Cisco Blogs

Threat Research

  • Vulnerability Spotlight: Multiple Nvidia D3D10 Driver Pixel Shader Vulnerabilities

    - March 28, 2018

    Discovered by Piotr Bania of Cisco Talos


    Today, Cisco Talos is disclosing multiple vulnerabilities that exist within the Nvidia D3D10 driver. This driver is used throughout multiple GPU product lines available from Nvidia. This is a commonly used driver, and can be found within VMware, thus giving rise to a potential guest-to-host escape. It is strongly recommended that patches are applied immediately.


  • Forgot About Default Accounts? No Worries, GoScanSSH Didn’t

    - March 26, 2018

    This blog post was authored by Edmund Brumaghin, Andrew Williams, and Alain Zidouemba.

    Executive Summary

    During a recent Incident Response (IR) engagement, Talos identified a new malware family that was being used to compromise SSH servers exposed to the internet. This malware, which we have named GoScanSSH, was written using the Go programming language, and exhibited several interesting characteristics. This is not the first malware family that Talos has observed that was written using Go. However, it is relatively uncommon to see malware written in this programming language. In this particular case, we also observed that the attacker created unique malware binaries for each host that was infected with the GoScanSSH malware. Additionally, the GoScanSSH command and control (C2) infrastructure was observed leveraging the Tor2Web proxy service in an attempt to make tracking the attacker-controlled infrastructure more difficult and resilient to takedowns.


  • Talos Threat Research Summit at Cisco Live US 2018

    - March 26, 2018

    Cisco Talos presents a conference by Defenders, for Defenders.

    Talos had one goal in mind when creating a brand new conference: make something that we'd want to attend ourselves. As such, the Talos Threat Research Summit is aimed at being a one-day conference by defenders, for defenders. This summit is designed to assist you in keeping your users and network safer. Our roster of experienced speakers will share their deep expertise in network defense, tracking the bad guys and identifying trends in the threat landscape. The goal of the summit is that you will leave with up-to-date, actionable intel you can take back to your network and use immediately. There are also opportunities for networking with your defense-focused peers and security leaders.

    More information, including the agenda and speaker line-up, will be released in the coming weeks, so stay tuned!


    WHEN: JUNE 10, 2018



    Here is what you can expect:


  • Microsoft Patch Tuesday – March 2018

    - March 13, 2018

    Today, Microsoft has released its monthly set of security advisories for vulnerabilities that have been identified and addressed in various products. This month's advisory release addresses 74 new vulnerabilities, with 14 of them rated critical and 59 of them rated important. These vulnerabilities impact Internet Explorer, Edge, Exchange, the Scripting Engine, Windows Shell and more.


  • Gozi ISFB Remains Active in 2018, Leverages “Dark Cloud” Botnet For Distribution

    - March 6, 2018

    Gozi ISFB is a well-known and widely distributed banking trojan that has been in the threat landscape for the past several years. Banking trojans are a widely distributed type of malware that attackers leverage in an attempt to obtain banking credentials from customers of various financial institutions. The source code associated with Gozi ISFB has been leaked several times over the years, and the robust features available within the Gozi ISFB code base have since been integrated into additional malware, such as GozNym. Talos published detailed research about GozNym in a September 2016 blog post. Talos has been monitoring Gozi ISFB activity since then, and has discovered a series of campaigns over the past six months that have been making use of the elusive "Dark Cloud" botnet for distribution. In investigating the infrastructure associated with Dark Cloud, we identified a significant amount of malicious activity making use of this same infrastructure, including Gozi ISFB distribution, Nymaim command and control, and a variety of different spam campaigns and scam activity. Talos is publishing details related to ongoing Gozi ISFB activity, the Dark Cloud botnet, and the additional threats we have observed using this infrastructure over the past couple of years.


