Cyber Risk Report

January 7–13, 2013

The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.

Vulnerability

Vulnerability activity significantly increased for the period. Security advisories and updates from Microsoft, Adobe, Google Chrome, and Mozilla drove activity levels higher, while a previously unknown Oracle Java vulnerability received significant attention.

Over the holiday period, a previously unknown vulnerability in Oracle Java was reported, including reports of functional code that exploits the vulnerability and active exploits in the wild. Reports indicated the Blackhole and Nuclear Pack exploit kits have incorporated this vulnerability, and a Metasploit module was released for the vulnerability. In response to the widespread reports, it was recommended to disable the Java web plugin or Java completely. In addition, Oracle released a security advisory and update for the vulnerability. Details of the activity and the reported vulnerability are available in IntelliShield alerts 27841 and 27845. Additional details are also available in the Cisco Security Blog post "New Java Vulnerability Being Exploited in the Wild."

The Microsoft Security Bulletin Release for January 2013 included seven security bulletins that addressed 12 vulnerabilities. Two of the bulletins were rated critical, although none of the vulnerabilities are currently reported as being exploited. Full details of the security bulletins are available in the Cisco Event Response: Microsoft Security Bulletin Release for January 2013, including individual vulnerability and recommended network mitigation details. Adobe also released security bulletins for Adobe Reader and Acrobat addressing 27 vulnerabilities, and a second bulletin addressing vulnerabilities in Adobe Flash Player.

Mozilla and Google released security updates for Firefox and Chrome browsers addressing multiple vulnerabilities. Other activity included updates to multiple vulnerabilities in Ruby on Rails, NVIDIA driver, Symantec PGP Desktop, and Red Hat products.

Cisco released two security advisories for the Cisco Prime LAN Management Solution Command Execution Vulnerability and Cisco Unified IP Phone Local Kernel System Call Input Validation Vulnerability.

Threat activity continues with Operation Ababil launching additional attacks on U.S. banks, and multiple new and updated spam messages attempting to exploit users with messages on the themes of package deliveries, electronic receipts, and account activity. Additional malicious spam and phishing messages were reported attempting to exploit users with false Microsoft Windows updates.

IntelliShield published 155 events last week: 91 new events and 64 updated events. Of the 155 events, 84 were Vulnerability Alerts, 13 were Security Activity Bulletins, 7 were Security Issue Alerts, 46 were Threat Outbreak Alerts, four were Applied Mitigation Bulletins, and one was a Cyber Risk Report. The alert publication totals are as follows:

Weekly Alert Totals

Day           Date         New   Updated   Total
Saturday      01/12/2013     3         1       4
Friday        01/11/2013     7        13      20
Thursday      01/10/2013    16         7      23
Wednesday     01/09/2013    29        13      42
Tuesday       01/08/2013    23        15      38
Monday        01/07/2013    13        15      28
Weekly Total                91        64     155


Significant Alerts for the Time Period

Oracle Java Security Manager Security Bypass Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 27845, Version 2, January 14, 2013
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2013-0422
Oracle Java 7 Update 10 and prior contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. Functional code that exploits the vulnerability is publicly available as part of exploit toolkits and the Metasploit framework, and the vulnerability is being actively exploited in the wild. Reports indicate the Blackhole and Nuclear Pack exploit kits have incorporated this vulnerability, which could help an attacker in a successful exploit. Exploit source code has also been posted publicly, further increasing the likelihood of exploitation. Oracle has confirmed the vulnerability and software updates are available.

Previous Alerts That Still Represent Significant Risk

Microsoft Internet Explorer CDwnBindInfo Object Processing Use-After-Free Vulnerability
IntelliShield Vulnerability Alert 27711, Version 1, January 2, 2013
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2012-4792
Microsoft Internet Explorer contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. Functional code that exploits this vulnerability is available as part of the Metasploit framework. Microsoft has confirmed this vulnerability; however, software updates are not available.

Fraudulent TURKTRUST Inc. Digital Certificates Issued
IntelliShield Security Activity Bulletin 27758, Version 2, January 9, 2013
Urgency/Credibility/Severity Rating: 3/5/3
Fraudulent certificates for google.com were issued by a third-party certificate authority, possibly allowing spoofing attacks. Root certificate authorities have revoked the fraudulent certificates. Microsoft and Mozilla have released security advisories and software updates to revoke the certificate.

Financial Institution Websites Targeted by Distributed Denial of Service Attacks
IntelliShield Security Activity Bulletin 27076, Version 3, December 13, 2012
Urgency/Credibility/Severity Rating: 3/5/3
Websites owned by banks and other financial institutions continue to be targeted by distributed denial of service (DDoS) attacks, decreasing availability of those sites to legitimate customers. DDoS attacks may still be ongoing. Site administrators are advised to take steps to protect their Internet-facing web services. Cisco has released a guide to protecting environments against DDoS attacks: Strategies to Protect Against Distributed Denial of Service (DDoS) Attacks. Cisco has also released an Applied Mitigation Bulletin: Identifying and Mitigating the Distributed Denial of Service Attacks Targeting Financial Institutions.

