This report documents the GhostNet – a suspected cyber espionage network of over 1,295 infected computers in 103 countries, 30% of which are high-value targets, including ministries of foreign affairs, embassies, international organizations, news media, and NGOs.
The capabilities of GhostNet are far-reaching. The report reveals that Tibetan computer systems were compromised giving attackers access to potentially sensitive information, including documents from the private office of the Dalai Lama. The report presents evidence showing that numerous computer systems were compromised in ways that circumstantially point to China as the culprit. But the report is careful not to draw conclusions about the exact motivation or the identity of the attacker(s), or how to accurately characterize this network of infections as a whole. The report argues that attribution can be obscured.
The report concludes that who is in control of GhostNet is less important than the opportunity for generating strategic intelligence that it represents. The report underscores the growing capabilities of computer network exploitation, the ease by which cyberspace can be used as a vector for new do-it-yourself form of signals intelligence. It ends with warning to policy makers that information security requires serious attention.
US-CERT is aware of public reports indicating a widespread infection of the Conficker worm, which can infect a Microsoft Windows system from a thumb drive, a network share, or directly across the network if the host is not patched with MS08-067.
The presence of a Conficker infection may be detected if a user is unable to navigate to the following websites:
http://www.symantec.com/norton/theme.jsp?themeid=conficker_worm&inid=us_ghp+link_conficker_worm
http://www.mcafee.com
If a user is unable to reach either of these websites, the Conficker infection may be indicated (the most current variant of Conficker interferes with queries for these sites, preventing a user from visiting them). If a Conficker infection is suspected, the infected system should be removed from the network. Major anti-virus vendors and Microsoft have released several free tools that can verify the presence of a Conficker infection and remove the worm. Instructions for manually removing a Conficker infection from a system have been published by Microsoft in Knowledgebase Article 962007.
US-CERT encourages users to prevent a Conficker infection by ensuring all systems have the MS08-067 patch (part of Security Update KB958644, which was published by Microsoft in October 2008), disabling AutoRun functionality (see US-CERT Technical Cyber Security Alert TA09-020A), and maintaining up-to-date antivirus software.
US-CERT will provide additional information as it becomes available.
Sun Releases Updates for Java SE
added March 26, 2009 at 08:54 am
Sun has released updates for Java SE to address multiple vulnerabilities. These vulnerabilities may allow an attacker to execute arbitrary code, cause a denial-of-service condition, or operate with escalated privileges.
US-CERT encourages users to review the Sun Java SE 6 Update Release Notes and upgrade to Java SE version 1.6.0_13 to help mitigate the risks.
Comments Off
Source: US-CERT
As part of the Microsoft Security Bulletin Summary for March 2009, Microsoft released updates to address vulnerabilities that affect Microsoft Windows and Windows Server.
A remote, unauthenticated attacker could gain elevated privileges, poison the DNS cache, execute arbitrary code, or cause a vulnerable application to crash.
Solution
Microsoft has provided updates for these vulnerabilities in the Microsoft Security Bulletin Summary for March 2009. The security bulletin describes any known issues related to the updates. Administrators are encouraged to note these issues and test for any potentially adverse effects. Administrators should consider using an automated update distribution system such as Windows Server Update Services (WSUS).