Monthly Security Bulletin. Indian Computer Emergency Response Team. Department of Electronics and Information Technology

What is the main source of the vulnerabilities discovered during March 2015?
What does a request contain that can be used to perform arbitrary actions?
Who conducted security trainings for various agencies?

Transcription

1 Indian Computer Emergency Response Team Department of Electronics and Information Technology Ministry of Communications and Information Technology Government of India Monthly Security Bulletin March 2015

2 2 TABLE OF CONTENTS Comparison at a Glance 3 Cyber Intrusion Trends 4 Indian Website Defacements 7 Prevalent Global Attack Trends 11 Trainings Conducted by CERT-IN 12 Security Alerts 13 Malicious Code Threats 16 Security News 17

3 3 Comparison at a Glance 8.4% 3.8% Feb % 11 % 56.6 % 27.6 % % 25 % Mar-15 Figure 1: Trend Analysis Feb 2015-March 2015 March 2015 witnessed a decreased level of incidents related to spamming and incidents in others category. On the other hand incidents related to phishing, malicious code, network scanning, open proxy servers, websites infected with malicious content and website defacement witnessed an upward trend as compared to last month.

4 4 Cyber Intrusion Trends A total of 5810 security incidents including phishing, virus/malicious code, network scanning/probing, spam, spread of malware through website compromise and technical help under others category were reported to CERT-In from various National/International agencies in March, In addition, a total of 1939 Indian websites were defaced in March,2015.A consolidated picture of security incidents reported in March, 2015 and website defacements tracked by CERT-In during that period is shown in the pie chart below. The pie chart below indicates that 61.7% and 34.7% of reported incidents belonged to spam and website defacement categories respectively. Alongside 1.2%, 0.5%, 0.4 % incidents were related to spread of malware through website intrusion, phishing and technical help under others categories respectively. Malicious code and network scanning categories comprised of only 0.2% and 1.4% of the total incidents respectively in March, In this month CERT -In tracked bot-infected computers existing in India. The concerned ISPs were intimated to disinfect the bot infected systems to mitigate botnets. 0.4% 1.4% 0.5% 0.2% 34.7% 61.7% 1.2% Phishing Malicious Code Defacemnt WIMP Spam Network Scanning Others Figure 2: Cyber Intrusion during March 2015

5 spam incidents were reported to CERT-In March, spam involves nearly identical messages sent to numerous recipients by that may include malware as scripts, executable file attachments or hyperlinks. Clicking on the links in spam may send users to phishing web sites or sites that are hosting malware Oct-14 Nov-14 Dec-14 Jan-15 Feb-15 Mar-15 Figure 3: Statistics of Spam tracked during Oct-14 to Mar-15 CERT-In tracked 157 Open Proxy Servers functioning in India during March, Any proxy server that doesn't restrict its client base to its own set of clients and allows any other client to connect to it is known as an open proxy server. An open proxy server will accept client connections from any IP address and make connections to any Internet resource. All the concerned ISPs were alerted immediately to shut down the open proxy servers Oct-14 Nov-14 Dec-14 Jan-15 Feb-15 Mar-15 Figure 4: Statistics of Open Proxy Servers tracked during Oct-14 to Mar-15

6 6 CERT-In is tracking malicious web sites/urls on regular basis. In this month CERT-In tracked 70 websites infected with malicious contents. A user visiting these websites/urls is redirected to malicious sites which downloading malicious code such as virus, worm, trojan, keylogger, rootkit on to the user's computer. The website owners are informed to remove the infection from these websites and are advised to strengthen the security of their websites Oct-14 Nov-14 Dec-14 Jan-15 Feb-15 Mar-15 Figure 5: Statistics of WIMP tracked during Oct-14 to Mar-15

7 7 Indian Website Defacements A total number of 2014 Indian websites were defaced during March Oct-14 Nov-14 Dec-14 Jan-15 Feb-15 Mar-15 Figure 6: Statistics of Defacements tracked during Oct-14 to Mar-15 The following figure highlights the domain wise statistics of defaced websites during March A total of 459 '.com', 1346 '.in', 132 '.org', 18 '.net' and 59 websites belonging to other domains were defaced in this month com.org.net.in others Figure 7: Statistics of Defacements tracked during March-15

