Cisco Security

Threat Type: Cyber Risk Report
IntelliShield ID: 29128
First Published: 2013 April 29 17:28 GMT
Last Published: 2013 April 29 17:28 GMT
Port: Not available
Urgency: Weakness Found
Severity: Mild Damage
Version Summary: This is the Cyber Risk Report for April 22-28, 2013. The report details the significant events for this time period and covers multiple threat and risk management categories.




Listen to the Podcast (12:00 min) 

If you missed Cisco Live London or Cisco Live Melbourne, several of the session recordings are available online. If you do not have an account, you can create one at no charge. Information and registration for Cisco Live 2013, June 23–27 in Orlando, Florida, is now available. Several members of the Cisco Security Intelligence Operations (SIO) team will be presenting training and security topics. The Cisco Security Blog post Cisco Live 2013: Security Training and Breakout Sessions provides an overview of the Cisco Live security track sessions and of those presented by Cisco Security.

As always, we invite your feedback on the Cyber Risk Reports through the Cisco Security portal comment card.


Vulnerability activity for the period declined from previous periods. Highlights for the period included the reporting of new Java vulnerability exploits, multiple Cisco security advisories, and an update for Microsoft Security Bulletin MS13-036.

New active exploits were reported targeting the Oracle Java Applet Object Type Confusion Arbitrary Code Execution Vulnerability, which was reported in the Oracle Java SE Critical Patch Update Advisory for April 2013 and in IntelliShield alert 29067. Users who have not yet installed the latest Java updates are advised to make the updates a priority.

Microsoft released an updated Security Bulletin MS13-036, adding a new CVE but not a replacement for the previously released, then withdrawn, update that caused some systems to fail after installation.

Threat Outbreak Alerts covering new spam and phishing threats reported new malicious messages targeting American Express and Career Builder users, as well as new variations of the payment transfers, online payments, and payment receipts spam. All Threat Outbreak Alerts are available at the Cisco Security portal Security Alerts tab.

LivingSocial was targeted by a reported massive attack on its systems that may have compromised an estimated 50 million customer records. LivingSocial has reportedly notified its customers of the compromise and advised users to reset their passwords. LivingSocial also noted that while millions of customer records may have been compromised, the compromise does not include credit card and financial account information. LivingSocial is a global service, although the compromise is reportedly limited to customers in the Washington DC, U.S., area. All customers are advised to check their accounts and information, and to consult LivingSocial for additional information as the investigation continues.

Cisco released three security advisories and two accompanying Applied Mitigation Bulletins:

Cisco also released the following Security Notices during the period:

Notable security reports for the period included the Verizon DBIR, the Akamai Q4 2012 State of the Internet Report, the Arbor Networks first quarter ATLAS report, and the APWG Phishing Report. Rapid7 released its InfoSec Southwest 2013 conference presentation on scanning for, and vulnerabilities in, serial port servers (also called terminal servers). Google recently released its Transparency Report for the second half of 2012, showing an increase in government requests to remove content, among other highlights of the requests received by Google.

IntelliShield published 127 events last week: 70 new events and 57 updated events. Of the 127 events, 63 were Vulnerability Alerts, four were Security Activity Bulletins, three were Security Issue Alerts, 53 were Threat Outbreak Alerts, and three were Applied Mitigation Bulletins. The alert publication totals are as follows:

Day         Date
Friday      04/26/2013
Thursday    04/25/2013
Wednesday   04/24/2013
Tuesday     04/23/2013
Monday      04/22/2013
Significant Alerts for the Time Period

Oracle Java Applet Object Type Confusion Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 29067, Version 1, April 23, 2013
Urgency/Credibility/Severity Rating: 3/5/4
Oracle Java Runtime Environment contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. Updates are available. Reports indicate that this vulnerability is being actively exploited in the wild.

