Cyber Risk Report: October 21-27, 2013

Threat Type: IntelliShield: Cyber Risk Report
IntelliShield ID: 31512
Version: 1
First Published: 2013 October 28 16:28 GMT
Last Published: 2013 October 28 16:28 GMT
Port: Not available
Urgency: Weakness Found
Credibility: Confirmed
Severity: Mild Damage
 
Version Summary: This is the Cyber Risk Report for October 21-27, 2013. The report details the significant events for this time period and covers multiple threat and risk management categories.
 

Description
 

Contents

Vulnerability
Physical
Attacks and Compromises
Trust
Geopolitical
Upcoming Security Activity
Additional Information

Listen to the Podcast (8:50 min)

We're wrapping up National Cyber Security Awareness Month (NCSAM) on the Cisco Security Blog with new posts on the latest topics.

Vulnerability

Vulnerability activity again increased this period, primarily because of the large updates from Apple for OS X, iOS, and iTunes. Details of the Java vulnerabilities in the Oracle CPU for October continue to be released.

Apple released multiple security updates for the iTunes media player, the Safari browser, iOS 7.0.3 for mobile devices, OS X Mavericks 10.9, OS X Server 3.0, and two versions of Apple Remote Desktop. The security updates correct over 100 vulnerabilities. The Apple Remote Desktop vulnerabilities deserve particular attention: the purpose of Apple Remote Desktop often requires that systems running the affected software be reachable from untrusted, external networks so that they can be administered remotely over the Internet, and because the vulnerability exists in the software's authentication mechanism, attackers can exploit it prior to authentication.

Details of the Java vulnerabilities reported in the Oracle CPU for October 2013 continue to be released and reported. As these details become more widely publicized and attackers evaluate the vulnerabilities, the risk that exploits will be added to botnets and exploit tools increases.

Similarly, additional details of the WordPress vulnerabilities reported in version 3.7 continue to be released. There were also multiple security advisories for WordPress plugins that could allow the compromise of the underlying systems. WordPress and other content management systems (CMS) continue to be targeted to compromise web systems for use in malicious activity.

Exploit code was reported for two Microsoft Silverlight vulnerabilities, reported in Microsoft Security Bulletins MS13-022 and MS13-087.

New exploit code was reported regarding a known vulnerability in the HP Intelligent Management Center.

Cisco released the following three Security Advisories:

Multiple antivirus vendors and researchers have reported on the new version of CryptoLocker, which was initially identified early in October and continues to increase its activity levels. The primary change in the new version is the time limit placed on the ransom key, requiring users to respond within a set period to recover their files. However, as with all ransomware, users are advised not to respond to the ransom demand, to update their antivirus software to remove the malicious code, and to recover their files from backups.

IntelliShield published 237 events last week: 131 new events and 106 updated events. Of the 237 events, 100 were Vulnerability Alerts, 24 were Security Activity Bulletins, 15 were Security Issue Alerts, 97 were Threat Outbreak Alerts, and one was a Cyber Risk Report. The alert publication totals are as follows:

Day        Date         New   Updated   Total
Friday     10/25/2013    13        14      27
Thursday   10/24/2013    37        39      76
Wednesday  10/23/2013    36        25      61
Tuesday    10/22/2013    18        16      34
Monday     10/21/2013    27        12      39


Significant Alerts for the Time Period

Apple Remote Desktop Username Format String Arbitrary Code Execution Vulnerability
IntelliShield Security Activity Bulletin 31443, Version 2, October 24, 2013
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2013-5135
Apple Remote Desktop contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code. Multiple factors contribute to an easily exploited vulnerability, possibly very attractive to a wide variety of attackers. Updates are available.

Previous Alerts That Still Represent Significant Risk

Oracle Critical Patch Update for October 2013
IntelliShield Security Activity Bulletin 31270, Version 6, October 24, 2013
Urgency/Credibility/Severity Rating: 2/5/4
Multiple CVEs
Oracle has released the October 2013 Critical Patch Update. The update contains 127 new security fixes that address multiple Oracle product families. The October CPU also includes the Java security updates, previously issued separately. Red Hat and Apple have released additional security updates for their products.

