NATIONAL KE-CIRT/CC CYBERSECURITY UPDATES 25th November 2019


Summary Headlines

Impact Metric Against Count of Events

Category                 Critical  High  Medium  Informative
Regional Highlights      0         0     0       5
Top Stories              0         0     0       6
System vulnerabilities   0         1     0       1
Malware                  1         0     0       1
DDoS/Botnets             1         0     0       0
Spam & phishing          0         1     0       0
Web Security             0         1     0       0
Updates & alerts         0         1     1       0


Regional Highlights

Source 1: Business Today ( https://businesstoday.co.ke/ )

https://businesstoday.co.ke/the-most-affordable-way-of-sending-money-to-tanzania-rwanda-from-kenya/

Impact value: Informative

The Most Affordable Way of Sending Money to Tanzania, Rwanda from Kenya. According to Rachel Balsham of MFS Africa, the costs of sending money to Africa average 9% of the transfer amount and costs of sending money between African countries average 10%, but they can exceed 15%. Mobile money has proven to be a game-changer if the regulatory conditions are right. M-Pesa is the lowest cost channel for sending money from Kenya to Tanzania and Rwanda at around 3% of the transaction value today.

https://businesstoday.co.ke/eabl-and-safaricom-launch-smart-fridges-to-track-beer-consumption/

Impact value: Informative

‘Talking Fridges’ to Monitor How Kenyans Consume Alcohol. Safaricom today officially announced a partnership with Kenya Breweries Limited (KBL) to connect and enhance its coolers in a high-tech development expected to transform how Kenyans take their alcohol.

https://businesstoday.co.ke/facebook-data-kenyans-targeted-government-freedom-of-speech/

Impact value: Informative

Beware! Facebook Posts Could Land You in Trouble with Government. Freedom of speech in Kenya is becoming one of the most abused rights and privileges by the government as it seeks to silence those with dissenting opinions and views. In its latest transparency report, Facebook claims that the Kenya government was on overdrive in the first half of 2019 demanding private information about Kenyan users on five different occasions.


Source 2: Standard Digital ( https://www.standardmedia.co.ke/ )

https://www.standardmedia.co.ke/business/article/2001350780/uber-banned-in-london

Impact value: Informative

Uber banned in London as authority cracks down on taxi app. Uber has been stripped of its London operating licence by Transport for London (TfL) this morning. TfL said it reached its decision after "several breaches that placed passengers and their safety at risk" were identified.

Source 3: Business Daily ( https://www.businessdailyafrica.com/ )

https://www.businessdailyafrica.com/corporate/tech/Insurers-bank-on-virtual-certificates/4258474-5356154-1djj5k/index.html

Impact value: Informative

Insurers bank on virtual certificates to help curb fraud. This shift to virtual certificates will help curb motor insurance fraud by ensuring that only one motor insurance certificate is issued per vehicle. Cases of double insurance, fake certificates and stolen insurance certificates will be eliminated. The virtual certificates will also save insurance companies the cost of physically delivering the certificates to their customers as they will receive the virtual motor insurance certificate on a digital platform.


Top Stories

Source 1: NBC News ( https://www.nbcnews.com/ )

https://www.nbcnews.com/tech/tech-news/venezuela-s-economy-struggles-some-its-citizens-turn-lucrative-gig-n1089701

Impact value: Informative

As Venezuela's economy struggles, some of its citizens turn to a lucrative gig: Cybercrime. Cybercrime is flourishing in Venezuela as the country’s deepening economic and political crisis drives thousands into the underground criminal world, according to a report released Thursday by IntSights, a global threat intelligence company.

Source 2: National Post ( https://nationalpost.com/ )

https://nationalpost.com/pmn/news-pmn/canada-news-pmn/cyberattack-prompts-indigenous-child-welfare-agency-in-manitoba-to-call-rcmp

Impact value: Informative

Cyberattack prompts Indigenous child welfare authority in Manitoba to call RCMP. An Indigenous child welfare authority in Manitoba has called in the RCMP after being hit by a cyberattack that’s corrupted its computer files and potentially compromised the privacy of its clients.