Previous Alerts That Still Represent Significant Risk

Boston Marathon Spam Activity
IntelliShield Security Activity Bulletin 29020, Version 1, April 17, 2013
Urgency/Credibility/Severity Rating: 3/5/3
E-mail spam campaigns, fraudulent monetary scams, and exploits against known vulnerabilities are ongoing, related to the April 15, 2013 explosions at the Boston Marathon. Reports indicate that the attacker-controlled site may contain .jar files that can compromise vulnerable machines and may target the vulnerability documented in IntelliShield Alert 26159. Another spam campaign is linked to graphical HTML content claiming to be breaking news from CNN. Customers using Cisco products such as Cisco Intrusion Prevention System devices, Cloud Web Security, Email Security Appliances, and Web Security Appliances have been protected by these products since the beginning of the spam campaigns. The blog posts Yesterday Boston, Today Waco, Tomorrow Malware and Massive Spam and Malware Campaign Following the Boston Tragedy provide details about the campaigns.

Oracle Java SE Critical Patch Update for April 2013
IntelliShield Security Activity Bulletin 29004, Version 4, April 24, 2013
Urgency/Credibility/Severity Rating: 2/5/4
Multiple CVEs
Multiple vulnerabilities in the Oracle Java SE Java Runtime Environment (JRE) component could allow an unauthenticated, remote attacker to bypass security restrictions, access sensitive information, execute arbitrary code, or cause a denial of service condition on a targeted system. Oracle, Apple, CentOS, and Red Hat have released security advisories and updated software. Additional Java security information is available at Cisco Java Security Best Practices.

Apache Darkleech Malware Hijacking Activity
IntelliShield Security Activity Bulletin 28804, Version 1, April 3, 2013
Urgency/Credibility/Severity Rating: 3/5/4
Darkleech is an exploitation toolkit that could aid an unauthenticated, remote attacker in injecting malicious software on a targeted system. Reports indicate that Darkleech attacks have been ongoing since at least August 2012. Darkleech attacks have successfully targeted an estimated 20,000 websites running the Apache web server in the past few weeks, including prominent websites such as the Los Angeles Times in February and a blog for the hard drive manufacturer Seagate in March. Additional information is also available in the Cisco Security Blog post Apache Darkleech Compromises.

ISC BIND Crafted Regular Expression Remote Denial of Service Vulnerability
IntelliShield Vulnerability Alert 28730, Version 3, April 3, 2013
Urgency/Credibility/Severity Rating: 2/5/3
ISC BIND contains a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service condition. Updates are available. Red Hat and FreeBSD have released security advisories and updated patches.

Financial Institution Websites Targeted by Distributed Denial of Service Attacks
IntelliShield Security Activity Bulletin 27076, Version 4, March 26, 2012
Urgency/Credibility/Severity Rating: 3/5/3
Websites owned by banks and other financial institutions continue to be targeted by distributed denial of service attacks, decreasing availability of those sites to legitimate customers. DDoS attacks may still be ongoing. Site administrators are advised to take steps to protect their Internet-facing web services. Cisco has released a guide to protecting environments against DDoS attacks at the following link: Strategies to Protect Against Distributed Denial of Service (DDoS) Attacks. Cisco has also released an Applied Mitigation Bulletin, available at the following link: Identifying and Mitigating the Distributed Denial of Service Attacks Targeting Financial Institutions.

Oracle Java SE Security Bypass Arbitrary Code Execution Vulnerabilities
IntelliShield Vulnerability Alert 28462, Version 7, April 17, 2013
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2013-0809, CVE-2013-1493
Oracle Java SE contains vulnerabilities that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. Reports indicate that CVE-2013-1493 is being actively exploited by the McRat trojan. Oracle, Apple, IBM, HP, and Red Hat have confirmed these vulnerabilities and released patches.

Adobe Flash Player and AIR Security Updates for March 12, 2013
IntelliShield Vulnerability Alert 28565, Version 3, March 14, 2013
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2013-0646, CVE-2013-0650, CVE-2013-1371, CVE-2013-1375
Adobe Flash Player and AIR contain multiple vulnerabilities that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. Updates are available.

Multiple Java Security Explorations
IntelliShield Activity Bulletin 28404, Version 3, March 14, 2013
Urgency/Credibility/Severity Rating: 2/5/4
Security researchers have released details on multiple new instances of certain types of vulnerabilities in Oracle Java. The vulnerabilities result from flaws similar to recent vulnerabilities that take advantage of various Java Virtual Machine (JVM) components such as class loaders, bytecode verifiers, security managers, the JVM runtime execution engine and class definition, or the garbage collector. Proof-of-concept code that could aid attackers in building functional exploits is publicly available. Although Oracle has addressed many of these vulnerabilities in multiple Java SE critical patch advisories, reports have indicated that a few of these vulnerabilities remain unpatched.

Ruby on Rails Action Pack Parameter Processing Remote Code Execution Vulnerability
IntelliShield Vulnerability Alert 27831, Version 5, March 18, 2013
Urgency/Credibility/Severity Rating: 3/5/4
Ruby on Rails contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. Ruby on Rails, Apple, FreeBSD, and Red Hat have released security advisories and software updates. Functional code that exploits this vulnerability is publicly available as part of the Metasploit Framework.


Alleged Canadian Train Attack

The Royal Canadian Police (RCP) arrested two individuals on charges of terrorism because of an apparent plot to blow up passenger trains from the United States. One of the suspects had traveled recently to Iran and the RCP alleges that the trip was for "direction and guidance."
Alleged terror plot sparks concerns about trains, Pan Am Games

Analysis: If the charges are true, the plot would be similar in nature to the London bombings of 2005 where 52 people died when peroxide based explosives were detonated in backpacks aboard public transportation. A few weeks after the London bombings, there were failed repeat attacks where the bombs did not detonate, followed by a manhunt in which edgy police shot and killed the wrong person. The London bombers had no known direct assistance from Al-Qaeda. Additionally, the Spain train bombings of 2004 that killed 191 were Al-Qaeda inspired backpack explosions with residual duds found on train tracks a few weeks later. The alleged plot in Canada and the very real attacks in Europe all have one thing in common, which is to kill as many people on the passenger trains as possible.

The Pan Am Games in Toronto are in 800 days, and some are questioning whether the security budget is enough in light of the alleged plot. One thing about the Games is certain: the unfortunate juxtaposition of the plot with the marketing theme for the Games, "Expect the Unexpected."

Attacks and Compromises

#OpUSA Announced for May 7, 2013

An array of hacktivist groups has announced intentions to launch attacks targeting U.S. financial institutions on May 7, 2013, in an effort called Operation United States of America, or #OpUSA. Some of the hacktivist groups are affiliated with Anonymous and may have recently participated in the #OpIsrael attacks on Israeli websites. The groups are launching the attacks in protest of U.S. drone attacks across multiple countries and announced they were targeting U.S. banks because of the perceived impact on the United States.
7 May 2013 #opUSA

Analysis: U.S. financial institutions are always under varying levels of cyber attacks, and over the past several months the continued Operation Ababil Distributed Denial of Service (DDoS) attacks credited to the Izz ad-Din al-Qassam Cyber Fighters have resulted in increased defenses across the sector. The larger financial institutions are likely well prepared to handle any new attacks, as were many of the websites targeted in the #OpIsrael attacks. The primary concern is the smaller financial institutions and organizations that may not have experienced these attacks and developed the defenses and experience. As these types of attacks continue, and as has been seen with the Al Qassam attacks, the attacks are likely to shift from the large financial institutions to the smaller institutions and associated organizations, and possibly to other financial institutions and organizations outside the United States. While these attacks can be difficult for attackers to organize and execute, a strong defense and limited impact will likely cause the attackers to shift to what may be perceived as softer targets. All financial and associated organizations should be prepared to implement incident response plans and escalating defensive measures for this pending attack, as well as increased monitoring and vigilance to detect other types of penetration attacks that attempt to use the DDoS attacks as a diversion.


