Cisco Blogs


Cisco Blog > Threat Research

Rigging compromise – RIG Exploit Kit

This Post was Authored by Nick Biasini, with contributions by Joel Esler

Exploit Kits are one of the biggest threats that affects users, both inside and outside the enterprise, as it indiscriminately compromises simply by visiting a web site, delivering a malicious payload. One of the challenges with exploit kits is at any given time there are numerous kits active on the Internet. RIG is one of these exploit kits that is always around delivering malicious payloads to unsuspecting users. RIG first appeared in our telemetry back in November of 2013, back then we referred to it as Goon, today it’s known as RIG.

We started focusing on RIG and found some interesting data similar to what we found while analyzing Angler. This post will discuss RIG, findings in the data, and what actions were taken as a result.

The Exploit Kit Overview

RIG compromises users like any exploit kit. It starts with a user being redirected to a landing page. This is done via malicious iframes or malvertising and looks similar the following:

It begins with an initial link to a javascript:

Redirection

Read More >>>

Tags: , ,

Protecting the Video Headend and Data Center Infrastructure

George Tupy’s recent blog described how the growth of cloud and over the top (OTT) video presents a massive market opportunity for service providers to deliver video content anytime, anywhere, and on any screen. He also discussed how open IP networks and cloud-based delivery methods introduce new security vulnerabilities. To add fuel to the fire, content and customer data is often stored together inside the video headend and data centers making it more easily accessed by attackers. They can disrupt operations by launching denial of services (DoS) attacks, target your authorized users to gain access to your corporate network to steal, modify video content directly on your video headend, or even siphon out valuable customer and billing data. Theft of credit card numbers or customer identity information hurts your customers and damages your reputation in the industry.

Now the good news: Cisco has the security solutions to protect your video content and broadcast infrastructure so you can focus on developing premium content and services for your subscribers.

Imagine your video infrastructure protected by the leader in data center security. Envision multilayered solutions working together to ensure your content, services, and business are protected from advanced cyber threats – across the attack continuum – before, during and after an attack.

Cisco solutions address advanced threats

 

Before

Our Next-Generation Firewalls use granular access control and identity checks. This strengthens your network perimeter and locks your video headend and data centers to defend before an attack happens.

During

When an attacker tries to compromise your business – through the network, web, or email – our integrated Next-Generation Intrusion Prevention System (NGIPS), Distributed Denial of Service (DDoS), and Web and Email Security Solutions engage threats as they happen.

After

If malware does manage to get in, Advanced Malware Protection (AMP), Network Behavioral Analysis, and sandboxing solutions have you covered.  These solutions continuously scan traffic and files to find threats before they become active. If malware does become active, we can isolate the threat and remediate the infection to bring you back online quickly.

Cisco brings a wealth of robust security solutions to provide comprehensive protection across your headend infrastructure and corporate IT systems. Security Services are also available to help you design, implement, and manage your security each step of the way and ensure you have the best protection across your business.

For more detailed product information, see Cisco’s Secure Data Center Solution. For a compelling deployment story, read how Cisco’s security solution was deployed to help fortress BT against growing cyber threats. You can also learn more on how Sky has chosen to implement Cisco’s comprehensive VideoGuard Everywhere software security solution for its next generation home entertainment system.

Tags: , , ,

Security Insights with British Telecom

The explosive growth of video, mobility, Internet-of-Things, and cloud services has brought about enormous business opportunities. Service Providers are adopting open and programmable network architectures that increase business agility and lower costs. However, adversaries are increasingly exploiting the growing attack surface presented by these new services and expanded network connections.

British Telecom, the largest service provider in the UK, has recently announced a partnership with Cisco to deliver threat-centric security solutions based on our joint expertise and leadership. By partnering with Cisco, BT will strengthen network and advanced threat protection capabilities and automate its threat intelligence to detect, analyze and remediate attacks, while providing the same security capabilities in offerings to their customers, with BT Assure Cyber, BT’s Managed Security Portfolio.

I recently had the opportunity to sit down with Les Anderson, VP of BT Cyber, and ask him how BT manages security to protect their networks and their customers and to get his take on our new partnership.

Sam Rastogi – Cisco Security: What changes in the threat landscape are you observing?
Les Anderson: Over the last 13 months, BT has experienced a 1,000% increase in threats. We’ve seen our networks targeted in ways that we haven’t seen before. There is unprecedented speed in the innovation, resiliency and evasiveness of cyber attacks.

