ssa.gov.za docs/CSIRT/ICT Security Monitoring

Table of Contents

1. Technology news and Security updates:
1.1 Security starts with you
1.2 G Suite customers leak internal data via Groups
1.3 China crams spyware on phones in Muslim-majority province
1.4 Pathetic patching leaves over 70,000 Memcached servers still up for grabs
1.5 Bitdefender: Organizations must empower IT staff to mitigate cyber threats
1.6 Qualys unveils CloudView app framework for public cloud security
1.8 600+ samples of Spring Dragon APT malware spotted
1.9 Variant of Surveillance Malware Fruitfly Targeting Mac Users
2. Cyber crime and Intelligence in the news:
2.1. The source code of SLocker ransomware has been leaked online
2.2. Hundreds of companies expose PII, private emails through Google Groups error
2.3. Veritaseum hack: $8.4m worth Ethereum stolen by hackers in yet another heist
2.4. Hackers Breach Casino After Compromising a Smart Fish Tank
2.5. Sweden transport agency slips up, leaks top secret data
2.6. Newcastle University spoofed in phishing scam
3. Technical Security Alerts:
3.1 Vulnerabilities, Malware and exploits

1. Technology news and Security updates:

1.1 Security starts with you

A storm of cyber threats is hitting South Africa in the form of increased malware attacks, primarily on businesses. Organisations around the world – and in South Africa – have been crippled in the latest attacks. In view of the numerous recent incidents, one must conclude that cyber security is as much a priority as physical security, says Parsec Senior Product Manager Jaco Botha.

From a business or personal point of view, the theft of personal, financial and health records is disturbing; however, the business impact of a ransomware or similar denial-of-service attack could be devastating. It is now more vital than ever that businesses and their employees are educated about the importance of being secure against attacks.

Botha says: "Simply put, cyber security is around protecting everything while you're online, including people, devices, assets, data and pretty much everything that's connected, against all sorts of threats that are present in a hyper-connected world."

Source: http://www.itweb.co.za/index.php?option=com_content&view=article&id=163575:Security-starts-with-you&catid=234

1.2 G Suite customers leak internal data via Groups

Tick-a-box configuration mistake. A simple configuration mistake has seen hundreds of companies using Google's G Suite productivity platform publish internal information to the internet, researchers have found.

G Suite provides the Google Groups sharing and messaging service, which was originally designed as a gateway to Usenet newsgroups.

In an advisory, security vendor RedLock said several companies have allowed outside access to messages posted on their Google Groups forums, potentially exposing sensitive internal data to anyone on the internet.

The information leaked was in some cases sensitive personal data such as employee email and home addresses and phone numbers.

Among the companies listed by RedLock as having exposed private information are IBM-owned The Weather Company and helpdesk provider Freshworks.

Publisher Fusion Media Group, the parent company of well-known sites such as Gizmodo, Lifehacker, The Onion, Kotaku, io9 and others, has also inadvertently leaked organisational data.

Source: https://www.itnews.com.au/news/g-suite-customers-leak-internal-data-via-groups-469182

1.3 China crams spyware on phones in Muslim-majority province

The Chinese government is requiring citizens in Xinjiang province to install spyware on their mobile phones and is enforcing the policy with police spot-checks, according to several online reports.

Reflecting a country-wide clampdown on internet usage, users of WeChat in the regional capital of Urumqi received a message on their phones earlier this month instructing them to install an app called Jing Wang – "clean internet" in Chinese.

Those who do not install the app face up to 10 days in detention, the notice warned. And the police have been following up on that threat, according to several online posts. One news article reported that 10 Kazakh women in the region were arrested after a group chat discussion about immigrants was picked up by censors. And at the weekend, a widely shared Twitter post showed a police checkpoint where citizens were forced to hand over their phones to be checked for the spyware.

Source: http://www.theregister.co.uk/2017/07/24/china_installing_mobile_spyware/

1.4 Pathetic patching leaves over 70,000 Memcached servers still up for grabs

If you're running the caching service Memcached, and particularly if you're exposing it to the public internet for some reason, please make sure you've patched it. Tens of thousands of vulnerable systems haven't been.

Back in October, researchers at Cisco's Talos security team found three major security vulnerabilities that would allow hackers easy access to running installations of Memcached version 1.4.31 and earlier, with a critical flaw in the binary protocol and Simple Authentication and Security Layer (SASL) code. The holes were fixed, and users including big names like Facebook and Reddit were advised to get patching.

But from scans of the public internet, it seems that some people weren't listening very hard. In February, Cisco did a sweep and found that more than 85,000 public-facing instances were still unpatched and vulnerable; only 22 per cent required any authentication for access; and of that 22 per cent, all but one per cent of the authenticated servers were not secure because patches hadn't been properly installed.

"We made queries for all IP addresses to get contact emails for responsible organizations in order to send a notification with a simple explanation and suggestions to remedy this issue," Cisco said. "This resulted in about 31 thousand unique emails which are pending notifications."

Source: http://www.theregister.co.uk/2017/07/24/70000_memcached_servers_exposed/
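The two facts behind the Cisco figures above (an unpatched version, and no authentication required) can be checked on instances you administer using the memcached text protocol. The following is an added example written for this report, not code from Cisco, Talos or the Memcached project. It assumes the protocol's "version" and "stats settings" replies, treats 1.4.31 and earlier as unpatched exactly as the article states, and assumes "auth_enabled_sasl" is the settings key under which memcached reports SASL authentication; the sample replies are constructed so the assessment runs offline.

```python
import socket
from typing import Tuple

# Per the report, Memcached 1.4.31 and earlier carry the Talos-reported flaws;
# anything newer is treated as patched. Assumption for this example: a numeric
# major.minor.patch comparison is sufficient (distribution backports would need
# a package-level check instead).
LAST_VULNERABLE = (1, 4, 31)


def parse_version_reply(reply: bytes) -> Tuple[int, ...]:
    """Parse the 'VERSION x.y.z' reply of the memcached text protocol."""
    text = reply.decode("ascii", errors="replace").strip()
    if not text.startswith("VERSION "):
        raise ValueError(f"unexpected reply: {text!r}")
    # Builds may append a suffix such as '1.4.33-1ubuntu1'; keep the numeric part.
    numeric = text.split(" ", 1)[1].split("-", 1)[0]
    return tuple(int(part) for part in numeric.split("."))


def is_unpatched(version: Tuple[int, ...]) -> bool:
    return version <= LAST_VULNERABLE


def parse_stats_settings(reply: bytes) -> dict:
    """Turn the 'STAT <key> <value>' lines of a 'stats settings' reply into a dict."""
    settings = {}
    for line in reply.decode("ascii", errors="replace").splitlines():
        parts = line.split(" ", 2)
        if len(parts) == 3 and parts[0] == "STAT":
            settings[parts[1]] = parts[2]
    return settings


def assess(version_reply: bytes, stats_reply: bytes) -> dict:
    """Combine the two replies into the facts the Cisco sweep reported on."""
    version = parse_version_reply(version_reply)
    settings = parse_stats_settings(stats_reply)
    # 'auth_enabled_sasl' is the stats-settings key memcached uses to report
    # SASL authentication (assumption: as emitted by 1.4.x builds).
    return {
        "version": ".".join(str(p) for p in version),
        "unpatched": is_unpatched(version),
        "auth_required": settings.get("auth_enabled_sasl") == "yes",
    }


def _read_until(sock: socket.socket, marker: bytes) -> bytes:
    buf = b""
    while marker not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf


def probe(host: str, port: int = 11211, timeout: float = 3.0) -> dict:
    """Ask an instance you administer for its version and settings and assess it."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(b"version\r\n")
        version_reply = _read_until(sock, b"\r\n")
        sock.sendall(b"stats settings\r\n")
        stats_reply = _read_until(sock, b"END\r\n")
    return assess(version_reply, stats_reply)


# Constructed sample replies, the shape a 1.4.25 instance without SASL would return.
SAMPLE_VERSION_REPLY = b"VERSION 1.4.25\r\n"
SAMPLE_STATS_REPLY = (b"STAT maxbytes 67108864\r\n"
                      b"STAT tcpport 11211\r\n"
                      b"STAT auth_enabled_sasl no\r\n"
                      b"END\r\n")

if __name__ == "__main__":
    print(assess(SAMPLE_VERSION_REPLY, SAMPLE_STATS_REPLY))
```

Run against the constructed replies the result is {"version": "1.4.25", "unpatched": True, "auth_required": False}, i.e. the combination the article describes; probe() produces the same dictionary for a live instance, and the sensible follow-up for any "unpatched" result is to upgrade and to keep the port off the public internet regardless of the authentication answer.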

1.5 Bitdefender: Organizations must empower IT staff to mitigate cyber threats

With the WannaCry ransomware and Petya malware attacks recently causing damage to organizations worldwide, even halting chocolate production at Cadbury's Hobart factory, security firm Bitdefender has urged organizations to assist IT teams in preparing for, and mitigating against, future attacks.

According to Bogdan Botezatu, senior e-threat analyst at Bitdefender, organizations need to have mitigation in mind as it's a matter of when an attack happens, not if.

Speaking with ZDNet while visiting Sydney from Romania, Botezatu said organizations first need to understand what type of security they need and not overlook any aspect, while also trying to see through the noise, such as marketing buzzwords and an over-saturated cybersecurity industry.

"An enterprise has a diverse range of technologies ... all these are potential threats," he explained. "It's no use for you to have the best end-point security solution if your payment processor in the cloud is left open."

Botezatu said a standard IT team finds itself constantly under fire, and it's important that the responsibility doesn't just lie with them.

Source: http://www.zdnet.com/article/bitdefender-organisations-must-empower-it-staff-to-mitigate-cyber-threats/

1.6 Qualys unveils CloudView app framework for public cloud security

Qualys has launched CloudView, a solution designed to keep public cloud infrastructure secure.

On Monday, Qualys said that CloudView is designed to control and monitor security policies applied to public cloud services on Amazon Web Services (AWS), Microsoft's Azure and the Google Cloud Platform.

The cloud security and services provider said the new app framework in the Qualys Cloud Platform provides "comprehensive and continuous protection of cloud infrastructure, delivering InfoSec and DevSecOps teams a 'single pane of glass' view of security and compliance across cloud infrastructures."

The initial release of Qualys CloudView includes two apps: the Cloud Inventory (CI) app and the Cloud Security Assessment (CSA) application.

The CI app integrates with native APIs from public cloud providers to discover resources and connections, and to monitor systems for security issues related to industry standards and architectural best practices; it also provides topological views of the infrastructure and relationships across cloud resources.

IT staff can search through these views to analyse locations, layouts and security groups to reach the root of any security problems.

Source: http://www.zdnet.com/article/qualys-unveils-cloudview-app-framework-for-public-cloud-security/

1.7 Ubiquiti firmware patch stomps nasty redirect bug from login screen

Popular wireless networking hardware vendor Ubiquiti patched a couple of serious vulnerabilities back in March and April – without telling the people who reported the bugs.

If sysadmins weren't paying attention, they might not have noticed the importance of the patches.

The bug patched in firmware version 6.0.3 was an open redirect at the administrative login, found independently by SEC Consult and a bounty-hunter. Both filed the bug with HackerOne.

An exploit would be fairly straightforward, since all the attacker needed to do was append their own site as the login page's target:

http://<IP-of-Device>/login.cgi?uri=https://www.sec-consult.com

Affected products include AirRouter, the TS-8-PRO switch, and various transceivers in the LBE, NBE, PBE, and RM2-Ti access points.

The other bug affected the company's EdgeRouter products. An initialisation error in /files/index created a reflected cross-site-scripting vulnerability that would let an attacker hijack a user's session.

Source: http://www.theregister.co.uk/2017/07/25/ubiquiti_firmware_patch/
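The open redirect above exists because the login page follows whatever the uri parameter says. The fix on the server side is to accept only a path on the device itself. The following is an added example written for this report, not Ubiquiti's firmware code nor anything from SEC Consult: the login_redirect_location() handler is hypothetical, and the validation goes a little beyond the single case in the article by also rejecting the scheme-relative (//host), backslash and header-splitting variants of the same trick.

```python
from urllib.parse import parse_qs, urlsplit, urlunsplit


def safe_redirect_target(uri: str, fallback: str = "/") -> str:
    """Return a post-login redirect target that stays on this host.

    Accepts only an absolute path on the same origin ('/something'). Rejects
    absolute URLs, scheme-relative '//host' forms, backslash variants that
    browsers normalise to '/', and control characters that could split headers.
    """
    if not isinstance(uri, str) or not uri:
        return fallback
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in uri):
        return fallback
    # Browsers treat '\' as '/' in the authority position, so '/\evil' == '//evil'.
    normalised = uri.replace("\\", "/")
    if not normalised.startswith("/") or normalised.startswith("//"):
        return fallback
    parts = urlsplit(normalised)
    if parts.scheme or parts.netloc:  # defence in depth; unreachable after the checks above
        return fallback
    # Rebuild from path and query only, dropping anything else (fragment, authority).
    return urlunsplit(("", "", parts.path, parts.query, ""))


def login_redirect_location(query_string: str) -> str:
    """The Location value a hardened login.cgi would emit for '?uri=...'.

    Hypothetical handler for this example; the article only states that the
    device followed the 'uri' parameter unchecked.
    """
    params = parse_qs(query_string, keep_blank_values=True)
    requested = params.get("uri", [""])[0]
    return safe_redirect_target(requested)


if __name__ == "__main__":
    # Constructed inputs: the article's own payload, two variants, and a legitimate path.
    for q in ("uri=https://www.sec-consult.com",
              "uri=//evil.example/x",
              "uri=%2F%5Cevil.example",
              "uri=%2Fdashboard%3Ftab%3D1"):
        print(q, "->", login_redirect_location(q))
```

With this in place the article's request, http://<IP-of-Device>/login.cgi?uri=https://www.sec-consult.com, lands the user on "/" instead of the attacker's site, while a genuine deep link such as /dashboard?tab=1 still works. The allow-by-shape approach (a single leading slash, nothing else) is deliberately stricter than a deny-list of known bad prefixes, because every bypass in this bug class has been a spelling of "absolute URL" the deny-list did not anticipate.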

1.8 600+ samples of Spring Dragon APT malware spotted

The Chinese-speaking APT group Spring Dragon, a.k.a. LotusBlossom, has increased attacks against high-profile organizations around the South China Sea.

Kaspersky researchers managed to collect more than 600 samples of malware from the group, suggesting they are operating on a massive scale.

The group is known for using spearphishing and watering hole techniques to target governmental organizations and political parties, educational institutions, as well as companies from the telecommunications sector, according to a July 24 blog post.

Researchers said the threat actors behind the campaigns have been developing and updating their range of tools, which consists of various backdoor modules with unique characteristics and functionalities, throughout the years.

The threat actors own a large C2 infrastructure which comprises more than 200 unique IP addresses and C2 domains, and all the backdoor modules in the APT's toolset are capable of downloading more files onto the victim's machine, uploading files to the attacker's servers, and also executing any executable file or any command on the victim's machine, researchers said.

Source: https://www.scmagazine.com/spring-dragon-targeting-high-profile-entities-around-south-china-sea/article/677106/

1.9 Variant of Surveillance Malware Fruitfly Targeting Mac Users

In January this year, a dangerous surveillance malware was found targeting Mac and Linux devices. The malware was discovered by Thomas Reed, an IT security researcher at Malwarebytes, who called it Quimitchin, while Apple Inc. labeled it Fruitfly.

The main purpose of infecting Macs with Fruitfly was to perform spying operations, and biomedical research institutes were its main targets. When a Mac is infected with Fruitfly, it acquires information from local networks and all the devices that were connected with it.

The malware is quite sophisticated since it can compromise the webcam of a Mac machine, capture screenshots, and simulate key presses and mouse clicks. It also provides an attacker with remote control of a targeted device.

Source: https://www.hackread.com/variant-of-surveillance-malware-fruitfly-targeting-mac-users/

2. Cyber crime and Intelligence in the news:

2.1. The source code of SLocker ransomware has been leaked online

The SLocker family is one of the oldest Android lock-screen and file-encrypting ransomware families and used to impersonate law enforcement agencies to persuade victims to pay the ransom.

SLocker ransomware was first detected in 2015; it is the first ransomware to encrypt Android files. It disguises itself as game guides, video players, and so on in order to lure victims into installing it. When installed for the first time, its icon looks like a normal game guide or cheating tool. Once the ransomware runs, the application changes its icon and name, along with the wallpaper of the infected device.

The ransomware source code has been leaked on GitHub by an unknown user called "fs0c1ety". The hacker is asking everyone to contribute to the source code and submit bug reports.

Source: https://latesthackingnews.com/2017/07/24/source-code-slocker-ransomware-leaked-online/

2.2. Hundreds of companies expose PII, private emails through Google Groups error

A small settings error has resulted in the exposure of confidential business emails and employee data, researchers have warned.

On Monday, RedLock revealed in a blog post that companies including IBM's Weather Company, Fusion Media Group -- the parent firm of companies including Gizmodo, The Onion, and Lifehacker -- as well as helpdesk support service provider Freshworks and video ad platform SpotX were affected by the security issue.

According to the team, "hundreds" of Google Groups have publicly exposed messages containing sensitive information belonging to such companies, all because of a customer-controlled configuration error in the service.

Google Groups is used by companies as a collaborative tool and communication platform. Email-based groups are used to maintain communication and control messages between teams, but when these groups are created with the "public on the Internet" sharing setting rather than "private" through the "Outside this domain -- access to groups" tab, messages sent between members can be viewed publicly without the requirement of being a member of the group.

RedLock researchers found that email addresses, email content, personally identifiable information (PII) including employee salary compensation, sales pipeline data, customer passwords, names, and home addresses at hundreds of companies were left online for the world to see.

Screenshot images viewed by ZDNet verified the exposure of information belonging to Fusion Media Group and SpotX, which included email messages, contact details, and personal discussions between executives and staff.

Source: http://www.zdnet.com/article/simple-settings-failure-in-google-groups-caused-exposure-of-private-company-employee-data/
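The misconfiguration in 1.2 and 2.2 is a single per-group setting, which makes it straightforward to audit across a domain rather than waiting for a researcher to find the archive. The following is an added example written for this report, not RedLock's tooling nor Google's code. It assumes the setting names and values exposed by the Google Groups Settings API (whoCanViewGroup with ANYONE_CAN_VIEW, whoCanPostMessage with ANYONE_CAN_POST, ALL_MEMBERS_CAN_VIEW as the closed value); the group records are a constructed sample standing in for a dump of each group's settings, so the audit runs offline.

```python
import json

# Setting names and enum values as exposed by the Google Groups Settings API
# (groupsSettings resource). Assumption for this example: these are the names
# your API client returns; confirm them against the API reference.
VIEW_SETTING = "whoCanViewGroup"
POST_SETTING = "whoCanPostMessage"
PUBLIC_VIEW = "ANYONE_CAN_VIEW"        # the "public on the Internet" archive
PUBLIC_POST = "ANYONE_CAN_POST"
RECOMMENDED_VIEW = "ALL_MEMBERS_CAN_VIEW"

# Constructed sample: the settings of four groups, as a script iterating
# groupsSettings.get() over a domain's groups might dump them.
SAMPLE_GROUPS_JSON = """[
  {"email": "all-staff@example.com", "whoCanViewGroup": "ALL_IN_DOMAIN_CAN_VIEW",
   "whoCanPostMessage": "ALL_IN_DOMAIN_CAN_POST"},
  {"email": "sales-pipeline@example.com", "whoCanViewGroup": "ANYONE_CAN_VIEW",
   "whoCanPostMessage": "ALL_MEMBERS_CAN_POST"},
  {"email": "support@example.com", "whoCanViewGroup": "ALL_MEMBERS_CAN_VIEW",
   "whoCanPostMessage": "ANYONE_CAN_POST"},
  {"email": "hr-confidential@example.com", "whoCanViewGroup": "ANYONE_CAN_VIEW",
   "whoCanPostMessage": "ANYONE_CAN_POST"}
]"""


def audit_group(settings: dict) -> list:
    """Return the findings for one group's settings record (empty list = clean)."""
    findings = []
    if settings.get(VIEW_SETTING) == PUBLIC_VIEW:
        findings.append("message archive readable by anyone on the internet")
    if settings.get(POST_SETTING) == PUBLIC_POST:
        # Not always wrong (customer intake groups need it), but worth a review.
        findings.append("anyone on the internet can post; confirm this is intended")
    return findings


def audit_groups(records: list) -> dict:
    """Map group email -> findings, for the groups that have at least one."""
    report = {}
    for group in records:
        findings = audit_group(group)
        if findings:
            report[group["email"]] = findings
    return report


def publicly_readable(records: list) -> list:
    """The groups that reproduce the RedLock finding: archive open to the world."""
    return sorted(g["email"] for g in records if g.get(VIEW_SETTING) == PUBLIC_VIEW)


def remediation_patch(settings: dict) -> dict:
    """Body for a groupsSettings.patch() call that restricts the archive to
    members (assumption: a partial update carrying only this field is accepted)."""
    if settings.get(VIEW_SETTING) != PUBLIC_VIEW:
        return {}
    return {VIEW_SETTING: RECOMMENDED_VIEW}


def run_audit(groups_json: str = SAMPLE_GROUPS_JSON) -> dict:
    records = json.loads(groups_json)
    return {"findings": audit_groups(records), "public": publicly_readable(records)}


if __name__ == "__main__":
    print(json.dumps(run_audit(), indent=2))
```

On the sample, sales-pipeline@ and hr-confidential@ come back as publicly readable (the exposure the articles describe, down to the sales pipeline and HR data), while support@ is flagged only for open posting, which is a review item rather than a leak. Running this on a real domain requires an admin-scoped service account to fetch the settings; the audit and the patch body are the parts that do not change.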

2.3. Veritaseum hack: $8.4m worth Ethereum stolen by hackers in yet another heist

Hackers hit yet another Ethereum platform, stealing over $8m (£6m) in the second Initial Coin Offering (ICO) hack in a month. Veritaseum founder Reggie Middleton confirmed the hack, adding that the hackers stole $8.4m worth of Ethereum and "dumped all of them within a few hours into a heavy cacophony of demand".

Veritaseum was hacked while it held its ICO over the weekend. An ICO allows investors to purchase the platform's tokens, similar to an IPO. Although the stolen Ethereum was initially dumped into two wallets, the hackers have since moved the funds into other accounts.

"We were hacked, possibly by a group. The hack seemed to be very sophisticated, but there is at least one corporate partner that may have dropped the ball and be liable. We'll let the lawyers sort that out, if it goes that far," Middleton said.

"At the end of the day, the amount stolen was minuscule (less than 00.07%) although the dollar amount was quite material," Middleton added. "Without the Veritaseum team, the tokens are literally worthless! If someone were to confiscate 100% of the available tokens, all we need to do is refuse to stand behind them and recreate the token under a new contract. The Veritaseum team is what powers the value behind the Veritas token. A large theft of those tokens after a fork is as valuable as stealing 90M empty plastic cups."

Source: http://www.ibtimes.co.uk/veritaseum-hack-8-4m-worth-ethereum-stolen-by-hackers-yet-another-heist-1631745

2.4. Hackers Breach Casino After Compromising a Smart Fish Tank

A casino in the United States was compromised after hackers managed to infiltrate its network and steal undisclosed data after first breaking into a smart fish tank connected to the Internet.

In case you're wondering why a fish tank needs to be connected to the Internet, it's because the casino wanted to do everything remotely, with employees using a remote connection to feed the fish and get all the information instantly, such as water temperature.

But it was this connection that exposed the fish tank, and eventually the entire casino, to hackers, as an unnamed group of attackers managed to infiltrate the network and upload data to a server in Finland. The breach was eventually discovered, and the flaw was fixed, but there are still a few questions that need to be answered before connecting smart devices to the Internet.

Source: http://news.softpedia.com/news/hackers-breach-casino-after-compromising-a-smart-fish-tank-517134.shtml

2.5. Sweden transport agency slips up, leaks top secret data

Believing it was moving sensitive data to the cloud under a 2015 outsourcing agreement with IBM, Sweden's Transport Agency inadvertently sent information on every vehicle nationwide to marketers that subscribed to it and then allegedly covered up the leak, with only a slap on the wrist for the agency's director.

"Sweden's Transport Agency moved all of its data to 'the cloud,' apparently unaware that there is no cloud, only somebody else's computer," Pirate Party founder Rik Falkvinge, who heads up privacy at Private Internet Access, a VPN provider, wrote in a blog post. "In doing so, it exposed and leaked every conceivable top secret database: fighter pilots, SEAL team operators, police suspects, people under witness relocation. Names, photos, and home addresses: the list is just getting started."

Falkvinge derided the punishment meted out by Swedish courts. "The responsible director has been found guilty in criminal court of the whole affair, and sentenced to the harshest sentence ever seen in Swedish government: she was docked half a month's paycheck," he said of the agency's former director-general, Maria Ågren.

Even after discovering that the database had been sent to marketers in clear text, the agency simply asked them to delete the list and sent out a new list. Not only was the information available to those who received the email, but it could also be accessed by IBM employees without security clearance working in the Czech Republic, TheLocal reported, citing an article in Dagens Nyheter, a Swedish newspaper, which allegedly had viewed documents from a probe by the Swedish Security Service, Säpo.

Source: https://www.scmagazine.com/sweden-transport-agency-slips-up-leaks-top-secret-data/article/677078/

2.6. Newcastle University spoofed in phishing scam

Cybercriminals went to extreme lengths to clone the Newcastle University website, going as far as to create dozens of sub-pages explaining different programs offered by the university.

While the fraudsters committed a few errors in the phony site, those unfamiliar with the actual site, such as foreign exchange students, might easily mistake it for the real one. The hackers incorrectly referred to the school on the phishing site as the "Newcastle International University" instead of "Newcastle University", both in the URL and throughout the site.

Hackers also used the incorrect coat of arms for the school. Despite the flaws, it is possible that some have been duped into disclosing their information on the phony applications, though it's unclear how many; the University has acknowledged the scam. The fake site requests payment card data and other personally identifiable information.

Source: https://www.scmagazine.com/newcastle-university-site-spoofed-to-steal-pii/article/676920/

3. Technical Security Alerts:

Technical security alerts cover current security issues, vulnerabilities, malware and exploits, and are provided proactively to give timely information about their impact, propagation and remediation. This information is sourced so that technical teams can protect their infrastructure environments.

3.1 Vulnerabilities, Malware and exploits

The table below lists the recent vulnerabilities, malware and exploits identified by the ICT Security Monitoring Services team for today.

Name: Schneider Electric PowerSCADA Anywhere and Citect Anywhere State-Change Request Cross-Site Request Forgery Vulnerability
Source: https://tools.cisco.com/security/center/viewAlert.x?alertId=54555
Vendor announcements: Schneider Electric has released security notifications at the following links: Citect Anywhere - May 19, 2017 and SEVD-2017-173-01. ICS-CERT has released a security advisory at the following link: ICSA-17-201-01.
Description: A vulnerability in the secure gateway component of Schneider Electric PowerSCADA Anywhere and Citect Anywhere for multiple state-changing requests could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack.
Propagation: The vulnerability is due to a lack of CSRF protections by an affected device. An attacker could exploit this vulnerability by convincing a user to follow a malicious link. A successful exploit could allow the attacker to perform arbitrary actions on the affected device on behalf of the targeted user.
Technologies and software affected: Schneider Electric: Citect Anywhere 1.0 (.0); PowerSCADA Anywhere 1.0 (.0); PowerSCADA Expert 8.1 (.0) | 8.2 (.0)
Remedy: Schneider Electric has released software updates at the following links: PowerSCADA Anywhere version 1.1; Citect Anywhere version 1.1
Severity: High risk

Name: Corel CorelDRAW X8 EMF Parser Code Execution Vulnerability
Source: https://tools.cisco.com/security/center/viewAlert.x?alertId=54559
Description: A vulnerability in the Enhanced Meta File (EMF) parsing functionality of Corel CorelDRAW X8 could allow an attacker to execute arbitrary code.
Propagation: The vulnerability is due to improper parsing of EMF files by the affected software. An attacker could exploit this vulnerability by persuading a targeted user to open a crafted EMF file.
Technologies and software affected: CorelDRAW X8 (18.1.0.661)
Remedy: Corel has not publicly confirmed the vulnerability and software updates are not available.
Severity: High risk
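The Schneider Electric entry above is the textbook case of a state-changing request with no CSRF protection: the browser attaches the victim's session to any request a malicious page triggers, so the gateway cannot tell the user's click from the attacker's. The following is an added example written for this report, not Schneider Electric's code nor the Cisco alert's content, showing the standard mitigation as a defender would implement it: a per-session synchronizer token (an HMAC over the session id and issue time) checked on every state-changing POST, with an Origin header check as a second layer. The request dictionaries, EXPECTED_ORIGIN and the handler are all hypothetical stand-ins for a web framework's request object.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional, Tuple

# Per-process server secret (constructed here; a real deployment loads it from
# protected configuration and rotates it).
SERVER_KEY = secrets.token_bytes(32)
# Origin the device expects legitimate browsers to post from (hypothetical value).
EXPECTED_ORIGIN = "https://gateway.example.internal"


def issue_csrf_token(session_id: str, key: bytes = SERVER_KEY,
                     now: Optional[int] = None) -> str:
    """Synchronizer token: HMAC over (session id, issue time). It verifies only
    for the session it was issued to and only while it is fresh."""
    ts = int(time.time()) if now is None else int(now)
    mac = hmac.new(key, f"{session_id}:{ts}".encode(), hashlib.sha256).hexdigest()
    return f"{ts}.{mac}"


def verify_csrf_token(token: str, session_id: str, key: bytes = SERVER_KEY,
                      max_age: int = 3600, now: Optional[int] = None) -> bool:
    try:
        ts_str, mac = token.split(".", 1)
        ts = int(ts_str)
    except (ValueError, AttributeError):
        return False
    expected = hmac.new(key, f"{session_id}:{ts}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):  # constant-time comparison
        return False
    current = int(time.time()) if now is None else int(now)
    return 0 <= current - ts <= max_age


def handle_state_change(request: dict, key: bytes = SERVER_KEY,
                        now: Optional[int] = None) -> Tuple[int, str]:
    """Gate a state-changing request. `request` is a plain dict standing in for
    the framework's request object: method, session_id, headers, form."""
    if request.get("method") != "POST":
        return 405, "state-changing actions must use POST"
    session_id = request.get("session_id")
    if not session_id:
        return 401, "no authenticated session"
    origin = request.get("headers", {}).get("Origin")
    if origin is not None and origin != EXPECTED_ORIGIN:
        return 403, "cross-site origin"  # defence in depth alongside the token
    token = request.get("form", {}).get("csrf_token", "")
    if not verify_csrf_token(token, session_id, key=key, now=now):
        return 403, "missing or invalid CSRF token"
    return 200, "action applied"


def legitimate_request(session_id: str, key: bytes = SERVER_KEY,
                       now: Optional[int] = None) -> dict:
    """Constructed sample: a form post rendered by the device's own page, which
    embedded a fresh token for this session."""
    return {"method": "POST", "session_id": session_id,
            "headers": {"Origin": EXPECTED_ORIGIN},
            "form": {"action": "set_state",
                     "csrf_token": issue_csrf_token(session_id, key, now)}}


def forged_request(session_id: str) -> dict:
    """Constructed sample: the same action submitted from a page the user was
    lured to. The browser still attaches the session, but the attacker cannot
    read the token out of the victim's page, and the Origin differs."""
    return {"method": "POST", "session_id": session_id,
            "headers": {"Origin": "https://attacker.example"},
            "form": {"action": "set_state"}}


if __name__ == "__main__":
    print(handle_state_change(legitimate_request("sess-1")))  # (200, 'action applied')
    print(handle_state_change(forged_request("sess-1")))      # (403, ...)
```

The token check is the one that closes the vulnerability: even a forged request that omits the Origin header (older clients, some proxies) is refused because it cannot carry a valid token. Binding the token to the session id rather than issuing a global secret means a token leaked from one user's page is useless against another's session, and the age limit bounds how long a captured token stays usable.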

End: