May 4–10, 2009

The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.

Vulnerability

Vulnerability levels for the period remained consistent with recent weeks. While no significant vulnerabilities were disclosed during the period, reporting activity continues to surround the recently disclosed PDF vulnerabilities. IntelliShield published 62 events last week: 30 new events and 32 updated events. Of the 62 events, 49 were Vulnerability Alerts, one was a Security Activity Bulletin, four were Threat Outbreak Alerts, six were Security Issue Alerts, one was a Malicious Code Alert, and one was the Cyber Risk Report. The alert publication totals are as follows:

Weekly Alert Totals
Previous Alerts That Still Represent Significant Risk

Worm: W32/Conficker.worm

W32/Conficker has changed its command and control communications methods and begun to download malicious files to the infected systems. Conficker has now changed from malicious code that infects vulnerable systems to an operational botnet. Conficker is expected to continue to infect vulnerable systems, change command and control communication, and download additional malicious files to the infected systems.

Adobe Reader getAnnots Function Buffer Overflow Vulnerability

Adobe Reader and Acrobat 9.1, 8.1.4, and 7.1.1 and earlier versions contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code with the privileges of the user. The vulnerability is due to insufficient boundary checking on annotation parameters in Adobe PDF documents. An unauthenticated, remote attacker could exploit this vulnerability by convincing a user to view a malicious PDF. If the user views the document, the attacker could execute arbitrary code with the privileges of the user. Proof-of-concept code is available. Adobe has confirmed this vulnerability and provided an official workaround.

Adobe Acrobat Products PDF File Buffer Overflow Vulnerability

Adobe Reader, Adobe Acrobat Professional, Acrobat Professional Extended, and Acrobat Standard contain a buffer overflow vulnerability that could allow a remote attacker to create a denial of service condition or execute arbitrary code with the privileges of the user. The level of user privileges and the code that is executed determine the degree to which the system is compromised. This vulnerability is actively being exploited in the wild by the Pidief family of trojans. Additional information about the trojan is available in IntelliShield Alert 14388. Adobe has confirmed the vulnerability and released updated software.
Microsoft Office Excel Invalid Object Arbitrary Code Execution Vulnerability

Microsoft Excel and related products contain a vulnerability that could allow a remote attacker to execute arbitrary code. Attackers are actively exploiting this vulnerability to conduct limited malicious code attacks that are designed to infect targeted systems with a variant of the Mdropper family of trojans. This family of trojans is detailed in IntelliShield Alert 12562. Microsoft has confirmed this vulnerability, but updated software is not available.

Microsoft Internet Explorer Uninitialized Memory Corruption Vulnerability

Microsoft Internet Explorer Version 7.0 contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code or crash the browser, resulting in a denial of service condition. On systems that grant users Administrator privileges, an attacker could execute code that may result in the complete compromise of the affected system. Reports have confirmed the existence of exploit code that is delivered using a Microsoft Office Word document saved in the XML format. Exploits have been observed wherein attackers build Word documents using XML constructs, save the documents as .doc files, and deliver the malicious documents via e-mail or host them on websites. Several antivirus vendors are reporting the activity.

Worm: W32.Waledac

W32.Waledac is a worm that attempts to open a back door on an infected system. The worm propagates by sending a copy of itself to e-mail addresses found on the infected system. The e-mail messages are configured to take advantage of interest in current events or holidays to convince users to open the malicious e-mail attachments. W32.Waledac may download files on an infected system and provide an attacker with backdoor access. The worm also attempts to steal confidential information that is related to numerous online banking entities.
Physical

2008 US National Counterterrorism Center Terrorist Activities Report

The U.S. National Counterterrorism Center has released the 2008 report on terrorist activities across the globe. The 78-page report includes a wealth of data and statistics across a wide range of terrorist activities and organizations from the years 2005 through 2008. The detailed data breaks down terrorist activities by country, types of attacks, numbers and classification of victims, organizations responsible, and analysis of identified trends.

IntelliShield Analysis: This is a very complex report with many caveats and qualifiers that should be carefully read and analyzed. The tendency to immediately create graphical representations of the data will likely give the reader incorrect impressions and perceptions of the activities. There are identifiable trends that could be important when adjusting physical security measures to the evolving terrorism threat. The report also shows an interesting reliance on data and reporting from open source terrorism databases, which are credited with evolving favorably over the past decade. The report details some serious concerns with the data from these open sources, as they rely heavily on media and government reporting, but credits them with providing terrorism information that would otherwise be unavailable. There is particular concern for those with personnel and offices in areas where there is a documented threat of terrorist activities.

Legal

Hacker Demands US $10 Million for Release of Stored Data

A hacker has claimed to have broken into the Virginia Department of Health Professions (DHP) Prescription Monitoring Program (PMP) and destroyed the data. Before destroying the data on the state's servers, the hacker claims to have created an encrypted copy. The attacker is demanding 10 million dollars from the State of Virginia for the release of the key to unlock the encrypted data.
Neither the Virginia police nor the Virginia PMP office would confirm or deny the situation; however, the PMP web site is currently out of commission.

IntelliShield Analysis: While we do not know if this program was under HIPAA jurisdiction, the incident highlights the problem of storing personal information in databases that are connected to the Internet. It is also unclear if the backups were lost as the hacker claims. Most businesses store backups off-site for disaster recovery purposes. The silence from the Virginia Police and the Virginia PMP may be due to legal constraints while the case is being investigated.

