Table of Contents
1. Technology news and Security updates
1.1 Security starts with you
1.2 G Suite customers leak internal data via Groups
1.3 China crams spyware on phones in Muslim-majority province
1.4 Pathetic patching leaves over 70,000 Memcached servers still up for grabs
1.5 Bitdefender: Organizations must empower IT staff to mitigate cyber threats
1.6 Qualys unveils CloudView app framework for public cloud security
1.7 Ubiquiti firmware patch stomps nasty redirect bug from login screen
1.8 600+ samples of Spring Dragon APT malware spotted
1.9 Variant of Surveillance Malware Fruitfly Targeting Mac Users
2. Cyber crime and Intelligence in the news
2.1. The source code of SLocker ransomware has been leaked online
2.2. Hundreds of companies expose PII, private emails through Google Groups error
2.3. Veritaseum hack: $8.4m worth Ethereum stolen by hackers in yet another heist
2.4. Hackers Breach Casino After Compromising a Smart Fish Tank
2.5. Sweden transport agency slips up, leaks top secret data
2.6. Newcastle University spoofed in phishing scam
3. Technical Security Alerts
3.1 Vulnerabilities, Malware and exploits
1. Technology news and Security updates:
1.1 Security starts with you
A storm of cyber threats is hitting South Africa in the form of increased malware attacks,
primarily on businesses. Organisations around the world – and in South Africa – have
been crippled in the latest attacks. In view of the numerous recent incidents, one must
conclude that cyber security is as much a priority as physical security, says Parsec
Senior Product Manager Jaco Botha.
From a business or personal point of view, the theft of personal, financial and health
records is disturbing; however, the business impact of a ransomware or similar denial of
service attack could be devastating. It is now more vital than ever that businesses and
their employees are educated about the importance of being secure against
attacks.
Botha says: "Simply put, cyber security is around protecting everything while you're
online, including people, devices, assets, data and pretty much everything that's
connected, against all sorts of threats that are present in a hyper-connected world."
Source: http://www.itweb.co.za/index.php?option=com_content&view=article&id=163575:Security-starts-with-you&catid=234
1.2 G Suite customers leak internal data via Groups
Tick a box configuration mistake. A simple configuration mistake has seen hundreds of
companies using Google's G Suite productivity platform publish internal information to
the internet, researchers have found.
G Suite provides the Google Groups sharing and messaging service, which was
originally designed as a gateway to Usenet newsgroups.
In an advisory, security vendor RedLock said several companies have allowed outside
access to messages posted on their Google Groups forums, potentially exposing
sensitive internal data to anyone on the internet.
The information leaked was in some cases sensitive personal data such as employee
email and home addresses and phone numbers.
Among the companies listed by RedLock as having exposed private information are
IBM-owned The Weather Company and helpdesk provider Freshworks.
Publisher Fusion Media Group, the parent company of well-known sites such as
Gizmodo, Lifehacker, The Onion, Kotaku, io9 and others, has also inadvertently leaked
organisational data.
Source: https://www.itnews.com.au/news/g-suite-customers-leak-internal-data-via-groups-469182
1.3 China crams spyware on phones in Muslim-majority province
The Chinese government is requiring citizens in Xinjiang province to install spyware on
their mobile phones and is enforcing the policy with police spot-checks, according to
several online reports.
Reflecting a country-wide clampdown on internet usage, users of WeChat in the regional
capital of Urumqi received a message on their phones earlier this month instructing them
to install an app called Jing Wang – "clean internet" in Chinese.
Those who do not install the app face up to 10 days in detention, the notice warned.
And the police have been following up on that threat, according to several online posts.
One news article reported that 10 Kazakh women in the region were arrested after a
group chat discussion about immigrants was picked up by censors. And at the weekend,
a widely shared Twitter post showed a police checkpoint where citizens were forced to
hand over their phones to be checked for the spyware.
Source: http://www.theregister.co.uk/2017/07/24/china_installing_mobile_spyware/
1.4 Pathetic patching leaves over 70,000 Memcached servers still up for grabs
If you're running the caching service Memcached, and particularly if you're exposing it to
the public internet for some reason, please make sure you've patched it. Tens of
thousands of vulnerable systems haven't.
Back in October, researchers at Cisco’s Talos security team found three major security
vulnerabilities that would allow hackers easy access to running installations of version
1.4.31 of Memcached and earlier, with a critical flaw in the binary protocol and Simple
Authentication and Security Layer (SASL) code. The holes were fixed, and users
including big names like Facebook and Reddit were advised to get patching.
But from scans of the public internet, it seems that some people weren't listening very
hard. In February, Cisco did a sweep and found that: more than 85,000 public-facing
instances were still unpatched and vulnerable, only 22 per cent required any
authentication for access, and of that 22 per cent, all but one per cent of the
authenticated servers were not secure because patches hadn’t been properly installed.
“We made queries for all IP addresses to get contact emails for responsible
organizations in order to send a notification with a simple explanation and suggestions to
remedy this issue,” Cisco said. “This resulted in about 31 thousand unique emails which
are pending notifications.”
Source: http://www.theregister.co.uk/2017/07/24/70000_memcached_servers_exposed/
1.5 Bitdefender: Organizations must empower IT staff to mitigate cyber threats
With the WannaCry ransomware and Petya malware attack recently causing damage to
organizations worldwide, even halting chocolate production at Cadbury's Hobart factory,
security firm Bitdefender has urged organizations to assist IT teams in preparing for, and
mitigating against, future attacks.
According to Bogdan Botezatu, senior e-threat analyst at Bitdefender, organizations
need to have mitigation in mind as it's a matter of when an attack happens, not if.
Speaking with ZDNet while visiting Sydney from Romania, Botezatu said organizations
first need to understand what type of security they need and not overlook any aspect,
while also trying to see through the noise, such as marketing buzzwords and an over-saturated cybersecurity industry.
"An enterprise has a diverse range of technologies ... all these are potential threats," he
explained. "It's no use for you to have the best end-point security solution if your
payment processor in the cloud is left open."
Botezatu said a standard IT team finds itself constantly under fire, and it's important that
the responsibility doesn't just lie with them.
Source: http://www.zdnet.com/article/bitdefender-organisations-must-empower-it-staff-to-mitigate-cyber-threats/
1.6 Qualys unveils CloudView app framework for public cloud security
Qualys has launched CloudView, a solution designed to keep public cloud infrastructure
secure.
On Monday, Qualys said that CloudView is designed to control and monitor security
policies applied to public cloud services on Amazon Web Services (AWS), Microsoft's
Azure and the Google Cloud Platform.
The cloud security and services provider said the new app framework in the Qualys
Cloud Platform provides "comprehensive and continuous protection of cloud infrastructure,
delivering InfoSec and DevSecOps teams a "single pane of glass" view of security and
compliance across cloud infrastructures."
The initial release of Qualys CloudView includes two apps, the Cloud Inventory (CI) app,
and the Cloud Security Assessment (CSA) application.
The CI app integrates with native APIs from public cloud providers to discover
resources, connections, and monitor systems for security issues related to industry
standards and architectural best practices and also provides topological views of the
infrastructure and relationships across cloud resources.
IT staff can search through these views to analyse locations, layouts, and security
groups to reach the root of any security problems.
Source: http://www.zdnet.com/article/qualys-unveils-cloudview-app-framework-for-public-cloud-security/
1.7 Ubiquiti firmware patch stomps nasty redirect bug from login screen
Popular wireless networking hardware vendor Ubiquiti patched a couple of serious
vulnerabilities back in March and April – without telling the people who reported the
bugs.
If sysadmins weren't paying attention, they might not have noticed the importance of the
patches.
The bug patched in firmware version 6.0.3 was an open redirect at the administrative
login, found independently by SEC Consult and a bounty-hunter. Both filed the bug with
HackerOne.
An exploit would be fairly straightforward, since all the attacker needed to do was
append their own site as the login page's target in the uri parameter:
http://<IP-of-Device>/login.cgi?uri=https://www.sec-consult.com
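The defensive counterpart to that bug is a redirect-target check that a login handler runs before honouring a uri parameter. The following is an added example written for this digest, not Ubiquiti's firmware code; the function names are hypothetical, and it assumes the login page should only ever send the browser to a path on the same device.

```python
from urllib.parse import unquote, urlsplit


def is_safe_redirect(uri: str) -> bool:
    """Return True only for a path-only target on the current host.

    Rejects everything that could carry the browser to another origin:
    absolute URLs with a scheme, scheme-relative '//host' forms, the
    backslash variants browsers normalise to '//', percent-encoded
    versions of those, and control characters used to smuggle a scheme.
    """
    if not uri:
        return False
    # Decode twice so '%2F%2Fhost' and a double-encoded '%252F%252Fhost'
    # are both seen as '//host' before the checks below.
    decoded = unquote(unquote(uri))
    # Browsers treat '\' like '/' in URLs, so '/\host' behaves as '//host'.
    decoded = decoded.replace("\\", "/")
    # Whitespace and control characters are never legitimate here.
    if any(ord(ch) < 0x21 for ch in decoded):
        return False
    parts = urlsplit(decoded)
    # Any scheme ('https:', 'javascript:') or authority ('//host') is external.
    if parts.scheme or parts.netloc:
        return False
    # Accept only an absolute local path; '///host' style is still external.
    return decoded.startswith("/") and not decoded.startswith("//")


def resolve_login_target(uri: str, default: str = "/") -> str:
    """Target the login page should redirect to after authentication.

    Falls back to the default landing path instead of following an
    untrusted uri value. Hypothetical helper for the example above.
    """
    return uri if is_safe_redirect(uri) else default


if __name__ == "__main__":
    # Constructed sample values illustrating accepted and rejected targets.
    for candidate in ("/index.cgi?tab=status", "https://www.sec-consult.com",
                      "//www.sec-consult.com", "/\\www.sec-consult.com",
                      "%2F%2Fwww.sec-consult.com", "javascript:alert(1)"):
        print(f"{candidate!r:40} -> {resolve_login_target(candidate)}")
```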
Affected products include AirRouter, the TS-8-PRO switch, and various transceivers in
the LBE, NBE, PBE, and RM2-Ti access points.
The other bug affected the company's EdgeRouter products. An initialisation error in
/files/index created a reflected cross-site-scripting vulnerability that would let an attacker
hijack a user's session.
Source: http://www.theregister.co.uk/2017/07/25/ubiquiti_firmware_patch/
1.8 600+ samples of Spring Dragon APT malware spotted
The Chinese-speaking APT group Spring Dragon, a.k.a. LotusBlossom, has increased
attacks against high-profile organizations around the South China Sea.
Kaspersky researchers managed to collect more than 600 samples of malware from the
group suggesting they are operating on a massive scale.
The group is known for using spearphishing and watering hole techniques to target
governmental organizations and political parties, educational institutions, as well as
companies from the telecommunications sector, according to a July 24 blog post.
Researchers said the threat actors behind the campaigns have been developing and
updating their range of tools, which consists of various backdoor modules with unique
characteristics and functionalities, throughout the years.
The threat actors own a large C2 infrastructure which comprises more than 200 unique
IP addresses and C2 domains and all the backdoor modules in the APT's toolset are
capable of downloading more files onto the victim's machine, uploading files to the
attacker's servers, and also executing any executable file or any command on the
victim's machine, researchers said.
Source: https://www.scmagazine.com/spring-dragon-targeting-high-profile-entities-around-south-china-sea/article/677106/
1.9 Variant of Surveillance Malware Fruitfly Targeting Mac Users
In January this year, a dangerous surveillance malware was found targeting Mac and
Linux devices. The malware was discovered by Thomas Reed, an IT security
researcher at Malwarebytes, who called it Quimitchin, while Apple Inc. labeled it
Fruitfly.
The main purpose of infecting Macs with Fruitfly was to perform spying operations, and
biomedical research institutes were its main targets. When a Mac is infected with Fruitfly,
it gathers information about the local network and all the devices connected to
it.
The malware is quite sophisticated since it can compromise the webcam of Mac
machine, capture screenshots, simulate key presses and mouse clicks. It also provides
an attacker the remote control of a targeted device.
Source: https://www.hackread.com/variant-of-surveillance-malware-fruitfly-targeting-mac-users/
2. Cyber crime and Intelligence in the news:
2.1. The source code of SLocker ransomware has been leaked online
The SLocker family is one of the oldest Android lock-screen and file-encrypting
ransomware families and used to impersonate law enforcement agencies to persuade victims to
pay the ransom.
SLocker ransomware was first detected in 2015; it was the first ransomware to encrypt
Android files. It poses as game guides, video players, and so on in order to
lure victims into installing it. When first installed, its icon looks like a
normal game guide or cheating tool. Once the ransomware runs, the application
changes its icon and name, along with the wallpaper of the infected device.
The ransomware source code has been leaked on GitHub by an unknown user called
“fs0c1ety”. The hacker is asking everyone to contribute to the source code and submit
bug reports.
Source: https://latesthackingnews.com/2017/07/24/source-code-slocker-ransomware-leaked-online/
2.2. Hundreds of companies expose PII, private emails through Google Groups error
A small settings error has resulted in the exposure of confidential business emails and
employee data, researchers have warned.
On Monday, RedLock revealed in a blog post that companies including IBM's Weather
Company, Fusion Media Group -- the parent firm of companies including Gizmodo, The
Onion, and Lifehacker -- as well as helpdesk support service provider Freshworks and
video ad platform SpotX were affected by the security issue.
According to the team, "hundreds" of Google Groups have publicly exposed messages
containing sensitive information belonging to such companies, all because of a
customer-controlled configuration error in the service.
Google Groups is used by companies as a collaborative tool and communication
platform. Email-based groups are used to maintain communication and control
messages between teams, but when these groups are created with the "public on the
Internet" sharing setting rather than "private" through the "Outside this domain -- access
to groups" tab, messages sent between members can be viewed publicly without the
requirement of being a member of the group.
RedLock researchers found that email addresses, email content, personally identifiable
information (PII) including employee salary compensation, sales pipeline data, customer
passwords, names, and home addresses at hundreds of companies were left online for
the world to see.
Screenshot images viewed by ZDNet verified the exposure of information belonging to
Fusion Media Group and SpotX which included email messages, contact details, and
personal discussions between executives and staff.
Source: http://www.zdnet.com/article/simple-settings-failure-in-google-groups-caused-exposure-of-private-company-employee-data/
2.3. Veritaseum hack: $8.4m worth Ethereum stolen by hackers in yet another heist
Hackers hit yet another Ethereum platform, stealing over $8m (£6m) in the second Initial
Coin Offering (ICO) hack in a month. Veritaseum founder Reggie Middleton confirmed
the hack, adding that the hackers stole $8.4m worth of Ethereum and "dumped all of
them within a few hours into a heavy cacophony of demand".
Veritaseum was hacked while it held its ICO over the weekend. An ICO allows investors to
purchase the platform's tokens, similar to an IPO. Although the stolen Ethereum was
initially dumped into two wallets, the hackers have since moved the funds into other
accounts.
"We were hacked, possibly by a group. The hack seemed to be very sophisticated, but
there is at least one corporate partner that may have dropped the ball and be liable.
We'll let the lawyers sort that out, if it goes that far," Middleton said.
"At the end of the day, the amount stolen was minuscule (less than 00.07%) although the
dollar amount was quite material," Middleton added. "Without the Veritaseum team, the
tokens are literally worthless! If someone were to confiscate 100% of the
available tokens, all we need to do is refuse to stand behind them and recreate the token
under a new contract. The Veritaseum team is what powers the value behind the Veritas
token. A large theft of those tokens after a fork is as valuable as stealing 90M empty
plastic cups."
Source: http://www.ibtimes.co.uk/veritaseum-hack-8-4m-worth-ethereum-stolen-by-hackers-yet-another-heist-1631745
2.4. Hackers Breach Casino After Compromising a Smart Fish Tank
A casino in the United States was compromised after hackers managed to infiltrate into
its network and steal undisclosed data after first breaking into a smart fish tank
connected to the Internet.
In case you're wondering why a fish tank needs to be connected to the Internet, it's
because the casino wanted to do everything remotely, with employees using a remote
connection to feed the fish and get all the information instantly, such as water
temperature.
But it was this connection that exposed the fish tank, and eventually, the entire casino, to
hackers, as an unnamed group of attackers managed to infiltrate into the network and
upload data on a server in Finland. The breach was eventually discovered, and the flaw
was fixed, but there still are a few questions that need to be answered before connecting
smart devices to the Internet.
Source: http://news.softpedia.com/news/hackers-breach-casino-after-compromising-a-smart-fish-tank-517134.shtml
2.5. Sweden transport agency slips up, leaks top secret data
Believing it was moving sensitive data to the cloud under a 2015 outsourcing agreement
with IBM, Sweden's Transport Agency inadvertently sent information on every vehicle
nationwide to marketers that subscribed to it and then allegedly covered up the leak,
with only a slap on the wrist to the agency's director.
“Sweden's Transport Agency moved all of its data to ‘the cloud,' apparently unaware that
there is no cloud, only somebody else's computer,” Pirate Party Founder Rik Falkvinge,
who heads up privacy at Private Internet Access, a VPN provider, wrote in a blog post.
“In doing so, it exposed and leaked every conceivable top secret database: fighter pilots,
SEAL team operators, police suspects, people under witness relocation. Names, photos,
and home addresses: the list is just getting started.”
Falkvinge derided the punishment meted out by Swedish courts. “The responsible
director has been found guilty in criminal court of the whole affair, and sentenced to the
harshest sentence ever seen in Swedish government: she was docked half a month's
paycheck,” he said of the agency's former director-general, Maria Ågren.
Even after discovering that the database had been sent to marketers in clear text, the
agency simply asked them to delete the list and sent out a new one. Not only was the
information available to those who received the email, it could also be accessed by IBM
employees without security clearance working in the Czech Republic, TheLocal
reported, citing an article in Dagens Nyheter, a Swedish newspaper, which allegedly had
viewed documents from a probe by the Swedish Security Service, Säpo.
Source: https://www.scmagazine.com/sweden-transport-agency-slips-up-leaks-top-secret-data/article/677078/
2.6. Newcastle University spoofed in phishing scam
Cybercriminals went to extreme lengths to clone the Newcastle University website going
as far as to create dozens of sub-pages explaining different programs offered by the
university.
While the fraudsters made a few errors in the phony site, those unfamiliar with the
actual site, such as foreign exchange students, might easily mistake it for the real one. The
hackers incorrectly referred to the school on the phishing site as the "Newcastle
International University" instead of "Newcastle University", both in the URL and
throughout the site.
Hackers also used the incorrect coat of arms for the school. Despite the flaws, it is
possible that some have been duped into disclosing their information on the phony
applications, though it's unclear how many; the University has acknowledged the
scam. The fake site requests payment card data and other personally identifiable
information.
Source: https://www.scmagazine.com/newcastle-university-site-spoofed-to-steal-pii/article/676920/
3. Technical Security Alerts:
Technical security alerts cover current security issues, vulnerabilities, malware and exploits, published proactively to give timely
information about their impact, propagation and remediation. This information is collected so that technical teams can protect their
infrastructure environments.
3.1 Vulnerabilities, Malware and exploits
The table below lists the recent vulnerabilities, malware and exploits identified by the ICT Security Monitoring Services team for today. Each entry gives the name and source, description, propagation, technologies and software affected, remedy and severity.

Name: Schneider Electric PowerSCADA Anywhere and Citect Anywhere State-Change Request Cross-Site Request Forgery Vulnerability
Source: https://tools.cisco.com/security/center/viewAlert.x?alertId=54555
Vendor announcements: Schneider Electric has released security notifications at the following links: Citect Anywhere - May 19, 2017 and SEVD-2017-173-01. ICS-CERT has released a security advisory at the following link: ICSA-17-201-01
Description: A vulnerability in the secure gateway component of Schneider Electric PowerSCADA Anywhere and Citect Anywhere for multiple state-changing requests could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack. The vulnerability is due to a lack of CSRF protections by an affected device. An attacker could exploit this vulnerability by convincing a user to follow a malicious link. A successful exploit could allow the attacker to perform arbitrary actions on the affected device on behalf of the targeted user.
Technologies and software affected: Schneider Electric: Citect Anywhere 1.0 (.0); PowerSCADA Anywhere 1.0 (.0); PowerSCADA Expert 8.1 (.0) | 8.2 (.0)
Remedy: Schneider Electric has released software updates at the following links: PowerSCADA Anywhere version 1.1; Citect Anywhere version 1.1
Severity: High risk

Name: Corel CorelDRAW X8 EMF Parser Code Execution Vulnerability
Source: https://tools.cisco.com/security/center/viewAlert.x?alertId=54559
Description: A vulnerability in the Enhanced Meta File (EMF) parsing functionality of Corel CorelDRAW X8 could allow an attacker to execute arbitrary code. The vulnerability is due to improper parsing of EMF files by the affected software. An attacker could exploit this vulnerability by persuading a targeted user to open a crafted EMF file.
Technologies and software affected: CorelDRAW X8 (18.1.0.661)
Remedy: Corel has not publicly confirmed the vulnerability and software updates are not available.
Severity: High risk
End: