A recommendation direct from Symantec (see URL below) states “At this time, Symantec recommends disabling the product until Symantec releases a final set of software updates that resolve currently known vulnerability risks”.

The concern is related to a potential man in the middle attack which would allow the stealing of credentials that could allow unauthorized system access.

The pcAnywhere Security Recommendations direct from Symantec are located at the following URL:
http://www.symantec.com/connect/sites/default/files/pcAnywhere%20Security%20Recommendations%20WP_01_23_Final.pdf

For any further advice or assistance on this matter contact Janet CSIRT at irt@csirt.ja.net 0300 999 2340

"INSIST(! dns_rdataset_isassociated(sigrdataset))"

BIND 9.4-ESV-R, BIND 9.6-ESV-R, BIND 9.7 and BIND 9.8 appear to be affected. Further details are available at https://www.isc.org/software/bind/advisories/cve-2011-4313

The eventual outcome is integer overflow as the reference counter is overwhelmed. This may result in a denial of service, system crash, memory corruption or a worse case, remote code execution. Whilst such packets are normally filtered at the network perimeter and this combined with the large number of packets required to succeed with such an attack it is deemed by Microsoft top be low at this time. There is the strong likelihood that worm based attacks are going to be developed to exploit this vulnerability.

http://technet.microsoft.com/en-us/security/bulletin/ms11-083

It appears that the malware is spreading by using unprotected JMX consoles, it then uses the JMX console to execute code running as the JBoss user on the system.

A site which has investigated this has advised us about the malware conducting the scanning.

“The malware appears to scan out for some vulnerability in /jmx-console/HtmlAdaptor before connecting to an HTTP bot at magicstick.dyndns-remote.com.” An update to JBoss enterprise server was released earlier last year to mitigate this vulnerability.

https://access.redhat.com/kb/docs/DOC-30741

We have also been able to see that currently the attacks have been limited to a couple of different applications.

If you would like further information or assistance investigating this issue please contact JANET CSIRT.

Every so often, after a ground- breaking discovery or an event that has a substantial impact on the security community, a new phrase/ term/acronym enters the lexicon of the security researcher. Over the last few years, several high profile compromises have hit the news headlines. Attacks on an unprecedented scale targeted a slew of companies in the technology, financial and defence sectors, and ‘Advanced Persistent Threats’ became a common topic for discussion.

Dawn of a new threat

In 2010 Google reported on its official blog that it had suffered a sustained attack from a source appearing to originate in China. Google said that some of its intellectual property had been stolen and that the attacks were highly sophisticated, utilising complex vectors and multiple levels of encryption to avoid detection and gain control of target systems. Essentially the compromise involved several layers of well hidden encrypted traffic that penetrated deeper and deeper into their network over a period of time. Google also suggested that the attack may have been carried out by the Chinese state to gain access to the email accounts of Chinese dissidents. However, the attack was not solely targeting Google. Other companies targeted in what became known as ‘Operation Aurora’ included Yahoo, Adobe Systems, Juniper Networks and Rackspace Hosting.

In March this year, RSA admitted it had been the target of a highly sophisticated attack that successfully penetrated its infrastructure. The compromised data was specifically related to RSA’s SecurID two-factor authentication products. In an open letter to its customers, RSA’s Executive Chairman states: ‘While at this time we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers, this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack’. In other words, the two-part authentication mechanism generally utilised by many as the de facto standard for authentication had been compromised, undermining the integrity of the RSA SecurID system. At this stage there is no confirmation as to who was behind this attack.

It was only a matter of time before a possible motive behind the RSA compromise revealed itself. Soon after, defence contractors Lockheed Martin and L-3 were attacked by an unknown quantity. As America’s largest defence contractor, Lockheed Martin is responsible for some of America’s most advanced military technology, including the F-22 fighter aircraft and the Trident submarine-launched missile. Initial reports suggest that these security breaches were in part facilitated by compromised RSA SecurID token seeds. It is entirely possible that the RSA seeds will be used again before RSA are able to replace the 40 million RSA keys that are used by their customers.

Level of threat

In these high profile incidents, the attackers used advanced techniques and zero day exploits – software that uses a security hole to carry out an attack – to gain access to secure systems. Many would argue that this is what constitutes the definition of an advanced persistent threat: seemingly endless resources including teams of highly skilled security experts, programmers and a large budget, possibly backed up by operatives on the ground. Are these kinds of resources only available to a government? Or can we expect to see this level of sophistication emerging from high level industrial espionage? One thing is for certain: information is valuable, and a determined organisation will (with enough resources) eventually find a way into secure systems.

What to do?

These examples of advanced persistent threats illustrate scenarios that any organisation could face. If globally respected security companies can be compromised, is there any hope for the rest of us? With a little analysis, this can easily be put into perspective. If your organisation’s data or intellectual property is valuable to another organisation, there is a greater risk that your competitors will attempt to compromise it. Therefore more resources should be allocated to protecting that data or IP. The answer is not to increase the security budget for software that claims to protect you from ‘all known threats or your money back’, because we have seen time and time again that software alone is not enough.

We suggest that you make sure that staff are specially trained in securing and hardening systems and networks, access control is enforced, and IDS systems configured correctly. There is no magic software that does all of this out of the box that will meet your organisation’s requirements.

JANET supporting you

JANET CSIRT handles incidents that involve compromises on a daily basis. Whilst many of these compromises are relatively minor, occasionally they are potentially very damaging for the organisation and need to be dealt with in a swift and appropriate manner.

If you suspect that your organisation is the target of an attack or would like information about how we can assist you in the event of a suspected compromise, please get in touch.