Cisco Blogs

Threat Research

  • Threat Round-up for Mar 24 – Mar 31

    - March 31, 2017 - 0 Comments

    Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between March 24 and March 31. As with previous round-ups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavior characteristics, indicators of compromise, and how our customers are automatically protected from these threats.

    As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of date of publication. Detection and coverage for the following threats is subject to updates pending additional threat or vulnerability analysis. For the most current information, please refer to your FireSIGHT Management Center, Snort.org, or ClamAV.net.

  • Threat Spotlight: Sundown Matures

    - March 31, 2017 - 0 Comments

    This post authored by Nick Biasini with contributions from Edmund Brumaghin and Alex Chiu

    The last time Talos discussed Sundown it was an exploit kit in transition. Several of the large exploit kits had left the landscape and a couple of strong contenders remain. Sundown was one of the kits still active and poised to make a move, but lacked a lot of the sophistication of the other large kits and had lots of easy identifiers throughout its infection chain. Most of these identifiers have been stripped, new exploits added, and Talos was able to uncover an interesting campaign focused around the bulk purchase of expiring domains through auctions commonly held within the domain resellers market.

    Read More>>

     

  • Vulnerability Spotlight: Certificate Validation Flaw in Apple macOS and iOS Identified and Patched

    - March 27, 2017 - 0 Comments

    Most people don’t give much thought to what happens when you connect to your bank’s website or log in to your email account. For most people, securely connecting to a website seems as simple as checking to make sure the little padlock in the address bar is present. However, in the background there are many different steps that are taken to ensure you are safely and securely connecting to the websites that claim they are who they are. This process includes certificate validation, or making sure that the servers that users are connecting to present “identification” showing they are legitimate. This helps to protect users from fraudulent servers that might otherwise steal sensitive information.

    Due to the sensitive nature of this process, software vulnerabilities that adversely impact the security of certificate validation could have major consequences. Unfortunately, digital systems are complex and bugs are an inevitable reality in software development. Identifying vulnerabilities and responsibly disclosing them improves the security of the internet by eliminating potential attack vectors. Talos is committed to improving the overall security of the internet and today we are disclosing TALOS-2017-0296 (CVE-2017-2485), a remote code execution vulnerability in the X.509 certificate validation functionality of Apple macOS and iOS. This vulnerability has been responsibly disclosed to Apple and software updates have been released that address this issue for both macOS and iOS.

    Read more »

  • Threat Round-up for the Week of Mar 20 – Mar 24

    - March 24, 2017 - 0 Comments

    Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed over the past week. As with previous round-ups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavior characteristics, indicators of compromise, and how our customers are automatically protected from these threats.

    As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of date of publication. Detection and coverage for the following threats is subject to updates pending additional threat or vulnerability analysis. For the most current information, please refer to your FireSIGHT Management Center, Snort.org, or ClamAV.net.

  • How Malformed RTF Defeats Security Engines

    - March 23, 2017 - 0 Comments

    This post is authored by Paul Rascagneres with contributions from Alex McDonnell

    Executive Summary

    Talos has discovered a new spam campaign used to infect targets with the well known  Loki Bot stealer. The infection vector is an RTF document abusing an old exploit (CVE-2012-1856), however the most interesting part is the effort put into the generation of the RTF. The document contains several malformations designed to defeat security engines and parsers. The attacker has gone out of their way to attempt to evade content inspection devices like AV or network security devices. According to VirusTotal, the initial detection rate of a malicious RTF document recovered from a recent spam campaign is only 3 out of 45 available engines.

    Read More >>

  • Vulnerability Spotlight: Code Execution Vulnerability in LabVIEW

    - March 22, 2017 - 0 Comments

    Overview

    LabVIEW is a system design and development platform released by National Instruments. The software is widely used to create applications for data acquisition, instrument control and industrial automation. Talos is disclosing the presence of a code execution vulnerability and a memory corruption vulnerability which can be triggered by opening specially crafted VI files, the proprietary file format used by LabVIEW.

    Read More>>

  • Necurs Diversifies Its Portfolio

    - March 20, 2017 - 0 Comments

    The post was authored by Sean Baird, Edmund Brumaghin and Earl Carter, with contributions from Jaeson Schultz.

    Executive Summary

    The Necurs botnet is the largest spam botnet in the world. Over the past year it has been used primarily for the distribution of Locky ransomware and Dridex. Earlier this year, we wrote about how the Necurs botnet went offline and seemingly disappeared, taking most of the high volume Locky malspam with it. Talos recently identified a significant increase in the amount of spam emails originating from the Necurs botnet, indicating that it may have come back to life, but rather than distributing malware in the form of malicious attachments, it appears to have shifted back to penny stock pump-and-dump messages. This is not the first time that Necurs has been used to send high volume pump-and-dump emails. In analyzing previous telemetry data associated with these campaigns, we identified a similar campaign on December 20, 2016 shortly before the Necurs botnet went offline for an extended period. This strategic divergence from the distribution of malware may be indicative of a change in the way that attackers are attempting to economically leverage this botnet.

    Read More >>

  • Threat Round-up for the Week of Mar 13 – Mar 17

    - March 17, 2017 - 0 Comments
    Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed over the past week. As with previous round-ups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavior characteristics, indicators of compromise, and how our customers are automatically protected from these threats.

    As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of date of publication. Detection and coverage for the following threats is subject to updates pending additional threat or vulnerability analysis. For the most current information, please refer to your FireSIGHT Management Center, Snort.org, or ClamAV.net.

  • Microsoft Patch Tuesday – March 2017

    - March 14, 2017 - 0 Comments
    Following a sparse February patch Tuesday, today’s March release brings a bumper crop of fixed vulnerabilities: 17 bulletins covering 140 different vulnerabilities, 47 of which are rated as critical. The critical vulnerabilities affect Internet Explorer, Edge, Hyper-V, Windows PDF Library, Microsoft SMB Server, Uniscribe, Microsoft Graphics Component, Adobe Flash Player and Microsoft Windows. 92 vulnerabilities are rated as important, additionally affecting Active Directory Federation Services, DirectShow, Internet Information Services, Microsoft Exchange Server, Microsoft Office, Microsoft XML Core Services, Windows DVD Maker, Windows Kernel, Windows Kernel-Mode Drivers.

  • Threat Roundup for the Week of Mar 6 – Mar 10

    - March 10, 2017 - 1 Comment
    Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed over the past week. As with our previous threat round-up, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavior characteristics, indicators of compromise, and how our customers are automatically protected from these threats.

    As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of date of publication. Detection and coverage for the following threats is subject to updates pending additional threat or vulnerability analysis. For the most current information, please refer to your FireSIGHT Management Center, Snort.org, or ClamAV.net.