Cisco Blogs


Cisco Blog > Security

More Effective Threat Visibility Using Identity and Device-Type Context

Following my previous blog post about identity and device aware IT platforms making IT operations easier and more effective, I wanted to delve a little deeper into a specific element of the IT infrastructure: Security Event & Information Management (SIEM) and Threat Defense (TD) systems.

Read More »

Tags: , , ,

MS Detours: Ongoing vigilance keeps customers on the right track.

Detours is a library offered by Microsoft Research for interception of functions on x86 and x64 platforms. It is sold for commercial use to various vendors that build products ranging from security to gaming applications.

Detours is often injected into most or all of the processes, either system-wide or in the context of the logged in user. The most common way this is done is through the AppInit_Dlls registry value. Because the injection is typically applied to a large number of processes running under various permissions, extra care must be taken to ensure the library and its usage are very carefully reviewed by engineers with a strong understanding of the implications of such wide hooking.

We have used this library in our own security products at Cisco (both CSA and AnyConnect) to provide certain security functions on the system. During one of our research projects earlier this year, we noticed a peculiar pattern on Windows systems where processes we were hooking had a change in the in-memory permissions, which marked the headers of the modules from the normal READ/EXECUTE to now include WRITE as well.

This was quite alarming to us, because a dll should not be writeable when loaded into memory. What was interesting, and led to clues of what might be the cause, was that it was only the dlls that had functions we were actively trying to hook. They were the common Win32 dlls that one would typically intercept methods for, such as Kernel32.dll.

Read More »

Tags: , , , ,

The Phishing Grounds

On August 15, 2013, Brian Krebs featured a screen shot of a fake Outlook webmail login page used by the Syrian Electronic Army in a phishing attack against the Washington Post. If you look carefully at the location bar, you will note that the domain used in the phishing attack is ‘webmail.washpost.site88.net’.

Washington Post Phishing Attack Page

Read More »

Tags: , , ,

Syrian Electronic Army Continues Spree: Cracks New York Times, Twitter and Huffington Post

The Syrian Electronic Army continues to hammer away at media organizations.  This afternoon the Syrian Electronic Army appears to have compromised the registrar Melbourne IT which hosts the domains of notable media organizations like Twitter, The New York Times, and The Huffington Post.

Syrian Electronic Army cracks Melbourne IT Registrar

Read More »

Tags: ,

Crumbling to the Cookiebomb

Recently we have seen a spate of government websites hosting malicious Cookiebomb JavaScript. We have observed URLs with the top level domains such as ‘.gov.uk’, ‘.gov.tr’, ‘.gov.pl’ and the website of a middle eastern embassy in the US become compromised and expose visitors to malware infection. For malicious actors, highly reputable websites are a valuable target to compromise. Politically motivated attackers, such as the Syrian Electronic Army, can use these websites to highlight their cause, to cause embarrassment to an adversary, or to spread malware, possibly as part of a watering hole attack. Profit motivated distributors of malware can use these websites to infect the steady stream of visitors who trust the website and who are unlikely to suspect that it has been compromised.
Read More »

Tags: , , , ,