
Cyber Risk Report

February 23–March 1, 2009

The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.

Vulnerability

Vulnerability and threat activity levels remained consistent with those from previous weeks. The majority of vulnerability activity came from major vendors releasing security advisories and updated software to address vulnerabilities in their products.

Adobe released security advisories and updated software to address five vulnerabilities in the Adobe Flash Player and two vulnerabilities in the Adobe RoboHelp server. Included among the vulnerabilities that Adobe resolved were two variations of an attack technique known as clickjacking. This technique allows an attacker to control user mouse clicks through various means. The attacker can perform multiple actions such as accessing user webmail accounts, redirecting users to a website that installs malicious code onto user systems, or accessing restricted information. Web 2.0 technologies, such as Adobe Flash Player, are becoming more integrated in the current business environment. Attackers are increasingly using vulnerabilities in these technologies to compromise user systems.

Cisco released three security advisories as well as updated software to address multiple vulnerabilities in ACE, Application Networking Manager, and Unified MeetingPlace. These vulnerabilities include the existence of default credentials, authentication bypass, and privilege escalation. Cisco also released a security response detailing a persistent cross-site scripting vulnerability in Cisco Unified MeetingPlace. This response was part of a coordinated release between Cisco PSIRT and the Security Assurance Team of the National Australia Bank.

Microsoft released a security advisory and updated software to address the NoDriveTypeAutoRun registry setting handling issue, as detailed in IntelliShield alert 15504. The NoDriveTypeAutoRun setting is commonly used to disable AutoRun functionality. Malicious software often attempts to propagate using removable media devices, using the AutoRun features to execute malicious programs when the media device is read by a Windows system. Because of this issue, some AutoRun features may remain active even though the system is configured to disable AutoRun, leaving the system misconfigured or behaving in undocumented ways.
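As an added illustration that is not part of the report, the PowerShell check below reads the NoDriveTypeAutoRun policy from the machine and user policy keys and decodes which drive types the mask excludes from AutoRun, so an administrator can confirm the intended policy is present. The registry paths and bit values are assumptions taken from Microsoft's documentation of this setting, not from the report.

```powershell
# Added example (not from the Cisco report): report the NoDriveTypeAutoRun policy
# on a Windows host and decode which drive types it excludes from AutoRun.
# Assumed: the standard policy locations under Policies\Explorer and the
# documented bit values of the mask (0xFF disables AutoRun for every drive type).
$paths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)

# Bit meanings of NoDriveTypeAutoRun; a set bit disables AutoRun for that drive type.
$driveTypeBits = @{
    0x01 = 'Unknown type'
    0x02 = 'No root directory'
    0x04 = 'Removable (USB, floppy)'
    0x08 = 'Fixed disk'
    0x10 = 'Network drive'
    0x20 = 'CD-ROM / DVD'
    0x40 = 'RAM disk'
    0x80 = 'Unrecognised type'
}

foreach ($path in $paths) {
    $item  = Get-ItemProperty -Path $path -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
    $value = $item.NoDriveTypeAutoRun
    if ($null -eq $value) {
        Write-Output "$path : NoDriveTypeAutoRun not set (Windows default applies)"
        continue
    }
    Write-Output ("{0} : NoDriveTypeAutoRun = 0x{1:X2}" -f $path, $value)
    foreach ($bit in ($driveTypeBits.Keys | Sort-Object)) {
        $state = if ($value -band $bit) { 'disabled' } else { 'ENABLED' }
        Write-Output ("    {0,-26} AutoRun {1}" -f $driveTypeBits[$bit], $state)
    }
    if (($value -band 0xFF) -ne 0xFF) {
        Write-Output "    WARNING: mask does not cover all drive types; 0xFF disables AutoRun everywhere."
    }
}

# Even with 0xFF set, the handling issue described in the report means the
# Microsoft update must also be applied for the policy to be honoured consistently.
```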

Microsoft released an additional security advisory to address a vulnerability that exists in Microsoft Excel when it processes invalid objects, as described in IntelliShield alert 17689. This vulnerability was being actively exploited prior to its public disclosure. This tactic is commonly known as exploiting a zero-day vulnerability. The vulnerability is being exploited by a variant of the Mdropper family of trojans, Trojan.Mdropper.AC, as described in IntelliShield alert 12562. Attackers are using this family of trojans to conduct limited attacks against specific targets. Microsoft has not released updated software to resolve the vulnerability in Excel. Administrators are advised to educate users about the dangers of opening documents from untrusted sources.

Also in malicious code activity, the SymbOS.Exy.A trojan targeted phones running the Symbian Series 60 3rd Edition operating system. This trojan propagates by collecting all the contact numbers within a targeted device and sending SMS messages to those contacts along with a link to a website that hosts a copy of the trojan. Because the messages are sent from a user's known contacts, possibly a trusted contact, the probability of successful infection increases. Furthermore, the trojan uses a valid certificate, further deceiving targeted users. The certificate is in the process of being revoked. SymbOS.Exy.A has the ability to terminate certain file and process monitoring utilities. SymbOS.Exy.A collects information about the phone, such as serial number and phone number, and posts the data to an attacker-controlled server. The trojan appears to be a legitimate application that goes by the name Sexy View or Sexy Girls, and the vendor name is Play Boy. Fortunately, the malicious software does not use a hidden interface and can be easily uninstalled using the App manager. The SymbOS.Exy trojan is detailed in IntelliShield alert 17695.

Google's DoubleClick advertising network was again discovered to be spreading malware by way of compromised banner advertisements. Reports indicate that attackers bypassed DoubleClick's security measures and have been using the advertising network to distribute malicious code. eWeek Security News was among those websites unknowingly spreading malware in malicious advertisements on their home page. Users of the eWeek site who clicked on the advertisement were redirected to malicious websites as a result of an invisible iFrame within the banner. The malicious website immediately attempts to install malicious code on a user's system. Information has not been released to describe how the attack was executed and how many websites were affected.

IntelliShield published 120 events last week: 55 new events and 65 updated events. Of the 120 events, 87 were Vulnerability Alerts, 10 were Threat Outbreak Alerts, eight were Malicious Code Alerts, seven were Security Activity Bulletins, six were Security Issue Alerts, one was an Applied Mitigation Bulletin, and one was a Cyber Risk Report. The alert publication totals are as follows:

Weekly Alert Totals

Day            Date        New   Updated   Total
Friday         2/27/2009    10        26      36
Thursday       2/26/2009    13         8      21
Wednesday      2/25/2009    18        10      28
Tuesday        2/24/2009     6         8      14
Monday         2/23/2009     8        13      21
Weekly Total                55        65     120

2009 Monthly Alert Totals

Month          New   Updated   Monthly Total
January        148       392             540
February       227       249             476
Annual Total   375       641            1016


The totals for the first two months of 2009 show a sharp decline from the same period of 2008. The first months of 2008 had higher than normal levels of activity that declined as the year progressed, resulting in a 6.77 percent increase over the entire year. The 2009 numbers are consistent with the same period from 2007 and continue to reflect the general increase that has occurred over the past three to five years.

Significant Alerts for February 23-March 1, 2009

Microsoft Office Excel Invalid Object Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 17689, Version 4, February 26, 2009
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2009-0238

Microsoft Excel and related products contain a vulnerability that could allow a remote attacker to execute arbitrary code. Attackers are actively exploiting this vulnerability to conduct limited malicious code attacks that are designed to infect targeted systems with a variant of the Mdropper family of trojans. This family of trojans is detailed in IntelliShield alert 12562. Microsoft has confirmed this vulnerability, but updated software is not available.

Previous Alerts That Still Represent Significant Risk

Adobe Acrobat Products PDF File Buffer Overflow Vulnerability
IntelliShield Vulnerability Alert 17665, Version 3, February 25, 2009
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2009-0658

Adobe Reader and Adobe Acrobat Professional, Acrobat Professional Extended, and Acrobat Standard contain a buffer overflow vulnerability that could allow a remote attacker to create a denial of service condition or execute arbitrary code with the privileges of the user. The level of user privileges and the code that is executed determine the degree to which the system is compromised. This vulnerability is actively being exploited in the wild by the Pidief family of trojans. Additional information about the trojan is available in IntelliShield alert 14388. Adobe has confirmed the vulnerability; however, updates are not available.

Misconfigured Router Causes Increased BGP Traffic and Isolated Outages for Internet Services
IntelliShield Security Activity Bulletin alert 17657, Version 5, February 25, 2009
Urgency/Credibility/Severity Rating: 2/5/3

On Monday, February 16, 2009, a misconfigured router from SuproNet, a Czech Internet Service Provider, caused high increases in Border Gateway Protocol (BGP) updates as well as isolated outages for Internet services around the world. The disruption was caused by a SuproNet router issuing routing announcement updates that contained overly long Autonomous System (AS) paths. Cisco Security Intelligence Operations has released additional technical information and workarounds to mitigate denial of service conditions that result from overly long AS paths. This information is available in IntelliShield alert 17670. OpenBSD has fixed a similar flaw, as described in IntelliShield alert 17658.

Microsoft Internet Explorer Uninitialized Memory Corruption Vulnerability
IntelliShield Vulnerability Alert 17519, Version 4, February 20, 2009
Urgency/Credibility/Severity Rating: 2/5/4
CVE-2009-0075

Microsoft Internet Explorer version 7.0 contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code or crash the browser, resulting in a denial of service condition. On systems that grant users Administrator privileges, an attacker could execute code that may result in the complete compromise of the affected system. Reports have confirmed the existence of exploit code that is being delivered using a Microsoft Office Word document saved in an XML format. Exploits have been observed wherein attackers build Word documents using XML constructs, save them as .doc files, and deliver the malicious document via e-mail or host it on websites. Several antivirus vendors are reporting the activity.

Worm: W32.Waledac
IntelliShield Malicious Code Alert 17327, Version 9, February 13, 2009
Urgency/Credibility/Severity Rating: 4/5/4

W32.Waledac is a worm that attempts to open a back door on an infected system. The worm propagates by sending a copy of itself to e-mail addresses on the infected system. Recently, the Waledac family was observed disguising itself as valentine-related e-cards. The e-mail messages are configured to take advantage of interest in current events or holidays to convince users to open their attachments. W32.Waledac may download files on an infected system and provide an attacker with backdoor access. The worm also attempts to steal confidential information that is related to numerous online banking entities.

Worm: W32/Conficker.worm
IntelliShield Malicious Code Alert 17121, Version 10, January 27, 2009
Urgency/Credibility/Severity Rating: 4/5/3

W32/Conficker.worm is a worm that is quickly propagating across many networks. The worm has reportedly infected millions of systems. One propagation routine of the worm involves exploiting the Microsoft Windows Server service remote procedure call (RPC) request handling code execution vulnerability, which is described in IntelliShield alert 16941. The worm prevents the system from accessing essential antivirus and security-related websites, which makes diagnosis and removal efforts more difficult. Administrators are advised to apply the MS08-067 Microsoft update to prevent attacks by the worm and to take steps to isolate any suspected infected systems until they can be fully restored.

Adobe Acrobat Products util.printf() Function Buffer Overflow Vulnerability
IntelliShield Vulnerability Alert 16999, Version 10, January 14, 2009
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2008-2992

Adobe Reader, Acrobat Professional, Acrobat 3D, and Acrobat Standard contain a buffer overflow vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code with the privileges of the user. A variant of the Pidief family of trojans, described in IntelliShield alert 14388, is actively exploiting this vulnerability in the wild. Adobe has confirmed the vulnerability and released updated software. Administrators are advised to apply the appropriate updates and to ensure that current antivirus definitions are installed. Users should also be cautious of unsolicited PDF files that may arrive via e-mail.

Weak MD5 Cryptographic Algorithm Allows for Certification Authority Certificate Spoofing Attacks
IntelliShield Security Activity Bulletin 17341, Version 5, January 15, 2009
Urgency/Credibility/Severity Rating: 2/5/3

Security researchers have identified a weakness in the Internet Public Key Infrastructure (PKI), which is used to issue digital signatures and certificates for secure websites. The attack is possible because of advances in cryptographic research that target the MD5 cryptographic hash function. Attackers could construct Certification Authority (CA) certificates that have the same MD5 hash as a valid CA certificate to impersonate trusted root CA certificates. Successful MD5 collisions allow attackers to impersonate root CA certificates that rely on the weak MD5 algorithm. Root CAs that do not rely on the MD5 algorithm cannot be impersonated using this attack. The researchers claim that the proof-of-concept rogue certificate they have created is accepted as valid by most web browsers.

Microsoft Internet Explorer XML Parsing Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 17241, Version 5, December 17, 2008
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2008-4844

Microsoft Internet Explorer contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code or cause a crash of the browser, resulting in a denial of service condition. Proof-of-concept code is available. Microsoft has confirmed the vulnerability and released updated software. Reports indicate that known websites are attempting to exploit this vulnerability to install malicious software on vulnerable systems.

Physical

Economic Crisis Causing Civilian Unrest

Riots and protests are becoming increasingly common because of the global economic downturn, as was the situation recently in several European countries. In Dublin, Ireland, approximately 120,000 protestors demonstrated against the government. Riots in Iceland resulted in a government collapse. Violent protests took place in Greece as farmers demanded higher agricultural prices, and over a million French citizens protested against the government to fight for job protection. Read More

IntelliShield Analysis: The current economic crisis has instilled concern and fear among many nations. The stress has led to multiple riots and protests worldwide. The fear and associated stress do not appear to be subsiding anytime soon, which could lead to escalations and additional violent confrontations. Organizations are advised to stay up-to-date on current events and prepare for unexpected ones. Political instability, strikes, and protests may impact business continuity, especially if transportation and communication infrastructure are damaged or suspended. Organizations are encouraged to maintain updated continuity plans and educate employees about procedures and expectations during political or economic upheaval. Organizations should also consolidate or closely tie network and physical security operations to expedite the coordination required for emergency response and daily operations.

Legal

Agreement Settles Lawsuit Against Irish ISP

A lawsuit against Ireland-based Internet service provider, Eircom, was settled after Eircom agreed to block file-sharing sites. Eircom has agreed to implement network blocks after the Irish Recorded Music Association (IRMA) compiles a list of sites that host infringing or copyrighted material. Eircom has also agreed to block individual IP addresses of customers who are discovered uploading or downloading infringing or copyrighted material from P2P sites. After three violations, Eircom will discontinue service to customers who allegedly upload or download infringing or copyrighted material. Read More

IntelliShield Analysis: The settlement and resulting agreement between Eircom, the IRMA, and the recording companies represented by the IRMA sets a difficult precedent for ISPs worldwide. In order to comply with the agreement, ISPs are compelled to remove their own customers at the request of a third party, an act that will likely drive business to other, non-compliant service providers. However, the agreement may be one of necessity and a model for future network policing actions, because ISPs that continue to be taken to court by content owners must protect themselves from further legal action. Although some content providers have taken a different approach in realigning their business models to the current technologies and only prosecuting the most extreme cases, there is no consensus on effective measures to counter the pirating of content. Providers can expect to see continued and varied efforts by these organizations, which will further complicate service delivery.

Trust

European Banking Program Aimed at Reducing Fraud May Increase Risk for Users

In an effort to reduce banking fraud, European banks have begun issuing portable PIN devices to customers, along with banking smart cards, to produce login and transaction authentication. The underlying protocol used by the banks was not publicly disclosed, which prompted researchers from Cambridge University to reverse engineer the protocol and study its security mechanisms. The researchers released a paper detailing their findings, including suggestions for improvement. Read More

IntelliShield Analysis: Security is always at the expense of cost or functionality, and in some cases, risk is reduced by transferring it from one party to another. According to this research, the portable card readers that were distributed to users undercut costs and complexities to increase functionality, which in turn reduces security for users. The concerns identified by the Cambridge research team center on a primary risk for end users: the use of portable devices may transfer the risk of fraud entirely to the user and away from the bank. Although technology and policy must be combined to decrease the risk of bank fraud, the security concerns this research exposes may result in consumer feedback seeking a more balanced distribution of risk between banks and customers.

Identity

Employee Files Lawsuit Against Starbucks

A current Starbucks employee, Laura Krottner, has filed a lawsuit against the company. The lawsuit states that Starbucks failed to take proper actions in protecting all former and current employees from invasions of privacy, fraud, and identity theft. On October 29, 2008, a laptop containing employee names, addresses, and social security numbers was stolen from Starbucks. Starbucks notified all 97,000 employees of the laptop breach and offered a free one year credit monitoring service. Read More

IntelliShield Analysis: Many organizations have been impacted by failed procedures for securing laptops and other data storage devices, resulting in a large number of exposures. Krottner is seeking to have Starbucks extend the one year credit monitoring to five years and submit periodic security audits to ensure that the company is implementing sufficient security procedures. All employees should be trained to appropriately transport, store, and control devices to limit the risk from attacks of opportunity against unattended devices or those stored in plain sight or obvious locations.

Human

Gmail Outage Leveraged by Hackers to Distribute Malicious Code

Google's Gmail experienced a temporary outage on February 24, 2009, and hackers were quick to leverage this event to distribute malware. The hackers created a Google Group called "Gmail Down". Google groups are similar to Yahoo! groups as they provide a free forum for people to meet and discuss things of interest. During the outage, the Gmail Down group was the first search result in a list that users received when performing a Google Search on "Gmail Down". By clicking on the link and visiting the malicious site, it was possible for the attackers to install malicious code on the computers of unsuspecting users. Read More

IntelliShield Analysis: This is a new twist on social engineering and is indicative of how quickly attackers will act to take advantage of an opportunity to distribute malicious code. The "Gmail Down" group contained links to pornography and other sites hosting malicious code. The installation of malcode was not automatic, but placing malicious sites like that in front of a large audience of people makes it likely that some users will be deceived. If possible, administrators are advised to block sites that serve up pornography by using an HTTP content-filtering proxy or by other similar means. Browser security features can also provide some protection if users are aware of them and have enabled and correctly configured such features.

Geopolitical

China's Internet Monitoring Chief Arrested for Bribery

The head of China's Internet monitoring department in the Beijing Public Security Bureau has been arrested for taking bribes valued at 40 million RMB (US$5.8 million), according to press reports. The chief of the bureau, which monitors e-mail and Internet use in China, was charged with taking the bribes from an antivirus software company in return for falsifying information about a competitor. Chinese company Rising allegedly paid the government official to manufacture evidence against the vice president of competitor Micropoint Technology. The fabricated evidence suggested that Micropoint's vice president spread computer viruses and tried to steal proprietary company information, and it resulted in the executive's incarceration.

IntelliShield Analysis: This incident may be instructive on a number of levels for Western IT specialists doing business with Chinese clients. The scheme serves as a reminder of the pervasive monitoring of electronic communications, which constitutes a risk for Western companies whose brands are at risk if their products are perceived to be facilitating anti-democratic government activities. It also points to high levels of corruption in government agencies and complex government-business relationships, which can put foreign and domestic companies alike at a disadvantage. On the other hand, Beijing is making progress toward rooting out corruption and more aggressively prosecuting thefts of intellectual property. Although criminal corruption prosecutions run the risk of being politicized, China's President Hu Jintao has made these issues high priorities, and many more high-profile corruption cases can be expected in the future.

Upcoming Security Activity

InfoSec World 2009: March 7-13, 2009
CanSecWest Vancouver 2009: March 16-20, 2009
Black Hat Europe 2009: April 14-17, 2009
RSA Conference 2009: April 20-24, 2009

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following dates:

Daylight Saving Time for the United States, Canada, and most of Central America and the Caribbean: March 8, 2009

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit
      Cisco Security IntelliShield Alert Manager Service

For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit
      Trial Registration



This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.
