
Page 1: NATIONAL KE-CIRT/CC CYBERSECURITY UPDATES 18th October 2019 · Firms Move to Seal Cybersecurity Loopholes in Public Sector. Pan African cybersecurity consultancy, Serianu, has signed

NATIONAL KE-CIRT/CC CYBERSECURITY UPDATES

18th October 2019


Summary Headlines

Impact Metric Against Count of Events

Category                 Critical   High   Medium   Informative
Regional Highlights          0        0       0          2
Top Stories                  0        0       0          4
System vulnerabilities       2        2       0          1
Malware                      0        2       0          0
DDoS/Botnets                 0        2       0          0
Spam & phishing              0        1       0          0
Web Security                 0        1       1          0
Updates & alerts             1        1       0          2


Regional Highlights

Source 1: National KE-CIRT/CC ( https://twitter.com/KeCIRT )
https://twitter.com/KeCIRT/status/1184353273953902592
Impact value: Informative
CA Cybersecurity Conference 2019, 23rd to 25th October at Safari Park Hotel, Nairobi.

Source 2: Business Today ( https://businesstoday.co.ke/ )
https://businesstoday.co.ke/firms-serianu-and-instinctwave-target-governments-in-cybersecurity-awareness/
Impact value: Informative
Firms Move to Seal Cybersecurity Loopholes in Public Sector. Pan-African cybersecurity consultancy Serianu has signed a memorandum of understanding with Ghana's InstinctWave to enhance awareness and uptake of cybersecurity by public sector institutions.


Top Stories

Source 1: ITPro ( https://www.itpro.co.uk/ )
https://www.itpro.co.uk/security/34660/hackers-are-no-longer-winning-says-kpmg-cyber-chief
Impact value: Informative
Hackers 'are no longer winning', says KPMG cyber chief. Hackers are "no longer winning the cyber crime war" following years of public and private investment and cross-industry collaboration, according to KPMG's global head of cyber futures, David Ferbrache. The UK's cyber resilience has improved over the past two years, with joint operations between law enforcement and the private sector frustrating opportunities for criminals to profit from cyber crime.

Source 2: Computer Weekly ( https://www.computerweekly.com/ )
https://www.computerweekly.com/news/252472525/Huge-rise-in-rogue-banking-apps-driving-fraud-attacks
Impact value: Informative
Huge rise in rogue banking apps driving fraud attacks. Online fraud attacks originating from fake mobile applications that impersonate legitimate banks almost doubled in the first six months of 2019, according to RSA's Fraud and Risk Intelligence (FRI) team.

Source 3: CYWARE ( https://cyware.com/ )
https://cyware.com/news/over-100-million-attacks-were-detected-on-iot-devices-in-h1-2019-c37842ab
Impact value: Informative
Over 100 Million Attacks Were Detected on IoT Devices in H1 2019. Kaspersky's honeypots detected 105 million attacks on IoT devices from 276,000 unique IP addresses in the first half of 2019, roughly nine times the figure recorded in H1 2018 (about 12 million).


https://cyware.com/news/rise-in-payment-fraud-techniques-should-be-everyones-concern-now-8b796cc0
Impact value: Informative
Rise in Payment Fraud Techniques Should Be Everyone's Concern Now. Over 23 million stolen credit cards were put up for sale on the dark web in the first half of 2019, a ready supply for payment fraud, which remains a low-risk, high-profit criminal activity. Highlighted fraud techniques include Card Not Present (CNP) fraud, skimming, jackpotting and loyalty-programme fraud.


System vulnerabilities

Source 1: CYWARE ( https://cyware.com/ )
https://cyware.com/news/uc-browser-puts-over-500-million-android-users-at-risk-by-violating-google-play-store-policies-31169c02/l
Impact value: Critical
UC Browser Puts Over 500 Million Android Users at Risk by Violating Google Play Store Policies. The UC Browser and UC Browser Mini Android apps exposed over 500 million Android users to Man-in-the-Middle (MITM) attacks: in violation of Google Play Store policy, the browser downloaded an additional APK from a third-party server over an unprotected (unencrypted) channel, so anyone on the network path could substitute the file. Upon being informed, UCWeb updated both apps to fix the issue.

Source 2: SC Magazine ( https://www.scmagazine.com/ )
https://www.scmagazine.com/home/network-security/vmware-patches-critical-bug-in-harbor-container-registry-for-pcf/
Impact value: Critical
VMware patches critical bug in Harbor Container Registry for PCF. VMware has issued a security advisory for a critical broken access control vulnerability in its Cloud Foundation and in Harbor Container Registry for Pivotal Cloud Foundry (PCF). The vulnerability is tracked as CVE-2019-16919 and affects Harbor 1.8.x; it is fixed in Harbor v1.8.4. A patch for VMware Cloud Foundation is still pending.

https://www.scmagazine.com/home/security-news/cloud-security/open-aws-buckets-expose-more-than-200k-cvs-at-two-online-recruitment-firms/
Impact value: High
Open AWS buckets expose more than 200K CVs at two online recruitment firms. Unsecured AWS S3 buckets belonging to two online recruitment firms, Authentic Jobs and Sonic Jobs (UK), exposed more than 250,000 CVs of job candidates. The potentially exposed information includes names, addresses, job histories and phone numbers.
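Open-bucket exposures of the kind reported above almost always come down to a bucket policy or ACL that grants read access to everyone, which the S3 Public Access Block settings can neutralise. The following Python is an added example for this bulletin, not code from SC Magazine or either recruitment firm: it evaluates a bucket's policy, ACL and Public Access Block configuration and reports which grants make the bucket world-readable. The bucket names and the policy, ACL and Public Access Block documents at the bottom are constructed samples in the same JSON shapes the S3 API returns.

```python
"""Flag S3 buckets whose policy or ACL makes them world-readable.

Added example for this bulletin, not code from SC Magazine or either
recruitment firm.  The bucket inventory at the bottom is constructed."""
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
# Actions that let an anonymous caller read objects or enumerate keys.
READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:*", "*"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    # Both "*" and {"AWS": "*"} mean "anyone, including unauthenticated callers".
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def policy_public_statements(policy):
    """Return the Sids (or statement indexes) that grant anonymous read."""
    if not policy:
        return []
    if isinstance(policy, str):          # raw JSON as returned by get-bucket-policy
        policy = json.loads(policy)
    hits = []
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        if st.get("Effect") != "Allow" or not _principal_is_public(st.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(st.get("Action", []))}
        if not actions & READ_ACTIONS:
            continue
        # A Condition (aws:SourceIp, aws:SourceVpc, ...) narrows the grant;
        # that needs a human look rather than an automatic "public" verdict.
        if st.get("Condition"):
            continue
        hits.append(st.get("Sid", f"statement[{i}]"))
    return hits


def acl_public_grants(acl):
    """Return (group, permission) pairs that open the ACL to everyone."""
    hits = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        uri = grantee.get("URI") if grantee.get("Type") == "Group" else None
        if uri in (ALL_USERS, AUTH_USERS) and grant.get("Permission") in ("READ", "FULL_CONTROL"):
            hits.append((uri.rsplit("/", 1)[-1], grant["Permission"]))
    return hits


def assess_bucket(name, policy=None, acl=None, public_access_block=None):
    """Findings for one bucket (empty list = not publicly readable).

    public_access_block mirrors GetPublicAccessBlock: when the matching
    switch is on, S3 ignores the public grant, so it is not reported."""
    pab = public_access_block or {}
    findings = []
    if not pab.get("RestrictPublicBuckets", False):
        for sid in policy_public_statements(policy):
            findings.append(f"{name}: bucket policy {sid} allows anonymous read")
    if not pab.get("IgnorePublicAcls", False):
        for group, perm in acl_public_grants(acl or {}):
            findings.append(f"{name}: ACL grants {perm} to {group}")
    return findings


def scan(buckets):
    """Map bucket name -> findings, keeping only buckets with at least one."""
    result = {}
    for name, cfg in buckets.items():
        findings = assess_bucket(name, **cfg)
        if findings:
            result[name] = findings
    return result


# Constructed inventory: the same public policy and ACL on two buckets, one of
# which has every Public Access Block switch enabled.
_PUBLIC_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-cv-uploads/*"}]}
_PUBLIC_ACL = {"Grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS},
                           "Permission": "READ"}]}
SAMPLE_BUCKETS = {
    "example-cv-uploads": {"policy": _PUBLIC_POLICY, "acl": _PUBLIC_ACL,
                           "public_access_block": {}},
    "example-cv-uploads-locked": {"policy": _PUBLIC_POLICY, "acl": _PUBLIC_ACL,
                                  "public_access_block": {
                                      "BlockPublicAcls": True, "IgnorePublicAcls": True,
                                      "BlockPublicPolicy": True, "RestrictPublicBuckets": True}},
}

if __name__ == "__main__":
    for bucket, findings in scan(SAMPLE_BUCKETS).items():
        print("\n".join(findings))
```

In a real audit the three input documents come from `get-bucket-policy`, `get-bucket-acl` and `get-public-access-block` for every bucket in the account; a statement with a Condition is deliberately left out of the automatic verdict because conditions such as `aws:Referer` are easy to forge and still deserve a manual look.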


Source 3: Palo Alto Networks ( https://blog.paloaltonetworks.com/ )
https://blog.paloaltonetworks.com/2019/10/cloud-kubernetes-vulnerabilities/
Impact value: Informative
Analysis of Two Newly Patched Kubernetes Vulnerabilities. The Kubernetes team has released new builds that patch CVE-2019-16276 and CVE-2019-11253. The vulnerabilities pose a risk under some Kubernetes configurations. Upgrading to Kubernetes 1.14.8, 1.15.5 or 1.16.2 addresses both issues.

Source 4: Ars Technica ( https://arstechnica.com/ )
https://arstechnica.com/information-technology/2019/10/unpatched-linux-flaw-may-let-attackers-crash-or-compromise-nearby-devices/
Impact value: High
Unpatched Linux bug may open devices to serious attacks over Wi-Fi. A potentially serious vulnerability in the rtlwifi driver, tracked as CVE-2019-17666, can trigger an overflow in the Linux kernel when a machine with a Realtek Wi-Fi chip is within radio range of a malicious device; no user interaction is needed on the victim machine.
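Both the Harbor item (CVE-2019-16919, fixed in 1.8.4) and the Kubernetes item (fixed in 1.14.8, 1.15.5 and 1.16.2) are "upgrade to at least this build on your branch" advisories, and the usual mistake when checking an inventory against them is comparing version strings lexically, which orders 1.8.10 before 1.8.4. The following Python is an added example for this bulletin, not code from Palo Alto Networks, VMware or the Kubernetes project: it parses version strings, maps each to its minor branch, and gives a per-host verdict, treating a pre-release of the fixed build as still vulnerable and a branch the advisory does not cover as needing manual review. The host inventory is constructed.

```python
"""Triage inventoried Harbor and Kubernetes versions against the fixed builds
named in the advisories above.  Added example; the fixed-version table is taken
from the two advisories summarised on this page and the host inventory is made up."""
import re

# Minor branch -> first build that carries the fix.  Branches absent from the
# table were not covered by the advisory and get a "review" verdict.
FIXED_BUILDS = {
    "harbor": {(1, 8): (1, 8, 4)},                 # CVE-2019-16919
    "kubernetes": {(1, 14): (1, 14, 8),             # CVE-2019-16276, CVE-2019-11253
                   (1, 15): (1, 15, 5),
                   (1, 16): (1, 16, 2)},
}

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.]+)?$")


def parse_version(text):
    """Return ((major, minor, patch), is_prerelease) for strings such as
    'v1.15.5', '1.8.4' or '1.16.2-rc.1'; raise ValueError otherwise."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.group(1, 2, 3)), m.group(4) is not None


def verdict(product, version_text):
    """'patched', 'vulnerable', or 'review' (branch not in the advisory)."""
    table = FIXED_BUILDS[product]
    (major, minor, patch), prerelease = parse_version(version_text)
    fixed = table.get((major, minor))
    if fixed is None:
        return "review"
    if (major, minor, patch) < fixed:
        return "vulnerable"
    if (major, minor, patch) == fixed and prerelease:
        # A pre-release of the fixed build (e.g. 1.16.2-rc.1) predates the fix.
        return "vulnerable"
    return "patched"


def triage(inventory):
    """inventory: iterable of (host, product, version) -> {verdict: [hosts]}."""
    out = {"vulnerable": [], "review": [], "patched": []}
    for host, product, version in inventory:
        out[verdict(product, version)].append(host)
    return out


# Constructed inventory, not real hosts.
SAMPLE_INVENTORY = [
    ("registry-01", "harbor", "v1.8.3"),
    ("registry-02", "harbor", "v1.8.4"),
    ("registry-03", "harbor", "v1.7.6"),
    ("k8s-prod", "kubernetes", "v1.15.4"),
    ("k8s-stage", "kubernetes", "v1.16.2"),
    ("k8s-dev", "kubernetes", "v1.16.2-rc.1"),
    ("k8s-legacy", "kubernetes", "v1.13.12"),
]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:<11}{', '.join(hosts) or '-'}")
```

The version strings come from `kubectl version --short` (server side) or the Harbor API's `/api/systeminfo` endpoint; the "review" bucket exists because an unsupported branch such as Kubernetes 1.13 receives no fixed build at all, which is a stronger finding than "vulnerable", not a weaker one.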


Malware

Source 1: Bleeping Computer ( https://www.bleepingcomputer.com/ )
https://www.bleepingcomputer.com/news/security/european-airport-systems-infected-with-monero-mining-malware/
Impact value: High
European Airport Systems Infected With Monero-Mining Malware. More than 50% of all computing systems at a European international airport were recently found to be infected with a Monero cryptominer linked to the Anti-CoinMiner campaign first spotted in August 2018. Researchers detected the infection because the threat actors repeatedly launched PAExec, a redistributable version of the legitimate Microsoft tool PsExec, which is a useful behavioural indicator on hosts where no administrator should be running it.

https://www.bleepingcomputer.com/news/security/stripe-users-targeted-in-phishing-attack-that-steals-banking-info/
Impact value: High
Stripe Users Targeted in Phishing Attack That Steals Banking Info. A phishing campaign using a fake Stripe support alert claiming the recipient's account is invalid targeted Stripe customers in an attempt to steal account details and login credentials. The attackers used an HTML-based trick to redirect Stripe customers to a phishing page designed to collect credentials, bank account numbers and phone numbers.


DDoS/Botnets

Source 1: The Hacker News ( https://thehackernews.com/ )
https://thehackernews.com/2019/10/phorpiex-botnet-sextortion-emails.html
Impact value: High
Phorpiex Botnet Sending Out Millions of Sextortion Emails Using Hacked Computers. A large-scale "sextortion" campaign is using a network of more than 450,000 hijacked computers to send aggressive emails that threaten to release compromising photographs of the recipient unless $800 (£628) is paid in Bitcoin.

Source 2: Bleeping Computer ( https://www.bleepingcomputer.com/ )
https://www.bleepingcomputer.com/news/security/new-sdbot-remote-access-trojan-used-in-ta505-malspam-campaigns/
Impact value: High
New SDBot Remote Access Trojan Used in TA505 Malspam Campaigns. Researchers discovered two new malware strains distributed via phishing campaigns carried out by the TA505 group during the last two months: a new downloader dubbed Get2 and a previously undocumented remote access Trojan (RAT) named SDBbot. The downloader delivers second-stage payloads including FlawedGrace, FlawedAmmyy, Snatch and the new SDBbot RAT to compromised systems.


Spam & Phishing

Source 1: Personal Finance ( https://www.iol.co.za/ )
https://www.iol.co.za/personal-finance/my-money/banking/banking-scams-becoming-more-sophisticated-35279484
Impact value: High
Banking scams becoming more sophisticated. According to the South African Banking Risk Information Centre (Sabric), reported incidents of digital banking crime increased by 75 percent between 2017 and 2018, with R262.8 million lost to digital, mobile and app banking crime in 2018 alone. Criminals combine technology with social engineering to defraud people; highlighted techniques include phishing, vishing and SIM swapping.


Web Security

Source 1: Health IT Security ( https://healthitsecurity.com/ )
https://healthitsecurity.com/news/malicious-code-on-mission-health-store-website-undetected-for-3-years
Impact value: High
Malicious Code on Mission Health Store Website Undetected for 3 Years. Malware installed on the Mission Health online store websites (store.mission-health.org and shopmissionhealth.org) gave attackers unauthorized access to customers' payment information for three years. According to reports, the malware was first installed in March 2016 and remained undetected until June 2019.

Source 2: Bleeping Computer ( https://www.bleepingcomputer.com/ )
https://www.bleepingcomputer.com/news/security/fake-wordpress-plugin-comes-with-cryptocurrency-mining-function/
Impact value: Medium
Fake WordPress Plugin Comes with Cryptocurrency Mining Function. Researchers have uncovered a fake version of the 'WordPress Framework' plugin that attackers used to gain unauthorized access to sites and mine cryptocurrency. Although it has been removed from the WordPress public repository, the plugin still has more than 400 active installations.


Bulletins

Source 1: US-CERT - Security Bulletin Mailing List ( http://www.us-cert.gov/cas/bulletins/ )
https://www.us-cert.gov/ncas/bulletins/sb19-287
Vulnerability Summary for the Week of October 7, 2019. Compiled from the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD).

Source 2: Oracle Security Bulletins ( http://www.oracle.com/technetwork/topics/security/alerts-086861.html )
https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
Oracle Critical Patch Update Pre-Release Announcement - October 2019; advised action: run the available security updates.
https://www.oracle.com/technetwork/security-advisory/alert-cve-2019-2729-5570780.html
Oracle Security Alert Advisory - CVE-2019-2729. Deserialization vulnerability in Oracle WebLogic Server, exploitable without authentication; advised action: run the security updates.
https://www.oracle.com/technetwork/topics/security/bulletinoct2019-5781621.html
Oracle Solaris Third Party Bulletin - October 2019; advised action: apply the necessary patches.
https://www.oracle.com/technetwork/topics/security/linuxbulletinoct2019-5781618.html
Oracle Linux Bulletin - October 2019; advised action: apply the necessary Oracle Linux Bulletin fixes.
https://www.oracle.com/technetwork/topics/security/public-vuln-to-advisory-mapping-093627.html
Map of CVE to Advisory/Alert; advised action: apply the Critical Patch Update for protection against known vulnerabilities.
https://www.oracle.com/technetwork/topics/security/ovmbulletinoct2019-5781619.html
Oracle VM Server for x86 Bulletin - October 2019; advised action: apply the necessary Oracle VM Server for x86 Bulletin fixes.


Updates & Alerts

Source 1: Cisco Security Advisories & Alerts ( http://tools.cisco.com/security/center/publicationListing.x )
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190828-iosxe-rest-auth-bypass
Impact value: Critical
Cisco REST API Container for IOS XE Software Authentication Bypass Vulnerability. Due to an improper check in the code that manages the REST API authentication service, a remote attacker could bypass authentication on the managed Cisco IOS XE device. The REST API virtual service container is not enabled by default, so exposure is limited to devices on which it has been installed and activated.

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191002-fmc-rce
Impact value: High
Cisco Firepower Management Center Remote Code Execution Vulnerability. Due to insufficient input validation, an attacker could execute arbitrary commands on the affected device.

Source 2: Info Security ( https://www.infosecurity-magazine.com/ )
https://www.infosecurity-magazine.com/opinions/secure-behavioral-biometrics
Impact value: Informative
How Secure Is Behavioral Biometrics? Behavioural biometrics analyse traits and micro-habits such as voice, keystroke timing when typing, navigational patterns and engagement patterns. Behavioural biometric authentication methods have risen in popularity because they provide a mechanism to passively authenticate people without requiring any explicit action from them.


Source 3: CISA (Cybersecurity and Infrastructure Security Agency) ( https://www.us-cert.gov/ )
https://www.us-cert.gov/ncas/alerts/aa19-290a
Impact value: Informative
Microsoft Ending Support for Windows 7 and Windows Server 2008 R2. On January 14, 2020, Microsoft will end extended support for its Windows 7 and Windows Server 2008 R2 operating systems. After this date, these products will no longer receive free technical support or software and security updates, so any remaining installations should be inventoried and migrated before then.


www.ke-cirt.go.ke