Advisory ID: ngCERT-2023-0031
Summary: The Kenyan government, via the Ministry of Interior, reported that some of the country's online infrastructure had been struck by a wave of Distributed Denial of Service (DDoS) attacks, rendering the country's online platforms unreachable. The attack began on 23 July 2023, barely four weeks after President Ruto released thousands of government services on the e-Citizen platform in an effort to boost efficiency and reduce corruption. This platform hosts services such as passport applications and renewals, e-visa issuance, driver's licences, identification cards, and national health records. Kenya's well-known mobile payment system, M-Pesa, as well as the National Transport and Safety Authority (NTSA), Kenya Power and Lighting Company (KPLC), and Kenya Railways, have all been impacted. Anonymous Sudan has claimed responsibility for the attacks.
Threat Type(s): DDoS
Damage/Probability: CRITICAL/HIGH
Description: A Distributed Denial of Service (DDoS) attack is intended to disrupt service. This is accomplished by employing many computers to flood a targeted system's bandwidth or resources (such as a web server) with traffic. Once overloaded, the targeted system either crashes or fails to function properly. The attack on the online platforms involved several attempts to overload the systems with unusual requests in order to clog them. Anonymous Sudan, a group with apparent ties to Russia, claims responsibility for the attacks, citing Kenya's intervention in Sudan's domestic affairs as its motive. The group stated that it was targeting other government digital services as well.
Consequences: In an increasingly digitalised society, when digital public services abruptly become unavailable, the result can be direct and indirect economic and financial losses, as well as physical danger in some circumstances. The following are some of the consequences of the recent attacks:
- The outage of M-Pesa services paralyzed operations across many sectors including the ability of the government to collect revenues.
- Disruption of the country's e-visa issuance led to visas being issued on arrival to all travellers, in what appears to be a temporary visa-on-arrival program adopted because of the attack on the e-Citizen platform.
- The attack on the Kenya Power and Lighting Company (KPLC) left thousands of prepaid utility customers stranded and unable to purchase their tokens via its online platform and USSD code.
- Standard Chartered Bank Kenya was among banks whose digital banking systems were affected.
- Kenya Railways train services were disrupted; the company announced that a network outage at its service provider affected the purchase of tickets.
- The National Transport and Safety Authority (NTSA) also issued a statement indicating that its services had been attacked, preventing Kenyan residents from applying and paying for driving licences, among other services.
- Media websites were also attacked including that of The Standard Group, Kenya’s oldest newspaper, as well as the website of the government-owned Kenya News Agency.
- Ten (10) university websites were hit, including the University of Nairobi.
- Seven (7) hospitals were also targeted.
Solution: Here are some countermeasures that can be implemented to prevent a DDoS attack:
- Create a DDoS Response Plan.
- Implement robust network security, including network segmentation, firewalls, IDSs, anti-malware solutions and web security tools.
- Have server redundancy.
- Monitor network traffic and be on the lookout for warning signs.
- Limit network broadcasting.
- If possible, outsource DDoS prevention by migrating to the cloud.
References:
https://www.bbc.com/news/world-africa-66337573
https://techmonitor.ai/technology/cybersecurity/anonymous-sudan-kenya-ddos-cyberattack-ecitizen
Advisory ID: NCC-CSIRT-200723-028
Summary: In three months' time, on October 10, 2023, Microsoft will discontinue support for Windows 11, version 21H2. This includes the Home and Pro editions of Windows 11 21H2 that were released in October 2021. Consequently, after the end-of-service (EOS) date, devices running Windows 11 21H2 with the aforementioned editions will no longer receive security updates and monthly quality updates containing fixes and patches for newly identified vulnerabilities and security concerns.
Threat Type(s): Vulnerability
Impact/Vulnerability: CRITICAL/HIGH
Product(s): Windows 11
Platform(s): Windows Operating System
Version(s): Windows 11 21H2 for the Home, Pro, Pro Education, and Pro for Workstations editions released in October 2021.