HP Data Protector Cell Request Service Buffer Overflow Vulnerability
IntelliShield Vulnerability Alert 31269, Version 1, October 15, 2013
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2013-2333
HP Data Protector contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code. Functional code that exploits this vulnerability is publicly available as part of the Metasploit framework. HP has confirmed the vulnerability in a security bulletin and released software updates.

vBulletin Administrator Injection Vulnerability
IntelliShield Security Activity Bulletin 31285, Version 2, October 17, 2013
Urgency/Credibility/Severity Rating: 3/4/4
CVE Not Available
A vulnerability in the vBulletin content management system could allow an unauthenticated, remote attacker to perform PHP injection attacks on a targeted system. Proof-of-concept code that demonstrates an exploit of this vulnerability is publicly available. Reports indicate that widespread attacks are ongoing, resulting in recent exploitation of more than 35,000 websites because of this vulnerability. The vendor has advised customers to delete /install and /core/install directories in versions 4.x and 5.x respectively.

Microsoft Internet Explorer CDisplayPointer Memory Corruption Vulnerability
IntelliShield Vulnerability Alert 31096, Version 2, October 15, 2013
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2013-3897
Microsoft Internet Explorer contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. Functional code that demonstrates an exploit of this vulnerability is publicly available. Microsoft has confirmed the vulnerability in a security bulletin and released software updates.

Microsoft Internet Explorer CAnchorElement Remote Code Execution Vulnerability
IntelliShield Vulnerability Alert 31049, Version 3, October 11, 2013
Urgency/Credibility/Severity Rating: 2/4/4
CVE-2013-3871
Microsoft Internet Explorer contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. Microsoft has not confirmed the vulnerability in a security bulletin, and software updates are not available. This vulnerability was previously announced as fixed as part of the Cumulative Security Update for Internet Explorer Security Bulletin MS13-080. However, Microsoft stated that the vulnerability was incorrectly included in the bulletin and that the available patches did not correct the vulnerability. Microsoft also stated that the vulnerability would be corrected in a future update.

Physical

Surge Protectors Fire Risk, Recall

Schneider Electric has released a recall announcement for APC 7 and 8 surge protectors made prior to 2003. The surge protectors have been involved in over 700 reports of fires, personal injuries, and property damage resulting from the surge protectors overheating. Schneider Electric IT Corp. has posted details of the recall and contact information at http://recall.apc.com.
Surge Protectors Recalled

Analysis: Although these surge protectors were produced prior to 2003, surge protectors seldom fail or get replaced, so these units could still be in many homes, offices, closets, and data centers, often in concealed locations. All users should be advised to check for these surge protectors and remove them immediately. The linked report includes a picture of the product to assist in identification.

Attacks and Compromises

OpSyria, OpSerbia, DDoS Attacks, and More

As reported in the Geopolitical section below, the Guy Fawkes anniversary is approaching with several planned events, including physical and cyber protests. November 5, 2013 is also the U.S. Election Day, which could be an inviting target for some of these protests. After several attack announcements that resulted in little or no impact, the Anonymous group and its affiliated groups are currently conducting multiple operations against the Government of Syria, attacks on the .ru domain reportedly in response to Greenpeace arrests in Russia, and others.
OpSyria Reports
Russia Targeted for Greenpeace Arrests

Analysis: While the Anonymous groups have had limited success over the past year following the arrests of several suspected members, the Guy Fawkes anniversary will likely motivate these groups to produce significant protests. While several other groups have recently stolen the spotlight with their DNS attacks and account compromises, Anonymous is likely to continue using phishing attacks, and potentially insiders, to compromise data from selected targets and to launch Distributed Denial of Service (DDoS) attacks using known attack tools and botnets. All organizations and users should exercise increased vigilance in the coming week, monitor their outgoing connections and flows, and be prepared for physical onsite protests.

Trust

Who is Collecting and Selling Your Information?

