Articles
Threat Spotlight: Spam Served With a Side of Dridex
5 min read
This post was authored by Nick Biasini with contributions from Kevin Brooks Overview The use of macro enabled word documents has exploded over the last year, a primary example payload being Dridex. Last week, Talos researchers identified another short lived spam campaign that was delivering a new variant of Dridex. This particular campaign lasted less than […]
Research Spotlight: FreeSentry Mitigating use-after-free Vulnerabilities
13 min read
This post was authored by Earl Carter & Yves Younan. Talos is constantly researching the ways in which threat actors take advantage of security weaknesses to exploit systems. Use-after-free vulnerabilities have become an important class of security problems due to the existence of mitigations that protect against other types of vulnerabilities, such as buffer overflows. […]
Research Spotlight: Project FTR
3 min read
Intro Historically, networks have always been at risk for new, undiscovered threats. The risk of state sponsored hackers or criminal organizations utilizing 0-day was a constant, and the best defense was simply to keep adding on technologies to maximize the odds of detecting the new threat – like adding […]
Threat Spotlight: Dyre/Dyreza: An Analysis to Discover the DGA
12 min read
This post was authored by Alex Chiu & Angel Villegas. Overview Banking and sensitive financial information is a highly coveted target for attackers because of the high value and obvious financial implications. In the past year, a large amount of attention has been centered on Point of Sale (PoS) malware due to its major role in […]
Threat Spotlight: The Imperiosus Curse –A Tool of the Dark Arts
9 min read
Authors: William Largent, Jaeson Schultz, Craig Williams. Special thanks to Richard Harman for his contributions to this post. As consumers, we are constantly bombarded by advertising, especially on the World Wide Web. There is a lot of money to be made either pushing Internet traffic, or displaying ads to consumers. Total annual Internet advertising revenue from […]
Research Spotlight: Exploiting Use-After-Free Vulnerabilities
2 min read
This blog post was authored by Earl Carter & Yves Younan. Talos is constantly researching the ways in which threat actors take advantage of security weaknesses to exploit systems. Yves Younan of Talos will be presenting at CanSecWest on Friday March 20th. The topic of his talk will be FreeSentry, a software-based mitigation technique developed […]
Threat Spotlight: PoSeidon, A Deep Dive Into Point of Sale Malware
6 min read
This post was authored by Andrea Allievi, Ben Baker, Nick Biasini, JJ Cummings, Douglas Goddard, William Largent, Angel Villegas, and Alain Zidouemba Cisco’s Security Solutions (CSS) consists of information security experts with a unique blend of law enforcement, enterprise security and technology security backgrounds. The team works directly with Cisco’s Talos Security Intelligence & Research […]
Talos Discovery Spotlight: Hundreds of Thousands of Google Apps Domains’ Private WHOIS Information Disclosed
5 min read
This post was authored by Nick Biasini, Alex Chiu, Jaeson Schultz, and Craig Williams. Special thanks to William McVey for his contributions to this post. Table of Contents Overview WHOIS Privacy Protection Why Does This Exist The Issue Implications for the Good/Bad Guys Current State and Mitigations Disclosure Timeline Conclusion Footnotes Overview In mid-2013, a problem […]
Microsoft Patch Tuesday for March 2015: 14 Bulletins Released; FREAK Patched
5 min read
Today, Microsoft has released their monthly set of security bulletins designed to address security vulnerabilities within their products. This month’s release sees a total of 14 bulletins being released which address 45 CVEs. The first 5 bulletins are rated critical and address vulnerabilities within Internet Explorer, Office, Windows, and VBScript. The remaining 9 bulletins are […]
Threat Spotlight: Angler Lurking in the Domain Shadows
10 min read
This post was authored by Nick Biasini and edited by Joel Esler Overview Over the last several months Talos researchers have been monitoring a massive exploit kit campaign that is utilizing hijacked registrant accounts to create large amounts of subdomains for both initial redirection and exploitation. This campaign has been largely attributed to Angler Exploit […]
Talos is Hiring
1 min read
If you’re an experienced malware reverse engineer, exploit developer, response specialist, intel analyst, or looking to start your career in security, Talos might be the place for you. We have a number of positions open in Columbia, Maryland; Austin, Texas; San Jose, California; and San Francisco, California. If you are open to relocation to one […]
Malicious PNGs: What You See Is Not All You Get!
