Cyber Risk Report

September 24–30, 2012

The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.

Vulnerability

Vulnerability activity for the period was elevated primarily because of continued large updates from major vendors. Cisco released its semiannual Cisco IOS Software Security Advisory Bundled Publication. Cisco releases bundles of Cisco IOS Software Security Advisories on the fourth Wednesday of the month in March and September of each calendar year. The publication included eight Security Advisories that addressed vulnerabilities in Cisco IOS Software, and one advisory that addressed a vulnerability in Cisco Unified Communications Manager. Exploitation of the individual vulnerabilities could result in denial of service (DoS) conditions, interface queue wedges, or Border Gateway Protocol (BGP) session resets. Full details of the advisories and the consolidated Cisco Event Response are available at the Cisco Event Response: Semiannual Cisco IOS Software Security Advisory Bundled Publication. Cisco also released an Applied Mitigation Bulletin: Identifying and Mitigating Exploitation of the Cisco Unified Communications Manager and Cisco IOS Software Session Initiation Protocol Denial of Service Vulnerability.

Google released the Chrome Stable Channel Update for September 2012, which addressed 21 vulnerabilities. Google Chrome users should enable the auto-update feature to install the latest updates and remain current with the latest version. The phpMyAdmin Compromised Source Distribution Issue was reported, and functional exploit code is available as part of the Metasploit framework. Functional code that demonstrates an exploit of the Samba marshaling code remote code execution vulnerability is publicly available, as initially reported in April 2012 in IntelliShield alert 25650.

A new zero-day Oracle Java vulnerability was reported by the same researchers that in August released the Oracle Java Security Manager Bypass Arbitrary Code Execution Vulnerability. Few details have been released and no known attacks are currently exploiting this newest vulnerability. The researchers have claimed they are aware of additional Oracle Java vulnerabilities that could be released in coming weeks. As with the initial Oracle Java zero-day vulnerability and those yet to be released, users are advised to disable the Java web plug-in and may consider disabling and removing Java completely from their systems. Users should be aware that these mitigations could affect the functionality of many websites, including internal business web applications and sites. Users can further protect themselves by using the trusted site functions included in the browsers to limit the websites that can use Java.

In upcoming security activity, the United States and the European Union (EU) have designated October 2012 as National Cyber Security Awareness Month. Additional information and resources are available at the US Stay Safe Online website, US Department of Homeland Security website, and the EU ENISA website.

IntelliShield published 170 events last week: 93 new events and 77 updated events. Of the 170 events, 99 were Vulnerability Alerts, seven were Security Activity Bulletins, 25 were Security Issue Alerts, 36 were Threat Outbreak Alerts, two were Applied Mitigation Bulletins, and one was a Cyber Risk Report. The alert publication totals are as follows:

Weekly Alert Totals

Day         Date         New   Updated   Total
Friday      09/28/2012     5         5      10
Thursday    09/27/2012     8        11      19
Wednesday   09/26/2012    43        16      59
Tuesday     09/25/2012    22        36      58
Monday      09/24/2012    15         9      24
Weekly Total              93        77     170


Previous Alerts That Still Represent Significant Risk

Samba Marshaling Code Remote Code Execution Vulnerability
IntelliShield Vulnerability Alert 25650, Version 9, September 28, 2012
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2012-1182
Samba contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on an affected system. Functional code that demonstrates an exploit in the Samba marshaling code remote code execution vulnerability is publicly available. Samba has confirmed this vulnerability and released updated software.

Microsoft Internet Explorer execCommand Method Use-After-Free Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 26936, Version 4, September 21, 2012
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2012-4969
Microsoft Internet Explorer contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. Functional code that demonstrates an exploit of this vulnerability is publicly available. Microsoft has released security advisory 2757760 and Security Advisory MS12-063 with updated software.

Oracle Java Security Manager Bypass Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 26751, Version 9, September 20, 2012
Urgency/Credibility/Severity Rating: 4/5/4
CVE-2012-4681
Oracle Java contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. Functional code that exploits the vulnerability is publicly available as part of the Metasploit Framework. The Blackhole toolkit is also reported to include an exploit, and multiple threats have been reported targeting this vulnerability. Oracle has confirmed the vulnerability and released software updates. Oracle, Apple, FreeBSD, Red Hat, and IBM have released security advisories and updated software.

Oracle Java Multiple Unspecified Vulnerabilities Update
IntelliShield Security Activity Bulletin 26831, Version 4, September 19, 2012
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2012-0547, CVE-2012-1682, CVE-2012-3136, CVE-2012-4681
Java SE 7 Update 7 mitigates a widely reported vulnerability, CVE-2012-4681, as described in IntelliShield Alert 26751. The update also mitigates two remote code execution vulnerabilities that are due to unspecified errors in the affected software. The three vulnerabilities can be exploited only through untrusted Java Web Start applications and untrusted Java applets on client deployments of the affected software. In addition, a security-in-depth issue in the Abstract Window Toolkit (AWT) has also been addressed. Direct exploitation of the AWT security-in-depth issue is not possible; however, the issue can be used to aggravate security vulnerabilities that can be directly attacked. Oracle, Apple, Red Hat, and IBM have released security advisories and software updates.

OpenSSL ASN.1 asn1_d2i_read_bio() Heap Overflow Vulnerability
IntelliShield Vulnerability Alert 25706, Version 17, September 25, 2012
Urgency/Credibility/Severity Rating: 3/5/3
CVE-2012-2110, CVE-2012-2131
OpenSSL contains a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition. Proof-of-concept code that demonstrates this vulnerability is publicly available. OpenSSL, FreeBSD, Red Hat, HP, Oracle, MonteVista, IBM, Balabit, and VMware have released security advisories and updates.

PHP Hash Collisions Fix Regression max_input_vars Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 25100, Version 6, August 23, 2012
Urgency/Credibility/Severity Rating: 3/5/3
CVE-2012-0830
PHP 5.3.9 contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code or cause a DoS condition on the affected system. Proof-of-concept code that demonstrates an exploit of this vulnerability is publicly available. PHP has confirmed this vulnerability and released updated software. Apple, FreeBSD, Red Hat, and HP have released security advisories and updated software. HP has re-released a security bulletin and updated software to address the PHP hash collisions fix regression max_input_vars arbitrary code execution vulnerability.

PHP php5-cgi Binary Setup Remote Unsanitized Command-Line Parameter Processing Vulnerability
IntelliShield Vulnerability Alert 25816, Version 13, September 21, 2012
Urgency/Credibility/Severity Rating: 3/5/3
CVE-2012-1823
PHP contains a vulnerability that could allow an unauthenticated, remote attacker to disclose sensitive information, cause a DoS condition, or execute arbitrary code. Functional code that exploits this vulnerability is available as part of the Metasploit framework. PHP has confirmed this vulnerability and released updated software. FreeBSD, Red Hat, HP, and Apple have released security advisories and updated software. HP has re-released a security bulletin and updated software to address the PHP php5-cgi binary setup remote unsanitized command-line parameter processing vulnerability.

Adobe Flash Player Unspecified Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 26657, Version 3, August 21, 2012
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2012-1535
Adobe Flash Player contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. Adobe has reported that limited exploitation is ongoing in the wild. Adobe has released a security bulletin and software updates. Functional code that exploits this vulnerability is available as part of the Metasploit framework.

Microsoft Core XML Services Memory Corruption Vulnerability
IntelliShield Vulnerability Alert 26148, Version 5, August 16, 2012
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2012-1889
Microsoft XML Core Services contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. Functional code that exploits this vulnerability is available as part of the Metasploit framework. Reports indicate that exploitation of the Microsoft XML Core Services memory corruption vulnerability has been observed in the wild. Microsoft has released a security bulletin and software updates to address the Microsoft XML Core Services memory corruption vulnerability. Microsoft has re-released a security bulletin and software updates to address the Microsoft XML Core Services memory corruption vulnerability.

Oracle Java SE Java Sandbox Remote Security Bypass Vulnerability
IntelliShield Vulnerability Alert 26159, Version 4, August 15, 2012
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2012-1723
Oracle Java SE contains a vulnerability that could allow an unauthenticated, remote attacker to bypass security restrictions and execute arbitrary code on a targeted system. Functional code that exploits this vulnerability is available as part of the Metasploit framework. Oracle has confirmed the vulnerability and released software updates. Apple, Red Hat, and HP have released security advisories and software updates.

Physical

There was no significant activity in this category during the time period.

Legal

U.S. FBI Investigates Attacks on Banks and Financial Institutions

The U.S. Federal Bureau of Investigation (FBI) is working with the banks, exchanges, and other financial institutions that have been attacked with distributed denial of service (DDoS) for the past weeks. A group calling itself Izz ad-Din al-Qassam, or Qassam Cyber Fighters, posted a message on September 18, 2012, calling for a volunteer DDoS attack named Operation Ababil. The initial attacks targeted Bank of America, the New York Stock Exchange, and JPMorgan Chase; however, the attacks have since shifted to other banks and financial institutions. Multiple government sources originally suggested the attacks may be state sponsored by Iran, but investigators indicated the attacks aligned more with activist groups and methods. The attacks have not compromised the financial systems but have disrupted customer-facing websites, delaying or preventing customer access. The group has continued its attacks and has posted additional messages to claim credit and call for additional volunteers.

IntelliShield Analysis: As we reported in last week's Cyber Risk Report, these attacks have had limited impact; however, they are considered a significant attack on U.S. critical infrastructure. The attacks have attracted the attention of U.S. government representatives, the FBI, and the U.S. Presidential administration. Attribution for these types of attacks is difficult, and the credibility of the group claiming credit is difficult to substantiate. Little was known about the group that claimed credit, and there is little evidence to support the notion of a state-sponsored attack; however, previous attacks by similar, loosely aligned activist groups have appeared to have some level of state support. As in previous attacks, the original volunteer efforts were not likely sufficient to cause disruptions. The group appears to have included botnets in its attacks, which it likely rented or which were operated by entities supporting the group's causes. While the investigations continue, and as with previous activist group DDoS attacks, all organizations should be prepared to respond to these types of attacks, as there are often few warnings or indications of when an organization may be targeted. High-level awareness and network monitoring are critical to detecting and minimizing the impact of pending and actual attacks. DDoS attacks are normally limited in duration and difficult to sustain, which allows prepared organizations to minimize the impact of an attack until it subsides.

Trust

Adobe Revokes Certificates

Adobe has identified and decommissioned valid certificates that are being used with the distribution of two malicious utilities. The malicious utilities present the valid Adobe certificates, causing the user to believe the malicious utilities are trusted files. The decommissioned certificates affect Adobe software signed with the certificates for Windows platforms and Adobe AIR applications for Windows and Apple platforms.

IntelliShield Analysis: Adobe discovered that the certificates had been compromised through an internal development system and is decommissioning the certificates. Multiple malicious code distributors are using either compromised certificates or what may appear to be legitimate certificates in an attempt to convince users that the malicious code is trusted. While the debate about control and management of certificates continues, users should be aware of these criminal techniques and closely review the certificate presentations and warnings that appear during the download and installation of software. If the certificate cannot be validated, users should not install the software, even if it appears to be from a well-known vendor such as Microsoft or Adobe.
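An added example of the check the analysis recommends (not code from the Cisco report): a PowerShell script, which assumes an installer path you supply, that verifies a downloaded file's Authenticode signature and then forces an online revocation check on every certificate in the signing chain, so a binary signed with a certificate that has since been revoked, as in the Adobe case, is rejected rather than trusted on the strength of a "valid" dialog.

```powershell
# Added example, not from the Cisco report. Assumption: $InstallerPath is the
# path of the downloaded installer you want to vet before running it.
param(
    [Parameter(Mandatory = $true)][string]$InstallerPath
)

$sig = Get-AuthenticodeSignature -FilePath $InstallerPath

# Status covers the file hash and basic trust of the signer; anything other
# than Valid (NotSigned, HashMismatch, UnknownError, ...) is a stop.
if ($sig.Status -ne 'Valid') {
    Write-Output "REJECT: signature status is $($sig.Status) for $InstallerPath"
    return
}

# Rebuild the chain under a strict policy: query CRL/OCSP online for every
# certificate in the chain, and treat an unreachable revocation source as a
# failure instead of silently accepting the certificate.
$ns = 'System.Security.Cryptography.X509Certificates'
$chain = New-Object "$ns.X509Chain"
$chain.ChainPolicy.RevocationMode    = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag    = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$chain.ChainPolicy.VerificationFlags = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::NoFlag

# Build() evaluates the chain as of now, so a certificate revoked after the
# file was signed still fails here even if a timestamp made the signature
# itself look valid.
$trusted = $chain.Build($sig.SignerCertificate)

if (-not $trusted) {
    $reasons = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    Write-Output "REJECT: chain validation failed ($reasons)"
    return
}

# Show the fields a user should actually read in the install dialog:
# who signed, who issued, and when the certificate expires.
$cert = $sig.SignerCertificate
Write-Output "Signer : $($cert.Subject)"
Write-Output "Issuer : $($cert.Issuer)"
Write-Output "Expires: $($cert.NotAfter)"
Write-Output "OK: signature valid and no certificate in the chain is revoked"
```

Run it as `.\Verify-Installer.ps1 -InstallerPath C:\Downloads\setup.exe` (file name and path are illustrative); a REJECT line for any reason means the file should not be installed.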

Identity

There was no significant activity in this category during the time period.

Human

There was no significant activity in this category during the time period.

Geopolitical

Venezuelan Elections Highlight Social Media's Role

Venezuela holds presidential elections on Friday, October 7, 2012, pitting incumbent President Hugo Chavez against a popular challenger, Henrique Capriles. If Chavez wins (and most analysts believe he will, despite national polls with confusingly different results), it will give the 14-year incumbent one more 6-year term. The race has played out to an unusual extent on social media, where President Chavez boasts some three million Twitter followers. While in Cuba receiving medical treatment for cancer over the past two years, Chavez is said to have employed a staff of 200 people to manage his Twitter account, particularly when his illness made him less able to make the long in-person speeches for which he is famous. During campaign speeches, Governor Capriles has even accused Chavez of "ruling via Twitter." For his part, the comparatively business-friendly Capriles is more active on Facebook, where he has a numerical advantage over the incumbent.

IntelliShield Analysis: The election outcome will have implications for the global economy. Venezuela continues to be a major exporter of oil, although U.S. dependence on Venezuelan oil has declined during Chavez's tenure as the nation's oil industry has disintegrated and exports to India and China have increased. Most businesses would prefer a Capriles victory. In the wake of increased criticism of Chavez following a deadly oil refinery incident last month, the race has tightened, and some observers say it is a statistical dead heat. In recent years, the popularity of social media in Latin America has given Venezuelan citizens greater freedom of speech, but with the tight race, Capriles says Chavez is curbing those freedoms. Indeed, a Capriles rally was recently blocked on public access television, angering Capriles' supporters.

Venezuelan citizens, as well as foreign investors, need access to accurate information, whether via social media or mass media. This includes polling data and clear communication about Chavez's prognosis and potential successors. Information security specialists may want to watch the outcome carefully, particularly as a backlash against a Chavez victory, while unlikely to lead to widespread instability, could play out in the form of website hacking and other cyber attacks.

Upcoming Security Activity

Oracle OpenWorld: September 30–October 4, 2012
Information Systems Security Association (ISSA) International Conference: October 25–26, 2012
Information Security Forum 23rd Annual World Congress: November 4–6, 2012
Cisco Live Cancun: November 6–8, 2012
Cloud Security Alliance Congress 2012: November 7–8, 2012
Cisco Live London: January 28–February 1, 2013

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following:

U.S. Presidential Debates:
October 3, 2012: University of Denver in Denver, Colorado
October 11, 2012: Centre College in Danville, Kentucky
October 16, 2012: Hofstra University in Hempstead, New York
October 22, 2012: Lynn University in Boca Raton, Florida

U.S. Presidential Election: November 6, 2012
Asia Pacific Economic Cooperation (APEC) Summit: November 7–13, 2012

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit the Cisco Security IntelliShield Alert Manager Service page.

For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit the Trial Registration page.



This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.
