BACKGROUND

Akira is a ransomware group which was first observed in March 2023. Akira ransomware actors typically gain access to victims’ devices by using compromised credentials. Its operators use multi-extortion tactics, steal victims’ critical data and encrypts devices and files before demanding outrageous ransom payments. Victims who fail to comply with their demands will be listed on their TOR-based website along with the stolen data.

BACKGROUND

Ransomware groups including LockBit and Akira are reportedly exploiting a zero-day vulnerability (CVE-2023-20269) in the VPN feature of Cisco’s Adaptive Security Appliance (ASA) and Cisco Firepower Threat Defense (FTD) software, to gain access to corporate networks.

BACKGROUND

Apple has released security updates for iOS, macOS, iPadOS and watchOS to fix two zero-day vulnerabilities which have been exploited in the wild to compromise Apple products without any interaction from the victim. The exploit allows attackers to target victims with NSO Group’s Pegasus Spyware, without any interaction from the targeted user.

The two known vulnerabilities are tracked as CVE-2023-41064 and CVE-2023-41061. 

IMPACT

BACKGROUND

Apple users are strongly advised to install an urgent Rapid Security Response (RSR) update to address 
a vulnerability that impacts fully patched iPhones, Macs, and iPads. The RSR patches includes updates 
for the latest versions of macOS, iOS, iPadOS, and Safari.

IMPACT

BACKGROUND

Fortinet has issued a warning on a vulnerability affecting several versions of Fortinet FortiOS used in its FortiGate secure socket layer virtual private network (SSL VPN) and firewall products. The security flaw is tracked as CVE-2022-42475 which is rated Critical and assigned a CVSS score of 9.3
out of 10. The attacks are said to be complex and highly targeted at “governmental or government-related targets.”

BACKGROUND
 
Dridex, also known as Bugat and Cridex, is a banking malware that steals sensitive data from infected machines, and also deliver and execute malicious modules. Previously targeting Windows computers, it is now targeting Macs to spread by using email attachments that look like regular documents.
 
MODUS OPERANDI
 

An increasing number of local WhatsApp users have reported their accounts being hacked recently. The user would receive an SMS containing a 6-digit verification code, then someone on WhatsApp will ask for the code. Once the code is shared, the scammer will be able to login to your WhatsApp account, and you will be logged out.

Two new buffer overflow vulnerabilities with the formal assignments of CVE-2022-3602 and CVE-2022-3786 has just been disclosed in Open SSL version 3.0.0 to 3.0.6.

In Brunei, there are over 200 Fortinet devices exposed to the Internet and it is strongly advisable that the affected agencies patch their devices the soonest. 

Zero Day Exchange Vulnerabilities 
CVE-2022-41040 and CVE-2022-41082

BACKGROUND
      
Microsoft security researchers announced two new zero-day vulnerabilities, CVE-2022-41040 and CVE-2022-41082 affecting Microsoft Exchange Server. 
 
The first one, identified as CVE-2022-41040, is a server-side request forgery (SSRF) vulnerability, while the second one, identified as CVE-2022-41082, allows remote code execution (RCE) when Exchange PowerShell is accessible to the attacker.

BACKGROUND
 
BruCERT has received an alarming number of reports from users whose Instagram account has been taken over, with a demand for ransom to be paid in order to regain access to their account. The main targets are Instagram business accounts or personal accounts with many followers and their contact number in their profile.
 

BACKGROUND
      
Cybercriminals are targeting users who search for cracked software by promoting malicious websites to download installers which deploy a malware called NullMixer. This new malware dropper is infecting Windows devices with a dozen malware families simultaneously.
 
These infections range from password-stealing trojans, backdoors, spyware, bankers, fake Windows system cleaners, clipboard hijackers, cryptocurrency miners, and even further malware loaders.
 

