Cisco Blogs

Threat Research

  • Vulnerability Spotlight: Multiple Remote Code Execution Vulnerabilities Within libxls

    - November 15, 2017 - 0 Comments

    Vulnerabilities discovered by Marcin Noga of Cisco Talos

    Talos is releasing seven new vulnerabilities discovered within the libxls library: TALOS-2017-0403, TALOS-2017-0404, TALOS-2017-0426, TALOS-2017-0460, TALOS-2017-0461, TALOS-2017-0462, and TALOS-2017-0463. These vulnerabilities result in remote code execution using specially crafted XLS files.


    libxls is a C library supported on Windows, Mac and Linux which can read Microsoft Excel File Format (XLS) files ranging from current versions of XLS files down to Excel 97 (BIFF8) formats.

    The library is used by the `readxl` package which can be installed in the R programming language via the CRAN repository. The library is also part of the ‘xls2csv’ tool. The library can also be used to successfully parse Microsoft XLS files.


  • Microsoft Patch Tuesday – November 2017

    - November 14, 2017 - 0 Comments

    Microsoft has released its monthly set of security advisories for vulnerabilities that have been identified and addressed in various products. This month’s advisory release addresses 53 new vulnerabilities with 19 of them rated critical, 31 of them rated important and 3 of them rated moderate. These vulnerabilities impact Microsoft Edge, Internet Explorer, Microsoft Scripting Engine, and more.

    In addition, an update for Adobe Reader was released which addresses CVE-2017-16367 / TALOS-2017-0356 – Adobe Acrobat Reader DC PDF Structured Hierarchy ActualText Structure Element Code Execution Vulnerability which was discovered by Aleksandar Nikolic of Cisco Talos. This vulnerability manifests as a type confusion vulnerability in the PDF parsing functionality for documents containing marked structure elements. A specifically crafted PDF document designed to trigger the vulnerability could cause an out-of-bounds access on the heap, potentially leading to arbitrary code execution. More details regarding this vulnerability are available here.


  • Vulnerability Spotlight: Multiple Vulnerabilities in Foscam C1 Indoor HD Cameras

    - November 13, 2017 - 0 Comments

    These vulnerabilities were discovered by Claudio Bozzato of Cisco Talos.

    Executive Summary

    The Foscam C1 Indoor HD Camera is a network-based camera that is marketed for use in a variety of applications, including use as a home security monitoring device. Talos recently identified several vulnerabilities present in these devices, and worked with Foscam to develop fixes for them, which we published the details for in a blog post here. In continuing our security assessment of these devices, Talos has discovered additional vulnerabilities. In accordance with our responsible disclosure policy, Talos has worked with Foscam to ensure that these issues are resolved and that a firmware update is made available for affected customers. These vulnerabilities could be leveraged by an attacker to achieve remote code execution on affected devices, as well as upload rogue firmware images to the devices, which could result in an attacker being able to completely take control of the devices.


  • Poisoning the Well: Banking Trojan Targets Google Search Results

    - November 2, 2017 - 0 Comments

    This blog post was authored by Edmund BrumaghinEarl Carter and Emmanuel Tacheau.


    It has become common for users to use Google to find information that they do not know. In a quick Google search you can find practically anything you need to know. Links returned by a Google search, however, are not guaranteed to be safe. In this situation, the threat actors decided to take advantage of this behavior by using Search Engine Optimization (SEO) to make their malicious links more prevalent in the search results, enabling them to target users with the Zeus Panda banking Trojan. By poisoning the search results for specific banking related keywords, the attackers were able to effectively target specific users in a novel fashion.

    By targeting primarily financial-related keyword searches and ensuring that their malicious results are displayed, the attacker can attempt to maximize the conversion rate of their infections as they can be confident that infected users will be regularly using various financial platforms and thus will enable the attacker to quickly obtain credentials, banking and credit card information, etc. The overall configuration and operation of the infrastructure used to distribute this malware was interesting as it did not rely on distribution methods that Talos regularly sees being used for the distribution of malware. This is another example of how attackers regularly refine and change their techniques and illustrates why ongoing consumption of threat intelligence is essential for ensuring that organizations remain protected against new threats over time.



