
Cyber Risk Report

November 3–9, 2008

The Cyber Risk Report is a strategic intelligence product that highlights current security activity and mid- to long-range perspectives. The report addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. Cyber Risk Reports are powered by Cisco Security Intelligence Operations, an advanced security infrastructure that identifies, analyzes, and defends against threats to keep organizations informed and protected. Cyber Risk Reports are the collaborative efforts of Cisco security analysts from the following teams: IntelliShield, Applied Intelligence, Remote Management Services, Intrusion Prevention System Signature Development, Cisco Product Security Incident Response, Cisco Malware Research, Strategic Technology Assessment Team, Infrastructure Security Research & Development, IronPort Email and Web Threat Research, Critical Infrastructure Assurance Group, Advanced Services, Security Sales and Engineering, Corporate Security Programs, Government Affairs, and Legal Support.

Vulnerability

During the time period, attackers continued the trend of using vulnerabilities in office productivity documents to attack business users. Vulnerability and threat activity was highlighted by attacks that leveraged a buffer overflow vulnerability in the util.printf() function of Adobe Reader. This vulnerability is detailed in IntelliShield Alert 16999. A remote attacker can exploit this vulnerability by convincing a user to open a malicious PDF document. Because PDF documents are commonly used in business settings and a knowledgeable attacker could construct a malicious file that resembles a legitimate document, this vulnerability may be easier to exploit than most.

A remotely exploitable buffer overflow vulnerability in the Linux kernel was recently discovered. The vulnerability exists in the NDISWrapper module, which provides support for Linux systems that use Windows-based wireless network card drivers. A remote attacker could exploit this vulnerability by sending malicious wireless traffic to the target system. Exposure will likely be limited to Linux-based laptops that use the module to support certain wireless cards. In most cases, the vulnerability will not affect production servers because they are not typically configured to use wireless connections. This vulnerability is detailed in IntelliShield Alert 17014.

During the time period, Microsoft released the Advance Notification for the November 2008 security bulletin release. Of the two bulletins scheduled for release on November 11, 2008, Microsoft rated one with a maximum severity of Critical and one with a maximum severity of Important. These bulletins address vulnerabilities in the Microsoft Windows operating system and the Microsoft Office suite of applications.

Recent malicious code activity has focused primarily on vulnerability exploits. W32.Wecorl and W32.Kernelbot.A are actively exploiting an RPC request handling vulnerability in the Microsoft Windows Server service, which is described in IntelliShield Alert 16941, to propagate to other systems that reside on the same local subnet. Additionally, a variant of the Pidief family of trojans is actively exploiting a buffer overflow vulnerability in the util.printf() function of Adobe Acrobat products, which is described in IntelliShield Alert 16999, to download and execute additional malicious files on infected systems. To ensure environments are protected, IntelliShield strongly encourages administrators to apply the appropriate Microsoft and Adobe updates and to ensure virus definitions are kept current.

IntelliShield published 118 events last week: 44 new events and 74 updated events. Of the 118 events, 90 were Vulnerability Alerts, 17 were Security Activity Bulletins, six were Malicious Code Alerts, four were Security Issue Alerts, and one was a Cyber Risk Report. The alert publication totals are as follows:

Weekly Alert Totals

Day           Date         New   Updated   Total
Friday        11/07/2008     5        23      28
Thursday      11/06/2008     8         5      13
Wednesday     11/05/2008    11        10      21
Tuesday       11/04/2008    14        15      29
Monday        11/03/2008     6        21      27
Weekly Total                44        74     118

Significant Alerts for November 3–9, 2008

Adobe Acrobat Products util.printf() Function Buffer Overflow Vulnerability
IntelliShield Vulnerability Alert 16999, Version 5, November 7, 2008
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2008-2992

Adobe Acrobat Professional, 3D, Standard, and Reader contain a buffer overflow vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code with the privileges of the user. A variant of the Pidief family of trojans described in IntelliShield Alert 14388 is actively exploiting this vulnerability in the wild. Adobe has confirmed the vulnerability and released updated software. Administrators are advised to apply the appropriate updates and to ensure current antivirus definitions are installed. Users should also be cautious of unsolicited PDF files that may arrive via e-mail.
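A triage check for the PDF activity described in this report (Alert 16999 and the Pidief variant that exploits util.printf()), written here as an added example and not code from Cisco or IntelliShield: it inflates a PDF's FlateDecode streams and flags JavaScript that calls util.printf(), along with an /OpenAction that would run it automatically when the document is opened. The sample PDFs are constructed inline, and the function names and finding strings are this example's own.

```python
import re
import zlib

# Stream objects: the object's dictionary (kept free of a stray "endobj" so one
# match cannot span two objects) followed by the raw stream body.
STREAM_RE = re.compile(
    rb"obj\s*(<<(?:(?!endobj).)*?>>)\s*stream\r?\n(.*?)\nendstream", re.S)
# JavaScript call into the Acrobat API function named in Alert 16999.
UTIL_PRINTF_RE = re.compile(rb"util\s*\.\s*printf\s*\(")


def decode_stream(dictionary: bytes, body: bytes) -> bytes:
    """Inflate a /FlateDecode stream; anything else is returned as-is.
    decompressobj tolerates trailing or truncated data, which is what a
    triage scanner wants when a file is deliberately malformed."""
    if b"/FlateDecode" not in dictionary:
        return body
    try:
        return zlib.decompressobj().decompress(body)
    except zlib.error:
        return body  # not really deflated; scan the raw bytes instead


def scan_pdf(pdf: bytes) -> list:
    """Return a list of triage findings for one PDF (empty means nothing seen).
    A util.printf() call is a signal to quarantine and inspect, not proof of
    exploitation: legitimate forms call it too."""
    findings = []
    if b"/JavaScript" in pdf or b"/JS" in pdf:
        findings.append("JavaScript action present")
    if b"/OpenAction" in pdf:
        findings.append("OpenAction present (runs when the document is opened)")
    bodies = [decode_stream(d, s) for d, s in STREAM_RE.findall(pdf)]
    bodies.append(pdf)  # JS may also sit in a literal string outside any stream
    if any(UTIL_PRINTF_RE.search(b) for b in bodies):
        findings.append("util.printf call in JavaScript")
    return findings


def build_sample_pdf(js: bytes) -> bytes:
    """Constructed minimal PDF whose OpenAction runs the given JavaScript from a
    deflated stream; a stand-in for a suspicious attachment, not real malware."""
    deflated = zlib.compress(js)
    return (
        b"%PDF-1.4\n"
        b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>\nendobj\n"
        b"3 0 obj\n<< /S /JavaScript /JS 4 0 R >>\nendobj\n"
        b"4 0 obj\n<< /Length " + str(len(deflated)).encode()
        + b" /Filter /FlateDecode >>\nstream\n" + deflated
        + b"\nendstream\nendobj\n%%EOF\n"
    )


# Constructed samples: one carrying a util.printf call, one plain document.
SUSPECT_PDF = build_sample_pdf(b'app.alert(util.printf("%d pages", this.numPages));')
CLEAN_PDF = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n%%EOF\n"

if __name__ == "__main__":
    for name, doc in (("suspect", SUSPECT_PDF), ("clean", CLEAN_PDF)):
        print(name, scan_pdf(doc) or ["no findings"])
```

Mail gateways of the period could apply the same heuristic to attachments; any hit is a reason to hold the message and confirm the Adobe update is deployed, not a verdict on its own.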

Previous Alerts That Still Represent Significant Risk

Microsoft Windows Server Service Remote Procedure Call Request Handling Code Execution Vulnerability
IntelliShield Vulnerability Alert 16941, Version 3, October 24, 2008
Urgency/Credibility/Severity Rating: 3/5/5
CVE-2008-4250

Microsoft Windows contains a buffer overflow vulnerability that could allow an unauthenticated, remote attacker to create a denial of service condition or execute arbitrary code. Exploit code is publicly available, and the Troj/Gimmiv-A, W32.Kernelbot.A, and W32.Wecorl worms are also actively exploiting this vulnerability to install themselves on target systems. Additional information on these worms is available in IntelliShield alerts 16947, 16985, and 16994. Microsoft has confirmed the vulnerability and released software updates. Administrators are advised to apply the appropriate updates and to ensure current antivirus definitions are installed.

Microsoft Windows Internet Printing Protocol Remote Code Execution Vulnerability
IntelliShield Vulnerability Alert 16798, Version 4, October 20, 2008
Urgency/Credibility/Severity Rating: 3/5/3
CVE-2008-1446

Microsoft Windows contains a vulnerability in Internet Printing Protocol (IPP) request processing that could allow a remote attacker to execute arbitrary code. Only systems that have IIS installed and support Internet Printing services are vulnerable. Internet Printing is not supported in default installations of Windows Vista, Windows Server 2003, and Windows Server 2008. When IIS is installed on Windows 2000 and Windows XP systems, Internet Printing is enabled by default. Functional exploit code is available, and this vulnerability is being actively exploited. Microsoft has confirmed this vulnerability in a security bulletin and released software updates.

Multiple Browsers and Adobe Flash Player Mouse Click Hijacking Vulnerability
IntelliShield Security Activity Bulletin 16770, Version 4, October 28, 2008
Urgency/Credibility/Severity Rating: 3/5/3
CVE-2008-4503

Independent security researchers have discovered a critical flaw affecting multiple, commonly used web browsers and the Adobe Flash Player. If an attacker can convince a user to visit a malicious web page, the attacker could take complete control over the user's mouse clicks, fooling the user into thinking they are clicking on a legitimate link. If successful, the attacker controls the hidden HTML elements that actually receive the clicks, so the user follows invisible hyperlinks without realizing it. This type of exploit is being referred to as "clickjacking." Adobe has released both a security advisory and a security bulletin, as well as updated software to address this vulnerability.

Sockstress Exploit Tool Exposes Vulnerabilities in TCP Stack Implementations of Multiple Vendors
IntelliShield Vulnerability Alert 16773, Version 4, October 17, 2008
Urgency/Credibility/Severity Rating: 2/5/3

Independent security researchers developed the sockstress tool, which exposes vulnerabilities in the TCP stack implementations of multiple vendors. The researchers have not yet publicly released the sockstress tool, and few technical details of the associated vulnerabilities are publicly available. The researchers are coordinating the release of details to affected vendors through Funet CERT of Finland. The researchers presented their findings at the T2 2008 security conference in Helsinki, Finland, on October 17, 2008, but released few details. Cisco has released a Security Response for this activity.

Citect CitectSCADA and CitectFacilities ODBC Service Buffer Overflow Vulnerability
IntelliShield Vulnerability Alert 16071, Version 3, September 9, 2008
Urgency/Credibility/Severity Rating: 3/5/4
CVE-2008-2639

Citect CitectSCADA contains a vulnerability that could allow a remote attacker to cause a DoS condition or execute arbitrary code. Exploit code that could allow the attacker to achieve code execution is available. The vulnerable applications provide remote SQL access to a relational database with the use of the ODBC server component. Such systems should be contained in their own network and never connected to corporate networks or exposed to the Internet. Attackers who can access the network on which these machines reside must still connect to the TCP port that is used by the ODBC service.

JustSystems Ichitaro Unspecified Arbitrary Code Execution Vulnerability
IntelliShield Vulnerability Alert 16544, Version 1, August 28, 2008
Urgency/Credibility/Severity Rating: 3/4/4
CVE-2008-3919

JustSystems Ichitaro products contain a vulnerability that could allow a remote attacker to cause a DoS condition or execute arbitrary code. The vendor is reportedly investigating the issue, but updated software is not currently available. The vulnerability is being used to conduct the type of targeted attacks described in IntelliShield alert 16543. The attacks occurred before the vulnerability was publicly disclosed. This tactic is commonly known as exploiting a zero-day vulnerability.

Physical

Engineers Plead Guilty to Hacking Traffic Light System

In the United States, two traffic engineers recently pleaded guilty to one felony count of "illegally accessing" the Automated Traffic Surveillance Center in Los Angeles, California on August 21, 2006. The security breach, which occurred just before the start of a job action against the city, disconnected the signal control boxes at four major intersections and caused congestion and gridlock. Operators spent four days repairing the control system before the lights regained complete functionality. The engineers have been sentenced to pay full restitution and serve 120 days in jail or 240 hours of community service. In addition, any personal and office computer systems they use must be monitored.

IntelliShield Analysis: Despite city officials' efforts to prevent a security breach by temporarily blocking access to the engineers, this incident clearly demonstrates how easily the traffic control system can be compromised. As a result of the breach, traffic was delayed for days during maintenance. Such delays can be of serious concern for businesses because they can affect travel and employee attendance. The congestion also had the potential to cause major traffic accidents. To prevent these kinds of incidents from occurring, organizations can implement strict access controls for trusted users, as well as ensure that strong firewalls and security blocks are configured during times of scrutiny. Administrators are also advised to continue to upgrade and test signal junctions. Security teams are advised to identify events with the potential for security implications far in advance and coordinate with local law enforcement and event security staff to assess business impact and adjust security postures.

Legal

Former Intel Engineer Working for AMD Charged with Stealing Trade Secrets

An engineer who resigned from his job at Intel in June of 2008 but remained on the payroll while using vacation time has recently been charged with theft of confidential information. Although Biswamohan Pani told Intel he was investigating a job at a hedge fund when he resigned his position, he had already accepted a job with Intel's chief competitor, AMD. While he was still on the Intel payroll using remaining vacation time, Pani continued to access Intel computer systems, and over a four-day period downloaded confidential information that Intel has valued at US$1 billion. If Pani is found guilty of the charges, he could face a maximum prison term of 90 years. AMD is not being charged in this incident because investigators do not believe the company had knowledge of or would benefit from Pani's actions.

IntelliShield Analysis: While it is a common practice to allow employees who resign to remain on the payroll while they use remaining vacation time, it is advisable to restrict or remove their computer access to prevent possible sabotage or data theft. Because Pani's wife also worked at Intel and he was thought to be moving to a hedge fund, not to rival AMD, Intel may have believed that there was limited to no risk involved in leaving his access in place. If restricting account access is not preferred, organizations should strongly consider implementing increased monitoring of accounts. In this particular incident, Intel was able to detect and substantiate the activity by monitoring Pani's account, but they could not prevent the transfer of the sensitive files.

Trust

United States State Department Discloses Passport Applications

The United States (U.S.) State Department recently notified 383 passport applicants that their sensitive information, including social security numbers and other personal information, had been compromised. The compromise was discovered as part of an investigation concerning a U.S. State Department employee who was involved in a credit card scheme. Reports indicate that the employee shared passport information with other individuals in the credit card crime ring. The State Department has offered the affected passport applicants free credit monitoring.

IntelliShield Analysis: The investigation is continuing, and the notified applicants have not experienced any related identity theft. To help prevent these kinds of incidents, organizations are encouraged to thoroughly check the backgrounds of new employees and to monitor access to sensitive data. Many companies have found the additional security measure of monitoring access to personal information difficult, or have failed to implement it, which makes data leakage and insider threats difficult to detect, prevent, or adequately quantify. Failures may occur when businesses opt to implement technology-heavy solutions rather than a balance of people, process, and technology solutions to safeguard data.

Identity

Stealth Trojan Steals Hundreds of Thousands of Bank Accounts

Trojan.Mebroot, also known as Sinowal or Torpig, has been reported to have infected nearly 300,000 machines and successfully stolen 270,000 bank account numbers and details for 240,000 credit and debit cards. The trojan was able to remain largely undetected since 2006. As part of its infection routine, the trojan writes itself to the Master Boot Record (MBR). In an attempt to extract confidential information from the user, Trojan.Mebroot performs an HTML injection attack on the user's browser when one of 2,700 URLs is accessed. Any captured information is then returned to an attacker-controlled database.

IntelliShield Analysis: Trojan.Mebroot has been successful largely because it employs the older tactic of infecting the MBR, which is no longer commonly used by malicious code authors. This tactic makes detection and remediation very difficult because users may need to completely re-format their hard drives to remove the trojan. Because the trojan can sit dormant and not perform any other action on the system until certain banking- or financial-related URLs are accessed, detection may also be difficult. Trojan.Mebroot is also suspected to have connections with the Russian Business Network (RBN), which is described in more detail in IntelliShield Alert 14457. All recent findings indicate that administrators should consider Trojan.Mebroot a serious and ongoing threat, especially because attackers are providing updates to the trojan on a regular basis to continue evasion.

Human

Study Reveals Flow of Money from Rogue Antivirus Applications

The director of malware research at SecureWorks recently published the results from a study of the "rogue" or fake antivirus applications Antivirus XP 2008 and Antivirus XP 2009. The study explains how the malicious code affects the target system and how the malware attempts to mislead users into paying attackers for illegitimate antivirus services. The study also discusses the companies that actually distribute the malicious code, and details how and where the revenue is distributed. The study claims that Antivirus XP 2008 and Antivirus XP 2009 are distributed by Bakasoftware, also known as Pandora Software. The study also includes alleged insider information from Bakasoftware that estimates that some top affiliates have the ability to earn in excess of five million dollars in a single year.

IntelliShield Analysis: The distribution of questionable security software has been a growing trend over the past year. Due to the vast potential for profit, users can expect a continued large-scale distribution of such malicious software. According to the study, individuals that utilize botnets to distribute rogue antivirus applications can earn the highest returns. Users must then contend with further attempts to establish and expand the botnets, in addition to increasing attempts to distribute malicious code in the form of rogue antivirus software. Organizations should remind users to be cautious when downloading and installing security software from unknown or untrusted sources, because malicious code is often disguised as antivirus, firewall, spam filtering, vulnerability scans, and other security-related applications.

Geopolitical

Implications of the United States Obama Administration for IT Security

IT security industry leaders are assessing the impact of the new United States (U.S.) presidential administration on the global technology industry with interest and caution. In the short term, U.S. President-elect Obama is expected to be preoccupied with economic stimulus and job creation, which are positive moves for the tech industry if they contribute to economic recovery. Longer term, Obama's technology policy platform includes support for net neutrality, expanding domestic broadband access, and plans to appoint a chief technology officer. One of his early transition team appointments was technology advisor Julius Genachowski, a technology businessman. However, some in the IT industry have concerns about the President-elect's stance on international business and multilateral trade agreements, and in particular, his stated plans to penalize companies for off-shoring and outsourcing.

IntelliShield Analysis: Of primary importance will be Obama's choice for chief technology officer; his or her ability to influence the new President-elect and the placement of this individual within the government hierarchy will be carefully scrutinized. Press reports have already referenced Silicon Valley candidates, such as Sun co-founder Bill Joy and Google CEO Eric Schmidt, for the position. The IT industry will also watch for loopholes in an otherwise less friendly environment for multilateral trade agreements, off-shoring, and outsourcing. Many pundits are predicting that, given the global economic crisis, the new President may not undertake these issues for some time. Additionally, the technology industry may find growth opportunities in alternative energy research, which the new administration has promised to prioritize. Finally, the new administration, which quite literally represents a generational shift, can be expected to carefully consider technology in all aspects of its decision-making. Such a transition could indicate a demand for more, rather than less, government-wide IT infrastructure and security solutions.

Miscellaneous

Internet Routing Table Growth Puts Routers at Risk

As the Internet continues to expand, network infrastructure, specifically routers and switches, will need to support the corresponding growth in Internet-connected prefixes (summaries of an IP address range that represent a network or group of networks) and routes (network paths to a prefix). This growth is not only due to the addition of new networks to the Internet; it is also caused by the disaggregation of existing prefixes, the process of breaking up one prefix into multiple prefixes, which most often occurs for legitimate purposes. The continued growth in the number of Internet-connected prefixes may leave some routers and switches unable to process the increased information load. Should this scenario occur, ramifications may include dropped routes, degraded performance, or in more severe cases, network device crashes or reboots. The Internet currently contains approximately 280,000 prefixes. With an average monthly growth rate of about 3,500 prefixes, the number of prefixes is expected to exceed 300,000 in early 2009.

IntelliShield Analysis: It is becoming increasingly apparent that the limited memory and CPU capabilities of many routers and switches will not be sufficient to hold the full Internet routing table of today's Internet. As the size of the Internet routing table continues to grow, it will begin to affect newer and larger platforms, even those with more memory and greater CPU power. The use of dual-stack, or running IPv4 and IPv6 simultaneously, will likely exacerbate this growth trend and further accelerate hardware memory and CPU issues.

The full Internet routing table is approaching 300,000 routes. While 300,000 is not necessarily a hard limit, it should serve to remind administrators to assess all their platforms to determine the status of CPU load and memory consumption. If existing hardware is found to be deficient for current Internet routing table requirements, administrators are also advised to assess potential solutions. Administrators who run older platforms and hardware that cannot support the current number of prefixes have already begun experiencing Internet routing table growth issues. One approach that administrators can immediately explore is to check existing routing tables to ensure that only required routes are accepted from BGP peers and installed in the local table. Best common practices require the use of bogon prefix filters, which can help limit the accepted routes. Administrators are also advised to review their network prefixes and apply appropriate summarization and filtering while still maintaining routing accuracy.
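The route-acceptance review recommended above (bogon filtering, rejecting overly specific prefixes, and summarizing disaggregated space), as an added Python example that is not part of the original report: given the prefixes received from a peer, it rejects bogons and prefixes longer than the policy allows, then collapses the survivors into covering aggregates so the local table holds fewer entries. The bogon list is abbreviated, the /24 limit and the 300,000 ceiling are assumed policy values, and the received prefixes are constructed from benchmark and documentation ranges.

```python
import ipaddress

# Abbreviated bogon list for this example; a production filter should use a
# full, currently maintained list and be updated as allocations change.
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.2.0/24", "192.168.0.0/16", "224.0.0.0/3",
)]
MAX_PREFIX_LEN = 24      # assumed policy: accept nothing more specific than a /24
MAX_PREFIXES = 300000    # assumed per-peer ceiling, taken from the report's figure


def accept_prefix(prefix, bogons=BOGONS, max_len=MAX_PREFIX_LEN):
    """Decide whether one prefix received from a BGP peer is acceptable.
    Returns (accepted, reason)."""
    net = ipaddress.ip_network(prefix, strict=False)
    if net.version != 4:
        return False, "not IPv4"          # this filter is IPv4-only
    if any(net.subnet_of(b) for b in bogons):
        return False, "bogon"
    if net.prefixlen > max_len:
        return False, "too specific"
    return True, "ok"


def filter_and_summarize(received, max_prefixes=MAX_PREFIXES):
    """Apply the acceptance policy to a peer's advertisements and collapse the
    survivors: adjacent and overlapping prefixes become their covering
    aggregate, which is how disaggregated space is put back together."""
    accepted, rejected = [], {}
    for p in received:
        ok, reason = accept_prefix(p)
        if ok:
            accepted.append(ipaddress.ip_network(p, strict=False))
        else:
            rejected[p] = reason
    summarized = list(ipaddress.collapse_addresses(accepted))
    return {
        "accepted": [str(n) for n in accepted],
        "rejected": rejected,
        "summarized": [str(n) for n in summarized],
        "over_limit": len(accepted) > max_prefixes,  # would trip a prefix limit
    }


# Constructed advertisement from one peer: two /24 halves of a /23 plus the
# adjacent /23 (a disaggregated /22), a benign /24, three bogons, and a /25.
SAMPLE_RECEIVED = [
    "198.18.0.0/24", "198.18.1.0/24", "198.18.2.0/23",
    "198.51.100.0/24",
    "10.1.0.0/16", "192.168.5.0/24", "224.1.0.0/16",
    "198.51.100.128/25",
]

if __name__ == "__main__":
    report = filter_and_summarize(SAMPLE_RECEIVED)
    print(f"{len(SAMPLE_RECEIVED)} received, {len(report['accepted'])} accepted, "
          f"{len(report['summarized'])} after summarization")
    for prefix, reason in report["rejected"].items():
        print(f"  rejected {prefix}: {reason}")
```

On a router the same policy is expressed as an inbound prefix list plus a per-peer maximum-prefix limit; this script is a way to audit a received table offline before tightening those settings.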

Upcoming Security Activity

DeepSec IDSC: November 11–14, 2008
Cisco IT Security Forum: November 12, 2008
PacSec 2008: November 12–13, 2008
Computer Security Institute 2008: November 15–21, 2008
Government Information Group Security IT Conference & Exhibition: November 20–21, 2008
RUXCON 2008: November 29–30, 2008

Because of the potential for increased risk on multiple vectors, organizations' security teams should be aware of and consider making special preparations for the following dates:

Thanksgiving: November 27, 2008
Hanukkah: December 21–28, 2008
Eid al-Adha: December 8–11, 2008
Christmas: December 25, 2008
Boxing Day/Day of Goodwill: December 26, 2008
New Year's Eve: December 31, 2008
New Year's Day: January 1, 2009

Additional Information

For more information about the vulnerabilities contained in this report or the Cisco Security IntelliShield Alert Manager Service, please visit the Cisco Security IntelliShield Alert Manager Service page.

For information on obtaining a free trial of the Cisco Security IntelliShield Alert Manager Service, please visit the Trial Registration page.



This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.
