Cisco Blogs


Cisco Blog > Security > Threat Research

Threat Spotlight: “Kyle and Stan” Malvertising Network 9 Times Larger Than Expected

This post was authored by Armin Pelkmann.

On September 8th, Cisco’s Talos Security Intelligence & Research Group unveiled the existence of the “Kyle and Stan” Malvertisement Network. The network was responsible for placing malicious advertisements on big websites like amazon.com, ads.yahoo.com, www.winrar.com, youtube.com and 70 other domains. As it turns out, this was just the tip of the iceberg. Ongoing research now reveals the real size of the attackers’ network is 9 times larger than reported in our first blog. For more details, read the Kyle and Stan Blog.

The infographic below illustrates how much more of the malvertisement network was uncovered in comparison to our first assessment. We have now isolated 6491 domains sharing the same infrastructure. This is over 9 times the previously mentioned 703 domains.  We have observed and analyzed 31151 connections made to these domains. This equals over 3 times the amount of connections previously observed. The increase in connections is most likely not proportional to the domains due to the fact that a long time that has passed since the initial attacks.

img_new_numbers

The discovery difference from the previous blog to this one in raw numbers. With more than 3-times the now observed connections and over 9-times the revealed malicious domains, this malvertising network is of unusually massive proportions.

Read More »

Tags: , , , , , , , , , , , , , , , , , ,

Threat Spotlight: “Kyle and Stan” Malvertising Network Threatens Windows and Mac Users With Mutating Malware

This post was authored by Shaun Hurley, David McDaniel and Armin Pelkmann.

Update 2014-09-22: Updates on this threat can be found here

img_MetricsHave you visited amazon.com, ads.yahoo.com, www.winrar.com, youtube.com, or any of the 74 domains listed below lately? If the answer is yes, then you may have been a victim to the “Kyle and Stan” Malvertising Network that distributes sophisticated, mutating malware for Windows and even Macs.

Table of contents

Attack in a Nutshell
Timeline
Technical Breakdown
Reversing of the Mac Malware
Reversing of the Windows Malware
IOCs
Conclusion
Protecting Users Against These Threats

Malvertising is a short form for “malicious advertising.” The idea is very simple: use online advertising to spread malware. Read More »

Tags: , , , , , , , , , , , , , , , , , ,

Retailers Lying Awake at Night – Who’s Next?

In the past few weeks, I’ve received two replacement credit cards. And, no, this does not indicate I’ve done too much shopping! It means that hackers are continuing to target retailers and the bank decided I needed to be protected by new credit card numbers.

I’m Carol Ferrara-Zarb, and as the leader of Cisco’s Security Solutions team, I’m joining the Cisco Retail blog today to talk to you about security and compliance in the store. While consumers certainly worry about security, the concerns of retailers are magnified because you are among the highest-profile targets right now for professional hacker attacks. Store owners and operators are just about lying awake at night wondering who is going to be next.

At the same time, change is continuing on the security front, particularly in the area of PCI compliance. At the end of this calendar year, the new 3.0 version of the PCI DSS mandate will come into force. Are you ready for the new requirements?

If you’re a Cisco customer, you very well may be. Join us on July 23 for a free, one-hour webcast called, “Straight Talk about Reducing Complexity and Maintaining Compliance in Retail.” Cisco Security Architect Christian Janoff, who sits on the PCI Security Standards Council Board of Advisors, and Aaron Reynolds, PCI Managing Principal for Cisco partner Verizon, will lead a candid discussion on retail security. The session covers:

  • The changes in the PCI DSS 3.0 mandate and their impact on your retail business
  • How to satisfy three standards—PCI, SOX, and HIPAA—by configuring one control
  • Implementing the latest, simplified strategies for PCI scope reduction, and how they can be superior to traditional methods for many retailers

You’ll come away with an overview of today’s threat landscape, and we’ll put it all into perspective to support your continued pursuit of compliance and retail success. Registrants will also receive the Simplifying Compliance Answer Kit, a set of documents and tools to help you understand compliance better.

The webcast takes place on July 23 at 10:00 am PT/1:00 pm ET. Please register today! Be sure to bring your questions to take part in the discussion.

We’ll see you there!

Tags: , , , , , , , , , , , , , ,

Attack Analysis with a Fast Graph

TRAC-tank-vertical_logo-300x243This post is co-authored by Martin Lee, Armin Pelkmann, and Preetham Raghunanda.

Cyber security analysts tend to redundantly perform the same attack queries with different input data. Unfortunately, the search for useful meta-data correlation across proprietary and open source data sets may be laborious and time consuming with relational databases as multiple tables are joined, queried, and the results inevitably take too long to return. Enter the graph database, a fundamentally improved database technology for specific threat analysis functions. Representing information as a graph allows the discovery of associations and connection that are otherwise not immediately apparent.

Within basic security analysis, we represent domains, IP addresses, and DNS information as nodes, and represent the relationships between them as edges connecting the nodes. In the following example, domains A and B are connected through a shared name server and MX record despite being hosted on different servers. Domain C is linked to domain B through a shared host, but has no direct association with domain A.

graph_image_1 This ability to quickly identify domain-host associations brings attention to further network assets that may have been compromised, or assets that will be used in future attacks.

Read More »

Tags: , , , , , , , , , , , , , , , , , , , , , ,

Angling for Silverlight Exploits

VRT / TRACThis post is co-authored by Andrew Tsonchev, Jaeson Schultz, Alex Chiu, Seth Hanford, Craig Williams, Steven Poulson, and Joel Esler. Special thanks to co-author Brandon Stultz for the exploit reverse engineering. 

Silverlight exploits are the drive-by flavor of the month. Exploit Kit (EK) owners are adding Silverlight to their update releases, and since April 23rd we have observed substantial traffic (often from Malvertising) being driven to Angler instances partially using Silverlight exploits. In fact in this particular Angler campaign, the attack is more specifically targeted at Flash and Silverlight vulnerabilities and though Java is available and an included reference in the original attack landing pages, it’s never triggered.

Rise in Angler Attacks

HTTP requests for a specific Angler Exploit Kit campaign

Exploit Content Type

Angler exploit content types delivered to victims, application/x-gzip (Java) is notably absent

 

Read More »

Tags: , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,