This post was authored by Earl Carter & Jaeson Schultz.
Talos is always fascinated by the endless creativity of those who send spam. Miscreants who automate sending spam using botnets are of particular interest. Talos has been tracking a spam botnet that over the past several months that has been spamming weight loss products, male erectile dysfunction medication, and dating/casual sex websites. These are all typical products one would expect to be purveyed through spam. What interests us about this spam are some of the ways the spam is constructed to try and evade detection (a.k.a. spam filters).
Beginning in March, Talos noted an absolute explosion in the usage of link shortening services in spam. After looking into the cause we found botnet ‘unknown2250’, as it is called by the Composite Block List (CBL), to be one of the primary parties responsible for this massive increase.
Click For Larger Image
Read More »
Tags: spam, Talos, Threat Research
This post was authored by Cisco CSIRT’s Robert Semans, Brandon Enright, James Sheppard, and Matt Healy.
In late 2013–early 2014, a compromised FTP client dubbed “StealZilla,” based off the open source FileZilla FTP client was discovered. The attackers modified a few lines of code, recompiled the program, and disbursed the trojanized version on compromised web servers. This new attack appears to involve the same actors who reused the same techniques to alter the source code of the widely used open source Telnet/SSH client, PuTTY, and used their network of compromised web servers to serve up similar fake Putty download pages. This new campaign is like the StealZilla campaign in almost every way. Read More »
Tags: CSIRT, security
There’s a lot of hype around securing the Internet of Things (IoT). At the end of the day, I suggest that a more reasoned approach is in order. Securing the IoT will not be achieved by frantic worry about the volume of endpoints. Myopic focus on the volume of devices in an IoT ecosystem can lead to an important misstep: forgetting that it’s the Internet of Things. That means that all this data is passing through the network. Therefore, tackling security can only occur with diligent attention to the core of the IoT, namely, the network stack. In that way security can become as pervasive as the IoT itself.
I recently had the privilege of participating in a panel discussion at LiveWorx’s CXO Forum on Securing the IoT. Here are two predictions with respect to the IoT and security that I shared with the audience and my co-panelists at the event:
- Access and identity management will be critical in an IoT ecosystem. However, the username and password won’t be part of tomorrow’s approach: the password will die – and soon. It’s not radical to point out that passwords are insufficient on their own for authenticating access to sensitive data. I don’t think that means we’re going to go immediately to 21 levels of authentication, for example. We do need a human factor, and it can be biometric, or it can be at an endpoint. We’re familiar with straightforward biometrics such as the iPhone’s fingerprint scan, but there are also newer methodologies that track the exact way a human swipes a smartphone screen. We can leverage technologies such as this to enhance security in the IoT and its member devices.
- Our industry must work together in public-private partnerships to put a stop to the proliferation of regulations – country by country or region by region – that are creating a tangled web of laws, regulations, and guidelines around security. Conflicting guidance, standards, and regulations cause confusion rather than clarity. International standards bodies and government regulators should consider removing territorial blinders and revisiting the real mission: ensuring, to the greatest extent possible, that information and communications technology (ICT) are genuine and free from compromise and will not permit control over the operations for which they are used.
While strong international standards for IoT security and new authentication methods are just two pieces of the larger puzzle that will make IoT more secure, they are essential pieces. We at Cisco are working to make inroads in both these areas. Stay tuned.
Tags: internet of things, IoT, security
Today, Microsoft has released their monthly set of security bulletins designed to address security vulnerabilities within their products. This month’s release sees a total of 13 bulletins being released which address 48 CVEs. Three of the bulletins are listed as Critical and address vulnerabilities in Internet Explorer, GDI+ Font Parsing, and Windows Journal. The remaining ten bulletins are marked as Important and address vulnerabilities in Microsoft Office, Sharepoint, .NET, Silverlight, Service Control Manager, Windows Kernel, VBScript/JScript, Microsoft Management Console, and Secure Channel.
Read More »
Tags: 0-day, coverage, ms tuesday, rules, security, Talos
Macro malware is a good example of malware writers and distributors using old tricks that most users have forgotten to spread malware. Unlike earlier macro malware, these macros don’t infect other documents but download password stealing trojans and install them on targets. Macro malware typically arrives via email with an attachment that contains a macro-based phishing attack in the form of an MS Office document (usually Word or Excel). The malicious code is written using the older Visual Basic for Applications (VBA) scripting language.
What makes the current versions of macro malware particularly dangerous is that the code is often heavily obfuscated, making detection difficult. Furthermore, once the document is opened and macros are enabled, the malware installs and begins to monitor Internet Explorer, Chrome, and Firefox browser activities with the capability of grabbing screenshots and logging keystrokes. The attacker’s ultimate goal is stealing these login credentials that give access to corporate and financial data.
Distribution of malware by email using malicious Word and Excel files containing macros is on the rise. Popular malware used by cyber criminals including Dridex, Vawtrack, Betabot, and Rovnix have been distributed using this tactic. Based on data analyzed by Cisco Managed Threat Defense Team, email attacks where macros are the method of infection are up 50% from February and have more than doubled since October of last year.
Email Attacks per Month
Keep reading to learn more about Email Attacks Using Malicious Macros
Tags: cisco mtd, FireAMP, macro malware, Managed Threat Defense, MTD, ThreatGRID