Port scan spike hints at BrightStor attack
Detailed exploit code for gaping worm holes in CA's BrightStor ARCserve Backup product has been posted on the Internet, prompting a strong "patch now or else!" warning from security researchers.
At least three exploits -- which provide step-by-step instructions to launch remote attacks -- have been posted at Milw0rm.com, increasing the likelihood of code execution attacks against large datacenters, individual departments and small- to medium-sized businesses that use the BrightStor back-up and recovery suite.
CA has had advisories and patches available for the three vulnerabilities since January 11, but because patch testing and deployment procedures often run for months, many businesses have still not applied them. US-CERT says it is aware of "active exploitation" of one of the bugs, a flaw in the way BrightStor ARCserve Backup handles malformed RPC requests, and strongly urged BrightStor users to treat the patches with the highest priority.
More ominously, Arbor Networks, a company that tracks malicious Internet activity, has seen early signs that a large-scale attack might be imminent. In the past 24 hours, Arbor's sensors have picked up a spike in scans on TCP port 6503, which is used by one of the vulnerable BrightStor products.
"It's only a fraction of the day's scanning activity (about 1% by byte count), but this is probably the tip of the iceberg. I don't know if this exploit has been rolled into a bot yet, but it wouldn't surprise me to see this happen soon," says Jose Nazario, senior software engineer at Arbor Networks.
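For a network team that wants to look for the same signal in its own telemetry, the following is an added example (not code from the article, from Arbor Networks or from CA). It counts the distinct sources sending bare SYNs to TCP/6503 in each hour of a constructed flow log, flags an hour whose count jumps well above the median of the preceding hours, and reports how large a share of all bytes those probes are. The flow record format, the addresses, and the thresholds are assumptions made for the example.

```python
"""Spot a per-hour spike in probing of TCP/6503 in flow records (added example)."""
from collections import defaultdict
from statistics import median

# Constructed flow records for this example only; not real telemetry.
# Fields: timestamp src dst dport proto tcp_flags bytes
# "S" means a bare SYN (no ACK), which is what a port scanner sends;
# "PA" flows are established sessions carrying data (a legitimate backup agent).
FLOW_LOG = """\
2007-03-12T00:04 198.51.100.7 192.0.2.10 6503 tcp S 60
2007-03-12T00:10 10.0.0.20 192.0.2.10 6503 tcp PA 48000
2007-03-12T00:31 10.0.0.31 192.0.2.10 445 tcp PA 120000
2007-03-12T01:17 198.51.100.7 192.0.2.10 6503 tcp S 60
2007-03-12T01:40 10.0.0.31 192.0.2.11 80 tcp PA 250000
2007-03-12T02:02 198.51.100.7 192.0.2.10 6503 tcp S 60
2007-03-12T02:45 203.0.113.9 192.0.2.10 6503 tcp S 60
2007-03-12T02:50 10.0.0.20 192.0.2.10 6503 tcp PA 52000
2007-03-12T03:21 198.51.100.7 192.0.2.12 6503 tcp S 60
2007-03-12T03:33 10.0.0.31 192.0.2.11 80 tcp PA 180000
2007-03-12T04:05 203.0.113.9 192.0.2.10 6503 tcp S 60
2007-03-12T04:06 203.0.113.9 192.0.2.11 6503 tcp S 60
2007-03-12T04:55 198.51.100.7 192.0.2.10 6503 tcp S 60
2007-03-12T05:12 198.51.100.7 192.0.2.10 6503 tcp S 60
2007-03-12T05:30 10.0.0.31 192.0.2.11 443 tcp PA 300000
2007-03-12T06:01 203.0.113.41 192.0.2.10 6503 tcp S 60
2007-03-12T06:02 203.0.113.42 192.0.2.10 6503 tcp S 60
2007-03-12T06:02 203.0.113.43 192.0.2.10 6503 tcp S 60
2007-03-12T06:03 203.0.113.44 192.0.2.10 6503 tcp S 60
2007-03-12T06:05 203.0.113.45 192.0.2.10 6503 tcp S 60
2007-03-12T06:07 203.0.113.46 192.0.2.10 6503 tcp S 60
2007-03-12T06:09 203.0.113.47 192.0.2.10 6503 tcp S 60
2007-03-12T06:11 203.0.113.48 192.0.2.10 6503 tcp S 60
2007-03-12T06:30 10.0.0.31 192.0.2.11 443 tcp PA 200000
"""


def parse_flows(text):
    """Parse the whitespace-separated records above into dicts, one per flow."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, proto, flags, nbytes = line.split()
        flows.append({"hour": ts[:13], "src": src, "dst": dst,
                      "dport": int(dport), "proto": proto,
                      "flags": flags, "bytes": int(nbytes)})
    return flows


def is_probe(flow, dport):
    """A probe is a bare SYN to the port of interest; data-carrying flows are not."""
    return flow["proto"] == "tcp" and flow["dport"] == dport and flow["flags"] == "S"


def probing_sources_per_hour(flows, dport=6503):
    """Map each hour to the number of distinct sources that probed the port.

    Hours in which nothing probed the port are absent from the result; a
    production version should fill those hours with zero before baselining.
    """
    per_hour = defaultdict(set)
    for f in flows:
        if is_probe(f, dport):
            per_hour[f["hour"]].add(f["src"])
    return {h: len(s) for h, s in sorted(per_hour.items())}


def detect_spikes(per_hour, factor=3.0, min_sources=5, min_history=3):
    """Flag hours whose source count exceeds `factor` times the median of all
    earlier hours, once at least `min_history` hours of baseline exist.
    `min_sources` keeps a jump from 1 to 4 sources from alerting.
    Returns (hour, count, baseline) tuples."""
    hours = sorted(per_hour)
    flagged = []
    for i, h in enumerate(hours):
        history = [per_hour[x] for x in hours[:i]]
        if len(history) < min_history:
            continue
        baseline = median(history)
        n = per_hour[h]
        if n >= min_sources and n > factor * baseline:
            flagged.append((h, n, baseline))
    return flagged


def probe_byte_share(flows, dport=6503):
    """Return (bytes in probes of the port, bytes in all flows)."""
    scan = sum(f["bytes"] for f in flows if is_probe(f, dport))
    total = sum(f["bytes"] for f in flows)
    return scan, total


if __name__ == "__main__":
    flows = parse_flows(FLOW_LOG)
    counts = probing_sources_per_hour(flows)
    for hour, n, baseline in detect_spikes(counts):
        print(f"{hour}: {n} probing sources (baseline median {baseline})")
    scan, total = probe_byte_share(flows)
    print(f"probes are {100 * scan / total:.3f}% of bytes")
```

Counting distinct sources rather than packets keeps one noisy scanner from looking like a campaign, and measuring against a median rather than a mean stops a single earlier burst from raising the baseline. As the quote above notes, the byte share is tiny even during the spike, which is why a volume-based threshold alone would miss this kind of reconnaissance.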