Cyber Risk Report

September 27–October 3, 2010

The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.

Vulnerability

Vulnerability activity decreased during the period and for the month of September 2010. Although September activity levels were low compared with previous months of 2010, the cumulative annual level of activity remains slightly above 2009 levels, with the focus remaining on application-level vulnerabilities and exploits in widely distributed products.

Vulnerability highlights for the period include multiple security advisories by IBM for the Tivoli Storage Manager FastBack Server, an ISC BIND DNS Cache ACL Misconfiguration Issue, a Trend Micro Internet Security Pro ActiveX Control Arbitrary Code Execution Vulnerability, and a VMware Workstation VMkbd.sys Local Denial of Service Issue.

Public exploit code was released for the Microsoft Windows Cinepak Codec Media Decompression Arbitrary Code Execution Vulnerability, Microsoft Office Excel Record Parsing Arbitrary Code Execution Vulnerability, and Microsoft Windows and Office Uniscribe Font Parsing Arbitrary Code Execution Vulnerability. These alerts, updates, and mitigations are available on the Cisco Security Intelligence Operations web site.

Discussion and research on the Stuxnet malicious code continue. Symantec released new research and findings in its W32.Stuxnet Dossier, and additional research and analysis of Stuxnet is being widely distributed in the security media. Cisco Security Intelligence Operations is closely monitoring this research and activity and is updating the Stuxnet-related IntelliShield alerts with the latest validated findings.

October has been designated Cyber Security Awareness Month in the United States (U.S.) and Canada. Cisco Security Intelligence Operations frequently cites user awareness as one of the strongest prevention methods. The U.S. Department of Homeland Security has released related information, training materials, and events for Cyber Security Awareness Month, and multiple security organizations have posted additional materials. Organizations are encouraged to review the material and consider the training and event opportunities to improve user awareness.

IntelliShield published 92 events last week: 40 new events and 52 updated events. Of the 92 events, 64 were Vulnerability Alerts, four were Security Activity Bulletins, seven were Security Issue Alerts, 15 were Threat Outbreak Alerts, one was an Applied Mitigation Bulletin, and one was a Cyber Risk Report. The alert publication totals are as follows:

Weekly Alert Totals

Day           Date         New   Updated   Total
Friday        10/01/2010     6        24      30
Thursday      09/30/2010    17        16      33
Wednesday     09/29/2010     2         5       7
Tuesday       09/28/2010     9         4      13
Monday        09/27/2010     6         3       9
Weekly Total               40        52      92


2010 Monthly Alert Totals

Month          New   Updated   Monthly Total
January        158       259             417
February       177       253             430
March          194       324             518
April          208       167             375
May            148       174             322
June           240       294             534
July           212       210             422
August         255       286             541
September      190       167             357
Annual Total  1782      2134            3916


Significant Alerts for September 27–October 3, 2010

Microsoft ASP.NET Information Disclosure Vulnerability
IntelliShield Vulnerability Alert 21398, Version 4, September 28, 2010
Urgency/Credibility/Severity Rating: 3/5/3
CVE-2010-3332

Microsoft has re-released a security advisory with an updated workaround to address the ASP.NET information disclosure vulnerability.

bzip2 Integer Overflow Remote Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 21411, Version 2, September 29, 2010
Urgency/Credibility/Severity Rating: 2/5/3
CVE-2010-0405

The bzip2 program contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on the system. Updates are available.

Previous Alerts That Still Represent Significant Risk

Multiple Adobe Products Remote Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 21358, Version 3, September 23, 2010
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2010-2884

Adobe has released a security bulletin and updated software to address the remote arbitrary code execution vulnerability in Flash Player. Red Hat and FreeBSD have also released security advisories and updated packages to address the vulnerability.

Microsoft Windows Applications Insecure Library Loading Behavior
IntelliShield Vulnerability Alert 21215, Version 3, August 30, 2010
Urgency/Credibility/Severity Rating: 2/5/4

Microsoft has released a security advisory that details an application behavior that could affect a large number of Windows-based applications. An unauthenticated, remote attacker could exploit the vulnerability to execute arbitrary code with the privileges of the user.

Adobe Acrobat and Reader cooltype.dll Remote Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 21093, Version 4, August 20, 2010
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2010-2862

Adobe Acrobat and Reader contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on the targeted system. Proof-of-concept code that demonstrates an exploit of this vulnerability is publicly available. Adobe has confirmed this vulnerability and software updates are available.

