Cisco Threat Research Blog
Threat intelligence for Cisco Products
We detect, analyze, and protect customers from both known and unknown emerging threats
CyberVets U.S.A.: The Mission After Transition
Christopher Marshall, a veteran of the U.S. Navy, currently serves as Director of Cybersecurity Research for Cisco Talos Intelligence Group.
As a veteran of the U.S. Navy, I’ve had the opportunity to use some of the greatest technology this country has to offer — from night vision goggles, to thermal cameras, to radio and satellite command and control equipment — even the care and feeding of nuclear reactors. When it was time for me to transition from the military to the civilian world, my post-military career led me to work for the Cisco Talos Intelligence Group, where I’ve found that many who served are also excellent teammates in the fast-paced, ever-shifting domain of cybersecurity. These men and women exhibit leadership, teamwork, inclusion, integrity, efficiency, and (importantly) the ability to acquire technical prowess. These are highly desirable traits in any industry, especially one that is predicated on trust and a willingness to always learn and evolve.
(more…)
Persian Stalker pillages Iranian users of Instagram and Telegram
State-sponsored actors have a number of different techniques at their disposal to remotely gain access to social media and secure messaging applications. Starting in 2017 and continuing through 2018, Cisco Talos has seen different techniques being used to attack users and steal their private information. These techniques used fake login pages, malicious apps disguised as their legitimate counterparts and BGP hijacking, and were specifically targeting Iranian users of the secure messaging app Telegram and the social media site Instagram.
Telegram has become a popular target for greyware in Iran, as the app is used by an estimated 40 million users. While it’s mostly used for daily communication, protest organizers also used it in the past to organize demonstrations against the Iranian government, specifically in December 2017. In a few instances, the Iranian government asked Telegram to shut down certain channels for “promoting violence.” The tactics outlined in this post have been in use since 2017 in an effort to gather information about Telegram and Instagram users. The campaigns vary in complexity, resource needs and methods. Below, we outline examples of a network attack, application clones and classic phishing. It is our belief that these campaigns were used to specifically target Iranian users of the Telegram app in an effort to steal personal and login information.
Threat Roundup for October 26 to November 2
Today, as we do every week, Talos is giving you a glimpse into the most prevalent threats we’ve observed this week — covering the dates between Oct. 26 and Nov. 02. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, we will summarize the threats we’ve observed by highlighting key behavioral characteristics and indicators of compromise, and discussing how our customers are automatically protected from these threats.
As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.
Talos Vulnerability Deep Dive – TALOS-2018-0636 / CVE-2018-3971 Sophos HitmanPro.Alert vulnerability
Overview
Sophos patched two vulnerabilities in Sophos HitmanPro.Alert on Thursday. We publicly disclosed these issues last week here, Cisco Talos will show you the process of developing an exploit for one of these bugs. We will take a deep dive into TALOS-2018-0636/CVE-2018-3971 to show you the exploitation process.
Sophos HitmanPro.Alert is a threat-protection solution based on heuristic algorithms that detect and block malicious activity. Some of these algorithms need kernel-level access to gather the appropriate information they need. The software’s core functionality has been implemented in the `hmpalert.sys` kernel driver by Sophos. This blog will show how an attacker could leverage TALOS-2018-0636 to build a stable exploit to gain SYSTEM rights on the local machine.
Vulnerability Spotlight: Multiple Vulnerabilities in Yi Technology Home Camera
Vulnerabilities Discovered by Lilith [x_x] of Cisco Talos.
Overview
Cisco Talos is disclosing multiple vulnerabilities in the firmware of the Yi Technology Home Camera. In order to prevent the exploitation of these vulnerabilities, Talos worked with Yi Technology to make sure a newer version of the firmware is available to users. These vulnerabilities could allow an attacker to gain remote code execution on the devices via a command injection, bypass methods of network authentication, or disable the device.
The Yi Home Camera is an internet-of-things (IoT) home camera sold globally. The 27US version is one of the newer models sold in the U.S. and is the most basic model out of the Yi Technology camera lineup.
It includes all the functions that one would expect from an IoT device, including the ability to view the camera’s feed from anywhere, offline storage, subscription-based cloud storage and easy setup.
Read the complete details here
Anatomy of a sextortion scam
Since this July, attackers are increasingly spreading sextortion-type attacks across the internet. Cisco Talos has been investigating these campaigns over the past few months. In many cases the spammers harvested email addresses and passwords from a publicly available data breach, and then used this data to facilitate their sextortion attacks. While the attackers do not actually have any compromising videos showing the victim, the emails claim to have explicit videos that they will distribute if the victim doesn’t pay the extortion payment by a certain time. By including the recipient’s password along with their demands for payment, the attackers hope to legitimize their claims about having compromising material concerning the victim. While these attacks have been in the wild for months, Talos wanted to take a closer look at some of these campaigns to see why users were being tricked into sending the attackers large amounts of bitcoin despite the attackers’ empty threats. By examining some of the sextortion spam campaigns in detail, our researchers were able to gain insight into how these criminals operate.
Talos Vulnerability Discovery Year in Review – 2018
Introduction
Cisco Talos’ Vulnerability Discovery Team investigates software and operating system vulnerabilities in order to discover them before malicious threat actors. We provide this information to vendors so that they can create patches and protect their customers as soon as possible. We strive to improve the security of our customers with detection content, which protects them while the vendor is creating, testing, and delivering the patch. These patches ultimately remove the vulnerability in question, which increases security not only for our customers, but for everyone. Once these patches become available, the Talos detection content becomes public, as well. You can find all of the release information via the Talos vulnerability information page here.
Over the past several years, our research team has improved the pace at which we disclose vulnerabilities. Talos increased the number of vulnerabilities it disclosed 22 percent year-over-year, and we hope to continue to grow that number. As of October 23rd, Cisco has updated it’s vendor vulnerability and discovery policy. You can read the complete details here.
Read the rest of the details on the Talos Blog
GPlayed younger brother is a banker and targets Russian banks
Cisco Talos published its findings on a new Android trojan known as “GPlayed” on Oct. 11. At the time, we wrote that the trojan seemed to be in the testing stages of development, based on the malware’s code patterns, strings and telemetry visibility. Since then, we discovered that there’s already a predecessor to GPlayed, which we are calling “GPlayed Banking.” Unlike the first version of GPlayed, this is not an all-encompassing banking trojan. It is specifically a banking trojan that’s looking to target Sberbank AutoPay users, a service offered by the Russian state-owned bank.
GPlayed Banking is spread in a similar way to the original GPlayed. It’s disguised as a fake Google app store, but actually installs the malware once it’s launched. This further illustrates the point that Android users need to be educated on how to spot a malicious app, and that they should be careful as to what privileges they assign to certain programs.
Threat Roundup for October 19-26
Today, as we do every week, Talos is giving you a glimpse into the most prevalent threats we’ve observed this week — covering the dates between Oct. 19 and 26. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, we will summarize the threats we’ve observed by highlighting key behavioral characteristics and indicators of compromise, and discussing how our customers are automatically protected from these threats.
As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.
CONNECT WITH CISCO
LET US HELP
Call us: 1.800.553.6387 - Ext 118
US/Can | 5am-5pm Pacific Other Countries