Talos Group

10 min read

This post was authored by Nick Biasini and edited by Joel Esler Overview Over the last several months Talos researchers have been monitoring a massive exploit kit campaign that is utilizing hijacked registrant accounts to create large amounts of subdomains for both initial redirection and exploitation. This campaign has been largely attributed to Angler Exploit […]

1 min read

If you’re an experienced malware reverse engineer, exploit developer, response specialist, intel analyst, or looking to start your career in security, Talos might be the place for you.  We have a number of positions open in Columbia, Maryland; Austin, Texas; San Jose, California; and San Francisco, California.  If you are open to relocation to one […]

3 min read

This post was authored by Earl Carter and Nick Randolph. Threat actors are continually evolving their techniques. One of the latest Graftor variants is delivering a Malware DLL via a PNG file delivery mechanism. Graftor basically indicates some type of trojan hiding in a piece of software. Hiding executables and DLLs in PNG files is […]

1 min read

Cisco Talos is aware of the public discourse surrounding the malware family dubbed “The Equation Family”. As of February 17th the following rules (33543 – 33546 MALWARE-CNC Win.Trojan.Equation) were released to detect the Equation Family traffic. These rules may be found in the Cisco FireSIGHT Management Console (Defense Center), or in the Subscriber Ruleset on […]

3 min read

This post was authored by Earl Carter and Craig Williams. With the April 15th US tax deadline only about 2 months away, a new wave of tax related phishing is underway. In this latest spear-phishing campaign, attackers are attempting to gain access to your system so that they can steal your banking and other online […]

4 min read

This post was authored by Fred Concklin, William Largent,  Martin Rehak,  Michal Svoboda, and Veronica Valeros. During an average day of surfing the web via computer, smartphones, and tablets, we...

3 min read

Microsoft’s Patch Tuesday for February 2015 has arrived.  This month’s round of security updates is large with Microsoft releasing 9 bulletins addressing 56 CVEs.  3 of the bulletins are rated critical and address vulnerabilities within Internet Explorer, Windows, and Group Policy.  The remaining 6 bulletins are rated important and address vulnerabilities in Office, Windows, Group […]

6 min read

This post was authored by Andrea Allievi  & Earl Carter Ransomware continues to impact a large number of organizations and the malware continues to evolve. In January, we examined Cryptowall 2.0 and highlighted new features incorporated into the dropper and Cryptowall binary. When Cryptowall 3.0 appeared, we were interested in seeing what new functionality was […]

2 min read

This post was authored by Nick Biasini On January 27th,  Talos researchers began observing a new Angler Exploit Kit (EK) campaign using new variants associated with (CVE-2015-0311). Based on our telemetry data the campaign lasted from January 26th until January 30th with the majority of the events occurring on January 28th & 29th.

2 min read

This post was authored by Nick Biasini, Earl Carter, Alex Chiu and Jaeson Schultz On Tuesday January 27, 2015, security researchers from Qualys published information concerning a 0-day vulnerability in the GNU C library. The vulnerability, known as “GHOST” (a.k.a. CVE-2015-0235), is a buffer overflow in the __nss_hostname_digits_dots() function. As a proof-of-concept, Qualys has detailed a remote exploit for […]

3 min read

This post was authored by Nick Biasini, Earl Carter and Jaeson Schultz Flash has long been a favorite target among Exploit Kits (EK). In October 2014 the Angler EK was believed to be targeting a new Flash vulnerability. The bug that the Angler exploit kit was attempting to exploit had been “accidentally” patched by Adobe’s […]

3 min read

This post was written by Yves Younan. Microsoft’s first Update Tuesday of 2015 is pretty light, there’s a total of eight bulletins, all covering a single vulnerability. Seven of these bulletins are rated as important and just one is rated critical. No bulletin for IE is being released this month. Two of the vulnerabilities were […]

6 min read

This post was authored by Andrea Allievi and Earl Carter. Ransomware holds a user’s data hostage. The latest ransomware variants encrypt the user’s data, thus making it unusable until a ransom is paid to retrieve the decryption key. The latest Cryptowall 2.0, utilizes TOR to obfuscate the command and control channel. The dropper utilizes multiple […]

5 min read

This post was authored by Christopher Marczewski with contributions from Craig WIlliams *This blog post has been updated to include Command and Control IP addresses used by the malware. A new piece of wiper malware has received quite a bit of media attention. Despite all the recent press, Cisco’s Talos team has historic examples of […]

