Date post: 21-Jul-2020

NATIONAL KE-CIRT/CC CYBERSECURITY UPDATES

21st November 2019


Summary Headlines

Impact Metric Against Count of Events

Category                 Critical  High  Medium  Informative
Regional Highlights      0         0     0       4
Top Stories              0         0     0       5
System vulnerabilities   0         4     0       1
Malware                  0         0     0       2
DDoS/Botnets             1         0     0       0
Spam & phishing          0         2     0       0
Web Security             0         2     0       0
Updates & alerts         0         2     14      1


Regional Highlights

Source 1: Business Today ( https://businesstoday.co.ke/ )

https://businesstoday.co.ke/eabl-and-safaricom-launch-smart-fridges-to-track-beer-consumption/
Impact value: Informative
‘Talking Fridges’ to Monitor How Kenyans Consume Alcohol. Safaricom today officially announced a partnership with Kenya Breweries Limited (KBL) to connect and enhance its coolers in a high-tech development expected to transform how Kenyans take their alcohol.

https://businesstoday.co.ke/facebook-data-kenyans-targeted-government-freedom-of-speech/
Impact value: Informative
Beware! Facebook Posts Could Land You in Trouble with Government. Freedom of speech in Kenya is becoming one of the most abused rights and privileges by the government as it seeks to silence those with dissenting opinions and views. In its latest transparency report, Facebook claims that the Kenya government was on overdrive in the first half of 2019, demanding private information about Kenyan users on five different occasions.

Source 2: Standard Digital ( https://www.standardmedia.co.ke/ )

https://www.standardmedia.co.ke/business/article/2001350304/ict-industry-backs-data-law
Impact value: Informative
Kenya's ICT industry backs data law. The ICT fraternity today threw its support behind the recently signed data protection bill, terming it a good regulatory policy framework for the industry. Signed by President Uhuru Kenyatta two weeks ago, the Data Protection Act will put safeguards against commercialization and misuse of data without approval from the data commissioner and the data subjects.


Source 3: Business Daily ( https://www.businessdailyafrica.com/ )

https://www.businessdailyafrica.com/corporate/tech/Insurers-bank-on-virtual-certificates/4258474-5356154-1djj5k/index.html
Impact value: Informative
Insurers bank on virtual certificates to help curb fraud. This shift to virtual certificates will help curb motor insurance fraud by ensuring that only one motor insurance certificate is issued per vehicle. Cases of double insurance, fake certificates and stolen insurance certificates will be eliminated. The virtual certificates will also save insurance companies the cost of physically delivering the certificates to their customers as they will receive the virtual motor insurance certificate on a digital platform.


Top Stories

Source 1: CYWARE ( https://cyware.com/ )

https://cyware.com/news/dns-attacks-cost-global-governments-an-average-of-7-million-each-year-a-new-study-says-eb60ecb6
Impact value: Informative
DNS attacks cost global governments an average of $7 million each year. According to new research from EfficientIP, the government sector is losing nearly $7 million, on average, from DNS attacks each year. The organizations in this sector suffer an average of 12 DNS attacks per year, costing over half a million dollars each.

Source 2: U.S. Army ( https://www.army.mil/ )

https://www.army.mil/article/230055/cyber_strategy_bolsters_allies_partners_ahead_of_2020_election
Impact value: Informative
Cyber strategy bolsters allies, partners ahead of 2020 election. The Department of Defense (DOD) Cyber Strategy emphasizes "Defending Forward" in order "to disrupt or halt malicious cyber activity at its source, including activity that falls below the level of armed conflict," said Col. Andrew Hall, director of the Army Cyber Institute at West Point, New York.

Source 3: ZDNet ( https://www.zdnet.com/ )

https://www.zdnet.com/article/singapore-firms-take-118-hours-to-detect-contain-cyber-attacks/
Impact value: Informative
Singapore firms take 118 hours to detect, contain cyber attacks. Businesses in Singapore take an average of 118 hours to detect and respond to security breaches, including 63 hours to detect intruders in their network and eight hours before a team is assigned to determine a remedy. They then require 10 hours to fully investigate the breach and another 37 hours to contain and respond to the cybersecurity breach.


Source 4: PYMNTS ( https://www.pymnts.com/ )

https://www.pymnts.com/cryptocurrency/2019/400m-of-ripple-xrp-tokens-linked-to-cybercrime/
Impact value: Informative
Report: $400M Of Ripple’s XRP Tokens Linked To Cybercrime. Cryptocurrency forensics and analysis firm Elliptic found that roughly $400 million worth of XRP tokens on the Ripple payment network is connected to illegal transactions ranging from theft to scams and the sale of stolen credit cards.

Source 5: FCW ( https://fcw.com/ )

https://fcw.com/articles/2019/11/20/fisma-updates-johnson.aspx
Impact value: Informative
Updated FISMA guidance puts new reporting mandates on agencies. The Office of Management and Budget has released updated guidance to federal civilian agencies on complying with the Federal Information Security Management Act, outlining timelines and deliverables for reporting security incidents, information sharing and vulnerability scans of federal systems and websites.


System Vulnerabilities

Source 1: Forbes ( https://www.forbes.com/ )

https://www.forbes.com/sites/daveywinder/2019/11/20/infection-hits-french-hospital-like-its-2017-as-ransomware-cripples-6000-computers/?ss=cybersecurity#14a88a83576e
Impact value: High
Infection Hits French Hospital Like It’s 2017 As Ransomware Cripples 6,000 Computers. A ransomware attack at the Rouen University Hospital Charles Nicolle in the north of France has impacted all five sites of the hospital. The staff was quick to take action and immediately shut down the IT systems to prevent the infection from spreading further.

Source 2: Coin Telegraph ( https://cointelegraph.com/ )

https://cointelegraph.com/news/gatehub-crypto-wallet-data-breach-compromises-passwords-of-14m-users
Impact value: High
GateHub hacked. Personal information of as many as 1.4 million user accounts of the GateHub cryptocurrency wallet has been dumped online. The stolen information includes registered email addresses, passwords, two-factor authentication keys, mnemonic phrases, and wallet hashes.

Source 3: Becker’s Hospital Review ( https://www.beckershospitalreview.com/ )

https://www.beckershospitalreview.com/cybersecurity/indiana-physician-group-warns-3-500-patients-of-data-breach.html
Impact value: Informative
Indiana physician group warns 3,500 patients of data breach. Select Health Network is notifying 3,582 patients about a data breach that may have exposed their personal health information. Upon investigation, the physician group determined that the employee’s email account was accessed by an unauthorized third party between May 22 and June 13.


Source 4: ZDNet ( https://www.zdnet.com/ )

https://www.zdnet.com/article/popular-apps-on-google-play-linked-to-old-remote-code-execution-bugs/
Impact value: High
Popular apps on Google Play linked to old remote code execution bugs. Three critical RCE vulnerabilities from 2014, 2015, and 2016 continue to affect the latest versions of popular apps hosted on Google Play. The flaws are tracked as CVE-2014-8962, CVE-2015-8271, and CVE-2016-3062. These flaws affect multiple apps such as Facebook, Facebook Messenger, LiveXLive, Moto Voice BETA, AliExpress, and Video MP3 Converter.

Source 5: Threat Post ( https://threatpost.com/ )

https://threatpost.com/windows-uac-flaw-privilege-escalation/150463/
Impact value: High
High-Severity Windows UAC Flaw Enables Privilege Escalation. A high-severity flaw in Microsoft Windows can give attackers elevated privileges, ultimately allowing them to install programs, and view, change or delete data. The bug stems from User Account Control (UAC). The vulnerability is identified as CVE-2019-1388 and has a CVSS score of 7.8 out of 10.


Malware

Source 1: ZDNet ( https://www.zdnet.com/ )

https://www.zdnet.com/article/ransomware-this-free-tool-decrypts-85-variants-of-the-horror-tinged-jigsaw-malware/
Impact value: Informative
Ransomware: This free tool decrypts 85 variants of the horror-tinged Jigsaw malware. Emsisoft has released a free tool to unlock files encrypted by Jigsaw ransomware. The decryption tool currently unlocks 85 variants of the malware. Jigsaw uses the AES-128 algorithm to encrypt victims’ files.

Source 2: Bleeping Computer ( https://www.bleepingcomputer.com/ )

https://www.bleepingcomputer.com/news/security/microsoft-warns-customers-of-doppelpaymer-ransomware-threat/
Impact value: Informative
Microsoft Warns Customers of DoppelPaymer Ransomware Threat. The Microsoft Security Response Center (MSRC) is informing customers about misleading information on how DoppelPaymer ransomware spreads. Information circulating on the internet says the ransomware’s propagation is connected with the BlueKeep exploit. However, the research team has refuted the claim after investigating the matter.


DDoS/Botnets

Source 1: ZDNet ( https://www.zdnet.com/ )

https://www.zdnet.com/article/new-roboto-botnet-emerges-targeting-linux-servers-running-webmin/
Impact value: Critical
New Roboto botnet emerges targeting Linux servers running Webmin. Security researchers have discovered a new peer-to-peer botnet dubbed Roboto that is targeting Linux servers running unpatched Webmin installs. The botnet supports seven functions: reverse shell, self-uninstall, gather process’ network information, gather bot information, execute system commands, run encrypted files specified in URLs, and DDoS attacks. Roboto spreads by exploiting the Webmin RCE vulnerability tracked as CVE-2019-15107.


Spam & Phishing

Source 1: Quartz ( https://qz.com/ )

https://qz.com/1752282/how-compromised-emails-enable-cybercrime-and-real-estate-scams/
Impact value: High
An extra letter “s” enabled a million-dollar real estate scam. The CEO of a Swiss company has been scammed out of nearly $1 million by a multinational fraud ring. The scammers impersonated a known lawyer to dupe the CEO. The matter came to light only after the real lawyer complained of not receiving any amount. The phony email address used by scammers had an extra letter ‘S’ which went unnoticed by the CEO. The spoofed email was deliberately created to deceive the recipient into believing he was communicating with the seller’s attorney.