MySQL Triggered Events Privilege Elevation Vulnerability
IntelliShield Vulnerability Alert 27522, Version 3, December 10, 2012
Urgency/Credibility/Severity Rating: 3/4/3
CVE-2012-5613
MySQL contains a vulnerability that could allow an authenticated, remote attacker to gain elevated privileges on a targeted system. Functional code that demonstrates an exploit of the MySQL triggered events privilege elevation vulnerability is publicly available. MySQL has not confirmed the vulnerability, and updated software is not available. MySQL disputes the report, stating that the issue results from a known insecure configuration that the MySQL documentation repeatedly advises against.

SSH Tectia Authentication Bypass Unauthorized Access Vulnerability
IntelliShield Vulnerability Alert 27540, Version 3, December 10, 2012
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2012-5975
SSH Tectia server contains a vulnerability that could allow an unauthenticated, remote attacker to gain unauthorized access to a targeted system. Functional code that exploits this vulnerability is available as part of the Metasploit framework. SSH Communications Security has confirmed this vulnerability and released software updates.

Oracle Java Applet JAX-WS Class Processing Security Bypass Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 27404, Version 1, November 13, 2012
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2012-5076
Oracle Java contains a vulnerability that could allow an unauthenticated, remote attacker to bypass security restrictions and execute arbitrary code on a targeted system. Oracle Java Runtime Environment (JRE) 7 Update 7 and prior are vulnerable. Oracle has released the Oracle Java SE CPU October 2012. Functional code that demonstrates an exploit of this vulnerability is available as a part of the Metasploit framework.

Oracle Java SE Critical Patch Update October 2012
IntelliShield Security Activity Bulletin 27210, Version 8, January 7, 2013
Urgency/Credibility/Severity Rating: 2/5/4
Multiple CVEs
Oracle Java SE contains multiple vulnerabilities that could allow an unauthenticated, remote attacker to bypass security restrictions, access sensitive information, execute arbitrary code, or cause a denial of service (DoS) condition on a targeted system. Reports indicate these vulnerabilities are being exploited successfully in the wild. Oracle, Apple, Red Hat, and IBM have released security advisories and software updates.

Samba Marshaling Code Remote Code Execution Vulnerability
IntelliShield Vulnerability Alert 25650, Version 11, December 14, 2012
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2012-1182
Samba contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on an affected system. Functional code that demonstrates an exploit of the Samba marshaling code remote code execution vulnerability is publicly available. Samba has confirmed this vulnerability and released updated software. Samba, Apple, FreeBSD, HP, Oracle, Red Hat, and MontaVista have released security advisories. Oracle has re-released a security notification and patches.

Oracle Java Security Manager Bypass Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 26751, Version 10, October 19, 2012
Urgency/Credibility/Severity Rating: 4/5/4
CVE-2012-4681
Oracle Java contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. Functional code that exploits the vulnerability is publicly available as part of the Metasploit Framework. The Blackhole toolkit is also reported to include an exploit, and multiple threats have been reported targeting this vulnerability. Oracle has confirmed the vulnerability and released software updates. Oracle, Apple, FreeBSD, Red Hat, IBM, and HP have released security advisories and updated software.

Oracle Java Multiple Unspecified Vulnerabilities Update
IntelliShield Security Activity Bulletin 26831, Version 6, November 16, 2012
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2012-0547, CVE-2012-1682, CVE-2012-3136, CVE-2012-4681
Java SE 7 Update 7 mitigates a widely reported vulnerability, CVE-2012-4681, as described in IntelliShield Alert 26751. The update also mitigates two remote code execution vulnerabilities that are due to unspecified errors in the affected software. The three vulnerabilities can be exploited only through untrusted Java Web Start applications and untrusted Java applets on client deployments of the affected software. In addition, a security-in-depth issue in the Abstract Window Toolkit (AWT) has been addressed. Direct exploitation of the AWT security-in-depth issue is not possible; however, the issue can be used to aggravate security vulnerabilities that can be directly attacked. Oracle, Apple, Red Hat, and IBM have released security advisories and software updates. HP has released a security bulletin and updated software.

Physical

Flu Reaches Epidemic Level Across United States

Medical facilities, local governments, and the Centers for Disease Control and Prevention are reporting that the 2013 flu season has reached epidemic levels in several locations across the United States. Major U.S. cities have declared medical emergencies due to the high levels of activity, causing healthcare workers to take exceptional measures to handle the caseloads at hospitals and emergency rooms. More than 40 states are reporting widespread activity levels.

IntelliShield Analysis: The 2013 flu season is proving to be a severe one, and we are only now beginning to reach the peak of the season. Organizations are advised to coordinate closely with local authorities to receive the latest information on the situation in their areas, including measures to control further spread of the virus. Office and school environments can be particularly sensitive to the spread of the virus. Organizations may consider additional cleaning and disinfecting measures, as well as exercising remote-work options to reduce exposure. Electronic devices such as keyboards, printers, fax machines, and conference room equipment may require special cleaning procedures due to their sensitivity to moisture and widespread usage.

