Advisories

MA-993.112023: MyCERT Alert - Cyber Security Best Practices against Ransomware LockBit 3.0

  • 29 Nov 2023
  • Alert
  • lockbit, ransomware

1.0 Introduction

The Cyber999 Incident Response Centre observed an increase in various ransomware-related attacks, including attacks executed by well-identified ransomware known as LockBit 3.0. Lately, we have been receiving incidents involving a number of organisations in Malaysia hit by the LockBit 3.0 ransomware. Hence, this advisory is released to alert and advise organisations to apply necessary measures on prevention and mitigations if they are targeted or fall victim.

LockBit 3.0 operates as an affiliate-based Ransomware-as-a-Service (RaaS) and employs a wide variety of tactics, techniques, and procedures (TTP), creating significant challenges for defence and mitigation. LockBit 3.0 ransomware compromises victim networks through a variety of techniques, including, but not limited to, purchased access, unpatched vulnerabilities, insider access, and zero-day exploits. The attackers associated with the Lockbit 3.0 are believed to originate from Russia. According to a detailed analysis, the ransomware checks the default system language, avoids encryption and stops the attack if the victim system’s language is Russian or one of the countries nearby Russia.

We have previously released an advisory on Lockbit 3.0 ransomware, available at:

https://www.mycert.org.my/portal/advisory?id=MA-907.012023

Additionally, it was also reported recently by security researchers and security organisations that the infamous LockBit 3.0 ransomware group was observed exploiting a critical unpatched Citrix NetScaler ADC and NetScaler Gateway vulnerability – CVE-2023-4966, referred to as "Citrix Bleed," increasing the urgency for enterprises to patch. Citrix Bleed was disclosed on October 10 2023, as a critical security issue that affects Citrix NetScaler ADC and Gateway, enabling unauthorised access to sensitive device information. 

A joint advisory by CISA, FBI, MS-ISAC, and ASD’s ACSC was released on LockBit affiliates exploiting Citrix Bleed, available at:

https://www.cisa.gov/news-events/alerts/2023/11/21/cisa-fbi-ms-isac-and-asds-acsc-release-advisory-lockbit-affiliates-exploiting-citrix-bleed

2.0 Impact
The impacts of LockBit 3.0 are:

  • Operations disruption with essential functions coming to a sudden halt.
  • Extortion by the hackers for financial gain.
  • Data theft and illegal publication as blackmail if the victim does not comply. 

3.0 Recommendations
MyCERT recommends network defenders apply the following mitigations to reduce the risk of compromise by LockBit 3.0 ransomware:

1) Require all accounts with password logins (e.g., service accounts, admin accounts, and domain admin accounts) to have strong, unique passwords. Passwords should not be reused across multiple accounts or stored on the system where an adversary may have access. 

Note: Devices with local administrative accounts should implement a password policy requiring strong, unique passwords for each administrative account.

2) Require multi-factor authentication for all services to the extent possible, particularly for webmail, virtual private networks, and accounts that access critical systems.

3) Keep all operating systems and software up to date. Prioritize patching known exploited vulnerabilities. Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats.

4) Apply security updates released by Citrix to address CVE-2023-4966 in NetScaler ADC and NetScaler Gateway.

https://support.citrix.com/article/CTX579459/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20234966-and-cve20234967

5) Remove unnecessary access to administrative shares, especially ADMIN$ and C$. If ADMIN$ and C$ are deemed operationally necessary, and these restrict privileges to only the necessary service or user accounts and perform continuous monitoring for anomalous activity.

6) Use a host-based firewall to only allow connections to administrative shares via server message block (SMB) from a limited set of administrator machines.

7) Enable protected files in the Windows Operating System to prevent unauthorized changes to critical files.

8) Segment networks to prevent the spread of ransomware. Network segmentation can help prevent the spread of ransomware by controlling traffic flows between—and access to—various subnetworks and by restricting adversary lateral movement.

9) Maintain offline backups of data and regularly maintain backup and restoration. By implementing this practice, the organisation ensures they will not be severely interrupted, and/or only have irretrievable data.
 

Generally, MyCERT advises the users of these devices to be updated with the latest security announcements by the vendor and follow best practice security policies to determine which updates should be applied.

For further enquiries, please contact MyCERT through the following channels:

E-mail: cyber999[at]cybersecurity.my 
Phone: 1-300-88-2999 (monitored during business hours)  
Mobile: +60 19 2665850 (24x7 call incident reporting) 
Business Hours: Mon - Fri 09:00 -18:00 MYT 
Web: https://www.mycert.org.my 
Twitter: https://twitter.com/mycert 
Facebook: https://www.facebook.com/mycert.org.my

6.0    References

Read More

MA-991.112023: MyCERT Advisory - Adobe Releases Security Updates for ColdFusion

  • 24 Nov 2023
  • Advisory
  • adobe, coldfusion, vulnerability, update

1.0 Introduction

On Nov. 14, 2023, Adobe released security updates addressing vulnerabilities affecting unpatched ColdFusion software.

