two-day conference, we had a full day of entertainment organized by Kaspersky for all attendees. We took a trip to Teide National Park, a must-see wonder in Tenerife. At 3,700 m, this is the highest peak on Spanish soil and it is regarded as the world’s third-tallest volcanic structure. The views were breathtaking and otherworldly. We also visited the Teide Observatory, an astronomical observatory on Mount Teide operated by the Instituto de Astrofísica de Canarias. Technicians at the observatory gave us a tour of several world-class telescopes financed by various European countries for advanced astronomical projects. Teide Observatory is known for its excellent astronomical seeing conditions.

[Photo] Las Cañadas volcanic cauldron in Tenerife [Nick Biasini].

[Photo] Sunset view on the way down from El Teide [Alisha Anderson].

Insights from Dhia Mahjoub

There were numerous quality talks at SAS, and it’s hard to go over all of them here. A nice appearance was that of Reuben Paul as a keynote speaker. He demonstrated live attacks and delivered inspiring words, from his 9-year-old perspective, on teaching kids to be curious and enthusiastic about security. I was pleased to meet Reuben’s family afterwards.

[Photo] With friends Reuben and Mano Paul [Mano Paul].

In “Poseidon’s APT boutique,” Kaspersky researchers unveiled the first Portuguese-speaking targeted attack group, named “Poseidon.” The group is most likely a commercial threat actor and appears to have been active since at least 2005. Poseidon’s campaigns were tailored specifically to the MS Windows family and focused heavily on espionage for commercial gain, with at least 35 enumerated victims, including companies in energy and utilities, telecommunications, public relations, media, financial institutions, governmental institutions, general services, and manufacturing. These victims are mostly in Brazil, the USA, France, Kazakhstan, the United Arab Emirates, India, and Russia.

Poseidon used spear phishing as its main infection vector, with executable elements embedded inside office documents; the executables were often digitally signed to avoid detection or blocking. After infection, the malware reports to CnC servers and then begins a lateral movement phase. This phase often leverages a specialized tool that automatically collects a variety of information, including credentials, group management policies, and system logs, to better adapt further attacks. The exfiltrated information is then used by a front company to blackmail victims into contracting the Poseidon Group as a security firm, under the threat of handing the stolen information to competitors. This extortion component is what differentiates the Poseidon group from others. It is also noteworthy that the group did not leverage zero-day vulnerabilities in the samples analyzed. Poseidon relied primarily on conventional means to deceive users: executables hidden inside office documents and poisoned documents carrying malicious macro scripts have been the sole methods used to compromise their targets.

Finally, the group seems to have stayed under the radar because many of its campaigns were designed to run on specific machines, using diverse CnC servers located in different countries that are swiftly discarded.

Insights from Thomas Mathew

Thomas Rid, professor at Imperial College London and author of Rise of the War Machines, gave an excellent talk about the Moonlight Maze APT group. The talk was part detective story and part historical overview. Many security practitioners are familiar with the APT groups named in the last five years by companies like Kaspersky and Mandiant, but information about older APT groups is rarer. What made the talk interesting were the details about an APT group that was active in the 1990s. Through a painstaking investigation involving multiple Freedom of Information Act requests to obtain first-hand government documents, along with interviews with personnel involved in the case, Rid was able to piece together how a suspected Russian APT group entered classified US networks and exfiltrated data. The group, ‘Moonlight Maze,’ used universities with close connections to government-run programs as entry points into the government networks. This gave them the ability not only to obtain sensitive material but also to run jobs on US supercomputers. Ultimately, the discovery of the Moonlight Maze group led to a classified congressional hearing. Rid had to conduct many personal interviews to obtain information about the group because many of the original documents detailing the group’s MO were destroyed. Moonlight Maze also has a connection to the present: parts of the Maze infrastructure were later used by the Turla group when it hacked satellites.

In another talk, Sergey Golovanov and Vladislav Roskov of Kaspersky gave an update on the Carbanak group that Kaspersky discovered last year. This year the researchers exposed Metel/Corkow, another Trojan that infected a Russian bank and surreptitiously transferred money to criminals. By identifying flaws in the group’s code, Kaspersky was able to identify servers involved in the money transfers. They accomplished this by scanning the entire IP space for servers that output a particular error string when asked a question. It was a cool demonstration of using network tools like scanning to help find malicious servers.

Insights from Nick Biasini

A couple of weeks ago I was given the opportunity to present at Kaspersky’s Security Analyst Summit. The topic was Bedep, a favorite payload of Angler, and associated threats. This was a continuation of the previous work on Angler by Talos. It was my first SAS experience and I thoroughly enjoyed spending time in Tenerife. The venue was excellent, including the accommodations and the conference tracks. In particular, I enjoyed the duration of the talks. The 20-30 minute window provided time for technical details, without a lot of excess information. This allowed for more talks, covering a diverse range of topics.

Overall, I found SAS to be a good mixture of technical and high-level presentations with an emphasis on APT. The conference opened with an interesting presentation from Reuben Paul, giving a glimpse into the future of information security. I really enjoyed the opportunity to meet up with colleagues and discuss threats, including Angler and Bedep. One takeaway from the presentations is how much crimeware is evolving. It’s clear that adversaries are becoming more sophisticated and have really progressed over the last handful of years. There were plenty of examples of crimeware carrying out operations and executing them effectively with substantial financial returns.

See you at RSA 2016

Next Thursday, March 3 at 10:20am, OpenDNS Research Labs will be presenting at RSA on “Using Large Scale Data to Provide Attacker Attribution for Unknown IoCs”. Hope to see you there.
[Image: RSA 2016]

Photo Credits

We thank our friends Alisha Anderson @AlishaAndersonA, Nick Biasini @infosec_nick, and Mano Paul @manopaul for the photos used in this blog.
