Port scan spike hints at BrightStor attack

Summary:Detailed exploit code for a gaping worm hole in CA's BrightStor ARCserve Backup product has been posted on the Internet, prompting a strong "patch now or else!" warnings from security researchers.

Detailed exploit code for gaping worm holes in CA's BrightStor ARCserve Backup product has been posted on the Internet, prompting a strong "patch now or else!" warning from security researchers.

At least three exploits -- which provide step-by-step instructions to launch remote attacks -- have been posted at Milw0rm.com, increasing the likelihood of code execution attacks against large datacenters, individual departments and small- to medium-sized businesses that use the BrightStor back-up and recovery suite.

CA has had advisories/patches available for the three vulnerabilities since January 11 but, because patch testing and deployment procedures often run for months, many businesses have still not applied these updates.   The US-CERT says it is aware of "active exploitation" of one of the bugs -- a flaw in the way the BrightStor ARCserve Backup handles malformed RPC requests -- and strongly urged BrightStor users to treat the patches with the highest priority.

More ominously, Arbor Networks, a company that tracks malicious Internet activity, has seen early signs that a large-scale attack might be imminent. In the past 24 hours, Arbor's censors have picked up a spike in scans on TCP port 6503, which is used by one of the vulnerable BrightStor products.

"It's only a fraction of the day's scanning activity (about 1% by byte count), but this is probably the tip of the iceberg. I don't know if this exploit has been rolled into a bot yet, but it wouldn't surprise me to see this happen soon," says Jose Nazario, senior software engineer at Arbor Networks.

Topics: Security

About

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content managem... Full Bio

zdnet_core.socialButton.googleLabel Contact Disclosure

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.