Cyber Risk Report

April 20–26, 2009

The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.

Vulnerability

While activity levels have decreased, overall trends do not appear to have changed significantly during the time period. With the popular RSA Conference 2009 occurring April 20–23 in San Francisco, California, the focus may have temporarily shifted away from threat reporting.

The Rustock botnet has been known primarily as a prolific spam source. Cisco Security Intelligence engineers recently noticed a change in Rustock behavior and have reported that the botnet is attempting to grow larger by exploiting additional systems. IntelliShield previously reported on this trojan in IntelliShield Daily Malicious Code Summaries 11062 and 11243. Sources indicate that the botnet may account for approximately 26 percent of all spam. Typically, it is capable of sending hundreds of thousands of spam messages an hour from a single, low-end system. Additional details on the evolution of the Rustock botnet are available in IntelliShield alert 18062.

Following the release of the Oracle Critical Patch Update Advisory for April 2009, several of the vulnerabilities patched have been updated. For two of these vulnerabilities, documented in IntelliShield alerts 18066 and 18039, exploit examples have emerged publicly.

Mozilla recently updated its Firefox, Thunderbird, and Seamonkey products to correct nine vulnerabilities. Most of these vulnerabilities were not severe; however, three of the vulnerabilities could allow code execution or privilege elevation and users are encouraged to apply the appropriate updates.

IntelliShield published 53 events last week: 31 new events and 22 updated events. Of the 53 events, 43 were Vulnerability Alerts, three were Security Activity Bulletins, four were Threat Outbreak Alerts, one was a Security Issue Alert, one was an Applied Mitigation Bulletin, and one was the Cyber Risk Report. The alert publication totals are as follows:

Weekly Alert Totals

Day           Date         New   Updated   Total
Friday        04/24/2009     9         9      18
Thursday      04/23/2009     6         9      15
Wednesday     04/22/2009     3         1       4
Tuesday       04/21/2009     6         0       6
Monday        04/20/2009     7         3      10
Weekly Total                31        22      53

Previous Alerts That Still Represent Significant Risk

Worm: W32/Conficker.worm
IntelliShield Malicious Code Alert 17121, Version 18, April 9, 2009
Urgency/Credibility/Severity Rating: 4/5/3

W32/Conficker has changed its command and control communication methods and begun to download malicious files to infected systems. Conficker has now changed from malicious code that infects vulnerable systems into an operational botnet. It is expected to continue to attempt to infect vulnerable systems, change its command and control communication, and download additional malicious files to infected systems.

Adobe Acrobat Products PDF File Buffer Overflow Vulnerability
IntelliShield Vulnerability Alert 17665, Version 7, March 19, 2009
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2009-0658

Adobe Reader, Adobe Acrobat Professional, Acrobat Professional Extended, and Acrobat Standard contain a buffer overflow vulnerability that could allow a remote attacker to create a denial of service condition or execute arbitrary code with the privileges of the user. The level of user privileges and the code that is executed determine the degree to which the system is compromised. This vulnerability is actively being exploited in the wild by the Pidief family of trojans. Additional information about the trojan is available in IntelliShield alert 14388. Adobe has confirmed the vulnerability and released updated software for Version 9 of the affected products.

Microsoft Office Excel Invalid Object Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 17689, Version 5, March 6, 2009
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2009-0238

Microsoft Excel and related products contain a vulnerability that could allow a remote attacker to execute arbitrary code. Attackers are actively exploiting this vulnerability to conduct limited malicious code attacks that are designed to infect targeted systems with a variant of the Mdropper family of trojans. This family of trojans is detailed in IntelliShield alert 12562. Microsoft has confirmed this vulnerability, but updated software is not available.

Misconfigured Router Causes Increased BGP Traffic and Isolated Outages for Internet Services
IntelliShield Security Activity Bulletin alert 17657, Version 2, February 20, 2009
Urgency/Credibility/Severity Rating: 2/5/3

On Monday, February 16, 2009, a misconfigured router from SuproNet, a Czech Internet Service Provider, caused a sharp increase in Border Gateway Protocol (BGP) updates, as well as isolated outages for Internet services around the world. The disruption was caused by a SuproNet router that issued routing announcement updates that contained overly long Autonomous System (AS) paths. Cisco Security Intelligence Operations has released additional technical information and workarounds to mitigate denial of service conditions that result from overly long AS paths. This information is available in IntelliShield alert 17670. OpenBSD has fixed a similar flaw, which is described in IntelliShield alert 17658.
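The following is an added example, not code from this report or from Cisco's published workaround: it decodes a BGP AS_PATH attribute and rejects an update whose path carries more AS numbers than a configured limit, which is the defensive idea behind capping accepted AS-path length at the border. The limit value, the 2-byte AS number format, and the sample paths are assumptions constructed for the example.

```python
"""Added example: decode BGP AS_PATH segments and enforce a length cap,
so an update with an absurdly long AS path is dropped instead of processed."""
import struct

AS_SET, AS_SEQUENCE = 1, 2

def parse_as_path(raw, asn_size=2):
    """Decode AS_PATH: a series of segments, each type(1) | count(1) | ASNs."""
    fmt = ">H" if asn_size == 2 else ">I"
    segments, pos = [], 0
    while pos < len(raw):
        if pos + 2 > len(raw) or raw[pos] not in (AS_SET, AS_SEQUENCE):
            raise ValueError("truncated or unknown segment header")
        seg_type, count = raw[pos], raw[pos + 1]
        pos += 2
        end = pos + count * asn_size
        if end > len(raw):
            raise ValueError("truncated segment body")
        asns = [struct.unpack(fmt, raw[i:i + asn_size])[0]
                for i in range(pos, end, asn_size)]
        segments.append((seg_type, asns))
        pos = end
    return segments

def as_path_length(segments):
    """Count every AS number carried (AS_SET members included): the conservative measure."""
    return sum(len(asns) for _, asns in segments)

def accept_update(raw, max_as=75, asn_size=2):
    """True if the AS_PATH is well formed and within max_as entries (limit is assumed)."""
    try:
        return as_path_length(parse_as_path(raw, asn_size)) <= max_as
    except ValueError:          # malformed attribute: reject, never crash the session
        return False

def encode_as_path(segments, asn_size=2):
    """Build an AS_PATH attribute; used here only to construct sample input."""
    fmt = ">H" if asn_size == 2 else ">I"
    out = bytearray()
    for seg_type, asns in segments:
        for i in range(0, len(asns), 255):       # segment count field is one byte
            chunk = asns[i:i + 255]
            out += bytes([seg_type, len(chunk)])
            out += b"".join(struct.pack(fmt, a) for a in chunk)
    return bytes(out)

# Constructed samples: a normal 3-hop path and a path padded out to 300 ASNs
NORMAL_PATH = encode_as_path([(AS_SEQUENCE, [64500, 64501, 64502])])
PADDED_PATH = encode_as_path([(AS_SEQUENCE, [64500] * 300)])
```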

Microsoft Internet Explorer Uninitialized Memory Corruption Vulnerability
IntelliShield Vulnerability Alert 17519, Version 6, March 13, 2009
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2009-0075

Microsoft Internet Explorer Version 7.0 contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code or crash the browser, resulting in a denial of service condition. On systems that grant users Administrator privileges, an attacker could execute code that may result in the complete compromise of the affected system. Reports have confirmed the existence of exploit code that is being delivered using a Microsoft Office Word document saved in the XML format. Exploits have been observed wherein attackers build Word documents using XML constructs, save them as .doc files, and deliver the malicious document via e-mail or host it on websites. Several antivirus vendors are reporting the activity.

Worm: W32.Waledac
IntelliShield Malicious Code Alert 17327, Version 9, February 13, 2009
Urgency/Credibility/Severity Rating: 4/5/4

W32.Waledac is a worm that attempts to open a back door on an infected system. The worm propagates by sending a copy of itself to e-mail addresses found on the infected system. Recently, the Waledac family was observed disguising itself as valentine-related e-cards. The e-mail messages are configured to take advantage of interest in current events or holidays to convince users to open malicious e-mail attachments. W32.Waledac may download files on an infected system and provide an attacker with backdoor access. The worm also attempts to steal confidential information that is related to numerous online banking entities.

Physical

European Union Releases Terrorism Situation and Trend Report

Europol released the European Union (EU) Terrorism Situation and Trend Report covering terrorist activity in the member states for 2008. The statistics show a 24 percent decrease in 2008 activity from 2007. The total number of identified successful or unsuccessful terrorist attacks was 515, with 1009 terrorism-related arrests across the EU member states. The vast majority of these attacks occurred in France and Spain. Identifying the attacks by the Europol categories showed 77 percent were identified as separatist, five percent as left-wing groups, and no terrorist attacks (0 percent) were identified as Islamist terrorism (the number excludes United Kingdom data). The report also noted that the Internet is central to all terrorist groups for communications, propaganda, and recruiting. Many groups identified by the report maintain their own websites.

IntelliShield Analysis: There was one Islamist terrorism attack in the United Kingdom in 2008, but that attack was excluded from the official EU statistics. Even so, the report's statistics may surprise many and could raise more questions than they answer. Islamist terrorism is still considered the biggest global threat by many countries, yet the statistics do not seem to support that conclusion. The EU and other countries have greatly increased intelligence and law enforcement counter-terrorism activities, signified by the continuing high number of arrests. This may suggest the known Islamist terrorism groups have been identified and severely restricted in financing, planning, and executing attacks. Arrest statistics also indicate the majority of the Islamist arrests were identified as belonging to small, home-grown groups that were not associated with prominent Islamist terrorist organizations. While these report statistics may accurately represent the physical situation, on the Internet the full spectrum of terrorist groups is highly active and continues to grow.

Legal

Potential Conflict of Interest Throws Pirate Bay Decision Into Doubt

After a guilty verdict was reached in the Pirate Bay case in Sweden, sentencing was set at one year of jail time and fines exceeding US$4 million. Defense lawyers are attempting to appeal to a higher court to retry the case because new information has surfaced regarding a potential conflict of interest regarding the presiding judge in the case. Tomas Norstrom, the judge in the original case, belongs to the Swedish Copyright Association and is a board member for the Swedish Association for the Protection of Industrial Property.

IntelliShield Analysis: Memberships to the entertainment industry copyright advocate organizations may be the basis for declaring a retrial in the Pirate Bay trial. Believing the judge may have been influenced by his associations with the recording and entertainment industry groups, the defense may seek a retrial with a judge more sympathetic to their position. Even if the request for a retrial is not granted, the defense is likely to appeal the final verdict.

Trust

Gathering Storm over Cloud Security

Cloud security overshadowed discussions held at the annual RSA Conference 2009, with industry leaders sounding alarms and the release of a Deloitte/Ponemon Institute survey that reported that 82.6 percent of the businesses surveyed had no formal plans in place to protect the data they have entrusted to third-party cloud storage providers. According to press reports, nearly 45 percent of the survey respondents are using cloud computing services for data storage (27.7 percent), e-mail (12.8 percent), financial applications (17 percent), and database applications (16.1 percent).

IntelliShield Analysis: The excitement generated by the buzz surrounding the potential benefits of cloud computing may have de-emphasized concerns about risks to data security. Legal and regulatory compliance issues could also obscure the real costs incurred when entrusting data to third-party cloud service providers. Businesses are advised to ensure they perform due diligence, detail the security levels and controls in the service level agreements, know where and how their data is physically and logically stored, and review cloud service providers' compliance and regulatory documentation for the countries over which cloud services may transit.

Identity

Hackers Pay Thousands for Old Nokia Phones

A discontinued model of a Nokia cell phone that was manufactured in the millions is now commanding prices up to US$32 thousand in secondary markets, prompting interest from fraud investigators. The Nokia 1100 models that are in high demand were made in a factory in Bochum, Germany. Investigators have found that this model may contain a software error that allows attackers to obtain the onetime password or transaction authentication number (TAN) that is necessary to complete a banking transaction. Some European banks have been configured to send a number to a user's cell phone as a security measure to overcome phishing attacks. By reprogramming the phone number attached to the affected phone, attackers may be able to acquire the TAN for an arbitrary user's phone number.

IntelliShield Analysis: Hackers have been collecting usernames and passwords for banking accounts from a variety of sources, including spyware and phishing attacks. For accounts that require a onetime password, the collected information is not enough to compromise an account. If what has been reported about the Nokia 1100 model is true, attackers could obtain the TAN for user credentials already collected and bypass the anti-phishing protections of the onetime password or TAN. While fraud investigators have not verified that this TAN attack works, the fact that hackers are willing to pay tens of thousands of dollars for one of the phones is an indication that the reports are probably true. Banks may need to reprogram their TAN processing software to defeat this new threat.

Human

There was no significant activity in this category during the time period.

Geopolitical

United States has a New Chief Technology Officer

Aneesh Chopra, former Commonwealth of Virginia Secretary of Technology, has been named the new national Chief Technology Officer for the United States, according to press reports. Chopra will work closely with new Chief Information Officer Vivek Kundra to use technology to streamline, strengthen, and make more transparent a host of public services, including healthcare and education. The choice has met with a generally positive reception from the technology community, as Chopra is seen as a strong advocate for more and better technology solutions for a wide variety of public needs.

IntelliShield Analysis: As more public services go online, both the quantity and criticality of data at risk increase exponentially. This process is inevitable and the potential benefits probably outweigh the concerns, but digitization of public services is a nightmare for information security professionals. From a legal perspective, privacy concerns surrounding access and the inevitable leakage of personal information must also be confronted. The problems Chopra and Kundra will wrestle with are relevant to a host of technology-related issues handled by competing government authorities, virtually guaranteeing power struggles. Chopra and Kundra, along with corporate technology partners and government IT stakeholders, may be wise to seek public understanding of the risks involved as they seek to guide public services down this promising but perilous road.

Upcoming Security Activity

CSI SX Security Exchange: May 17–21, 2009
Cisco Live: June 27–July 2, 2009

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following dates:

India General Elections: April 16–May 13, 2009
May Day: May 1, 2009

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit
      Cisco Security IntelliShield Alert Manager Service

For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit
      Trial Registration



This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.
