Cyber Risk Report

Cyber Risk Report: October 7-13, 2013

 
Threat Type: IntelliShield: Cyber Risk Report
IntelliShield ID: 31249
Version: 1
First Published: 2013 October 14 18:15 GMT
Last Published: 2013 October 14 18:15 GMT
Port: Not available
Urgency: Weakness Found
Credibility: Confirmed
Severity: Mild Damage
 
Version Summary:This is the Cyber Risk Report for October 7-13, 2013. The report details the significant events for this time period and covers multiple threat and risk management categories.
 

Description
 

Contents

Vulnerability
Attacks and Compromises
Legal
Trust
Human
Upcoming Security Activity
Additional Information

Listen to the Podcast (8:04 min)

U.S. National Cyber Security Awareness Month (NCSAM) continues, and the Cisco Security Blog has several posts on the latest topics. Don't miss this week's post by John Stewart, Senior Vice President, Chief Security Officer: Cyber Security Awareness Month 2013: Trust is the Topic and other new posts throughout the month.

Vulnerability

Vulnerability activity returned to elevated levels with the release of security updates from Microsoft, Adobe, and Cisco.

Microsoft published its monthly security bulletin release on October 8, 2013. Microsoft originally released eight bulletins that addressed 26 vulnerabilities in Microsoft Windows, Internet Explorer, Office Excel, Office Word, SharePoint Server, .NET Framework, and Silverlight. The vulnerabilities could allow an attacker to execute arbitrary code, cause a denial of service condition, access sensitive information, or gain elevated privileges. The Internet Explorer bulletin is rated critical; public exploit code exists, and two of the vulnerabilities it addresses are being actively exploited. Microsoft later revised the Internet Explorer bulletin to remove CVE-2013-3871, which it said would be addressed in a later security bulletin. Full details of the vulnerabilities, Cisco IPS signatures, and the Applied Mitigation Bulletin are available in the Cisco Event Response: Microsoft Security Bulletin Release for October 2013 and the Sourcefire VRT Blog.

Adobe released security updates for Reader, Acrobat, and RoboHelp that address multiple vulnerabilities. Apple released an update for iTunes. SAP reported a NetWeaver vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary commands; updates are available, and proof-of-concept code that exploits the vulnerability is publicly available. To exploit it, an attacker would likely need access to the trusted, internal network in which the targeted system resides, so restricting network access to the affected NetWeaver interface is a useful interim measure until the updates are applied. Full details of the SAP vulnerability are available in IntelliShield Alert 31203.

Cisco released two security advisories for Cisco Adaptive Security Appliance (ASA) Software and Firewall Services Module Software:
Multiple Vulnerabilities in Cisco ASA Software
Multiple Vulnerabilities in Cisco Firewall Services Module Software

Cisco also released the following security notices:
Cisco Prime Central for HCS Portal Credentials Access Vulnerability
Cisco IOS Software DHCP Server remember Functionality Vulnerability
Cisco Identity Services Engine Troubleshooting Interface Cross-Site Scripting Vulnerability
Cisco Identity Services Engine Sponsor Portal Cross-Frame Scripting Vulnerability
Cisco IOS Software OSPF Opaque LSA Denial of Service Vulnerability
Cisco Fourth-Generation RT Style IP Phone Crafted SDP Packet Vulnerability

IntelliShield published 184 events last week: 132 new events and 52 updated events. Of the 184 events, 83 were Vulnerability Alerts, six were Security Activity Bulletins, four were Security Issue Alerts, 88 were Threat Outbreak Alerts, one was an Applied Mitigation Bulletin, and two were Cyber Risk Reports. The alert publication totals are as follows:

Day         Date          New   Updated   Total
Friday      10/11/2013     19        10      29
Thursday    10/10/2013     14         5      19
Wednesday   10/09/2013     34        18      52
Tuesday     10/08/2013     42        10      52
Monday      10/07/2013     23         9      32
Total                     132        52     184

Significant Alerts for the Time Period

SAP NetWeaver SOAP Interface Arbitrary Command Execution Vulnerability
IntelliShield Vulnerability Alert 31203, Version 1, October 10, 2013
Urgency/Credibility/Severity Rating: 2/5/4
CVE Not Available
SAP NetWeaver contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary commands. Proof-of-concept code that exploits this vulnerability is publicly available. SAP has confirmed this vulnerability and released software updates.

Previous Alerts That Still Represent Significant Risk

Microsoft Internet Explorer Remote Code Execution Vulnerability
IntelliShield Vulnerability Alert 30843, Version 3, October 8, 2013
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2013-3893
Microsoft Internet Explorer contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code. Functional exploit code is available as part of the Metasploit Framework. Microsoft has confirmed the vulnerability and released software updates in a security bulletin.

Microsoft Internet Explorer CAnchorElement Remote Code Execution Vulnerability
IntelliShield Vulnerability Alert 31049, Version 3, October 11, 2013
Urgency/Credibility/Severity Rating: 2/4/4
CVE-2013-3871
Microsoft Internet Explorer contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. Microsoft removed this CVE from its October 2013 Internet Explorer bulletin and has not confirmed the vulnerability; software updates are not available.

Microsoft Windows Theme File Handling Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 30577, Version 3, September 23, 2013
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2013-0810
Microsoft Windows contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. Functional code that demonstrates an exploit of this vulnerability is publicly available. Updates are available.

Oracle Java ByteComponentRaster Buffer Overflow Remote Code Execution Vulnerability
IntelliShield Vulnerability Alert 29855, Version 5, September 9, 2013
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2013-2473
Oracle Java Runtime Environment contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code. Functional code that demonstrates an exploit of this vulnerability is publicly available. Updates are available.

Attacks and Compromises

Avira, Metasploit Report DNS Attacks

Avira and several other companies had their primary domains and websites hijacked through unauthorized changes to DNS records held at their domain registrar, Network Solutions. The altered records pointed the domains at other hosts. The changes were reportedly made after a fraudulent password reset request was accepted by Network Solutions. A similar attack, reportedly by the same group, hijacked the DNS records of metasploit.com, in that case reportedly by means of a faxed change request.
Major DNS Hijacking Affecting Major Websites
Metasploit Website Hijacked

Analysis: As in previous similar incidents, domain owners can arrange additional controls with their registrars and DNS providers, such as registrar locks and out-of-band verification of change requests, to prevent many of these fraudulent attempts to alter DNS records. All organizations should monitor their own domains and websites for suspicious activity, redirections, unauthorized record changes, and malware infections, and should have an established procedure for proving ownership to the registrar so that a hijacked domain or DNS record can be recovered quickly.
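The monitoring the analysis recommends can be automated with a simple drift check. The following is an added example written for this report and is not Cisco or IntelliShield code: it compares the records a domain owner expects against the records currently observed, and it parses WHOIS output for the registrar lock status codes that would have blocked an unauthorized change. The domain, the baseline, the "observed" records, and the WHOIS excerpt are constructed sample data, not real lookups; in practice the observed set would come from dnspython or `dig +short` and the WHOIS text from the registrar.

```python
"""DNS hijack drift check: baseline comparison plus registrar lock audit.

Added example for this report (not Cisco/IntelliShield code). All data below is
constructed to simulate a registrar-level hijack of a hypothetical domain.
"""
from typing import Dict, List, Set, Tuple

Records = Dict[str, Set[str]]            # rtype -> set of record values
Zone = Dict[str, Records]                # domain -> records

# Constructed baseline: what the owner of the hypothetical domain expects.
BASELINE: Zone = {
    "example-av.test": {
        "NS": {"ns1.example-av.test.", "ns2.example-av.test."},
        "A": {"203.0.113.10"},
        "MX": {"10 mail.example-av.test."},
    },
}

# Constructed observation simulating a hijack: delegation (NS) and A changed,
# MX untouched. A registrar hijack shows up as an NS change first.
OBSERVED: Zone = {
    "example-av.test": {
        "NS": {"ns1.attacker.invalid.", "ns2.attacker.invalid."},
        "A": {"198.51.100.7"},
        "MX": {"10 mail.example-av.test."},
    },
}

# EPP status codes a production domain should carry at the registrar.
REQUIRED_LOCKS = {
    "clientTransferProhibited",
    "clientUpdateProhibited",
    "clientDeleteProhibited",
}

# Constructed WHOIS excerpt; note clientUpdateProhibited is absent.
WHOIS_SAMPLE = """\
Domain Name: EXAMPLE-AV.TEST
Registrar: Example Registrar, Inc.
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Name Server: NS1.ATTACKER.INVALID
"""


def diff_records(baseline: Zone, observed: Zone) -> List[Tuple[str, str, List[str], List[str]]]:
    """Return (domain, rtype, added, removed) for every record set that drifted."""
    findings = []
    for domain, expected in baseline.items():
        current = observed.get(domain, {})
        for rtype, want in expected.items():
            got = current.get(rtype, set())
            if got != want:
                findings.append((domain, rtype, sorted(got - want), sorted(want - got)))
    return findings


def parse_whois_status(text: str) -> Set[str]:
    """Extract the EPP status codes from 'Domain Status:' lines of WHOIS output."""
    statuses = set()
    for line in text.splitlines():
        if line.lower().startswith("domain status:"):
            value = line.split(":", 1)[1].strip()
            if value:
                statuses.add(value.split()[0])   # drop the trailing ICANN URL
    return statuses


def missing_locks(text: str, required: Set[str] = REQUIRED_LOCKS) -> List[str]:
    """Registrar locks that should be set but are not present in the WHOIS output."""
    return sorted(required - parse_whois_status(text))


def assess(baseline: Zone, observed: Zone, whois_text: str) -> List[str]:
    """Combine both checks into alert lines suitable for a monitoring pipeline."""
    alerts = []
    for domain, rtype, added, removed in diff_records(baseline, observed):
        alerts.append(f"{domain} {rtype} drift: added={added} removed={removed}")
    for lock in missing_locks(whois_text):
        alerts.append(f"registrar lock missing: {lock}")
    return alerts


if __name__ == "__main__":
    for line in assess(BASELINE, OBSERVED, WHOIS_SAMPLE):
        print("ALERT", line)
```

When running this against live data, query the NS delegation from the parent (TLD) name servers rather than only from a recursive resolver: a registrar-level hijack changes the delegation, so a zone that still looks correct on the organization's own authoritative servers can already be hijacked from the Internet's point of view.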

Legal

Stepped-Up Cyber Attack Arrests

Multiple arrests have highlighted law enforcement's efforts to track and prosecute cyber attackers. Multiple members of Anonymous were arrested for their participation in the earlier Operation Payback distributed denial of service (DDoS) attacks. The author of the Blackhole exploit kit was arrested in Russia, and additional arrests were made in connection with the recent takedown of the Silk Road marketplace.
Anonymous No More
Blackhole Exploit Kit Author Arrested in Russia
Blackhole Collapses
Silk Road Users Arrested In US, UK And Sweden

Analysis: International law enforcement activity has had a serious impact on cyber criminal activity with the Silk Road and Blackhole arrests. This is likely only the first round of follow-on Silk Road arrests; many more will follow as law enforcement works through the electronic evidence and questions the suspects. Indications are that the existing and widely used Blackhole exploit kit and its supporting sites have been disrupted, although many expect the kit to be picked up quickly by other criminals. The arrests continue to thin the Anonymous ranks, whose last several campaigns have not delivered as announced.

Trust

Affordable Care Act Growing Pains

With enrollment under the U.S. Affordable Care Act (ACA) now open, the healthcare.gov website has been overwhelmed by the volume of connections and has suffered reported technical difficulties, although registration continues. Many analysts have noted the complaints and confusion of users attempting to register at the website, and concerns about privacy and protection of the data continue. Criminals have, predictably, launched fake websites and spam campaigns that use ACA enrollment themes to lure users to malicious websites.
Obamacare Marketplace Personal Data
Healthcare Website Problems
Obamacare's Error-Plagued Websites

Analysis: The issues with the continuing enrollment have fueled opposition and complaints about everything from government and contractor IT capabilities to privacy concerns over who has access to the sensitive health information provided. Possibly more concerning is the expected volume of criminal and fraudulent activity, which has already tricked many users into providing sensitive data on malicious websites, some even paying by credit card for supposed information and enrollment assistance. Spam campaigns seized on interest in the enrollment, offering tips and information that lured users to malicious websites where they became infected with malware. This surge of malicious activity was expected; all users should be aware of it and go only to the authentic website at healthcare.gov. As with most businesses and organizations, a loss of trust in the organization can harm users more seriously than delays and technical problems.

Human

Focus on the Insider

Multiple reports have raised the issue of insider threats and their potential impact. Forrester released its State of Data Security and Privacy report, finding that insiders were the leading cause of breaches in the last year. A second report, the Vormetric 2013 Insider Threat Report, highlights the insider threat and the limited security controls used to monitor for and detect it.
Report Indicates Insider Threats
Major Gaps in Enterprise Insider Threat Detection
CIA Didn't Trust Snowden

Analysis: Many business and security organizations are taking a closer look at insiders following the reports about Edward Snowden and the U.S. National Security Agency (NSA), and they are finding that the insider threat remains prevalent and generally has a higher impact than many external attacks. Noteworthy is a report that the U.S. Central Intelligence Agency (CIA) had raised concerns about Snowden's trustworthiness before he moved to the NSA, but those concerns were either not known or not considered when he was hired there. The key point is that insider threats come in many varieties, including directly malicious and criminal activity; unintentional human error; and failures to properly vet and secure the access of employees, partners, and third-party providers. Detecting this variety of insider threats is complex and requires careful reviews and layered security controls.

Upcoming Security Activity

Seoul Conference on Cyber Space 2013: October 17-18, 2013
RSA Conference Europe 2013: October 29-31, 2013
Cloud Security Alliance Congress 2013: December 4-5, 2013

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following:

Eid al-Adha holiday: October 14, 2013
First of Muharram: November 4, 2013
U.S. election day: November 5, 2013
Ashura holiday: November 15, 2013
Hanukkah holiday: November 27, 2013-December 5, 2013
World Economic Forum: January 22-25, 2014
Winter Olympics: February 7-23, 2014

Additional Information

For information and commentary from the experts in Cisco Security Intelligence Operations, please visit the Cisco Security Blog.

For timely information from across Cisco Security Intelligence Operations, please consider following @CiscoSecurity on Twitter.

 
Alert History
 
Initial Release


Product Sets
 
The security vulnerability applies to the following combinations of products.

Primary Products:
IntelliShieldCyber Risk Report Original Release Base

Associated Products:
N/A



LEGAL DISCLAIMER
The urgency and severity ratings of this alert are not tailored to individual users; users may value alerts differently based upon their network configurations and circumstances. THE ALERT, AND INFORMATION CONTAINED THEREIN, ARE PROVIDED ON AN "AS IS" BASIS AND DO NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE ALERT, AND INFORMATION CONTAINED THEREIN, OR MATERIALS LINKED FROM THE ALERT, IS AT YOUR OWN RISK. INFORMATION IN THIS ALERT AND ANY RELATED COMMUNICATIONS IS BASED ON OUR KNOWLEDGE AT THE TIME OF PUBLICATION AND IS SUBJECT TO CHANGE WITHOUT NOTICE. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.