Trust

Wikipedia Hoax Reveals Prevalence of Wikipedia Use by Journalists

A Wikipedia hoax in the form of words purportedly expressed by the late composer Maurice Jarre has exposed a lack of fact-checking by Britain's Daily Mail, The Guardian, the London Independent, BBC Music News, and many other news outlets in the United States, India, and Australia. Corrections were issued when the Irish Times reported that the actual author was a 22-year-old student studying globalization at University College Dublin. According to news reports, the student conceived the hoax as a demonstration of the extent to which journalists rely on Wikipedia as a primary source.

IntelliShield Analysis: The student, Shane Fitzgerald, attached his quote to a Wikipedia article about Jarre shortly after Jarre's death in March 2009, and Wikipedia editors removed it because it lacked a citation. However, Fitzgerald reattached it, and the fabricated quote remained in place long enough for journalists around the world to find it and incorporate it into obituaries and tributes. Fitzgerald's hoax highlights the risk of trusting a sole source to serve as authoritative fact. Individuals responsible for the security of employees, businesses, or governments need to consult multiple sources and verify the accuracy of sources before distributing critical or even casual information.
Researchers are working on tools to check website credibility, but in the interim, users are advised to exercise caution in relying on any single source of information for credible intelligence.

Identity

University Researchers Assume Control of Botnet

A group from the University of California studied the Torpig/Sinowal malicious software network in order to study facets of its data collection activities. The researchers were able to exploit a flaw in the malicious software's command and control scheme, allowing them to gain temporary control. The data collected by the researchers includes 70 GB of web, e-mail, and system accounts, as well as submitted form data that may include personally identifiable information such as credit card numbers, bank accounts, addresses, and other information. The researchers studied the botnet for the ten days that they were in control. After their control was defeated, the researchers contacted law enforcement authorities and ISPs to contact victims affected by the data loss.

IntelliShield Analysis: Data gathered from the botnet seizure reveals the target and scope of data captured by an active botnet. The amount of personal data captured by the single botnet is massive, although much of the information may be inaccurate, redundant, or unusable. It also shows how quickly a botnet can work, gathering a great deal of the information in a span of ten days. Because of the rapid gathering of information, it may be difficult to protect end-user systems from data loss, as even an infection lasting a few days can allow for the collection of large amounts of data. Preventing initial infections, rather than cleaning infections when they happen, should be the goal of any anti-malware strategy.
Human

Flight Crew Data Entry Error Highlights Importance of Adherence to Established Procedures

Data entered incorrectly by the crew of an Emirates A340-500 preparing for a flight from Melbourne, Australia to Dubai resulted in damage to the aircraft and ground-based navigation equipment as well as an in-flight emergency. The aircraft was eventually forced to return to Melbourne. The plane's take-off weight had been submitted as 100 metric tons lighter than the actual weight. As a result, the computers that calculate thrust and lift-off speed had specified lower values than required to safely depart the runway. A last-moment realization of the situation by the pilot, who subsequently applied maximum thrust, avoided a major incident and loss of life.

IntelliShield Analysis: The efficacy of technology designed to enhance both the safety and the operational efficiency of a sophisticated system or process relies on the input of accurate data. When human interaction is part of the input process, the likelihood of an error being introduced into the data increases. Many of the routine tasks performed in modern aircraft are handled by on-board flight management systems (FMS), which are designed to rely on verification by the flight crew as a safety measure. Normal cockpit procedure requires that the pilot in command cross-check flight data and checklists with the second in command. Rigorous and consistent adherence to procedures designed to detect errors can significantly reduce the possibility of the unfortunate scenario exemplified by the actions of the Emirates flight crew.

Geopolitical

NATO–Russia Tensions Increase Telecom Infrastructure Risk

The North Atlantic Treaty Organization (NATO) has begun a month of military exercises in the former Soviet state of Georgia, amid heightened tensions between NATO allies and Russia. These exercises, which had been scheduled since well before Russia's incursion into Georgia last August, are nevertheless considered provocative by Moscow.
Compounding tensions, NATO, Russia, and Georgia have engaged in retaliatory diplomatic expulsions in recent weeks, amid accusations of espionage. These problems take place against a backdrop of instability in Georgia, which has been steadily building since the August 2008 war in Ossetia. Georgian President Saakashvili is under increasing pressure to resign, including most recently a foiled military coup attempt, which Saakashvili charged was bankrolled by Russia.

IntelliShield Analysis: With Georgia in a politically charged and precarious situation, the risk of critical business data and communications infrastructure becoming a casualty of geopolitics increases. Recent events are particularly worrisome given accusations that critical infrastructure, both communications and energy, has been targeted in recent years for political ends in former Soviet states. Incidents include not only the 2007 Estonian cyber-riots, but more recently evidence that Internet connectivity and government websites in Georgia were attacked by still unidentified entities during the August 2008 Russian incursion. Information security professionals with assets in the former Soviet republics as well as across NATO member nations may wish to monitor the evolving situation carefully.
Upcoming Security Activity

CSI SX Security Exchange: May 17–21, 2009

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following dates:

India General Elections: April 16–May 13, 2009

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit

For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit

This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.
