Cisco Threat Research Blog

Threat intelligence for Cisco Products

We detect, analyze, and protect customers from both known and unknown emerging threats

Holiday Shopping Threat Avoidance

The holidays are upon us and the shopping season is kicking into high gear. This year, an estimated 270 million consumers will shop online and, for the first time, more than half of them will use mobile devices to check off their holiday shopping lists.

With consumers searching for holiday discounts through display ads, social media and email, the Cisco Talos Security Intelligence and Research Group predicts that both malvertising and email spam will be significant vectors for cyber crime this season — especially for mobile shoppers. This is worrisome for the simple reason that most mobile devices lack the ability to block many of these threats, leaving them more exposed as attackers seek profit during the busiest time for online commerce.

Through their research, Talos found that Android users are particularly vulnerable. Of all the Apple and Android OS blocks observed on Cisco’s Cloud Web Security (CWS) platform, the Talos team found that nearly 95% were Android-related. At the heart of the problem, many users are running significantly older versions of the Android OS, which lack the security updates for today’s most persistent threats. This holiday season, we advise our mobile shoppers to exercise additional caution.

Keep reading for more on our findings and recommendations.

Microsoft Patch Tuesday – November 2015

Microsoft’s Patch Tuesday has arrived. Today, Microsoft has released their monthly set of security bulletins designed to address security vulnerabilities within their products. This month’s release contains 12 bulletins addressing 53 vulnerabilities. Four bulletins are rated critical and address vulnerabilities in Edge, Internet Explorer, Windows Journal, and Windows. The remaining eight bulletins are rated important and address vulnerabilities in .NET, IPsec, Kerberos, Lync/Skype for Business, NDIS, Office, SChannel, and Winsock.

Bulletins Rated Critical

Microsoft bulletins MS15-112 through MS15-115 are rated as critical in this month’s release.

MS15-112 and MS15-113 are this month’s Internet Explorer and Edge security bulletins, respectively. In total, 25 vulnerabilities are addressed, four of which affect both IE and Edge. The remaining 21 vulnerabilities affect only Internet Explorer. The majority of the vulnerabilities resolved in this month’s release are memory corruption defects. In addition, an ASLR bypass, an information disclosure vulnerability, and a couple of scripting engine flaws are also addressed.


Reverse Social Engineering Tech Support Scammers

This post is authored by Jaime Filson and Dave Liebenberg.

Background

A mosaic made up of 1-800 tech support scam websites

The number of fraudulent actors masquerading as legitimate tech support has been on the rise since 2008. According to David Finn, executive director at the Microsoft Cybercrime Center, tech support scammers have made nearly $1.5 billion off of 3.3 million unwitting victims just this year. These scammers typically convince the victim to allow them access to his/her computer through remote control applications such as TeamViewer. They then present benign processes as malicious, or at times even spread malware themselves. Afterwards, they charge hundreds of dollars for the service.

There are several avenues through which these scammers reach their victims. One of the most insidious is pop-ups and websites asserting that the user’s computer is riddled with viruses, and that the only way to fix the problem is to call a provided tech support number.

Talos has been monitoring the incessant creation of these fake tech support websites in order to better understand the way in which these scams operate. We decided to call a company ourselves for some reverse social engineering. Our experiment provided some interesting insights into the methods these scammers use to fool their victims as well as the infrastructure supporting their operations. In addition, we discovered a broad New Delhi-based scamming network employing multiple websites and VOIP phone numbers to carry out their duplicitous activities.


Domains of the Living Dead

According to the Centers for Disease Control and Prevention (CDC), “If you’re ready for a zombie apocalypse, then you’re ready for any emergency.” While events haven’t yet risen to the level of “zombie apocalypse”, computer attackers are continuing to use their voodoo to zombify Internet domains, and repurpose them for their own heinous crimes.

Image from the CDC’s Zombie Apocalypse preparedness site


Cisco Identifies Multiple Vulnerabilities in Network Time Protocol daemon (ntpd)

Cisco is committed to improving the overall security of the products and services our customers rely on. As part of this commitment, Cisco assesses the security of software components used in our products. Open source software plays a key role in many Cisco products and as a result, ensuring the security of open source software components is vital, especially in the wake of major vulnerabilities such as Heartbleed and Shellshock.

In April 2014, the Linux Foundation spearheaded the creation of the Core Infrastructure Initiative in response to the disclosure of Heartbleed with the goal of securing open source projects that are widely used on the internet. As a member of the Linux Foundation Core Infrastructure Initiative (CII) Steering Group, Cisco is contributing to the CII effort by evaluating the Network Time Protocol daemon (ntpd) for security defects. ntpd is a widely deployed software package used to synchronize time between hosts. ntpd ships with a wide variety of network and embedded devices as well as desktop and server operating systems, including Mac OS X, major Linux distributions, and BSDs.

Today, in coordination with the NTP Project, Cisco is releasing 8 advisories for vulnerabilities that have been identified by the Talos Group and the Advanced Security Initiatives Group (ASIG) within Cisco. These vulnerabilities have been reported to the NTP Project in accordance with Cisco vulnerability reporting and disclosure guidelines. The NTP Project has responded by issuing a Security Advisory along with releasing a patched version of ntpd. The following serves as a summary for all the advisories being released. For the full advisories, readers should visit the Vulnerability Reports page on the Talos website.


