Cyber Risk Report

February 18-24, 2013

We have introduced some changes to the format and structure of the Cyber Risk Reports. While we will remain focused on the seven primary risk categories, we will also add risk categories as they apply to activity in a given period; these could include, for example, categories pertaining to botnets, cloud, mobile and others. The Cyber Risk Report will remain focused on risk management, lessons learned, recommended practices and analysis from Cisco security engineers and analysts. Risk categories with no activity for the period will be omitted.

Cisco released the Cisco Annual Security Report 2013, highlighting global threat patterns and trends, expert analysis and recommendations, and the results of the Cisco Connected World Report.

If you missed Cisco Live London, several of the keynote and session recordings are available at www.ciscolive365.com; if you do not have an account, you can create one at no charge. Event details and registration are now available for Cisco Live 2013, June 23-27, 2013, in Orlando, Florida.

As always, we invite your feedback on the Cyber Risk Reports through the Cisco Security Intelligence Operations portal comment card.

Vulnerability

Vulnerability activity remained elevated for this period, with new alerts outnumbering updated alerts. This maintains the activity levels seen since the start of the year.

Cisco released Security Notices and Release Note Enclosures for a Cisco IOS SSL VPN Portal Page Denial of Service Vulnerability, multiple vulnerabilities in Cisco Linksys WAG200G, a Cisco Unified Videoconferencing Products Insecure Default FTP Configuration Issue, a Cisco Unity Connection Memory Leak Denial of Service Vulnerability and a Multiple Cisco Products Root Shell Access Vulnerability. Information concerning these releases is available on the Cisco SIO Portal.

Additional activity included multiple vulnerabilities in IBM Maximo Asset Management, IBM Netezza WebAdmin and IBM SmartCloud Control Desk. Red Hat and Mozilla released security updates that correct multiple vulnerabilities. Adobe released the Adobe Reader and Acrobat Security Update for February 2013, which corrects two vulnerabilities that were being exploited in the wild to escape the Reader sandbox.

IntelliShield published 172 events last week: 97 new events and 75 updated events. Of the 172 events, 87 were Vulnerability Alerts, six were Security Activity Bulletins, six were Security Issue Alerts, 71 were Threat Outbreak Alerts, one was an Applied Mitigation Bulletin, and one was a Cyber Risk Report.  The alert publication totals are as follows:

Day           Date        New   Updated   Total
Friday        2/22/2013    23        19      42
Thursday      2/21/2013    18        28      46
Wednesday     2/20/2013    23        11      34
Tuesday       2/19/2013    15         4      19
Monday        2/18/2013    18        13      31
Weekly Total               97        75     172


Significant Alerts for the Time Period

Adobe Reader and Acrobat Security Update for February 2013 
IntelliShield Activity Bulletin 28227, Version 4, February 22, 2013
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2013-0640 , CVE-2013-0641
Adobe Product Security Incident Response Team investigated reports of active exploitation of a vulnerability in Adobe Reader and Acrobat XI (11.0.1) and earlier versions. Adobe has released a security advisory and updated software to address multiple vulnerabilities in Adobe Reader and Acrobat.

Novell GroupWise Client for Windows ActiveX Control Arbitrary Code Execution Vulnerability 
IntelliShield Vulnerability Alert 28046, Version 3, February 18, 2013
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2012-0439
Novell GroupWise Client for Windows contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code. Functional code that exploits this vulnerability is available as part of the Metasploit framework. Novell has confirmed the vulnerability and software updates are available.


Previous Alerts That Still Represent Significant Risk

Oracle Java SE Critical Patch Update Advisory for February 2013 
IntelliShield Activity Bulletin 28080, Version 5, February 21, 2013
Urgency/Credibility/Severity Rating: 2/5/4
Multiple CVE
Oracle Java SE contains multiple vulnerabilities that could allow an unauthenticated, remote attacker to bypass security restrictions, access sensitive information, execute arbitrary code, or cause a denial of service (DoS) condition on a targeted system. The patch update corrects 50 vulnerabilities in multiple components, including the Java Runtime Environment (JRE), Java Development Kit (JDK), Software Development Kit (SDK) and JavaFX. Oracle has released additional security advisories and updated packages to address the vulnerabilities in the Oracle Java SE Critical Patch Update Advisory for February 2013. Apple and Red Hat have also released updated packages to address these vulnerabilities.


Microsoft Internet Explorer SLayoutRun Use-After-Free Arbitrary Code Execution Vulnerability  
IntelliShield Vulnerability Alert 28065, Version 2, February 14, 2013
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2013-0025
Microsoft Internet Explorer contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system with the privileges of the user. Functional code that exploits this vulnerability is publicly available. Microsoft has confirmed the vulnerability in security bulletin MS13-009 and released software updates.


Intel 82574L Ethernet Controller Packet Processing Remote Denial of Service Vulnerability 
IntelliShield Vulnerability Alert 28134, Version 2, February 12, 2013
Urgency/Credibility/Severity Rating: 3/4/3
Intel 82574L Ethernet Controllers contain a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service condition. Proof-of-concept code is publicly available. Reports indicate that fixes are available; however, this has not been confirmed.


Multiple Universal Plug and Play Devices Simple Service Discovery Protocol Processing Vulnerabilities 
IntelliShield Activity Bulletin 28002, Version 4, January 31, 2013
Urgency/Credibility/Severity Rating: 3/5/4
Multiple Universal Plug and Play devices contain vulnerabilities that could allow an unauthenticated, remote attacker to access sensitive information, execute arbitrary code, or cause a denial of service (DoS) condition on a targeted system. Proof-of-concept code that exploits these vulnerabilities is publicly available. The Cisco Applied Intelligence team has created the following companion document to guide administrators in identifying and mitigating attempts to exploit these vulnerabilities prior to applying updated software: cisco-sa-20130129-upnp


Ruby on Rails Action Pack Parameter Processing Remote Code Execution Vulnerability 
IntelliShield Vulnerability Alert 27831, Version 4, February 5, 2013
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2013-0156
Ruby on Rails contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. Updates are available. Functional code that exploits this vulnerability is publicly available as part of the Metasploit Framework.


Red October Cyber Espionage Campaign Identified  
IntelliShield Activity Bulletin 27890, Version 2, January 17, 2013
Urgency/Credibility/Severity Rating: 3/5/4
Reports indicate that a large-scale cyber espionage campaign has been identified and named Red October (Rocra). Red October is a cyber espionage campaign that attempts to steal data from infected systems, install additional software, and allow remote access to an attacker.


Oracle Java Security Manager Security Bypass Arbitrary Code Execution Vulnerability 
IntelliShield Vulnerability Alert 27845, Version 4, January 17, 2013
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2013-0422
Oracle Java 7 Update 10 and prior contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. Functional exploit code is publicly available as part of the Metasploit framework and the vulnerability is being actively exploited in the wild; reports indicate that the Blackhole and Nuclear Pack exploit kits have incorporated it. Exploit source code has also been posted publicly, further increasing the likelihood of exploitation. Oracle has confirmed the vulnerability and software updates are available.


Microsoft Internet Explorer CDwnBindInfo Object Processing Use-After-Free Vulnerability
IntelliShield Vulnerability Alert 27711, Version 2, January 14, 2013
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2012-4792
Microsoft Internet Explorer contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. Functional code that exploits this vulnerability is available as part of the Metasploit framework. Microsoft has released a security bulletin and software updates.


Fraudulent TURKTRUST Inc. Digital Certificates Issued
IntelliShield Security Activity Bulletin 27758, Version 3, January 29, 2013
Urgency/Credibility/Severity Rating: 3/5/3
Fraudulent certificates for google.com were issued under an intermediate certificate that the certificate authority TURKTRUST had mistakenly issued, possibly allowing spoofing attacks. The certificates have been revoked, and Microsoft and Mozilla have released security advisories and software updates to distrust them.


Financial Institution Websites Targeted by Distributed Denial of Service Attacks 
IntelliShield Security Activity Bulletin 27076, Version 3, December 13, 2012
Urgency/Credibility/Severity Rating: 3/5/3
Websites owned by banks and other financial institutions continue to be targeted by distributed denial of service attacks, decreasing availability of those sites to legitimate customers. DDoS attacks may still be ongoing. Site administrators are advised to take steps to protect their Internet-facing web services. Cisco has released a guide to protecting environments against DDoS attacks at the following link: Strategies to Protect Against Distributed Denial of Service (DDoS) Attacks. Cisco has released an Applied Mitigation Bulletin available at the following link: Identifying and Mitigating the Distributed Denial of Service Attacks Targeting Financial Institutions

SSH Tectia Authentication Bypass Unauthorized Access Vulnerability 
IntelliShield Vulnerability Alert 27540, Version 3, December 10, 2012
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2012-5975
SSH Tectia server contains a vulnerability that could allow an unauthenticated, remote attacker to gain unauthorized access to a targeted system. Functional code that exploits this vulnerability is available as part of the Metasploit framework. SSH Communications Security has confirmed this vulnerability and released software updates.


Identity

Google Account Theft Drops Sharply

Adaptive authentication is the term used for technologies that make authentication decisions in real time. Because it operates beyond a simple pass or fail on the credentials, it is making life difficult for account thieves: a login can be challenged or blocked even when the correct username and password are presented. This week Google reported a 99.7% drop in hijacked accounts since 2011. This is not a replacement for good password practices such as password complexity and regular password changes, but the days of automated account hijacking against Gmail appear to be over.
Update on the War Against Account Hijackers  
RSA Upgrades Malware Defenses For Bank Transactions

Analysis: The industry will continue to adopt these technologies. Recently, RSA made adaptive authentication available for bank customers. Consumers do not appear to resist the change because it is easy to use; the additional steps are not as frustrating as other mechanisms such as a CAPTCHA (type the unreadable letters and numbers into the box below), and are often as simple as reading a code from a text message. Expect to see adaptive authentication deployed as a defense against account hijackers who use compromised accounts to launch further attacks.
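The following added example illustrates the real-time, beyond-pass-or-fail decision described above. It is not Google's or RSA's implementation; the signals (unknown device, unfamiliar country, impossible travel, recent failures), the weights, the two-hour travel window and the challenge/block thresholds are assumptions chosen for the demonstration, and the user history and login attempts are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class LoginAttempt:
    user: str
    country: str        # assumed already geolocated from the client IP
    device_id: str      # assumed persistent device/browser identifier
    when: datetime
    password_ok: bool   # outcome of the ordinary credential check


@dataclass
class UserHistory:
    known_devices: set
    known_countries: set
    last_login_country: str
    last_login_time: datetime
    recent_failures: int    # failed attempts against this account in the last hour


# Signal weights, travel window and thresholds are assumptions for this
# demonstration, not values used by any real provider.
WEIGHTS = {
    "new_device": 30,
    "new_country": 25,
    "impossible_travel": 40,   # country differs from the last login, too soon to have travelled
    "failed_attempt": 5,       # per recent failure, capped in risk_score()
}
TRAVEL_WINDOW = timedelta(hours=2)
CHALLENGE_AT = 30
BLOCK_AT = 70


def risk_score(attempt: LoginAttempt, history: UserHistory):
    """Return (score, reasons); a higher score means the login looks more like a hijack."""
    score, reasons = 0, []
    if attempt.device_id not in history.known_devices:
        score += WEIGHTS["new_device"]
        reasons.append("new_device")
    if attempt.country not in history.known_countries:
        score += WEIGHTS["new_country"]
        reasons.append("new_country")
    if (attempt.country != history.last_login_country
            and attempt.when - history.last_login_time < TRAVEL_WINDOW):
        score += WEIGHTS["impossible_travel"]
        reasons.append("impossible_travel")
    failures = min(history.recent_failures, 6)
    if failures:
        score += failures * WEIGHTS["failed_attempt"]
        reasons.append(f"{failures}_recent_failures")
    return score, reasons


def decide(attempt: LoginAttempt, history: UserHistory):
    """Return (decision, score, reasons). A wrong password is always denied; a correct
    one is allowed, sent to a step-up challenge (e.g. a code by text message), or blocked."""
    if not attempt.password_ok:
        return "deny", 0, ["bad_password"]
    score, reasons = risk_score(attempt, history)
    if score >= BLOCK_AT:
        return "block", score, reasons
    if score >= CHALLENGE_AT:
        return "challenge", score, reasons
    return "allow", score, reasons


# Constructed history for one user: one known laptop, always logs in from the US.
T0 = datetime(2013, 2, 22, 9, 0)
ALICE = UserHistory(known_devices={"dev-laptop"}, known_countries={"US"},
                    last_login_country="US", last_login_time=T0, recent_failures=0)


def demo():
    """Three constructed attempts, all presenting the correct password."""
    attempts = {
        "usual": LoginAttempt("alice", "US", "dev-laptop", T0 + timedelta(hours=1), True),
        "new_device": LoginAttempt("alice", "US", "dev-unknown", T0 + timedelta(hours=1), True),
        # correct password from an unknown device in another country 20 minutes after the US login
        "stolen_password": LoginAttempt("alice", "RU", "dev-unknown", T0 + timedelta(minutes=20), True),
    }
    return {name: decide(a, ALICE)[0] for name, a in attempts.items()}


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision}")
```

The point the paragraph makes is visible in the third case: the password is correct, yet the attempt is blocked because the surrounding signals do not match the account's history. Only the middle case costs a legitimate user anything, and then only a step-up challenge.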

Human

Tongue In Cheek News Blog Tricks Constituent and U.S. Senator's Staff

A tongue-in-cheek military blog misled a Capitol Hill staffer into requesting a Pentagon explanation of reported military benefits being provided to Guantanamo Bay detainees. A constituent wrote to the staff of the U.S. Senate Minority Leader requesting information about a story on The Duffel Blog, a military news spoof website. The constituent referred to the story as authentic and asked the Senator for an explanation. The staffer failed to vet the story, which resulted in the letter to the Pentagon.
McConnell Duffel Blog Post 
Guantanamo Prisoners To Receive GI Bill Benefits 
On the Internet, Nobody Knows You're a Dog

Analysis: Anyone with a small amount of skill can create a website that appears credible. Without due diligence on the part of the reader, it is possible to mislead the readers of such a website, and using graphics and language from authentic websites lends additional credence to a false one. Satirical news websites such as The Onion periodically trick users who should be savvy. Once an individual has been misled into accepting a website's authenticity, that trust lends additional credence in the mind of the next user who visits it. While this was an embarrassment for the Senator's staff, no harm was done. This would not be the case if the website were truly malicious, such as a fake banking website. Users are advised to thoroughly investigate websites that appear to have important information and to use secure methods of contact, such as the secure messaging facility on a bank's website, for correspondence.


Attacks/Compromises

Facebook, Twitter, Apple Hacks Originate From Third-Party Forum Website 

Reports of compromises at Facebook, Twitter, and Apple were linked to a compromised third-party forum website that discusses software development. The website, iphonedevsdk.com, suffered an account compromise that allowed an attacker to post malicious Java applets, which executed when a user visited the site. The attackers were reportedly able to gain access to information stored on employee laptops.
Anatomy of Facebook, Twitter, and Apple Attack 
Facebook, Twitter, Apple hack sprung from iPhone developer Forum

Analysis: The main difference in this series of compromises was the announcements by the affected companies. Many organizations are cautious about public announcements of compromises, fearing brand or reputation damage. However, the affected companies chose to share information regarding the attacks in the hope that others could apply their solution to recover from the attack. The attack was not a new phenomenon, but it demonstrated the cascading nature of website exploitation: compromising a single website allowed the attacker to compromise systems across other organizations. The trust model is only as strong as its weakest link. If an employee who trusts a third-party website executes content, such as Java applets, served from that website, a path for exploitation is created. Facebook initially discovered the attack because an abnormal series of domain names appeared in its DNS logs. Organizations should monitor for unknown or unexpected domain names in DNS logs, along with other indicators of compromise, to discover possible exploitation.
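The following added example shows the kind of DNS-log check the analysis recommends. It is not Facebook's detection logic or any vendor's product: the log line format, the baseline and the "day under review" lines are constructed for the demonstration, the two unfamiliar domain names are invented, and reducing a query name to its last two labels is a simplification noted in the code. It flags queries for registrable domains that never appeared in a baseline period, and separately flags random-looking labels, then counts alerts per client so a single host talking to several new domains stands out.

```python
import math
import re
from collections import Counter

# Constructed DNS query log format for this example (not any real resolver's format):
#   <timestamp> host=<client> q=<query name> type=<record type>
LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) q=(?P<qname>\S+) type=(?P<qtype>\S+)$")

# Constructed baseline: queries seen during a quiet week before the incident.
BASELINE_LINES = [
    "2013-02-15T09:12:01 host=eng-laptop-17 q=www.facebook.com type=A",
    "2013-02-15T09:12:05 host=eng-laptop-17 q=www.google.com type=A",
    "2013-02-15T10:40:33 host=eng-laptop-17 q=iphonedevsdk.com type=A",
    "2013-02-15T11:02:14 host=eng-laptop-22 q=update.apple.com type=A",
]

# Constructed lines from the day under review. The two unfamiliar domains are invented.
NEW_LINES = [
    "2013-02-22T10:03:11 host=eng-laptop-17 q=iphonedevsdk.com type=A",
    "2013-02-22T10:03:19 host=eng-laptop-17 q=kx7q2mzf9pw4rj.net type=A",
    "2013-02-22T10:03:20 host=eng-laptop-17 q=stats.example.org type=TXT",
    "2013-02-22T10:05:02 host=eng-laptop-22 q=www.google.com type=A",
]


def parse(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["qname"] = rec["qname"].rstrip(".").lower()
    return rec


def registered_domain(qname):
    """Collapse a query name to its registrable domain.
    Simplification: the last two labels. A production version should use the
    Public Suffix List so that names such as example.co.uk are handled correctly."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def shannon_entropy(s):
    """Bits of entropy per character; random-looking labels score higher than words."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def build_baseline(lines):
    """Set of registrable domains seen in the baseline period."""
    return {registered_domain(r["qname"]) for r in map(parse, lines) if r}


def find_anomalies(lines, baseline, min_label_len=12, entropy_threshold=3.5):
    """Flag queries for domains absent from the baseline or with random-looking labels."""
    alerts = []
    for rec in map(parse, lines):
        if rec is None:
            continue
        domain = registered_domain(rec["qname"])
        reasons = []
        if domain not in baseline:
            reasons.append("never_seen_in_baseline")
        label = domain.split(".")[0]
        if len(label) >= min_label_len and shannon_entropy(label) >= entropy_threshold:
            reasons.append("high_entropy_label")
        if reasons:
            alerts.append({"ts": rec["ts"], "host": rec["host"],
                           "domain": domain, "reasons": reasons})
    return alerts


def summarize_by_host(alerts):
    """Count alerts per client so a host talking to several unfamiliar domains stands out."""
    return dict(Counter(a["host"] for a in alerts))


if __name__ == "__main__":
    found = find_anomalies(NEW_LINES, build_baseline(BASELINE_LINES))
    for a in found:
        print(a["ts"], a["host"], a["domain"], ",".join(a["reasons"]))
    print(summarize_by_host(found))
```

Note that the forum domain itself raises no alert, because employees had legitimately visited it before; what stands out is the host that, minutes after that visit, starts resolving names it has never resolved before. In practice the baseline should be built over weeks rather than days and the entropy threshold tuned against the organization's own traffic, or the check will be noisy.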


Geopolitical

Ruling in India Spooks IT Investors

Last year, India's Supreme Court rejected appeals by telecommunication operators to reconsider a key decision. The decision nullified 122 2G spectrum licenses that were granted to telecommunication operators in 2008 through a process that was determined to be rigged. The court ruled that government officials colluded with telecommunication operators to grant the licenses at below-market value, which deprived Indian citizens of an estimated US$40 billion in budget funds. Several senior officials, including former telecommunication minister A. Raja, were implicated for their direct involvement or for looking the other way. Raja was jailed for his role in the fraud. The decision will require roughly five percent of mobile phone subscribers to change operators and will cost the affected telecommunication operators billions of dollars.
India Court Refuses to Reconsider Telecom Order  
Huge Implications of Indian Court's Mobile Phone Ruling  
SC Rejects Appeals in Telecoms License Dispute 

Analysis: The scandal, now several years old, sparked a major grassroots anti-corruption movement in India and weakened the government in New Delhi. The court's stance against high-level corruption was viewed as a positive sign that India can change its business culture. However, many foreign telecommunication investors and their Indian partners are rethinking their India strategy. Investors in the Indian mobile market, who have been waiting for profits that have not materialized, remain uncertain. A new set of spectrum auctions is scheduled to take place in March 2013, despite efforts by some companies to head them off. For information security specialists, the case is a reminder of the continuing high risk in emerging markets, where unpredictable regulation adds to security risk and points toward continued uncertainty for years to come.

Upcoming Security Activity

RSA Conference 2013: February 25-March 1, 2013
Cisco Live ANZ: March 5-8, 2013
CanSecWest: March 6-8, 2013
Black Hat Europe: March 12-15, 2013
Interop Las Vegas: May 6-10, 2013
Cisco Live US: June 23-27, 2013

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following:
 
US Budget Sequestration: March 1 and 27, 2013
China National People's Congress: March 4-9, 2013
Kenya Presidential Election: March 4, 2013
NATO Meeting: March 16-17, 2013
ASEAN Summit: March 23-25, 2013
BRICS Summit: March 26-28, 2013
Arab League Summit: March 26-28, 2013
IMF World Bank Meeting: April 19-21, 2013

Additional Information

For information and commentary from the experts in Cisco Security Intelligence Operations, please visit the Cisco Security Blog.

For timely information from across Cisco Security Intelligence Operations, please consider following @CiscoSecurity on Twitter.

For more information about the vulnerabilities in this report and the latest threat information, visit the Cisco Security Intelligence Operations portal.

For more information about the Cisco Security IntelliShield Alert Manager Service, or to register for a 90-day free trial of the Cisco Security IntelliShield Alert Manager Service, please visit the Cisco Security IntelliShield Alert Manager Service.


This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.