Visualization to Assist Security Analysts

A recent presentation at SOURCE Boston titled "Data Analysis & Visualization for Security Professionals," by Bob Rudis and Jay Jacobs, presented some more advanced techniques for visualizing the volumes of data generated by current monitoring and big data operations. The presentation provides several methods designed to provide a better representation of the data for security engineers, analysts, and managers. For those unable to attend the presentation, the slides and information are available on Bob Rudis' website.
Data Analysis & Visualization for Security Professionals

Analysis: The visualization of the mounting volume of data being collected is one problem that several groups are currently attempting to address. While some data analysis tools have built-in visualization capabilities and features, many have limited or no ability to provide a human-readable representation of the data that would assist analysts in identifying and further analyzing suspicious data. This presentation provides some in-depth representations and thoughts on how security engineers and analysts can improve visualization and address some of the current issues. As this field continues to develop, and as others work on the problem, new tooling, scripting, and graphics will become available in commercial and open source products. The state of the art for visualizing this volume of data is in its early stages, but security groups should monitor the developments and implement those that best fit their specific needs.


Twitter Panic on Wall Street

The Associated Press became the latest media outfit to have its Twitter account compromised, when a false tweet triggered a 145-point plunge in the Dow Jones Industrial Average last Tuesday. The compromised AP account tweeted: “Breaking: Two explosions in the White House and Barack Obama is injured.” Within seconds, automated trading systems compounded the human panic reaction, creating a roller coaster-like drop and full recovery seven minutes later. The “Syrian Electronic Army” (SEA) claimed credit for the hack. The SEA first became active in 2011, and is said to be affiliated with the regime of Syrian President Bashar Al-Assad. In recent weeks, SEA has broken into Twitter accounts belonging to CBS, NPR, and the BBC.
Twitter Plays Cat-and-Mouse with Hackers of the Syrian Electronic Army
AP Twitter Hack: Why the Dow Fell So Incredibly Fast, and Why It's a Problem
Syrian Electronic Army: Background, Operations, Government Affiliations

Analysis: There are two main takeaways for information security professionals from last week’s Dow Jones drama:

First is the impressive success of the Syrian Electronic Army's attacks against major media organizations' Twitter accounts. Twitter security teams have engaged in what is being dubbed a "whack-a-mole" chase, closing down compromised and bogus accounts as rapidly as they are created. Twitter is also reportedly considering two-factor authentication, but even that would not have prevented these attacks, attributed to phishing exploits. Given the success of politically motivated hacking, network security experts can expect it to proliferate. Moreover, given last week's news about the possible use of chemical weapons by the Assad regime—a stated 'red line' for the USA—attacks related to Syria may spike over the short term.

Second is the striking vulnerability of markets to social media in the new era of automated trading. According to Professor Michael Hudson, author of "The Bubble and Beyond," the average length of time a stock was held in 2011 was 22 seconds. Thanks to US legislation put in place after the "flash crash" of 2010, there are now "circuit breakers" that automatically pause trading in case of sudden swings. Still, the vulnerability remains, and the problem is not one to be solved by Twitter. It is first of all Wall Street's problem, but anything that is Wall Street's problem is everyone's problem. Algorithms will need to get smarter about breaking news and emotional responses. Indeed, software is uniquely qualified to avoid emotional and panic reactions; the problem is that algorithms are developed for financial institutions whose first priority is minimizing losses. It seems volatility has already been factored in by markets, given how fast they recovered last week. But things may not always turn out as well in the future.

Upcoming Security Activity

Cisco Live US: June 23-27, 2013
Black Hat 2013: July 27-August 1, 2013
DEFCON 2013: August 1-4, 2013

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following:

G8 Summit: May 17-18, 2013

Additional Information

For information and commentary from the experts in Cisco Security, please visit the Cisco Security Blog.

For timely information from across Cisco Security, please consider following @CiscoSecurity on Twitter.
Alert History

Initial Release

Product Sets
The security vulnerability applies to the following combinations of products.

Primary Products:
IntelliShield Cyber Risk Report Original Release, Base