Researchers from Kaspersky Lab have released information about a large-scale cyber espionage campaign called Operation Red October (otherwise known as Rocra). The report has garnered the attention of multiple news agencies and generated many published articles since the Kaspersky report has claimed that attackers were targeting hundreds of diplomatic, governmental, and scientific organizations in numerous countries.
These reports indicate that the command-and-control (C&C) infrastructure used in these attacks receives stolen information through more than 60 domain names to hide its identity. Furthermore, this information appears to be funneled into a second tier of proxy servers. These are very clever attacks that many are now claiming have been taking place for more than five years! Red October is being compared with other malware that has been associated with cyber espionage such as Duqu, Flame, and Gauss.
In its paper, Kaspersky indicated that at least three different exploits for previously known vulnerabilities in Microsoft Office products were used in these attacks:
- CVE-2009-3129 - Microsoft Office Excel Featheader Record Processing Arbitrary Code Execution Vulnerability
- CVE-2010-3333 - Microsoft Office Rich Text Format Content Processing Buffer Overflow Vulnerability
- CVE-2012-0158 - Microsoft MSCOMCTL.OCX ActiveX Control Remote Code Execution Vulnerability
A later report claims that the Oracle Java Applet Rhino Script Engine arbitrary code execution vulnerability documented in CVE-2011-3544 was used by one of the command and control servers in the Red October infrastructure.
Cisco Security Intelligence Operations (SIO) provides an array of security resources to help customers secure their networks in response to events such as Microsoft Patch Tuesdays. This collateral is not unique to Microsoft Patch Tuesdays, but instead is part of Cisco SIO's response to current security events. The following are some of the resources:
- Event Responses provide information about security events that have the potential for widespread impact on customer networks, applications, and devices.
- Applied Mitigation Bulletins (AMBs) provide techniques to detect and mitigate exploits on Cisco products.
- IPS Signatures are created to detect and block security threats.
- IntelliShield Alerts provide multi-vendor early-warning intelligence, threat and vulnerability analysis.
The following table associates the Microsoft vulnerabilities with the resources published by Cisco SIO to help provide awareness of and protection against these vulnerabilities:
Once again, the aforementioned vulnerabilities have been disclosed and patched for quite some time; however, cyber criminals are still successfully exploiting them.
Note: Customers using Cisco IPS solutions have also been protected via signatures delivered for all three vulnerabilities.
A patch management process is a critical component of any infrastructure. Security best practices, and the use of common knowledge by security, network, and systems administrators to identify and analyze metrics in each security process, procedure, or operational area, are of extreme importance.
Cisco Device Configuration Harvesting
Additionally, the malware in question has been observed to harvest the configurations of Cisco networking equipment. Cisco PSIRT has been in direct communication with the research team at Kaspersky and has received confirmation from them that the network device configurations and other information were obtained by exploiting weak Simple Network Management Protocol (SNMP) community strings and network device passwords. These attacks were not due to a known or unknown Cisco vulnerability. The malware contained a large list of hardcoded, commonly used SNMP community strings that were used to attack infrastructure devices.
Opportunistic criminals can be expected to leverage default or weak passwords and SNMP community strings. Why? Because it is easy! And people continue to use them! Many successful breaches, historically and today, start with a weak or default password, or with stolen and reused credentials.
Examples of weak passwords include:
- Dictionary words including words in many different languages.
- Words with numbers such as: cisco123, password1, mypassword123, etc.
- Default passwords from vendors that are meant to be changed at installation time. Several lists of default passwords are widely available online.
- Words with simple obfuscation: p4ssw0rd, P@ssw0rd, C1sco, C1sco123
- Doubled words: passwordpassword, ciscocisco, passpass
- Well known numbers such as 911, 314159 (pi) etc.
- Common sequences from a keyboard row: 1qaz2wsx, 123qwe, qwerty, etc.
- Personal information such as current or past telephone numbers, address, previous addresses, birthdays, sports teams, userids, etc.
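The weak-credential patterns listed above, together with the SNMP community-string abuse described earlier, can be turned into a simple configuration audit that a defender can run before a device is exposed. The following Python script is an added example and is not code from Cisco, Kaspersky, or this post; the running-config excerpt and the community strings in it are constructed, the 12-character minimum length is an assumed threshold, and the parser handles only the common `snmp-server community <string> [view <name>] [RO|RW] [<acl>]` form rather than the full IOS syntax.

```python
import re

# Constructed IOS-style running-config excerpt (hypothetical device, not a real config).
SAMPLE_CONFIG = """\
!
hostname edge-router
!
snmp-server community public RO
snmp-server community cisco123 RW
snmp-server community P@ssw0rd RO 10
snmp-server community Xk8#vQ2!mL9pR4wT RO 10
access-list 10 permit 192.0.2.10
!
"""

# Heuristics mirroring the post's list of weak-password patterns.
COMMON_WORDS = {"public", "private", "password", "pass", "cisco", "admin", "secret", "snmp"}
KEYBOARD_SEQUENCES = ("1qaz2wsx", "123qwe", "qwerty", "asdf", "12345")
WELL_KNOWN_NUMBERS = ("911", "314159", "1234")
# Simple leetspeak substitutions reversed so that P@ssw0rd and C1sco collapse to dictionary words.
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "!": "i"})
MIN_LENGTH = 12  # assumed threshold for this example

SNMP_RE = re.compile(
    r"^snmp-server community (\S+)(?:\s+view\s+\S+)?(?:\s+(RO|RW))?(?:\s+(\S+))?\s*$",
    re.M | re.I,
)


def deobfuscate(s):
    """Undo common character substitutions (p4ssw0rd -> password)."""
    return s.translate(LEET)


def weakness_reasons(secret):
    """Return a list of reasons the secret matches a weak-credential pattern (empty if none)."""
    reasons = []
    s = secret.lower()
    stripped = re.sub(r"\d+$", "", s)  # drop trailing digits: cisco123 -> cisco
    if len(secret) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if s in COMMON_WORDS:
        reasons.append("dictionary word")
    if stripped != s and stripped in COMMON_WORDS:
        reasons.append("dictionary word with numbers appended")
    if any(seq in s for seq in KEYBOARD_SEQUENCES):
        reasons.append("keyboard-row sequence")
    if s in WELL_KNOWN_NUMBERS or s.isdigit():
        reasons.append("well-known or all-numeric value")
    half = len(s) // 2
    if len(s) >= 4 and len(s) % 2 == 0 and s[:half] == s[half:]:
        reasons.append("doubled word")
    for cand in (s, stripped):
        d = deobfuscate(cand)
        if d != cand and d in COMMON_WORDS:
            reasons.append("simple obfuscation of a dictionary word")
            break
    return reasons


def audit_snmp(config_text):
    """Parse snmp-server community lines and report weak strings, RW access and missing ACLs."""
    acls = set(re.findall(r"^access-list (\d+)\s", config_text, re.M))
    acls |= set(re.findall(r"^ip access-list (?:standard|extended) (\S+)", config_text, re.M))
    findings = []
    for m in SNMP_RE.finditer(config_text):
        community, mode, acl = m.group(1), (m.group(2) or "RO").upper(), m.group(3)
        reasons = weakness_reasons(community)
        if acl is None:
            reasons.append("no access list restricts SNMP managers")
        elif acl not in acls:
            reasons.append(f"access list {acl} is referenced but not defined")
        if mode == "RW":
            reasons.append("read-write access")
        findings.append({"community": community, "mode": mode, "acl": acl, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_snmp(SAMPLE_CONFIG):
        status = "OK" if not f["reasons"] else "WEAK: " + "; ".join(f["reasons"])
        print(f"{f['mode']} community {f['community']!r} (acl={f['acl']}): {status}")
```

Run it against a saved `show running-config` output instead of `SAMPLE_CONFIG` to get a per-community list of findings; a string that passes every heuristic is still only as good as the access list and the SNMP version that protect it, which is why the audit also flags communities with no ACL and any read-write community.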
Cisco has created a collection of device hardening guides that contains information to help you secure your infrastructure devices. The following are a few examples:
- Cisco Guide to Harden Cisco IOS Devices
- Cisco Guide to Harden Cisco IOS XR Devices
- Cisco TelePresence Hardening Guide
- Cisco Guide to Securing Cisco NX-OS Software Devices
- Cisco ASA SNMP and Administration Documentation
- Cisco Unified Communications Security Guide
Many more resources and whitepapers are available at the Cisco Security Intelligence Operations portal.