Multiple Vendor PDF Viewer /launch Program Execution Attack
IntelliShield Vulnerability Alert 20294, Version 3, August 20, 2010
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2010-1240

Adobe has released a security bulletin and updated software to address the multiple vendor PDF viewer /launch program execution attack.

Microsoft Windows Win32k Kernel Driver Window Creation Privilege Escalation Vulnerability
IntelliShield Vulnerability Alert 21027, Version 3, August 12, 2010
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2010-1897

Exploits of the Microsoft Windows Win32k kernel driver window creation privilege escalation vulnerability are currently being observed in the wild.

Microsoft Windows XML Core Services Response Handling Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 21021, Version 2, August 11, 2010
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2010-2561

Proof-of-concept code that exploits the Microsoft Windows XML core services response handling arbitrary code execution vulnerability is publicly available. The alert update also indicates an increase in urgency.

Microsoft Windows Tracing Feature for Services Registry Key Access Control Lists Privilege Escalation Vulnerability
IntelliShield Vulnerability Alert 21018, Version 3, August 11, 2010
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2010-2554

Exploits are currently being observed in the wild. Microsoft is aware of an increase in the number of targeted attacks that use the readily available exploit code.

Microsoft Windows Server Message Block Packet Processing Pool Overflow Remote Code Execution Vulnerability
IntelliShield Vulnerability Alert 21014, Version 4, August 11, 2010
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2010-2550

Exploits are currently being observed in the wild. Microsoft is aware of an increase in the number of targeted attacks that use the readily available exploit code.

Microsoft Windows Kernel Win32k Driver Exception Handling Privilege Escalation Vulnerability
IntelliShield Vulnerability Alert 21024, Version 2, August 11, 2010
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2010-1894

Proof-of-concept code that demonstrates an exploit of the Microsoft Windows Kernel Win32k driver exception handling privilege escalation vulnerability is publicly available. This updated alert indicates an increase in the urgency.

Microsoft Windows .lnk File Processing Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 20918, Version 5, September 11, 2010
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2010-2568

Microsoft has released a security bulletin and updates to address the Windows .lnk file processing arbitrary code execution vulnerability. Functional exploit code that is a part of the Metasploit framework is publicly available.

Microsoft Windows .lnk File Vulnerability Used for Malware Outbreak Targeting SCADA Systems
IntelliShield Vulnerability Alert 20915, Version 6, August 27, 2010
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2010-2568

Microsoft has released a security bulletin along with software updates to address the vulnerability exploited by malicious software.

Transport Layer Security Renegotiation Remote Man-in-the-Middle Attack Vulnerability
IntelliShield Vulnerability Alert 19361, Version 62, September 20, 2010
Urgency/Credibility/Severity Rating: 2/5/3
CVE-2009-3555

Multiple Transport Layer Security (TLS) implementations contain a vulnerability when renegotiating a TLS session that could allow an unauthenticated, remote attacker to conduct a man-in-the-middle attack. Proof-of-concept code that exploits this vulnerability is publicly available. HP has released an additional security bulletin and updated software to address this vulnerability.

Physical

Terror Threats and Protests Obstruct Operations in Europe

Media sources reported the discovery and disruption of plans to launch attacks across targets in Europe. The reports come after the recent evacuation of the Eiffel Tower in response to a bomb threat for the second time in two weeks. As a result of the reports of potential attacks in Europe, the U.S. Department of State released a precautionary travel advisory. Additionally, tens of thousands of protestors in Greece, Spain, Portugal, and Belgium marched in opposition to austerity measures adopted by those governments. The ongoing events contributed to a general feeling of unease in many parts of Europe.

IntelliShield Analysis: The emergence of austerity protests may mark a growing trend of demonstrative opposition to government cuts. With more workers unemployed, additional protests and even more disruptive activities may occur. In combination with the terror attack warnings, the disruptive nature of protests on travel and business operations may cause businesses to review disaster recovery and alternate worker transit plans to have a ready response for potential events.

Legal

There was no significant activity in this category during the time period.