Legal

United States Federal Trade Commission Settlement with Google Possible Model for Patent Licensing

The United States Federal Trade Commission (FTC) accepted a settlement with Google involving a legal case investigating unfair practices related to Google's search technology and AdWords service. According to the FTC, Google failed to negotiate its patents on a fair, reasonable, and nondiscriminatory (FRAND) basis. Such practice is in violation of the FTC Act. Google voluntarily agreed to change its practices regarding AdWords displayed in its search services, allowing easier combination of AdWords with third-party services. In addition to the settlement, the FTC reinforced a process through which organizations can negotiate terms of patent use without legal filings in an attempt to create an easier environment to negotiate the use of patented technologies.

IntelliShield Analysis: The FTC's clarified system for resolving patent disputes promises to improve the process for resolution of many ongoing complicated disputes. By directing patent holders and users to negotiate fairly, the FTC process may help prevent lengthy, expensive, and acrimonious legal proceedings; however, legal injunctions remain for those who fail to use FRAND negotiation.

Trust

There was no significant activity in this category during the time period.

Identity

At Disney Parks, a Bracelet Meant to Build Loyalty (and Sales)

Starting spring 2013, Walt Disney World in Orlando, Florida, will introduce radio frequency identification (RFID)-equipped bracelets that are expected to enhance the overall experience of Disney World visitors. The RFID bracelets, part of Disney's new vacation management system MyMagic+, will be used for several functions, such as passes to enter the parks and hotel room keys. In addition, the bracelets can store a variety of personal information that will help track customer experiences and ride preferences, as well as enable Disney World employees and characters to provide more personalized and intimate interactions for customers.

IntelliShield Analysis: The use of RFID technology both to store personal information and to track customer movements and actions throughout the Disney World park should certainly translate to a more enjoyable experience for customers while, at the same time, positively impacting Disney's bottom line. In today's security landscape, however, it is hard to ignore the possibility that some of this collected data could be compromised or fall into the wrong hands. Customers (users) do have the right to limit the amount and type of information that is stored in the MyMagic+ RFID bracelets, and can choose not to use the bracelets at all; however, Disney must be held to a very high standard in terms of protecting this customer data. Disney must perform the necessary due diligence to ensure that safeguards are in place to protect both the financial and physical well-being of the customers who opt in to the MyMagic+ system.

In related activity, a Texas court ruled that a student could not refuse to wear an RFID device used by the school for tracking attendance. The student refused to wear the RFID device on religious grounds. The court ruled that the student must wear the RFID device, or change schools.

Human

There was no significant activity in this category during the time period.

Geopolitical

Japanese Ministry Reports Cyber Attack

Following reports of a data breach early this month, some analysts are questioning the stance of the Japanese Ministry of Agriculture, Forestry, and Fisheries that no sensitive information was compromised. No information was made public about who may have been responsible for the attacks, but it appears that secret documents related to negotiations over the Trans-Pacific Partnership (TPP), a proposed regional trade pact, were the target. According to unnamed sources quoted by The Yomiuri Shimbun, the attackers searched on terms including "TPP," then remotely gathered the information onto a single PC for compression into a .rar file for easier transmission to a remote server.

IntelliShield Analysis: Following an intrusion, it may not be clear whether sensitive information was actually exfiltrated. With concerns about public blowback, many organizations tend to report that nothing was stolen unless they can confirm otherwise. For information security professionals, however, it may be more helpful to assume in such situations, and even to publicly admit, that information was probably taken. This may be interpreted as more transparent, and may also be more accurate. Another interesting aspect of this incident is the political sensitivity surrounding the TPP. With new leaders in Japan, China, the Republic of Korea, and the Democratic People's Republic of Korea (DPRK), and tensions rising over disputed territories in the South China Sea, 2013 will likely be a challenging year for Asian countries. The TPP is a proposed regional free trade agreement that excludes Japan and the United States; however, a rival pact has been proposed, which includes both countries. Both of these proposals are burdened with geopolitical baggage that will influence their ultimate outcomes and have implications for business. Information security professionals may expect to feel the impact of tensions motivated by conflicting regional political concerns. This may well spill into attacks like the one witnessed at Japan's Ministry of Agriculture.

Upcoming Security Activity

Cisco Live, London: January 28–February 1, 2013
ShmooCon: February 15–17, 2013
RSA Conference 2013: February 25–March 1, 2013
Cisco Live, Melbourne: March 5–8, 2013
Black Hat Europe: March 12–15, 2013
Cisco Live, U.S.: June 23–27, 2013

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following:

Israel Elections: January 21–22
Jordan Parliamentary Elections: January 23
World Economic Forum, Davos-Klosters, Switzerland: January 23–27, 2013

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit the Cisco Security IntelliShield Alert Manager Service page.

For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit the Trial Registration page.



This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.