In the past few years, the security industry has invested heavily in the detection and containment of attacks and breaches as a primary focus of innovation. To help protect Cisco, its customers, products, services and partners, we have embarked on a journey to build security and trust into every aspect of our business, including the culture of our workplace itself. The rapid evolution of the threat landscape has made this trust journey a necessity. Exploits are more frequent, better financed, more sophisticated and are causing more damage. Technology shifts like mobility and BYOD are the new normal and have resulted in more points of access for malware, resulting in a larger attack surface. In order to be more effective against the broad range of security threats, the industry must focus on foundational security being present in critical systems. By ensuring that trustworthiness is built into the technology, processes and policies involved in your IT systems, you can reduce risk and the attack surface while enabling more effective overall security.
Threat Spotlight: Cisco Talos Thwarts Access to Massive International Exploit Kit Generating $60M Annually From Ransomware Alone
Today, Cisco struck a blow to a group of hackers, disrupting a significant international revenue stream generated by the notorious Angler Exploit Kit. Angler is one of the largest exploit kit found on the market and has been making news as it has been linked to several high-profile malvertising/ransomware campaigns. This is the most advanced and concerning exploit kit on the market – designed to bypass security devices and ultimately attack the largest number of devices possible.
In its research, Cisco determined that an inordinate number of proxy servers used by Angler were located on servers of service provider Limestone Networks — with the primary threat actor responsible for up to 50 percent of Angler Exploit Kit activity, targeting up to 90,000 victims a day, and generating more than $30M annually. This implies that if you apply the full scope of Angler activity the revenue generated could exceed $60M annually. Talos gained additional visibility into the global activity of the network through their ongoing collaboration with Level 3 Threat Research Labs. Finally, thanks to our continued collaboration with OpenDNS we were able to gain in-depth visibility into the domain activity associated with the adversaries.
Cisco then took action:
- Shutting down access for customers by updating products to stop redirects to the Angler proxy servers.
- Released Snort rules to detect and block checks from the health checks
- All rules are being released to the community through Snort
- Publishing communications mechanisms including protocols so others can protect themselves and customers.
- Cisco is also publishing IoCs so that defenders can analyze their own network activity and block access to remaining servers
This is a significant blow to the emerging hacker economy where ransomware and the black market sale of stolen IP, credit card info and personally identifiable information (PII) are generating hundreds of millions of dollars annually.
Watch Angler compromise a box and install ransomware at the end of the video.
Cisco is committed to protecting customers by sharing critical security-related information in different formats. Guided by customer feedback, Cisco’s Product Security Incident Response Team (PSIRT) is seeking ways to improve how we communicate information about Cisco product vulnerabilities to our Customers and Partners. As John Stewart mentioned on his blog post, the Cisco PSIRT has launched a new and improved security vulnerability disclosure format. The new Cisco Security Advisories can be accessed at http://www.cisco.com/go/psirt and at http://cisco.com/security
The intent is to make it easier for Customers and Partners to access information about all security vulnerabilities in Cisco products. Each vulnerability disclosed through our new security advisories are assigned a Common Vulnerability and Exposures (CVE) identifier to aid in identification. Additionally, Cisco will continue to assess all vulnerabilities using the Common Vulnerability Scoring System (CVSS). Check out the sites for CVE, CVSS, and this CVSS scoring calculator if these terms are relatively new to you or you simply need a refresher.
With security threats evolving at a staggering pace, we’re hearing from our customers that their network administrators are often finding it difficult to keep up. They are challenged to make informed decisions quickly enough and prioritize their responses to incoming threats. Not surprising since with each new threat and the related vulnerabilities IT leaders are faced with several questions:
- Where do I go to find information?
- Which information is for background and which requires immediate action?
- What has changed since the original publication?
- Does this apply to my network of devices?
- What resources should I go to for prevention, detection and remediation?
We are constantly looking at ways to help our customers and partners reduce the time it takes to mitigate security breaches so I’m pleased to announce a new and improved security vulnerability disclosure format for Cisco Security Advisories that should make it much easier for administrators to understand and respond to threats.
Talos is disclosing the discovery of an exploitable buffer overflow vulnerability in the the MiniUPnP library TALOS-2015-0035 (CVE-2015-6031). The buffer overflow is present in client-side XML parser functionality in miniupnpc. A specially crafted XML response can lead to a buffer overflow, on the stack, resulting in remote code execution.
This miniupnpc buffer overflow is present in client-side part of the library. The vulnerable code is triggered by an oversized XML element name when applications using miniupnpc library are doing initial network discovery upon startup, while parsing the replies from UPNP servers on the local network.
MiniUPnP is commonly used to allow two devices which are behind NAT firewalls to communicate with each other by opening connections in each of the firewalls, commonly known as “hole punching”. Various software implementations of this technique enable various peer-to-peer software applications, such as Tor and cryptocurrency miners and wallets, to operate on the network.
When parsing the UPNP replies, the XML parser is initialized and `parsexml()` function is called: