December 3–9, 2007

The IntelliShield Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. The Cyber Risk Reports are a result of collaborative efforts, information sharing, and collective security expertise of senior analysts from Cisco security services that include the IntelliShield team (IntelliShield Alert Manager, Applied Intelligence, and IPS), ROS, PSIRT, the Corporate Security Programs Organization, and Legal Support.

Vulnerability

During the time period, vulnerability and threat activity levels remained consistent with the high levels reported during the preceding weeks.

Microsoft released a Security Advisory and Knowledge Base article to address an information disclosure vulnerability in the Web Proxy Auto-Discovery feature that affects the Windows operating system and the Internet Explorer web browser. An attacker could exploit this vulnerability to conduct a man-in-the-middle attack and gain access to sensitive information, including authentication credentials. Only limited technical details are publicly available; however, a system must meet very specific configuration requirements to be vulnerable. IntelliShield Alert 14683 details this vulnerability.

Microsoft released the Microsoft Security Bulletin Advance Notification for December 2007. Of the seven bulletins that are scheduled for release on December 11, 2007, Microsoft scored three with a maximum severity rating of Critical and four with a maximum severity rating of Important. These bulletins cover vulnerabilities that are associated with the Windows operating system, the DirectX APIs, the Internet Explorer web browser, and the Windows Media Format Runtime and Windows Media Services components.
Cisco released a Security Advisory and updated software to address the Windows system driver buffer overflow vulnerability affecting the Cisco Security Agent. IntelliShield reported this vulnerability in Alert 14655. A remote attacker could exploit this vulnerability to cause a denial of service condition or take complete control of the vulnerable system. A remotely exploitable vulnerability such as this, which likely affects a large number of highly sensitive systems, is an attractive target and may garner significant interest from agencies or individuals that are planning attacks. Public knowledge of the details of this vulnerability may place these sensitive systems at increased risk.

Malicious code activity during the time period included LiveDeath.A, a new trojan using old tactics of destructive behavior. IntelliShield Alert 14719 details this trojan. In the past, the goal for malware authors was to cause as much damage to an infected system as possible by formatting hard drives and erasing data in addition to other harmful actions. When the trojan LiveDeath.A is executed on a system, a question and answer game is launched. When a user completes the game, the trojan attempts to delete all files from the C:\ drive and reboot the system. This malicious code may delete enough files to render the affected system inoperable.

IronPort reported a virus outbreak on December 6, 2007 for a variant of the Pushdo family of trojans, as documented in IntelliShield Alerts 14612 and 14290. The latest spamming of Pushdo appears to be propagating using naked.zip as the e-mail attachment, with naked.exe as the malicious executable. Currently, this trojan has limited antivirus detection. Security best practices dictate that administrators should restrict or block all file formats that are commonly associated with malicious code from entering the corporate network. Only files specifically required for business purposes should be allowed to enter the network.
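The attachment policy in the preceding paragraph, shown as an added example that is not code from the original report: a mail-gateway style filter that rejects attachments by extension and also looks inside zip archives, so that an archive named naked.zip wrapping naked.exe is caught rather than waved through because ".zip" is not on the block list. The block list, the nesting limit, and the sample archives are constructed for this example and should be tailored to what the business actually needs to receive.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Constructed block list of extensions commonly associated with malicious code.
BLOCKED_EXTENSIONS = {
    ".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js", ".hta", ".dll",
}
MAX_NESTING = 3          # how many zip-inside-zip layers to open before refusing
MAX_MEMBER_BYTES = 10_000_000  # refuse to expand members larger than this (zip bombs)


def _extension(name: str) -> str:
    """Lower-cased final extension of a member or attachment name."""
    return PurePosixPath(name.replace("\\", "/")).suffix.lower()


def find_blocked(filename: str, data: bytes, depth: int = 0) -> list[str]:
    """Return the reasons this attachment should be blocked (empty list if clean)."""
    reasons = []
    ext = _extension(filename)
    if ext in BLOCKED_EXTENSIONS:
        reasons.append(f"{filename}: blocked extension {ext}")
    # Executables usually arrive wrapped in an archive, so inspect archive members too.
    if zipfile.is_zipfile(io.BytesIO(data)):
        if depth >= MAX_NESTING:
            reasons.append(f"{filename}: archive nested deeper than {MAX_NESTING}")
            return reasons
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                if info.file_size > MAX_MEMBER_BYTES:
                    reasons.append(f"{filename} -> {info.filename}: member too large to inspect")
                    continue
                for reason in find_blocked(info.filename, zf.read(info), depth + 1):
                    reasons.append(f"{filename} -> {reason}")
    return reasons


def is_allowed(filename: str, data: bytes) -> bool:
    """Policy decision for one attachment."""
    return not find_blocked(filename, data)


def _make_zip(entries: dict) -> bytes:
    """Build a small in-memory zip archive for the constructed samples below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: the member contents are placeholder bytes, not real files.
SAMPLE_MALICIOUS = _make_zip({"naked.exe": b"MZ placeholder, constructed for the example"})
SAMPLE_BENIGN = _make_zip({"report.pdf": b"%PDF-1.4 placeholder, constructed"})

if __name__ == "__main__":
    for name, blob in (("naked.zip", SAMPLE_MALICIOUS), ("report.zip", SAMPLE_BENIGN)):
        print(name, "allowed" if is_allowed(name, blob) else find_blocked(name, blob))
```

The filter deliberately reports every reason rather than stopping at the first, which gives the mail administrator a usable audit record; the member-size and nesting limits keep a hostile archive from exhausting the gateway while it is being inspected.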
IntelliShield published 120 events last week: 51 new events and 69 updated events. Of the 120 events, 94 were Vulnerability Alerts, 12 were Security Issue Alerts, five were Daily Malicious Code Summaries, four were Security Activity Bulletins, four were Malicious Code Alerts, and one was the Cyber Risk Report. The alert publication totals are as follows:

Weekly Alert Totals
Significant Alerts for December 3–9, 2007

Cisco Security Agent Windows System Driver Buffer Overflow Vulnerability

Cisco Security Agent contains a vulnerability that could allow an attacker to cause a denial of service or execute arbitrary code. A remotely exploitable vulnerability such as this, one that likely affects a large number of highly sensitive systems, is a very attractive target and may garner significant interest from agencies or individuals perpetrating attacks. Public knowledge of the details of this vulnerability may place these sensitive systems at increased risk. Cisco has confirmed this vulnerability and released updated software.

Previous Alerts That Still Represent Significant Risk

Apple QuickTime RTSP Response Content-Type Header Buffer Overflow Vulnerability

Apple QuickTime Player contains a buffer overflow vulnerability that could allow an attacker to cause a denial of service condition or execute arbitrary code. With the release of functional exploit code, this vulnerability will likely be exploited in the wild. The vulnerability is triggered during the initial handshake of the RTSP negotiation via a malformed Content-Type header. An attacker is required to send less than 2000 bytes of data to compromise an affected host. Because of the nature of the vulnerability, attackers have a large payload window that they may leverage.

Microsoft Internet Explorer Script Error Handling Memory Corruption Vulnerability

Microsoft Internet Explorer contains a vulnerability that could allow an attacker to execute arbitrary code. Attackers cannot exploit this vulnerability directly and instead must convince a user to visit a malicious website. The Cisco Remote Operations Services organization has detected activity that indicates public attempts to exploit this vulnerability. Microsoft has confirmed this vulnerability in a security bulletin and released updates.
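A detection-side illustration of the QuickTime RTSP item above, added here and not part of the original report: a small RTSP response sanity check of the kind a filtering proxy or IDS would run on traffic returning from a media server, flagging an oversized or duplicated Content-Type header before the response reaches the client. The header-length and header-count limits, and the two sample responses, are assumptions constructed for the example; legitimate RTSP Content-Type values are short media types such as application/sdp, so a value anywhere near the figure quoted in the alert is clearly anomalous.

```python
# Assumed limits (not from the original report).
MAX_HEADER_VALUE_LEN = 256
MAX_HEADER_COUNT = 64


def parse_rtsp_response(raw: bytes):
    """Split an RTSP response into (status_line, [(name, value), ...], body).

    Header names are lower-cased str; values stay as raw bytes. A line with no
    colon is recorded under the name "<malformed>" so the checker can report it.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    status_line = lines[0].decode("ascii", errors="replace")
    headers = []
    for line in lines[1:]:
        if not line:
            continue
        name, colon, value = line.partition(b":")
        if not colon:
            headers.append(("<malformed>", line))
            continue
        headers.append((name.strip().lower().decode("ascii", errors="replace"), value.strip()))
    return status_line, headers, body


def check_rtsp_response(raw: bytes) -> list[str]:
    """Return a list of findings; an empty list means the response looks sane."""
    findings = []
    status_line, headers, _ = parse_rtsp_response(raw)
    if not status_line.startswith("RTSP/1.0 "):
        findings.append(f"unexpected status line: {status_line[:40]!r}")
    if len(headers) > MAX_HEADER_COUNT:
        findings.append(f"too many headers ({len(headers)})")
    seen = {}
    for name, value in headers:
        seen[name] = seen.get(name, 0) + 1
        if name == "<malformed>":
            findings.append(f"malformed header line: {value[:40]!r}")
        elif len(value) > MAX_HEADER_VALUE_LEN:
            findings.append(f"oversized {name} header ({len(value)} bytes)")
    for name, count in seen.items():
        # Two Content-Type or Content-Length headers means the parser on each
        # side may pick a different one; treat that as suspicious.
        if count > 1 and name in ("content-type", "content-length"):
            findings.append(f"duplicate {name} header ({count} times)")
    return findings


# Constructed sample responses.
SAMPLE_OK = (
    b"RTSP/1.0 200 OK\r\nCSeq: 2\r\n"
    b"Content-Type: application/sdp\r\nContent-Length: 5\r\n\r\nv=0\r\n"
)
# Filler bytes only: this models the *shape* of an anomalous header, nothing more.
SAMPLE_OVERSIZED = b"RTSP/1.0 200 OK\r\nCSeq: 2\r\nContent-Type: " + b"A" * 1500 + b"\r\n\r\n"

if __name__ == "__main__":
    for label, sample in (("ok", SAMPLE_OK), ("oversized", SAMPLE_OVERSIZED)):
        print(label, check_rtsp_response(sample) or "no findings")
```

A proxy that applies this check would drop or log the response instead of forwarding it; the same limits can be expressed as an IDS content rule on the DESCRIBE reply, which is the "initial handshake" stage the alert refers to.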
Microsoft Internet Explorer ShellExecute() URL Handling Vulnerability

Microsoft Internet Explorer contains a vulnerability that may allow an attacker to execute arbitrary commands with the privileges of the user. If the user possesses sufficient privileges, an exploit could allow the attacker to gain full control over the affected system. This vulnerability was originally disclosed in July 2007. Exploit code is now publicly available, and attackers are actively exploiting this vulnerability in the wild. Microsoft has confirmed this vulnerability in a security advisory, and third-party vendor updates are available.

RealNetworks RealPlayer ierpplug.dll ActiveX Control Arbitrary Code Execution Vulnerability

RealPlayer contains a vulnerability that could allow an attacker to execute arbitrary code with the privileges of the user. Exploit code is publicly available, and reports indicate that active exploitation is currently ongoing. RealNetworks has confirmed this vulnerability and released updates.

Microsoft Word Memory Corruption Vulnerability

Microsoft Word and Office for Mac contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code with the privileges of the user. Malicious code that exploits this vulnerability is circulating in the wild. IntelliShield reported this malicious code as a variant of the Mdropper trojan in Alert 12562. An unauthenticated, remote attacker could exploit this vulnerability to execute arbitrary code with the privileges of the user that started the affected application. Depending on the privileges of the user, the attacker could create new accounts, install programs, or view, change, or delete data.

Security Activity Bulletin: Oracle Critical Patch Update October 2007

Oracle released the October 2007 Critical Patch Update to address 51 vulnerabilities across Oracle products. Oracle does not publicly release technical details that concern specific vulnerabilities.
IntelliShield expects independent security researchers to release details regarding individual vulnerabilities as researchers test and verify the Oracle patches.

Samba WINS Server Daemon Buffer Overflow Vulnerability

Samba contains a vulnerability that could allow an attacker to cause a denial of service condition or execute arbitrary code. Only systems configured as WINS server daemons are vulnerable; however, this is a common configuration in environments that use Samba to perform domain authentication. Due to the large number of potential targets, this type of vulnerability could be used to produce malicious code that propagates in an automated manner.

Physical

Heavy Storms in Northwestern United States Disrupt Businesses and Services

Heavy storms during the time period damaged an undersea cable route that is used by Southern Cross Cable to connect Australian Internet service providers (ISPs) to global Internet hubs located in the United States (U.S.). Southern Cross Cable provides broadband Internet service to several Australian ISPs, including iiNet, Internode, and AAPT. The company also has an additional undersea cable route, currently unaffected, that travels from Hawaii to California. Storm conditions caused power outages in Washington, U.S., affecting the Imperium Renewables biodiesel plant in Grays Harbor. The weather conditions also caused severe flooding.

IntelliShield Analysis: The impact to the Australian ISPs will vary depending on the way affected ISPs respond to the rerouting of IP traffic; however, each ISP can expect drastically reduced bandwidth and possible network outages until the situation can be resolved. Southern Cross Cable has not publicly released a timeframe for service to be restored to full capacity. Because it is relatively early in the winter season, storms will likely continue to mount.
Organizations should ensure that business continuity plans are in place in order to prepare for interruptions of day-to-day business operations due to loss of power, low employee attendance, and employee safety.

Legal

Botnet King Arrested

New Zealand police have apprehended Owen Walker, who is suspected of being in control of one million bot-infected slave computers. This arrest occurred after an information-sharing session between the United States Federal Bureau of Investigation (FBI) and the New Zealand police. The FBI has linked the botnets that were allegedly under Walker's control to a denial of service attack against the University of Pennsylvania systems in the U.S. in early 2006. Walker has been released from prison while authorities continue forensic examinations of his seized computers.

IntelliShield Analysis: The FBI, in the midst of what is being called Operation Bot Roast, is attempting to discover the persons responsible for creating and controlling botnets. The case in New Zealand is a part of that operation. It is interesting to see that the U.S. government is acting specifically against botnet owners, trying to shut them down. While going after the large number of infected systems is a much more difficult problem to address, shutting down command and control infrastructure and prosecuting the controllers is a worthwhile tactic. Recent efforts by the FBI and other law enforcement agencies have shown an increase in the attention paid to cybercrime and international cooperation, both of which are good signs for businesses.

Trust

Equipment Stolen from Verizon Data Center

In Britain, London's Metropolitan Police have reported that the Verizon data center near King's Cross station was robbed. A group of men dressed as police officers and claiming to be investigating reports of people on the roof convinced Verizon staffers to let them inside of the data center.
Once inside, the perpetrators tied up the staff members, grabbed computer equipment, and left. Verizon is unsure of the value of the equipment stolen but has assured customers that the theft will not affect business operations. The robbery investigation is being conducted by the Serious and Organized Crime Command of the Metropolitan Police.

IntelliShield Analysis: Without additional details, it is difficult to ascertain how much access the criminals had to the data center and what was involved in coercing the staff. Access controls may have deterred the robbery or slowed it enough to allow the legitimate police to be summoned. Most people want to be helpful, and the sight of a uniform usually induces compliance. Under certain circumstances, employees and staff may be allowed to deny access to police forces until proper identification is produced. Telephone calls to dispatchers may also be used to confirm the identity and motivation of those claiming to be law officers. Reminding workers of this capability may help them make safe decisions if they are under pressure to respond quickly.

Identity

Canadian Passport Security Breach

A security breach in an online filing system was recently discovered in the Passport Canada website. The breach disclosed sensitive information belonging to passport applicants, including social insurance numbers, birth dates, and driver's license numbers. An online passport applicant discovered the weakness by modifying a single character of the Internet address, which allowed the applicant to view the applications of other people. Officials at Passport Canada confirmed the weakness and shut down the website. A spokesperson for Passport Canada said that the incident was an "isolated anomaly" and that measures are in place to prevent weaknesses. The website resumed operations December 3, 2007; however, reports indicate that personal information, such as applicant names and addresses, continued to be disclosed.
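The class of weakness behind the Passport Canada item above, where changing one character of the address returns someone else's application, is an authorization check that is missing from the object lookup. The following is an added example, not code from the original report or from Passport Canada: a vulnerable lookup beside a hardened one that ties every record to the account that owns it, logs denied attempts so that id probing is visible to the operations team, and replaces sequential ids with opaque references. The application store, account names, and sample values are all constructed for the example.

```python
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Application:
    owner: str       # account that submitted the application
    applicant: str
    sin: str         # constructed placeholder, not a real social insurance number


# Constructed in-memory store keyed by sequential application id, the kind of
# reference that is trivially altered by changing one character in a URL.
APPLICATIONS = {
    1001: Application("alice", "Alice Example", "000-000-001"),
    1002: Application("bob", "Bob Example", "000-000-002"),
}


def view_application_vulnerable(session_user: str, app_id: int):
    """Insecure: returns whatever record the id points to, regardless of who asks."""
    return APPLICATIONS.get(app_id)


# Audit trail of denied lookups. In production this feeds the SIEM: a burst of
# denials from one session is the signature of someone walking the id space.
DENIED = []


def view_application(session_user: str, app_id: int):
    """Hardened: a record is returned only to the account that owns it.

    A record that does not exist and a record owned by someone else produce
    the same result, so a caller cannot even learn which ids are in use.
    """
    record = APPLICATIONS.get(app_id)
    if record is None or record.owner != session_user:
        DENIED.append((session_user, app_id))
        return None
    return record


# Second layer: hand out opaque, unguessable references instead of sequential
# ids. The ownership check above still applies, because a reference can leak
# (browser history, referrer headers, shared screenshots).
REFERENCES = {secrets.token_urlsafe(16): app_id for app_id in APPLICATIONS}


def reference_for(app_id: int) -> str:
    """Look up the opaque reference issued for an application id."""
    for ref, stored_id in REFERENCES.items():
        if stored_id == app_id:
            return ref
    raise KeyError(app_id)


def view_by_reference(session_user: str, ref: str):
    """Resolve an opaque reference, then apply the same ownership check."""
    app_id = REFERENCES.get(ref)
    if app_id is None:
        DENIED.append((session_user, ref))
        return None
    return view_application(session_user, app_id)


if __name__ == "__main__":
    # alice edits the id in her own URL from 1001 to 1002
    print("vulnerable:", view_application_vulnerable("alice", 1002))
    print("hardened:  ", view_application("alice", 1002))
    print("denied log:", DENIED)
```

The ownership check is the fix; the opaque reference only reduces how easily a missing check is found, and the denied-access log is what turns a quiet information leak into an alert that the operations team can act on, which is the kind of spot check the analysis that follows recommends.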
IntelliShield Analysis: A spokesperson for Passport Canada asserted that the website continues to be a "highly secure application," but recent breaches are a cause for concern. Canadian government agencies are not alone in facing exposures such as this one, but agencies are at a serious disadvantage if underprepared in their IT budgets to address testing. Organizations are encouraged to appropriately assign resources to verify code before it goes into production use and to perform appropriate spot checks through penetration tests or other means after code is in use.

Human

Christmas Malware Circulating

Malware authors often take advantage of the holiday season, and Christmas is a popular holiday for attackers to try to implement social engineering exploits. A recent variant of the Agent family of worms is circulating via e-mail disguised as an e-card. The e-mail contains a link to a false Yahoo! greeting card site. Users who follow the link are prompted to download a phony update for a flash player to view the e-card. The flash player update is the worm and, if it infects a system, can steal and upload information from the user's system to an attacker-controlled website. Reports indicate that a variant of the Zapchas family of trojans is also circulating as an e-card. The Zapchas trojan installs a backdoor on the system, allowing an attacker to execute commands on the infected system using IRC.

IntelliShield Analysis: The holiday season is a prime time for malware authors to use e-cards as a form of social engineering by convincing users to follow malicious links provided in e-mails. Users receiving e-mails that contain an e-card or otherwise suspicious link or attachment should verify the authenticity of the source before following such links or opening attachments. User education about social engineering schemes can protect hosts as well as business assets and information.
Organizations are strongly encouraged to emphasize education at all levels to protect against a variety of social engineering tactics.

Geopolitical

China Faces High-level Accusations of Cyber-spying

In recent weeks, there has been a flurry of accusations leveled at China of electronic espionage directed at Western governments and businesses. During the time period, Britain's domestic security agency, MI-5, issued written warnings to companies that Chinese government-sponsored cybercrime targeting United Kingdom (U.K.) businesses is on the rise. The warnings reportedly were sent to some 300 firms, including banks and financial institutions. The Chinese government is reported to have reacted angrily to the letters, which came in the wake of a United States (U.S.) Congressional report issued just two weeks earlier naming Chinese cyber attacks as the single biggest threat to the security of U.S. technology. The U.S. and U.K. actions join similar complaints in recent months from other countries. France, Germany, Australia, and New Zealand have also complained of China-based hacking of sensitive government networks. Allegations of electronic espionage at several major commercial enterprises have surfaced in recent weeks as well, including Rolls Royce and Royal Dutch Shell.

IntelliShield Analysis: Given the difficulty of proving the origin of an external electronic attack, and particularly of proving state sponsorship of cybercrime, these high-level public accusations stand out. Regardless of their validity, these cases have served to increase tensions between China and Western governments. These cases have also heightened security awareness in Western government institutions and private enterprises as China seeks to close the technology gap.
Upcoming Security Activity

Microsoft Security Bulletin Update for December: December 11, 2007

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following dates:

Hanukkah: December 4–12, 2007

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit

For information on obtaining a free, 30-day trial of the Cisco Security IntelliShield Alert Manager Service, please visit

This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.
