NATIONAL KE-CIRT/CC CYBERSECURITY UPDATES 28th October 2019

NATIONAL KE-CIRT/CC CYBERSECURITY UPDATES 28th October … · 2019-11-01 · Summary Headlines Impact Metric Against Count of Events Critical High Medium Informative Regional Highlights


Summary Headlines

Impact Metric Against Count of Events

Category                 Critical  High  Medium  Informative
Regional Highlights      0         0     0       2
Top Stories              0         0     0       3
System vulnerabilities   0         2     0       0
Malware                  0         3     0       0
DDoS/Botnets             0         1     0       0
Spam & phishing          0         2     0       0
Web Security             0         1     0       0
Updates & alerts         0         2     0       0


Regional Highlights

Source 1: Business Today ( https://businesstoday.co.ke/ )

https://businesstoday.co.ke/data-protection-laws-in-kenya/
Impact value: Informative

Data Protection and the Quest for Privacy. Kenya Parliament is debating the crucial Data Protection Bill. This process must be very transparent and participatory because the Bill has significant effects on the right to privacy of the people of Kenya.

https://businesstoday.co.ke/fraudsters-to-fight-harder-for-vehicle-insurance-cake/
Impact value: Informative

Fraudsters to Fight Harder for Vehicle Insurance Cake. Over 25% of Kenya’s insurance industry income is fraudulently claimed, leading to insurers incurring heavy losses. To counter this, Kenindia Assurance has taken steps to curb the fraud by incorporating Artificial Intelligence (AI) in its motor insurance claim processes.


Top Stories

Source 1: CYWARE ( https://cyware.com/ )

https://cyware.com/news/new-study-warns-that-smart-light-bulbs-could-allow-hackers-to-steal-your-personal-data-dbc53e87
Impact value: Informative

New study warns that smart light bulbs could allow hackers to steal your personal data. A new study has revealed that smart light bulbs can be hacked to steal users’ personal data. The hack misuses the infrared capabilities of the targeted bulb to either steal data or spoof other connected Internet of Things (IoT) devices on the home network.

Source 2: Nextgov ( https://www.nextgov.com/ )

https://www.nextgov.com/cio-briefing/2019/10/white-house-tech-chiefs-preview-2020-cyber-initiatives/160857/
Impact value: Informative

White House Tech Chiefs Preview 2020 Cyber Initiatives. As reported, the White House plans to explore a number of technologies and protocols for keeping unauthorized individuals out of government systems. Over the next year, agencies can expect to see a big push for identity management protocols, network monitoring tools and supply chain security policies.

Source 3: isBuzzNews ( https://www.informationsecuritybuzz.com/ )

https://www.informationsecuritybuzz.com/study-research/prepare-for-a-new-cyber-cold-war-in-2020-warns-check-point/
Impact value: Informative

Prepare For A New Cyber Cold War In 2020, Warns Check Point. The leading cyber-security vendor predicts that nation-state sponsored cyber-attacks will escalate against governments, critical infrastructure and high-profile businesses as international tensions increase. Check Point's global cybersecurity predictions for 2020 are: an escalation of a new cyber cold war, fake news 2.0 at the U.S. 2020 elections, and cyber attacks on utilities and critical infrastructures.


System vulnerabilities

Source 1: The Guardian ( https://www.theguardian.com/ )

https://www.theguardian.com/technology/2019/oct/25/7-eleven-fuel-app-data-breach-exposes-users-personal-details
Impact value: High

7-Eleven fuel app data breach exposes users' personal details. A technical issue in the popular petrol-buying app run by 7-Eleven has exposed the personal details of customers. The issue allowed customers to view the names, email addresses, mobile numbers and dates of birth of other users. Upon discovery, the firm took the app offline and rectified the issue. 7-Eleven has informed Australian law enforcement agencies about the breach.

Source 2: Dark Reading ( https://www.darkreading.com/ )

https://www.darkreading.com/mobile/apple-boots-17-trojan-laden-apps-from-mobile-store/d/d-id/1336168
Impact value: High

Apple Boots 17 Trojan-Laden Apps From Mobile Store. Apple has removed 17 malicious apps from its App Store after they were reported to be infected with malware. These apps were found to contain clicker trojan malware designed to generate revenue for their developers. The list of infected apps included productivity, travel, platform utility, a restaurant finder, and video-editing apps from India-based AppAspect Technologies.


Malware

Source 1: Vice ( https://www.vice.com/ )

https://www.vice.com/en_au/article/7x5ddg/malware-that-spits-cash-out-of-atms-has-spread-across-the-world
Impact value: High

Malware That Spits Cash Out of ATMs Has Spread Across the World. A new piece of malware named ‘Cutlet Maker’, designed to make ATMs eject all of the money inside them, was found to have helped cybercriminals steal over $1.5 million from different ATMs in Germany between February and November 2017. One of the major impacted banks was Santander. The bank used old and slow Windows systems, thus enabling the cybercriminals to hijack ATMs.

