Researchers from Kaspersky Lab have released information about a large-scale cyber espionage campaign called Operation Red October (otherwise known as Rocra). The report has garnered the attention of multiple news agencies and generated many published articles since the Kaspersky report has claimed that attackers were targeting hundreds of diplomatic, governmental, and scientific organizations in numerous countries.
These reports indicate that the command-and-control (C&C) infrastructure that is used on these attacks receives stolen information using more than 60 domain names to hide its identity. Furthermore, this information appears to be funneled into a second tier of proxy servers. These are very clever attacks that many are now claiming have been taking place for more than five years! Red October is being compared with other malware that has been associated with cyber espionage such as Duqu, Flame, and Gauss.
In its paper, Kaspersky indicated that at least three different exploits for previously known vulnerabilities in Microsoft Office products were used in these attacks:
A later report claims that the Oracle Java Applet Rhino Script Engine arbitrary code execution vulnerability documented in CVE-2011-3544 was used by one of the command and control servers in the Red October infrastructure.
Cisco Security Intelligence Operations (SIO) provides an array of security resources to help customers secure their networks in response to events such as Microsoft Patch Tuesdays. This collateral is not unique to Microsoft Patch Tuesdays, but instead is part of Cisco SIO's response to current security events. The following are some of the resources:
The following table associates the Microsoft and Oracle vulnerabilities with the resources that Cisco SIO published to help provide awareness and protection for these vulnerabilities:
| Exploited Vulnerabilities | Cisco SIO Resources | CVE ID | Cisco Mitigations | CVSS Base Score |
|---|---|---|---|---|
| MS12-027: Vulnerability in Windows Common Controls Could Allow Remote Code Execution | Vulnerability Alert: Microsoft MSCOMCTL.OCX ActiveX Control Remote Code Execution Vulnerability; Event Response: Microsoft Security Bulletin Release for April 2012; Applied Mitigation Bulletin: Microsoft Security Bulletin Release for April 2012 | | Cisco IOS NetFlow; Cisco Security Manager; Cisco IPS Signature 1131-0 | |
| MS10-087: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution | Vulnerability Alert: Microsoft Office Rich Text Format Content Processing Buffer Overflow Vulnerability; Event Response: Microsoft Security Bulletin Release for November 2010; Applied Mitigation Bulletin: Microsoft Security Bulletin Release for November 2010 | | | |
| MS09-067: Vulnerabilities in Microsoft Office Excel Could Allow Remote Code Execution | Vulnerability Alert: Microsoft Office Excel Featheader Record Processing Arbitrary Code Execution Vulnerability; Event Response: Microsoft Security Bulletin Release for November 2009; Applied Mitigation Bulletin: Microsoft Security Bulletin Release for November 2009 | | | |
| Oracle Java Critical Patch Update (CPU), October 2011: Oracle Java Applet Rhino Script Engine Arbitrary Code Execution Vulnerability | Vulnerability Alert: Oracle Java Applet Rhino Script Engine Arbitrary Code Execution Vulnerability | CVE-2011-3544 | -- | 10.0 |
Once again, the aforementioned vulnerabilities have been disclosed and patched for quite some time; however, cyber criminals are still successfully exploiting them.
Note: Customers using Cisco IPS solutions have also been protected via signatures delivered for all three vulnerabilities.
A patch management process is a critical component of any infrastructure. Equally important is that security, network, and systems administrators follow established best practices and apply their own operational knowledge to identify and analyze metrics for each security process, procedure, and operational area.
Additionally, the malware in question has been observed to harvest the configurations of Cisco networking equipment. Cisco PSIRT has been in direct communication with the research team at Kaspersky and has received confirmation from them stating that the network device configuration and other information were obtained by exploiting weak Simple Network Management Protocol (SNMP) community strings and network device passwords. These attacks were not due to a known or unknown Cisco vulnerability. The malware contained a large list of hardcoded commonly-used SNMP community strings that were used to attack infrastructure devices.
Opportunistic criminals can be expected to leverage default or weak passwords and SNMP community strings. Why? Because it is easy! And people continue to use them! Many successful breaches, historically and today, start with a weak or default password, or with stolen and reused credentials.
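The following is an added example, not code from Cisco or from the Kaspersky report, of the kind of configuration audit a defender can run to find the weaknesses described above before a malware's hardcoded community-string list does. The sample IOS configuration and the short list of commonly guessed community strings are both constructed for illustration.

```python
import re

# Constructed sample Cisco IOS configuration; not taken from any real device.
SAMPLE_CONFIG = """\
hostname edge-router
enable password 7 0822455D0A16
snmp-server community public RO
snmp-server community private RW
snmp-server community Xk9!tR2q RO 10
access-list 10 permit 192.0.2.10
line vty 0 4
 password cisco
 login
"""

# Constructed list of commonly guessed community strings and passwords (assumption:
# real attacker wordlists are larger; treat this as a starting point, not a complete list).
WEAK_STRINGS = {"public", "private", "cisco", "admin", "manager", "secret"}
MIN_LENGTH = 8

def audit_ios_config(config: str) -> list[str]:
    """Return human-readable findings for weak SNMP and password settings."""
    findings = []
    snmp_re = re.compile(r"snmp-server community (\S+)(?:\s+(RO|RW))?(?:\s+(\S+))?$")
    for raw in config.splitlines():
        line = raw.strip()
        m = snmp_re.match(line)
        if m:
            community, mode, acl = m.group(1), m.group(2) or "RO", m.group(3)
            if community.lower() in WEAK_STRINGS or len(community) < MIN_LENGTH:
                findings.append(f"weak SNMP community '{community}' ({mode})")
            if acl is None:
                findings.append(f"SNMP community '{community}' has no access-list limiting managers")
            if mode == "RW":
                findings.append(f"SNMP community '{community}' grants write access; prefer SNMPv3 authPriv")
        elif line.startswith("enable password "):
            # 'enable password' (including Type 7) is reversible; 'enable secret' is hashed.
            findings.append("'enable password' in use; replace with 'enable secret'")
        elif line.startswith("password "):
            pw = line.split()[-1]
            if pw.lower() in WEAK_STRINGS or len(pw) < MIN_LENGTH:
                findings.append(f"weak line password '{pw}'")
    return findings

if __name__ == "__main__":
    for f in audit_ios_config(SAMPLE_CONFIG):
        print("FINDING:", f)
```

The community string with a numbered access-list attached passes all three SNMP checks, which is the configuration pattern the hardening guides below recommend as a minimum when SNMPv3 cannot be used.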
Examples of weak passwords include:
Cisco has created a collection of device hardening guides that contains information to help you secure your infrastructure devices. The following are a few examples:
Many more resources and whitepapers are available at the Cisco Security Intelligence Operations portal.