Cisco Blogs

Threat Research

  • GPlayed younger brother is a banker and targets Russian banks


    October 29, 2018

    Cisco Talos published its findings on a new Android trojan known as “GPlayed” on Oct. 11. At the time, we wrote that the trojan seemed to be in the testing stages of development, based on the malware’s code patterns, strings and telemetry visibility. Since then, we discovered that there’s already a predecessor to GPlayed, which we are calling “GPlayed Banking.” Unlike the first version of GPlayed, this is not an all-encompassing banking trojan. It is specifically a banking trojan that’s looking to target Sberbank AutoPay users, a service offered by the Russian state-owned bank.

    GPlayed Banking is spread in a similar way to the original GPlayed. It’s disguised as a fake Google app store, but actually installs the malware once it’s launched. This further illustrates the point that Android users need to be educated on how to spot a malicious app, and that they should be careful as to what privileges they assign to certain programs.


  • Threat Roundup for October 19-26


    October 26, 2018

    Today, as we do every week, Talos is giving you a glimpse into the most prevalent threats we’ve observed this week — covering the dates between Oct. 19 and 26. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, we will summarize the threats we’ve observed by highlighting key behavioral characteristics and indicators of compromise, and discussing how our customers are automatically protected from these threats.

    As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.


  • Vulnerability Spotlight: Talos-2018-0694 – MKVToolNix mkvinfo read_one_element Code Execution Vulnerability


    October 26, 2018

    Piotr Bania, Cory Duplantis and Martin Zeiser of Cisco Talos discovered this vulnerability.

    Today, Cisco Talos is disclosing a vulnerability that we identified in the MKVToolNix mkvinfo utility that parses the Matroska file format video files (.mkv files).

    MKVToolNix is a set of tools to create, alter and inspect Matroska files on Linux, Windows and other operating systems.

    Matroska is a file format for storing common multimedia content, like movies or TV shows, with implementations consisting mostly of open-source software. Matroska file extensions are MKV for video, MK3D for stereoscopic video, MKA for audio-only files and MKS for subtitle-only files.


  • Vulnerability Spotlight: TALOS-2018-0635/0636 – Sophos HitmanPro.Alert memory disclosure and code execution vulnerabilities


    October 25, 2018

    Overview

    Cisco Talos is disclosing two vulnerabilities in Sophos HitmanPro.Alert, a malware detection and protection tool. Both vulnerabilities lie in the input/output control (IOCTL) message handler. One could allow an attacker to read kernel memory contents, while the other allows code execution and privilege escalation.


  • Threat Roundup for October 12-19


    October 19, 2018

    Today, as we do every week, Talos is giving you a glimpse into the most prevalent threats we’ve observed this week — covering the dates between Oct. 12 and 19. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, we will summarize the threats we’ve observed by highlighting key behavioral characteristics and indicators of compromise, and discussing how our customers are automatically protected from these threats.

    As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.


  • Tracking Tick Through Recent Campaigns Targeting East Asia


    October 18, 2018

    Since 2016, an advanced threat group that Cisco Talos is tracking has carried out cyberattacks against South Korea and Japan. This group is known by several different names: Tick, Redbaldknight and Bronze Butler.

    Although each campaign employed custom tools, Talos has observed recurring patterns in the actor’s use of infrastructure, from overlaps in hijacked command and control (C2) domains to differing campaign C2s resolving to the same IP. These infrastructure patterns indicate similarities between the Datper, xxmm backdoor, and Emdivi malware families. In this post, we will dive into these parallels and examine the methods used by this actor.


  • Vulnerability Spotlight: Live Networks LIVE555 streaming media RTSPServer code execution vulnerability


    October 18, 2018

    This vulnerability was discovered by Lilith Wyatt of Cisco Talos.

    Cisco Talos is disclosing a code execution vulnerability that has been identified in Live Networks LIVE555 streaming media RTSPServer.

    LIVE555 Streaming Media is a set of open-source C++ libraries developed by Live Networks Inc. for multimedia streaming. The libraries support open standards such as RTP/RTCP and RTSP for streaming, and can also manage video RTP payload formats such as H.264, H.265, MPEG, VP8, and DV, and audio RTP payload formats such as MPEG, AAC, AMR, AC-3 and Vorbis. It is used internally by well-known software such as VLC and MPlayer.

    An exploitable code execution vulnerability exists in the HTTP packet-parsing functionality of the LIVE555 RTSP server library, which is not part of media players, but interacts with them. A specially crafted packet can cause a stack-based buffer overflow, resulting in code execution. An attacker can send a packet to trigger this vulnerability.


  • Vulnerability Spotlight: Linksys ESeries Multiple OS Command Injection Vulnerabilities


    October 16, 2018

    These vulnerabilities were discovered by Jared Rittle of Cisco Talos.

    Today, Talos is disclosing several vulnerabilities that have been identified in the operating system of the Linksys E Series of routers.

    Multiple exploitable OS command injection vulnerabilities exist in the Linksys ESeries line of routers. Specially crafted requests to network configuration information can cause execution of arbitrary system commands, resulting in full control of the device. An attacker can send an authenticated HTTP request to trigger these vulnerabilities.

    Linksys E Series is a product line of routers for small and home offices supporting various features including easy management, security and QoS. It is designed to connect home computers, Internet-ready TVs, game consoles, smartphones, and other Wi-Fi devices at fast transfer rates for an unrivalled experience.


  • Old dog, new tricks – Analysing new RTF-based campaign distributing Agent Tesla, Loki with PyREbox


    October 15, 2018

    This blog post was authored by Edmund Brumaghin and Holger Unterbrink with contributions from Emmanuel Tacheau.

    Executive Summary

    Cisco Talos has discovered a new malware campaign that drops the sophisticated information-stealing trojan called “Agent Tesla,” and other malware such as the Loki information stealer. Initially, Talos’ telemetry systems detected a highly suspicious document that wasn’t picked up by common antivirus solutions. However, Threat Grid, Cisco’s unified malware analysis and threat intelligence platform, identified the unknown file as malware. The adversaries behind this malware use a well-known exploit chain, but modified it in such a way so that antivirus solutions don’t detect it. In this post, we will outline the steps the adversaries took to remain undetected, and why it’s important to use more sophisticated software to track these kinds of attacks. If undetected, Agent Tesla has the ability to steal user’s login information from a number of important pieces of software, such as Google Chrome, Mozilla Firefox, Microsoft Outlook and many others. It can also be used to capture screenshots, record webcams, and allow attackers to install additional malware on infected systems.


  • Threat Roundup for October 5-12


    October 12, 2018

    Today, as we do every week, Talos is giving you a glimpse into the most prevalent threats we’ve observed this week — covering the dates between Oct. 5 and 12. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, we will summarize the threats we’ve observed by highlighting key behavioral characteristics and indicators of compromise, and discussing how our customers are automatically protected from these threats.

    As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.
