Cisco Blogs


Cisco Blog > Security

Attackers Slipping Past Corporate Defenses with Macros and Cloud Hosting

Macro malware is a good example of malware writers and distributors using old tricks that most users have forgotten to spread malware. Unlike earlier macro malware, these macros don’t infect other documents but download password stealing trojans and install them on targets. Macro malware typically arrives via email with an attachment that contains a macro-based phishing attack in the form of an MS Office document (usually Word or Excel). The malicious code is written using the older Visual Basic for Applications (VBA) scripting language.

What makes the current versions of macro malware particularly dangerous is that the code is often heavily obfuscated, making detection difficult. Furthermore, once the document is opened and macros are enabled, the malware installs and begins to monitor Internet Explorer, Chrome, and Firefox browser activities with the capability of grabbing screenshots and logging keystrokes. The attacker’s ultimate goal is stealing these login credentials that give access to corporate and financial data.

Distribution of malware by email using malicious Word and Excel files containing macros is on the rise. Popular malware used by cyber criminals including Dridex, Vawtrack, Betabot, and Rovnix have been distributed using this tactic. Based on data analyzed by Cisco Managed Threat Defense Team, email attacks where macros are the method of infection are up 50% from February and have more than doubled since October of last year.

email-attacks-per-month-clustered

Email Attacks per Month

Keep reading to learn more about Email Attacks Using Malicious Macros

Tags: , , , , ,

On Letting Uniqueness Shine

I am often asked about how I transitioned from a music teacher to a Data Privacy and Compliance Leader. Reflecting on my journey over the last 15 years, I have realized that it’s the same strengths that I demonstrated as a music teacher that have contributed to my success in the high tech sector. One of the lessons I learned is trying to turn weaknesses into strengths doesn’t work for me. Focusing on my core strengths regardless of which sector I work in is what enables me to achieve my best results. I encourage you to do the same as too often we don’t focus enough on our strengths and what sets us apart. Here’s what’s worked for me: Read More »

Tags:

Industrial Cybersecurity and Service Delivery Don’t Need to Be Mutually Exclusive

Industrial control system (ICS) operators and owners have found themselves in an unenviable position. Once air-gapped, serial-based critical industrial control systems are now becoming more and more connected. And while many of the systems themselves have not changed, the networking world around them has changed dramatically, introducing vulnerabilities and threats that had been nearly non-existent ten or 20 years ago. Each networked connection from the control network to the corporate network is another potential avenue of attack. Control networks are designed to be static and predictable, but more and more commercial off-the-shelf applications and operating systems, as well as routable protocols, are now being introduced. This is creating more complexity with no greater visibility leaving operators blind to what is on their networks.

Read More »

Tags: , ,

Threat Spotlight: Rombertik – Gazing Past the Smoke, Mirrors, and Trapdoors

This post was authored by Ben Baker and Alex Chiu.

Executive Summary

Threat actors and security researchers are constantly looking for ways to better detect and evade each other.  As researchers have become more adept and efficient at malware analysis, malware authors have made an effort to build more evasive samples.  Better static, dynamic, and automated analysis tools have made it more difficult for attackers to remain undetected. As a result, attackers have been forced to find methods to evade these tools and complicate both static and dynamic analysis.

Table of Contents
Executive Summary
The 10,000 Foot View at Rombertik
Analysis
A Nasty Trap Door
The Actual Malware
Coverage and Indicators of Compromise
Conclusion

It becomes critical for researchers to reverse engineer evasive samples to find out how attackers are attempting to evade analysis tools. It is also important for researchers to communicate how the threat landscape is evolving to ensure that these same tools remain effective. A recent example of these behaviors is a malware sample Talos has identified as Rombertik. In the process of reverse engineering Rombertik, Talos discovered multiple layers of obfuscation and anti-analysis functionality. This functionality was designed to evade both static and dynamic analysis tools, make debugging difficult. If the sample detected it was being analyzed or debugged it would ultimately destroy the master boot record (MBR).

Talos’ goal is to protect our customer’s networks.  Reverse engineering Romberik helps Talos achieve that goal by better understanding how attackers are evolving to evade detection and make analysis difficult.  Identifying these techniques gives Talos new insight and knowledge that can be communicated to Cisco’s product teams.  This knowledge can then be used to harden our security products to ensure these anti-analysis techniques are ineffective and allow detection technologies to accurately identify malware to protect customers. Read More »

Tags: , , , , ,

The Cisco Security Dojo

Over the past three years, Cisco has invested in the creation of an application security awareness program. The program helps the good citizens of this company understand, apply, and act upon a strategy to build more trustworthy products. We launched the existence of the program to the world at the RSA Conference 2015. I am sharing this with you because we’ve created something unique to the industry, and we want to encourage other companies to pursue the creation of an application security awareness program.

When you think about security awareness, do you envision phishing e-mails, Nigerian princes, and tailgating cyber criminals? Security vulnerabilities are a fact of life, but we can help our organizations develop a greater level of understanding and a desire to put security first in their development efforts. At Cisco, we believe that security awareness training should feature traditional training about crazy links you should not click under any circumstances and how to stop strangers from entering your buildings, as well as application security awareness. Application security awareness, when done well, can drive security culture change to make a company and its products and solutions safer. Moving an organization to focus on security is possible, because we have done it.

Enough talking about it, please take a sneak peek at how we do it here in this video.

Read More »

Tags: , ,