Cisco Blogs

Threat Research

  • New KONNI Campaign References North Korean Missile Capabilities

    - July 6, 2017

    This blog was authored by Paul Rascagneres

    Executive Summary

    We recently wrote about the KONNI Remote Access Trojan (RAT) which has been distributed by a small number of campaigns over the past 3 years. We have identified a new distribution campaign which took place on 4th July. The malware used in this campaign has similar features to that distributed earlier in 2017 with the following changes:

    • A new decoy document copy/pasted from an article published on the 3rd of July by Yonhap News Agency in Korea;
    • The dropper includes a 64-bit version of KONNI;
    • A new CC infrastructure consisting of a climbing club website.

    North Korea conducted a test missile launch on 3rd July. This campaign appears to be directly related to the launch and the ensuing discussion of North Korean missile technology. This is consistent with previous KONNI distribution campaigns which have also frequently mentioned North Korea.


  • The MeDoc Connection

    - July 5, 2017


    The Nyetya attack was a destructive ransomware variant that affected many organizations inside Ukraine and multinational corporations with operations in Ukraine. In cooperation with Cisco Advanced Services Incident Response, Talos identified several key aspects of the attack. The investigation found a supply-chain-focused attack on the M.E.Doc software that delivered a destructive payload disguised as ransomware. Using stolen credentials, the actor was able to manipulate the update server for M.E.Doc to proxy connections to an actor-controlled server. Based on the findings, Talos remains confident that the attack was destructive in nature. The effects were far-reaching, with Ukraine Cyber Police confirming over 2000 affected companies in Ukraine alone.


  • Vulnerability Spotlight: Dell Precision Optimizer and Invincea Vulnerabilities

    - June 30, 2017
    Talos are releasing advisories for vulnerabilities in the Dell Precision Optimizer application service software, Invincea-X and Invincea Dell Protected Workspace. These packages are pre-installed on certain Dell systems. Vulnerabilities present in these applications could allow attackers to disable security mechanisms, escalate privileges and execute arbitrary code within the context of the application user.

  • New Ransomware Variant “Nyetya” Compromises Systems Worldwide

    - June 27, 2017

    Note: This blog post discusses active research by Talos into a new threat. This information should be considered preliminary and will be updated as research continues. For the most current info, please read our full blog on

    Since the SamSam attacks that targeted US healthcare entities in March 2016, Talos has been concerned about the proliferation of malware via unpatched network vulnerabilities. In May 2017, WannaCry ransomware took advantage of a vulnerability in SMBv1 and spread like wildfire across the Internet.

    Today a new malware variant has surfaced that is distinct enough from Petya that people have referred to it by various names such as Petrwrap and GoldenEye. Talos is identifying this new malware variant as Nyetya. The sample leverages EternalBlue, EternalRomance, WMI, and PsExec for lateral movement inside an affected network. This behavior is detailed later in the blog under “Malware Functionality”. Unlike WannaCry, Nyetya does not appear to contain an external scanning component.


  • Threat Round-up for June 16 – June 23

    - June 23, 2017

    Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between June 16 and June 23. As with previous round-ups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavior characteristics, indicators of compromise, and how our customers are automatically protected from these threats.

    As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of date of publication. Detection and coverage for the following threats is subject to updates pending additional threat or vulnerability analysis. For the most current information, please refer to your FireSIGHT Management Center,, or

  • Vulnerability Spotlight: Multiple Vulnerabilities in InsideSecure MatrixSSL

    - June 22, 2017

    These vulnerabilities were discovered by Aleksandar Nikolic of Cisco Talos


    MatrixSSL is a TLS/SSL stack offered as a Software Development Kit (SDK) and geared towards use in Internet of Things (IoT) devices and other embedded systems. It features low resource overhead and supports many different embedded platforms. It also features FIPS 140-2 compliant cryptography, making it suitable for use in high-security environments. Talos recently discovered multiple vulnerabilities in MatrixSSL version 3.8.7b, including two remote code execution (RCE) vulnerabilities and an information disclosure vulnerability.