Cisco Blogs


Cisco Blog > Security > Threat Research

Threat Spotlight: “Kyle and Stan” Malvertising Network 9 Times Larger Than Expected

This post was authored by Armin Pelkmann.

On September 8th, Cisco’s Talos Security Intelligence & Research Group unveiled the existence of the “Kyle and Stan” Malvertisement Network. The network was responsible for placing malicious advertisements on big websites like amazon.com, ads.yahoo.com, www.winrar.com, youtube.com and 70 other domains. As it turns out, this was just the tip of the iceberg. Ongoing research now reveals the real size of the attackers’ network is 9 times larger than reported in our first blog. For more details, read the Kyle and Stan Blog.

The infographic below illustrates how much more of the malvertisement network was uncovered in comparison to our first assessment. We have now isolated 6491 domains sharing the same infrastructure. This is over 9 times the previously mentioned 703 domains.  We have observed and analyzed 31151 connections made to these domains. This equals over 3 times the amount of connections previously observed. The increase in connections is most likely not proportional to the domains due to the fact that a long time that has passed since the initial attacks.

img_new_numbers

The discovery difference from the previous blog to this one in raw numbers. With more than 3-times the now observed connections and over 9-times the revealed malicious domains, this malvertising network is of unusually massive proportions.

Read More »

Tags: , , , , , , , , , , , , , , , , , ,

Threat Spotlight: “Kyle and Stan” Malvertising Network Threatens Windows and Mac Users With Mutating Malware

This post was authored by Shaun Hurley, David McDaniel and Armin Pelkmann.

Update 2014-09-22: Updates on this threat can be found here

img_MetricsHave you visited amazon.com, ads.yahoo.com, www.winrar.com, youtube.com, or any of the 74 domains listed below lately? If the answer is yes, then you may have been a victim to the “Kyle and Stan” Malvertising Network that distributes sophisticated, mutating malware for Windows and even Macs.

Table of contents

Attack in a Nutshell
Timeline
Technical Breakdown
Reversing of the Mac Malware
Reversing of the Windows Malware
IOCs
Conclusion
Protecting Users Against These Threats

Malvertising is a short form for “malicious advertising.” The idea is very simple: use online advertising to spread malware. Read More »

Tags: , , , , , , , , , , , , , , , , , ,

The increasing prevalence and complexity of malware

In recent months, many organizations are becoming more interested in the information security landscape and how these threats can affect their business today.

In the recent Cisco 2014 Midyear Security Report, the results showed that 90% of select customer networks were found issuing DNS queries to domain names known to be associated with malware distribution. Results also showed an increase in Point of Sale (POS) exploits over the past year. These threats are growing and may put at risk many users using websites where personal or financial information is being submitted. These users need to know how this malware works, that malware is becoming more sophisticated, and that it is becoming increasingly difficult to identify that users’ machines have been compromised by malware. Read More »

Tags: , , , ,

Putting a Damper on ‘Lateral Movement’ due to Cyber-Intrusion

Analysis of high-profile cyber breaches often reveals how intruders gain their initial footprint in the targeted organizations and bypass perimeter defenses to establish a backdoor for persistent activities. Such stealthy activities may continue until intruders complete their ultimate mission—claiming the “crown jewels” of the victim organization.

“Lateral movement” is a term increasingly used to describe penetration activities by intruders (more information on lateral movement is available in Verizon’s 2014 Data Breach Investigations Report[1]). These activities begin with network reconnaissance, typically leading to compromises, hijacking of user accounts and ultimately privilege escalation to access sensitive data. Organizations may go to great lengths to detecting and stopping the initial breach and final data exfiltration as well as establishing more intelligence at their ingress/egress perimeters. But how can you minimize the damage caused by an intruder’s lateral movement once your network is already compromised?

Read More »

Tags: , , ,

Cisco 2014 Midyear Security Report: Exploit Kit Creators Vying for ‘Market Leader’ Role

Even in the world of cybercrime, when a top “vendor” drops out of the market, competitors will scurry to fill the void with their own products. As reported in the Cisco 2014 Midyear Security Report, when Paunch—the alleged creator and distributor of the Blackhole exploit kit—was arrested in Russia in late 2013, other malware creators wanted to fill the gap.

“Blackhole” and its more expensive brother “Cool” were the most widely used and well-maintained exploit kits. After Paunch’s takedown, we observed that many other exploit kits, including Fiesta and Neutrino, became more active in the market. However, a clear leader has yet to emerge.

While there’s more competition in the exploit kit market, it’s not translating to a greater number of deployed kits, as Cisco research shows. In fact, the total number of active exploit kits has dropped dramatically—by 87 percent—since Paunch’s arrest.

Read More »

Tags: , , ,