Cisco Blogs


Cisco Blog > Connected Life Exchange

Most People Don’t Think about Mobile Security – But They Should

JasonHeadShot,cropped

By Jason Kohn, Contributing Columnist

In the 20 years we’ve had to get used to the Internet, we’ve learned a lot about web security and our own role in keeping ourselves safe from the nastiest things out there. At the very least, most of us now recognize the need to install antivirus software on our computers and to keep that software updated.

When it comes to the other kinds of computers we use though – our ubiquitous smartphones and tablets – it’s a different story. According to a 2011 report by Canalys, just 4 percent of the smartphones and tablets shipped the previous year had some form of mobile security installed.

Read More »

Tags: , , , , , , ,

Coordinated Attacks Against the U.S. Government and Banking Infrastructure

Prologue

On April 10, 2013, a collective of politically motivated hacktivists announced a round of planned attacks called #OPUSA. These attacks, slated to begin May 7, 2013, are to be launched against U.S.-based targets. #OPUSA is a follow-up to #OPISRAEL, which were a series of attacks carried out on April 7 against Israeli-based targets. Our goal here is to summarize and inform readers of resources, recommendations, network mitigations, and best practices that are available to prevent, mitigate, respond to, or dilute the effectiveness of these attacks. This blog was a collaborative effort between myself, Kevin TimmJoseph KarpenkoPanos Kampanakis, and the Cisco TRAC team.

Analysis

If the attackers follow the same patterns as previously witnessed during the #OPISRAEL attacks, then targets can expect a mixture of attacks. Major components of previous attacks consisted of denial of service attacks and web application exploits, ranging from advanced ad-hoc attempts to simple website defacements. In the past, attackers used such tools as LOICHOIC, and Slowloris.

Publicly announced attacks of this nature can have highly volatile credibility. In some cases, the announcements exist only for the purpose of gaining notoriety. In other cases, they are enhanced by increased publicity. Given the lack of specific details about participation or capabilities, the exact severity of the attack can’t be known until it (possibly) happens. Read More »

Tags: , , , , , , , , , , , , , , , , , , ,

Possible Exploit Vector for DarkLeech Compromises

April 24, 2013 at 5:34 am PST

Often it is quite surprising how long old, well-known vulnerabilities continue to be exploited. Recently, a friend sent me an example of a malicious script used in an attempted attack against their server:

injection_attempt_1

The script attempted to exploit the Horde/IMP Plesk Webmail Exploit in vulnerable versions of the Plesk control panel. By injecting malicious PHP code in the username field, successful attackers are able to bypass authentication and upload files to the targeted server. These types of attacks could be one avenue used in the DarkLeech compromises. Although not as common as the Plesk remote access vulnerability (CVE-2012-1557) described in the report, it does appear that this vulnerability is being actively exploited.  Read More »

Tags: , , , , , ,

Yesterday Boston, Today Waco, Tomorrow Malware

April 18, 2013 at 10:18 am PST

At 10:30 UTC one of the botnet spam campaigns we discussed yesterday took a shift to focus on the recent explosion in Texas. The miscreants responded to the tragic events in Texas almost immediately. The volume of the attack is similar to what we witnessed yesterday with the maximum volume peaking above 50% of all spam sent. We’ve seen 23 unique sites hosting the malware. This is an attempt to grow the botnet.

Read More »

Tags: , , , ,

Massive Spam and Malware Campaign Following the Boston Tragedy

April 17, 2013 at 3:18 pm PST

Summary

On April 16th at 11:00pm GMT, the first of two botnets began a massive spam campaign to take advantage of the recent Boston tragedy. The spam messages claim to contain news concerning the Boston Marathon bombing. The spam messages contain a link to a site that claims to have videos of explosions from the attack. Simultaneously, links to these sites were posted as comments to various blogs.

The link directs users to a webpage that includes iframes that load content from several YouTube videos plus content from an attacker-controlled site. Reports indicate the attacker-controlled sites host malicious .jar files that can compromise vulnerable machines.

On April 17th, a second botnet began using a similar spam campaign. Instead of simply providing a link, the spam messages contained graphical HTML content claiming to be breaking news alerts from CNN.

Cisco Intrusion Prevention System devices, Cloud Web Security, Email Security Appliances, and Web Security Appliances have blocked this campaign from the start.

Read More »

Tags: , , , ,