Category Archives: cryptomining

Modular Plurox Backdoor Comes with Cryptomining, Worm-Like Plugins

A new modular backdoor detected as “Plurox” comes with multiple plugins that expand its capabilities to include cryptomining and worm-like behavior. In February 2019, Kaspersky Lab’s researchers first detected the backdoor. Their analysis revealed that the backdoor, written in C, arrived with debug lines. This suggests that the malware was still in testing at the […]

The post Modular Plurox Backdoor Comes with Cryptomining, Worm-Like Plugins appeared first on The State of Security.

Cisco Encrypted Traffic Analytics: Necessity Driving Ubiquity

In June 2017, Cisco announced the Encrypted Traffic Analytics (ETA) solution – a breakthrough technology stack that allows us to gain insight into encrypted traffic without decryption. That insight provides an unprecedented view into the use of encryption across your entire network and allows us to identify malware using those encrypted network connections.

Today, I want to give a summary of our work to date and explain some exciting new expansions to the solution. As the way organizations use encryption continues to change, with rising costs and fewer opportunities for inline decryption and inspection, Cisco ETA serves as an ideal addition to your detection arsenal and provides the security analytics you need to cover these critical gaps.

A Security Analytics and ETA Primer

Traditional network security systems detect malicious behavior by inspecting the network packet stream and matching it against a library of patterns that are known to indicate compromise. Security analytics, on the other hand, relies on advanced analytic techniques, including various forms of machine learning, applied to large volumes and varieties of telemetry and log data to detect threats.

ETA embodies that approach with the following elements:

  1. Specially designed metadata exported in telemetry from Cisco’s network element platforms
  2. Cisco Stealthwatch Enterprise to collect and analyze that telemetry for Cryptographic Audit (vulnerability discovery), threat investigation or hunting and malware detection using our multi-layer machine-learning engine.

This technology has the unique property of both allowing us to ensure the privacy of our most important business data and allowing us to detect malware that is using that same privacy to cover its tracks. As anyone who has been in the security industry for any amount of time knows, it is not often that you can satisfy both sides of that particular equation. Cisco Fellow David McGrew has a great discussion on this here.

What Have We Found?

We continue to have great success in our customer environments, and we can share the results of monitoring the Cisco Live USA 2018, Mobile World Congress 2018 and Mobile World Congress 2019 conferences. The categories of threats that the technology has detected in these and other environments include, but are not limited to:

  • Illicit Cryptomining
  • Android OS Trojans
  • Ad Injectors
  • SALITY malware
  • Malware using SMB service discovery
  • Potentially unwanted applications such as Tor and BitTorrent

In addition, we can share an evaluation from testing and certification from Miercom, where Cisco Encrypted Traffic Analytics showed as much as 36 percent faster rates of detection in the presence of the ETA telemetry and related analysis.

Extending the ETA Telemetry Sources

At launch, ETA telemetry was available from our family of campus switches:

  • Cisco Catalyst 9300 and 9400 Series

Following that, we extended that capability to the routing platforms that span the branch, WAN, and cloud:

  • Cisco Integrated Services Router (ISR) 4000, 1000 Series and the ISRv on ENCS 5000 series
  • Cisco Aggregation Service Router (ASR) 1000 Series
  • Cisco Cloud Services Router (CSR) 1000V

Today, we are happy to extend our telemetry coverage to the wireless network through instrumentation in our wireless LAN controllers:

  • Cisco Catalyst 9800 Series

We are really happy with our progress on giving our customers more comprehensive visibility, both north-south and east-west, across their networks from campus, branch, cloud, and WAN. Security analytics become more effective as we increase the variety and completeness of the telemetry, so we are aggressively seeking every opportunity to instrument your digital business. These newest additions are just the first steps, with much more to come!

ETA on the Stealthwatch Flow Sensor

This is the sort of expansion to the ETA solution that really gets me excited! If you did not already know, the Stealthwatch Flow Sensor is a packet sensing device that we use to extend the breadth and depth of visibility across the network.

It is really helpful in parts of the network that cannot natively produce telemetry. The canonical example of this is the traffic between virtual machines within a virtual machine server cluster (VMware or KVM). This traffic never hits a physical network, and the virtual network cannot be easily modified. The Flow Sensor can be dropped into that server cluster and produce telemetry that we never had before. We also provide appliance versions that can sit off a network TAP or mirror port.

For unencrypted traffic, the Flow Sensor already includes a high-speed DPI engine that can populate the telemetry with application identification and transaction metadata. Now, we have added ETA metadata to the telemetry export of the Flow Sensor which allows our security analytics to peer into those hard-to-reach areas of the network.

This is a fully baked-in feature of the Flow Sensor that will be available soon in the next software release, Stealthwatch 7.1. In other words, if you are an existing Flow Sensor customer, the ETA solution is just an upgrade away! And if you aren’t, now you can easily accelerate your ETA deployment to the entire network.

Security Analytics to Detect Cryptomining

We passionately believe that we need to keep turning the crank on making the most of the telemetry that we are collecting from across your digital business. Our multi-layer machine learning engine is a cloud-hosted service that we are constantly improving. Today, I’d like to highlight a recent and noteworthy addition.

Cryptomining is fast becoming the revenue stream of choice for many cyber criminals. It is far less visible to its targets and provides a more recurring revenue model than extortion techniques such as ransomware.

We have now deployed a new cryptomining classifier that uses the ETA data features to detect behavior specific to cryptomining and connections to cryptomining pools. The key point is that the classifier does not rely on external feeds or lists of IP addresses. Instead, it provides results with high precision and can distinguish between short-term and long-term mining activity based on network behavior alone. This is one of the many ways in which Stealthwatch applies security analytics to detect illicit cryptomining.

Automated ETA Deployment

We have been working hard on making our vision of intent-based networking a reality. A key part of that vision is the automation of tasks that do not require deep engineering oversight. That automation has now been extended to make it easier than ever before to configure and deploy Network-as-a-Sensor (NaaS) and Encrypted Traffic Analytics (ETA) within the network infrastructure and Stealthwatch.

Cisco Digital Network Architecture Center (Cisco DNA Center) is at the heart of this automation and will contain a provisioning service called Stealthwatch Security Analytics which provides a workflow that gets things up and running in just a few clicks.

The outline of the workflow goes something like this:

  • Register your Stealthwatch Management Console (SMC) with Cisco DNA Center so that it can understand your Stealthwatch Enterprise deployment
  • Automatic readiness check of the network elements based on required software, hardware, roles, and licenses, to identify which locations are ready to deploy
  • Select where to deploy by site, building, or even floor and then select where to send the telemetry. Perfect for when you have multiple Stealthwatch Flow Collectors
  • Schedule the roll out of the configuration changes
  • Visibility into the ongoing state of the deployment

The Stealthwatch Security Analytics service will be available in Cisco DNA Center 1.4.

Easily Ensure Cryptographic Compliance

We have also recently introduced the “ETA Cryptographic Audit” app within Stealthwatch that provides an assessment of the “quality” of encryption being used, which is helpful to audit cryptographic compliance. For example, using SSL or early TLS violates PCI compliance. It also helps to understand trends and changes in the amount and type of encryption.
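The kind of check such an audit performs, as an added example that is not Cisco's code: it parses a single TLS ServerHello record to recover the version the server actually negotiated (honouring the TLS 1.3 supported_versions extension, since a 1.3 server still writes 1.2 in legacy_version) and grades it. It assumes "early TLS" means TLS 1.0, treats TLS 1.1 as a migration warning, and the sample records are constructed rather than captured.

```python
import struct

# TLS version code points -> names (RFC 5246 / RFC 8446)
VERSION_NAMES = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1",
                 (3, 3): "TLS 1.2", (3, 4): "TLS 1.3"}
EXT_SUPPORTED_VERSIONS = 0x002B  # RFC 8446 extension type

def negotiated_version(record: bytes) -> tuple:
    """Return (major, minor) negotiated by the server from one ServerHello record.
    TLS 1.3 servers put 1.2 in legacy_version; supported_versions overrides it."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x02:
        raise ValueError("not a handshake record carrying a ServerHello")
    hs_len = int.from_bytes(record[6:9], "big")
    body = record[9:9 + hs_len]
    if len(body) < hs_len or hs_len < 38:
        raise ValueError("truncated ServerHello")
    version = (body[0], body[1])
    pos = 2 + 32                  # server_version, random
    pos += 1 + body[pos]          # session_id (length-prefixed)
    pos += 2 + 1                  # cipher_suite, compression_method
    if pos + 2 <= len(body):      # extensions block is optional before TLS 1.3
        end = min(pos + 2 + int.from_bytes(body[pos:pos + 2], "big"), len(body))
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            if ext_type == EXT_SUPPORTED_VERSIONS and ext_len == 2 and pos + 2 <= end:
                version = (body[pos], body[pos + 1])
            pos += ext_len
    return version

def audit(record: bytes) -> str:
    """Grade against the SSL/early-TLS rule: TLS 1.0 and below fail,
    TLS 1.1 is flagged for migration (our assumption), TLS 1.2+ pass."""
    v = negotiated_version(record)
    name = VERSION_NAMES.get(v, f"unknown {v}")
    if v < (3, 2):
        return f"FAIL {name}: SSL/early TLS"
    if v == (3, 2):
        return f"WARN {name}: migrate to TLS 1.2 or later"
    return f"OK {name}"

def build_server_hello(version: bytes, cipher: bytes, extensions: bytes = b"") -> bytes:
    """Constructed sample record for exercising the audit (not a real capture)."""
    body = version + bytes(32) + b"\x00" + cipher + b"\x00"
    if extensions:
        body += len(extensions).to_bytes(2, "big") + extensions
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16" + version + len(handshake).to_bytes(2, "big") + handshake
```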

What’s Next for ETA?

We are really excited by our progress-to-date and the expansions to the solution that I have discussed. I hope that this illustrates Cisco’s commitment to the Encrypted Traffic Analytics solution and more generally to security analytics as a first-class component of a security architecture.

We have much more that we are pushing through the R&D pipeline, especially when it comes to security monitoring and analytics of the cloud and in the cloud.

I cannot wait to give you all the next update on the exciting new features to come!


To learn more about Cisco Encrypted Traffic Analytics, go to


The post Cisco Encrypted Traffic Analytics: Necessity Driving Ubiquity appeared first on Cisco Blog.

Cryptojacking Up 4,000%: How You Can Block the Bad Guys

Think about it: In the course of your everyday activities — like grocery shopping or riding public transportation — the human body comes in contact with an infinite number of germs. In much the same way, as we go about our digital routines — like shopping, browsing, or watching videos — our devices can also pick up countless, undetectable pieces of malware or JavaScript that can infect them.

Which is why it’s possible that hackers may be using malware or script to siphon power from your computer — power they desperately need to fuel their cryptocurrency mining business.

What’s Cryptocurrency?

Whoa, let’s back up. What’s cryptocurrency and why would people rip off other people’s computer power to get it? Cryptocurrencies are virtual coins that have a real monetary value attached to them. Each crypto transaction is verified and added to the public ledger (also called a blockchain). The single public ledger can’t be changed without fulfilling certain conditions. These transactions are compiled by cryptocurrency miners who compete with one another by solving the complex mathematical equations attached to the exchange. Their reward for solving the equation is bitcoin, which in the crypto world can equal thousands of dollars.

Power Surge

Here’s the catch: To solve these complex equations and get to crypto gold, crypto miners need a lot more hardware power than the average user possesses. So, inserting malicious code into websites, apps, and ads — and hoping you click — allows malicious crypto miners to siphon power from other people’s computers without their consent.

While mining cryptocurrency can be a harmless hobby, when malware or site code is attached to drain unsuspecting users’ CPU power, it’s considered cryptojacking, and it’s becoming more common.

Are you feeling a bit vulnerable? You aren’t alone. According to the most recent McAfee Labs Threats Report, cryptojacking has grown more than 4,000% in the past year.

Have you been hit?

One sign that you’ve been affected is that your computer or smartphone may slow down or have more glitches than normal. Crypto mining code runs quietly in the background while you go about your everyday work or browsing, and it can go undetected for a long time.

How to prevent cryptojacking

Be proactive. Your first line of defense against a malware attack is to use a comprehensive security solution on your family computers and to keep that software updated.

Cryptojacking Blocker. This new McAfee product zeroes in on the cryptojacking threat and helps prevent websites from mining for cryptocurrency (see graphic below). Cryptojacking Blocker is included in all McAfee suites that include McAfee WebAdvisor. Users can update their existing WebAdvisor software to get Cryptojacking Blocker or download WebAdvisor for free.

[Graphic: Cryptojacking Rising]

Discuss it with your family. Cryptojacking is a wild concept to explain or discuss at the dinner table, but kids need to fully understand the digital landscape and their responsibility in it. Discuss their role in helping to keep the family safe online and the motives of the bad guys who are always lurking in the background.

Smart clicks. One way illicit crypto miners get to your PC is through malicious links sent in legitimate-looking emails. Be aware of this scam (and many others) and think before you click on any links sent via email.

Stick with the legit. If a website, an app, or pop-up looks suspicious, it could contain malware or JavaScript that starts mining the instant you load a compromised web page. Stick with reputable sites and apps and be extra cautious with how you interact with pop-ups.

Install updates immediately. Be sure to keep all your system software up-to-date when alerted to do so. This will help close any security gaps that hackers can exploit.

Strong passwords. These little combinations are critical to your family’s digital safety and can’t be ignored. Create unique passwords for different accounts and be sure to change out those passwords periodically.

To stay on top of the latest consumer and security threats that could impact your family, be sure to listen to our podcast Hackable? and like us on Facebook.

The post Cryptojacking Up 4,000%: How You Can Block the Bad Guys appeared first on McAfee Blogs.