We have introduced some changes to the format and structure of the Cyber Risk Reports. While we will remain focused on the seven primary risk categories, we also will be adding additional risk categories as they apply to activity in a specified period. These could include, for example, categories pertaining to botnets, cloud, mobile, and others. The Cyber Risk Report will remain focused on risk management, lessons learned, recommended practices, and analysis from our Cisco expert security engineers and analysts. We will also not include risk categories that have no activity for the period.

If you missed Cisco Live London, several of the keynote and session recordings are available at www.ciscolive365.com. If you do not have an account, you can create one at no charge.

Cisco released the Cisco Annual Security Report 2013, highlighting global threat patterns and trends, expert analysis and recommendations, and the results of the Cisco Connected World Report.

As always, we invite your feedback on the Cyber Risk Reports through the Cisco Security Intelligence Operations portal comment card.

Vulnerability

Vulnerability activity was significantly increased for the period, primarily due to multiple large updates from Microsoft and Adobe. Microsoft released 12 bulletins that addressed 57 vulnerabilities. The bulletins addressed vulnerabilities in Microsoft Windows, Microsoft Internet Explorer, Microsoft .NET Framework, Microsoft Exchange Server, and Microsoft FAST Search Server for SharePoint. The vulnerabilities could allow an attacker to execute arbitrary code, access sensitive information, cause a denial of service condition, or gain elevated privileges. Only the Microsoft Internet Explorer SLayoutRun Use-After-Free Arbitrary Code Execution Vulnerability reported in MS13-009 has functional exploit code available. Details of the vulnerabilities and mitigations are available in the Cisco Event Response: Microsoft Security Bulletin Release for February 2013.

Adobe released multiple security updates, including the Adobe Flash Player Security Updates for February 2013, the Adobe Flash Update for February 2013, and the Adobe Shockwave Player Security Update for February 2013. In addition, Adobe PSIRT released the Adobe Reader and Acrobat Vulnerability Report, indicating the team is investigating a report of a new vulnerability being exploited in the wild. IntelliShield alerts for these vulnerabilities and security updates are available on the Cisco SIO portal.

Cisco released Security Notices for a Multiple Cisco Product Root Shell Access Vulnerability, a Cisco Unity Connection Memory Leak Denial of Service Vulnerability, and a Cisco Small Business Wireless Access Points SSID Validation Vulnerability.

Additional security advisories and software updates where released for multiple vulnerabilities in WordPress, a Novell GroupWise Client for Windows ActiveX Control Arbitrary Code Execution Vulnerability, multiple vulnerabilities in HP LeftHand Virtual SAN Appliances, and multiple vulnerabilities in IBM WebSphere.

In e-mail security activity, sources are reporting on a spam campaign targeting Citigroup customers. Cisco SIO identified and updated rules for this spam on January 23, 2013, and reported this activity in Threat Outbreak Alert 27956.

In botnet activity, Zeus samples were identified in Japan, crossing the language barrier, and multiple sources reported the resurgence of the Kelihos botnet, which has been shut down in two previous actions.

In activist activity, the Al Qassam hacking group has issued new statements that it will return to attacking United States targets because of the failure to remove the offending video from YouTube, and now other sites. The previous attacks targeted U.S. financial institutions with distributed denial of service attacks, reported in IntelliShield Alert 27076.

IntelliShield published 174 events last week: 125 new events and 49 updated events. Of the 174 events, 71 were Vulnerability Alerts, 38 were Security Activity Bulletins, two were Security Issue Alerts, 58 were Threat Outbreak Alerts, four were Applied Mitigation Bulletins, and one was a Cyber Risk Report. The alert publication totals are as follows:

Weekly Alert Totals

Significant Alerts for the Time Period

Microsoft Internet Explorer SLayoutRun Use-After-Free Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 28065, Version 2, February 14, 2013
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2013-0025
Microsoft Internet Explorer contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system with the privileges of the user. Functional code that exploits this vulnerability is publicly available. Microsoft has confirmed the vulnerability in security bulletin MS13-009 and released software updates.

Novell GroupWise Client for Windows ActiveX Control Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 28046, Version 3, February 12, 2013
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2012-0439
Novell GroupWise Client for Windows contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code. Functional code that exploits this vulnerability is available as part of the Metasploit framework. Novell has confirmed the vulnerability and software updates are available.

Previous Alerts That Still Represent Significant Risk

Intel 82574L Ethernet Controller Packet Processing Remote Denial of Service Vulnerability
IntelliShield Vulnerability Alert 28134, Version 2, February 12, 2013
Urgency/Credibility/Severity Rating: 3/5/3
Intel 82574L Ethernet Controllers contain a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service condition. Proof-of-concept code is publicly available. Reports indicate the availability of fixes; however, no confirmation of fixes exists.

