Cisco Blogs

Cisco Threat Research Blog

Threat intelligence for Cisco Products

We detect, analyze, and protect customers from both known and unknown emerging threats

Threat Research

  • Threat Roundup for November 9 to November 16


    November 16, 2018 - 0 Comments

    Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between Nov. 09 and Nov. 16. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

    As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

    Read More at Talosintelligence.com
    TRU1109-1116

  • Threat Roundup for November 2 to November 9


    November 9, 2018 - 0 Comments

    Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between Nov. 02 and Nov. 09. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

    As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

    Read More at Talosintelligence.com
    Tru11092018

  • Metamorfo Banking Trojan Keeps Its Sights on Brazil


    November 8, 2018 - 0 Comments

    This blog post was authored by Edmund BrumaghinWarren MercerPaul Rascagneres, and Vitor Ventura.

    Executive Summary

    Financially motivated cybercriminals have used banking trojans for years to steal sensitive financial information from victims. They are often created to gather credit card information and login credentials for various online banking and financial services websites so this data can be monetized by the attackers. Cisco Talos recently identified two ongoing malware distribution campaigns being used to infect victims with banking trojans, specifically financial institutions’ customers in Brazil. Additionally, during the analysis of these campaigns, Talos identified a dedicated spam botnet that is currently delivering malicious spam emails as part of the infection process.

    Distribution campaigns

    While analyzing these campaigns, Talos identified two separate infection processes that we believe attackers have used between late October and early November. These campaigns used different file types for the initial download and infection process, and ultimately delivered two separate banking trojans that target Brazilian financial institutions. Both campaigns used the same naming convention for various files used during the infection process and featured the abuse of link-shortening services to obscure the actual distribution servers used. The use of link shorteners also allows some additional flexibility. Many organizations allow their employees to access link shorteners from corporate environments, which could enable the attacker to shift where they are hosting malicious files, while also enabling them to leverage these legitimate services in email-based campaigns.

    Read More >>

     

  • CyberVets U.S.A.: The Mission After Transition


    November 6, 2018 - 0 Comments

    Christopher Marshall, a veteran of the U.S. Navy, currently serves as Director of Cybersecurity Research for Cisco Talos Intelligence Group.

    As a veteran of the U.S. Navy, I’ve had the opportunity to use some of the greatest technology this country has to offer — from night vision goggles, to thermal cameras, to radio and satellite command and control equipment — even the care and feeding of nuclear reactors. When it was time for me to transition from the military to the civilian world, my post-military career led me to work for the Cisco Talos Intelligence Group, where I’ve found that many who served are also excellent teammates in the fast-paced, ever-shifting domain of cybersecurity. These men and women exhibit leadership, teamwork, inclusion, integrity, efficiency, and (importantly) the ability to acquire technical prowess. These are highly desirable traits in any industry, especially one that is predicated on trust and a willingness to always learn and evolve.
    (more…)

  • Persian Stalker pillages Iranian users of Instagram and Telegram


    November 5, 2018 - 0 Comments

    State-sponsored actors have a number of different techniques at their disposal to remotely gain access to social media and secure messaging applications. Starting in 2017 and continuing through 2018, Cisco Talos has seen different techniques being used to attack users and steal their private information. These techniques used fake login pages, malicious apps disguised as their legitimate counterparts and BGP hijacking, and were specifically targeting Iranian users of the secure messaging app Telegram and the social media site Instagram.

    Telegram has become a popular target for greyware in Iran, as the app is used by an estimated 40 million users. While it’s mostly used for daily communication, protest organizers also used it in the past to organize demonstrations against the Iranian government, specifically in December 2017. In a few instances, the Iranian government asked Telegram to shut down certain channels for “promoting violence.” The tactics outlined in this post have been in use since 2017 in an effort to gather information about Telegram and Instagram users. The campaigns vary in complexity, resource needs and methods. Below, we outline examples of a network attack, application clones and classic phishing. It is our belief that these campaigns were used to specifically target Iranian users of the Telegram app in an effort to steal personal and login information.

    Read more >>

  • Threat Roundup for October 26 to November 2


    November 2, 2018 - 0 Comments

    Today, as we do every week, Talos is giving you a glimpse into the most prevalent threats we’ve observed this week — covering the dates between Oct. 26 and Nov. 02. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, we will summarize the threats we’ve observed by highlighting key behavioral characteristics and indicators of compromise, and discussing how our customers are automatically protected from these threats.

    As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

    Read More

    Tru1102