8 8 The following vulnerabilities discovered during March 2015 and some of the previously known vulnerabilities that might have been exploited for website defacements and intrusions: Vendor/Product Vulnerability References Information The WPML plugin before for WordPress does not properly handle multiple actions in a request, which allows remote attackers to bypass nonce checks and perform arbitrary actions via a request containing an action POST parameter, an action GET parameter, and a valid nonce for the action GET parameter. CVE The "menu sync" function in the WPML plugin before for WordPress allows remote attackers to delete arbitrary posts, pages, and menus via a crafted request to sitepress-multilingualcms/menu/menus-sync.php. CVE Integer overflow in the regcomp implementation in the Henry Spencer BSD regex library (aka rxspencer) alpha3.8.g5 on 32-bit platforms, as used in NetBSD through and other products, might allow context-dependent attackers to execute arbitrary code via a large regular expression that leads to a heap-based buffer overflow. CVE SQL injection vulnerability in the WPML plugin before for WordPress allows remote attackers to execute arbitrary SQL commands via the lang parameter in the HTTP Referer header in a wp-link-ajax action to comments/feed. CVE Multiple cross-site request forgery (CSRF) vulnerabilities in admin/class-bulk-editor-list-table.php in the WordPress SEO by Yoast plugin before 1.5.7, 1.6.x before 1.6.4, and 1.7.x before for WordPress allow remote attackers to hijack the authentication of certain users for requests that conduct SQL injection attacks. CVE Multiple SQL injection vulnerabilities in admin/class-bulk-editor-listtable.php in the WordPress SEO by Yoast plugin before 1.5.7, 1.6.x before 1.6.4, and 1.7.x before for WordPress allow remote authenticated users to execute arbitrary SQL commands CVE

9 9 Vendor/Product Vulnerability References Information Cross-site request forgery (CSRF) vulnerability in the Contact Form DB (aka CFDB and contact-form-7-to-database-extension) plugin before for WordPress allows remote attackers to hijack the authentication of administrators for requests that delete all plugin records via a request in the CF7DBPluginSubmissions page to wpadmin/admin.php. CVE Cross-site request forgery (CSRF) vulnerability in the All In One WP Security & Firewall plugin before for WordPress allows remote attackers to hijack the authentication of administrators for requests that delete logs of 404 (aka Not Found) HTTP status codes. CVE SQL injection vulnerability in the All In One WP Security & Firewall plugin before for WordPress allows remote attackers to execute arbitrary SQL commands via unspecified vectors. CVE SQL injection vulnerability in ecomm-sizes.php in the Photocrati theme 4.x for WordPress allows remote attackers to execute arbitrary SQL commands via the prod_id parameter. CVE Multiple SQL injection vulnerabilities in the WonderPlugin Audio Player plugin before 2.1 for WordPress allow remote authenticated users to execute arbitrary SQL commands CVE SQL injection vulnerability in Spider Event Calendar for WordPress allows remote attackers to execute arbitrary SQL commands via the cat_id parameter in a spiderbigcalendar_month action to wp-admin/admin-ajax.php. CVE Unrestricted file upload vulnerability in the fusion_options function in functions.php in the Fusion theme 3.1 for allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension in a fusion_save action, then accessing it via unspecified vectors. CVE

10 10 Vendor/Product Vulnerability References Information The BestWebSoft Google Captcha (aka recaptcha) plugin before 1.13 for WordPress allows remote attackers to bypass the CAPTCHA protection mechanism and obtain administrative access via unspecified vectors. CVE The BestWebSoft Captcha plugin before for WordPress allows remote attackers to bypass the CAPTCHA protection mechanism and obtain administrative access via unspecified vectors. CVE Drupal Open redirect vulnerability in the Services single sign-on server helper (services_sso_server_helper) module for Drupal allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified parameters. CVE Joomla! Multiple SQL injection vulnerabilities in the Web-Dorado ECommerce WD (com_ecommercewd) component for Joomla! allow remote attackers to execute arbitrary SQL commands. CVE Table 1: Defacement related Vulnerabilities

11 11 Prevalent Global Attack Trends Man-in-The-Middle (MiTM) attack in SSL/TLS implementations (MiTM) attack in SSL/TLS implementation The vulnerability exists in Open SSL due to the usage of downgraded RSA export cipher suites. A remote attacker could exploit this vulnerability to decrypt SSL/TLS communication and gain access to sensitive information.

12 12 Trainings Conducted by CERT-IN Workshop on "Cyber Security Threats and Mitigation" on March 05, 2015 Cyber Security Threats and Mitigation A workshop on "Cyber Security Threats and Mitigation"was conducted on 5th March 2015 exclusively for trainee officer's of Army War College. Aim of the workshop was to give an exposure to cyber security threats, latest attack trends and mitigation strategies. Senior trainee officer's from the Army War College attended the workshop.

13 13 Security Alerts The critical and medium vulnerabilities in various Operating Systems, Application software and Network devices discovered during March 2015 are given below: Vendor/Product Title of Vulnerability Discovery/Publish Date CERT-In References GnuTLS GnuTLS Certificate Validation Security Bypass Vulnerability March 31, 2015 CIVN WordPress Multiple Vulnerabilities in WordPress Plugins March 31, 2015 CIVN Wireshark Multiple Vulnerabilities in Wireshark March 30, 2015 CIVN PHP PHP Use after free Vulnerability March 26, 2015 CIVN PHP PHP Buffer Overflow Vulnerability March 26, 2015 CIVN IBM IBM Tivoli Directory Server Information Disclosure Vulnerability March 20, 2015 CIVN Drupal Multiple Vulnerabilities in Drupal March 20, 2015 CIVN Siemens Siemens SPC Controller Series Denial of Service Vulnerability March 20, 2015 CIVN Schneider-electric Schneider Electric Pelco DS-NVs rvctl.dll ActiveX Control Buffer Overflow Vulnerability March 20, 2015 CIVN Cisco Multiple Vulnerabilities in Cisco TelePresence Video Communication Server, Expressway & TelePresence March 19, 2015 CIVN Cisco Cisco Virtual TelePresence Server Serial Console Privileged Access March 19, 2015 CIVN Cisco Cisco Intrusion Prevention System MainApp Secure Socket Layer Denial of Service Vulnerability March 19, 2015 CIVN Adobe Multiple Vulnerabilities in Adobe Flash Player March 19, 2015 CIVN WordPress Multiple Vulnerabilities in WordPress Plugins March 12, 2015 CIVN

