Cyber Risk Report: December 2-8, 2013

Threat Type: IntelliShield: Cyber Risk Report
IntelliShield ID: 32089
Version: 1
First Published: 2013 December 09 21:23 GMT
Last Published: 2013 December 09 21:23 GMT
Port: Not available
Urgency: Weakness Found
Credibility: Confirmed
Severity: Mild Damage

Version Summary: This is the Cyber Risk Report for December 2-8, 2013. The report details the significant events for this time period and covers multiple threat and risk management categories.

Description
 

Contents

Vulnerability
Legal
Trust
Identity
Geopolitical
Upcoming Security Activity
Additional Information

Listen to the Podcast (10:03 min)

Vulnerability

Vulnerability activity remained high and consistent with previous periods. Highlights for the period include the Microsoft December Security Bulletins Advance Notification, the Google Chrome December Update, multiple vulnerabilities in VMware products, and multiple vulnerabilities in Red Hat JBoss.

Microsoft posted the Advance Notification for the December Security Bulletins, announcing 11 Security Bulletins affecting Microsoft Windows, Office, Lync, Internet Explorer, Exchange, Server Software, and Development Tools. Microsoft rated five of the security bulletins critical and six important. The Internet Explorer and Exchange security bulletins, both rated critical, are expected to be the most important of the set. There are active exploits for vulnerabilities in Internet Explorer that currently have no updates available, specifically the Microsoft Windows NDProxy Local Code Execution Vulnerability reported in IntelliShield alert 31948. The December bulletins will be released on December 10, 2013.

The Linux worm attacking Internet of Everything devices continues to spread; additional details were reported in the Cisco Security Blog post "The Internet of Everything, Including Malware." Similar to this malware campaign, multiple sources reported that malware campaigns continue to exploit known PHP, Ruby on Rails, and WordPress vulnerabilities to compromise web servers.

Google Chrome released the December update addressing seven vulnerabilities. VMware released updates for multiple vulnerabilities that impact multiple VMware products that run on hosts with older versions of operating systems. Red Hat released updates for multiple vulnerabilities in JBoss.

Cisco published the following Security Notices at Cisco Security Advisories, Responses, and Notices:
  • Cisco ASA Management Connections Denial of Service
  • Cisco IOS Software IP Device Tracking Denial of Service Vulnerability
  • Cisco Prime Collaboration Assurance Cross-Site Scripting Vulnerability
  • Cisco IOS XE Software TFTP Denial of Service Vulnerability
  • Cisco ONS 15454 Controller Card Denial of Service Vulnerability
  • Cisco ONS 15454 Controller Card Denial of Service Vulnerability
  • Cisco ASA Malformed DNS Reply Denial of Service Vulnerability
  • Cisco Secure ACS Unprivileged Support Bundle Download Vulnerability

Spam and phishing activity also remains elevated and continues to focus on variations of previously reported spam messages that use the themes of shipping, product orders, and financial notifications and that contain malicious attachments or hyperlinks. During the busy holiday shopping season, users should be aware of these spam campaigns and use bookmarked websites to track the status of orders, shipments, and payments.

IntelliShield published 192 events last week: 118 new events and 74 updated events. Of the 192 events, 58 were Vulnerability Alerts, 29 were Security Activity Bulletins, four were Security Issue Alerts, 100 were Threat Outbreak Alerts, and one was a Cyber Risk Report. The alert publication totals are as follows:

Day        Date         New   Updated   Total
Friday     12/06/2013    20        29      49
Thursday   12/05/2013    27        13      40
Wednesday  12/04/2013    14         9      23
Tuesday    12/03/2013    23        16      39
Monday     12/02/2013    34         7      41

Significant Alerts for the Time Period

Microsoft Windows NDProxy Local Code Execution Vulnerability
IntelliShield Vulnerability Alert 31948, Version 2, December 5, 2013
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2013-5065
Microsoft Windows contains a vulnerability that could allow a local attacker to execute arbitrary code. Proof-of-concept code that exploits this vulnerability is publicly available. Microsoft has confirmed the vulnerability and released a security advisory.

Previous Alerts That Still Represent Significant Risk

PHP php5-cgi Binary Setup Remote Unsanitized Command-Line Parameter Processing Vulnerability
IntelliShield Vulnerability Alert 25816, Version 13, September 21, 2012
Urgency/Credibility/Severity Rating: 3/5/3
CVE-2012-1823
PHP versions prior to 5.3.12 contain a vulnerability that could allow an unauthenticated, remote attacker to disclose sensitive information, cause a denial of service (DoS) condition, or execute arbitrary code. Functional code that exploits this vulnerability is available as part of the Metasploit framework. PHP has confirmed this vulnerability and released updated software. This vulnerability is being exploited in the current Linux worm malware attacks.

