SR-021.012023: MyCERT Report - MyCERT Quarterly Threat Report Q3 2022

  • 27 Jan 2023
  • Report
  • report, Q3, Summary

MyCERT 3rd Quarter 2022 Summary Report  
 
1.0  Introduction
The MyCERT Quarterly Threat Report provides an overview of computer security incidents handled by the Malaysia Computer Emergency Response Team (MyCERT), a department within CyberSecurity Malaysia. This quarterly report also highlights statistics of incidents handled by MyCERT in Q3 2022 according to categories, as well as the list of security advisories released in this quarter. It should be noted that the statistics provided in this report reflect only the total number of incidents reported to and handled by MyCERT, excluding elements such as monetary value or the aftermath of the incidents. Computer security incidents handled by MyCERT are those involving IP addresses and domains originating from Malaysia. MyCERT works closely with ISPs, CERTs, Special Interest Groups and LEAs, both local and international, to remediate and mitigate computer security incidents in Malaysia.
 
2.0  Trends Q3 2022
The number of Malaysians using digital devices and connected to the Internet has increased dramatically. As of January 2022, the estimated number of Internet users in Malaysia is 29.55 million out of a total population of 32.98 million. According to the Home Minister, the number of recorded cases associated with cyberbullying, fraud, intrusion, phishing and email scams had nearly doubled, making cybersecurity one of Malaysia's top concerns in view of the drastic rise in online crimes reported in the country.
In general, MyCERT receives incident reports from local individuals, including Internet users and members of the public, as well as from industries, government, academia and non-profit organisations (NGOs). MyCERT also proactively monitors and gathers insights on cyber threats that could impact national security and critical infrastructure in Malaysia and helps mitigate these threats.
MyCERT's Cyber999, a cybersecurity incident response centre, received 2,240 incidents from July to September 2022. In comparison, the second quarter (Q2) of 2022 recorded a total of 1,977 incidents, so Q3 shows a 13% increase.


Table 1 below compares the reported incidents for Q2 2022 and Q3 2022 according to incident categories.

Categories of Incidents    Q2 2022   Q3 2022   Change (%)
Content Related                 11        18           64
DoS                              7         4          -43
Fraud                         1391      1289           -7
Intrusion                      222       203           -9
Intrusion Attempt               35        73          109
Malicious Codes                248       308           24
Spam                            49       340          594
Vulnerabilities Report          14         5          -64
TOTAL                         1977      2240           13

Table 1: Comparison of total incidents between Q2 2022 and Q3 2022
 

Categories of Incidents    July   Aug   Sept
Content Related               1    10      7
DoS                           0     1      3
Fraud                       429   294    566
Intrusion                    82    45     76
Intrusion Attempt            32    21     20
Malicious Codes              98   124     86
Spam                        286    27     27
Vulnerabilities Report        3     2      0
TOTAL                       931   524    785

Table 2: Number of incidents based on months in Q3 2022

Figure 1: Breakdown of reported incidents from July to Sept 2022
 

Figure 2: Percentage of reported incidents by classification
 
Based on the above statistics, there is an upward trend in which a few incident categories reported to MyCERT increased in Q3 2022 compared to Q2 2022, with two categories remaining lower. Malicious code, for one, showed an increase of 24%. Of the total incidents in Q3 2022, the top reported category is fraud, representing 57.54% of all incidents reported to MyCERT, followed by spam (15.18%) and malicious code (13.75%).
Based on current and past trends, malware-related incidents will most likely continue to grow in Malaysia and will remain among the top incidents reported to MyCERT if Internet users do not take proper security measures as prevention. This is followed by fraud incidents, which could also continue to grow in Malaysian cyberspace.
2.1 Top Fraud Incidents Reported by Malaysian Internet Users to MyCERT
Scam activities and fraud continue to prevail within the community, targeting citizens from students to professionals. They have become a preferred method of criminals because awareness is still lacking among the public, which makes them easier targets. A total of 1,289 fraud incidents were handled this quarter, a decrease of 7% compared to Q2 2022. All the incidents were received from organisations and individuals. The top fraud incidents reported to MyCERT are:
  • Phishing
  • Impersonation and spoofing
  • Fraudulent website
  • Job scam
  • Bogus email
  • Business email compromise (BEC)

Based on a report by the New Straits Times on 14 March 2022, online scammers gained RM1.6 billion from over 51,631 incidents reported between 2019 and 2021. Internet users and organisations must therefore be vigilant when conducting online or e-commerce transactions to avoid becoming victims of online fraud.
 
2.2 Top Malware Infection in Malaysia
The second most reported incident category in this quarter is spam. Most of the spam incidents were received from spam feeds and fall under the spam relay subcategory. The third most reported category is malicious code, which includes malware hosting, ransomware, malicious APKs, backdoors and trojans. Among these, the top reported malware incident is related to malicious APKs. This type of incident is typically received from banking users who report directly to local financial institutions. Users must be vigilant and keep their systems up to date with the latest patches and security measures to prevent unwanted incidents, especially those related to mobile phone security. The second most reported incident within the malware category is malware hosting, which covers malware hosted on vulnerable servers with IP addresses originating from Malaysia. These incidents are usually received from foreign entities such as anti-virus vendors and Special Interest Groups. System administrators must be vigilant and always keep their systems up to date with the latest patches and security measures to prevent unwanted incidents.
 
Nevertheless, ransomware incidents decreased in Q3 2022 compared to the previous quarter. Ransomware is malicious software (malware) that infects a computer and restricts access until the requested ransom is paid. Our findings identified that ransomware incidents frequently occur among business organisations, and the incidents are mostly reported by commercial businesses, consistent with the Verizon 2022 DBIR, which reports that organisations, including businesses, are the most impacted by ransomware across the globe. It is also considered the costliest attack among other threats, involving the cost of recovering all data and rectifying infected machines.
Below we list the top malware that infected computers belonging to individuals and organisations in Malaysia, as reported to MyCERT:
  • avalanche-andromeda
  • dltminer
  • sinkhole
  • downadup
  • m0yv
  • sality
  • android.hummer
  • sality-p2p
  • js.worm.bondat
  • necurs
  • lethic
Good backup management and cybersecurity awareness are essential in combating ransomware and other types of malware. Backup procedures, policies and best practices need to be implemented by everyone. Running awareness campaigns to keep users up to date with the latest cyber threat landscape and conducting organisation-level tabletop exercises to test user understanding are among the best ways to improve an organisation's cybersecurity.
 
3.0  Security Advisories and Alerts Released in Q3 2022
In Q3 2022, MyCERT issued 17 advisories and 9 alerts, involving Mozilla, Microsoft, Apple and VMware security updates, among others. Each alert and advisory comes with a description, recommendations and references. Highlights of the advisories and alerts for this quarter are:
1. MA-843.072022: MyCERT Alert - Security Best Practices on Safe Online Transaction and Safeguarding Banking Information
URL: https://www.mycert.org.my/portal/advisory?id=MA-843.072022
2. MA-842.072022: MyCERT Alert - Amalan Terbaik Keselamatan Mengenai Pelanggaran Data
URL: https://www.mycert.org.my/portal/advisory?id=MA-842.072022
3. MA-845.072022: MyCERT Alert - Large-scale Phishing Campaign Bypasses MFA
URL: https://www.mycert.org.my/portal/advisory?id=MA-845.072022
4. MA-846.072022: MyCERT Alert - Alert on Fake Winning Contest Shopee
URL: https://www.mycert.org.my/portal/advisory?id=MA-846.072022
5. MA-847.082022: MyCERT Alert - Peraduan Menang Palsu Shopee 
URL: https://www.mycert.org.my/portal/advisory?id=MA-847.082022
6. MA-848.082022: MyCERT Alert - Merdeka Day Best Practices Alert
URL: https://www.mycert.org.my/portal/advisory?id=MA-835.052022
7. MA-849.082022: MyCERT Alert - Security updates available for Google Chrome (CVE-2022-2856)
URL: https://www.mycert.org.my/portal/advisory?id=MA-849.082022
8. MA-858.092022: MyCERT Alert - IOCs and TTP Associated with Vice Society Actors 
URL: https://www.mycert.org.my/portal/advisory?id=MA-858.092022
9. MA-862.092022: MyCERT Alert - MyPetronas Malicious Application
URL: https://www.mycert.org.my/portal/advisory?id=MA-862.092022
10. MA-865.092022: MyCERT Advisory - Whatsapp Security Advisories for CVE-2022-36934 and CVE-2022-27492
URL: https://www.mycert.org.my/portal/advisory?id=MA-865.092022
 
Internet users and organisations may refer to the following URL for other advisories and alerts released by MyCERT: 
https://www.mycert.org.my/portal/advisories?id=431fab9c-d24c-4a27-ba93-e92edafdefa5
 
4.0 Conclusion
Overall, the number of computer security incidents reported to MyCERT this quarter shows a slight upward trend compared to the previous quarter, with a 13% increase. Though this is a small percentage, organisations and individuals must not assume that our cyberspace is now secure but must always ensure readiness and preparedness against potential threats. Furthermore, no significant or severe incident was observed in this quarter. Nevertheless, users and organisations must stay constantly vigilant of the latest computer security threats and are always advised to take measures to protect their systems and networks from these threats. Hence, MyCERT strongly recommends that all Internet users stay aware of today's cybercrime trends and adhere to the best cyber hygiene practices. This includes secure handling of emails from unknown sources, secure web browsing, purchasing goods online and using social media applications. Always check the legitimacy of applications, portals, merchants, services and products before conducting any online transaction. As the complexity of cyber threats continues to increase, organisations and individuals without proper awareness could become another statistic among reported incidents.
 
Malaysian Internet users and organisations may contact MyCERT for assistance at the below contact:
E-mail: cyber999[at]cybersecurity.my 
Phone: 1-300-88-2999 (monitored during business hours) 
Mobile: +60 19 2665850 (24x7 call incident reporting)  
Business Hours: Mon - Fri 09:00 -18:00 MYT 
Web: https://www.mycert.org.my 
Twitter: https://twitter.com/mycert 
Facebook: https://www.facebook.com/mycert.org.my
 

SR-020.112022: MyCERT Report - MyCERT Threat Report Q2 2022

  • 07 Nov 2022
  • Report
  • threat, report, Q2

MyCERT 2nd Quarter 2022 Summary Report
 
1.0  Introduction
The MyCERT Quarterly Threat Report provides an overview of computer security incidents handled by the Malaysia Computer Emergency Response Team (MyCERT), a department within CyberSecurity Malaysia. This quarterly report also highlights statistics of incidents handled by MyCERT in Q2 2022 according to categories, as well as the list of security advisories released in this quarter. It should be noted that the statistics provided in this report reflect only the total number of incidents reported to and handled by MyCERT, excluding elements such as monetary value or the aftermath of the incidents. Computer security incidents handled by MyCERT are those involving IP addresses and domains that originate from Malaysia. MyCERT also works closely with ISPs, CERTs, Special Interest Groups and LEAs, both local and international, to remediate and mitigate computer security incidents in Malaysia.
 
2.0  Trends Q2 2022
The number of Malaysians using digital devices and connected to the Internet has increased dramatically. As of January 2022, the estimated number of Internet users in Malaysia is 29.55 million, out of a total population of 32.98 million. According to a statement from the Home Minister, the number of recorded cases associated with cyberbullying, fraud, intrusion, phishing and email scams had nearly doubled, making cybersecurity one of Malaysia's top concerns in view of the drastic rise in online crimes reported in the country.
 

In general, MyCERT receives incident reports from local individuals, including Internet users and members of the public, as well as from industries, government, academia and non-profit organizations (NGOs). MyCERT also proactively monitors and gathers insights on cyber threats that could potentially impact national security and critical infrastructure in Malaysia and helps mitigate these threats. MyCERT's Cyber999, a cybersecurity incident response centre, received a total of 1,977 incidents in Q2 2022, from April to June 2022. In comparison, the first quarter (Q1) of 2022 recorded a total of 1,785 incidents, so Q2 shows an 11% increase.
 

Table 1 below compares the reported incidents for Q1 2022 and Q2 2022 according to incident categories.

Categories of Incidents    Q1 2022   Q2 2022   Change (%)
Content Related                  2        11          450
DoS                              3         7          133
Fraud                         1242      1391           12
Intrusion                      172       222           29
Intrusion Attempt               31        35           13
Malicious Codes                304       248          -18
Spam                            19        49          156
Vulnerabilities Report          12        14           17
TOTAL                         1785      1977           11

Table 1: Comparison of total incidents between Q1 2022 and Q2 2022

Categories of Incidents    Apr   May   June
Content Related              2     2      7
DoS                          1     4      2
Fraud                      396   509    486
Intrusion                   74    59     89
Intrusion Attempt            6    15     14
Malicious Codes            103    70     75
Spam                        15     7     27
Vulnerabilities Report       4     5      5
TOTAL                      601   671    705

Table 2: Number of incidents based on months in Q2 2022

 

 

Figure 1: Breakdown of reported incidents from April to June 2022

 

Figure 2: Percentage of reported incidents by classification

 
Based on the above statistics, there is an upward trend in which almost all incident categories reported to MyCERT increased in Q2 2022 compared to Q1 2022, with one category remaining lower: malicious code incidents showed a decrease of 18%. Of the total incidents in Q2 2022, the top reported category is fraud, representing 70.36% of all incidents reported to MyCERT, followed by malicious code (12.54%) and intrusion (11.3%).
Based on observation of current and past trends, fraud-related incidents are most likely to continue to grow in Malaysia and will potentially remain the top incidents reported to MyCERT if proper security measures are not taken by Internet users as prevention. This is followed by fraud incidents, which could also continue to grow in Malaysian cyberspace.


2.1 Top Fraud Incidents Reported by Malaysian Internet Users to MyCERT
Scam activities and fraud continue to prevail within the community, targeting citizens at all levels, from students to professionals. They have become a preferred method of cyber criminals because awareness is still lacking among the public, which makes them easier targets. A total of 1,391 fraud incidents were handled in this quarter, an increase of 12% compared to Q1 2022. All the incidents were received from organizations and individuals. The top fraud incidents reported to MyCERT are:
  • Phishing
  • Impersonation and spoofing
  • Fraudulent website
  • Job scam
  • Bogus email
  • Parcel/Love scam
  • Lottery scam
  • Business email compromise (BEC)

Based on a report by the New Straits Times on 14 March 2022, online scammers gained RM1.6 billion from over 51,631 incidents reported between 2019 and 2021. Internet users and organizations must therefore be vigilant when conducting online or e-commerce transactions so as not to become victims of online fraud.


2.2 Top Malware Infection in Malaysia
The second most reported incident category in this quarter is malware. This includes malware hosting, ransomware, malicious APKs, backdoors and trojans. Among these, the top reported malware incident is related to malicious APKs. This type of incident is normally received from banking users who report directly to local financial institutions. Users must be vigilant and always keep their systems up to date with the latest patches and security measures to prevent unwanted incidents, especially those related to mobile phone security. The second most reported incident within the malware category is malware hosting, which covers malware hosted on vulnerable servers with IP addresses originating from Malaysia. These incidents are normally received from foreign entities such as anti-virus vendors and Special Interest Groups. System administrators must be vigilant and always keep their systems up to date with the latest patches and security measures to prevent unwanted incidents.
 

Nevertheless, ransomware incidents increased in Q2 2022 compared to the previous quarter. Ransomware is a type of malicious software (malware) that infects a computer and restricts access to it until the requested ransom is paid. Our findings identified that ransomware incidents frequently occurred among business organizations, and the incidents are mostly reported by commercial businesses, consistent with the Verizon 2022 DBIR, which reports that organizations, including businesses, are the most impacted by ransomware across the globe. It is also considered the costliest attack among other categories of threats, involving the cost of recovering all data and rectifying infected machines.
Below we list the top malware that infected computers belonging to individuals and organisations in Malaysia, as reported to MyCERT:
  • avalanche-andromeda
  • dltminer
  • sinkhole
  • downadup
  • m0yv
  • sality
  • android.hummer
  • js.worm.bondat
  • sality-p2p
  • necurs
  • flubot
  • qakbot

In general, regular patches and upgrades, good backups and cybersecurity awareness are essential in combating ransomware and other types of malware. Backup procedures, policies and best practices need to be implemented by everyone. Running awareness campaigns to keep users up to date with the latest cyber threat landscape and conducting organization-level tabletop exercises to test user understanding are among the best ways to improve an organization's cybersecurity.
 
3.0  Security Advisories and Alerts Released in Q2 2022
In Q2 2022, MyCERT issued a total of 8 advisories and 6 alerts, including Microsoft security updates. Each alert and advisory comes with a description, recommendations and references. Highlights of the advisories and alerts for this quarter are:


1. MA-828.042022: MyCERT Advisory - Microsoft March 2022 Security Updates
URL: https://www.mycert.org.my/portal/advisory?id=MA-828.042022

2. MA-829.042022: MyCERT Advisory - VMware Carbon Black App Control Security Updates
URL: https://www.mycert.org.my/portal/advisory?id=MA-829.042022

3. MA-830.042022: MyCERT Advisory - Security Updates for "Spring4Shell" and Spring Cloud Function Vulnerabilities
URL: https://www.mycert.org.my/portal/advisory?id=MA-830.042022

4. MA-831.042022: MyCERT Advisory - Microsoft April 2022 Security Updates
URL: https://www.mycert.org.my/portal/advisory?id=MA-831.042022

5. MA-832.042022: MyCERT Alert - Festive Season and Holiday Alert
URL: https://www.mycert.org.my/portal/advisory?id=MA-832.042022

6. MA-833.052022: MyCERT Advisory - Microsoft Releases Advisory to Address Vulnerability in Azure Data Factory and Azure Synapse pipelines [CVE-2022-29972]
URL: https://www.mycert.org.my/portal/advisory?id=MA-833.052022

7. MA-835.052022: MyCERT Advisory - Microsoft May 2022 Security Updates
URL: https://www.mycert.org.my/portal/advisory?id=MA-835.052022

8. MA-834.052022: MyCERT Alert - SMSSpy campaign to steal Malaysian banking user credential
URL: https://www.mycert.org.my/portal/advisory?id=MA-834.052022

9. MA-837.062022: MyCERT Alert - BIG-IP iControl REST Critical Vulnerability
URL: https://www.mycert.org.my/portal/advisory?id=MA-837.062022

10. MA-838.062022: MyCERT Advisory - Drupal Releases Security Updates
URL: https://www.mycert.org.my/portal/advisory?id=MA-838.062022

11. MA-839.062022: MyCERT Advisory - Microsoft Releases Workaround Guidance for MSDT Follina Vulnerability
URL: https://www.mycert.org.my/portal/advisory?id=MA-839.062022

12. MA-840.062022: MyCERT Alert - Kempen SMSSpy bagi Mencuri Maklumat Peribadi Perbankan Pengguna Internet Malaysia 
URL: https://www.mycert.org.my/portal/advisory?id=MA-840.062022

13. MA-841.062022: MyCERT Alert - Security Best Practices on Data Breach
URL: https://www.mycert.org.my/portal/advisory?id=MA-841.062022



Internet users and organizations may refer to the following URL for other advisories and alerts released by MyCERT: 
https://www.mycert.org.my/portal/advisories?id=431fab9c-d24c-4a27-ba93-e92edafdefa5
 
4.0 Conclusion
Overall, the number of computer security incidents reported to MyCERT in this quarter shows an upward trend compared to the previous quarter, with an 11% increase. Though the increase is not significant, organizations and individuals must not assume that our cyberspace is now secure but must always ensure readiness and preparedness against potential threats. Furthermore, no significant or severe incident was observed in this quarter. Nevertheless, users and organizations must stay constantly vigilant of the latest computer security threats and are advised to always take measures to protect their systems and networks from these threats. Hence, MyCERT strongly advises that all Internet users stay aware of today's cybercrime trends and adhere to the best cyber hygiene practices. This includes secure handling of emails from unknown sources, secure web browsing, purchasing goods online and using social media applications. Always check the legitimacy of applications, portals, merchants, services and products before conducting any online transaction. As the complexity of cyber threats continues to increase, any organization or individual without proper awareness could become another statistic among reported incidents.
 
Malaysian Internet users and organizations may contact MyCERT for assistance at the below contact:

E-mail: cyber999[at]cybersecurity.my 
Phone: 1-300-88-2999 (monitored during business hours) 
Mobile: +60 19 2665850 (24x7 call incident reporting)  
Business Hours: Mon - Fri 09:00 -18:00 MYT 
Web: https://www.mycert.org.my 
Twitter: https://twitter.com/mycert 
Facebook: https://www.facebook.com/mycert.org.my
 
MA-882.102022: MyCERT Alert - Microsoft Guidance for Reported Zero-day Vulnerabilities in Microsoft Exchange Server

  • 30 Oct 2022
  • Alert
  • exchange, server, zero day, vulnerability

1.0 Introduction
Two zero-day vulnerabilities affecting Microsoft Exchange Server were reported this week. As of writing, Microsoft is aware of the issue and is working on releasing a fix soon, while providing temporary workarounds in the meantime.

The first vulnerability, identified as CVE-2022-41040, is a Server-Side Request Forgery (SSRF) vulnerability, while the second, identified as CVE-2022-41082, allows remote code execution (RCE) when PowerShell is accessible to the attacker. 

2.0 Impact
CVE-2022-41040 can enable an authenticated attacker to trigger CVE-2022-41082 remotely, while CVE-2022-41082 allows remote code execution (RCE) when PowerShell is accessible to the attacker. It should be noted that authenticated access to the vulnerable Exchange Server is necessary to exploit either of the two vulnerabilities successfully.

3.0 Affected System and Devices
The affected Microsoft products are Microsoft Exchange Server 2013, 2016, and 2019.

4.0 Recommendations
Users and administrators of the affected Microsoft Exchange products are advised to follow and apply the mitigation steps based on the guide below while waiting for a patch to be released by Microsoft. Microsoft Exchange Online Customers do not need to take any action. On-premises Microsoft Exchange customers should review and apply the following URL Rewrite Instructions and block exposed Remote PowerShell ports. 

The current mitigation is to add a blocking rule in “IIS Manager -> Default Web Site -> Autodiscover -> URL Rewrite -> Actions” to block the known attack patterns. 

Microsoft has confirmed that the following URL Rewrite Instructions, which are currently being discussed publicly, are successful in breaking current attack chains. The steps are as below:

  • Open the IIS Manager.
  • Expand the Default Web Site.
  • Select Autodiscover.
  • In the Feature View, click URL Rewrite.
  • In the Actions pane on the right-hand side, click Add Rules.
  • Select Request Blocking and click OK.
  • Add String “.*autodiscover\.json.*\@.*Powershell.*” (excluding quotes) and click OK.
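As an added illustration that is not part of the MyCERT alert or Microsoft's tooling, the Python script below applies the alert's blocking string the way the URL Rewrite request-blocking rule would to a few constructed request URIs, and scans constructed IIS W3C log lines for the same pattern so that requests made before the rule was added can be reviewed. It assumes case-insensitive matching, which is the default for URL Rewrite conditions, and every log line, address and URI in it is constructed, not a real capture.

```python
import re

# Blocking pattern exactly as given in Section 4.0 of the alert. IIS URL
# Rewrite conditions are case-insensitive by default (ignoreCase="true"),
# so the same flag is used here. This script is an added illustration,
# not Microsoft's or MyCERT's tooling.
BLOCK_PATTERN = re.compile(r".*autodiscover\.json.*\@.*Powershell.*", re.IGNORECASE)


def is_blocked(request_uri: str) -> bool:
    """True if the Request Blocking rule from the alert would abort a request
    whose URI (path plus query string) looks like this."""
    return BLOCK_PATTERN.search(request_uri) is not None


def parse_w3c_log(text: str) -> list[dict[str, str]]:
    """Parse IIS W3C extended log text into one dict per request, taking the
    column names from the '#Fields:' directive; other '#' lines are skipped."""
    fields: list[str] = []
    rows: list[dict[str, str]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue
        values = line.split()
        if fields and len(values) == len(fields):
            rows.append(dict(zip(fields, values)))
    return rows


def request_uri(row: dict[str, str]) -> str:
    """Rebuild the URI the rewrite rule sees from the W3C cs-uri-stem and
    cs-uri-query columns ('-' in cs-uri-query means no query string)."""
    stem = row.get("cs-uri-stem", "")
    query = row.get("cs-uri-query", "-")
    return stem if query == "-" else f"{stem}?{query}"


def find_matching_requests(log_text: str) -> list[tuple[str, str, str]]:
    """Return (client IP, HTTP status, request URI) for every logged request
    that the blocking pattern matches. The rewrite rule only aborts requests
    made after it is added, so this is how earlier attempts are reviewed."""
    hits: list[tuple[str, str, str]] = []
    for row in parse_w3c_log(log_text):
        uri = request_uri(row)
        if is_blocked(uri):
            hits.append((row.get("c-ip", "?"), row.get("sc-status", "?"), uri))
    return hits


# Constructed sample log (not a real capture); columns follow the IIS W3C layout.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
2022-09-30 10:15:01 10.0.0.5 POST /autodiscover/autodiscover.json x=@test/PowerShell 443 198.51.100.7 200
2022-09-30 10:15:02 10.0.0.5 GET /autodiscover/autodiscover.json Email=user@example.test&Protocol=Ews 443 198.51.100.8 200
2022-09-30 10:15:03 10.0.0.5 POST /powershell - 443 10.0.0.20 200
2022-09-30 10:15:04 10.0.0.5 GET /owa/ - 443 198.51.100.9 302
"""

if __name__ == "__main__":
    # A normal Autodiscover lookup (which legitimately contains '@') and the
    # admin Remote PowerShell endpoint are not blocked; only a URI carrying all
    # three parts of the pattern is.
    for uri in ("/autodiscover/autodiscover.json?Email=user@example.test",
                "/powershell",
                "/autodiscover/autodiscover.json?x=@test/PowerShell"):
        print(f"{uri:60} blocked={is_blocked(uri)}")
    for ip, status, uri in find_matching_requests(SAMPLE_LOG):
        print(f"pattern matched: client {ip}, status {status}, uri {uri}")
```

Running the log check on the real IIS log directory of an Exchange server, with the same pattern, shows whether matching requests reached the server (and with what status) before the rule was in place, which the blocking rule alone does not tell you.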