Cisco Blogs


Cisco Blog > Threat Research

Angler Exploit Kit – New Variants

This post was authored by Nick Biasini

On January 27th,  Talos researchers began observing a new Angler Exploit Kit (EK) campaign using new variants associated with (CVE-2015-0311). Based on our telemetry data the campaign lasted from January 26th until January 30th with the majority of the events occurring on January 28th & 29th.

angler_dates

Read More »

Tags: , , , ,

Cisco 2015 Annual Security Report: Java on the Decline as Attack Vector

As recently as 2013, vulnerabilities involving Java appeared to be a favored tool of adversaries: Java was easy to exploit and, and exploits involving the programming language were difficult to detect. However, as reported in the Cisco 2015 Annual Security Report, Java is losing its front-runner position as a favored tool of bad actors looking to breach network security.

The decline in Java’s high profile as an attack vector in 2014 was recorded by Cisco Security Research. Only one of the top 10 most commonly exploited vulnerabilities in 2014 was related to Java (see chart below). In 2013, Cisco tracked 54 urgent new Java vulnerabilities; in 2014, the number of tracked vulnerabilities fell to just 19. We saw a corresponding decline in reports from the National Vulnerability Database (NVD), which includes all reported vulnerabilities: from 309 Java vulnerabilities in 2013, down to 253 in 2014.

Read More »

Tags: , , , , ,

Cisco 2015 Annual Security Report: Strong Leadership Helps Address Security Challenges

For security strategies to succeed, security needs a seat at the table. In my work as an investigations manager for Cisco, I’ve seen first-hand how much more passion and enthusiasm enterprise leaders will put into security efforts when there is support all the way to the top of the organization.

The Cisco Security Capabilities Benchmark Study, as detailed in the Cisco 2015 Annual Security Report, shows that when there is executive-level responsibility for security, organizations are in a better position to tackle security challenges. As part of the survey, Cisco asked chief information security (CISO) and security operations managers about their views on security readiness. The good news, from my standpoint, is that 91 percent of the security professionals surveyed said their organization has an executive with direct responsibility for security – usually a CISO or CSO. It’s an encouraging finding, because security leaders help define and enforce policies.

Read More »

Tags: , , , , ,

Cisco Email Security Stays Ahead of Current Threats by Adding Stronger Snowshoe Spam Defense, AMP Enhancements, and More…

If you read the recently released Cisco Annual Security Report, you will have learned how spammers have adopted a “Snowshoe” strategy, using a large number of IP addresses with a low message volume per IP address, to send spam, preventing some spam systems from sinking the spam. This yielded a 250 percent increase in spam from January 2014 to November 2014. Or, perhaps the fact that malicious actors are using malvertising (malicious advertising) from web browser add-ons as a medium for distributing malware and unwanted applications caught your eye in the report. In order to protect against these types of emerging threats, Cisco showcases its continued thought leadership in email security to offer even greater protection and control across the attack continuum, while also providing additional flexibility for centralized management. Read More »

Tags: , , , , , , , , , , ,

CVE-2015-0235: A GHOST in the Machine

This post was authored by Nick BiasiniEarl Carter, Alex Chiu and Jaeson Schultz

On Tuesday January 27, 2015, security researchers from Qualys published information concerning a 0-day vulnerability in the GNU C library. The vulnerability, known as “GHOST” (a.k.a. CVE-2015-0235), is a buffer overflow in the __nss_hostname_digits_dots() function. As a proof-of-concept, Qualys has detailed a remote exploit for the Exim mail server that bypasses all existing protections, and results in arbitrary command execution. Qualys intends to release the exploit as a Metasploit module.

CVE-2015-0235 affects the functions gethostbyname() and gethostbyname2() –functions originally used to resolve a hostname to an IP address. However, these functions have been deprecated for approximately fifteen years, largely because of their lack of support for IPv6.  The superseding function is getaddrinfo() which does support IPv6 and is not affected by this buffer overflow.  Programs that still utilize the deprecated gethostbyname() and gethostbyname2() functions may potentially be affected by GHOST.

Read More »

Tags: , ,