Red October in January: The Cyber Espionage Era

Jan 15, 2013 1:11 PM

Researchers from Kaspersky Lab have released information about a large-scale cyber espionage campaign called Operation Red October (otherwise known as Rocra). The report has garnered the attention of multiple news agencies and generated many published articles, since Kaspersky claims that the attackers targeted hundreds of diplomatic, governmental, and scientific organizations in numerous countries.

These reports indicate that the command-and-control (C&C) infrastructure used in these attacks receives stolen information through more than 60 domain names that hide its identity. Furthermore, this information appears to be funneled into a second tier of proxy servers. These are very clever attacks that many now claim have been taking place for more than five years! Red October is being compared with other malware associated with cyber espionage, such as Duqu, Flame, and Gauss.

In its paper, Kaspersky indicated that at least three different exploits for previously known vulnerabilities in Microsoft Office products were used in these attacks:

  • CVE-2009-3129 - Microsoft Office Excel Featheader Record Processing Arbitrary Code Execution Vulnerability
  • CVE-2010-3333 - Microsoft Office Rich Text Format Content Processing Buffer Overflow Vulnerability
  • CVE-2012-0158 - Microsoft MSCOMCTL.OCX ActiveX Control Remote Code Execution Vulnerability

A later report claims that the Oracle Java Applet Rhino Script Engine arbitrary code execution vulnerability documented in CVE-2011-3544 was used by one of the command-and-control servers in the Red October infrastructure.

Cisco Security Intelligence Operations (SIO) provides an array of security resources to help customers secure their networks in response to events such as Microsoft Patch Tuesdays. This collateral is not unique to Microsoft Patch Tuesdays, but instead is part of Cisco SIO's response to current security events. The following are some of the resources:

  • Event Responses provide information about security events that have the potential for widespread impact on customer networks, applications, and devices.
  • Applied Mitigation Bulletins (AMBs) provide techniques to detect and mitigate exploits on Cisco products.
  • IPS Signatures are created to detect and block security threats.
  • IntelliShield Alerts provide multi-vendor early-warning intelligence, threat and vulnerability analysis.

The following table associates the Microsoft and Oracle vulnerabilities with the resources that Cisco SIO published to help provide awareness and protection for these vulnerabilities:

Exploited Vulnerability: MS12-027: Vulnerability in Windows Common Controls Could Allow Remote Code Execution
  • Cisco SIO Resources: Vulnerability Alert: Microsoft MSCOMCTL.OCX ActiveX Control Remote Code Execution Vulnerability; Event Response: Microsoft Security Bulletin Release for April 2012; Applied Mitigation Bulletin: Microsoft Security Bulletin Release for April 2012
  • CVE ID: CVE-2012-0158
  • Cisco Mitigations: Cisco IOS NetFlow, Cisco ASA/ASASM/FWSM, Cisco ACE, Cisco Security Manager, Cisco IPS Signature 1131-0
  • CVSS Base Score: 9.3

Exploited Vulnerability: MS10-087: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution
  • Cisco SIO Resources: Vulnerability Alert: Microsoft Office Rich Text Format Content Processing Buffer Overflow Vulnerability; Event Response: Microsoft Security Bulletin Release for November 2010; Applied Mitigation Bulletin: Microsoft Security Bulletin Release for November 2010
  • CVE ID: CVE-2010-3333
  • Cisco Mitigations: Cisco IPS Signature 31239-0, Cisco IPS Signature 31239-1
  • CVSS Base Score: 9.3

Exploited Vulnerability: MS09-067: Vulnerabilities in Microsoft Office Excel Could Allow Remote Code Execution
  • Cisco SIO Resources: Vulnerability Alert: Microsoft Office Excel Featheader Record Processing Arbitrary Code Execution Vulnerability; Event Response: Microsoft Security Bulletin Release for November 2009; Applied Mitigation Bulletin: Microsoft Security Bulletin Release for November 2009
  • CVE ID: CVE-2009-3129
  • Cisco Mitigations: Cisco IPS Signature 21920-0, Cisco IPS Signature 22083-0
  • CVSS Base Score: 9.3

Exploited Vulnerability: Oracle Java Critical Patch Update (CPU) - October 2011: Oracle Java Applet Rhino Script Engine Arbitrary Code Execution Vulnerability
  • Cisco SIO Resources: Vulnerability Alert: Oracle Java Applet Rhino Script Engine Arbitrary Code Execution Vulnerability
  • CVE ID: CVE-2011-3544
  • Cisco Mitigations: none listed
  • CVSS Base Score: 10.0

Once again, the aforementioned vulnerabilities have been disclosed and patched for quite some time; however, cyber criminals are still successfully exploiting them.

Note: Customers using Cisco IPS solutions have also been protected via signatures delivered for all three Microsoft vulnerabilities.

A patch management process is a critical component of any infrastructure. It is extremely important that security, network, and systems administrators follow security best practices and apply common knowledge to identify and analyze metrics in each security process, procedure, and operational area.

Cisco Device Configuration Harvesting

Additionally, the malware in question has been observed to harvest the configurations of Cisco networking equipment. Cisco PSIRT has been in direct communication with the research team at Kaspersky and has received confirmation from them that the network device configurations and other information were obtained by exploiting weak Simple Network Management Protocol (SNMP) community strings and network device passwords. These attacks were not due to a known or unknown Cisco vulnerability. The malware contained a large list of hardcoded, commonly used SNMP community strings that were used against infrastructure devices.

Opportunistic criminals can be expected to leverage default or weak passwords and SNMP community strings. Why? Because it is easy! And people continue to use them! Many successful breaches, historically and today, start with a weak or default password, or with stolen and reused credentials.

Examples of weak passwords include:

  • Dictionary words, including words in many different languages.
  • Words with numbers, such as cisco123, password1, mypassword123, etc.
  • Default passwords from vendors that are meant to be changed at installation time. Several lists of default passwords are widely available online.
  • Words with simple obfuscation: p4ssw0rd, P@ssw0rd, C1sco, C1sco123
  • Doubled words: passwordpassword, ciscocisco, passpass
  • Well-known numbers such as 911, 314159 (pi), etc.
  • Common sequences from a keyboard row: 1qaz2wsx, 123qwe, qwerty, etc.
  • Personal information such as current or past telephone numbers, current or previous addresses, birthdays, sports teams, user IDs, etc.
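The weak-password categories listed above, together with the SNMP community-string finding from the previous section, can be turned into a simple configuration audit. The following Python script is an added example written for this post; it is not Cisco's code and not part of the original article. It classifies a candidate string against the categories above (dictionary words, words with trailing numbers, simple character obfuscation, doubled words, well-known numbers, keyboard sequences, vendor defaults, and caller-supplied personal tokens) and then applies that classifier to the community strings found on IOS-style `snmp-server community` lines. The word lists, the vendor-default list, the config fragment, and the assumption that community lines take the common `<string> [view NAME] [RO|RW] [ACL]` form are all constructed for the example; a real audit would use full dictionaries and the published default-password lists the post refers to.

```python
import re

# Constructed sample word lists (an assumption): a real audit would load full dictionaries
# in several languages plus the published vendor-default lists the post mentions.
DICTIONARY_WORDS = {"password", "cisco", "secret", "admin", "welcome", "letmein",
                    "pass", "mypassword", "private", "public"}
VENDOR_DEFAULT_COMMUNITIES = {"public", "private", "cisco", "admin", "write", "read"}
WELL_KNOWN_NUMBERS = {"911", "314159", "112", "007", "666", "1234", "123456"}
# Keyboard rows plus the common column walk (1qaz2wsx...), used to spot key sequences.
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm",
                 "1qaz2wsx3edc4rfv5tgb6yhn7ujm"]
# Undo the simple substitutions of the p4ssw0rd / P@ssw0rd / C1sco style.
LEET_MAP = str.maketrans({"4": "a", "@": "a", "3": "e", "1": "i", "!": "i",
                          "0": "o", "$": "s", "5": "s", "7": "t", "+": "t"})


def normalize(s):
    """Lower-case and reverse simple obfuscation: 'P@ssw0rd' -> 'password'."""
    return s.lower().translate(LEET_MAP)


def is_keyboard_sequence(s, min_run=3):
    """True when s is built entirely from runs of adjacent keys (qwerty, 1qaz2wsx, 123qwe)."""
    if len(s) < min_run:
        return False
    i = 0
    while i < len(s):
        best = 0
        for row in KEYBOARD_ROWS:
            for j in range(len(s), i + min_run - 1, -1):   # longest run first
                chunk = s[i:j]
                if chunk in row or chunk[::-1] in row:
                    best = max(best, j - i)
                    break
        if best == 0:
            return False
        i += best
    return True


def weakness_reasons(candidate, personal_tokens=()):
    """Return the weak-password categories from the post that the candidate matches ([] = none)."""
    raw = candidate.lower()
    reasons = []
    if raw in VENDOR_DEFAULT_COMMUNITIES:
        reasons.append("vendor default")
    word, digits = raw, ""
    m = re.match(r"^(.+?)(\d+)$", raw)          # split 'cisco123' into 'cisco' + '123'
    if m:
        word, digits = m.group(1), m.group(2)
    if word in DICTIONARY_WORDS or normalize(word) in DICTIONARY_WORDS:
        reasons.append("dictionary word with numbers" if digits else "dictionary word")
        if normalize(word) != word:
            reasons.append("simple obfuscation")
    norm = normalize(raw)
    half = len(norm) // 2
    if len(norm) >= 6 and len(norm) % 2 == 0 and norm[:half] == norm[half:]:
        reasons.append("doubled word")
    if raw in WELL_KNOWN_NUMBERS:
        reasons.append("well-known number")
    if is_keyboard_sequence(raw):
        reasons.append("keyboard sequence")
    for token in personal_tokens:               # user ID, phone number, team name, ...
        if len(token) >= 3 and token.lower() in raw:
            reasons.append(f"contains personal information ({token})")
            break
    return reasons


SNMP_COMMUNITY_RE = re.compile(r"^\s*snmp-server community (\S+)(.*)$", re.MULTILINE)


def audit_snmp_communities(config_text):
    """Return {community: [reasons]} for risky 'snmp-server community' lines in an IOS-style config.
    Assumes the common form '<string> [view NAME] [RO|RW] [ACL]', not the full IOS grammar."""
    findings = {}
    for m in SNMP_COMMUNITY_RE.finditer(config_text):
        community, tokens = m.group(1), m.group(2).split()
        if "view" in tokens:                    # drop the 'view NAME' pair
            i = tokens.index("view")
            del tokens[i:i + 2]
        reasons = weakness_reasons(community)
        if "RW" in tokens:
            reasons.append("read-write access")
        if not [t for t in tokens if t not in ("RO", "RW")]:
            reasons.append("no access-list restricting SNMP sources")
        if reasons:
            findings[community] = reasons
    return findings


# Constructed configuration fragment (not from any real device).
SAMPLE_CONFIG = """\
hostname edge-rtr-1
!
snmp-server community public RO
snmp-server community c1sco123 RW
snmp-server community 7Kq!vL2#pRw9xZ RO 10
snmp-server location DC-1
"""

if __name__ == "__main__":
    for community, reasons in audit_snmp_communities(SAMPLE_CONFIG).items():
        print(f"{community!r}: {', '.join(reasons)}")
```

Running the script against the constructed fragment reports `public` (a vendor default and dictionary word with no source access-list) and `c1sco123` (an obfuscated dictionary word with numbers, granted read-write access without an access-list), while the long random community protected by an access-list produces no finding. The read-write and missing-access-list checks go slightly beyond the post's list: they flag configuration choices that make a guessed community string more damaging, not weaknesses of the string itself.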

A few general guidelines on how to create secure and meaningful passwords are posted here.

Cisco has created a collection of device hardening guides that contains information to help you secure your infrastructure devices. The following are a few examples:

Many more resources and whitepapers are available at the Cisco Security Intelligence Operations portal.
