SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: New botnet supports cryptocurrency mining for Monero
Description: Cisco Talos recently discovered a complex campaign employing a multi-modular botnet with multiple ways to spread and a payload focused on providing financial benefit to the attacker by mining the Monero cryptocurrency. Prometei employs various methods to spread across the network, such as SMB with stolen credentials, PsExec, WMI and SMB exploits. The adversary also uses several crafted tools that help the botnet increase the number of systems participating in its Monero-mining pool. Apart from a strong focus on spreading across the environment, Prometei also tries to recover administrator passwords. The discovered passwords are sent to the C2 and then reused by other modules that attempt to verify the validity of the passwords on other systems over the SMB and RDP protocols.
References: https://blog.talosintelligence.com/2020/07/prometei-botnet-and-its-quest-for-monero.html
Snort SIDs: 54610 - 54612
Title: Attackers exploit high-severity vulnerability in Cisco Adaptive Security Appliance
Description: Cisco warned users that attackers are actively exploiting a vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software that could allow an unauthenticated, remote attacker to conduct directory traversal attacks and read sensitive files on a targeted system. The vulnerability exists because the software performs improper input validation on URLs in HTTP requests, which an adversary can abuse to carry out directory traversal attacks.
References: https://threatpost.com/attackers-exploiting-high-severity-network-security-flaw-cisco-warns/157756/
Snort SIDs: 54598 - 54601