March 2–8, 2009The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support. VulnerabilityDuring the time period, vulnerability and threat activity levels remained consistent with previous weeks. Microsoft released the Advanced Notification for the February 2009 security bulletin publication. Of the three bulletins scheduled for release on March 10, 2009, Microsoft scored one with a maximum severity rating of Critical and two with a rating of Important. These bulletins address vulnerabilities in all supported versions of the Microsoft Windows operating system. None of the bulletins are scheduled to address vulnerabilities in the Microsoft Office suite of applications, even though recent targeted attacks have utilized a vulnerability in Microsoft Office Excel that involves invalid objects. An independent security researcher also released technical details and proof-of-concept code for a cross-site request forgery request vulnerability in the popular Google Gmail webmail service. A remote attacker could exploit this vulnerability to modify a user's Gmail account password. By convincing a user to follow a link in an e-mail message to an attacker-controlled website, an attacker could make a "Change Password" request on behalf of the user. A variant of the infamous Koobface worm recently began another round of infections using its previous tactics. The worm broadened its propagation routine to target eight other social networking sites apart from MySpace and Facebook, such as Hi5 and LiveJournal. The fact that Koobface is reportedly hosted on as many as 300 unique IP addresses has increased the worm's lifespan. Social network account holders and other site users are advised to verify the authenticity of unexpected links that may exist on online pages. For assistance in verifying these links or any other URLs, users can employ the IronPort Security Network E-mail and Web Reputation Tool on the SenderBase website. Further details on Koobface are available in IntelliShield alert 17240. In other malicious code a activity, recent reports indicate that the Backdoor.Syzoor trojan has infected approximately 250,000 machines. This trojan, which is also known as Tigger, is difficult to detect because it installs a rootkit that loads on systems even when they are started in Safe Mode. The trojan also removes software that could warn users of an infection or otherwise prompt them to clean systems and, as a result, remove Backdoor.Syzoor during the process. Although infection rates associated with this trojan are reportedly high, there is no public information regarding its propagation routine. Users are likely downloading Backdoor.Syzoor over P2P networks, IRC servers, FTP servers, or as e-mail attachments. According to sources, the trojan only targets customers and employees of stock and options trading firms, such as E-Trade, ING Direct, ShareBuilder, Vanguard, Options XPress, TD Ameritrade, and Scottrade. Further information on this trojan is detailed in IntelliShield alert 17717. According to security researchers, W32/Conficker.worm, which is also being referred to as Downadup, received code upgrades and is scheduled to launch attacks against the legitimate jogli.com, wnsux.com, and qhflh.com domains in the coming week. The worm is scheduled to attack wnsux.com, which Southwest Airlines runs as a secondary domain domain, on March 13, 2009. If a distributed denial of service (DDoS) takes place, Southwest Airlines's online check-in process may be disrupted. The worm has traditionally used a pseudo-random domain name generator that produced 250 IP addresses for the worm to contact and attempt to infect each day. Reports indicate that the worm received a new module that increased the amount of IP addresses to 50,000 per day. These kind of updates help the worm avoid detection and subsequently protect already infected machines. With a list of addresses this large, monitoring networks for connections to detect infected systems becomes nearly impossible. Sources have also indicated that individuals who are responsible for the Conficker botnet are selling it to malicious users in chunks. IntelliShield published 116 events last week: 44 new events and 72 updated events. Of the 116 events, 86 were Vulnerability Alerts, 14 were Threat Outbreak Alerts, seven were Malicious Code Alerts, five were Security Activity Bulletins, three were Security Issue Alerts, and one was a Cyber Risk Report. The alert publication totals are as follows: Weekly Alert Totals
Previous Alerts That Still Represent Significant RiskMicrosoft Office Excel Invalid Object Arbitrary Code Execution Vulnerability Microsoft Excel and related products contain a vulnerability that could allow a remote attacker to execute arbitrary code. Attackers are actively exploiting this vulnerability to conduct limited malicious code attacks that are designed to infect targeted systems with a variant of the Mdropper family of trojans. This family of trojans is detailed in IntelliShield alert 12562. Microsoft has confirmed this vulnerability, but updated software is not available. IntelliShield Vulnerability Alert 17665, Version 3, February 25, 2009 Adobe Reader and Adobe Acrobat Professional, Acrobat Professional Extended, and Acrobat Standard contain a buffer overflow vulnerability that could allow a remote attacker to create a denial of service condition or execute arbitrary code with the privileges of the user. The level of user privileges and the code that is executed determine the degree to which the system is compromised. This vulnerability is actively being exploited in the wild by the Pidief family of trojans. Additional information about the trojan is available in IntelliShield alert 14388. Adobe has confirmed the vulnerability; however, updates are not available. Misconfigured Router Causes Increased BGP Traffic and Isolated Outages for