NATIONAL KE-CIRT/CC CYBERSECURITY UPDATES 2nd January 2020

Summary Headlines

Impact Metric Against Count of Events

Category                Critical  High  Medium  Informative
Regional Highlights        0       0      0         2
Top Stories                0       0      0         3
System vulnerabilities     0       2      0         1
Malware                    0       2      0         0
DDoS/Botnets               0       1      0         0
Spam & phishing            0       0      0         1
Web Security               0       2      0         0
Updates & alerts           0       2      1         1

Regional Highlights

Source 1: Standard Digital ( https://www.standardmedia.co.ke/ )

https://www.standardmedia.co.ke/business/article/2001354909/microsoft-seizes-web-domains-used-by-north-korean-hackers
Impact value: Informative
Microsoft seizes web domains used by North Korean hackers. The US technology giant said a federal court allowed it to take control of 50 domains operated by a group dubbed Thallium, which tricked online users by fraudulently using Microsoft brands and trademarks. Based on victim information, the targets included government employees, think tanks, university staff members, members of organizations focused on world peace and human rights, and individuals who work on nuclear proliferation issues. Most targets were based in the US, with others in Japan and South Korea.

https://www.standardmedia.co.ke/business/article/2001354826/huawei-gets-india-nod-to-participate-in-5g-trials
Impact value: Informative
China's Huawei gets India nod to participate in 5G trials. The Indian government has allowed Chinese telecom company Huawei Technologies Co to participate in trials for 5G networks, despite the United States lobbying its allies not to use Huawei's network equipment in their 5G networks.

Top Stories

Source 1: GCN ( https://gcn.com/ )

https://gcn.com/articles/2019/12/24/software-defined-perimeter-iot-dr.aspx
Impact value: Informative
How agencies can bake data security into IoT and disaster recovery. Many enterprise organizations are now leveraging a new class of data security: software-defined perimeters (SDP). In 2020, government agencies will combine Raspberry Pi (RasPi) devices with SDP to create highly secure, low-cost IoT networks. For those that wish to harness its power, SDP software improves the security of data flows between devices by removing an IoT device's network presence, eliminating the potential attack surfaces created by a traditional network perimeter.

Source 2: NZ Herald ( https://www.nzherald.co.nz/ )

https://www.nzherald.co.nz/travel/news/article.cfm?c_id=7&objectid=12291174
Impact value: Informative
You should never print your boarding pass, here's why. According to a new Forbes report, travellers who do not carefully dispose of their paper boarding pass, or who share it online, make it easy for hackers to break into their frequent flyer accounts, which need only a name, a booking reference number and a frequent flyer number, and to steal points that are hugely lucrative on the black market.

Source 3: Security Magazine ( https://www.securitymagazine.com/ )

https://www.securitymagazine.com/articles/91442-security-predictions-for-2020
Impact value: Informative
Security Predictions for 2020. In this year's Cyber Security Predictions, the WatchGuard Threat Lab has imagined the top cyber attacks we'll see in 2020 and has provided tips for simplifying your approach to stopping them. The highlighted issues include: ransomware targets the cloud; GDPR comes to the US; voter registration systems are targeted during the 2020 elections; 25% of all breaches will happen outside the perimeter; the cybersecurity skills gap widens; multi-factor authentication (MFA) becomes standard for mid-sized companies; and attackers will find new vulnerabilities in the 5G/Wi-Fi handover to access the voice and/or data of 5G mobile phones.

System vulnerabilities

Source 1: SC Magazine ( https://www.scmagazine.com/ )

https://www.scmagazine.com/home/security-news/data-breach/school-software-vendor-active-network-suffers-data-breach/
Impact value: High
School software vendor Active Network suffers data breach. Active Network reported unauthorized activity in the network of its Blue Bear Software platform earlier this year, which resulted in customers' PII being exposed. The information possibly accessed included names, payment card expiration dates, security codes, and Blue Bear login credentials. However, the attackers did not access Social Security numbers, driver's license numbers or government ID card numbers.

Source 2: Bleeping Computer ( https://www.bleepingcomputer.com/ )

https://www.bleepingcomputer.com/news/security/special-olympics-new-york-hacked-to-send-phishing-emails/
Impact value: High
Special Olympics New York Hacked to Send Phishing Emails. Special Olympics of New York had its email server hacked around this year's Christmas holiday; the server was later used to launch a phishing campaign against previous donors. The hack affected only the communications system that stored contact information, not financial data. The phishing email was camouflaged as an alert of an impending donation transaction ($1,942.49) that would be automatically deducted from the target's account within two hours.

Source 3: Security Affairs ( https://securityaffairs.co/ )

https://securityaffairs.co/wordpress/95825/laws-and-regulations/irish-national-cyber-security-strategy.html
Impact value: Informative
Irish National Cyber Security Strategy warns of attacks on Irish data centres. The Irish government has published its National Cyber Security Strategy, an update of the country's first Strategy, which was published in 2015.

Malware

Source 1: ZDNet ( https://www.zdnet.com/ )

https://www.zdnet.com/article/microsoft-takes-down-50-domains-operated-by-north-korean-hackers/
Impact value: High
Microsoft takes down 50 domains operated by North Korean hackers. Microsoft has successfully taken down 50 web domains of the North Korean government-backed Thallium hacking group. The seized domains were used by the group in different cyberattacks, both to send phishing emails and to host phishing pages. Most targets were based in the U.S., Japan, and South Korea. The goal of many of these attacks was to infect victims with malware such as KimJongRAT and BabyShark.

