Cisco Blogs


Cisco Blog > Security > Threat Research

Weaponized Powerpoint in the Wild

This post was written by Jaeson Schultz.

On October 14th information related to a new Windows vulnerability, CVE-2014-4114, was published. This new vulnerability affects all supported versions of Microsoft Windows. Windows XP, however, is not affected by this vulnerability. The problem lies in Windows’ OLE package manager. When triggered it allows for remote code execution.

Read More »

Tags: , ,

Threat Spotlight: Group 72

This post is co-authored by Joel Esler, Martin Lee and Craig Williams

Everyone has certain characteristics that can be recognised. This may be a way of walking, an accent, a turn of phrase or a style of dressing. If you know what to look for you can easily spot a friend or acquaintance in a crowd by knowing what characteristics to look for. Exactly the same is true for threat actors.

Each threat actor group may have certain characteristics that they display during their attack campaigns. These may be the types of malware that they use, a pattern in the naming conventions of their command and control servers, their choice of victims etc. Collecting attack data allows an observer to spot the characteristics that define each group and identify specific threat actors from the crowd of malicious activity on the internet.

Talos security and intelligence research group collects attack data from our various telemetry systems to analyse, identify and monitor threat actors through their different tactics, techniques, and procedures. Rather than give names to the different identified groups, we assign numbers to the threat actors. We frequently blog about significant attack campaigns that we discover, behind the scenes we integrate our intelligence data directly into our products. As part of our research we keep track of certain threat actor groups and their activities. In conjunction with a number of other security companies, we are taking action to highlight and disrupt the activities of the threat actors identified by us as Group 72. Read More »

Tags: , , , , , ,

Visualizing a String of Paerls

Researchers from the Cisco Talos Security Intelligence and Research Team recently discovered an elaborate attack dubbed the String of Paerls. The attack, a combined spearphishing and exploit attempt, was able to bypass most antivirus engines and used a targeted phishing email that included a malicious Word document attachment. Upon opening the Word attachment, a macro downloaded and launched an executable on the victim’s machine, which then called out to command and control servers.

In the graphic below you can see an illustration of each of the major steps of the attack. A common thread is that Cisco security provides protection against attacks like this one using the approach of integrated threat defense. Specifically, Advanced Malware Protection tools were used throughout the discovery and analysis process to expose the exploit.

paerls-blog-1024x714

For a complete play-by-play of this attack, read the String of Paerls blog post from Talos. For more about integrated threat defense in our products, see the new Cisco ASA with FirePOWER Services.

Tags: , , , , , ,

Shellshock Exploits in the Wild

This post was authored by Joel Esler & Martin Lee.

The recently discovered Bash vulnerability (CVE-2014-6271) potentially allows attackers to execute code on vulnerable systems. We have already blogged about the issue and provided more technical detail in a further blog. The rapid release of IPS signatures for our platforms allowed us to follow very quickly, the attempts at exploitation of the vulnerability in the wild.

For further details of our response to the issue, please see the Event Response Page.
Read More »

Tags: , , , , , ,

Another Major Vulnerability Bashes Systems

Vulnerabilities that permit remote network attacks against ubiquitous software components are the nightmares of security professionals. On 24 September the presence of a new vulnerability, CVE-2014-6271 in Bash shell allowing remote code execution was disclosed.
Read More »

Tags: , , , , , ,