
Microsoft Patch Tuesday – November 2015

Microsoft’s Patch Tuesday has arrived. Today, Microsoft has released their monthly set of security bulletins designed to address security vulnerabilities within their products. This month’s release contains 12 bulletins addressing 53 vulnerabilities. Four bulletins are rated critical and address vulnerabilities in Edge, Internet Explorer, Windows Journal, and Windows. The remaining eight bulletins are rated important and address vulnerabilities in .NET, IPsec, Kerberos, Lync/Skype for Business, NDIS, Office, SChannel, and Winsock.

Bulletins Rated Critical

Microsoft bulletins MS15-112 through MS15-115 are rated as critical in this month’s release.

MS15-112 and MS15-113 are this month’s Internet Explorer and Edge security bulletins, respectively. In total, 25 vulnerabilities are addressed, four of which affect both IE and Edge. The remaining 21 vulnerabilities affect only Internet Explorer. The majority of the vulnerabilities resolved in this month’s release are memory corruption defects. In addition, an ASLR bypass, an information disclosure vulnerability, and a couple of scripting engine flaws are also addressed.


Easy-to-Use Threat Intelligence for Organizations of All Sizes: Threat Awareness Service

From credit card numbers to medical records, small and midsize organizations hold the same sensitive information as large enterprises. We often think of multinational corporations and governments as the primary targets for cybersecurity breaches, but smaller companies face the same threats. As enterprises start to spend more on security, hackers are increasingly looking to pick lower-hanging fruit by targeting smaller organizations. In recent years, more than half of known breach victims have been organizations with fewer than 1,000 employees, and 66% have had fewer than 10,000.[1]

Without the large security budget or dedicated cybersecurity expertise of a major enterprise, smaller organizations struggle to implement threat intelligence solutions that can help them see suspicious activity occurring in their networks. These solutions are generally hard to deploy, difficult to use, and costly to obtain.

To help organizations of all sizes gain continuous visibility into suspicious activity occurring on their networks, we are introducing Cisco Threat Awareness Service, a threat intelligence service that enhances threat visibility by making security information available 24 hours a day, 7 days a week. Accessed through a web portal, this cloud-based service provides visibility into inbound and outbound network activity from the outside and highlights potential threats requiring additional attention. Cisco Threat Awareness Service requires no configuration changes, network infrastructure, or new software, so you can deploy the service quickly, easily, and cost-effectively.


Pushing Security from Edge to Endpoint

On November 3rd, Cisco announced that we are extending our Security Everywhere strategy with new solutions and services aimed at helping our customers gain greater visibility, context, and control from the cloud to the network to the endpoint. Providing organizations more visibility means being able to see all their systems, not just Windows but Mac, mobile, virtual machines, and now Linux!

AMP for Endpoints now has a dedicated Linux connector. Attacks against datacenters are on the rise. Given that these systems contain highly sensitive customer and corporate data, and more often than not custom applications that are central to the day-to-day business, organizations need deep visibility into these attack vectors in order to prevent, detect, scope, contain, and remediate targeted attacks faster and more efficiently. At the moment, the Linux connector will be available for RHEL 6.5 and 6.6 as well as CentOS 6.4, 6.5 and 6.6. It is available to all current AMP customers with existing accounts, and will also be available to ELA v4 customers.

Edge to Endpoint Malware Analysis

A critical component of this launch is the extension of our advanced malware analysis and threat intelligence solution, AMP Threat Grid.

We have integrated AMP Threat Grid into our ASA with FirePOWER Services models, FirePOWER NGIPS appliances and the AMP for Networks solution. These are three huge integrations that can now tap into the power of the Threat Grid malware analysis engine. Why is this so big? Well, we acquired ThreatGRID in the summer of 2014. By January 2015 we had it integrated into our AMP for Endpoints products. We reached another critical milestone in the summer of 2015 by adding the AMP Threat Grid sandboxing capability to Cisco’s Email and Web Security solutions. Now, just a few months later, we are realizing the vision of providing full edge-to-endpoint sandboxing on a single platform – AMP Threat Grid. This is immensely powerful for anyone using the solution.


OpenDNS Introduces IP-Layer Enforcement for Umbrella

Cisco announced on Tuesday that OpenDNS was updating its cloud-delivered network security and threat intelligence solutions, as part of the company’s strategy to provide Security Everywhere across the extended network. Acquired in August, OpenDNS handles nearly 80 billion daily DNS requests and uses its unique view of the Internet to extend security for an increasingly mobile and off-network workforce.

Umbrella, OpenDNS’s cloud-delivered network security solution, already provides advanced threat protection for any device, anywhere, anytime. Umbrella encrypts DNS requests from endpoints and ensures the laptops and mobile devices employees use are not contacting malicious domains. But not all attacks rely solely on domains to communicate and deliver malware over the Internet. That’s why, with this latest announcement, the security service now protects direct IP connections.


Reverse Social Engineering Tech Support Scammers

This post is authored by Jaime Filson and Dave Liebenberg.

[Figure: a mosaic made up of 1-800 tech support scam websites]

The number of fraudulent actors masquerading as legitimate tech support has been on the rise since 2008. According to David Finn, executive director at the Microsoft Cybercrime Center, tech support scammers have made nearly $1.5 billion off of 3.3 million unwitting victims just this year. These scammers typically convince the victim to allow them access to his/her computer through remote control applications such as TeamViewer. They then present benign processes as malicious, or at times even spread malware themselves. Afterwards, they charge hundreds of dollars for the service.

There are several avenues through which these scammers reach their victims. One of the most insidious is pop-ups and websites asserting that the user’s computer is riddled with viruses, and that the only way to fix the problem is to call a provided tech support number.

Talos has been monitoring the incessant creation of these fake tech support websites in order to better understand the way in which these scams operate. We decided to call a company ourselves for some reverse social engineering. Our experiment provided some interesting insights into the methods these scammers use to fool their victims as well as the infrastructure supporting their operations. In addition, we discovered a broad New Delhi-based scamming network employing multiple websites and VoIP phone numbers to carry out their duplicitous activities.
