Cisco Blogs

Red October in January: The Cyber Espionage Era

- January 15, 2013 - 0 Comments

Researchers from Kaspersky Lab have released information about a large-scale cyber espionage campaign called Operation Red October (otherwise known as Rocra). The report has garnered the attention of multiple news agencies and generated many published articles since the Kaspersky report has claimed that attackers were targeting hundreds of diplomatic, governmental, and scientific organizations in numerous countries.

These reports indicate that the command-and-control (C&C) infrastructure that is used on these attacks receives stolen information using more than 60 domain names to hide its identity. Furthermore, this information appears to be funneled into a second tier of proxy servers. These are very clever attacks that many are now claiming have been taking place for more than five years! Red October is being compared with other malware that has been associated with cyber espionage such as Duqu, Flame, and Gauss.

In its paper, Kaspersky indicated that at least three different exploits for previously known vulnerabilities in Microsoft Office products were used in these attacks:

  • CVE-2009-3129 – Microsoft Office Excel Featheader Record Processing Arbitrary Code Execution Vulnerability
  • CVE-2010-3333 – Microsoft Office Rich Text Format Content Processing Buffer Overflow Vulnerability
  • CVE-2012-0158 – Microsoft MSCOMCTL.OCX ActiveX Control Remote Code Execution Vulnerability

A later report claims that the Oracle Java Applet Rhino Script Engine arbitrary code execution vulnerability documented in CVE-2011-3544 was used by one of the command and control servers in the Red October infrastructure.

This vulnerability is also documented in Intellishield Alert 27890. The following is an interesting fact explained on this IntelliShield alert:

The malicious software embeds itself on infected systems and functions as the attacker’s access point to an infected system. A successful exploit could allow the attacker to install any of the 34 identified Red October modules. These modules can extend the functionality of the Red October framework with the following capabilities:

  • Compile hardware, software, and operating environment of the targeted system
  • Compile network-related information, including Windows Network neighborhood share information
  • Exploit weak or default passwords and SNMP community strings to compile network device configurations
  • Scan the LAN for ports and hosts vulnerable to additional exploits
  • Steal sensitive browser, e-mail, and FTP related information including cookies, credentials, and history
  • Gather data from locally attached mobile devices, including iPhones, Nokia phones, and Windows Mobile phones
  • Access locally attached Windows Mobile devices and install a back door
  • Install back doors on targeted devices
  • Capture screen shots and record keystrokes
  • Execute arbitrary files that are embedded in certain documents
  • Access data on removable storage devices, possibly including deleted files
  • Access LAN FTP sites and shared disks
  • Access e-mail databases from POP/IMAP servers or local Microsoft Outlook storage
  • Install Adobe Reader and Microsoft Office DocBackdoor plug-ins
  • Execute arbitrary code and commands
  • Exploit system access of targeted systems using Administrator credentials
  • Target and compile e-mail account information
  • Launch additional modules
  • Upload gathered intelligence and data to the command and control server

Reports also indicate that Red October targets files and documents with the following extensions:

txt, csv, eml, doc, vsd, sxw, odt, docx, rtf, pdf, mdb, xls, wab, rst, xps, iau, cif, key, crt, cer, hse, pgp, gpg, xia, xiu, xis, xio, xig, acidcsa, acidsca, aciddsk, acidpvr, acidppr, acidssa.

Update: Kaspersky released over 140 pages of technical details regarding each of the modules used in the Red October operation in the “second-part” of their research paper. They divide the information into two major sections: one explaining the first stage of the attack and another explaining the second stage.

Cisco Security Intelligence Operations (SIO) provides an array of security resources to help customers secure their networks in response to events such as Microsoft Patch Tuesdays . This collateral is not unique to Microsoft Patch Tuesdays, but instead is part of Cisco SIO’s response to current security events. The following are some of the resources:

  • Event Responses provide information about security events that have the potential for widespread impact on customer networks, applications, and devices.
  • Applied Mitigation Bulletins (AMBs) provide techniques to detect and mitigate exploits on Cisco products.
  • IPS Signatures are created to detect and block security threats.
  • IntelliShield Alerts provide multi-vendor early-warning intelligence, threat and vulnerability analysis.

