While “SYNful Knock” is the latest identified malware targeting Cisco devices running Cisco IOS, we have identified and investigated six other malware incidents during the last four years that target Cisco devices running Cisco IOS. The nature of threats is evolving and Cisco will continue to adapt technology delivering trustworthy solutions that our customers can rely on. This also means that customers will need to evolve, fully utilizing the security tools that are available, as well as ensuring security best practices are in place.
The malware used in these evolved Cisco IOS attacks shows increasing levels of complexity in the type of modifications made to Cisco IOS, in the behavior of its Command and Control (C&C) network (when present), and in the platforms it targets.
Before talking about specifics of each investigated malware incident, it is important to note that in all cases, no evidence has been found that attackers exploited a previously known or unknown vulnerability to install the malware. All available data points suggest either the use of compromised administrator credentials or physical access to the devices or images.
The following table and associated description provide a brief overview of the malware samples, as well as an overview of the actions that Cisco took in response to those findings. The source of this information is internal analysis performed by Cisco forensics teams.
Tags: cisco ios, SYNful Knock
In the past few years, the security industry has invested heavily in the detection and containment of attacks and breaches as a primary focus of innovation. To help protect Cisco, its customers, products, services and partners, we have embarked on a journey to build security and trust into every aspect of our business, including the culture of our workplace itself. The rapid evolution of the threat landscape has made this trust journey a necessity. Exploits are more frequent, better financed, more sophisticated and are causing more damage. Technology shifts like mobility and BYOD are the new normal and have resulted in more points of access for malware, resulting in a larger attack surface. In order to be more effective against the broad range of security threats, the industry must focus on foundational security being present in critical systems. By ensuring that trustworthiness is built into the technology, processes and policies involved in your IT systems, you can reduce risk and the attack surface while enabling more effective overall security.
Tags: NCSAM, security, trust, trustworthy systems
This post was authored by Nick Biasini with contributions from Joel Esler, Nick Hebert, Warren Mercer, Matt Olney, Melissa Taylor, and Craig Williams.
Today, Cisco struck a blow to a group of hackers, disrupting a significant international revenue stream generated by the notorious Angler Exploit Kit. Angler is one of the largest exploit kits found on the market and has been making news as it has been linked to several high-profile malvertising/ransomware campaigns. It is the most advanced and concerning exploit kit on the market, designed to bypass security devices and ultimately attack the largest number of devices possible.
In its research, Cisco determined that an inordinate number of proxy servers used by Angler were located on servers of service provider Limestone Networks — with the primary threat actor responsible for up to 50 percent of Angler Exploit Kit activity, targeting up to 90,000 victims a day, and generating more than $30M annually. This implies that if you apply the full scope of Angler activity the revenue generated could exceed $60M annually. Talos gained additional visibility into the global activity of the network through their ongoing collaboration with Level 3 Threat Research Labs. Finally, thanks to our continued collaboration with OpenDNS we were able to gain in-depth visibility into the domain activity associated with the adversaries.
Cisco then took action:
- Shut down access for customers by updating products to stop redirects to the Angler proxy servers.
- Released Snort rules to detect and block the health checks.
- Released all rules to the community through Snort.
- Published the communication mechanisms, including protocols, so others can protect themselves and their customers.
- Published IoCs so that defenders can analyze their own network activity and block access to the remaining servers.
This is a significant blow to the emerging hacker economy where ransomware and the black market sale of stolen IP, credit card info and personally identifiable information (PII) are generating hundreds of millions of dollars annually.
Watch Angler compromise a box and install ransomware at the end of the video.
Tags: angler, exploit kit, Talos, threat spotlight
Cisco is committed to protecting customers by sharing critical security-related information in different formats. Guided by customer feedback, Cisco’s Product Security Incident Response Team (PSIRT) is seeking ways to improve how we communicate information about Cisco product vulnerabilities to our Customers and Partners. As John Stewart mentioned in his blog post, the Cisco PSIRT has launched a new and improved security vulnerability disclosure format. The new Cisco Security Advisories can be accessed at http://www.cisco.com/go/psirt and at http://cisco.com/security.
The intent is to make it easier for Customers and Partners to access information about all security vulnerabilities in Cisco products. Each vulnerability disclosed through our new security advisories is assigned a Common Vulnerabilities and Exposures (CVE) identifier to aid in identification. Additionally, Cisco will continue to assess all vulnerabilities using the Common Vulnerability Scoring System (CVSS). Check out the sites for CVE, CVSS, and this CVSS scoring calculator if these terms are relatively new to you or you simply need a refresher.
Tags: Cisco PSIRT, cvrf, Open Vulnerability and Assessment Language (OVAL), OVAL, psirt, security advisories, security automation, vulnerabilities, vulnerability disclosure, vulnerability management
With security threats evolving at a staggering pace, we’re hearing from our customers that their network administrators are often finding it difficult to keep up. They are challenged to make informed decisions quickly enough and to prioritize their responses to incoming threats. This is not surprising, since with each new threat and its related vulnerabilities, IT leaders are faced with several questions:
- Where do I go to find information?
- Which information is for background and which requires immediate action?
- What has changed since the original publication?
- Does this apply to my network of devices?
- What resources should I go to for prevention, detection and remediation?
We are constantly looking at ways to help our customers and partners reduce the time it takes to mitigate security breaches, so I’m pleased to announce a new and improved security vulnerability disclosure format for Cisco Security Advisories that should make it much easier for administrators to understand and respond to threats.