Cisco Blogs


Cisco Blog > Security

Possible Exploit Vector for DarkLeech Compromises

Often it is quite surprising how long old, well-known vulnerabilities continue to be exploited. Recently, a friend sent me an example of a malicious script used in an attempted attack against their server:

injection_attempt_1

The script attempted to exploit the Horde/IMP Plesk Webmail Exploit in vulnerable versions of the Plesk control panel. By injecting malicious PHP code in the username field, successful attackers are able to bypass authentication and upload files to the targeted server. These types of attacks could be one avenue used in the DarkLeech compromises. Although not as common as the Plesk remote access vulnerability (CVE-2012-1557) described in the report, it does appear that this vulnerability is being actively exploited.  Read More »

Tags: , , , , , ,

Yesterday Boston, Today Waco, Tomorrow Malware

At 10:30 UTC one of the botnet spam campaigns we discussed yesterday took a shift to focus on the recent explosion in Texas. The miscreants responded to the tragic events in Texas almost immediately. The volume of the attack is similar to what we witnessed yesterday with the maximum volume peaking above 50% of all spam sent. We’ve seen 23 unique sites hosting the malware. This is an attempt to grow the botnet.

Read More »

Tags: , , , ,

Massive Spam and Malware Campaign Following the Boston Tragedy

Summary

On April 16th at 11:00pm GMT, the first of two botnets began a massive spam campaign to take advantage of the recent Boston tragedy. The spam messages claim to contain news concerning the Boston Marathon bombing. The spam messages contain a link to a site that claims to have videos of explosions from the attack. Simultaneously, links to these sites were posted as comments to various blogs.

The link directs users to a webpage that includes iframes that load content from several YouTube videos plus content from an attacker-controlled site. Reports indicate the attacker-controlled sites host malicious .jar files that can compromise vulnerable machines.

On April 17th, a second botnet began using a similar spam campaign. Instead of simply providing a link, the spam messages contained graphical HTML content claiming to be breaking news alerts from CNN.

Cisco Intrusion Prevention System devices, Cloud Web Security, Email Security Appliances, and Web Security Appliances have blocked this campaign from the start.

Read More »

Tags: , , , ,

I Can’t Keep Up with All These Cisco Security Advisories: Do I Have to Upgrade?

“A security advisory was just published! Should I hurry and upgrade all my Cisco devices now?”

This is a question that I am being asked by customers on a regular basis. In fact, I am also asked why there are so many security vulnerability advisories. To start with the second question: Cisco is committed to protecting customers by sharing critical security-related information in a very transparent way. Even if security vulnerabilities are found internally, the Cisco Product Security Incident Response Team (PSIRT) – which is my team – investigates, drives to resolution, and discloses such vulnerabilities. To quickly answer the first question, don’t panic, as you may not have to immediately upgrade your device. However, in this article I will discuss some of the guidelines and best practices for responding to Cisco security vulnerability reports.

Read More »

Tags: , , , , , , , , , , , ,

March Madness May Equal to Malware Madness

basketball1Are you excited about March Madness? Turn on a TV and it will be hard to avoid the games, the news, the commentaries, and the jokes about it. If you eavesdrop in any restaurant, bar, or office conversation, I can assure you that you will hear something about it. Even U.S. President Barack Obama filled out a March Madness bracket. Productivity in many offices drops significantly as employees search and watch videos to see how their bracket picks are progressing. At Cisco, we have an open policy and employees can watch and search the scores of their favorite teams. Watch this video posted by CNN where Kip Compton, Cisco’s Video Collaboration Group CTO, talks about March Madness.

During the last couple of years, the industry saw a spike in web malware during the March Madness season. SQL injection attacks, iframe injections, JavaScript, and Java malware were some of the most prevalent. A few months ago, I provided details about some of today’s cyber-criminal tools— exploit kits—and some of the weapons of choice like Blackhole, RedKit, Styx, CrimeBoss, and Cool.

A few things to keep in mind:

  • Legitimate business sites may have vulnerabilities that allow a hostile site to deliver malware.
  • In most drive-by downloads, the victim is willing to dismissively click pop-ups and warnings as they navigate to the desired content. In this case, users may just click on pop-ups or ads to watch videos about their favorite team.
  • Most drive-by downloads can be prevented by keeping software up to date. Read More »

Tags: , , , , , , , ,