Cyber Risk Report

November 28–December 4, 2011

The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.


Vulnerability activity for the weekly period was below previous levels, and for the month of November, vulnerability activity was substantially lower than previous monthly periods. While many vendors and researchers are reducing levels of activity as we approach the year end, threat activity from e-mail and web threats continues to remain increased with the commencement of online shopping activity for the holiday periods. For the 2011 calendar year, vulnerability and threat activity remains increased from the previous two years, reversing the trend of declining activity observed since 2009.

Highlights for the period include the release of functional exploit code and a Metasploit module for Java vulnerabilities, reinforced by the release of the latest Microsoft Security Intelligence Report on increased levels of Java-related threat activity identified over the period. Red Hat and VMware released multiple updates for Java vulnerabilities in their products. Vendors continue to release updates for the BIND denial of service (DoS) vulnerability reported in IntelliShield alert 24590. HP released multiple updates for Apache. Cisco reported updates were available for the compromised certificates impacting the Web Security Appliance (WSA) reported in IntelliShield alert 24513.

RealNetworks released a large update for RealPlayer that corrects 19 vulnerabilities in previous versions. RealPlayer is a widely used media player that is often required for web videos and conferences and is likely to be on many users' systems. Users should be alerted to update to the latest version or install the available updates.

Adobe reported multiple vulnerabilities in the Adobe Flex Software Development Kit (SDK), which is an open source framework that may have been used to create applications that now include these vulnerabilities. Users will need to check with their application providers to determine their level of vulnerability and obtain updates for the impacted applications.

Threat activity for the period includes reports of multiple groups participating in Operation Robin Hood (OpRobinHood), targeting banks for credit card information that will reportedly be used to make donations to charity organizations. Also targeting financial institutes is the "gameover" attack, which combines the Zeus trojan with distributed denial of service (DDoS) attacks to compromise accounts and provide cover for the transfer of funds from those accounts with the DDoS attacks.

On an administrative note to our readers, the Cyber Risk Report was not published on November 28, 2011, and will not be published on January 3, 2012, due to the holidays and reduced work schedules.

IntelliShield published 94 events last week: 52 new events and 42 updated events. Of the 94 events, 51 were Vulnerability Alerts, seven were Security Activity Bulletins, two were Security Issue Alerts, and 34 were Threat Outbreak Alerts. The alert publication totals are as follows:

Weekly Alert Totals

Day Date New Updated Total
Friday 12/02/2011   11    8  19
Thursday 12/02/2011    7   10  17
Wednesday 11/30/2011   10   10  20
Tuesday 11/29/2011   13    4  17
Monday 11/28/2011   11  10  21
Weekly Total  52  42 94


2011 Monthly Alert Totals

Month New Updated Monthly Total
January  166  237  403
February  177  176  400
March  194  276  501
April  246  229  475
May  219  185  404
June  251  221  472
July  240  213  453
August  248  226  474
September  207  234  441
October  244  314  558
November  162  195  357
Totals 2432 2506 4938


Significant Alerts for November 28–December 4, 2011

Oracle Java Applet Rhino Script Engine Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 24470, Version 4, December 1, 2011
Urgency/Credibility/Severity Rating: 3/5/4

Multiple versions of Oracle Java contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. Oracle and multiple other vendors have confirmed this vulnerability and released updated software. Functional code that demonstrates an exploit is publicly available.

Apache HTTP Server Reverse Proxy Rewrite URL Validation Vulnerability
IntelliShield Vulnerability Alert 24625, Version 1, November 28, 2011
Urgency/Credibility/Severity Rating: 2/5/3

Apache HTTP Server contains a vulnerability that could allow an unauthenticated, remote attacker to gain unauthorized access to internal networks. Apache has not confirmed the vulnerability and software updates are not available. The vulnerability is due to a regression error introduced by the vulnerability CVE-2011-3368, documented in IntelliShield alert 24327. Proof-of-concept code that exploits the vulnerability is publicly available.

Previous Alerts That Still Represent Significant Risk

ISC BIND Recursive Query Processing Denial of Service Vulnerability
IntelliShield Vulnerability Alert 24590, Version 8, December 2, 2011
Urgency/Credibility/Severity Rating: 2/5/3

ISC BIND version 9 contains a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on a targeted system. It should be noted that there are external reports that this vulnerability is being actively exploited in the wild, as DNS server crashes have been observed. It is not, however, fully determined that exploitation of this vulnerability is the root cause for the recently observed crashes. ISC and multiple vendors have confirmed this vulnerability and released updated software.

