NATIONAL KE-CIRT/CC CYBERSECURITY UPDATES
21st May 2020
Summary
Impact Metric Against Count of Events

Headlines                Critical  High  Medium  Informative
Regional Highlights      0         0     0       0
Top Stories              0         0     1       2
System Vulnerabilities   0         0     1       0
Malware                  0         0     1       2
DDoS/Botnets             0         0     0       1
Spam & Phishing          0         0     0       1
Web Security             0         0     0       1
Updates & Alerts         0         0     0       2
Top Stories
Source 1 : Nextgov (https://www.nextgov.com/)
https://www.nextgov.com/emerging-tech/2020/05/how-ai-will-soon-change-special-operations/165506/
Impact value: Informative
According to experts, AI will play a huge role in special operations forces’ endeavors over the next
several years. As commander of US Special Operations Command, Gen. Richard Clarke found that
US leaders were devoting most of their mental energy to information processing. Clarke stated that
commanders likely spend 60% of their time debating what the Taliban and Afghan population are
thinking and how US actions could influence these thoughts. However, Clarke suggests that AI will
soon change future information warfare efforts.
Source 2 : ZDNet (https://www.zdnet.com/)
https://www.zdnet.com/article/japan-investigates-potential-leak-of-prototype-missile-design-in-mitsubishi-hack/
Impact value: Medium
The Defense Ministry is investigating a possible leak of details of a new state-of-the-art missile in a
large-scale cyberattack on Mitsubishi Electric Corp, the Asahi Shimbun newspaper reported on
Wednesday. The ministry suspects hackers stole performance requirements that were sent to
several defense-industry companies as part of the bidding process for the project, the Asahi
reported, citing government sources whom it did not identify. Mitsubishi Electric did not win the
bid for the prototype, the newspaper said.
Source 3 : ZDNet (https://www.zdnet.com/)
https://www.zdnet.com/article/hacker-selling-40-million-user-records-from-popular-wishbone-app/
Impact value: Informative
A hacker is selling information about 40 million users of the social media polling app Wishbone for
Bitcoin, ZDNet reported. The hacker is selling data from the app, which is popular with teenagers,
for 0.85 Bitcoin (around $7,900). The hacked information offered for sale includes phone numbers,
emails, usernames, location, and hashed passwords; the data was hacked in January of this year
and is heretofore unpublished.
System Vulnerabilities
Source 1 : ZDNet (https://www.zdnet.com/)
https://www.zdnet.com/article/thousands-of-israeli-sites-defaced-with-code-seeking-permission-to-access-users-webcams/
Impact value: Medium
A new threat actor group by the name “Hackers of Savoir” has targeted thousands of Israeli
websites, defacing them to display an anti-Israeli message and malicious code that requests access
to site visitors’ webcams. Researchers believe that more than 2,000 websites have been defaced by
the group during the campaign, which is believed to have nine members from various Middle
Eastern and North African countries including Morocco, Turkey, Palestine, and Egypt.
Malware
Source 1 : Naked Security (https://nakedsecurity.sophos.com/)
https://nakedsecurity.sophos.com/2020/05/18/the-raticate-gang-implanting-malware-in-an-industry-near-you/
Impact value: Informative
According to researchers, a new threat group called RATicate is targeting industrial companies
with revolving payloads and is behind several malspam attacks delivering malware families such as
LokiBot, Agent Tesla, Netwire, FormBook, and BetaBot. Researchers have attributed at least six
separate campaigns to the group, with the first starting in November and the most recent in
March. The campaigns all leveraged the Nullsoft Scriptable Install System (NSIS) to build Windows
installers that eventually drop remote access trojans on targeted systems. NSIS is a legitimate
open-source tool intended to create Windows installers. The most recent campaign capitalizes on
the current COVID-19 pandemic to convince victims to open the payloads, representing a shift in
tactics.
Source 2 : Naked Security (https://nakedsecurity.sophos.com/)
https://nakedsecurity.sophos.com/2020/05/20/beware-of-emails-with-horrible-charts-about-covid-19/
Impact value: Informative
Microsoft says a massive COVID-19 themed phishing campaign is underway, in which attackers
install the NetSupport Manager remote access tool to gain remote access to victims' machines. The new
campaign, which was detected by the Microsoft Security Intelligence team, started on May 12.
The malware payload arrives through malicious Excel attachments that the attackers send by
email. Notably, this isn't the first time cyber-attackers have used COVID-19 as an opportunity
to compromise people. Companies including Google have already warned about the increase in
such phishing attacks.
Source 3 : Bleeping Computer (https://www.bleepingcomputer.com/)
https://www.bleepingcomputer.com/news/security/new-pipemon-malware-uses-windows-print-processors-for-persistence/
Impact value: Medium
The Winnti hacking group has targeted video game companies again in a new campaign that
utilizes recent malware called PipeMon, a modular backdoor that was identified earlier this year.
PipeMon was discovered on servers belonging to developers of massively multiplayer online (MMO)
games.
Botnets/DDoS
Source 1 : Bleeping Computer (https://www.bleepingcomputer.com/)
https://www.bleepingcomputer.com/news/security/vigilante-hackers-target-scammers-with-ransomware-ddos-attacks/
Impact value: Informative
A self-appointed group of hackers dubbed CyberWare is trying to take law enforcement into its own hands in a fight against what they claim are scammers, fake banks, and fake loan sites. The group resurfaced on the 16th of May when ransomware researcher GrujaRS detected the MilkmanVictory ransomware in the wild, which turned out to be operated by the CyberWare hackers and used for supposedly targeted attacks on scammers.
Spam & Phishing
Source 1 : Threat Post (https://threatpost.com/)
https://threatpost.com/crooks-tap-google-firebase-in-fresh-phishing-tactic/155967/
Impact value: Informative
Researchers have uncovered a new series of phishing campaigns that use Google Firebase storage URLs, stating that the threat actors are leveraging the reputation of cloud infrastructure created by Google to lure victims. The phishing campaign begins with spam emails that prompt victims to click on a Firebase link inside the email that advertises false content. The link then takes the target to a spoofed login page, typically for Office 365, Outlook, or banking apps. The credentials entered at this point are sent to the threat actors. Google Firebase is a web application development platform, and its storage feature provides secure file uploads. Companies use Firebase storage to keep their data in a Google cloud storage bucket.
Web Security
Source 1 : ZDNet (https://www.zdnet.com/)
https://www.zdnet.com/article/startpage-private-search-engine-now-an-option-for-vivaldi-browser/
Impact value: Informative
The privacy-focused Vivaldi browser has announced a partnership with search engine Startpage to
give users control over what data is collected when they browse the Internet. Startpage
has grown rapidly to become one of the most popular privacy-focused search engines on offer
today. Results provided by the site are not "profiled" according to the user's data, meaning users
cannot be shown targeted adverts or be followed by intrusive price trackers.
Bulletins
Source 1: US-CERT - Security Bulletin Mailing List (http://www.us-cert.gov/cas/bulletins/)
https://www.us-cert.gov/ncas/bulletins/sb20-139
Vulnerability Summary for the Week of May 11, 2020. Recorded by the National Institute of Standards and Technology's National Vulnerability Database.
Source 2: Oracle Security Bulletins (http://www.oracle.com/technetwork/topics/security/alerts-086861.html)
https://www.oracle.com/security-alerts/cpujan2020.html
Oracle Critical Patch Update Advisory - January 2020; advised action to run available security updates.
https://www.oracle.com/security-alerts/alert-cve-2019-2729.html
Oracle Security Alert Advisory - CVE-2019-2729. Deserialization vulnerability in Oracle WebLogic Server exploitable without authentication; advised action to run security updates.
https://www.oracle.com/security-alerts/bulletinoct2019.html
Oracle Solaris Third Party Bulletin - October 2019; advised action to apply necessary patches.
https://www.oracle.com/security-alerts/linuxbulletinoct2019.html
Oracle Linux Bulletin - October 2019; advised action to apply necessary Oracle Linux Bulletin fixes.
https://www.oracle.com/security-alerts/public-vuln-to-advisory-mapping.html
Map of CVE to Advisory/Alert; advised action to apply the critical patch update for protection against known vulnerabilities.
https://www.oracle.com/security-alerts/linuxbulletinoct2019.html
Oracle VM Server for x86 Bulletin - October 2019; advised action to apply necessary Oracle VM Server for x86 Bulletin fixes.
Updates & Alerts
Source 1 : ZDNet (https://www.zdnet.com/)
https://www.zdnet.com/article/apple-releases-ios-13-5-with-covid-contact-tracing-feature-face-id-improvements/
Impact value: Informative
After releasing the golden master to developers earlier this week, Apple is releasing iOS 13.5 to the general public today. The update brings quite a few changes and new features prompted by COVID-19, including the Exposure Notification API, Face ID enhancements, and much more. Apple and Google have been developing the Exposure Notification API with close guidance from public health officials. When a user enables the feature and has an app from a public health authority installed, the device will regularly send out a beacon via Bluetooth that includes a random Bluetooth identifier. From there, the Exposure Notification API will download a list of the keys for the beacons that have been verified as belonging to people confirmed as positive for COVID-19 and check against that list. If there is a match, the user may be notified and advised on next steps.
Source 2 : Bleeping Computer (https://www.bleepingcomputer.com/)
https://www.bleepingcomputer.com/news/microsoft/microsoft-releases-windows-10-hyper-v-vhdx-for-arm64-devices/
Impact value: Informative
Alongside the latest Windows 10 preview build, the Windows Insider team also made an ARM64 VHDX available for
download, which will allow Insiders with Windows 10 on ARM devices to run Windows 10
Insider build 19624 as a guest in Hyper-V. Microsoft previously added, in build 19559
from February, the ability to install Hyper-V on Windows 10 on ARM devices such as Microsoft's
Surface Pro X.
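The on-device matching flow summarised under Source 1 of Updates & Alerts above (rotating Bluetooth identifiers, a downloaded list of keys from confirmed-positive users, a local check against that list) as an added Python model; this is not Apple's or Google's code. It assumes a simplified HMAC-SHA256 identifier derivation in place of the real API's key schedule, and the device names and contact intervals are constructed.

```python
import hmac
import hashlib
import secrets

INTERVALS_PER_DAY = 144  # one rolling identifier per 10 minutes, as in the real scheme


def new_daily_key() -> bytes:
    """Per-device daily secret. Only this is ever uploaded, and only if the owner tests positive."""
    return secrets.token_bytes(16)


def rolling_identifier(daily_key: bytes, interval: int) -> bytes:
    """Beacon identifier for one 10-minute interval. Assumption: HMAC-SHA256 stands in for the
    HKDF/AES derivation used by the real Exposure Notification API; unlinkability is the same idea."""
    msg = b"EN-RPI" + interval.to_bytes(4, "big")
    return hmac.new(daily_key, msg, hashlib.sha256).digest()[:16]


class Device:
    def __init__(self) -> None:
        self.daily_key = new_daily_key()
        self.observed: set[bytes] = set()  # identifiers heard over Bluetooth, kept locally

    def beacon(self, interval: int) -> bytes:
        return rolling_identifier(self.daily_key, interval)

    def hear(self, identifier: bytes) -> None:
        self.observed.add(identifier)

    def check_exposure(self, published_keys: list[bytes]) -> int:
        """On-device matching: regenerate every identifier each published key could have produced
        and intersect with what this device heard. The server never learns who met whom."""
        candidates = {rolling_identifier(k, i)
                      for k in published_keys for i in range(INTERVALS_PER_DAY)}
        return len(self.observed & candidates)


def simulate(contact: bool) -> int:
    """Constructed scenario: Alice and Bob are near each other for intervals 40..45 if contact."""
    alice, bob = Device(), Device()
    if contact:
        for i in range(40, 46):
            bob.hear(alice.beacon(i))
    # Alice later tests positive and publishes only her daily key, never her identifiers.
    # A second, unrelated positive user's key is on the list too; it must not match Bob's log.
    published = [alice.daily_key, new_daily_key()]
    return bob.check_exposure(published)


if __name__ == "__main__":
    print("matches with contact:", simulate(True), "without:", simulate(False))
```

Bob's own daily key never leaves his device, and Alice's identifiers are unlinkable to each other until her key is published, which is what keeps the beacon stream from acting as a tracking ID.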
www.ke-cirt.go.ke