Dangerous Clipboard: Analysis of the MS15-072 Patch

This post was authored by Marcin Noga with contributions from Jaeson Schultz.

Have you ever thought about how security researchers take a patch that has been released, and then reverse it to find the underlying security issue? Well, back in July Microsoft released security bulletin MS15-072, titled: “Vulnerability in Windows Graphics Component Could Allow Elevation of Privilege (3069392)”. According to Microsoft, this vulnerability “could allow elevation of privilege if the Windows graphics component fails to properly process bitmap conversions.” Talos decided to take a deeper look at this vulnerability in order to better understand it, and this post describes the details of that process so that our readers may gain a better understanding of how this is done.

The full post is available on the talosintel.com blog.

Project Aspis


One of the hardest jobs on the Internet is working the abuse desk at a hosting provider. These teams have to strike a difficult balance between protecting their customers, ensuring that their services aren’t being abused by malicious actors, and delivering the service and convenience their customers expect. They don’t get nearly enough credit for their work.

Recently, Talos had the privilege to work with the abuse team from Limestone Networks. In the course of our joint investigation, we learned that Limestone Networks had been working against the same actor abusing their services for months. Based on our findings, this actor was costing them approximately $10,000 a month in fraudulent charges plus wasted engineering time and the overhead of managing the abuse tickets this actor was causing. By working together, Talos and Limestone Networks were able to make their network a difficult one for the actor to work in by rapidly identifying and terminating the systems they were trying to use. As a result, the actor moved off of their network.

The results of this experience were so positive, both for Limestone Networks and Talos, that today Talos is announcing Project Aspis.

What is Project Aspis?
Project Aspis is a Talos program that, in certain situations, assists hosting providers who are dealing with malicious actors that are persistent in their environment and a threat to others on the Internet.

Microsoft Patch Tuesday – October 2015

Microsoft’s Patch Tuesday has arrived. Today, Microsoft has released their monthly set of security bulletins designed to address security vulnerabilities within their products. This month’s release is fairly light with a total of 6 bulletins released addressing 33 vulnerabilities. Half of the bulletins are rated “Critical” and address vulnerabilities in Internet Explorer, JScript/VBScript, and the Windows Shell. The other half of the bulletins are rated “Important” and address vulnerabilities in Edge, Office, and the Windows Kernel.

Bulletins Rated Critical

MS15-106, MS15-108, and MS15-109 are rated Critical in this month’s release.

MS15-106 is this month’s Internet Explorer security bulletin for versions 7 through 11. In total, 14 vulnerabilities were addressed, most of them memory corruption conditions that could allow arbitrary code execution. This bulletin also addresses 2 memory corruption flaws and 2 information disclosure flaws in the JScript/VBScript scripting engine for Internet Explorer versions 8 through 11 only. Users and organizations that currently use Internet Explorer 7, or who do not have Internet Explorer installed, will need to install MS15-108 to address the vulnerabilities in the VBScript/JScript scripting engine.

Threat Spotlight: Cisco Talos Thwarts Access to Massive International Exploit Kit Generating $60M Annually From Ransomwa …

This post was authored by Nick Biasini with contributions from Joel Esler, Nick Hebert, Warren Mercer, Matt Olney, Melissa Taylor, and Craig Williams.

Executive Summary

Today, Cisco struck a blow to a group of hackers, disrupting a significant international revenue stream generated by the notorious Angler Exploit Kit. Angler is one of the largest exploit kits found on the market and has been making news as it has been linked to several high-profile malvertising/ransomware campaigns. This is the most advanced and concerning exploit kit on the market – designed to bypass security devices and ultimately attack the largest number of devices possible.

In its research, Cisco determined that an inordinate number of proxy servers used by Angler were located on servers of service provider Limestone Networks — with the primary threat actor responsible for up to 50 percent of Angler Exploit Kit activity, targeting up to 90,000 victims a day, and generating more than $30M annually. This implies that if you apply the full scope of Angler activity the revenue generated could exceed $60M annually. Talos gained additional visibility into the global activity of the network through their ongoing collaboration with Level 3 Threat Research Labs. Finally, thanks to our continued collaboration with OpenDNS we were able to gain in-depth visibility into the domain activity associated with the adversaries.

Cisco then took action:

  • Shutting down access for customers by updating products to stop redirects to the Angler proxy servers.
  • Releasing Snort rules to detect and block the health checks sent to the proxy servers.
  • Releasing all rules to the community through Snort.
  • Publishing the communications mechanisms, including protocols, so others can protect themselves and their customers.
  • Publishing IoCs so that defenders can analyze their own network activity and block access to remaining servers.

This is a significant blow to the emerging hacker economy where ransomware and the black market sale of stolen IP, credit card info and personally identifiable information (PII) are generating hundreds of millions of dollars annually.

Watch Angler compromise a box and install ransomware at the end of the video.