Apache HTTP Server Overlapping Ranges Denial of Service Vulnerability
IntelliShield Vulnerability Alert 24004, Version 18, November 15, 2011
Urgency/Credibility/Severity Rating: 2/5/3

Apache HTTP Server contains a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition. Proof-of-concept code that exploits this vulnerability is publicly available. Apache has confirmed this vulnerability and updated software is available. Oracle and multiple additional vendors have released security advisories. HP has released an additional security bulletin.

Adobe Flash Player and AIR Multiple Vulnerabilities
IntelliShield Vulnerability Alert 24582, Version 2, November 14, 2011
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2011-2445, CVE-2011-2450, CVE-2011-2451, CVE-2011-2452, CVE-2011-2453, CVE-2011-2454, CVE-2011-2455, CVE-2011-2456, CVE-2011-2457, CVE-2011-2458, CVE-2011-2459, CVE-2011-2460

Adobe Flash Player and AIR contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code or cause a denial of service (DoS) condition on a targeted system. Adobe, Red Hat and FreeBSD have release security advisories and updates.

Microsoft Windows UDP Packet Processing Integer Overflow Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 24490, Version 2, November 14, 2011
Urgency/Credibility/Severity Rating: 2/5/4

Microsoft Windows contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. Proof-of-concept code that demonstrates an exploit of the Microsoft Windows UDP packet processing integer overflow arbitrary code execution vulnerability is publicly available. Microsoft has released a security bulletin and updates.

Trojan: W32.Duqu
IntelliShield Vulnerability Alert 24425, Version 3, November 2, 2011
Urgency/Credibility/Severity Rating: 3/5/3

W32.Duqu is a remote access trojan that attempts to steal sensitive information, initiate remote application download, and provide back door access to a remote attacker. Virus definitions are available. IntelliShield has updated this alert to include information about a vulnerability in the Microsoft Windows platform that the W32.Duqu trojan could leverage to infect a targeted system. ICS-CERT and multiple anti-virus vendors have also released security alerts with virus descriptions for this trojan.

Microsoft Windows TrueType Font Parsing Remote Code Execution Vulnerability
IntelliShield Vulnerability Alert 24500, Version 2, November 4, 2011
Urgency/Credibility/Severity Rating: 3/5/4

Microsoft has released a security advisory to address the TrueType font parsing remote code execution vulnerability. Reports suggest that this vulnerability is being exploited by W32.Duqu to install itself on a targeted system. This trojan has been documented in IntelliShield Alert 24425. Microsoft has released a security advisory announcing it is investigating this vulnerability. Microsoft has released a Fix-It solution as a workaround for the vulnerability.

Oracle Java SE Critical Patch Update October 2011
IntelliShield Vulnerability Alert 24433, Version 4, November 28, 2011
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2011-3389, CVE-2011-3516, CVE-2011-3521, CVE-2011-3544, CVE-2011-3545, CVE-2011-3546, CVE-2011-3547, CVE-2011-3548, CVE-2011-3549, CVE-2011-3550, CVE-2011-3551, CVE-2011-3552, CVE-2011-3553, CVE-2011-3554, CVE-2011-3555, CVE-2011-3556, CVE-2011-3557, CVE-2011-3558, CVE-2011-3560, CVE-2011-3561

Oracle has released the Oracle Java SE Critical Patch Update for October 2011. The update addresses 20 new security vulnerabilities. An unauthenticated, remote attacker could leverage several of the vulnerabilities to completely compromise an affected system. Oracle, Red Hat, CentOS, and Apple have released updates.

Worm Targeting Vulnerable JBoss Application Server Installations
IntelliShield Vulnerability Alert 24445, Version 1, October 21, 2011
Urgency/Credibility/Severity Rating: 3/5/3

Multiple reports indicate a worm circulating in the wild is exploiting a patched vulnerability in JBoss Application Server, reported in IntelliShield alert 20397. Updates and instructions to mitigate the threat are available. This vulnerability was originally reported in April 2010.

Apache HTTP Server mod_proxy Module Information Disclosure Vulnerability
IntelliShield Vulnerability Alert 24327, Version 6, November 15, 2011
Urgency/Credibility/Severity Rating: 2/5/3

Apache HTTP Server contains a vulnerability that could allow an unauthenticated, remote attacker to gain access to sensitive information. Proof-of-concept code that demonstrates an exploit of this vulnerability is publicly available. Apache, Red Hat, IBM, and FreeBSD have released have released security advisories and software updates.

