Black Hat’s 2018 world conference tour kicked off in Singapore with Black Hat Asia: two days of Trainings, followed by two days of Briefings and the Business Hall. Cisco is now a full Technology Partner of Black Hat, with Cisco Threat Grid for malware analysis, Cisco Umbrella for DNS and Cisco Visibility for threat intelligence; supporting the Network Operations Center’s (NOC) Security Operations.

The focus of the NOC is to provide secure and open access to the conference presenters, attendees and sponsors. Many of the Trainings, Briefings and demonstrations require access to malicious files and domains; so the NOC do not block such traffic. Rather, we focus on the security of the conference assets and ensuring there are no internal or external attacks that would disrupt the educational and collaborative conference.

Cisco Threat Grid is integrated with RSA NetWitness Packets, for network forensics and investigation. The RSA team does full packet capture and its Malware Analysis component sends potentially malicious .exe, .dll, .pdf and .rtf files to Threat Grid for dynamic malware analysis. An important new integration, right before the conference, was Cisco Umbrella’s domain reputation intelligence piped directly into Threat Grid. Now, if a sample contacts a domain that is known to belong to a malicious or potentially harmful Cisco Umbrella category, this triggers a Behavioral Indicator in Threat Grid; which in turn contributes to that sample’s Threat Score and appears in the analysis report.

This is another way that you can effectively utilize broader Cisco threat intelligence to help identify malicious behaviors and to improve overall threat detection. Here is the list of the Network DNS Category indicators and their detections:

We were also able to take advantage of the new Playbooks for automated interaction and the Network Exit Localization to the region.

- 5ab539733778e - Black Hat Asia 2018: Cryptomining on the Rise

Expanding the Behavioral Indicator, you can see the domains and Umbrella Security designation. Clicking on the link next to the domain name will provide additional intelligence.

- 5ab53b32d58c0 - Black Hat Asia 2018: Cryptomining on the Rise

The WHOIS detail is also from the Umbrella integration; with the Related IPs and Hosted URLs from the threat intelligence observed during dynamic analysis by Threat Grid, and correlated with the global dataset.

- 5ab53b5e589a3 - Black Hat Asia 2018: Cryptomining on the Rise

In the Black Hat Asia NOC, we used the Threat Grid Glovebox to investigate suspicious domains identified by Umbrella, including related to potential malicious activity and .

From the first day of the conference, we noted hourly DNS traffic to with over 1,000 requests.  The intelligence was shared with the RSA NetWitness team, and they determined the traffic was all from a single machine.

- 5ab53ca7727bd - Black Hat Asia 2018: Cryptomining on the Rise

We pivoted into Umbrella Investigate to understand more about the domain and where it was hosted. The IP address to which it resolved is on the Umbrella block list. Per Black Hat policy, we allowed it for attendees, but would have blocked it on conference assets. We could see there was a spike in activity at the Black Hat Asia conference, and only during conference hours, not at night.

- 5ab53ccfd25da - Black Hat Asia 2018: Cryptomining on the Rise

Investigation in the Threat Grid glovebox determined it is an access control spoofing application. I happened to be meeting with representatives from Interpol and shared the information.

- 5ab53cfd193e5 - Black Hat Asia 2018: Cryptomining on the Rise

The of Cryptomining

We have seen many cyber criminals move away from ransomware to cryptomining; where they can make money by stealing the processing power of unsuspecting users who visit infected websites. Often the mining software will run as a javascript while the browser is open. With the fluctuation of cryptocurrency making hosted farms less profitable, using the electricity and resources of others is a way to continue to make illicit profits, without the scrutiny of ransomware attacks. The victims rarely know they have been a victim, and can be exploited over and over.

At Black Hat Europe 2017, for the first time we saw an incident of cryptomining on a conference network. At Black Hat Asia, cryptomining became a security event, to ensure it was consensual and not on conference assets. (link goes to Umbrella report on the domain) was of particular interest, as most mining traffic was going to that domain the first two days of the conference; and then the miners did not attend the last day. The website is associated with

- 5ab53d45a9790 - Black Hat Asia 2018: Cryptomining on the Rise

Taking a look at the domain in Umbrella Investigate, we could see DNS queries to the domain from many convicted samples in Threat Grid, and it was classified under Cryptomining this month.

- 5ab53d6b1a809 - Black Hat Asia 2018: Cryptomining on the Rise

With new Cisco Visibility, we were able to get a better visual of the architecture and relationships with IP addresses, samples, artifacts and URLs.

- 5ab53d91b06c9 - Black Hat Asia 2018: Cryptomining on the Rise

Cryptomining comes in two variations:

  • Opt-in: the user specifically consents and takes action to allow their resources to be used for mining
  • Non-consensual: the user is not aware that an open browser session is utilizing their resources for mining purports to be explicitly opt-in, when reviewed in the Threat Grid Glovebox.

- 5ab53dc13b89b - Black Hat Asia 2018: Cryptomining on the Rise

The website uses a .js for the mining, the same method as non-consensual attacks. The script was downloaded into the Temporary Internet Files, without an opt-in.

- 5ab53def5d432 - Black Hat Asia 2018: Cryptomining on the Rise

Using the integrated threat intelligence, the same .js was seen as an artifact in other samples within Threat Grid, which were definitely non-consensual.

- 5ab53e1d54e96 - Black Hat Asia 2018: Cryptomining on the Rise

Other cryptomining and cryptocurrency domain activity included (links go to the Umbrella reports on the domains):

During the conference, Cisco Umbrella updated its Security – Prevent reporting in the Activity Volume, and now includes Cryptomining. Like many training events, we also saw a lot of Newly Seen Domains, created just for the excellent training. Total DNS requests for the conference were over 5.1 million.

- 5ab53ecbc3b4c - Black Hat Asia 2018: Cryptomining on the Rise

As in other conferences, the volume decreased during the Briefings and Business Hall vs. the Training days. Below is the distribution of the requests over the week.

- 5ab555cc0cef3 - Black Hat Asia 2018: Cryptomining on the Rise

Top Domains for the week:

- 5ab555f4c85aa - Black Hat Asia 2018: Cryptomining on the Rise

Top Categories for the week:

- 5ab5561f6df26 - Black Hat Asia 2018: Cryptomining on the Rise

Black Hat USA 2018 will be 4-9 August 2018. See you in Vegas!

And, if you are attending RSA Conference in San Francisco, 16-20 April 2018; the RSA and Cisco team who in the Black Hat NOC will be in the RSAC Security Operations Center (SOC).

At the SOC, you will receive a security briefing and have time for Q&A with RSA and Cisco engineers. Advanced registration is highly recommended. Please fill out the RSA SOC Tour Request Form to request your spot.


Source link


Please enter your comment!
Please enter your name here