Cyber Risk Report

April 9–15, 2012

The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.

Vulnerability

Vulnerability activity for the period was increased, primarily due to the Microsoft April security bulletins. Other vulnerability activity included security advisories and updates for Adobe Flash Player, Reader, and Acrobat; a Samba remote code execution vulnerability; an Nginx web server vulnerability; multiple VMware product vulnerabilities; RealNetworks Helix Mobile and Helix Server vulnerabilities; and multiple vulnerabilities in ImageMagick.

The Microsoft April Security Bulletin release included six bulletins that addressed 11 individual vulnerabilities. Microsoft rated four of the bulletins as critical and the remaining two as important. The most significant of the bulletins are likely MS12-023 for Internet Explorer and MS12-027 for Windows Common Controls (MSCOMCTL). Full details of the Microsoft security bulletins are available on the Cisco Security Intelligence Operations portal and in correlated Cisco IntelliShield alerts, Cisco Intrusion Prevention System (IPS) signatures, and an Applied Mitigation Bulletin listed in Cisco Event Response: Microsoft Security Bulletin Release for April 2012. A video summary of the bulletins is available in Insights on the Microsoft Security Bulletin Release for April 2012.

Cisco released two IntelliShield alerts for vulnerabilities in the IronPort Web Security Appliance. The vulnerabilities were reported in alerts 25647 and 25648.

Oracle will release the scheduled quarterly Critical Patch Update (CPU) on April 17, 2012. The prerelease announcement included 88 patches for multiple Oracle products. This CPU does not include updates for Java, which will be released in the next scheduled Java SE update in June 2012.

IntelliShield published 129 events last week: 69 new events and 60 updated events. Of the 129 events, 84 were Vulnerability Alerts, eight were Security Activity Bulletins, two were Security Issue Alerts, 31 were Threat Outbreak Alerts, three were Applied Mitigation Bulletins, and one was a Cyber Risk Report. The alert publication totals are as follows:

Weekly Alert Totals

Day           Date         New   Updated   Total
Saturday      04/14/2012     4         0       4
Friday        04/13/2012     5         8      13
Thursday      04/12/2012     8         8      16
Wednesday     04/11/2012     8        12      20
Tuesday       04/10/2012    28        25      53
Monday        04/09/2012    16         7      23
Weekly Total                69        60     129

Significant Alerts for the Time Period

Oracle Java Runtime Environment readMabCurveData nTblSize Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 25636, Version 1, April 10, 2012
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2012-0498
Oracle Java Runtime Environment contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code. Oracle has released a security advisory in the Oracle Critical Patch Update February 2012. Reports indicate that this vulnerability is being actively exploited in the wild. HP, IBM, Apple, and Red Hat have released security advisories and updates.

Previous Alerts That Still Represent Significant Risk

Oracle Java Runtime Environment AtomicReferenceArray Type Violation Remote Code Execution Vulnerability
IntelliShield Vulnerability Alert 25553, Version 3, April 5, 2012
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2012-0507
Multiple versions of Oracle Java Runtime Environment (JRE) contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. Functional code that exploits this vulnerability is publicly available. Oracle has confirmed this vulnerability and released software updates. Red Hat, HP, and Apple have released security advisories.

Oracle Java SE Critical Patch Update February 2012
IntelliShield Activity Bulletin 25191, Version 5, April 6, 2012
Urgency/Credibility/Severity Rating: 2/5/4
Multiple CVEs
Oracle has released the February 2012 Critical Patch Update to address multiple security vulnerabilities in multiple Oracle Java SE versions. This update remediates 14 vulnerabilities that could allow an unauthenticated, remote attacker to execute arbitrary code or cause a denial of service (DoS) condition on a targeted system. Oracle, CentOS, Red Hat, IBM, HP, and Apple have released security bulletins and updated software.

MIT Kerberos 5 Telnet Service Buffer Overflow Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 24838, Version 8, April 5, 2012
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2011-4862
MIT Kerberos 5 contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on the system. Functional code that exploits this vulnerability is available as part of the Metasploit framework. MIT has confirmed the vulnerability and released software updates. Oracle, VMware, Cisco, FreeBSD, GNU.org, and Red Hat have released security advisories.

Apache HTTP Server Reverse Proxy Rewrite URL Validation Vulnerability
IntelliShield Vulnerability Alert 24625, Version 6, March 28, 2012
Urgency/Credibility/Severity Rating: 2/5/3
CVE-2011-4317
Apache HTTP Server contains a vulnerability that could allow an unauthenticated, remote attacker to gain unauthorized access to internal networks. Apache has not confirmed the vulnerability and software updates are not available. The vulnerability is due to a regression error introduced by the vulnerability CVE-2011-3368, documented in IntelliShield Alert 24327. Proof-of-concept code that exploits the vulnerability is publicly available. HP has released a security bulletin and updated software to address this vulnerability.

Microsoft Windows Remote Desktop Uninitialized Memory Access Arbitrary Code Execution Vulnerability
IntelliShield Security Activity Bulletin 25326, Version 3, March 20, 2012
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2012-0002
Microsoft Windows contains a vulnerability in Remote Desktop that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. Microsoft has confirmed the vulnerability in a security bulletin and released updated software. Proof-of-concept code that exploits the vulnerability is publicly available. ICS-CERT has released a security advisory to address this vulnerability.

Multiple Apple Products Security Updates
IntelliShield Security Activity Bulletin 25374, Version 2, March 13, 2012
Urgency/Credibility/Severity Rating: 2/5/3
Multiple CVEs
Apple iOS versions prior to 5.1 contain multiple vulnerabilities that could allow an unauthenticated, remote attacker to conduct information disclosure, security bypass, denial of service, code execution, or cross-site scripting attacks. Apple has released an additional security update and updated software to address these vulnerabilities. Apple added Apple Safari versions prior to 5.1.4 and Apple Safari for Windows versions prior to 5.1.4 to the list of products affected by these vulnerabilities.

Apple iTunes and iTunes for Windows Multiple Memory Corruption Vulnerabilities
IntelliShield Security Activity Bulletin 25373, Version 1, March 9, 2012
Urgency/Credibility/Severity Rating: 2/5/4
Multiple CVEs
Apple iTunes and iTunes for Windows contain multiple vulnerabilities that could allow an unauthenticated, remote attacker to conduct cross-site scripting attacks, cause a denial of service condition, or execute arbitrary code on a targeted device.

Multiple Products Hash Collisions Denial of Service Vulnerability
IntelliShield Security Activity Bulletin 24871, Version 8, February 24, 2012
Urgency/Credibility/Severity Rating: 2/5/3
CVE-2011-4461, CVE-2011-4815, CVE-2011-4885, CVE-2012-0193, CVE-2012-0841
Multiple products contain a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service condition. Updates are available. Apache, Microsoft, CentOS, IBM, Ruby, FreeBSD, Red Hat, and HP have released security advisories and updates.

Trend Micro Control Manager CmdProcessor.exe Arbitrary Code Execution Vulnerability
IntelliShield Activity Bulletin 24728, Version 2, February 23, 2012
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2011-5001
Trend Micro Control Manager contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. Proof-of-concept code that exploits this vulnerability is publicly available and is included in the Metasploit framework.

Physical

There was no significant activity in this category during the time period.

Legal

There was no significant activity in this category during the time period.

Trust

U.S. Government and Cellular Carriers Plan a Database for Stolen Cell Phones

Using or selling stolen cellular phones should become more difficult in the future. The two major U.S. cellular service providers without a stolen phone database, AT&T and T-Mobile, have agreed to create one. Along with Verizon and Sprint, these carriers have agreed to make the database available to the Federal Communications Commission. Future plans for the database include an international connection that could make a stolen cell phone unable to be used worldwide; stolen phones are resold in Latin America, Africa, and China. A number of stolen phone databases exist in Europe, and these have significantly reduced the number of cellular phone thefts.

IntelliShield Analysis: Cellular systems based on the GSM standard do not send a physical phone's international mobile equipment identity (IMEI) when attaching to a particular carrier. The IMEI is not needed because the complete identification used for attaching to the network, the international mobile subscriber identity (IMSI), is contained in the subscriber identification module (SIM). This limits the ability of the database to prevent stolen phone reuse. However, the two major U.S. cellular carriers using GSM technology, AT&T and T-Mobile, are both investigating methods of checking the IMEI when the phone connects to the network. Stolen cellular phones have also been used in scams that abuse password recovery procedures in which a text message is sent to the phone to verify the validity of the password reset request. For owners of smartphones, a variety of applications and services offer remote location, remote wiping, and data encryption, further limiting the usefulness of stolen cell phones. Smartphone users are advised to install a protection application that includes these capabilities, and all cell phone users should report a theft as soon as possible.
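The analysis above notes that the SIM's IMSI, not the handset's IMEI, is what identifies a GSM attach, so a stolen-device check has to key on the IMEI. The following added example (not from the report or any carrier) models such a carrier-side check: it validates the IMEI's Luhn check digit, then consults a blocklist; the IMSIs, IMEIs and blocklist are constructed for the example.

```python
"""Constructed model of a carrier-side stolen-device check at attach time.

Assumptions (not from the report): the attach request exposes both the
SIM's IMSI and the handset's IMEI; the blocklist is a plain set of IMEIs.
"""
from dataclasses import dataclass


def imei_check_digit(payload14: str) -> int:
    """Luhn check digit over the 14-digit TAC+serial part of an IMEI."""
    total = 0
    # Double every second digit, starting with the rightmost payload digit.
    for i, ch in enumerate(reversed(payload14)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def is_valid_imei(imei: str) -> bool:
    """An IMEI is 15 digits whose last digit is the Luhn check of the first 14."""
    return (len(imei) == 15 and imei.isdigit()
            and int(imei[-1]) == imei_check_digit(imei[:14]))


# Constructed blocklist of handsets reported stolen (hardware identity).
STOLEN_IMEIS = {"352099001761481"}


@dataclass
class AttachRequest:
    imsi: str   # subscriber identity from the SIM; changes with a SIM swap
    imei: str   # equipment identity tied to the handset itself


def decide_attach(req: AttachRequest, stolen=STOLEN_IMEIS) -> str:
    """Return 'reject-malformed', 'reject-stolen' or 'accept'."""
    if not is_valid_imei(req.imei):
        return "reject-malformed"   # mistyped or forged identifier
    if req.imei in stolen:
        return "reject-stolen"      # same handset regardless of SIM
    return "accept"


if __name__ == "__main__":
    # Same stolen handset with two different SIMs: an IMSI-keyed check
    # would miss the second attach; an IMEI-keyed check catches both.
    print(decide_attach(AttachRequest("310150123456789", "352099001761481")))
    print(decide_attach(AttachRequest("310260987654321", "352099001761481")))
    print(decide_attach(AttachRequest("310150123456789", "490154203237518")))
```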

Identity

Ogaki Kyoritsu Bank of Japan Using Biometric, Cardless Automated Teller Machines

A regional bank in Japan, Ogaki Kyoritsu, is rolling out cash machines that use biometric palm print scanners and PINs rather than traditional cards for authentication. The systems would allow bank customers to authenticate without needing a cash card, greatly increasing accessibility, particularly after the 2011 earthquake and tsunami in northern Japan.

IntelliShield Analysis: The use of these biometric scanners may reduce the risk of theft because the card cannot be stolen with a customer's wallet. Pairing biometric authentication with the use of a bank-issued card could greatly reduce the potential for fraud, as a criminal could not access the ATM without the customer's palm print. Biometrics also allow service accessibility to customers who have lost their cards due to accident or disaster.

Improper use of the scanners or high failure rates could lead to customer frustration. Unlike issued cash cards and PIN codes, palm prints are not easily replicated, but they also cannot be changed if compromised, so the biometric information stored by the bank must be handled with care.

Human

There was no significant activity in this category during the time period.

Geopolitical

North Korea May Be Eyeing Cybercrime

The Democratic People's Republic of Korea's (DPRK) 100th anniversary celebrations of the birth of founder Kim Il-Sung were spoiled by a failed satellite rocket launch late last week. Pyongyang's official news agency admitted that the rocket had broken up over the ocean shortly after launch, amounting to a humiliation for new leader Kim Jong-Un, who may have hoped to use the launch to showcase his consolidation of power. The country continues to spend heavily on defense, despite a weak economy and continued dependence on external food aid. Meanwhile, the livelihoods of the wealthiest North Koreans are dependent on organized crime, according to experts. A recent New York Times article described 20-something Kim Jong-Un as the de facto head of a mafia state. Major transnational organized crime activities include currency counterfeiting, gambling via pachinko parlors in Japan, drug trafficking, and black market trade.

IntelliShield Analysis: The situation in North Korea, which at times seems as though it cannot possibly deteriorate further, raises questions for information security experts. While a growing body of evidence points to a sophisticated military-led cyber offense program, the North's financially motivated cybercrime capabilities are hard to measure. As global financial transactions, gambling, and trade increasingly become electronic activities, it seems probable that online crime originating from the DPRK will increase. Indeed, as the regime clings to existence at least for a while longer, cybercrime may be an obvious solution for Kim, who needs to shore up power by keeping his top military leaders comfortable. Cybercrime requires minimal capital investment and provides quick payoff, particularly when compared to nuclear programs and satellite launches. The implications of de facto sovereign organized crime groups launching satellites and conducting nuclear tests, meanwhile, are a discussion for another day.

Upcoming Security Activity

Interop: May 6–10, 2012
Cisco Live US: June 10–14, 2012
Black Hat USA 2012: July 21–26, 2012
DEFCON 20: July 26–29, 2012

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following:

France Presidential Elections: April 22, 2012
World IPv6 Launch: June 6, 2012
Mexico General Elections: July 1, 2012
London Olympic Summer Games: July 27–August 12, 2012

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit the Cisco Security IntelliShield Alert Manager Service page.

For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit the Trial Registration page.
This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.