Indian Computer Emergency Response Team Department of Electronics and Information Technology Ministry of Communications and Information Technology Government of India Monthly Security Bulletin March 2015
TABLE OF CONTENTS
Comparison at a Glance
Cyber Intrusion Trends
Indian Website Defacements
Prevalent Global Attack Trends
Trainings Conducted by CERT-In
Security Alerts
Malicious Code Threats
Security News
Comparison at a Glance

Figure 1: Trend Analysis, February 2015 to March 2015 (bar chart of the month-on-month percentage change for each incident category)

March 2015 witnessed a decrease in incidents related to spamming and in the "others" category. Incidents related to phishing, malicious code, network scanning, open proxy servers, websites infected with malicious content and website defacement showed an upward trend compared with the previous month.
Cyber Intrusion Trends

A total of 5810 security incidents were reported to CERT-In by various national and international agencies in March 2015. These comprise phishing, virus/malicious code, network scanning/probing, spam, spread of malware through website compromise, technical help (recorded under the "others" category) and the 2014 Indian website defacements tracked by CERT-In during the month. The pie chart below gives a consolidated picture of these incidents. Spam and website defacement accounted for 61.7% and 34.7% of the reported incidents respectively. Spread of malware through website intrusion, phishing and technical help (others) accounted for 1.2%, 0.5% and 0.4% respectively, while malicious code and network scanning made up only 0.2% and 1.4% of the total.

During the month CERT-In also tracked 1696171 bot-infected computers in India. The concerned ISPs were asked to disinfect the bot-infected systems so as to mitigate the botnets.

Figure 2: Cyber Intrusion during March 2015 (pie chart: Spam 61.7%, Defacement 34.7%, Network Scanning 1.4%, WIMP 1.2%, Phishing 0.5%, Others 0.4%, Malicious Code 0.2%)
3582 email spam incidents were reported to CERT-In in March 2015. Email spam consists of nearly identical messages sent to numerous recipients; the messages may carry malware as scripts, executable attachments or hyperlinks. Clicking a link in a spam email may send the user to a phishing website or to a site hosting malware.

Figure 3: Statistics of spam tracked during Oct-14 to Mar-15
Oct-14: 5919 | Nov-14: 3543 | Dec-14: 4487 | Jan-15: 4371 | Feb-15: 3911 | Mar-15: 3582

CERT-In tracked 157 open proxy servers operating in India during March 2015. A proxy server that does not restrict its client base to its own set of clients, but allows any other client to connect to it, is known as an open proxy server: it accepts client connections from any IP address and makes connections to any Internet resource on their behalf, which lets attackers relay scans, spam and attacks through Indian address space. All the concerned ISPs were alerted immediately to shut down the open proxy servers.

Figure 4: Statistics of open proxy servers tracked during Oct-14 to Mar-15
Oct-14: 251 | Nov-14: 182 | Dec-14: 102 | Jan-15: 143 | Feb-15: 123 | Mar-15: 157
CERT-In tracks malicious websites/URLs on a regular basis. In March 2015 CERT-In tracked 70 websites infected with malicious content. A user visiting such a website/URL is redirected to a malicious site that downloads malicious code such as a virus, worm, trojan, keylogger or rootkit on to the user's computer. The website owners are informed so that they can remove the infection, and are advised to strengthen the security of their websites.

Figure 5: Statistics of WIMP tracked during Oct-14 to Mar-15 (bar chart by month)
Indian Website Defacements

A total of 2014 Indian websites were defaced during March 2015.

Figure 6: Statistics of defacements tracked during Oct-14 to Mar-15 (bar chart by month)

The following figure gives the domain-wise statistics of defaced websites during March 2015. A total of 1346 '.in', 459 '.com', 132 '.org', 18 '.net' and 59 websites under other domains were defaced in this month.

Figure 7: Domain-wise statistics of defacements tracked during March 2015
The following vulnerabilities, discovered during March 2015 or previously known, might have been exploited for website defacements and intrusions:

WordPress
- CVE-2015-2792: The WPML plugin before 3.1.9 for WordPress does not properly handle multiple actions in a request, which allows remote attackers to bypass nonce checks and perform arbitrary actions via a request containing an action POST parameter, an action GET parameter, and a valid nonce for the action GET parameter.
- CVE-2015-2791: The "menu sync" function in the WPML plugin before 3.1.9 for WordPress allows remote attackers to delete arbitrary posts, pages, and menus via a crafted request to sitepress-multilingual-cms/menu/menus-sync.php.
- CVE-2015-2314: SQL injection vulnerability in the WPML plugin before 3.1.9 for WordPress allows remote attackers to execute arbitrary SQL commands via the lang parameter in the HTTP Referer header in a wp-link-ajax action to comments/feed.
- CVE-2015-2293: Multiple cross-site request forgery (CSRF) vulnerabilities in admin/class-bulk-editor-list-table.php in the WordPress SEO by Yoast plugin before 1.5.7, 1.6.x before 1.6.4, and 1.7.x before 1.7.4 for WordPress allow remote attackers to hijack the authentication of certain users for requests that conduct SQL injection attacks.
- CVE-2015-2292: Multiple SQL injection vulnerabilities in admin/class-bulk-editor-list-table.php in the WordPress SEO by Yoast plugin before 1.5.7, 1.6.x before 1.6.4, and 1.7.x before 1.7.4 for WordPress allow remote authenticated users to execute arbitrary SQL commands.
- CVE-2015-1874: Cross-site request forgery (CSRF) vulnerability in the Contact Form DB (aka CFDB and contact-form-7-to-database-extension) plugin before 2.8.32 for WordPress allows remote attackers to hijack the authentication of administrators for requests that delete all plugin records via a request in the CF7DBPluginSubmissions page to wp-admin/admin.php.
- CVE-2015-0895: Cross-site request forgery (CSRF) vulnerability in the All In One WP Security & Firewall plugin before 3.9.0 for WordPress allows remote attackers to hijack the authentication of administrators for requests that delete logs of 404 (Not Found) HTTP status codes.
- CVE-2015-0894: SQL injection vulnerability in the All In One WP Security & Firewall plugin before 3.8.8 for WordPress allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
- CVE-2015-2216: SQL injection vulnerability in ecomm-sizes.php in the Photocrati theme 4.x for WordPress allows remote attackers to execute arbitrary SQL commands via the prod_id parameter.
- CVE-2015-2199: Multiple SQL injection vulnerabilities in the WonderPlugin Audio Player plugin before 2.1 for WordPress allow remote authenticated users to execute arbitrary SQL commands.
- CVE-2015-2196: SQL injection vulnerability in Spider Event Calendar 1.4.9 for WordPress allows remote attackers to execute arbitrary SQL commands via the cat_id parameter in a spiderbigcalendar_month action to wp-admin/admin-ajax.php.
- CVE-2015-2194: Unrestricted file upload vulnerability in the fusion_options function in functions.php in the Fusion theme 3.1 for WordPress allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension in a fusion_save action, then accessing it via unspecified vectors.
- CVE-2015-0890: The BestWebSoft Google Captcha (aka recaptcha) plugin before 1.13 for WordPress allows remote attackers to bypass the CAPTCHA protection mechanism and obtain administrative access via unspecified vectors.
- CVE-2014-9283: The BestWebSoft Captcha plugin before 4.0.7 for WordPress allows remote attackers to bypass the CAPTCHA protection mechanism and obtain administrative access via unspecified vectors.

NetBSD / Henry Spencer BSD regex library
- CVE-2015-2305: Integer overflow in the regcomp implementation in the Henry Spencer BSD regex library (aka rxspencer) alpha3.8.g5 on 32-bit platforms, as used in NetBSD through 6.1.5 and other products, might allow context-dependent attackers to execute arbitrary code via a large regular expression that leads to a heap-based buffer overflow.

Drupal
- CVE-2015-2215: Open redirect vulnerability in the Services single sign-on server helper (services_sso_server_helper) module for Drupal allows remote attackers to redirect users to arbitrary websites and conduct phishing attacks via unspecified parameters.

Joomla!
- CVE-2015-2562: Multiple SQL injection vulnerabilities in the Web-Dorado ECommerce WD (com_ecommercewd) component 1.2.5 for Joomla! allow remote attackers to execute arbitrary SQL commands.

Table 1: Defacement-related vulnerabilities
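Most of the WordPress entries in Table 1 reduce to two defects: attacker-controlled input (a query parameter, or even the Referer header in CVE-2015-2314) reaching SQL unparameterised, and an authorisation token checked against a different value than the one the code then acts on (CVE-2015-2792). The following is an added example and not code from WPML, WordPress or CERT-In: a simplified Python model of the second pattern, in which the nonce is verified against the `action` query parameter while the handler runs the `action` taken from a merged parameter view where the POST body wins (as PHP's `$_REQUEST` behaves under the usual "GP" request_order). `Request`, `make_nonce`, `vulnerable_dispatch`, `fixed_dispatch`, the secret and the action table are all constructed for the demonstration.

```python
"""Parameter-source confusion in a nonce check: a simplified model of the
pattern behind CVE-2015-2792. Added example; not WPML or WordPress code.
"""
import hashlib
import hmac

SECRET = b"constructed-demo-secret"   # stands in for the site's nonce salt

# Actions a logged-in user may trigger; each is gated by a nonce bound to it.
ACTIONS = {"view_post": lambda: "viewed", "delete_post": lambda: "deleted"}


def make_nonce(user_id, action):
    """Bind a nonce to a user and to the single action it authorises."""
    msg = f"{user_id}|{action}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:16]


def verify_nonce(nonce, user_id, action):
    if nonce is None or action is None:
        return False
    return hmac.compare_digest(nonce, make_nonce(user_id, action))


class Request:
    """Constructed request with separate query (GET) and body (POST) parameters."""

    def __init__(self, get=None, post=None, user_id=1):
        self.GET = dict(get or {})
        self.POST = dict(post or {})
        self.user_id = user_id

    def param(self, name):
        # Merged view in which the body wins, as PHP's $_REQUEST does under the
        # usual "GP" request_order. The same name can thus carry two values.
        return self.POST.get(name, self.GET.get(name))


def vulnerable_dispatch(req):
    """Verifies the nonce against the GET action, then runs the merged action."""
    if not verify_nonce(req.param("_nonce"), req.user_id, req.GET.get("action")):
        return "rejected"
    handler = ACTIONS.get(req.param("action"))
    return handler() if handler else "rejected"


def fixed_dispatch(req):
    """Resolves the action once and checks the nonce against that same value."""
    action = req.param("action")
    if action not in ACTIONS:
        return "rejected"
    if not verify_nonce(req.param("_nonce"), req.user_id, action):
        return "rejected"
    return ACTIONS[action]()


if __name__ == "__main__":
    nonce = make_nonce(1, "view_post")   # a low-privilege nonce the victim's pages expose
    forged = Request(get={"action": "view_post", "_nonce": nonce},
                     post={"action": "delete_post"})
    print("vulnerable:", vulnerable_dispatch(forged))   # deleted
    print("fixed:     ", fixed_dispatch(forged))        # rejected
```

The attacker only needs a nonce for some harmless action, which plugins routinely embed in pages any logged-in user can see; the forged form posts a privileged `action` in the body while the query string carries the harmless action and its nonce. The fix is not a stronger nonce but resolving the action exactly once, from one source, and verifying the nonce against that same value.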
Prevalent Global Attack Trends

Man-in-the-Middle (MiTM) attack on SSL/TLS implementations (FREAK)

The vulnerability exists in OpenSSL (and, as noted under Security News, in Windows Schannel) in the handling of RSA export cipher suites: a client that never offered an export suite will nevertheless accept a 512-bit export-grade RSA key from the server. A remote attacker positioned between client and server can therefore downgrade the handshake to export-grade RSA, factor the 512-bit key, decrypt the SSL/TLS communication and gain access to sensitive information. Both sides need attention: the client library must be patched, and servers should disable export cipher suites so that no such key is ever presented.
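As an added example (not CERT-In's, OpenSSL's or Microsoft's code), the following Python parses a TLS ServerHello record and flags the two conditions a downgrade of this kind produces on the wire: the server selecting an RSA/DH export-grade suite, or selecting a suite the client never offered. The cipher-suite numbers are the export suites registered in RFC 2246/4346; `build_server_hello` only constructs test input and is not a TLS implementation, and the "modern" suite set in the usage block is an assumed client configuration.

```python
"""Flag a TLS ServerHello that negotiated an export-grade cipher suite.

Added example for this bulletin; all sample records are constructed here
with build_server_hello() and are not captured traffic.
"""
import os
import struct

# Export-grade suites defined in RFC 2246 / RFC 4346 (40-bit symmetric keys,
# 512-bit RSA or DH key exchange). These are the suites FREAK downgrades to.
EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x000B: "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x000E: "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0011: "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0017: "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
    0x0019: "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
}

RECORD_HANDSHAKE = 0x16
HS_SERVER_HELLO = 0x02


def build_server_hello(suite, session_id=b"", version=(3, 1)):
    """Construct a minimal TLS record carrying a ServerHello (test input only)."""
    body = (
        bytes(version)
        + os.urandom(32)                          # server_random
        + bytes([len(session_id)]) + session_id   # session_id<0..32>
        + struct.pack("!H", suite)                # the suite the server chose
        + b"\x00"                                 # null compression
    )
    handshake = bytes([HS_SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return (bytes([RECORD_HANDSHAKE]) + bytes(version)
            + struct.pack("!H", len(handshake)) + handshake)


def negotiated_suite(record):
    """Return the cipher suite selected in a ServerHello record, else ValueError."""
    if len(record) < 5 or record[0] != RECORD_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != HS_SERVER_HELLO:
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    # version(2) + random(32) + session_id_len(1) + session_id + suite(2) + ...
    if len(body) != hs_len or len(body) < 35:
        raise ValueError("truncated ServerHello")
    sid_len = body[34]
    off = 35 + sid_len
    if off + 2 > len(body):
        raise ValueError("truncated ServerHello")
    return struct.unpack("!H", body[off:off + 2])[0]


def classify(record, offered):
    """Judge a ServerHello against the suites this client actually offered.

    "export"      the server chose an export-grade suite (40-bit / 512-bit)
    "not-offered" the server chose a suite absent from our ClientHello: the
                  handshake was tampered with, and a correct client must abort
    "ok"          a suite we offered, and not export-grade
    """
    suite = negotiated_suite(record)
    if suite in EXPORT_SUITES:
        return "export"
    if suite not in offered:
        return "not-offered"
    return "ok"


if __name__ == "__main__":
    modern = {0x002F, 0x0035, 0xC02F}   # assumed: AES suites a 2015 client offers
    for label, suite in (("AES128-SHA", 0x002F), ("RSA-EXPORT-RC4-40", 0x0003)):
        print(label, "->", classify(build_server_hello(suite), modern))
```

The "not-offered" branch is the one a vulnerable client got wrong: it continued the handshake and accepted the export-grade key. Against a live server, the contemporaneous check was `openssl s_client -connect host:443 -cipher EXPORT`; a completed handshake meant the server still had export suites enabled and could be used to mount the downgrade against unpatched clients.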
Trainings Conducted by CERT-In

Workshop on "Cyber Security Threats and Mitigation", March 05, 2015

A workshop on "Cyber Security Threats and Mitigation" was conducted on 5 March 2015 exclusively for trainee officers of the Army War College. The aim of the workshop was to give exposure to cyber security threats, the latest attack trends and mitigation strategies. Senior trainee officers from the Army War College attended the workshop.
Security Alerts

The critical and medium vulnerabilities in various operating systems, application software and network devices discovered during March 2015 are given below (CERT-In reference | Vendor/Product | Title of vulnerability | Discovery/Publish date; "-" where the bulletin gives no date):

CIVN-2015-0070 | GnuTLS | GnuTLS Certificate Validation Security Bypass Vulnerability | March 31, 2015
CIVN-2015-0069 | WordPress | Multiple Vulnerabilities in WordPress Plugins | March 31, 2015
CIVN-2015-0068 | Wireshark | Multiple Vulnerabilities in Wireshark | March 30, 2015
CIVN-2015-0067 | PHP | PHP Use-after-free Vulnerability | March 26, 2015
CIVN-2015-0066 | PHP | PHP Buffer Overflow Vulnerability | March 26, 2015
CIVN-2015-0065 | IBM | IBM Tivoli Directory Server Information Disclosure Vulnerability | March 20, 2015
CIVN-2015-0064 | Drupal | Multiple Vulnerabilities in Drupal | March 20, 2015
CIVN-2015-0063 | Siemens | Siemens SPC Controller Series Denial of Service Vulnerability | March 20, 2015
CIVN-2015-0062 | Schneider Electric | Schneider Electric Pelco DS-NVs rvctl.dll ActiveX Control Buffer Overflow Vulnerability | March 20, 2015
CIVN-2015-0061 | Cisco | Multiple Vulnerabilities in Cisco TelePresence Video Communication Server, Expressway & TelePresence | March 19, 2015
CIVN-2015-0060 | Cisco | Cisco Virtual TelePresence Server Serial Console Privileged Access | March 19, 2015
CIVN-2015-0059 | Cisco | Cisco Intrusion Prevention System MainApp Secure Socket Layer Denial of Service Vulnerability | March 19, 2015
CIVN-2015-0058 | Adobe | Multiple Vulnerabilities in Adobe Flash Player | March 19, 2015
CIVN-2015-0057 | WordPress | Multiple Vulnerabilities in WordPress Plugins | March 12, 2015
CIVN-2015-0056 | Cisco | Cisco IOS Software and Cisco IOS XE Software Crafted RADIUS Packet Denial of Service Vulnerability | March 12, 2015
CIVN-2015-0055 | Cisco | Cisco Secure Access Control Server Default Tomcat Administration Interface Vulnerability | March 12, 2015
CIVN-2015-0054 | Apple | Multiple Vulnerabilities in Apple iOS | -
CIVN-2015-0053 | Microsoft | Denial of Service Vulnerability in Windows Remote Desktop Protocol (RDP) | -
CIVN-2015-0052 | Microsoft | Information Disclosure Vulnerability in Windows Photo Decoder Component | -
CIVN-2015-0051 | Microsoft | Windows Task Scheduler Service Security Bypass Vulnerability | -
CIVN-2015-0050 | Microsoft | NETLOGON Service Spoofing Vulnerability in Windows | -
CIVN-2015-0049 | Microsoft | Multiple Vulnerabilities in Exchange Server | -
CIVN-2015-0048 | Microsoft | Multiple Privilege Escalation Vulnerabilities in Windows Kernel | -
CIVN-2015-0047 | Microsoft | Windows PNG Image Processing Information Disclosure Vulnerability | -
CIVN-2015-0046 | Microsoft | Multiple Vulnerabilities in Windows Kernel-Mode Driver | -
CIVN-2015-0045 | Microsoft | Office Remote Code Execution Vulnerabilities | -
CIVN-2015-0044 | Microsoft | Multiple Vulnerabilities in Adobe Font Driver (Windows) | -
CIVN-2015-0043 | Microsoft | Windows Remote Code Execution Vulnerabilities | -
CIVN-2015-0042 | Microsoft | VBScript Scripting Engine Remote Code Execution Vulnerability | -
CIVN-2015-0041 | Microsoft | Multiple Vulnerabilities in Internet Explorer | -
CIVN-2015-0040 | Microsoft | Security Bypass Vulnerability in Windows Schannel | -
CIVN-2015-0039 | ISC | Denial of Service Vulnerability in ISC BIND | March 02, 2015

Table 2: Security Alerts published in March 2015
Malicious Code Threats

BKDR_ALINA.SM (Backdoor) | published Mar 02, 2015 | source: Trend Micro
A new variant of the point-of-sale (PoS) malware family Alina, first seen in January 2015. The backdoor arrives on a system as a file dropped by other malware, or as a file downloaded unknowingly by users visiting malicious sites.

W2KM_BARTALEX.EU (Trojan) | published Mar 07, 2015 | source: Trend Micro
Arrives as an attachment to email messages spammed by other malware/grayware or by malicious users. Once the malicious document is opened, the macro containing the malware code executes and drops malicious files.

Table 3: Malicious code threats in March 2015
Security News

March 16, 2015 | Yahoo slices your password out of login process, shows off end-to-end encryption | Sophos
Yahoo is trying a new approach: dropping the first half of two-factor authentication, the primary password, altogether. Its "on-demand" passwords rely solely on the second factor, a one-use code sent to a mobile phone. Users request one of these codes every time they sign in to Yahoo Mail.

March 10, 2015 | Microsoft Fixes Stuxnet Bug, Again | Krebsonsecurity
Microsoft shipped a bundle of security updates addressing more than three dozen vulnerabilities in Windows and associated software. Included in the batch is a fix for a flaw first patched in 2010, the very same vulnerability that led to the discovery of the cyberweapon known as Stuxnet.

March 13, 2015 | Google Apps Defect Leaks Private WHOIS Data Of 280,000 | Threatpost
Google has notified hundreds of thousands of domain registrants that their private WHOIS information has been exposed in the clear, opening them up to identity theft, phishing scams and more. The problem likely lies with one of Google's registrar partners, eNom, and affects 94 percent of the 305,925 domains registered through the partnership.

March 5, 2015 | Microsoft Warns Schannel Vulnerable to FREAK Attacks | Threatpost
Microsoft issued an advisory warning Windows users that Secure Channel (Schannel), the Windows implementation of SSL/TLS, is vulnerable to the FREAK attack.

March 3, 2015 | New POS Malware Uses Mailslots to Avoid Detection | Threatpost
New point-of-sale malware, LogPOS, uses the Windows mailslots mechanism to evade detection: the malware injects code into other processes and acts as a mailslot client while it shuttles stolen credit card numbers off to its command and control server.

March 30, 2015 | GitHub suffers 'largest DDoS' attack in site's history | Zdnet
GitHub is suffering a DDoS attack deemed the largest in the website's history and believed to originate from China. The coding website is a popular repository for projects from game engines to security applications and web application frameworks, and is used by programmers and technology firms to develop and share tools.

Table 4: Security News in March 2015
19 Postal Address: Indian Computer Emergency Response Team (CERT-In) Department of Information Technology Ministry of Communications & Information Technology Government of India Electronics Niketan 6, CGO Complex, Lodhi Road, New Delhi - 110003 India Email: incident@cert-in.org.in Phone: +91-11-24368572 Fax : +91-1800-11-6969