FreeType PostScript Type 1 Font Parsing callothersubr Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 23602, Version 5, October 14, 2011
Urgency/Credibility/Severity Rating: 3/5/3

FreeType versions prior to 2.4.5 contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. Functional exploit code for this vulnerability is used publicly in conjunction with other vulnerabilities to provide web-based "jailbreak" capabilities for Apple iOS devices. Other sites or exploits may be able to repurpose this exploit code for malicious purposes. Apple, Red Hat and FreeBSD have released security updated software.


Cyber Criminals Supporting Terrorist Arrests

On November 23, 2011, a joint team from Criminal Investigation and Detection Group (CIDG) of the Philippine National Police and the United States (U.S.) Federal Bureau of Investigation (FBI) apprehended four Filipino criminals who were accused of misusing telephone private branch exchanges (PBX) of various companies including AT&T. AT&T alone suffered losses of around US$2 million.
Read More
Additional Information
Additional Information

IntelliShield Analysis: What sets this case apart from other similar cases is that the money was reportedly used to finance terrorist organizations. According to the CIDG, Paul Michael Kwan, one of the four suspects, received payments from the Jemaah Islamiyah group since 2007. This kickback arrangement between the Saudi-based terrorist cell and Filipino criminals seems to be long-standing. The first paper trails linking the groups were uncovered in 1999. There were some indications and suspicions that computer criminals were involved in financing terrorist organizations, but concrete proof was hard to come by. This case brings closure to this point because the evidence shows that computer criminals do finance terrorist activity and have done so for years. The only remaining question is what portion of criminals' gain is used to finance terrorists and what portion goes to non-political criminals and their organizations? This question is harder to answer because in today's global criminal organizations, lines can be easily blurred.


U.S. Immigration and Customs Enforcement Seizes 150 Domains

The results of a U.S. Immigration and Customs Enforcement (ICE) and FBI three-month investigation related to the sale of counterfeit merchandise resulted in the seizure and shutdown of 150 domains just prior to Cyber Monday. The domains seized sold products ranging from counterfeit or fake NBA jerseys to Louis Vuitton handbags. Since first targeting online counterfeiters in June 2010, the federal government has seized the domain names of 350 websites. No charges have been filed against the recently seized sites (150 domains); however, the investigation is still ongoing. Another astonishing statistic is that, from the counterfeit crackdown in June 2010, Internet users have attempted to access the seized domains more than 77 million times. Moreover, the ICE and FBI state "it may seem like a trivial thing to buy a knock-off football jersey or look-alike sunglasses, but the profits seized by counterfeiters can help fund far more nefarious activities." There is growing concern that these organized crimes are going to fuel other criminal activities. Read More

IntelliShield Analysis: While there is no doubt that protecting citizens in the U.S. and abroad from cyber-based crimes is an obligation today, we must also ensure the process of due diligence is followed. The linked article states that "Federal authorities have shut down 150 websites accused of selling knock-off or pirated merchandise to unsuspecting online bargain hunters." Is there a threshold or are there metrics being recorded to define the accusations or complaints? When should the government step in from an authoritative standpoint with intrusive actions such as a domain shutdown? The reality is that there continues to be a risk with such actions, and while the thought of serving the greater good comes to mind, we all must be cognizant of how the greater good is defined. For instance, if you hosted an e-commerce site and an accusation surfaced regarding the site that resulted in the website being taken down prior to one of the busiest shopping seasons without recourse, what would you do? The potential revenue generated would be lost, but more importantly, what if you were not selling counterfeit merchandise? Maybe an advertisement or pop-up surfaced on your site with a reference to another site that was the guilty party. As web advertisements and marketing abound, it is not infeasible for this type of scenario to occur. Again, due diligence cannot be overlooked in such situations. As always, stay on the lookout for nefarious activity and scrutinize all web transactions, because you never know which may be your last.

