Cisco Blogs

Threat Research

  • Vulnerabilities in ProcessMaker, WebFOCUS, and OpenFire Identified and Patched

    - July 19, 2017 - 0 Comments

    Today, Talos is disclosing several vulnerabilities that have been identified by Portcullis in various software products. All four vulnerabilities have been responsibly disclosed to each respective developer in order ensure they are addressed. In order better protect our customers, Talos has also developed Snort rules that detect attempts to exploit these vulnerabilities.

    Vulnerability Details

    TALOS-2017-0313 (CVE-2016-9048) ProcessMaker Enterprise Core Multiple SQL Injection Vulnerabilities

    TALOS-2017-0313 was identified by Jerzy Kramarz of Portcullis.

    TALOS-2017-0313 encompasses multiple SQL injection vulnerabilities in ProcessMarker Enterprise Core These vulnerabilities manifest as a result of improperly sanitizing input received in web requests. An attacker who transmits a specifically crafted web request to an affected server with parameters containing SQL injection attacks could trigger this vulnerability. This could allow exfiltration of the database information, user credentials, and in certain configuration access the underlying operating system.

    Read more »

  • Unravelling .NET with the Help of WinDBG

    - July 19, 2017 - 0 Comments

    This blog was authored by Paul Rascagneres and Warren Mercer.


    .NET is an increasingly important component of the Microsoft ecosystem providing a shared framework for interoperability between different languages and hardware platforms. Many Microsoft tools, such as PowerShell, and other administrative functions rely on the .NET platform for their functionality. Obviously, this makes .NET an enticing language for malware developers too. Hence, malware researchers must also be familiar with the language and have the necessary skills to analyse malicious software that runs on the platform.

    Analysis tools such as ILSpy help researchers decompile code from applications, but cannot be used to automate the analysis of many samples. In this article we will examine how to use WinDBG to analyse .NET applications using the SOS extension provided by Microsoft.

    Read More

  • The Official Talos Guide to BlackHat 2017

    - July 18, 2017 - 3 Comments

    It is once again time for Security Summer Camp – the week in July that many of us descend upon Las Vegas for Black Hat and DEFCON. This is your official guide to what Cisco’s Talos Threat Intelligence team is doing at Black Hat 2017.

    Whether you are looking to catch some great talks, hunting down the best parties, or just trying to avoid LineCon in all it’s forms, here is a quick run-down of where and how you can catch Talos speakers, Cisco events, and some fun stuff from other teams within Cisco as well.  Read on for the full details of what Cisco has in store for this year!


  • PyREBox, a Python scriptable Reverse Engineering sandbox

    - July 17, 2017 - 0 Comments

    This post was authored by Xabier Ugarte Pedrero

    In Talos, we are continuously trying to improve our research and threat intelligence capabilities. As a consequence, we not only leverage standard tools for analysis, but we also focus our efforts on innovation, developing our own technology to overcome new challenges. Also, Talos has traditionally supported open-source projects, and has open-sourced many different projects and tools that are currently used as part of our workflow like FIRST and BASS.

     In this blogpost we present PyREBox, our Python scriptable Reverse Engineering sandbox. PyREBox is based on QEMU, and its goal is to aid reverse engineering by providing dynamic analysis and debugging capabilities from a different perspective. PyREBox allows to inspect a running QEMU VM, modify its memory or registers, and to instrument its execution with simple Python scripts. QEMU (when working as a whole-system-emulator) emulates a complete system (CPU, memory, devices…). By using Virtual Machine Introspection (VMI) techniques, it does not require to perform any modification into the guest operating system, as it transparently retrieves information from its memory at run-time.
    Several academic projects such as DECAF, PANDA, S2E, or AVATAR, have previously leveraged QEMU based instrumentation for reverse engineering tasks. These projects allow to write plugins in C/C++, and implement several advanced features such as dynamic taint analysis, symbolic execution, or even record and replay of execution traces. With PyREBox, we aim to apply this technology focusing on keeping the design simple, and on the usability of the system for threat analysts.

    Read More

  • Memcached – A Story of Failed Patching & Vulnerable Servers

    - July 17, 2017 - 0 Comments

    This blog authored by Aleksandar Nikolich and David Maynor with contributions from Nick Biasini

    Memcached – Not secure, Not Patched Fast Enough

    Recently high profile vulnerabilities in systems were used to unleash several global ransomware attacks that greatly impacted organizations. These types of vulnerabilities were previously patched and could have been addressed by organizations before the attacks commenced. This is just the latest example in a long line of threats that are successful in large part because of the inability for patches to be applied in a timely and effective manner. In late 2016 Talos disclosed a series of vulnerabilities in a software platform called Memcached. After releasing the vulnerabilities Talos has been monitoring the amount of systems that were vulnerable as well as the rate at which they have been patched. This blog will give a quick overview of the vulnerabilities and discuss the unfortunate findings of the Internet wide scans that we have been conducting over the last six months.


  • Microsoft Patch Tuesday – July 2017

    - July 11, 2017 - 0 Comments

    Today, Microsoft has release their monthly set of security updates designed to address vulnerabilities. This month’s release addresses 54 vulnerabilities with 19 of them rated critical, 32 rated important, and 3 rated moderate. Impacted products include Edge, .NET Framework,  Internet Explorer, Office,  and Windows.

    Read More

  • Vulnerability Spotlight: Iceni Infix PDF Editor Memory Corruption

    - July 11, 2017 - 0 Comments

    Today, Talos is disclosing a vulnerability that has been identified in Iceni Infix PDF Editor that could lead to arbitrary code execution on affected hosts. This vulnerability manifests in a way that could be exploited if a user opens a specifically crafted PDF file that triggers this flaw. Talos has coordinated with Iceni to ensure relevant details regarding the vulnerability have been shared. Iceni has developed a software update that addresses this vulnerability. In addition, Talos has developed Snort Rules that can detect attempts to exploit this flaw.


  • Attack on Critical Infrastructure Leverages Template Injection

    - July 7, 2017 - 0 Comments

    Contributors:  Sean Baird, Earl Carter, Erick Galinkin, Christopher Marczewski & Joe Marshall 

    Executive Summary

    Attackers are continually trying to find new ways to target users with malware sent via email. Talos has identified an email-based attack targeting the energy sector, including nuclear power, that puts a new spin on the classic word document attachment phish. Typically, malicious Word documents that are sent as attachments to phishing emails will themselves contain a script or macro that executes malicious code. In this case, there is no malicious code in the attachment itself. The attachment instead tries to download a template file over an SMB connection so that the user’s credentials can be silently harvested. In addition, this template file could also potentially be used to download other malicious payloads to the victim’s computer.


  • Threat Round-up for June 30 – July 7

    - July 7, 2017 - 0 Comments

    Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between June 30 and July 07. As with previous round-ups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavior characteristics, indicators of compromise, and how our customers are automatically protected from these threats.

    As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of date of publication. Detection and coverage for the following threats is subject to updates pending additional threat or vulnerability analysis. For the most current information, please refer to your FireSIGHT Management Center,, or


  • Vulnerability Spotlight: TALOS-2017-0311,0319,0321 – Multiple Remote Code Execution Vulnerability in Poppler PDF library

    - July 7, 2017 - 0 Comments

    Vulnerability discovered by Marcin Noga, Lilith Wyatt and Aleksandar Nikolic of Cisco Talos.


    Talos has discovered multiple vulnerabilities in the Poppler PDF library. Exploiting these vulnerabilities can allow an attacker to gain full control over the victim’s machine. If an attacker builds a specially crafted PDF document and the victim opens it, the attackers code will be executed with the privileges of the local user.