Cyber Risk Report: January 13-19, 2014

 
Threat Type: IntelliShield: Cyber Risk Report
IntelliShield ID: 32503
Version: 1
First Published: 2014 January 21 22:05 GMT
Last Published: 2014 January 21 22:05 GMT
Port: Not available
Urgency: Weakness Found
Credibility: Confirmed
Severity: Mild Damage
 
 
Version Summary: This is the Cyber Risk Report for January 13–19, 2014. The report details the significant events for this period and covers multiple threat and risk management categories.
 

Description
 

Contents

Vulnerability
Attacks and Compromises
Physical
Human
Geopolitical
Internet of Everything
Upcoming Security Activity
Additional Information

Listen to the Podcast (11:46 min)

The Cisco 2014 Annual Security Report has been released following months of collaboration between threat researchers and other cybersecurity experts at Cisco and Sourcefire. As promised, it provides a "warts-and-all analysis" of security news from 2013 and our perspective for the year ahead based on the data collected through Cisco security products and analyzed by our researchers. Cisco Senior Vice President, Chief Security Officer John Stewart has posted a blog with highlights and insights on the Cisco 2014 Annual Security Report.

Cisco Live Milan is scheduled for January 27–31. Multiple online resources will be available for guests who are unable to attend in person.

Vulnerability

Vulnerability activity remained at consistent levels. Highlights for the period include the small but significant Microsoft Security Bulletin release, security updates from Adobe, and the Oracle Critical Patch Update with security updates for multiple Oracle products and Java.

Full details of the Microsoft Security Bulletins are available in the Cisco Event Response: Microsoft Security Bulletin Release for January 2014 and the Cisco Sourcefire blog post. The most significant Microsoft security bulletin is the update for the Microsoft Windows NDProxy Local Code Execution Vulnerability reported in MS14-002. Exploit code is publicly available, and reports indicate that the vulnerability is being actively exploited in the wild in conjunction with an exploit for an already-patched Adobe Reader vulnerability. Microsoft also announced that it will extend antivirus protection for Windows XP systems beyond the announced end of support on April 8, 2014. Microsoft was also the latest victim of the Syrian Electronic Army (SEA) account compromises. A Turkish hacker known as Turkguvenligi compromised and defaced multiple SEA websites, highlighting the continued tensions around the Syrian conflict.

Oracle released the Oracle Critical Patch Update Advisory for January 2014. The update contains 144 new security fixes that address multiple Oracle product families. The Oracle CPU also included a Java security update correcting multiple vulnerabilities. As highlighted in the Cisco 2014 Annual Security Report, Java continues to be actively exploited by multiple attack toolkits and direct attacks. Users and administrators should update their Java version to prevent a large number of these exploits.

Adobe released security advisories for Flash Player, AIR, and Reader addressing multiple vulnerabilities. The Flash Player updates require users to update the plug-ins in all popular browsers. Adobe has also reported ongoing phishing activity involving malicious email messages that claim to deliver license keys for a variety of Adobe products. These email messages attempt to persuade users to follow malicious URLs or download malicious file attachments.

Cisco published the following Cisco Security Advisories, Cisco Security Notices, and Cisco Event Responses:
  • Undocumented Test Interface in Cisco Small Business Devices
  • Multiple Vulnerabilities in Cisco Secure Access Control System
  • Cisco Network Time Protocol Distributed Reflective Denial of Service Vulnerability
  • Cisco WebEx Meetings Server Enterprise License Manager Administrative Password Disclosure Vulnerability
  • Cisco Secure ACS RMI Arbitrary File Read Vulnerability
  • Cisco Jabber for Windows Remote Code Execution Vulnerability
  • Cisco ISE Unprivileged Support Bundle Download Vulnerability

ICS/SCADA vulnerability activity continues to be elevated, with reports of an Ecava IntegraXor DLL Loading Buffer Overflow Vulnerability and security advisories and software updates for Schneider Electric ClearSCADA and multiple WellinTech products. In related activity, SANS ICS also released a new ICS Breach Response Guide to assist operators with handling security incidents.

Multiple sources are reporting increased threat activity related to PHP global variable overwrite attacks, which allow attackers to modify an application's global variables and can be used to exploit latent vulnerabilities in PHP application code. The Cisco Remote Management Services (RMS) team has reported a spike in signature 7212 traffic, which may indicate that attackers are actively attempting to conduct PHP global variable overwrite attacks. Administrators are advised to implement an intrusion prevention system (IPS) or intrusion detection system (IDS) to help detect and prevent attacks that attempt to exploit this weakness.
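As an added illustration of the detection the report recommends (example code written for this page, not Cisco's IPS logic and not a description of what signature 7212 matches), the following Python heuristic scans constructed web-server access-log lines for query parameters that attempt to assign PHP superglobal containers such as GLOBALS or _SERVER, the hallmark of a global variable overwrite attempt. The log format, the superglobal list and the sample lines are assumptions made for the example.

```python
"""Heuristic detector for PHP global-variable-overwrite attempts in access logs.

Added example, not from the Cisco report and not the logic of IPS signature
7212. It flags requests whose query string tries to assign a PHP superglobal
container (GLOBALS, _SERVER, ...), which no legitimate client request does.
"""
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# PHP superglobals whose assignment from request parameters indicates tampering.
SUPERGLOBALS = {"GLOBALS", "_SERVER", "_GET", "_POST", "_COOKIE", "_FILES",
                "_ENV", "_REQUEST", "_SESSION"}

# Common Log Format (assumed): client ident user [time] "METHOD path HTTP/x" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')

def suspicious_params(url):
    """Return decoded query parameter names that target a PHP superglobal.

    parse_qsl strips one layer of percent-encoding; the extra unquote() catches
    double-encoded brackets (%255B), a common evasion against naive signatures.
    """
    hits = []
    for name, _value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        decoded = unquote(name)
        # Drop the array index ("GLOBALS[admin]" -> "GLOBALS") before matching.
        if decoded.split("[", 1)[0].strip() in SUPERGLOBALS:
            hits.append(decoded)
    return hits

def scan_log(lines):
    """Return (client_ip, url, params) for each request that trips the heuristic."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        client, _method, url, _status = m.groups()
        params = suspicious_params(url)
        if params:
            findings.append((client, url, params))
    return findings

# Constructed sample log lines (not real traffic); addresses are documentation ranges.
SAMPLE_LOG = [
    '192.0.2.10 - - [15/Jan/2014:10:01:02 +0000] "GET /index.php?page=home HTTP/1.1" 200 512',
    '198.51.100.7 - - [15/Jan/2014:10:01:05 +0000] "GET /index.php?GLOBALS[admin]=1 HTTP/1.1" 200 512',
    '198.51.100.7 - - [15/Jan/2014:10:01:09 +0000] "GET /login.php?_SERVER%5BREMOTE_ADDR%5D=127.0.0.1 HTTP/1.1" 302 0',
    '203.0.113.4 - - [15/Jan/2014:10:02:00 +0000] "POST /cart.php?id=42&GLOBALS%255Bdebug%255D=on HTTP/1.1" 200 99',
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for client, url, params in scan_log(SAMPLE_LOG):
        print(f"{client} {url} -> {params}")
```

Run against real logs, a match is a trigger for review rather than proof of compromise; correlate the source address and the targeted script with the application's own error and authentication logs.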

IntelliShield published 133 events last week: 86 new events and 47 updated events. Of the 133 events, there were 78 Threat Outbreak Alerts, 40 Vulnerability Alerts, 11 Security Activity Bulletins, 2 Security Issue Alerts, 1 Applied Mitigation Bulletin, and 1 Cyber Risk Report. The alert publication totals are as follows:

Day        Date        New  Updated  Total
Friday     01/17/2014   11       11     22
Thursday   01/16/2014   19        5     24
Wednesday  01/15/2014   27       16     43
Tuesday    01/14/2014   25        6     31
Monday     01/13/2014    4        9     13

Significant Alerts for the Time Period


Microsoft Windows NDProxy Local Code Execution Vulnerability
IntelliShield Vulnerability Alert 31948, Version 3, January 14, 2014
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2013-5065
Microsoft Windows contains a vulnerability that could allow a local attacker to execute arbitrary code. Proof-of-concept code that exploits this vulnerability is publicly available. Reports indicate that the vulnerability is being actively exploited in the wild. Microsoft has confirmed the vulnerability and released software updates.

Previous Alerts That Still Represent Significant Risk

HP LoadRunner lrFileIOService ActiveX Control WriteFileString Function Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 32324, Version 1, January 6, 2014
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2013-4798
HP LoadRunner contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code. Functional code that exploits this vulnerability is available as part of the Metasploit framework. HP has confirmed this vulnerability and software updates are available.

Samba DCE-RPC Packet Processing Buffer Overflow Vulnerability
IntelliShield Vulnerability Alert 32103, Version 1, December 10, 2013
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2013-4408
Samba contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code with root privileges or cause a denial of service condition. Updates are available.

Attacks and Compromises

Target Point-of-Sale Malware Identified

As the investigation into the Target compromise continues, researchers and investigators have released information on specific malware that appears to have been involved in the compromise. The malware is similar to previously reported point-of-sale (POS) malware that captures card data and transmits it to the criminals' external systems. Sources also report the Target compromise may have been a part of a larger criminal operation that compromised multiple retailers throughout the holiday period.
Target Intrusion Malware
A Closer Look at the Target Malware
Fraud Patterns Suggest New Breaches

Analysis: The investigation, and the fraud activity now being reported, suggest that multiple businesses in addition to Target and Neiman Marcus have also been compromised. This highlights a few security capabilities that might have aided in the detection and prevention of this and similar events. The first is increased monitoring and incident response, on which all organizations need to focus more effort in 2014. It should be assumed that your organization will be attacked and compromised, making detection and response key to limiting and controlling the incidents. The second is sharing information across industries. Ideally, the indicators of the compromise would have been detected and shared, alerting other retailers and businesses to the activity. In turn, they could have checked their systems, and the scale and breadth of the attack would have been known earlier, allowing for a response. Focusing on these capabilities, and on where the industry needs to improve, is worth noting and putting on our agendas for the coming year.

Physical


Security Gearing Up for Sochi Olympics


The Sochi Olympics, scheduled for February 7–23, are quickly approaching. The Olympic security efforts have been deployed, and layered security perimeters have been established around the Olympic sites. Reports suggest the Sochi games will have some of the highest physical and cyber security measures of any Olympics, particularly because of the known threats and the groups that have announced their intentions to disrupt the games. Multiple security incidents have already occurred in the extended Sochi area, and private security organizations are being added to the Russian security forces.
Russia Launches Sochi Security Clampdown
Russia Turns Olympic Town into "Impenetrable Fortress"
Hacking Group Threat to Winter Games
Caucasus Terrorist Threaten Cyber War Over Sochi Olympics

Analysis: The Sochi Olympic games have one of the highest security profiles and threat levels of any recent games. While the security presence will likely be downplayed throughout the games, observant viewers can look in the background of the televised events for signs of the security activity. Given the clear threats to the games, there are likely to be incidents that will deserve careful review. Unfortunately, the security activity and incidents could overshadow the athletes and competition at these games, but they will provide security professionals with insights and lessons learned to consider for their own future deployments.

Human

Day of Protest in Memory of Aaron Swartz

Multiple activist and hacktivist organizations are planning a "Day of Protest" in memory of Aaron Swartz on February 11, 2014, marking the one-year anniversary of Swartz's suicide. The online protests are focused on Internet surveillance and what the groups are calling mass spying. Several organizations have joined the effort, including Reddit, the Electronic Frontier Foundation, Free Press and Mozilla, as well as hacktivist groups and Anonymous affiliates.
Reddit, Mozilla, EFF to Hold Day of Protest, Activism in Memory of Aaron Swartz
The Day We Fight Back Website
MIT Website Hacked by Anonymous on Anniversary of Aaron Swartz Suicide

Analysis: The actual anniversary of Swartz's suicide was January 11, 2014, but the online protest movement is planned for February 11. While the majority of these groups are calling for peaceful protest activities, the hacktivist groups joining the protest have already attacked at least one website. Organizations should monitor this event for indicators of attacks against their networks, indications that their network is being used to perform or participate in the protests and attacks, or compromised systems.

Geopolitical

The Evolution of Protest Movements

A new breed of protest known as rolezinho ("little walk") is of mounting concern to Brasilia, according to the Financial Times and New York Times. These initially low-key protests against racism and social inequality spread rapidly through social media (Brazil is home to Facebook's second-largest community after the United States). Often congregating as flash mobs in shopping areas, they are reminiscent of the "strolling protests" that took place in Beijing, coinciding with the outbreak of the popular Arab uprisings of 2011. According to local authorities, this new spate of protests in Brazil frequently morphs into criminal activity and violence. Meanwhile, protests in Ukraine are picking up again, following the announcement of a new set of rules cracking down on exactly that: public protests.
Flashmob Protests Sweep Across Brazil
In Ukraine Protests Over New Laws
Social Media has Changed the World, Look at Ukraine
Whose Mall Is It?
China Floods Beijing with Security Before Planned Protest
Secret State of North Korea

Analysis: It is no longer noteworthy to observe that social media played a role in the organization of these protests. In 2014, that is a fairly safe assumption. Instead, enough data representing a broad sampling of different countries over several years now exists to allow us to analyze how social media impacts popular protests, and what the implications may be for information security professionals and multinationals. For example, social media makes grassroots organization easier, less accountable, and less focused on a pre-planned outcome or set of demands. It may be a raw expression of popular anger or frustration, making it, on the face of things, less likely to pose an existential threat to governments or local authorities, and more likely to fizzle. On the other hand, because of the viral nature of social media, calls to action can go national or even international within hours. Such movements are difficult, if not impossible, for authorities to control without unplugging the Internet entirely (Egypt's Mubarak did this, and it only served to inflame anger further).

This brings to mind the situation in North Korea, where a recent documentary aired by Frontline confirms that even in the most isolated state on earth, laptops and thumb drives are being smuggled in, giving North Koreans incentive to resist and question their repressive regime. Information security specialists will continue to face the challenges of viral information and misinformation—and over the short term may want to keep an eye on Internet-fed popular movements growing in Brazil and Ukraine.

Internet of Everything

Internet Of Everything Highlights at CES

At the recent Consumer Electronics Show (CES), Cisco Chairman and CEO John Chambers and several other technology leaders discussed the Internet of Everything and the changes that this next evolution of the Internet will mean to technology companies, customers, and consumers. John Chambers' keynote presentation highlighted several of the current Internet of Everything technologies and activities across multiple sectors, and discussed the impact with his guest presenters. The keynote shows how the Internet of Everything is real, the financial impact of the technologies, and the potential moving forward.
International CES - Keynotes
Cisco Keynote Highlights from CES 2014
Cisco Internet of Everything
Internet of Everything, $19 Trillion Opportunity, Is Next Big Thing

Analysis: While much of the Internet of Everything is yet to come, the keynotes provided strong insight into its existing state, current uses and deployments, and details of how those deployments are developing across multiple sectors. Those not directly involved in these operations will likely be surprised by how many of these technologies are already in operation. From a security perspective, the Internet of Everything will alter how security is planned and applied, and the services required to maintain the security of the "Everything" as it traverses the network.

Upcoming Security Activity


Cisco Live Milan: January 27–31, 2014
Network and Distributed System Security (NDSS) Symposium: February 23–26, 2014
RSA Conference USA 2014: February 24–28, 2014
CanSecWest: March 12–14, 2014
Cisco Live Melbourne: March 18–21, 2014
Cisco Partner Summit: March 24, 2014
Interop: March 31, 2014–April 4, 2014
Infosec World: April 5–11, 2014
Cisco Live US 2014: May 18–22, 2014
Black Hat USA: August 2–7, 2014

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following:

World Economic Forum: January 22–25, 2014
Winter Olympics in Sochi: February 7–23, 2014
ITU 6th World Telecom Development Conference: March 31–April 11, 2014

Additional Information


For information and commentary from the experts in Cisco Security, please visit the Cisco Security Blog.

For timely information from across Cisco Security, please consider following @CiscoSecurity on Twitter.

 
Alert History
 
Initial Release


Product Sets
 
The security vulnerability applies to the following combinations of products.

Primary Products:
IntelliShield Cyber Risk Report, Original Release, Base

Associated Products:
N/A



LEGAL DISCLAIMER
The urgency and severity ratings of this alert are not tailored to individual users; users may value alerts differently based upon their network configurations and circumstances. THE ALERT, AND INFORMATION CONTAINED THEREIN, ARE PROVIDED ON AN "AS IS" BASIS AND DO NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE ALERT, AND INFORMATION CONTAINED THEREIN, OR MATERIALS LINKED FROM THE ALERT, IS AT YOUR OWN RISK. INFORMATION IN THIS ALERT AND ANY RELATED COMMUNICATIONS IS BASED ON OUR KNOWLEDGE AT THE TIME OF PUBLICATION AND IS SUBJECT TO CHANGE WITHOUT NOTICE. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.