This post was authored by Alex Chiu and Xabier Ugarte Pedrero.
Talos recently spotted a targeted phishing attack with several unique characteristics that are not normally seen. While we monitor phishing campaigns used to distribute threats such as Dridex, Upatre, and Cryptowall, targeted phishing attacks are more convincing because the format of the message is personalized to the targeted user. This targeted attack was more difficult to detect because adversaries chose to leverage AutoIT, a well known freeware administration tool for automating system management in corporate environments. This notable characteristic made this attack worthy of further analysis.
Utilizing AutoIT within a payload is unique because it is a legitimate management tool. In this attack, AutoIT was utilized to install a Remote Access Trojan (RAT) and maintain persistence on the host in a manner that’s similar to normal administration activity. RATs allow adversaries to fully control compromised hosts remotely to conduct malicious operations, such as exfiltrating sensitive information. The use of AutoIT is potentially an extremely effective method of evading detection by traditional anti-virus technologies and remaining hidden on the system if it is used by the target to manage systems. The combination of a legitimate administration tool being used to install a back-door onto a target system is unique and is why this attack caught our attention.
Another characteristic of this attack that was notable is how adversaries went to great lengths to spoof a phishing message that would appear credible to the user. In this attack, an actual business was impersonated, using the logo and physical address of the business, in order to appear legitimate. The bait in this case is a Microsoft Word document containing a macro that downloads and executes a binary from hxxp://frontlinegulf[.]com/tmp/adobefile.exe.
Figure 1: A screenshot of the Word document, demonstrating how adversaries impersonated a real company to trick the target.
Read More »
Tags: Attack, Phish, RAT, Talos, trojan, worm
I’m often asked how to deal with the security threat landscape within the context of running a business. The security threat landscape can seem like a highly complex challenge, yet as I’ve looked at it through my work with Cisco and the broader industry, it can actually be boiled down into three simple phases: before, during and after attack.
It sounds simple in theory, but in practice the conversation often focuses predominantly on the “before” phase; that is, minimizing a hacker’s chances of success. While this is clearly the most important phase, it’s also crucial to have a clear threat containment strategy for “during” an attack, and a visibility and forensics plan for “after” it as well. It seems complex, but it can be surprisingly simple. Take a look at a recent video blog I did on the topic.
Tags: Attack, Cisco, forensics, John Stewart, security
The past few weeks have had many on heightened alert from the initial threats to the ongoing attacks surrounding U.S.-based financial institutions; to say folks have been busy would be quite the understatement.
These events spawned a collaborative effort throughout the Cisco Security Intelligence Operations (Cisco SIO) organization, as depicted in the diagram below.
* Note: As Cisco products have not been found to be vulnerable to these attacks the Cisco PSIRT (Product Security Incident Response Team) provides feedback and peer-review, hence the reason that no Cisco Security Advisory (SA) is present for this activity.
Read More »
Tags: Attack, Cisco Security, DDoS, dns, DNS Server, intellishield, IPS, security, Security Intelligence Operations (SIO), targeted attacks
In the recently posted research paper “Off-Path TCP Sequence Number Inference Attack: How Firewall Middleboxes Reduce Security“, Zhiyun Qian and Z. Morley Mao from the University of Michigan discuss a method to try to infer the sequence numbers in use by a TCP connection – and if successful, how to try to hijack the connection and inject data on it in order to, as an example, steal credentials to web sites (banking, social networking, etc.)
Before talking further about their research, I would like to talk a bit about the Maginot Line. The Maginot Line was a line of fortifications located in France, established after World War I, and roughly following France’s borders with Germany and Italy. The idea behind it: in case of another war with Germany, the line would hold the enemy attacks, giving the French Army the chance to regroup and counterattack. The problem: the line only extended so far up North. So during World War II, and instead of attacking the line from the East, the German army completely bypassed it – by attacking Belgium first and then flanking the line.
So a lot of resources were allocated to set-up defenses for a very specific attack scenario – but that scenario never happened, as an easier way was found to bypass the defenses. And the mere fact of allocating so many resources to counter a specific threat significantly reduced the number of resources available to protect against other threats.
The method posited by Qian and Mao on their research paper strongly reminds me of the assumptions made by the French while building the Maginot Line.
Read More »
Tags: Attack, research, security, TCP