Source 3: Bleeping Computer ( https://www.bleepingcomputer.com/ )

https://www.bleepingcomputer.com/news/security/livingston-school-district-in-new-jersey-hit-with-ransomware/

Impact value: Informative

Livingston School District in New Jersey Hit With Ransomware. According to an email sent to parents on Friday and obtained by Bleeping Computer, the New Jersey school district was affected by a ransomware attack on November 21st, 2019. They had an outside security company do a full assessment of their systems. Based upon what they found, they can now confirm that their servers were hacked by an outside entity and infected with Ransomware, which is designed to encrypt data.


Source 4: New America ( https://www.newamerica.org/ )

https://www.newamerica.org/cybersecurity-initiative/digichina/blog/translation-chinas-cybersecurity-threat-information-publication-management-measures-draft-comment/

Impact value: Informative

Translation: China's 'Cybersecurity Threat Information Publication Management Measures (Draft for Comment)'. China's top cyberspace regulatory body, the Cyberspace Administration of China (CAC), on November 20 published a draft regulation on how Chinese businesses, organizations, and individuals are to handle cybersecurity threat disclosure.

Source 5: Business Insider ( https://www.businessinsider.com/ )

https://www.businessinsider.com/authorities-arrested-member-of-chuckling-squad-hacked-jack-dorsey-2019-11/?IR=T

Impact value: Informative

A member of the gang suspected of hacking Jack Dorsey's Twitter has been arrested. The alleged member was involved with the "Chuckling Squad," a group of hackers, and their takeover of Twitter CEO Jack Dorsey's account that resulted in offensive posts that included racial slurs, bomb threats, and anti-Semitism. One of the leaders of the group, who goes by the handle Debug, told Motherboard that the member was arrested approximately two weeks ago.

Source 6: ZDNet ( https://www.zdnet.com/ )

https://www.zdnet.com/article/renewed-calls-for-dedicated-australian-cyber-minister-and-cyber-leadership/

Impact value: Informative

Renewed calls for dedicated Australian cyber minister and cyber leadership. The Australian government should reinstate the position of Minister for Cybersecurity, according to multiple public submissions to the review of the nation's Cyber Security Strategy 2020.


System vulnerabilities

Source 1: Security Week ( https://www.securityweek.com/ )

https://www.securityweek.com/dozens-vulnerabilities-found-open-source-vnc-systems

Impact value: Informative

Dozens of Vulnerabilities Found in Open Source VNC Systems. Kaspersky researchers have identified dozens of vulnerabilities in four popular open source virtual network computing (VNC) systems, but fortunately the majority of them have been patched.

Source 2: CYWARE ( https://cyware.com/ )

https://cyware.com/news/waterloo-brewing-admits-to-having-lost-21-million-in-a-social-engineering-attack-73c15cf5

Impact value: High

Waterloo Brewing admits to having lost $2.1 million in a social engineering attack. The incident, which the company has described as a ‘social engineering cyberattack’, occurred early this month. The scammers behind the attack had impersonated a creditor employee and raised a fraudulent transfer request. The Kitchener-based beer maker Waterloo Brewing disclosed that it has lost $2.1 million in a recent cyberattack and there are no assurances that the company will recover all or even a portion of the fund.


Malware

Source 1: Unit 42 ( https://unit42.paloaltonetworks.com/ )

https://unit42.paloaltonetworks.com/trickbot-updates-password-grabber-module/

Impact value: Informative

Trickbot Updates Password Grabber Module. This module retrieves login credentials stored in a victim’s browser cache, and it also obtains login credentials from other applications installed on a victim’s host. The password grabber and some other Trickbot modules send stolen data using unencrypted HTTP over TCP port 8082 to an IP address used by Trickbot.

Source 2: Krebs on Security ( https://krebsonsecurity.com/ )

https://krebsonsecurity.com/2019/11/110-nursing-homes-cut-off-from-health-records-in-ransomware-attack/

Impact value: Critical

110 Nursing Homes Cut Off from Health Records in Ransomware Attack. A ransomware outbreak has besieged a Wisconsin based IT company that provides cloud data hosting, security and access management to more than 100 nursing homes across the United States. The ongoing attack is preventing these care centers from accessing crucial patient medical records, and the IT company’s owner says she fears this incident could soon lead not only to the closure of her business, but also to the untimely demise of some patients.


