Cyber Risk Report

August 25–31, 2008

The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.

Vulnerability

Vulnerability and threat activity levels decreased significantly between July and August 2008. The drop in activity levels can be attributed to a lower number of vendor responses to existing threats during the time period. The number of newly reported vulnerabilities remained consistent with earlier time periods.

Significant to the time period are ongoing targeted attacks using malicious JustSystems Ichitaro documents to infect users' systems with a backdoor trojan. These attacks are detailed in IntelliShield Alert 16543. The attacks use the unspecified arbitrary code execution vulnerability in JustSystems Ichitaro, as described in IntelliShield Alert 16544, to create the BackDoor-DRZ trojan on the targeted system. The trojan, which is detailed in IntelliShield Alert 16542, attempts to grant a remote attacker backdoor access to the infected system using port 443. Such attacks reflect the trend of using vulnerabilities in office productivity documents to propagate malicious code. These attacks are easily adapted for social engineering tactics by changing the content and appearance of a document to the targeted habits of the affected user. Virus definitions are available to detect these particular attacks.

Recent detections show that attackers have been compromising Linux-based systems using stolen SSH keys. These attacks are described in IntelliShield Alert 16547. One source of the stolen SSH keys may be the OpenSSL random number generation issue that is affecting Debian and Ubuntu. After gaining access to an affected system, the attacker uses locally exploitable vulnerabilities to gain root privileges, which allow the attacker to install the phalanx2 rootkit. This rootkit appears to be an updated version of the Linux.Phalax trojan, which is described in IntelliShield Alert 16418.

IntelliShield published 99 events last week: 42 new events and 57 updated events. Of the 99 events, 78 were Vulnerability Alerts, eight were Security Activity Bulletins, five were Security Issue Alerts, three were Daily Malicious Code Summaries, three were Malicious Code Alerts, one was an Applied Mitigation Bulletin, and one was a Cyber Risk Report. The weekly, monthly, and cumulative alert publication totals are as follows:

Weekly Alert Totals

Day           Date         New  Updated  Total
Friday        08/29/2008    11        5     16
Thursday      08/28/2008     8        6     14
Wednesday     08/27/2008     6       16     22
Tuesday       08/26/2008     9       21     30
Monday        08/25/2008     8        9     17
Weekly Total                42       57     99


2008 Monthly Alert Totals

Month           New  Updated  Monthly Total
January         178      452            630
February        243      452            695
March           257      402            659
April           209      430            639
May             210      318            528
June            189      360            549
July            176      464            640
August          189      328            517
Annual Total   1651     3206           4857


Cumulative Alert Totals

graph of alert totals for August 2008


Significant Alerts for August 25–31, 2008

JustSystems Ichitaro Unspecified Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 16544, Version 1, August 28, 2008
Urgency/Credibility/Severity Rating: 3/5/4

JustSystems Ichitaro products contain a vulnerability that could allow a remote attacker to cause a denial of service condition or execute arbitrary code. The vendor is reportedly investigating the issue, but updated software is not currently available. The vulnerability is being used to conduct the type of targeted attacks described in IntelliShield Alert 16543. The attacks occurred before the vulnerability was publicly disclosed; this tactic is commonly known as exploiting a 0-day vulnerability.

Debian and Ubuntu Predictable OpenSSL Random Number Generation Issue
IntelliShield Security Issue Alert 15858, Version 8, June 20, 2008
Urgency/Credibility/Severity Rating: 4/5/3
CVE-2008-0166 and CVE-2008-2285

Debian and Ubuntu contain a security issue in OpenSSL that could result in the generation of pseudo-random values that can easily be predicted. As a result, all SSL certificates, SSH keys, and passwords generated by affected third-party applications may have predictable features that could easily be determined through brute-force methods. Attackers may be able to nullify or significantly reduce the benefits supplied by encryption or randomization.
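The stolen-key compromises described under Vulnerability and the predictable OpenSSL issue above share one practical response: audit every authorized_keys file for keys that could have been generated on an affected Debian or Ubuntu system. The script below is an added example, not Cisco or IntelliShield code. It follows the approach the Debian and Ubuntu openssh-blacklist packages and the ssh-vulnkey tool took, namely that the keys the broken generator could produce were enumerated and published as fingerprints, so a key can be rejected by fingerprint alone without access to its private half. The two keys, the blacklist entry, and the host comments are constructed toy data, not real weak keys.

```python
"""Audit authorized_keys entries against a blacklist of known-weak key fingerprints.

Added example; not Cisco or IntelliShield code. Keys and blacklist below are
constructed toy values, not real weak keys.
"""
import base64
import hashlib
import struct


def _ssh_string(data):
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(n):
    """SSH mpint: big-endian magnitude, with a leading 0x00 if the top bit is set."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def make_rsa_pubkey_line(e, n, comment):
    """Build an OpenSSH 'ssh-rsa <base64> <comment>' line from public parameters.
    Used here only to construct sample keys; e and n are toy values."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return "ssh-rsa %s %s" % (base64.b64encode(blob).decode("ascii"), comment)


def key_fingerprint_md5(pubkey_line):
    """Colon-separated MD5 fingerprint of a public key line (the format the 2008
    blacklists used). Tolerates leading authorized_keys options such as
    from="..." by locating the key-type field first."""
    fields = pubkey_line.split()
    for i, field in enumerate(fields):
        if field in ("ssh-rsa", "ssh-dss") and i + 1 < len(fields):
            digest = hashlib.md5(base64.b64decode(fields[i + 1])).hexdigest()
            return ":".join(digest[j:j + 2] for j in range(0, 32, 2))
    raise ValueError("no ssh-rsa/ssh-dss key in line: %r" % pubkey_line)


def audit_authorized_keys(text, blacklist):
    """Return (line_number, fingerprint, verdict) for each key line; verdict is
    'BLACKLISTED' or 'ok'. Blank lines and '#' comments are skipped."""
    results = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        fp = key_fingerprint_md5(line)
        results.append((lineno, fp, "BLACKLISTED" if fp in blacklist else "ok"))
    return results


# Constructed sample data: two toy keys; the first stands in for a key that
# appears on a published blacklist.
WEAK_KEY = make_rsa_pubkey_line(65537, 0xC0FFEE00123456789ABCDEF1, "deploy@build-host")
GOOD_KEY = make_rsa_pubkey_line(65537, 0xDEADBEEF1111222233334445, "alice@laptop")
BLACKLIST = {key_fingerprint_md5(WEAK_KEY)}
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample authorized_keys",
    WEAK_KEY,
    'from="10.0.0.0/8" ' + GOOD_KEY,
])

if __name__ == "__main__":
    for lineno, fp, verdict in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, BLACKLIST):
        print("line %d  %s  %s" % (lineno, fp, verdict))
```

In practice the blacklist is the vendor-published fingerprint set rather than a set built in the script, and a blacklisted key should be revoked everywhere it appears, not only in the file where it was found, since the same key is typically copied to many hosts. Fingerprint matching also works on keys that arrive in third-party systems (deployment tools, hosted repositories), which is where stolen keys tend to be reused.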

Previous Alerts That Still Represent Significant Risk

Microsoft Windows NSlookup.exe Arbitrary Code Execution Vulnerability
IntelliShield Security Activity Bulletin 16475, Version 1, August 18, 2008
Urgency/Credibility/Severity Rating: 2/4/4
CVE-2008-3648

Microsoft Windows contains a vulnerability that could allow a remote attacker to cause a denial of service condition or execute arbitrary code. The vulnerability exists due to an unspecified error in the NSlookup.exe administrative tool. Reports indicate that attackers may be exploiting this vulnerability in the wild. The Microsoft Security Response Center (MSRC) is currently investigating reports of this vulnerability; however, the vulnerability remains unconfirmed, and updated software is not available.

Multiple Vendor DNS Implementations Insufficient Entropy Vulnerability
IntelliShield Vulnerability Alert 16183, Version 22, August 19, 2008
Urgency/Credibility/Severity Rating: 3/5/3
CVE-2008-1447

DNS implementations from multiple vendors contain a vulnerability that could allow an unauthenticated, remote attacker to conduct DNS cache poisoning attacks. Such an attack may result in the modification of stored DNS entries, possibly allowing the attacker to conduct further attacks against systems that rely on the affected DNS server. Functional exploit code that inserts malicious DNS records into the cache of a targeted server has been publicly released. This exploit places a single malicious host entry in the server's cache: once the server accepts the spoofed response, it caches the additional malicious record the attacker supplies. Additional exploit code that allows complete domain hijacking through the modification of SOA records is also available. Multiple exploit tools are becoming publicly available, increasing the risks associated with not patching affected products.
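The "insufficient entropy" in this alert is measurable from the resolver's own traffic: an off-path attacker forging a reply must match both the 16-bit transaction ID and the UDP source port of the outstanding query, and a resolver that reuses one source port leaves only the ID (65536 values) to guess. The script below is an added example, not Cisco or IntelliShield code, showing how a defender can check a resolver's posture from a capture of its outbound queries. The log line format and both samples are constructed for the example; a real capture would come from tcpdump on the resolver's uplink, and it should contain thousands of queries, because the number of distinct ports seen in a small sample understates the true port range.

```python
"""Estimate how guessable a recursive resolver's outbound queries are.

Added example; not Cisco or IntelliShield code. Log format and samples are
constructed for the example.
"""
import re
from collections import Counter

OBS_RE = re.compile(r"sport=(\d+)\s+txid=0x([0-9a-fA-F]{1,4})")


def parse_observations(text):
    """Extract (source_port, txid) pairs from log lines containing
    'sport=<port> txid=0x<hex>'; lines without the pattern are ignored."""
    pairs = []
    for line in text.splitlines():
        m = OBS_RE.search(line)
        if m:
            pairs.append((int(m.group(1)), int(m.group(2), 16)))
    return pairs


def assess_resolver(obs, txid_bits=16):
    """Summarise the per-reply success chance of a blind forgery.

    The transaction ID is assumed uniformly random over txid_bits bits (true of
    the major resolvers by 2008); the port contribution is the number of distinct
    source ports actually observed, so one port used for every query counts for
    nothing."""
    if not obs:
        raise ValueError("no observations to assess")
    ports = Counter(sport for sport, _ in obs)
    distinct = len(ports)
    if distinct == 1:
        verdict = "fixed source port"
    elif distinct < max(2, len(obs) // 2):
        verdict = "weak source-port randomisation"
    else:
        verdict = "randomised source port"
    guess_space = distinct * (1 << txid_bits)
    return {
        "queries": len(obs),
        "distinct_ports": distinct,
        "most_common_port": ports.most_common(1)[0][0],
        "verdict": verdict,
        "guess_space": guess_space,
        "per_reply_success": 1.0 / guess_space,
    }


# Constructed samples: resolver A sends every query from port 53, resolver B
# picks a fresh port for each query.
FIXED_PORT_SAMPLE = """\
12:00:01.001 resolver-a > 198.51.100.5.53: sport=53 txid=0x3e1f A www.example.net
12:00:01.004 resolver-a > 198.51.100.5.53: sport=53 txid=0x9a40 A mail.example.net
12:00:01.010 resolver-a > 198.51.100.5.53: sport=53 txid=0x0b77 A www.example.org
12:00:01.015 resolver-a > 198.51.100.5.53: sport=53 txid=0xd2c3 A ns1.example.com
12:00:01.021 resolver-a > 198.51.100.5.53: sport=53 txid=0x4f08 A www.example.com
12:00:01.030 resolver-a > 198.51.100.5.53: sport=53 txid=0x81aa MX example.com
"""
RANDOM_PORT_SAMPLE = """\
12:00:02.001 resolver-b > 198.51.100.5.53: sport=41873 txid=0x1c2d A www.example.net
12:00:02.004 resolver-b > 198.51.100.5.53: sport=55210 txid=0xa1e4 A mail.example.net
12:00:02.010 resolver-b > 198.51.100.5.53: sport=33019 txid=0x7f03 A www.example.org
12:00:02.015 resolver-b > 198.51.100.5.53: sport=60741 txid=0xe95b A ns1.example.com
12:00:02.021 resolver-b > 198.51.100.5.53: sport=38566 txid=0x2a90 A www.example.com
12:00:02.030 resolver-b > 198.51.100.5.53: sport=49102 txid=0xc417 MX example.com
"""

if __name__ == "__main__":
    for name, sample in (("resolver-a", FIXED_PORT_SAMPLE), ("resolver-b", RANDOM_PORT_SAMPLE)):
        report = assess_resolver(parse_observations(sample))
        print(name, report["verdict"], "guess space", report["guess_space"])
```

A "fixed source port" verdict on a patched resolver usually means a NAT device in front of it is rewriting the source port back to a single value, which reintroduces the weakness; the capture should therefore be taken on the outside of any NAT the resolver traverses.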

Oracle Critical Patch Update July 2008
IntelliShield Security Activity Bulletin 16276, Version 1, July 15, 2008
Urgency/Credibility/Severity Rating: 2/5/4

Oracle has released the Critical Patch Update advisory for July 2008. The update contains 45 distinct security fixes for various Oracle products. Additional IntelliShield alerts that detail individual vulnerabilities will be released in the near future as technical details become available.

Apple Mac OS X and OS X Server Apple Remote Desktop Agent Privilege Escalation Vulnerability
IntelliShield Vulnerability Alert 16117, Version 3, August 1, 2008
Urgency/Credibility/Severity Rating: 2/4/4
CVE-2008-2830

Apple Mac OS X and OS X Server contain a vulnerability that could allow a local attacker to perform actions with elevated privileges. A local attacker could exploit the vulnerability to perform actions with root privileges. The attacker could leverage these privileges to take complete control of the targeted system. Malicious software is currently exploiting this vulnerability. OSX/Hovdy-A, which is documented in IntelliShield Alert 16132, has been identified as exploiting this vulnerability.

Adobe Flash Player Multimedia File Integer Overflow Vulnerability
IntelliShield Vulnerability Alert 15623, Version 5, June 4, 2008
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2007-0071

Adobe Flash Player contains an integer overflow vulnerability that could allow a remote attacker to cause a denial of service condition or execute arbitrary code with elevated privileges. The Downloader.Swif.C trojan, which is detailed in IntelliShield Alert 15955, attempts to exploit this vulnerability. Reports indicate that this malicious code is currently active in large-scale attacks. Adobe has confirmed the vulnerability and released updated software.

Physical

Hurricane Gustav A Lesser Threat

With a successful evacuation of nearly 2 million residents, the state of Louisiana sustained Hurricane Gustav far better than Hurricane Katrina in 2005. Officials may allow some businesses back into the evacuated areas on September 3, 2008 with residents following thereafter. The state's flood barriers held, although some gaps allowed approximately 6 feet of water into New Orleans' industrial park, which is located in the Upper 9th Ward; most of the water has since receded. With 1,500 police officers and as many members of the National Guard in the area for security, looting has been nearly absent. Repair crews are beginning to assess the damage to power lines, sewer systems, highways and roads, and other critical infrastructure. Gustav has been downgraded to a tropical depression and is now moving towards the Texas/Louisiana border.

IntelliShield Analysis: The United States' (U.S.) reaction to Hurricane Gustav appears to have been adequate with minimal loss of life and property damage as compared to Hurricane Katrina. There is concern that Gustav's lesser impact may result in a decrease in evacuations during the next major hurricane. Much of the oil-producing infrastructure is believed to be functional, which resulted in a decrease in oil prices for the time being. As oil producing equipment is restarted, full production should resume in 2-3 days. With much less damage than expected and residents returning by the end of the week, recovery efforts should take less time and businesses should be back to operational status in just a few days or weeks, instead of months. This time of year marks the peak of the Atlantic Ocean hurricane season, and tropical storms Hanna, Ike, and Josephine are all expected to reach hurricane strength as they approach the U.S. Organizations with resources in the Atlantic basin are advised to review business continuity and disaster recovery plans in preparation for the peak hurricane season. In addition, users should be aware that malicious code emails and illegitimate support websites are often active using subject lines that are related to major news stories and requesting donations following events like Hurricane Gustav.

Legal

Alleged Identity Theft Ring Arrested in Taiwan

The Criminal Investigation Bureau (CIB) of Taiwan has arrested six people and charged them with fraud as well as computer attacks. The charges carry a maximum penalty of five years. The CIB believes that the suspects targeted government agencies as well as large corporations. Allegedly, the suspects acquired over 50 million records of personal information, including records of the current President, former President, and Chief of Police, and were selling the information for NT$300 per record. The perpetrators were able to use some of the stolen information to steal millions of Taiwanese dollars from victims by accessing their bank accounts online.

IntelliShield Analysis: The CIB is calling this incident the largest data breach in Taiwan to date. Details regarding the breaches have not been fully released, but there is evidence that the suspects received assistance from computer-savvy criminals in China as well as accomplices internal to the companies and government agencies that were targeted. After the announcement of this discovery, an amendment to the Computer Processed Personal Data Protection Act was drafted, calling for tougher penalties on public and private entities that fail to protect personal information. The penalties will also apply to individuals within a company who disclose information for reasons other than profit. The penalties may serve as a deterrent to such crimes, but an agreement on what specific guidelines must be adhered to within the region is necessary. Without the appropriate language, additional revisions and adoptions may be necessary.

Trust

There was no significant activity in this category during the time period.

Identity

Best Western Refutes Breach Claims

Best Western has refuted claims that intruders using stolen user credential information accessed 8 million customer records. Initially, a Scottish newspaper reported that an attacker stole a large amount of customer information from Best Western hotels across Europe. Strongly refuting the claims, Best Western followed up with its own investigation, stating that perhaps as few as thirteen individual customer transactions were compromised by intruders from a single hotel location.

IntelliShield Analysis: It is not immediately clear which report, that of Best Western or the original reporter, is the more accurate assessment. Although this incident is far from reaching closure, all involved parties may suffer damage to their reputation and brand assets. Privacy disclosures generate significant attention, and all parties should work toward fact-based and responsible disclosure that provides clear and objective guidance to all interested parties. Businesses with established policies and disclosure responses will be better prepared in the event of an incident.

Human

Virus Infected Laptop Discovered on the Space Station

NASA discovered malicious code infecting a laptop on board the International Space Station (ISS). Reports indicate that the worm detected was W32.Gammima.AG, which is designed to steal passwords for online games from infected systems. The worm also carries the capability to place a rootkit on the infected systems. NASA security policy prevents official comment on how a laptop on board the ISS became infected with malicious code, but unofficial reports state that the worm was likely transmitted via a personal flash or USB memory device.

IntelliShield Analysis: A NASA spokesperson stated that the worm was detected and stopped by antivirus software and that the worm was never a threat to critical systems. NASA is currently investigating the matter and determining if additional security measures are required. This incident underscores the need for heightened security policies governing the use of removable memory devices on corporate networks. The majority of the malicious code that is developed uses these devices as a means of transmission from system to system.

Geopolitical

Georgia Crisis Raises Questions About Kremlin's Commitment to the World Economy

Global powers reacted with angry words but muted action to Russian recognition last week of the independence of two breakaway regions of Georgia, as reported in IntelliShield Alert 16470. The move prompted European Union (EU) leaders to discuss possible economic sanctions, despite the EU's reluctance to jeopardize the continued flow of oil and gas to the EU from Central Europe. Prime Minister Putin accused the United States (U.S.) of orchestrating the Georgian conflict, and banned several U.S. poultry companies from doing business in Russia. U.S. military ships delivered humanitarian aid to Georgia, adding to concerns of resurgent Cold War tensions over central European spheres of influence. Indeed, Britain's foreign minister David Miliband declared that the era of relative peace on the European continent had come to an end, and called the Georgia crisis a turning point in EU-Russian relations.

IntelliShield Analysis: Investors are watching developments closely. Russia's increased interdependence with world economies does not seem to have made it more risk averse in foreign policy, despite an abrupt 4 percent fall in the Russian bourse, already off one-third from its peak in May following military action in Georgia. Russian President Dmitry Medvedev, a former chairman of energy giant Gazprom, is undoubtedly aware that 70 percent of Gazprom's profits come from gas sales to EU countries. However, strong Russian popular support for the Kremlin's stance is a powerful counter-balance to economic concerns. For many in Russia, loss of face over foreign policy setbacks in the 1990s can be put to rest by the new assertiveness in Georgia. Record oil revenues give the economy a comfortable layer of reserves to withstand market fluctuations, and Russian economic fundamentals remain strong. Following the invasion of Georgia, Prime Minister Vladimir Putin pledged US$25 billion toward the development of Russia's high technology sector. This major 5-year commitment may be seen as a way to wean Russia from its dependence on the oil sector and create new opportunities for wary, risk-tolerant foreign investors.

Upcoming Security Activity

sec-t: September 11–12, 2008
IT Security World: September 13–18, 2008
OWASP Israel 2008: September 14, 2008
Oracle OpenWorld 2008: September 21–25, 2008
OWASP NYC AppSec 2008: September 22–25, 2008
OARC Workshop 2008: September 24–25, 2008
Kiwicon 2k8: September 27–28, 2008
SANS Network Security 2008: September 28–October 6, 2008
BA-Con Argentina 2008: September 30–October 1, 2008
Virus Bulletin 2008: October 1–3, 2008
ekoparty Security Conference: October 2–3, 2008
Critical Infrastructure Protection Congress: October 6–8, 2008

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following dates:

Republican National Convention: September 1–4, 2008
Ramadan: September 1–31, 2008
Rosh Hashanah: September 29–October 1, 2008


Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit the Cisco Security IntelliShield Alert Manager Service page.

For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit the Trial Registration page.



This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.
