Cisco Blogs


Cisco Blog > Security

New Fake UPS Malware Email Campaign

We have detected evidence of a malware distribution campaign using messages masquerading as UPS delivery notification emails. These campaigns attempt to deceive the targets into thinking they are receiving mail from a trusted sender in order to dupe the recipient into installing malware, possibly for financial gain. Once the initial attack vector is installed, further malware may be distributed.

This  appears to be part of the same campaign seen by MalwareMustDie (http://pastebin.com/n244xN32) and uses the email subject “UPS Delivery Notification Tracking Number”. We have seen a limited number of customers receiving this spam starting yesterday (Tue Nov 5), suggesting that this is a fairly low volume campaign (at the moment). The message contains an attachment with a filename such as “invoiceU6GCMXGLL2O0N7QYDZ” and extension .txt or .doc which is a disguised rtf file.

Section of the mail attachment containing rtf objocx tag

Section of the mail attachment containing rtf objocx tag

According to our analysis the malware attempts to download additional files by exploiting CVE-2012-0158 affecting old versions of Microsoft Office, which is detected by Cisco IPS signature 1131 and is available as a Metasploit module. In this case the malware being distributed seems to be a form of ransomware. Ransomware typically encrypts files on an infected machine and requires the user to pay for the release of their data. This particular piece of ransomware appears to be distinct from the samples we have been seeing as part of the Cryptolocker campaign, but comes in the wake of increased interest and discussion of this kind of attack.

    Attached malware making a request to the control server at 199.16.199.2

Attached malware making a request to the control server at 199.16.199.2

As ever, users should remain vigilant when opening email links and attachments, and be wary of a message purporting to be an automated order confirmation from a company such as FedEx and UPS, as this is a common tactic which has also been identified as a possible method for distributing Cryptolocker.

Additional analysis of this attack can be found here: http://bartblaze.blogspot.com/2013/11/latest-ups-spam-runs-include-exploits.html

Malicious rtf:   7c2fd4abfe8640f8db0d18dbecaf8bb4

Downloaded exe:     e5e1ee559dcad00b6f3da78c68249120

 

Thanks to Cisco researchers Craig Williams and Martin Lee for assistance with this post.

 

Tags: , ,

Security Drives Major Transition in the Network and Data Center

Today, rapid changes in the world we live in, driven by technology trends, business model changes and market transitions, like the Internet of Everything, profoundly impact our networks and our data centers. With the advent of all of these new capabilities, we have created a new paradigm for security—it is what I refer to as the “Any to Any” Problem. That is, any user on any device increasingly going over any type of connection, to any application, that could be running in any data center and on any cloud. Regardless of how or where our users are connecting, we have to provide the right levels of inspection and protection against malicious actors.

Today, Cisco is announcing the new Application Centric Infrastructure (ACI) designed to seamlessly integrate layer 4 through layer 7—and security, in particular—into next generation Data Center environments. As part of this framework, we are announcing ACI Security Solutions, which support next generation Cisco ASA physical and virtual firewall technologies by stitching them directly into the ACI network fabric, and can be managed using the ACI Policy Infrastructure Controller management tool.

The Cisco ASA 5585-X Series Next-Generation Security Appliance has been updated and certified to interoperate with the new Nexus 9000 switches—whether they are deployed in traditional or ACI modes. The new Cisco ASA Virtual Firewall (ASAv) performs the same functions as any ASA appliance. However, unlike an ASA 1000v Cloud Firewall, the ASAv maintains its own data path. This allows it to work with any virtual switch and it will be available on multiple hypervisors.  Read More »

Tags: , , , , ,

The Internet of Everything Including Security

It’s one thing to say that by 2020 the world will host 50 Billion Internet Protocol-connected devices. It’s even more amazing that the planet’s number of Internet-connected devices already exceeds the human population. So how do we secure tens of billions of devices when we know that the vast majority of them will not possess sufficient memory and processing power to accommodate conventional anti-malware or other security software? Two things are clear to me. We need to build security into Internet of Things solutions from the beginning, and that the network is the only option we have to bring security visibility and control to this new universe of connected devices.

The Internet of Things is going to transform the world, but unless we act to secure it now we will find ourselves asking at some future date whether it was worth doing in the first place. I don’t claim to have all the answers in the video post here, but we need to start asking the right questions about securing the Internet of Things now.

Tags: , , , , ,

Massive Increase in Reconnaissance Activity – Precursor to Attack?

Update 2013-11-12Watch our youtube discussion

Update 2013-11-05: Upon further examination of the traffic we can confirm that a large percentage is destined for TCP port 445. This is indicative of someone looking for nodes running SMB/DCERPC. With that in mind it is extremely likely someone is looking for vulnerable windows machines or it is quite possible that the “soon to be” attackers are looking for boxes compromised by a specific malware variant.

On 2013-11-02 at 01:00 UTC Cisco saw a massive spike in TCP source port zero traffic for three hours. This was the largest spike of reconnaissance activity we’ve seen this year. TCP source port zero is a reserved port according to the RFC and it should not be used. Customers who see port zero activity on their network should consider the traffic suspicious and investigate the source.

pscan

This graph displays the magnitude of the number of sensors logging this activity. Normally we see a magnitude of less than 20, this increased five fold on 2013-11-02. There was also an associated massive increase in the volume of traffic observed by signature 24199-0.

Read More »

Tags: , , ,

Education Embraces the Mobility Excitement

Let’s examine and consider mobile devices in education. Students need to become more tech savvy to compete in today’s economy, and mobile devices offer supplemental learning and a new style to learn. A recent report noted that educators see great potential in mobile technology for transforming learning. The most commonly expected and desired benefits are that mobile technology is engaging for students (62 percent of respondents) and that the devices can be used to personalize instruction to meet the needs of different students. There is no question educational institutions need to seize this mobility trend for better learning and to ensure our next generation is tech savvy.

Does your child’s school provide mobile devices for their learning or does it require your child to bring their own mobile device? I know in my case, my son’s school has a bring your own device (BYOD) policy. Yet some schools, whether higher education or primary or secondary schools, have made the decision to buy mobile devices for their student population. According to the Wall Street Journal, the Los Angeles Unified School District, the second largest district in the United States, headed down this path to offer all students and teachers Apple iPads — only to find some challenges like unseen costs, secure access issues, and unclear policies. Others, like Bucks County School District in Pennsylvania and McAllen School District in Texas, have enjoyed the benefits of providing mobile device usage (whether BYOD or school sanctioned) in a simple and secure manner in the education environment by leveraging Cisco infrastructure.

The use of mobile devices by young children, whether it be for education or entertainment, has soared. A new report from Common Sense Media, a child-advocacy group based in San Francisco, found that 17 percent of children 8 and younger use mobile devices daily, up from 8 percent in 2011. I am guessing that education and entertainment will continue to drive this number each year. What is your opinion on schools using mobile devices? Is this the shiny new penny to improve our education systems? And as an IT professional, what is your experience with the mobility and secure access considerations?

Tags: , ,