Beginning in early May, Cisco TRAC has observed a number of malicious redirects that appear to be part of a watering-hole style attack targeting the Energy & Oil sector. The structure consists of several compromised domains, of which some play the role of redirector and others the role of malware host.
Observed watering-hole style domains containing the malicious iframe have included:
- An oil and gas exploration firm with operations in Africa, Morocco, and Brazil;
- A company that owns multiple hydro electric plants throughout the Czech Republic and Bulgaria;
- A natural gas power station in the UK;
- A gas distributor located in France;
- An industrial supplier to the energy, nuclear and aerospace industries;
- Various investment and capital firms that specialize in the energy sector.
Encounters with the iframe-injected web pages resulted from either direct browsing to the compromised sites or via seemingly legitimate and innocuous searches. This is consistent with the premise of a watering-hole style attack that deliberately compromises websites likely to draw the intended targets, versus spear phishing or other means to entice the intended targets through illicit means.
Read More »
On April 16th at 11:00pm GMT, the first of two botnets began a massive spam campaign to take advantage of the recent Boston tragedy. The spam messages claim to contain news concerning the Boston Marathon bombing. The spam messages contain a link to a site that claims to have videos of explosions from the attack. Simultaneously, links to these sites were posted as comments to various blogs.
The link directs users to a webpage that includes iframes that load content from several YouTube videos plus content from an attacker-controlled site. Reports indicate the attacker-controlled sites host malicious .jar files that can compromise vulnerable machines.
On April 17th, a second botnet began using a similar spam campaign. Instead of simply providing a link, the spam messages contained graphical HTML content claiming to be breaking news alerts from CNN.
Cisco Intrusion Prevention System devices, Cloud Web Security, Email Security Appliances, and Web Security Appliances have blocked this campaign from the start.
Read More »
Tags: botnets, cisco sio, malware, Security Intelligence Operations (SIO), TRAC
“Change is inevitable—except from a vending machine.”
In the spirit of Robert C. Gallagher’s famous quote—and in our quest to never be a vending machine—we’ve rolled out several updates to Cisco’s Security Intelligence Operations (SIO) Portal which I trust you will find useful. Thanks to your feedback, we continue to evolve the Portal to ensure that relevant security content is where you need it, when you need it. Providing timely information to our customers requires not only a global team of Cisco security experts to pipeline the latest information, but a complementary team who ensures that the most significant issues are also the most visible. In fact, that’s the most exciting change we made: a new ‘Security Highlights’ tab which allows a cross-functional group, led by our content managers, to call out the most important issues to our customers. That way, instead of looking at IntelliShield alerts, Cisco Security Notices, or Event Responses individually when time is scarce, this new tab gives you an at-a-glance view of Cisco security content our experts feel is most pressing given all of the events into which we have a view.
Read More »
Tags: Applied Mitigation Bulletins, blog, intellishield, IPS signatures, security, security advisories, Security Intelligence Operations (SIO)
The Cisco Security Intelligence Operations (SIO) Portal is the primary outlet for Cisco’s security intelligence and the public home to all of our security-related content. This content ranges from Event Responses () to IntelliShield Alerts () to Cisco product Security Advisories (). The SIO Portal is intended to be the first place you visit when looking for security information from Cisco.
Customer input is very important to us. With this in mind, we’ve launched two new customer listening tools on the SIO Portal: an enhanced feedback mechanism and a short six-question survey.
Read More »
Tags: customer, customer feedback, customer listening, security, Security Intelligence Operations (SIO), SIO Portal
The past few weeks have had many on heightened alert from the initial threats to the ongoing attacks surrounding U.S.-based financial institutions; to say folks have been busy would be quite the understatement.
These events spawned a collaborative effort throughout the Cisco Security Intelligence Operations (Cisco SIO) organization, as depicted in the diagram below.
* Note: As Cisco products have not been found to be vulnerable to these attacks the Cisco PSIRT (Product Security Incident Response Team) provides feedback and peer-review, hence the reason that no Cisco Security Advisory (SA) is present for this activity.
Read More »
Tags: Attack, Cisco Security, DDoS, dns, DNS Server, intellishield, IPS, security, Security Intelligence Operations (SIO), targeted attacks