Cisco Blogs


Cisco Blog > Security

Far East Targeted by Drive by Download Attack

This blog was co-authored by Kevin Brooks, Alex Chiu, Joel Esler, Martin LeeEmmanuel Tacheau, Andrew Tsonchev, and Craig Williams.  

On the 21st of July, 2014, Cisco TRAC became aware that the website dwnews.com was serving malicious Adobe Flash content. This site is a Chinese language news website covering events in East Asia from a US base. The site is extremely popular, rated by Alexa’s global traffic ranking as the 1759th most visited website worldwide, and the 28th most visited in South Korea. In addition the news site also receives a substantial number of visitors from Japan, the United States and China.

This malware campaign does not appear to be tightly targeted. Twenty-seven companies across eight verticals have been affected:

Banking & Finance
Energy, Oil, and Gas
Engineering & Construction
Insurance
Legal
Manufacturing
Pharmaceutical & Chemical
Retail & Wholesale

This is indicative of the campaign acting as a drive-by attack targeting anyone attempting to view one of the affected sites.

Attack Progression

Read More »

Tags: , , , ,

Old and Persistent Malware

TRAC logo
Malware can find its way into the most unexpected of places. Certainly, no website can be assumed to be always completely free of malware. Typically, there are many ways that websites can be compromised to serve malware:
Read More »

Tags: , , , , ,

Big Data: Observing a Phishing Attack Over Years

google_drive_attack

Overview

Phishing attacks use social engineering in an attempt to lure victims to fake websites. The websites could allow the attacker to retrieve sensitive or private information such as usernames, passwords, and credit card details. Attacks of this kind have been around since 1995, evolving in sophistication in order to increase their success rate. Up until now, phishing attacks were generally viewed as isolated events that were dealt with on a case-by-case basis. The dawn of big data analysis in computer security allows us to store data indefinitely and watch the changes and growth of attacks over long periods of time. In 2012, we began tracking a sophisticated phishing campaign that is still going strong.

 

The Target

Google, one of the largest players in the cloud business, offers dozens of free cloud services: Google Email, Google Drive, Google Docs, Google Analytics, YouTube, etc. To enable easy access across all of these properties, Google built what they call, “One account. All of Google.”   Read More »

Tags: , , , , , , , , ,

Threat Spotlight: “A String of Paerls”, Part 2, Deep Dive

July 8, 2014 at 7:28 am PST

This post has been coauthored by Joel EslerCraig WilliamsRichard HarmanJaeson Schultz, and Douglas Goddard 

In part one of our two part blog series on the “String of Paerls” threat, we showed an attack involving a spearphish message containing an attached malicious Word doc. We also described our methodology in grouping similar samples based on Indicators of Compromise: static and dynamic analysis indicators. In this second part of the blog series we will cover the malicious documents and malicious executables. For the technical deep dive see the write up on the VRT blog here.

 

Tags: , , , , ,

The Art of Escape

Craig Williams and Jaeson Schultz have contributed to this post.

We blogged in September of 2013 about variants of Havex. A month ago on June 2, 2014, I had the chance to give a presentation at AREA41.  In my presentation “The Art of Escape,” I talked about targeted attacks involving watering holes.

If we look at the timeline of the attacks we see two clear impacting factors:

  • CVE release time
  • Timeframe of new PluginDetect

This explains why we saw an increase in watering hole attacks peaking in August

timeline_havex

Read More »

Tags: , , , , ,