Web Security

Source 1: CNET ( https://www.cnet.com/ )

https://www.cnet.com/news/exposed-database-left-terabyte-of-travelers-data-open-to-the-public/
Impact value: High
Exposed database left terabyte of travelers' data open to the public. An unprotected Elasticsearch database belonging to Gekko Group had exposed more than a terabyte of sensitive data on a public server. The exposed database contained travelers’ information like names, home addresses, lodging, children’s personal information, credit card numbers, and passwords stored in plaintext. Gekko has secured the database upon being notified.

Source 2: Bleeping Computer ( https://www.bleepingcomputer.com/ )

https://www.bleepingcomputer.com/news/security/millions-of-sites-exposed-by-flaw-in-jetpack-wordpress-plugin/
Impact value: High
Millions of Sites Exposed by Flaw in Jetpack WordPress Plugin. Admins and owners of WordPress sites are urged to immediately install the Jetpack 7.9.1 update to prevent a potential vulnerability that could be abused to launch attacks. The vulnerability affects versions 5.1 and after.


Spam & Phishing

Source 2: Hot For Security ( https://hotforsecurity.bitdefender.com/ )

https://hotforsecurity.bitdefender.com/blog/irs-phishing-campaign-targeted-100000-people-21812.html
Impact value: High
IRS Phishing Campaign Targeted 100,000 People. A phishing campaign emulating the US Internal Revenue Service (IRS) to target more than 100,000 people worldwide was identified and tracked by Content Delivery Network (CDN) and cloud service provider Akamai. The campaign, involving 289 domains and 832 URLs, remained active for 47 days, and it started unusually early, in August 2019.


Bulletins

Source 1: US-CERT - Security Bulletin Mailing List ( http://www.us-cert.gov/cas/bulletins/ )

https://www.us-cert.gov/ncas/bulletins/sb19-322
Vulnerability Summary for the Week of November 11, 2019. Recorded by National Institute of Standards and Technology and National Vulnerability.

Source 2: Oracle Security Bulletins ( http://www.oracle.com/technetwork/topics/security/alerts-086861.html )

https://www.oracle.com/security-alerts/cpuoct2019.html
Oracle Critical Patch Update Advisory - October 2019; advised action to run available security updates.

https://www.oracle.com/security-alerts/alert-cve-2019-2729.html
Oracle Security Alert Advisory - CVE-2019-2729. Deserialization vulnerability in Oracle WebLogic Server exploitable without authentication requirements; advised action to run security updates.

https://www.oracle.com/security-alerts/bulletinoct2019.html
Oracle Solaris Third Party Bulletin - October 2019; advised action to apply necessary patches.

https://www.oracle.com/security-alerts/linuxbulletinoct2019.html
Oracle Linux Bulletin - October 2019; advised action to apply necessary Oracle Linux Bulletin fixes.

https://www.oracle.com/security-alerts/public-vuln-to-advisory-mapping.html
Map of CVE to Advisory/Alert; advised action to apply the critical patch update for protection against known vulnerabilities.

https://www.oracle.com/security-alerts/linuxbulletinoct2019.html
Oracle VM Server for x86 Bulletin - October 2019; advised action to apply necessary Oracle VM Server for x86 Bulletin fixes.


Updates & Alerts

Source 1: Cisco Security Advisories & Alerts ( http://tools.cisco.com/security/center/publicationListing.x )

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190513-secureboot
Impact value: High
Cisco Secure Boot Hardware Tampering Vulnerability. Due to an improper check on the area of code that manages on-premise updates to a Field Programmable Gate Array (FPGA) part of the Secure Boot hardware implementation, an attacker could write a modified firmware image to the component.

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190925-ftp
Impact value: High
Cisco IOS XE Software FTP Application Layer Gateway for NAT, NAT64, and ZBFW Denial of Service Vulnerability. Due to a buffer overflow that occurs when an affected device inspects certain FTP traffic, a remote attacker could cause an affected device to reload.

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191120-webex-teams-dll
Impact value: Medium
Cisco Webex Teams for Windows DLL Hijacking Vulnerability. Due to insufficient validation of the resources loaded by the application at run time, a local attacker could perform a Dynamic Link Library (DLL) hijacking attack.


https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191120-webex-centers-infodis
Impact value: Medium
Cisco WebEx Centers Username Enumeration Information Disclosure Vulnerability. Due to missing CAPTCHA protection in certain URLs, a remote attacker could guess account usernames.

https://tools.cisco.com/security/center/publicationListing.x
Impact value: 12 Medium
Additional Cisco Security Advisories published on 20th November 2019 with the impact value of medium.

Source 2: Bleeping Computer ( https://www.bleepingcomputer.com/ )

https://www.bleepingcomputer.com/news/security/ublock-origin-now-blocks-sneaky-first-party-trackers-in-firefox/
Impact value: Informative
uBlock Origin Now Blocks Sneaky First-Party Trackers in Firefox. uBlock Origin on Firefox can now block first-party tracking scripts that attempt to bypass filters and rules by utilizing DNS CNAME records to load scripts from a third-party domain.


www.ke-cirt.go.ke