Internet Services On Monday, February 16, 2009, a misconfigured router from SuproNet, a Czech Internet Service Provider, caused high increases in Border Gateway Protocol (BGP) updates as well as isolated outages for Internet services around the world. The disruption was caused by a SuproNet router issuing routing announcement updates that contained overly long Autonomous System (AS) paths. Cisco Security Intelligence Operations has released additional technical information and workarounds to mitigate denial of service conditions that result from overly long AS paths. This information is available in IntelliShield alert 17670. OpenBSD has fixed a similar flaw, which is described in IntelliShield alert 17658. Microsoft Internet Explorer Uninitialized Memory Corruption Vulnerability Microsoft Internet Explorer version 7.0 contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code or crash the browser, resulting in a denial of service condition. On systems that grant users Administrator privileges, an attacker could execute code that may result in the complete compromise of the affected system. Reports have confirmed the existence of exploit code that is being delivered using a Microsoft Office Word document saved in an XML format. Exploits have been observed wherein attackers build Word documents using XML constructs, save them as .doc files, and delivering the malicious document via e-mail or host it on websites. Several antivirus vendors are reporting the activity. Worm: W32.Waledac W32.Waledac is a worm that attempts to open a back door on an infected system. The worm propagates by sending a copy of itself to e-mail addresses on the infected system. Recently, the Waledac family was observed disguising itself as valentine-related e-cards. The e-mail messages are configured to take advantage of interest in current events or holidays to convince users to open their attachments. W32.Waledac may download files on an infected system and provide an attacker with backdoor access. The worm also attempts to steal confidential information that is related to numerous online banking entities. Worm: W32/Conficker.worm W32/Conficker.worm is a worm that is quickly propagating across many networks. The worm has reportedly infected millions of systems. One propagation routine of the worm involves exploiting the Microsoft Windows Server service remote procedure call (RPC) request handling code execution vulnerability, which is described in IntelliShield alert 16941. The worm prevents the system from accessing essential antivirus and security-related website's, which makes diagnosis and removal efforts more difficult. Administrators are advised to apply the MS08-067 Microsoft update to prevent attacks by the worm and to take steps to isolate any suspected infected systems until they can be fully restored. Adobe Acrobat Products util.printf() Function Buffer Overflow Vulnerability Adobe Reader, Acrobat Professional, Acrobat 3D, and Acrobat Standard contain a buffer overflow vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code with the privileges of the user. A variant of the Pidief family of trojans, described in IntelliShield alert 14388, is actively exploiting this vulnerability in the wild. Adobe has confirmed the vulnerability and released updated software. Administrators are advised to apply the appropriate updates and to ensure that current antivirus definitions are installed. Users should also be cautious of unsolicited PDF files that may arrive via e-mail. Weak MD5 Cryptographic Algorithm Allows for Certification Authority Certificate Spoofing Attacks Security researchers have identified a weakness in the Internet Public Key Infrastructure (PKI), which is used to issue digital signatures and certificates for secure website's. The attack is possible because of advances in cryptographic research that target the MD5 cryptographic hash function. Attackers could construct Certification Authority (CA) certificates that have the same MD5 hash as a valid CA certificate to impersonate trusted root CA certificates. Successful MD5 collisions allow attackers to impersonate root CA certificates that rely on the weak MD5 algorithm. Root CAs that do not rely on the MD5 algorithm cannot be impersonated using this attack. The researchers claim that the proof-of-concept rogue certificate they have created is accepted as valid by most web browsers. PhysicalMexico Adds 1,000 Federal Police Officers to Military Presence in JuarezThe government of Mexico recently sent 1,000 federal police officers and thousands of military personnel as reinforcements to Ciudad Juarez in an attempt to quell drug-related gang warfare. The amount of deployed police and soldiers is expected to rise to 7,000. Soldiers will perform police duties while military officials will oversee the city's police force, which essentially imposed martial law on the city. Over the past year, more than 2,000 homicides have been attributed to rival gangs that are battling for control of the highly industrialized city on the United States-Mexico border. Violent encounters between cartels, law enforcement, tourists, and citizens have increased at many points along the United States (U.S.) border and recently extended into tourist destinations. The U.S. Department of State issued a Travel Alert on February 20, 2009 that advised U.S. citizens of the increased risk of violence, specifically robbery, car-jacking, assault, mugging, public shooting, and kidnapping. Travel to and within cities along the northern border, specifically Tijuana and Ciudad Juarez, is of particular concern because law enforcement operations are ongoing and escalating. IntelliShield Analysis: Ciudad Juarez is a major outsource and distribution location for international businesses that operate on both sides of the U.S.