Cisco Security

Threat Type:Cyber Risk Report
IntelliShield ID:28454
First Published:2013 March 05 00:02 GMT
Last Published:2013 March 05 00:02 GMT
Port: Not available
Urgency:Weakness Found
Severity:Mild Damage
Version Summary:This is the Cyber Risk Report for February 25-March 3, 2013. The report details the significant events for this time period and covers the following threat and risk management categories: vulnerability, physical, legal, trust, identity, human, geopolitical, and others.



Listen to the Podcast (11:46 min)

We have introduced some changes to the format and structure of the Cyber Risk Reports. While we will remain focused on the seven primary risk categories, we also will be adding additional risk categories as they apply to activity in a specified period. These could include, for example, categories pertaining to botnets, cloud, mobile, and others. The Cyber Risk Report will remain focused on risk management, lessons learned, recommended practices, and analysis from our Cisco expert security engineers and analysts. In addition, we will not include risk categories that do not have activity for the period.

If you missed Cisco Live London or Cisco Live Melbourne, several of the session recordings are available at If you do not have an account, you can create one at no charge. Information and registration for Cisco Live 2013, June 23–27 in Orlando, Florida, is now available. Several members of the Cisco Security (SIO) team will be presenting training and security topics.

Cisco released the Cisco Annual Security Report 2013, highlighting global threat patterns and trends, expert analysis and recommendations, and the results of the Cisco Connected World Report.

As always, we invite your feedback on the Cyber Risk Reports through the Cisco Security portal comment card.


Vulnerability activity for the period decreased from the previous period; however, it remained above past periods. Total alert activity for February 2013 increased slightly when compared to the same period in 2012; however, there was a significant increase in the number of new alerts (386 compared to 234). This trend shows a large increase in new vulnerabilities being reported by vendors and other sources, which presents a significant increase in risk and may stress vulnerability management procedures.

IntelliShield released two Malicious Code Alerts for the time period. One alert contains information on the Citadel trojan, a highly sophisticated trojan designed to steal online banking credentials or intellectual property from multiple business sectors. The other alert contains information on the MiniDuke trojan, which attempts to provide backdoor access to a remote attacker, install additional malware, and disclose sensitive information on Microsoft Windows systems. Both trojans are active in the wild against vulnerable systems.

Cisco released the following Cisco Security Advisories:

  • Cisco Unified Communications Manager Multiple Denial of Service Vulnerabilities
  • Cisco Prime Central for Hosted Collaboration Solution Assurance Excessive CPU Utilization Vulnerability
  • Cisco Unified Presence Server Denial of Service Vulnerability
Cisco released the following Cisco Security Notices:
  • Cisco Aironet Access Point Denial of Service Vulnerability
  • Cisco Wireless LAN Controller Denial of Service Vulnerability
  • Cisco Adaptive Security Appliance Xlates Table Exhaustion Vulnerability
  • Cisco Network Admission Control Mac Agent Connects to ISE Server with Untrusted SSL Certificate
  • Cisco Unified Presence Server Denial of Service Vulnerability
  • Cisco Cloud Portal Information Disclosure Vulnerability
The Cisco Security Advisories and Cisco Security Notices are available at the "Cisco Security Advisories, Responses, and Notices" section of the Cisco Security portal.

Other security advisories and software updates include the Google Chrome Stable Channel Update for February 2013, multiple vulnerabilities in Oracle Enterprise Manager, and multiple updates from Red Hat for Ruby on Rails, JBoss, and the Pluggable Authentication Modules (PAM). IntelliShield alert 28404 reports new security research indicating a new Java vulnerability and showing that attackers may be able to combine two known Java vulnerabilities to circumvent current protections and exploit vulnerable systems.

Red Hat released a blog post analyzing vulnerabilities affecting its products and pointing out that the vast majority of critical vulnerabilities are due to just four products: Konqueror, Firefox, Thunderbird, and OpenJDK.

Fake bank account updates, transfers and payment notifications, product order notifications, photo attachments, and ADP notifications continue to target selected users via e-mail.

IntelliShield published 131 events last week: 87 new events and 44 updated events. Of the 131 events, 60 were Vulnerability Alerts, six were Security Activity Bulletins, two were Malicious Code Alerts, 60 were Threat Outbreak Alerts, two were Applied Mitigation Bulletins, and one was a Cyber Risk Report. The alert publication totals are as follows:

Day        Date        New  Updated  Total
Friday     03/01/2013   20       19     39
Thursday   02/28/2013   11        3     14
Wednesday  02/27/2013   17        5     22
Tuesday    02/26/2013   26        7     33
Monday     02/25/2013   13       10     23


Month     New  Updated  Total
January   303      224    527
February  386      212    598
Totals    689      436   1125

Significant Alerts for February 25-March 3, 2013

Multiple Java Security Explorations
IntelliShield Activity Bulletin 28404, Version 1, March 1, 2013
Urgency/Credibility/Severity Rating: 2/5/4
Security researchers have released details on multiple new instances of certain types of vulnerabilities in Oracle Java. The vulnerabilities are similar to recently reported flaws in Java Virtual Machine (JVM) components such as class loaders, the bytecode verifier, the security manager, the runtime execution engine and class definition, and the garbage collector. Proof-of-concept code that could aid attackers in building functional exploits is publicly available. Although Oracle has addressed many of these vulnerabilities in multiple Java SE critical patch update advisories, reports indicate that a few of them remain unpatched.

Adobe Flash Player Security Updates February 2013
IntelliShield Activity Bulletin 28400, Version 2, February 28, 2013
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2013-0504, CVE-2013-0643, CVE-2013-0648
Adobe Flash Player contains multiple vulnerabilities that could allow an unauthenticated, remote attacker to execute arbitrary code or cause a denial of service (DoS) condition on a targeted system. Adobe, Microsoft, and Red Hat have released updated software.

Previous Alerts That Still Represent Significant Risk

Oracle Java SE Critical Patch Update Advisory for February 2013
IntelliShield Activity Bulletin 28080, Version 6, March 1, 2013
Urgency/Credibility/Severity Rating: 2/5/4
Oracle Java SE contains multiple vulnerabilities that could allow an unauthenticated, remote attacker to bypass security restrictions, access sensitive information, execute arbitrary code, or cause a denial of service (DoS) condition on a targeted system. The patch update corrects 50 vulnerabilities in multiple components, including the Java Runtime Environment (JRE), Java Development Kit (JDK), Software Development Kit (SDK), and JavaFX. Oracle has released additional security advisories and updated packages to address the vulnerabilities in the Oracle Java SE critical patch update advisory for February 2013. Apple and Red Hat have also released updated packages to address these vulnerabilities.

Adobe Reader and Acrobat Security Update for February 2013
IntelliShield Activity Bulletin 28227, Version 4, February 22, 2013
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2013-0640, CVE-2013-0641
The Adobe Product Security Incident Response Team investigated reports of active exploitation of a vulnerability in Adobe Reader and Acrobat XI (11.0.1) and earlier versions. Adobe has released a security advisory and updated software to address multiple vulnerabilities in Adobe Reader and Acrobat.

Novell GroupWise Client for Windows ActiveX Control Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 28046, Version 3, February 18, 2013
Urgency/Credibility/Severity Rating: 3/5/4
Novell GroupWise Client for Windows contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code. Functional code that exploits this vulnerability is available as part of the Metasploit framework. Novell has confirmed the vulnerability and software updates are available.

Microsoft Internet Explorer SLayoutRun Use-After-Free Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 28065, Version 2, February 14, 2013
Urgency/Credibility/Severity Rating: 3/5/4
Microsoft Internet Explorer contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system with the privileges of the user. Functional code that exploits this vulnerability is publicly available. Microsoft has confirmed the vulnerability in security bulletin MS13-009 and released software updates.

Intel 82574L Ethernet Controller Packet Processing Remote Denial of Service Vulnerability
IntelliShield Vulnerability Alert 28134, Version 2, February 12, 2013
Urgency/Credibility/Severity Rating: 2/5/3
Intel 82574L Ethernet Controllers contain a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service condition. Proof-of-concept code is publicly available. Reports indicate that fixes are available; however, the fixes have not been confirmed.

Ruby on Rails Action Pack Parameter Processing Remote Code Execution Vulnerability
IntelliShield Vulnerability Alert 27831, Version 4, February 5, 2013
Urgency/Credibility/Severity Rating: 3/5/4
Ruby on Rails contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. Updates are available. Functional code that exploits this vulnerability is publicly available as part of the Metasploit Framework.

Multiple Universal Plug and Play Devices Simple Service Discovery Protocol Processing Vulnerabilities
IntelliShield Activity Bulletin 28002, Version 4, January 31, 2013
Urgency/Credibility/Severity Rating: 3/5/4
Multiple Universal Plug and Play devices contain vulnerabilities that could allow an unauthenticated, remote attacker to access sensitive information, execute arbitrary code, or cause a denial of service (DoS) condition on a targeted system. Proof-of-concept code that exploits these vulnerabilities is publicly available. The Cisco Applied Intelligence team has created the following companion document to guide administrators in identifying and mitigating attempts to exploit these vulnerabilities prior to applying updated software: cisco-sa-20130129-upnp

Fraudulent TURKTRUST Inc. Digital Certificates Issued
IntelliShield Security Activity Bulletin 27758, Version 3, January 29, 2013
Urgency/Credibility/Severity Rating: 3/5/3
Fraudulent certificates for were issued by a third-party certificate authority, possibly allowing spoofing attacks. Root certificate authorities have revoked the fraudulent certificates. Microsoft and Mozilla have released security advisories and software updates to revoke the certificate.

Red October Cyber Espionage Campaign Identified
IntelliShield Activity Bulletin 27890, Version 2, January 17, 2013
Urgency/Credibility/Severity Rating: 3/5/4
Reports indicate that a large-scale cyber espionage campaign has been identified and named Red October (Rocra). Red October is a cyber espionage campaign that attempts to steal data from infected systems, install additional software, and allow remote access to an attacker.

Oracle Java Security Manager Security Bypass Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 27845, Version 4, January 17, 2013
Urgency/Credibility/Severity Rating: 3/5/4
Oracle Java version 7 update 10 and prior contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. Functional exploit code is publicly available as part of the Metasploit framework and has been incorporated into the Blackhole and Nuclear Pack exploit kits, and the vulnerability is actively exploited in the wild. Exploit source code has also been posted publicly, further increasing the likelihood of exploitation. Oracle has confirmed the vulnerability and software updates are available.

Microsoft Internet Explorer CDwnBindInfo Object Processing Use-After-Free Vulnerability
IntelliShield Vulnerability Alert 27711, Version 2, January 14, 2013
Urgency/Credibility/Severity Rating: 3/5/4
Microsoft Internet Explorer contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. Functional code that exploits this vulnerability is available as part of the Metasploit framework. Microsoft has released a security bulletin and software updates.

Financial Institution Websites Targeted by Distributed Denial of Service Attacks
IntelliShield Security Activity Bulletin 27076, Version 3, December 13, 2012
Urgency/Credibility/Severity Rating: 3/5/3
Websites owned by banks and other financial institutions continue to be targeted by distributed denial of service attacks, decreasing availability of those sites to legitimate customers. DDoS attacks may still be ongoing. Site administrators are advised to take steps to protect their Internet-facing web services. Cisco has released a guide to protecting environments against DDoS attacks at the following link: Strategies to Protect Against Distributed Denial of Service (DDoS) Attacks. Cisco has released an Applied Mitigation Bulletin available at the following link: Identifying and Mitigating the Distributed Denial of Service Attacks Targeting Financial Institutions


Coast Guard Searches for Sailboat Emergency

The U.S. Coast Guard reported that it had received emergency calls that a sailboat with a family aboard was sinking off the coast of California. The calls ceased and contact with the caller was lost. A search of the area found no sign of a sailboat in distress or of individuals in the water, and the search was called off after no evidence of the reported emergency was found.
Coast Guard Missing Sailboat

Analysis: While this type of event is not uncommon for the U.S. Coast Guard, finding no evidence at all of a sinking vessel or of passengers is not common and is suspicious. This could be an event similar to swatting, in which individuals make false emergency calls to trigger a response, or it could be a deliberate manipulation of Coast Guard resources to draw them away and allow other activity, such as smuggling or drug running, to bypass patrols. Similarly, distributed denial of service (DDoS) attacks have been used to manipulate cyber security responses so that attackers can perform other compromises while the security team is focused on the DDoS. Physical and cyber security teams should be aware of these tactics, techniques, and procedures to avoid being manipulated and misdirected by criminals and attackers.

Industry Trends

RSA Conference Highlights and Trends

The RSA Security Conference attracted widespread media attention and brought a wide variety of product and research announcements. While many of these announcements deserve review, the larger trends were not widely reported by the media or by participants at the conference. Cisco Security closely monitored the activity and identified several higher-level security trends.
CrowdStrike Falcon Unveiled
CrowdStrike Active Defense Blog Post
McAfee Security Revamp

Analysis: Several security trends were identified at the RSA Security Conference, most notably a shift from defense toward offense, which raised concerns in the security community. While defense in depth remains the recommended practice, an active defense that pursues and possibly counterattacks adversaries raises technical and legal questions and potential liabilities. With the U.S. government leading the push into cyber warfare and military cyber operations forces, new services and products are being developed to support those efforts. Other trends included identification of attackers, improved security intelligence, data mining, and internal use of honeypots and honeynets to gather information on attacks.


The U.S. Six Strike Rule

Internet Service Providers (ISPs) will be watching subscribers' Internet traffic under the "Copyright Alert System" initiative. The program monitors traffic for peer-to-peer file sharing and, when it is seen, notifies subscribers of the infringing activity. If the notifications go unheeded, the subscriber could be redirected to websites about such infringement or have their Internet speed throttled.
ISPs Reveal Details of Six Strikes

Analysis: Will this "educational" program remain a series of toothless nag messages? The Recording Industry Association of America (RIAA), a vocal negotiator for the plan, had 30,000 outstanding lawsuits against individual file sharers in 2008. Who will keep the records of the IP addresses of the "uneducated"? How long will the program be in place? Many questions remain unanswered as the Copyright Alert System comes online. For insight we can look to a similar program that is operational in France. The French High Authority for the Distribution of Works and the Protection of Rights on the Internet (Hadopi) fined a man 150 euros for failing to secure his Internet connection; the man blamed (or testified against) his wife for the downloads. Hadopi has passed 14 files to the courts for prosecution since 2010. Expect monitoring programs to proliferate, along with VPNs and other technologies that bypass monitoring.


OSINT Is Coming of Age, But Not Without Growing Pains

Last week, the information security firm Mandiant released a report on an advanced persistent threat (APT) group it designates APT1. The report relies heavily on open source intelligence (OSINT), information gleaned from publicly available sources such as websites, domain name registrars, and social networking portals. Mandiant also released an appendix of supporting data, including over 3,000 technical indicators such as MD5 hashes of malware files, domain names, and IP addresses that can be used to help identify and mitigate the threats described in the report. These indicators were identified during investigations conducted on behalf of Mandiant's customers. The report makes a compelling case for the utility of open source intelligence and its increasing prevalence in cyber investigations, and it illustrates a level of OSINT gathering once considered the domain of nation states and clandestine services; however, it also highlights some of the issues with OSINT, including the challenges of attribution and confirmation.
Mandiant APT1 Report
An Open Framework for Sharing Threat Intelligence

Analysis: Today's information security professional has more tools and access to information than ever before, yet managing the ever-growing flood of threats, vulnerabilities, and related information continues to challenge the community. Sharing intelligence data such as indicators of compromise (IOCs) is also a double-edged sword. Publicly sharing the indicators that point to an adversary invariably compels the adversary to change tactics: while sharing can help disrupt ongoing attacks, it can also impair the ability of security researchers to investigate and track an ongoing advanced persistent threat, and it educates the adversary about its own operational security posture and its possible exposure to counter-intelligence efforts.
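As an added illustration of how indicators of the kind in the Mandiant appendix are actually consumed, the script below (example code written for this page, not Mandiant's or Cisco's tooling) matches a constructed indicator set against constructed proxy log lines and a constructed file-hash inventory. Every indicator value, log line, path and hash is made up for the example and none is taken from the APT1 appendix. Two details matter in practice and are handled here: hashes are compared case-insensitively, and domain indicators are matched on label boundaries, so a look-alike domain that merely contains the indicator as a substring does not produce a false hit, while a subdomain of the indicator does.

```python
"""Match file-hash, domain and IP indicators against constructed log data.

Added example, not code from the Cisco report or the Mandiant appendix.
Every indicator, log line, path and hash below is constructed for
illustration; none is a real APT1 indicator.
"""
import ipaddress
import re
from collections import namedtuple

Hit = namedtuple("Hit", "kind indicator source")

# Constructed indicators in the three forms the report mentions.
INDICATORS = {
    "md5": {"d41d8cd98f00b204e9800998ecf8427e"},
    "domain": {"update-check.example.net", "cdn.example.org"},
    "ip": {"203.0.113.7", "198.51.100.0/24"},   # TEST-NET ranges, constructed
}

# Constructed proxy log: "<timestamp> <client> <method> <url> <status>"
PROXY_LOG = """\
2013-02-26T10:00:01Z 10.1.2.3 GET http://www.example.com/ 200
2013-02-26T10:00:05Z 10.1.2.3 POST http://beacon.update-check.example.net/in.php 200
2013-02-26T10:00:09Z 10.1.2.9 GET http://198.51.100.44/img/logo.gif 200
2013-02-26T10:00:12Z 10.1.2.9 GET http://cdn.example.org.lookalike.example/ 200
"""

# Constructed file inventory: "<path> <md5>"
FILE_HASHES = """\
C:\\Windows\\System32\\svchost.exe 3c3e8f2d0f8b4a1d9e7f6a5b4c3d2e1f
C:\\Users\\Public\\t.exe D41D8CD98F00B204E9800998ECF8427E
"""

_URL_HOST = re.compile(r"^[a-z][a-z0-9+.-]*://([^/:?#]+)", re.I)


def domain_matches(host, indicator):
    """True if host is the indicator or a subdomain of it. Matching on label
    boundaries means cdn.example.org.lookalike.example does not hit cdn.example.org."""
    host = host.lower().rstrip(".")
    return host == indicator or host.endswith("." + indicator)


def ip_matches(host, networks):
    """Return the matching network as a string, or None if host is not an IP
    address or falls outside every indicator network."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return None
    for net in networks:
        if addr in net:
            return str(net)
    return None


def scan_proxy_log(text, indicators=INDICATORS):
    """Return one Hit per (line, indicator) pair for domain and IP indicators."""
    networks = [ipaddress.ip_network(n, strict=False) for n in indicators["ip"]]
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue                      # skip malformed lines
        m = _URL_HOST.match(fields[3])
        if not m:
            continue
        host = m.group(1)
        for d in indicators["domain"]:
            if domain_matches(host, d):
                hits.append(Hit("domain", d, line))
        net = ip_matches(host, networks)
        if net:
            hits.append(Hit("ip", net, line))
    return hits


def scan_file_hashes(text, indicators=INDICATORS):
    """Return one Hit per file whose MD5 is in the indicator set."""
    hits = []
    for line in text.splitlines():
        path, _, digest = line.rpartition(" ")
        digest = digest.lower()           # hashes compare case-insensitively
        if digest in indicators["md5"]:
            hits.append(Hit("md5", digest, path))
    return hits


if __name__ == "__main__":
    for hit in scan_proxy_log(PROXY_LOG) + scan_file_hashes(FILE_HASHES):
        print(f"{hit.kind:6} {hit.indicator:30} {hit.source}")
```

Run against the constructed data, the scan reports the beacon to a subdomain of update-check.example.net, the fetch from an address inside 198.51.100.0/24, and the file whose hash matches; the look-alike domain and the legitimate system binary produce no hits.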


cPanel, Al Qassam, and Anonymous

cPanel, a web hosting control panel vendor, reported a server compromise and advised affected users to change their root passwords because those credentials may have been exposed. The Al Qassam group announced it would resume distributed denial of service (DDoS) attacks against U.S. financial institutions and called for the removal of offensive videos from video websites. Anonymous announced it had compromised systems at Bank of America and posted data from the compromised systems; Bank of America denied the compromise and stated that the data came from a third-party partner system.
Bank of America Compromise
DDoS attacks on Banks to Resume
cPanel Compromise

Analysis: Hacktivist groups continue to target selected businesses and government organizations; however, the targeted organizations have improved their security postures and are handling the attacks more effectively. The connection to cPanel is that compromised web servers have been used to increase the effectiveness of DDoS attacks: multiple research reports indicate that vulnerable installations of web management products such as cPanel, Joomla, and WordPress are being exploited to compromise websites, after which malicious code is installed that makes the server participate in the DDoS attacks. Operators of these sites are advised to check the security of their installations and to monitor outbound activity for signs the systems are being used in the attacks.
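One concrete check a site operator can run is to watch for the traffic pattern a DDoS participant produces: a burst of new outbound connections from the web server to a single destination, which a web server serving normal pages has no reason to open. The Python below is an added example written for this page, not code from Cisco or from cPanel, Joomla or WordPress. The log format ("<epoch> <src> <dst>:<port> NEW", the shape of a new-connection event a host firewall or connection tracker can emit), the 10-second window and the threshold of 20 new flows are assumptions to be tuned against the host's normal traffic, and the events are constructed.

```python
"""Flag a web server that has begun flooding a single destination.

Added example, not code from the Cisco report or from cPanel, Joomla or
WordPress. Assumed log format (one line per new outbound flow, timestamps
non-decreasing):
    <epoch> <src> <dst>:<dport> NEW
The window and threshold are assumptions to tune against normal traffic.
"""
from collections import defaultdict, deque


def constructed_events():
    """Constructed sample: a normal trickle of outbound flows from the web
    server 192.0.2.10 (DNS, a package mirror), then 60 new flows in six
    seconds to one HTTPS target, the shape a compromised site joining a
    DDoS would produce."""
    lines = [
        "1361872800 192.0.2.10 198.51.100.53:53 NEW",
        "1361872801 192.0.2.10 198.51.100.80:80 NEW",
        "1361872802 192.0.2.10 198.51.100.80:80 NEW",
    ]
    lines += [f"{1361872810 + i // 10} 192.0.2.10 203.0.113.5:443 NEW"
              for i in range(60)]
    return "\n".join(lines)


def detect_floods(text, window=10, threshold=20):
    """Return {(src, dst): peak} for every (src, dst) pair that opened more
    than `threshold` new flows inside any `window`-second span.

    A per-pair deque holds only the timestamps still inside the window, so
    this is a sliding window rather than fixed buckets: a burst that
    straddles a bucket boundary is not missed, and the deque never grows
    beyond the flows seen in the last `window` seconds."""
    recent = defaultdict(deque)
    peaks = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4 or fields[3] != "NEW":
            continue                       # ignore malformed lines and other states
        ts, src, dst = int(fields[0]), fields[1], fields[2]
        q = recent[(src, dst)]
        q.append(ts)
        while ts - q[0] >= window:         # drop timestamps that left the window
            q.popleft()
        if len(q) > threshold:
            peaks[(src, dst)] = max(peaks.get((src, dst), 0), len(q))
    return peaks


if __name__ == "__main__":
    for (src, dst), peak in detect_floods(constructed_events()).items():
        print(f"{src} opened {peak} new flows to {dst} within 10s")
```

On the constructed events the DNS and mirror traffic stays well under the threshold and only the (192.0.2.10, 203.0.113.5:443) pair is reported, with a peak of 60 flows in the window. In production the same loop would be fed from the firewall's new-connection log, and a flagged pair is the cue to inspect the web server for the injected code rather than a conclusion on its own.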


Political Uncertainty and Cybercrime

General elections in Italy gave no party a parliamentary majority last week, renewing concerns over Eurozone debt problems and instability. The party with the most votes is led by anti-austerity advocate and comedian Beppe Grillo, leading some media outlets to conclude that the only clear result of the election is a rejection of the cost-cutting policies pursued by incumbent Prime Minister Mario Monti. Political and financial uncertainty is not the sole domain of Europe, however, as across-the-board spending cuts went into effect in the United States at the beginning of March. The US$85 billion in cuts are likely to cause disruptions in public services and may cause airport delays, as U.S. politicians work to strike a late compromise.
Inconclusive vote in Italy points to fragmenting of political system
European markets dip amid Italian uncertainty
Preparing for sequestration and budget cuts

Analysis: Events such as the U.S. funding sequester and the inconclusive Italian elections are likely to have trickle-down effects on information security. For example, given that U.S. defense spending will be affected by the funding cuts, Pentagon budget managers will probably cover mission-critical programs and salaries first and put other spending on hold, potentially including new cyber security initiatives. The U.S. stock market's initial resilience in the face of the sequester, however, suggests that recent economic momentum may be enough to ward off any broad downturn that might lead to a spike in cybercrime and vigilante hacktivism. In Europe, meanwhile, very high unemployment figures in the south, combined with Italy's rejection of austerity measures, may force a softening by Europe's largest creditors as they seek to avoid even greater political uncertainty. Information security specialists may want to watch these developments as they seek to understand and predict trends in cybercrime and hacktivism over the coming weeks.

Upcoming Security Activity

Cisco Live, Melbourne: March 5–8, 2013
CanSecWest March 6–8, 2013
Black Hat Europe: March 12–15, 2013
Interop Las Vegas May 6–10, 2013
Cisco Live, U.S.: June 23–27, 2013

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following:

Kenya Presidential Election: March 4, 2013
China National People's Congress: March 4–9, 2013
NATO Meeting: March 16–17, 2013
ASEAN Summit: March 23–25, 2013
BRICS Summit: March 26–28, 2013
Arab League Summit: March 26–28, 2013
U.S. Budget Sequestration: March 27, 2013
IMF World Bank Meeting: April 19–21, 2013

Additional Information

For information and commentary from the experts in Cisco Security, please visit the Cisco Security Blog.

For timely information from across Cisco Security, please consider following @CiscoSecurity on Twitter.
Alert History
Initial Release

Product Sets
Primary Products: IntelliShield Cyber Risk Report, Original Release, Base