Cisco Blogs



Bedep Lurking in Angler’s Shadows

This post is authored by Nick Biasini.

In October 2015, Talos released our detailed investigation of the Angler Exploit Kit which outlined the infrastructure and monetary impact of an exploit kit campaign delivering ransomware. During the investigation we found that two thirds of Angler’s payloads were some variation of ransomware and noted one of the other major payloads was Bedep. Bedep is a malware downloader that is exclusive to Angler. This post will discuss the Bedep side of Angler and draw some pretty clear connections between Angler and Bedep.

Adversaries continue to evolve and have become increasingly good at hiding the connections to the nefarious activities in which they are involved. As security researchers we are always looking for the bread crumbs that can link these threats together to try and identify the connections and the groups that operate them. This is one of those instances where a couple of crumbs came together and formed some unexpected connections. By tying together a couple of registrant accounts, email addresses, and domain activity, Talos was able to track down a group that has connections to threats on multiple fronts, including exploit kits, trojans, email worms, and click fraud. These activities all have monetary value, but unlike a ransomware payload with a specific cost to decrypt, they are difficult to quantify.


Simplifying Security Architectures with SAFE

Safe. The very sound of it resonates with security. It is with some irony that Cisco has decided to reuse the term. Why ironic? For one, there is the idea among security folk that in reality, nothing is entirely safe. Why would Cisco sell intrusion detection if no intruders can, well…intrude? For those of you who remember SAFE from the early days of Cisco, it might seem like a familiar friend that has grown up a bit. Cisco historians ask, “What does SAFE stand for?” In our underground tunnels that forge firewalls and FirePOWER, you might get responses such as “Security Architecture for Enterprise” or “Secure Architecture for Everything.” In truth, the meaning has been lost to the annals of time.

One thing that everyone can agree on is that security is growing more complex by the day. While attackers are developing more lucrative schemes and advanced threats, security professionals have been running faster and faster in a race to keep up. Most organizations have deployed security technologies across some combination of networks, endpoints, web and email gateways, virtual systems, mobile devices, and the cloud. But how do we know that we have all of the right capabilities at the right places across the extended network? This is where SAFE comes in.

SAFE simplifies security.


The Internet of Things Is Not Always So Comforting

Over the past few years, the Internet of Things (IoT) has emerged as reality with the advent of smart refrigerators, smart HVAC systems, smart TVs, and more. Embedding internet-enabled devices into everything presents new opportunities in connecting these systems to each other, making them “smarter,” and making our lives more convenient than ever before.

Despite the new possibilities, there are major concerns about the IoT which inspire a legitimate question: “What happens if it’s not ‘done right’ and there are major vulnerabilities with the product?”

The unfortunate truth is that securing internet-enabled devices is not always a high priority among vendors and manufacturers. Some manufacturers do not have the necessary infrastructure to inform the public about security updates or to deliver them to devices. Other manufacturers are unaccustomed to supporting products past a certain time, even if a product’s lifespan may well exceed the support lifecycle. In other cases, the lack of a secure development lifecycle or of a secure public portal for reporting security defects makes it nearly impossible for researchers to work with a vendor or manufacturer. These problems expose users and organizations to greater security risks and ultimately highlight a major problem with the Internet of Things.

What does this mean for the average user? For starters, a smart device on their home or office network could contain unpatched vulnerabilities. Adversaries attacking the weakest link could exploit a vulnerable IoT device, then move laterally within an organization’s network to conduct further attacks. Additionally, patching vulnerable devices can be complicated, if not impossible, for the average user or for those who are not technically savvy. For organizations that maintain large numbers of IoT devices on their network, there may be no scalable way to update those devices, creating a nightmare scenario.


Vulnerability Spotlight: Libgraphite Font Processing Vulnerabilities

Vulnerabilities Discovered by Yves Younan of Cisco Talos.

Talos is releasing an advisory for four vulnerabilities that have been found within the Libgraphite library, which is used for font processing in Linux, Firefox, OpenOffice, and other major applications. The most severe vulnerability results from an out-of-bounds read which the attacker can use to achieve arbitrary code execution. A second vulnerability is an exploitable heap overflow. Finally, the last two vulnerabilities result in denial of service situations. To exploit these vulnerabilities, an attacker simply needs the user to run a Graphite-enabled application that renders a page using a specially crafted font that triggers one of these vulnerabilities. Since Mozilla Firefox versions 11-42 directly support Graphite, the attacker could easily compromise a server and then serve the specially crafted font when the user renders a page from the server (since Graphite supports both local and server-based fonts).

In this post, we will discuss the following vulnerabilities:

  • CVE-2016-1521
  • CVE-2016-1522
  • CVE-2016-1523
  • CVE-2016-1526


Cisco Hosting Amsterdam 2016 FIRST Technical Colloquium

We’d like to announce a “Save the Date” and “Call for Speakers” for the FIRST Amsterdam Technical Colloquium (TC) 2016. The event, hosted by Cisco Systems in Amsterdam, Netherlands, will be a plenary-style conference held on the 19th and 20th of April 2016.

Event registration is open now. This will be a free event with no registration charges (although registration is required). This event will be open to all (not just FIRST members). Please register here.

A list of recommended hotels and travel information is available on our website.

Call for Speakers

FIRST is looking for speakers that would like to present at this Technical Colloquium. This is a GREAT opportunity to give something back to FIRST and the industry, while practicing your speaking skills and sharing your hard work.
