Cisco Security Intelligence Operations is tracking reports of ongoing exploitation of a vulnerability in the popular web application framework Ruby on Rails that creates a Linux-based botnet. The vulnerability dates back to January 2013 and affects Ruby on Rails versions prior to 3.2.11, 3.1.10, 3.0.19, and 2.3.15. Cisco Security Intelligence Operations’ has previously published an analysis of CVE-2013-0156. Cisco is receiving reports of attempted infection from Cisco IPS customers participating in Global Correlation.
Department of Labor Watering Hole Attack Confirmed to be 0-Day with Possible Advanced Reconnaissance Capabilities
Update 2 5/9/2013:
Microsoft has released a “Microsoft fix it” as a temporary mitigation for this issue on systems which require IE8. At this time, multiple sites have been observed hosting pages which exploit this vulnerability. Users of IE8 who cannot update to IE9+ are urged to apply the Fix It immediately.
An exploit for this bug is now publicly available within the metasploit framework. Users of the affected browser should consider updating to IE9+ or using a different browser until a patch is released. Given the nature of this vulnerability additional exploitation is likely.
At the end of April a Watering Hole–style attack was launched from a United States Department of Labor website. Many are theorizing that this attack may have been an attempt to use one compromised organization to target another. Visitors to specific pages hosting nuclear-related content at the Department of Labor website were also receiving malicious content loaded from the domain dol.ns01.us. Initially it appeared that this attack used CVE-2012-4792 to compromise vulnerable machines; however, Microsoft is now confirming that this is indeed a new issue. This issue is being designated CVE-2013-1347 and is reported to affect all versions of Internet Explorer 8.
On April 10, 2013, a collective of politically motivated hacktivists announced a round of planned attacks called #OPUSA. These attacks, slated to begin May 7, 2013, are to be launched against U.S.-based targets. #OPUSA is a follow-up to #OPISRAEL, which were a series of attacks carried out on April 7 against Israeli-based targets. Our goal here is to summarize and inform readers of resources, recommendations, network mitigations, and best practices that are available to prevent, mitigate, respond to, or dilute the effectiveness of these attacks. This blog was a collaborative effort between myself, Kevin Timm, Joseph Karpenko, Panos Kampanakis, and the Cisco TRAC team.
If the attackers follow the same patterns as previously witnessed during the #OPISRAEL attacks, then targets can expect a mixture of attacks. Major components of previous attacks consisted of denial of service attacks and web application exploits, ranging from advanced ad-hoc attempts to simple website defacements. In the past, attackers used such tools as LOIC, HOIC, and Slowloris.
Publicly announced attacks of this nature can have highly volatile credibility. In some cases, the announcements exist only for the purpose of gaining notoriety. In other cases, they are enhanced by increased publicity. Given the lack of specific details about participation or capabilities, the exact severity of the attack can’t be known until it (possibly) happens. Read More »
Tags: advisories, ASA, botnet, botnets, Cisco Security, Cloud Computing, cloud security, data center security, DDoS, exploits, firewall, incident response, IPS, IPS signatures, malware, mitigations, security, targeted attacks, TRAC, vulnerability
Often it is quite surprising how long old, well-known vulnerabilities continue to be exploited. Recently, a friend sent me an example of a malicious script used in an attempted attack against their server:
The script attempted to exploit the Horde/IMP Plesk Webmail Exploit in vulnerable versions of the Plesk control panel. By injecting malicious PHP code in the username field, successful attackers are able to bypass authentication and upload files to the targeted server. These types of attacks could be one avenue used in the DarkLeech compromises. Although not as common as the Plesk remote access vulnerability (CVE-2012-1557) described in the report, it does appear that this vulnerability is being actively exploited. Read More »
The realm of Network security encompasses many perspectives and interests as is evident from the wealth of articles prevalent across the media and availability of various proactive protection measures. One particular technology recognized as integral to securing a network is the Intrusion Prevention System (IPS), which is used to detect and prevent suspected malicious network traffic or behavior. However, an IPS is not just a ‘set-it-and-forget-it’ type of solution. This is because of the necessity of employing current Cisco IPS signatures, which are the lifeblood of the IPS and are essential for it to identify and block attacks against specific vulnerabilities or certain types of threats. Because new threats and vulnerabilities are constantly being discovered, the IPS signature database for an IPS-capable device needs to be kept current to maximize the level of protection that it can provide. If you already use Cisco IPS technology, then you might already be familiar how crucial it is to use the most current IPS signatures. Otherwise, the IPS solution cannot provide optimal protection against new threats and attacks. Cisco IPS owners with a Cisco IPS Services License understand this fact and can receive signature updates as they become available. Signature updates can be installed manually or downloaded and installed automatically using native Cisco IPS capabilities or management tools such as Cisco Security Manager. For those inclined to write their own signatures, Cisco has published documentation on how to write customer signatures for the IPS.
And while the signatures are the “lifeblood” of the IPS and keeping them current is paramount, it is also important to make sure that the underlying operating system is kept up to date on the sensor as well. The underlying operating system and engines decompose and analyze the traffic as it passes through the device. Things like protocol decoding, features, and evasion resistance are handled here. The engines work but do not alert without the signature set as the signatures provide the matching framework for an alert to fire. The same can be said about the signatures. They do not work without the engines. Each requires the other to function and therefore keeping them both current is important.