
Cyber Risk Report

January 19–25, 2009

The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.

Vulnerability

During the time period, IntelliShield observed lower threat and activity levels compared to a similar period from the previous year. This reduction can be attributed to a decline in vendor responses to existing threats. IntelliShield reported on a large percentage of previously undisclosed vulnerabilities that will likely drive increased vendor responses in the coming weeks.

Apple released a pair of security updates to address a total of eight memory corruption vulnerabilities in its QuickTime media player; an example is available in IntelliShield alert 17450. These vulnerabilities are significant due to the widespread use of QuickTime across both the Microsoft Windows and Apple Mac OS X platforms. Many users download QuickTime to view certain types of web content or to use the popular Apple iTunes application. Because media applications are potentially high-risk due to the number of identified vulnerabilities and their associated exploits, administrators should consider warning users about the potential security threats and asking that users ensure their installations are fully updated. In general, users should also be advised to remove unnecessary applications, such as multiple media applications, to reduce the risk of exposure.

Cisco released security advisories and updated software during the time period to address vulnerabilities in Cisco Unified Communications Manager and Cisco Security Manager. An unauthenticated, remote attacker could exploit a vulnerability in Cisco Unified Communications Manager to cause the Certificate Authority Proxy Function to crash. An unauthenticated, remote attacker could exploit the vulnerability in Cisco Security Manager to gain root access to the embedded Cisco IPS Event Viewer (IEV) database and server. The attacker could leverage this access to add, delete, or modify devices in the IEV.

Based on data from Cisco Security Intelligence Operations, IntelliShield released Threat Outbreak Alerts to warn customers of malicious spam e-mail messages that attempt to lure users of several Brazilian banks and financial services to download malicious software. The messages describe a new security component that will allegedly help recipients secure their online banking sessions. In reality, the message contains an attachment with an executable file that infects the user's system with malicious code. The following IntelliShield Threat Outbreak Alerts describe these messages: 17424, 17433, 17453, and 17461.

IntelliShield also released a Malicious Code Alert to address the OSX.lservice trojan, which targets Apple Mac OS X systems. This trojan is bundled with a legitimate copy of the iWork09 application and is reportedly being distributed via the BitTorrent file-sharing protocol. Upon execution, the trojan runs the legitimate iWorksServices program and then determines whether the session is running with root privileges. If so, the trojan will ultimately attempt to install a backdoor component to allow an attacker to access the system. This trojan is documented in IntelliShield Alert 17459.

The W32/Conficker.worm worm, which is also being referred to as Downadup, continues to infect unpatched Microsoft Windows systems. This worm is described in IntelliShield alert 17121. The worm exploits the remote procedure call code execution vulnerability in the Microsoft Windows Server service, which is addressed in Microsoft security bulletin MS08-067 and IntelliShield alert 16941. Because the worm is capable of propagating by copying itself to removable media devices, it could bypass even well-configured perimeter defenses. Recent studies released by antivirus vendors Symantec and F-Secure indicate that the worm mainly affects systems in Argentina, Brazil, China, and Russia. Approximately one percent of the infected systems reside in the United States. These studies are available from F-Secure and Symantec, and the Microsoft Malware Protection Center has published a response blog post.

IntelliShield published 103 events last week: 46 new events and 57 updated events. Of the 103 events, 81 were Vulnerability Alerts, seven were Threat Outbreak Alerts, six were Security Issue Alerts, four were Malicious Code Alerts, three were Security Activity Bulletins, one was an Applied Mitigation Bulletin, and one was a Cyber Risk Report. The alert publication totals are as follows:

Weekly Alert Totals

Day Date New Updated Total
Friday 1/23/2009 8 7 15
Thursday 1/22/2009 10 13 23
Wednesday 1/21/2009 13 12 25
Tuesday 1/20/2009 11 6 17
Monday 1/19/2009 4 19 23
Weekly Total 46 57 103


Previous Alerts That Still Represent Significant Risk

Worm: W32/Conficker.worm
IntelliShield Malicious Code Alert: 17121, Version 9, January 19, 2009
Urgency/Credibility/Severity Rating: 4/5/3

W32/Conficker.worm is a worm that is quickly propagating across many networks. The worm has reportedly infected millions of systems. One of the worm's propagation routines involves exploiting the Microsoft Windows Server service remote procedure call (RPC) request handling code execution vulnerability, as described in IntelliShield alert 16941. The worm prevents the system from accessing essential antivirus and security-related websites, which makes diagnosis and removal efforts more difficult. Administrators are advised to apply the Microsoft MS08-067 update to prevent attacks by the worm and to take steps to isolate any suspected infected systems until each machine can be fully restored.

Weak MD5 Cryptographic Algorithm Allows for Certification Authority Certificate Spoofing Attacks
IntelliShield Security Activity Bulletin 17341, Version 5, January 15, 2009
Urgency/Credibility/Severity Rating: 2/5/3

Security researchers have identified a weakness in the Internet Public Key Infrastructure (PKI), which is used to issue digital signatures and certificates for secure websites. The attack is possible because of advances in cryptographic research that target the MD5 cryptographic hash function. Attackers could construct Certification Authority (CA) certificates that have the same MD5 hash as a valid CA certificate to impersonate trusted root CA certificates. Successful MD5 collisions allow attackers to impersonate root CA certificates that rely on the weak MD5 algorithm. Root CAs that do not rely on the MD5 algorithm cannot be impersonated using this attack. The researchers claim that the proof-of-concept rogue certificate they have created is accepted as valid by most web browsers.
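The practical check that follows from this bulletin is whether any certificate in a chain was signed with an MD5-based algorithm. The following is an added example, not code from the report or from Cisco: it walks each certificate's DER encoding with a small stdlib-only parser, reads the outer signatureAlgorithm OID, and flags md5WithRSAEncryption. The sample chain is constructed inline (structurally valid DER in the Certificate's three-part shape, not real X.509 certificates).

```python
# Added example (not from the Cisco report): flag MD5-signed certificates in a chain.
# The sample chain at the bottom is constructed, not a real certificate chain.
SIG_ALG_OIDS = {                      # PKCS#1 signature algorithm OIDs (RFC 3279 / RFC 4055)
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}
WEAK_SIG_ALGS = {"md5WithRSAEncryption"}


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                 # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(content):
    """Convert OBJECT IDENTIFIER content octets to dotted-decimal form."""
    arcs, acc = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:              # a clear high bit ends the base-128 arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def signature_algorithm(cert_der):
    """Return the dotted OID from a Certificate's outer signatureAlgorithm field."""
    tag, cert, _ = _read_tlv(cert_der, 0)         # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, pos = _read_tlv(cert, 0)               # tbsCertificate (skipped)
    _, alg_id, _ = _read_tlv(cert, pos)          # signatureAlgorithm AlgorithmIdentifier
    tag, oid, _ = _read_tlv(alg_id, 0)           # algorithm OBJECT IDENTIFIER
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _decode_oid(oid)


def weak_links(chain):
    """Return [(index, algorithm name)] for every cert in the chain signed with MD5."""
    flagged = []
    for i, cert in enumerate(chain):
        name = SIG_ALG_OIDS.get(signature_algorithm(cert), "unknown")
        if name in WEAK_SIG_ALGS:
            flagged.append((i, name))
    return flagged


# Constructed sample chain: minimal DER with the Certificate's three-part layout.
def _tlv(tag, content):
    return bytes([tag, len(content)]) + content   # short-form length suffices here


def _fake_cert(last_arc):
    oid = bytes.fromhex("2A864886F70D0101") + bytes([last_arc])   # 1.2.840.113549.1.1.x
    tbs = _tlv(0x30, _tlv(0x02, b"\x01"))                          # stand-in tbsCertificate
    alg = _tlv(0x30, _tlv(0x06, oid) + _tlv(0x05, b""))            # AlgorithmIdentifier
    sig = _tlv(0x03, b"\x00" + b"\xAA" * 4)                        # stand-in signatureValue
    return _tlv(0x30, tbs + alg + sig)


SAMPLE_CHAIN = [_fake_cert(11), _fake_cert(4), _fake_cert(5)]  # leaf sha256, intermediate md5, root sha1
```

The signature on a self-signed root is not what matters, since trust anchors are trusted by identity rather than by signature; the concern is any intermediate or end-entity certificate issued under that root with an MD5-based signature, which `weak_links` reports by chain position.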

Microsoft Internet Explorer XML Parsing Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 17241, Version 5, December 17, 2008
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2008-4844

Microsoft Internet Explorer contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code or cause a crash of the browser, resulting in a denial of service condition. Proof-of-concept code is available. Microsoft has confirmed the vulnerability and released updated software. Reports indicate that known websites are attempting to exploit this vulnerability to install malicious software on vulnerable systems.

Microsoft Windows WordPad Text Converter File Handling Memory Corruption Vulnerability
IntelliShield Vulnerability Alert 17238, Version 2, December 16, 2008
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2008-4841

Microsoft Windows contains a vulnerability within the WordPad Text Converter that could allow an unauthenticated, remote attacker to corrupt memory and execute arbitrary code on the system. Microsoft has confirmed the vulnerability, but updated software is not currently available. Reports indicate that this vulnerability is actively being exploited and several antivirus vendors are detecting exploits that install additional malicious code on the targeted system. Other exploits contain a backdoor trojan, which could provide attackers with unauthorized access to infected systems. This tactic is commonly referred to as exploiting a zero-day vulnerability.

Adobe Acrobat Products util.printf() Function Buffer Overflow Vulnerability
IntelliShield Vulnerability Alert 16999, Version 10, January 14, 2009
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2008-2992

Adobe Acrobat Professional, Acrobat 3D, Acrobat Standard and Adobe Reader contain a buffer overflow vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code with the privileges of the user. A variant of the Pidief family of trojans, as described in IntelliShield Alert 14388, is actively exploiting this vulnerability in the wild. Adobe has confirmed the vulnerability and released updated software. Administrators are advised to apply the appropriate updates and to ensure that current antivirus definitions are installed. Users should also be cautious of unsolicited PDF files that may arrive via e-mail messages.

Microsoft Windows Server Service Remote Procedure Call Request Handling Code Execution Vulnerability
IntelliShield Vulnerability Alert 16941, Version 3, October 24, 2008
Urgency/Credibility/Severity Rating: 3/5/5
CVE-2008-4250

Microsoft Windows contains a buffer overflow vulnerability that could allow an unauthenticated, remote attacker to create a denial of service condition or execute arbitrary code. Exploit code is publicly available. The Troj/Gimmiv-A, W32.Kernelbot.A, and W32.Wecorl worms are also actively exploiting this vulnerability to install themselves on target systems. Additional information about these worms is available in IntelliShield alerts 16947, 16985, and 16994. Microsoft has confirmed the vulnerability and released software updates. Administrators are advised to apply the appropriate updates and to ensure that current antivirus definitions are installed.

Physical

Lessons Learned From Mumbai, India Attacks

Since the terrorist attacks on Mumbai, India in November 2008, several government and corporate security organizations have evaluated the events and incorporated changes in their own programs to prevent and respond to future attacks. The terrorists appear to have employed multiple advanced technologies, including satellite imagery and GPS receivers, for surveillance purposes before the attacks. Satellites and cell phones were also used to communicate with commanding officers and individual members of the organization; certain conversations were intercepted and recorded by the Indian government. Many have also acknowledged that the lack of funding in Mumbai slowed the response of National Security Guard officials.

IntelliShield Analysis: Organizations are advised to leverage this opportunity to review and validate their policies against current threats, especially because criminal and terrorist tactics frequently change. A remaining concern from the recent attacks is the dichotomy between the presence of an actively shooting terrorist and the local police procedure of waiting for armed and trained special response teams to neutralize threats. New tactical programs like Active Shooter Training, which neutralizes an active shooter as quickly as possible, could assist in such circumstances. The availability of technology can also provide immediate communication during an attack. Security policies that address active shooters who are threatening corporate premises must involve familiarity with police, fire, and military response procedures and times and also include strict rules on surveillance and communications. In addition, one of the most important aspects of emergency planning is educating employees and then practicing procedures.

Legal

Increased Focus on Compliance and Auditing

During ongoing reviews of financial institutions and banks in the midst of the global economic crisis, auditors have begun to note the lack of compliance with existing requirements for electronic discovery and data retention. According to certain study estimates, only 10-15 percent of organizations are currently meeting these requirements.

IntelliShield Analysis: Organizations have focused heavily on compliance requirements in previous years, but surveys for 2009 show a change in focus with compliance dropping to a lower priority. This reduction may result from a sense that organizations are meeting requirements and can shift activities to maintenance-level procedures. With the focus on the financial crisis and the likely increase in compliance, auditing, and oversight, organizations may consider reevaluating their priorities and current compliance positions. In addition to the stronger enforcement of current regulations, organizations are likely to experience additional requirements and more active auditing in the coming year.

Trust

Payment Processor Discloses Major Breach

On January 20, 2009, Heartland Payment Systems released a statement acknowledging a data breach that occurred in 2008. Alerted to suspicious activity by VISA and MasterCard, Heartland initiated a forensic investigation that discovered malicious software on their network. The company has not yet disclosed the full extent of the breach, but it normally handles 100 million credit card transactions per month. Some industry experts have speculated that this incident may surpass the 2007 TJX breach that exposed 45.7 million credit card numbers.

IntelliShield Analysis: Few details about Heartland's data exposure are public, but their announcement suggests that payment data was collected as it crossed the company's network. The stolen data did not contain identifying information that could allow attackers to perform "card not present" transactions, but it could facilitate the duplication of cards for in-person transactions. Combined with other information, the data could also assist future fraud. Some initial reactions to the disclosure of Heartland's breach were tempered by the inaugural ceremonies for United States President Barack Obama that occurred simultaneously. This recent breach not only underscores the necessity of protecting card data that is both at rest and in transit, but it is also a reminder to consider the technical, administrative, and public relations solutions that promote consumer trust.

Identity

Popular Employment Database Compromised

Databases for the Monster.com and USAJOBS.gov employment websites were recently compromised. The attackers managed to access user account and contact information such as usernames, passwords, e-mail addresses, and telephone numbers but were not able to access user resumes, social security numbers, or financial information.

IntelliShield Analysis: Employment websites are becoming more popular than ever as individuals attempt to locate employment during the global economic and financial crisis. This kind of database compromise is especially dangerous because many affected users who are desperate for work may be especially vulnerable to social engineering techniques. An attacker could easily utilize data from this compromise to impersonate a potential employer or the affected website itself via telephone or e-mail in an attempt to convince users to divulge financial account information or visit websites that host malicious code.

Human

Network Traffic Increases During United States Inauguration Event

Internet service providers (ISPs) reported a large increase in network traffic on January 20, 2009 that was related to media coverage of the United States Presidential Inauguration. The traffic was heaviest on TCP port 1395 and UDP port 8247, which are used for streaming media applications.

IntelliShield Analysis: Network media usage during popular events may saturate outgoing network bandwidth and prevent internal users from accessing external resources. Organizations may consider employing network throttling techniques or utilizing multicasting to stream video content during events to conserve bandwidth. User education regarding responsible usage may also assist in decreasing overall consumption. At a higher planning level, organizations are advised to consider the capacity of their networks to avoid availability issues as more streaming media and other high-bandwidth applications grow in usage.

Geopolitical

United States Government Confirms Ongoing Espionage Threat

An annual report to the United States Congress on the threat to industry from foreign and industrial espionage was made public last week. The 22-page report documents the countries that are originating attacks, the methods used, and the information that is being targeted. According to the report, the industrial, scientific, and technical property of Western European countries has also been targeted. The most heavily targeted sectors include information technology and the processes used to create potential dual-use hardware and software, and the most common method for soliciting information remains direct requests, followed by business solicitation or marketing of services.

IntelliShield Analysis: Government-investigated industrial and economic espionage cases in 2007 are similar to those in 2006 with a few surprises. However, the report is a valuable reminder of the very real, ongoing threat of economic and industrial espionage, particularly for multinational corporations. It underscores, for instance, that companies with international joint research, development, or educational facilities are particularly vulnerable due to the collaborative and personal working relationships that are established among expert peers. Conferences and professional trade groups are also popular vehicles for information transfer. The report notes that individuals, states, or entities that are perpetrating crime frequently mask solicitations by basing an intermediary in a friendly third country. Corporate security professionals may consider sharing this report with employees who find themselves in these situations.

Upcoming Security Activity

Networkers Barcelona: January 26–29, 2009
2009 U.S. Department of Defense Cyber Crime Conference: January 26–30, 2009
ShmooCon 2009: February 6–8, 2009
Black Hat DC 2009: February 16–19, 2009
Financial Cryptography and Data Security '09: February 23–26, 2009
InfoSec World 2009: March 7–13, 2009
CanSecWest Vancouver 2009: March 16–20, 2009

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following dates:

Chinese New Year: January 26, 2009
Republic Day (India): January 26, 2009
World Economic Forum: January 28–February 1, 2009
Israeli Legislative Election: February 10, 2009
Venezuelan Referendum on Presidential Terms of Office: February 15, 2009

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit the Cisco Security IntelliShield Alert Manager Service page.

For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit the Trial Registration page.



This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.
