IntelliShield has updated this alert to reflect additional technical information that addresses the Red October cyber espionage campaign.
Description
Reports indicate that a large-scale cyber espionage campaign has been identified and named Red October (Rocra).
Red October is a cyber espionage campaign that attempts to steal data from infected systems, install additional software, and allow remote access to an attacker.
The malicious software embeds itself on infected systems and functions as the attacker's access point to an infected system. A successful exploit could allow the attacker to install any of the 34 identified Red October modules. These modules can extend the functionality of the Red October framework with the following capabilities:
Compile hardware, software, and operating environment of the targeted system
Compile network-related information, including Windows Network neighborhood share information
Exploit weak or default passwords and SNMP community strings to compile network device configurations
Scan the LAN for ports and hosts vulnerable to additional exploits
Steal sensitive browser, e-mail, and FTP related information including cookies, credentials, and history
Gather data from locally attached mobile devices, including iPhones, Nokia phones, and Windows Mobile phones
Access locally attached Windows Mobile devices and install a back door
Install back doors on targeted devices
Capture screen shots and record keystrokes
Execute arbitrary files that are embedded in certain documents
Access data on removable storage devices, possibly including deleted files
Access LAN FTP sites and shared disks
Access e-mail databases from POP/IMAP servers or local Microsoft Outlook storage
Install Adobe Reader and Microsoft Office DocBackdoor plug-ins
Execute arbitrary code and commands
Exploit system access of targeted systems using Administrator credentials
Target and compile mail.ru e-mail account information
Launch additional modules
Upload gathered intelligence and data to the command and control server
Reports also indicate that Red October targets files and documents with the following extensions:
Red October appears to be designed to execute tasks as assigned by the command and control (C&C) systems. These tasks are provided to the infected system as portable executable (PE) DLL libraries that are executed in memory and subsequently cleared. An exception to this are several tasks that remain on the infected system. These tasks are provided as PE EXE files and are installed locally on the infected system.
Reports also indicate that Red October may be assigning a unique identifier to individual victim systems and may be able to re-initiate control of infected systems via a one-way covert communications channel.
Reports also indicate that Red October uses known vulnerabilities with existing exploit code for targeted attacks. The reports have identified the following, known exploits in active use by Red October:
To exploit these vulnerabilities, the attacker may provide a file to the user or a link to a malicious file and persuade the user to open or execute the file or follow the malicious link by using misleading language or instructions.
Users are advised not to open e-mail messages from suspicious or unrecognized sources. If users cannot verify that links or attachments included in e-mail messages are safe, they are advised not to open them.
Administrators may consider disabling Java and the Java plug-in in web browsers. Instructions for disabling Java in web browsers can be found at the following links:
Version 1, January 16, 2013, 11:05 AM: Red October is a cyber-espionage campaign that attempts to steal data from infected systems, install additional software, and allow an attacker remote access to a targeted system.
The security vulnerability applies to the following combinations of products.
Primary Products:
IntelliShield
Security Activity Bulletin
Original Release Base
Associated Products:
N/A
Alerts and bulletins on the Cisco Security Intelligence Operations Portal are highlighted by analysts in the
Cisco Threat Operations Center and represent a subset of the comprehensive content that is available through Cisco Security IntelliShield Alert Manager Service.
This customizable threat and vulnerability alert service provides security staff with access to timely, accurate, and credible information about threats and vulnerabilities that may affect their environment. Cisco is pleased to offer a free trial of the service.
To register for full access, please visit the IntelliShield trial registration page.
LEGAL DISCLAIMER The urgency and severity ratings of this alert are not tailored to individual users; users may value alerts differently based upon their network configurations and circumstances. THE ALERT, AND INFORMATION CONTAINED THEREIN, ARE PROVIDED ON AN "AS IS" BASIS AND DO NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE ALERT, AND INFORMATION CONTAINED THEREIN, OR MATERIALS LINKED FROM THE ALERT, IS AT YOUR OWN RISK. INFORMATION IN THIS ALERT AND ANY RELATED COMMUNICATIONS IS BASED ON OUR KNOWLEDGE AT THE TIME OF PUBLICATION AND IS SUBJECT TO CHANGE WITHOUT NOTICE. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.
