
NATIONAL KE-CIRT/CC CYBERSECURITY UPDATES

5th November 2019

Summary Headlines

Impact Metric Against Count of Events

Category                 Critical  High  Medium  Informative
Regional Highlights      0         0     0       1
Top Stories              0         2     0       1
System vulnerabilities   0         2     0       0
Malware                  0         3     0       0
DDoS/Botnets             0         1     0       0
Spam & phishing          0         1     0       0
Web Security             0         1     1       0
Updates & alerts         0         0     1       1

Regional Highlights

Source 1: Business Today ( https://businesstoday.co.ke/ )
https://businesstoday.co.ke/fighting-insurance-fraud-using-technology/
Impact value: Informative

Technology Offers Better Cover Against Insurance Fraud. The insurance market is a dynamic sector offering increasingly sophisticated products to its customers and providing competition to other parts of the financial services industry. The global insurance sector's growth over the last few years has increased dramatically. Unfortunately, being a dynamic market with so many products makes this industry vulnerable and at the same time very attractive to fraudsters.

Top Stories

Source 1: Bestsecuritysearch ( https://bestsecuritysearch.com/ )
https://bestsecuritysearch.com/remove-toec-ransomware-virus/
Impact value: High

Toec Ransomware. The Toec ransomware is a new malware threat which encrypts certain user files with a strong cipher in order to render them inaccessible. The associated extension is appended to the victim's files and a ransom note is crafted in order to blackmail the users into paying a decryption fee.

Source 2: Threatpost ( https://threatpost.com/ )
https://threatpost.com/eye-clinic-breach-reveals-data-of-20000-patients/149878/
Impact value: High

Eye Clinic Breach Reveals Data of 20,000 Patients. A Utah eye clinic is in the process of informing 20,000 patients that they were the victims of a data breach that happened a year and a half ago and linked patients to a scam involving PayPal. The breach at the Utah Valley Eye Center in Provo, Utah, which exposed patient emails, once again highlights third-party risk in terms of data security. It also sheds light on the added requirements placed on medical providers under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) when data breaches occur.

Source 3: Helpnetsecurity ( https://www.helpnetsecurity.com/ )
https://www.helpnetsecurity.com/2019/11/05/vulnerabilities-remediation-challenge/
Impact value: Informative

Employees know vulnerabilities exist, but they can't resolve them quickly enough. There is a sharp remediation gap between when organizations first detect vulnerabilities and when those issues are ultimately resolved, an Adaptiva survey reveals. The survey also found that companies overwhelmingly do not have the staff to handle today's security demands, and that leveraging current vulnerability management tools is one of their greatest cybersecurity challenges.

System vulnerabilities

Source 1: Threatpost ( https://threatpost.com/ )
https://threatpost.com/alexa-siri-google-smart-speakers-hacked-via-laser-beam/149860/
Impact value: High

Alexa, Siri, Google Smart Speakers Hacked Via Laser Beam. Researchers have discovered a new way to hack Alexa and Siri smart speakers merely by using a laser light beam. No physical access to the victim's device, and no owner interaction, is needed to launch the attack, which allows attackers to send voice assistants inaudible commands such as unlocking doors.

Source 2: Arstechnica ( https://arstechnica.com/ )
https://arstechnica.com/information-technology/2019/11/scammers-are-exploiting-an-unpatched-firefox-bug-to-send-users-into-a-panic/
Impact value: High

Actively exploited bug in fully updated Firefox is sending users into a tizzy. Scammers are actively exploiting a bug in Firefox that causes the browser to lock up after displaying a message warning that the computer is running a pirated version of Windows that has been hacked. Fraudulent tech-support sites cause Firefox to freeze while displaying the scary message, which then advises the person to call a toll-free number in the next five minutes or face having the computer disabled. The attack works on both the Windows and Mac versions of the open source browser. The only way to close the window is to force-close the entire browser using either the Windows task manager or the Force Close function in macOS. Even then, Firefox will reopen the previously open tabs, resulting in an endless loop.

Malware

Source 1: Bleeping Computer ( https://www.bleepingcomputer.com/ )
https://www.bleepingcomputer.com/news/security/brooklyn-hospital-loses-patient-data-in-ransomware-attack/
Impact value: High

Brooklyn Hospital Loses Patient Data In Ransomware Attack. A ransomware attack hitting several computer systems at the Brooklyn Hospital Center in New York caused permanent loss of some patients' data. The hospital tried to recover the data but all efforts were in vain. This indicates that a ransom for decrypting the files was not paid.

https://www.bleepingcomputer.com/news/security/ransomware-attacks-hit-everis-and-spains-largest-radio-network/
Impact value: High

Ransomware Attacks Hit Everis and Spain's Largest Radio Network. Everis, an NTT DATA company and one of Spain's largest managed service providers (MSPs), had its computer systems encrypted today in a ransomware attack, just as happened to Spain's largest radio station Cadena SER (Sociedad Española de Radiodifusión). While the ransomware attacks were not yet publicly acknowledged by the company, the ransom note left on Everis' encrypted computers has already leaked and BleepingComputer can confirm that the MSP's data was encrypted by the BitPaymer ransomware.

Source 2: Threatpost ( https://threatpost.com/ )
https://threatpost.com/wizard-spider-upgrades-ryuk-ransomware/149853/
Impact value: High

Wizard Spider Upgrades Ryuk Ransomware to Reach Deep into LANs. The Ryuk ransomware has added two features to enhance its effectiveness: the ability to target systems that are in "standby" or sleep mode, and the use of Address Resolution Protocol (ARP) pinging to find drives on a company's LAN. Both are employed after the initial network compromise of a victim organization.