  • Vulnerability Spotlight: Simple DirectMedia Layer’s SDL2_Image

    - March 1, 2018


    Talos is disclosing several vulnerabilities identified in Simple DirectMedia Layer's SDL2_Image library that could allow code execution. Simple DirectMedia Layer is a cross-platform development library designed to provide low-level access to audio, keyboard, mouse, joystick, and graphics hardware via OpenGL and Direct3D. It is used by video playback software, emulators, and popular games, including Valve's award-winning catalog and many Humble Bundle games. SDL officially supports Windows, Mac OS X, Linux, iOS, and Android. Support for other platforms may be found in the source code. The SDL2_Image library is an optional component for SDL that deals specifically with parsing and displaying a variety of image file formats, providing a single, uniform API for image processing regardless of the file type. Simple DirectMedia Layer has released a new version of SDL_image, 2.0.3, to address these issues. Talos recommends installing this update as quickly as possible on affected systems.


  • Vulnerability Spotlight: Dovecot out-of-bounds Read Vulnerability

    - March 1, 2018


    Today, Cisco Talos is disclosing a single out-of-bounds read vulnerability in the Dovecot IMAP server. Dovecot is a popular Internet Message Access Protocol (IMAP) server with a performance- and security-oriented design, and is a popular choice for robust email servers. In accordance with our coordinated disclosure policy, Talos has worked with Dovecot to ensure that this issue has been resolved. Dovecot has released version 2.2.34 to address this issue. Talos recommends installing this update as quickly as possible on affected systems.


  • CannibalRAT targets Brazil

    - February 28, 2018

    Malware continues to evolve in different ways and forms, one of which is the language it is written in: from Visual C++ to PowerShell, almost every language has been used to develop malware. Today, we will focus on a remote access trojan, otherwise known as a RAT, written entirely in Python and wrapped into a standalone executable.

    Talos identified samples of two different versions of this RAT. Both versions (3.0 and 4.0, according to the information within the samples analyzed) were written using Python and packed into an executable using a common tool called py2exe. The malware's main script bytecode is stored in a portable executable (PE) section called PYTHONSCRIPT, while the Python DLL is stored in a section called PYTHON27.DLL. All the remaining modules' bytecode is compressed and stored in the executable overlay.

    Both versions have all the usual RAT capabilities; however, during our investigation it became clear that version 4.0 (the latest) is a stripped-down version in which some features were removed, as explained later, so that it could be part of a targeted campaign.
    The targets of this campaign are the users of INESAP – Instituto Nacional Escola Superior da Administração Pública, a Brazilian public sector management school that also does consulting work.

  • Who Wasn’t Responsible for Olympic Destroyer?

    - February 26, 2018

    This blog post is authored by Paul Rascagneres and Martin Lee.


    Absent contributions from traditional intelligence capacities, the available evidence linking the Olympic Destroyer malware to a specific threat actor group is contradictory and does not allow for unambiguous attribution. The threat actor responsible for the attack has purposefully included evidence to frustrate analysts and lead researchers to false attribution flags. This false attribution could embolden an adversary to deny an accusation, publicly citing evidence based upon false claims by unwitting third parties. Attribution, while headline-grabbing, is difficult and not an exact science. This must force one to question purely software-based attribution going forward.


  • Vulnerability Spotlight: Adobe Acrobat Reader DC Document ID Remote Code Execution Vulnerability

    - February 23, 2018

    Today, Talos is releasing details of a new vulnerability within Adobe Acrobat Reader DC. Adobe Acrobat Reader is the most popular and most feature-rich PDF reader. It has a large user base, is usually the default PDF reader on systems, and integrates into web browsers as a plugin for rendering PDFs. As such, tricking a user into visiting a malicious web page or sending a specially crafted email attachment can be enough to trigger this vulnerability.

    A specific JavaScript script embedded in a PDF file can cause the document ID field to be used in an unbounded copy operation, leading to a stack-based buffer overflow when a specially crafted PDF document is opened in Adobe Acrobat Reader DC 2018.009.20044. This stack overflow can lead to a return address overwrite, which can result in arbitrary code execution. In order to trigger this vulnerability, the victim would need to open the malicious file or access a malicious web page.