DDoS/Botnets

Source 1: ZDNet ( https://www.zdnet.com/ )

https://www.zdnet.com/article/new-roboto-botnet-emerges-targeting-linux-servers-running-webmin/

Impact value: Critical

New Roboto botnet emerges targeting Linux servers running Webmin. Security researchers have discovered a new peer-to-peer botnet dubbed Roboto that is targeting Linux servers running unpatched Webmin installs. The botnet supports seven functions: reverse shell, self-uninstall, gather process’ network information, gather bot information, execute system commands, run encrypted files specified in URLs, and DDoS attacks. Roboto spreads by exploiting the Webmin RCE vulnerability tracked as CVE-2019-15107.


Spam & Phishing

Source 1: Bleeping Computer ( https://www.bleepingcomputer.com/ )

https://www.bleepingcomputer.com/news/security/silly-phishing-spotlight-login-to-unblock-microsoft-excel/

Impact value: High

Silly Phishing Spotlight: Login to Unblock Microsoft Excel. As part of an ongoing series to educate users about some of the more silly phishing scams out there, Bleeping Computer brings a new one that states Excel is blocked unless you login and verify your details.


Web Security

Source 1: Wired ( https://www.wired.com/ )

https://www.wired.com/story/billion-records-exposed-online/

Impact value: High

1.2 Billion Records Found Exposed Online in a Single Server. In October, dark web researcher Vinny Troia found a trove sitting exposed and easily accessible on an unsecured server, comprising 4 terabytes of personal information about 1.2 billion records in all. It contains profiles of hundreds of millions of people that include home and cell phone numbers, associated social media profiles like Facebook, Twitter, LinkedIn, and Github, work histories seemingly scraped from LinkedIn, almost 50 million unique phone numbers, and 622 million unique email addresses.


Bulletins

Source 1: US-CERT - Security Bulletin Mailing List ( http://www.us-cert.gov/cas/bulletins/ )

https://www.us-cert.gov/ncas/bulletins/sb19-322

Vulnerability Summary for the Week of November 11, 2019. Recorded by National Institute of Standards and Technology and National Vulnerability.

Source 2: Oracle Security Bulletins ( http://www.oracle.com/technetwork/topics/security/alerts-086861.html )

https://www.oracle.com/security-alerts/cpuoct2019.html

Oracle Critical Patch Update Advisory - October 2019; advised action to run available security updates.

https://www.oracle.com/security-alerts/alert-cve-2019-2729.html

Oracle Security Alert Advisory - CVE-2019-2729. Deserialization vulnerability in Oracle WebLogic Server exploitable without authentication requirements; advised action to run security updates.

https://www.oracle.com/security-alerts/bulletinoct2019.html

Oracle Solaris Third Party Bulletin - October 2019; advised action to apply necessary patches.

https://www.oracle.com/security-alerts/linuxbulletinoct2019.html

Oracle Linux Bulletin - October 2019; advised action to apply necessary Oracle Linux Bulletin fixes.

https://www.oracle.com/security-alerts/public-vuln-to-advisory-mapping.html

Map of CVE to Advisory/Alert; advised action to apply the critical patch update for protection against known vulnerabilities.

https://www.oracle.com/security-alerts/linuxbulletinoct2019.html

Oracle VM Server for x86 Bulletin - October 2019; advised action to apply necessary Oracle VM Server for x86 Bulletin fixes.


Updates & Alerts

Source 1: Cisco Security Advisories & Alerts ( http://tools.cisco.com/security/center/publicationListing.x )

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191120-iosxr-ssh-bypass

Impact value: Medium

Cisco IOS XR Software NETCONF Over Secure Shell ACL Bypass Vulnerability. Due to a missing check in the NETCONF over SSH Access Control List (ACL), a successful exploit could allow an attacker to connect to the device on the NETCONF port.

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191112-asa-ftd-lua-rce

Impact value: High

Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Remote Code Execution Vulnerability. Due to insufficient restrictions on the allowed Lua function calls within the context of user-supplied Lua scripts, a remote attacker could execute arbitrary code with root privileges on the underlying Linux operating system of an affected device.


www.ke-cirt.go.ke