6 min read

This post was authored by Alex Chiu and Shaun Hurley. Last month, Microsoft released a security bulletin to patch CVE-2014-6332, a vulnerability within Windows Object Linking and Embedding (OLE) that could result in remote code execution if a user views a maliciously crafted web page with Microsoft Internet Explorer. Since then, there have been several […]

2 min read

This post was authored by Armin Pelkmann and Earl Carter. Talos Security Intelligence and Research Group noticed a reappearance of several Dridex email campaigns, starting last week and continuing into this week as well. Dridex is in a nutshell, malware designed to steal your financial account information. The attack attempts to get the user to install the […]

3 min read

This post was authored by Yves Younan. Today, Microsoft is releasing their final Update Tuesday of 2014. Last year, the end of year update was relatively large. This time, it’s relatively light with a total of seven bulletins, covering 24 CVEs. Three of those bulletins are rated critical and four are considered to be important. […]

5 min read

This post was written by Marcin Noga with contributions by Earl Carter and Martin Lee. New vulnerabilities for old operating systems may not seem particularly interesting, until you consider the large number of legacy machines running outdated versions of Windows. Windows XP has reached its end of life, meaning that new vulnerabilities will not be […]

1 min read

This post was authored by Alex Chiu with contributions from Joel Esler. Advanced persistent threats are a problem that many companies and organizations of all sizes face.  In the past two days, information regarding a highly targeted campaign known as ‘Regin’ has been publicly disclosed.  The threat actors behind ‘Regin’ appear to be targeting organizations […]

3 min read

This month Microsoft is releasing 14 security bulletins. Originally they had planned to release 16, but due to issues that emerged in late testing, two bulletins that were announced in the Advance Security Notification, MS14-068 and MS14-075, have been postponed. Of the 14 bulletins, four are considered critical, eight are important, while two are moderate. […]

3 min read

This post was authored by Yves Younan and edited by Armin Pelkmann Table of contents CVE-2014-3697, VRT-2014-0205 CVE-2014-3696, VRT-2014-0204 CVE-2014-3695, VRT-2014-0203 Cisco Talos is announcing the discovery and patching of another three 3 CVE vulnerabilities in Pidgin (An open-source multi-platform instant messaging client – see wikipedia page). These vulnerabilities were discovered by our team and reported to the Pidgin team. They were […]

17 min read

This post was authored by Andrea Allievi, Douglas Goddard, Shaun Hurley, and Alain Zidouemba. Recently, there was a blog post on the takedown of a botnet used by threat actor group known as Group 72 and their involvement in Operation SMN.  This group is sophisticated, well funded, and exclusively targets high profile organizations with high […]

1 min read

This post was written by Jaeson Schultz. On October 14th information related to a new Windows vulnerability, CVE-2014-4114, was published. This new vulnerability affects all supported versions of Microsoft Windows. Windows XP, however, is not affected by this vulnerability. The problem lies in Windows’ OLE package manager. When triggered it allows for remote code execution.

9 min read

This post was authored by Dave McDaniel with contributions from Jaeson Schultz Recently, we came across a malware sample that has been traversing the Internet disguised as an image of a woman. The malware sample uses several layers of obfuscation to hide its payload, including the use of steganography. Steganography is the practice of concealing […]

2 min read

This post was written by Martin Lee Old protocol versions are a fact of life. When a new improved protocol is released, products still need to support the old version for backwards compatibility. If previous versions contain weaknesses in security, yet their continued support is mandated, then security can become a major issue when a […]

3 min read

This post is co-authored by Joel Esler, Martin Lee and Craig Williams Everyone has certain characteristics that can be recognised. This may be a way of walking, an accent, a turn of phrase or a style of dressing. If you know what to look for you can easily spot a friend or acquaintance in a […]

2 min read

This post was authored by Yves Younan Microsoft Tuesday is here once again and this month they are releasing a total of eight bulletins. Three of which are rated as critical, while the remaining five are rated as important. There’s a total of 24 CVEs this month, 20 of which were privately disclosed to Microsoft […]

6 min read

This post is co-authored by Alex Chiu, Martin Lee, Emmanuel Tacheau, and Angel Villegas. Exploit kits remain an efficient mechanism for cyber criminals to distribute malware. Such kits include exploits for multiple vulnerabilities within a single malicious webpage. Criminals can check operating systems, web browsers and browser plugins for anything that is not fully patched […]