Researchers detected 200 Cisco routers with malicious firmware in 31 countries, with the U.S. having the largest number of potentially infected routers.
Attackers have installed malicious firmware on nearly 200 Cisco routers used by businesses from over 30 countries, according to Internet scans performed by cyber crime fighters at the Shadowserver Foundation.
Last Monday, FireEye subsidiary Mandiant warned about new attacks that replace the firmware on integrated services routers from Cisco Systems. The rogue firmware provides attackers with persistent backdoor access and the ability to install custom malware modules.
At the time Mandiant said that it had found 14 routers infected with the backdoor, dubbed SYNful Knock, in four countries: Mexico, Ukraine, India, and the Philippines. The affected models were Cisco 1841, 8211, and 3825, which are no longer being sold by the networking vendor.
Since then, the Shadowserver Foundation, a volunteer organization that tracks cyber crime activities and helps take down botnets, has been running an Internet scan with Cisco’s help in order to identify more potentially compromised devices.
The results confirmed Mandiant’s suspicions: there are more than 14 routers infected with SYNful Knock out there. Shadowserver and Cisco identified 199 unique IP (Internet Protocol) addresses in 31 countries that show signs of compromise with this malware.
The U.S. has the largest number of potentially infected routers, 65. It is followed by India with 12 and Russia with 11.
Shadowserver plans to start notifying network owners who have signed up for the organization’s free alert service if any of the compromised routers fall into their IP blocks.
“It is important to stress the severity of this malicious activity,” the organization said Monday in a blog post. “Compromised routers should be identified and remediated as a top priority.”
By controlling routers, attackers gain the ability to sniff and modify network traffic, redirect users to spoofed websites and launch other attacks against local network devices that would otherwise be inaccessible from the Internet.
Since the devices targeted by the SYNful Knock attackers are typically professional-grade routers used by businesses or ISPs, their compromise could affect large numbers of users.
Cisco has been aware of attackers using rogue firmware implants for several months. The company published a security advisory in August with instructions on how to harden devices against such attacks.
Cisco has patched a remote file-overwrite vulnerability in a couple of its products that could allow an attacker to replace arbitrary files and cause target systems to become unstable.
The vulnerability affects the Cisco Integrated Management Controller (IMC) Supervisor and UCS Director software. The company has fixed the bug in new versions of the software, 22.214.171.124 for Cisco UCS and 126.96.36.199 for the UCS Director. The IMC Supervisor is designed to give customers the ability to manage other Cisco servers from a central point. The UCS Director, meanwhile, provides centralized management of software and hardware in Cisco’s Unified Computing System.
“A vulnerability in JavaServer Pages (JSP) input validation routines of the Cisco IMC Supervisor and Cisco UCS Director could allow an unauthenticated, remote attacker to overwrite arbitrary files on the system,” the Cisco advisory says.
“The vulnerability is due to incomplete input sanitization on specific JSP pages. An attacker could exploit this vulnerability by sending crafted HTTP requests to the affected system. An exploit could allow the attacker to overwrite arbitrary system files resulting in system instability.”
Cisco said there are no workarounds available for the vulnerability, but there are no known public exploits for the bug, either.
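The advisory attributes the bug to incomplete input sanitization on pages that end up writing files, so the relevant hardening is to confine any client-supplied file name to an allowed directory before the write happens. The following is an added example written for this page, not Cisco's code and not taken from the patched products; the base directory and file names are constructed for illustration.

```python
# Added example: confine a client-supplied file name to an allowed directory
# before writing, the check whose absence lets a crafted request overwrite
# arbitrary files. Hypothetical helper, not part of any Cisco product.
from pathlib import Path


class UnsafePathError(ValueError):
    """Raised when a requested name would resolve outside the base directory."""


def resolve_upload_target(base_dir, requested_name):
    """Return an absolute Path inside base_dir for requested_name, or raise.

    The base is resolved first so that symlinks in the base itself cannot
    defeat the comparison. The candidate is then resolved without requiring
    it to exist (non-strict), and must still lie inside the resolved base.
    """
    base = Path(base_dir).resolve()
    # Reject embedded NUL bytes: lower layers truncate at NUL, which would make
    # the name we checked differ from the name that is actually written.
    if "\x00" in requested_name:
        raise UnsafePathError("NUL byte in file name")
    # Joining an absolute name discards the base, so an absolute input such as
    # /etc/passwd fails the containment check below rather than being honoured.
    candidate = (base / requested_name).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        raise UnsafePathError(f"{requested_name!r} escapes {base}") from None
    if candidate == base:
        raise UnsafePathError("empty file name")
    return candidate


def is_confined(base_dir, requested_name):
    """True if requested_name stays inside base_dir, False otherwise."""
    try:
        resolve_upload_target(base_dir, requested_name)
        return True
    except UnsafePathError:
        return False


if __name__ == "__main__":
    # Constructed inputs: a normal name, a traversal attempt and an absolute path.
    for name in ("report.txt", "sub/../report.txt", "../../etc/passwd", "/etc/passwd"):
        print(f"{name!r:24} -> {'allowed' if is_confined('/tmp/uploads_demo', name) else 'rejected'}")
```

The containment test is done on resolved paths rather than by scanning the string for `..`, because string filters miss encodings and platform-specific separators that the file system will still honour.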
Zero Day Weekly: Plex ransomed, FBI on California cable-cutting, MasterCard’s selfie passwords, BitStamp breach
A collection of notable security news items for the week ending July 3, 2015. Covers enterprise, controversies, application and mobile security, malware, reports and more.
Welcome to Zero Day’s Week In Security, our roundup of notable security news items for the week ending July 3, 2015. Covers enterprise, controversies, reports and more.
- With the launch of Windows 10, anyone who walks into your house and gets your Wi-Fi password could potentially let all their friends onto your network, thanks to a feature called “Wi-Fi Sense,” which has ignited controversy online.
- One takeaway from a breach report prepared for Bitstamp, a European bitcoin exchange – don’t allow PCs that run software such as Skype and Microsoft Office to connect to a server that hosts your bitcoin wallet. The UK registered company suffered a Jan. 4 breach resulting in the theft of 18,977 bitcoins, which at the time were worth 4.4 million euros, or $5.3 million.
- Plex was hacked on July 1st, and the hacker claiming to be responsible took to the Plex forums, saying they had “obtained all of your data, customers as well as software and files.” The hacker also demanded a ransom, payable in the form of Bitcoin, or else the data would be released by way of “multiple torrent networks.”
- The FBI is investigating internet cable-cutting in the San Francisco Bay Area. On Tuesday, 30 June, the 11th such attack cut off service for customers of Wave Broadband, near the state capital of Sacramento, which the internet service provider said was the result of a widespread “coordinated attack.” The FBI branch in San Francisco said there is “no indication these incidents are linked” to a case of vandalism in April 2013 that local law enforcement officials called “sabotage,” where a suspect cut fiber-optic cables, knocking out 911 service, and then fired a rifle at a PG&E power substation.
- Twin brothers have pleaded guilty to a slate of computer hacks, including breaking into State Department networks while working as government contractors. Muneeb and Sohaib Akhter, 23, admitted during a Friday hearing that they infiltrated the department’s networks in order to pilfer passport and visa information, according to the U.S. Attorney’s Office for the Eastern District of Virginia. The plea comes amid growing fears that government contractors pose an increasing threat to federal networks.
- Amazon is introducing a new TLS implementation: “Signal to noise,” s2n. This new library is meant to answer an inherent problem with the older open-source encryption programs. s2n, with its mere 6,000 lines of code, focuses only on encryption. Amazon is not trying to replace OpenSSL: Instead, s2n replaces the functionality of only one of OpenSSL’s two main libraries: Libssl, which implements TLS. There is no s2n equivalent to libcrypto, OpenSSL’s general-purpose cryptography library. Thus, s2n can take the place of “libssl,” but not “libcrypto.”
- MasterCard users may soon be able to pay for online purchases with their face or finger, with the payments giant to begin experimenting with facial-scan technology as well as fingerprint identification in an attempt to eliminate digital fraud. According to a report by CNNMoney, MasterCard will launch a pilot program with 500 participants over the next few months to develop the infrastructure to approve purchases without the need to enter a password.
- 3-D ultrasonic fingerprint scanning is being developed with an eye on strengthening smartphone security. Researchers at the University of California, Davis and Berkeley have managed to miniaturize medical ultrasound technology to create a fingerprint sensor that scans your finger in 3D. This low-power technology, which could improve on the robustness of current-generation capacitive scanners, could soon find its way to our smartphones and tablets.
- On Monday Google added controls for two-step verification to a pair of its Google Apps services, giving enterprise and education administrators tools to deploy, monitor and manage physical hardware-based tokens for strong authentication. The two Google services supported are Google Apps Unlimited, the premium business version of Google Apps, and Google Apps for Education, a suite of productivity tools for classroom collaboration.
- Cisco has announced its intention to purchase threat protection (and internet filtering) security firm OpenDNS in a deal worth $635 million. Announced on Tuesday, the tech giant said the move will accelerate the development of the Cisco Cloud Delivered Security Portfolio, and OpenDNS will prove a boost to advanced threat protection services for Cisco clients.
Cisco Talos, in conjunction with Apple’s security advisory issued on June 30th, is disclosing the discovery of a remote code execution vulnerability within Apple Quicktime. This vulnerability was initially discovered by the Talos Vulnerability Research & Development Team and reported in accordance with responsible disclosure policies to Apple.
There is a remote code execution vulnerability in Apple Quicktime (TALOS-CAN-0018, CVE-2015-3667). An attacker who can control the data inside an stbl atom in a .MOV file can cause an undersized allocation which can lead to an out-of-bounds read. An attacker can use this to create a use-after-free scenario that could lead to remote code execution.
There is a function within QuickTime (QuickTimeMPEG4!0x147f0) which is responsible for processing the data in an hdlr atom. A 16-byte memory region is allocated near the beginning of the function. If the hdlr subtype field in an mdia atom is set to ‘vide’, the reference to this region is passed to a set of two functions.
The first function swaps out the reference in object_ref for a bigger object, one of size 0xb0 bytes, and the second function operates on this new object.
At some point up the call stack, for the first of these two functions, the reference in question is passed to the function QuickTime!0x73e0f0. However, when the stbl atom is missing from the file, or the 4CC is corrupted, the object at eax does not get populated. When this happens the check at line 15 will pass and an error code (0xfffff809) will be passed back down the call stack.
This series of calls would normally lead to the replacement of the object reference in the function QuickTime!0x748a40. However, because the error code returned down the stack isn’t zero, the branch below is taken and the code path is skipped.
Eventually, the calls return and the function at line 57 of QuickTimeMPEG4!0x147f0 is called.
Code execution makes its way up to the function QuickTime!0x21ab00.
A read of 2 bytes is attempted at an offset of 84 bytes into the 16-byte object, resulting in an out-of-bounds read.
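The root cause described above is a parser that keeps going with an undersized object once a required atom (stbl) is missing, and then reads a field at an offset the object cannot hold. The block below is an added example written for this page, not Apple's or Talos' code, showing how a hardened atom walker refuses both failure modes: it validates every declared atom size against the bytes actually available, flags an mdia whose minf lacks an stbl, and rejects a 2-byte read at offset 84 into a 16-byte payload. The atom layout is the standard size/4CC header; the sample file bytes and the `check_media` findings format are constructed for the example.

```python
# Added example: bounds-checked walk over QuickTime/MP4 atoms (constructed
# sample data; hypothetical helpers, not QuickTime's own parser).
import struct

HEADER = 8  # 4-byte big-endian size + 4-byte type code


class AtomError(ValueError):
    """Raised for any atom whose declared size does not fit the data."""


def parse_atoms(buf, start=0, end=None):
    """Yield (type, payload_start, payload_end) for atoms in buf[start:end]."""
    end = len(buf) if end is None else end
    pos = start
    while pos < end:
        if end - pos < HEADER:
            raise AtomError(f"truncated atom header at {pos}")
        size, fourcc = struct.unpack_from(">I4s", buf, pos)
        hdr = HEADER
        if size == 1:  # 64-bit extended size follows the header
            if end - pos < 16:
                raise AtomError(f"truncated extended size at {pos}")
            (size,) = struct.unpack_from(">Q", buf, pos + 8)
            hdr = 16
        elif size == 0:  # atom extends to the end of the enclosing range
            size = end - pos
        if size < hdr or pos + size > end:
            raise AtomError(f"atom {fourcc!r} at {pos} declares {size} bytes, "
                            f"only {end - pos} available")
        yield fourcc, pos + hdr, pos + size
        pos += size


def read_u16(buf, payload_start, payload_end, offset):
    """Read a big-endian 16-bit field, refusing offsets past the payload."""
    if offset < 0 or offset + 2 > payload_end - payload_start:
        raise AtomError(f"2-byte read at offset {offset} exceeds "
                        f"{payload_end - payload_start}-byte payload")
    return struct.unpack_from(">H", buf, payload_start + offset)[0]


def safe_read_ok(payload, offset):
    """True if a 2-byte read at offset fits inside payload."""
    try:
        read_u16(payload, 0, len(payload), offset)
        return True
    except AtomError:
        return False


def hdlr_subtype(buf, p_start, p_end):
    """hdlr payload: version/flags(4), pre_defined(4), handler_type(4), ..."""
    if p_end - p_start < 12:
        raise AtomError("hdlr payload too short")
    return buf[p_start + 8:p_start + 12]


def check_media(buf):
    """Report the mdia handler subtype and whether its minf carries an stbl."""
    findings = {"handler": None, "has_stbl": False}
    for fourcc, ps, pe in parse_atoms(buf):
        if fourcc != b"mdia":
            continue
        for ctype, cs, ce in parse_atoms(buf, ps, pe):
            if ctype == b"hdlr":
                findings["handler"] = hdlr_subtype(buf, cs, ce)
            elif ctype == b"minf":
                for gtype, _, _ in parse_atoms(buf, cs, ce):
                    if gtype == b"stbl":
                        findings["has_stbl"] = True
    return findings


def atom(fourcc, payload):
    """Build one atom with a plain 32-bit size (test data helper)."""
    return struct.pack(">I4s", HEADER + len(payload), fourcc) + payload


# Constructed sample files: a 'vide' track with and without an stbl atom.
_HDLR = atom(b"hdlr", b"\0" * 8 + b"vide" + b"\0" * 4)
SAMPLE_MISSING_STBL = atom(b"mdia", _HDLR + atom(b"minf", atom(b"dinf", b"\0" * 4)))
SAMPLE_WITH_STBL = atom(b"mdia", _HDLR + atom(b"minf", atom(b"dinf", b"\0" * 4) + atom(b"stbl", b"\0" * 16)))

if __name__ == "__main__":
    print(check_media(SAMPLE_MISSING_STBL))   # handler b'vide', has_stbl False
    print(safe_read_ok(b"\0" * 16, 84))       # False: the read the article describes
```

A parser built this way fails closed at the point where the stbl is found missing, instead of returning an error code that a caller further up the stack silently ignores.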
Cisco Talos’ research and discovery of programmatic ways to find 0-days helps secure the platforms and software that our customers depend on. The disclosure of this and other vulnerabilities helps the entire online community by identifying security issues that otherwise could be exploited by threat actors. Uncovering new 0-days not only helps improve the overall security of the software that our customers use, but it also enables us to directly improve the procedures in our own security development lifecycle, which improves the security of all of the products that Cisco produces.
Related Snort rules: 35022-35023
For the most up to date list, please refer to Defense Center or FireSIGHT Management Center.
For further zero day or vulnerability reports and information visit:
2015-05-08 – Reported
2015-06-30 – Patched
2015-06-30 – Released
Cisco security engineers have disclosed that there is a single default ‘maintenance’ SSH key hardcoded into several families of Cisco security appliances.
The default authorised SSH keys and SSH host keys are associated with remote access for maintenance, meaning that a successful attack would allow hackers to access the devices at will. Once obtained, the private keys would allow an attacker to decrypt traffic after collecting it during a man-in-the-middle attack, or impersonate one of the appliances and alter traffic.
According to Cisco, Web Security Virtual Appliances, Email Security Virtual Appliances, and Content Security Management Virtual Appliances are affected by the security issue, reports the SecurityAffairs blog.
“Multiple Cisco products contain a vulnerability that could allow an unauthenticated, remote attacker to decrypt and impersonate secure communication between any virtual content security appliances. Updates are available”, said the company in a widely-quoted statement.
The vendor has pushed out a security patch to rectify the issue (“cisco-sa-20150625-ironport SSH Keys Vulnerability Fix”) and says all versions prior to 25 June need the update.
The Register quotes the patch advisory as saying: “IP address connectivity to the management interface on the affected platform is the only requirement for the products to be exposed to this vulnerability. No additional configuration is required for this vulnerability to be exploited.
“This patch is not required for physical hardware appliances or for virtual appliance downloads or upgrades after June 25, 2015,” the advisory continues.
However, according to ComputerWorld, Cisco said it “is not aware of any public announcements or malicious use of the vulnerabilities that are described in this advisory.”
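One practical way to verify that the patch actually removed the shared key is to fingerprint the SSH keys presented by every appliance and look for the same fingerprint appearing on more than one host. The following is an added example written for this page, not Cisco's tooling and not the advisory's own check; the host names and key blobs are constructed (the blobs are arbitrary bytes, not real keys), and `find_shared_keys` is a hypothetical helper name. The fingerprint is computed the way OpenSSH does it (base64 of the SHA-256 of the decoded key blob, padding stripped), so on real key lines the output matches `ssh-keygen -lf`.

```python
# Added example: flag SSH public keys shared across several hosts.
# Constructed sample data; hypothetical helpers, not part of any Cisco tool.
import base64
import hashlib
from collections import defaultdict


def parse_key_line(line):
    """Return (key_type, raw_key_bytes) for an OpenSSH public-key line such as
    'ssh-rsa AAAA... comment'; comments and malformed lines return None."""
    parts = line.strip().split()
    if len(parts) < 2 or parts[0].startswith("#"):
        return None
    try:
        return parts[0], base64.b64decode(parts[1], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def fingerprint(raw_key):
    """OpenSSH-style fingerprint: SHA256:<base64 digest without '=' padding>."""
    digest = hashlib.sha256(raw_key).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def find_shared_keys(host_keys):
    """host_keys maps hostname -> list of public-key lines (host keys or
    authorized_keys entries). Returns {fingerprint: sorted hosts} for every
    fingerprint seen on more than one host."""
    seen = defaultdict(set)
    for host, lines in host_keys.items():
        for line in lines:
            parsed = parse_key_line(line)
            if parsed is None:
                continue
            seen[fingerprint(parsed[1])].add(host)
    return {fp: sorted(hosts) for fp, hosts in seen.items() if len(hosts) > 1}


# Constructed sample: two appliances still presenting the same key blob and
# one whose key was regenerated. The blobs are made-up bytes, not real keys.
_BLOB_SHARED = base64.b64encode(b"constructed-shared-appliance-key-blob").decode()
_BLOB_UNIQUE = base64.b64encode(b"constructed-regenerated-key-blob").decode()
SAMPLE_HOST_KEYS = {
    "wsa-01.example.test": ["ssh-rsa " + _BLOB_SHARED + " maintenance"],
    "esa-01.example.test": ["ssh-rsa " + _BLOB_SHARED + " maintenance"],
    "sma-01.example.test": ["# regenerated after patching",
                            "ssh-rsa " + _BLOB_UNIQUE + " maintenance"],
}

if __name__ == "__main__":
    for fp, hosts in find_shared_keys(SAMPLE_HOST_KEYS).items():
        print(f"{fp} shared by {', '.join(hosts)}")
```

Feeding this with lines collected by `ssh-keyscan` (for host keys) or from each appliance's authorized-keys store turns the advisory's "regenerate the keys" step into something that can be checked after the fact rather than assumed.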
A new strain of spyware that logs keystrokes and steals data has a destructive side to it, unleashing wiper capabilities if it detects it’s being analyzed and audited.
A limited number of samples of the malware, dubbed Rombertik by researchers at Cisco Talos, were spotted at the start of the year. That relatively small number indicates it could have been used in targeted attacks at the outset, but Craig Williams, security outreach manager at Cisco, said attacks are more widespread now, and are not focused on any particular vertical or geographic location.
“It sounds cliché, but this is really a digital arms race and we’re seeing the next evolution of it here,” Williams said. “They’re no longer content with detect-and-shut-down, now if malware realizes it’s being audited, the binary will destroy the system. It’s a simple case of attackers trying to dissuade researchers from going after a sample.”
Rombertik has a number of unusual and complex features, Williams said, most of which are designed to evade detection and analysis. For example, once the malicious executable is launched from a phishing or spam message, the malware contains volumes of garbage code that would have to be analyzed (1264Kb that includes 75 images and 8,000 functions that are never used).
Like many other pieces of malware, this one also contains capabilities to detect and evade sandboxes. Unlike others that sleep for a predetermined period of time before executing, Rombertik writes a byte of random data to memory 960 million times, Cisco said. Sandboxes cannot differentiate this stall tactic from normal behavior, and also, if all that data is logged, the size of the log would exceed 100Gb and would take a half-hour to write to the hard drive. This is just one of three anti-analysis checks, Cisco said.
If the malware passes those checks, it will install itself in the startup folder and into AppData to ensure persistence. It will eventually copy the executable a second time and overwrite memory of the new process with the unpacked executable, Cisco said.
“The unpacking code is monstrous and has many times the complexity of the anti-analysis code. The code contains dozens of functions overlapping with each other and unnecessary jumps added to increase complexity,” the Talos report said. “The result is a nightmare of a control flow graph with hundreds of nodes.”
The malware, however, is not done with its anti-analysis checks. The malware computes a hash of a resource in memory and compares it to the unpacked sample, and if there’s been an alteration, it will first attempt to overwrite the Master Boot Record of the physical disk. If that fails, it destroys all the files in the user’s home folder, encrypting each file with a randomly generated RC4 key.
“One of the things that’s interesting about this malware is that it doesn’t have one malicious feature, it’s got several,” Williams said. “At nearly every turn, it attempts to hang, destroy, or take up storage space of static or dynamic analysis tools. The more samples we see, the more problems companies are likely going to have. [Other attackers] are going to find this effective and copy it.”
Most of the phishing and spam emails pushing Rombertik carry a similar theme of an organization making a business pitch to work with an enterprise. One sample shared by Cisco shows the attackers impersonating “Windows Corp.” and pitching a business partnership with a semiconductor manufacturer.
The messages contain an infected attachment in a .zip file. If the user downloads and unzips the file, they will see a document thumbnail, such as a PDF icon, for example. The file is really a .scr file that contains Rombertik. If the malware passes all the checks and executes, it scans running processes looking for instances of Chrome, Firefox or Internet Explorer running on the machine and injects itself into the process. The malware hooks API functions that handle plaintext data, Cisco said, and reads anything typed into the browser before it’s encrypted and sent over HTTPS. Data such as usernames, passwords, account numbers and more are at risk.
Rombertik indiscriminately targets data, just stealing as much data as it can from the victim, which is Base64 encoded and sent to the attacker’s command and control server. Cisco listed one domain in its report: www[.]centozos[.]org[.]in/don1/gate.php.
“When we first observed it at the beginning of the year, it was fairly unknown and had almost zero detection rates,” Williams said. “Today there’s a decent amount of detection for it, and at this point, it’s just being sent out shotgun style.”
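The delivery and post-execution behaviour described above (a .scr dressed up as a document, a copy dropped into the Startup folder, and a non-browser process reaching into Chrome, Firefox or Internet Explorer) can each be turned into a coarse endpoint-telemetry check. The block below is an added example written for this page, not Talos' detection content; the event records are constructed to resemble process-creation, file-write and process-access telemetry, and the rule names and `detect` helper are hypothetical.

```python
# Added example: triage heuristics over constructed endpoint events for the
# three Rombertik behaviours the article describes. Not Talos' signatures.
import ntpath

BROWSERS = {"chrome.exe", "firefox.exe", "iexplore.exe"}
DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".rtf"}
EXEC_EXTS = {".exe", ".scr", ".bat", ".vbs", ".cmd"}
STARTUP_MARK = "\\start menu\\programs\\startup\\"


def _name(path):
    """Lower-cased file name of a Windows path (ntpath works on any OS)."""
    return ntpath.basename(path).lower()


def masquerading_scr(image):
    """A screensaver whose name carries a document extension, e.g. invoice.pdf.scr."""
    stem, ext = ntpath.splitext(_name(image))
    return ext == ".scr" and ntpath.splitext(stem)[1] in DOC_EXTS


def startup_drop(path):
    """An executable written into the per-user Startup folder (persistence)."""
    return STARTUP_MARK in path.lower() and ntpath.splitext(_name(path))[1] in EXEC_EXTS


def browser_access(source, target):
    """A process that is not itself a browser opening a browser process
    (the shape that injection takes; browsers opening their own children is normal)."""
    return _name(target) in BROWSERS and _name(source) not in BROWSERS


def detect(events):
    """Return [(rule, detail)] for every event that trips one of the heuristics."""
    hits = []
    for ev in events:
        kind = ev.get("event")
        if kind == "process_create" and masquerading_scr(ev["image"]):
            hits.append(("document-masquerade-scr", ev["image"]))
        elif kind == "file_write" and startup_drop(ev["path"]):
            hits.append(("startup-persistence", ev["path"]))
        elif kind == "process_access" and browser_access(ev["source"], ev["target"]):
            hits.append(("browser-access-from-non-browser", ev["source"]))
    return hits


# Constructed telemetry: one infection chain plus two benign events.
SAMPLE_EVENTS = [
    {"event": "process_create", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Users\alice\AppData\Local\Temp\zipA1B2\proposal.pdf.scr"},
    {"event": "process_create", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Adobe\Acrobat\Acrobat.exe"},
    {"event": "file_write", "image": r"C:\Users\alice\AppData\Local\Temp\zipA1B2\proposal.pdf.scr",
     "path": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svc.exe"},
    {"event": "process_access", "source": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "target": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"event": "process_access", "source": r"C:\Users\alice\AppData\Roaming\svc.exe",
     "target": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
]

if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:32} {detail}")
```

These are triage rules rather than signatures: the document-masquerade check is specific, the other two produce occasional false positives from installers and accessibility tools, so they are best correlated with the first hit on the same host rather than alerted on alone.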