Cyber Risk Report

April 27–May 3, 2009

The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.

Vulnerability

Three Adobe Acrobat and Reader PDF vulnerabilities were released this week, as described by IntelliShield Alerts 18088, 18091, and 18110.  These vulnerabilities take advantage of the relatively trusted PDF document type to overcome suspicion from users.  Successful exploitation could result in the execution of arbitrary code.  If users possess elevated privileges, code execution could result in the complete compromise of an affected system.  These vulnerabilities continue a trend of significant PDF-related exploitation since January 1, 2009.  Administrators are encouraged to apply complementary controls to reduce the impact of these threats.

This week also saw an interesting development in a Linux Kernel flaw described in IntelliShield Alert 17798.  First disclosed in March 2009, this vulnerability in the Stream Control Transmission Protocol (SCTP) was believed to be capable only of causing a denial of service condition.  Exploit code released publicly this week demonstrates that it is possible to exploit the vulnerability remotely for code execution.

Facebook and Google stand out in a list of the top ten most-phished websites published by phishtank.com.  Each of the other eight sites is primarily financial or commerce related, with PayPal being by far the most-recorded target for credential stealing.  Sites like Facebook, which recently shut down a fast-spreading phishing worm, are gaining popularity among malware authors and computer criminals because of the wealth of personal information voluntarily contributed by users.  Likewise, Google, especially the Docs and Gmail capabilities, contains a large quantity of valuable information.
Read More
Additional Information

Each of the top ten sites measured by phishtank.com is a popular destination for users.  Although these sites can, and do, take measures to protect users from phishing attacks, the primary responsibility lies with users and good security education.  Criminals will continue to go where the valuable information can be found.  As users grow increasingly comfortable storing their lives online, their responsibility to learn safe practices also increases.

IntelliShield published 68 events last week: 31 new events and 37 updated events.  Of the 68 events, 55 were Vulnerability Alerts, four were Security Activity Bulletins, four were Threat Outbreak Alerts, three were Security Issue Alerts, one was an Applied Mitigation Bulletin, and one was the Cyber Risk Report. The alert publication totals are as follows:

Weekly Alert Totals

Day Date New Updated Total
Friday 5/1/2009 3 6 9
Thursday 4/30/2009 9 16 25
Wednesday 4/29/2009 8 3 11
Tuesday 4/28/2009 6 4 10
Monday 4/27/2009 5 8 13
Weekly Total 31 37 68

 

Monthly Alert Totals

Month New Updated Total
January 148 392 540
February 227 249 476
March 222 335 557
April 164 206 370
Totals 761 1,182 1,943

 

Previous Alerts That Still Represent Significant Risk

Worm: W32/Conficker.worm
IntelliShield Malicious Code Alert 17121, Version 18, April 9, 2009
Urgency/Credibility/Severity Rating: 4/5/3

W32/Conficker has changed its command and control communications methods and begun to download malicious files to the infected systems. Conficker has now changed from malicious code that infects vulnerable systems to an operational botnet. It is expected to continue to attempt to infect vulnerable systems, change command and control communication, and download additional malicious files to the infected systems.

Adobe Acrobat Products PDF File Buffer Overflow Vulnerability
IntelliShield Vulnerability Alert 17665, Version 11, April 24, 2009
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2009-0658

Adobe Reader, Adobe Acrobat Professional, Acrobat Professional Extended, and Acrobat Standard contain a buffer overflow vulnerability that could allow a remote attacker to create a denial of service condition or execute arbitrary code with the privileges of the user. The level of user privileges and the code that is executed determine the degree to which the system is compromised. This vulnerability is actively being exploited in the wild by the Pidief family of trojans. Additional information about the trojan is available in IntelliShield Alert 14388. Adobe has confirmed the vulnerability and released updated software for Version 9 of the affected products.

Microsoft Office Excel Invalid Object Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 17689, Version 6, April 14, 2009
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2009-0238

Microsoft Excel and related products contain a vulnerability that could allow a remote attacker to execute arbitrary code. Attackers are actively exploiting this vulnerability to conduct limited malicious code attacks that are designed to infect targeted systems with a variant of the Mdropper family of trojans. This family of trojans is detailed in IntelliShield Alert 12562. Microsoft has confirmed this vulnerability, but updated software is not available.

Misconfigured Router Causes Increased BGP Traffic and Isolated Outages for Internet Services
IntelliShield Security Activity Bulletin 17657, Version 2, February 20, 2009
Urgency/Credibility/Severity Rating: 2/5/3

On Monday, February 16, 2009, a misconfigured router from SuproNet, a Czech Internet Service Provider, caused high increases in Border Gateway Protocol (BGP) updates, as well as isolated outages for Internet services around the world. The disruption was caused by a SuproNet router that issued routing announcement updates that contained overly long Autonomous System (AS) paths. Cisco Security Intelligence Operations has released additional technical information and workarounds to mitigate denial of service conditions that result from overly long AS paths. This information is available in IntelliShield Alert 17670. OpenBSD has fixed a similar flaw, which is described in IntelliShield Alert 17658.

Microsoft Internet Explorer Uninitialized Memory Corruption Vulnerability
IntelliShield Vulnerability Alert 17519, Version 6, March 13, 2009
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2009-0075

Microsoft Internet Explorer Version 7.0 contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code or crash the browser, resulting in a denial of service condition. On systems that grant users Administrator privileges, an attacker could execute code that may result in the complete compromise of the affected system. Reports have confirmed the existence of exploit code that is being delivered using a Microsoft Office Word document saved in the XML format. Exploits have been observed wherein attackers build Word documents using XML constructs, save them as .doc files, and deliver the malicious document via e-mail or host it on websites. Several antivirus vendors are reporting the activity.

Worm: W32.Waledac
IntelliShield Malicious Code Alert 17327, Version 10, March 23, 2009
Urgency/Credibility/Severity Rating: 4/5/4

W32.Waledac is a worm that attempts to open a back door on an infected system. The worm propagates by sending a copy of itself to e-mail addresses found on the infected system. The Waledac family was observed disguising itself as valentine-related e-cards. The e-mail messages are configured to take advantage of interest in current events or holidays to convince users to open malicious e-mail attachments. W32.Waledac may download files on an infected system and provide an attacker with backdoor access. The worm also attempts to steal confidential information that is related to numerous online banking entities.

Physical

Theft of Computers from over 60 Businesses

In what looks like a job staged by an insider, at least 60 businesses were burglarized in the Ventura Boulevard office building located in Woodland Hills, a district of Los Angeles, California.  What makes it look like an inside job is that there were no signs of breaking or entering, as if the thieves had possession of a master key to all the businesses.  Also, a security guard who normally patrols the grounds and regularly checks the inside the building was called away on an emergency before he could patrol inside.  This event suggests that the thieves knew about the risk that the guard would discover their operation and arranged for him to receive a call to take him elsewhere.  The thieves seemed to be most interested in computers from the businesses that they robbed, and in addition they took an interest in the computer hard drives themselves.  The data that was stolen included tax return information, credit card numbers, and files from a law office.
Read more 
Additional Information

IntelliShield Analysis: A burglary such as this serves to remind us of the importance of physical security.  Somehow, either by collusion or in a separate theft, these thieves seem to have obtained a master key.  The key would not have come from a business owner because an owner would have a key only for a particular business.  However, the key could have come from one of the security guards or other support staff members who have general access.  In addition, the thieves had knowledge of the guard who patrols the building and grounds and they knew how to place an emergency call to him.  Whether a security guard or security guard manager was involved in this heist will be a matter for the law enforcement authorities to investigate.  However, this crime is a good rationale for carefully screening security guards and other support staff, paying them competitive wages and benefits, and managing them to be motivated to perform their jobs at the required levels.

Legal

There was no significant activity in this category during the time period.

Trust

Challenges to Bank Use of Chip-and-PIN Cards

A customer of the U.K. bank Halifax has filed suit to recover UK£2,100 (US$3,100) that he claims he never withdrew.  Similar to most banks throughout the European Union (EU), Halifax issues "chip-and-PIN" cards for customers to use when they obtain cash from automated teller machines (ATMs) or at point-of-sale (POS) terminals in a retail environment.  To use the card, the user must enter a four-digit PIN on a keypad to complete a transaction.  The PIN is then matched against data stored on an embedded chip in the card.  Full details of the case have not been disclosed because a decision by the court is pending.  Security experts agree that criminals can circumvent the technologies used in chip-and-PIN cards, even as banks state that their systems are secure.
Read more 
Additional Information 

IntelliShield Analysis: The efficacy of a technology used for authentication of individual credentials continues to be challenged. Challenges come both from criminals who are intent on circumnavigating the technology for profit and from end users who may not safeguard their credentials.  The trust the banks have in these technologies may have contributed to inconsistent use of video surveillance devices at the ATMs. In contrast, video devices are widely deployed in the United States, where chip-and- PIN cards are rarely issued.  In this specific case, no video device was present at the ATM where the alleged withdrawals took place.  Businesses that employ transactional trust as part of their normal operations should not rely on any single technology to protect themselves and their customers.

Identity

There was no significant activity in this category during the time period.

Human

H1N1 Internet Information and Communications

In the United States (U.S.), federal officials have turned to Web 2.0 tools to disseminate information about H1N1, the swine flu virus. Health and Human Services (HHS), the Centers for Disease Control (CDC), and the Department of Homeland Security—among many other U.S. government agencies—are using streaming online video, Twitter, and YouTube videos to keep global citizens up to date with the latest facts about the outbreak.  Officials hope to keep the pace of information ahead of the spread of the disease by using websites such as pandemicflu.gov to provide education and to release information quickly.
Read more 
Additional Information 
Additional Information

IntelliShield Analysis: Web 2.0 technology enables the rapid spread of valid information concerning the impact of an outbreak to support public health, business continuity, and the economy.  The same ease and speed has encouraged cyber criminals to capitalize on public fears about the flu by using spam attacks, spoofing websites, and registering hundreds of flu-themed domain names.  Businesses are advised to closely monitor legitimate websites to protect employees and minimize economic effects, which were severe during the SARS outbreak in 2003.  Individuals should remain alert to spurious e-mail messages or websites from untrusted or unknown sources.  Organizations may consider adjusting spam filters to bypass e-mail messages that have flu-related subject lines.  Education remains key to efforts to control the effects of the virus on citizens and commerce and to mitigate the accompanying criminal activity.

Geopolitical

Sacking of Russian Intelligence Chief Underscores Broader Military Reforms

The head of Russia's military intelligence service, the GRU, has been dismissed amidst reported disagreements over military reforms.  According to the Kremlin's press service, Russian President Dmitry Medvedev signed an order relieving General Valentin Korabelnikov of his post on April 24, 2009.  For the past 12 years, General Korabelnikov had headed the GRU, Russia's largest intelligence service, which controls Moscow's spy satellites and also oversees electronic communications interceptions, according to a variety of reports.  With the announcement last month of the official conclusion of the conflict in the breakaway province of Chechnya, the time may have seemed right for Russia's military planners to proceed with planned reforms, including replacement of Korabelnikov.  Korabelnikov's critical role is said to have been securing Chechnya following the breakup of the Soviet Union.
Read More 
Additional Information

IntelliShield Analysis: The resignation underscores differences between General Korabelnikov—who is seen as a traditional Soviet-style military leader—and Prime Minister Vladimir Putin, President Medvedev, and Defense Minister Anatoliy Serdyukov, who are seeking to reorganize and modernize the Russian military.  There has been some speculation that the long-expected reforms were accelerated following Russia's military action in Georgia last August.  This action revealed shortcomings, particularly in high-end military communications.  Information security professionals may wish to be aware of these developments because changes in the balance of power among Russia's military and intelligence services will likely affect its collection resources, targets, and capabilities.

Upcoming Security Activity

CSI SX Security Exchange: May 17–21, 2009
Cisco Live: June 27–July 2, 2009

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following dates:

India General Elections: April 16–May 13, 2009

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit
Cisco Security IntelliShield Alert Manager Service

For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit
Trial Registration



This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.

Back to Top