Security Activity Bulletin

Red October Cyber Espionage Campaign Identified

 
Threat Type: IntelliShield: Security Activity Bulletin
IntelliShield ID: 27890
Version: 2
First Published: 2013 January 15 22:07 GMT
Last Published: 2013 January 17 21:03 GMT
Port: Not available
Urgency: Possible use
Credibility: Confirmed
Severity: Moderate Damage
 
 
Version Summary: IntelliShield has updated this alert to reflect additional technical information that addresses the Red October cyber espionage campaign.
 

Description
 
Reports indicate that a large-scale cyber espionage campaign has been identified and named Red October (Rocra).

Red October is a cyber espionage campaign that attempts to steal data from infected systems, install additional software, and allow remote access to an attacker.


The malware establishes itself on the infected system and serves as the attacker's access point to it. A successful exploit could allow the attacker to install any of the 34 identified Red October modules. These modules extend the Red October framework with the following capabilities:
  • Collect hardware, software, and operating environment details of the targeted system
  • Collect network-related information, including Windows Network Neighborhood share information
  • Exploit weak or default passwords and SNMP community strings to collect network device configurations
  • Scan the LAN for hosts and ports vulnerable to additional exploits
  • Steal sensitive browser, e-mail, and FTP related information, including cookies, credentials, and history
  • Gather data from locally attached mobile devices, including iPhones, Nokia phones, and Windows Mobile phones
  • Access locally attached Windows Mobile devices and install a back door
  • Install back doors on targeted devices
  • Capture screen shots and record keystrokes
  • Execute arbitrary files that are embedded in certain documents
  • Access data on removable storage devices, possibly including deleted files
  • Access LAN FTP sites and shared disks
  • Access e-mail databases from POP/IMAP servers or local Microsoft Outlook storage
  • Install Adobe Reader and Microsoft Office DocBackdoor plug-ins
  • Execute arbitrary code and commands
  • Gain access to targeted systems using Administrator credentials
  • Target and collect mail.ru e-mail account information
  • Launch additional modules
  • Upload gathered intelligence and data to the command and control server
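The weak or default SNMP community capability above is one a defender can check for before an attacker does. The following is an added example written for this bulletin; it is not code from the bulletin or from any Red October component. It audits IOS-style "snmp-server community" lines for default or guessable community strings, read-write access, and the absence of an access-list limiting which hosts may poll. The configuration fragment, the list of default strings, and the 12-character length threshold are all constructed assumptions for the example.

```python
import re

# Community strings that credential-guessing tooling tries first. Assembled
# for this example; extend it from your own policy and past incidents.
DEFAULT_COMMUNITIES = {"public", "private", "cisco", "admin", "secret", "read", "write"}

# IOS-style syntax: snmp-server community <name> [view <view>] [RO|RW] [<acl>]
_COMMUNITY_RE = re.compile(
    r"^\s*snmp-server\s+community\s+(?P<name>\S+)"
    r"(?:\s+view\s+\S+)?"
    r"(?:\s+(?P<mode>RO|RW))?"
    r"(?:\s+(?P<acl>\S+))?\s*$",
    re.IGNORECASE,
)


def audit_snmp_communities(config_text):
    """Return [(community, [findings...])] for each SNMP v1/v2c community that a
    configuration-harvesting module could abuse. Clean entries are omitted."""
    results = []
    for line in config_text.splitlines():
        m = _COMMUNITY_RE.match(line)
        if not m:
            continue
        name = m.group("name")
        mode = (m.group("mode") or "RO").upper()   # IOS defaults to read-only
        findings = []
        if name.lower() in DEFAULT_COMMUNITIES:
            findings.append("default or guessable community string")
        elif len(name) < 12:
            findings.append("short community string (under 12 characters)")
        if mode == "RW":
            findings.append("read-write access (configuration can be changed)")
        if m.group("acl") is None:
            findings.append("no access-list limiting which hosts may poll")
        if findings:
            results.append((name, findings))
    return results


# Constructed router configuration fragment for the example.
SAMPLE_CONFIG = """\
hostname edge-rtr-1
snmp-server community public RO
snmp-server community private RW
snmp-server community Q7v!xR2p9Lm4sT RO 10
snmp-server community cisco RW 20
access-list 10 permit 10.0.0.5
access-list 20 permit 10.0.0.6
"""

if __name__ == "__main__":
    for name, findings in audit_snmp_communities(SAMPLE_CONFIG):
        print(f"{name}: " + "; ".join(findings))
```

Only the fourth community in the sample passes: it is long, read-only, and bound to an access-list. Anything the audit reports is a string Red October's SNMP module could have guessed or used to pull a device configuration.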

Reports also indicate that Red October targets files and documents with the following extensions:

.acidcsa, .aciddsk, .acidppr, .acidpvr, .acidsca, .acidssa, .cer, .cif, .crt, .csv, .doc, .docx, .eml, .gpg, .hse, .iau, .key, .mdb, .odt, .pdf, .pgp, .rst, .rtf, .sxw, .txt, .vsd, .wab, .xia, .xig, .xio, .xis, .xiu, .xls, .xps.
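A process sweeping files with these extensions is a pattern that host file-access telemetry can surface. The following is an added detection example written for this bulletin, not code from the bulletin or from the Red October analysis. It replays constructed file-open events and flags a process that opens several files with targeted extensions across more than one directory within a short window. The event format, the process names and paths, and the thresholds (5 files, 2 directories, 60 seconds) are assumptions for the example; map them onto your own telemetry, for example Sysmon or EDR file-access events.

```python
import collections
import datetime
import ntpath

# Extensions targeted by Red October, as listed in this bulletin (34 entries).
TARGETED_EXTENSIONS = {
    ".acidcsa", ".aciddsk", ".acidppr", ".acidpvr", ".acidsca", ".acidssa",
    ".cer", ".cif", ".crt", ".csv", ".doc", ".docx", ".eml", ".gpg", ".hse",
    ".iau", ".key", ".mdb", ".odt", ".pdf", ".pgp", ".rst", ".rtf", ".sxw",
    ".txt", ".vsd", ".wab", ".xia", ".xig", ".xio", ".xis", ".xiu", ".xls",
    ".xps",
}

# Thresholds assumed for the example; tune them against your own baseline.
WINDOW = datetime.timedelta(seconds=60)
MIN_FILES = 5
MIN_DIRS = 2


def is_targeted(path):
    """True if the file's extension is on Red October's collection list.
    ntpath is used so Windows paths are split correctly on any host."""
    return ntpath.splitext(path)[1].lower() in TARGETED_EXTENSIONS


def parse_event(line):
    """Parse one constructed event: '<ISO time> pid=<n> image=<exe> path=<file>'.
    The format is an assumption for the example; paths must not contain spaces."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return {
        "ts": datetime.datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "pid": kv["pid"],
        "image": kv["image"],
        "path": kv["path"],
    }


def detect_bulk_document_access(lines):
    """Return {(pid, image): peak_files_in_window} for processes that open at
    least MIN_FILES targeted files in at least MIN_DIRS directories within WINDOW."""
    windows = collections.defaultdict(collections.deque)
    alerts = {}
    for line in lines:
        ev = parse_event(line)
        if not is_targeted(ev["path"]):
            continue
        key = (ev["pid"], ev["image"])
        q = windows[key]
        q.append((ev["ts"], ntpath.dirname(ev["path"]).lower()))
        # Drop accesses that have fallen out of the sliding window.
        while q and ev["ts"] - q[0][0] > WINDOW:
            q.popleft()
        dirs = {d for _, d in q}
        if len(q) >= MIN_FILES and len(dirs) >= MIN_DIRS:
            alerts[key] = max(alerts.get(key, 0), len(q))
    return alerts


# Constructed events: a user editing two documents in Word, then an unknown
# binary sweeping documents, key material and an .acid* file across three folders.
SAMPLE_EVENTS = [
    "2013-01-15T10:00:00Z pid=3120 image=C:\\Office\\WINWORD.EXE path=C:\\Users\\ana\\Documents\\budget.docx",
    "2013-01-15T10:00:05Z pid=3120 image=C:\\Office\\WINWORD.EXE path=C:\\Users\\ana\\Documents\\memo.doc",
    "2013-01-15T10:01:00Z pid=4412 image=C:\\Windows\\Temp\\svchost.exe path=C:\\Users\\ana\\Documents\\budget.docx",
    "2013-01-15T10:01:01Z pid=4412 image=C:\\Windows\\Temp\\svchost.exe path=C:\\Users\\ana\\Documents\\contract.pdf",
    "2013-01-15T10:01:02Z pid=4412 image=C:\\Windows\\Temp\\svchost.exe path=C:\\Users\\ana\\Desktop\\keys\\mail.pgp",
    "2013-01-15T10:01:03Z pid=4412 image=C:\\Windows\\Temp\\svchost.exe path=C:\\Users\\ana\\Desktop\\keys\\id.key",
    "2013-01-15T10:01:04Z pid=4412 image=C:\\Windows\\Temp\\svchost.exe path=C:\\Users\\ana\\AppData\\Outlook\\archive.pst",
    "2013-01-15T10:01:05Z pid=4412 image=C:\\Windows\\Temp\\svchost.exe path=E:\\vault\\report.acidcsa",
    "2013-01-15T10:01:06Z pid=4412 image=C:\\Windows\\Temp\\svchost.exe path=E:\\vault\\list.xls",
]

if __name__ == "__main__":
    for (pid, image), peak in detect_bulk_document_access(SAMPLE_EVENTS).items():
        print(f"ALERT pid={pid} image={image}: {peak} targeted files within {WINDOW.seconds}s")
```

Word's two opens in one folder stay below both thresholds; the unknown binary trips the rule on its fifth targeted file and the .pst it touches along the way is ignored because it is not on the list. Reading many targeted files from many folders is the behaviour to key on, not any single extension.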

Red October appears to be designed to execute tasks as assigned by the command and control (C&C) systems. These tasks are delivered to the infected system as portable executable (PE) DLL libraries that are executed in memory and then discarded. The exception is a small number of tasks that remain on the infected system; these are delivered as PE EXE files and installed locally.
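A responder triaging recovered payloads can tell the two task types apart from the PE header alone. The following is an added example written for this bulletin, not code from the bulletin or from Red October: it reads the DOS header pointer, the PE signature and the COFF file header, and reports whether an image is a DLL (IMAGE_FILE_DLL set in Characteristics, the form of the in-memory tasks) or an EXE (the form of the persistent tasks), along with the target machine and the PE32/PE32+ optional-header magic. The two header-only images it builds are constructed for the example and are not loadable binaries.

```python
import struct

IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_DLL = 0x2000
MACHINES = {0x14C: "i386", 0x8664: "x86-64"}


def classify_pe(data):
    """Parse the DOS e_lfanew pointer, the PE signature and the COFF file header
    of a PE image and report whether it is a DLL or an EXE. Raises ValueError
    if the bytes are not a PE executable image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF file header: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsections, _, _, _, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    if not chars & IMAGE_FILE_EXECUTABLE_IMAGE:
        raise ValueError("not an executable image")
    magic = None
    if opt_size >= 2 and e_lfanew + 26 <= len(data):
        (magic,) = struct.unpack_from("<H", data, e_lfanew + 24)
    return {
        "kind": "DLL" if chars & IMAGE_FILE_DLL else "EXE",
        "machine": MACHINES.get(machine, hex(machine)),
        "pe32plus": magic == 0x20B,
        "sections": nsections,
    }


def triage_payloads(payloads):
    """Label recovered task payloads by how the framework would have used them."""
    labels = {}
    for name, data in payloads.items():
        try:
            info = classify_pe(data)
        except ValueError as exc:
            labels[name] = f"not a PE image ({exc})"
            continue
        role = "in-memory task" if info["kind"] == "DLL" else "persistent task"
        fmt = "PE32+" if info["pe32plus"] else "PE32"
        labels[name] = f"{role}: {info['kind']}, {info['machine']}, {fmt}"
    return labels


def build_minimal_pe(characteristics, machine=0x14C, magic=0x10B):
    """Construct a header-only PE image for the example. It carries just enough
    structure for classify_pe() and is not a loadable binary."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 2, characteristics)
    return bytes(dos) + b"PE\0\0" + coff + struct.pack("<H", magic)


# Constructed payloads: a 32-bit DLL, a 64-bit EXE, and a blob that is not PE at all.
SAMPLE_PAYLOADS = {
    "task_a.bin": build_minimal_pe(IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_DLL),
    "task_b.bin": build_minimal_pe(IMAGE_FILE_EXECUTABLE_IMAGE, machine=0x8664, magic=0x20B),
    "blob.bin": b"\x00" * 64,
}

if __name__ == "__main__":
    for name, label in triage_payloads(SAMPLE_PAYLOADS).items():
        print(f"{name}: {label}")
```

Because the in-memory tasks are cleared after execution, DLL payloads of this kind are normally recoverable only from memory captures or network captures of the C&C exchange; the EXE tasks are what a disk-based sweep of an infected host will find.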

Reports also indicate that Red October may be assigning a unique identifier to individual victim systems and may be able to re-initiate control of infected systems via a one-way covert communications channel.

Reports also indicate that Red October uses known vulnerabilities for which exploit code already exists in its targeted attacks. The reports have identified the following known exploits in active use by Red October:

CVE-2009-3129 - IntelliShield Alert 19322
Microsoft Office Excel Featheader Record Processing Arbitrary Code Execution Vulnerability

CVE-2010-3333 - IntelliShield Alert 21716
Microsoft Office Rich Text Format Content Processing Buffer Overflow Vulnerability

CVE-2012-0158 - IntelliShield Alert 25557
Microsoft MSCOMCTL.OCX ActiveX Control Remote Code Execution Vulnerability

CVE-2011-3544 - IntelliShield Alert 24470
Oracle Java Applet Rhino Script Engine Arbitrary Code Execution Vulnerability

CVE-2008-4250 - IntelliShield Alert 16941
Microsoft Windows Server Service Remote Procedure Call Request Handling Code Execution Vulnerability

To exploit these vulnerabilities, the attacker may provide a file to the user or a link to a malicious file and persuade the user to open or execute the file or follow the malicious link by using misleading language or instructions.

Users are advised not to open e-mail messages from suspicious or unrecognized sources. If users cannot verify that links or attachments included in e-mail messages are safe, they are advised not to open them.

Administrators may consider disabling Java and the Java plug-in in web browsers. Instructions for disabling Java in web browsers can be found at the following links:
Administrators may consider uninstalling Java.
 
Alert History
 
Version 1, January 16, 2013, 11:05 AM: Red October is a cyber-espionage campaign that attempts to steal data from infected systems, install additional software, and allow an attacker remote access to a targeted system.


Product Sets
 
The security vulnerability applies to the following combinations of products.

Primary Products:
IntelliShield Security Activity Bulletin Original Release Base

Associated Products:
N/A




Alerts and bulletins on the Cisco Security Intelligence Operations Portal are highlighted by analysts in the Cisco Threat Operations Center and represent a subset of the comprehensive content that is available through Cisco Security IntelliShield Alert Manager Service. This customizable threat and vulnerability alert service provides security staff with access to timely, accurate, and credible information about threats and vulnerabilities that may affect their environment.


LEGAL DISCLAIMER
The urgency and severity ratings of this alert are not tailored to individual users; users may value alerts differently based upon their network configurations and circumstances. THE ALERT, AND INFORMATION CONTAINED THEREIN, ARE PROVIDED ON AN "AS IS" BASIS AND DO NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE ALERT, AND INFORMATION CONTAINED THEREIN, OR MATERIALS LINKED FROM THE ALERT, IS AT YOUR OWN RISK. INFORMATION IN THIS ALERT AND ANY RELATED COMMUNICATIONS IS BASED ON OUR KNOWLEDGE AT THE TIME OF PUBLICATION AND IS SUBJECT TO CHANGE WITHOUT NOTICE. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.
Powered by IntelliShield