BruCERT was established in May 2004 with the vision of enhancing the security of Brunei's ICT through proactive prevention and effective response. BruCERT has since become the nation's trusted one-stop referral agency for computer-related security incidents in Brunei Darussalam.
Cyber threats are expected to increase globally as a result of the current conflict in Europe. All organizations in Brunei Darussalam are advised to increase awareness and strengthen all critical systems to safeguard data against potential cyber-attacks, such as website defacement, distributed denial of service (DDoS), and ransomware attacks.
RECOMMENDATIONS
BruCERT recommends that the following immediate actions should be taken.
System hardening
BACKGROUND
Instagram is one of the most popular social media platforms in Negara Brunei Darussalam, with almost half of the population using it to communicate. Losing access to your account can be a nightmare for users.
TIPS FOR STAYING SAFE WHILE ON INSTAGRAM
BACKGROUND
Microsoft has released an emergency fix for the "Y2K22" bug that broke email delivery on on-premises Microsoft Exchange servers at the start of 2022. Mail gets stuck in the transport queue because Exchange checks the version of the FIP-FS antivirus scanning engine, a date-based number (2201010001 for the first engine update of 1 January 2022), and tries to store it in a signed 32-bit integer, whose maximum value is 2147483647.
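To make the overflow concrete, here is an added Python example (not Microsoft's code; the YYMMDDNNNN layout of the engine version is an assumption taken from the reported value 2201010001) that builds the version number for a date, checks it against the signed 32-bit range, shows the two's-complement wrap-around that turns it negative, and searches for the first date on which the number stops fitting. The final line checks the version number 2112330001 that Microsoft's fix used, a notional "33 December 2021" that is still below the limit.

```python
"""The Exchange 'Y2K22' FIP-FS bug in miniature. Added example, not
Microsoft's code; the YYMMDDNNNN layout of the engine version is assumed
from the reported value 2201010001 for 1 January 2022."""
from datetime import date, timedelta
from typing import Optional

INT32_MIN, INT32_MAX = -2**31, 2**31 - 1   # -2147483648 .. 2147483647


def fipfs_version(iso_date: str, build: int = 1) -> int:
    """Engine version as YYMMDDNNNN, e.g. "2021-12-31" -> 2112310001."""
    d = date.fromisoformat(iso_date)
    return int(f"{d:%y%m%d}{build:04d}")


def fits_int32(value: int) -> bool:
    """True if the value can be stored in a signed 32-bit integer."""
    return INT32_MIN <= value <= INT32_MAX


def to_int32(value: int) -> int:
    """Two's-complement truncation: what a C int32 holds after a larger
    number is assigned to it, i.e. the negative version Exchange saw."""
    value &= 0xFFFFFFFF
    return value - 0x1_0000_0000 if value & 0x8000_0000 else value


def first_failing_date(start_iso: str, days: int = 400) -> Optional[str]:
    """First date on or after `start_iso` whose version no longer fits."""
    start = date.fromisoformat(start_iso)
    for i in range(days):
        d = start + timedelta(days=i)
        if not fits_int32(fipfs_version(d.isoformat())):
            return d.isoformat()
    return None


if __name__ == "__main__":
    for day in ("2021-12-31", "2022-01-01"):
        v = fipfs_version(day)
        state = "fits" if fits_int32(v) else f"overflows to {to_int32(v)}"
        print(day, v, state)
    print("first failing date:", first_failing_date("2021-12-01"))
    # Microsoft's fix shipped an engine numbered 2112330001, a notional
    # '33 December 2021' that is still below INT32_MAX
    print(2112330001, fits_int32(2112330001))
```

The general lesson is that any scheme packing a date into a fixed-width integer has a hard expiry date; the check above finds it before production does.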
BACKGROUND
Malicious text messages are being spammed to mobile users, containing a link which redirects Android users to download FluBot malware. The language and wording of the text message can vary, such as:
• You have a voicemail message.
• Your parcel is out for delivery. Click the link to track your parcel.
• Someone would like to share a photo album with you.
• Your Android device is infected with malware. You must install this security update to remove the malware.
BruCERT has received reports of a phishing email that claims to be from "BIBD Bank Darussalam Brunei" offering a COVID-19 relief fund to its customers.

BACKGROUND
BruCERT has received a report of a phishing scam involving Brunei Postal Services Department. An SMS message which appears to be from "Brunei Post" informs the recipient that their package has been relocated to a post office branch due to unpaid postage fees. The message includes a shortened link that will redirect the user to a fake website post-bn.com where they will be asked to enter their full name and credit card details.
IMPACT
BACKGROUND
Apple has released security updates for iPhones, iPads, Apple Watches and Mac computers to address vulnerabilities (CVE-2021-30860 and CVE-2021-30858) that were being exploited by Pegasus spyware.
The flaws allowed a "zero-click" installation of the spyware, meaning no user interaction was needed; Pegasus can steal data and passwords and activate the phone's microphone or camera.
IMPACT
May lead to arbitrary code execution on affected products.
SYSTEM AFFECTED
Apple devices running iOS, macOS and watchOS.
BACKGROUND
Due to the challenging pandemic situation in Brunei Darussalam where the population is advised to stay at home, cybercriminals are taking the opportunity to phish sensitive and confidential information by creating a fake website for well-known fast-food chains.
Example:
https:// bn-mcdelivery .ru
This website uses a Russian (.ru) domain, which is itself a warning sign for a Brunei delivery service, and offers meals at very low prices, including many menu items that are not available in Brunei outlets.
Modus Operandi
BACKGROUND
Attackers are actively exploiting Microsoft Exchange servers through "ProxyShell", a chain of three Microsoft vulnerabilities that together give unauthenticated remote code execution, and are using it to install web shell backdoors for later access. The chain is exploited remotely through Exchange's Client Access Service (CAS) front end, which runs on port 443 in IIS.
The three chained vulnerabilities used in ‘ProxyShell’ attacks are:
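Because the chain enters through the CAS front end, its first stage leaves a recognisable trace in the IIS logs: requests to /autodiscover/autodiscover.json whose query string smuggles "@host/backend-path" so that the front end forwards the request to an internal backend such as /mapi/nspi or /powershell. The following Python is an added example (not from the advisory) that parses IIS W3C log lines and flags that pattern; the log lines are constructed, and the default log location mentioned in the comment is an assumption.

```python
"""Hunt for ProxyShell-style requests in IIS W3C logs from an Exchange CAS.
Added example, not from the advisory; the log lines are constructed."""
from typing import Iterator
from urllib.parse import unquote

# Constructed sample: two exploitation attempts from 203.0.113.7 among
# normal Outlook/OWA traffic. Real IIS logs are assumed to live under
# %SystemDrive%\inetpub\logs\LogFiles\W3SVC1\ (the IIS default).
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2021-08-20 10:01:02 10.0.0.5 GET /owa/auth/logon.aspx url=%2fowa%2f 443 - 10.0.0.20 Mozilla/5.0 200
2021-08-20 10:01:10 10.0.0.5 POST /autodiscover/autodiscover.json @evil.corp/mapi/nspi/?&Email=autodiscover/autodiscover.json%3F@evil.corp 443 - 203.0.113.7 python-requests/2.25.1 200
2021-08-20 10:01:15 10.0.0.5 POST /autodiscover/autodiscover.json @evil.corp/powershell/?X-Rps-CAT=VgEAVAdXaW5kb3dz 443 - 203.0.113.7 python-requests/2.25.1 200
2021-08-20 10:02:00 10.0.0.5 POST /autodiscover/autodiscover.xml - 443 - 10.0.0.21 Microsoft+Office/16.0 401
"""

# Backend paths the path-confusion SSRF is used to reach: /mapi/nspi to
# look up a mailbox SID and /powershell to run Exchange cmdlets are the
# published chain; /ews shows up in variants that plant the shell via mail
PROXYSHELL_BACKENDS = ("/powershell", "/mapi/nspi", "/ews")


def parse_iis_log(text: str) -> Iterator[dict]:
    """Yield one dict per request, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):
                yield dict(zip(fields, values))


def is_proxyshell_request(entry: dict) -> bool:
    """ProxyShell sends /autodiscover/autodiscover.json?@host/<backend>:
    the pre-auth path-confusion flaw (CVE-2021-34473) makes the front end
    forward the request to whatever backend path follows the '@'."""
    stem = entry["cs-uri-stem"].lower()
    query = unquote(entry["cs-uri-query"]).lower()
    if not stem.startswith("/autodiscover/autodiscover.json"):
        return False
    return "@" in query and any(b in query for b in PROXYSHELL_BACKENDS)


def find_proxyshell_hits(text: str) -> list:
    """Return (client IP, stem, query) for every suspicious request."""
    return [
        (e["c-ip"], e["cs-uri-stem"], e["cs-uri-query"])
        for e in parse_iis_log(text)
        if is_proxyshell_request(e)
    ]


if __name__ == "__main__":
    for ip, stem, query in find_proxyshell_hits(SAMPLE_IIS_LOG):
        print(f"ProxyShell pattern from {ip}: {stem}?{query}")
```

A hit from an external address with a 200 response is worth treating as a probable compromise rather than a probe: the same request that confirms the server is vulnerable is the one that starts the chain, so follow it by checking for newly written .aspx files under the Exchange web directories.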
BACKGROUND
In view of the recent directive for organizations to activate their business continuity plan (BCP) protocols, most organizations are requiring employees to work from home (WFH). Remote working creates additional opportunities for cyber threat actors to perform malicious cyber activities by exploring open vulnerabilities in less secured networks, thus gaining access to users’ data or the organization's network.
RECOMMENDATIONS
Below are some security measures that can be applied:
BACKGROUND
Researchers have identified a new Android trojan named FlyTrap, which has affected more than 10,000 victims in over 140 countries since March. It has been able to spread through social media hijacking, third-party app stores, and sideloaded applications.
The malware uses social engineering tricks to compromise Facebook accounts, seemingly offering free Netflix coupon codes, Google AdWords coupon codes, or voting for the best football team.
BACKGROUND
PetitPotam is a recently uncovered flaw in Windows that abuses the MS-EFSRPC (Encrypting File System Remote Protocol) interface to coerce a remote Windows server, including a Domain Controller, into authenticating to an attacker-controlled host. The captured NTLM authentication can then be relayed, for example to an Active Directory Certificate Services web enrolment endpoint, allowing an attacker to completely take over a Windows domain.
MODUS OPERANDI
BACKGROUND
MosaicLoader is a Trojan horse-style malware that is being delivered through paid ads in search results designed to lure users looking for cracked software. Links to the malware will appear at the top of search results when people search for cracked versions of popular software.
BACKGROUND
Known vulnerabilities in the Windows Print Spooler service can allow a total compromise of Windows systems. The print spooler (spoolsv.exe) is the service that manages the printing process: retrieving the location of the correct printer driver, loading that driver, spooling high-level function calls into a print job, scheduling the print job for printing, and so on. Because it runs with SYSTEM privileges and is enabled by default on most Windows installations, including domain controllers, flaws in it are attractive to attackers.
BACKGROUND
The hacking group Nobelium, which has caused concern for companies all over the world because of its ongoing malicious activity and sophisticated phishing attacks, is once again targeting IT and government organizations in various countries.
Information-stealing malware was found on a device belonging to one of Microsoft's customer support employees, who had access to basic account information for a small number of Microsoft's customers; in some cases the attacker used that information to launch highly targeted attacks as part of a broader campaign.
BACKGROUND
BruCERT has recently received a number of reports on a scam called “MARISEWABANK”. The scammer contacts victims via SMS containing a WhatsApp link. Once the link is clicked, the victim would be lured into online gambling by promising a profit of 100% to 350% depending on the bank that the victim deposits their money into. The victim will then be asked for their personal and banking details, namely:
• Bank
• Name of account holder
• Account number
• Online banking username & password
BACKGROUND
BruCERT has received several complaints recently about a tele-survey phone scam allegedly from a company named Prolific, asking people for their personal email address purportedly to send a survey through email. However, the real purpose is to collect sensitive and personal information.
MODUS OPERANDI
BACKGROUND
According to a study, 91% of cyber-attacks start with an email. Scammers hack email accounts so that they can send messages from a trusted email address in hopes of getting the recipients to take action. Their main goal is to get these email contacts to send money, reveal personal information, or click on a link that installs malware, spyware, or a virus.
IMPACT
BACKGROUND
Trickbot is a malware-as-a-service botnet that is often described as one of the world's largest. It first appeared as banking malware in 2016, used to steal online banking credentials, and is designed to stealthily infiltrate a victim's computer and remain silent thus no particular symptoms are clearly visible on an infected machine.
BACKGROUND
Emotet started as a banking trojan in 2014 and has recently returned as a more dangerous malware targeting local government agencies. It acts as a downloader/dropper that delivers trojans and other malicious code to infected devices. Emotet typically spreads through phishing or spam emails carrying Microsoft Word attachments or links, often inside zip archives to bypass security filters (e.g. antivirus), luring victims into opening the file or clicking the link.
IMPACT
BACKGROUND
The latest phishing attack has caused a wave of business email account takeovers.
Once an email account is compromised, the account credentials are sent to a remote bot which would then sign into the account and analyse recent emails. For each unique email thread, it would then reply to the most recent email, sending a link to a phishing page to capture credentials. Since the phishing emails are being sent as replies to genuine emails between suppliers, customers, and colleagues, this makes the emails appear trustworthy.
Background
A technical support scam is a form of fraud, utilizing social engineering and fear tactics to fool victims into divulging useful and confidential information or paying for unnecessary support services due to alleged technical error or software problems.
There are 2 common methods of tech support scams: via a phone call and scareware.
Phone call
BACKGROUND
BruCERT has recently received a number of complaints from the public regarding phone scammers impersonating legitimate banks. The scammers contact victims through unofficial channels such as apps like WhatsApp or Viber, usually calling from an international number. They claim to be calling to check all customers’ cards and pressure the victim to reveal personal and financial information.
IMPACT
BACKGROUND
One way for employees to reach corporate devices is Remote Desktop Protocol (RDP). Remote Desktop is a remote management tool that lets you connect to a computer and take over its desktop, as if you were sitting in front of it. Its use has grown sharply during the pandemic among staff who have moved to working from home. Poorly configured, for example exposed directly to the internet with weak passwords and no account lockout or multi-factor authentication, it is a frequent target of password-guessing attacks.
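Password guessing against an exposed RDP service shows up in the Windows Security log as a burst of failed logons (event 4625) from one source address, followed, if it succeeds, by a successful logon (event 4624) from the same address. The following Python is an added example (not from the advisory; the events are constructed) that applies a sliding window per source address to raise an alert and then looks for a success after the alert. It also covers the MedusaLocker advisory listed further down this page, whose actors gain access through RDP. Note that with Network Level Authentication enabled, failed RDP attempts are logged with logon type 3 rather than 10, so both types are considered.

```python
"""Detect RDP password guessing from Windows Security events. Added
example, not from the advisory; the events are constructed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed events, not from a real host. 4625 = failed logon,
# 4624 = successful logon. Logon type 10 = RemoteInteractive (RDP);
# with Network Level Authentication, failed RDP attempts are recorded
# as logon type 3 (Network), so both types are treated as RDP here.
SAMPLE_EVENTS = [
    {"time": "2021-06-01T02:00:01", "id": 4625, "type": 10, "user": "administrator", "src": "198.51.100.9"},
    {"time": "2021-06-01T02:00:07", "id": 4625, "type": 10, "user": "admin", "src": "198.51.100.9"},
    {"time": "2021-06-01T02:00:13", "id": 4625, "type": 3, "user": "guest", "src": "198.51.100.9"},
    {"time": "2021-06-01T02:00:20", "id": 4625, "type": 10, "user": "root", "src": "198.51.100.9"},
    {"time": "2021-06-01T02:00:26", "id": 4625, "type": 10, "user": "backup", "src": "198.51.100.9"},
    {"time": "2021-06-01T02:00:33", "id": 4625, "type": 10, "user": "svc_rdp", "src": "198.51.100.9"},
    {"time": "2021-06-01T02:01:10", "id": 4624, "type": 10, "user": "svc_rdp", "src": "198.51.100.9"},
    {"time": "2021-06-01T02:05:00", "id": 4625, "type": 10, "user": "alice", "src": "10.0.0.20"},
    {"time": "2021-06-01T02:15:00", "id": 4625, "type": 10, "user": "alice", "src": "10.0.0.20"},
    {"time": "2021-06-01T02:15:05", "id": 4624, "type": 10, "user": "alice", "src": "10.0.0.20"},
]

RDP_LOGON_TYPES = (3, 10)


def detect_bruteforce(events, threshold=5, window_minutes=5):
    """Return {source IP: ISO time of the alert} for every source that
    produced at least `threshold` failed logons within `window_minutes`,
    using a sliding window per source."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)
    alerts = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["id"] != 4625 or ev["type"] not in RDP_LOGON_TYPES:
            continue
        t = datetime.fromisoformat(ev["time"])
        q = recent[ev["src"]]
        q.append(t)
        while t - q[0] > window:          # drop attempts older than the window
            q.popleft()
        if len(q) >= threshold and ev["src"] not in alerts:
            alerts[ev["src"]] = ev["time"]
    return alerts


def successes_after_alert(events, alerts):
    """Successful logons from an alerted source after its alert: the
    signal that a guessed password worked and an intrusion has started."""
    hits = []
    for ev in sorted(events, key=lambda e: e["time"]):
        src = ev["src"]
        if (ev["id"] == 4624 and ev["type"] in RDP_LOGON_TYPES
                and src in alerts and ev["time"] >= alerts[src]):
            hits.append((src, ev["user"], ev["time"]))
    return hits


if __name__ == "__main__":
    found = detect_bruteforce(SAMPLE_EVENTS)
    print("brute-force sources:", found)
    print("successful logons after alert:", successes_after_alert(SAMPLE_EVENTS, found))
```

The user who mistypes a password twice ten minutes apart never reaches the threshold, while the external source cycling through account names trips it on the fifth attempt; the later success for svc_rdp from that source is the line that should page someone.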
IMPACT
Background:
A novel attack called "Hover with Power" lets an attacker craft a PowerPoint file in which a mouse-over action triggers the download of malware when the user hovers over a link in the presentation. It relies on social engineering: the user still has to accept a pop-up dialog box to run or install the program. The executable can also be launched from a remote server using the "Hyperlink To" action. The attack affects .ppsx files, which are designed to play presentations and cannot be edited.
Impact:
Background Description:
As most organizations have started Working from Home (WFH) as part of their Business Continuity Planning (BCP) initiatives, implementing a VPN is one of the ways to have a secure connection over the internet.
Background
With the ongoing COVID-19 outbreak and in view of Brunei's Ministry of Health advisory to implement social distancing measures, many organizations are encouraging or requiring staff to work from home for an indeterminate amount of time.
However, remote working creates additional opportunities for cyber threat actors to perform malicious cyber activities by exploring open vulnerabilities in less secured networks, thus gaining access to users’ data or the organization's network.
BACKGROUND
The Zeus Sphinx trojan first appeared in August 2015. Also known as Zloader or Terdot, it resurfaced in December 2019 and became aggressive in March 2020. Like other banking trojans, Sphinx's main ability is to collect credentials for online banking sites, and the newer version is looking to cash in on interest in government relief efforts around the COVID-19 pandemic.
Background
Microsoft has warned the public that a Windows code-execution zero day is under active exploitation. The vulnerability consists of two code-execution flaws in the Windows Adobe Type Manager Library, triggered by improper handling of maliciously crafted multi-master fonts in the Adobe Type 1 PostScript format. Attackers can exploit them by convincing a target to open a specially crafted document or to view it in the Windows Explorer preview pane.
Impact
Background
The Android banking trojan "Cerberus" has gained the capability to steal One-Time Passwords (OTPs) generated by the Google Authenticator app, which many online accounts use as a second factor (2FA).
Last month, a cybersecurity firm found that once the malware has obtained Android's Accessibility Service permission, it can read the codes displayed in the Authenticator app's interface when the app is opened and send them to its command-and-control server.
Impact
• Possible loss of sensitive information especially your bank account credentials
Security News

12 hours 13 minutes ago
The hacktivist group is ramping up its activities and is ready to assault governments and businesses with escalating capabilities.
Nathan Eddy, Contributing Writer, Dark Reading

CISA Adds One Known Exploited Vulnerability to Catalog
12 hours 27 minutes ago
Original release date: July 1, 2022
CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation. These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risk to the federal enterprise. Note: to view the newly added vulnerabilities in the catalog, click on the arrow in the "Date Added to Catalog" column, which will sort by descending dates.
Note: CISA previously added and then removed today's addition, CVE-2022-26925, from the KEV Catalog after determining that remediations associated with this vulnerability would break certificate authentication for many federal agencies. Details:
- CVE-2022-26925 was mitigated by Microsoft's June 2022 Patch Tuesday update.
- The Microsoft update also includes remediations for CVE-2022-26923 and CVE-2022-26931, which change the way certificates are mapped to accounts in Active Directory. These changes break certificate authentication for many federal agencies.
- For this reason, CISA has also published a Knowledge Article that provides critical steps that must be followed to prevent service outages. Agencies should review this Knowledge Article carefully before beginning the mitigation process.
Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known CVEs that carry significant risk to the federal enterprise. BOD 22-01 requires FCEB agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.
Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the Catalog that meet the specified criteria.
This product is provided subject to this Notification and this Privacy & Use policy.
CISA
A Guide to Surviving a Ransomware Attack
1 day 15 hours ago
Oliver Tavakoli, CTO at Vectra AI, gives us hope that surviving a ransomware attack is possible, so long as we apply preparation and intentionality to our defense posture.
Oliver Tavakoli

Critical ManageEngine ADAudit Plus Vulnerability Allows Network Takeover, Mass Data Exfiltration
1 day 12 hours ago
An unauthenticated remote code execution vulnerability found in Zoho's compliance tool could leave organizations exposed to an information disclosure catastrophe, new analysis shows.
Nathan Eddy, Contributing Writer, Dark Reading

Study Reveals Traditional Data Security Tools Have a 60% Failure Rate Against Ransomware and Extortion
1 day 10 hours ago
Titaniam's 'State of Data Exfiltration & Extortion Report' also finds that while over 70% of organizations had heavy investments in prevention, detection, and backup solutions, the majority of victims ended up giving in to attackers' demands.

A Fintech Horror Story: How One Company Prioritizes Cybersecurity
1 day 10 hours ago
A password link that didn't expire leads to the discovery of exposed personal information at a payments service.
Cesar Cerrudo, Chief Research Officer, Strike

NXM Announces Platform That Protects Space Infrastructure and IoT Devices From Cyberattacks
1 day 10 hours ago
NXM Autonomous Security protects against network-wide device hacks and defends against critical IoT vulnerabilities.

#StopRansomware: MedusaLocker
1 day 10 hours ago
Original release date: June 30, 2022
CISA, the Federal Bureau of Investigation (FBI), the Department of the Treasury (Treasury), and the Financial Crimes Enforcement Network (FinCEN) have released a joint Cybersecurity Advisory (CSA), #StopRansomware: MedusaLocker, to provide information on MedusaLocker ransomware. MedusaLocker actors target vulnerabilities in Remote Desktop Protocol (RDP) to access victims' networks. Note: this joint #StopRansomware CSA is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors.
CISA, FBI, Treasury and FinCEN encourage network defenders to examine their current cybersecurity posture and apply the recommended mitigations in this joint CSA, which include:
- Prioritize remediating known exploited vulnerabilities.
- Train users to recognize and report phishing attempts.
- Enable and enforce multifactor authentication.
See #StopRansomware: MedusaLocker to learn about MedusaLocker actors' tactics, techniques, and procedures and the recommended mitigations. Additionally, review the U.S. government resource StopRansomware.gov for more guidance on ransomware protection, detection, and response.
CISA

18 Zero-Days Exploited So Far in 2022
1 day 7 hours ago
It didn't have to be this way: so far, 2022's tranche of zero-days shows too many variants of previously patched security bugs, according to Google Project Zero.
Tara Seals, Managing Editor, News, Dark Reading

Shifting the Cybersecurity Paradigm From Severity-Focused to Risk-Centric
2 days 13 hours ago
Embrace cyber-risk modeling and ask security teams to pinpoint the risks that matter and prioritize remediation efforts.
Ran Abramson, Threat Intelligence Analyst, Skybox Security