Microsoft Internet Explorer CAnchorElement Remote Code Execution Vulnerability
IntelliShield Vulnerability Alert 31049, Version 4, November 18, 2013
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2013-3871
Microsoft Internet Explorer contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. This vulnerability was previously announced as fixed as part of the Cumulative Security Update for Internet Explorer Security Bulletin MS13-080. However, Microsoft stated that the vulnerability was incorrectly included in the bulletin and that the available patches did not correct the vulnerability. Microsoft has confirmed the vulnerability in security bulletin MS13-088 and released software updates.

Microsoft Internet Explorer Watering Hole Attack
IntelliShield Security Activity Bulletin 31696, Version 2, November 13, 2013
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2013-3918
Reports indicate that malicious websites are exploiting multiple vulnerabilities in Microsoft Internet Explorer versions 7, 8, 9, and 10. The vulnerabilities could allow an unauthenticated, remote attacker to execute arbitrary code on a vulnerable system. Microsoft has released a security bulletin and software updates to address the Microsoft Internet Explorer Watering Hole attack.

Multiple Microsoft Products Microsoft Graphics Component Remote Code Execution Vulnerability
IntelliShield Vulnerability Alert 31655, Version 2, November 8, 2013
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2013-3906
Multiple Microsoft products contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. This vulnerability has been exploited in the wild in targeted attacks and used in Operation HangOver attacks as documented in IntelliShield Alert 29383. This vulnerability has also been exploited by the Arx group, which has been identified by various reports for delivering the Citadel trojan as documented in IntelliShield Alert 28396. Microsoft has released a security advisory and Fix It solution.

Oracle Critical Patch Update for October 2013
IntelliShield Security Activity Bulletin 31270, Version 9, December 6, 2013
Urgency/Credibility/Severity Rating: 2/5/4
Multiple CVEs
Oracle has released the October 2013 Critical Patch Update. The update contains 127 new security fixes that address multiple Oracle product families. The October CPU also includes Java security updates, which were previously issued separately. Red Hat and Apple have released additional security updates for their products.

Legal

Law Enforcement Agencies Take Down 700 Websites

Customs officials and agencies in the U.S., Europe, and Hong Kong seized and shut down over 700 websites on Cyber Monday. The global, multi-agency operation was coordinated through the National Intellectual Property Rights Coordination Center (IPR Center) in an effort to remove counterfeit and copyright-infringing materials offered for sale on the offending websites. The websites are now the property of the participating government law enforcement agencies and contain only a posting that the website has been seized. Payment and ordering providers are participating in the investigation to seize the funds and property involved in the counterfeit cases.
700 Domains seized by ICE, Europol and Hong Kong Customs

Analysis: Shoppers and business system users have an additional threat to consider in their holiday shopping. While many of the holiday sales offer major discounts, online shoppers should take care to use only known and trusted websites to purchase these types of products. Particularly in this operation, many of the products were not expensive high-value items, but included a variety of less expensive items such as digital video recorders, clothing, and assorted other items that illegally used copyrighted trademarks. Online shoppers have no way to validate the authenticity of a trademarked item other than to purchase it from recognized websites.

Trust

Bitcoin Market Volatility Continues

The Bitcoin marketplaces, wallets, and forums continue to be highly volatile following the law enforcement takedown of Silk Road and the seizure of millions of dollars in Bitcoins. Following this large takedown, multiple new Bitcoin marketplaces have appeared in attempts to reestablish trading and purchases. One of these sites, known as Sheep Market, is now under scrutiny following the apparent theft of over $100 million in Bitcoins. It has not been determined whether the theft was an external operation or whether the owners of the site itself stole the Bitcoins. Another Bitcoin forum reported a DNS attack that may have compromised multiple accounts. A software company has settled a case, without admitting fault, over unwanted Bitcoin mining software that was bundled with downloads of its software. All of this is occurring as multiple government, business, and financial organizations are attempting to establish policies and practices for handling Bitcoin transactions for legitimate products.
Bitcoin Mining Bundled with Legitimate Applications
Sheep Market Scam
Bitcoins.org Passwords in Danger

Analysis: The Bitcoin market is a highly active and dangerous place these days. While many legitimate organizations and users have invested in, purchased, and handled Bitcoin virtual currency, the value of Bitcoins continues to fluctuate wildly. While initially used primarily by criminals on the Internet, Bitcoins have gained legitimacy, and governments and financial organizations either now handle these transactions or are establishing policy to do so. China released an announcement forbidding all Chinese banks and financial institutions from handling Bitcoin transactions, but many others continue to process the payments. This market is highly volatile and requires investors, businesses, and financial organizations to use extreme caution when interacting with these websites, forums, and transactions.

