March Madness May Equal to Malware Madness
Are you excited about March Madness? Turn on a TV and it will be hard to avoid the games, the news, the commentaries, and the jokes about it. If you eavesdrop in any restaurant, bar, or office conversation, I can assure you that you will hear something about it. Even U.S. President Barack Obama filled out a March Madness bracket. Productivity in many offices drops significantly as employees search and watch videos to see how their bracket picks are progressing. At Cisco, we have an open policy and employees can watch and search the scores of their favorite teams. Watch this video posted by CNN where Kip Compton, Cisco’s Video Collaboration Group CTO, talks about March Madness.
A few things to keep in mind:
- Legitimate business sites may have vulnerabilities that allow a hostile site to deliver malware.
- In most drive-by downloads, the victim dismissively clicks through pop-ups and warnings on the way to the desired content. In this case, users may simply click on pop-ups or ads to watch videos about their favorite team.
- Most drive-by downloads can be prevented by keeping software up to date.
Java is one of the major targets nowadays and cyber-criminals are currently leveraging several of its vulnerabilities in preparation for March Madness. This timeline includes some of the recent vulnerabilities. Information on the most recent vulnerabilities is available at the Cisco Security Intelligence Operations (SIO) portal:
- Oracle Java Applet JMX Remote Code Execution Vulnerability
- Oracle Java Security Manager Security Bypass Arbitrary Code Execution Vulnerability
- Oracle Java SE Security Bypass Arbitrary Code Execution Vulnerabilities
- Oracle Java AWT Image Transform Remote Code Execution Vulnerability
- Oracle Java SE Critical Patch Update Advisory
Additionally, security researchers recently released details on multiple new instances of certain types of vulnerabilities in Java. It is still recommended that you disable Java in web browsers. The following links provide instructions on how to disable Java in various web browsers:
- How to disable the Java web plug-in for Safari
- How to disable plug-ins for Chrome
- How to turn off Java applets for Firefox
- How to disable the Java web plug-in for Internet Explorer
If you are using Java 7 Update 10 or later, you can execute the Java installer with the WEB_JAVA=0 command-line option. Oracle’s Java documentation has more detailed information about this feature.
Java vulnerabilities are certainly not the only challenge. Every day exploit-kits and other “crimeware” tools are used by cyber-criminals to attack other vulnerable and outdated browser plug-ins, as well as client software such as Adobe Flash, Acrobat Reader, ColdFusion, and many others. For instance, you might remember the Adobe Reader and Acrobat sandbox bypass arbitrary code execution vulnerabilities (CVE-2013-0640 and CVE-2013-0641) back in February. These vulnerabilities could allow an unauthenticated, remote attacker to execute arbitrary code on affected systems. The ColdFusion vulnerabilities (CVE-2013-0625, CVE-2013-0629, CVE-2013-0631, and CVE-2013-0632) are recent examples that are still being exploited in the wild.
Regarding web browser plug-ins, please keep in mind that many of them do not update automatically. You can use tools such as Mozilla’s plug-in check to verify that you are running the latest versions of the plug-ins installed in your browser.
Note: For those of you that may be interested in learning how web browser plug-ins work on a more technical level, Google has a great document that describes Chrome plug-in architecture and Mozilla has one that describes the plug-in architecture in Firefox.
Mobile Devices Are Not Immune!
Mobile device malware is increasing at a very rapid pace. For example, Android malware grew 2577 percent over 2012 (more information in our Annual Security Report). In other words, the post-PC malware threat is already happening and it is here to stay. Mobile devices have become the favorite target for many cyber-criminals because, unfortunately, even basics as simple as password management are very weak on them. A large number of users simply do not use basic, common-sense password protection on their handsets or tablets.
It might not be the most groundbreaking bit of advice, but staying current with all the security updates for Android, Apple iOS, and others is extremely important. Download apps from respected sources! Mobile device users must try to avoid malicious and compromised mobile apps. That may be common sense, but folks are currently bypassing vendor marketplaces such as Google Play and the Apple App Store to download “free games and free apps.” Many times, these free apps come with other gifts (i.e., malware).
Enterprise Security Professionals Look Out!
Command and Control (C&C) is the interface between the victims and the attackers. The attacker commands the C&C, and the C&C commands the malware installed on victims’ systems. Historically, these have been controlled using Internet Relay Chat (IRC) because of its simplicity, flexibility, and ease of administration. However, these days, a lot of C&C is happening over encrypted channels (TLS/HTTPS) and Tor.
DNS monitoring is one of the few things that can still be done in that case. Many of these attacks leverage dynamic DNS. Passive DNS monitoring is a great tool for finding additional malicious IP addresses and hostnames. Even if you don’t have the expertise and capability to deploy elaborate techniques such as your own ISC DNS Database, at the very least you should only allow DNS queries to go through internal recursive servers. Prevent clients from directly querying external DNS servers (i.e., only permit known “safe” servers).
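As an added illustration of the two checks above (not code from the original post), the following script scans constructed firewall flow records and resolver query logs: it flags clients that send port-53 traffic to anything other than the approved internal recursive resolvers, and clients that look up names under dynamic DNS provider domains. The resolver addresses, log format, and dynamic DNS suffix list are all assumptions for the example.

```python
import re
from collections import defaultdict

# Internal recursive resolvers clients are allowed to query (assumed addresses).
APPROVED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}

# Dynamic DNS provider suffixes to watch (hypothetical list; extend from your own intel).
DYNAMIC_DNS_SUFFIXES = ("dyndns.org", "no-ip.org", "hopto.org")

# Constructed sample log lines (not real traffic): firewall records for outbound
# port-53 flows, followed by query logs from the internal resolver.
SAMPLE_LOGS = """\
fw: src=10.0.5.21 dst=10.0.0.53 proto=udp dport=53
fw: src=10.0.5.21 dst=198.51.100.53 proto=udp dport=53
fw: src=10.0.5.40 dst=10.0.1.53 proto=udp dport=53
fw: src=10.0.5.40 dst=203.0.113.7 proto=tcp dport=53
dns: client=10.0.5.21 query=update.example.com
dns: client=10.0.5.33 query=host42.dyndns.org.
dns: client=10.0.5.33 query=notdyndns.org
"""

FW_RE = re.compile(r"fw: src=(\S+) dst=(\S+) proto=\w+ dport=53")
DNS_RE = re.compile(r"dns: client=(\S+) query=(\S+)")


def is_dynamic_dns(qname):
    """True if qname equals or sits under a watched suffix (label boundary respected)."""
    q = qname.lower().rstrip(".")
    return any(q == s or q.endswith("." + s) for s in DYNAMIC_DNS_SUFFIXES)


def analyze(log_text):
    """Return two dicts: client -> external resolvers contacted directly,
    and client -> dynamic DNS names queried."""
    direct_external = defaultdict(set)
    ddns_queries = defaultdict(set)
    for line in log_text.splitlines():
        m = FW_RE.match(line)
        if m:
            src, dst = m.groups()
            if dst not in APPROVED_RESOLVERS:
                direct_external[src].add(dst)
            continue
        m = DNS_RE.match(line)
        if m and is_dynamic_dns(m.group(2)):
            ddns_queries[m.group(1)].add(m.group(2))
    return dict(direct_external), dict(ddns_queries)
```

Either finding is a starting point for passive DNS pivoting: the external resolver and the dynamic DNS hostname are the values to look up for related infrastructure.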
Most of these attacks can leave a trail that can be used to identify subsequent attempts to perform the same or similar actions. There are many best practices that can be used to protect against some of these attacks. The following are a few resources that can help you maintain a good level of security within your network and your users:
- Identifying and Correlating Attack Indicators
- DNS Best Practices, Network Protections, and Attack Identification
- Understanding SQL Injection
- Understanding Cross-Site Scripting (XSS) Threat Vectors
- Other Tactical Resources
Whether your team is Duke, Memphis, Oregon, or Michigan State, regardless of whether they play good defense, you must always maintain a good defense against the bad guys out there. Comments are welcome about your favorite team or favorite best practice to combat the bad guys these days.