Cyber Risk Report: April 1-7, 2013

 
Threat Type: IntelliShield: Cyber Risk Report
IntelliShield ID: 28876
Version: 1
First Published: 2013 April 08 19:46 GMT
Last Published: 2013 April 08 19:46 GMT
Port: Not available
Urgency: Weakness Found
Credibility: Confirmed
Severity: Mild Damage
 
Version Summary: This is the Cyber Risk Report for April 1-7, 2013. The report details the significant events for this time period and covers multiple threat and risk management categories.
 

Description
 

Contents

Vulnerability
Legal
Trust
Geopolitical
Upcoming Security Activity
Additional Information

 

Listen to the Podcast (8:04 min) 

If you missed Cisco Live London or Cisco Live Melbourne, several of the session recordings are available at www.ciscolive365.com. If you do not have an account, you can create one at no charge. Information and registration for Cisco Live 2013, June 23–27 in Orlando, Florida, is now available. Several members of the Cisco Security Intelligence Operations (SIO) team will be presenting training and security topics. For information concerning the training and breakout sessions, please see the Cisco Security Blog Post Cisco Live 2013 Orlando: Security Training and Breakout Sessions.

Cisco released the Cisco Annual Security Report 2013, highlighting global threat patterns and trends, expert analysis and recommendations. Cisco released the results of a global survey of 1,800 IT professionals across 18 countries and a broad range of industries: Cisco® Connected World Technology Report (CCWTR). The survey explored their views on the potential and challenges of Big Data and beyond. The survey found that we are still in the early stages of Big Data adoption, and many IT managers feel they are not yet realizing strategic value from their data.

As always, we invite your feedback on the Cyber Risk Reports through the Cisco Security Intelligence Operations portal comment card.

Vulnerability

Vulnerability activity for the period remained at expected levels. Highlights for the period include an update for Mozilla Firefox, the Microsoft Advance Notification for April 2013, and research on the Apache Darkleech Malware Hijacking.

Mozilla released Firefox 20, correcting 11 security vulnerabilities, along with updates for Thunderbird and SeaMonkey. Other security advisories and software updates were released for multiple vulnerabilities in OpenStack, PostgreSQL, Puppet Labs Puppet, and the Sophos Web Protection Appliance.

Darkleech attacks have compromised an estimated 20,000 websites running the Apache web server in the past few weeks, including prominent sites such as the Los Angeles Times in February and a blog belonging to hard drive manufacturer Seagate in March. Reports indicate that the attacks have been ongoing since at least August 2012. Darkleech is a malicious Apache module: once installed on a compromised server it injects hidden iframes into the pages the server returns, sending visitors to attacker-controlled sites that serve exploits. The injection is intermittent, so a single clean fetch of a page does not show that the server is clean. Additional information concerning the attacks is available in the Cisco Security Blog post: Apache Darkleech Compromises.

A researcher blog post reported an open FTP server in Taiwan that allegedly held the source code of the AMI UEFI BIOS used by an unnamed manufacturer. Alongside the source code was a private signing key; a key of that kind could let an attacker produce a modified BIOS image that appears to come from a legitimate source. AMI responded that the key is a default test key shipped with the source tree, that customers are instructed to replace it before building firmware for production, and that the key cannot be used to create malicious firmware images for production devices. That assurance holds only for vendors who actually replaced the test key: a device provisioned to trust the unchanged default key would still accept an image signed with it.

Cisco released Security Notices for the following: Cisco Connected Grid Network Management System Cross-Site Scripting Vulnerabilities, Cisco Tivoli Business Service Manager Denial of Service Vulnerability, and a new Cisco Security blog post: Can’t Keep Up with All These Cisco Security Advisories: Do I Have to Upgrade? 

Concerning ICS/SCADA activity, a new Mitsubishi MX ActiveX Control Buffer Overflow Arbitrary Code Execution Vulnerability, reported in IntelliShield alert 28768, is another vulnerability that could have a far reaching impact on multiple critical infrastructure sectors. Cisco Applied Security Intelligence has released additional recommendations in the Applied Mitigation Bulletin: Identifying and Mitigating the Mitsubishi MX Buffer Overflow Vulnerability.

Two noteworthy reports were released last week: the Trustwave 2013 Global Security Report preview, covering findings from breaches investigated during the second half of 2012, and the FireEye Advanced Threat Report.
 
IntelliShield published 135 events last week: 70 new events and 65 updated events. Of the 135 events, 77 were Vulnerability Alerts, four were Security Activity Bulletins, nine were Security Issue Alerts, 42 were Threat Outbreak Alerts, and two were Applied Mitigation Bulletins. The alert publication totals are as follows:

Day        Date        New  Updated  Total
Saturday   04/06/2013    5        1      6
Friday     04/05/2013   13       10     23
Thursday   04/04/2013   13        6     19
Wednesday  04/03/2013   24       21     45
Tuesday    04/02/2013    9       18     27
Monday     04/01/2013    6        9     15

Significant Alerts for the Time Period

Apache Darkleech Malware Hijacking Activity 
IntelliShield Security Activity Bulletin 28804, Version 1, April 3, 2013
Urgency/Credibility/Severity Rating: 3/5/4
Darkleech is a malicious Apache module that, once installed on a compromised server, injects hidden iframes into the pages the server returns, sending visitors to attacker-controlled sites that serve exploits. Reports indicate that Darkleech attacks have been ongoing since at least August 2012. Darkleech attacks have compromised an estimated 20,000 websites running the Apache web server in the past few weeks, including prominent sites such as the Los Angeles Times in February and a blog belonging to hard drive manufacturer Seagate in March. Additional information is also available in the Cisco Security Blog post: Apache Darkleech Compromises.
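The observable symptom of a Darkleech compromise, in both this summary and the Vulnerability section above, is an injected iframe in the pages a compromised Apache server returns. The following is an added example, not code from the original report or from Cisco: a stdlib-only Python checker that parses a page and flags iframes whose source is off-origin and which are rendered hidden or at 1x1. The sample page, the audited origin `www.example.com` and the 203.0.113.7 destination are constructed.

```python
"""Flag injected iframes in served HTML, the visible symptom of a Darkleech
compromise. Added example, not from the original report or from Cisco; the
page, the audited origin and the destination address are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse

SITE_HOST = "www.example.com"   # hypothetical origin being audited

# Constructed sample: one legitimate embed plus one off-screen 1x1 injected frame.
SAMPLE_HTML = """<html><body>
<h1>Welcome</h1>
<iframe src="https://www.example.com/player" width="640" height="360"></iframe>
<iframe src="http://203.0.113.7/index.php?d=abc" width="1" height="1"
        style="visibility:hidden;position:absolute;left:-1000px"></iframe>
</body></html>"""


class IframeCollector(HTMLParser):
    """Collect the attribute set of every <iframe> start tag."""
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names; values are kept as written.
        if tag == "iframe":
            self.iframes.append({k: (v or "") for k, v in attrs})


def is_suspicious(attrs, site_host):
    """Off-origin source combined with hidden or 1x1 rendering."""
    host = urlparse(attrs.get("src", "")).hostname or site_host   # relative src stays on-origin
    external = host != site_host and not host.endswith("." + site_host)
    style = attrs.get("style", "").replace(" ", "").lower()
    hidden = any(s in style for s in ("visibility:hidden", "display:none", "left:-", "top:-"))
    tiny = attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1")
    return external and (hidden or tiny)


def find_injected_iframes(html, site_host=SITE_HOST):
    """Return the src of every iframe that matches the injection pattern."""
    parser = IframeCollector()
    parser.feed(html)
    return [f.get("src", "") for f in parser.iframes if is_suspicious(f, site_host)]


if __name__ == "__main__":
    for src in find_injected_iframes(SAMPLE_HTML):
        print("suspicious iframe:", src)
```

Because the injection is intermittent, run the check against several fetches over time and from different source addresses, and treat one clean result as inconclusive. Verifying the installed Apache modules against package-manager metadata is the server-side counterpart to this client-side check.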

Previous Alerts That Still Represent Significant Risk

ISC BIND Crafted Regular Expression Remote Denial of Service Vulnerability 
IntelliShield Vulnerability Alert 28730, Version 3, April 3, 2013
Urgency/Credibility/Severity Rating: 2/5/3
CVE-2013-2266
ISC BIND contains a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service condition. Updates are available.

Financial Institution Websites Targeted by Distributed Denial of Service Attacks
IntelliShield Security Activity Bulletin 27076, Version 4, March 26, 2013
Urgency/Credibility/Severity Rating: 3/5/3
Websites owned by banks and other financial institutions continue to be targeted by distributed denial of service attacks, decreasing availability of those sites to legitimate customers. DDoS attacks may still be ongoing. Site administrators are advised to take steps to protect their Internet-facing web services. Cisco has released a guide to protecting environments against DDoS attacks at the following link: Strategies to Protect Against Distributed Denial of Service (DDoS) Attacks. Cisco has released an Applied Mitigation Bulletin available at the following link: Identifying and Mitigating the Distributed Denial of Service Attacks Targeting Financial Institutions

Cisco IOS and Cisco IOS XE Type 4 Passwords Issue
IntelliShield Vulnerability Alert 28621, Version 1, March 18, 2013
Urgency/Credibility/Severity Rating: 3/5/3
Cisco IOS and Cisco IOS XE devices contain an issue that could allow an authenticated, remote attacker to access sensitive information on a targeted device. Type 4 password hashes were designed to use PBKDF2 with a salt and many iterations, but affected releases generate them as a single unsalted SHA-256 pass, so they are considerably easier to crack offline than the salted Type 5 (MD5) hashes they were meant to replace. Functional code that exploits the issue is publicly available. Cisco has confirmed the issue in security response cisco-sr-20130318-type4; however, software updates are not available.
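With no software update available, the practical first step is to find out which principals on which devices have Type 4 secrets configured. The following is an added example, not code from the report or from Cisco: a Python audit that parses `enable secret` and `username ... secret` lines from a running configuration, flags every Type 4 hash, and reports two Type 4 entries that share a hash (no salt means an equal hash is an equal password, so cracking one exposes both). The configuration text is constructed and the hash strings are placeholders of the right shape, not real hashes; the 43-character Type 4 and `$1$salt$hash` Type 5 formats are used only as plausibility checks.

```python
"""Find Type 4 secrets in a Cisco IOS / IOS XE configuration.
Added example, not from the original report or from Cisco. The config below is
constructed, and the hash strings are placeholders of the right shape, not real
hashes. Type 4 (cisco-sr-20130318-type4) is a single unsalted SHA-256 pass, so
two principals with the same password get the same hash and one cracked hash
exposes both; Type 5 is salted md5crypt ($1$salt$hash)."""
import re

SAMPLE_CONFIG = """\
hostname edge-rtr-1
enable secret 4 Type4PlaceholderHash.Same.Secret.Both.Users
username ops secret 5 $1$salt$Placeholder.md5cryptHa
username admin privilege 15 secret 4 Type4PlaceholderHash.Same.Secret.Both.Users
username svc password 7 0822455D0A16
"""

# enable secret <type> <hash>   |   username <name> [privilege N] secret <type> <hash>
LINE_RE = re.compile(
    r"^\s*(?:enable secret|username\s+(?P<user>\S+)\s+(?:privilege\s+\d+\s+)?secret)"
    r"\s+(?P<type>\d)\s+(?P<hash>\S+)\s*$"
)
ITOA64 = r"[./0-9A-Za-z]"
TYPE4_RE = re.compile(rf"^{ITOA64}{{43}}$")                        # 32-byte digest, custom base64, 43 chars
TYPE5_RE = re.compile(rf"^\$1\${ITOA64}{{1,8}}\${ITOA64}{{22}}$")  # md5crypt: $1$<salt>$<22 chars>


def audit_config(text):
    """Return one finding per secret line: line number, principal, hash type, issues."""
    findings, seen_type4 = [], {}
    for n, line in enumerate(text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            continue
        principal = m.group("user") or "enable"
        htype, h = int(m.group("type")), m.group("hash")
        issues = []
        if htype == 4:
            issues.append("type4-unsalted-sha256")
            if not TYPE4_RE.match(h):
                issues.append("malformed-type4")
            if h in seen_type4:                      # no salt: equal hash means equal password
                issues.append("same-hash-as:" + seen_type4[h])
            else:
                seen_type4[h] = principal
        elif htype == 5 and not TYPE5_RE.match(h):
            issues.append("malformed-type5")
        findings.append({"line": n, "principal": principal, "type": htype, "issues": issues})
    return findings


def weak_principals(findings):
    """Principals whose secret must be regenerated once a fixed release is in place."""
    return [f["principal"] for f in findings if f["type"] == 4]


if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f"line {f['line']:>2}  {f['principal']:<8} type {f['type']}  {', '.join(f['issues']) or 'ok'}")
```

Run it over `show running-config` output collected from every device; the `same-hash-as` finding is the one to act on first, since it means a single cracked hash yields more than one account. Type 7 `password` lines are reversible rather than hashed and are a separate finding outside this check.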

Oracle Java SE Security Bypass Arbitrary Code Execution Vulnerabilities
IntelliShield Vulnerability Alert 28462, Version 6, April 5, 2013
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2013-0809, CVE-2013-1493
Oracle Java SE contains vulnerabilities that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. Reports indicate that CVE-2013-1493 is being actively exploited to install the McRat trojan. Oracle, Apple, IBM and Red Hat have confirmed these vulnerabilities and released patches.

Adobe Flash Player and AIR Security Updates for March 12, 2013
IntelliShield Vulnerability Alert 28565, Version 3, March 14, 2013
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2013-0646, CVE-2013-0650, CVE-2013-1371, CVE-2013-1375
Adobe Flash Player and AIR contain multiple vulnerabilities that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. Updates are available.

Adobe ColdFusion Security Advisory January 2013
IntelliShield Vulnerability Alert 27769, Version 2, March 15, 2013
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2013-0629, CVE-2013-0631, CVE-2013-0625, CVE-2013-0632
Adobe ColdFusion for Windows, Macintosh and UNIX contains multiple vulnerabilities that could allow an unauthenticated, remote attacker to bypass security restrictions to gain unauthorized access or access to sensitive information. Adobe has released an additional security bulletin and software updates to address multiple vulnerabilities. Reports indicate that these vulnerabilities are being exploited in the wild. The vulnerabilities, CVE-2013-0625 and CVE-2013-0629, affect users who do not have password protection enabled or have no password set on their system.

Oracle Java SE Critical Patch Update Advisory for February 2013
IntelliShield Activity Bulletin 28080, Version 10, April 5, 2013
Urgency/Credibility/Severity Rating: 2/5/4
Oracle Java SE contains multiple vulnerabilities that could allow an unauthenticated, remote attacker to bypass security restrictions, access sensitive information, execute arbitrary code, or cause a denial of service (DoS) condition on a targeted system. The patch update corrects 50 vulnerabilities in multiple components, including the Java Runtime Environment (JRE), Java Development Kit (JDK), Software Development Kit (SDK), and JavaFX. Oracle has released additional security advisories and updated packages to address the vulnerabilities in the Oracle Java SE critical patch update advisory for February 2013. Apple and Red Hat have also released updated packages to address these vulnerabilities, and Red Hat has released an additional security advisory and updated packages.

Multiple Java Security Explorations
IntelliShield Activity Bulletin 28404, Version 1, March 1, 2013
Urgency/Credibility/Severity Rating: 2/5/4
Security researchers have released details on multiple new instances of certain types of vulnerabilities in Oracle Java. The vulnerabilities result from flaws similar to recent vulnerabilities that take advantage of Java Virtual Machine (VM) components such as class loaders, the bytecode verifier, the security manager, the JVM runtime execution engine, class definition, and the garbage collector. Proof-of-concept code that could aid attackers in building functional exploits is publicly available. Although Oracle has addressed many of these vulnerabilities in multiple Java SE critical patch advisories, reports indicate that a few of them remain unpatched.

Ruby on Rails Action Pack Parameter Processing Remote Code Execution Vulnerability
IntelliShield Vulnerability Alert 27831, Version 5, March 18, 2013
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2013-0156
Ruby on Rails contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. Updates are available. Functional code that exploits this vulnerability is publicly available as part of the Metasploit Framework.

Legal

The Protected Secrecy of Attorney-Client Privilege

A recent finding by the US Securities and Exchange Commission (SEC) was that only a small number of companies report cyber attack risks and compromises in their SEC filings. Another report suggested that the lack of SEC reporting could result from companies hiring law firms, which in turn hire the technical and forensic experts who investigate possible compromises and attacks. Hiring the law firm allows the company to keep information about the compromise or attack confidential by claiming attorney-client privilege.
Massive Security Breach Details Attorney-Client Privilege
Companies tell SEC Losses are Few

Analysis: While this practice appears to be widely used by large companies, and has not been legally challenged by organizations such as the SEC, it does limit the availability of information for the larger community concerning these attacks. These large attacks and compromises seldom occur in a bubble. The attacks could have far reaching impacts on other companies and organizations who could benefit from the details that could identify or prevent attacks on their companies. Information sharing across the business and government security community continues to be limited due to several factors, including this confidentiality example.

Trust

Security Concerns Over New gTLD

Several organizations have raised security concerns with ICANN regarding the pending release of new generic top-level domains (gTLDs) planned for April 23, 2013. ICANN has responded to many of the concerns and is considering additional security controls. It also commented that the planned release will not produce a flood of newly registered and delegated domains, and that it will continue to work with registrars and others to address security issues.
gTLD Flaws ICANN
Disaster Loom with Rollout of New Top Level Domains

Analysis: The planned public release of the new gTLDs has been through extensive review, with many security issues addressed in current publications. While the concerns of the registrars and others involved in the rollout are legitimate, ICANN plans to proceed cautiously with a controlled rollout, addressing additional security issues as they are identified. One major concern is the impact the new gTLDs will have on organizations that already hold domains, and how those domains and trademarks can be protected. Many are concerned about, or already planning, registering multiple new domains to defend their existing domains and trademarks, which could be very expensive. Many organizations already perform similar defensive registrations to prevent typosquatting, the registration of names that differ from a legitimate domain by a likely typing error so that customers who mistype the name are directed to the squatter's site. All organizations should be aware of the new domains, assess the risks to the organization and its customers, and closely monitor registrations under the new gTLDs to detect infringements early.
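Monitoring registrations under the new gTLDs needs a concrete list of names to watch, and the typosquatting definition above gives the rule for generating one. The following is an added example, not code from the report or from Cisco or ICANN: a Python generator that produces the single-edit typo variants of a brand label (omission, transposition, repetition, adjacent-key replacement and look-alike substitution) and expands them under each TLD of interest, giving a watchlist to compare against zone-file or registrar feeds. The brand label `examplebank` and the TLD strings are constructed placeholders, not a claim about any real applicant or the 2013 gTLD list.

```python
"""Build a watchlist of look-alike domains for a brand across new gTLDs.
Added example; the brand label and the gTLD strings are constructed."""

BRAND = "examplebank"                     # hypothetical brand label
NEW_GTLDS = ["bank", "shop", "app"]       # placeholder TLD strings

QWERTY_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm"]
HOMOGLYPHS = {"l": "1i", "i": "l1", "o": "0", "e": "3", "a": "4", "s": "5"}


def key_neighbours(ch):
    """Letters directly left/right of ch on a QWERTY row (the fat-finger typo)."""
    for row in QWERTY_ROWS:
        if ch in row:
            i = row.index(ch)
            return [row[j] for j in (i - 1, i + 1) if 0 <= j < len(row)]
    return []


def typo_variants(label):
    """Single-edit typos of a DNS label: omission, repetition, adjacent-key
    replacement, look-alike substitution and transposition of neighbours."""
    v = set()
    for i, ch in enumerate(label):
        v.add(label[:i] + label[i + 1:])                 # omission
        v.add(label[:i] + ch + ch + label[i + 1:])       # repetition
        for n in key_neighbours(ch):
            v.add(label[:i] + n + label[i + 1:])         # adjacent key
        for h in HOMOGLYPHS.get(ch, ""):
            v.add(label[:i] + h + label[i + 1:])         # look-alike character
    for i in range(len(label) - 1):
        v.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])  # transposition
    v.discard(label)
    return sorted(x for x in v if x)


def watchlist(label, tlds, include_exact=True):
    """Fully qualified names to monitor: every typo variant under every TLD,
    plus the exact brand label itself (the defensive-registration case)."""
    labels = typo_variants(label) + ([label] if include_exact else [])
    return sorted(f"{l}.{t}" for l in labels for t in tlds)


if __name__ == "__main__":
    names = watchlist(BRAND, NEW_GTLDS)
    print(f"{len(names)} names to monitor, e.g. {names[:3]}")
```

The exact-label entries are the ones an organization might register defensively; the variants are usually too numerous to register and are better watched, with a new registration of any of them treated as a trigger for a trademark or abuse complaint.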

Geopolitical

#OpNorthKorea

In the past week, individuals claiming affiliation with the Anonymous hacker collective disrupted several official North Korean websites, including AirKoryo.com.kp and the DPRK news site Uriminzokkiri, and took over Twitter and Flickr accounts owned by the North Korean government. The hackers claimed to have taken 15,000 personal records from Uriminzokkiri and posted many of them online; further examination suggests that claim is untrue. Amid conflicting claims of responsibility, the hackers posted various demands and insisted that they oppose all oppressive governments, including the United States.
Anonymous Continues North Korea Attack with Twitter Hack 
#OpNorthKorea Hits Websites 
 
Analysis: Activist hackers will find it challenging to steal North Korean user information or break into North Korean accounts. Ironically, North Korea is well insulated from cyber attacks because its network has few connections to the Internet; South Korea, in contrast, is one of the most wired nations on earth and far more exposed. Involving amateur hackers in sensitive global confrontations adds a new and unpredictable element to old-fashioned saber rattling. When one of the players is an erratic, isolated, nuclear-armed state, the hackers risk triggering the kind of miscalculation that military analysts fear. Internet-savvy governments may understand the habits of hacktivists; the hope is that Kim Jong-un and his advisors are wiser now, given their recent embarrassment when they took an article by The Onion naming the North Korean leader the "sexiest man" as authentic.

Upcoming Security Activity


Hack in the Box Amsterdam: April 10-11, 2013
Source Boston 2013: April 16-18, 2013
InfoSec Southwest 2013: April 19-21, 2013
Interop Las Vegas May 6-10, 2013
Cisco Live US: June 23-27, 2013
Black Hat 2013: July 27-August 1, 2013
DEFCON 2013: August 1-4, 2013

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following:

IMF World Bank Meeting: April 19-21, 2013
G8 Summit: May 17-18, 2013

Additional Information

For information and commentary from the experts in Cisco Security Intelligence Operations, please visit the Cisco Security Blog.

For timely information from across Cisco Security Intelligence Operations, please consider following @CiscoSecurity on Twitter.

 
Alert History
 

Initial Release



Product Sets
 
The security vulnerability applies to the following combinations of products.

Primary Products:
IntelliShield Cyber Risk Report Original Release Base

Associated Products:
N/A



LEGAL DISCLAIMER
The urgency and severity ratings of this alert are not tailored to individual users; users may value alerts differently based upon their network configurations and circumstances. THE ALERT, AND INFORMATION CONTAINED THEREIN, ARE PROVIDED ON AN "AS IS" BASIS AND DO NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE ALERT, AND INFORMATION CONTAINED THEREIN, OR MATERIALS LINKED FROM THE ALERT, IS AT YOUR OWN RISK. INFORMATION IN THIS ALERT AND ANY RELATED COMMUNICATIONS IS BASED ON OUR KNOWLEDGE AT THE TIME OF PUBLICATION AND IS SUBJECT TO CHANGE WITHOUT NOTICE. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.
Powered by IntelliShield