Identity

Pony Botnet Compromised Accounts

Multiple sources reported the discovery of a Pony botnet command and control server that contained over two million compromised Facebook, Google, Yahoo, ADP, and other accounts. This is only the latest discovery of a large cache of compromised accounts and passwords to be reported. As expected, analysis of the compromised passwords indicated that a large percentage of them were poorly constructed.
Botnet Controller Holds 2 Million Passwords
Hacker Database Exposed Millions of Passwords

Analysis: Breaches and compromises have now become so common, despite regulatory and notification requirements, that users must take a more active role in protecting their privacy and identity information. Several websites now offer technology improvements, such as two-factor authentication and secure connections, but users still need to go further. It is highly recommended that users install password management software, which is widely available (some at no cost) for their multiple systems and devices. These password management systems can initially be difficult to set up, but most users will quickly learn to use them; they generate complex passwords that can be managed with the user remembering only one complex master password. They also make it much easier for users to change their passwords regularly and to avoid reusing the same password across multiple accounts. A quick search for "password management software" will return several options, but users should be cautioned to download the software only from known websites. Users may also consider account and identity monitoring services to assist them in managing and protecting their information. The bottom line is that there are several technologies, commercial offerings, and no-cost services that users can adopt, but users need to understand that they must take an active role in protecting their information.

Geopolitical

What Protests in Thailand and Ukraine Have in Common

Over the past several weeks, large-scale public protests over government policies have taken place in Thailand and Ukraine. In Thailand, hundreds of thousands of protestors flooded the streets of Bangkok to protest an amnesty bill introduced by Prime Minister Yingluck Shinawatra. Many objected because the bill effectively would have cleared Shinawatra’s brother, exiled former Prime Minister Thaksin Shinawatra, of corruption charges, paving the way for his return to Thailand. In Kiev, President Yanukovych’s last-minute rejection (under pressure from Russia) of the Eastern Partnership, a trade pact with the European Union, sent hundreds of thousands into the streets. It also sent them online—with Twitter and Facebook usage surging in the past two weeks, according to BBC.
How Social Media is Changing Governing and Governance Around the World
How Social Media is Shaping Ukraine’s Protest Movement
How Protests are Impacting Thailand’s “no-shirts”

Analysis: These protests—taking place under very different circumstances in very different parts of the world—speak to the dramatic impact of information communications technology and globalization faced by these emerging market countries. They are indicative of a new species of popular movement fueled by mobile social media and grass-roots awareness of economic inequalities. Like many recent large-scale popular movements, moreover, they demonstrate a growing ability of small groups to gain support quickly by harnessing the Internet. Internet-connected young people in Kiev are watching their counterparts in Rio de Janeiro, who are watching their counterparts in Bangkok, Istanbul, and so on. The fact that most of these recent protest movements fizzled may be due to their viral, social, and youthful nature. It suggests that in a pre-Internet world, they might have gone mostly unnoticed and probably would not have attracted as many participants. That said, the protests in Thailand and Kiev both gained momentum over the weekend, and it remains to be seen if they can capture a national following by harnessing a clear message. Youth around the world are having formative experiences using the power of popular protest. They are learning lessons about protest logistics powered by mobile phones and laptops, and may be able to take their causes to a national scale faster and more effectively in the future.

Upcoming Security Activity

SHMOOCON 2014: January 17–19, 2014
Cisco Live Milan: January 27–31, 2014
RSA Conference USA 2014: February 24–28, 2014
Cisco Live Melbourne: March 18–21, 2014
Cisco Live 2014: May 18–22, 2014

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following:

U.S. Affordable Care Act: January 1, 2014
World Economic Forum: January 22–25, 2014
Winter Olympics-Sochi: February 7–23, 2014
ITU 6th World Telecom Development Conference: March 31–April 11, 2014

Additional Information

For information and commentary from the experts in Cisco Security Intelligence Operations, please visit the Cisco Security Blog.

For timely information from across Cisco Security Intelligence Operations, please consider following @CiscoSecurity on Twitter.
Alert History

Initial Release

Product Sets

The security vulnerability applies to the following combinations of products.

Primary Products:
IntelliShield Cyber Risk Report Original Release Base

Associated Products:
N/A

LEGAL DISCLAIMER
The urgency and severity ratings of this alert are not tailored to individual users; users may value alerts differently based upon their network configurations and circumstances. THE ALERT, AND INFORMATION CONTAINED THEREIN, ARE PROVIDED ON AN "AS IS" BASIS AND DO NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE ALERT, AND INFORMATION CONTAINED THEREIN, OR MATERIALS LINKED FROM THE ALERT, IS AT YOUR OWN RISK. INFORMATION IN THIS ALERT AND ANY RELATED COMMUNICATIONS IS BASED ON OUR KNOWLEDGE AT THE TIME OF PUBLICATION AND IS SUBJECT TO CHANGE WITHOUT NOTICE. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.