Cisco Security

Threat Type: Cyber Risk Report
IntelliShield ID: 28622
First Published: 2013 March 18 17:29 GMT
Last Published: 2013 March 18 17:29 GMT
Port: Not available
Urgency: Weakness Found
Severity: Mild Damage
Version Summary: This is the Cyber Risk Report for March 11-17, 2013. The report details the significant events for this time period and covers multiple threat and risk management categories.





Vulnerability activity for the period was significantly increased due to multiple updates from major vendors. Microsoft, Adobe, Red Hat, Apple, and MontaVista released multiple security advisories and software updates.

Microsoft published the monthly security bulletin release on March 12, 2013. Microsoft released seven bulletins that addressed 20 vulnerabilities. The bulletins addressed vulnerabilities in Microsoft Windows, Microsoft Internet Explorer, Microsoft Office, and Microsoft Silverlight. The vulnerabilities allow an attacker to execute arbitrary code, access sensitive information, cause a denial of service condition, or gain elevated privileges. Full details of the vulnerabilities, Cisco IPS signatures, and recommended mitigations are available at the Cisco Event Response: Microsoft Security Bulletin Release for March 2013.

Adobe released Adobe Flash Player and AIR Security Updates on March 12, 2013, correcting 4 vulnerabilities, in addition to the ColdFusion Security Advisory for January 2013, which corrected 4 vulnerabilities.

Apple released the Mac OS X Security Update for March 2013. The OS X Mountain Lion update corrects 21 vulnerabilities and includes a security update that disallows the CA certificates mistakenly issued by TURKTRUST, as well as a malware removal tool update. Also included in the Mac Security Update for March 2013 are updates for Mac OS X 10.6.8, Mac OS X 10.6.8 Server, Mac OS X 10.7, Mac OS X 10.7.5 Server, and the Mac OS X 10.8.3 Combo Update.

Cisco released updates for the following Security Notices, available at the Cisco Security Advisories, Responses, and Notices website:

  • Cisco Wireless LAN Controllers Wireless Intrusion Prevention System (wIPS) Denial of Service Vulnerability
  • Cisco Prime Infrastructure CSRF Vulnerability
  • Cisco Aironet Access Point Denial of Service Vulnerability
  • Cisco Prime Central for Hosted Collaboration Solution Assurance Excessive CPU Utilization Issue

Lancope StealthWatch released additional technical indicators research on the APT1 attacks. The StealthWatch blog post includes details on APT1 domain names, MD5 signatures, IP addresses, and geolocation information.

Anonymous and affiliated groups announced plans for attacks against Israeli targets on April 7, 2013 as #OpIsrael. The Al Qaida Electronic Army (AQEA) and the Tunisian Cyber Army (TCA) released announcements and conducted what were reported as preliminary attacks for #OpBlackSummer. These groups announced they will attack the US in an electronic jihad from May 31–September 11, 2013, targeting government and critical infrastructure systems.

IntelliShield published 199 events last week: 92 new events and 107 updated events. Of the 199 events, 93 were Vulnerability Alerts, 31 were Security Activity Bulletins, nine were Security Issue Alerts, 61 were Threat Outbreak Alerts, and three were Applied Mitigation Bulletins. The alert publication totals are as follows:

Day Date
Friday 03/15/2013
Thursday 03/14/2013
Wednesday 03/13/2013
Tuesday 03/12/2013
Monday 03/11/2013

Significant Alerts for March 11-17, 2013

Oracle Java SE Security Bypass Arbitrary Code Execution Vulnerabilities
IntelliShield Vulnerability Alert 28462, Version 5, March 12, 2013
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2013-0809, CVE-2013-1493
Oracle Java SE contains vulnerabilities that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. Reports indicate that CVE-2013-1493 is being actively exploited by the McRat trojan malicious code. Oracle, Apple, IBM and Red Hat have confirmed these vulnerabilities and released patches.

Adobe Flash Player and AIR Security Updates for March 12, 2013
IntelliShield Vulnerability Alert 28565, Version 2, March 13, 2013
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2013-0646, CVE-2013-0650, CVE-2013-1371, CVE-2013-1375
Adobe Flash Player and AIR contain multiple vulnerabilities that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. Updates are available.

Adobe ColdFusion Security Advisory January 2013
IntelliShield Vulnerability Alert 27769, Version 2, March 15, 2013
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2013-0629, CVE-2013-0631, CVE-2013-0625, CVE-2013-0632
Adobe ColdFusion for Windows, Macintosh and UNIX contains multiple vulnerabilities that could allow an unauthenticated, remote attacker to bypass security restrictions to gain unauthorized access or access to sensitive information. Adobe has released an additional security bulletin and software updates to address multiple vulnerabilities. Reports indicate that these vulnerabilities are being exploited in the wild. The vulnerabilities, CVE-2013-0625 and CVE-2013-0629, affect users who do not have password protection enabled or have no password set on their system.

Previous Alerts That Still Represent Significant Risk

Oracle Java SE Critical Patch Update Advisory for February 2013
IntelliShield Activity Bulletin 28080, Version 8, March 12, 2013
Urgency/Credibility/Severity Rating: 2/5/4
Oracle Java SE contains multiple vulnerabilities that could allow an unauthenticated, remote attacker to bypass security restrictions, access sensitive information, execute arbitrary code, or cause a denial of service (DoS) condition on a targeted system. The patch update corrects 50 vulnerabilities in multiple components such as Java Runtime Environment (JRE), Java Development Kit (JDK), Software Development Kit (SDK), or JavaFX. Oracle has released additional security advisories and updated packages to address the vulnerabilities in Oracle Java SE critical patch update advisory for February 2013. Apple and Red Hat have also released updated packages to address this vulnerability. Red Hat has released an additional security advisory and updated packages.

Multiple Java Security Explorations
IntelliShield Activity Bulletin 28404, Version 1, March 1, 2013
Urgency/Credibility/Severity Rating: 2/5/4
Security researchers have released details on multiple new instances of certain types of vulnerabilities in Oracle Java. The vulnerabilities result from flaws similar to recent vulnerabilities that take advantage of various Java Virtual Machine (VM) components such as class loaders, byte code verifiers, security managers, the JVM Runtime execution engine and classes definition, or the garbage collector. Proof-of-concept code that could aid attackers in building functional exploits is publicly available. Although Oracle has addressed many of these vulnerabilities in multiple Java SE critical patch advisories, reports have indicated that a few of these vulnerabilities remain unpatched.

Adobe Flash Player Security Updates February 2013
IntelliShield Activity Bulletin 28400, Version 2, February 28, 2013
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2013-0504, CVE-2013-0643, CVE-2013-0648
Adobe Flash Player contains multiple vulnerabilities that could allow an unauthenticated, remote attacker to execute arbitrary code or cause a denial of service (DoS) condition on a targeted system. Adobe, Microsoft, and Red Hat have released updated software.

Adobe Reader and Acrobat Security Update for February 2013
IntelliShield Activity Bulletin 28227, Version 4, February 22, 2013
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2013-0640, CVE-2013-0641
Adobe Product Security Incident Response Team investigated reports of active exploitation of a vulnerability in Adobe Reader and Acrobat XI (11.0.1) and earlier versions. Adobe has released a security advisory and updated software to address multiple vulnerabilities in Adobe Reader and Acrobat.

Novell GroupWise Client for Windows ActiveX Control Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 28046, Version 3, February 18, 2013
Urgency/Credibility/Severity Rating: 3/5/4
Novell GroupWise Client for Windows contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code. Functional code that exploits this vulnerability is available as part of the Metasploit framework. Novell has confirmed the vulnerability and software updates are available.

Microsoft Internet Explorer SLayoutRun Use-After-Free Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 28065, Version 2, February 14, 2013
Urgency/Credibility/Severity Rating: 3/5/4
Microsoft Internet Explorer contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system with the privileges of the user. Functional code that exploits this vulnerability is publicly available. Microsoft has confirmed the vulnerability in security bulletin MS13-009 and released software updates.

Ruby on Rails Action Pack Parameter Processing Remote Code Execution Vulnerability
IntelliShield Vulnerability Alert 27831, Version 4, February 5, 2013
Urgency/Credibility/Severity Rating: 3/5/4
Ruby on Rails contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. Updates are available. Functional code that exploits this vulnerability is publicly available as part of the Metasploit Framework.

Multiple Universal Plug and Play Devices Simple Service Discovery Protocol Processing Vulnerabilities
IntelliShield Activity Bulletin 28002, Version 4, January 31, 2013
Urgency/Credibility/Severity Rating: 3/5/4
Multiple Universal Plug and Play devices contain vulnerabilities that could allow an unauthenticated, remote attacker to access sensitive information, execute arbitrary code, or cause a denial of service (DoS) condition on a targeted system. Proof-of-concept code that exploits these vulnerabilities is publicly available. The Cisco Applied Intelligence team has created the following companion document to guide administrators in identifying and mitigating attempts to exploit this vulnerability prior to applying updated software: cisco-sa-20130129-upnp

Red October Cyber Espionage Campaign Identified
IntelliShield Activity Bulletin 27890, Version 2, January 17, 2013
Urgency/Credibility/Severity Rating: 3/5/4
Reports indicate that a large-scale cyber espionage campaign has been identified and named Red October (Rocra). Red October is a cyber espionage campaign that attempts to steal data from infected systems, install additional software, and allow remote access to an attacker.

Financial Institution Websites Targeted by Distributed Denial of Service Attacks
IntelliShield Security Activity Bulletin 27076, Version 3, December 13, 2012
Urgency/Credibility/Severity Rating: 3/5/3
Websites owned by banks and other financial institutions continue to be targeted by distributed denial of service attacks, decreasing availability of those sites to legitimate customers. DDoS attacks may still be ongoing. Site administrators are advised to take steps to protect their Internet-facing web services. Cisco has released a guide to protecting environments against DDoS attacks at the following link: Strategies to Protect Against Distributed Denial of Service (DDoS) Attacks. Cisco has released an Applied Mitigation Bulletin available at the following link: Identifying and Mitigating the Distributed Denial of Service Attacks Targeting Financial Institutions


Celebrity Attacks Gain Media Attention

The personal information of several celebrities including Michelle Obama, Joe Biden, Hillary Rodham Clinton, FBI Director Robert Mueller, Beyonce, Mel Gibson, Paris Hilton, and Los Angeles Police Chief Charlie Beck was posted on a website with a Russian address. While much of the information may have come from public websites, or was at least publicly available, other personal information such as social security numbers and credit histories do appear to have come from compromised sources. Equifax has confirmed that some of the individuals' credit files had been compromised. The U.S. Secret Service and FBI are investigating the posting.
Website Posts Personal Data on Biden, Beyonce, Others
Equifax Confirms Hackers Stole Financial Data

Analysis: As millions could personally attest, the widespread media coverage of these compromises serves as a reminder of the current identity threats. Criminals are proficient at mining data from web sources that are likely to include information that many would assume is not available. Similarly, as likely with websites like, criminals may be able to collect sufficient public information to answer the security questions required to gain access to non-public files. In protecting this information, it is not enough for individuals to be aware of the threats; they must be actively engaged in protecting their information. Vigilance in sharing or posting personal information, reviewing the privacy statements of websites that collect your personal information, managing your sensitive accounts, passwords and secret questions, and monitoring your accounts for any suspicious activity needs to be a part of every individual's online activity. When a compromise occurs, individuals should know how to respond to limit the damage. While commercial services to protect your identity are available, there are multiple public sources for education and information, such as the Federal Trade Commission Consumer Information website.


FTC Sends Stop Message to SMS Spammers

On March 7, the Federal Trade Commission filed eight separate complaints in four U.S. states against 29 defendants allegedly involved in facilitating free giveaway scams via SMS text messages. According to the FTC, the defendants were responsible for more than 180 million SMS spam texts used to drive traffic to fraudulent websites. The FTC complaints were leveled at both the SMS spammers and the websites funding the scams. On the opposite side of the SMS spectrum, over the weekend of March 2, residents in St. Louis, Missouri were greeted with unexpected SMS text messages concerning an AMBER alert for a missing young girl. The unexpected messages apparently confused a number of recipients, who were unaware of the service and unsure of the validity of the message.
FTC Cracks Down on Senders of Spam Text Messages Promoting "Free" Gift Cards
FTC Cracking Down on Spam Text Message Senders
What Was That Strange Message Over The Weekend?

Analysis: While SMS text spam may seem trivial at first glance, it can have significant adverse consequences. With the free giveaway scams, potential victims were lured via SMS text messages promising free gift cards and other expensive giveaways. Qualifying for the promised "free offer" required completing potentially sensitive surveys and meeting the requirements of convoluted terms of service designed to ensure few (if any) could qualify. These terms typically involved purchasing items well above their standard value, guaranteeing that even if a victim did manage to qualify for the "free" giveaway, the scammers would still profit. There were other hidden costs as well. According to the FTC, an estimated 12% of recipients did not subscribe to a text messaging plan, which could have resulted in approximately US$4.3 million in total victim costs, simply by having received the text.

Unfortunately, while the FTC battles the problem of free giveaway scams, other developments in SMS text messaging could be laying the groundwork for future text messaging scams. A new partnership between FEMA, the FCC, and wireless providers sends unsolicited wireless emergency alerts to cellphone subscribers free of charge. These alerts may take one of three forms: presidential alerts, imminent threat alerts, and AMBER alerts. While the wireless emergency alerts are notably good in their intent, it is not unlikely that scammers will send SMS text messages masquerading as one of these official alerts in order to entice victims into visiting fraudulent websites, dialing premium rate numbers, or otherwise engaging in harmful or risky activities.


Trusted Websites Serving Malware

The National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) was reported to have been compromised and serving malicious code. Multiple other websites including the National Journal, multiple NBC domains, and the LA Times have also recently been identified as serving malicious code from their websites. National Journal representatives reported that an estimated 40,000 visitors may have been impacted, and that visitors were only prompted to download the malicious software if they went to the website through a search engine. This is the second time in the last 30 days that the National Journal has been impacted by these attacks. The visitors to these sites are commonly redirected by a script on the websites to a malicious website serving multiple exploits including the Fiesta and Zeroaccess exploit kits.
US National Vulnerability Database Hacked
National Journal Hacked, Used to Push Malware via Fiesta Exploit Kit

Analysis: For those not yet familiar with "drive by" and "watering hole" attacks, these attacks are not new, but have become more prevalent as attackers attempt to gain access to a secured environment. As Cisco reported in the 2013 Annual Security Report, the criminals are shifting away from websites widely known to be hazardous, instead choosing to infect popular and trusted websites frequented by specific groups. The websites may be compromised through a variety of vulnerabilities that allow the attacker to embed malicious code in the webpages in order to redirect or infect a visitor. The infections often occur automatically when the webpage is accessed, often with no indicators and without requiring any specific action by the visitor. The compromised user, now infected, provides the initial entry point for the attackers. These attacks can be prevented through website security, enterprise web security products, updated browsers and applications, monitoring of network activity for signs of an infected system, and security information sharing to alert website owners that they may be compromised.
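
An added example, not part of the Cisco report: because the National Journal visitors were affected only when arriving through a search engine, a site owner can compare the page as served with and without a search-engine Referer header and flag third-party script, iframe, or meta-refresh hosts that appear only in the search-referred copy. The host names and HTML bodies below are constructed placeholders, and `external_hosts` and `referrer_cloaked_hosts` are hypothetical helper names.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Illustrative helpers with hypothetical names; not code from any Cisco product.


class _ActiveContent(HTMLParser):
    """Collect hosts referenced by script/iframe src and meta-refresh targets."""

    def __init__(self):
        super().__init__()
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        url = None
        if tag in ("script", "iframe"):
            url = a.get("src")
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            # content looks like "0; url=http://host/path"
            url = (a.get("content") or "").partition("=")[2].strip(" '\"")
        if url:
            host = urlparse(url).hostname  # None for relative (same-site) URLs
            if host:
                self.hosts.add(host.lower())


def external_hosts(html, site_host):
    """Hosts of active content that are neither the site nor its subdomains."""
    parser = _ActiveContent()
    parser.feed(html)
    parser.close()
    site = site_host.lower()
    return {h for h in parser.hosts if h != site and not h.endswith("." + site)}


def referrer_cloaked_hosts(direct_html, search_html, site_host, allowlist=()):
    """Hosts that appear only in the copy served to search-referred visitors."""
    allowed = {h.lower() for h in allowlist}
    extra = external_hosts(search_html, site_host) - external_hosts(direct_html, site_host)
    return sorted(extra - allowed)


# Constructed sample bodies (not captured from any real site): the same page as
# served without a Referer header and with a search-engine Referer header.
DIRECT_HTML = """<html><head>
<script src="/js/site.js"></script>
<script src="https://cdn.news.example/lib.js"></script>
<script src="https://analytics.example/t.js"></script>
</head><body><p>story</p></body></html>"""

SEARCH_HTML = DIRECT_HTML.replace(
    "</body>",
    '<iframe src="http://redirector.invalid/in" width="1" height="1"></iframe></body>',
)

if __name__ == "__main__":
    for host in referrer_cloaked_hosts(DIRECT_HTML, SEARCH_HTML, "news.example"):
        print("only served to search-referred visitors:", host)
```

This comparison only diffs declared sources, so an inline script that builds its redirect at run time needs a rendered-page check instead.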


Cyber Threat to Infrastructure Tops U.S. Security Concerns

In his annual prepared testimony to Congress last week, Director of National Intelligence (ODNI) James Clapper called out the threat of a cyber attack on U.S. critical infrastructure as the U.S. intelligence community's most concerning threat scenario. According to press reports, this was the first time cyber got top billing in this annual assessment, and the first time since 9/11 that terrorism did not rank first. He termed the likelihood of a catastrophic infrastructure outage as "remote," but said that the likelihood of less severe, but still damaging, cyber attacks was growing. In the testimony, Clapper noted that sequestration would require automatic spending cuts across the intelligence community, including within cyber security programs, and that this would weaken our ability to respond.
Security Leader Says U.S. Would Retaliate Against Cyberattacks
Worldwide Threat Assessment Remarks to the Senate Select Committee on Intelligence
Director Clapper Statement for the Record, Senate Select Committee on Intelligence

Analysis: Promotion of cyber to the top of the U.S. national security threat roster comes amid a heated global discussion related to suspected state-led cyber attacks and a call for rules of engagement. However, Clapper's testimony is a reminder that the cyber threat is not a classic state-to-state issue, but rather part of an emerging global threat that is asymmetric, pluralistic, and largely stateless. The Internet-powered interplay between states, crime groups, terrorists, and empowered activists outstrips the arsenal of any one nation's military. It lacks the Mutually Assured Destruction constraints that kept Cold War superpowers from pushing the proverbial "red button." While the terrorist threat of the 2000s lacked traditional sovereign constraints, it was hard to imagine realistic scenarios that could disrupt the global economy for more than a few days at a time. The emergence of national economies dependent on a largely open Internet creates a whole new, troubling menu of critical vulnerabilities that are keeping national security officials worldwide awake at night.

Upcoming Security Activity

Interop Las Vegas: May 6-10, 2013
Cisco Live U.S.: June 23-27, 2013
Black Hat 2013: July 27-August 1, 2013

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following:

U.S. NCAA Men's Basketball Tournament: March 19-April 8, 2013
NATO Meeting: March 16-17, 2013
ASEAN Summit: March 23-25, 2013
BRICS Summit: March 26-28, 2013
Arab League Summit: March 26-28, 2013
IMF World Bank Meeting: April 19-21, 2013
G8 Summit: May 17-18, 2013

Additional Information

For information and commentary from the experts in Cisco Security, please visit the Cisco Security Blog.

For timely information from across Cisco Security, please consider following @CiscoSecurity on Twitter.

Alert History

Initial Release
