Cyber Risk Report

March 23–29, 2009

The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.

Vulnerability

Vulnerability and threat activity levels rose from those of previous weeks due in part to the release of large groups of advisories from Cisco and Sun.

Cisco released the semi-annual IOS Software bundle of advisories on March 25, 2009. This release included eight security advisories and updated software to address 10 vulnerabilities in affected Cisco IOS Software versions. A summary of the advisories, IntelliShield alerts, and Applied Mitigation Bulletins is available at the following link: Cisco.

Sun released seven security advisories and updated versions of its Java products to address multiple vulnerabilities. Due to the widespread use of Java across multiple platforms, attackers could find these vulnerabilities to be an attractive attack vector. Individual IntelliShield vulnerability alerts were published in response to the Sun release; an IntelliShield Activity Bulletin that summarizes the vulnerabilities is available at the following link: Sun Releases Updated Versions of Java Products.

The Microsoft Security Response Center (MSRC) confirmed the existence of the GDI+ EMF file handling integer overflow vulnerability affecting Microsoft Windows. The MSRC confirms that a remote attacker could exploit this vulnerability to cause a denial of service condition, and is investigating the possibility of an attacker gaining the ability to execute arbitrary code. This vulnerability is detailed in IntelliShield alert 17873.

Malicious code activity this week has centered around the Conficker worm and its April 1, 2009 trigger date. The latest variant of the worm, W32/Conficker.C (W32.Downadup.C), is scheduled to change its operation and begin polling 500 of 50,000 domains per day on April 1, 2009 on systems that are already infected. The worm can also use P2P capabilities to communicate with other infected hosts to obtain updates without needing to contact any of the malicious domains. Systems only infected with previous variants of Conficker will not change on April 1, and security experts believe that most machines are infected with these earlier variants. Infected systems may not be able to reach security-related websites, such as www.f-secure.com or www.symantec.com, which could indicate an infection. Administrators are advised to examine their Windows environment to ensure systems are not infected and recover systems that have been compromised. Multiple antivirus vendors have issued Conficker removal tools to assist in the recovery of systems that are identified as infected. Further analysis and mitigation techniques are detailed in IntelliShield alert 17121.

Also receiving elevated media attention this week is Linux/Psybot, which is a worm that is targeting home-based routers and DSL modems utilizing the MIPS processor running Linux Mipsel. Security experts believe the worm is among the first to target these types of devices. Once the device is compromised, it forces the router or modem to join a botnet and begin accepting commands from a remote server. Reports indicate that 100,000 devices are currently compromised. It should be noted that the worm is only capable of targeting devices with interfaces exposed to the Internet accompanied with either default or weak username and password combinations. Devices that are not in a DMZ or with interfaces not exposed to the Internet are not susceptible to attacks, along with devices using strong username and password combinations. Infected users may not be aware that they are compromised since the machine itself is not infected, only the user's router or modem. The worm is detailed in IntelliShield alert 17866.

IntelliShield published 152 events last week: 69 new events and 83 updated events. Of the 152 events, 119 were Vulnerability Alerts, nine were Malicious Code Alerts, eight were Security Activity Bulletins, eight were Threat Outbreak Alerts, six were Security Issue Alerts, one was an Applied Mitigation Bulletin, and one was a Cyber Risk Report. The alert publication totals are as follows:

Weekly Alert Totals

Day           Date         New   Updated   Total
Friday        03/27/2009     6        28      34
Thursday      03/26/2009    19         9      28
Wednesday     03/25/2009    25         3      28
Tuesday       03/24/2009    10        16      26
Monday        03/23/2009     9        27      36
Weekly Total                69        83     152

Significant Alerts for March 23-29, 2009

Worm: W32/Conficker.worm
IntelliShield Malicious Code Alert 17121, Version 14, March 27, 2009
Urgency/Credibility/Severity Rating: 4/5/3

W32/Conficker.worm is a worm that is quickly propagating across many networks. The worm has reportedly infected millions of systems. One of the worm's propagation routines involves exploiting the Microsoft Windows Server service remote procedure call (RPC) request handling code execution vulnerability, which is described in IntelliShield alert 16941. The worm prevents infected systems from accessing essential antivirus and security-related websites, which makes diagnosis and removal efforts more difficult. Administrators are advised to apply the MS08-067 Microsoft update to prevent attacks by the worm and to take steps to isolate any suspected infected systems until they can be fully restored.
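Two of the indicators described above (a host cycling through hundreds of rendezvous domains per day, most of which do not exist, and a host that can no longer reach security-vendor sites) can be checked with a short script. The following is an added example written for this report, not IntelliShield or Cisco code. The resolver log format, the NXDOMAIN threshold, the sample log lines and the simulated resolver are all constructed assumptions; the two vendor sites are the ones named above.

```python
import re
import socket
from collections import defaultdict

# Sites the report says infected hosts may be unable to reach.
SECURITY_SITES = {"www.f-secure.com", "www.symantec.com"}

# Assumed resolver log format (constructed for this example):
#   <timestamp> <client-ip> <queried-name> <rcode>
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(NOERROR|NXDOMAIN|SERVFAIL)$")


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, client, qname, rcode = m.groups()
    return {"ts": ts, "client": client, "qname": qname.lower().rstrip("."), "rcode": rcode}


def find_polling_hosts(lines, nxdomain_threshold=20):
    """Map client IP -> number of distinct NXDOMAIN names, for clients at or above
    the threshold. A host working through hundreds of mostly unregistered
    rendezvous domains per day stands out this way. The threshold is an
    assumption and should be tuned against a baseline of normal resolver traffic."""
    failed = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["rcode"] == "NXDOMAIN":
            failed[rec["client"]].add(rec["qname"])
    return {client: len(names) for client, names in failed.items()
            if len(names) >= nxdomain_threshold}


def unreachable_security_sites(resolver=socket.gethostbyname, sites=SECURITY_SITES):
    """Run on a suspect host: return the security sites that fail to resolve.
    A hit is a reason to scan the machine with a vendor removal tool, not proof
    of infection (a proxy or a DNS outage gives the same symptom)."""
    unreachable = []
    for site in sorted(sites):
        try:
            resolver(site)
        except OSError:
            unreachable.append(site)
    return unreachable


# Constructed sample log: 10.0.0.9 behaves normally, 10.0.0.5 burns through
# 25 distinct names that do not exist.
SAMPLE_LOG = [
    "2009-03-27T09:00:00 10.0.0.9 www.example.com NOERROR",
    "2009-03-27T09:00:05 10.0.0.9 mail.example.com NOERROR",
    "2009-03-27T09:01:00 10.0.0.9 typo.example NXDOMAIN",
] + [f"2009-03-27T09:02:{i:02d} 10.0.0.5 poll{i:03d}.example NXDOMAIN" for i in range(25)]


def _fake_resolver(name):
    """Stand-in resolver for offline runs: one vendor site fails, the rest resolve."""
    if name == "www.f-secure.com":
        raise OSError("lookup blocked")
    return "192.0.2.1"


def demo_host_check():
    """Host-side check against the simulated resolver (constructed scenario)."""
    return unreachable_security_sites(resolver=_fake_resolver)


if __name__ == "__main__":
    print("suspect resolver clients:", find_polling_hosts(SAMPLE_LOG))
    print("unreachable security sites (simulated):", demo_host_check())
```

On a real network, find_polling_hosts would be fed a day of resolver logs and the host check would be run with the default socket resolver on machines it flags; neither result replaces a scan with a vendor removal tool.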

Previous Alerts That Still Represent Significant Risk

Adobe Acrobat Products PDF File Buffer Overflow Vulnerability
IntelliShield Vulnerability Alert 17665, Version 7, March 19, 2009
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2009-0658

Adobe Reader, Adobe Acrobat Professional, Acrobat Professional Extended, and Acrobat Standard contain a buffer overflow vulnerability that could allow a remote attacker to create a denial of service condition or execute arbitrary code with the privileges of the user. The level of user privileges and the code that is executed determine the degree to which the system is compromised. This vulnerability is actively being exploited in the wild by the Pidief family of trojans. Additional information about the trojan is available in IntelliShield alert 14388. Adobe has confirmed the vulnerability and released updated software for Version 9 of the affected products.

Microsoft Office Excel Invalid Object Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 17689, Version 5, March 6, 2009
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2009-0238

Microsoft Excel and related products contain a vulnerability that could allow a remote attacker to execute arbitrary code. Attackers are actively exploiting this vulnerability to conduct limited malicious code attacks that are designed to infect targeted systems with a variant of the Mdropper family of trojans. This family of trojans is detailed in IntelliShield alert 12562. Microsoft has confirmed this vulnerability, but updated software is not available.

Misconfigured Router Causes Increased BGP Traffic and Isolated Outages for Internet Services
IntelliShield Security Activity Bulletin alert 17657, Version 2, February 20, 2009
Urgency/Credibility/Severity Rating: 2/5/3

On Monday, February 16, 2009, a misconfigured router from SuproNet, a Czech Internet Service Provider, caused high increases in Border Gateway Protocol (BGP) updates, as well as isolated outages for Internet services around the world. The disruption was caused by a SuproNet router that issued routing announcement updates that contained overly long Autonomous System (AS) paths. Cisco Security Intelligence Operations has released additional technical information and workarounds to mitigate denial of service conditions that result from overly long AS paths. This information is available in IntelliShield alert 17670.
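The workaround class referred to above bounds how many ASNs a router will accept in an AS path before it drops the update. The following added example (written for this report, not Cisco code) parses the AS_PATH attribute as laid out in RFC 4271 with 2-octet ASNs, checks every length field against the bytes actually present, and applies an assumed maximum-AS-path limit of 75. The private ASNs and sample attributes are constructed.

```python
import struct

AS_SET, AS_SEQUENCE = 1, 2   # AS_PATH segment types from RFC 4271
ASN_SIZE = 2                 # 2-octet ASNs assumed; 4-octet ASNs (RFC 4893) would use 4


def parse_as_path(attr):
    """Parse the value of an AS_PATH attribute into [(segment_type, [asn, ...]), ...].
    Each count field is checked against the bytes present, so a truncated or
    malformed attribute raises ValueError rather than being trusted."""
    segments, pos = [], 0
    while pos < len(attr):
        if pos + 2 > len(attr):
            raise ValueError("truncated segment header")
        seg_type, count = attr[pos], attr[pos + 1]
        pos += 2
        if seg_type not in (AS_SET, AS_SEQUENCE):
            raise ValueError(f"unknown AS_PATH segment type {seg_type}")
        need = count * ASN_SIZE
        if pos + need > len(attr):
            raise ValueError("segment length runs past end of attribute")
        asns = list(struct.unpack(f"!{count}H", attr[pos:pos + need]))
        pos += need
        segments.append((seg_type, asns))
    return segments


def build_as_path(segments):
    """Inverse of parse_as_path; used here only to construct sample attributes."""
    out = bytearray()
    for seg_type, asns in segments:
        if len(asns) > 255:
            raise ValueError("one segment holds at most 255 ASNs")
        out += bytes([seg_type, len(asns)]) + struct.pack(f"!{len(asns)}H", *asns)
    return bytes(out)


def accept_update(attr, maxas_limit=75):
    """Return (accepted, asn_count). Counting every ASN in every segment and
    dropping the update when the count exceeds the limit is the shape of a
    per-neighbor maximum-AS-path policy; the default of 75 is an assumption."""
    count = sum(len(asns) for _, asns in parse_as_path(attr))
    return count <= maxas_limit, count


def rejects_malformed(attr):
    """True if the parser refuses the attribute (exercises the length checks)."""
    try:
        parse_as_path(attr)
    except ValueError:
        return True
    return False


# Constructed samples using private ASNs. The long path needs two segments
# because a segment's count field is a single byte.
SAMPLE_SHORT = build_as_path([(AS_SEQUENCE, [65001, 65002, 65003])])
SAMPLE_LONG = build_as_path([(AS_SEQUENCE, [65001] * 255), (AS_SEQUENCE, [65001] * 45)])

if __name__ == "__main__":
    for name, attr in (("short", SAMPLE_SHORT), ("long", SAMPLE_LONG)):
        print(name, accept_update(attr))
    print("truncated attribute rejected:", rejects_malformed(SAMPLE_SHORT[:-1]))
```

The limit is applied on receipt, so an update carrying an abnormally long path is discarded at the edge instead of being installed and re-advertised to every peer.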

OpenBSD has fixed a similar flaw, which is described in IntelliShield alert 17658.

Microsoft Internet Explorer Uninitialized Memory Corruption Vulnerability
IntelliShield Vulnerability Alert 17519, Version 6, March 13, 2009
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2009-0075

Microsoft Internet Explorer Version 7.0 contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code or crash the browser, resulting in a denial of service condition. On systems that grant users Administrator privileges, an attacker could execute code that may result in the complete compromise of the affected system. Reports have confirmed the existence of exploit code that is being delivered using a Microsoft Office Word document saved in the XML format. Exploits have been observed wherein attackers build Word documents using XML constructs, save them as .doc files, and deliver the malicious document via e-mail or host it on websites. Several antivirus vendors are reporting the activity.

Worm: W32.Waledac
IntelliShield Malicious Code Alert 17327, Version 9, February 13, 2009
Urgency/Credibility/Severity Rating: 4/5/4

W32.Waledac is a worm that attempts to open a back door on an infected system. The worm propagates by sending a copy of itself to e-mail addresses found on the infected system. Recently, the Waledac family was observed disguising itself as valentine-related e-cards. The e-mail messages are configured to take advantage of interest in current events or holidays to convince users to open malicious e-mail attachments. W32.Waledac may download files on an infected system and provide an attacker with backdoor access. The worm also attempts to steal confidential information that is related to numerous online banking entities.

Physical

Economic Policies Cause Union Strikes in France

Approximately 1.2 million people in France rallied and protested last week due to the economic downturn nationwide. Union members are concerned about government spending as well as the unemployment rate, which has increased 3.5 percent in January and February 2009. Protestors have marched in several cities, including Marseille, Lyon, and Grenoble. These protests follow similar rallies that were held in January, where an estimated one million people attended. Hostage situations arose during the most recent demonstrations at a 3M Co. factory, as well as at a Sony France factory, as upset workers prevented executives from leaving the plants in an attempt to force severance package negotiations.

IntelliShield Analysis: Despite President Nicolas Sarkozy's attempt to improve the economy, the stimulus package has not been able to improve the unemployment rate thus far. The economic downturn is affecting countries worldwide, and although most protests are held peacefully, others may become violent at times. France in particular has had to close schools, stop public transportation, and spend more on protection for workers. These actions can disrupt normal business operations and create challenges for employees who need to find childcare or transportation to work. Widespread strikes of this kind are risks that require business continuity planning and may require emergency notification methods to alert employees when contingency plans are exercised. Remote worker capabilities may assist business continuity during economic downturns.

Legal

There was no significant activity in this category during the time period.

Trust

Lawsuit Discloses Data Loss for More Than 7,500 Carbonite, Inc. Customers

Online backup provider Carbonite, Inc. has filed suit in Boston against two vendors that the company says supplied them with defective hardware that resulted in data loss affecting more than 7,500 Carbonite customers. Carbonite claims the data loss has substantially damaged its business reputation and is seeking damages to be determined at the trial.

IntelliShield Analysis: Carbonite faces a public relations challenge to recover its reputation after losing the personal data of thousands of customers, but the most injured party may be the customers who lost irretrievable and irreplaceable data. Technology-related legal issues tend to be complicated, and as cloud computing moves from buzzword to the mainstream, assigning blame and responsibility will become more convoluted. Cloud computing in its current form is rarely transparent, and the distribution of services across the Internet may expose users to unseen risks. Customers of Carbonite, Mozy, and other third-party online backup services should be aware that they are taking a risk when trusting companies that use third-party storage devices. Users should determine whether their organizations already have internal backup storage solutions or policies in place to ensure that no company data is jeopardized and no policies are violated when using external backup solutions.

Identity

There was no significant activity in this category during the time period.

Human

Kentucky Officials Charged in Electronic Voting Fraud

Five county officials from Clay County, Kentucky, have been indicted on Federal charges for a number of incidents surrounding election corruption, including manipulating votes. The officials staffed polling places with volunteers complicit in the scheme to oversee voting and mislead voters in the use of electronic voting machines. Voters were led to believe that their votes had been cast after they had pressed a "Vote" button, but instead the corrupt poll workers would approach the machines after the voters had left them, change the votes, and complete the ballots by confirming the vote.

IntelliShield Analysis: This case has captured media attention as perhaps the first documented example of electronic voting fraud in the United States. Still, the tactics allegedly employed were more social engineering than the technical exploits that many have feared would hinder electronic voting. The design of the voting machine interface did provide an opportunity for the conspirators to mislead voters into believing that their ballots had been recorded, contrary to how the actual vote had been cast. Many challenges exist for governments that wish to transition to electronic voting, but ultimately the system must be very carefully designed not to sacrifice the rights of the voter for the convenience of the election process. Adopting technologies and processes that are easy for voters to understand, use, and verify is crucial to transparent and fair electronic elections.

Geopolitical

Huawei Makes Inroads in U.S. Market

Shenzhen, China-based telecommunications equipment manufacturer Huawei Technologies has won a contract from U.S. cable television provider Cox Communications to install infrastructure systems for a cell phone network, according to the Wall Street Journal. Huawei is also reportedly a finalist for a major Wimax contract offered by Clearwire, another U.S. company. Despite success in emerging markets and more recently in Western Europe, Huawei has long fought to establish itself in the U.S. market, making these developments significant milestones for Huawei.

IntelliShield Analysis: Huawei has long struggled for traction in the Western markets due to concerns that the privately held company is closely connected to the Chinese government. In 2007, Huawei's bid to acquire U.S. partner 3Com was thwarted on national security grounds. Huawei's lost bid to outfit government telecoms in Australia last year was attributed to espionage fears. A press report this weekend documented high-level U.K. government concerns over a deal signed in 2005 for Huawei to modernize the country's telecommunications network.

The two U.S. deals currently on the table will not outfit government networks, although cautious observers will remain skeptical given China's reputation for aggressively acquiring technology overseas. What may be of more immediate concern to Huawei competitors in the U.S. is that this fast-growing company is gaining leverage at a time when the recession has made price a priority. Once established, Huawei will likely remain even after the price advantage becomes less crucial.

Upcoming Security Activity

Black Hat Europe 2009: April 14–17, 2009
RSA Conference 2009: April 20–24, 2009

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following dates:

United States NCAA basketball tournament: March 19–April 6, 2009
April Fools' Day: April 1, 2009
London G20 economic summit: April 2, 2009
United States income tax day: April 15, 2009
India general elections: April 16–May 13, 2009
South Africa general election: April 22, 2009

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit the Cisco Security IntelliShield Alert Manager Service page.

For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit the Trial Registration page.

This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.