
Cisco Threat Research Blog

Threat intelligence for Cisco Products

We detect, analyze, and protect customers from both known and unknown emerging threats

Threat Research

  • Ransomware or Wiper? LockerGoga Straddles the Line


    March 20, 2019

    Executive Summary

    Ransomware attacks have been in the news with increased frequency over the past few years. This type of malware can be extremely disruptive and even cause operational impacts in critical systems that may be infected. LockerGoga is yet another example of this sort of malware. LockerGoga is a ransomware variant that, while lacking in sophistication, can still cause extensive damage when leveraged against organizations or individuals. Talos has also seen wiper malware impersonate ransomware, such as the NotPetya attack.

    Earlier versions of LockerGoga leverage an encryption process to remove the victim’s ability to access files and other data stored on infected systems. A ransom note is then presented that demands the victim pay the attacker in Bitcoin in exchange for keys that may be used to decrypt the data LockerGoga has impacted. Some of the later versions of LockerGoga, while still employing the same encryption, have also been observed forcibly logging the victim off of the infected system and removing their ability to log back in following the encryption process. The consequence is that in many cases the victim may not even be able to view the ransom note, let alone attempt to comply with any ransom demands. These later versions of LockerGoga could therefore be described as destructive.

    While the initial infection vector associated with LockerGoga is currently unknown, attackers can use a wide variety of techniques to gain network access, including exploiting unpatched vulnerabilities and phishing user credentials. Expanding initial access into widespread control of the network is facilitated by similar techniques, with stolen user credentials being an especially lucrative vector for lateral movement. For example, the actors behind the SamSam attacks leveraged vulnerable servers exposed to the internet as their means of obtaining initial access to the environments they were targeting.


  • Vulnerability Spotlight: Multiple Vulnerabilities in CUJO Smart Firewall, Das U-Boot, OCTEON SDK, Webroot BrightCloud


    March 19, 2019

    Claudio Bozzato of Cisco Talos discovered these vulnerabilities.

    Executive summary

    CUJO AI produces the CUJO Smart Firewall, a device that provides protection to home networks against a myriad of threats such as malware, phishing websites and hacking attempts. Cisco Talos recently discovered 11 vulnerabilities in the CUJO Smart Firewall. These vulnerabilities could allow an attacker to bypass the safe browsing function and completely take control of the device, either by executing arbitrary code in the context of the root account, or by uploading and executing unsigned kernels on affected systems.

    In accordance with our coordinated disclosure policy, Cisco Talos worked with CUJO AI to ensure that these issues are resolved and that a firmware update is available for affected customers. In most scenarios the firmware update process is handled by CUJO AI, allowing this update to be deployed to affected customers automatically. Given that these devices are typically deployed to protect networked environments, affected users should confirm that their devices have been updated as soon as possible to ensure they are no longer affected by these vulnerabilities.


  • IPv6 unmasking via UPnP


    March 18, 2019

    Martin Zeiser and Aleksandar Nikolich authored this post.

    Executive summary

    With tools such as ZMap and Masscan, and with generally higher bandwidth availability, exhaustive internet-wide scans of the full IPv4 address space have become the norm where they were once impractical. Projects like Shodan and Scans.io aggregate and publish frequently updated datasets of scan results for public analysis, giving researchers greater insight into the current state of the internet.

    While IPv4 is the norm, the use of IPv6 is on the rise. However, there has been very little analysis of the most recent version of the internet protocol, because exhaustive scans are impossible given the size of the address space. Novel techniques are needed to enumerate active IPv6 hosts.

    In the following post, we’ll present a technique that uses the properties of the Universal Plug and Play (UPnP) protocol to get specific IPv4 hosts to divulge their IPv6 address. This allows us to enumerate a particular subset of active IPv6 hosts, which can then be scanned. We performed comparative scans of the discovered hosts on both IPv4 and IPv6 and present the results and analysis. Our findings show that this technique is valid, that there are significant discrepancies in filtering between the IPv4 and IPv6 interfaces of these hosts, and that unintended IPv6 connectivity will be a growing problem.


  • Threat Roundup for March 8 to March 15


    March 15, 2019

    Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between Mar. 8 and Mar. 15. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, it summarizes the threats we’ve observed by highlighting key behavioral characteristics and indicators of compromise, and discusses how our customers are automatically protected from these threats.

    As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

    Read More at Talosintelligence.com


    Reference

    TRU03152019: a JSON file that includes the IOCs referenced in this post, as well as all hashes associated with the cluster. The list is limited to 25 hashes in this blog post. As always, please remember that all IOCs contained in this document are indicators, and that one single IOC does not indicate maliciousness. See the Read More link above for more details.

  • GlitchPOS: New PoS malware for sale


    March 13, 2019

    Warren Mercer and Paul Rascagneres authored this post with contributions from Ben Baker.

    Executive summary

    Point-of-sale malware is popular among attackers, as it usually leads to them obtaining credit card numbers and immediately using that information for financial gain. This type of malware is generally deployed on retailers’ websites and at retail point-of-sale locations with the goal of capturing customers’ payment information. If they successfully obtain credit card details, they can either use the proceeds from the sale of that information or use the credit card data directly to obtain additional exploits and resources for other malware. Point-of-sale terminals are often forgotten about in terms of network segregation and can represent a soft target for attackers. Cisco Talos recently discovered a new PoS malware that the attackers are selling on a crimeware forum. Our researchers also discovered the payloads associated with the malware, its infrastructure and its control panel. We assess with high confidence that this is not the first malware developed by this actor. A few years ago, they were also pushing the DiamondFox L!NK botnet. Known as “GlitchPOS,” this malware is also being distributed on alternative websites at a higher price than the original.

    The actor behind this malware created a video, which we embedded below, showing how easy it is to use it. This is a case where the average user could purchase all the tools necessary to set up their own credit card-skimming botnet.



  • Threat Roundup for Mar. 1 to Mar. 8


    March 8, 2019

    Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between March 1 and March 8. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, it summarizes the threats we’ve observed by highlighting key behavioral characteristics and indicators of compromise, and discusses how our customers are automatically protected from these threats.

    As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.
