Cyber Risk Report

November 16–22, 2009

The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.

Vulnerability

Vulnerability and threat activity for this period decreased sharply relative to previous periods. After several recent periods of high levels of activity due to large releases from major vendors, activity for this period returned to lower levels consistent with periods earlier in the year.

Activity was highlighted by two Microsoft vulnerabilities. The Internet Explorer Cascading Style Sheets vulnerability and proof-of-concept exploit code were identified on Sunday, November 22, and reported in IntelliShield alert 19468. The previously reported Microsoft Windows SMB Client Remote Denial of Service vulnerability affecting Windows 7 and Windows Server 2008 R2 was updated because exploit code was publicly released, as reported in IntelliShield alert 19422.

In other activity, PHP released version 5.3.1 to correct multiple vulnerabilities. Because PHP is so widely used in website and application code, developers and administrators are advised to update their systems; unpatched PHP installations are a common route for the attacks currently used to compromise data and to seed legitimate websites with malicious content.

On an administrative note, the Cisco Cyber Risk Report will not be published on the usual Monday schedule following the upcoming holidays. It will not be published on November 30 following the U.S. Thanksgiving holiday, December 28 following the Christmas holiday, or January 4 following the New Year's Day holiday.

IntelliShield published 78 events last week: 38 new events and 40 updated events. Of the 78 events, 55 were Vulnerability Alerts, 15 were Security Activity Bulletins, four were Security Issue Alerts, two were Threat Outbreak Alerts, one was an Applied Mitigation Bulletin, and one was a Cyber Risk Report. The alert publication totals are as follows:

Weekly Alert Totals

Day           Date         New   Updated   Total
Sunday        11/22/2009     1         0       1
Friday        11/20/2009     6         4      10
Thursday      11/19/2009     6         2       8
Wednesday     11/18/2009     6        10      16
Tuesday       11/17/2009     8         8      16
Monday        11/16/2009    11        16      27
Weekly Total                38        40      78


Significant Alerts for November 16–22, 2009

Microsoft Internet Explorer Cascading Style Sheets Remote Code Execution Vulnerability
IntelliShield Vulnerability Alert 19468, Version 1, November 22, 2009
Urgency/Credibility/Severity Rating: 2/4/4

Microsoft Internet Explorer versions 6 and 7 contain a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition or execute arbitrary code. Proof-of-concept code is publicly available.

Microsoft Windows SMB Client Remote Denial of Service Vulnerability
IntelliShield Vulnerability Alert 19422, Version 2, November 16, 2009
Urgency/Credibility/Severity Rating: 2/5/3
CVE-2009-3676

Microsoft Windows Server 2008 R2 and Windows 7 contain a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition. Exploit code is publicly available. Microsoft has confirmed this vulnerability, but updates are not available.

Previous Alerts That Still Represent Significant Risk

Transport Layer Security Renegotiation Remote Man-in-the-Middle Attack Vulnerability
IntelliShield Vulnerability Alert 19361, Version 11, November 20, 2009
Urgency/Credibility/Severity Rating: 2/5/3
CVE-2009-3555

Multiple TLS implementations contain a vulnerability when renegotiating a Transport Layer Security (TLS) session that could allow an unauthenticated, remote attacker to conduct a man-in-the-middle attack. Multiple vendors have released updates to correct this vulnerability. Proof-of-concept code that exploits this vulnerability is publicly available.
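The practical consequence of the renegotiation flaw is easiest to see at the HTTP layer. The following is an added illustration written for this report, not code from the original page or from any affected vendor: it contains no TLS at all and simply models what an unpatched server's HTTP parser processes once a man-in-the-middle has opened its own TLS session, sent a partial request, and relayed the victim's real handshake into that session as a renegotiation. The hostname, paths, header names and cookie value are constructed for the example, and "renegotiation refused" models the interim vendor fix of rejecting client-initiated renegotiation.

```python
# Constructed model of the application-layer effect of the TLS renegotiation
# flaw (CVE-2009-3555). Before the fix, a server treated application bytes
# received before and after a renegotiation as one continuous stream, so the
# attacker's prefix and the victim's request were parsed as a single request.

ATTACKER_PREFIX = (
    b"GET /account/transfer?to=attacker&amount=1000 HTTP/1.1\r\n"
    b"Host: bank.example\r\n"      # hostname constructed for the example
    b"X-Ignore: "                  # no CRLF: the victim's request line ends up
)                                  # as the value of this bogus header

VICTIM_REQUEST = (                 # what the legitimate client actually sent
    b"GET /account/balance HTTP/1.1\r\n"
    b"Host: bank.example\r\n"
    b"Cookie: session=victim-session-token\r\n"
    b"\r\n"
)


def parse_request(stream):
    """Minimal HTTP/1.x parser: request line plus a dict of lower-cased headers.
    A repeated header name keeps the last value seen."""
    head, _, _ = stream.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, target, version = lines[0].split(b" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version,
            "headers": headers}


def server_sees(attacker_bytes, victim_bytes, renegotiation_allowed):
    """What the server's HTTP layer processes.

    renegotiation_allowed=True models the unpatched server: the stream continues
    across the renegotiation, so the attacker's prefix and the victim's request
    are parsed as one request. False models the interim fix of refusing
    client-initiated renegotiation: the connection is aborted, the attacker's
    buffered prefix is discarded, and the victim's bytes never join it.
    """
    if not renegotiation_allowed:
        return None
    return parse_request(attacker_bytes + victim_bytes)


def spliced_request():
    """The attacker's chosen target, now carrying the victim's session cookie."""
    return server_sees(ATTACKER_PREFIX, VICTIM_REQUEST, renegotiation_allowed=True)


if __name__ == "__main__":
    req = spliced_request()
    print(req["method"], req["target"])                  # attacker's request line
    print("cookie:   ", req["headers"][b"cookie"])       # victim's credential
    print("swallowed:", req["headers"][b"x-ignore"])     # victim's request line
    print("patched:  ", server_sees(ATTACKER_PREFIX, VICTIM_REQUEST, False))
```

The point the model makes is that the attacker never learns the victim's cookie; the server simply executes the attacker's request with the victim's credentials attached. That is why the mitigation had to happen in the TLS layer rather than in application code.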

Gumblar Malicious Code Adopts Additional Exploit Methods
IntelliShield Vulnerability Alert 19237, Version 1, October 20, 2009
Urgency/Credibility/Severity Rating: 3/4/3

Reports indicate additional activity related to the Gumblar malicious code.

Microsoft Windows SMB2 Remote Code Execution Vulnerability
IntelliShield Vulnerability Alert 19000, Version 7, October 13, 2009
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2009-3103

Microsoft Windows Vista SP2 and prior and Windows Server 2008 contain a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition or execute arbitrary code. Microsoft has released a security advisory and updated software to address the Microsoft Windows SMB2 remote code execution vulnerability. Functional exploit code is publicly available.

Microsoft Internet Information Services FTPd Remote Buffer Overflow Vulnerability
IntelliShield Vulnerability Alert 18951, Version 5, October 13, 2009
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2009-3023

Microsoft IIS versions 5.0, 5.1, and 6 contain a vulnerability in the FTPd service that could allow an authenticated, remote attacker to cause a DoS condition or execute arbitrary code with elevated privileges. Microsoft has released a security bulletin with software updates to address the Microsoft Internet Information Services FTPd remote buffer overflow vulnerability.

Microsoft Visual Studio Active Template Library Uninitialized Object Vulnerability
IntelliShield Vulnerability Alert 18725, Version 12, November 5, 2009
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2009-0901

Microsoft Visual Studio Active Template Library contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code. Microsoft has released a security bulletin and software updates to address the Microsoft Visual Studio Active Template Library uninitialized object vulnerability in Microsoft Windows.

Microsoft Office Web Components ActiveX Control Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 18633, Version 6, October 12, 2009
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2009-1136

Microsoft Office Web Components contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code with the privileges of the user. This vulnerability is due to an unspecified error in the Office Web Components ActiveX control. Reports indicate that exploits of this vulnerability are ongoing. Additional technical information is available to detail the Microsoft Office Web Components ActiveX control arbitrary code execution vulnerability. IntelliShield has re-released this alert to clarify the availability of software updates.

Physical

Brazilian Power Operator's Website Hacked

Last week's news on the failure of the Brazilian power grid and the search for a cause, which several news outlets blamed on computer hackers, became a type of self-fulfilling prophecy this week as an investigation by hackers into the public web pages of the Operador Nacional do Sistema Electrico (ONS) yielded results. After a cursory scan of the website, they found a robots.txt file instructing web crawlers to disregard specific areas of the site. The hackers used those excluded paths as a starting point to discover an employee login page and several SQL injection vulnerabilities. Fortunately, the systems controlling the grid were not connected to the compromised web systems.
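The two steps this item describes, reading robots.txt as a map of what the owner wants hidden and then abusing a login page whose query is built from user input, as an added Python example. This is not code from the original report or from any ONS system: the robots.txt content, the in-memory users table, the login functions and the injected payload are all constructed for illustration.

```python
import re
import sqlite3

# Constructed robots.txt in the spirit of the file the hackers are said to
# have found. Disallow lines keep well-behaved crawlers out, but the file is
# public and tells an attacker exactly which paths the owner considers sensitive.
ROBOTS_TXT = """\
User-agent: *
Disallow: /admin/          # back-office
Disallow: /intranet/login.aspx
Disallow: /tmp/
Allow: /public/
"""


def disallowed_paths(robots_txt):
    """Return the Disallow paths in file order, with comments and duplicates dropped."""
    paths = []
    for raw in robots_txt.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"(?i)disallow\s*:\s*(\S+)", line)
        if m and m.group(1) not in paths:
            paths.append(m.group(1))
    return paths


def make_db():
    """In-memory stand-in for the employee login page's database (constructed)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT)")
    con.execute("INSERT INTO users VALUES ('operator', 's3cret')")
    return con


def login_vulnerable(con, username, password):
    """String-built query: whatever the user types is parsed as SQL."""
    sql = ("SELECT COUNT(*) FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return con.execute(sql).fetchone()[0] > 0


def login_fixed(con, username, password):
    """Parameterised query: input is bound as data and can never alter the SQL."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return con.execute(sql, (username, password)).fetchone()[0] > 0


PAYLOAD = "' OR '1'='1"   # classic tautology, injected through the password field

if __name__ == "__main__":
    print("paths worth probing:", disallowed_paths(ROBOTS_TXT))
    con = make_db()
    # The vulnerable query becomes:
    #   ... WHERE username = 'anyone' AND password = '' OR '1'='1'
    # which matches every row, so the login succeeds without a password.
    print("vulnerable login bypassed:", login_vulnerable(con, "anyone", PAYLOAD))
    print("fixed login bypassed:     ", login_fixed(con, "anyone", PAYLOAD))
```

A review of any public-facing site should include the same two checks from the defender's side: treat every Disallow entry as a path that needs real access control rather than obscurity, and confirm that no login or search handler concatenates request parameters into SQL.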

IntelliShield Analysis: Publicity of any sort is perhaps the worst enemy of any enterprise with systems connected to the Internet. In this case, no direct connection to the Brazilian power grid's control systems was ever discovered, but the publicity given to the outage caused hackers to focus on the public website and subsequently discover several methods of compromise. One lesson that can be drawn from this episode is to ensure that all of your public-facing web servers are secure; another is to ensure that the product your enterprise delivers is reliable, so that you stay out of the news. Sometimes any publicity is bad publicity.

Legal

Two Arrested in Connection with ZeuS Trojan

Two British citizens have been arrested in Manchester, England, by the Metropolitan Police's Central e-Crime Unit (PCeU) for their part in spreading the ZeuS trojan. The trojan is designed to steal banking credentials from the computers it infects and is unusual in that it propagates not only through malicious e-mail messages but also through social networking sites such as Facebook.

IntelliShield Analysis: What is unusual about the ZeuS trojan is that it is programmed to steal not only bank account credentials but also the credentials of Facebook accounts. The Facebook credentials are then used to post the malicious code from the compromised Facebook accounts, which in turn propagate the trojan further. ZeuS has been a very successful piece of malware, and a customizable kit for redistributing it is available for purchase. While these arrests are Europe's first step toward combating the spread of this malicious software, they are not likely to have a significant impact on the overall prevalence of ZeuS.

Trust

There was no significant activity in this category during the time period.

Identity

There was no significant activity in this category during the time period.

Human

Online Gangs Cash In on H1N1 Flu

Not surprisingly, several criminal gangs, many of them based in Russia, are exploiting the fears and concerns of the worldwide public regarding the H1N1 pandemic to sell counterfeit drugs. Millions of intercepted spam messages include advertisements for a fake version of the drug Tamiflu, the real version of which has been recommended by the World Health Organization (WHO) to treat symptoms associated with the H1N1 virus.

IntelliShield Analysis: This is certainly not the first, and very likely won't be the last, attempt by miscreants and criminals to profit from unfortunate events such as natural disasters (earthquakes, tsunamis, forest fires) and those that result in human suffering (airplane crashes, terrorist attacks, widespread illnesses). While the general public must exercise vigilance at all times regarding advertisements and solicitations arriving via the Internet, we must be extra cautious and guarded during times of fear and terror so as not to fall victim to this type of malicious exploitation.

Geopolitical

International Corruption Barometer is Only Part of the Security Equation

Berlin-based non-governmental organization Transparency International issued its closely watched annual Corruption Perceptions Index (CPI) last week, based on 13 different business surveys. The CPI measures perceived levels of public sector corruption in 180 countries, as opposed to actual corrupt activity, which may be impossible to measure. Afghanistan and Somalia were at the bottom of the list, while the least corrupt nations included New Zealand, Denmark, and Singapore. Key emerging technology powerhouses India and Russia held mostly steady in the rankings, while Brazil improved five places. China lost ground, despite high-profile efforts by the government in Beijing to stamp out corruption, taking 79th place out of 180, seven slots lower than its 2008 rank.

IntelliShield Analysis: By quantifying perceptions of corruption, the 2009 CPI illustrates the extent to which legal systems and effective governance are vital to economic growth. Indeed, the bottom third of the list consists primarily of war-torn, impoverished nations with dysfunctional governments. Information security specialists may wish to note, however, that a good CPI score does not correlate with a higher level of data security. On security firm Sophos' list of top malware-hosting countries, five of the top ten scored above average on the CPI, including the United States, Germany, and the United Kingdom. In other words, measuring information security requires taking into account connectivity, entrepreneurial culture, and economic activity, as well as governance and legal systems. Particularly as rich governments pump vast sums of public money into their economies in a bid to sustain recoveries, security specialists may wish to note that two-thirds of the CPI's 180 countries scored lower than 5 on its 0–10 scale, where 0 is most corrupt. Economic conditions worldwide are thus fertile for bribery and fraud, and information systems are vulnerable everywhere.

Upcoming Security Activity

Black Hat DC: January 31–February 3, 2010

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following dates:

The Hajj: November 25–30, 2009
Copenhagen Climate Change Summit: December 7–18, 2009
Hanukkah: December 11, 2009
Christmas: December 25, 2009
New Year's Day: January 1, 2010

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit
      Cisco Security IntelliShield Alert Manager Service

For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit
      Trial Registration



This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.
