Cisco Blogs


Cisco Blog > Security

Coordinated Attacks Against the U.S. Government and Banking Infrastructure

Prologue

On April 10, 2013, a collective of politically motivated hacktivists announced a round of planned attacks called #OPUSA. These attacks, slated to begin May 7, 2013, are to be launched against U.S.-based targets. #OPUSA is a follow-up to #OPISRAEL, which were a series of attacks carried out on April 7 against Israeli-based targets. Our goal here is to summarize and inform readers of resources, recommendations, network mitigations, and best practices that are available to prevent, mitigate, respond to, or dilute the effectiveness of these attacks. This blog was a collaborative effort between myself, Kevin TimmJoseph KarpenkoPanos Kampanakis, and the Cisco TRAC team.

Analysis

If the attackers follow the same patterns as previously witnessed during the #OPISRAEL attacks, then targets can expect a mixture of attacks. Major components of previous attacks consisted of denial of service attacks and web application exploits, ranging from advanced ad-hoc attempts to simple website defacements. In the past, attackers used such tools as LOICHOIC, and Slowloris.

Publicly announced attacks of this nature can have highly volatile credibility. In some cases, the announcements exist only for the purpose of gaining notoriety. In other cases, they are enhanced by increased publicity. Given the lack of specific details about participation or capabilities, the exact severity of the attack can’t be known until it (possibly) happens. Read More »

Tags: , , , , , , , , , , , , , , , , , , ,

Linux/CDorked FAQs

Last Friday (April 26), ESET and Sucuri simultaneously blogged about the discovery of Linux/CDorked, a backdoor impacting Apache servers running cPanel. Since that announcement, there has been some confusion surrounding the exact nature of these attacks. Rather than reinvent the analysis that has already been done, this blog post is intended to clear up some of the confusion.

When did Linux/CDorked first appear?
According to Cisco TRAC analysis, the first encounter was on March 4, 2013.

How is Linux/CDorked related to DarkLeech?
The appearance of Linux/CDorked coincided with a drop in the number of DarkLeech infections, an indication the attacker(s) may be one and the same.

Unlike DarkLeech, the Linux/CDorked infections appear to be only targeting Apache servers with cPanel installed. Conversely, DarkLeech was found on servers running a variety of control panels (or not).  Read More »

Tags: , , , , , ,

Possible Exploit Vector for DarkLeech Compromises

April 24, 2013 at 5:34 am PST

Often it is quite surprising how long old, well-known vulnerabilities continue to be exploited. Recently, a friend sent me an example of a malicious script used in an attempted attack against their server:

injection_attempt_1

The script attempted to exploit the Horde/IMP Plesk Webmail Exploit in vulnerable versions of the Plesk control panel. By injecting malicious PHP code in the username field, successful attackers are able to bypass authentication and upload files to the targeted server. These types of attacks could be one avenue used in the DarkLeech compromises. Although not as common as the Plesk remote access vulnerability (CVE-2012-1557) described in the report, it does appear that this vulnerability is being actively exploited.  Read More »

Tags: , , , , , ,

Latest Oracle Java Patches and Security Best Practices

Java exploits account for 87% of total web exploits - Cisco 2013 Annual Security Report

This month’s release of the Oracle Java SE Critical Patch Update includes patches for 42 vulnerabilities. Vulnerabilities in the Oracle Java SE Java Runtime Environment (JRE) component have received widespread attention as of late because of the potential for an attacker to bypass security restrictions, access sensitive information, execute arbitrary code, or cause a denial of service condition. To make matters worse, Java vulnerabilities are often harnessed by exploit packs with tremendous success.

Many in the industry, as well as Cisco analysts, advise against having Java installed unless absolutely necessary. And if you must have Java installed, they advise using only the Java plug-in and Java Web Start provided with the latest JDK or JRE 7 release. But is there more to it than that?  Read More »

Tags: , , , , ,

London Calling

The Infosec London Conference is coming up this week, running April 23-25 at the Earl’s Court Exhibition Center. Cisco will be there of course, in a booth showing the latest Cisco security innovations and presenting four papers on:

• “Securely Accelerate Access to Data Center Applications” (Tuesday, April 23, 10:30)
• “The Changing Landscape of Identity: Is 802.1X Enough?” (Tuesday, April 23, 16:00)
• “Outbound Content Security” (Wednesday, April 24, 10:30)
• “BYOD Demo—Onboarding the iPad With Cisco Identity Services Engine” (Thursday, April 25, 10:30)

While taking in Cisco content at the show is definitely a must do item, I have a little insider travel tip to impart. Show goers should also check out the small and emerging companies usually found next to the walls in the convention hall. Read More »

Tags: , , , , , ,