Cisco Blogs

Cisco Blog > Security

Be More Effective, Be More Efficient: The Mantra for Many Adversaries in 2014

Adversaries are committed to continually refining or developing new techniques to conceal malicious activity, decrease their reliance on other techniques that may be more detectable, and become increasingly more efficient and effective in their attacks. Below are just three examples—explored in detail in the newly released Cisco 2015 Annual Security Report—of how malicious actors met these goals in 2014. These trends were observed by Cisco Talos Security Intelligence and Research Group throughout last year, and analyzed by the team using a global set of telemetry data:

  • Use of malvertising to help deliver exploit kits more efficiently—Talos noted three exploit kits we observed “in the wild” more than others in 2014: Angler, Goon, and Sweet Orange. More than likely, their popularity is due to their technical sophistication in terms of their ability to evade detection and remain effective. The Sweet Orange kit, for example, is very dynamic. Its components are always changing. Adversaries who use Sweet Orange often rely on malvertising to redirect users (often twice) to websites that host the exploit kit, including legitimate websites.
  • Increase in Silverlight exploitation—As we reported in both the Cisco 2014 Midyear Security Report and the Cisco 2015 Annual Security Report, the number of exploit kits able to exploit Microsoft Silverlight is growing. While still very low in number compared to more established vectors like Flash, PDF, and Java, Silverlight attacks are on the rise. This is another example of adversaries exploring new avenues for compromise in order to remain efficient and effective in launching their attacks. The Angler and Goon exploit kits both include Silverlight vulnerabilities. Fiesta is another known exploit kit that delivers malware through Silverlight, which our team reported on last year.


  • The rise of “snowshoe spam”—Phishing remains an essential tool for adversaries to deliver malware and steal users’ credentials. These actors understand that it is more efficient to exploit users at the browser and email level, rather than taking the time and effort to attempt to compromise servers. To ensure their spam campaigns are effective, Talos observed spammers turning to a new tactic last year: snowshoe spam. Unsolicited bulk email is sent using a large number of IP addresses and at a low message volume per IP address; this prevents some spam systems from detecting the spam, helping to ensure it reaches its intended audience. There is also evidence that adversaries are relying on compromised users’ machines as a way to support their snowshoe spam campaigns more efficiently. Snowshoe spam contributed to the overall increase of spam volume by 250 percent in 2014.

These are only a few of the threat intelligence findings presented in the Cisco 2015 Annual Security Report. We encourage you to read the whole report, but also, to stay apprised of security trends throughout the year by following our reports on the Cisco Security blog. Talos is committed to ongoing coverage of security threats and trends. In fact, in the Cisco 2015 Annual Security Report, you’ll find links to several posts that our researchers published throughout 2014, and were used to help shape and inform our threat intelligence coverage in the report.

Tags: , , , , ,

Angling for Silverlight Exploits

VRT / TRACThis post is co-authored by Andrew Tsonchev, Jaeson Schultz, Alex Chiu, Seth Hanford, Craig Williams, Steven Poulson, and Joel Esler. Special thanks to co-author Brandon Stultz for the exploit reverse engineering. 

Silverlight exploits are the drive-by flavor of the month. Exploit Kit (EK) owners are adding Silverlight to their update releases, and since April 23rd we have observed substantial traffic (often from Malvertising) being driven to Angler instances partially using Silverlight exploits. In fact in this particular Angler campaign, the attack is more specifically targeted at Flash and Silverlight vulnerabilities and though Java is available and an included reference in the original attack landing pages, it’s never triggered.

Rise in Angler Attacks

HTTP requests for a specific Angler Exploit Kit campaign

Exploit Content Type

Angler exploit content types delivered to victims, application/x-gzip (Java) is notably absent


Read More »

Tags: , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,

Fiesta Exploit Pack is No Party for Drive-By Victims

This post was also authored by Andrew Tsonchev and Steven Poulson.


Update 2014-05-26Thank you to Fox-IT for providing the Fiesta logo image. We updated the caption to accurately reflect image attribution.

Cisco’s Cloud Web Security (CWS) service provides TRAC researchers with a constant fire hose of malicious insight and now that we are collaborating with Sourcefire’s Vulnerability Research Team (VRT) we have additional capabilities to quickly isolate and prioritize specific web exploit activity for further analysis. Thus when we were recently alerted to an aggressive Fiesta exploit pack (EP) campaign targeting our customers, we quickly compared notes and found that in addition to the typical Java exploits, this EP was also using a Microsoft Silverlight exploit. In the Cisco 2014 Annual Security Report (ASR) we discuss how 2013 was a banner year for Java exploits, and while updating Java should remain a top priority, Silverlight is certainly worth patching as threat actors continue to search for new application exploits to leverage in drive-by attacks.

Fiesta Exploit Pack

Image provided courtesy of Fox-IT

Over the past 30 days this specific Fiesta campaign was blocked across more than 300 different companies. The attacker(s) used numerous dynamic DNS (DDNS) domains – that resolved to six different IP addresses – as exploit landing pages. The chart below depicts the distribution of hosts used in this attack across the most blocked DDNS base domains.

CWS Fiesta Blocks by Distinct Requests

Read More »

Tags: , , , , , , , , , , , , , , , , , , , , , , ,