Oracle Java SE Critical Patch Update Advisory for February 2013
IntelliShield Activity Bulletin 28080, Version 3, February 11, 2013
Urgency/Credibility/Severity Rating: 2/5/4
Oracle Java SE contains multiple vulnerabilities that could allow an unauthenticated, remote attacker to bypass security restrictions, access sensitive information, execute arbitrary code, or cause a denial of service condition on a targeted system. The patch update corrects 50 vulnerabilities in multiple components, such as Java Runtime Environment (JRE), Java Development Kit (JDK), Software Development Kit (SDK), or JavaFX.

Multiple Universal Plug and Play Devices Simple Service Discovery Protocol Processing Vulnerabilities
IntelliShield Activity Bulletin 28002, Version 4, January 31, 2013
Urgency/Credibility/Severity Rating: 3/5/4
Multiple Universal Plug and Play devices contain vulnerabilities that could allow an unauthenticated, remote attacker to access sensitive information, execute arbitrary code, or cause a denial of service condition on a targeted system. Proof-of-concept code that exploits these vulnerabilities is publicly available. The Cisco Applied Intelligence team has created the following companion document to guide administrators in identifying and mitigating attempts to exploit this vulnerability prior to applying updated software: cisco-sa-20130129-upnp

Ruby on Rails Action Pack Parameter Processing Remote Code Execution Vulnerability
IntelliShield Vulnerability Alert 27831, Version 4, February 5, 2013
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2013-0156
Ruby on Rails contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. Updates are available. Functional code that exploits this vulnerability is publicly available as part of the Metasploit Framework.

Red October Cyber Espionage Campaign Identified
IntelliShield Activity Bulletin 27890, Version 2, January 17, 2013
Urgency/Credibility/Severity Rating: 3/5/4
Reports indicate that a large-scale cyber espionage campaign has been identified and named Red October (Rocra). Red October is a cyber espionage campaign that attempts to steal data from infected systems, install additional software, and allow remote access to an attacker.

Oracle Java Security Manager Security Bypass Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 27845, Version 4, January 17, 2013
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2013-0422
Oracle Java version 7 updates 10 and prior contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. Functional exploit code exists publicly as part of exploit toolkits and the Metasploit framework. Functional code that exploits the vulnerability is publicly available and actively exploited in the wild. Reports indicate the Black hole and Nuclear Pack exploit kits have incorporated this vulnerability, which could help an attacker in a successful exploit. Exploit source code has also been posted publicly, further increasing the likelihood of exploitation. Oracle has confirmed the vulnerability and software updates are available.

Microsoft Internet Explorer CDwnBindInfo Object Processing Use-After-Free Vulnerability
IntelliShield Vulnerability Alert 27711, Version 2, January 14, 2013
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2012-4792
Microsoft Internet Explorer contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. Updates are not available. Functional code that exploits this vulnerability is available as part of the Metasploit framework. Microsoft has released a security bulletin and software updates.

Fraudulent TURKTRUST Inc. Digital Certificates
IntelliShield Security Activity Bulletin 27758, Version 3, January 29, 2013
Urgency/Credibility/Severity Rating: 3/5/3
Fraudulent certificates for google.com were issued by a third-party certificate authority, possibly allowing spoofing attacks. Root certificate authorities have revoked the fraudulent certificates. Microsoft and Mozilla have released security advisories and software updates to revoke the certificate.

Financial Institution Websites Targeted by Distributed Denial of Service Attacks
IntelliShield Security Activity Bulletin 27076, Version 3, December 13, 2012
Urgency/Credibility/Severity Rating: 3/5/3
Websites owned by banks and other financial institutions continue to be targeted by distributed denial of service (DDoS) attacks, decreasing availability of those sites to legitimate customers. DDoS attacks may still be ongoing. Site administrators are advised to take steps to protect their Internet-facing web services. Cisco has released a guide to protecting environments against DDoS attacks at the following link: Strategies to Protect Against Distributed Denial of Service (DDoS) Attacks. Cisco has released an Applied Mitigation Bulletin available at the following link: Identifying and Mitigating the Distributed Denial of Service Attacks Targeting Financial Institutions

SSH Tectia Authentication Bypass Unauthorized Access Vulnerability
IntelliShield Vulnerability Alert 27540, Version 3, December 10, 2012
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2012-5975
SSH Tectia server contains a vulnerability that could allow an unauthenticated, remote attacker to gain unauthorized access to a targeted system. Functional code that exploits this vulnerability is available as part of the Metasploit framework. SSH Communications Security has confirmed this vulnerability and released software updates.

Privacy

Privacy and Electronic Devices at the U.S. Border

The U.S. Department of Homeland Security (DHS) Office for Civil Rights and Civil Liberties has released a Civil Rights/Civil Liberties Impact Assessment Executive Summary regarding searches and seizures of electronic devices at national borders. The summary concludes that the DHS policy, in place since at least 2008, permitting the suspicion-less and warrantless searches and seizures of electronic devices at the U.S. border “and its functional equivalent” comply with both the First and Fourth Amendments to the United States Constitution. The American Civil Liberties Union (ACLU) has filed a request under the Freedom of Information Act (FOIA) to obtain the full report, titled “Civil Rights and Civil Liberties Impact Assessment—Border Searches of Electronic Devices,” along with a lawsuit challenging the policy on the behalf of individuals and organizations impacted by the policy.

