Cyber Risk Report: April 15-21, 2013

Threat Type: IntelliShield: Cyber Risk Report
IntelliShield ID: 29059
Version: 1
First Published: 2013 April 22 20:30 GMT
Last Published: 2013 April 22 20:30 GMT
Port: Not available
Urgency: Weakness Found
Credibility: Confirmed
Severity: Mild Damage

Version Summary: This is the Cyber Risk Report for April 15-21, 2013. The report details the significant events for this time period and covers multiple threat and risk management categories.

Description

Contents

Vulnerability
Attacks and Compromises
Physical
Crime
Trust
Geopolitical
Upcoming Security Activity
Additional Information


Listen to the Podcast (10:40 min)

If you missed Cisco Live London or Cisco Live Melbourne, several of the session recordings are available at www.ciscolive365.com. If you do not have an account, you can create one at no charge. Information and registration for Cisco Live 2013, June 23–27 in Orlando, Florida, is now available. Several members of the Cisco Security Intelligence Operations (SIO) team will be presenting training and security topics. The Cisco Security Blog post provides an overview of the Cisco Live security track sessions and those available from Cisco SIO at Cisco Live 2013: Security Training and Breakout Sessions.

As always, we invite your feedback on the Cyber Risk Reports through the Cisco Security Intelligence Operations portal comment card.

Vulnerability

Vulnerability activity for the period continued at increased levels. The highlights for the period were the Oracle Critical Patch Update for April 2013 and Oracle Java SE Critical Patch Update for April 2013. However, the underlying theme for this period seemed to be vulnerabilities in security products and software updates that caused system issues. Multiple vulnerabilities were reported in security products, including CheckPoint Unified Threat Management, Dell SonicWall, Fortinet, NetSweeper, and Rapid7 Nexpose. Users and vendors reported issues with multiple updates, including a Malwarebytes antivirus update and Microsoft security update 2823324.

A new Microsoft buffer overflow vulnerability was reported in the Microsoft Indexing Service ActiveX control that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition. Microsoft has not confirmed the vulnerability and software updates are not available. Proof-of-concept code that exploits this vulnerability is publicly available. Additional security advisories were reported in the Google Chrome stable channel update for April 15, 2013, and HP reported multiple security updates for previously reported vulnerabilities in Apache and Tomcat.

Cisco released two security advisories for Cisco Network Admission Control Manager SQL Injection Vulnerability and Cisco TelePresence Infrastructure Denial of Service Vulnerability and the following security notices during the period:

Multiple notable security reports were released during the period. Microsoft released the Microsoft Security Intelligence Report Volume 14, Symantec released the Internet Threat Report Volume 18 and Appendices, and NQ Mobile released the NQ Mobile 2012 Security Report.

IntelliShield published 143 events last week: 93 new events and 50 updated events. Of the 143 events, 54 were Vulnerability Alerts, 28 were Security Activity Bulletins, five were Security Issue Alerts, 55 were Threat Outbreak Alerts, and one was an Applied Mitigation Bulletin. The alert publication totals are as follows:

Day        Date        New  Updated  Total
Friday     04/19/2013   11        2     13
Thursday   04/18/2013   13        7     20
Wednesday  04/17/2013   20       15     35
Tuesday    04/16/2013   28       14     42
Monday     04/15/2013   21       12     33

Significant Alerts for the Time Period

Boston Marathon Spam Activity
IntelliShield Security Activity Bulletin 29020, Version 1, April 17, 2013
Urgency/Credibility/Severity Rating: 3/5/3
E-mail spam campaigns, fraudulent monetary scams, and exploits against known vulnerabilities are ongoing related to the April 15, 2013, explosions at the Boston Marathon. Reports indicate that the attacker-controlled site may contain .jar files that can compromise vulnerable machines, which may target the vulnerability documented in IntelliShield Alert 26159. Another spam campaign is linked to graphical HTML content claiming to be breaking news from CNN. Customers using Cisco products such as Cisco Intrusion Prevention System devices, Cloud Web Security, Email Security Appliances, and Web Security Appliances have been protected by these products since the beginning of the spamming campaigns. Blog posts Yesterday Boston, Today Waco, Tomorrow Malware and Massive Spam and Malware Campaign Following the Boston Tragedy provide details about the campaigns.

Oracle Java SE Critical Patch Update for April 2013
IntelliShield Security Activity Bulletin 29004, Version 3, April 19, 2013
Urgency/Credibility/Severity Rating: 2/5/4
Multiple CVEs
Multiple vulnerabilities in the Oracle Java SE Java Runtime Environment (JRE) component could allow an unauthenticated, remote attacker to bypass security restrictions, access sensitive information, execute arbitrary code, or cause a DoS condition on a targeted system. Oracle, Apple, CentOS, and Red Hat have released security advisories and updated software. Additional Java security information is available at Cisco Java Security Best Practices.

Previous Alerts That Still Represent Significant Risk

Apache Darkleech Malware Hijacking Activity
IntelliShield Vulnerability Alert 28804, Version 1, April 3, 2013
Urgency/Credibility/Severity Rating: 3/5/4
Darkleech is an exploitation toolkit that could aid an unauthenticated, remote attacker to inject malicious software on a targeted system. Reports indicate that Darkleech attacks have been ongoing since at least August 2012. Darkleech attacks have successfully targeted an estimated 20,000 websites running the Apache web server in the past few weeks, including prominent websites such as the Los Angeles Times in February and a blog for the hard drive manufacturer Seagate in March. Additional information is also available in the Cisco Security Blog post: Apache Darkleech Compromises.

ISC BIND Crafted Regular Expression Remote Denial of Service Vulnerability
IntelliShield Vulnerability Alert 28730, Version 3, April 3, 2013
Urgency/Credibility/Severity Rating: 2/5/3
CVE-2012-2266
ISC BIND contains a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service condition. Updates are available. Red Hat and FreeBSD have released a security advisory and updated patches.

Financial Institution Websites Targeted by Distributed Denial of Service Attacks
IntelliShield Security Activity Bulletin 27076, Version 4, March 26, 2013
Urgency/Credibility/Severity Rating: 3/5/3
Websites owned by banks and other financial institutions continue to be targeted by distributed denial of service (DDoS) attacks, decreasing availability of those sites to legitimate customers. The DDoS attacks may still be ongoing. Site administrators are advised to take steps to protect their Internet-facing web services. Cisco has released a guide to protecting environments against DDoS attacks at the following link: Strategies to Protect Against Distributed Denial of Service (DDoS) Attacks. Cisco has also released an Applied Mitigation Bulletin at the following link: Identifying and Mitigating the Distributed Denial of Service Attacks Targeting Financial Institutions.

Cisco IOS and Cisco IOS XE Type 4 Passwords Issue
IntelliShield Vulnerability Alert 28621, Version 1, March 18, 2013
Urgency/Credibility/Severity Rating: 3/5/3
Cisco IOS and Cisco IOS XE devices contain an issue that could allow an authenticated, remote attacker to access sensitive information on a targeted device. Functional code that exploits the issue is publicly available. Cisco has confirmed the issue in security response cisco-sr-20130318-type4; however, software updates are not available.

Oracle Java SE Security Bypass Arbitrary Code Execution Vulnerabilities
IntelliShield Vulnerability Alert 28462, Version 6, April 5, 2013
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2013-0809, CVE-2013-1493
Oracle Java SE contains vulnerabilities that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. Reports indicate that CVE-2013-1493 is being actively exploited by the McRat trojan malicious code. Oracle, Apple, IBM, and Red Hat have confirmed these vulnerabilities and released patches.

Adobe Flash Player and AIR Security Updates for March 12, 2013
IntelliShield Vulnerability Alert 28565, Version 3, March 14, 2013
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2013-0646, CVE-2013-0650, CVE-2013-1371, CVE-2013-1375
Adobe Flash Player and AIR contain multiple vulnerabilities that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. Updates are available.

Multiple Java Security Explorations
IntelliShield Activity Bulletin 28404, Version 1, March 1, 2013
Urgency/Credibility/Severity Rating: 2/5/4
Security researchers have released details on multiple new instances of certain types of vulnerabilities in Oracle Java. The vulnerabilities result from flaws similar to recent vulnerabilities that take advantage of various Java Virtual Machine (VM) components such as class loaders, byte code verifiers, security managers, the JVM Runtime execution engine and classes definition, or the garbage collector. Proof-of-concept code that could aid attackers in building functional exploits is publicly available. Although Oracle has addressed many of these vulnerabilities in multiple Java SE critical patch advisories, reports have indicated that a few of these vulnerabilities remain unpatched.

Ruby on Rails Action Pack Parameter Processing Remote Code Execution Vulnerability
IntelliShield Vulnerability Alert 27831, Version 5, March 18, 2013
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2013-0156
Ruby on Rails contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. Updates are available. Functional code that exploits this vulnerability is publicly available as part of the Metasploit framework.

Attacks and Compromises

WordPress Websites Under Attack

Multiple sources are reporting large distributed brute-force password attacks on WordPress websites. An estimated 64 million websites include WordPress. Sources investigating the attack report that the WordPress websites are being targeted as a point of entry to compromise the website, potentially installing malicious code on the site, and compromising the websites for use in distributed denial of service (DDoS) attacks.
WordPress Hackers Exploit Username 'Admin'
WordPress Sites Attacked; May Be Prep for DDoS Barrage
IntelliShield Alert: Increasing Distributed, Brute-Force Attacks Against WordPress

Analysis: These types of attacks against content management systems (CMS) such as WordPress, Joomla, and others have been increasing and have been tracked for months. The potentially weak authentication and known vulnerabilities in these systems, present on millions of websites, provide a relatively easy way for attackers to access, compromise, and use the websites for malicious activity. Aside from infecting the websites, one major concern is that these compromised websites will have botnet software installed, allowing the attackers and controllers to use the websites' greater processing power and bandwidth in future DDoS attacks. With the increasing popularity of DDoS attacks and the resources used in them, they could easily overwhelm the DDoS defenses of most websites. All website operators are advised to check and update their CMS systems and remove those no longer used or maintained. Additional information is also available in the Cisco Security Blog post Customized WordPress, Joomla Brute Force Login Attempts.
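As an added example (not part of the original report), the following Python script shows one way a site operator could spot the distributed pattern described above in Apache-style access logs: many login POSTs to wp-login.php spread over many source addresses, each staying under the per-IP threshold that a simple lockout rule would use. The log lines, documentation-range IP addresses, and thresholds are constructed for this example.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Apache combined-log prefix: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m.group("ip"),
            "ts": datetime.strptime(m.group("ts"), TS_FMT),
            "method": m.group("method"),
            "path": m.group("path"),
            "status": int(m.group("status"))}

def login_attempts(lines):
    """Keep only login submissions: POST requests to wp-login.php."""
    recs = (parse_line(l) for l in lines)
    return [r for r in recs
            if r and r["method"] == "POST" and r["path"].startswith("/wp-login.php")]

def detect_distributed_bruteforce(lines, window=timedelta(minutes=5),
                                  min_attempts=10, min_sources=5, per_ip_max=3):
    """Slide a time window over login POSTs and flag a window whose attempts are
    numerous, spread across many source IPs, and individually below per_ip_max
    (the shape of an attack that a per-IP lockout alone would not catch).
    Returns (flagged, attempts_in_window, distinct_source_ips)."""
    attempts = sorted(login_attempts(lines), key=lambda r: r["ts"])
    best, start = (False, 0, 0), 0
    for end in range(len(attempts)):
        while attempts[end]["ts"] - attempts[start]["ts"] > window:
            start += 1
        per_ip = Counter(r["ip"] for r in attempts[start:end + 1])
        total = sum(per_ip.values())
        if (total >= min_attempts and len(per_ip) >= min_sources
                and max(per_ip.values()) <= per_ip_max and total > best[1]):
            best = (True, total, len(per_ip))
    return best

def sample_log(sources=6):
    """Constructed sample traffic (not real logs): 12 wp-login POSTs rotated over
    `sources` IPs within three minutes, plus one ordinary page view."""
    base = datetime(2013, 4, 15, 10, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(12):
        t = (base + timedelta(seconds=15 * i)).strftime(TS_FMT)
        lines.append(f'198.51.100.{i % sources + 1} - - [{t}] '
                     f'"POST /wp-login.php HTTP/1.1" 200 3512')
    lines.append(f'203.0.113.7 - - [{base.strftime(TS_FMT)}] "GET /index.php HTTP/1.1" 200 8820')
    return lines
```

With `sample_log()` the detector reports a flagged window of 12 attempts from 6 sources; with `sample_log(sources=1)` the same 12 attempts come from one IP, exceed `per_ip_max`, and are left to the ordinary per-IP lockout rule instead.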

Physical

Boston Bombing Investigation Continues

As many followed over the weekend, one of the alleged Boston Marathon bombers was killed and the other is in police custody. The bombing and investigation have raised issues and questions around physical security at these types of events, the motivations of the perpetrators, and the roles of law enforcement, the mainstream media, and social media in the investigation and resulting apprehension of the suspects. Many are particularly focused on the high volume of misinformation that may have hindered the investigation or at least confused the situation and those impacted by the bombing.
Bombing Suspect in Custody
Boston Marathon Cell Phone Outages
How Internet Detectives Got It Wrong

Analysis: In addition to the reported spam and malicious activity around this event, the other lead topic has been law enforcement's requests to, and work with, social media to disseminate information and collect evidence throughout the investigation. The Boston police communicated via Twitter, using @Boston_Police to relay information and requests to the public, and many discovered and passed on information through social media, including the ability to monitor police and fire radio networks through public websites. These websites were quickly flooded with hits, becoming unreachable for extended periods. While the investigation continues, the roles of social media, crowd sourcing, and collective intelligence will continue to be examined and reviewed for their effectiveness and how they might be used in future events.

Crime

Schnuck's Grocery Point of Sale Systems Compromised

Schnuck's grocery reported the compromise of customer and account information from an attack on the grocery chain's point-of-sale (POS) systems. The report indicated that as many as 2.4 million debit and credit cards may have been compromised by attackers who installed malware on the systems, rather than through the physical compromise of POS devices seen in similar previous attacks on other retailers. A forensic investigation of the attack continues, while Schnuck's is working with authorities and customers affected by the attack.
Schnuck's: Millions of Cards Exposed
Schnuck's Press Release

Analysis: Unlike previous similar attacks, where the criminals either directly compromised the POS device or replaced it with a compromised device, this attack is based on a malware infection of the systems that transmit the POS information and data. The malware appears to have been installed on the servers, allowing a man-in-the-middle type attack to compromise the data. POS devices are known to have weaknesses and physical vulnerabilities that allow criminals to compromise them. In this case, the use of malware to infect the processing system poses an even greater threat, because it exposes a central point in the data flow through which all transactions pass. This case will likely reveal additional vulnerabilities and weaknesses in the processing system that all retailers will need to address to protect these systems.

Trust

Patches: To Trust or Not to Trust?

Last week, a faulty security update from the popular Malwarebytes erroneously labeled certain Windows system files as malware, Microsoft released an ISO image to help restore systems impacted by the installation of security update 2823324, and Mac update 10.8.3 continued to cause problems for a large number of users. These events came on the heels of an Oracle update designed to fix 42 security flaws in Java and unrelated charges from the ACLU contending that mobile service providers were not providing security updates for Android users.
Malwarebytes Cripples Thousands of Computers
Repair Disk for KB2823324 and KB2782476 (KB2840165)
Java Update Plugs 42 Security Holes
ACLU Asks Government to Investigate Phone Carriers Over Android Security Threat

Analysis: Patching failures can lead to a loss of consumer confidence in security updates. After the spate of patch mishaps in recent weeks, this confidence may be at an all-time low. Any loss of confidence in patching is a concern, particularly if it leads to a delay in installing the latest updates from Oracle. Because of its ubiquitous use, Java vulnerabilities continue to be the single most exploited vector leading to malware infection, so preventing these exploits is key. These events also raise the question of whether security updates should be pushed automatically to users, as the ACLU proposes for Android devices, or whether updates should remain at the discretion of users. There are no easy answers, but clearly there is more work to be done to ensure that security updates do not introduce system instability and that confidence in automatic updates is restored.

Geopolitical

Misinformation Is No Joke

Individuals claiming affiliation with the hacker group Anonymous claimed to have penetrated the public website of Israeli intelligence organization Mossad and stolen sensitive information, according to hacker websites quoted by a variety of media outlets. The information included personally identifying information (PII) for Israel Defense Forces (IDF) officials and Mossad informants, the websites claimed. The names of some 35,000 alleged agents included many thousands of Israeli Arabs. Almost immediately, questions about the validity of the information emerged; eventually, a series of refutations and apologies followed.
Hack Claims Against Mossad Website
Hoax “Mossad Agents list” Circulating Online
#OpIsrael

Analysis: Misinformation can have real-world consequences, and for Israeli Arabs supposedly “outed” as Mossad agents, it could be fatal. Research conducted by Electronic Intifada and the Times of Israel shows that the information may have started as an online customer list, stolen and posted on pastebin.com months ago. The list was described by hackers in progressively more damaging claims as IDF officials, Mossad agents, and eventually Mossad informants. In the rush to claim victories in the competitive hacktivist world, the hackers took little apparent care in making wild claims about their stolen data. This incident also underscores that over time, online communities and researchers are learning to question and double-check facts that seem dubious. In the interim, information security professionals may keep in mind that the data they protect may carry a higher price than they might think.

Upcoming Security Activity

Interop Las Vegas May 6–10, 2013
Cisco Live US: June 23–27, 2013
Black Hat 2013: July 27–August 1, 2013
DEFCON 2013: August 1–4, 2013

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following:

G8 Summit: May 17–18, 2013

Additional Information

For information and commentary from the experts in Cisco Security Intelligence Operations, please visit the Cisco Security Blog.

For timely information from across Cisco Security Intelligence Operations, please consider following @CiscoSecurity on Twitter.

Alert History

Initial Release

Product Sets

The security vulnerability applies to the following combinations of products.

Primary Products:
IntelliShield Cyber Risk Report Original Release Base

Associated Products:
N/A

LEGAL DISCLAIMER
The urgency and severity ratings of this alert are not tailored to individual users; users may value alerts differently based upon their network configurations and circumstances. THE ALERT, AND INFORMATION CONTAINED THEREIN, ARE PROVIDED ON AN "AS IS" BASIS AND DO NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE ALERT, AND INFORMATION CONTAINED THEREIN, OR MATERIALS LINKED FROM THE ALERT, IS AT YOUR OWN RISK. INFORMATION IN THIS ALERT AND ANY RELATED COMMUNICATIONS IS BASED ON OUR KNOWLEDGE AT THE TIME OF PUBLICATION AND IS SUBJECT TO CHANGE WITHOUT NOTICE. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.
Powered by IntelliShield