
Upload: dolien

Post on 04-Oct-2018


Table of Contents

1. Technology news and Security updates
1.1 Persistent EITest Malware Campaign Jumps from Angler to Neutrino
1.2 Three Exploit Kits Spreading Attacks for Recent Flash Player Zero Day
1.3 Microsoft Intensifies Fight Against Terrorism
1.4 GCHQ Infosec group disclosed kernel privilege exploit to Apple
1.5 Govt commits to ICT access in schools
1.6 iOS Update Causes New Bricking Problem, This Time With iPad Pro 9.7
1.7 The one thing you must do to avoid being scammed at an ATM in South Africa
1.8 Cyber thieves exploit bank’s faith in SWIFT
1.9 Organizations unprepared for employee-caused security incidents

2. Cybercrime and Intelligence in the news
2.1 Drupal websites hacked using SQL injection flaw
2.2 China-Linked Attackers Target Indian Embassies Worldwide
2.3 Attack on Swiss Defense Firm Linked to Turla Cyberspies
2.4 Dimension Data eyes Kenya cyber security contracts
2.5 Hackers Destroy Fur Affinity Art Gallery Website
2.6 Hackers Target Multiple Middle East Banks

3. Technical Security Alerts
3.1 Vulnerabilities, Malware and exploits

1. Technology news and Security updates:

1.1 Persistent EITest Malware Campaign Jumps from Angler to Neutrino

A two-year-old EITest malware campaign is still going strong, fuelled by the fact that it has shifted its distribution technique over time. Now researchers at the SANS Institute’s Internet Storm Center are reporting that EITest is morphing again, based on analysis of the malware campaign conducted earlier this month.

According to researcher Brad Duncan, the EITest malware campaign is being refuelled by a shift from the Angler exploit kit to the Neutrino exploit kit.

“During its run, I had only noticed the EITest campaign use Angler EK to distribute a variety of malware payloads. That changed earlier this month, when I noticed an EITest gate leading to Neutrino EK instead of Angler,” Duncan wrote in an Internet Storm Center post.

Source: https://threatpost.com/persistent-eitest-malware-campaign-jumps-from-angler-to-neutrino/118249/

1.2 Three Exploit Kits Spreading Attacks for Recent Flash Player Zero Day

Exploits for the most recent Adobe Flash Player zero-day vulnerability have been integrated into the Angler, Neutrino and Magnitude exploit kits, and are leading compromised computers to different ransomware strains, banking malware and a credential-stealing Trojan.

A French researcher who goes by the handle Kafeine told Threatpost that Neutrino has embedded a working exploit for CVE-2016-4117, while Magnitude has not fully implemented the exploit.

Kafeine this morning also confirmed that the Angler Exploit Kit has integrated the same Flash zero-day exploit. The Angler exploits, however, are dropping the Dridex banking Trojan. Dridex has primarily spread through spam and phishing emails, using malicious macros embedded in Office documents to download the Trojan.

Kafeine said that Magnitude is firing exploits for Flash Player up to version 21.0.0.213, but the payloads are not executing, despite the presence of references to the vulnerable code. It could be that the exploit was not implemented correctly; Kafeine said that as of this morning the payloads were not working.

Source: https://threatpost.com/two-exploit-kits-spreading-attacks-for-recent-flash-player-zero-day/118236/

1.3 Microsoft Intensifies Fight Against Terrorism

Microsoft has detailed some of the steps it is taking to combat terrorism, which include removing terrorist content from its services and partnering with others to meet the challenges presented by terrorists’ use of the Internet.

The Internet has proven to be an effective channel for terrorist groups to promote violence and to recruit more people for their causes, and Microsoft is one of the tech companies reacting to this issue. Evolving technology is demanding new measures to combat terrorism, and Microsoft notes that the Internet has already shown that it can be used for the worst reasons imaginable.

In a blog post, Microsoft explains that its services are meant to empower people, not to contribute to terrible acts, but that the company is also focused on promoting values such as privacy, freedom of expression and the right to access information. Thus, one of the main changes the company has made involves the removal of terrorist content from its services, including hosting services.

Source: http://www.securityweek.com/microsoft-intensifies-fight-against-terrorism

1.4 GCHQ Infosec group disclosed kernel privilege exploit to Apple

The Communications-Electronics Security Group (CESG), the information security arm of GCHQ, was credited with the discovery of two vulnerabilities that were patched by Apple last week.

The flaws could allow an attacker to corrupt memory and cause a denial of service through a crafted app, or to execute arbitrary code in a privileged context.

The memory-handling vulnerabilities (CVE-2016-1822 and CVE-2016-1829) affect OS X El Capitan v10.11 and later, according to Apple's Security Update 2016-003. The memory corruption vulnerabilities allowed attackers to execute arbitrary code with kernel privileges.

The disclosure raises questions about the use of zero-day exploits by the U.K.'s GCHQ and by intelligence agencies internationally. Information security professionals see competing priorities in how intelligence agencies make use of the vulnerabilities they find: disclosing them to the vendor, as here, or retaining them for operational use.

Source: http://www.scmagazine.com/gchq-infosec-group-disclosed-kernel-privilege-exploit-to-apple/article/498288/

1.5 Govt commits to ICT access in schools

Government is determined to ensure the country's schools have access to smart technologies to facilitate training for learners and teachers in critical ICT skills. This is the word from telecoms minister Siyabonga Cwele, who noted South Africans need to understand that ICT has become an enabler of economic development and social inclusion.

Cwele's comments follow the handing over of a connected mobile ICT lab to the Dennis A Mokoma Secondary School in Mabopane, Tshwane.

"This modern mobile ICT lab will enable our learners to access educational content, provide them with connectivity to the Internet and assist with facilitating training and learning," according to Cwele. "Our former president Nelson Mandela understood we need to ensure all our people have access to an Internet connection, particularly those who come from the townships and rural areas."

Source: http://www.itweb.co.za/index.php?option=com_content&view=article&id=152827:Govt-commits-to-ICT-access-in-schools

1.6 iOS Update Causes New Bricking Problem, This Time With iPad Pro 9.7

Apple has pulled back a recent update to its iOS 9 operating system after some iPad Pro 9.7 owners reported disabled tablets after their devices were updated to the company's iOS 9.3.2 release.

An Apple spokesman confirmed the problem and the pullback of the iOS update in a May 23 reply to an email inquiry from eWEEK.

"We're working on a fix for an issue impacting a small number of iPad units that are receiving an error when trying to update the software," the spokesman told eWEEK. "We'll issue an update as quickly as possible."

The iOS 9.3.2 update was causing owners of some iPad Pro 9.7 tablets to lose the use of their devices, which were essentially "bricked," or left useless after the patch was installed. Apple initially said it was looking into the issue after receiving "a small number of reports" about the problem.

Source: http://www.eweek.com/mobile/ios-update-causes-new-bricking-problem-this-time-with-ipad-pro-9.7.html

1.7 The one thing you must do to avoid being scammed at an ATM in South Africa

The South African Banking Risk Information Centre (Sabric) has warned that the prevalence of cybercrime is increasing, and that people are defrauded of millions each year.

“It affects business sectors and consumers, and this has called on security measures to be put in place to protect assets and important information,” said Kalyani Pillay, Sabric CEO.

“The responsibility of protecting yourself against cybercrime and increasing your cybersecurity lies with every single one of us.”

FNB, Capitec and Nedbank provided advice on how to avoid falling prey to criminals targeting ATMs, and all stated that you should never allow anyone near you, your bank card or the ATM while you are withdrawing money.

Source: http://mybroadband.co.za/news/banking/164860-the-one-thing-you-must-do-to-avoid-being-scammed-at-an-atm-in-south-africa.html

1.8 Cyber thieves exploit bank’s faith in SWIFT

Shortly after 7pm on 12 January 2015, a message from a secure computer terminal at Banco del Austro (BDA) in Ecuador instructed San Francisco-based Wells Fargo to transfer money to bank accounts in Hong Kong. Wells Fargo complied. Over 10 days, Wells Fargo approved a total of at least 12 transfers of BDA funds requested over the secure SWIFT system.

The SWIFT network, which allows banks to process billions of dollars in transfers each day, is considered the backbone of international banking. In all, Wells Fargo transferred $12 million of BDA's money to accounts across the globe.

Both banks now believe those funds were stolen by unidentified hackers, according to documents in a BDA lawsuit filed against Wells Fargo in New York this year.

Source: http://news.softpedia.com/news/african-hacker-phished-his-way-into-2-million-worth-of-airline-tickets-504353.shtml

1.9 Organizations unprepared for employee-caused security incidents

While employee-related security risks are the number-one concern for security professionals, organizations are not taking adequate steps to prevent negligent employee behavior, according to a new Ponemon Institute study.

The study, Managing Insider Risk Through Training & Culture, asked more than 600 individuals at companies that currently have a data protection and privacy training program to weigh in on the topic of negligent and malicious employee behaviors, as well as the consequences of poor security conduct and the effectiveness of training.

The study found that 55 percent of companies surveyed have already experienced a security incident due to a malicious or negligent employee. However, despite investment in employee training and other efforts to reduce careless behavior in the handling of sensitive and confidential information, the majority of companies do not believe that their employees are knowledgeable about the company’s security risks.

Source: https://www.helpnetsecurity.com/2016/05/23/employee-caused-security-incidents/

2. Cybercrime and Intelligence in the news:

2.1. Drupal websites hacked using SQL injection flaw

Hackers have attacked hundreds of Drupal websites, installing ransomware that hijacks the website’s main page. Softpedia reported that the attackers exploited a two-year-old SQL injection vulnerability in Drupal.

Drupal website owners said their websites were locked, with the message:

“Website is locked. Please transfer 1.4 BitCoin to address 3M6SQh8Q6d2j1B4JRCe2ESRLHT4vTDbSM9 to unlock content.”

“The attacker’s scanning bot extracts the Drupal site’s version, then uses the CVE-2014-3704 vulnerability to break into the affected websites and change the admin user’s password,” reported Softpedia.

Source: http://mybroadband.co.za/news/security/165852-drupal-websites-hacked-using-sql-injection-flaw.html

2.2. China-Linked Attackers Target Indian Embassies Worldwide

A threat group first analyzed more than two years ago has continued to improve its malware arsenal and was recently observed targeting personnel at Indian embassies worldwide.

The actor’s activities were brought to light in late 2013 by FireEye. The security firm had analyzed a campaign aimed at foreign affairs ministries in Europe, which it dubbed “Operation Ke3chang.”

FireEye linked the attackers to China and determined that they had been active since at least 2010. At the time of the initial analysis, the group had been using three pieces of malware named by researchers BS2005, BMW and MyWeb.

Source: http://www.securityweek.com/china-linked-attackers-target-indian-embassies-worldwide

2.3. Attack on Swiss Defense Firm Linked to Turla Cyberspies

The recent cyber espionage attack aimed at Swiss defense firm RUAG was carried out by the Russia-linked threat group known as Turla, according to a report commissioned by the Swiss government.

RUAG is a Bern-based technology company owned by the Swiss government. The organization specializes in aviation, space and defense, with products ranging from satellite equipment to ammunition.

News of a cyberattack on RUAG came to light earlier this month when Switzerland’s Defense Minister Guy Parmelin revealed that his ministry was targeted by malicious actors in January while he was attending the World Economic Forum. Parmelin said at the time that the government was investigating a possible connection between the attack on the country’s Department of Defense and an attack on RUAG.

Source: http://www.securityweek.com/attack-swiss-defense-firm-linked-turla-cyberspies

2.4. Dimension Data eyes Kenya cyber security contracts

South African IT infrastructure firm Dimension Data is offering remote security services to Kenyan companies such as banks and others that handle high-risk data, Business Daily reported. It has launched its Managed Security Services (MSS), which eliminates the need for its clients to invest heavily in in-house security experts and helps them establish regulatory compliance.

Joseph Kairigo, MD of Dimension Data East Africa, said rates depend on the number of machines or servers that are remotely monitored and on the sensitivity of the data. To fend off competition, the company will rely on its professional security services team across the Middle East and Africa to deliver the service from its Security Operation Centres (SOCs).

MSS is able to capture live logs and send alerts on manipulation of electronic files and on any attempts to circumvent IT controls. The service offloads the burden of network monitoring, advanced security analysis and global intelligence correlation.

Source: http://www.telecompaper.com/news/dimension-data-eyes-kenya-cyber-security-contracts-2--1144714

2.5. Hackers Destroy Fur Affinity Art Gallery Website

Hackers targeted the Fur Affinity art gallery website and deleted everything; thanks to a backup, the site is up and running once again.

A well-known and widely followed online hub of the furry community, Fur Affinity, disappeared from the web. The furry community is a group of people with a keen interest in anthropomorphic animal characters such as foxes and wolves. The hackers wiped all content, including art submissions and user profiles, from the Fur Affinity website, which is an online gallery that allows users to upload music, art and written content.

It is quite possible that they also stole email addresses and hashed passwords. The website’s self-proclaimed Director of Operations, who uses the nickname Chase, stated in an announcement on the site’s discussion forum that “the attackers [gained] access to personal user data, such as encrypted passwords and email addresses.”

Source: https://www.hackread.com/hackers-destroy-fur-affinity-website/

2.6. Hackers Target Multiple Middle East Banks

Hackers have been found scoping out banks throughout the Middle East in an apparent reconnaissance mission ahead of a major offensive.

According to FireEye researchers, in the first week of May 2016 FireEye’s Dynamic Threat Intelligence (DTI) identified a wave of emails containing malicious attachments being sent to multiple banks in the Middle East region. The final payload is a script that collects information from the infected system, including the currently logged-on user, the hostname, network configuration data, user and group accounts, local and domain administrator accounts, running processes and other data.

It is likely this information will be used to architect and mount a wider and more damaging campaign.

The attackers sent multiple emails containing macro-enabled Excel spreadsheet files to employees. The themes of the messages used in the attacks relate to IT infrastructure, such as a log of “Server Status Reports” or a list of Cisco IronPort appliance details. Notably, the macro will run successfully only on Windows Vista and later versions of the operating system.

“In one case, the content of the email appeared to be a legitimate email conversation between several employees, even containing contact details of employees from several banks,” FireEye noted. “This email was then forwarded to several people, with the malicious Excel file attached.”

Source: http://www.infosecurity-magazine.com/news/hackers-target-multiple-middle/
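The delivery vector above is a macro-enabled Excel workbook, and the first thing a mail gateway or responder can check is whether an attachment actually carries a VBA project, regardless of what its extension claims. The check below is an added example written for this bulletin; it is not FireEye's code and does not reproduce the attackers' macro. It relies on a documented property of the Office Open XML format: an .xlsm is a ZIP package whose macro code is stored in the part xl/vbaProject.bin, declared in [Content_Types].xml with the content type application/vnd.ms-office.vbaProject. The sample "attachments" are constructed in memory so the script runs offline; the filenames echo the lure themes in the report but are not real samples.

```python
"""Flag spreadsheet attachments that carry a VBA project.

Added example, not from the FireEye report or the original bulletin. An .xlsm
is a ZIP package: the macro code is stored in xl/vbaProject.bin and the
package's [Content_Types].xml declares that part. The sample attachments are
constructed in memory so the check runs offline; no real samples are used.
"""
import io
import zipfile
from typing import Dict, Iterable, List, Tuple

VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .xls / .doc container


def inspect_attachment(data: bytes) -> Dict[str, object]:
    """Return findings for one attachment body; malformed input is reported, not raised."""
    findings: Dict[str, object] = {
        "container": "unknown", "vba_part": None, "vba_declared": False, "has_macro": False,
    }
    if data.startswith(OLE2_MAGIC):
        # Legacy binary .xls needs an OLE2 parser (e.g. olefile/oletools); out of scope here.
        findings["container"] = "ole2"
        return findings
    if not data.startswith(b"PK\x03\x04"):
        return findings
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            findings["container"] = "ooxml" if "[Content_Types].xml" in names else "zip"
            for name in names:
                if name.lower().endswith("vbaproject.bin"):
                    findings["vba_part"] = name
            if findings["container"] == "ooxml":
                content_types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
                findings["vba_declared"] = VBA_CONTENT_TYPE in content_types
    except zipfile.BadZipFile:
        return findings
    findings["has_macro"] = findings["vba_part"] is not None or bool(findings["vba_declared"])
    return findings


def triage_attachments(attachments: Iterable[Tuple[str, bytes]]) -> List[Tuple[str, str]]:
    """(filename, body) pairs in; (filename, reason) pairs to quarantine out."""
    flagged: List[Tuple[str, str]] = []
    for filename, body in attachments:
        f = inspect_attachment(body)
        ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
        if f["has_macro"]:
            if ext in ("xlsx", "docx", "pptx"):
                flagged.append((filename, "VBA project inside a file claiming a macro-free extension"))
            else:
                flagged.append((filename, "VBA project present"))
        elif f["container"] == "ole2":
            flagged.append((filename, "legacy OLE2 document; needs macro inspection"))
    return flagged


def build_sample(with_macro: bool) -> bytes:
    """Constructed minimal workbook package; with_macro adds the part an .xlsm carries."""
    main_ct = ("application/vnd.ms-excel.sheet.macroEnabled.main+xml" if with_macro
               else "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml")
    overrides = f'<Override PartName="/xl/workbook.xml" ContentType="{main_ct}"/>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        if with_macro:
            overrides += f'<Override PartName="/xl/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>'
            zf.writestr("xl/vbaProject.bin", OLE2_MAGIC + b"placeholder")  # real part is an OLE2 stream
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0" encoding="UTF-8"?>'
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                    f"{overrides}</Types>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
    return buf.getvalue()


if __name__ == "__main__":
    mailbox = [
        ("Server Status Report.xlsm", build_sample(True)),
        ("IronPort appliance list.xlsx", build_sample(True)),   # macro hidden behind a .xlsx name
        ("quarterly figures.xlsx", build_sample(False)),
        ("notes.txt", b"plain text"),
    ]
    for name, reason in triage_attachments(mailbox):
        print(f"QUARANTINE {name}: {reason}")
```

The check looks at the container, not the filename, so a macro-bearing package renamed to .xlsx is still caught, and a legacy OLE2 .xls is handed to a separate inspection path rather than silently passed. It does not parse the VBA itself; for that, tools such as oletools are the usual next step.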

3. Technical Security Alerts:

Technical security alerts cover current security issues, vulnerabilities, malware and exploits, and are provided proactively to give timely information about their impact, propagation and remediation. The information is collected so that technical teams can protect their infrastructure environments.

3.1 Vulnerabilities, Malware and exploits

The entries below list the recent vulnerabilities, malware and exploits identified by the ICT Security Monitoring Services team for today. Each entry records the name and source, a description, the propagation (how it is exploited), the technologies and software affected, the remedy and the severity.

Name: Cisco Prime Infrastructure and Cisco Evolved Programmable Network Manager JSON Privilege Escalation Vulnerability
Source: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160523-pi-epnm

Description: A vulnerability in the application programming interface (API) web interface of Cisco Prime Infrastructure and Cisco Evolved Programmable Network Manager could allow an authenticated, remote attacker to perform privilege escalation on the affected device.

Propagation: The vulnerability is due to incorrect role-based access control (RBAC) evaluation when a low-privileged user requests a web page or service that should be restricted. An attacker could exploit this vulnerability by performing reconnaissance against the application's web pages and services to identify potential devices of interest.

Technologies and software affected:
Cisco Prime Infrastructure prior to version 3.1
Cisco Evolved Programmable Network Manager prior to version 1.2.4

Remedy: Cisco has released software updates that address this vulnerability.

Severity: Medium Risk
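The failure class in the Cisco entry, a restricted page or API route that a low-privileged user can still reach because the RBAC check does not cover it, is easiest to see beside the design that avoids it. The script below is an added example for this bulletin, not Cisco's code; the roles, URL paths and probe list are hypothetical. It contrasts a deny-list authorizer (only routes somebody remembered to list are restricted) with a deny-by-default allow-list, and walks a candidate route list the way the advisory's reconnaissance step would.

```python
"""Allow-list versus deny-list route authorization.

Added example of the RBAC-evaluation failure class described in the Cisco entry
above; this is not Cisco's code, and the roles and URL paths are hypothetical.
"""
from fnmatch import fnmatchcase
from typing import Callable, Dict, Iterable, List, Set

# Hypothetical roles and route grants. fnmatch-style '*' matches across '/' too.
ALLOW_LIST: Dict[str, List[str]] = {
    "viewer":   ["/ui/dashboard", "/api/v1/inventory", "/api/v1/inventory/*"],
    "operator": ["/ui/dashboard", "/ui/jobs/*", "/api/v1/inventory*", "/api/v1/jobs/*"],
    "admin":    ["/*"],
}

# The pattern that fails: only routes somebody remembered to list are restricted.
DENY_LIST: Dict[str, Set[str]] = {
    "/ui/admin/*":     {"admin"},
    "/api/v1/users/*": {"admin"},
}


def authorize_deny_list(role: str, path: str) -> bool:
    """Restrict listed routes, allow everything else. A new privileged route, or an
    API path that mirrors a restricted page, stays open until someone lists it."""
    for pattern, allowed_roles in DENY_LIST.items():
        if fnmatchcase(path, pattern):
            return role in allowed_roles
    return True


def authorize_allow_list(role: str, path: str) -> bool:
    """Deny by default: a role reaches a route only if one of its grants matches."""
    return any(fnmatchcase(path, pattern) for pattern in ALLOW_LIST.get(role, []))


def reachable(authorize: Callable[[str, str], bool], role: str,
              candidate_paths: Iterable[str]) -> List[str]:
    """What a low-privileged account finds by walking candidate routes (the
    reconnaissance step the advisory describes) under a given authorizer."""
    return [p for p in candidate_paths if authorize(role, p)]


# Constructed probe list a scanner might try against the web interface.
PROBES = [
    "/ui/dashboard",
    "/ui/admin/settings",
    "/api/v1/inventory/42",
    "/api/v1/users/1",
    "/api/v1/devices/credentials",   # privileged API route nobody put on the deny list
    "/api/v1/jobs/export",
]

if __name__ == "__main__":
    for name, fn in (("deny-list", authorize_deny_list), ("allow-list", authorize_allow_list)):
        print(f"{name}: viewer reaches {reachable(fn, 'viewer', PROBES)}")
```

Under the deny-list authorizer the viewer reaches the hypothetical credentials route because no rule mentions it; under the allow-list it reaches only the two routes the viewer role was granted. The same contrast applies to the advisory's remedy: the fix is to evaluate every request against the role's grants, not to add one more path to a restricted list.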

Name: Adobe Flash Player and AIR MSIMB32.dll DLL Load Remote Code Execution Vulnerability
Source: https://tools.cisco.com/security/center/viewAlert.x?alertId=46342
Vendor announcements: Red Hat has released multiple CVE statements and a security advisory for bug 1335058 at the following link: CVE-2016-4116 and RHSA-2016-1079.

Description: A vulnerability in Adobe Flash Player and AIR could allow an unauthenticated, remote attacker to execute arbitrary code.

Propagation: An unauthenticated, remote attacker could exploit this vulnerability by persuading a user to access a malicious link designed with crafted Flash content. Processing such Flash content could cause the MSIMB32.dll library to load an arbitrary DLL file, which could allow the attacker to execute arbitrary code on the system in the context of the browser.

Technologies and software affected:
Flash Player Desktop Runtime versions 21.0.0.226 and prior for Windows and Macintosh
Flash Player Extended Support Release versions 18.0.0.343 and prior for Windows and Macintosh
Flash Player versions 11.2.202.616 and prior for Linux
AIR Desktop Runtime versions 21.0.0.198 and prior
AIR SDK versions 21.0.0.198 and prior
AIR SDK & Compiler versions 21.0.0.198 and prior

Remedy: Adobe has released software updates.

Severity: Critical Risk
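The affected-version list in the Flash entry is only useful if it is applied to an inventory, and Flash builds are awkward to compare because three release branches (21.x Desktop Runtime, 18.x Extended Support Release, 11.2.x Linux) carry different ceilings. The script below is an added example for this bulletin, not Adobe's or Cisco's material: it copies the ceilings from the entry, parses four-part build numbers, matches each build to its branch and flags those at or below the ceiling. Anything the entry does not cover (another platform, or a branch it does not name) is returned for manual review rather than marked safe. The inventory format and host names are constructed; the 21.0.0.213 entry is the build the Magnitude kit was reported exploiting in item 1.2.

```python
"""Affected-version check for the Adobe Flash Player and AIR alert.

Added example, not part of the original bulletin. The ceilings below are
copied from the alert's "Technologies and software affected" list; the
inventory lines at the bottom are constructed sample data.
"""
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int, int]

# Builds at or below these ceilings are in the affected range. Keyed by
# (product, platform); the first number of each ceiling identifies the branch
# (21.x Desktop Runtime, 18.x Extended Support Release, 11.2.x Linux).
AFFECTED_CEILINGS: Dict[Tuple[str, str], List[Version]] = {
    ("flash-player", "windows"):   [(21, 0, 0, 226), (18, 0, 0, 343)],
    ("flash-player", "macintosh"): [(21, 0, 0, 226), (18, 0, 0, 343)],
    ("flash-player", "linux"):     [(11, 2, 202, 616)],
    ("air", "windows"):            [(21, 0, 0, 198)],
    ("air", "macintosh"):          [(21, 0, 0, 198)],
}


def parse_version(text: str) -> Version:
    """Parse 'a.b.c.d' into a comparable tuple; reject anything else loudly."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-part build number: {text!r}")
    a, b, c, d = (int(p) for p in parts)
    return (a, b, c, d)


def is_affected(product: str, platform: str, version: str) -> Optional[bool]:
    """True: at or below an affected ceiling. False: above the ceiling for its
    branch. None: product/platform or branch not covered by the alert, which a
    triage process should treat as 'review manually', not as safe."""
    ceilings = AFFECTED_CEILINGS.get((product.lower(), platform.lower()))
    if ceilings is None:
        return None
    v = parse_version(version)
    for ceiling in ceilings:
        if v[0] == ceiling[0]:          # same release branch as this ceiling
            return v <= ceiling         # tuple comparison is component-wise
    return None


def triage(inventory_lines: List[str]) -> Dict[str, List[str]]:
    """inventory_lines: 'host,product,platform,version' records (constructed format)."""
    result: Dict[str, List[str]] = {"vulnerable": [], "patched": [], "review": []}
    for line in inventory_lines:
        host, product, platform, version = (f.strip() for f in line.split(","))
        verdict = is_affected(product, platform, version)
        bucket = "review" if verdict is None else ("vulnerable" if verdict else "patched")
        result[bucket].append(host)
    return result


# Constructed sample inventory (not real hosts).
SAMPLE_INVENTORY = [
    "ws-01, flash-player, windows, 21.0.0.213",       # build Magnitude was seen exploiting (item 1.2)
    "ws-02, flash-player, windows, 21.0.0.242",       # above the 21.x ceiling
    "ws-03, flash-player, macintosh, 18.0.0.343",     # ESR build at the ceiling: affected
    "srv-01, flash-player, linux, 11.2.202.621",      # above the Linux ceiling
    "dev-01, air, windows, 21.0.0.198",               # AIR at the ceiling: affected
    "kiosk-01, flash-player, solaris, 11.2.202.616",  # platform not in the alert: review
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Comparing as integer tuples rather than strings matters here: as strings, "21.0.0.9" would sort above "21.0.0.226". The AIR SDK and SDK & Compiler lines share the AIR Desktop Runtime ceiling and are folded into the "air" key.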

End: