
Cyber Risk Report

April 6–12, 2009

The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.

Vulnerability

Vulnerability and threat activity levels remained consistent with those from previous weeks. Although there was increased activity associated with the Conficker and the Waledac families of malicious code, there was no significant impact on broader activity levels.

Conficker continued to wreak havoc on countless hosts with the newly released Conficker.E variant. As of April 8, 2009, the Conficker botnet downloaded an update that exhibits more similarities with the Waledac botnet. Updated information about Conficker and Waledac is available in IntelliShield alert 17121 and IntelliShield alert 17327, respectively. With the latest update, Conficker and Waledac both contact the same domains to obtain updates; moreover, both botnets appear to hook the Wireshark application programmatically, so that when a user opens Wireshark on an infected system the worm terminates the application. The previously reported command and control traffic, which used UDP packets over P2P connections to download updates to infected systems, ceased on April 9, 2009. One of the most noticeable changes in the Conficker.E variant is the move of command and control traffic to TCP port 443, the port normally used for SSL-encrypted traffic. Because a port number alone does not identify the protocol carried on it, port-based filtering cannot tell this traffic apart from legitimate HTTPS; only inspection of the payload can.
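The report notes the move of Conficker.E command and control traffic to TCP port 443. As an added example that is not part of the report or of any Cisco tooling, the Python below classifies a TCP/443 flow by whether the first bytes the client sends form a TLS ClientHello record header; flows that do not are flagged for review. The report does not state whether Conficker's traffic on 443 is genuine TLS, so this check assumes the command and control payload is not a TLS handshake; the Flow record, the sample flows and the record-size limit are constructed for illustration.

```python
"""
Added example (not from the Cyber Risk Report): flag TCP/443 flows whose
first client payload is not a TLS ClientHello.  The port number says nothing
about the protocol, so the bytes are inspected.  ASSUMPTION: the command and
control traffic being hunted is not a real TLS handshake; the report does not
say either way.
"""
from typing import List, NamedTuple


class Flow(NamedTuple):
    src: str
    dst: str
    dport: int
    first_bytes: bytes  # first payload bytes sent by the client


def looks_like_tls_client_hello(payload: bytes) -> bool:
    """True if payload starts with a TLS record of type handshake carrying a ClientHello.

    Record header: content type 0x16 (handshake), version major 0x03, version
    minor 0x00..0x04 (SSL 3.0 through the TLS 1.3 record layer), 2-byte length.
    The handshake message that follows starts with its type; 0x01 = ClientHello.
    """
    if len(payload) < 6:
        return False
    content_type, major, minor = payload[0], payload[1], payload[2]
    if content_type != 0x16 or major != 0x03 or minor > 0x04:
        return False
    record_len = int.from_bytes(payload[3:5], "big")
    # RFC 5246 caps a record at 2^14 bytes of plaintext (+2048 for expansion).
    if record_len == 0 or record_len > 16384 + 2048:
        return False
    return payload[5] == 0x01


def suspicious_443_flows(flows: List[Flow]) -> List[Flow]:
    """Return flows to TCP/443 whose first client bytes are not a TLS ClientHello."""
    return [f for f in flows
            if f.dport == 443 and not looks_like_tls_client_hello(f.first_bytes)]


# Constructed sample flows, not captured traffic (RFC 5737 documentation addresses).
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "203.0.113.10", 443, bytes.fromhex("160301005a0100005603035b")),  # genuine ClientHello
    Flow("10.0.0.7", "198.51.100.20", 443, b"GET /update HTTP/1.0\r\n\r\n"),            # plaintext HTTP on 443
    Flow("10.0.0.9", "192.0.2.30", 443, bytes.fromhex("0a0b0c0d0e0f10111213")),        # opaque binary on 443
    Flow("10.0.0.9", "192.0.2.40", 80, b"GET / HTTP/1.1\r\n"),                          # not port 443, ignored
]

if __name__ == "__main__":
    for f in suspicious_443_flows(SAMPLE_FLOWS):
        print(f"review: {f.src} -> {f.dst}:{f.dport} first bytes {f.first_bytes[:8]!r}")
```

This catches plaintext or custom binary protocols hiding on 443. It does not catch malware that speaks real TLS; for that, the next step is to look at what the handshake carries (certificate, server name) rather than at the record header alone.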

Cisco released a security advisory to address multiple vulnerabilities in Cisco ASA Adaptive Security Appliance and Cisco PIX Security Appliances. These vulnerabilities include VPN authentication bypass using the account override feature, a crafted HTTP packet denial of service (DoS) vulnerability, a crafted TCP packet DoS vulnerability, a crafted H.323 packet DoS vulnerability, an SQL*Net packet DoS vulnerability, and an access control list (ACL) bypass vulnerability.

Microsoft released its Security Bulletin Advance Notification for April 2009, which includes eight bulletins scheduled for release on April 14, 2009. Of these bulletins, Microsoft has scored five with a maximum severity rating of Critical, two with a rating of Important, and one with a rating of Moderate. These bulletins address vulnerabilities in the Microsoft Windows operating system, the Microsoft Office Suite of applications, and the Microsoft Security Server products.

Oracle also released its Critical Patch Update Pre-Release Announcement for April 2009. This update will include 43 security fixes that affect multiple Oracle products. The Oracle Critical Patch Update is also scheduled for release on April 14, 2009.

In malicious code activity, Cisco released Threat Outbreak alert 18021 to detail deceptive e-mail messages that contain a link to download malicious code. Cisco Security Intelligence Operations detected increased activity related to e-mail messages that attempt to deceive users into downloading malicious code. The e-mail messages state that Cetelem Bank has performed an update and that users must download and install software if they want to continue to have access to their online banking account. The e-mail messages contain a URL that directs users to a malicious .exe file. Systems can only be infected after a user downloads and executes the malicious file.

VMware released a security advisory for a host code execution vulnerability from a guest operating system. The vulnerability may allow a guest operating system to run code on the host, as detailed in IntelliShield alert 18022.

In other malicious code activity, Twitter published a blog post about the computer worm that affected Twitter users over the past weekend. The worm is similar to the "Samy" worm that compromised more than one million MySpace accounts in 2005. To date, about 10,000 posts (tweets) that could have spread the worm have been identified and deleted. At the time of this writing, Twitter has stated that the situation is under control. Additional information on worm mitigation techniques is available in the white paper "Worm Mitigation Technical Details".

IntelliShield published 91 events last week: 34 new events and 57 updated events. Of the 91 events, 73 were Vulnerability Alerts, three were Malicious Code Alerts, three were Security Activity Bulletins, eight were Threat Outbreak Alerts, three were Security Issue Alerts, and one was a Cyber Risk Report. The alert publication totals are as follows:

Weekly Alert Totals

Day           Date        New   Updated   Total
Friday        4/10/2009     5         0       5
Thursday      4/9/2009      2        10      12
Wednesday     4/8/2009     15        11      26
Tuesday       4/7/2009      4        16      20
Monday        4/6/2009      8        20      28
Weekly Total               34        57      91


Significant Alerts for April 6-12, 2009

Worm: W32/Conficker.worm
IntelliShield Malicious Code Alert 17121, Version 18, April 9, 2009
Urgency/Credibility/Severity Rating: 4/5/3

W32/Conficker has changed its command and control communication methods and has begun to download malicious files to infected systems. Conficker has changed from malicious code that infects vulnerable systems into an operational botnet. It is expected to continue to attempt to infect vulnerable systems, to change its command and control communication, and to download additional malicious files to infected systems.

Previous Alerts That Still Represent Significant Risk

Adobe Acrobat Products PDF File Buffer Overflow Vulnerability
IntelliShield Vulnerability Alert 17665, Version 7, March 19, 2009
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2009-0658

Adobe Reader, Adobe Acrobat Professional, Acrobat Professional Extended, and Acrobat Standard contain a buffer overflow vulnerability that could allow a remote attacker to create a denial of service condition or execute arbitrary code with the privileges of the user. The level of user privileges and the code that is executed determine the degree to which the system is compromised. This vulnerability is actively being exploited in the wild by the Pidief family of trojans. Additional information about the trojan is available in IntelliShield alert 14388. Adobe has confirmed the vulnerability and released updated software for Version 9 of the affected products.

Microsoft Office Excel Invalid Object Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 17689, Version 5, March 6, 2009
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2009-0238

Microsoft Excel and related products contain a vulnerability that could allow a remote attacker to execute arbitrary code. Attackers are actively exploiting this vulnerability to conduct limited malicious code attacks that are designed to infect targeted systems with a variant of the Mdropper family of trojans. This family of trojans is detailed in IntelliShield alert 12562. Microsoft has confirmed this vulnerability, but updated software is not available.

Misconfigured Router Causes Increased BGP Traffic and Isolated Outages for Internet Services
IntelliShield Security Activity Bulletin alert 17657, Version 2, February 20, 2009
Urgency/Credibility/Severity Rating: 2/5/3

On Monday, February 16, 2009, a misconfigured router at SuproNet, a Czech Internet Service Provider, caused a sharp increase in Border Gateway Protocol (BGP) updates, as well as isolated outages for Internet services around the world. The disruption was caused by a SuproNet router that issued routing announcement updates containing overly long Autonomous System (AS) paths. Cisco Security Intelligence Operations has released additional technical information and workarounds to mitigate denial of service conditions that result from overly long AS paths. This information is available in IntelliShield alert 17670. OpenBSD has fixed a similar flaw, which is described in IntelliShield alert 17658.
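The bulletin refers to the workaround only by alert number. As an added example that is neither Cisco's code nor the IntelliShield workaround text, the Python below parses a BGP AS_PATH attribute value and rejects an update whose path carries more AS numbers than a configured limit, the same idea as a router-side maximum AS path length setting. The limit of 75, the documentation ASNs and the padded path are constructed inputs; the wire format follows RFC 4271 (2-byte ASNs) and RFC 6793 (4-byte ASNs).

```python
"""
Added example (not from the Cyber Risk Report or from Cisco): parse a BGP
AS_PATH attribute and drop updates whose path exceeds a configured maximum
number of AS hops.

Wire format (RFC 4271 section 4.3): a sequence of path segments, each
  <segment type (1 byte)> <number of ASes (1 byte)> <ASes>
where each AS is 2 bytes, or 4 bytes when 4-octet AS numbers are in use
(RFC 6793).  The 1-byte count limits a single segment to 255 ASes, so a
longer path is carried as several segments.
"""
from typing import List, Tuple

AS_SET, AS_SEQUENCE = 1, 2


class MalformedAsPath(ValueError):
    pass


def parse_as_path(value: bytes, asn_size: int = 2) -> List[Tuple[int, List[int]]]:
    """Return a list of (segment_type, [asn, ...]) tuples, or raise MalformedAsPath."""
    if asn_size not in (2, 4):
        raise ValueError("asn_size must be 2 or 4")
    segments, pos = [], 0
    while pos < len(value):
        if pos + 2 > len(value):
            raise MalformedAsPath("truncated segment header")
        seg_type, count = value[pos], value[pos + 1]
        pos += 2
        if seg_type not in (AS_SET, AS_SEQUENCE):
            raise MalformedAsPath(f"unknown segment type {seg_type}")
        end = pos + count * asn_size
        if end > len(value):
            raise MalformedAsPath("segment length exceeds attribute length")
        asns = [int.from_bytes(value[i:i + asn_size], "big") for i in range(pos, end, asn_size)]
        segments.append((seg_type, asns))
        pos = end
    return segments


def as_path_length(segments: List[Tuple[int, List[int]]]) -> int:
    """Total number of AS numbers carried in the path, across all segments.

    (Best-path selection counts an AS_SET as one hop; for a size limit the raw
    count is the quantity that matters, so every ASN is counted here.)
    """
    return sum(len(asns) for _, asns in segments)


def accept_update(as_path_value: bytes, max_as: int, asn_size: int = 2) -> bool:
    """True if the update should be installed; False if the path is too long or malformed."""
    try:
        segments = parse_as_path(as_path_value, asn_size)
    except MalformedAsPath:
        return False
    return as_path_length(segments) <= max_as


def build_as_sequence(asns: List[int], asn_size: int = 2) -> bytes:
    """Encode ASNs as AS_SEQUENCE segments, splitting at the 255-ASN segment limit."""
    out = b""
    for i in range(0, len(asns), 255):
        chunk = asns[i:i + 255]
        out += bytes([AS_SEQUENCE, len(chunk)]) + b"".join(a.to_bytes(asn_size, "big") for a in chunk)
    return out


# Constructed inputs using RFC 5398 documentation ASNs: a normal 3-hop path and
# a path padded to 300 ASes by repeated prepending (two segments on the wire).
NORMAL_PATH = build_as_sequence([64496, 64497, 64498])
PADDED_PATH = build_as_sequence([64499] * 297 + [64500, 64501, 64502])

if __name__ == "__main__":
    print("normal path accepted:", accept_update(NORMAL_PATH, max_as=75))
    print("padded path accepted:", accept_update(PADDED_PATH, max_as=75))
```

A malformed attribute is treated the same way as an over-long one: the update is refused rather than parsed optimistically, which is the behaviour a receiver wants when the sender's announcements are the thing causing the outage.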

Microsoft Internet Explorer Uninitialized Memory Corruption Vulnerability
IntelliShield Vulnerability Alert 17519, Version 6, March 13, 2009
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2009-0075

Microsoft Internet Explorer Version 7.0 contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code or crash the browser, resulting in a denial of service condition. On systems that grant users Administrator privileges, an attacker could execute code that may result in the complete compromise of the affected system. Reports have confirmed the existence of exploit code that is being delivered using a Microsoft Office Word document saved in the XML format. Exploits have been observed wherein attackers build Word documents using XML constructs, save them as .doc files, and deliver the malicious document via e-mail or host it on websites. Several antivirus vendors are reporting the activity.

Worm: W32.Waledac
IntelliShield Malicious Code Alert 17327, Version 9, February 13, 2009
Urgency/Credibility/Severity Rating: 4/5/4

W32.Waledac is a worm that attempts to open a back door on an infected system. The worm propagates by sending a copy of itself to e-mail addresses found on the infected system. Recently, the Waledac family was observed disguising itself as valentine-related e-cards. The e-mail messages are configured to take advantage of interest in current events or holidays to convince users to open malicious e-mail attachments. W32.Waledac may download files on an infected system and provide an attacker with backdoor access. The worm also attempts to steal confidential information that is related to numerous online banking entities.

Physical

London Counter-Terrorism Document Exposure

Britain's senior counter-terrorism officer, Bob Quick, resigned from the Metropolitan Police Service of London after a photograph was taken of documents that Mr. Quick was carrying on his way to a security briefing. Details on the exposed page included plans to raid several addresses in connection with a suspected terror bombing plot. As a result of the disclosure, police raids had to occur sooner than planned. Suspects are expected to face deportation and not criminal charges.

IntelliShield Analysis: Physical document protections, such as binders or cover sheets, provide a very simple countermeasure against snooping, much as screen guards do for computers. With digital cameras, telephoto lenses, and the proliferation of surveillance cameras, these simple countermeasures become even more important for organizations that regularly handle documents in public areas. Much like clean desk policies, organizations should consider clear policies on how documents and systems are to be handled and displayed in public. For the Metropolitan Police Service, this failure in document handling not only cost the organization a senior staff member but also may have forced it to act too quickly, preventing the full prosecution of the suspected terrorists.

Legal

FBI Raid on Service Providers

According to the United States (U.S.) Federal Bureau of Investigation (FBI), two Internet Service Providers (ISPs), Premier Voice and Lone Star Power, both based in the U.S. state of Texas, allegedly cheated AT&T Inc. and Verizon Communications Inc. out of 120 million minutes of telephone service. The ISPs are accused of providing fraudulent information to the telecommunications companies in order to steal the phone time and pass it on to their customers. The FBI recently raided a co-location facility in Dallas, Texas; the allegations became public when the FBI's search-warrant request was made public.

IntelliShield Analysis: This issue underscores the need for companies to audit the companies they do business with. The risk is perhaps higher with partners that have limited capabilities for monitoring and reporting to their counterparts, or that have not been in business long. Careful audits of business partners can alert companies such as AT&T and Verizon to potentially risky relationships; closer scrutiny of these ISPs might have detected the fraudulent information and prevented the alleged losses of phone time.

Trust

There was no significant activity in this category during the time period.

Identity

There was no significant activity in this category during the time period.

Human

Twitter Streams Moldova Revolt

Growing unrest in Moldova over disputed parliamentary election results led government authorities to shut down phone and television networks to stop approximately 1,000 protesters from communicating and sharing information with each other. Protesters used the social networking service Twitter to mobilize more than 10,000 student protesters into a "flash mob" in Chisinau, the capital of the Republic of Moldova. Organizers added a searchable tag to a Twitter page that allowed followers to track events in real time, while a Google translation application in the sidebar made the microblogged reports accessible to a global audience. Authorities in Chisinau shut down access to the Internet for several hours and lifted the news blackout only to televise appeals to the public to stay home, threatening that weapons would be used against protesters. By April 10, traditional communications services had been restored and protests halted as President Vladimir Voronin announced that a vote recount would take place.

IntelliShield Analysis: The situation in Moldova is an example of the power of social networking sites; the use of Twitter as a workaround enabled protesters to stay in touch with one another, report on conditions, remain organized, and, perhaps most importantly, alert international news organizations to rapidly developing events when traditional media sources had been blocked. The resulting spotlight may have contributed to the decision to recount votes, especially as reports of government violence against student protesters and journalists began to emerge from the news blackout. Flash mobs, whether assembled for political or entertainment purposes, can disrupt businesses and traffic flow and create costly distractions for law enforcement officials. Authorities will eventually adopt the same Web 2.0 technologies used by their adversaries, but in Moldova officials were unable to suppress speech simply by shutting down television and phone service. The use of social networking sites may have lessened the number of student casualties and limited collateral damage as government officials and protesters realized the world was twittering.

Geopolitical

Anti-Piracy Legislation Creates Political Tension

Anti-piracy legislation under consideration everywhere from Sweden to New Zealand is being greeted by generally high levels of popular opposition. In Sweden, which enjoys some of the highest connectivity in the world, Internet traffic fell by 40 percent two days after a new law took effect that requires ISPs to disclose the identities behind the IP addresses of suspected copyright infringers to rights holders who obtain a court order. In France, lawmakers rejected a bill that would have created a three strikes system, wherein copyright infringers would receive three warnings against illegally downloading music, after which they could lose their Internet connection for a year. South Korea, for its part, successfully passed a three strikes rule, but opposition is already rising.

IntelliShield Analysis: Anti-piracy legislation is widely opposed by a primarily young generation of global Internet users who are alienated by the copyright regime that an older generation took for granted. Indeed, the multilateral Anti-Counterfeiting Trade Agreement (ACTA) anti-piracy treaty currently under discussion between the European Union, the United States, and Japan is inviting criticism primarily because of the closed-door nature of the negotiations. These efforts to curb abuse of the Internet may be well-intentioned, but as they increasingly are portrayed as symbols of anti-democratic, state-sponsored oppression, they may become more politically volatile, and ultimately may do more harm than good to the companies whose intellectual property they seek to protect.

Upcoming Security Activity

Black Hat Europe 2009: April 14–17, 2009
RSA Conference 2009: April 20–24, 2009
CSI SX Security Exchange: May 17–21, 2009

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following dates:

United States income tax day: April 15, 2009
India general elections: April 16–May 13, 2009
South Africa general election: April 22, 2009

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit
      Cisco Security IntelliShield Alert Manager Service

For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit
      Trial Registration

This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.
