Cyber Risk Report: June 10-16, 2013

Threat Type: IntelliShield: Cyber Risk Report
IntelliShield ID: 29684
Version: 1
First Published: 2013 June 17 17:56 GMT
Last Published: 2013 June 17 17:56 GMT
Port: Not available
Urgency: Weakness Found
Credibility: Confirmed
Severity: Mild Damage

Version Summary: This is the Cyber Risk Report for June 10-16, 2013. The report details the significant events for this time period and covers multiple threat and risk management categories.

Description

Contents

Vulnerability
Attacks and Compromises
Trust
Geopolitical
Upcoming Security Activity
Additional Information


Cisco Live 2013 is next week, June 23-27 in Orlando, Florida. Several members of the Cisco Security Intelligence Operations (SIO) team will be presenting training and security topics. The Cisco Security Blog post provides an overview of the Cisco Live security track sessions and those available from Cisco SIO at Cisco Live 2013: Security Training and Breakout Sessions.


We also invite you to join Cisco SIO at Black Hat 2013 in Las Vegas. Visit the Cisco booth to meet Cisco SIO engineers and sign up for the 2-day, hands-on Network Threat Defense, Countermeasures, and Controls course. Courses will be offered on July 27-28 and July 29-30, 2013.

As always, we invite your feedback on the Cyber Risk Reports through the Cisco Security Intelligence Operations portal comment card.

Vulnerability

Vulnerability activity decreased for the period. The highlights were the Microsoft Security Bulletin release for June 2013 and additional updates for Adobe Flash Player and AIR, the Linux kernel, VMware vCenter, and RSA Authentication Manager.

Microsoft published its monthly security bulletin release on June 11, 2013. Microsoft released five bulletins that addressed 23 vulnerabilities in Microsoft Windows, Microsoft Internet Explorer, and Microsoft Office. The vulnerabilities could allow an attacker to execute arbitrary code, cause a denial of service condition, or gain elevated privileges. Details of the vulnerabilities and correlated Cisco mitigation information for the release are available at the Cisco Event Response: Microsoft Security Bulletin Release for June 2013. New exploit activity was identified targeting the previously reported Microsoft Internet Explorer Use-After-Free Arbitrary Code Execution Vulnerability, reported in Microsoft Security Bulletin MS13-037 and IntelliShield Alert 29192.

Adobe released security updates for Flash Player and AIR, reported in IntelliShield Alert 29642. Vulnerabilities involving plaintext logging of sensitive information were reported in VMware vCenter and RSA Authentication Manager, covered in IntelliShield Alerts 29643 and 29608. The Linux kernel 3.4.42 release corrected multiple vulnerabilities, and Wireshark released a new version correcting multiple vulnerabilities.

HP reported multiple vulnerabilities in HP Service Manager, Storage, iLO3, and iLO4.

Cisco released the following Security Notices during the period:

In new security reports on threat activity, multiple sources have been tracking and reporting on the increasing use of P2P networks for botnet command and control. The latest updates are CERT-PL ZeuS-P2P Monitoring and Analysis and P2PWNED: Modeling and Evaluating the Resilience of Peer-to-Peer Botnets.

In upcoming activity, Oracle is scheduled to release the Oracle Java SE Critical Patch Updates on June 18, 2013.

IntelliShield published 138 events last week: 84 new events and 54 updated events. Of the 138 events, 59 were Vulnerability Alerts, 17 were Security Activity Bulletins, two were Security Issue Alerts, 57 were Threat Outbreak Alerts, two were Applied Mitigation Bulletins, and one was a Cyber Risk Report. The alert publication totals are as follows:

Day         Date         New   Updated   Total
Friday      06/14/2013    10         4      14
Thursday    06/13/2013     7        18      25
Wednesday   06/12/2013    13        23      36
Tuesday     06/11/2013    42         5      47
Monday      06/10/2013    12         4      16

Significant Alerts for the Time Period

Microsoft Internet Explorer Use-After-Free Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 29192, Version 2, June 13, 2013
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2013-2551
Microsoft Internet Explorer contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code. Functional code that exploits this vulnerability is available as part of the Metasploit framework. Microsoft has confirmed the vulnerability in Security Bulletin MS13-037 and released software updates.

Parallels Plesk Remote PHP Command Execution Vulnerability
IntelliShield Vulnerability Alert 29594, Version 2, June 12, 2013
Urgency/Credibility/Severity Rating: 3/5/3
CVE Not Available
Parallels Plesk contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary PHP script on a targeted system. Proof-of-concept code is publicly available. Parallels has confirmed the vulnerability is a variation of the CVE-2012-1823 vulnerability, which is documented in IntelliShield Alert 25816. Parallels has also confirmed that all currently supported versions of Parallels Plesk Panel 9.5 or later are not vulnerable to this variation. Additional details are in the Cisco Security Blog post: Plesk 0-Day Targets Web Servers.

Previous Alerts That Still Represent Significant Risk

ISC BIND Malformed Zone Request Processing Denial of Service Vulnerability
IntelliShield Vulnerability Alert 29572, Version 2, June 6, 2013
Urgency/Credibility/Severity Rating: 2/5/3
CVE-2013-3919
ISC BIND contains a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service condition. ISC has confirmed the vulnerability and released software updates.

Ruby on Rails Action Pack Parameter Processing Remote Code Execution Vulnerability
IntelliShield Vulnerability Alert 27831, Version 6, May 29, 2013
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2013-0156
Ruby on Rails contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code, originally reported in January 2013. Ruby on Rails has confirmed the vulnerability in a security announcement and released software updates. Event data from Cisco has detected intrusion prevention system signature activity related to this vulnerability. This activity on May 24, 2013, could indicate increased attempts to exploit the vulnerability in Ruby on Rails. Additional analysis is available in the Cisco Security Blog post: Botnets Riding Rails to Your Data Center.

HangOver Malicious Software Used in Targeted Attacks
IntelliShield Security Activity Bulletin 29383, Version 1, May 20, 2013
Urgency/Credibility/Severity Rating: 3/4/3
CVE Not Available
Researchers have identified malicious software used in targeted attacks against government national security organizations and private commercial organizations. The HangOver malicious software, also known as Hanove, is distributed mainly through targeted spear-phishing email campaigns. HangOver exploits known vulnerabilities for which patches exist.

Linux Kernel PERF_EVENT perf_swevent_init() Function Privilege Escalation Vulnerability
IntelliShield Vulnerability Alert 29336, Version 5, May 21, 2013
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2013-2094
A vulnerability in the Performance Events (PERF_EVENT) implementation in the Linux Kernel could allow an authenticated, local attacker to elevate privileges on a targeted system. Functional code that exploits the vulnerability is publicly available. Kernel.org has confirmed this vulnerability in the git repository and updated software is available.

Adobe Reader and Acrobat Security Updates for May 14, 2013
IntelliShield Security Activity Bulletin 29320, Version 2, May 15, 2013
Urgency/Credibility/Severity Rating: 2/5/4
Multiple CVEs
Multiple vulnerabilities in Adobe Reader and Acrobat versions 9.5.4 and prior, 10.1.6 and prior, and 11.0.02 and prior could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system with the privileges of a targeted user. Adobe has confirmed the vulnerabilities in a security bulletin and released software updates.

Microsoft Internet Explorer Memory Corruption Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 29210, Version 5, May 15, 2013
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2013-1347
Microsoft Internet Explorer contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. Exploits in the wild have been observed. Current exploits target Internet Explorer 8.0 on Windows XP and reliably achieve code execution. Microsoft has confirmed the vulnerability in a security bulletin and released software updates.

Oracle Java SE Critical Patch Update for April 2013
IntelliShield Security Activity Bulletin 29004, Version 5, May 23, 2013
Urgency/Credibility/Severity Rating: 2/5/4
Multiple CVEs
Multiple vulnerabilities in the Oracle Java SE Java Runtime Environment (JRE) component could allow an unauthenticated, remote attacker to bypass security restrictions, access sensitive information, execute arbitrary code, or cause a denial of service condition on a targeted system. Oracle, Apple, CentOS, and Red Hat have released security advisories and updated software. Additional Java security information is available at Cisco Java Security Best Practices.

Attacks and Compromises

Web and Hosting Services Targeted

Security researchers have presented examples of sophisticated attacks aimed directly at web servers managed by cloud service and hosting providers through different methods and attack vectors. In a recent high-profile incident in Germany, a hosting service reported that its customer data was compromised by an intruder who was apparently able to establish a back door to one of the service's servers. The intruders have not yet been caught and the actual method and means used to commit the attack have not been determined.
Cybercriminals Are Picking on U.S. Cloud Hosting Providers
Hetzner Web Hosting Service Hacked
Hetzner Security Breach Exposes Customer Passwords, Payment Information

Analysis: Attacks that gain control over web servers directly put the confidentiality, integrity, and availability of the hosted resources, including sensitive customer data, at risk. These attacks have been well documented in the referenced reports. It is incumbent upon the service providers responsible for the integrity of their hosted services to maintain a rigorous security practice to protect their servers, data, and underlying IT infrastructure. To that end, hosting and web service providers should regularly evaluate and update their security practices and policies. These activities should include, but not be limited to, hardening the network and server infrastructure, monitoring for indicators of compromise and anomalies, enforcing adequate access controls, and applying current security patches for all software and systems.

Trust

2013 Online Trust Honor Roll Released

The Online Trust Alliance (OTA) released its 2013 Online Trust Honor Roll report, highlighting websites that demonstrate the best practices for privacy, security, and consumer protection. The OTA audits a wide range of websites including retailers, government and financial domains, and web pages. The report focuses on domain, brand and consumer protection, site, server and infrastructure security, and data protection and privacy.
Top Sites Revealed
2013 Online Trust Honor Roll

Analysis: This extensive audit report highlights several of the best security and privacy practices across a wide range of organizations' websites that can be useful for all to consider for their domains and policies. While roughly 25 percent across the various groups audited make the Honor Roll, findings called out Extended Validation SSL certificate adoption, DNSSEC adoption, and email authentication adoption as important best practices this year for the top websites. As mentioned above in the Attacks and Compromises section, attack trends continue to shift to compromising infrastructure systems for the increased processing power and bandwidth of those systems. Securing these systems is a combined and coordinated operation between the hosting and service providers and the organization and owner of the domain and websites. Both should be aware of the increased threats to these systems and consider the best practices identified in this report.
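The Trust analysis above names email authentication adoption as a best practice. The following added example (not part of the Cisco report or the OTA audit) grades a domain's SPF and DMARC posture the way a defender would before trusting its mail; the domain names and TXT records are constructed samples, and any callable that returns TXT strings for a name can be passed as `resolver` in place of the sample table.

```python
import re

# Constructed TXT records standing in for DNS answers (test-only names, not real domains).
SAMPLE_TXT = {
    "example-a.test": ["v=spf1 ip4:192.0.2.0/24 -all"],
    "_dmarc.example-a.test": ["v=DMARC1; p=reject; rua=mailto:dmarc@example-a.test; pct=100"],
    "example-b.test": ["v=spf1 include:_spf.example-b.test ~all"],
    "_dmarc.example-b.test": ["v=DMARC1; p=none"],
    "example-c.test": ["v=spf1 +all"],
}

def parse_dmarc(record):
    """Split 'v=DMARC1; p=reject; ...' into a tag -> value dict with lowercase tag names."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def spf_all_qualifier(record):
    """Qualifier on the terminating 'all' mechanism: '-', '~', '?' or '+' (implicit); None if absent (redirect= is not followed)."""
    match = re.search(r"(?:^|\s)([-~?+]?)all(?:\s|$)", record)
    if not match:
        return None
    return match.group(1) or "+"

def assess_email_auth(domain, resolver=None):
    """List weaknesses in the domain's SPF and DMARC posture (empty list = enforcing); resolver maps a name to TXT strings."""
    lookup = resolver or SAMPLE_TXT.get
    findings = []
    spf = [r for r in (lookup(domain) or []) if r.lower().startswith("v=spf1")]
    if not spf:
        findings.append("SPF: no record; receivers cannot verify sending hosts")
    elif len(spf) > 1:
        findings.append("SPF: multiple records; evaluation yields permerror")
    else:
        qualifier = spf_all_qualifier(spf[0])
        if qualifier in (None, "+"):
            findings.append("SPF: any host may send as this domain (+all or no 'all' term)")
        elif qualifier in ("~", "?"):
            findings.append("SPF: softfail/neutral 'all'; spoofed mail is not rejected on SPF alone")
    dmarc = [r for r in (lookup("_dmarc." + domain) or []) if r.upper().startswith("V=DMARC1")]
    if not dmarc:
        findings.append("DMARC: no record; SPF/DKIM results are neither enforced nor reported")
    else:
        tags = parse_dmarc(dmarc[0])
        if tags.get("p", "").lower() == "none":
            findings.append("DMARC: p=none is monitor-only; spoofed mail is still delivered")
        if "rua" not in tags:
            findings.append("DMARC: no rua address; no aggregate reports on spoofing attempts")
        if tags.get("pct", "100") != "100":
            findings.append("DMARC: pct=%s applies the policy to only part of the mail" % tags["pct"])
    return findings
```

With the sample table, example-a.test returns no findings, example-b.test returns three (SPF softfail, DMARC p=none, no rua), and example-c.test returns two (SPF +all, no DMARC record).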

Geopolitical

Turkey Situation

Turkish Prime Minister Recep Tayyip Erdogan cleared Gezi Park and Taksim Square of protesters over the weekend, after earlier appearing to compromise by offering concessions. Tensions in Istanbul have been building since angry citizens occupied Gezi Park almost two weeks ago. Predictably, politically motivated cyber attacks against authorities accompanied the street protests. In this case, hackers claiming affiliation with Anonymous and members of the pro-Assad Syrian Electronic Army found common ground, taking credit for outages on Syrian government websites. Through a phishing attack, hackers obtained the Turkish Prime Minister's passwords and contact information and disabled his official website. In a somewhat ironic twist, the hackers did not publish other personal details gained in the sweep, or other sensitive data, because (they said) "Anonymous respects people's privacy." Meanwhile, the Syrian Electronic Army hacked Turkey's Interior Ministry website, publishing username and password information. Supporters of Erdogan did not take these attacks lying down: IsBank, said to support the protesters, was knocked offline early in the protests.
Turkish Protesters Embrace Erdogan Insult
'Cyber warfare' of Gezi Park Continues
Map of Worldwide Protests in Sympathy with Gezi Protests
Anonymous and Syrian Electronic Army Hack Turkish Government Networks

Analysis: In last week's analysis, we cited an image of a woman in a red dress blasted with pepper spray by overzealous policemen. The image captured the spirit of the situation and was an instant viral Internet success. This week, a popular meme emerging from the protests is the "capuling" craze. Protesters are mocking the angry words Prime Minister Erdogan used against them. He called them capulcu, or "hooligans," leading protesters to take the phrase as a badge of courage and humor, and spawning another Internet craze. Other powerful images spread via the Internet this week include shots of police and protest activity taken by a civilian-controlled drone over Gezi Park.

As of this writing, although some protesters have been arrested for using social media to organize protests or energize dissent, Turkish authorities have not cut Internet access or blocked access to popular sites. Erdogan has repeatedly blamed the protests on "outsiders," and while clearly most of the protesters are Turkish citizens, the role of outsiders in the ongoing events is worth considering. For one thing, there can be little doubt that social media and the Internet have influenced Turkey's young protesters, as they call for a more flexible, responsive democracy. More to the point, the attacks by Anonymous and the Syrian Electronic Army probably came from outside Turkey. Erdogan's supporters allege that supporters of Syria's Bashar Al Assad are fanning the flames of popular anger, as instability in Turkey could play into their hands, particularly as outside organizations such as the United Nations consider intervention. Turkey is also home to a large contingent of Kurdish separatists whose PKK party has frequently resorted to violence. The Kurdish minority has become agitated by the tumult in nearby Syria, which also is home to a large Kurdish minority. Information security specialists may want to keep an eye on these outside actors, as they may be better able to bridge geography through cyber means, and they may sense an opportunity to press their advantage against Erdogan in coming weeks. Whatever we may think of Erdogan, continued instability is not in the best interests of Turkey's citizens or her allies.

Upcoming Security Activity

Cisco Live US: June 23-27, 2013
Black Hat 2013: July 27-August 1, 2013
DEFCON 2013: August 1-4, 2013
22nd USENIX Security Symposium: August 14-16, 2013
(ISC)2 Security Congress 2013: September 24-27, 2013
Interop New York 2013: September 30-October 4, 2013

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following:

G8 Summit: June 17-18, 2013
St. Petersburg International Economic Forum: June 20-22, 2013
Ramadan: July 9-August 7, 2013

Additional Information

For information and commentary from the experts in Cisco Security Intelligence Operations, please visit the Cisco Security Blog.

For timely information from across Cisco Security Intelligence Operations, please consider following @CiscoSecurity on Twitter.

Alert History

Initial Release

Product Sets

The security vulnerability applies to the following combinations of products.

Primary Products:
IntelliShield Cyber Risk Report Original Release Base

Associated Products:
N/A


