
Cyber Risk Report

January 26–February 1, 2009

The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.

Vulnerability

Much of the vulnerability and threat activity in January centered on well-publicized malicious code attacks. Attackers leveraged current events and rumors surrounding United States President Barack Obama to convince users to open crafted e-mails or visit malicious websites. W32/Conficker.worm, also known as Downadup, continued to exploit a vulnerability in Microsoft Windows and has infected more than 10 million systems, according to some estimates. The authors of the W32.Waledac worm continued to use current events and holiday-themed messages to lure users to malicious websites.

Cisco Security Intelligence Operations has conducted extensive research on W32.Waledac. The team has analyzed the network traffic and the data exchanged between the worm and its command and control servers, and the Cisco IPS team has developed signatures to block the worm. According to this research, W32.Waledac is likely a successor to or variant of the Storm worm and botnet: the two generate and send spam, handle communications, and exchange data in a similar manner. W32.Waledac is currently propagating using e-mail subjects related to President Obama; this campaign is documented in IntelliShield Threat Outbreak Alert 17421. The worm is also being distributed in Valentine's Day-themed e-mail messages with subject lines such as "I give my heart to you" and "You are the ONE." Users are encouraged to exercise additional caution when viewing Valentine's Day-related e-mail messages or web content, because malicious code authors routinely use this holiday to distribute malware. W32.Waledac itself is documented in IntelliShield Malicious Code Alert 17327.

During the period, the website my.barackobama.com was targeted by attackers. The site hosts an online community for supporters of President Obama and allows registered users to create blogs. Attackers registered numerous accounts and created blogs with embedded YouTube-style video players bearing the text "Click here to see movie." A user who clicks the link is prompted to install a video codec that is actually a trojan. The attack has been effective because my.barackobama.com is highly visible and reputable and is linked from thousands of other websites. Regardless of a site's legitimacy, users should verify the authenticity of the content's source, especially on Web 2.0 sites that allow any user to register and post content.

Recent research from AVG Technologies indicates that between 200,000 and 300,000 new malicious websites are created, or legitimate websites compromised, every day. Compromised sites can be reconfigured to redirect visitors to malicious sites that infect the user's system. The malicious sites typically persuade users to download malware disguised as innocuous files such as video codecs or other multimedia content. As many as 94 percent of these sites are taken down by the hosting Internet Service Provider (ISP) within 10 days. The sheer number of malicious or compromised sites and their short lifetimes prevent blacklisting from being effective as a primary means of protection.

IntelliShield published 120 events last week: 33 new events and 87 updated events. Of the 120 events, 95 were Vulnerability Alerts, 12 were Security Issue Alerts, four were Threat Outbreak Alerts, one was a Security Activity Bulletin, one was an Applied Mitigation Bulletin, six were Malicious Code Alerts, and one was the Cyber Risk Report. The alert publication totals are as follows:

Weekly Alert Totals

Day           Date        New  Updated  Total
Friday        01/30/2009    6       29     35
Thursday      01/29/2009    9       12     21
Wednesday     01/28/2009    3       19     22
Tuesday       01/27/2009    4        6     10
Monday        01/26/2009   11       21     32
Weekly Total               33       87    120

2009 Monthly Alert Totals

Month         New  Updated  Monthly Total
January       148      392            540
Annual Total  148      392            540


Previous Alerts That Still Represent Significant Risk

Worm: W32.Waledac
IntelliShield Malicious Code Alert: 17327, Version 7, February 2, 2009
Urgency/Credibility/Severity Rating: 4/5/4

W32.Waledac is a worm that attempts to open a back door on an infected system. The worm propagates by sending a copy of itself to e-mail addresses found on the infected system. The e-mail messages are configured to leverage interest in current events or holidays to convince users to open their attachments. W32.Waledac may download files on an infected system and provide an attacker with backdoor access. The worm also attempts to steal confidential information that is related to numerous online banking entities.

Worm: W32/Conficker.worm
IntelliShield Malicious Code Alert: 17121, Version 9, January 19, 2009
Urgency/Credibility/Severity Rating: 4/5/3

W32/Conficker.worm is a worm that is quickly propagating across many networks and has reportedly infected millions of systems. One of the worm's propagation routines exploits the Microsoft Windows Server service remote procedure call (RPC) request handling code execution vulnerability described in IntelliShield alert 16941. The worm also prevents the infected system from reaching antivirus and security-related websites, which makes diagnosis and removal more difficult. Administrators are advised to apply the MS08-067 Microsoft update to prevent infection and to isolate any suspected infected systems until they can be fully restored.

Weak MD5 Cryptographic Algorithm Allows for Certification Authority Certificate Spoofing Attacks
IntelliShield Security Activity Bulletin 17341, Version 5, January 15, 2009
Urgency/Credibility/Severity Rating: 2/5/3

Security researchers have demonstrated a weakness in the Internet Public Key Infrastructure (PKI), which is used to issue the digital certificates that secure websites. The attack builds on advances in cryptographic research against the MD5 hash function. A CA's signature covers only the hash of a certificate's contents, so two certificates with the same MD5 hash share one valid signature. The researchers constructed a rogue Certification Authority (CA) certificate whose MD5 hash matched that of a legitimate certificate issued by a CA that still signed with MD5; the rogue certificate therefore carries a valid CA signature, chains to a trusted root, and can be used to issue certificates for any website. Only certificates signed with MD5 expose users to this attack; CAs that sign with other hash algorithms cannot be impersonated this way. The researchers report that their proof-of-concept rogue certificate is accepted as valid by most web browsers.
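
The check a practitioner would want from this item is whether any certificate in a chain still carries an MD5-based signature algorithm, since that is the field a CA's signing choice shows up in. The following is an added example, not Cisco's code or the researchers' tooling: a minimal DER walker that reads the signatureAlgorithm field of each X.509 certificate and flags md2WithRSAEncryption and md5WithRSAEncryption. The three certificates in the sample chain are constructed inline with placeholder tbsCertificate and signature fields (a real chain would be the base64-decoded bodies of a PEM bundle), so the script runs offline; the chain labels and the toy contents are assumptions made for the example.

```python
"""Flag certificates in a chain whose signatureAlgorithm is MD2- or MD5-based.

Added example, not from the original report. A minimal DER walker stands in
for a full ASN.1 library so this runs offline; the sample chain is constructed
below with placeholder tbsCertificate and signature contents.
"""

# signatureAlgorithm OIDs, mapped to the names OpenSSL prints for them
OID_NAMES = {
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}
WEAK_SIGNATURES = {"md2WithRSAEncryption", "md5WithRSAEncryption"}

SEQUENCE, OID, INTEGER, NULL, BIT_STRING = 0x30, 0x06, 0x02, 0x05, 0x03


def der_read(buf, pos=0):
    """Decode one definite-length TLV at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """Split a constructed value's contents into (tag, value) elements."""
    items, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_read(value, pos)
        items.append((tag, val))
    return items


def decode_oid(value):
    """Decode OBJECT IDENTIFIER contents (base-128 arcs) to dotted form."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                    # high bit clear: last byte of this arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def signature_algorithm(cert_der):
    """Return the signature algorithm name of a DER-encoded X.509 certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    signatureAlgorithm ::= SEQUENCE { algorithm OID, parameters OPTIONAL }
    """
    tag, body, _ = der_read(cert_der)
    if tag != SEQUENCE:
        raise ValueError("not a DER SEQUENCE")
    _tbs, sig_alg, _sig_value = der_children(body)
    alg_tag, alg_value = der_children(sig_alg[1])[0]
    if alg_tag != OID:
        raise ValueError("signatureAlgorithm does not start with an OID")
    oid = decode_oid(alg_value)
    return OID_NAMES.get(oid, oid)


def weak_links(chain):
    """Return labels of chain members [(label, der_bytes), ...] signed with MD2/MD5."""
    return [label for label, der in chain if signature_algorithm(der) in WEAK_SIGNATURES]


# --- constructed sample chain: only the algorithm field carries real values ---

def der(tag, content):
    """Encode one TLV with a definite length (short or long form)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def encode_oid(dotted):
    """Encode a dotted OID string into OBJECT IDENTIFIER contents."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(chunk)
    return out


def toy_certificate(alg_oid):
    """Build a structurally valid Certificate with placeholder contents (assumption)."""
    tbs = der(SEQUENCE, der(INTEGER, b"\x02"))            # stand-in tbsCertificate
    sig_alg = der(SEQUENCE, der(OID, encode_oid(alg_oid)) + der(NULL, b""))
    sig_value = der(BIT_STRING, b"\x00" * 17)             # stand-in signature bits
    return der(SEQUENCE, tbs + sig_alg + sig_value)


SAMPLE_CHAIN = [
    ("site leaf", toy_certificate("1.2.840.113549.1.1.11")),
    ("rogue intermediate CA", toy_certificate("1.2.840.113549.1.1.4")),
    ("trusted root", toy_certificate("1.2.840.113549.1.1.5")),
]

if __name__ == "__main__":
    for label, cert in SAMPLE_CHAIN:
        print(f"{label}: {signature_algorithm(cert)}")
    print("MD5-signed members:", weak_links(SAMPLE_CHAIN))
```

The member that matters is the intermediate: the weak signature is the issuing CA's, recorded on the certificate it issued, so a chain is only as strong as the hash each issuer used. A root's own self-signature is irrelevant to trust (it is trusted by inclusion in the store), which is why the script reports per-certificate results rather than a single verdict.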

Microsoft Internet Explorer XML Parsing Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 17241, Version 5, December 17, 2008
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2008-4844

Microsoft Internet Explorer contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code or cause a crash of the browser, resulting in a denial of service condition. Proof-of-concept code is available. Microsoft has confirmed the vulnerability and released updated software. Reports indicate that known websites are attempting to exploit this vulnerability to install malicious software on vulnerable systems.

Microsoft Windows WordPad Text Converter File Handling Memory Corruption Vulnerability
IntelliShield Vulnerability Alert 17238, Version 2, December 16, 2008
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2008-4841

Microsoft Windows contains a vulnerability within the WordPad Text Converter that could allow an unauthenticated, remote attacker to corrupt memory and execute arbitrary code on the system. Microsoft has confirmed the vulnerability, but updated software is not currently available. Reports indicate that this vulnerability is actively being exploited and several antivirus vendors are detecting exploits that install additional malicious code on the targeted system. Other exploits contain a backdoor trojan, which could provide attackers with unauthorized access to infected systems. This tactic is commonly referred to as exploiting a zero-day vulnerability.

Adobe Acrobat Products util.printf() Function Buffer Overflow Vulnerability
IntelliShield Vulnerability Alert 16999, Version 10, January 14, 2009
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2008-2992

Adobe Acrobat Professional, Acrobat 3D, Acrobat Standard and Adobe Reader contain a buffer overflow vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code with the privileges of the user. A variant of the Pidief family of trojans, as described in IntelliShield Alert 14388, is actively exploiting this vulnerability in the wild. Adobe has confirmed the vulnerability and released updated software. Administrators are advised to apply the appropriate updates and to ensure that current antivirus definitions are installed. Users should also be cautious of unsolicited PDF files that may arrive via e-mail messages.

Microsoft Windows Server Service Remote Procedure Call Request Handling Code Execution Vulnerability
IntelliShield Vulnerability Alert 16941, Version 3, October 24, 2008
Urgency/Credibility/Severity Rating: 3/5/5
CVE-2008-4250

Microsoft Windows contains a buffer overflow vulnerability that could allow an unauthenticated, remote attacker to create a denial of service condition or execute arbitrary code. Exploit code is publicly available. The Troj/Gimmiv-A trojan and the W32.Kernelbot.A and W32.Wecorl worms actively exploit this vulnerability to install themselves on target systems; additional information is available in IntelliShield alerts 16947, 16985, and 16994. Microsoft has confirmed the vulnerability and released software updates. Administrators are advised to apply the appropriate updates and to ensure that current antivirus definitions are installed.

Physical

United States Department of Energy Janitor Pleads Guilty

A former United States (U.S.) Department of Energy (DOE) janitor, Roy Lynn Oakley, recently changed his plea to guilty, admitting that he attempted to sell nuclear materials to a Federal Bureau of Investigation (FBI) agent posing as a French government official. Oakley worked at the East Tennessee Technology Park in Oak Ridge, Tennessee, during 2006 and 2007 and, as a janitor, had access to information and materials classified as "Restricted Data" under the Atomic Energy Act. In January 2007 he contacted the French Embassy in an attempt to sell the materials for US$200,000; the embassy in turn contacted the FBI. Oakley faces up to 10 years in prison and US$250,000 in fines.

IntelliShield Analysis: The janitor's success in obtaining the nuclear material can most likely be attributed to his being admitted through secured entrances to work in office spaces where his activities were not monitored. After employees left for the day, Oakley removed equipment from the premises rather than disposing of it as required. The East Tennessee Technology Park appears to have failed to control the assets through a lack of employee oversight or of procedures to ensure proper disposal. Organizations can reduce this risk by addressing the procedural, human, and social elements of physical security: thorough background checks, layered physical controls, and two-person controls for sensitive materials so that their accounting, handling, and disposal are verified, with auditing of those records to confirm compliance with the procedures.

Legal

CSG Services Administrator Resigns, Deletes Records

An employee of CSG Services hired to maintain computer systems for the Northern Territory (NT) Government in Australia resigned over what he perceived as mistreatment by his employer. After resigning, David Anthony McIntosh did not surrender his passwords and access rights as required by his signed employment agreement. McIntosh used a still-valid password to establish a VPN connection to the NT Government's systems and delete records associated with 10,475 public servants. His actions also caused a denial of service condition that affected multiple NT government servers, including those of the Supreme Court, Berrimah Prison, Royal Darwin Hospital, and the Health Department.

IntelliShield Analysis: With current economic conditions affecting many businesses, the handling of employees who are let go deserves careful attention. Procedures for terminating individuals who held controlled access at various levels should be established and reviewed as part of the release meeting. Many businesses have administrator and user agreements that require departing employees to turn in all passwords and other sensitive information. When an individual leaves, the business should uphold its side of the agreement and ensure that the employee complies. A surrendered password is still known to the person who surrendered it, so the business must also disable the individual's accounts and remote access and change any shared or administrative passwords the person knew. Particular attention should be given to the release of administrators: all support staff must know that the person is no longer allowed on the premises and must not be given any new passwords. Companies may also consider the additional steps of performing full backups of key software and server configurations and checking systems for suspicious files and accounts. Upholding their side of the agreement helps companies reduce the risk of attacks by former employees.

Trust

Fannie Mae Malware Could Have Crippled Datacenter

The U.S. Justice Department is pursuing a federal computer intrusion charge against Rajendrasinh Makwana, a consultant who worked on-site at the Federal National Mortgage Association (commonly known as Fannie Mae). Makwana is charged with the October 24, 2008, deployment of a logic bomb that was set to erase all 4,000 of Fannie Mae's servers on January 31, 2009. Makwana was terminated on October 24 for a scripting error, but his access privileges were not immediately revoked. Another worker at Fannie Mae discovered the malicious script five days after it was deployed in October, before any damage could be done.

IntelliShield Analysis: Officials at Fannie Mae are fortunate that the planted code was discovered before it was scheduled to execute. If the script had been installed with better concealment to prevent detection, the organization could have been severely impacted. Organizations should practice privilege revocation in conjunction with employment termination and use physical security staff to escort the released employee during the time they remain on the premises. System operations require administrators to possess a high level of trust, but the trust should be monitored and not remain with those administrators who have the motivation or opportunity to harm the company.

Identity

Heartland Fallout Continues

Forensic investigators have located well-concealed malicious code installed on a Heartland Payment Systems server that captured card data while it transited the processing systems. The investigation identified sniffer code hidden in temporary files in the unallocated portion of the system's disk, suggesting that the attack was either very sophisticated or required high-level access. Comments by the U.S. Secret Service, which is involved in the investigation, suggest the group responsible may also be involved in other breaches currently under investigation. A growing list of financial institutions have begun notifying customers about the breach, and lawsuits have been filed claiming that Heartland's announcements about the breach were misleading and omitted material information.

IntelliShield Analysis: Now that the malicious code that appears to have been the means of the breach has been identified, it should be underscored that only limited identifying information is likely to have been compromised. Well-concealed malicious code can be very difficult to find; this code was nearly missed by two forensic investigations. Baseline system and network monitoring might have revealed the malicious code or its traffic; as it was, the breach went unnoticed until credit card companies began investigating fraudulent charges. Heartland is now releasing statements about industry end-to-end encryption controls to better protect customer data in transit. Encryption, however, has positive and negative implications for security, processing load, and cost, and it can blind many of the security controls that would otherwise detect and defend against breaches. Heartland representatives commented that the currently low costs of fraudulent charges and breaches would not likely justify end-to-end encryption. The more effective pursuit may be cooperation with international law enforcement to investigate and prosecute the groups performing the criminal activity.
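
The sniffer described above left captured card data in temporary files in unallocated disk space. One routine forensic check for that kind of artifact is to carve digit runs out of raw bytes and keep only those that pass the Luhn check, which separates harvested primary account numbers (PANs) and track-2 records from timestamps, serial numbers and other digits. The following is an added example, not Cisco's or Heartland's code and not a description of how the Heartland investigators worked: it runs that check over a constructed buffer standing in for a chunk of unallocated space, using industry test card numbers rather than real accounts.

```python
"""Carve Luhn-valid card numbers and track-2 records out of a raw byte buffer.

Added example, not from the original report. The sample buffer is constructed
below with industry test PANs (4111..., 5500...), not real account numbers.
"""
import re

# 13 to 19 digits not adjacent to other digits; a bytes pattern so it runs on raw disk data
PAN_RE = re.compile(rb"(?<!\d)\d{13,19}(?!\d)")
# Track-2 layout commonly written by card sniffers: ';' PAN '=' YYMM ... '?'
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{2})(\d{2})[^?]*\?")


def luhn_valid(pan):
    """Return True if the digit string passes the Luhn check digit test."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def carve_pans(blob):
    """Return (offset, pan) for every Luhn-valid digit run in blob."""
    hits = []
    for m in PAN_RE.finditer(blob):
        pan = m.group(0).decode("ascii")
        if luhn_valid(pan):
            hits.append((m.start(), pan))
    return hits


def carve_track2(blob):
    """Return parsed track-2 records (offset, PAN, expiry) whose PAN passes Luhn."""
    records = []
    for m in TRACK2_RE.finditer(blob):
        pan = m.group(1).decode("ascii")
        if luhn_valid(pan):
            yy, mm = m.group(2).decode("ascii"), m.group(3).decode("ascii")
            records.append({"offset": m.start(), "pan": pan, "expiry": f"20{yy}-{mm}"})
    return records


def mask(pan):
    """Mask a PAN for reporting: keep the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


# Constructed sample: slack bytes, a log timestamp (8 digits, too short to match),
# a track-2 record, a 16-digit serial that fails Luhn, and a second track-2 record.
SAMPLE_BLOB = (
    b"\x00" * 32
    + b"20090126 12:01:44 sniff.tmp\n"
    + b";4111111111111111=1012101xxxx?\n"
    + b"serial 1234567890123456\n"
    + b"\xff" * 16
    + b";5500000000000004=1103901xxxx?\n"
)

if __name__ == "__main__":
    for offset, pan in carve_pans(SAMPLE_BLOB):
        print(f"offset {offset}: {mask(pan)}")
    for rec in carve_track2(SAMPLE_BLOB):
        print(f"track-2 at {rec['offset']}: {mask(rec['pan'])} exp {rec['expiry']}")
```

On a real image the input would be the unallocated clusters exported by a carving tool, read in chunks; the Luhn filter does not prove a hit is card data, but a cluster of Luhn-valid 16-digit runs in track-2 layout inside a temporary file is exactly the artifact a sniffer leaves, and reporting masked values keeps the investigator's own notes out of PCI scope.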

Human

Files Discovered on MP3 Player Highlight Security Concerns

United States military files dating from 2005 were discovered on an MP3 player purchased from a used-goods store in Oklahoma. Files on the device included personal information, such as names and Social Security numbers, of military service personnel. The age of the data has led to speculation that, even if disclosed, it is unlikely to compromise operational security.

IntelliShield Analysis: The loss of data by means of misplaced devices such as media players or other removable storage devices continues to affect governments and businesses. Many sites have adopted responsible-use policies regarding the handling of sensitive data, often prohibiting the downloading of data onto removable devices. Sites are advised to review and reintroduce these policies with users and to provide clear guidelines related to data protection and acceptable uses of removable media devices. Additionally, administrators may consider deploying end-host security software to prevent the egress of data from systems hosting sensitive data to removable media.

Geopolitical

WTO Ruling on Intellectual Property Piracy Sends Mixed Message

The World Trade Organization (WTO) dispute settlement body issued a mixed verdict last week in an intellectual property rights (IPR) case that pitted the U.S. against the People's Republic of China. The ruling, which centered on whether China complies with the multinational Agreement on Trade-Related Aspects of Intellectual Property Rights (TRIPS), found against China for failing to take proper notice of the widespread piracy of digital media. However, the WTO did not find against China on one of the key charges at issue: that it sets the threshold for criminal prosecution of digital media piracy too high.

IntelliShield Analysis: While the U.S. is publicly claiming victory, the ruling has been widely portrayed as a disappointment for U.S. trade officials. The issue of setting appropriate thresholds for prosecution was crucial not only to Western businesses whose intellectual property (IP) is illegally distributed in China, but also to Chinese businesses with IP at risk. The U.S. can claim progress if the goal was to raise awareness of the massive scale of IP theft, particularly in China, and to increase international pressure on countries and organizations that may follow the letter, but not the spirit, of the TRIPS agreement. The Chinese government has reaffirmed its intention to improve its IP protection regime, and while it has a long way to go, this WTO ruling will move the process forward by turning international attention to the problem. Beijing authorities are no doubt aware that if a country is unable to protect intellectual property, business will go elsewhere. To the extent that this case has renewed attention to the problem, all sides can claim progress.

Other

Kyrgyzstan Internet Service Providers Hit By DDoS Attack

The Internet Service Providers (ISPs) of Kyrgyzstan were hit by a distributed denial of service (DDoS) attack. The attacks began on January 18, 2009, and were reportedly conducted by a group of Russian cyber criminals. They affected three of the four ISPs in Kyrgyzstan, and the upstream providers in Russia and Kazakhstan refused to pass traffic because of the scale of the attacks. As a result, incoming and outgoing network traffic to and from Kyrgyzstan was blocked.

IntelliShield Analysis: The event raises concern about the growing frequency of DDoS attacks for political purposes. Reports indicate that the same Russian group was responsible for the DDoS attack on Georgia's Internet infrastructure in August 2008. Radio Free Europe, the Republic of Estonia, the U.S. Cable News Network (CNN), and websites in France have all been attacked in a similar fashion. The attack against Kyrgyzstan, which consisted of massive data flooding, is particularly effective against smaller infrastructures that cannot absorb the increased traffic levels. The attacks are the latest example of geopolitical disputes leading to attacks on a country's Internet infrastructure, a trend that is expected to continue, especially against smaller ISPs that are more susceptible to such DDoS attacks.

Upcoming Security Activity

ShmooCon 2009: February 6–8, 2009
Black Hat DC 2009: February 16–19, 2009
Financial Cryptography and Data Security 09: February 23–26, 2009
InfoSec World 2009: March 7–13, 2009
CanSecWest Vancouver 2009: March 16–20, 2009
Black Hat Europe 2009: April 14–17, 2009
RSA Conference 2009: April 20–24, 2009

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following dates:

Israeli Legislative Election: February 10, 2009
Venezuelan Referendum on Presidential Terms of Office: February 15, 2009


Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit the Cisco Security IntelliShield Alert Manager Service page.

For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit the Trial Registration page.



This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.
