
Port scan spike hints at BrightStor attack

Detailed exploit code for a gaping worm hole in CA's BrightStor ARCserve Backup product has been posted on the Internet, prompting a strong "patch now or else!" warning from security researchers.
Written by Ryan Naraine, Contributor

Detailed exploit code for gaping worm holes in CA's BrightStor ARCserve Backup product has been posted on the Internet, prompting a strong "patch now or else!" warning from security researchers.

At least three exploits -- which provide step-by-step instructions to launch remote attacks -- have been posted at Milw0rm.com, increasing the likelihood of code execution attacks against large datacenters, individual departments and small- to medium-sized businesses that use the BrightStor back-up and recovery suite.

CA has had advisories/patches available for the three vulnerabilities since January 11 but, because patch testing and deployment procedures often run for months, many businesses have still not applied these updates. US-CERT says it is aware of "active exploitation" of one of the bugs -- a flaw in the way BrightStor ARCserve Backup handles malformed RPC requests -- and strongly urged BrightStor users to treat the patches with the highest priority.

More ominously, Arbor Networks, a company that tracks malicious Internet activity, has seen early signs that a large-scale attack might be imminent. In the past 24 hours, Arbor's sensors have picked up a spike in scans on TCP port 6503, which is used by one of the vulnerable BrightStor products.

"It's only a fraction of the day's scanning activity (about 1% by byte count), but this is probably the tip of the iceberg. I don't know if this exploit has been rolled into a bot yet, but it wouldn't surprise me to see this happen soon," says Jose Nazario, senior software engineer at Arbor Networks.