DDoS/Botnets

Source 1: Bleeping Computer ( https://www.bleepingcomputer.com/ )
https://www.bleepingcomputer.com/news/security/nemty-ransomware-now-spreads-via-trik-botnet/
Impact value: High

Nemty Ransomware Now Spreads via Trik Botnet. The operators of the Nemty ransomware have found a new distributor for their file-encrypting malware, which now spreads via Trik, a botnet that pushes all sorts of threats. The malware is spread to systems that have the Server Message Block (SMB) network communication protocol exposed to the internet and protected only by weak credentials.

Spam & Phishing

Source 1: Siliconrepublic ( https://www.siliconrepublic.com/ )
https://www.siliconrepublic.com/enterprise/vodafone-invoice-phishing-email-scam
Impact value: High

Watch out for this phishing email posing as a Vodafone invoice in your inbox. ESET has warned Irish internet users of a phishing attempt using a well-known brand as bait. The IT security company says this latest attempt at sourcing user details is a "professional-looking" email masquerading as a reminder from Vodafone to check your invoice details for uninterrupted service. Signing off as "Customer Department", the phishing email informs customers that payment of an invoice has failed and that this may result in being cut off from the service.

Web Security

Source 1: Threatpost ( https://threatpost.com/ )
https://threatpost.com/magecart-groups-attack-simultaneous-sites-in-card-theft-frenzy/149872/
Impact value: High

Magecart Groups Attack Simultaneous Sites in Card-Theft Frenzy. In an interesting development on the financial cybercrime scene, different Magecart groups have been spotted stepping over each other and attacking the same sites. According to research from PerimeterX, multiple Magecart attacks are skimming credit cards from sites at the same time. These do not seem to be coordinated, according to the firm, given that each of the attacks was different in terms of the techniques used to compromise the target retailers.

Source 2: Vice ( https://www.vice.com/ )
https://www.vice.com/en_in/article/bjwk85/bjp-website-hacked-once-again-this-time-with-pro-pakistan-messages-and-threats
Impact value: Medium

BJP Website Hacked Once Again, This Time With Pro-Pakistan Messages and Threats. While India's Prime Minister Narendra Modi was taking the oath at his swearing-in ceremony in May 2019, a hacker called Shadow Viper bypassed the Bharatiya Janata Party's (BJP) Delhi website and filled it with photos and recipes of beef instead. You would think that this experience would be enough to reveal all vulnerabilities of the website, which still does not use an HTTPS certificate and the security it provides. But alas, the hackers have struck again and this time it is not as light-hearted as how to make beef chilli fry.

Bulletins

Source 1: US-CERT - Security Bulletin Mailing List ( http://www.us-cert.gov/cas/bulletins/ )

https://www.us-cert.gov/ncas/bulletins/SB19301
Vulnerability Summary for the Week of October 21, 2019. Recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD).

Source 2: Oracle Security Bulletins ( http://www.oracle.com/technetwork/topics/security/alerts-086861.html )

https://www.oracle.com/security-alerts/cpuoct2019.html
Oracle Critical Patch Update Advisory - October 2019; advised action: run available security updates.

https://www.oracle.com/security-alerts/alert-cve-2019-2729.html
Oracle Security Alert Advisory - CVE-2019-2729. Deserialization vulnerability in Oracle WebLogic Server, exploitable without authentication; advised action: run security updates.

https://www.oracle.com/security-alerts/bulletinoct2019.html
Oracle Solaris Third Party Bulletin - October 2019; advised action: apply necessary patches.

https://www.oracle.com/security-alerts/linuxbulletinoct2019.html
Oracle Linux Bulletin - October 2019; advised action: apply necessary Oracle Linux Bulletin fixes.

https://www.oracle.com/security-alerts/public-vuln-to-advisory-mapping.html
Map of CVE to Advisory/Alert; advised action: apply the critical patch update for protection against known vulnerabilities.

https://www.oracle.com/security-alerts/linuxbulletinoct2019.html
Oracle VM Server for x86 Bulletin - October 2019; advised action: apply necessary Oracle VM Server for x86 Bulletin fixes.

Updates & Alerts

Source 1: Fortiguard ( https://fortiguard.com/ )
https://fortiguard.com/encyclopedia/virus/8146154
Impact value: Medium

MSIL/BruteForce.ND!tr is classified as a Trojan, a type of malware that performs activities without the user's knowledge. These activities commonly include establishing remote access connections, capturing keyboard input, collecting system information, downloading/uploading files, dropping other malware into the infected system, performing denial-of-service (DoS) attacks, and running/terminating processes. Recommended actions: make sure that your FortiGate/FortiClient system is using the latest AV database. Quarantine/delete files that are detected and replace infected files with clean backup copies.

Source 2: Bleeping Computer ( https://www.bleepingcomputer.com/ )
https://www.bleepingcomputer.com/news/microsoft/office-365-to-prevent-malicious-docs-from-infecting-windows/
Impact value: Informative

Office 365 to Prevent Malicious Docs From Infecting Windows. Microsoft Office 365 ProPlus is getting a new feature called Application Guard that will allow users to open attachments in a virtualized container to protect Windows from malicious macros and exploits. Microsoft Edge for Windows 10 includes a feature called Windows Defender Application Guard that allows you to launch a browser tab into a special sandboxed environment. As this browsing environment is sandboxed, any malicious sites that attempt to exploit vulnerabilities, download malicious software, or exhibit malicious behavior will be blocked from affecting the normal machine.

www.ke-cirt.go.ke