Cisco Security

Threat Type: Cyber Risk Report
IntelliShield ID: 28719
First Published: 2013 March 25 16:42 GMT
Last Published: 2013 March 25 16:42 GMT
Port: Not available
Urgency: Weakness Found
Severity: Mild Damage
Version Summary: This is the Cyber Risk Report for March 18-24, 2013. The report details the significant events for this time period and covers multiple threat and risk management categories.



Security Standards
Attacks and Compromises
Upcoming Security Activity
Additional Information




Vulnerability activity for the period returned to previous levels, following the high level of activity for the last period. Following up on the Microsoft Security Bulletins for March 2013, Cisco Security is seeing only threat activity related to the Microsoft SharePoint Directory Traversal Information Disclosure Vulnerability, reported in IntelliShield Alert 28470.

Cisco released a security advisory for a Cisco IOS and Cisco IOS XE Type 4 passwords issue. Cisco will release the next semiannual Cisco IOS Software Security Advisory Bundled Publication on March 27, 2013.

IBM reported multiple vulnerabilities in InfoSphere Information Server, Rational ClearQuest, Tivoli, and WebSphere, and vulnerabilities were reported in Oracle MySQL and Automated Service Manager. Following some media reports on the risks of vulnerabilities in security products, vulnerabilities were reported in HP OpenView Network Node Manager, McAfee Vulnerability Manager, CA SiteMinder Products, and Symantec Enterprise Vault.

Apple released updates for an iPhone lock screen unauthorized access issue, and reports identified a similar phone lock bypass vulnerability with Android phones.

In ICS/SCADA activity, new vulnerabilities and updates were reported for Schneider Electric PLCs, Siemens SIMATIC WinCC, Schweitzer Engineering Laboratories AcSELerator, and 3S CODESYS Gateway-Server.

The U.S. Department of Homeland Security and Internal Revenue Service continue to release warnings and information regarding various scams and fraud related to the U.S. tax filing season.

Mandiant released Appendix F to the APT1 report, containing additional information on the technical details. Mandiant also reported their websites are under an extended distributed denial of service (DDoS) attack.

Hacktivist groups continue to run operations against selected targets. Anonymous released data reportedly captured during #OpIsrael attacks against Israeli government targets, and the DDoS attacks on U.S. banks continue from the Al Qassam group.

IntelliShield published 113 events last week: 69 new events and 44 updated events. Of the 113 events, 80 were Vulnerability Alerts, four were Security Activity Bulletins, nine were Security Issue Alerts, 18 were Threat Outbreak Alerts, one was an Applied Mitigation Bulletin, and one was a Cyber Risk Report. The alert publication totals are as follows:

Day Date
Friday 03/22/2013
Thursday 03/21/2013
Wednesday 03/20/2013
Tuesday 03/19/2013
Monday 03/18/2013

Significant Alerts for the Time Period

Cisco IOS and Cisco IOS XE Type 4 Passwords Issue
IntelliShield Vulnerability Alert 28621, Version 1, March 18, 2013
Urgency/Credibility/Severity Rating: 3/5/3
Cisco IOS and Cisco IOS XE devices contain an issue that could allow an authenticated, remote attacker to access sensitive information on a targeted device. The Type 4 password scheme used by enable secret and username secret was intended to be a salted, iterated PBKDF2-based hash stronger than Type 5, but the shipped implementation applies a single unsalted SHA-256 pass to the password. An attacker who obtains a device configuration can therefore test password candidates far faster than against a Type 5 (salted, iterated MD5) hash, can reuse one precomputed table across every device, and can tell from identical hash strings that two accounts share a password. Functional code that exploits the issue is publicly available. Cisco has confirmed the issue in security response cisco-sr-20130318-type4; however, software updates are not available.
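The weakness in concrete terms, as an added example that is not Cisco's code and is not from the original alert: the functions below reproduce the Type 4 encoding as shipped (one SHA-256 pass, then base64 over Cisco's "./0-9A-Za-z" alphabet with no padding), audit a constructed configuration excerpt for Type 4 secrets, show how cheap an offline guess is, and contrast the result with a salted PBKDF2 construction whose parameters are illustrative rather than the ones Cisco intended. The sample configuration, the candidate list and the Type 5 string in it are constructed for the example.

```python
"""Cisco IOS Type 4 secrets: reproduce the shipped (weak) encoding, audit a
config for it, show the cost of an offline guess, and contrast a salted,
iterated alternative. Added illustration; not Cisco's code."""
import base64
import hashlib
import hmac
import re
from typing import Iterable, List, Optional, Tuple

# Type 4 emits the SHA-256 digest in base64 over Cisco's own alphabet (the
# one md5crypt/Type 5 uses) and drops the '=' padding: 32 bytes -> 43 chars.
_STD_ALPHABET = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
_CISCO_ALPHABET = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
_TO_CISCO = bytes.maketrans(_STD_ALPHABET, _CISCO_ALPHABET)


def type4_hash(password: str) -> str:
    """Type 4 as shipped: a single unsalted SHA-256 pass over the password."""
    digest = hashlib.sha256(password.encode("utf-8")).digest()
    return base64.b64encode(digest).rstrip(b"=").translate(_TO_CISCO).decode("ascii")


def verify_type4(password: str, stored: str) -> bool:
    """Constant-time comparison against a stored 'secret 4' value."""
    return hmac.compare_digest(type4_hash(password), stored)


def crack_type4(stored: str, candidates: Iterable[str]) -> Optional[str]:
    """Offline guess: no salt and one iteration, so each candidate costs one
    SHA-256, and a table computed once matches every device's Type 4 hashes."""
    for candidate in candidates:
        if type4_hash(candidate) == stored:
            return candidate
    return None


# Matches 'enable secret <type> <hash>' and 'username <name> secret <type> <hash>'.
_SECRET_LINE = re.compile(
    r"^\s*(?:enable secret|username\s+\S+\s+secret)\s+(\d)\s+(\S+)", re.MULTILINE)


def find_type4_secrets(config: str) -> List[Tuple[str, str]]:
    """Audit helper: (config line, hash) for every Type 4 secret in a config.
    Two identical Type 4 strings mean two identical passwords; a salted
    scheme would hide that."""
    return [(m.group(0).strip(), m.group(2))
            for m in _SECRET_LINE.finditer(config) if m.group(1) == "4"]


def salted_hash(password: str, salt: bytes, iterations: int = 20000) -> bytes:
    """What a sound scheme looks like: PBKDF2-HMAC-SHA256 with a per-secret
    salt and a tunable work factor. These parameters are illustrative and
    are not the ones Cisco intended for Type 4."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


# Constructed configuration excerpt (not taken from a real device).
SAMPLE_CONFIG = """\
hostname edge-rtr
enable secret 4 2btjjy78REtmYkkW0csHUbJZOstRXoWdX1mGrmmfeHI
username admin secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
username ops secret 4 2btjjy78REtmYkkW0csHUbJZOstRXoWdX1mGrmmfeHI
"""

if __name__ == "__main__":
    for line, stored in find_type4_secrets(SAMPLE_CONFIG):
        guess = crack_type4(stored, ["admin", "cisco", "hashcat", "Cisco123"])
        print(f"{line!r}: recovered={guess!r}")
    # Same password, two salts: no shared table, unlike Type 4 above.
    print(salted_hash("hashcat", b"device-A-salt") != salted_hash("hashcat", b"device-B-salt"))
```

Run against a saved running-config, find_type4_secrets gives the list of accounts to move back to Type 5 (or to a later, sound scheme once one ships), and the identical strings on the two Type 4 lines show why even a salt-free audit of a config is informative to an attacker.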

Previous Alerts That Still Represent Significant Risk

Oracle Java SE Security Bypass Arbitrary Code Execution Vulnerabilities
IntelliShield Vulnerability Alert 28462, Version 5, March 12, 2013
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2013-0809, CVE-2013-1493
Oracle Java SE contains vulnerabilities that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. Reports indicate that CVE-2013-1493 is being actively exploited by the McRat trojan malicious code. Oracle, Apple, IBM, and Red Hat have confirmed these vulnerabilities and released patches.

Adobe Flash Player and AIR Security Updates for March 12, 2013
IntelliShield Vulnerability Alert 28565, Version 2, March 13, 2013
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2013-0646, CVE-2013-0650, CVE-2013-1371, CVE-2013-1375
Adobe Flash Player and AIR contain multiple vulnerabilities that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. Updates are available.

Adobe ColdFusion Security Advisory January 2013
IntelliShield Vulnerability Alert 27769, Version 2, March 15, 2013
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2013-0629, CVE-2013-0631, CVE-2013-0625, CVE-2013-0632
Adobe ColdFusion for Windows, Macintosh, and UNIX contains multiple vulnerabilities that could allow an unauthenticated, remote attacker to bypass security restrictions to gain unauthorized access or access to sensitive information. Adobe has released an additional security bulletin and software updates to address multiple vulnerabilities. Reports indicate that these vulnerabilities are being exploited in the wild. The vulnerabilities, CVE-2013-0625 and CVE-2013-0629, affect users who do not have password protection enabled or have no password set on their system.

Oracle Java SE Critical Patch Update Advisory for February 2013
IntelliShield Activity Bulletin 28080, Version 8, March 12, 2013
Urgency/Credibility/Severity Rating: 2/5/4
Oracle Java SE contains multiple vulnerabilities that could allow an unauthenticated, remote attacker to bypass security restrictions, access sensitive information, execute arbitrary code, or cause a denial of service (DoS) condition on a targeted system. The patch update corrects 50 vulnerabilities in multiple components such as the Java Runtime Environment (JRE), Java Development Kit (JDK), Software Development Kit (SDK), and JavaFX. Oracle has released additional security advisories and updated packages to address the vulnerabilities in the Oracle Java SE critical patch update advisory for February 2013. Apple and Red Hat have also released updated packages to address these vulnerabilities. Red Hat has released an additional security advisory and updated packages.

Multiple Java Security Explorations
IntelliShield Activity Bulletin 28404, Version 1, March 1, 2013
Urgency/Credibility/Severity Rating: 2/5/4
Security researchers have released details on multiple new instances of certain types of vulnerabilities in Oracle Java. The vulnerabilities result from flaws similar to recent vulnerabilities that take advantage of various Java Virtual Machine (VM) components such as class loaders, byte code verifiers, security managers, the JVM Runtime execution engine and classes definition, or the garbage collector. Proof-of-concept code that could aid attackers in building functional exploits is publicly available. Although Oracle has addressed many of these vulnerabilities in multiple Java SE critical patch advisories, reports have indicated that a few of these vulnerabilities remain unpatched.

Adobe Flash Player Security Updates February 2013
IntelliShield Activity Bulletin 28400, Version 2, February 28, 2013
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2013-0504, CVE-2013-0643, CVE-2013-0648
Adobe Flash Player contains multiple vulnerabilities that could allow an unauthenticated, remote attacker to execute arbitrary code or cause a denial of service (DoS) condition on a targeted system. Adobe, Microsoft, and Red Hat have released updated software.

Adobe Reader and Acrobat Security Update for February 2013
IntelliShield Activity Bulletin 28227, Version 4, February 22, 2013
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2013-0640, CVE-2013-0641
Adobe Product Security Incident Response Team investigated reports of active exploitation of a vulnerability in Adobe Reader and Acrobat XI (11.0.1) and earlier versions. Adobe has released a security advisory and updated software to address multiple vulnerabilities in Adobe Reader and Acrobat.

Novell GroupWise Client for Windows ActiveX Control Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 28046, Version 3, February 18, 2013
Urgency/Credibility/Severity Rating: 3/5/4
Novell GroupWise Client for Windows contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code. Functional code that exploits this vulnerability is available as part of the Metasploit framework. Novell has confirmed the vulnerability and software updates are available.

Microsoft Internet Explorer SLayoutRun Use-After-Free Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 28065, Version 2, February 14, 2013
Urgency/Credibility/Severity Rating: 3/5/4
Microsoft Internet Explorer contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system with the privileges of the user. Functional code that exploits this vulnerability is publicly available. Microsoft has confirmed the vulnerability in security bulletin MS13-009 and released software updates.

Ruby on Rails Action Pack Parameter Processing Remote Code Execution Vulnerability
IntelliShield Vulnerability Alert 27831, Version 5, March 18, 2013
Urgency/Credibility/Severity Rating: 3/5/4
Ruby on Rails contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. Updates are available. Functional code that exploits this vulnerability is publicly available as part of the Metasploit Framework.

Financial Institution Websites Targeted by Distributed Denial of Service Attacks
IntelliShield Security Activity Bulletin 27076, Version 3, December 13, 2012
Urgency/Credibility/Severity Rating: 3/5/3
Websites owned by banks and other financial institutions continue to be targeted by distributed denial of service attacks, decreasing availability of those sites to legitimate customers. DDoS attacks may still be ongoing. Site administrators are advised to take steps to protect their Internet-facing web services. Cisco has released a guide to protecting environments against DDoS attacks at the following link: Strategies to Protect Against Distributed Denial of Service (DDoS) Attacks. Cisco has released an Applied Mitigation Bulletin at the following link: Identifying and Mitigating the Distributed Denial of Service Attacks Targeting Financial Institutions


AT&T Hacker Gets Prison Time

Andrew Auernheimer, aka Weev, was sentenced to 41 months in prison for downloading the personal information of over 120,000 AT&T customers from a publicly accessible AT&T web server. Auernheimer was found guilty of conspiracy to access a computer without authorization under the Computer Fraud and Abuse Act.
AT&T Hacker ‘Weev’ Sentenced to 3.5 Years in Prison
US hacker Andrew Auernheimer given three-year jail term for AT&T breach

In this case, Andrew Auernheimer, a self-described internet troll, notified Gawker Media of the security hole before AT&T was told that the supposedly obscured data was obtainable. Whether his access to the AT&T data was "unauthorized" is questionable. He did not download or use anyone else's password. AT&T used the guessable, sequential identifier of each iPad as the only authorization token for the request to its server, so the data could be downloaded wholesale simply by iterating through identifiers. The data included the e-mail addresses of high-profile government officials and industry leaders. What impact will this case have on the body of law related to acceptable use and unauthorized access? Will the case change the behavior of the community of vulnerability researchers who follow reasonable disclosure practices?
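The authorization failure in the case above, as an added example that is not AT&T's code and makes no claim about how the AT&T endpoint was actually built: a lookup that accepts any well-formed, sequential identifier as proof of ownership, beside one that only answers for the identifier bound to an authenticated session. The subscriber records, identifiers and credentials are constructed for the example.

```python
"""Guessable identifier as the sole authorization token, beside a lookup bound
to an authenticated session. Constructed example; not AT&T's code."""
import secrets
from typing import Dict, Optional

# Constructed subscriber records keyed by a sequential device identifier.
SUBSCRIBERS: Dict[str, str] = {
    "89014100000000001230": "alice@example.com",
    "89014100000000001231": "bob@example.com",
    "89014100000000001232": "carol@example.com",
}
# Constructed credential store; a real service would hold password hashes.
CREDENTIALS: Dict[str, str] = {
    "89014100000000001230": "alice-pass",
    "89014100000000001231": "bob-pass",
    "89014100000000001232": "carol-pass",
}


def lookup_vulnerable(device_id: str) -> Optional[str]:
    """Possession of a well-formed identifier is treated as ownership."""
    return SUBSCRIBERS.get(device_id)


def harvest(start: int, count: int) -> Dict[str, str]:
    """Wholesale collection is a loop when the identifier space is sequential."""
    found: Dict[str, str] = {}
    for n in range(start, start + count):
        email = lookup_vulnerable(str(n))
        if email is not None:
            found[str(n)] = email
    return found


# Hardened: a session exists only after authentication and is bound to one
# device identifier; the identifier in each request must match that binding.
SESSIONS: Dict[str, str] = {}


def login(device_id: str, password: str) -> Optional[str]:
    expected = CREDENTIALS.get(device_id)
    if expected is None or not secrets.compare_digest(expected, password):
        return None
    token = secrets.token_urlsafe(32)  # unguessable, unlike the device id
    SESSIONS[token] = device_id
    return token


def lookup_hardened(device_id: str, token: Optional[str]) -> Optional[str]:
    owner = SESSIONS.get(token) if token else None
    if owner is None or not secrets.compare_digest(owner, device_id):
        return None  # unauthenticated, or asking about someone else's device
    return SUBSCRIBERS.get(device_id)


if __name__ == "__main__":
    print(harvest(89014100000000001230, 5))  # every record leaks
    tok = login("89014100000000001230", "alice-pass")
    print(lookup_hardened("89014100000000001230", tok))  # alice's own record
    print(lookup_hardened("89014100000000001231", tok))  # None: not her device
```

The hardened version still answers for a device identifier the caller already knows; what changes is that knowing the identifier no longer substitutes for authenticating as its owner, so enumeration yields nothing without a credential per record.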

Normal, responsible vulnerability disclosure by the security research community involves notifying the vendor or service provider first (in this case, AT&T); after a reasonable amount of time the vulnerability is disclosed by the vendor, the researcher, or both. Researchers often reverse engineer products and may technically be violating license terms or the law; vendors, however, are willing to work with researchers in the context of reasonable disclosure. Researchers get press, vendors sell more secure products, and the public benefits. Auernheimer is not a researcher in this sense, but if the courts do not clear up the morass of what counts as "unauthorized access", the consequence may be less secure resources across the Internet infrastructure: researchers may be reluctant to disclose responsibly for fear of rulings and sentences like the one in the Auernheimer case. Research gives birth to new products, and many businesses would not exist if every discovered vulnerability were a crime.

Security Standards

A Good Week for Information Security Standards

The security community saw several welcome developments in the past week. Google announced that its Public DNS service now supports Domain Name System Security Extensions (DNSSEC) validation. DNSSEC counters DNS cache poisoning by having zone operators sign their records with public key cryptography, so that a validating resolver can verify the origin and integrity of the answers it receives; it does not encrypt or hide queries. In addition to the Google announcement, Cisco's own Mike Schiffman announced the release of cvrfparse, a tool for parsing security advisories in the Common Vulnerability Reporting Framework (CVRF) format, and the Common Vulnerability Scoring System (CVSS) Special Interest Group (SIG) released a development update for CVSS version 3.
Google Public DNS Now Supports DNSSEC Validation
Common Vulnerability Scoring System, V3 Development Update
CVSS Usage within Cisco
Common Vulnerability Reporting Framework (CVRF)
Tools of the Trade: cvrfparse

Analysis: The world of information security is fast paced and filled with complexity. The ever-evolving threat and vulnerability landscape requires constant vigilance, new tools, and a continual re-examination of current standards. Developments such as Google's implementation of DNSSEC for a large public-facing service, tools to work with existing standards such as cvrfparse, and the efforts to address gaps in existing standards such as the development of CVSS version 3 are welcome additions to the community. Security practitioners are advised to review these developments and consider implementation where applicable.

Attacks and Compromises

Attacks on South Korea Investigated

Recent reports of widespread attacks on South Korean banks, media, and the energy sector continue to be investigated. Multiple antivirus vendors are reporting research on the malicious code identified in the attacks, and researchers and investigators are releasing reports on additional details of the attacks. The original evidence suggesting the attack originated from an IP address in China has been corrected, and investigators now believe the origin was an IP address that was on an internal South Korean network. As this investigation continues, the details of the report may prove valuable to others in identifying future attacks.
South Korean Banks and Broadcasters Paralyzed by Cyber Attacks
Your Hard Drive will Self-Destruct at 2 PM
South Korea cyberattacks hold lessons
Alienvault: Information About the South Korean Banks and Media Systems Attacks

Analysis: Likely due to pressure on the incident response teams from the media and the government, initial reports have contained largely incorrect information. As the investigation continues and corrections are made to the earlier reports, this may be the first lesson learned. The first rule of incident response is to remain calm, calm those around you, and go to work in an orderly process. Regardless of the type or extent of the attacks, pressuring the incident response teams for answers, or involving others who can misinterpret early findings, only leads to confusion and repeated resets for the teams. This incident to date also shows the importance of the communications teams that work with the incident response teams. Releasing information before it is validated makes the combined teams and officials appear unprofessional and potentially incompetent. The incident response teams are well aware of the communications requirements and must provide regular updates whether or not they have new information to report. We have all seen organizations in various crisis situations that have done this well, and those that have not. The key to success in most cases is to have thoroughly planned, organized, and trained teams that follow their procedures and do not deviate from them under pressure from higher officials or the media. A second lesson that is still developing appears to be that the energy sector targets demonstrated greater resiliency than other targets. More to come.


New Espionage Cases Revisit Classic Human Vulnerabilities

U.S. federal agents arrested a foreign scientist this month as he tried to leave the country, according to a variety of reports. He had been working on a contract with the U.S. National Aeronautics and Space Administration (NASA) through the nonprofit National Institute of Aerospace (NIA). According to Representative Frank Wolf of Virginia, the scientist had been involved in developing imaging technology software and had generous access to sensitive NASA information. Separately this month, another contractor was arrested for passing classified information to a foreign national with whom he was romantically involved. He had access to military information through his work at U.S. Pacific Command (PACOM) in Hawaii; he met the woman at a conference in 2011. He has been charged with passing classified information to her and with violating the terms of his security clearance by concealing his relationship with a foreign national.
U.S. Defense Contractor Arrested Passing Secrets
NASA-Linked Chinese Scientist Arrested

Analysis: These two cases are a reminder that classic espionage tactics are alive and well, and anyone with access to sensitive proprietary or classified information would do well to pay heed. Contractors frequently are not as closely vetted as full-time employees. Even with the best intentions, faced with tight deadlines and shortages of qualified personnel, managers may need to give foreign nationals privileged access. The vast majority, of course, do not violate their privileges, but everyone involved in classified or confidential work must grant privileged access carefully and keep it under constant watch. The second case is a classic “honeypot” incident. We must all keep in mind that a romantic or suspiciously friendly approach may have ulterior motives. Sensitive access is a privilege that we all have a personal duty to protect.

Upcoming Security Activity

Interop Las Vegas: May 6–10, 2013
Cisco Live US: June 23–27, 2013
Black Hat 2013: July 27–August 1, 2013

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following:

U.S. NCAA Men's Basketball Tournament: March 19–April 8, 2013
ASEAN Summit: March 23–25, 2013
BRICS Summit: March 26–28, 2013
Arab League Summit: March 26–28, 2013
IMF World Bank Meeting: April 19–21, 2013
G8 Summit: May 17–18, 2013

Additional Information

For information and commentary from the experts in Cisco Security, please visit the Cisco Security Blog.

For timely information from across Cisco Security, please consider following @CiscoSecurity on Twitter.

Alert History

Initial Release
