Advisory ID : ngCERT-2023-0031

Summary: The Kenyan government, via the Ministry of Interior, claimed that some of the country's online infrastructures had been struck by a wave of Distributed Denial of Service (DDoS) attacks, rendering the country's online platforms unreachable. The attack began on 23 July 2023, just barely four weeks after President Ruto released thousands of government services on the e-citizen platform in an effort to boost efficiency and reduce corruption. This platform hosts services such as passport applications and renewals, e-visa issuance, driver's licences, identification cards, and national health records. Kenya's well-known mobile payment system, M-Pesa, as well as the National Transport and Safety Authority (NTSA), Kenya Power and Lighting Company (KPLC), and Kenya Railways, have all been impacted. Anonymous Sudan has claimed responsibility for the attacks. 

Threat Type(s): DDoS

Damage/Probability: CRITICAL/HIGH

Description: A Distributed Denial of Service (DDoS) assault is intended to disrupt service. This is accomplished by employing many computers to flood a targeted system's bandwidth or resources (such as a web server) with traffic. By overloading the targeted system, it will either crash or fail to function properly. The online platform attack included several efforts to overload the systems with unusual requests with the goal of clogging the system. Anonymous Sudan, a group with apparent ties to Russia, claims responsibility for the strikes due to Kenya's intervention in Sudan's domestic affairs. The group stated that it was aiming for other government digital services.

Consequences: In an increasingly digitalised society, when digital public services become abruptly and suddenly unavailable, it can result in indirect and direct economic and financial losses, as well as physical danger in some circumstances. The following are some of the consequences of the recent attacks:

1. The outage of M-Pesa services paralyzed operations across many sectors including the ability of the government to collect revenues.
2. Disruption of the country’s e-visa issuance resulted in issuing visas on arrivals to all travellers—in what appears to be a temporary visa-on-arrival program due to the attack on e-Citizen platform.
3. The Kenya Power and Lighting Company (KPLC) left thousands of utility prepaid customers stranded and unable to purchase their tokens via their online platform and USSD code.
4. Standard Chartared Bank Kenya was among banks whose digital banking systems were affected.
5. Kenya Railways train services were disrupted announcing that network outage by its service provider affected purchase of tickets.
6. National Transport and Safety Authority (NTSA) also issued a statement indicating that its services had also been attacked, thereby preventing Kenyan residents to apply and pay for driving licenses among others.
7. Media websites were also attacked including that of The Standard Group, Kenya’s oldest newspaper, as well as the website of the government-owned Kenya News Agency.
8. Ten (10) university websites were hit, including the University of Nairobi.
9. Seven (7) hospitals were also targeted.

Solution: Here are some countermeasures that can be implemented to prevent a DDoS attack:

1. Create a DDoS Response Plan.
2. Implement a robust network security with network segmentation, firewalls, IDSs, anti-malware solutions and web security tools.
3. Have server redundancy.
4. Monitor network traffic and be on the lookout for warning signs.
5. Limit network broadcasting.
6. If possible, outsource DDoS prevention by migrating to the cloud.

References:

https://www.bbc.com/news/world-africa-66337573

https://techmonitor.ai/technology/cybersecurity/anonymous-sudan-kenya-ddos-cyberattack-ecitizen

https://cybermagazine.com/application-security/cyberattack-in-kenya-impacts-online-government-platforms

https://phoenixnap.com/blog/prevent-ddos-attacks

Advisory ID NCC-CSIRT-200723-028 

Summary: In three months' time, on October 10, 2023, Microsoft will discontinue support for Windows 11, version 21H2. This includes the Home and Pro editions of Windows 11 21H2 that were released in October 2021. Consequently, after the end-of-service (EOS) date, devices running Windows 11 21H2 with the aforementioned editions will no longer receive security updates and monthly quality updates containing fixes and patches for newly identified vulnerabilities and security concerns. 

Threat Type(s): Vulnerability

Impact/Vulnerability: CRITICAL/HIGH

Product(s): Windows 11

Platform(s): Windows Operating System

Version(s): Windows 11 21H2 for Home, Pro Pro Education, and Pro for Workstations editions released in October 2021.

Description: On October 10, 2023, the support for Windows 11 21H2 Home and Pro editions, which were released in October 2021, will come to an end. Once the end of service (EOS) date is reached, devices running these editions of Windows 11 21H2 will no longer receive important security and quality updates that provide bug fixes and patches to address newly identified security vulnerabilities. It is therefore advised to avoid using such an operating system, particularly for sensitive functions, as it may become more vulnerable to potential risks and threats.   

Consequences: An operating system that lacks support for patches and security updates is susceptible to attacks, as any underlying vulnerabilities that may exist will remain unaddressed. 