3 min read
This post was authored by Earl Carter and Nick Randolph. Threat actors are continually evolving their techniques. One of the latest Graftor variants is delivering a Malware DLL via a PNG file delivery mechanism. Graftor basically indicates some type of trojan hiding in a piece of software. Hiding executables and DLLs in PNG files is […]
Equation Coverage
1 min read
Cisco Talos is aware of the public discourse surrounding the malware family dubbed “The Equation Family”. As of February 17th the following rules (33543 – 33546 MALWARE-CNC Win.Trojan.Equation) were released to detect the Equation Family traffic. These rules may be found in the Cisco FireSIGHT Management Console (Defense Center), or in the Subscriber Ruleset on […]
Tax Time: Let the Phishing Begin
3 min read
This post was authored by Earl Carter and Craig Williams. With the April 15th US tax deadline only about 2 months away, a new wave of tax related phishing is underway. In this latest spear-phishing campaign, attackers are attempting to gain access to your system so that they can steal your banking and other online […]
Bad Browser Plug-ins Gone Wild: Malvertising, Data Exfiltration, and Malware, Oh my!
4 min read
This post was authored by Fred Concklin, William Largent, Martin Rehak, Michal Svoboda, and Veronica Valeros. During an average day of surfing the web via computer, smartphones, and tablets, we...
Microsoft Patch Tuesday for February 2015: 56 vulnerabilities fixed
3 min read
Microsoft’s Patch Tuesday for February 2015 has arrived. This month’s round of security updates is large with Microsoft releasing 9 bulletins addressing 56 CVEs. 3 of the bulletins are rated critical and address vulnerabilities within Internet Explorer, Windows, and Group Policy. The remaining 6 bulletins are rated important and address vulnerabilities in Office, Windows, Group […]
Cryptowall 3.0: Back to the Basics
6 min read
This post was authored by Andrea Allievi & Earl Carter Ransomware continues to impact a large number of organizations and the malware continues to evolve. In January, we examined Cryptowall 2.0 and highlighted new features incorporated into the dropper and Cryptowall binary. When Cryptowall 3.0 appeared, we were interested in seeing what new functionality was […]
Angler Exploit Kit – New Variants
2 min read
This post was authored by Nick Biasini On January 27th, Talos researchers began observing a new Angler Exploit Kit (EK) campaign using new variants associated with (CVE-2015-0311). Based on our telemetry data the campaign lasted from January 26th until January 30th with the majority of the events occurring on January 28th & 29th.
CVE-2015-0235: A GHOST in the Machine
2 min read
This post was authored by Nick Biasini, Earl Carter, Alex Chiu and Jaeson Schultz On Tuesday January 27, 2015, security researchers from Qualys published information concerning a 0-day vulnerability in the GNU C library. The vulnerability, known as “GHOST” (a.k.a. CVE-2015-0235), is a buffer overflow in the __nss_hostname_digits_dots() function. As a proof-of-concept, Qualys has detailed a remote exploit for […]
Flash 0-day Exploited by Angler Exploit Kit
3 min read
This post was authored by Nick Biasini, Earl Carter and Jaeson Schultz Flash has long been a favorite target among Exploit Kits (EK). In October 2014 the Angler EK was believed to be targeting a new Flash vulnerability. The bug that the Angler exploit kit was attempting to exploit had been “accidentally” patched by Adobe’s […]
Microsoft Update Tuesday January 2015: Another Light Month, No IE Bulletins, More Changes to Reporting
3 min read
This post was written by Yves Younan. Microsoft’s first Update Tuesday of 2015 is pretty light, there’s a total of eight bulletins, all covering a single vulnerability. Seven of these bulletins are rated as important and just one is rated critical. No bulletin for IE is being released this month. Two of the vulnerabilities were […]
Ransomware on Steroids: Cryptowall 2.0
6 min read
This post was authored by Andrea Allievi and Earl Carter. Ransomware holds a user’s data hostage. The latest ransomware variants encrypt the user’s data, thus making it unusable until a ransom is paid to retrieve the decryption key. The latest Cryptowall 2.0, utilizes TOR to obfuscate the command and control channel. The dropper utilizes multiple […]
Wiper Malware – A Detection Deep Dive
5 min read
This post was authored by Christopher Marczewski with contributions from Craig WIlliams *This blog post has been updated to include Command and Control IP addresses used by the malware. A new piece of wiper malware has received quite a bit of media attention. Despite all the recent press, Cisco’s Talos team has historic examples of […]
Ancient Mac Site Harbors Botnet that Exploits IE Vulnerability
6 min read
This post was authored by Alex Chiu and Shaun Hurley. Last month, Microsoft released a security bulletin to patch CVE-2014-6332, a vulnerability within Windows Object Linking and Embedding (OLE) that could result in remote code execution if a user views a maliciously crafted web page with Microsoft Internet Explorer. Since then, there have been several […]
Dridex Is Back, then it’s gone again
2 min read
