NATIONAL KE-CIRT/CC CYBERSECURITY UPDATES

17th October 2019




Summary Headlines

Impact Metric Against Count of Events

Category                 Critical   High   Medium   Informative
Regional Highlights          0        0       0          1
Top Stories                  0        0       0          2
System vulnerabilities       0        2       0          1
Malware                      0        1       0          1
DDoS/Botnets                 0        2       0          0
Spam & phishing              0        2       0          0
Web Security                 0        2       0          0
Updates & alerts             1        5      22          2


Regional Highlights

Source 1: National KE-CIRT/CC ( https://twitter.com/KeCIRT )
https://twitter.com/KeCIRT/status/1184353273953902592
Impact value: Informative

The CA Cybersecurity Conference 2019 takes place from 23rd to 25th October at Safari Park Hotel, Nairobi.

Top Stories

Source 1: Defense News ( https://www.defensenews.com/ )
https://www.defensenews.com/show-reporter/ausa/2019/10/16/cyber-command-wants-to-work-more-closely-with-the-energy-sector/
Impact value: Informative

Cyber Command wants to work more closely with the energy sector. U.S. Cyber Command is working with the energy sector and the Department of Energy to strengthen their relationship ahead of any malicious or catastrophic cyberattack.

Source 2: FCW ( https://fcw.com/ )
https://fcw.com/articles/2019/10/16/cisa-bill-cyber-subpoena.aspx
Impact value: Informative

Why CISA wants subpoena authority to probe cyber risks. Officials at the Cybersecurity and Infrastructure Security Agency (CISA) have told lawmakers that there have been at least half a dozen instances over the past year in which they were unable to respond adequately to known cyber risks because they could not identify the owners of vulnerable IP addresses. The agency is pressing Congress for administrative subpoena powers to compel Internet Service Providers (ISPs) to turn over subscriber information for IP addresses associated with critical infrastructure.


System vulnerabilities

Source 1: My Broadband ( https://mybroadband.co.za/ )
https://mybroadband.co.za/news/security/323350-big-discovery-bank-security-flaw.html
Impact value: High

Big Discovery Bank security flaw. Discovery Bank credit cards were affected by a vulnerability that allowed online purchases to be completed without the buyer knowing the card's Card Verification Value (CVV). The CVV issue, along with a one-time PIN (OTP) issue, was fixed by the bank on Monday, 14th October 2019. The bank states that it mitigated both issues soon after learning of them.

Source 2: Bleeping Computer ( https://www.bleepingcomputer.com/ )
https://www.bleepingcomputer.com/news/security/symantec-fixes-bad-ips-definitions-that-cause-a-windows-bsod/
Impact value: Informative

Symantec Fixes Bad IPS Definitions That Cause a Windows BSOD. Symantec has fixed an Intrusion Prevention System (IPS) definitions issue that caused a Blue Screen of Death (BSOD) for customers running the company's Endpoint Protection client. The issue affects systems running Windows 7 through Windows 10.

Source 3: Computer Business Review ( https://www.cbronline.com/ )
https://www.cbronline.com/news/oracle-patches-nosql-vulnerability
Impact value: High

Oracle Patches 219 Security Vulnerabilities – 142 Remotely Exploitable. Oracle has rolled out security patches for a total of 219 flaws, 142 of which can be exploited remotely. The patches also fix an issue affecting Oracle NoSQL Database that carries the maximum CVSS score of 10.0.


Malware

Source 1: CYWARE ( https://cyware.com/news/ )
https://cyware.com/news/newly-discovered-cutlet-maker-malware-used-in-series-of-jackpotting-attacks-on-atms-in-germany-0e6fdf24/
Impact value: High

Newly Discovered 'Cutlet Maker' Malware Used in Series of Jackpotting Attacks on ATMs in Germany. A newly identified piece of malware named 'Cutlet Maker' was found to have helped criminals steal over $1.5 million from ATMs in Germany between February and November 2017. One of the major banks affected was Santander. The affected ATMs ran old, slow Windows systems, which made it easier for the criminals to hijack them.

Source 2: Info Security ( https://www.infosecurity-magazine.com/ )
https://www.infosecurity-magazine.com/news/iswuk-ransomware-present-future/
Impact value: Informative

Ransomware Remains Top Threat For Present and Future. The top cyber-threats to the security of data today were highlighted at the NTT Security Information Security World 2019 conference in London. The top five current threats listed were ransomware, compromised data, DDoS attacks, card-not-present fraud and the Dark Web.


DDoS/Botnets

Source 1: The Hacker News ( https://thehackernews.com/ )
https://thehackernews.com/2019/10/phorpiex-botnet-sextortion-emails.html
Impact value: High

Phorpiex Botnet Sending Out Millions of Sextortion Emails Using Hacked Computers. A large-scale "sextortion" campaign is using a botnet of more than 450,000 hijacked computers to send threatening emails. The emails threaten to release compromising photographs of the recipient unless $800 (£628) is paid in Bitcoin.

Source 2: Bleeping Computer ( https://www.bleepingcomputer.com/ )
https://www.bleepingcomputer.com/news/security/new-sdbot-remote-access-trojan-used-in-ta505-malspam-campaigns/
Impact value: High

New SDBbot Remote Access Trojan Used in TA505 Malspam Campaigns. Researchers discovered two new malware strains distributed through phishing campaigns run by the TA505 group over the last two months: a new downloader dubbed Get2 and a previously undocumented remote access Trojan (RAT) named SDBbot. The attackers use the Get2 downloader to deliver second-stage payloads to compromised systems, including FlawedGrace, FlawedAmmyy, Snatch and the new SDBbot RAT.


Spam & Phishing

Source 1: CYWARE ( https://cyware.com/news/ )
https://cyware.com/news/new-click-fraud-scam-uses-fake-checkra1n-ios-jailbreak-d853acf2
Impact value: High

New Click Fraud Scam Uses Fake Checkra1n iOS Jailbreak. Cybercriminals are using a fake Checkra1n iOS jailbreak tool in a new click-fraud campaign. Checkra1n is a recently announced iOS jailbreak built on the checkm8 bootrom exploit, which allows an unsigned, jailbroken image to be loaded onto the iPhone at boot; because the flaw sits in read-only boot code, it cannot be patched by a software update. The campaign primarily targets users in the US, the UK, France, Nigeria, Iraq, Vietnam, Venezuela, Egypt, Georgia, Australia, Canada, Turkey, the Netherlands and Italy.

Source 2: Threat Post ( https://threatpost.com/ )
https://threatpost.com/silent-librarian-phishing-student-credentials/149249/
Impact value: High

Silent Librarian Retools Phishing Emails to Hook Student Credentials. Silent Librarian is targeting university students in full force with a revamped phishing campaign. The threat group, which aims to steal student login credentials, is using new tricks that lend its phishing emails more credibility and help it avoid detection.


Web Security

Source 1: Security Discovery ( https://securitydiscovery.com/ )
https://securitydiscovery.com/whirlpool-exposed-database-with-home-appliances-scan-results/
Impact value: High

Whirlpool Exposed Database with Home Appliances Scan Results. An unprotected MongoDB database belonging to Whirlpool has exposed more than 28 million records. The database was used to collect information from Internet-connected home appliances, including customer email addresses, smart appliance IDs, model names and numbers, and various attributes of the scanned appliance. The leaky database was taken offline within 24 hours of the company being alerted.
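The check a practitioner will want after an exposed-MongoDB report like the one above is whether their own mongod instances are in the same state: no access control, bound to every interface, no transport encryption. The following is an added example, not Whirlpool's or Security Discovery's code. It audits the `parsed` sub-document that `db.serverCmdLineOpts()` returns in the mongo shell (that document mirrors the YAML layout of mongod.conf); the two sample documents are constructed for illustration and are not the exposed server's configuration.

```python
"""Audit a mongod's effective options for the settings that turn a reachable
database into an open one.

Added example, not Whirlpool's or Security Discovery's code. The input is the
``parsed`` document returned by ``db.serverCmdLineOpts()`` in the mongo shell,
which mirrors the YAML layout of mongod.conf; both sample documents below are
constructed for illustration and are not the exposed server's configuration.
"""
import json
from typing import Dict, List

# Constructed sample: auth not configured, listening on every interface, no TLS.
EXPOSED = json.loads("""
{
  "net": {"port": 27017, "bindIp": "0.0.0.0"},
  "storage": {"dbPath": "/var/lib/mongodb"}
}
""")

# Constructed sample: the same server with the usual hardening applied.
HARDENED = json.loads("""
{
  "net": {"port": 27017, "bindIp": "127.0.0.1,10.0.5.12",
          "tls": {"mode": "requireTLS", "certificateKeyFile": "/etc/ssl/mongod.pem"}},
  "security": {"authorization": "enabled"},
  "storage": {"dbPath": "/var/lib/mongodb"}
}
""")


def audit_mongod_options(parsed: Dict) -> List[str]:
    """Return one finding per exposure; an empty list means none were found."""
    findings: List[str] = []
    net = parsed.get("net", {})
    security = parsed.get("security", {})

    # 1. Authorization. If security.authorization is absent mongod runs with
    #    access control off, so any client that reaches the port has full
    #    read/write access to every database.
    if security.get("authorization") != "enabled":
        findings.append("security.authorization is not 'enabled': "
                        "unauthenticated clients get full access")

    # 2. Listening interfaces. bindIp is a comma-separated list; 0.0.0.0 or ::,
    #    or bindIpAll:true, exposes the port on every interface. When bindIp is
    #    absent, mongod 3.6 and later default to localhost only.
    bind_ips = [ip.strip() for ip in str(net.get("bindIp", "127.0.0.1")).split(",")]
    if net.get("bindIpAll") or any(ip in ("0.0.0.0", "::") for ip in bind_ips):
        findings.append("net.bindIp binds all interfaces: the port is reachable "
                        "from any network routed to the host")

    # 3. Transport encryption. Without requireTLS, credentials and records
    #    cross the network in clear text. (net.ssl is the pre-4.2 key name.)
    tls_mode = net.get("tls", {}).get("mode") or net.get("ssl", {}).get("mode")
    if tls_mode not in ("requireTLS", "requireSSL"):
        findings.append("net.tls.mode is not 'requireTLS': connections are "
                        "unencrypted")

    return findings


if __name__ == "__main__":
    for name, opts in (("EXPOSED", EXPOSED), ("HARDENED", HARDENED)):
        print(f"{name}: {audit_mongod_options(opts) or ['no findings']}")
```

This audits only what the server reports about itself. Whether the port is actually reachable from the Internet still has to be confirmed from outside (a port scan from an external vantage point), and an instance that passes all three checks can still leak data through an over-privileged application account.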

Source 2: Krebs on Security ( https://krebsonsecurity.com/ )
https://krebsonsecurity.com/2019/10/briansclub-hack-rescues-26m-stolen-cards/
Impact value: High

"BriansClub" Hack Rescues 26M Stolen Cards. BriansClub, one of the underground web's largest marketplaces for stolen payment cards, has itself been hacked. The store held more than 26 million stolen credit and debit card records taken from online and brick-and-mortar retailers over the past four years. Between January and August 2019 alone, BriansClub added roughly 7.6 million records.


Bulletins

Source 1: US-CERT - Security Bulletin Mailing List ( http://www.us-cert.gov/cas/bulletins/ )
https://www.us-cert.gov/ncas/bulletins/sb19-287
Vulnerability Summary for the Week of October 7, 2019. Recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD).

Source 2: Oracle Security Bulletins ( http://www.oracle.com/technetwork/topics/security/alerts-086861.html )

https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
Oracle Critical Patch Update Pre-Release Announcement - October 2019; advised action: apply the available security updates.

https://www.oracle.com/technetwork/security-advisory/alert-cve-2019-2729-5570780.html
Oracle Security Alert Advisory - CVE-2019-2729. Deserialization vulnerability in Oracle WebLogic Server, exploitable remotely without authentication; advised action: apply the security updates.

https://www.oracle.com/technetwork/topics/security/bulletinoct2019-5781621.html
Oracle Solaris Third Party Bulletin - October 2019; advised action: apply the necessary patches.

https://www.oracle.com/technetwork/topics/security/linuxbulletinoct2019-5781618.html
Oracle Linux Bulletin - October 2019; advised action: apply the necessary Oracle Linux Bulletin fixes.

https://www.oracle.com/technetwork/topics/security/public-vuln-to-advisory-mapping-093627.html
Map of CVE to Advisory/Alert; advised action: apply the Critical Patch Update for protection against the known vulnerabilities.

https://www.oracle.com/technetwork/topics/security/ovmbulletinoct2019-5781619.html
Oracle VM Server for x86 Bulletin - October 2019; advised action: apply the necessary Oracle VM Server for x86 Bulletin fixes.


Updates & Alerts

Source 1: Cisco Security Advisories & Alerts ( http://tools.cisco.com/security/center/publicationListing.x )

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191016-airo-unauth-access
Impact value: Critical

Cisco Aironet Access Points Unauthorized Access Vulnerability. Due to insufficient access control for certain URLs on an affected device, a remote attacker could gain unauthorized access to a targeted device with elevated privileges.

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191016-wlc-ssh-dos
Impact value: High

Cisco Wireless LAN Controller Secure Shell Denial of Service Vulnerability. Because the Secure Shell (SSH) process is not properly deleted when an SSH connection to the device is disconnected, a remote attacker could cause a Denial of Service (DoS) condition on an affected device.

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191016-spa-rce
Impact value: High

Cisco SPA100 Series Analog Telephone Adapters Remote Code Execution Vulnerabilities. Due to improper validation of user-supplied input to the web-based management interface, an authenticated, adjacent attacker could execute arbitrary code with elevated privileges.


https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191016-sbss-csrf
Impact value: High

Cisco Small Business Smart and Managed Switches Cross-Site Request Forgery Vulnerability. Due to insufficient Cross-Site Request Forgery (CSRF) protections for the web-based management interface on an affected device, a remote attacker could conduct a CSRF attack against an affected system.
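The CSRF advisory above describes the usual failure mode of embedded management interfaces: a state-changing request is accepted on the strength of the session cookie alone, which the victim's browser attaches to a form submitted from any site. The block below is an added example, not Cisco's code, showing the unprotected handler beside a hardened one that adds an Origin check and a per-session synchronizer token. Requests are modelled as plain dicts (`cookies`, `headers`, `form`) so it runs without a web framework; the origin `https://switch.example.internal`, the field name `csrf_token` and the two sample requests are assumptions made for illustration.

```python
"""Synchronizer-token CSRF protection for a state-changing request on a web
management interface, shown beside the unprotected handler it replaces.

Added example, not Cisco's code: the request layout (``cookies``, ``headers``,
``form`` dicts), the origin, the field name ``csrf_token`` and the sample
requests are assumptions made for illustration.
"""
import hmac
import secrets
from typing import Dict, Tuple

SITE_ORIGIN = "https://switch.example.internal"   # assumed origin of the management UI
SESSIONS: Dict[str, str] = {}                     # session id -> per-session CSRF token


def new_session() -> Tuple[str, str]:
    """Create a logged-in session and mint a random token bound to it."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = secrets.token_urlsafe(32)
    return sid, SESSIONS[sid]


def apply_config(form: Dict[str, str]) -> str:
    """The privileged action; stands in for a real configuration change."""
    return f"200 applied {form.get('setting')}={form.get('value')}"


def handle_unprotected(request: Dict) -> str:
    """Vulnerable handler: the only check is the session cookie.

    A form on an attacker's page that auto-submits a POST to this URL is sent
    with the victim's cookie attached by the browser, so the action goes through.
    """
    if request["cookies"].get("sid") not in SESSIONS:
        return "401 unauthenticated"
    return apply_config(request["form"])


def handle_protected(request: Dict) -> str:
    """Hardened handler: session cookie, Origin check, and synchronizer token."""
    sid = request["cookies"].get("sid")
    if sid not in SESSIONS:
        return "401 unauthenticated"

    # Browsers attach an Origin header to cross-site POSTs and a page cannot
    # forge it; when present it must be our own origin.
    origin = request["headers"].get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return "403 cross-origin request rejected"

    # The token is embedded in the legitimate form. The same-origin policy stops
    # an attacker's page from reading it, so a forged request cannot carry it.
    # compare_digest avoids leaking the token through timing differences.
    supplied = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(supplied.encode(), SESSIONS[sid].encode()):
        return "403 missing or invalid CSRF token"

    return apply_config(request["form"])


def demo() -> Dict[str, str]:
    """Run one legitimate and one forged request through both handlers."""
    sid, token = new_session()

    # Constructed: the admin submits the UI's own form, token included.
    legitimate = {
        "cookies": {"sid": sid},
        "headers": {"Origin": SITE_ORIGIN},
        "form": {"setting": "snmp_community", "value": "private", "csrf_token": token},
    }
    # Constructed: a page on attacker.example auto-submits the same form; the
    # browser adds the cookie, but the attacker cannot supply the token.
    forged = {
        "cookies": {"sid": sid},
        "headers": {"Origin": "https://attacker.example"},
        "form": {"setting": "snmp_community", "value": "owned"},
    }
    return {
        "unprotected/legitimate": handle_unprotected(legitimate),
        "unprotected/forged": handle_unprotected(forged),
        "protected/legitimate": handle_protected(legitimate),
        "protected/forged": handle_protected(forged),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:24s} {result}")
```

The Origin check alone is not sufficient (older browsers and some proxies strip the header, which is why the code only rejects when it is present and wrong), and the token alone is defeated if the UI also reflects it into a page an attacker can read; the two together, plus a `SameSite` attribute on the session cookie, are the standard layering for a device that cannot be taken offline for long.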

https://tools.cisco.com/security/center/publicationListing.x?product=Cisco&sort=-day_sir&limit=50#~Vulnerabilities

Additional Cisco Security Advisories. In addition to the 4 advisories highlighted above, Cisco has released 25 more: 2 of high impact, 22 of medium impact and 1 informational advisory.

Source 2: SC Magazine ( https://www.scmagazine.com/ )
https://www.scmagazine.com/home/security-news/vulnerabilities/adobe-patches-81-vulnerabilities-for-four-products/
Impact value: Informative

Adobe patches 81 vulnerabilities for four products. Adobe has issued an out-of-band update for a total of 81 vulnerabilities affecting Experience Manager, Experience Manager Forms, Acrobat and Reader, and Download Manager. Acrobat and Reader received the largest share, with around 67 vulnerabilities fixed. Adobe Experience Manager had 12 CVEs rated important or moderate.


www.ke-cirt.go.ke