Experian was recently identified as having released personal data to an attacker posing as a private investigator for a third party. The investigation uncovered that the data was being shared with third parties that operated underground criminal information market websites. Similar attacks and compromises have targeted LexisNexis and other organizations with large data stores. Many have raised concerns about the increasing number of healthcare-related information compromises, the security of the new healthcare.org websites, and other government data stores at various agencies.
Experian Sold Consumer Data to ID Theft Service
A Wolf in Sheep's Clothing

Analysis: As these large data compromises continue, and the ability to track and market information keeps growing, we have reached a point where it is nearly impossible for an individual, or in some cases a business, to know who may hold their sensitive information. Just as current thinking on network security assumes that attackers have already penetrated your networks, you now have to assume that your sensitive data has been compromised and take protective measures to monitor for and defend against unauthorized use of that data. Many organizations offer multiple ways for an individual or organization to do this, including notifications of changes, alerts, and additional authorization requirements. Several commercial protection services will monitor your personal information and protect against its illegal use. There are also technical methods that individuals can use to identify who is tracking their Internet activity and capturing their data, and potentially using or selling it, such as the Mozilla Firefox browser plugins Ghostery, Collusion, and the new Lightbeam. This shift in thinking is reasonable, and it requires a change in tactics and tooling while continuing to maintain and automate the recommended preventive security measures such as antivirus protection, firewalls, and software updates. As NCSAM comes to a close, users should be advised to consider this change in thinking, and to consider protection and monitoring that detects or prevents the unauthorized use of their compromised sensitive data.

Geopolitical

Remember, Remember, the 5th of November

In the name of the Occupy Wall Street and Anonymous hacker movements, a "Million Mask March" is scheduled to take place in Washington, D.C., on November 5, 2013, also known (originally in Great Britain) as Guy Fawkes Day or Bonfire Night. Hundreds of sympathetic protest marches and actions are planned worldwide this year, according to a variety of reports, as a day of global civil disobedience.
Million Mask March
NBC Website Defaced with Guy Fawkes Day Message
#Nov5th 2013: Anonymous Pledges to Hack Government Websites Globally
#OpVendetta #Million Mask March #NOV5th 2013

Analysis: While some event planners are attempting to keep the focus of the protest on physical marches as opposed to online attacks, the amorphous nature of the Anonymous and Occupy Wall Street movements means that website attacks on a variety of politically-exposed organizations are likely. Social media and press reports point to familiar targets such as "all governments worldwide," energy companies and financial institutions. In 2012, Guy Fawkes Day-related network attacks were underwhelming—early reports of attacks on online payments company PayPal and defacements of NBC and performer Lady Gaga websites proved temporary. Information security specialists will want to be vigilant, however, as past experience may not be a reliable predictor of future performance.

Upcoming Security Activity

RSA Conference Europe 2013: October 29-31, 2013
Cloud Security Alliance Congress 2013: December 4-5, 2013

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following:

First of Muharram: November 4, 2013
US Election Day: November 5, 2013
Guy Fawkes Anniversary: November 5, 2013
Ashura Holiday: November 15, 2013
Hanukkah Holiday: November 27, 2013
Cloud Security Alliance Congress 2013: December 4-5, 2013
World Economic Forum: January 22–25, 2014
Winter Olympics: February 7–23, 2014

Additional Information

For information and commentary from the experts in Cisco Security Intelligence Operations, please visit the Cisco Security Blog.

For timely information from across Cisco Security Intelligence Operations, please consider following @CiscoSecurity on Twitter.
 
Alert History
 
Initial Release


Product Sets
 
The security vulnerability applies to the following combinations of products.

Primary Products:
IntelliShield Cyber Risk Report Original Release Base

Associated Products:
N/A



LEGAL DISCLAIMER
The urgency and severity ratings of this alert are not tailored to individual users; users may value alerts differently based upon their network configurations and circumstances. THE ALERT, AND INFORMATION CONTAINED THEREIN, ARE PROVIDED ON AN "AS IS" BASIS AND DO NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE ALERT, AND INFORMATION CONTAINED THEREIN, OR MATERIALS LINKED FROM THE ALERT, IS AT YOUR OWN RISK. INFORMATION IN THIS ALERT AND ANY RELATED COMMUNICATIONS IS BASED ON OUR KNOWLEDGE AT THE TIME OF PUBLICATION AND IS SUBJECT TO CHANGE WITHOUT NOTICE. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.