
Monthly Security Bulletin

July 2015

Indian Computer Emergency Response Team

Department of Electronics and Information Technology

Ministry of Communications and Information Technology

Government of India

| 2

TABLE OF CONTENTS

Comparison at a Glance 3

Cyber Intrusion Trends 4

Indian Website Defacements 7

Prevalent Global Attack Trends 10

Trainings Conducted by CERT-IN 11

Security Alerts 11

Malicious Code Threats 15

Security News 16

| 3

Comparison at a Glance

July 2015 witnessed a decreased level of incidents related to phishing, malicious code and websites infected with malicious content. On the other hand, incidents related to network scanning, spamming, open proxy servers, website defacement and incidents in the others category witnessed an upward trend as compared to last month.

Figure 1: Trend Analysis Jun 2015-July 2015 (bar chart comparing Jun-15 and Jul-15 by category; the extracted bar labels are 14.5%, 21.4%, 69.3%, 60.3%, 35.7%, 61.1%, 83.2% and 6%, but their assignment to categories is not recoverable from the text)

| 4

Cyber Intrusion Trends

A total of 12020 security incidents, including phishing, virus/malicious code, network scanning/probing, spam, spread of malware through website compromise and technical help under the others category, were reported to CERT-In from various National/International agencies in July 2015.

In addition, a total of 2852 Indian websites were defaced in July 2015. A consolidated picture of security incidents reported in July 2015 and website defacements tracked by CERT-In during that period is shown in the pie chart below.

The pie chart indicates that 74.6% and 23.7% of reported incidents belonged to the spam and website defacement categories respectively. Alongside, 0.2%, 0.4% and 0.5% of incidents were related to spread of malware through website intrusion, phishing and technical help under the others category respectively. The malicious code and network scanning categories comprised only 0.1% and 0.4% of the total incidents respectively in July 2015.

In this month CERT-In tracked 1696389 bot-infected computers existing in India. The concerned ISPs were intimated to disinfect the bot-infected systems to mitigate botnets.

Figure 2: Cyber Intrusion during July 2015 (pie chart; legend with the shares stated above: Phishing 0.4%, Malicious Code 0.1%, Defacement 23.7%, WIMP 0.2%, Spam 74.6%, Network Scanning 0.4%, Others 0.5%)

| 5

8966 Email spam incidents were reported to CERT-In in July 2015. Email spam involves nearly identical messages sent to numerous recipients by email that may include malware as scripts, executable file attachments or hyperlinks. Clicking on the links in spam email may send users to phishing web sites or sites that are hosting malware.

CERT-In tracked 186 Open Proxy Servers functioning in India during July 2015. Any proxy server that doesn't restrict its client base to its own set of clients and allows any other client to connect to it is known as an open proxy server. An open proxy server will accept client connections from any IP address and make connections to any Internet resource.

All the concerned ISPs were alerted immediately to shut down the open proxy servers.
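The definition above gives an operator a concrete test for their own proxy: if the access log shows requests being served to clients outside the address ranges the proxy exists for, the access list is not doing its job. The following Python is an added example, not part of the bulletin and not a CERT-In tool; it parses a few constructed lines in Squid's native access.log layout, treats 10.0.0.0/8 as the only trusted client range (an assumption for the example), and counts served requests from any other address. Requests the proxy itself refused (TCP_DENIED) are deliberately not counted, since a refusal is evidence that the access list is working.

```python
import ipaddress
from collections import Counter

# Constructed sample lines in Squid's native access.log format (not real traffic):
# timestamp elapsed client_ip result_code/status bytes method url user hierarchy/peer type
SAMPLE_LOG = """\
1436700000.123    245 10.0.0.15 TCP_MISS/200 4521 GET http://example.org/ - HIER_DIRECT/203.0.113.10 text/html
1436700001.456    120 10.0.0.22 TCP_HIT/200 1200 GET http://example.org/a.css - NONE/- text/css
1436700002.789    310 198.51.100.77 TCP_MISS/200 8812 GET http://example.net/ - HIER_DIRECT/203.0.113.11 text/html
1436700003.012    180 198.51.100.77 TCP_TUNNEL/200 3300 CONNECT mail.example.com:443 - HIER_DIRECT/203.0.113.12 -
1436700004.345     90 192.0.2.9 TCP_DENIED/403 0 GET http://example.com/ - HIER_NONE/- text/html
1436700005.678    200 10.0.0.15 TCP_MISS/200 2048 GET http://example.com/ - HIER_DIRECT/203.0.113.13 text/html
"""

# Address ranges this proxy is meant to serve (assumed for the example).
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def parse_line(line):
    """Return (client_ip, result_code, http_status) for one native-format line, or None if malformed."""
    fields = line.split()
    if len(fields) < 4:
        return None
    try:
        client = ipaddress.ip_address(fields[2])
        code, status = fields[3].split("/", 1)
        return client, code, int(status)
    except ValueError:
        return None


def is_trusted(client, trusted_nets):
    """True when the client address falls inside one of the trusted ranges."""
    return any(client in net for net in trusted_nets)


def find_external_clients(log_text, trusted_nets=TRUSTED_NETS):
    """Count requests the proxy actually served for clients outside the trusted ranges.

    Refused requests (TCP_DENIED, or a 403/407 status) show the access list working
    and are skipped; only served requests from untrusted addresses indicate openness.
    """
    served = Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        client, code, status = parsed
        if is_trusted(client, trusted_nets):
            continue
        if code == "TCP_DENIED" or status in (403, 407):
            continue
        served[str(client)] += 1
    return served


def looks_open(log_text, trusted_nets=TRUSTED_NETS, threshold=1):
    """True if at least `threshold` requests were served to untrusted clients."""
    return sum(find_external_clients(log_text, trusted_nets).values()) >= threshold


if __name__ == "__main__":
    for ip, n in find_external_clients(SAMPLE_LOG).items():
        print(f"served {n} request(s) for untrusted client {ip}")
    print("verdict: open proxy" if looks_open(SAMPLE_LOG) else "verdict: access list holding")
```

On the sample, 198.51.100.77 is reported with two served requests while 192.0.2.9 is not, because its only request was denied. The same logic applies to any proxy whose log records the client address and the proxy's decision; only `parse_line` needs adjusting for other formats.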

Figure 3: Statistics of Spam tracked during Feb-15 to July-15 (bar chart; values for Feb-15 through Jul-15 as extracted: 3911, 3582, 5160, 4578, 5294, 8966)

Figure 4: Statistics of Open Proxy Servers tracked during Feb-15 to July-15 (bar chart; values for Feb-15 through Jul-15 as extracted: 123, 157, 110, 113, 116, 186)

| 6

CERT-In is tracking malicious web sites/URLs on a regular basis. In this month CERT-In tracked 28 websites infected with malicious content. A user visiting these websites/URLs is redirected to malicious sites which download malicious code such as viruses, worms, trojans, keyloggers and rootkits on to the user's computer.

The website owners are informed to remove the infection from these websites and are advised to strengthen the security of their websites.

Figure 5: Statistics of WIMP tracked during Feb-15 to July-15 (bar chart; values for Feb-15 through Jul-15 as extracted: 34, 70, 59, 60, 167, 28)

| 7

Indian Website Defacements

A total number of 2852 Indian websites were defaced during July 2015.

The following figure highlights the domain-wise statistics of defaced websites during July 2015. A total of 757 '.com', 1812 '.in', 182 '.org', 24 '.net' and 77 websites belonging to other domains were defaced in this month.

Figure 6: Statistics of Defacements tracked during Feb-15 to Jul-15 (bar chart; values for Feb-15 through Jul-15 as extracted: 1939, 2014, 1386, 1226, 1770, 2852)

Figure 7: Statistics of Defacements tracked during July-15 (chart by domain: .com 757, .org 182, .net 24, .in 1812, others 77)

| 8

The following vulnerabilities, discovered during July 2015, together with some previously known vulnerabilities, might have been exploited for website defacements and intrusions:

Vendor/Product: Vulnerability (References)

WordPress: Multiple cross-site scripting (XSS) vulnerabilities in the Welcart plugin before 1.4.18 for WordPress allow remote attackers to inject arbitrary web script or HTML. (CVE-2015-2973)

WordPress: Cross-site scripting (XSS) vulnerability in the save_order function in class-floating-social-bar.php in the Floating Social Bar plugin before 1.1.6 for WordPress allows remote attackers to inject arbitrary web script or HTML. (CVE-2015-5528)

WordPress: Open redirect vulnerability in the Redirect function in stageshow_redirect.php in the StageShow plugin before 5.0.9 for WordPress allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the url parameter. (CVE-2015-5461)

WordPress: Directory traversal vulnerability in includes/MapPinImageSave.php in the Easy2Map plugin before 1.2.5 for WordPress allows remote attackers to create arbitrary files via a .. (dot dot) in the map_id parameter. (CVE-2015-4616)

WordPress: Multiple SQL injection vulnerabilities in includes/Function.php in the Easy2Map plugin before 1.2.5 for WordPress allow remote attackers to execute arbitrary SQL commands via the mapName parameter in an e2m_img_save_map_name action to wp-admin/admin-ajax.php and other unspecified vectors. (CVE-2015-4614)

Joomla!: Multiple SQL injection vulnerabilities in the J2Store (com_j2store) extension before 3.1.7 for Joomla! allow remote attackers to execute arbitrary SQL commands. (CVE-2015-6513)

Joomla!: Cross-site request forgery (CSRF) vulnerability in Joomla! 3.2.0 through 3.3.x and 3.4.x before 3.4.2 allows remote attackers to hijack the authentication of unspecified victims for requests that upload code via unknown vectors. (CVE-2015-5397)

Drupal: Multiple cross-site scripting (XSS) vulnerabilities in the Tournament module 7.x-1.x before 7.x-1.2 for Drupal allow remote authenticated users with certain permissions to inject arbitrary web script or HTML. (CVE-2014-9738)

Drupal: Open redirect vulnerability in the Language Switcher Dropdown module 7.x-1.x before 7.x-1.4 for Drupal allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in a block. (CVE-2014-9737)

Table 1: Defacement related Vulnerabilities
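Three of the entries in Table 1 share one root cause: a request parameter (url, map_id, mapName) reaches a redirect, a file path or an SQL statement without a check on what it may contain. The following Python is an added example, not from the bulletin and not code from WordPress, Joomla!, Drupal or the plugins named above; it sketches the server-side checks that close each of those classes: allow-listing a redirect target, confining a file name derived from a parameter to one directory, and binding SQL values instead of interpolating them. ALLOWED_REDIRECT_HOSTS, UPLOAD_ROOT and the in-memory maps table are assumptions made for the example.

```python
import os
import re
import sqlite3
from urllib.parse import urlsplit

# Hosts a redirect may land on (assumed for this example).
ALLOWED_REDIRECT_HOSTS = {"shop.example.org"}
# Directory the map-image save routine is confined to (assumed for this example).
UPLOAD_ROOT = "/var/www/uploads/maps"
# Shape of an acceptable map identifier: a short bare token with no path separators.
MAP_ID_PATTERN = re.compile(r"[A-Za-z0-9_-]{1,64}")


def safe_redirect_target(url_param, default="/"):
    """Return url_param if it is a local path or an allow-listed https URL, else default.

    This is the check the open-redirect entries lack: the url parameter was handed
    to the redirect unexamined.
    """
    parts = urlsplit(url_param)
    if parts.scheme or parts.netloc:
        # Absolute or scheme-relative ("//host/...") URL: only https to a known host.
        # parts.hostname ignores any "user@" prefix, so "https://good@evil/" fails.
        if parts.scheme == "https" and parts.hostname in ALLOWED_REDIRECT_HOSTS:
            return url_param
        return default
    # Relative target: a single leading slash only; backslashes are rejected because
    # some browsers normalise "/\\host" into a scheme-relative URL.
    if url_param.startswith("/") and not url_param.startswith("//") and "\\" not in url_param:
        return url_param
    return default


def safe_map_path(map_id, root=UPLOAD_ROOT):
    """Return the absolute .png path for map_id inside root, or None if it would escape.

    Two independent layers: a strict allow-list on the identifier (so '..' and '/'
    never reach the file system), then a canonical-path containment check.
    """
    if not MAP_ID_PATTERN.fullmatch(map_id or ""):
        return None
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, map_id + ".png"))
    if os.path.commonpath([root_real, candidate]) != root_real:
        return None
    return candidate


def save_map_name(conn, map_id, map_name):
    """Rename a map with bound parameters; returns the number of rows updated.

    The unsafe form splices mapName into the statement text; binding keeps the
    value as data whatever characters it contains.
    """
    cur = conn.execute("UPDATE maps SET name = ? WHERE id = ?", (map_name, map_id))
    return cur.rowcount


def demo_db():
    """In-memory table standing in for the plugin's map storage (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE maps (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO maps VALUES (?, ?)", [(1, "office"), (2, "warehouse")])
    return conn


def map_count(conn):
    return conn.execute("SELECT COUNT(*) FROM maps").fetchone()[0]


def map_name(conn, map_id):
    row = conn.execute("SELECT name FROM maps WHERE id = ?", (map_id,)).fetchone()
    return row[0] if row else None


def bound_update_demo():
    """Store a name full of SQL metacharacters and show the table is untouched."""
    conn = demo_db()
    updated = save_map_name(conn, 1, "x'; DROP TABLE maps; --")
    return updated, map_count(conn), map_name(conn, 1)


if __name__ == "__main__":
    print(safe_redirect_target("https://shop.example.org/cart"))
    print(safe_redirect_target("//evil.example/"))
    print(safe_map_path("42"))
    print(safe_map_path("../../etc/passwd"))
    print(bound_update_demo())
```

The redirect check deliberately allow-lists hosts rather than block-listing patterns, since the CVE descriptions above show the parameter can carry any URL; the path check keeps the identifier allow-list as the primary control and the realpath containment as a second layer that would still hold if the pattern were later relaxed.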

| 10

Prevalent Global Attack Trends

Adobe Flash Player Zero Day (CVE-2015-5122, CVE-2015-5123)

Critical vulnerabilities (CVE-2015-5122, CVE-2015-5123) have been identified in Adobe Flash Player 18.0.0.204 and earlier versions for Windows, Macintosh and Linux. Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system.


| 11

Trainings Conducted by CERT-IN

Workshop on "Data Leakage Detection & Prevention" on July 30, 2015

A workshop on "Data Leakage Detection & Prevention" was held on July 30, 2015 for CISOs of the public sector. The aim of the workshop was to address the issues concerning data breach/leakage in an organization and prevention techniques. The workshop emphasized Data Leakage Detection and mitigation strategies using Next Generation Prevention Mechanisms. IT Heads, Systems & Network Administrators and senior IT executives from various public sector organizations attended the workshop.

Workshop on "Cloud Security" on July 17, 2015

A workshop on "Cloud Security" was held on 17th July 2015 for Government Departments and Ministries. The aim of the workshop was to give an overview of security issues/concerns associated with cloud computing. The workshop emphasized the various approaches and methodologies for securing cloud infrastructure & services with the latest tools and techniques. IT heads, CISOs, System/Network Administrators and Senior Government Officers from Government Departments and Ministries attended the workshop.

Workshop on "Cyber Security Threats and Countermeasures" on July 30, 2015

A workshop on "Advanced Web Application Security" was conducted on 22nd May 2015 for Government Departments and Ministries. The aim of the workshop was to give an overview of Web Application Security. It also covered various web application attacks and their prevention employing secure application design and security implementations. Senior Government officials, Web Developers and Web Administrators attended the workshop.


| 12

Security Alerts

The critical and medium vulnerabilities in various Operating Systems, Application software and Network devices discovered during July 2015 are given below:

Vendor/Product | Title of Vulnerability | Discovery/Publish Date | CERT-In References

ISC BIND | ISC BIND Zone TKEY Query Handling Denial of Service Vulnerability | July 30, 2015 | CIVN-2015-0197

Siemens | Siemens SICAM MIC Authentication Bypass Vulnerability | July 29, 2015 | CIVN-2015-0196

Microsoft | Multiple vulnerabilities in Microsoft Internet Explorer for Mobile Devices | July 27, 2015 | CIVN-2015-0195

ISC BIND | ISC BIND Zone Data DNS Query Handling Denial of Service Vulnerability | July 24, 2015 | CIVN-2015-0194

Drupal | Multiple vulnerabilities in Drupal Module | July 24, 2015 | CIVN-2015-0193

Cisco | Cisco IOS Software TFTP Server Denial of Service Vulnerability | July 24, 2015 | CIVN-2015-0192

Cisco | Cisco Application Policy Infrastructure Controller Access Control Vulnerability | July 23, 2015 | CIVN-2015-0191

Microsoft | Remote Code Execution Vulnerability in Microsoft Windows OpenType Font Driver | July 22, 2015 | CIVN-2015-0189

Cisco | Cisco Unified Meeting Place Unauthorized Password Change Vulnerability | July 23, 2015 | CIVN-2015-0190

Cisco | Cisco Videoscape Delivery System Denial of Service Vulnerability | July 22, 2015 | CIVN-2015-0188

IBM | Multiple Vulnerabilities in IBM DB2 | July 21, 2015 | CIVN-2015-0187

Joomla | Cross-site request forgery vulnerability in Joomla | July 20, 2015 | CIVN-2015-0186

Google | Denial of Service Vulnerability in Google V8 | July 17, 2015 | CIVN-2015-0185

Solaris | Multiple Vulnerabilities in Solaris | July 16, 2015 | CIVN-2015-0184

Oracle | Multiple Vulnerabilities in Oracle Java SE | July 16, 2015 | CIVN-2015-0183

Juniper | Juniper Junos BFD Processing weakness allows remote users to crash BFD daemon or Execute Arbitrary Code | July 16, 2015 | CIVN-2015-0182

Juniper | Juniper Junos BGP-VPLS processing weakness allows remote Users to crash system & Deny Services | July 16, 2015 | CIVN-2015-0181

Juniper | Juniper Junos LAST_ACK State Transition Bug allows remote User to exhaust mbuf & Deny Service | July 16, 2015 | CIVN-2015-0180

Juniper | Juniper Junos SRX Series Console Port Access Control weakness allows local physical Users to Gain Root | July 16, 2015 | CIVN-2015-0179

Microsoft | Microsoft Windows Adobe Type Manager Privilege Escalation Vulnerability | July 15, 2015 | CIVN-2015-0178

Microsoft | Microsoft Windows Remote Procedure Call Local Privilege Escalation Vulnerability | July 15, 2015 | CIVN-2015-0177

Microsoft | Microsoft Windows OLE Privilege Escalation Vulnerability | July 15, 2015 | CIVN-2015-0176

Microsoft | Microsoft Windows Installer Component Privilege Escalation Vulnerability | July 15, 2015 | CIVN-2015-0175

Microsoft | Multiple Privilege Escalation Vulnerabilities in Microsoft Windows Kernel-Mode Driver | July 15, 2015 | CIVN-2015-0174

Microsoft | Microsoft Windows Graphics Component Privilege Escalation Vulnerability | July 15, 2015 | CIVN-2015-0173

Microsoft | Microsoft Windows NetLogon Service Spoofing Vulnerability | July 15, 2015 | CIVN-2015-0172

Microsoft | Multiple Remote Code Execution Vulnerabilities in Microsoft Office | July 15, 2015 | CIVN-2015-0171

Microsoft | Microsoft Windows Arbitrary Code Execution Vulnerabilities | July 15, 2015 | CIVN-2015-0170

Microsoft | Multiple Remote Code Execution Vulnerabilities in Microsoft Windows Hyper-V | July 15, 2015 | CIVN-2015-0169

Microsoft | Remote Code Execution Vulnerability in Remote Desktop Protocol (RDP) | July 15, 2015 | CIVN-2015-0168

Microsoft | Remote Code Execution Vulnerability in Microsoft VBScript Engine | July 15, 2015 | CIVN-2015-0167

Microsoft | Multiple Vulnerabilities in Microsoft Internet Explorer | July 15, 2015 | CIVN-2015-0166

Microsoft | SQL Server Could Allow Remote Code Execution & Elevation of Privilege Vulnerabilities | July 15, 2015 | CIVN-2015-0165

Openssl | Openssl Alternative Chains Certificate Forgery Vulnerability | July 15, 2015 | CIVN-2015-0164

RedHat | Multiple Vulnerabilities in RedHat JBoss Fuse 6.2.0 | July 15, 2015 | CIVN-2015-0163

Adobe | Multiple Vulnerabilities in Adobe Flash Player | July 15, 2015 | CIVN-2015-0162

Wordpress | Multiple vulnerabilities in various plugins for Wordpress | July 13, 2015 | CIVN-2015-0161

Adobe | Adobe Flash Player AS3 ByteArray Class Use-After-Free Vulnerability | July 07, 2015 | CIVN-2015-0160

Apple | Multiple vulnerabilities in Apple Safari | July 07, 2015 | CIVN-2015-0159

Cisco | Cisco Unified Communications Domain Manager Default Static Privileged Account Credentials | July 06, 2015 | CIVN-2015-0158

Cisco | Multiple Default SSH Keys Vulnerabilities in Cisco Virtual WSA, ESA and SMA | July 01, 2015 | CIVN-2015-0157

Table 2: Security Alerts published in July 2015

| 15

Malicious Code Threats

Title of Malicious Code | Type | Overview | Publishing Date | References

Golroted Malware | Trojan/Spyware | It has been reported that variants of a new malware family, dubbed "Golroted", having spyware functionalities are spreading. These malware variants typically spread through spear phishing mails having attachments as Zipped archives (key loggers) or Microsoft Office Document exploits, or via removable drives. | July 17, 2015 | CERT-In

TROJ_CRYPTESLA.CAG | Trojan | This crypto-ransomware is one of the malware payloads of the Fiesta exploit kit. Typically, exploit kits are used to deliver or spread threats. This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites. | July 08, 2015 | Trendmicro

Table 3: Malicious Code threats in July 2015

| 16

Security News

Date (Source): News

July 30, 2015 (Threatpost): Cisco Fixes DoS Vulnerability in ASR 1000 Routers
Cisco has patched a denial-of-service vulnerability in its ASR 1000 line of routers, a bug that's caused by an issue with the way the routers handle some fragmented packets. The company said the DoS vulnerability affects all of the ASR 1000 Series Aggregation Services Routers that are running a vulnerable version of the IOS XE software. The ASR 1000 routers are edge routers designed for enterprise and service provider environments.

July 29, 2015 (Symantec): Stagefright vulnerabilities pose serious threat to Android users
Android devices running Android versions 2.2 through 5.1.1_r5 contain vulnerabilities in the Stagefright media playback engine. Exploitation of these vulnerabilities may allow an attacker to access multimedia files or potentially take control of a vulnerable device.

July 01, 2015 (Sophos): Windows 10 Wi-Fi Sense feature shares your Wi-Fi network with your friends
Wi-Fi Sense is a feature of the soon-to-be-released Windows 10 operating system that not only allows you to automatically connect a compatible device to any in-range open crowdsourced Wi-Fi network, but also grants access to password-protected networks by sharing login credentials between friends.

July 30, 2015 (Threatpost): Facebook Security Checkup Tool Keeps Tabs on Security Settings
Facebook announced the general availability of Security Checkup, a new tool designed to help users better protect their accounts. Security Checkup makes it easier to find and use the security controls for your account.

July 22, 2015 (Threatpost): Bartalex Variants Spotted Dropping Pony, Dyre Malware
Some strains of Bartalex malware, a macro-based malware, have recently been spotted dropping Pony loader malware and the Dyre banking Trojan. Primarily spread through spam, the first iterations of Bartalex were observed in late March embedded in Microsoft Word and Excel macros.

Table 4: Security News in July 2015

| 17

Postal Address:

Indian Computer Emergency Response Team (CERT-In)

Department of Information Technology

Ministry of Communications & Information Technology

Government of India

Electronics Niketan

6, CGO Complex, Lodhi Road,

New Delhi - 110 003

India

Email:

[email protected]

Phone:

+91-11-24368572

Fax:

+91-1800-11-6969