BACKGROUND
Researchers have found that add-on spellchecking features added to popular web browsers Google
Chrome and Microsoft Edge have been leaking sensitive information back to their parent companies
Google and Microsoft respectively. The transmitted data includes Personally Identifiable Information
(PII) such as name, address, email, date of birth, contact information, bank and payment information,
username and passwords.
Both browsers have basic built-in spellcheckers enabled by default, which do not transmit data back

A new malware bundle uses victims' YouTube channels to upload malicious video tutorials advertising fake cheats for popular video games. The videos contain links to download the fake cracks and cheats which will actually install a collection of self-spreading malware.

BACKGROUND

More than 80,000 Hikvision cameras have been discovered to be vulnerable to exploitation and
exposed on the public Internet. These vulnerabilities were fixed by Hikvision last year, however there
are still cameras that have not been updated with the latest firmware thus remain unfixed. Hikvision
has released four repair firmware since the first repair.

BACKGROUND
 
An increasing number of local Telegram users have reported to BruCERT since April this year that their accounts had been hacked or taken over. It is suspected that the number of unreported cases could be much higher. 
 
MODUS OPERANDI
•     The user receives a message from Telegram containing a 5-digit login code as a result of the scammer trying to register the user’s phone number.

Cyber threats are expected to increase globally as a result of the current conflict in Europe. All organizations in Brunei Darussalam are advised to increase awareness and strengthen all critical systems to safeguard data against potential cyber-attacks, such as website defacement, distributed denial of service (DDoS), and ransomware attacks. 

RECOMMENDATIONS

BruCERT recommends that the following immediate actions should be taken. 

S​ystem hardeni​ng

BACKGROUND

Instagram is one of the most popular social media used in Negara Brunei Darussalam, with almost half of the population is using it for communicating. Losing access to your account can be a nightmare scenario for users.

TIPS FOR STAYING SAFE WHILE ON INSTAGRAM

BACKGROUND
 
Microsoft has released an emergency fix for a year 2022 bug that is breaking email delivery on on-premise Microsoft Exchange servers. Email is getting stuck in the queue, and these errors are caused by Microsoft Exchange checking the version of the FIP-FS antivirus scanning engine and attempting to store the date in a signed int32 variable.

BACKGROUND

Malicious text messages are being spammed to mobile users, containing a link which redirects Android users to download FluBot malware. The language and wording of the text message can vary, such as: 
•    You have a voicemail message.
•    Your parcel is out for delivery. Click the link to track your parcel.
•    Someone would like to share a photo album with you.
•    Your Android device is infected with malware. You must install this security update to remove the malware.

BACKGROUND

BruCERT has received reports of a phishing email that claims to be from "BIBD Bank Darussalam Brunei" offering a COVID-19 relief fund to its customers.

BACKGROUND

BruCERT has received a report of a phishing scam involving Brunei Postal Services Department. An SMS message which appears to be from "Brunei Post" informs the recipient that their package has been relocated to a post office branch due to unpaid postage fees. The message includes a shortened link that will redirect the user to a fake website post-bn.com where they will be asked to enter their full name and credit card details.

IMPACT

BACKGROUND

BACKGROUND

Apple has released security updates for iPhones, iPads, Apple Watches and Mac computers to address vulnerabilities (CVE-2021-30860 and CVE-2021-30858) that were being exploited by Pegasus spyware.
The bug allowed for a "zero-click" install of the spyware which is capable of stealing data, passwords, and activating a phone's microphone or camera.

IMPACT

May lead to arbitrary code execution on affected products.

SYSTEM AFFECTED 

Apple devices running iOS, macOS and watchOS.

BACKGROUND

BACKGROUND

Due to the challenging pandemic situation in Brunei Darussalam where the population is advised to stay at home, cybercriminals are taking the opportunity to phish sensitive and confidential information by creating a fake website for well-known fast-food chains.

Example:
https:// bn-mcdelivery .ru

This website appears to be hosted in Russia, and offers meals at a very low price, with many menu items that are not available in Brunei outlets.

