Cisco Blogs

Cisco Blog > Security

It’s That Time Again—Announcing the Cisco IOS & XE Software Security Advisory Bundled Publication

Today, we released the last Cisco IOS & XE Software Security Advisory Bundled Publication of 2015. As a reminder, Cisco discloses IOS vulnerabilities on a predictable schedule (the fourth Wednesday of March and September each calendar year).  Last cycle, we began including Cisco Security Advisories addressing vulnerabilities in Cisco IOS XE Software in this publication.  This change was a direct result of your feedback, and we hope the timeline and additional “bundling” continues to allow organizations to plan and ensure resources are available to analyze, test, and remediate vulnerabilities in their environments.

Today’s edition of the Cisco IOS & XE Software Security Advisory Bundled Publication includes three advisories that affect the following technologies:

  • IPv6 First-Hop Security
  • SSH Version 2 (SSHv2)
  • Cisco IOS XE Software

You may recall that Cisco announced enhancements to the Cisco IOS Software Checker last year. As my colleague Kevin Saling shared, the tool can display first-fixed software release data based on the combination of Cisco IOS Software releases and Cisco Security Advisories selected. Users can now quickly identify the first release that addresses all vulnerabilities disclosed in the selected advisories.   Read More »

Tags: , , , ,

SYNful Knock Scanner

This post was authored by William McVey.

Update 9/23: We updated the tool to version 1.0.1

Talos is constantly researching the ways in which threat actors are evolving to exploit systems. Recently, a piece of persistent malware coined as SYNful Knock was discovered on Cisco routers. While this malware attack is not a vulnerability, as it had to be installed by someone using valid credentials or who had physical access to the device, Cisco has published an Event Response Page for customers to provide the information needed to detect and remediate these types of attacks. We are also working with partners to identify compromised systems.

The most recent addition to the toolkit Cisco is providing customers comes after the Cisco PSIRT worked with internal teams and customers to acquire copies of the malware. Talos has now developed a tool for customers to scan their own network to identify routers that may have been compromised by this specific malware. The tool works by scanning devices and networks, looking for routers answering the SYNful Knock malware.

Note: This tool can only detect hosts responding to the malware “knock” as it is known at a particular point in time. This tool can be used to help detect and triage known compromises of infrastructure, but it cannot establish that a network does not have malware that might have evolved to use a different set of signatures.

Read More »

Tags: , ,

Cognitive Research: Fake Blogs Generating Real Money


In the past several months Cisco Cognitive Threat Analytics (CTA) researchers have observed a number of blog sites using either fake content or content stolen from other sites to drive traffic to click on ad-loaded web sites. We have observed traffic volume up to 10,000 requests per hour, targeting hundreds of sites. The estimated lifetime of this campaign is at least 9 months. With a single click worth anywhere from $0.01 and $1, these scams can yield substantial returns for their owners.

Fake blogs are not new, but these actors are operating with a slightly different MO. Effort has been made to evade web reputation based blocks and hide from the eyes of investigators. First, we observe a large number of similar sites with word-based and topic-based generated domain names. These sites look like benign travel-related blogs full of content at first sight. Secondly, most of the intermediate infrastructure will redirect a random request away towards Google, making the investigation more difficult.

The general traffic pattern was observed as follows:

  1. Large numbers of requests arrive from infected clients to the fake blog sites. To look less suspicious, the requests look like search queries – for example:
  2. There is a series of redirects via intermediate sites, which are already associated with click-frauds – for example:
  3. These redirects bring the clients towards another set of fake sites, with travel related names (e.g., this time these sites have no content.
  4. Finally, clients are sent to browse arbitrary web sites to generate clicks and/or revenue.

Details of the analysis follow: Read More »

Tags: , , ,

Welcome Michelle Dennedy, Cisco’s Chief Privacy Officer

 “It’s our thesis that privacy will be an integral part of the next wave in the technology revolution and that innovators who are emphasizing privacy as an integral part of the product life cycle are on the right track.” —The Privacy Engineer’s Manifesto, 2014

Privacy in an always and increasingly connected world is a complex topic. Does privacy mean the same thing it did 20—or even 10 years ago—before we all used smartphones and social media? How does data that we generate in our connected day tell a story, become monetized, and get purposed and repurposed? How do vendors ensure that privacy is designed into products and services?

These are issues that Michelle Finneran Dennedy, a leading authority on privacy, corporate policies, and the protection of the Internet, is passionate about—and so is Cisco. So I’m very pleased to say that Michelle joined Cisco as Vice President and Chief Privacy Officer today. Simply stated, welcome, Michelle! Read More »

Tags: , , , ,

SYNful Knock: Acting to protect Cisco customers

The security of our customers is critical, and when needed, we pull out all stops to protect them.

Cisco participates in a large ecosystem of partners, industry peers (yes, that includes competitors), and non-profits that provides insight and awareness into a multitude of security threats. We also have deep internal expertise. The Cisco Talos organization is focused on threat research and content for our security offerings, our Information Security teams protect Cisco’s own network, and our PSIRT organization delivers coordinated vulnerability management.

Together these teams and partners represent a powerful ally for Cisco customers, working around the clock to develop robust detections and protect the integrity of Cisco IOS devices.

Our Talos team, along with one of our ecosystem partners Shadowserver, have been scanning to detect potential exposure to the malware now known as SYNful Knock. Many of our enterprise and service provider customers have seen the increase in scanning from Shadowserver to detect the related Indicators of Compromise (IOCs).

Shadowserver has established reporting capabilities, and at our request, additional data will now be included for potential matches to the SYNful Knock IOCs. Existing ShadowServer customers will benefit from this additional reporting soon. If you are not currently receiving their reports, you can request service on their website.

We believe this activity supports Cisco efforts that are already underway to identify and alert customers to potential exposures. It adds to the conversations we’re having with customers about the need for broad-based risk assessment, containment, and remediation. Our focus is on the integrity of Cisco devices, for this set of IOCs and beyond.

You can read my earlier blog posts on this subject: SYNful Knock: Detecting and Mitigating Cisco IOS Software Attacks and SYNful Knock: Protect Your Credentials, Protect Your Network to obtain more information about protecting your credentials and infrastructure, as well about techniques for detecting and mitigating attacks against Cisco IOS Software.

We remain focused on leveraging the benefits of our extensive industry relationships for our customers, and sharing the information needed they need to respond to a changing threat landscape.

As a reminder, you can find more about Cisco’s response to SYNful Knock on our Event Response Page.