CS: How do you counter these threats?
LA: Partnership with Cisco for threat-centric security and consolidating where it makes sense for our business and our customers.

CS: What security technologies are top of mind for you?
LA: We need threat-centric technologies that are able to stop threats. We look to solutions, such as ASA with FirePOWER Services, Advanced Malware Protection (AMP), and Next-Generation IPS (NGIPS) – all, working together. They amount to a differentiated capability in the market – to see and stop more threats for us and our customers.

CS: How do you view security as a growth engine for organizations?
LA: BT doesn’t compromise when it comes to prioritizing our own cybersecurity; security can be a growth engine for business like BT to take full advantage of today’s opportunities to be more productive, make organizations more efficient and customers happier by keeping systems — both ours and our customers — secure.  By relying on threat-centric security, we’re thus able to focus on our core business goals, making security a differentiator. Investing in security in turn inspires further trust in doing business with us and with our customers.

CS: Why did you choose to partner with Cisco? And why now?
LA: Cisco has made smart security acquisitions and technology innovations that provide a significant differentiation in the market. I’m seeing that Cisco has the ability to deploy security products into SDN and virtualized environments to unlock additional value that is critical to security. Lastly our joint portfolio has allowed us to sell the largest cyber strategic security capability globally to a nation state. This is all possible with the strong partnership we have in place together.

Watch this video to learn how BT is taking advantage of security solutions from Cisco to protect its own environment and its customers:

Tags: , , ,

New Cisco AnyConnect Network Visibility Module App for Splunk

Users on the network are an important layer of an organization’s security strategy – and a particularly vulnerable one. In fact, a recent IBM cybersecurity report found that human error was a contributing factor in 95% of all security incidents! It is critical to know what users are doing on the network, especially since some potential high-risk behaviors like data disclosure and shadow IT may not trigger current security layers (e.g. malware protection).

Cisco AnyConnect Network Visibility Module (NVM) empowers organizations to see endpoint and user behavior on their network. Cisco AnyConnect NVM collects flows from endpoints (e.g., laptops) both on and off-premise along with additional context like users, applications, devices, locations and destinations.  Now, IT administrators can use Splunk Enterprise to analyze and correlate this rich data with the new  Cisco AnyConnect Network Visibility (NVM) App for Splunk, which  provides collection and reporting of flows generated by the Cisco AnyConnect NVM endpoint sensor technology.

Read More »

Tags: , , , , ,

Update for Customers

Following a recent Juniper security bulletin discussing unauthorized code, we have fielded a number of related questions from our customers. Being trustworthy, transparent, and accountable is core to our team, so we are responding to these questions publicly.

First, we have a “no backdoor” policy and our principles are published at trust.cisco.com

Our development practices specifically prohibit any intentional behaviors or product features designed to allow unauthorized device or network access, exposure of sensitive device information, or a bypass of security features or restrictions. These include, but are not limited to:

  • Undisclosed device access methods or “backdoors”.
  • Hardcoded or undocumented account credentials.
  • Covert communication channels.
  • Undocumented traffic diversion.

Second, we have no indication of unauthorized code in our products.

We have seen none of the indicators discussed in Juniper’s disclosure. Our products are the result of rigorous development practices that place security and trust at the fore. They also receive continuous scrutiny from Cisco engineers, our customers, and third party security researchers, contributing to product integrity and assurance.

Third, we have initiated an additional review of our products for similar malicious modification.

Although our normal practices should detect unauthorized software, we recognize that no process can eliminate all risk. Our additional review includes penetration testing and code reviews by engineers with deep networking and cryptography experience. We are tracking the case as PSIRT-0551621891, and will release any findings in accordance with our Security Vulnerability Policy.

Fourth, we initiated this additional review of our own accord.

Cisco launched the review because the trust of our customers is paramount. We have not been contacted by law enforcement about Juniper’s bulletin, and our review is not in response to any outside request. We are doing this because it’s the right thing to do.

Finally, we will investigate all credible reports and disclose findings with customer implications.

We ask all our customers and others to report any suspected vulnerabilities to the Cisco PSIRT for immediate investigation. Consistent with our long-standing process, we will manage and disclose results under the terms of our Security Vulnerability Policy.

Please see more information at our Trust & Transparency Center. Customers with additional questions can contact the Cisco PSIRT at psirt@cisco.com, referencing case: PSIRT-0551621891.

Tags: , , ,