Solution: For those who are still using Windows 11 Home and Pro version 21H2, it is recommended to take the following mitigation measures into consideration: 

1.  Upgrade to the latest version of Windows 11.
2. Users should consult the Windows Lifecycle FAQ and utilize the Lifecycle Policy search tool to obtain additional information about the specific end-of-service dates for Windows. 

References:
https://www.bleepingcomputer.com/news/microsoft/microsoft-windows-11-21h2-reaching-end-of-service-in-october/

https://learn.microsoft.com/en-us/lifecycle/end-of-support/end-of-support-2022

https://learn.microsoft.com/en-us/lifecycle/faq/windows

https://learn.microsoft.com/en-us/lifecycle/products/?terms=windows

Advisory ID: NCC-CSIRT-180723-027

Summary: Numerous vulnerabilities have been detected in the Google Chrome browser. These vulnerabilities could be exploited by a remote attacker who convinces a user to visit a specifically designed web page with malicious intent. 

Threat Type(s): Vulnerability

Impact/Probability: CRITCIAL/HIGH

Product(s): Google Chrome Browser 

Vulnerable Platform(s): Google Chrome Brower

Version(s):  

• Google Chrome prior to  114.0.5735.198/199 (Windows) 
• Google Chrome prior to 114.0.5735.198 (Linux) 
• Google Chrome prior to 114.0.5735.198 (Mac) 

Description:  The vulnerabilities include the following:

• Type Confusion in V8 in Google Chrome prior to 114.0.5735.198 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
• Use after free in Media in Google Chrome prior to 114.0.5735.198 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
• Use after free in Guest View in Google Chrome prior to 114.0.5735.198 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted HTML page

Successful exploitation of the vulnerabilities by hackers could allow for remote code execution, denial of service and data manipulation on the compromised system.

Consquences:  Attackers could exploit these vulnerabilities to trigger remote code execution, denial of service and data manipulation on the compromised system.  

Solution: 

• Before installation of the Google Chrome software, please visit the software vendor website for more details.
• Update to version 114.0.5735.198/199 (Windows) or later.
• Update to version 114.0.5735.198 (Linux) or later.
• Update to version 114.0.5735.198 (Mac) or later 

References: 

https://cert-in.org.in/ 

https://www.hkcert.org/security-bulletin/google-chrome-multiple-vulnerabilities_20230627 

https://chromereleases.googleblog.com/ 

https://chromereleases.googleblog.com/2023/06/stable-channel-update-for-desktop_26.html 

Advisory ID: NCC-CSIRT-140723-026

Summary: The Uptycs threat research team has discovered a new malware called "Meduza Stealer" that targets Windows users. This sophisticated malware aims to steal various types of sensitive data, focusing on Windows browsers and vulnerable extensions like crypto wallets and password managers. Additionally, it can collect system-related information from compromised devices, including hardware specifications, IP address, and usernames. These findings underscore the importance of implementing strong security measures to safeguard against the Meduza Stealer malware and similar threats. 

Vulnerable Platform(s): Windows Operating Systems

Threat Type: Malware

Impact/Probability: CRITCIAL/MEDIUM

Product : Google Chrome, Microsoft\Edge, Opera, Thunderbird, and other prominent Browers. 

Version:  All Version

Description: The research team made a significant discovery by identifying the new Meduza Stealer Malware. Through monitoring dark web forums and Telegram channels, they observed the malware being promoted and distributed to potential cyber-criminals. Unlike typical ransomware, this malware solely focuses on stealing data and continuously evolves with the incorporation of new features. Its primary targets are Windows users and organizations, with the exception of ten specific countries that include Russia, Kazakhstan, Belarus, Georgia, Turkmenistan, Usbekistan, Armenia, Kyrgystan, Moldova, and Tajikistan. 

Once the malware infiltrates a machine, it initiates its operations. It first checks the geolocation of the victim. If the location is within the list of excluded countries, the malware immediately aborts its activities. Similarly, if the attacker's server is inaccessible, the malware terminates its operations. However, if both conditions are favorable, the malware proceeds to collect extensive data. This data is then packaged, uploaded, and sent to the attacker's server, completing the data theft operation on the infected machine. 

Consquences:  Meduza Stealer can lead to severe consequences, such as financial losses and potential large-scale data breaches for affected individuals and organizations. 

Solution: 

• Avoid storing your bank login information in web browsers. 
• Encrypt confidential documents before sending them through compromised web browsers. 
• Regularly install updates for your operating systems and browsers. 
• Only install browser extensions from trusted sources. 
• Employ strong and unique passwords for all your accounts. 
• Install security applications to patch vulnerabilities that malware can exploit. 
• Always scan files using security software before opening them. 

References: 

https://www.uptycs.com/blog/what-is-meduza-stealer-and-how-does-it-work#exclusionlist 

https://www.infosecurity-magazine.com/news/meduza-stealer-targets-windows/