-Mexico border. In addition to physical safety threats for employees, businesses should consider preparing for supply chain disruptions. The increased kidnapping threat and potential that violence could escalate into El Paso, Phoenix, or San Diego could bring supply systems to a halt. Increased security at checkpoints will slow border crossings, which will affect commuters and tourists, delay shipments, and clog shipping points. Although Mexican President Felipe Calderon rejected reports that Mexico may be a failed state, it is unlikely that the current violence will end quickly. Organizations are advised to ensure that business continuity plans are in place and sufficiently comprehensive to allow recovery from possible extended disruptions. LegalBotnet Master Sentenced to Four Years in Federal PrisonAlmost one year after pleading guilty to bank and wire fraud charges, John Schiefer was sentenced to serve four years in federal prison after infecting thousands of end-user systems with malicious software in an effort to steal user credentials for the PayPal online payment system and make unauthorized purchases. The FBI arrested Schiefer as part of an investigation called Operation Bot Roast II that took place around November of 2007. Read More IntelliShield Analysis: Although a victory for law enforcement and the judicial process, Schiefer's arrest, conviction, and sentencing is only a temporary reprieve. As users continue to act in an unsafe manner on the Internet and systems continue to remain unpatched, criminals will be drawn to cybercrime as a non-violent means to make money. Inevitably, other criminals will assume the place of the arrested botnet master, because the underlying issues of poor end-host security and a misplaced trust in communications from unknown sources persist. TrustTesla Motors CEO Suspected of Fishing for Employee LeaksAfter a Tesla Motors employee leaked company financial information to the Internet in October 2008, the company began a thorough investigation to uncover its source. After discovering the culprit was Peng Zhou, the company's CEO Elon Musk distributed an apology from Zhou to the company, and Zhou later lost his job. In the hopes of identifying the source of the next leak, a company insider (allegedly Musk) attempted to distribute unique communications with subtle cues in message text to each employee. Although the plan backfired because one employee's unique message was forwarded to every employee, criticisms against the company are increasing. Read More IntelliShield Analysis: As with any effort to retain sensitive information, senior company leaders may consider digital forensics or private investigation to uncover disclosures. The motivation to leak information, or even to uncover the source of leaks, may be especially tempting during times of economic hardship. Employees could feel slighted by company actions or seek stability or advantage by disclosing sensitive information, and companies may try to retain intellectual property or prevent financial situations from being disclosed out of context. Organizations are advised to construct sound legal policies for initiating and pursuing investigations. Resisting the urge to overstep policies or act in a manner that could be perceived as extraordinarily invasive will aid organizations who pursue litigation and likely help prevent employee or public backlash. Details of United States Presidential Helicopter Released Over P2P NetworkThe United States (U.S.) Navy has released additional information from its investigation into the possible security breach of the Presidential helicopter fleet. The investigation identified an IP address from Iran that downloaded information about Marine One, and searches conducted in file-sharing programs identified related engineering and communications documents. The U.S. Navy determined that the information did not have a significant impact but should not be available on file-sharing programs and the Internet. Further investigation of the files identified the source of the breach, which appears to have been caused by P2P file-sharing software that was installed on a government contractor system. The source has not been publicly identified, but investigators are confident that they know exactly what data was compromised and where it went. Read More IntelliShield Analysis: File-sharing programs are well-known sources of malicious code and viruses and are also a potential threat for data loss. These types of applications can allow individuals to access other users' systems and easily obtain sensitive information. Organizations are advised to impose guidelines and rules for the use of P2P file-sharing programs on business systems. To assess risks to systems that contain sensitive information, organizations should define what information is considered highly valuable and then address which data is considered valuable to an attacker and how it could be leveraged to conduct subsequent attacks. Due to the targeted nature of this data compromise, traditional signature-based approaches of antivirus software could not protect the defense contractor's system. Organizations are advised to ensure that they implement multi-layered security through training, monitoring, and other technical means to protect against these kind of threats. IdentityCustomer Information From Spotify Music Service Is ExposedSpotify discovered and fixed an error in their streaming music services on December 19, 2008 that allowed attackers to access user password hashes. The group responsible for compromising the Spotify service could use brute force techniques to learn user passwords from these hashes. As a result, user e-mail address, birth dates, gender, postal code, and billing receipt details were all exposed. Because Spotify does not store credit card information, this data was not at risk. Spotify claims that the company was not aware that individuals could