Cisco Blogs


Cisco Blog > Security > Threat Research

Threat Spotlight: “Kyle and Stan” Malvertising Network 9 Times Larger Than Expected

This post was authored by Armin Pelkmann.

On September 8th, Cisco’s Talos Security Intelligence & Research Group unveiled the existence of the “Kyle and Stan” Malvertisement Network. The network was responsible for placing malicious advertisements on big websites like amazon.com, ads.yahoo.com, www.winrar.com, youtube.com and 70 other domains. As it turns out, this was just the tip of the iceberg. Ongoing research now reveals the real size of the attackers’ network is 9 times larger than reported in our first blog. For more details, read the Kyle and Stan Blog.

The infographic below illustrates how much more of the malvertisement network was uncovered in comparison to our first assessment. We have now isolated 6491 domains sharing the same infrastructure. This is over 9 times the previously mentioned 703 domains.  We have observed and analyzed 31151 connections made to these domains. This equals over 3 times the amount of connections previously observed. The increase in connections is most likely not proportional to the domains due to the fact that a long time that has passed since the initial attacks.

img_new_numbers

The discovery difference from the previous blog to this one in raw numbers. With more than 3-times the now observed connections and over 9-times the revealed malicious domains, this malvertising network is of unusually massive proportions.

Read More »

Tags: , , , , , , , , , , , , , , , , , ,

Threat Spotlight: “Kyle and Stan” Malvertising Network Threatens Windows and Mac Users With Mutating Malware

This post was authored by Shaun Hurley, David McDaniel and Armin Pelkmann.

Update 2014-09-22: Updates on this threat can be found here

img_MetricsHave you visited amazon.com, ads.yahoo.com, www.winrar.com, youtube.com, or any of the 74 domains listed below lately? If the answer is yes, then you may have been a victim to the “Kyle and Stan” Malvertising Network that distributes sophisticated, mutating malware for Windows and even Macs.

Table of contents

Attack in a Nutshell
Timeline
Technical Breakdown
Reversing of the Mac Malware
Reversing of the Windows Malware
IOCs
Conclusion
Protecting Users Against These Threats

Malvertising is a short form for “malicious advertising.” The idea is very simple: use online advertising to spread malware. Read More »

Tags: , , , , , , , , , , , , , , , , , ,

Hacking Made Easy – Courtesy of IoT

July 31, 2013 at 9:12 am PST

For most of us, technology has become an integral part of our daily lives and promises to become even more prevalent in the near future due to the emerging technological revolution called the Internet of Things (IoT). The number of connected objects now exceeds the world’s human population, and is expected to grow exponentially over the next three to five years.

The early stage of IoT has already started making our lives easier and far more comfortable, giving us the ability to remotely monitor our homes and businesses, turn on the lights and heat before we return home from a long day, and even help us find a place to eat in an unfamiliar city. In fact, so many of our daily activities are becoming automated through the use of IoT technologies, we will soon wonder how we could have functioned without them – similar to looking back now on the pre-smart phone era! Read More »

Tags: , , , , , ,

Hard Lessons about Hacking and Proxy Services

I was disheartened to read about the 22 September arrest of alleged LulzSec/Anonymous member Cody Kretsinger (known by the handle ‘recursion’) by the FBI as a suspect in the SQL injection attacks on multiple Sony websites. Note that I was not sad to see the good guys bust a cybercriminal, but I was sad to see a nice guy I had met and talked to briefly at BlackHat Las Vegas 2011 turn out to be a suspect wanted by the FBI.

Cody Kretsinger, second from right, at BlackHat 2011

One of the things we at Cisco try to do is reach out to those studying infosec and wanting to make a career in security. At BlackHat Cisco had a contest where the winner got a Pwnie Express PWN Phone, effectively a modified Nokia N900 with some pentesting software loaded. A group of guys, volunteers with the show from an IT school, were fascinated by the PWN Phone – possibly because in their circle a couple of them had Nokia N900s, a device relatively unknown in North America but somewhat popular in certain hacking circles due to the fact that its OS is Linux-based and thus can be made to run things like metasploit (like the PWN Phone does).

Read More »

Tags: , , , , , ,

Cisco Annual Security Review

January 20, 2011 at 11:06 am PST

Its that time of year again -- the Annual Cisco Security Review.  We decided to feature a whole show on this one -- which makes it fun but also of course brings a fair set of challenges.  As good as we are…we can’t cover it all.  You MUST read the report. It is quite good.

So where did we go with it?
We brought in some friends and fun with a few topics as well -- notes are below…but let us know your favorites! Read More »

Tags: , , , ,