Monthly Security Bulletin
July 2015
Indian Computer Emergency Response Team
Department of Electronics and Information Technology
Ministry of Communications and Information Technology
Government of India
TABLE OF CONTENTS
Comparison at a Glance
Cyber Intrusion Trends
Indian Website Defacements
Prevalent Global Attack Trends
Trainings Conducted by CERT-In
Security Alerts
Malicious Code Threats
Security News
Comparison at a Glance
July 2015 witnessed a decrease in incidents related to phishing, malicious code and websites infected with malicious content. On the other hand, incidents related to network scanning, spamming, open proxy servers, website defacement and the "others" category showed an upward trend compared to the previous month.
Figure 1: Trend Analysis Jun 2015-July 2015 (bar chart comparing Jun-15 and Jul-15 incident counts by category; the individual bar labels are not recoverable from the extracted text)
Cyber Intrusion Trends
A total of 12020 security incidents, including phishing, virus/malicious code, network scanning/probing, spam, spread of malware through website compromise and technical help (under the "others" category), were reported to CERT-In by various national and international agencies in July 2015.
These include 2852 Indian websites that were defaced in July 2015. A consolidated picture of the security incidents reported in July 2015 and the website defacements tracked by CERT-In during that period is shown in the pie chart below.
The pie chart indicates that 74.6% and 23.7% of reported incidents belonged to the spam and website defacement categories respectively. A further 0.2%, 0.4% and 0.5% of incidents related to spread of malware through website intrusion, phishing and technical help (others) respectively. Malicious code and network scanning accounted for only 0.1% and 0.4% of the total incidents respectively in July 2015.
In this month CERT-In tracked 1696389 bot-infected computers in India. The concerned ISPs were notified so that the infected systems could be disinfected and the botnets mitigated.
Figure 2: Cyber Intrusion during July 2015 (pie chart: Spam 74.6%, Defacement 23.7%, Others 0.5%, Phishing 0.4%, Network Scanning 0.4%, WIMP 0.2%, Malicious Code 0.1%)
8966 email spam incidents were reported to CERT-In in July 2015. Email spam consists of nearly identical messages sent to numerous recipients by email; the messages may carry malware as scripts, executable attachments or hyperlinks. Clicking links in spam email may send users to phishing websites or to sites hosting malware.
CERT-In tracked 186 open proxy servers operating in India during July 2015. A proxy server that does not restrict its client base to its own set of clients and allows any other client to connect to it is known as an open proxy server: it accepts client connections from any IP address and makes connections to any Internet resource on their behalf. Such servers are abused to relay attacks and spam while hiding the originator's address.
All concerned ISPs were alerted immediately to shut down the open proxy servers.
Month    Spam incidents    Open proxy servers
Feb-15   3911              123
Mar-15   3582              157
Apr-15   5160              110
May-15   4578              113
Jun-15   5294              116
Jul-15   8966              186
Figure 3: Statistics of Spam tracked during Feb-15 to July-15
Figure 4: Statistics of Open Proxy Servers tracked during Feb-15 to July-15
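The test behind the definition above is simple to automate: connect to the suspected proxy as a client it has never seen, ask it to fetch a third-party URL, and see whether it complies. The script below is an added example written for this bulletin, not CERT-In's own tooling. The probe target hostname, the response classification and the two mock proxies (one open, one protected by a client ACL) are constructed for illustration and to let the check run offline.

```python
"""Open-proxy probe: does a proxy accept a connection from an arbitrary client
and forward a request to an arbitrary third-party URL?

Added example, not CERT-In's tooling.  The probe target hostname and the
mock proxies below are assumptions made for illustration and offline testing.
"""
import socket
import socketserver
import threading

PROBE_TARGET = "example.invalid"   # assumed third-party host; use a host you control


def build_probe(target_host: str) -> bytes:
    # Absolute-URI request line: an origin server ignores it or answers 400,
    # while a forward proxy reads it as "fetch this URL for me".
    return (
        f"GET http://{target_host}/ HTTP/1.1\r\n"
        f"Host: {target_host}\r\n"
        "Connection: close\r\n\r\n"
    ).encode("ascii")


def classify_response(raw: bytes) -> str:
    """Map the status line to 'open', 'restricted', 'auth-required' or 'unknown'."""
    status_line = raw.split(b"\r\n", 1)[0].split()
    if len(status_line) < 2 or not status_line[0].startswith(b"HTTP/"):
        return "unknown"                      # not HTTP at all (some other service on the port)
    try:
        status = int(status_line[1])
    except ValueError:
        return "unknown"
    if 200 <= status < 400:
        return "open"                         # it relayed the request to a third party
    if status == 407:
        return "auth-required"                # proxy demands credentials: not open
    if status == 403:
        return "restricted"                   # ACL denies our source address: not open
    return "unknown"


def probe_proxy(host: str, port: int, target_host: str = PROBE_TARGET,
                timeout: float = 5.0) -> str:
    """Connect to host:port as an unknown client and classify how it handles a relay request."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_probe(target_host))
            raw = sock.recv(4096)
    except OSError:
        return "unreachable"
    return classify_response(raw)


# --- Constructed mock proxies so the probe can be exercised offline -------------

class _MockProxyHandler(socketserver.BaseRequestHandler):
    def handle(self) -> None:
        self.request.recv(4096)               # read (and ignore) the probe request
        if self.server.open_mode:             # behaves like a misconfigured open proxy
            head, body = b"HTTP/1.1 200 OK\r\n", b"relayed"
        else:                                 # behaves like a proxy with a client ACL
            head, body = b"HTTP/1.1 403 Forbidden\r\n", b"denied"
        self.request.sendall(
            head + b"Content-Length: %d\r\nConnection: close\r\n\r\n" % len(body) + body
        )


class _MockProxy(socketserver.ThreadingTCPServer):
    allow_reuse_address = True

    def __init__(self, open_mode: bool):
        super().__init__(("127.0.0.1", 0), _MockProxyHandler)   # port 0: pick a free port
        self.open_mode = open_mode
        threading.Thread(target=self.serve_forever, daemon=True).start()

    @property
    def port(self) -> int:
        return self.server_address[1]


def demo() -> dict:
    """Probe one open and one restricted mock proxy and return the classifications."""
    results = {}
    for label, open_mode in (("open_proxy", True), ("restricted_proxy", False)):
        srv = _MockProxy(open_mode)
        try:
            results[label] = probe_proxy("127.0.0.1", srv.port)
        finally:
            srv.shutdown()
            srv.server_close()
    return results


if __name__ == "__main__":
    print(demo())   # {'open_proxy': 'open', 'restricted_proxy': 'restricted'}
```

Against a real host, run probe_proxy from an address that has no business using the proxy; a 2xx or 3xx answer to the absolute-URI request is the signature of an open relay, while 403 or 407 shows that an ACL or authentication is in place. Only a status-line check is done here, so a proxy that answers 200 with its own error page would still be reported as open and should be confirmed by inspecting the body.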
CERT-In tracks malicious websites/URLs on a regular basis. In this month CERT-In tracked 28 websites infected with malicious content. A user visiting these websites/URLs is redirected to malicious sites that download malicious code such as viruses, worms, trojans, keyloggers or rootkits onto the user's computer.
The website owners were informed to remove the infection from these websites and advised to strengthen the security of their websites.
Month    Websites infected with malicious content
Feb-15   34
Mar-15   70
Apr-15   59
May-15   60
Jun-15   167
Jul-15   28
Figure 5: Statistics of WIMP (website intrusion and malware propagation) tracked during Feb-15 to July-15
Indian Website Defacements
A total of 2852 Indian websites were defaced during July 2015.
The following figures give the monthly trend and the domain-wise statistics of defaced websites. A total of 757 '.com', 1812 '.in', 182 '.org', 24 '.net' and 77 websites in other domains were defaced this month.
Month    Defaced Indian websites
Feb-15   1939
Mar-15   2014
Apr-15   1386
May-15   1226
Jun-15   1770
Jul-15   2852
Figure 6: Statistics of Defacements tracked during Feb-15 to Jul-15

Domain   Defaced websites (July 2015)
.com     757
.org     182
.net     24
.in      1812
others   77
Figure 7: Statistics of Defacements tracked during July-15
The following vulnerabilities, disclosed during July 2015, together with some previously known vulnerabilities, might have been exploited for website defacements and intrusions:

Vendor/Product | Vulnerability | Reference
WordPress | Multiple cross-site scripting (XSS) vulnerabilities in the Welcart plugin before 1.4.18 for WordPress allow remote attackers to inject arbitrary web script or HTML. | CVE-2015-2973
WordPress | Cross-site scripting (XSS) vulnerability in the save_order function in class-floating-social-bar.php in the Floating Social Bar plugin before 1.1.6 for WordPress allows remote attackers to inject arbitrary web script or HTML. | CVE-2015-5528
WordPress | Open redirect vulnerability in the Redirect function in stageshow_redirect.php in the StageShow plugin before 5.0.9 for WordPress allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the url parameter. | CVE-2015-5461
WordPress | Directory traversal vulnerability in includes/MapPinImageSave.php in the Easy2Map plugin before 1.2.5 for WordPress allows remote attackers to create arbitrary files via a .. (dot dot) in the map_id parameter. | CVE-2015-4616
WordPress | Multiple SQL injection vulnerabilities in includes/Function.php in the Easy2Map plugin before 1.2.5 for WordPress allow remote attackers to execute arbitrary SQL commands via the mapName parameter in an e2m_img_save_map_name action to wp-admin/admin-ajax.php and other unspecified vectors. | CVE-2015-4614
Joomla! | Multiple SQL injection vulnerabilities in the J2Store (com_j2store) extension before 3.1.7 for Joomla! allow remote attackers to execute arbitrary SQL commands. | CVE-2015-6513
Joomla! | Cross-site request forgery (CSRF) vulnerability in Joomla! 3.2.0 through 3.3.x and 3.4.x before 3.4.2 allows remote attackers to hijack the authentication of unspecified victims for requests that upload code via unknown vectors. | CVE-2015-5397
Drupal | Multiple cross-site scripting (XSS) vulnerabilities in the Tournament module 7.x-1.x before 7.x-1.2 for Drupal allow remote authenticated users with certain permissions to inject arbitrary web script or HTML. | CVE-2014-9738
Drupal | Open redirect vulnerability in the Language Switcher Dropdown module 7.x-1.x before 7.x-1.4 for Drupal allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in a block. | CVE-2014-9737
Table 1: Defacement related Vulnerabilities
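Three of the defect classes in Table 1 (directory traversal through a file identifier, an open redirect through a url parameter, and SQL injection through a name field) come down to one mistake: a request parameter is used as a path, a Location header or SQL text without validation. The block below is an added illustration written for this bulletin in Python; it is not the plugins' PHP code, and the upload directory, site hostname and in-memory table are assumptions. Each vulnerable function sits beside a hardened one so the fix can be compared directly.

```python
"""Three input-handling defects from Table 1, each in vulnerable and hardened form.

Added illustration in Python; not the plugins' own PHP code.  The upload
directory, the site hostname and the demo table are assumptions for the example.
"""
import os
import re
import sqlite3
from typing import List, Optional
from urllib.parse import urlsplit

MAP_IMAGE_DIR = "/var/www/uploads/maps"   # assumed upload directory
SITE_HOST = "example.com"                  # assumed hostname of our own site


# --- Directory traversal (pattern behind CVE-2015-4616, map_id parameter) -------

def vulnerable_save_path(map_id: str) -> str:
    # The parameter lands in the path unchecked, so "../../wp-config" walks out
    # of the upload directory and the attacker chooses where the file is written.
    return MAP_IMAGE_DIR + "/" + map_id + ".png"


def hardened_save_path(map_id: str) -> Optional[str]:
    # Allow-list the identifier shape (ASCII digits only), then confirm the
    # resolved path is still inside the directory: two independent checks.
    if not re.fullmatch(r"[0-9]+", map_id):
        return None
    base = os.path.realpath(MAP_IMAGE_DIR)
    path = os.path.realpath(os.path.join(base, map_id + ".png"))
    if os.path.commonpath([base, path]) != base:
        return None
    return path


# --- Open redirect (pattern behind CVE-2015-5461, url parameter) ----------------

def vulnerable_redirect_target(url: str) -> str:
    # Whatever arrives in ?url= becomes the Location header.
    return url


def hardened_redirect_target(url: str, default: str = "/") -> str:
    # Accept only same-origin targets: a local path, or an absolute URL whose host
    # is exactly ours.  Anything else falls back to a fixed safe location.
    parts = urlsplit(url)
    if parts.scheme == "" and parts.netloc == "":
        # "//evil" parses with a netloc and is rejected below; "/\evil" does not,
        # but browsers read the backslash as a slash, so reject it explicitly.
        if url.startswith("/") and not url.startswith(("//", "/\\")):
            return url
        return default
    if parts.scheme in ("http", "https") and parts.hostname == SITE_HOST:
        return url
    return default


# --- SQL injection (pattern behind CVE-2015-4614 and CVE-2015-6513) -------------

def demo_db() -> sqlite3.Connection:
    # Constructed in-memory table standing in for the plugin's map table.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE maps (id INTEGER PRIMARY KEY, name TEXT)")
    con.executemany("INSERT INTO maps (name) VALUES (?)",
                    [("office",), ("warehouse",), ("hidden",)])
    return con


def vulnerable_find_map(con: sqlite3.Connection, map_name: str) -> List[str]:
    # The parameter is spliced into the statement text, so a quote ends the literal
    # and the rest of the input is parsed as SQL.
    sql = "SELECT name FROM maps WHERE name = '" + map_name + "'"
    return [row[0] for row in con.execute(sql)]


def hardened_find_map(con: sqlite3.Connection, map_name: str) -> List[str]:
    # Bound parameter: the value is passed to the engine as data, never as SQL text.
    return [row[0] for row in
            con.execute("SELECT name FROM maps WHERE name = ?", (map_name,))]


if __name__ == "__main__":
    payload = "x' OR '1'='1"
    con = demo_db()
    print(vulnerable_find_map(con, payload))   # every row comes back
    print(hardened_find_map(con, payload))     # []
    print(vulnerable_save_path("../../wp-config"))
    print(hardened_save_path("../../wp-config"))  # None
    print(hardened_redirect_target("//evil.example/"))   # /
```

The same shape applies to the XSS entries in the table: output encoding at the point where data meets HTML is the counterpart of the bound parameter and the path check here. Note that the redirect check compares parts.hostname, not the raw string, so "https://example.com@evil.example/" (userinfo trick) and "https://example.com.evil.example/" are both rejected.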
Prevalent Global Attack Trends
Adobe Flash Player Zero Day (CVE-2015-5122, CVE-2015-5123)
Critical vulnerabilities (CVE-2015-5122, CVE-2015-5123) have been identified in Adobe Flash Player 18.0.0.204 and earlier versions for Windows, Macintosh and Linux. Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system.
Trainings Conducted by CERT-In
Workshop on "Data Leakage Detection & Prevention" on July 30, 2015
A workshop on "Data Leakage Detection & Prevention" was held on July 30, 2015 for CISOs of the public sector. The aim of the workshop was to address the issues concerning data breach/leakage in an organization and the techniques for preventing it. The workshop emphasized data leakage detection and mitigation strategies using next-generation prevention mechanisms. IT heads, systems and network administrators and senior IT executives from various public sector organizations attended the workshop.
Workshop on "Cloud Security" on July 17, 2015
A workshop on "Cloud Security" was held on July 17, 2015 for Government Departments and Ministries. The aim of the workshop was to give an overview of the security issues and concerns associated with cloud computing. The workshop emphasized the various approaches and methodologies for securing cloud infrastructure and services with the latest tools and techniques. IT heads, CISOs, system/network administrators and senior government officers from Government Departments and Ministries attended the workshop.
Workshop on "Cyber Security Threats and Countermeasures" on July 30, 2015
A workshop on "Advanced Web Application Security" was conducted on 22nd May 2015 for Government Departments and Ministries. The aim of the workshop was to give an overview of web application security. It also covered various web application attacks and their prevention through secure application design and security implementation. Senior government officials, web developers and web administrators attended the workshop.
Security Alerts
The critical and medium vulnerabilities in various operating systems, application software and network devices discovered during July 2015 are given below:

Vendor/Product | Title of Vulnerability | Discovery/Publish Date | CERT-In Reference
ISC BIND | ISC BIND Zone TKEY Query Handling Denial of Service Vulnerability | July 30, 2015 | CIVN-2015-0197
Siemens | Siemens SICAM MIC Authentication Bypass Vulnerability | July 29, 2015 | CIVN-2015-0196
Microsoft | Multiple vulnerabilities in Microsoft Internet Explorer for Mobile Devices | July 27, 2015 | CIVN-2015-0195
ISC BIND | ISC BIND Zone Data DNS Query Handling Denial of Service Vulnerability | July 24, 2015 | CIVN-2015-0194
Drupal | Multiple vulnerabilities in Drupal modules | July 24, 2015 | CIVN-2015-0193
Cisco | Cisco IOS Software TFTP Server Denial of Service Vulnerability | July 24, 2015 | CIVN-2015-0192
Cisco | Cisco Application Policy Infrastructure Controller Access Control Vulnerability | July 23, 2015 | CIVN-2015-0191
Microsoft | Remote Code Execution Vulnerability in Microsoft Windows OpenType Font Driver | July 22, 2015 | CIVN-2015-0189
Cisco | Cisco Unified MeetingPlace Unauthorized Password Change Vulnerability | July 23, 2015 | CIVN-2015-0190
Cisco | Cisco Videoscape Delivery System Denial of Service Vulnerability | July 22, 2015 | CIVN-2015-0188
IBM | Multiple Vulnerabilities in IBM DB2 | July 21, 2015 | CIVN-2015-0187
Joomla | Cross-site request forgery vulnerability in Joomla | July 20, 2015 | CIVN-2015-0186
Google | Denial of Service Vulnerability in Google V8 | July 17, 2015 | CIVN-2015-0185
Solaris | Multiple Vulnerabilities in Solaris | July 16, 2015 | CIVN-2015-0184
Oracle | Multiple Vulnerabilities in Oracle Java SE | July 16, 2015 | CIVN-2015-0183
Juniper | Juniper Junos BFD processing weakness allows remote users to crash the BFD daemon or execute arbitrary code | July 16, 2015 | CIVN-2015-0182
Juniper | Juniper Junos BGP-VPLS processing weakness allows remote users to crash the system and deny service | July 16, 2015 | CIVN-2015-0181
Juniper | Juniper Junos LAST_ACK state transition bug allows remote users to exhaust mbufs and deny service | July 16, 2015 | CIVN-2015-0180
Juniper | Juniper Junos SRX Series console port access control weakness allows local physical users to gain root | July 16, 2015 | CIVN-2015-0179
Microsoft | Microsoft Windows Adobe Type Manager Privilege Escalation Vulnerability | July 15, 2015 | CIVN-2015-0178
Microsoft | Microsoft Windows Remote Procedure Call Local Privilege Escalation Vulnerability | July 15, 2015 | CIVN-2015-0177
Microsoft | Microsoft Windows OLE Privilege Escalation Vulnerability | July 15, 2015 | CIVN-2015-0176
Microsoft | Microsoft Windows Installer Component Privilege Escalation Vulnerability | July 15, 2015 | CIVN-2015-0175
Microsoft | Multiple Privilege Escalation Vulnerabilities in Microsoft Windows Kernel-Mode Driver | July 15, 2015 | CIVN-2015-0174
Microsoft | Microsoft Windows Graphics Component Privilege Escalation Vulnerability | July 15, 2015 | CIVN-2015-0173
Microsoft | Microsoft Windows NetLogon Service Spoofing Vulnerability | July 15, 2015 | CIVN-2015-0172
Microsoft | Multiple Remote Code Execution Vulnerabilities in Microsoft Office | July 15, 2015 | CIVN-2015-0171
Microsoft | Microsoft Windows Arbitrary Code Execution Vulnerabilities | July 15, 2015 | CIVN-2015-0170
Microsoft | Multiple Remote Code Execution Vulnerabilities in Microsoft Windows Hyper-V | July 15, 2015 | CIVN-2015-0169
Microsoft | Remote Code Execution Vulnerability in Remote Desktop Protocol (RDP) | July 15, 2015 | CIVN-2015-0168
Microsoft | Remote Code Execution Vulnerability in Microsoft VBScript Engine | July 15, 2015 | CIVN-2015-0167
Microsoft | Multiple Vulnerabilities in Microsoft Internet Explorer | July 15, 2015 | CIVN-2015-0166
Microsoft | Microsoft SQL Server Remote Code Execution and Elevation of Privilege Vulnerabilities | July 15, 2015 | CIVN-2015-0165
OpenSSL | OpenSSL Alternative Chains Certificate Forgery Vulnerability | July 15, 2015 | CIVN-2015-0164
Red Hat | Multiple Vulnerabilities in Red Hat JBoss Fuse 6.2.0 | July 15, 2015 | CIVN-2015-0163
Adobe | Multiple Vulnerabilities in Adobe Flash Player | July 15, 2015 | CIVN-2015-0162
WordPress | Multiple vulnerabilities in various plugins for WordPress | July 13, 2015 | CIVN-2015-0161
Adobe | Adobe Flash Player AS3 ByteArray Class Use-After-Free Vulnerability | July 07, 2015 | CIVN-2015-0160
Apple | Multiple vulnerabilities in Apple Safari | July 07, 2015 | CIVN-2015-0159
Cisco | Cisco Unified Communications Domain Manager Default Static Privileged Account Credentials | July 06, 2015 | CIVN-2015-0158
Cisco | Multiple Default SSH Keys Vulnerabilities in Cisco Virtual WSA, ESA and SMA | July 01, 2015 | CIVN-2015-0157
Table 2: Security Alerts published in July 2015
Malicious Code Threats

Title of Malicious Code | Type | Overview | Publishing Date | Reference
Golroted Malware | Trojan/Spyware | It has been reported that variants of a new malware family, dubbed "Golroted", with spyware functionality are spreading. This malware typically spreads through spear-phishing mails carrying zipped archives (keyloggers) or Microsoft Office document exploits as attachments, or via removable drives. | July 17, 2015 | CERT-In
TROJ_CRYPTESLA.CAG | Trojan | This crypto-ransomware is one of the malware payloads of the Fiesta exploit kit. Typically, exploit kits are used to deliver or spread threats. This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites. | July 08, 2015 | Trend Micro
Table 3: Malicious Code threats in July 2015
Security News

July 30, 2015 (Threatpost): Cisco Fixes DoS Vulnerability in ASR 1000 Routers
Cisco has patched a denial-of-service vulnerability in its ASR 1000 line of routers, a bug caused by an issue with the way the routers handle some fragmented packets. The company said the DoS vulnerability affects all of the ASR 1000 Series Aggregation Services Routers that are running a vulnerable version of the IOS XE software. The ASR 1000 routers are edge routers designed for enterprise and service provider environments.

July 29, 2015 (Symantec): Stagefright vulnerabilities pose serious threat to Android users
Android devices running Android versions 2.2 through 5.1.1_r5 contain vulnerabilities in the Stagefright media playback engine. Exploitation of these vulnerabilities may allow an attacker to access multimedia files or potentially take control of a vulnerable device.

July 01, 2015 (Sophos): Windows 10 Wi-Fi Sense feature shares your Wi-Fi network with your friends
Wi-Fi Sense is a feature of the soon-to-be-released Windows 10 operating system that not only allows you to automatically connect a compatible device to any in-range open crowdsourced Wi-Fi network, but also grants access to password-protected networks by sharing login credentials between friends.

July 30, 2015 (Threatpost): Facebook Security Checkup Tool Keeps Tabs on Security Settings
Facebook announced the general availability of Security Checkup, a new tool designed to help users better protect their accounts. Security Checkup makes it easier to find and use the security controls for your account.

July 22, 2015 (Threatpost): Bartalex Variants Spotted Dropping Pony, Dyre Malware
Some strains of Bartalex malware, a macro-based malware, have recently been spotted dropping the Pony loader malware and the Dyre banking Trojan. Primarily spread through spam, the first iterations of Bartalex were observed in late March embedded in Microsoft Word and Excel macros.

Table 4: Security News in July 2015
Postal Address:
Indian Computer Emergency Response Team (CERT-In)
Department of Information Technology
Ministry of Communications & Information Technology
Government of India
Electronics Niketan
6, CGO Complex, Lodhi Road,
New Delhi - 110 003
India
Email:
Phone: +91-11-24368572
Fax: +91-1800-11-6969