Cisco Blogs

Cisco Threat Research Blog

Threat intelligence for Cisco Products

We detect, analyze, and protect customers from both known and unknown emerging threats

Threat Research

  • Project APT: How to Build an ICS Network and Have fun at the Same Time

    - September 26, 2016 - 0 Comments

    The Industrial Control System (ICS) security team at Talos frequently see requests from peers and from students on how to build an ICS test lab. After all, the best way to learn is to get some equipment and learn with good old-fashioned hands-on tinkering. Unfortunately, many frame their test lab inquiries based on more traditional IT standards and network topologies. This is an easy error to make. After all, we can all generally name the components of a modern IT network – workstations, servers,switches, routers and firewalls for example. It’s easy to fall back on things for which we are most familiar.  It’s only natural. It would be easy to assume building an ICS network is just assembling the usual suspects of ICS equipment, and soon you will have an ICS test lab.

    The truth is, nothing is atypical with industrial control system networks. Understanding industrial control systems and how they work together to deliver a process is not an easy thing. An electrical utility and an oil refinery may make use of the exact same ICS equipment in completely different environments and configurations, which effectively makes understanding implementation difficult. With such a diversity of industries and verticals, it can be difficult to even find a starting point much less procure (often expensive) equipment to start a proper ICS test lab.

    Members of the ICS team (Joe Marshal, Patrick DeSantis II & Carlos Pacho) were challenged with this problem by Talos senior leadership, and were told to find a way to build a ICS test lab. No easy task! As it turns out, the answer was easy, but the road to get there would not be.

  • The Rising Tides of Spam

    - September 21, 2016 - 1 Comment

    This blog post was authored by Jaeson Schultz.

    For the past five years we have enjoyed a relatively calm period with respect to spam volumes. Back at the turn of the decade the world was experiencing record-high volumes of spam. However, with the evolution of new anti-spam technologies, combined with some high-profile takedowns of spam-related botnets, voluminous and indiscriminate spam attacks fell precipitously in popularity with spammers. Subsequently, having lower volumes of spam to contend with, anti-spam systems had the luxury of dedicating more computer processing resources to analyzing fewer messages for email-based threats. But, as the fashion industry adage goes, “everything old is new again.” Spam volumes are back on the rise.

    Read More

  • Microsoft Patch Tuesday – September 2016

    - September 13, 2016 - 1 Comment

    This post was authored by Jaeson Schultz.

    Well it’s Microsoft Patch Tuesday, again, and that must mean we are girding our systems against another round of security vulnerabilities. This month Microsoft has released fourteen (14) bulletins covering fifty (50) security vulnerabilities. There are seven bulletins in the set whose severity is considered “Critical”. These “Critical” bulletins affect Internet Explorer, Microsoft Edge, Microsoft Graphics Component, Microsoft Exchange Server, Microsoft Office, OLE Automation for VBScript Scripting Engine, and the Adobe Flash Player. The remaining seven bulletins impact products such as Silverlight, Windows, Windows Kernel, Windows Lock Screen, Windows Secure Kernel Mode, Windows SMBv1 Server, and the Microsoft Windows PDF Library.

    Read More

  • Talos ShadowGate Take Down: Global Malvertising Campaign Thwarted

    - September 1, 2016 - 1 Comment

    This blog authored by Nick Biasini.

    Exploit kits are a class of threat that indiscriminately aims to compromise all users. Talos has continued to monitor this threat over time resulting in large scale research and even resulting in a large scale takedown. The focus of this investigation is on the tools and techniques being used to drive users to the exploit kits. This blog looks at the anatomy of a global malvertising campaign and how users interact with exploit kit gates, regardless of the sites they visit and the countries they reside.

    Talos observed a large malvertising campaign affecting potentially millions of users visiting sites in North America, Europe, Asia Pac, and the Middle East. The research culminated in a joint effort with GoDaddy to mitigate the threat by taking back the registrant accounts used to host the activity, and taking down all applicable subdomains. This is yet another example of how organizations work together to stop threats affecting users around the globe. If you are a provider or online ad company that would like to work with Talos, please contact us.

    Online advertising is a key component of the Internet today, especially for sites that provide content free of charge. In this blog we will be discussing a global malvertising campaign that has affected a wide array of websites. These websites don’t bear responsibility for these malicious ads; it is just the nature of online advertising. As security organizations get better at identifying and shutting down malicious content, adversaries are going to continue to move and stay agile. The advantage to malicious advertising is if you visit the same site twice you are unlikely to receive the same content from an advertising perspective. This is where protections like ad blockers, browsers with advanced sandboxing technologies, and detection/prevention technologies are paramount to ensure protection from this type of content.

    Read More >>

  • Vulnerability Spotlight: Multiple DOS Vulnerabilities Within Kaspersky Internet Security Suite

    - August 26, 2016 - 0 Comments

    Talos has discovered multiple vulnerabilities in Kaspersky’s Internet Security product which can be used by an attacker to cause a local denial of service attack or to leak memory from any machine running Kaspersky Internet Security software.

    The vulnerabilities affect Kaspersky Internet Security 16.0.0, KLIF driver version 10.0.0.1532, but may affect other versions of the software too. Since anti-virus software runs with low level privileges on any system, vulnerabilities in these software are potentially very interesting for attackers. Although these vulnerabilities are not particularly severe, administrators should be aware that security systems can be used by threat actors as part of an attack, and keep such systems fully patched.

    Read More >>>

    Vulnerabilities discovered by Piotr Bania and Marcin ‘Icewall’ Noga of Cisco Talos.

  • Vulnerability Spotlight: Multiple Remote Code Execution Vulnerabilities Within Lexmark Perceptive Document Filters.

    - August 15, 2016 - 0 Comments

    Vulnerabilities discovered by Tyler Bohan & Marcin Noga of Cisco Talos.

    Talos are today releasing three new vulnerabilities discovered within the Lexmark Perceptive Document Filters library. TALOS-2016-0172, TALOS-2016-0173 and TALOS-2016-0183 allow for a remote code execution using specifically crafted files.

    These vulnerabilities are present in the Lexmark Document filter parsing engine which is used across a wide range of services such as eDiscovery, DLP, big data, content management and others. The library is commonly used across these services to allow for the deep inspection of a multitude of file formats to offer conversion capabilities such as from Microsoft document formats into other formats. Lexmark make this library available to compete against other third party and open source libraries used for such activities.

    Document conversion represents an important aspect of many businesses as they attempt to move from an unstructured data solution to a more workable structured data solution in order to improve business efficiency.

    The three vulnerabilities disclosed today allow for remote code execution using specifically crafted files such as XLS, Bzip2 & Compound Binary File Format (MS-CFB). This can provide an attacker with the capability to perform remote code execution within your environment and potentially offers the adversary full control of the attacked resource.

    Read More >>