Source 2: Fox Business ( https://www.foxbusiness.com/ )

https://www.foxbusiness.com/technology/major-us-companies-breached-robbed-and-spied-on-by-chinese-hackers
Impact value: High
Major US companies breached, robbed, and spied on by Chinese hackers. A new investigation has revealed that the infamous Cloud Hopper attack, led by the China-based APT10 hacking group, reached far beyond the 14 unnamed companies and is still active on several companies' networks. The latest list of victim organizations includes at least a dozen cloud service providers, among them CGI Group Inc., Tieto Oyj, and IBM Corp. The attack against managed service providers started around late 2016.

Spam & Phishing

Source 1: Dark Reading ( https://www.darkreading.com/ )

https://www.darkreading.com/application-security/fraud-in-the-new-decade/a/d-id/1336671?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple
Impact value: Informative
Fraud in the New Decade. Notable fraud developments in the next decade include: demand for marketing data will fuel complex fraud; account takeover will evolve into account access-as-a-service; old breaches will resurface in data compilations; and synthetic identities will come home to roost.

DDoS/Botnets

Source 1: CYWARE ( https://cyware.com/news/ )

https://cyware.com/news/bluehero-botnet-found-scanning-the-internet-to-infect-systems-with-xmrig-miner-and-gh0st-rat-cfc3d7d9
Impact value: High
BlueHero botnet found scanning the internet to infect systems with XMRig miner and Gh0st RAT. The BlueHero botnet derives its name from the domain bluehero[.]in found in its binary. The botnet leverages a variety of web exploits to break into unpatched web servers, and it contains several other exploits to spread across the network. To initiate the infection process, the botnet actively scans for IP addresses with ports 80 and 3389 open. It then uses Mimikatz to dump passwords from infected hosts into a Results.txt file.

Web Security

Source 1: Security Affairs ( https://securityaffairs.co/ )

https://securityaffairs.co/wordpress/95857/breaking-news/shitcoin-wallet-chrome-extension.html
Impact value: High
Shitcoin Wallet Chrome extension steals crypto-wallet private keys and passwords. A security expert discovered a Google Chrome extension named Shitcoin Wallet that steals passwords and wallet private keys.

https://securityaffairs.co/wordpress/95826/security/starbucks-api-key-exposed-online.html
Impact value: High
Expert finds Starbucks API key exposed online. Developers at Starbucks left an API key exposed that could have been used by an attacker to access internal systems and manipulate the list of authorized users.

Bulletins

Source 1: US-CERT - Security Bulletin Mailing List ( http://www.us-cert.gov/cas/bulletins/ )

https://www.us-cert.gov/ncas/bulletins/sb19-364
Vulnerability Summary for the Week of December 23, 2019. Recorded by the National Institute of Standards and Technology (NIST) and the National Vulnerability Database (NVD).

Source 2: Oracle Security Bulletins ( http://www.oracle.com/technetwork/topics/security/alerts-086861.html )

https://www.oracle.com/security-alerts/cpuoct2019.html
Oracle Critical Patch Update Advisory - October 2019; advised action: run available security updates.

https://www.oracle.com/security-alerts/alert-cve-2019-2729.html
Oracle Security Alert Advisory - CVE-2019-2729. Deserialization vulnerability in Oracle WebLogic Server, exploitable without authentication; advised action: run security updates.

https://www.oracle.com/security-alerts/bulletinoct2019.html
Oracle Solaris Third Party Bulletin - October 2019; advised action: apply necessary patches.

https://www.oracle.com/security-alerts/linuxbulletinoct2019.html
Oracle Linux Bulletin - October 2019; advised action: apply necessary Oracle Linux Bulletin fixes.

https://www.oracle.com/security-alerts/public-vuln-to-advisory-mapping.html
Map of CVE to Advisory/Alert; advised action: apply the Critical Patch Update for protection against known vulnerabilities.

https://www.oracle.com/security-alerts/ovmbulletinoct2019.html
Oracle VM Server for x86 Bulletin - October 2019; advised action: apply necessary Oracle VM Server for x86 Bulletin fixes.

Updates & Alerts

Source 1: Cisco Security Advisories & Alerts ( http://tools.cisco.com/security/center/publicationListing.x )

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191112-asa-ftd-lua-rce
Impact value: High
Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Remote Code Execution Vulnerability. Due to insufficient restrictions on the allowed Lua function calls within the context of user-supplied Lua scripts, a remote attacker could execute arbitrary code with root privileges on the underlying Linux operating system of an affected device.

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191106-wlc-dos
Impact value: High
Cisco Wireless LAN Controller HTTP Parsing Engine Denial of Service Vulnerability. Due to a failure of the HTTP parsing engine to handle specially crafted URLs, a remote attacker could cause a denial of service (DoS) condition on an affected device.

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190904-ise-xss
Impact value: Medium
Cisco Identity Services Engine Cross-Site Scripting Vulnerability. Due to improper validation of user-supplied input, a remote attacker could conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device.

Source 2: Asian Review ( https://asia.nikkei.com/ )

https://asia.nikkei.com/Business/Markets/Currencies/China-s-digital-yuan-takes-shape-with-new-encryption-law
Impact value: Informative
China's digital yuan takes shape with new encryption law. China rolls out new rules governing online encryption on Wednesday, paving the way for a digital version of the yuan and taking greater control over cyberspace. The national cryptography law, established in October, makes the government responsible for setting encryption standards covering both the state and industries.

www.ke-cirt.go.ke