access their protocols to exploit this error. IntelliShield Analysis: After correcting the error, Spotify warned users who registered accounts prior to December 19, 2008 to modify their passwords. Spotify also warned users against utilizing identical passwords for multiple online accounts, because a singe compromised account could provide an attacker with the necessary information to compromise many more. To resolve this issue and prevent similar attacks, organizations should remind users to change their passwords regularly and use unique passwords for each online account. HumanUnited States Collegiate "March Madness" Brings Unique ChallengesThe Unites States National Collegiate Athletic Association's (NCAA) Division 1-A men's basketball tournament, which is also known as "March Madness," begins with Selection Sunday on March 15, 2009 and the first tournament game on March 17, 2009. The popular basketball tournament is notorious for presenting business organizations with a multitude of security challenges, including lost productivity as employees watch video-on-demand services for the many games and the large amount of corporate bandwidth that these multiple video streams can consume. The "March Madness" period also provides an opportunity for malicious individuals to perform social engineering attacks. These attackers aim to compromise accounts, install malicious software, or conduct malicious code attacks by luring users to malicious websites that promise insider information, news alerts, or illicit gambling services related to the basketball games. Businesses should also be aware of the increased threat of collateral damage from distributed denial of service (DDoS) attacks that target online gambling or sports websites and video service providers during this time. These type of attacks normally target sites for extortion purposes, but attacks from infected systems in the network or attacks that impact service providers could cause availability issues for businesses that are not being targeted directly. Organizations may consider alternatives to minimize the impact of this event, such establishing a centralized showing of the games or throttling bandwidth for video services. Organizations should also review response plans and coordinate with service providers to plan for DDoS events or other availability impacts. GeopoliticalChina to Detail Stimulus Measures OnlineIn response to pressure from bloggers and hundreds of thousands of citizens who voiced concerns through government websites, the Chinese government has promised to publish details of its economic stimulus spending plans online. High-level party officials and a prominent lawyer have requested transparency, claiming that stimulus spending is in danger of being misused by corrupt provincial officials. Concurrently, on the outskirts of China's annual gathering of the National Peoples Congress, Premier Wen Jiabao held his first public online chat with Chinese citizens. The discussion was followed by a team of lawmakers who also answered questions several days later. IntelliShield Analysis: Given that government budgetary details have traditionally been closely guarded, Beijing's pledge to publish stimulus spending details online is noteworthy. The new openness indicates the seriousness with which government officials take the threat to the Chinese Communist Party's legitimacy in the current economic atmosphere. The Chinese government also appears to have recognized that the Internet is both the Chinese Communist Party's biggest problem and potentially most powerful tool. As the economic crisis continues, security specialists should consider the sensitivity of the Chinese government to online political discourse and remember the priority it places on maintenance of social order. An awareness of how rapidly popular demonstrations that are organized through electronic communications can arise is also important, as the potential for an abrupt seizure of networks exists if a situation is considered unmanageable. MiscellaneousSurveys Reveal Lack of Patching Procedures for Organizations That Use Oracle Database ProductsIn August 2008, Oracle and the Independent Oracle Users Group (IOUG) conducted surveys to determine the patching habits of Oracle administrators. The surveys revealed that only 26 percent of respondents installed Oracle Critical Patch Updates in a timely manner. In fact, 11 percent of respondents reported that they had not installed any of the Oracle Quarterly Patch Updates, and 30 percent indicated that their organization does not have a policy for implementing Oracle patches. Read More IntelliShield Analysis: Oracle databases often hold data that is critical to a company's business operations. Many Oracle administrators fear that installing updates, even important security updates, could damage database implementations or internally developed Oracle applications. Even though production Oracle servers are typically secured behind one or more firewalls and access is restricted to a few trusted users or application requests, these measures can lead to a false sense of security. In many cases, Oracle databases are used as the back-end to applications that are hosted on Internet-facing web servers. Because attackers can leverage SQL injection vulnerabilities in these web servers to potentially compromise the back-end database, organizations that have implemented Oracle database products are advised to establish and follow a procedure for the timely installation of Oracle's Critical Patch Updates. Upcoming Security ActivityInfoSec World 2009: March 7–13, 2009 Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following dates: United States Collegiate "March Madness" 2009: March 19–April 6, 2009 Additional InformationFor more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.
|
|||||||||||||||||||||||||||||||||||||
