Cisco Blogs

Cisco Threat Research Blog

Threat intelligence for Cisco Products

We detect, analyze, and protect customers from both known and unknown emerging threats

Threat Research

  • Talos Wins The 5th Volatility Plugin Contest With Pyrebox

    - November 22, 2017

    Talos has won this year’s 5th Volatility plugin contest with Pyrebox. Volatility is a well-known open-source framework designed to analyse operating system memory. The framework has existed since 2007, and for the previous 5 years a plugin contest has been run to find the most innovative, interesting, and useful extensions for the Volatility framework. Pyrebox is an open-source Python scriptable Reverse Engineering sandbox developed by Talos. Based on QEMU, its goal is to aid reverse engineering by providing dynamic analysis and debugging capabilities from a different perspective. In this context, Pyrebox is able to interact with Volatility in order to collect information from the memory of the analysed system.


  • This Holiday Season – Buy One IoT Device, Get Free CVEs

    - November 20, 2017

    As the Internet of Things gains steam and continues to develop, so do the adversaries and threats affecting these systems. Companies throughout the world are busy deploying low-cost Internet-connected computing devices (aka the Internet of Things) to solve business problems and improve our lives. In tandem, criminals are developing their methods for abusing and compromising vulnerable and poorly defended IoT devices.


  • Threat Round Up for Nov 10 – Nov 17

    - November 17, 2017

    Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between November 10 and November 17. As with previous round-ups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavior characteristics, indicators of compromise, and how our customers are automatically protected from these threats.

    As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of date of publication. Detection and coverage for the following threats is subject to updates pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center,, or


  • Vulnerability Spotlight: Multiple Remote Code Execution Vulnerabilities Within libxls

    - November 15, 2017

    Vulnerabilities discovered by Marcin Noga of Cisco Talos

    Talos is releasing seven new vulnerabilities discovered within the libxls library: TALOS-2017-0403, TALOS-2017-0404, TALOS-2017-0426, TALOS-2017-0460, TALOS-2017-0461, TALOS-2017-0462, and TALOS-2017-0463. These vulnerabilities result in remote code execution using specially crafted XLS files.


    libxls is a C library supported on Windows, Mac and Linux which can read Microsoft Excel File Format (XLS) files ranging from current versions of XLS files down to Excel 97 (BIFF8) formats.

    The library is used by the `readxl` package which can be installed in the R programming language via the CRAN repository. The library is also part of the `xls2csv` tool. The library can also be used to successfully parse Microsoft XLS files.


  • Microsoft Patch Tuesday – November 2017

    - November 14, 2017

    Microsoft has released its monthly set of security advisories for vulnerabilities that have been identified and addressed in various products. This month’s advisory release addresses 53 new vulnerabilities with 19 of them rated critical, 31 of them rated important and 3 of them rated moderate. These vulnerabilities impact Microsoft Edge, Internet Explorer, Microsoft Scripting Engine, and more.

    In addition, an update for Adobe Reader was released which addresses CVE-2017-16367 / TALOS-2017-0356 – Adobe Acrobat Reader DC PDF Structured Hierarchy ActualText Structure Element Code Execution Vulnerability which was discovered by Aleksandar Nikolic of Cisco Talos. This vulnerability manifests as a type confusion vulnerability in the PDF parsing functionality for documents containing marked structure elements. A specifically crafted PDF document designed to trigger the vulnerability could cause an out-of-bounds access on the heap, potentially leading to arbitrary code execution. More details regarding this vulnerability are available here.


  • Vulnerability Spotlight: Multiple Vulnerabilities in Foscam C1 Indoor HD Cameras

    - November 13, 2017

    These vulnerabilities were discovered by Claudio Bozzato of Cisco Talos.

    Executive Summary

    The Foscam C1 Indoor HD Camera is a network-based camera that is marketed for use in a variety of applications, including use as a home security monitoring device. Talos recently identified several vulnerabilities present in these devices and worked with Foscam to develop fixes for them, the details of which we published in a blog post here. In continuing our security assessment of these devices, Talos has discovered additional vulnerabilities. In accordance with our responsible disclosure policy, Talos has worked with Foscam to ensure that these issues are resolved and that a firmware update is made available for affected customers. These vulnerabilities could be leveraged by an attacker to achieve remote code execution on affected devices, as well as to upload rogue firmware images to the devices, which could result in an attacker being able to completely take control of the devices.