Cisco Blogs

Threat Research

  • Vulnerability Spotlight: AntennaHouse DMC Library Arbitrary Code Execution Flaws

    - May 4, 2017 - 0 Comments

    These vulnerabilities were discovered by Marcin ‘Icewall’ Noga of Talos.

    Today, Talos is disclosing several vulnerabilities that have been identified in the AntennaHouse DMC library which is used in various products for web-based document searching and rendering. These vulnerabilities manifest as a failure to correctly parse Microsoft Office documents and could be exploited to achieve arbitrary code execution. These vulnerabilities are being disclosed in coordination with AntennaHouse.

    Vulnerability Details

    Multiple heap corruption vulnerabilities exist within AntennaHouse DMC HTMLFilter that could be exploited to achieve arbitrary code execution on the targeted machine. These vulnerabilities manifest due to improper handling of Microsoft Office documents, such as Word and PowerPoint files. An adversary that passes a specifically crafted document to the converter could exploit one of these vulnerabilities. Note that the method that an adversary could compromise a vulnerable machine varies as this library is known to be incorporated into other third-party products.

    Read more »

  • Gmail Worm Requiring You To Give It A Push And Apparently You All Are Really Helpful

    - May 3, 2017 - 0 Comments

    This post authored Sean Baird and Nick Biasini

    Attackers are always looking for creative ways to send large amount of spam to victims. A short-lived, but widespread Google Drive themed phishing campaign has affected a large number of users across a variety of verticals. This campaign would be bcc’d to a target while being sent to hhhhhhhhhhhhhhhh@mailinator[.]com, to make this email appear legitimate the sender would be someone who had the target in their address book.

    Mailinator is a “free, public, email system where you can use any inbox you want,” often used for throwaway accounts. In this instance, the Mailinator inbox in question could have been used by the spammer to monitor whether or not the email was successfully sent. The use of Mailinator, however, is not what made this campaign unique.


  • KONNI: A Malware Under The Radar For Years

    - May 3, 2017 - 0 Comments

    Talos has discovered an unknown Remote Administration Tool that we believe has been in use for over 3 years. During this time it has managed to avoid scrutiny by the security community. The current version of the malware allows the operator to steal files, keystrokes, perform screenshots, and execute arbitrary code on the infected host. Talos has named this malware KONNI.


  • Threat Round-up for Apr 21 – Apr 28

    - April 28, 2017 - 0 Comments

    Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between April 21 and April 28. As with previous round-ups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavior characteristics, indicators of compromise, and how our customers are automatically protected from these threats.

    As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of date of publication. Detection and coverage for the following threats is subject to updates pending additional threat or vulnerability analysis. For the most current information, please refer to your FireSIGHT Management Center,, or
    Read more »

  • Vulnerability Spotlight: Randombit Botan Library X509 Certificate Validation Bypass Vulnerability

    - April 28, 2017 - 1 Comment

    This vulnerability was discovered by Aleksandar Nikolic of Cisco Talos.


    Talos has discovered a vulnerability in the Randombit Botan library. A programming error exists in a way Botan library implements x500 string comparisons which could lead to certificate verification issues and abuse. A specially crafted X509 certificate would need to be delivered to the client or server application in order to trigger this vulnerability. A security advisory was published on the Randombit website to inform users the vulnerability is now fixed in versions 2.1.0 and 1.10.16.


  • Vulnerability Spotlight: Multiple Vulnerabilities in Zabbix

    - April 27, 2017 - 0 Comments

    These vulnerabilities were discovered by Lilith Wyatt of Cisco ASIG


    Zabbix is an enterprise monitoring solution that is designed to give organizations the ability to monitor the health and status of various systems within their networks, including: network services, servers, and networking equipment. Cisco recently discovered multiple vulnerabilities in the Zabbix Server software component that could be leveraged by attackers to write directly to the Zabbix Proxy database or achieve remote code execution on the Zabbix Server. Cisco worked with Zabbix to responsibly disclose these vulnerabilities and ensure that a patch is available. Zabbix has released public advisories regarding these vulnerabilities which are located here and here.