March 9–15, 2009

The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.

Vulnerability

Vulnerability and threat activity levels remained consistent with those of previous weeks. Much of the activity centered on responses to the Microsoft Security Bulletin Release for March 2009. Currently, there are no publicly available reports of attempts to exploit these vulnerabilities to conduct an attack.

Adobe released updated software to address the .pdf file buffer overflow vulnerability in Adobe Acrobat products. This vulnerability is described in IntelliShield alert 17665. The updated software addresses the vulnerability in version 9 of the affected products. Updates for prior versions are reportedly still in development.

The Twitter security team released updates to resolve a spoofing vulnerability in its popular micro-blogging service. The vulnerability affected users who have mobile phones associated with their accounts.
Twitter allows users to send Short Message Service (SMS) messages from mobile phones to update accounts or perform other administrative tasks. Twitter uses separate numbers to accept commands from United States (U.S.) users and from international users. An attacker with knowledge of a user's mobile phone number could perform actions on the user's account as the user. Most U.S.-based mobile phone carriers include protection against sending SMS messages as other users, which would prevent this type of attack against an individual Twitter account. Twitter implemented a PIN protection service to resolve the vulnerability for international services. Some reports indicate attackers can bypass the PIN protection for international accounts and spoof Twitter messages, or "tweets." An attacker with knowledge of a user's U.S. mobile phone account could use the international account update number to spoof the user's U.S.-based Twitter account. An attacker could leverage the vulnerabilities to post messages as the user and, with that ability, perform actions such as delivering spam while obfuscating the origin of the attack.

Attackers are using spam and phishing attacks that exploit the current economic situation, such as fake job application forms and government grant offers, to distribute malware and steal confidential information. Most recently, the scams claim to provide information about the economic stimulus package, including spam e-mail messages and links to malicious websites that supposedly contain important details about stimulus checks. Attackers are also poisoning search engine results so that malicious websites appear in the results for these increasingly popular search topics. Users should examine the URL of search results and the search engine's security rating for the site, when available, to avoid malicious websites.
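The trust-boundary problem in the Twitter item above, as an added illustration that is not Twitter's code or design: an SMS command gateway that keys the PIN requirement to the account's home region, beside a hardened version that keys it to whether the ingress path authenticates the sender ID. The ingress names, account records, and the assumption that U.S. short-code traffic carries a carrier-authenticated sender ID are all constructed for this example.

```python
import hmac

# Assumption for the example: does the carrier path behind each ingress number
# vouch for the sender ID? The report states U.S. carriers protect against
# sending as other users; the international path is modelled as not doing so,
# so a sender ID arriving there is only a claim.
SENDER_AUTHENTICATED = {"us-shortcode": True, "intl-longcode": False}

# Constructed sample accounts: phone number -> account record.
ACCOUNTS = {
    "+15550100001": {"user": "alice", "region": "us", "pin": None},
    "+44555010002": {"user": "bob", "region": "intl", "pin": "4821"},
}


def _pin_ok(acct, pin):
    """Constant-time PIN comparison; an account with no PIN enrolled never passes."""
    return (acct["pin"] is not None and pin is not None
            and hmac.compare_digest(acct["pin"], pin))


def authorize_weak(ingress, sender, pin=None):
    """Region-keyed policy: a PIN is checked only for international accounts.
    A U.S. account reached over the international ingress is accepted on the
    claimed sender ID alone, which is the spoofing path the report describes."""
    acct = ACCOUNTS.get(sender)
    if acct is None:
        return None
    if acct["region"] == "intl" and not _pin_ok(acct, pin):
        return None
    return acct["user"]


def authorize_hardened(ingress, sender, pin=None):
    """Ingress-keyed policy: whenever the path cannot authenticate the sender,
    require a PIN regardless of the account's home region. Accounts with no
    PIN enrolled simply cannot command the service over that path."""
    acct = ACCOUNTS.get(sender)
    if acct is None:
        return None
    if not SENDER_AUTHENTICATED[ingress] and not _pin_ok(acct, pin):
        return None
    return acct["user"]
```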
Also in malicious code activity this week, Microsoft has updated the Malicious Software Removal Tool to include Win32/Koobface in its disinfection routines. The tool has been very successful and is widely known for removing such malware as Blaster, Sasser, and Mydoom. Microsoft's action is another positive development in the role major corporations play in stopping malware.

IntelliShield published 130 events last week: 37 new events and 93 updated events. Of the 130 events, 106 were Vulnerability Alerts, eight were Security Activity Bulletins, five were Malicious Code Alerts, four were Threat Outbreak Alerts, three were Security Issue Alerts, two were Applied Mitigation Bulletins, and two were Cyber Risk Reports. The alert publication totals are as follows:

Weekly Alert Totals
Significant Alerts for March 9–15, 2009

Adobe Acrobat Products PDF File Buffer Overflow Vulnerability

Previous Alerts That Still Represent Significant Risk

Microsoft Office Excel Invalid Object Arbitrary Code Execution Vulnerability

Microsoft Excel and related products contain a vulnerability that could allow a remote attacker to execute arbitrary code. Attackers are actively exploiting this vulnerability to conduct limited malicious code attacks that are designed to infect targeted systems with a variant of the Mdropper family of trojans. This family of trojans is detailed in IntelliShield alert 12562. Microsoft has confirmed this vulnerability, but updated software is not available.
Misconfigured Router Causes Increased BGP Traffic and Isolated Outages for Internet Services

On Monday, February 16, 2009, a misconfigured router from SuproNet, a Czech Internet Service Provider, caused high increases in Border Gateway Protocol (BGP) updates as well as isolated outages for Internet services around the world. The disruption was caused by a SuproNet router issuing routing announcement updates that contained overly long Autonomous System (AS) paths. Cisco Security Intelligence Operations has released additional technical information and workarounds to mitigate denial of service conditions that result from overly long AS paths. This information is available in IntelliShield alert 17670. OpenBSD has fixed a similar flaw, which is described in IntelliShield alert 17658.

Microsoft Internet Explorer Uninitialized Memory Corruption Vulnerability

Microsoft Internet Explorer version 7.0 contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code or crash the browser, resulting in a denial of service condition. On systems that grant users Administrator privileges, an attacker could execute code that may result in the complete compromise of the affected system. Reports have confirmed the existence of exploit code that is being delivered using a Microsoft Office Word document saved in an XML format. Exploits have been observed wherein attackers build Word documents using XML constructs, save them as .doc files, and deliver the malicious document via e-mail or host it on websites. Several antivirus vendors are reporting the activity.

Worm: W32.Waledac

W32.Waledac is a worm that attempts to open a back door on an infected system. The worm propagates by sending a copy of itself to e-mail addresses on the infected system. Recently, the Waledac family was observed disguising itself as valentine-related e-cards.
The e-mail messages are configured to take advantage of interest in current events or holidays to convince users to open their attachments. W32.Waledac may download files on an infected system and provide an attacker with backdoor access. The worm also attempts to steal confidential information that is related to numerous online banking entities.

Worm: W32/Conficker.worm

W32/Conficker.worm is a worm that is quickly propagating across many networks. The worm has reportedly infected millions of systems. One propagation routine of the worm involves exploiting the Microsoft Windows Server service remote procedure call (RPC) request handling code execution vulnerability, which is described in IntelliShield alert 16941. The worm prevents the system from accessing essential antivirus and security-related websites, which makes diagnosis and removal efforts more difficult. Administrators are advised to apply the MS08-067 Microsoft update to prevent attacks by the worm and to isolate any suspected infected systems until they can be fully restored.

Physical

Goodyear Equipment Photographed by Spies

Two engineers employed by Wyko Tire Technology, a British manufacturing company, have been charged with theft of trade secrets after photographing sensitive equipment at the Goodyear factory located in Topeka, Kansas. Clark Roberts and Sean Howley allegedly used mobile phones to photograph sensitive equipment used for manufacturing a particular type of tire. The two then sent the pictures to employees at the Wyko factory in Dudley Midlands, United Kingdom, to create a similar machine under a contract for a manufacturer in China. The United States Department of Justice has charged the engineers with 12 felony counts of theft of trade secrets and wire fraud. Howley and Roberts could face 150 years in prison and a fine of US$2.75 million.
IntelliShield Analysis: Theft of trade secrets and proprietary information continues to threaten companies around the globe. While many reports focus on the theft of electronic data from networks and systems, this incident highlights the threat from mobile phone cameras and other similar technologies that allow individuals to surreptitiously photograph or record information. Businesses may consider restricting these types of technologies for guests who are touring facilities or attending meetings and briefings. Establishing policies and posting warnings can assist employees in enforcing the policies and preventing confrontations with visitors and guests.

Legal

Germany Ratifies Cybercrime Treaty

Representatives of 72 countries met at a cyber crime conference recently to continue work on developing and ratifying worldwide cyber crime laws. The number of countries represented is up from the 65 countries that attended the conference in 2008. Currently, 24 countries have ratified the treaty, with Germany being the latest, and a further 23 countries have signed but not ratified it. The conference allows representatives from different countries to meet and discuss the cyber crime laws that need to be implemented and explore ways to enforce such laws on an international basis.

IntelliShield Analysis: With the increase of cyber crime in the world, especially the rise of organized cyber crime across international borders, it is important that the countries of the world present a united front against this criminal threat. The Council of Europe (COE), with 47 Member States, is spearheading the project. Increased cooperation between law enforcement agencies has had limited success, but legal barriers still restrict the agencies' ability to pursue these cases.
Trust

Progressive Hydraulics Employee Deletes Critical Information

Gareth Pert, a former employee of Progressive Hydraulics, pleaded guilty to deliberately deleting critical files from the backup systems of Progressive Hydraulics. Pert gained access to the backup systems by stating that he needed to fix a corrupt file located on the systems. After receiving access, he proceeded to wipe all contents from that backup system plus two others. Pert's action has reportedly cost the company hundreds of thousands of dollars in damages attributable to the business and data recovery impact.

IntelliShield Analysis: Pert had already been disciplined by his employer and identified as having issues over claimed work hours and pay. Even with this employee history, he was still given access to sensitive data and to the backup systems. The employer may have seen the disciplinary actions as minor issues. They could also have been seen as red flags that might have alerted the company to a disgruntled employee whose access should have been restricted or more closely monitored. While this is a sensitive matter requiring the coordination of a team of management, human resources, and legal representatives, this case demonstrates that the damage to a company's systems from not taking swift action can be very high.

Identity

Sprint Employee Fired for Disclosing Customer Details

Sprint has issued a letter to fewer than one percent of its customers alerting them to a breach of personal details allegedly perpetrated by a former employee. The company noted that from December 2008 to January 2009, thousands of records were accessed outside of the employee's authority. The employee is believed to have provided the account details to a third party, and the customer information may have been used to perpetrate fraud.
IntelliShield Analysis: Organizations are increasingly sensitive to the disclosure of personally identifying information and, like Sprint, are turning to technologies for data leakage protection and custom application controls to spot trends that may result in unacceptable disclosures. Internal users often need access to significant amounts of information to do their jobs effectively, and it is not always feasible to prevent them from seeing some of that information. In many cases, controls can spot trends such as employees accessing information that is not needed to perform their job, accessing information in excessive amounts, or performing these functions at unusual times. Companies should continue to seek a balance between enabling users to perform required tasks and monitoring and restricting access to sensitive information.

Human

Phishers Find Vulnerable New Friends in Social Networks

Around the world, one minute out of every 11 online minutes is spent on Twitter and other social networks and blogs, according to a recent Nielsen Online survey. The market research firm released survey results reporting that the use of social networks has risen by 66.8 percent over the past year, globally surpassing the use of e-mail at 65.1 percent. Internet users and companies large and small are stepping away from their e-mail inboxes an average of three hours and 10 minutes every month to update their status on Facebook and other social networking sites. The survey data was gathered in the United States, Brazil, the United Kingdom, France, Germany, Italy, Spain, Switzerland, and Australia.

IntelliShield Analysis: Web 2.0 users are finding love, friends, former classmates, and business contacts through online social networks and communities, yet most Internet security companies have remained focused on making e-mail safer.
Companies spend large amounts of resources on e-mail security to protect against data theft, leaks, and malicious attacks, but not on Web 2.0 security, in part because few security products are available for it. Scammers, spammers, and phishers blocked by e-mail filters and firewalls have taken their criminal business to social networks. Social engineering to compromise user information and accounts may be particularly profitable because individuals divulge so much personal information in community spaces they perceive as trustworthy. Until Internet security companies catch up with Web 2.0-era communication practices, users should be advised not to share particularized information on social networks. Users should also be aware of threats, such as the Koobface worm, that can spread malcode at wildfire speed through social networking sites. As always, users should verify the authenticity of unexpected links on online pages.

Geopolitical

Pakistan Protests Coordinated Online

In a bid to regain control following a chaotic weekend of riots and demonstrations, the government of Pakistan astonished international observers Monday by reinstating Pakistan's ousted chief justice, a key demand of protestors. Military police attempted to muzzle the opposition by arresting and beating protestors who oppose President Asif Ali Zardari and support lawyers and judges banned from the country's courts. The weekend's so-called Long March marked the broadest political violence since the assassination of Benazir Bhutto in 2007 and raised fears that Pakistan was descending into chaos. Outlawed from gathering in public, many protestors coordinated their activities online, using blogs, e-mail, text messaging, and real-time Twitter updates, according to press reports.

IntelliShield Analysis: Reinstating the Chief Justice Mohammad Chaudhary may quiet the streets of Islamabad, but it will almost certainly weaken President Zardari.
Moreover, the continued availability of popular Internet protest chatter suggests that those in power have been unable to block it or have not seen it in their best interest to do so. Another government change appears increasingly likely; indeed, the military, said to be the ultimate power brokers in Pakistan, reportedly pressured Zardari to give in to the protestors' demands. The specter of another regime change in nuclear-armed Pakistan raises risks not only for multinational businesses with operations in Pakistan and neighboring India, but also has negative implications for the ongoing multinational effort to quell extremist militant movements in the region.

Miscellaneous

DDoS Attacks Against Korean Game Rating Board and Mininova.org

On March 4, 2009, the home page of the Korean Game Rating Board was hit by a distributed denial of service (DDoS) attack that put the website out of commission until March 9. As a result of the attack, the gaming industry was affected because users were not able to check game ratings and use other functions. This is the first known major attack against the Korean public civil service.

IntelliShield Analysis: Political movements have often been seen as the motive behind DDoS attacks. DDoS attacks can take a website down for hours or even days, rendering the site unusable. While most networks are protected against high-impact DDoS attacks, the site owner is usually taken by surprise and is not equipped to handle such intense traffic. Botnets are major contributors to DDoS attacks because they comprise hundreds or thousands of attacker-controlled, infected computers that can be commanded to attack at any given time, with devastating effects.
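Returning to the overly long AS-path item in the Vulnerability section above: the mitigation Cisco published for that condition is a length limit on received AS paths. The following is an added example, not Cisco's workaround or any router's code, of how a receiving router can decode the BGP AS_PATH attribute (RFC 4271 wire format), count the path length the way best-path selection does, and refuse an update whose path exceeds a configured maximum; a truncated attribute is rejected rather than being allowed to crash the parser. The limit of 75 and the ASNs in the samples are constructed values.

```python
import struct

AS_SET, AS_SEQUENCE = 1, 2   # segment type codes from RFC 4271


def parse_as_path(attr, asn_width=2):
    """Decode an AS_PATH attribute value into a list of (segment_type, [asn, ...]).

    asn_width is 2 for classic 16-bit ASNs and 4 when the session negotiated
    4-byte ASNs. Raises ValueError on a truncated or malformed attribute.
    """
    fmt = ">H" if asn_width == 2 else ">I"
    segments, pos = [], 0
    while pos < len(attr):
        if pos + 2 > len(attr):
            raise ValueError("truncated segment header")
        seg_type, count = attr[pos], attr[pos + 1]
        pos += 2
        if seg_type not in (AS_SET, AS_SEQUENCE):
            raise ValueError("unknown segment type %d" % seg_type)
        body = attr[pos:pos + count * asn_width]
        if len(body) != count * asn_width:
            raise ValueError("truncated segment body")
        asns = [struct.unpack(fmt, body[i:i + asn_width])[0]
                for i in range(0, len(body), asn_width)]
        segments.append((seg_type, asns))
        pos += len(body)
    return segments


def as_path_length(segments):
    """Hop count as RFC 4271 best-path selection computes it: each ASN in an
    AS_SEQUENCE counts one, an AS_SET counts one regardless of its size."""
    return sum(len(asns) if t == AS_SEQUENCE else 1 for t, asns in segments)


def accept_update(attr, max_as, asn_width=2):
    """Ingress policy: install the route only if its AS path parses cleanly and
    is no longer than max_as. A malformed attribute is rejected (treated like a
    withdraw) instead of being allowed to crash or reset the session."""
    try:
        segments = parse_as_path(attr, asn_width)
    except ValueError:
        return False
    return as_path_length(segments) <= max_as


def build_as_path(segments, asn_width=2):
    """Encode segments back to wire format (used here to construct sample data)."""
    fmt = ">H" if asn_width == 2 else ">I"
    out = b""
    for seg_type, asns in segments:
        out += bytes([seg_type, len(asns)]) + b"".join(struct.pack(fmt, a) for a in asns)
    return out


if __name__ == "__main__":
    # Constructed samples: a normal 3-hop path and a 300-hop prepended path.
    normal = build_as_path([(AS_SEQUENCE, [64500, 64501, 64502])])
    long_path = build_as_path([(AS_SEQUENCE, [65001] * 255), (AS_SEQUENCE, [65001] * 45)])
    print(accept_update(normal, 75), accept_update(long_path, 75))  # True False
```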
Upcoming Security Activity

CanSecWest Vancouver 2009: March 16–20, 2009

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following dates:

United States NCAA Basketball Tournament: March 19–April 6, 2009

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit

For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit

This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.
