Port scan spike hints at BrightStor attack

Summary: Detailed exploit code for a gaping worm hole in CA's BrightStor ARCserve Backup product has been posted on the Internet, prompting a strong "patch now or else!" warning from security researchers.

Detailed exploit code for gaping worm holes in CA's BrightStor ARCserve Backup product has been posted on the Internet, prompting a strong "patch now or else!" warning from security researchers.

At least three exploits -- which provide step-by-step instructions to launch remote attacks -- have been posted at Milw0rm.com, increasing the likelihood of code execution attacks against large datacenters, individual departments and small- to medium-sized businesses that use the BrightStor back-up and recovery suite.

CA has had advisories and patches available for the three vulnerabilities since January 11 but, because patch testing and deployment procedures often run for months, many businesses have still not applied these updates. US-CERT says it is aware of "active exploitation" of one of the bugs -- a flaw in the way BrightStor ARCserve Backup handles malformed RPC requests -- and strongly urged BrightStor users to treat the patches with the highest priority.

More ominously, Arbor Networks, a company that tracks malicious Internet activity, has seen early signs that a large-scale attack might be imminent. In the past 24 hours, Arbor's sensors have picked up a spike in scans on TCP port 6503, which is used by one of the vulnerable BrightStor products.

"It's only a fraction of the day's scanning activity (about 1% by byte count), but this is probably the tip of the iceberg. I don't know if this exploit has been rolled into a bot yet, but it wouldn't surprise me to see this happen soon," says Jose Nazario, senior software engineer at Arbor Networks.
