Anyone can purchase an exploit pack (EP) license or rent time on an existing EP server. The challenge for threat actors is to redirect unsuspecting web browsing victims by force to the exploit landing page with sustained frequency. Naturally, like most criminal services in the underground, the dark art of traffic generation is a niche specialty that must be purchased to ensure drive-by campaign success. For the past year we have been tracking a threat actor (group) that compromises legitimate websites and redirects victims to EP landing pages. Over the past three months we observed the same actor using malvertising -- leveraging content delivery networks (CDNs) to facilitate increased victim redirection -- as part of larger exploit pack campaigns.
One of the big lessons I learned during the early days, when I was first creating Snort®, was that the open source model was an incredibly strong way to build great software and attack difficult problems in a way that the user community rallied around. I still see this as one of the chief strengths of the open source development model and why it will be with us for the foreseeable future.
As almost every security professional knows, cloud applications are one of the most prevalent attack vectors exploited by hackers and some of the most challenging to protect. There are more than 1,000 new cloud-delivered applications per year, and IT is dependent on vendors to create new visibility and threat detection tools and keep up with the accelerating pace of change. The problem is that vendors can’t always move fast enough and IT can’t afford to wait. Countless custom applications pile on even more complexity.
So today, Cisco is announcing OpenAppID, an open, application-focused detection language and processing module for Snort that enables users to create, share, and implement application detection. OpenAppID puts control in the hands of users, allowing them to control application usage in their network environments and eliminating the risk that comes with waiting for vendors to issue updates. Practically speaking, we’re making it possible for people to build their own open source Next-Generation Firewalls.
This post was also authored by Andrew Tsonchev and Steven Poulson.
Cisco’s Cloud Web Security (CWS) service provides TRAC researchers with a constant fire hose of malicious insight, and now that we are collaborating with Sourcefire’s Vulnerability Research Team (VRT) we have additional capabilities to quickly isolate and prioritize specific web exploit activity for further analysis. Thus, when we were recently alerted to an aggressive Fiesta exploit pack (EP) campaign targeting our customers, we quickly compared notes and found that in addition to the typical Java exploits, this EP was also using a Microsoft Silverlight exploit. In the Cisco 2014 Annual Security Report (ASR) we discuss how 2013 was a banner year for Java exploits, and while updating Java should remain a top priority, Silverlight is certainly worth patching as threat actors continue to search for new application exploits to leverage in drive-by attacks.
Over the past 30 days this specific Fiesta campaign was blocked across more than 300 different companies. The attacker(s) used numerous dynamic DNS (DDNS) domains -- that resolved to six different IP addresses -- as exploit landing pages. The chart below depicts the distribution of hosts used in this attack across the most blocked DDNS base domains.
Tags: behavioral, clamAV, CVE, defense, Detect, drive-by, Exploit, Fiesta, FireAMP, flash, heuristics, java, Kit, Pack, PDF, REGEX, Silverlight, Snort, Sourcefire, TRAC, victims, VRT, vulnerability, web
Cisco Security has announced the closing of the acquisition of Sourcefire. Sourcefire founder and CTO (and creator of Snort®) Martin Roesch posted to Sourcefire’s blog this morning to share the news:
“I can tell you with certainty that this is a great match for Sourcefire, for Cisco and, ultimately, for our customers, partners and open source communities” said Roesch. “From a technology perspective, after having dedicated 15 years to Snort and then to Sourcefire, it’s personally gratifying to be part of building this strong foundation.”
Roesch, now vice president and chief architect of Cisco’s Security Business Group, is excited for the new opportunities presented. “It’s the new model of security I’ve been talking about for some time. Now working as part of the Cisco team, led by Chris Young, we can accelerate execution of this vision and make this even more impactful.”
This is just the first exciting news about the acquisition. As Roesch states in his post, “expect more great things as we continue down this path as ONE team.”