The following table associates the Microsoft vulnerabilities and with multiple resources that were published by Cisco SIO to help provide awareness and protection for these vulnerabilities:

Exploited Vulnerabilities Cisco SIO Resources CVE ID Cisco Mitigations
CVSS Base Score
MS12-027: Vulnerability in Windows Common Controls Could Allow Remote Code Execution Vulnerability Alert: Microsoft MSCOMCTL.OCX ActiveX Control Remote Code Execution Vulnerability

Event Response: Microsoft Security Bulletin Release for April 2012

Applied Mitigation Bulletin: Microsoft Security Bulletin Release for April 2012


Cisco IOS NetFlow


Cisco ACE

Cisco Security Manager

Cisco IPS Signature 1131-0

MS10-087: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution Vulnerability Alert: Microsoft Office Rich Text Format Content Processing Buffer Overflow Vulnerability

Event Response: Microsoft Security Bulletin Release for November 2010

Applied Mitigation Bulletin: Microsoft Security Bulletin Release for November 2010


Cisco IPS Signature 31239-0

Cisco IPS Signature 31239-1

MS09-067: Vulnerabilities in Microsoft Office Excel Could Allow Remote Code Execution Vulnerability Alert: Microsoft Office Excel Featheader Record Processing Arbitrary Code Execution Vulnerability

Event Response: Microsoft Security Bulletin Release for November 2009

Applied Mitigation Bulletin: Microsoft Security Bulletin Release for November 2009


Cisco IPS Signature 21920-0

Cisco IPS Signature 22083-0

Oracle Java Critical Patch Update (CPU) – October 2011Oracle Java Applet Rhino Script Engine Arbitrary Code Execution Vulnerability Vulnerability Alert: Oracle Java Applet Rhino Script Engine Arbitrary Code Execution Vulnerability CVE-2011-3544 10.0


Once again, the aforementioned vulnerabilities have been disclosed and patched for quite some time; however, cyber criminals are still successfully exploiting them.

Note: Customers using Cisco IPS solutions have also been protected via signatures delivered for all three vulnerabilities.

A patch management process is a critical component of any infrastructure. Security best practices and the use of common knowledge by security, network, and systems administrators to identify and analyze metrics in each security process, procedure, or operational area is of extreme importance.

Cisco Device Configuration Harvesting

Additionally, the malware in question has been observed to harvest the configurations of Cisco networking equipment. Cisco PSIRT has been in direct communication with the research team at Kaspersky and has received confirmation from them stating that the network device configuration and other information were obtained by exploiting weak Simple Network Management Protocol (SNMP) community strings and network device passwords. These attacks were not due to a known or unknown Cisco vulnerability. The malware contained a large list of hardcoded commonly-used SNMP community strings that were used to attack infrastructure devices.

Update: Details about the Netscan module used for network device configuration harvesting have been posted in the second part of Kaspersky’s research paper.

The following is a quote from their paper:

The scan begins with pinging the target with 2 seconds timeout. Then the scanner gets target hostname and MAC address. After that it tries to send an SNMPv3 request. Unlike SNMPv2, SNMPv3 responds even if the username is wrong allowing you to identify if the port is open or not. If the remote SNMP agent responds, then the scanner will try to talk further.

It tries to guess the SNMP agent community name from a list of 600 hardcoded variants. The list itself interesting enough as it seems to be made of previously discovered SNMP agent community names from various locations where the attackers managed to penetrate networks.

The list of the 600+ passwords was also shared.

Opportunistic criminals can be expected to leverage default or weak passwords and SNMP community strings. Why? Because it is easy! And, people continue to use them! Many successful breaches historically, and nowadays, start with a weak, default password, or a stolen and reused credentials.

Examples of weak passwords include:

  • Dictionary words including words in many different languages.
  • Words with numbers such as: cisco123, password1, mypassword123, etc.
  • Default passwords from vendors that are meant to be changed at installation time. Several lists of default passwords are widely available online.
  • Words with simple obfuscation: p4ssw0rd, P@ssw0rd, C1sco, C1sco123
  • Doubled words: passwordpassword, ciscocisco, passpass
  • Well known numbers such as 911, 314159 (pi) etc.
  • Common sequences from a keyboard row: 1qaz2wsx, 123qwe, qwerty, etc.
  • Personal information such as current or past telephone numbers, address, previous addresses, birthdays, sports teams, userids, etc.

A few general guidelines on how to create secure and meaningful passwords is posted here.

Cisco has created a collection of device hardening guides that contains information to help you secure your infrastructure devices. The following are a few examples:

Many more resources and whitepapers are available at the Cisco Security Intelligence Operations portal.

Leave a comment

We'd love to hear from you! To earn points and badges for participating in the conversation, join Cisco Social Rewards. Your comment(s) will appear instantly on the live site. Spam, promotional and derogatory comments will be removed.

All comments in this blog are held for moderation. Your comment will not display until it has been approved

In an effort to keep conversations fresh, Cisco Blogs closes comments after 60 days. Please visit the Cisco Blogs hub page for the latest content.