Description: On October 10, 2023, the support for Windows 11 21H2 Home and Pro editions, which were released in October 2021, will come to an end. Once the end of service (EOS) date is reached, devices running these editions of Windows 11 21H2 will no longer receive important security and quality updates that provide bug fixes and patches to address newly identified security vulnerabilities. It is therefore advised to avoid using such an operating system, particularly for sensitive functions, as it may become more vulnerable to potential risks and threats.
Consequences: An operating system that lacks support for patches and security updates is susceptible to attacks, as any underlying vulnerabilities that may exist will remain unaddressed.
Solution: For those who are still using Windows 11 Home and Pro version 21H2, it is recommended to take the following mitigation measures into consideration:
- Upgrade to the latest version of Windows 11.
- Users should consult the Windows Lifecycle FAQ and utilize the Lifecycle Policy search tool to obtain additional information about the specific end-of-service dates for Windows.
References:
https://learn.microsoft.com/en-us/lifecycle/end-of-support/end-of-support-2022
https://learn.microsoft.com/en-us/lifecycle/faq/windows
https://learn.microsoft.com/en-us/lifecycle/products/?terms=windows
Advisory ID: NCC-CSIRT-180723-027
Summary: Numerous vulnerabilities have been detected in the Google Chrome browser. They could be exploited by a remote attacker who convinces a user to visit a specially crafted, malicious web page.
Threat Type(s): Vulnerability
Impact/Probability: CRITICAL/HIGH
Product(s): Google Chrome Browser
Vulnerable Platform(s): Google Chrome Browser
Version(s):
- Google Chrome prior to 114.0.5735.198/199 (Windows)
- Google Chrome prior to 114.0.5735.198 (Linux)
- Google Chrome prior to 114.0.5735.198 (Mac)
Description: The vulnerabilities include the following:
- Type Confusion in V8 in Google Chrome prior to 114.0.5735.198 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
- Use after free in Media in Google Chrome prior to 114.0.5735.198 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
- Use after free in Guest View in Google Chrome prior to 114.0.5735.198 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted HTML page.
Successful exploitation of the vulnerabilities by hackers could allow for remote code execution, denial of service and data manipulation on the compromised system.
Consequences: Attackers could exploit these vulnerabilities to trigger remote code execution, denial of service and data manipulation on the compromised system.
Solution:
- Before installation of the Google Chrome software, please visit the software vendor website for more details.
- Update to version 114.0.5735.198/199 (Windows) or later.
- Update to version 114.0.5735.198 (Linux) or later.
- Update to version 114.0.5735.198 (Mac) or later.
References:
https://www.hkcert.org/security-bulletin/google-chrome-multiple-vulnerabilities_20230627
https://chromereleases.googleblog.com/
https://chromereleases.googleblog.com/2023/06/stable-channel-update-for-desktop_26.html
Advisory ID: NCC-CSIRT-140723-026
Summary: The Uptycs threat research team has discovered a new malware called "Meduza Stealer" that targets Windows users. This sophisticated malware aims to steal various types of sensitive data, focusing on Windows browsers and vulnerable extensions like crypto wallets and password managers. Additionally, it can collect system-related information from compromised devices, including hardware specifications, IP address, and usernames. These findings underscore the importance of implementing strong security measures to safeguard against the Meduza Stealer malware and similar threats.
Vulnerable Platform(s): Windows Operating Systems
Threat Type: Malware
Impact/Probability: CRITICAL/MEDIUM
Product: Google Chrome, Microsoft Edge, Opera, Thunderbird, and other prominent browsers.
Version: All versions
Description: The research team made a significant discovery by identifying the new Meduza Stealer malware. Through monitoring dark web forums and Telegram channels, they observed the malware being promoted and distributed to potential cyber-criminals. Unlike typical ransomware, this malware focuses solely on stealing data and continuously evolves with the incorporation of new features. Its primary targets are Windows users and organizations, with the exception of ten specific countries: Russia, Kazakhstan, Belarus, Georgia, Turkmenistan, Uzbekistan, Armenia, Kyrgyzstan, Moldova, and Tajikistan.