This post was authored by Armin Pelkmann and Earl Carter. Talos Security Intelligence and Research Group noticed a reappearance of several Dridex email campaigns, starting last week and continuing into this week as well. Dridex is in a nutshell, malware designed to steal your financial account information. The attack attempts to get the user to install the […]
Microsoft Patch Tuesday for December 2014: Light Month, Some Changes
3 min read
This post was authored by Yves Younan. Today, Microsoft is releasing their final Update Tuesday of 2014. Last year, the end of year update was relatively large. This time, it’s relatively light with a total of seven bulletins, covering 24 CVEs. Three of those bulletins are rated critical and four are considered to be important. […]
MS14-063 A Potential XP Exploit
5 min read
This post was written by Marcin Noga with contributions by Earl Carter and Martin Lee. New vulnerabilities for old operating systems may not seem particularly interesting, until you consider the large number of legacy machines running outdated versions of Windows. Windows XP has reached its end of life, meaning that new vulnerabilities will not be […]
Cisco Coverage for ‘Regin’ Campaign
1 min read
This post was authored by Alex Chiu with contributions from Joel Esler. Advanced persistent threats are a problem that many companies and organizations of all sizes face. In the past two days, information regarding a highly targeted campaign known as ‘Regin’ has been publicly disclosed. The threat actors behind ‘Regin’ appear to be targeting organizations […]
Microsoft Update Tuesday November 2014: Fixes for 3 0-day Vulnerabilities
3 min read
This month Microsoft is releasing 14 security bulletins. Originally they had planned to release 16, but due to issues that emerged in late testing, two bulletins that were announced in the Advance Security Notification, MS14-068 and MS14-075, have been postponed. Of the 14 bulletins, four are considered critical, eight are important, while two are moderate. […]
Talos Discovered Three More Vulnerabilities in Pidgin
3 min read
This post was authored by Yves Younan and edited by Armin Pelkmann Table of contents CVE-2014-3697, VRT-2014-0205 CVE-2014-3696, VRT-2014-0204 CVE-2014-3695, VRT-2014-0203 Cisco Talos is announcing the discovery and patching of another three 3 CVE vulnerabilities in Pidgin (An open-source multi-platform instant messaging client – see wikipedia page). These vulnerabilities were discovered by our team and reported to the Pidgin team. They were […]
Threat Spotlight: Group 72, Opening the ZxShell
17 min read
This post was authored by Andrea Allievi, Douglas Goddard, Shaun Hurley, and Alain Zidouemba. Recently, there was a blog post on the takedown of a botnet used by threat actor group known as Group 72 and their involvement in Operation SMN. This group is sophisticated, well funded, and exclusively targets high profile organizations with high […]
Weaponized Powerpoint in the Wild
1 min read
This post was written by Jaeson Schultz. On October 14th information related to a new Windows vulnerability, CVE-2014-4114, was published. This new vulnerability affects all supported versions of Microsoft Windows. Windows XP, however, is not affected by this vulnerability. The problem lies in Windows’ OLE package manager. When triggered it allows for remote code execution.
Reversing Multilayer .NET Malware
9 min read
This post was authored by Dave McDaniel with contributions from Jaeson Schultz Recently, we came across a malware sample that has been traversing the Internet disguised as an image of a woman. The malware sample uses several layers of obfuscation to hide its payload, including the use of steganography. Steganography is the practice of concealing […]
POODLE and The Curse of Backwards Compatibility
2 min read
This post was written by Martin Lee Old protocol versions are a fact of life. When a new improved protocol is released, products still need to support the old version for backwards compatibility. If previous versions contain weaknesses in security, yet their continued support is mandated, then security can become a major issue when a […]
Threat Spotlight: Group 72
3 min read
This post is co-authored by Joel Esler, Martin Lee and Craig Williams Everyone has certain characteristics that can be recognised. This may be a way of walking, an accent, a turn of phrase or a style of dressing. If you know what to look for you can easily spot a friend or acquaintance in a […]
Microsoft Update Tuesday October 2014: Fixes for 4 0-day Vulnerabilities
2 min read
This post was authored by Yves Younan Microsoft Tuesday is here once again and this month they are releasing a total of eight bulletins. Three of which are rated as critical, while the remaining five are rated as important. There’s a total of 24 CVEs this month, 20 of which were privately disclosed to Microsoft […]
Evolution of the Nuclear Exploit Kit
6 min read
This post is co-authored by Alex Chiu, Martin Lee, Emmanuel Tacheau, and Angel Villegas. Exploit kits remain an efficient mechanism for cyber criminals to distribute malware. Such kits include exploits for multiple vulnerabilities within a single malicious webpage. Criminals can check operating systems, web browsers and browser plugins for anything that is not fully patched […]