Cisco Threat Research Blog

Threat intelligence for Cisco Products

We detect, analyze, and protect customers from both known and unknown emerging threats

  • Vulnerability Spotlight: Multiple Remote Code Execution Vulnerabilities Within Lexmark Perceptive Document Filters.

    - August 15, 2016 - 0 Comments

    Vulnerabilities discovered by Tyler Bohan & Marcin Noga of Cisco Talos.

    Talos is today disclosing three new vulnerabilities discovered within the Lexmark Perceptive Document Filters library. TALOS-2016-0172, TALOS-2016-0173 and TALOS-2016-0183 allow remote code execution using specially crafted files.

    These vulnerabilities are present in the Lexmark Document Filters parsing engine, which is used across a wide range of services such as eDiscovery, DLP, big data, content management and others. The library is commonly used across these services to allow deep inspection of a multitude of file formats and to offer conversion capabilities, such as converting Microsoft document formats into other formats. Lexmark makes this library available to compete against other third-party and open source libraries used for such activities.

    Document conversion represents an important aspect of many businesses as they attempt to move from an unstructured data solution to a more workable structured data solution in order to improve business efficiency.

    The three vulnerabilities disclosed today allow for remote code execution using specially crafted files such as XLS, Bzip2 and Compound Binary File Format (MS-CFB) files. This can provide an attacker with the capability to perform remote code execution within your environment and potentially offers the adversary full control of the attacked resource.

    Read More >>

  • Vulnerability Spotlight: Rockwell Automation MicroLogix 1400 SNMP Credentials Vulnerability

    - August 12, 2016 - 0 Comments

    This vulnerability was discovered by Patrick DeSantis.

    Description

    Talos recently discovered a vulnerability in Allen-Bradley Rockwell Automation MicroLogix 1400 Programmable Logic Controllers (PLCs) related to the default configuration that is shipped with devices running affected versions of firmware. This vulnerability is due to the presence of an undocumented SNMP community string that could be leveraged by an attacker to gain full control of affected devices and grants the ability to manipulate configuration settings, replace the firmware running on the device with attacker-controlled code, or otherwise disrupt device operations. Depending on the role of the affected PLC within an industrial control process, this could result in significant damages.

    In addition to the default, documented SNMP community strings of ‘public’ (read) and ‘private’ (read/write), an undocumented community string of ‘wheel’ (read/write) also exists, which enables attackers to make unauthorized device changes, such as modifying settings or conducting malicious firmware updates. It is possible that this community string allows access to other OIDs; however, Talos tested only specific use cases.

    Read More >>

  • Vulnerability Spotlight: BlueStacks App Player Privilege Escalation

    - August 10, 2016 - 1 Comment

    Discovered by Marcin ‘Icewall’ Noga of Cisco Talos

    Talos is releasing an advisory for a vulnerability in BlueStacks App Player. (TALOS-2016-0124/CVE-2016-4288). The BlueStacks App Player is designed to enable Android applications to run on Windows PCs and Macintosh computers. It’s commonly used to run popular Android games on these platforms.

    Details

    A weak registry key permission vulnerability exists in the BlueStacks application. By default the BlueStacks installer sets weak permissions on the registry key that contains the InstallDir value, which is later used by the BlueStacks service component. This default configuration gives a malicious user the ability to modify this value, which can lead to privilege escalation.

    Read More >>

  • Microsoft Patch Tuesday – August 2016

    - August 9, 2016 - 0 Comments

    This post was authored by Edmund Brumaghin and Jonah Samost

    Today is Patch Tuesday for August 2016, and Microsoft has released several security bulletins and associated patches to resolve security issues across their products. This month’s patch release includes 9 bulletins addressing 28 vulnerabilities. Five of the bulletins Microsoft has released are rated Critical and address vulnerabilities in Internet Explorer, Edge, Windows Graphics Component, Microsoft Office, and the Windows PDF library. The remaining four bulletins are rated Important and address vulnerabilities in Windows Kernel-Mode Drivers, Secure Boot, Windows Authentication Methods, and ActiveSyncProvider.

    Bulletins Rated Critical

    Microsoft has listed bulletins MS16-095, MS16-096, MS16-097, MS16-099, MS16-102 as critical in this month’s release.

    MS16-095 and MS16-096 are this month’s bulletins addressing security vulnerabilities associated with Microsoft Internet Explorer and Edge. The Internet Explorer bulletin addresses a total of nine vulnerabilities, including five memory corruption bugs and four information disclosure vulnerabilities. The Edge bulletin covers a total of eight vulnerabilities, including a remote code execution vulnerability, four memory corruption bugs and three information disclosure vulnerabilities. The Internet Explorer bulletin is rated Critical for affected Windows clients and Moderate for affected Windows Servers.

    Read More >>

  • Macro Intruders: Sneaking Past Office Defenses

    - August 2, 2016 - 0 Comments

    Macros have been used since the mid 1990s to spread malware and infect systems. Increased user awareness of the need to disable the macro function within Microsoft Word during the late 90s and early 2000s sent this malware into decline. However, a change in Microsoft (MS) Office file formats dating from 2007 is now being actively exploited to hide the presence of macros and distribute malware at an increasing rate.

    In this article, I show how MS Office file formats are being abused and obfuscated, and the extent of distribution of macro malware.

    Read More >>

  • Ransomware: Because OpSec Is Hard?

    - July 25, 2016 - 0 Comments

    This blog was authored by Edmund Brumaghin and Warren Mercer

    Summary

    Talos recently published research regarding a new variant of destructive ransomware, which we dubbed Ranscam. During further analysis of Ranscam samples, we discovered several indicators of compromise (IOCs) that piqued our curiosity as to which malware this threat actor might be involved in or responsible for besides Ranscam. We began to expand the scope of our research into other destructive “ranscamware” in an effort to determine if they had any shared characteristics that might indicate the same threat actor or group might be responsible for multiple variants. We found several interesting ties between known destructive ransomware variants such as Jigsaw and AnonPop which correlated with the threat actor we believe to be responsible for Ranscam.

    Read More >>