Cyber Risk Report

December 10–16, 2012

The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.

Vulnerability

Vulnerability activity for the period remained at elevated levels. Microsoft released seven security bulletins addressing 11 individual vulnerabilities. While five of the security bulletins were rated as critical, the top priorities are likely the Cumulative Security Update for Internet Explorer (MS12-077) and the Vulnerability in Microsoft Word Could Allow Remote Code Execution (MS12-079). There are currently no known exploits of these vulnerabilities, although Microsoft rated six as having an Exploitability Index of 1 - Exploit Code Likely. Regarding the MS12-079 Security Bulletin, a similar vulnerability reported by Microsoft in the April 2012 Security Bulletin–Vulnerability in Windows Common Controls Could Allow Remote Code Execution (MS12-027)–continues to be targeted by attackers with a number of exploits and malware circulating. Cisco has published the Cisco Event Response: Microsoft Security Bulletin Release for December 2012 on the Cisco SIO portal, along with an Insights video of the Microsoft Security Bulletin Release for December 2012.

Cisco released multiple IntelliShield alerts to address a Cisco Wireless LAN Controller Software Form Post Denial of Service Vulnerability, a Cisco Wireless LAN Controller Cross-Site Request Forgery Vulnerability, and a Cisco Wireless LAN Controller Cross-Site Scripting Vulnerability. Cisco also released an IntelliShield alert addressing multiple vulnerabilities in the Cisco DPC2420 Wireless Residential Gateway.

Other activity included updates from Adobe for Flash, ColdFusion, and Photoshop. Google released another update for Chrome fixing five vulnerabilities, one of which is rated critical. Additional security advisories and updated software were released by Citrix for vulnerabilities in XenApp and XenDesktop; by HP for vulnerabilities in Network Node Manager and OpenVMS; by IBM for vulnerabilities in eDiscovery, Informix, Lotus, and Tivoli; and by OpenStack for multiple vulnerabilities in Keystone.

McAfee released a report on "Project Blitzkrieg," a criminal campaign being organized to recruit botnet operators to steal funds from United States (U.S.) banks. Detailed research and analysis were also published on Dexter, point-of-sale (POS) malware that is being used to compromise personal and financial information.

In addition to the return of the Al Qassam group's distributed denial of service (DDoS) attacks against U.S. banks, GhostShell (believed to be associated with the Anonymous group) attacked, compromised, and posted information from multiple government and defense websites in the U.S. and Australia.

On an administrative note, Cisco IntelliShield will not publish the Cyber Risk Report on December 24 or 31, 2012.

IntelliShield published 123 events last week: 79 new events and 44 updated events. Of the 123 events, 54 were Vulnerability Alerts, 12 were Security Activity Bulletins, 11 were Security Issue Alerts, 43 were Threat Outbreak Alerts, two were Applied Mitigation Bulletins, and one was a Cyber Risk Report. The alert publication totals are as follows:

Weekly Alert Totals

Day            Date          New   Updated   Total
Friday         12/14/2012     10         8      18
Thursday       12/13/2012     19         3      22
Wednesday      12/12/2012     12        12      24
Tuesday        12/11/2012     25         4      29
Monday         12/10/2012     13        17      30
Weekly Total                  79        44     123


Significant Alerts for the Time Period

Financial Institution Websites Targeted by Distributed Denial of Service Attacks
IntelliShield Security Activity Bulletin 27076, Version 3, December 13, 2012
Urgency/Credibility/Severity Rating: 3/5/3
Websites owned by banks and other financial institutions continue to be targeted by distributed denial of service attacks, decreasing availability of those sites to legitimate customers. DDoS attacks may still be ongoing. Site administrators are advised to take steps to protect their Internet-facing web services. Cisco has released a guide to protecting environments against DDoS attacks at the following link: Strategies to Protect Against Distributed Denial of Service (DDoS) Attacks. Cisco has released an Applied Mitigation Bulletin available at the following link: Identifying and Mitigating the Distributed Denial of Service Attacks Targeting Financial Institutions

MySQL Triggered Events Privilege Elevation Vulnerability
IntelliShield Vulnerability Alert 27522, Version 3, December 10, 2012
Urgency/Credibility/Severity Rating: 3/4/3
CVE-2012-5613
MySQL contains a vulnerability that could allow an authenticated, remote attacker to gain elevated privileges on a targeted system. Functional code that demonstrates an exploit of the MySQL triggered events privilege elevation vulnerability is publicly available. MySQL has not confirmed the vulnerability, and updated software is not available. MySQL disputes that this is a vulnerability, characterizing it instead as the result of a known insecure configuration that the MySQL documentation repeatedly advises against.
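As an added illustration, not part of the IntelliShield alert or of Oracle's guidance, the following audit assumes that the configuration at issue is the global FILE privilege being held by accounts that are not database administrators, which is how CVE-2012-5613 is described in public vulnerability databases (this report itself does not name the setting). The account name appuser is hypothetical.

```sql
-- Added example: audit for the insecure configuration associated with CVE-2012-5613.
-- Assumption (from the public CVE description, not from this report): the issue is
-- the global FILE privilege held by accounts that are not administrators.

-- 1. Which accounts hold the global FILE privilege?
SELECT User, Host
  FROM mysql.user
 WHERE File_priv = 'Y';

-- The same question via INFORMATION_SCHEMA, usable without direct access to mysql.user.
SELECT GRANTEE
  FROM INFORMATION_SCHEMA.USER_PRIVILEGES
 WHERE PRIVILEGE_TYPE = 'FILE';

-- 2. Is the server restricted in where LOAD DATA and SELECT ... INTO OUTFILE may
--    read and write? An empty value means no restriction. Set secure_file_priv in
--    my.cnf to a dedicated directory that mysqld owns and nothing else trusts.
SHOW VARIABLES LIKE 'secure_file_priv';

-- 3. Remediation for an application account that should never write files.
--    'appuser'@'%' is a hypothetical account name.
REVOKE FILE ON *.* FROM 'appuser'@'%';
FLUSH PRIVILEGES;

-- Re-run step 1 afterwards; only the DBA account(s) should remain listed.
```

Pair this with confirming at the operating system level that mysqld does not run as root, which the MySQL documentation also advises against, since a user holding FILE writes files with the server process's identity.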

SSH Tectia Authentication Bypass Unauthorized Access Vulnerability
IntelliShield Vulnerability Alert 27540, Version 3, December 10, 2012
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2012-5975
SSH Tectia server contains a vulnerability that could allow an unauthenticated, remote attacker to gain unauthorized access to a targeted system. Functional code that exploits this vulnerability is available as part of the Metasploit framework. SSH Communications Security has confirmed this vulnerability and released software updates.

Previous Alerts That Still Represent Significant Risk

Oracle Java Applet JAX-WS Class Processing Security Bypass Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 27404, Version 1, November 13, 2012
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2012-5076
Oracle Java contains a vulnerability that could allow an unauthenticated, remote attacker to bypass security restrictions and execute arbitrary code on a targeted system. Oracle Java Runtime Environment (JRE) 7 Update 7 and prior are vulnerable. Oracle has released the Oracle Java SE CPU October 2012. Functional code that demonstrates an exploit of this vulnerability is available as part of the Metasploit framework.

Oracle Java SE Critical Patch Update October 2012
IntelliShield Security Activity Bulletin 27210, Version 6, November 26, 2012
Urgency/Credibility/Severity Rating: 2/5/4
Multiple CVEs
Oracle Java SE contains multiple vulnerabilities that could allow an unauthenticated, remote attacker to bypass security restrictions, access sensitive information, execute arbitrary code, or cause a denial of service (DoS) condition on a targeted system. Reports indicate these vulnerabilities are being exploited successfully in the wild. Oracle, Apple, Red Hat and IBM have released security advisories and software updates.

Samba Marshaling Code Remote Code Execution Vulnerability
IntelliShield Vulnerability Alert 25650, Version 11, December 14, 2012
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2012-1182
Samba contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on an affected system. Functional code that demonstrates an exploit of the Samba marshaling code remote code execution vulnerability is publicly available. Samba has confirmed this vulnerability and released updated software. Samba, Apple, FreeBSD, HP, Oracle, Red Hat, and MontaVista have released security advisories. Oracle has re-released a security notification and patches.

Oracle Java Security Manager Bypass Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 26751, Version 10, October 19, 2012
Urgency/Credibility/Severity Rating: 4/5/4
CVE-2012-4681
Oracle Java contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. Functional code that exploits the vulnerability is publicly available as part of the Metasploit Framework. The Blackhole exploit kit is also reported to include an exploit, and multiple threats have been reported targeting this vulnerability. Oracle has confirmed the vulnerability and released software updates. Oracle, Apple, FreeBSD, Red Hat, IBM, and HP have released security advisories and updated software.

Oracle Java Multiple Unspecified Vulnerabilities Update
IntelliShield Security Activity Bulletin 26831, Version 6, November 16, 2012
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2012-0547, CVE-2012-1682, CVE-2012-3136, CVE-2012-4681
Java SE 7 Update 7 mitigates a widely reported vulnerability, CVE-2012-4681, as described in IntelliShield Alert 26751. The update also mitigates two remote code execution vulnerabilities that are due to unspecified errors in the affected software. The three vulnerabilities can be exploited only through untrusted Java Web Start applications and untrusted Java applets on client deployments of the affected software. In addition, a security-in-depth issue in the Abstract Window Toolkit (AWT) has also been addressed. Direct exploitation of the AWT security-in-depth issue is not possible; however, the issue can be used to aggravate security vulnerabilities that can be directly attacked. Oracle, Apple, Red Hat, and IBM have released security advisories and software updates. HP has released a security bulletin and updated software.

Physical

Attacking the GPS System Software

While previous research and attack demonstrations have focused on GPS hardware and signaling, jamming or spoofing GPS receivers, researchers from Carnegie Mellon University (CMU) and Coherent Navigation approached the GPS receiver as a computer system. As might be expected, the research identified multiple software vulnerabilities that could be exploited to affect 20 to 30 percent of navigation and network systems. The research also provides recommended mitigations and methods to improve the security of these systems.

IntelliShield Analysis: This is important research from CMU and Coherent Navigation for multiple reasons. Many view GPS and critical infrastructure systems as hardware and electronic components but fail to examine the software on those systems. While these systems may be vulnerable to hardware-based attacks, software vulnerabilities allow the systems to be compromised, data to be captured that reveals details of the systems, and an attacker to potentially take control of the active systems. As with critical infrastructure, vendors and operators of these systems need to consider this research and focus on securing the software running on these systems, using secure coding practices and implementing security controls to prevent attacks.

Legal

Increasing Government Agency Investigation and Prosecution

Recent reports of investigations and prosecutions include Facebook cooperating with multiple law enforcement agencies, which resulted in the arrest of criminals in seven countries for distributing malicious code on Facebook and operating a botnet that compromised accounts and sensitive information. Separately, multiple law enforcement agencies and the U.S. Department of Justice (DOJ) reached a settlement with HSBC following an investigation into money laundering and the bank's failure to have the required controls in place to identify and block criminal money transfers.

IntelliShield Analysis: While governments and international organizations continue to debate legislation and agreements with little progress, government and law enforcement agencies across the globe continue to increase their active investigation and prosecution of criminals and criminal activity on the Internet. Several governance, risk, and compliance (GRC) requirements are already in place. As these cases are investigated, and as courts rule on various legal points, the agencies are becoming more capable and experienced in pursuing them, while private organizations are becoming increasingly willing and experienced in working with those agencies. This is one of the major trends identified in the past few years, and it is expected to continue to increase in number and success. Organizations that have not yet been involved in these types of investigations will likely be so in the future. Not only must organizations ensure that they have their required GRC practices in place to avoid legal issues, but they must also be prepared to work with government and law enforcement agencies during investigations.

Trust

Social Media: Democracy, Contact with Your Customers, or a Little of Both?

Two of the largest players in social media, Facebook and Twitter, are increasingly seen as an effective way to communicate with constituents, be they citizens or customers. Two entirely disparate events recently leveraged social media for democratic purposes: Facebook asked its users to vote on its ever-evolving privacy policies, and the citizens of Iceland were asked for input on their new constitution. Separately, PNC Bank took to Twitter and Facebook to advise its customers on the effects of recent DDoS attacks on U.S.-based financial institutions.

IntelliShield Analysis: Social media's ability to reach its users (and, in most cases, to be trusted by them) is due in part to the long-term erosion of trust in email and SMS (text) messages caused by malicious or unwanted content, Eurograbber being a recent example. As a result, social media has become more important to organizations that want to push out 'official' content on their own behalf. This may be due in part to the pull versus push nature of social media, coupled with the ability for specific contributors to be marked as 'official' or verified in some way, such as Twitter's blue check mark. Trusting social media as an official voice increases the potential for sophisticated compromises that could go undetected by even the most savvy users, since an account an audience treats as authoritative is a correspondingly valuable target. Organizations that leverage social media, regardless of the goal, should regularly review the landscape of threats and trends and communicate regularly with their audience about such threats, as well as any changes to policies made as a result.

Identity

Healthcare Data Theft Unabated

A recently released Ponemon Institute survey of healthcare organizations included some disturbing findings:

  • 94 percent of the organizations had experienced data loss within the past two years.
  • 45 percent of the organizations said they had experienced five or more breaches over the past two years.
  • 52 percent of the organizations reported incidents of identity theft.

The survey also found that some incidents were caused by inaccuracies in patient records, and in some cases patient care was affected in addition to the criminal use of the compromised data. Not only were patients targeted; the healthcare organizations themselves were also targeted through ransomware attacks and demands for payment to release the data.

IntelliShield Analysis: Despite the Health Insurance Portability and Accountability Act (HIPAA), enacted by the U.S. Congress in 1996, and the Health Information Technology for Economic and Clinical Health (HITECH) Act, signed into law on February 17, 2009, data security in the healthcare industry continues to be a serious concern. As the industry continues to move toward electronic health records and incorporates new mobile technologies to improve access and communications, the concerns are only growing in complexity. While many studies have offered possible causes for the continued data losses, ranging from cultural, to financial, to some noting that compliance requirements may be detrimental to improving security, the need for improvement is increasingly obvious to all. As costs to patients, insurance companies, and healthcare organizations continue to increase, and as legal issues become more frequently involved and challenged during data loss events, healthcare organizations are likely to find themselves forced to improve and verify their security controls or face increasing government agency investigations and fines, along with lawsuits from patients.

Human

There was no significant activity in this category during the time period.

Geopolitical

Legislating Cyber Security Proves Tricky

During 2012, governments that tried to pass cyber security legislation met with limited success. Some countries passed laws that address certain aspects of cyber security, such as the United Arab Emirates (UAE), which announced a new law limiting online content that in its view could threaten public order, and Russia, which passed a law allowing authorities to block websites with content they see as objectionable. An anti-cybercrime law passed in the Philippines, however, was suspended by the country's top court in response to public outcry over privacy and freedom of speech. The United States was unable to pass a comprehensive cyber security law due to lack of consensus on how to treat critical infrastructure (an Executive Order is likely to be issued in the near term to bridge the gap until legislation can be revisited), and the United Kingdom adopted voluntary measures rather than attempt broad new legislation.

IntelliShield Analysis: Around the world, governments are taking a close look at existing laws to determine whether they can be reinterpreted to reflect the realities of an Internet-connected world, or whether new laws must be drafted. At the same time, these laws cannot easily be disentangled from debates surrounding public security and human rights, and addressing the concerns of the multitude of players involved is difficult. Moreover, even defining cyber security can be a challenge given the wide range of related issues, including online crime, offensive content, and protecting critical infrastructure. Resiliency against cyber attacks and online crime are issues that the European Union hopes to address in a new comprehensive cyber security directive expected early in 2013. Information security specialists will want to keep an eye on the progress of this directive, as well as the renewed debate in the U.S. over comprehensive cyber security, in the new year.

Miscellaneous

Islamic Group Follows Through on Promise to Attack Banks

The group "Izz ad-Din al-Qassam Cyber Fighters" is claiming responsibility for launching a second round of denial of service attacks against U.S. banks.

IntelliShield Analysis: It is still unclear whether the source of the avalanche of disruptive traffic aimed at banks is Iranian-sponsored backlash for Stuxnet, the Hamas-affiliated Izz ad-Din al-Qassam Cyber Fighters acting over an offensive YouTube video, or someone else entirely. One thing is clear: small groups of actors can disrupt a vertical market. This particular campaign will end, but denial of service will remain an attack used by many, and when malware converges with the six billion active telephones in the world, the avalanche could be substantially larger.

Organizations need to evaluate what the costs would be in the event of an extended attack, then plan and test an appropriate defense. Cisco has several hardening guides that can help with a DDoS defense.

Upcoming Security Activity

Cisco Live London: January 28–February 1, 2013
ShmooCon: February 15–17, 2013
RSA Conference 2013: February 25–March 1, 2013
Cisco Live ANZ: March 5–8, 2013
Cisco Live US: June 23–27, 2013

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following:

Egypt Constitution Referendum: December 15 and 22, 2012
Japan General Elections: December 16, 2012
South Korea Presidential Election: December 19, 2012
US Fiscal Cliff: January 1, 2013
World Economic Forum: January 23–27, 2013

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit
      Cisco Security IntelliShield Alert Manager Service

For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit
      Trial Registration



This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.