Trust

ZeuS Attacking Two-Factor Authentication Through SMS Messages

Researchers with S21sec and Fortinet have detailed a new piece of malware targeting Symbian and BlackBerry phones. The malicious code seems to have been designed to coordinate attack efforts with ZeuS malware on the desktop for instances where banks have protected their logins through out-of-band codes sent via SMS. Infection begins on the desktop, and then via social engineering, the attackers attempt to extract information about victims' mobile phones. Once obtained, this information is used to launch malware against the phone, which arrives under the guise of a security certificate update. If malware is present both on the phone and the desktop, the phone can be used to capture the incoming SMS authorization codes and relay them to the attacker, who can pair those codes with the credentials stolen from the desktop keyboard to gain access to the victim's account.

IntelliShield Analysis: The move by attackers to compromise mobile phones, and thereby the out-of-band security codes delivered to them, is significant. Mobile device usage, especially of smartphones, is an emerging attack surface with few native technical defenses available. Still, attacks that attempt to coordinate infection between mobile and traditional environments are considerably more complex and may not be a significant threat at this stage. Until more defenses emerge in software, from service providers, or elsewhere, users should be reminded of the best practices that protect against social engineering attacks.

Identity

There was no significant activity in this category during the time period.

Human

The Use of Social Media Information for Job Hiring

A new California-based startup firm is using personal yet publicly shared data to provide background checks for companies to screen candidates for employment. Information routinely posted to social networking sites such as Facebook, Twitter, and LinkedIn is being used to put together a more complete depiction of a person's character than what is presented in a typical resume.

IntelliShield Analysis: For those who lead a nondescript lifestyle, this service presents little cause for worry beyond a possible privacy concern, since this information was not intended for the eyes of potential or current employers. The sharing of this data does, however, accentuate the fact that information (text, video, still photos, etc.) published on the Internet through social networking sites has a long lifetime and can be made available to parties for whom it was never intended.

Geopolitical

Brazil Chooses a New President

This past weekend, Brazilians went to the polls to elect a new president to replace the outgoing and hugely popular President Lula da Silva. President Lula's handpicked successor, Dilma Rousseff, did not receive enough votes to win outright, so a runoff against Jose Serra will take place next month. A former Energy and Mines Minister and Chief of Staff, Rousseff—a member of the left-leaning ruling Workers' Party (PT)—is almost certain to win the runoff. She is an experienced administrator but has never before run for elected office. She is seen as levelheaded, pragmatic, and unlikely to rock the boat by making sweeping changes or instituting radical reforms. She is said to be less charismatic and is certainly less politically experienced than Lula, so the lack of an outright majority strengthens concerns that she will face an uphill climb in managing the current 10-party coalition government. Imprisoned and reportedly tortured in the 1970s for her participation in a resistance group opposed to the military dictatorship that controlled Brazil at the time, she has strong populist and socialist credentials.

IntelliShield Analysis: Brazil's presidential elections are noteworthy for information security professionals for a number of reasons. First, they mark the end of the era of President Lula, under whom Brazil's economy and self-confidence on the world stage grew rapidly. Analysts will be watching to see whether Rousseff will continue the recent trend toward greater state intervention in key sectors, including telecommunications. As Brazil prepares to host the 2014 World Cup and the 2016 Summer Olympics, fiscal spending supported by rising oil production is set to expand. Rousseff is expected to focus on social programs and infrastructure—particularly electrical generation, Internet access, public transportation, and oil transportation capacity—which may provide opportunities for foreign investors, if Ms. Rousseff welcomes outside participation in these projects. If Brazil's economy stays strong and stable under her, the resulting growth in jobs may chip away at past problems exacerbated by poverty, which include spam and fraud in the cyber sphere, as well as crime and corruption on the street. Many are optimistic that with this peaceful and democratic transfer of power, Brazil's importance as an IT manufacturing and outsourcing center, and as a key democratic leader in Latin America, will only grow.

Upcoming Security Activity

Cyber Security Awareness Month: October 2010
HackInTheBox Malaysia: October 11–14, 2010
RSA Europe: October 12–14, 2010
Microsoft Blue Hat v10: October 14–15, 2010
InterOp NY: October 18–22, 2010
Toorcon San Diego: October 22–24, 2010
CSI 2010: October 26–29, 2010
USENIX LISA: November 7–12, 2010
Black Hat Abu Dhabi: November 8–11, 2010

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following dates:

World Expo (Shanghai, China): May 1–October 31, 2010
XIX Commonwealth Games (Delhi, India): October 3–14, 2010


Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit the Cisco Security IntelliShield Alert Manager Service page.

For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit the Trial Registration page.



This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.