Cisco Blogs

Cisco Threat Research Blog

Threat intelligence for Cisco Products

We detect, analyze, and protect customers from both known and unknown emerging threats

Threat Research

  • Vulnerability Spotlight: Epee Levin Packet Deserialization Code Execution Vulnerability


    September 25, 2018 - 1 Comment

    This vulnerability was discovered by Lilith (>_>) of Cisco Talos.

    Overview

    The Epee library, which is leveraged by a large number of cryptocurrencies, contains an exploitable code execution vulnerability in the Levin deserialization functionality. An attacker can send a specially crafted network packet to cause a logic flaw, resulting in remote code execution.

    In accordance with our coordinated disclosure policy, Cisco Talos has worked with the developers of Monero ‘Lithium Luna’ to ensure that these issues have been resolved and that an update has been made available for affected users. It is recommended that this update is applied as quickly as possible to ensure that systems are no longer affected by this vulnerability.

    Read More >>

  • IDA-minsc Wins Second Place in Hex-Rays Plugins Contest


    September 25, 2018 - 0 Comments

    Ali Rizvi-Santiago of Cisco Talos recently tied second place in the IDA plugin contest with a plugin named “IDA-minsc.” IDA is a multi-processor disassembler and debugger created by the company Hex-Rays and this year there were a total of 4 winners with 9 submissions total. Every year, the company invites researchers to submit plugins that improve their products, and Talos determined that IDA-minsc would improve users’ experience enough that it deserved consideration for this year’s awards.

    This plugin aims to make it easier for people to reverse and annotate binaries. We believe that this plugin expedites the annotation process and allows the user to work more efficiently. This is done by introducing a few concepts that change the way most users develop Python, which allows the user to treat the parts that they are reversing as more of a dataset that can be used to query and annotate as they see fit. This, combined with the plugin’s various components that automatically determine a function’s parameters based on the user’s current selection, allows the user to very quickly write code that can be used to mark and annotate the different parts of the database.

    Read More >>>

  • Adwind Dodges AV via DDE


    September 24, 2018 - 0 Comments

    This blog post is authored by Paul RascagneresVitor Ventura and with the contribution of Tomislav Pericin and Robert Perica from ReversingLabs.

    Introduction

    Cisco Talos, along with fellow cybersecurity firm ReversingLabs, recently discovered a new spam campaign that is spreading the Adwind 3.0 remote access tool (RAT), targeting the three major desktop operating systems (Linux, Windows and Mac OSX). This new campaign, first discovered by ReversingLabs on Sept. 10, appears to be a variant of the Dynamic Data Exchange (DDE) code injection attack on Microsoft Excel that has appeared in the wild in the past. This time, the variant is able to avoid detection by malware-blocking software.

    The majority of the targets in this campaign are in Turkey, according to data from the Cisco Umbrella cloud security platform. After our research, we have discovered important details about this attack, as well as the malicious, forged Microsoft Office documents that the attackers are using.

    More information

  • Threat Roundup for Sept 14 – 21


    September 22, 2018 - 0 Comments

    Today, as we do every week, Talos is giving you a glimpse into the most prevalent threats we’ve observed this week — covering the dates between Sept. 14 and 21. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, we will summarize the threats we’ve observed by highlighting key behavioral characteristics and indicators of compromise, and discussing how our customers are automatically protected from these threats.

    As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

    Read_More>>

  • Cyber Threat Alliance Releases Cryptomining Whitepaper


    September 19, 2018 - 0 Comments

    Despite the recent devaluation of some cryptocurrencies, illicit cryptocurrency miners remain a lucrative and widespread attack vector in the threat landscape. These miners are easy to deploy, and attackers see it as a quick way to steal other users’ processing power to generate cryptocurrency. These attacks are harder to notice than a traditional denial-of-service or malware campaign, resulting in reduced risk and a more stable foothold for a malicious actor. The Cyber Threat Alliance, with contributions from Cisco Talos and other CTA members, has released a whitepaper detailing the rise of cryptomining attacks that outlines what you — and your organization — should know about these kinds of campaigns.

    This paper covers the fact that there is a low technical barrier to entry for attackers, and that there are accessible patches to protect users from many of these attacks. Because cryptomining campaigns are easy to launch, a broader set of actors have engaged in this activity, resulting in a higher rate of attacks. Talos often observes multiple actors with illicit cryptomining software on the same compromised box. The use of well-known vulnerabilities by attackers essentially turns this problem into a canary-in-the-coalmine situation for defenders. If you discover unauthorized cryptomining software on one of your assets, there is a high likelihood that other actors have also leveraged the weaknesses in your systems to gain access — potentially for more damaging purposes.

    More information.

  • Threat Roundup for September 7 to September 14


    September 14, 2018 - 0 Comments

    Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between September 7 and September 14. As with previous round-ups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

    As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

    Read More