Cisco Blogs

Threat Research

  • Blocking Cryptocurrency Mining with Cisco Talos


    July 19, 2018 - 1 Comment

    The value of cryptocurrencies has fluctuated wildly, but the value is still high enough to garner a lot of attention, both legitimate and malicious. Most of the malicious activity we see is done for financial gain, and cryptocurrencies have provided attackers with a lucrative new avenue to pursue: cryptocurrency mining.

    Over the past year, we have seen a seismic shift in the threat landscape with the explosive growth of malicious cryptocurrency mining. This threat is spreading across the internet like wildfire and is being delivered through multiple vectors including email, web, and active exploitation. That doesn’t include the quasi-legitimate in-browser mining that is becoming increasingly common.

    Read More >>

  • Vulnerability Spotlight: Foxit PDF Reader JavaScript Remote Code Execution Vulns


    July 19, 2018 - 0 Comments

    Overview

    Discovered by Aleksandar Nikolic of Cisco Talos.

    Talos is disclosing a pair of vulnerabilities in Foxit PDF Reader. Foxit PDF Reader is a popular free program for viewing, creating, and editing PDF documents. It is commonly used as an alternative to Adobe Acrobat Reader and has a widely used browser plugin available.

    TALOS-2018-0588

    Read More >>

  • Vulnerability Spotlight: Multiple Vulnerabilities in ACD Systems Canvas Draw 4


    July 19, 2018 - 0 Comments

    These vulnerabilities were discovered by Tyler Bohan of Cisco Talos

    Today, Talos is disclosing several vulnerabilities that have been identified in Canvas Draw graphics editing tool for Macs.

    Canvas Draw 4 is a graphics editing tool used to create and edit images, as well as other graphic-related material. This product has a large user base, and is popular in its specific field. The vulnerable component is in the handling of TIFF images. TIFF is a raster-based image format used in graphics editing projects, thus making it a very common file format for such an application.

    Read More >>

  • Threat Roundup for July 6-13


    July 13, 2018 - 1 Comment

    Today, as we do every week, Talos is giving you a glimpse into the most prevalent threats we’ve observed this week — covering the dates between July 6 and 13. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics and indicators of compromise, and discussing how our customers are automatically protected from these threats.

    As a reminder, the information provided for the following threats in this post is not exhaustive and is current as of the date of publication. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

    Read More>>

  • Advanced Mobile Malware Campaign in India uses Malicious MDM


    July 12, 2018 - 1 Comment

    This blog post is authored by Warren Mercer and Paul Rascagneres and Andrew Williams.

    Summary

    Cisco Talos has identified a highly targeted campaign against 13 iPhones which appears to be focused on India. The attacker deployed an open-source mobile device management (MDM) system to control enrolled devices. At this time, we don’t know how the attacker managed to enroll the targeted devices. Enrollment could be done through physical access to the devices, or most likely by using social engineering to entice a user to register. In social engineering attacks the victim is tricked into clicking accept or giving the attacker physical access to a device. This campaign is of note since the malware goes to great lengths to replace specific mobile apps for data interception. Talos has worked closely with Apple on countering this threat. Apple had already actioned 3 certificates associated with this actor when Talos reached out, and quickly moved to action the two others once Talos tied them to the threat.

    An MDM is designed to deploy applications on enrolled devices. In this campaign we identified five applications that have been distributed by this system to the 13 targeted devices in India. Two of them appear to test the functionality of the device, one steals SMS message contents, and the remaining two report the location of the device and can exfiltrate various data.

    Read More >>

  • Vulnerability Spotlight: Computerinsel Photoline Multiple Vulnerabilities


    July 11, 2018 - 0 Comments

    Vulnerabilities discovered by Tyler Bohan from Talos

    Overview

    Today, Cisco Talos is disclosing several vulnerabilities within Computerinsel PhotoLine. Photoline is an image processing tool used to modify and edit images, as well as other graphic-related material. This product has a large user base and is popular in its specific field. The vulnerabilities are present in the parsing functionality of the software.

    Read More >>

  • Vulnerability Spotlight: Multiple Antenna House Vulnerabilities


    July 10, 2018 - 0 Comments

    Discovered by Marcin Noga of Cisco Talos

    Overview

    Cisco Talos has identified six vulnerabilities in the Antenna House Office Server Document Converter (OSDC). These vulnerabilities can be used to remotely execute code on a vulnerable system. Antenna House Office Server Document Converter is a product designed to convert Microsoft Office documents into PDF and SVG documents.

    The vulnerabilities can be exploited to locally execute code, or even remotely if the product is used in batch mode by the owners. In this context, the maliciously crafted document could be automatically handled by the product, and a successful exploitation could result in full control of the vulnerable system.

    The six vulnerabilities can be exploited by a specially crafted Microsoft Office document.

    Read More >>

  • Vulnerability Spotlight: Multiple Adobe Acrobat DC Remote Code Execution Vulnerabilties


    July 10, 2018 - 0 Comments

    Discovered by Aleksandar Nikolic of Cisco Talos

    Overview

    Today, Talos is releasing details of a new vulnerabilities within Adobe Acrobat Reader DC. Adobe Acrobat Reader is the most popular and most feature-rich PDF reader. It has a big user base, is usually a default PDF reader on systems and integrates into web browsers as a plugin for rendering PDFs. As such, tricking a user into visiting a malicious web page or sending a specially crafted email attachment can be enough to trigger these vulnerabilities.

    Read More >>

  • Threat Roundup for June 29 to July 6th


    July 6, 2018 - 0 Comments

    Today, as we do every week, Talos is giving you a glimpse into the most prevalent threats we’ve observed this week — covering the dates between June 29 and July 6. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, it will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

    As a reminder, the information provided for the following threats in this post is non-exhaustive, and is current as of the date of publication. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

    Read_More>>

  • Smoking Guns – Smoke Loader learned new tricks


    July 3, 2018 - 0 Comments

    Cisco Talos has been tracking a new version of Smoke Loader — a malicious application that can be used to load other malware — for the past several months following an alert from Cisco Advanced Malware Protection’s (AMP) Exploit Prevention engine. AMP successfully stopped the malware before it was able to infect the host, but further analysis showed some developments in the Smoke Loader sample resulting from this chain of malware that intrigued us. This includes one of the first uses of the PROPagate injection technique in real-world malware. Besides a report released at the end of last week describing a different RIG Exploit Kit-based campaign, we haven’t seen real-world malware using this.

    <<READ MORE>>