Modus Operandi

BACKGROUND
      
Attackers are now actively exploiting Microsoft Exchange Servers using ‘ProxyShell’ vulnerability to install backdoors for later access, which uses three chained MS vulnerabilities to perform unauthenticated, remote code execution. These chained vulnerabilities are exploited remotely through Microsoft Exchange's Client Access Service (CAS) running on port 443 in IIS.
 
The three chained vulnerabilities used in ‘ProxyShell’ attacks are:

BACKGROUND
 
In view of the recent directive for organizations to activate their business continuity plan (BCP) protocols, most organizations are requiring employees to work from home (WFH). Remote working creates additional opportunities for cyber threat actors to perform malicious cyber activities by exploring open vulnerabilities in less secured networks, thus gaining access to users’ data or the organization's network.
 
RECOMMENDATIONS
 
Below are some security measures that can be applied:

BACKGROUND
      
Researchers have identified a new Android trojan named FlyTrap, which has affected more than 10,000 victims in over 140 countries since March. It has been able to spread through social media hijacking, third-party app stores, and sideloaded applications.
 
The malware uses social engineering tricks to compromise Facebook accounts, seemingly offering free Netflix coupon codes, Google AdWords coupon codes, or voting for the best football team.
 

BACKGROUND

PetitPotam is a newly uncovered security flaw in the Windows operating system which can be used to attack remote Windows servers including Domain Controllers, to authenticate with a malicious destination, allowing an attacker to stage an NTLM relay attack and completely take over a Windows domain.

MODUS OPERANDI

BACKGROUND
    
MosaicLoader is a Trojan horse-style malware that is being delivered through paid ads in search results designed to lure users looking for cracked software. Links to the malware will appear at the top of search results when people search for cracked versions of popular software.

BACKGROUND

Known vulnerabilities in Windows Print Spooler service can allow a total compromise of Windows systems. The print spooler is an executable file that manages the printing process. Management of printing involves retrieving the location of the correct printer driver, loading that driver, spooling high-level function calls into a print job, scheduling the print job for printing, and so on.

BACKGROUND

Hacking group Nobelium which has caused concern for a lot of companies all over the world due to its ongoing malicious activity and sophisticated phishing attacks, is once again targeting IT and government organizations in various countries.
Information-stealing malware was found on a device belonging to one of Microsoft's employees with access to account information for a small number of their customers, and the attacker has used the information in some cases to launch highly targeted attacks as part of a broader campaign.

BACKGROUND
 
BruCERT has recently received a number of reports on a scam called “MARISEWABANK”. The scammer contacts victims via SMS containing a WhatsApp link. Once the link is clicked, the victim would be lured into online gambling by promising a profit of 100% to 350% depending on the bank that the victim deposits their money into. The victim will then be asked for their personal and banking details, namely:
•    Bank 
•    Name of account holder 
•    Account number 
•    Online banking username & password 

BACKGROUND

BruCERT has received several complaints recently about a tele-survey phone scam allegedly from a company named Prolific, asking people for their personal email address purportedly to send a survey through email. However, the real purpose is to collect sensitive and personal information.

MODUS OPERANDI

BACKGROUND
 
According to a study, 91% of cyber-attacks start with an email. Scammers hack email accounts so that they can send messages from a trusted email address in hopes of getting the recipients to take action. Their main goal is to get these email contacts to send money, reveal personal information, or click on a link that installs malware, spyware, or a virus.

IMPACT
 

BACKGROUND
Trickbot is a malware-as-a-service botnet that is often described as one of the world's largest. It first appeared as banking malware in 2016, used to steal online banking credentials, and is designed to stealthily infiltrate a victim's computer and remain silent thus no particular symptoms are clearly visible on an infected machine.

