April 20–26, 2009

The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.

Vulnerability

While activity levels have decreased, overall trends do not appear to have changed significantly during the time period. With the popular RSA Conference 2009 occurring April 20–23 in San Francisco, California, the focus may have temporarily shifted away from threat reporting.

The Rustock botnet has been known primarily as a prolific spam source. Cisco Security Intelligence engineers recently noticed a change in Rustock behavior and have reported that the botnet is attempting to grow larger by exploiting additional systems. IntelliShield previously reported on this trojan in IntelliShield Daily Malicious Code Summaries 11062 and 11243. Sources indicate that the botnet may account for approximately 26 percent of all spam. Typically, it is capable of sending hundreds of thousands of spam messages an hour from a single, low-end system. Additional details on the evolution of the Rustock botnet are available in IntelliShield alert 18062.

Following the release of the Oracle Critical Patch Update Advisory for April 2009, several of the vulnerabilities patched have been updated. For two of these vulnerabilities, documented in IntelliShield alerts 18066 and 18039, exploit examples have emerged publicly.

Mozilla recently updated its Firefox, Thunderbird, and SeaMonkey products to correct nine vulnerabilities. Most of these vulnerabilities were not severe; however, three of the vulnerabilities could allow code execution or privilege elevation, and users are encouraged to apply the appropriate updates.

IntelliShield published 53 events last week: 31 new events and 22 updated events. Of the 53 events, 43 were Vulnerability Alerts, three were Security Activity Bulletins, four were Threat Outbreak Alerts, one was a Security Issue Alert, one was an Applied Mitigation Bulletin, and one was the Cyber Risk Report. The alert publication totals are as follows:

Weekly Alert Totals

Previous Alerts That Still Represent Significant Risk

Worm: W32/Conficker.worm

W32/Conficker has changed its command and control communications methods and has begun to download malicious files to the infected systems. Conficker has now changed from a malicious code that infects vulnerable systems to an operational botnet. It is expected to continue to attempt to infect vulnerable systems, change command and control communication, and download additional malicious files to the infected systems.

Adobe Acrobat Products PDF File Buffer Overflow Vulnerability

Microsoft Office Excel Invalid Object Arbitrary Code Execution Vulnerability

Microsoft Excel and related products contain a vulnerability that could allow a remote attacker to execute arbitrary code. Attackers are actively exploiting this vulnerability to conduct limited malicious code attacks that are designed to infect targeted systems with a variant of the Mdropper family of trojans. This family of trojans is detailed in IntelliShield alert 12562. Microsoft has confirmed this vulnerability, but updated software is not available.

Misconfigured Router Causes Increased BGP Traffic and Isolated Outages for Internet Services

On Monday, February 16, 2009, a misconfigured router from SuproNet, a Czech Internet Service Provider, caused large increases in Border Gateway Protocol (BGP) updates, as well as isolated outages for Internet services around the world. The disruption was caused by a SuproNet router that issued routing announcement updates that contained overly long Autonomous System (AS) paths. Cisco Security Intelligence Operations has released additional technical information and workarounds to mitigate denial of service conditions that result from overly long AS paths. This information is available in IntelliShield alert 17670. OpenBSD has fixed a similar flaw, which is described in IntelliShield alert 17658.
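As an added illustration (not from the report and not Cisco's own code) of the safeguard the workarounds above describe, the function below parses the AS_PATH attribute of a BGP UPDATE and rejects the message when the path exceeds a configured limit, the same check a maxas-limit style setting applies before a route is accepted. The sample UPDATE is constructed here, with 2-byte ASNs and a 75-ASN threshold chosen only for illustration.

```python
import struct

AS_PATH = 2                      # path attribute type code for AS_PATH
AS_SEQUENCE = 2                  # AS_PATH segment type

def build_update(as_path):
    """Constructed BGP UPDATE (RFC 4271 framing, 2-byte ASNs) carrying only
    an AS_PATH attribute; segments are capped at 255 ASNs each."""
    segs = b""
    for i in range(0, len(as_path), 255):
        chunk = as_path[i:i + 255]
        segs += bytes([AS_SEQUENCE, len(chunk)])
        segs += b"".join(struct.pack("!H", a) for a in chunk)
    if len(segs) > 255:                                  # needs extended length
        attr = bytes([0x50, AS_PATH]) + struct.pack("!H", len(segs)) + segs
    else:
        attr = bytes([0x40, AS_PATH, len(segs)]) + segs
    body = struct.pack("!HH", 0, len(attr)) + attr       # no withdrawn routes
    return b"\xff" * 16 + struct.pack("!HB", 19 + len(body), 2) + body

def as_path_length(update):
    """Count the ASNs in the AS_PATH attribute of a BGP UPDATE message."""
    if len(update) < 23 or update[:16] != b"\xff" * 16 or update[18] != 2:
        raise ValueError("not a BGP UPDATE")
    off = 19
    withdrawn_len = struct.unpack_from("!H", update, off)[0]
    off += 2 + withdrawn_len
    attrs_len = struct.unpack_from("!H", update, off)[0]
    off += 2
    end = off + attrs_len
    total = 0
    while off < end:
        flags, atype = update[off], update[off + 1]
        if flags & 0x10:                                 # extended-length bit
            alen = struct.unpack_from("!H", update, off + 2)[0]
            off += 4
        else:
            alen = update[off + 2]
            off += 3
        if atype == AS_PATH:
            p = off
            while p < off + alen:
                count = update[p + 1]                    # segment: type, count, ASNs
                total += count
                p += 2 + 2 * count
        off += alen
    return total

def accept_update(update, max_as=75):
    """Drop an UPDATE whose AS_PATH exceeds the limit (assumed threshold: 75)."""
    return as_path_length(update) <= max_as
```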
Microsoft Internet Explorer Uninitialized Memory Corruption Vulnerability

Microsoft Internet Explorer Version 7.0 contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code or crash the browser, resulting in a denial of service condition. On systems that grant users Administrator privileges, an attacker could execute code that may result in the complete compromise of the affected system. Reports have confirmed the existence of exploit code that is being delivered using a Microsoft Office Word document saved in the XML format. Exploits have been observed wherein attackers build Word documents using XML constructs, save them as .doc files, and deliver the malicious document via e-mail or host it on websites. Several antivirus vendors are reporting the activity.

Worm: W32.Waledac

W32.Waledac is a worm that attempts to open a back door on an infected system. The worm propagates by sending a copy of itself to e-mail addresses found on the infected system. Recently, the Waledac family was observed disguising itself as valentine-related e-cards. The e-mail messages are configured to take advantage of interest in current events or holidays to convince users to open malicious e-mail attachments. W32.Waledac may download files on an infected system and provide an attacker with backdoor access. The worm also attempts to steal confidential information that is related to numerous online banking entities.

Physical

European Union Releases Terrorism Situation and Trend Report

Europol released the European Union (EU) Terrorism Situation and Trend Report covering terrorist activity in the member states for 2008. The statistics show a 24 percent decrease in 2008 activity from 2007. The total number of identified successful or unsuccessful terrorist attacks was 515, with 1009 terrorism-related arrests across the EU member states. The vast majority of these attacks occurred in France and Spain. Identifying the attacks by the Europol categories showed 77 percent were identified as separatists, five percent as left-wing groups, and no terrorist attacks (0 percent) were identified as Islamist terrorism (the number excludes United Kingdom data). The report also noted that the Internet is central to all terrorist groups for communications, propaganda, and recruiting. Many groups identified by the report maintain their own websites.

IntelliShield Analysis: There was one Islamist terrorism attack in the United Kingdom in 2008, but that attack was excluded from the official EU statistics. Even so, the report's statistics may surprise many and could raise more questions than they answer. Islamist terrorism is still considered the biggest global threat by many countries, yet the statistics do not seem to support that conclusion. The EU and other countries have greatly increased intelligence and law enforcement counter-terrorism activities, signified by the continuing high number of arrests. This may suggest the known Islamist terrorism groups have been identified and severely restricted in financing, planning, and executing attacks. Arrest statistics also indicate the majority of the Islamist arrests were identified as belonging to small, home-grown groups that were not associated with prominent Islamist terrorist organizations. While these report statistics may accurately represent the physical situation, on the Internet the full spectrum of terrorist groups is highly active and continues to increase.

Legal

Potential Conflict of Interest Throws Pirate Bay Decision Into Doubt

After a guilty verdict was reached in the Pirate Bay case in Sweden, sentencing was set at one year of jail time and fines exceeding US$4 million. Defense lawyers are attempting to appeal to a higher court to retry the case because new information has surfaced regarding a potential conflict of interest regarding the presiding judge in the case. Tomas Norstrom, the judge in the original case, belongs to the Swedish Copyright Association and is a board member for the Swedish Association for the Protection of Industrial Property.

IntelliShield Analysis: Memberships in entertainment industry copyright advocacy organizations may be the basis for declaring a retrial in the Pirate Bay trial. Believing the judge may have been influenced by his associations with the recording and entertainment industry groups, the defense may seek a retrial with a judge more sympathetic to their position. Even if the request for a retrial is not granted, the defense is likely to appeal the final verdict.

Trust

Gathering Storm over Cloud Security

Cloud security overshadowed discussions held at the annual RSA Conference 2009, with industry leaders sounding alarms and the release of a Deloitte/Ponemon Institute survey that reported that 82.6 percent of the businesses surveyed had no formal plans in place to protect the data they have entrusted to third-party cloud storage providers. According to press reports, nearly 45 percent of the survey respondents are using cloud computing services for data storage (27.7 percent), e-mail (12.8 percent), financial applications (17 percent), and database applications (16.1 percent).

IntelliShield Analysis: The excitement generated by the buzz surrounding the potential benefits of cloud computing may have deemphasized concerns about risks to data security. Legal and regulatory compliance issues could also obscure real costs incurred when entrusting data to third-party cloud service providers. Businesses are advised to ensure they perform due diligence, detail the security levels and controls in the service level agreements, know where and how their data is physically and logically stored, and review cloud service providers' compliance and regulatory documentation for the countries over which cloud services may transit.

Identity

Hackers Pay Thousands for Old Nokia Phones

A discontinued model of a Nokia cell phone that was manufactured in the millions is now commanding prices up to US$32 thousand in secondary markets, prompting interest from fraud investigators. The Nokia 1100 models that are in high demand were made in a factory in Bochum, Germany. Investigators have found that this model may contain a software error that allows attackers to obtain the one-time password or transaction authentication number (TAN) that is necessary to complete a banking transaction. Some European banks have been configured to send a number to a user's cell phone as a security measure to overcome phishing attacks. By reprogramming the phone number attached to the affected phone, attackers may be able to acquire the TAN for an arbitrary user's phone number.

Human

There was no significant activity in this category during the time period.

Geopolitical

United States Has a New Chief Technology Officer

Aneesh Chopra, former Commonwealth of Virginia Secretary of Technology, has been named the new national Chief Technology Officer for the United States, according to press reports. Chopra will work closely with new Chief Information Officer Vivek Kundra to use technology to streamline, strengthen, and make more transparent a host of public services, including healthcare and education. The choice has met with a generally positive reception from the technology community, as Chopra is seen as a strong advocate for more and better technology solutions for a wide variety of public needs.

IntelliShield Analysis: As more public services go online, both the quantity and criticality of data at risk increase exponentially. This process is inevitable and the potential benefits probably outweigh the concerns, but digitization of public services is a nightmare for information security professionals. From a legal perspective, privacy concerns surrounding access and the inevitable leakage of personal information must also be confronted. The problems Chopra and Kundra will wrestle with are relevant to a host of technology-related issues handled by competing government authorities, virtually guaranteeing power struggles. Chopra and Kundra, along with corporate technology partners and government IT stakeholders, may be wise to seek public understanding of the risks involved as they seek to guide public services down this promising but perilous road.

Upcoming Security Activity

CSI SX Security Exchange: May 17–21, 2009

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following dates:

India General Elections: April 16–May 13, 2009

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit

For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit

This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.