  • Vulnerability Spotlight: The Circle of a Bug’s Life

    - October 31, 2017 - 0 Comments

    Cisco Talos is disclosing several vulnerabilities identified in Circle with Disney. Circle with Disney is a network device designed to monitor the Internet use of children on a given network. Circle pairs wirelessly, with your home Wi-Fi and allows you to manage every device on the network, tablet, TV, or laptop. It can also pair via ethernet after the initial pairing. Using an iOS or Android app, families create unique profiles for every member of the home and from there, help shape each person’s online experience.

    The security team at Circle Media has been exemplary to work with from initial vulnerability discovery to release. They have been responsive and open to communication. Additionally, the Circle with Disney was designed such that software updates are pushed down to customer devices when they become available. Customers who have received these updates are protected against these vulnerabilities.

    Read More

  • Vulnerability Spotlight: Multiple Vulnerabilities in Cesanta Mongoose Server

    - October 31, 2017 - 0 Comments

    These vulnerabilities were discovered by Aleksandar Nikolic of Cisco Talos

    Today, Talos is disclosing several vulnerabilities that have been identified in Cesanta Mongoose server.

    Cesanta Mongoose is a library implementing a number of networking protocols, including HTTP, MQTT, MDNS and others. It is designed with embedded devices in mind and as such is used in many IoT devices and runs on virtually all popular IoT platforms. The small size of the software enables any Internet-connected device to function as a web server. Mongoose is available under GPL v2 and commercial licenses.

    All discovered vulnerabilities are fixed in version 6.10 of the library.


  • Threat Round Up for Oct 20 – Oct 27

    - October 27, 2017 - 0 Comments

    Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between October 20 and October 27. As with previous round-ups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavior characteristics, indicators of compromise, and how our customers are automatically protected from these threats.

    As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of date of publication. Detection and coverage for the following threats is subject to updates pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center,, or

    Read more »

  • Vulnerability Spotlight: Apache OpenOffice Vulnerabilities

    - October 26, 2017 - 0 Comments

    Today, Talos is releasing details of three new vulnerabilities discovered within Apache OpenOffice application. The first vulnerability, TALOS-2017-0295 within OpenOffice Writer, the second TALOS-2017-0300 in the Draw application, and the third TALOS-2017-0301 discovered in the Writer application. All three vulnerabilities allow arbitrary code execution to be performed.


  • Threat Spotlight: Follow the Bad Rabbit

    - October 24, 2017 - 4 Comments

    Note: This blog post discusses active research by Talos into a new threat. This information should be considered preliminary and will be updated as research continues.

    On October 24, 2017, Cisco Talos was alerted to a widescale ransomware campaign affecting organizations across eastern Europe and Russia. As was the case in previous situations, we quickly mobilized to assess the situation and ensure that customers remain protected from this and other threats as they emerge across the threat landscape.

    There have been several large scale ransomware campaigns over the last several months. This appears to have some similarities to Nyetya in that it is also based on Petya ransomware. Major portions of the code appear to have been rewritten. The distribution does not appear to have the sophistication of the supply chain attacks we have seen recently.


  • “Cyber Conflict” Decoy Document Used In Real Cyber Conflict

    - October 22, 2017 - 0 Comments

    This post was authored by Warren MercerPaul Rascagneres and Vitor Ventura


    Cisco Talos discovered a new malicious campaign from the well known actor Group 74 (aka Tsar Team, Sofacy, APT28, Fancy Bear…). Ironically the decoy document is a flyer concerning the Cyber Conflict U.S. conference organized by the NATO Cooperative Cyber Defence Centre of Excellence on 7-8 November 2017 at Washington, D.C. Due to the nature of this document, we assume that this campaign targets people with an interest in cyber security. Unlike previous campaigns from this actor, the flyer does not contain an Office exploit or a 0-day, it simply contains a malicious Visual Basic for Applications (VBA) macro.

    The VBA drops and executes a new variant of Seduploader. This reconnaissance malware has been used by Group 74 for years and it is composed of 2 files: a dropper and a payload. The dropper and the payload are quite similar to the previous versions but the author modified some public information such as MUTEX name, obfuscation keys… We assume that these modifications were performed to avoid detection based on public IOCs.

    The article describes the malicious document and the Seduploader reconnaissance malware, especially the difference with the previous versions.