Facebook and U. S. Federal Trade Commission Settlement

The U.S. Federal Trade Commission (FTC) and social networking giant Facebook have agreed on a settlement surrounding Facebook's privacy practices. The charges in particular were regarding Facebook's practice of communicating privacy to customers by telling users to keep their information private, yet Facebook repeatedly shared the information and allowed it to be made public. The FTC brought charges against Facebook in the form of a 19-page complaint that expressed various examples that conflicted with Facebook's claims that user data was never shared with advertisers and marketers. Moreover, the information shared was detailed to the point that they could identify the users who clicked the ads and subsequently identify for whom the ads were targeted. This is a complaint on behalf of the FTC, not a formal charge. The complaint does not specify that a ruling or law has been violated and as such, it does not constitute or require an admission by Facebook. Facebook CEO Mark Zuckerberg did admit that "a bunch of mistakes" were made and said that Facebook is working to rectify the mistakes. Zuckerberg has since hired privacy professionals to ensure that privacy controls are built into the products and policies.
Read More
Additional Information
Additional Information

IntelliShield Analysis: User awareness is more critical than ever. The FTC provided this complaint, not consumers or users, because most were or are not aware of the matter. When a user sporadically begins to receive e-mail or other communications regarding some of their interests, that is a call for action. Although today's society is predicated on an absorbent amount of technology and innovation, we cannot allow it to mask our sense of awareness and ability to still ask the obvious questions of how, why, when, and where. Regardless of the privacy notices and practices instituted, users must still perform their own reconnaissance, as the practices and policies are simply guides to help the situation, not holistic solutions to solve them.


Service Quality Reporting Software Mirrors Rootkit Functionality

A security researcher reportedly demonstrated capturing keystrokes on his cellular phone by software created by CarrierIQ. According to their website, CarrierIQ is a Mobile Service Intelligence company that gives service providers insight into their mobile service quality. In its default configuration, the software supposedly only collected non-personal information. The collection of data has resulted in a wiretapping lawsuit being filed in U.S. Federal Court over the alleged data collection. CarrierIQ has refuted these claims in their own statement. The latest information suggests that CarrierIQ may have been unfairly targeted by researchers.
Read More
Additional Information
Additional Information
Additional Information
Additional Information

IntelliShield Analysis: This appears to be another case of automatic data collection by a personal cellular device without express user permission. Whether or not personally identifiable information was collected, users often purchase cellular phones and tablet computers directly from cellular providers with the idea that the consumer will have the final choice or at least some choice as to what information is collected during their use of their device. The issue that this software is so difficult to remove does not foster a sense of trust between customers and cellular providers and device manufacturers. The enterprise with a "bring your own device" policy may be well advised to conduct an assessment of software loaded on personally owned cell phones and tablet computers by cellular providers prior to allowing those devices access to corporate networks.


There was no significant activity in this category during the time period.


There was no significant activity in this category during the time period.


Preparing for the Possibility of Eurozone Dissolution

When French President Nicholas Sarkozy and German Chancellor Angela Merkel publicly alluded to the possibility of a Eurozone break up early in November, companies took notice. According to interviews with multinational corporations by the Financial Times, recent events have got them war gaming unlikely scenarios and preparing contingency plans. There were conflicting reports indicating that one major European technology firm had withdrawn large amounts of cash from a European bank and deposited it directly with the European Central Bank as a precautionary measure. Governments are also taking steps. China, faced with stalling manufacturing numbers, surprised economists last week when it eased bank reserve ratios to encourage new lending, despite concerns about overheated real estate and construction sectors.
Read More
Additional Information

IntelliShield Analysis: The likelihood of a disorderly breakup of the Euro remains low, but the mere perception of such a scenario raises risk, even for companies without direct exposure to European debt. The global crisis of confidence in the banking sector threatens to derail economic recovery worldwide and steers multinational trade contracts into uncharted waters. Indeed, some companies are consulting lawyers on the dispensation of cross-border contracts in a break-up scenario. Stock market volatility and exchange rate risk is probably complicating supply chain planning, particularly negotiation of multi-year contracts. The perception that a Eurozone breakup is no longer off the table may cause businesses to postpone major information technology upgrades and move cash into perceived safe havens. In other cases, it may prompt businesses to more aggressively use technology to number-crunch scenarios. Either way, company planners may be wise to start imagining the unimaginable, because experience shows that mere perception of a panicked rush to the exits could precipitate one.

Upcoming Security Activity

Black Hat Abu Dhabi 2011: December 12–15, 2011
International Conference on Cyber Security (ICCS 2012): January 9–12, 2012
Cyber Defence & Network Security conference: January 24–27, 2012
RSA Conference: February 27–March 2, 2012
CanSecWest 2012: March 7–9, 2012

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following dates:

Al-Hijra/Muharram: November 26–December 24, 2011
COP-17 Climate Summit: November 28–December 09, 2011
Hanukkah: December 20–28, 2011
Christmas: December 25, 2011
New Year's Day: January 1, 2012

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit
      Cisco Security IntelliShield Alert Manager Service

For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit
      Trial Registration

This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.

Back to Top