BACKGROUND

Emotet started as a banking trojan in 2014 and has recently returned as a more dangerous malware targeting local government agencies. It acts as a downloader/dropper to deliver trojans and malicious code to infect devices. Emotet typically spreads through phishing emails or spam that contain Microsoft Word attachments or links along with zip files in order to bypass security filters (i.e. antivirus) to lure victims to click on the link or file.

 
IMPACT

BACKGROUND

The latest phishing attack has caused a wave of business email account takeovers.

Once an email account is compromised, the account credentials are sent to a remote bot which would then sign into the account and analyse recent emails. For each unique email thread, it would then reply to the most recent email, sending a link to a phishing page to capture credentials. Since the phishing emails are being sent as replies to genuine emails between suppliers, customers, and colleagues, this makes the emails appear trustworthy.

BACKGROUND

Background

A technical support scam is a form of fraud, utilizing social engineering and fear tactics to fool victims into divulging useful and confidential information or paying for unnecessary support services due to alleged technical error or software problems.

There are 2 common methods of tech support scams: via a phone call and scareware.

Phone call

BACKGROUND
 
BruCERT has recently received a number of complaints from the public regarding phone scammers impersonating legitimate banks. The scammers contact victims through unofficial channels such as apps like WhatsApp or Viber, usually calling from an international number. They claim to be calling to check all customers’ cards and pressure the victim to reveal personal and financial information.

IMPACT

Background

A technical support scam is a form of fraud, utilizing social engineering and fear tactics to fool victims into divulging useful and confidential information or paying for unnecessary support services due to alleged technical error or software problems.

There are 2 common methods of tech support scams: via a phone call and scareware.

Phone call

BACKGROUND
    
A way for employees to access corporate devices is by using Remote Desktop Protocol (RDP). Remote Desktop is a remote management tool which allows you to connect to any computer and take over the desktop. It’s like you are sitting and looking at your own computer, only remotely. It is highly used especially during this pandemic situation, for those who have moved to work from home. If poorly configured, it might be vulnerable to attacks.

IMPACT

Background:

A novel hack called “Hover with Power” allows an attacker to create a mouse-over in a PowerPoint file which would trigger the download of malware when a user hovers over a link in the presentation. Utilizing an element of social engineering, the user would then have to accept a pop-up dialogue box to run or install the program. The executable file can also be run from a remote server by using the ‘HyperLink To” action. This attack affects .ppsx files which are designed to play presentations and can’t be edited.

Impact:

Background Description:

As most organizations have started Working from Home (WFH) as part of their Business Continuity Planning (BCP) initiatives, implementing a VPN is one of the ways to have a secure connection over the internet.

Background

With the ongoing COVID-19 outbreak and in view of Brunei's Ministry of Health advisory to implement social distancing measures, many organizations are encouraging or requiring staff to work from home for an indeterminate amount of time.

However, remote working creates additional opportunities for cyber threat actors to perform malicious cyber activities by exploring open vulnerabilities in less secured networks, thus gaining access to users’ data or the organization's network.

BACKGROUND

Zeus Sphinx trojan first appeared in August 2015. Also known as Zloader or Terdot, it resurfaced in December 2019 and became aggressive in March 2020. Like other banking trojans, Sphinx’s main ability is to collect credentials for online banking sites and the newer version is looking to cash in on interest in government relief efforts around the Covid- 19 pandemic.

Background
Microsoft has warned public that Windows code-execution zero day is under active exploit. The vulnerability consists of two code-execution flaws that can be triggered from improper handling of maliciously crafted master fonts in the Adobe Type 1 Postscript format. Attackers can exploit them by convincing a target to open a specially crafted document or viewing it in the Windows preview pane.

Impact

Background
Last month, a cybersecurity firm discovered that this malware can now steal 2FA codes from Google Authenticator app and doing a simple technique by screenshotting the Authenticator app's interface.

Android banking trojan namely "Cerberus" malware has the capability to steal One-Time Password (OTP) generated through Google Authenticator app that's used as 2FA for many online accounts.

Impact
•    Possible loss of sensitive information especially your bank account credentials