14 14 Vendor/Product Title of Vulnerability Discovery/Publish Date CERT-In References Cisco Cisco IOS Software and Cisco IOS XE Software Crafted RADIUS Packet Denial of Service Vulnerability March 12, 2015 CIVN Cisco Cisco Secure Access Control Server Default Tomcat Administration Interface Vulnerability March 12, 2015 CIVN Apple Multiple Vulnerabilities in Apple ios CIVN Denial of Service vulnerability in Windows Remote Desktop Protocol (RDP) CIVN Information Disclosure Vulnerability in Windows Photo Decoder Component CIVN Windows Task Scheduler Service Security Bypass Vulnerability CIVN NETLOGON Service Spoofing Vulnerability in Windows CIVN Multiple Vulnerabilities in Exchange Server CIVN Multiple Privilege Escalation Vulnerabilities in Windows Kernel CIVN Windows PNG Image Processing Information Disclosure Vulnerability CIVN Multiple Vulnerabilities in Windows Kernel-Mode Driver CIVN Office Could Allow Remote Code Execution Vulnerabilities CIVN Multiple Vulnerabilities in Adobe Font Driver CIVN Windows Remote Code Execution Vulnerabilities CIVN VBScript Scripting Engine Remote Code Execution Vulnerability CIVN

15 15 Vendor/Product Title of Vulnerability Discovery/Publish Date CERT-In References Multiple vulnerabilities in Internet Explorer CIVN Security Bypass Vulnerability in Windows Schannel CIVN ISC BIND Denial of Service Vulnerability in ISC BIND March 02, 2015 CIVN Table 2: Security Alerts published in March 2015

16 16 Malicious Code Threats Title of Malicious Code Type Overview Publishing Date References BKDR_ALINA.SM Backdoor This is a new variant of the point-ofsale (PoS) malware family Alina. It was first seen in January This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites. Mar 02, 2015 Trendmicro W2KM_BARTALEX.EU Trojan This Trojan arrives as an attachment to messages spammed by other malware/grayware or malicious users. Once the malicous document is opened, the macro which contains the malware code executes and drops malicious files. Mar 07, 2015 Trendmicro Table 3: Malicious Code threats in March 2015

17 17 Security News Date News Source Yahoo slices your password out of login process, shows off end-to-end encryption March 16, 2015 Yahoo's trying a new approach of guillotining 2FA and discarding the step of having to have a primary password to begin with. Rather, its "on demand" passwords are going to rely solely on the second half of 2FA: namely, the one-use code sent to a mobile phone. Users will have to call up one of the codes every time they access Yahoo Mail. Sophos March 10, 2015 Fixes Stuxnet Bug, Again shipped a bundle of security updates to address more than three dozen vulnerabilities in Windows and associated software. Included in the batch is a fix for a flaw first patched in 2010 the very same vulnerability that led to the discovery of the infamous cyberweapon known as Stuxnet. Krebsonsecurity March 13, 2015 Google Apps Defect Leaks Private WHOIS Data Of 280,000 Google has notified hundreds of thousands of domain registrants that their private WHOIS information has been exposed in the clear, opening them up to identity theft, phishing scams and more. The problem likely lies with one of Google s registrar partners enom and affects 94 percent of the 305,925 domains registered through the partnership. Threatpost March 5, 2015 Warns Schannel Vulnerable to FREAK Attacks issued an advisory warning Windows users that Secure Channel, or Schannel, the Windows implementation of SSL/TLS, is vulnerable to the FREAK attack. Threatpost March 3, 2015 New POS Malware Uses Mailslots to Avoid Detection New point-of-sale malware, LogPOS, has been using Windows mailslots technology that evades detection by allowing the malware to inject code and act like a client while it shuttles stolen credit card numbers off to its command and control server. Threatpost

18 18 Date News Source GitHub suffers 'largest DDoS' attack in site's history March 30, 2015 GitHub is suffering a DDoS attack deemed the largest in the website's history and believed to originate from China. The coding website is a popular repository for projects from game engines to security applications and web app frameworks, and is used by programmers and tech firms to develop and share tools. Zdnet Table 4: Security News in March 2015

19 19 Postal Address: Indian Computer Emergency Response Team (CERT-In) Department of Information Technology Ministry of Communications & Information Technology Government of India Electronics Niketan 6, CGO Complex, Lodhi Road, New Delhi India incident@cert-in.org.in Phone: Fax :