Read more:
Civil Rights/Civil Liberties Impact Assessment
ACLU Files FOIA Request for Unreleased DHS Privacy Report
Government Data About Searches of International Travelers' Laptops and Personal Electronic Devices

Analysis:
The U.S. DHS policy in question has resulted in the warrantless search, and in many cases seizure, of thousands of travelling U.S. citizens' electronic devices. In at least one case, an individual had his device, a laptop, held for 11 days before it was ultimately returned to the traveler. During the period of time of July 2008 and June 2009, the DHS transferred data obtained via this policy to other federal agencies 280 times. Businesses and individuals travelling across or near the U.S. border and related transportation interchanges should take measures to ensure the confidentiality, integrity, and availability of their data and communications in the event their device(s) are searched or seized for an extended period of time during the normal course of travel.

Trust

Emergency Alert System Vulnerability Allows Spurious Message Sending

Security researchers from IOActive discovered a vulnerability in certain Emergency Alert System (EAS) devices used by television and radio stations in the United States. The researchers indicate the vulnerability allows the complete compromise of the affected devices. Once compromised, the devices could allow attackers to send messages of their choice through the system. Details of the vulnerability and devices affected are not available publicly, as the researcher has waited to disclose details until the vendor can distribute fixes to customers.

Further reading:

Emergency Alert System Attacks

Analysis:

Weaknesses in public alerting systems have the potential to cause damage related to panic. Perhaps as important, the impact to trust in the system could cause issues when an actual emergency arises and people do not act because of fake messages in the past. Although security research into EAS products has so far been uncommon, this event might bring greater scrutiny and possibly expose additional flaws. Organizations that deploy EAS devices should take measures to protect devices from external access.

Geopolitical

Big Week in Washington for Cyber

Last week, U.S. President Obama issued a long-awaited Executive Order on cyber security in conjunction with his State of the Union address. The Order, entitled “Improving Critical Infrastructure Cyber Security,” calls for the creation of a voluntary framework through which the federal government and critical industries can share threat information. One day after the Order was issued, the House of Representatives reintroduced a slightly amended version of the draft Cyber Intelligence Sharing and Protection Act (CISPA),which failed to come to a vote in Congress last year. At the same time, the White House issued a new Presidential Policy Directive (PPD-21) that broadens the definition of critical infrastructure and also broadens the government’s mission to protect these entities from threats beyond terrorism, including natural disasters and cyber attacks. As if that were not enough for one week, word of a new National Intelligence Estimate surfaced in press reports. The classified text reportedly lays out further evidence that the United States is the target of a massive cyber-espionage campaign that threatens national economic competitiveness and security.
Executive Order: Improving Critical Infrastructure Cybersecurity
Obama’s Cybersecurity Executive Order vs. CISPA: Which Approach Is Best?
Cyber Intelligence Sharing and Protection Act of 2013 (HR 624)
U.S. Said to be Target of Massive Cyber-espionage Campaign

Analysis: Information security specialists have a lot to think about following last week’s flurry of Washington, D.C. news. The attention is not unwelcome; there is wide recognition that U.S. critical infrastructure will only become more Internet connected with time, and therefore more vulnerable. Moreover, most experts agree that a better framework for public-private information sharing is overdue. As ever, the devil is in the details. A central concern is how to protect privacy while increasing actionable threat communication. Service and content providers are rightly concerned about the risk of litigation if a clear framework for information sharing is not established. One difference between the CISPA draft and the President’s Executive Order is that the EO focuses primarily on government sharing with the private sector, rather than the other way around, according to a PC Magazine article on the subject. One crucial question left for debate is whether some entities will be subject to mandatory reporting requirements because of their critical nature. The National Institute of Standards and Technology has been tasked with developing a framework, in cooperation with private sector infrastructure providers, within 1 year.

Upcoming Security Activity

RSA Conference 2013: February 25–March 1, 2013
Cisco Live ANZ: March 5–8, 2013
CanSecWest: March 6–8, 2013
Black Hat Europe: March 12–15, 2013
Interop Las Vegas: May 6–10, 2013
Cisco Live US: June 23–27, 2013

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following:

Italy General Elections: February 24–25, 2013
U.S. Government Budget Dates: March 1 and 27, 2013
Kenya Presidential Election: March 4, 2013
China National People's Congress: March 4–9, 2013
NATO Meeting: March 16–17, 2013
ASEAN Summit: March 23–25, 2013
BRICS Summit: March 26–28, 2013

Additional Information

For information and commentary from the experts in Cisco Security Intelligence Operations, please visit the Cisco Security Blog.

For timely information from across Cisco Security Intelligence Operations, please consider following @CiscoSecurity on Twitter.

This document is provided on an “as is” basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.

Back to Top