Cyber Risk Report: May 6-12, 2013

 
Threat Type:IntelliShield: Cyber Risk Report
IntelliShield ID:29305
Version:1
First Published:2013 May 13 19:32 GMT
Last Published:2013 May 13 19:32 GMT
Port: Not available
Urgency:Weakness Found
Credibility:Confirmed
Severity:Mild Damage
 
Version Summary:This is the Cyber Risk Report for May 6-12, 2013. The report details the significant events for this time period and covers multiple threat and risk management categories.
 

Description
 

Contents

Vulnerability
Physical
Legal
Identity
Geopolitical
Upcoming Security Activity
Additional Information


Listen to the Podcast (10:23 min) 


Information and registration for Cisco Live 2013, June 23–27 in Orlando, Florida, is now available. Several members of the Cisco Security Intelligence Operations (SIO) team will be presenting training and security topics. The Cisco Security Blog post provides an overview of the Cisco Live security track sessions and those available from Cisco SIO at Cisco Live 2013: Security Training and Breakout Sessions.

As always, we invite your feedback on the Cyber Risk Reports through the Cisco Security Intelligence Operations portal comment card.

Vulnerability

Vulnerability activity for the period remained below previous heightened levels. The highlights for the period included new vulnerabilities reported in Adobe ColdFusion and Oracle Java and an additional Microsoft security advisory with a workaround for a new Internet Explorer vulnerability. Other significant vulnerabilities and security advisories included multiple vulnerabilities in EMC AlphaStor, Avamar, and Documentum products and in RSA Archer eGRC products.

Nginx.org released an advisory and updated software for a stack-based buffer overflow vulnerability in the Nginx Web Server, reported in IntelliShield Alert 29247. Separate from this new vulnerability, multiple sources are also reporting that the Linux/Cdorked trojan is now spreading through Nginx and Lighttpd web servers in addition to Apache. While some may not be familiar with Nginx (pronounced "engine X"), it is currently rated as having the third-largest web server market share, behind Apache and Microsoft Internet Information Services (IIS), with over 100 million active sites (based on Netcraft web server surveys). In related web server activity, WhiteHat released its most recent website vulnerability survey, which shows a decline in serious web application vulnerabilities but also indicates that many sites continue to have serious vulnerabilities.

Cisco released one Security Advisory and accompanying Applied Mitigation Bulletin (AMB) and three Security Notices:

For upcoming activity, Microsoft released the Security Bulletin Advance Notification for May 2013, listing ten security bulletins: two rated Critical for Windows and Internet Explorer and eight rated Important for Windows, .NET Framework, Microsoft Lync, Microsoft Office, and Microsoft Security Essentials. Adobe also announced security updates for Acrobat and Reader that will be released the same day, Tuesday, May 14, 2013.

IntelliShield published 106 events last week: 74 new events and 32 updated events. Of the 106 events, 49 were Vulnerability Alerts, five were Security Activity Bulletins, three were Security Issue Alerts, 46 were Threat Outbreak Alerts, two were Applied Mitigation Bulletins, and one was a Cyber Risk Report. The alert publication totals are as follows:

Day         Date         New   Updated   Total
Friday      05/10/2013    13         5      18
Thursday    05/09/2013     4         7      11
Wednesday   05/08/2013    22        11      33
Tuesday     05/07/2013    17         4      21
Monday      05/06/2013    18         5      23


Significant Alerts for the Time Period


Adobe ColdFusion download.cfm Arbitrary File Retrieval Vulnerability
IntelliShield Vulnerability Alert 29265, Version 2, May 9, 2013
Urgency/Credibility/Severity Rating: 3/5/3
CVE-2013-3336
A vulnerability in Adobe ColdFusion could allow an unauthenticated, remote attacker to download arbitrary files from a targeted system. Adobe has released a security advisory to address the ColdFusion download.cfm arbitrary file retrieval vulnerability. Exploit code that allows exploitation of the vulnerability is publicly available.

Oracle Java performSSVValidation Security Warning Dialog Bypass Vulnerability
IntelliShield Vulnerability Alert 29242, Version 1, May 7, 2013
Urgency/Credibility/Severity Rating: 3/4/3
Oracle Java contains a vulnerability that could allow an unauthenticated, remote attacker to bypass security restrictions. Proof-of-concept code that exploits this vulnerability is publicly available. Oracle has not publicly confirmed the vulnerability. Reports indicate that it has been fixed in Oracle Java 7 Update 21, but vendor confirmation of that fix is not available.

Previous Alerts That Still Represent Significant Risk

Microsoft Internet Explorer Memory Corruption Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 29210, Version 4, May 10, 2013
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2013-1347
Microsoft Internet Explorer contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. Microsoft has confirmed the vulnerability in a security advisory and released approved workarounds, but software updates are not yet available. Exploits in the wild have been observed. Current exploits target Internet Explorer 8.0 on Windows XP and reliably achieve code execution.
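Because updates are not yet available and the observed exploits target one specific population (IE 8 on Windows XP), the first practical response step is to find out how many of your clients are in it so the workaround can be prioritized. The following script is an added example and is not part of the Cisco report or any Microsoft guidance: it classifies clients from web proxy logs by the User-Agent header. IE 8 identifies itself with an "MSIE 8.0" token and Windows XP with "Windows NT 5.1" (5.2 for XP x64 and Server 2003); IE 8 running in Compatibility View reports "MSIE 7.0" but still carries the "Trident/4.0" engine token, which is why the Trident token takes precedence. The log format (client IP first, quoted User-Agent last, as in Apache/Squid combined format) and the sample lines are constructed for the example.

```python
"""Inventory IE 8 on Windows XP clients from proxy logs (added example, not from the report)."""
import re

# Assumed format: client IP is the first field and the quoted User-Agent is the last field.
LOG_RE = re.compile(r'^(?P<ip>\S+) .*"(?P<ua>[^"]*)"\s*$')

# Layout-engine token -> real IE major version. Compatibility View changes the MSIE
# token (IE8 shows "MSIE 7.0") but not the Trident token, so Trident is authoritative.
TRIDENT_TO_IE = {"4.0": 8, "5.0": 9, "6.0": 10}

# Windows NT 5.1 = XP; 5.2 = XP x64 / Server 2003. Both use the XP code base.
XP_NT_VERSIONS = {"5.1", "5.2"}

# Constructed sample proxy log lines (not real traffic).
SAMPLE_LOG = [
    '10.1.2.3 - - [06/May/2013:09:14:02 +0000] "GET http://example.com/ HTTP/1.1" 200 5120 "-" '
    '"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"',
    '10.1.2.4 - - [06/May/2013:09:15:11 +0000] "GET http://example.com/a HTTP/1.1" 200 310 "-" '
    '"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)"',   # IE8 in Compatibility View
    '10.1.2.5 - - [06/May/2013:09:16:40 +0000] "GET http://example.com/b HTTP/1.1" 200 900 "-" '
    '"Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"',
    '10.1.2.6 - - [06/May/2013:09:17:03 +0000] "GET http://example.com/c HTTP/1.1" 200 720 "-" '
    '"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"',   # IE8 on Windows 7
    '10.1.2.7 - - [06/May/2013:09:18:55 +0000] "GET http://example.com/d HTTP/1.1" 200 64 "-" '
    '"Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.64 Safari/537.31"',
    'truncated line with no user agent',
]


def ie_major(ua):
    """Return the real IE major version, or None for non-IE user agents."""
    t = re.search(r'Trident/(\d+\.\d+)', ua)
    if t and t.group(1) in TRIDENT_TO_IE:
        return TRIDENT_TO_IE[t.group(1)]
    m = re.search(r'MSIE (\d+)\.\d+', ua)
    return int(m.group(1)) if m else None


def windows_nt(ua):
    """Return the Windows NT version string from the user agent, or None."""
    m = re.search(r'Windows NT (\d+\.\d+)', ua)
    return m.group(1) if m else None


def classify(ua):
    """'targeted' = IE8 on XP (what the in-the-wild exploits hit),
    'ie8' = IE8 on another Windows version, 'other' = everything else."""
    if ie_major(ua) != 8:
        return "other"
    return "targeted" if windows_nt(ua) in XP_NT_VERSIONS else "ie8"


def inventory(lines):
    """Group client IPs by classification. Returns (groups, unparsed_line_count)."""
    groups = {"targeted": set(), "ie8": set(), "other": set()}
    unparsed = 0
    for line in lines:
        m = LOG_RE.match(line.rstrip("\n"))
        if not m:
            unparsed += 1          # count rather than silently drop malformed lines
            continue
        groups[classify(m.group("ua"))].add(m.group("ip"))
    return groups, unparsed


if __name__ == "__main__":
    groups, unparsed = inventory(SAMPLE_LOG)
    for name in ("targeted", "ie8", "other"):
        print(f"{name:9s} {sorted(groups[name])}")
    print(f"unparsed  {unparsed}")
```

Feed real proxy logs with `inventory(open(path))`. The User-Agent header is client-supplied and easily spoofed, so this is an inventory aid for deciding where to apply Microsoft's workaround first, not a detection of exploitation; hosts that appear under "ie8" are still running the affected browser version even though the observed exploits do not target them.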

Malicious Apache Linux/Cdorked.A Trojan in Compromised Web Servers
IntelliShield Security Activity Bulletin 29133, Version 2, May 10, 2013
Urgency/Credibility/Severity Rating: 3/5/3
Linux/Cdorked.A is an Apache trojan that could allow an unauthenticated, remote attacker to redirect users to malicious websites. Reports indicate that hundreds of Apache web servers are affected by the Linux/Cdorked.A trojan and that it redirects legitimate HTTP requests from affected hosts to other websites hosting the Blackhole Exploit Kit, described in IntelliShield Alert 25108. Additional information is also available in the Cisco Security Blog post: Linux/CDorked FAQs.
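Cdorked-style compromises, including the reported spread to Nginx and Lighttpd noted in the Vulnerability section above, work by replacing the web server binary on the host, so a hash baseline of the server binaries and loadable modules taken from a trusted state (a fresh package install or a known-good build) is the simplest check for whether a server has been swapped. The script below is an added example and is not part of the Cisco report or the Cdorked FAQ; the default binary and module paths in DEFAULT_TARGETS are common distribution defaults assumed for illustration, and the demo runs the check on constructed files in a temporary directory.

```python
"""Baseline-and-verify integrity check for web server binaries (added example)."""
import hashlib
import json
import os
import tempfile
from pathlib import Path

# Assumed default locations of the binaries and modules a Cdorked-style trojan replaces.
DEFAULT_TARGETS = [
    "/usr/sbin/httpd",
    "/usr/sbin/apache2",
    "/usr/sbin/nginx",
    "/usr/sbin/lighttpd",
    "/usr/lib64/httpd/modules",
    "/usr/lib/apache2/modules",
]


def sha256_of(path):
    """Streamed SHA-256 so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def expand_targets(paths):
    """Expand directories (e.g. a modules directory) into the files they contain;
    paths that do not exist on this host are skipped."""
    files = []
    for p in paths:
        if os.path.isdir(p):
            for root, _, names in os.walk(p):
                files.extend(os.path.join(root, n) for n in names)
        elif os.path.isfile(p):
            files.append(p)
    return files


def build_baseline(paths):
    """Return {path: sha256} for every file under the given targets."""
    return {p: sha256_of(p) for p in expand_targets(paths)}


def verify_baseline(baseline):
    """Compare the current files against a saved baseline.
    Returns {'modified': [...], 'missing': [...], 'ok': [...]}."""
    result = {"modified": [], "missing": [], "ok": []}
    for path, expected in sorted(baseline.items()):
        if not os.path.isfile(path):
            result["missing"].append(path)
        elif sha256_of(path) != expected:
            result["modified"].append(path)
        else:
            result["ok"].append(path)
    return result


def save_baseline(baseline, out_path):
    Path(out_path).write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(in_path):
    return json.loads(Path(in_path).read_text())


def demo():
    """Run the check on constructed files: one binary is replaced, one module removed."""
    with tempfile.TemporaryDirectory() as tmp:
        httpd = os.path.join(tmp, "httpd")
        module = os.path.join(tmp, "mod_example.so")
        Path(httpd).write_bytes(b"\x7fELF legitimate httpd build (constructed)")
        Path(module).write_bytes(b"\x7fELF legitimate module (constructed)")
        baseline = build_baseline([httpd, module, os.path.join(tmp, "absent")])
        # Simulate a Cdorked-style swap of the server binary and loss of a module.
        Path(httpd).write_bytes(b"\x7fELF trojaned httpd (constructed)")
        os.remove(module)
        return verify_baseline(baseline)


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3 and sys.argv[1] == "baseline":
        save_baseline(build_baseline(DEFAULT_TARGETS), sys.argv[2])
    elif len(sys.argv) == 3 and sys.argv[1] == "verify":
        print(json.dumps(verify_baseline(load_baseline(sys.argv[2])), indent=2))
    else:
        print(json.dumps(demo(), indent=2))
```

Take the baseline immediately after a clean install and store it off the host; a compromised server can lie about its own files, so run the verification from a trusted environment or against a copy of the disk. On package-managed hosts, `rpm -V httpd` or `debsums -c apache2` performs the same comparison against the package manifest, but neither catches a binary that was replaced via a modified package or a module added outside the package, which is why the baseline covers the modules directory as well as the main binary.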

Oracle Java Applet Object Type Confusion Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 29067, Version 1, April 23, 2013
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2013-2423
Oracle Java Runtime Environment (JRE) contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. Updates are available. Reports indicate that this vulnerability is being actively exploited in the wild.

Oracle Java SE Critical Patch Update for April 2013
IntelliShield Security Activity Bulletin 29004, Version 4, April 24, 2013
Urgency/Credibility/Severity Rating: 2/5/4
Multiple CVEs
Multiple vulnerabilities in the Oracle Java SE JRE component could allow an unauthenticated, remote attacker to bypass security restrictions, access sensitive information, execute arbitrary code, or cause a denial of service condition on a targeted system. Oracle, Apple, CentOS, and Red Hat have released security advisories and updated software. Additional Java security information is available at Cisco Java Security Best Practices.

Apache Darkleech Malware Hijacking Activity
IntelliShield Security Activity Bulletin 28804, Version 1, April 3, 2013
Urgency/Credibility/Severity Rating: 3/5/4
Darkleech is an exploitation toolkit that could help an unauthenticated, remote attacker to inject malicious software on a targeted system. Reports indicate that Darkleech attacks have been ongoing since at least August 2012. Darkleech attacks have successfully targeted an estimated 20,000 websites running the Apache web server in the past few weeks, including prominent websites such as the Los Angeles Times in February and a blog for the hard drive manufacturer Seagate in March. Additional information is also available in the Cisco Security Blog post: Apache Darkleech Compromises.

ISC BIND Crafted Regular Expression Remote Denial of Service Vulnerability
IntelliShield Vulnerability Alert 28730, Version 4, May 1, 2013
Urgency/Credibility/Severity Rating: 2/5/3
CVE-2013-2266
ISC BIND contains a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service condition. Updates are available. Red Hat, HP, and FreeBSD have released security advisories and updated software.

Financial Institution Websites Targeted by Distributed Denial of Service Attacks
IntelliShield Security Activity Bulletin 27076, Version 4, March 26, 2013
Urgency/Credibility/Severity Rating: 3/5/3
Websites owned by banks and other financial institutions continue to be targeted by distributed denial of service attacks, decreasing availability of those sites to legitimate customers. DDoS attacks may still be ongoing. Site administrators are advised to take steps to protect their Internet-facing web services. Cisco has released a guide to protecting environments against DDoS attacks at the following link: Strategies to Protect Against Distributed Denial of Service (DDoS) Attacks. Cisco has released an Applied Mitigation Bulletin at the following link: Identifying and Mitigating the Distributed Denial of Service Attacks Targeting Financial Institutions.

Physical

Office Control Systems Hack Demonstrated

Researchers from the security firm Cylance demonstrated a compromise of the building management system at Google's Sydney, Australia office. The firm reported that they exploited a known, six-month-old vulnerability in the Tridium Niagara framework, which is used by hundreds of thousands of organizations to manage systems such as HVAC, alarms, lighting, fire, security and access controls, elevators, and other property management controls. In related activity, the U.S. Department of Homeland Security released a warning to U.S. companies about the increased risk of cyber attacks on control systems.
Researchers Hack Google Office
U.S. Warns Industry of Risk of Cyberattack

Analysis: While industrial control and SCADA systems are often thought to affect only the limited group of industries that use them in production plants, control systems actually underpin nearly every business, building, home, and property management system. As more of these systems are deployed and their management interfaces are connected to the Internet for remote administration and monitoring, the weak security and unpatched vulnerabilities in these systems are exposed to anyone with Internet access. This event also demonstrated the difficulty of updating and patching these systems, which continues to challenge both vendors and operators. All organizations should perform a risk analysis of these systems and either implement processes to manage them or disable their Internet access until they can be secured. Owners of these systems must also weigh the added exposure before adopting a smartphone or similar application for remote access.

Legal

National Institute of Standards and Technology Core Computer Security Guide Updated

The National Institute of Standards and Technology (NIST) released Special Publication (SP) 800-53 Revision 4, also known as the Core Computer Security Guide. This most recent update of the document follows Revision 3, last updated in early 2010. New policies and practices in the document govern evolving technologies and risks such as cloud services, mobile computing, and advanced persistent threats.
NIST SP800-53

Analysis: The Core Computer Security Guide may be most relevant for U.S. government organizations or businesses that supply government organizations and may have policies that require following practices described in the guide. However, the guide contains a wealth of security practices applicable to many organizations unrelated to the U.S. government.

Identity

U.S. Federal Trade Commission Cracks Down on Data Brokers

The U.S. Federal Trade Commission (FTC) announced an investigation focused on data broker practices that may violate the U.S. Fair Credit Reporting Act (FCRA). The investigation focused on Internet services that provide online background checks and credit checks, and on how the collected information is handled, reported, and stored. The investigation found that roughly 20 percent of those services may be in violation of the FCRA. In odd related activity, media in the United Kingdom are reporting an offer to sell the personal data of 27 million mobile phone customers to the Metropolitan Police Service.
FTC Investigates Data Brokers and Services
Millions of Phone Records Offered for Sale to Police

Analysis: As we have seen in multiple reports, the volume of personal data available and for sale is staggering, including both legitimate services and criminal operations. As the FTC investigation shows, there are laws protecting how organizations can use this data, not only in the United States but across the globe, as well as existing and increasing regulatory and compliance requirements that dictate how businesses must handle sensitive personal data. Businesses are well aware of these requirements, and it's good to see the FTC and other government agencies attempting to enforce these laws. As we reported in the Cisco 2013 Annual Security Report, we expect the trend of increased investigation, enforcement, and prosecutions. Organizations and businesses that might use these online services for employment checks or other services should consider the potential impact if these services are found to be in violation of these laws.

Geopolitical

Syrian Internet Goes Offline and Loses Domains

While Syria dropped off the Internet for about 20 hours, in an apparently unrelated action the domain registrar Network Solutions seized over 700 Syrian-registered domains under international trade sanctions. Network Solutions marked the seized domains with "OFAC Holding," in reference to the U.S. Department of the Treasury Office of Foreign Assets Control. The seizure appears to have been performed independently by Network Solutions as the registrar, and not in conjunction with U.S. government law enforcement agencies or investigations. The domains seized included those registered to the Syrian Electronic Army, a hacktivist group recently responsible for hijacking multiple Twitter accounts, and the Syrian Computer Society, which performs multiple Internet management functions in Syria and has been reported to have close ties with the Syrian government and security organizations.
Trade Sanctions Cited in Syrian Domain Seizures
Network Solutions Seizes Syrian Domains
Syria Drops Off the Internet

Analysis: The only identified explanation for the Syrian drop from the Internet was a report of a fiber cable cut, which does not seem likely considering the multiple fiber networks entering and exiting Syria. There have been previous events where Syrian domains and activity dropped off the Internet with little explanation, and the drop does not appear to be related to the Network Solutions domain seizure. The seizure is important in itself, as it is reported to be based on the international trade sanctions against Syria, which do include the registering of domains. It may be challenged by Syria, but there are currently no reports of pending legal challenges.

While the physical and cyber hostilities continue in Syria, the Internet has played a central role in military and opposition forces' communications, disinformation operations, malicious code attacks targeting opposition forces, and attempts to identify and locate those forces using geolocation information. The Syrian situation is giving many what might be considered the first glimpse into what could be actual cyber warfare operations, where two opposing forces are attempting to use the Internet in a variety of methods to influence the physical ground military engagements. As those capabilities continue to be developed across the globe by multiple governments, those governments are also developing their playbooks on how the Internet and cyber operations could be used, with possible lessons learned from Syria.

International organizations have now also entered the developing cyber operations with the seizure of the domains, raising further questions of how the Internet could be involved in future sanctions or actions. With these continuing developments, the most serious questions for the larger community are the potential for collateral damage and what the impact could be, as well as measures to prevent, mitigate, or respond to that impact. Most of these questions are currently unknowns, but the developing situation in Syria may provide some insights.

Upcoming Security Activity

IEEE Symposium on Security and Privacy: May 19–22, 2013
Cisco Live US: June 23–27, 2013
Black Hat 2013: July 27–August 1, 2013
DEFCON 2013: August 1–4, 2013
22nd USENIX Security Symposium: August 14–16, 2013
(ISC)2 Security Congress 2013: September 24–27, 2013

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following:

G8 Summit: May 17–18, 2013

Additional Information

For information and commentary from the experts in Cisco Security Intelligence Operations, please visit the Cisco Security Blog.

For timely information from across Cisco Security Intelligence Operations, please consider following @CiscoSecurity on Twitter.

 
Alert History
 

Initial Release



Product Sets
 
The security vulnerability applies to the following combinations of products.

Primary Products:
IntelliShieldCyber Risk Report Original Release Base

Associated Products:
N/A



LEGAL DISCLAIMER
The urgency and severity ratings of this alert are not tailored to individual users; users may value alerts differently based upon their network configurations and circumstances. THE ALERT, AND INFORMATION CONTAINED THEREIN, ARE PROVIDED ON AN "AS IS" BASIS AND DO NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE ALERT, AND INFORMATION CONTAINED THEREIN, OR MATERIALS LINKED FROM THE ALERT, IS AT YOUR OWN RISK. INFORMATION IN THIS ALERT AND ANY RELATED COMMUNICATIONS IS BASED ON OUR KNOWLEDGE AT THE TIME OF PUBLICATION AND IS SUBJECT TO CHANGE WITHOUT NOTICE. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.
Powered by  IntelliShield