Source 2: Bleeping Computer ( https://www.bleepingcomputer.com/ )

https://www.bleepingcomputer.com/news/security/new-fuxsocy-ransomware-impersonates-the-notorious-cerber/
Impact value: High

New FuxSocy Ransomware Impersonates the Notorious Cerber. A new ransomware called FuxSocy has been discovered that borrows much of its behaviour from the notorious and now-defunct Cerber Ransomware. It attempts to block users from running the ransomware on a virtual machine by looking for given processes and files.

Source 3: Security Affairs ( https://securityaffairs.co/ )

https://securityaffairs.co/wordpress/93040/malware/trialworks-ransomware-attack.html
Impact value: High

Ransomware hit TrialWorks, law firms and lawyers were not able to access court documents. TrialWorks, one of the most established providers of legal case management software for law firms and attorneys, was hit by ransomware.


DDoS/Botnets

Source 1: My Broadband ( https://mybroadband.co.za/ )

https://mybroadband.co.za/news/security/324955-massive-ddos-attack-affects-afrihost.html
Impact value: High

Massive DDoS attack affects Afrihost. A large Distributed Denial of Service (DDoS) attack is impacting Afrihost and other Internet service providers in South Africa. The latest DDoS attack follows a large attack on local banks which caused service disruptions in some cases. Afrihost said its own technical staff and those from Echotel and Liquid Telecom are working on mitigating this attack as effectively and quickly as possible.


Spam & Phishing

Source 1: Yahoo Finance ( https://finance.yahoo.com/ )

https://finance.yahoo.com/news/scammers-fake-jeremy-clarkson-ad-150049196.html
Impact value: High

Scammers use fake Jeremy Clarkson ad in Bitcoin scam. Fraudsters are using ads featuring a fake Jeremy Clarkson endorsement as part of a Bitcoin scam. The adverts plug a company called Bitcoin Revolution and are designed to look like a news article about people who have had enormous success trading crypto.

Source 2: Bleeping Computer ( https://www.bleepingcomputer.com/ )

https://www.bleepingcomputer.com/news/security/cash-app-scammers-deal-their-cons-on-twitter-instagram-youtube/
Impact value: High

Cash App Scammers Deal Their Cons on Twitter, Instagram, YouTube. Scammers are taking advantage of the legitimate ‘free money’ campaigns for the Cash App peer-to-peer payment service to target Twitter, Instagram, and YouTube users. The scam works with fake promises to users of financial gains. They ask Cash App users to send small amounts between $10 and $1000 with a pledge of returning huge sums which are even ten times higher. The scammers leverage the #CashApp hashtag to promote their scam. Apart from money, the scam also works with gift cards.


Web Security

Source 1: TNW ( https://thenextweb.com/ )

https://thenextweb.com/dd/2019/10/27/hackers-are-using-a-bug-in-php7-to-remotely-hijack-web-servers/
Impact value: High

Hackers are using a bug in PHP7 to remotely hijack web servers. The remote code execution vulnerability, identified as CVE-2019-11043, enables an attacker to force a remote web server to execute their own arbitrary code simply by accessing a crafted URL. The attacker only needs to add “?a=” to the website address, followed by their payload.


Bulletins

Source 1: US-CERT - Security Bulletin Mailing List ( http://www.us-cert.gov/cas/bulletins/ )

https://www.us-cert.gov/ncas/bulletins/sb19-294

Vulnerability Summary for the Week of October 14, 2019. Recorded by National Institute of Standards and Technology and National Vulnerability.

Source 2: Oracle Security Bulletins ( http://www.oracle.com/technetwork/topics/security/alerts-086861.html )

https://www.oracle.com/security-alerts/cpuoct2019.html
Oracle Critical Patch Update Pre-Release Announcement - October 2019; advised action to run available security updates.

https://www.oracle.com/security-alerts/alert-cve-2019-2729.html
Oracle Security Alert Advisory - CVE-2019-2729. Deserialization vulnerability in Oracle WebLogic Server exploitable without authentication requirements; advised action to run security updates.

https://www.oracle.com/security-alerts/bulletinoct2019.html
Oracle Solaris Third Party Bulletin - October 2019; advised action to apply necessary patches.

https://www.oracle.com/security-alerts/linuxbulletinoct2019.html
Oracle Linux Bulletin - October 2019; advised action to apply necessary Oracle Linux Bulletin fixes.

https://www.oracle.com/security-alerts/public-vuln-to-advisory-mapping.html
Map of CVE to Advisory/Alert; advised action to apply the critical patch update for protection against known vulnerabilities.

https://www.oracle.com/security-alerts/ovmbulletinoct2019.html
Oracle VM Server for x86 Bulletin - October 2019; advised action to apply necessary Oracle VM Server for x86 Bulletin fixes.


Updates & Alerts

Source 1: Cisco Security Advisories & Alerts ( http://tools.cisco.com/security/center/publicationListing.x )

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191002-fmc-rce
Impact value: High

Cisco Firepower Management Centre Remote Code Execution Vulnerability. Due to insufficient input validation, an attacker could execute arbitrary commands within the affected device.

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191002-fmc-com-inj
Impact value: High

Cisco Firepower Management Centre Command Injection Vulnerability. Due to insufficient validation of user-supplied input to the web UI, a remote attacker could inject arbitrary commands that are executed with the privileges of the root user of the underlying operating system.


www.ke-cirt.go.ke