
Cyber Risk Report

April 13–19, 2009

The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.

Vulnerability

Vulnerability and threat activity remained consistent with levels from previous weeks. Although there was increased activity related to the Microsoft monthly security bulletin release and the Oracle quarterly critical patch update, the events did not have a significant impact on broader activity levels.

Microsoft published its monthly security bulletin release on April 14, 2009. Eight bulletins were released that address 21 individual vulnerabilities. These bulletins address vulnerabilities in the Microsoft Windows operating system, Microsoft ISA Server, and the Microsoft Office suite of applications. Since the publication of the monthly release, additional information about several of the vulnerabilities has been released by the researchers who reported them to Microsoft. The updated information is available through Cisco Security Center.

Also on April 14, 2009, Oracle released the Critical Patch Update advisory for April 2009. The update contains 43 security fixes for various Oracle products. Fifteen of the fixes address vulnerabilities that can be exploited remotely without prior authentication. Of those fifteen, attackers can exploit two vulnerabilities, one in JRockit and one in WebLogic Server, to fully compromise the host operating system. Sun also released a set of 14 Sun Java vulnerabilities with fixes.

In the aftermath of the Twitter cross-site scripting worm, the social networking website is facing public scrutiny for the flaw, which could have been leveraged for much greater damage. Meanwhile, the worm's author has accepted a position with a web security company, a move that has garnered mixed feelings from security professionals. An unnamed attacker recently used the worm's publicity as an opportunity to exact revenge by compromising a server used by the worm's author and posting passwords and other details in a public forum.

IntelliShield published 83 events last week: 42 new events and 41 updated events. Of the 83 events, 67 were Vulnerability Alerts, three were Security Activity Bulletins, six were Threat Outbreak Alerts, three were Security Issue Alerts, two were Applied Mitigation Bulletins, and two were Cyber Risk Reports. The alert publication totals are as follows:

Weekly Alert Totals

Day            Date         New   Updated   Total
Friday         04/17/2009     5         4       9
Thursday       04/16/2009     5         2       7
Wednesday      04/15/2009     5        26      31
Tuesday        04/14/2009    21         5      26
Monday         04/13/2009     6         4      10
Weekly Total                 42        41      83


Previous Alerts That Still Represent Significant Risk

Worm: W32/Conficker.worm
IntelliShield Malicious Code Alert 17121, Version 18, April 9, 2009
Urgency/Credibility/Severity Rating: 4/5/3

W32/Conficker has changed its command and control communication methods and begun to download malicious files to infected systems. Conficker has now changed from malicious code that infects vulnerable systems into an operational botnet. It is expected to continue to attempt to infect vulnerable systems, change its command and control communication, and download additional malicious files to infected systems.

Adobe Acrobat Products PDF File Buffer Overflow Vulnerability
IntelliShield Vulnerability Alert 17665, Version 7, March 19, 2009
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2009-0658

Adobe Reader, Adobe Acrobat Professional, Acrobat Professional Extended, and Acrobat Standard contain a buffer overflow vulnerability that could allow a remote attacker to create a denial of service condition or execute arbitrary code with the privileges of the user. The level of user privileges and the code that is executed determine the degree to which the system is compromised. This vulnerability is actively being exploited in the wild by the Pidief family of trojans. Additional information about the trojan is available in IntelliShield alert 14388. Adobe has confirmed the vulnerability and released updated software for Version 9 of the affected products.

Microsoft Office Excel Invalid Object Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 17689, Version 5, March 6, 2009
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2009-0238

Microsoft Excel and related products contain a vulnerability that could allow a remote attacker to execute arbitrary code. Attackers are actively exploiting this vulnerability to conduct limited malicious code attacks that are designed to infect targeted systems with a variant of the Mdropper family of trojans. This family of trojans is detailed in IntelliShield alert 12562. Microsoft has confirmed this vulnerability, but updated software is not available.

Misconfigured Router Causes Increased BGP Traffic and Isolated Outages for Internet Services

IntelliShield Security Activity Bulletin alert 17657, Version 2, February 20, 2009
Urgency/Credibility/Severity Rating: 2/5/3

On Monday, February 16, 2009, a misconfigured router from SuproNet, a Czech Internet Service Provider, caused a sharp increase in Border Gateway Protocol (BGP) updates, as well as isolated outages for Internet services around the world. The disruption was caused by a SuproNet router that issued routing announcement updates containing overly long Autonomous System (AS) paths. Cisco Security Intelligence Operations has released additional technical information and workarounds to mitigate denial of service conditions that result from overly long AS paths. This information is available in IntelliShield alert 17670. OpenBSD has fixed a similar flaw, which is described in IntelliShield alert 17658.
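The workaround class the report refers to amounts to refusing announcements whose AS_PATH exceeds an administratively chosen maximum. The following is an added illustration, not code from the report or from Cisco: it applies that length check to a constructed, simplified text dump of route announcements (one "prefix as1 as2 ..." per line). The prefixes and AS numbers are made up from documentation and private ranges and do not correspond to the incident; the threshold of 75 is an assumed value, not one the report states.

```python
"""Flag BGP route announcements whose AS_PATH exceeds a configured limit.

Added example (not from the Cisco report). A router that discards or
ignores updates with an AS_PATH longer than a chosen maximum is protected
from the class of problem the SuproNet incident caused. The same check,
run over a route-collector dump, also serves as a detection: a burst of
over-length paths is a sign that something upstream is misbehaving.
"""

# Constructed sample, not real routing data. The third announcement
# carries an abnormally long AS_PATH of 300 private-range AS numbers.
LONG_PATH = " ".join(str(65000 + i) for i in range(300))
SAMPLE_ANNOUNCEMENTS = (
    "192.0.2.0/24 64496 64497 64498\n"
    "198.51.100.0/24 64496 64499\n"
    f"203.0.113.0/24 {LONG_PATH}\n"
)


def parse_announcement(line):
    """Return (prefix, [as numbers]) for a 'prefix as1 as2 ...' line.

    Raises ValueError on a line with no AS_PATH or a non-numeric ASN, so
    malformed input is surfaced instead of silently accepted.
    """
    parts = line.split()
    if len(parts) < 2:
        raise ValueError(f"malformed announcement: {line!r}")
    prefix = parts[0]
    as_path = [int(asn) for asn in parts[1:]]
    return prefix, as_path


def check_as_path_lengths(text, max_as=75):
    """Split announcements into accepted and rejected by AS_PATH length.

    max_as is an assumed administrative limit. Each result entry is
    (prefix, path_length, neighbor_as), where neighbor_as is the first
    AS in the path, i.e. the peer that sent the over-length update, which
    is the detail an operator wants when triaging the source.
    """
    accepted, rejected = [], []
    for line in text.splitlines():
        if not line.strip():
            continue  # skip blank lines in the dump
        prefix, as_path = parse_announcement(line)
        entry = (prefix, len(as_path), as_path[0])
        if len(as_path) > max_as:
            rejected.append(entry)
        else:
            accepted.append(entry)
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = check_as_path_lengths(SAMPLE_ANNOUNCEMENTS)
    for prefix, length, neighbor in bad:
        print(f"REJECT {prefix}: AS_PATH length {length} "
              f"exceeds limit, received from AS{neighbor}")
    print(f"{len(ok)} accepted, {len(bad)} rejected")
```

Counting every element of the path, including an AS that appears several times because of prepending, mirrors how a path-length limit behaves on a router; a limit set too low will drop legitimate routes with heavy prepending, so the threshold should be chosen from observed path-length distributions rather than guessed.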

Microsoft Internet Explorer Uninitialized Memory Corruption Vulnerability
IntelliShield Vulnerability Alert 17519, Version 6, March 13, 2009
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2009-0075

Microsoft Internet Explorer Version 7.0 contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code or crash the browser, resulting in a denial of service condition. On systems that grant users Administrator privileges, an attacker could execute code that may result in the complete compromise of the affected system. Reports have confirmed the existence of exploit code that is being delivered using a Microsoft Office Word document saved in the XML format. Exploits have been observed wherein attackers build Word documents using XML constructs, save them as .doc files, and deliver the malicious document via e-mail or host it on websites. Several antivirus vendors are reporting the activity.

Worm: W32.Waledac
IntelliShield Malicious Code Alert 17327, Version 9, February 13, 2009
Urgency/Credibility/Severity Rating: 4/5/4

W32.Waledac is a worm that attempts to open a back door on an infected system. The worm propagates by sending a copy of itself to e-mail addresses found on the infected system. Recently, the Waledac family was observed disguising itself as valentine-related e-cards. The e-mail messages are configured to take advantage of interest in current events or holidays to convince users to open malicious e-mail attachments. W32.Waledac may download files on an infected system and provide an attacker with backdoor access. The worm also attempts to steal confidential information that is related to numerous online banking entities.

Physical

Vandals Cut Silicon Valley Communications Cables

According to police, tens of thousands of United States residents in Silicon Valley, California recently awoke without Internet access, landline, or wireless phone service after vandals severed two fiber optic cables belonging to AT&T and Sprint. Officials suspect that saboteurs accessed the cables in early morning hours via manhole covers in San Jose and San Carlos, two cities that are located south of San Francisco.

The first cut, which affected an AT&T cable around 1:30 AM PST, impacted landline, cell phone service, and 911 calls. The second cut, which damaged a Sprint fiber about two hours later, significantly disrupted services at a major datacenter in southern San Francisco. According to the Santa Clara County Office of Emergency Services, the overall incident affected cell phones, Internet access, and about 52,200 Verizon household landlines. Reports also indicated that some ATMs in affected areas were not functioning. AT&T is offering a US$100,000 reward for information leading to the arrest and conviction of the vandals.

IntelliShield Analysis: With such a dependence on communications, including the Internet, in most areas of modern life, the infrastructure that supports this foundation is, with some exceptions, fragile and virtually unprotected. Although police officials claim that the manhole covers used by the vandals are heavy and require great efforts to lift, they clearly did not provide a sufficient security barrier for the protection of vital resources that had an immediate impact on emergency infrastructures.

Many experts agree that necessary solutions involve increased physical protection of fiber links and the development of satellite workarounds. Reports have suggested that the recent incident may be related to contract expirations with AT&T workers, but no information has been confirmed. The location of the affected cables was not public knowledge, and the precision of the attack suggests a high level of infrastructure knowledge. Nevertheless, this incident could still represent an intentional act of sabotage by a party who is not related to any affected organization.

Legal

There was no significant activity in this category during the time period.

Trust

There was no significant activity in this category during the time period.

Identity

Verizon Releases 2009 Data Breach Report

Verizon Business recently released its 2009 Data Breach Investigations Report, which summarizes specific intrusions and details the methods that attackers used to access confidential information. The report includes data from a total of 90 incidents that resulted in the loss of 285 million records, along with additional information pertaining to the attack sources and attack types involved in those incidents.

IntelliShield Analysis: The results of these kinds of studies can help businesses allocate expenditures and resources to combat data loss. Most reported attacks originated from external sources and involved some type of hacking, either through guessed or stolen account credentials or through an exploit against a software vulnerability, such as a SQL injection flaw.

Malicious software in the form of keyloggers and trojan horses was another vector used to access confidential data; the use of this method increased in comparison to past years. Configuration errors and failures in policy enforcement also contributed to the majority of breaches. By patching or removing vulnerable software, combating malware infections, securing software configurations, and enforcing password change policies, businesses can avoid the majority of attack types used in typical data breach incidents.

Human

There was no significant activity in this category during the time period.

Geopolitical

India's Citizens to Vote Electronically

Beginning April 16, 2009, India will conduct the largest democratic elections in history, with more than 700 million eligible voters set to visit the polls. The poor state of the economy and security concerns following the Mumbai terror attacks are likely to be central issues. Voters will cast ballots using electronic voting machines, and those with Internet access will be able to research candidates' platforms and credentials using websites provided by Google and Yahoo, among others. Prominent candidates, including prime ministerial contender Lal Krishna Advani, have Facebook pages. In an effort to promote transparency, the website nocriminals.org allows voters to check whether various candidates have criminal records. The Yahoo site allows users to discuss the issues of greatest concern to them.

IntelliShield Analysis: Although the outcome of the elections and their potential impact on the world's largest democracy are impossible to predict, the Internet is playing a central role in the process. Social networking, in particular, will almost certainly affect candidate fundraising and brand building, and watchdog sites like nocriminals.org will promote transparency. While these developments are largely positive for India, widespread use of the Internet and electronic voting also dramatically increases the risk of fraud or invalidation. Indeed, Finland recently invalidated election results when two percent of its electronically cast votes were lost due to a glitch. Observers will watch closely to see whether India experiences similar problems, or whether the democratizing effects of the Internet help hold candidates to account and mass electronic communications help make such a huge undertaking possible.

Upcoming Security Activity

RSA Conference 2009: April 20–24, 2009
CSI SX Security Exchange: May 17–21, 2009

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following dates:

India general elections: April 16–May 13, 2009
South Africa general election: April 22, 2009

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit
      Cisco Security IntelliShield Alert Manager Service

For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit
      Trial Registration



This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.
