Cisco Blogs


Cisco Blog > Security

DNS Compromise Distributing Malware

DNS records are an attractive target for distributors of malware. By compromising the DNS servers for legitimate domains, attackers are able to redirect visitors to trusted domains to malicious servers under attacker control. DNS requests are served from dedicated servers that may service many thousands of domains. Compromising these servers allows attackers to take over domains as a wholesale attack, serving malware from any domain that uses the DNS service.
Read More »

Tags: , ,

Zeus Botnet Impersonating Trusteer Rapport Update

July 19, 2013 at 12:50 pm PST

Starting Friday, July 19, 2013 at 14:45 GMT, Cisco TRAC spotted a new spam campaign likely propagated by the Zeus botnet. The initial burst of spam was very short in duration and it’s possible this was intended to help hide the campaign, since it appears to be targeted towards users of a Trusteer product called Rapport. Within minutes of the campaign starting, we were seeing millions of messages.

spam3

This spam impersonated a security update from Trusteer. Attached to this file was the “RaportUpdate” file, which contained a trojan. We’ve identified this specific trojan as Fareit. This file is designed to impersonate an update to the legitimate Rapport product, which, as described by Trusteer, “Protects end users against Man-in-the-Browser malware and phishing attacks. By preventing attacks, such as Man-in-the-Browser and Man-in-the-Middle, Trusteer Rapport secures credentials and personal information and stops online fraud and account takeover.”

It’s important to note that while this end-point solution is designed to protect against browser-based threats, this specific attack is email-based. If the user downloads and executes the attachment via their mail client, it could bypass their browser and the protections of a legitimate Rapport client, entirely. If an end user is tricked into running malicious software for an attack via an avenue the attacker can reasonably predict, it becomes much easier to bypass network security devices and software.

 

Read More »

Tags: , , , , , , ,

Network Solutions Customer Site Compromises and DDoS

July 17, 2013 at 10:03 am PST

Network Solutions is a domain name registrar that manages over 6.6 million domains. As of July 16, 2013, the Network Solutions website is under a Distributed Denial of Service (DDoS) attack. Recently, Network Solutions has been a target for attackers; in a previous outage, domain name servers were redirected away from their proper IP addresses. This was reported to be a result of a server misconfiguration while Network Solutions was attempting to mitigate a DDoS attack. It is possible that the DDoS attacks are related.

According to isitdownrightnow.com, the Network Solutions site has been having issues for at least the last 24 hours.

response_time

Response time in ms (GMT -8:00)

Read More »

Tags: , , , , , ,

BYOD: Many Call It Bring Your Own Malware (BYOM)

June 24, 2013 at 2:02 pm PST

It is not new that people are referring to Bring Your Own Device (BYOD) as Bring Your Own Malware (BYOM). In 2012 alone, Android malware encounters grew 2,577 percent (for details, see Cisco’s Annual Security Report). Many organizations are struggling to keep up with the BYOD trend by allowing employees to bring their favorite gadgets to the office to increase productivity and employee satisfaction. However, they are also struggling when trying to protect critical corporate assets, user’s data, and intellectual property in their employees’ mobile devices. Read More »

Tags: , , , , , ,

Plesk 0-Day Targets Web Servers

June 5, 2013 at 1:24 pm PST

Update 6/6/2013:

We’re seeing reports of exploitation of this vulnerability. We can confirm Global Correlation - Network Participation telemetry is seeing multiple exploitation attempts across many customers. Customers who participate in Global Correlation -- Inspection have a higher chance of this signature blocking in the default configuration since the sensor will take the reputation of an attacker into account during the risk rating evaluation. One of the reports mentioned the use of an IRC-based botnet as a payload for a large number of compromised machines. Since this report is similar to one I previously blogged about, I examined the IRC payloads in depth. Many of the variable names and functions are identical, with the new bot’s source code indicating that it is a later revision of the one we saw previously. Additional features have been added in this revision, which can allow the bots to transfer files directly to other bots via the command and control channel. Given the nature of this vulnerability and the ease of exploitation, it is very likely that unpatched machines will continue to be compromised if not remediated.

A 0-day vulnerability has been publicly posted which affects older versions of the Parallels Plesk software. The author of the exploit included an informational text file, which appears to indicate public servers have already been exploited. This vulnerability does not affect the latest major version of the software; nevertheless we expect to see widespread exploitation, due to the age of the affected versions — sites still running these versions of Plesk, which should enter End of Life of June 9, are unlikely to be regularly maintained.

plesk_2_1  Read More »

Tags: , , , ,