Cyber Risk Report

Cyber Risk Report: June 3-9, 2013

 
Threat Type: IntelliShield: Cyber Risk Report
IntelliShield ID: 29613
Version: 1
First Published: 2013 June 10 17:13 GMT
Last Published: 2013 June 10 17:13 GMT
Port: Not available
Urgency: Weakness Found
Credibility: Confirmed
Severity: Mild Damage
 
Version Summary:This is the Cyber Risk Report for June 3-9, 2013. The report details the significant events for this time period and covers multiple threat and risk management categories.
 

Description
 

Contents


Vulnerability
Attacks and Compromises
Legal
Trust
Geopolitical
Upcoming Security Activity
Additional Information

Listen to the Podcast (9:50 min) 

Information and registration for Cisco Live 2013, June 23–27 in Orlando, Florida, is now available. Several members of the Cisco Security Intelligence Operations (SIO) team will be presenting training and security topics. The Cisco Security Blog post provides an overview of the Cisco Live security track sessions and those available from Cisco SIO at Cisco Live 2013: Security Training and Breakout Sessions.

We also invite you to join Cisco SIO at Black Hat 2013 in Las Vegas. Visit the Cisco booth to meet Cisco SIO engineers and sign up for the two-day hands-on Network Threat Defense, Countermeasures, and Controls course. Courses will be offered on July 27-28 and July 29-30, 2013.

Cisco also released a new report on the current state of the Internet of Things: Cisco Visual Network Index (VNI).

As always, we invite your feedback on the Cyber Risk Reports through the Cisco Security Intelligence Operations portal comment card.

Vulnerability

Vulnerability activity for the period remained at elevated levels. Highlights for the period include a new vulnerability in Parallels Plesk, large updates for Apple OS X and Safari, the ISC BIND denial of service vulnerability, and multiple vulnerabilities in Sophos Antivirus.

A new zero-day vulnerability was identified in Parallels Plesk that is being actively exploited in the wild to compromise servers and install botnet malicious code. The vulnerability affects older versions of Parallels Plesk, not the latest major version of the software.

A vulnerability in the ISC BIND server could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition. The attacker could exploit the vulnerability by transmitting a resolution query for a malformed zone, causing the server to stop responding to legitimate DNS clients.

Apple released large updates for Apple OS X and Safari. The OS X update corrects 31 vulnerabilities, and the Safari browser update corrects 26 vulnerabilities, including several older vulnerabilities in products, such as Ruby on Rails, that have active exploits.

Other activity included a new release for Google Chrome Stable, a vulnerability in IBM QRadar, and a Microsoft Internet Explorer use-after-free vulnerability with proof-of-concept exploit code available.

SCADA activity included updates for multiple vulnerabilities in Schneider Electric products, although the released updates do not address the vulnerabilities in all affected versions. Cisco Applied Security Intelligence released a new Cisco Applied Mitigation Bulletin: Identifying and Mitigating the Siemens SCALANCE Privilege Escalation Vulnerabilities.

In upcoming activity, Microsoft released the Security Bulletin Advance Notification for June 2013. The June release will include five Security Bulletins, including one rated critical by Microsoft. The bulletins will address vulnerabilities in Internet Explorer, Windows Operating Systems, and Microsoft Office.

IntelliShield published 152 events last week: 65 new events and 87 updated events. Of the 152 events, 75 were Vulnerability Alerts, seven were Security Activity Bulletins, nine were Security Issue Alerts, 59 were Threat Outbreak Alerts, two were Applied Mitigation Bulletins, and one was a Cyber Risk Report. The alert publication totals are as follows:

Day         Date          New   Updated   Total
Saturday    06/08/2013      4         2       6
Friday      06/07/2013      5         5      10
Thursday    06/06/2013     14        33      47
Wednesday   06/05/2013     17         8      25
Tuesday     06/04/2013      4        20      24
Monday      06/03/2013     21        19      40

 

Significant Alerts for June 3-9, 2013

Parallels Plesk Remote PHP Command Execution Vulnerability
IntelliShield Vulnerability Alert 29594, Version 1, June 6, 2013
Urgency/Credibility/Severity Rating: 3/3/3
CVE Not Available
Parallels Plesk contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary PHP code on a targeted system. Updates are not available. Proof-of-concept code is publicly available. Additional details are available in the Cisco Security Blog post: Plesk 0-Day Targets Web Servers

ISC BIND Malformed Zone Request Processing Denial of Service Vulnerability
IntelliShield Vulnerability Alert 29572, Version 2, June 6, 2013
Urgency/Credibility/Severity Rating: 2/5/3
CVE-2013-3919
ISC BIND contains a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service condition. ISC has confirmed the vulnerability and released software updates.

Previous Alerts That Still Represent Significant Risk

Ruby on Rails Action Pack Parameter Processing Remote Code Execution Vulnerability
IntelliShield Vulnerability Alert 27831, Version 6, May 29, 2013
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2013-0156
Ruby on Rails contains a vulnerability, originally reported in January 2013, that could allow an unauthenticated, remote attacker to execute arbitrary code. Ruby on Rails has confirmed the vulnerability in a security announcement and released software updates. Cisco event data detected intrusion prevention system signature activity related to this vulnerability on May 24, 2013, which could indicate increased attempts to exploit it. Additional analysis is available in the Cisco Security Blog post: Botnets Riding Rails to your Data Center
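The signature activity mentioned above can be reproduced at the application or proxy layer with a simple body inspection. The following is an added example for this report, not code from Cisco, Rails, or the original page. The trigger condition it looks for (an XML parameter element carrying type="yaml" or type="symbol", which the vulnerable ActiveSupport XmlMini parser handed to YAML.load or to_sym) is taken from the public Rails advisory for CVE-2013-0156 and is not stated on this page. The function names and the sample requests are this example's own and are constructed for illustration.

```python
"""Detection check for exploitation attempts against the Rails Action Pack
parameter-parsing bug (CVE-2013-0156).

Added example for this report; not code from Cisco, Rails, or the original
page. The trigger (an XML element with type="yaml" or type="symbol") is
taken from the public Rails advisory. Function names and sample requests
are this example's own.
"""
import xml.etree.ElementTree as ET

# Content types that Rails' ParamsParser routed through the XML parser
# (Mime::XML synonyms). Other bodies are not inspected here.
XML_CONTENT_TYPES = {"application/xml", "text/xml", "application/x-xml"}

# XmlMini "type" values that selected a dangerous conversion.
DANGEROUS_TYPES = {"yaml", "symbol"}


def _header(headers, name):
    """Case-insensitive header lookup (HTTP header names are not case-sensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return ""


def is_xml_request(headers):
    """True when the Content-Type (ignoring parameters) selects XML parsing."""
    media_type = _header(headers, "Content-Type").split(";")[0].strip().lower()
    return media_type in XML_CONTENT_TYPES


def inspect_xml_body(body):
    """Return a list of findings for one XML body.

    Bodies carrying a DTD are reported without being parsed, so the detector
    itself cannot be fed an entity-expansion bomb; bodies the parser rejects
    are reported too, since an attacker may be probing the parser.
    """
    if "<!DOCTYPE" in body or "<!ENTITY" in body:
        return ["dtd-in-body"]
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        return ["unparseable-xml: %s" % exc]
    findings = []
    for elem in root.iter():  # walk every element, not only top-level params
        # Lowercased match is broader than Rails' exact key lookup; that is
        # deliberate for a detector (more noise, fewer misses).
        type_attr = elem.get("type", "").strip().lower()
        if type_attr in DANGEROUS_TYPES:
            findings.append("%s type=%s" % (elem.tag, type_attr))
    return findings


def inspect_request(headers, body):
    """Findings for a request; non-XML requests are out of scope and yield []."""
    if not is_xml_request(headers):
        return []
    return inspect_xml_body(body)


# Constructed sample requests (header dict, body) used to exercise the check.
SAMPLE_REQUESTS = {
    "benign_xml": ({"Content-Type": "application/xml"},
                   '<?xml version="1.0"?><user><name>alice</name></user>'),
    "yaml_typed": ({"content-type": "application/xml; charset=utf-8"},
                   '<?xml version="1.0"?><post><title type="yaml">--- 1\n</title></post>'),
    "nested_symbol": ({"Content-Type": "text/xml"},
                      '<a><b><c type="symbol">x</c></b></a>'),
    "json_body": ({"Content-Type": "application/json"}, '{"type": "yaml"}'),
    "dtd_body": ({"Content-Type": "application/xml"},
                 '<!DOCTYPE a [<!ENTITY x "y">]><a>&x;</a>'),
    "broken_xml": ({"Content-Type": "application/xml"}, '<a><b type="yaml">'),
}


def scan_samples():
    """Run the check over every sample; returns {name: findings}."""
    return {name: inspect_request(h, b) for name, (h, b) in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, findings in scan_samples().items():
        print("%-14s %s" % (name, findings or "clean"))
```

The check is keyed on Content-Type because the vulnerable parser ran on any request that declared an XML body, regardless of the route, which is what let the exploit reach every controller. On the server side, the Rails advisory's own workaround for unpatched hosts was to remove the "yaml" and "symbol" entries from ActiveSupport::XmlMini::PARSING in an initializer; the detector above is a complement to that, not a substitute for patching.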

HangOver Malicious Software Used in Targeted Attacks
IntelliShield Security Activity Bulletin 29383, Version 1, May 20, 2013
Urgency/Credibility/Severity Rating: 3/4/3
CVE Not Available
Researchers have identified malicious software used in targeted attacks against government national security organizations and private commercial organizations. The HangOver malicious software, also known as Hanove, is distributed mainly through targeted spear-phishing e-mail campaigns. HangOver exploits known vulnerabilities for which patches exist.

Linux Kernel PERF_EVENT perf_swevent_init() Function Privilege Escalation Vulnerability
IntelliShield Vulnerability Alert 29336, Version 5, May 21, 2013
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2013-2094
A vulnerability in the Performance Events (PERF_EVENT) implementation in the Linux Kernel could allow an authenticated, local attacker to escalate privileges on the targeted system. Functional code that exploits the vulnerability is publicly available. Kernel.org has confirmed this vulnerability in the git repository and updated software is available.

Adobe Reader and Acrobat Security Updates for May 14, 2013
IntelliShield Security Activity Bulletin 29320, Version 2, May 15, 2013
Urgency/Credibility/Severity Rating: 2/5/4
Multiple CVEs
Multiple vulnerabilities in Adobe Reader and Acrobat versions 9.5.4 and prior, 10.1.6 and prior, and 11.0.02 and prior, could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system with the privileges of a targeted user. Adobe has confirmed the vulnerabilities in a security bulletin and released software updates.

Adobe ColdFusion download.cfm Arbitrary File Retrieval Vulnerability
IntelliShield Vulnerability Alert 29265, Version 3, May 14, 2013
Urgency/Credibility/Severity Rating: 3/5/3
CVE-2013-3336
A vulnerability in Adobe ColdFusion could allow an unauthenticated, remote attacker to download arbitrary files from a targeted system. Exploit code is publicly available, and attacks using it are being reported in the wild. Adobe has confirmed this vulnerability and software updates are available.

Microsoft Internet Explorer Memory Corruption Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 29210, Version 5, May 15, 2013
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2013-1347
Microsoft Internet Explorer contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. Exploits in the wild have been observed. Current exploits target Internet Explorer 8.0 on Windows XP and reliably achieve code execution. Microsoft has confirmed the vulnerability in a security bulletin and released software updates.

Oracle Java SE Critical Patch Update for April 2013
IntelliShield Security Activity Bulletin 29004, Version 5, May 23, 2013
Urgency/Credibility/Severity Rating: 2/5/4
Multiple CVEs
Multiple vulnerabilities in the Oracle Java SE Java Runtime Environment (JRE) component could allow an unauthenticated, remote attacker to bypass security restrictions, access sensitive information, execute arbitrary code, or cause a denial of service condition on a targeted system. Oracle, Apple, CentOS, and Red Hat have released security advisories and updated software. Additional Java security information is available at Cisco Java Security Best Practices.

Attacks and Compromises

Espionage and Distributed Denial of Service

Several reports have recently been released with in-depth analysis of espionage campaigns, Distributed Denial of Service (DDoS) attack malicious code, and botnets. Kaspersky Lab released a report on the NetTraveler espionage campaign, with possible ties to earlier espionage campaigns. Arbor SERT and Prolexic released analysis of the DDoS trojan Black Revolution and of DNS reflection attacks. Deep Research released a post on the continuing attacks on Joomla and WordPress sites by the RFI botnet.
NetTraveler Espionage Campaign Uncovered, Links to Gh0st RAT, Titan Rain Found
The Revolution Will Be Written in Delphi
Prolexic Stops Largest-Ever DNS Reflection DDoS Attack
Under This Rock: Vulnerable Wordpress, Joomla Sites

Analysis: These in-depth reports provide security teams with the understanding and technical details needed to handle the current state of attacks. Organizations should review them and reassess their security postures and handling procedures for these attacks. Understanding the current state of attacks helps teams accurately identify malicious activity and respond effectively.

Legal

Microsoft and Law Enforcement Shut Down Citadel

Microsoft and law enforcement agencies from across the U.S., Europe, and Asia announced the shutdown of the Citadel cybercrime operation and botnets. Citadel is used to capture financial information and specifically targets several large financial institutions, including credit card companies, online payment companies, banks, and auction sites. The Citadel operation comprised as many as 1,400 botnets and is credited with being responsible for US$500 million in stolen funds.

Microsoft Torpedoes Citadel Botnet Infrastructure

Analysis: This takedown highlights the increasing cooperation and capability in addressing complex, international cybercrime operations. Previously these criminals could operate with little risk from law enforcement or of disruption to their botnets, but particularly over the last couple of years the law enforcement community and the private sector have successfully interrupted several of these criminal operations. The next step is to further improve cooperation and the prosecution of the individuals involved, further raising the cost of conducting these operations.

Trust

NSA Collection of Internet and Phone Traffic

A whistleblower released information to the Guardian about the U.S. National Security Agency (NSA) collection of internet and phone traffic from multiple large internet companies. The initial reports have now been followed with statements from the Obama administration, the Director of National Intelligence (DNI), the NSA Director, several U.S. Representatives, and some of the companies involved. While the U.S. administration has launched an investigation into the leaked information, the whistleblower has now identified himself as a 29-year-old consultant working for the NSA and has fled the country. The official government statements on the NSA PRISM program now confirm the collection of the traffic and that it was done legally under the Foreign Intelligence Surveillance Act (FISA), with oversight from the courts and U.S. House committees.
NSA Collecting Phone Records of Millions of Verizon Customers Daily
U.S., British Intelligence Mining Data From Nine U.S. Internet Companies in Broad Secret Program
DNI Statement on Recent Unauthorized Disclosures of Classified Information
Edward Snowden: The Whistleblower Behind the NSA Surveillance Revelations
Government Phone Surveillance for Dummies

Analysis: It should be no surprise that the NSA is collecting and monitoring internet and phone data, or that these large internet companies are required by U.S. law to provide the data under legal requests. This is what the NSA does, and has always done, in its national security and intelligence missions. The finer points of interest in this disclosure are the legal questions of collecting this data under FISA, the possible monitoring of U.S. citizens' data, and another serious leak of classified information from the U.S. government. As this investigation continues and more details are released, FISA will be reviewed and possibly modified by the U.S. House of Representatives, also affecting the internet companies and their legal obligations. The debate will continue over the balance of privacy versus security, with this latest disclosure possibly tipping the scale back toward the protection of privacy.

Geopolitical

Turkey Protests and Social Media

Amid protests over redevelopment plans for a park in central Istanbul last week, 25 people were arrested for using social media to inflame anti-government sentiment and incite violence, according to a variety of reports. The Turkish police, who have been widely criticized for their heavy-handed response to the protests, made the arrests after Turkish Prime Minister Recep Tayyip Erdogan called Twitter a "menace to society" and added, "The best examples of lies can be found there." Later, a Reuters photo of a woman in a red dress being pepper sprayed by a police officer went viral and became the latest meme symbolizing the harsh reaction of Turkish police to the popular protests. Moreover, Anonymous and, oddly enough, the Syrian Electronic Army entered the fray by hacking Turkish government websites under the hashtag #OpTurkey.
Turkish Police Arrest 25 people for Using Social Media to Call for Protest
How the "Lady In Red" Became Turkey’s Most Inspiring Meme
Press Freedom and Rule of Law in Turkey
Turkey Has Third Most Engaged Online Audience in Europe

Analysis: Although Turkey is a democratic country, and Prime Minister Erdogan has been popularly elected three times, communications media are strictly controlled when it comes to criticism of government institutions. Freedom House terms Turkey a "partly free" country, pointing to challenges with freedom of the press. This is now clearly extending to social media, as reports surfaced during the protests that both Facebook and Twitter were temporarily inaccessible from within Istanbul and other parts of Turkey. Many users reportedly turned to free VPN services like Hotspot Shield to send their messages outside Turkish borders. In the inevitable comparisons of Turkey to other countries in the region that underwent political upheaval during the so-called Arab Spring, Turkey was a surprise to many observers because of the strength of its economy and its comparatively tolerant social system. However, compared to countries like Egypt and Tunisia, Internet penetration in Turkey is far deeper: Turkey has the third most engaged online audience in Europe, according to comScore Inc. Moreover, two years have passed since the initial outbreak of protests in Tunisia in early 2011, and two years is a long time in the world of the Internet. Ultimately, most Turkey observers expect Erdogan to survive the protests, but political leaders around the world are undoubtedly taking note of the rapid spread of popular protest information via social media, the power of visual imagery, and the apparent futility of trying to turn off the spigots.

Upcoming Security Activity

Gartner Security & Risk Management Summit: June 10-13, 2013
Cisco Live US: June 23-27, 2013
Black Hat 2013: July 27-August 1, 2013
DEFCON 2013: August 1-4, 2013
22nd USENIX Security Symposium: August 14-16, 2013
ISC2 Security Congress 2013: September 24-27, 2013
Interop New York 2013: September 30-October 4, 2013

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following:

Iran Presidential Elections: June 14, 2013
St. Petersburg International Economic Forum: June 20-22, 2013

Additional Information

For information and commentary from the experts in Cisco Security Intelligence Operations, please visit the Cisco Security Blog.

For timely information from across Cisco Security Intelligence Operations, please consider following @CiscoSecurity on Twitter.
 
Alert History
 

Initial Release



Product Sets
 
The security vulnerability applies to the following combinations of products.

Primary Products:
IntelliShield Cyber Risk Report Original Release Base

Associated Products:
N/A



LEGAL DISCLAIMER
The urgency and severity ratings of this alert are not tailored to individual users; users may value alerts differently based upon their network configurations and circumstances. THE ALERT, AND INFORMATION CONTAINED THEREIN, ARE PROVIDED ON AN "AS IS" BASIS AND DO NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE ALERT, AND INFORMATION CONTAINED THEREIN, OR MATERIALS LINKED FROM THE ALERT, IS AT YOUR OWN RISK. INFORMATION IN THIS ALERT AND ANY RELATED COMMUNICATIONS IS BASED ON OUR KNOWLEDGE AT THE TIME OF PUBLICATION AND IS SUBJECT TO CHANGE WITHOUT NOTICE. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.
Powered by IntelliShield