Once the malware infiltrates a machine, it initiates its operations. It first checks the geolocation of the victim. If the location is within the list of excluded countries, the malware immediately aborts its activities. Similarly, if the attacker's server is inaccessible, the malware terminates its operations. However, if both conditions are favorable, the malware proceeds to collect extensive data. This data is then packaged, uploaded, and sent to the attacker's server, completing the data theft operation on the infected machine.
Consequences: Meduza Stealer can lead to severe consequences, such as financial losses and potential large-scale data breaches for affected individuals and organizations.
Solution:
- Avoid storing your bank login information in web browsers.
- Encrypt confidential documents before sending them through compromised web browsers.
- Regularly install updates for your operating systems and browsers.
- Only install browser extensions from trusted sources.
- Employ strong and unique passwords for all your accounts.
- Install security applications to patch vulnerabilities that malware can exploit.
- Always scan files using security software before opening them.
References:
https://www.uptycs.com/blog/what-is-meduza-stealer-and-how-does-it-work#exclusionlist
https://www.infosecurity-magazine.com/news/meduza-stealer-targets-windows/
Advisory ID: NCC-CSIRT-120723-025
Summary: A tool named TeamsPhisher has been uncovered by a researcher from the U.S. Navy's red team. This tool exploits a security vulnerability in Microsoft Teams, enabling attackers to bypass file-sending restrictions and deliver malware from an external account. If successfully exploited, this vulnerability allows attackers to bypass restrictions on incoming files from users outside of a targeted organization, known as external tenants.
Vulnerable Platform(s): Microsoft Teams
Threat Type: Malware
Impact/Probability: CRITICAL/HIGH
Product: Microsoft Teams
Version: All versions
Description: The researcher explains that the Microsoft Teams application has client-side protections that can be deceived, treating an external user as an internal one simply by altering the ID in the POST request of a message. To carry out this attack, a Python-based tool called "TeamsPhisher" has been developed, offering a fully automated approach.
TeamsPhisher performs several steps to execute the attack successfully. It first verifies the target user's existence and their ability to receive external messages, which is a crucial requirement for the attack to proceed. It then creates a new thread with the target user and sends them a message containing a Sharepoint attachment link. This thread becomes visible in the sender's Teams interface, potentially allowing for manual interaction.
Initially, TeamsPhisher requires users to have a Microsoft Business account, including a valid Teams and Sharepoint license, which is commonly found in many large companies. The tool also offers a "preview mode" to help users verify the target lists and ensure the appearance of messages from the recipient's perspective. Additionally, TeamsPhisher provides other features such as sending secure file links that can only be accessed by the intended recipient, specifying delays between message transmissions to bypass rate limiting, and generating log files to record outputs.
Consequences: The TeamsPhisher tool can deliver a malicious payload directly to a target's Microsoft Teams inbox.
Solution: At present, there is no specific solution as Microsoft has not made a decision regarding corrective actions for this vulnerability. However, the following measures are recommended:
- Microsoft Teams users should adopt safe online computing practices, such as being cautious when clicking on web page links, opening unfamiliar files, or accepting file transfers.
- Organizations are strongly advised to disable external tenant communications if not required.
- Organizations should establish an allow-list comprising trusted domains to minimize the risk of exploitation.
References:
https://www.bleepingcomputer.com/news/security/new-tool-exploits-microsoft-teams-bug-to-send-malware-to-users/
https://www.bleepingcomputer.com/news/security/microsoft-teams-bug-allows-malware-delivery-from-external-accounts/
https://www.hkcert.org/security-news?item_per_page=10&year%5B%5D=2023&month%5B%5D=06&month%5B%5D=07