This is the Cyber Risk Report for March 11-17, 2013. The report details the significant events for this time period and covers multiple threat and risk management categories.
Vulnerability activity for the period increased significantly due to multiple updates from major vendors: Microsoft, Adobe, Red Hat, Apple, and MontaVista released multiple security advisories and software updates.
Microsoft published the monthly security bulletin release on March 12, 2013. Microsoft released seven bulletins that addressed 20 vulnerabilities. The bulletins addressed vulnerabilities in Microsoft Windows, Microsoft Internet Explorer, Microsoft Office, and Microsoft Silverlight. The vulnerabilities allow an attacker to execute arbitrary code, access sensitive information, cause a denial of service condition, or gain elevated privileges. Full details of the vulnerabilities, Cisco IPS signatures, and recommended mitigations are available at the Cisco Event Response: Microsoft Security Bulletin Release for March 2013.
Adobe released the Adobe Flash Player and AIR Security Updates on March 12, 2013, correcting 4 vulnerabilities, in addition to the ColdFusion Security Advisory for January 2013, which corrected 4 vulnerabilities.
Apple released the Mac OS X Security Update for March 2013. The OS X Mountain Lion update corrects 21 vulnerabilities, including a security update that distrusts the CA certificates mistakenly issued by TURKTRUST, and a malware removal tool update. Also included in the Mac Security Update for March 2013 are updates for Mac OS X 10.6.8, Mac OS X 10.6.8 Server, Mac OS X 10.7, Mac OS X 10.7.5 Server, and the Mac OS X 10.8.3 Combo Update.
Cisco Wireless LAN Controllers Wireless Intrusion Prevention System (wIPS) Denial of Service Vulnerability
Cisco Prime Infrastructure CSRF Vulnerability
Cisco Aironet Access Point Denial of Service Vulnerability
Cisco Prime Central for Hosted Collaboration Solution Assurance Excessive CPU Utilization Issue
Lancope StealthWatch published additional technical indicator research on the APT1 attacks. The StealthWatch blog post includes APT1 domain names, MD5 signatures, IP addresses, and geolocation information.
Anonymous and affiliated groups announced plans for attacks against Israeli targets on April 7, 2013 as #OpIsrael. The Al Qaida Electronic Army (AQEA) and the Tunisian Cyber Army (TCA) released announcements and conducted what were reported as preliminary attacks for #OpBlackSummer. These groups announced they will attack the US in an electronic jihad from May 31–September 11, 2013, targeting government and critical infrastructure systems.
IntelliShield published 199 events last week: 92 new events and 107 updated events. Of the 199 events, 93 were Vulnerability Alerts, 31 were Security Activity Bulletins, nine were Security Issue Alerts, 61 were Threat Outbreak Alerts, and three were Applied Mitigation Bulletins. The alert publication totals are as follows:
Day        Date         New  Updated  Total
Friday     03/15/2013     9       13     22
Thursday   03/14/2013    22       23     45
Wednesday  03/13/2013     9       13     22
Tuesday    03/12/2013    38       12     50
Monday     03/11/2013    14       46     60
Significant Alerts for March 11-17, 2013
Oracle Java SE Security Bypass Arbitrary Code Execution Vulnerabilities
IntelliShield Vulnerability Alert 28462, Version 5, March 12, 2013
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2013-0809, CVE-2013-1493
Oracle Java SE contains vulnerabilities that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. Reports indicate that CVE-2013-1493 is being actively exploited by the McRat trojan malicious code. Oracle, Apple, IBM and Red Hat have confirmed these vulnerabilities and released patches.
Adobe Flash Player and AIR Security Updates for March 12, 2013
IntelliShield Vulnerability Alert 28565, Version 2, March 13, 2013
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2013-0646, CVE-2013-0650, CVE-2013-1371, CVE-2013-1375
Adobe Flash Player and AIR contain multiple vulnerabilities that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. Updates are available.
Adobe ColdFusion Security Advisory January 2013
IntelliShield Vulnerability Alert 27769, Version 2, March 15, 2013
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2013-0629, CVE-2013-0631, CVE-2013-0625, CVE-2013-0632
Adobe ColdFusion for Windows, Macintosh and UNIX contains multiple vulnerabilities that could allow an unauthenticated, remote attacker to bypass security restrictions to gain unauthorized access or access to sensitive information. Adobe has released an additional security bulletin and software updates to address multiple vulnerabilities. Reports indicate that these vulnerabilities are being exploited in the wild. The vulnerabilities, CVE-2013-0625 and CVE-2013-0629, affect users who do not have password protection enabled or have no password set on their system.
Previous Alerts That Still Represent Significant Risk
Oracle Java SE Critical Patch Update Advisory for February 2013
IntelliShield Activity Bulletin 28080, Version 8, March 12, 2013
Urgency/Credibility/Severity Rating: 2/5/4
Oracle Java SE contains multiple vulnerabilities that could allow an unauthenticated, remote attacker to bypass security restrictions, access sensitive information, execute arbitrary code, or cause a denial of service (DoS) condition on a targeted system. The patch update corrects 50 vulnerabilities in multiple components such as the Java Runtime Environment (JRE), Java Development Kit (JDK), Software Development Kit (SDK), and JavaFX. Oracle has released additional security advisories and updated packages to address the vulnerabilities in the Oracle Java SE Critical Patch Update Advisory for February 2013. Apple and Red Hat have also released updated packages to address these vulnerabilities. Red Hat has released an additional security advisory and updated packages.
Multiple Java Security Explorations
IntelliShield Activity Bulletin 28404, Version 1, March 1, 2013
Urgency/Credibility/Severity Rating: 2/5/4
Security researchers have released details on multiple new instances of certain types of vulnerabilities in Oracle Java. The vulnerabilities result from flaws similar to recent vulnerabilities that take advantage of various Java Virtual Machine (JVM) components such as class loaders, bytecode verifiers, security managers, the JVM runtime execution engine and class definitions, or the garbage collector. Proof-of-concept code that could aid attackers in building functional exploits is publicly available. Although Oracle has addressed many of these vulnerabilities in multiple Java SE critical patch advisories, reports have indicated that a few of these vulnerabilities remain unpatched.
Adobe Flash Player Security Updates February 2013
IntelliShield Activity Bulletin 28400, Version 2, February 28, 2013
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2013-0504, CVE-2013-0643, CVE-2013-0648
Adobe Flash Player contains multiple vulnerabilities that could allow an unauthenticated, remote attacker to execute arbitrary code or cause a denial of service (DoS) condition on a targeted system. Adobe, Microsoft, and Red Hat have released updated software.
Adobe Reader and Acrobat Security Update for February 2013
IntelliShield Activity Bulletin 28227, Version 4, February 22, 2013
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2013-0640, CVE-2013-0641
Adobe Product Security Incident Response Team investigated reports of active exploitation of a vulnerability in Adobe Reader and Acrobat XI (11.0.1) and earlier versions. Adobe has released a security advisory and updated software to address multiple vulnerabilities in Adobe Reader and Acrobat.
Novell GroupWise Client for Windows ActiveX Control Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 28046, Version 3, February 18, 2013
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2012-0439
Novell GroupWise Client for Windows contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code. Functional code that exploits this vulnerability is available as part of the Metasploit framework. Novell has confirmed the vulnerability and software updates are available.
Microsoft Internet Explorer SLayoutRun Use-After-Free Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 28065, Version 2, February 14, 2013
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2013-0025
Microsoft Internet Explorer contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system with the privileges of the user. Functional code that exploits this vulnerability is publicly available. Microsoft has confirmed the vulnerability in security bulletin MS13-009 and released software updates.
Ruby on Rails Action Pack Parameter Processing Remote Code Execution Vulnerability
IntelliShield Vulnerability Alert 27831, Version 4, February 5, 2013
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2013-0156
Ruby on Rails contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. Updates are available. Functional code that exploits this vulnerability is publicly available as part of the Metasploit Framework.
Multiple Universal Plug and Play Devices Simple Service Discovery Protocol Processing Vulnerabilities
IntelliShield Activity Bulletin 28002, Version 4, January 31, 2013
Urgency/Credibility/Severity Rating: 3/5/4
Multiple Universal Plug and Play devices contain vulnerabilities that could allow an unauthenticated, remote attacker to access sensitive information, execute arbitrary code, or cause a denial of service (DoS) condition on a targeted system. Proof-of-concept code that exploits these vulnerabilities is publicly available. The Cisco Applied Intelligence team has created the following companion document to guide administrators in identifying and mitigating attempts to exploit this vulnerability prior to applying updated software: cisco-sa-20130129-upnp
Red October Cyber Espionage Campaign Identified
IntelliShield Activity Bulletin 27890, Version 2, January 17, 2013
Urgency/Credibility/Severity Rating: 3/5/4
Reports indicate that a large-scale cyber espionage campaign has been identified and named Red October (Rocra). Red October is a cyber espionage campaign that attempts to steal data from infected systems, install additional software, and allow remote access to an attacker.
The personal information of several celebrities including Michelle Obama, Joe Biden, Hillary Rodham Clinton, FBI Director Robert Mueller, Beyonce, Mel Gibson, Paris Hilton, and Los Angeles Police Chief Charlie Beck was posted on a website with a Russian address. While much of the information may have come from public websites, or was at least publicly available, other personal information such as social security numbers and credit histories does appear to have come from compromised sources. Equifax has confirmed that some of the individuals' credit files had been compromised. The U.S. Secret Service and FBI are investigating the posting.
Website Posts Personal Data on Biden, Beyonce, Others
Equifax Confirms Hackers Stole Financial Data
Analysis: As millions could personally attest, the widespread media coverage of these compromises serves as a reminder of the current identity threats. Criminals are proficient at mining data from web sources that are likely to include information many would assume is not available. Similarly, as is likely with websites like annualcreditreport.com, criminals may be able to collect sufficient public information to answer the security questions required to gain access to non-public files. In protecting this information, it is not enough for individuals to be aware of the threats; they must also be actively engaged in protecting their information. Vigilance in sharing or posting personal information, reviewing the privacy statements of websites that collect your personal information, managing your sensitive accounts, passwords and secret questions, and monitoring your accounts for any suspicious activity need to be part of every individual's online activity. When a compromise occurs, individuals should know how to respond to limit the damage. While commercial services to protect your identity are available, there are multiple public sources for education and information, such as the Federal Trade Commission Consumer Information website.
Mobile
FTC Sends Stop Message to SMS Spammers
On March 7, the Federal Trade Commission filed eight separate complaints in four U.S. states against 29 defendants allegedly involved in facilitating free giveaway scams via SMS text messages. According to the FTC, the defendants were responsible for more than 180 million SMS spam texts used to drive traffic to fraudulent websites. The FTC complaints were leveled at both the SMS spammers and the websites funding the scams. On the opposite side of the SMS spectrum, over the weekend of March 2, residents in St. Louis, Missouri were greeted with unexpected SMS text messages concerning an AMBER alert for a missing young girl. The unexpected messages apparently confused a number of recipients, who were unaware of the service and unsure of the validity of the message.
FTC Cracks Down on Senders of Spam Text Messages Promoting "Free" Gift Cards
FTC Cracking Down on Spam Text Message Senders
What Was That Strange Message Over The Weekend?
Analysis: While SMS text spam may seem trivial at first glance, it can have significant adverse consequences. With the free giveaway scams, potential victims were lured via SMS text messages promising free gift cards and other expensive giveaways. Qualifying for the promised "free offer" required completing potentially sensitive surveys and meeting the requirements of convoluted terms of service designed to ensure few (if any) could qualify. These terms typically involved purchasing items well above their standard value, guaranteeing that even if a victim did manage to qualify for the "free" giveaway, the scammers would still profit. There were other hidden costs as well. According to the FTC, an estimated 12% of recipients did not subscribe to a text messaging plan, which could have resulted in approximately US$4.3 million in total victim costs simply from having received the text.
Unfortunately, while the FTC battles the problem of free giveaway scams, other developments in SMS text messaging could be laying the groundwork for future text messaging scams. A new partnership between FEMA, the FCC, and wireless providers sends unsolicited wireless emergency alerts to cellphone subscribers free of charge. These alerts may take one of three forms: presidential alerts, imminent threat alerts, and AMBER alerts. While the wireless emergency alerts are notably good in their intent, it is not unlikely that scammers will send SMS text messages masquerading as one of these official alerts in order to entice victims into visiting fraudulent websites, dialing premium rate numbers, or otherwise engaging in harmful or risky activities.
Attacks/Compromises
Trusted Websites Serving Malware
The National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) was reported to have been compromised and serving malicious code. Multiple other websites, including the National Journal, multiple NBC domains, and the LA Times, have also recently been identified as serving malicious code. National Journal representatives reported that an estimated 40,000 visitors may have been impacted, and that visitors were only prompted to download the malicious software if they reached the website through a search engine. This is the second time in the last 30 days that the National Journal has been impacted by these attacks. Visitors to these sites are commonly redirected by a script on the websites to a malicious website serving multiple exploits, including the Fiesta and Zeroaccess exploit kits.
US National Vulnerability Database Hacked
National Journal Hacked, Used to Push Malware via Fiesta Exploit Kit
Analysis: For those not yet familiar with "drive-by" and "watering hole" attacks, these attacks are not new, but they have become more prevalent as attackers attempt to gain access to secured environments. As Cisco reported in the 2013 Annual Security Report, criminals are shifting away from websites widely known to be hazardous and are instead choosing to infect popular and trusted websites frequented by specific groups. The websites may be compromised through a variety of vulnerabilities that allow the attacker to embed malicious code in the web pages in order to redirect or infect a visitor. The infection often occurs automatically upon accessing the web page, frequently with no indicators and without requiring any specific action by the visitor. The compromised user, now infected, provides the initial entry point for the attackers. These attacks can be prevented through website security, enterprise web security products, updated browsers and applications, monitoring network activity for indications of an infected system, and security information sharing to alert website owners that they may be compromised.
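The "website security" item in the analysis above is the one website owners control directly. The following is an added example, not code from the Cisco report or from any of the affected sites: a small integrity check that a site operator can run over the HTML their own server actually returns, flagging script, iframe, object or embed tags whose source points outside an allowlist of hosts the site legitimately uses, and iframes that are hidden or sized to a pixel, which is the usual shape of an injected redirect. The host names, the allowlist and the sample page are constructed for the example.

```python
"""Integrity check for a site's own pages: find injected external script/iframe references.

Added example; not part of the Cisco report. All host names below are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist: hosts this (hypothetical) site legitimately loads content from.
ALLOWED_HOSTS = {
    "www.example-news.test",
    "static.example-news.test",
    "cdn.example-news.test",
}

# Tags that pull executable or framed content from a URL.
SRC_TAGS = {"script", "iframe", "object", "embed"}


def _looks_hidden(attrs):
    """True for an iframe styled invisible or sized to 0/1 px, a common injection pattern."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    width = (attrs.get("width") or "").strip()
    height = (attrs.get("height") or "").strip()
    return width in {"0", "1"} or height in {"0", "1"}


class InjectedRefScanner(HTMLParser):
    """Collects one finding per suspicious tag: line number, tag, host and reasons."""

    def __init__(self, page_host, allowed_hosts):
        super().__init__()
        self.allowed = {h.lower() for h in allowed_hosts} | {page_host.lower()}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in SRC_TAGS:
            return
        attrs = dict(attrs)                       # attribute names are already lowercased
        src = attrs.get("src") or attrs.get("data")  # <object> uses data= instead of src=
        host = urlparse(src).hostname if src else None  # "//evil.test/x" parses to evil.test
        reasons = []
        # Relative URLs resolve to the page host, so only absolute/protocol-relative
        # URLs with a host outside the allowlist are flagged here.
        if host and host.lower() not in self.allowed:
            reasons.append("external-src")
        if tag == "iframe" and _looks_hidden(attrs):
            reasons.append("hidden-iframe")
        if reasons:
            self.findings.append({
                "line": self.getpos()[0],
                "tag": tag,
                "host": host.lower() if host else None,
                "reasons": reasons,
            })


def scan_page(html, page_host, allowed_hosts=ALLOWED_HOSTS):
    """Return a list of findings for one fetched page; an empty list means nothing suspicious."""
    scanner = InjectedRefScanner(page_host, allowed_hosts)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: a normal page with one injected, hidden iframe to an outside host.
SAMPLE_PAGE = """<html><head>
<script src="/js/site.js"></script>
<script src="https://static.example-news.test/analytics.js"></script>
</head><body>
<h1>Headline</h1>
<iframe src="http://redirector.invalid/in.php" width="1" height="1" style="visibility: hidden"></iframe>
<script src="//cdn.example-news.test/widgets.js"></script>
</body></html>"""

if __name__ == "__main__":
    for finding in scan_page(SAMPLE_PAGE, "www.example-news.test"):
        print(f"line {finding['line']}: <{finding['tag']}> -> {finding['host']} ({', '.join(finding['reasons'])})")
```

In practice the check is run against the HTML as served (for example from a scheduled fetch of the site's top pages) rather than against the files on disk, because server-side injection via a compromised plugin or template only shows up in the rendered output. A finding is a prompt to compare against the last known-good copy, not proof of compromise on its own.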
Geopolitical
Cyber Threat to Infrastructure Tops U.S. Security Concerns
In his annual prepared testimony to Congress last week, Director of National Intelligence (ODNI) James Clapper called out the threat of a cyber attack on U.S. critical infrastructure as the U.S. intelligence community's most concerning threat scenario. According to press reports, this was the first time cyber got top billing in this annual assessment, and the first time since 9/11 that terrorism did not rank first. He termed the likelihood of a catastrophic infrastructure outage as "remote," but said that the likelihood of less severe, but still damaging, cyber attacks was growing. In the testimony, Clapper noted that sequestration would require automatic spending cuts across the intelligence community, including within cyber security programs, and that this would weaken our ability to respond.
Security Leader Says U.S. Would Retaliate Against Cyberattacks
Worldwide Threat Assessment Remarks to the Senate Select Committee on Intelligence
Director Clapper Statement for the Record, Senate Select Committee on Intelligence
Analysis: Promotion of cyber to the top of the U.S. national security threat roster comes amid a heated global discussion related to suspected state-led cyber attacks and a call for rules of engagement. However, Clapper's testimony is a reminder that the cyber threat is not a classic state-to-state issue, but rather part of an emerging global threat that is asymmetric, pluralistic, and largely stateless. The Internet-powered interplay between states, crime groups, terrorists, and empowered activists outstrips the arsenal of any one nation's military. It lacks the Mutually Assured Destruction constraints that kept Cold War superpowers from pushing the proverbial "red button." While the terrorist threat of the 2000s lacked traditional sovereign constraints, it was hard to imagine realistic scenarios that could disrupt the global economy for more than a few days at a time. The emergence of national economies dependent on a largely open Internet creates a whole new, troubling menu of critical vulnerabilities that are keeping national security officials worldwide awake at night.
Upcoming Security Activity
Interop Las Vegas: May 6-10, 2013
Cisco Live U.S.: June 23-27, 2013
Black Hat 2013: July 27-August 1, 2013
Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following:
U.S. NCAA Men's Basketball Tournament: March 19-April 8, 2013
NATO Meeting: March 16-17, 2013
ASEAN Summit: March 23-25, 2013
BRICS Summit: March 26-28, 2013
Arab League Summit: March 26-28, 2013
IMF World Bank Meeting: April 19-21, 2013
G8 Summit: May 17-18, 2013
Additional Information
For information and commentary from the experts in Cisco Security Intelligence Operations, please visit the Cisco Security Blog.
For timely information from across Cisco Security Intelligence Operations, please consider following @CiscoSecurity on Twitter.
The security vulnerability applies to the following combinations of products.
Primary Products:
IntelliShield
Cyber Risk Report
Original Release Base
Associated Products:
N/A
LEGAL DISCLAIMER The urgency and severity ratings of this alert are not tailored to individual users; users may value alerts differently based upon their network configurations and circumstances. THE ALERT, AND INFORMATION CONTAINED THEREIN, ARE PROVIDED ON AN "AS IS" BASIS AND DO NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE ALERT, AND INFORMATION CONTAINED THEREIN, OR MATERIALS LINKED FROM THE ALERT, IS AT YOUR OWN RISK. INFORMATION IN THIS ALERT AND ANY RELATED COMMUNICATIONS IS BASED ON OUR KNOWLEDGE AT THE TIME OF PUBLICATION AND IS SUBJECT TO CHANGE WITHOUT NOTICE. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.