2.0 Impact
Exploitation of some of these vulnerabilities may allow a malicious cyber actor to take control of an affected system.

3.0 Affected Products

ProductUpdate numberPlatform
ColdFusion 2023
 		Update 5 and earlier versions
  		All
ColdFusion 2021
 		Update 11 and earlier versionsAll

4.0 Recommendations
MyCERT urges organizations to review Adobe ColdFusion security bulletin APSB23-52 for more information and to:

Kindly visit https://helpx.adobe.com/security/products/coldfusion/apsb23-52.html for more information.

Generally, MyCERT advises the users of this devices to be updated with the latest security announcements by the vendor and follow best practice security policies to determine which updates should be applied.

For further enquiries, please contact MyCERT through the following channels:

E-mail: cyber999[at]cybersecurity.my 
Phone: 1-300-88-2999 (monitored during business hours) 
Mobile: +60 19 2665850 (24x7 call incident reporting) 
Business Hours: Mon - Fri 09:00 -18:00 MYT 
Web: https://www.mycert.org.my 
Twitter: https://twitter.com/mycert 
Facebook: https://www.facebook.com/mycert.org.my

5.0    References

Read More

MA-990.112023: MyCERT Advisory - Mozilla Releases Security Updates for Firefox and Thunderbird

  • 24 Nov 2023
  • Advisory
  • mozilla, firefox, thunderbird, update

1.0 Introduction

Recently, Mozilla has released security updates to address vulnerabilities in Firefox and Thunderbird.

2.0 Impact
A cyber threat actor could exploit some of these vulnerabilities to take control of an affected system.

3.0 Affected Products

  • Firefox iOS
  • Firefox
  • Firefox ESR
  • Thunderbird

4.0 Recommendations
MyCERT encourages users and administrators to review the following advisories and apply the necessary updates:

Generally, MyCERT advises the users of this devices to be updated with the latest security announcements by the vendor and follow best practice security policies to determine which updates should be applied.

For further enquiries, please contact MyCERT through the following channels:

E-mail: cyber999[at]cybersecurity.my 
Phone: 1-300-88-2999 (monitored during business hours) 
Mobile: +60 19 2665850 (24x7 call incident reporting) 
Business Hours: Mon - Fri 09:00 -18:00 MYT 
Web: https://www.mycert.org.my 
Twitter: https://twitter.com/mycert 
Facebook: https://www.facebook.com/mycert.org.my

5.0    References

Read More

MA-988.112023: MyCERT Advisory - VMware Releases Security Update for Cloud Director Appliance

  • 21 Nov 2023
  • Advisory
  • vmware, cloud, director, update, vulnerability

1.0 Introduction

Recently, VMware has released a security advisory addressing a vulnerability in VMWare Cloud Director Appliance. 

2.0 Impact
Cyber threat actors may exploit this vulnerability to take control of an affected system.

3.0 Affected Products
VMware Cloud Director Appliance (VCD Appliance)

4.0 Recommendations
MyCERT encourages users and administrators to review the following VMware security advisory and apply the recommended updates:

Generally, MyCERT advises the users of this devices to be updated with the latest security announcements by the vendor and follow best practice security policies to determine which updates should be applied.

For further enquiries, please contact MyCERT through the following channels:

E-mail: cyber999[at]cybersecurity.my 
Phone: 1-300-88-2999 (monitored during business hours) 
Mobile: +60 19 2665850 (24x7 call incident reporting) 
Business Hours: Mon - Fri 09:00 -18:00 MYT 
Web: https://www.mycert.org.my 
Twitter: https://twitter.com/mycert 
Facebook: https://www.facebook.com/mycert.org.my

5.0    References

Read More

MA-987.112023: MyCERT Advisory - Fortinet Releases Security Updates for FortiClient and FortiGate

  • 21 Nov 2023
  • Advisory
  • fortinet, fortigate, forticlient, security, update, vulnerability

1.0 Introduction

Recently, Fortinet has released security advisories addressing vulnerabilities in FortiClient and FortiGate.

2.0 Impact
Cyber threat actors may exploit some of these vulnerabilities to take control of an affected system.

3.0 Affected Products
Fortinet FortiClient and FortiGate.

4.0 Recommendations
MyCERT encourages users and administrators to review the following Fortinet security advisories and apply the recommended updates:

Generally, MyCERT advises the users of this devices to be updated with the latest security announcements by the vendor and follow best practice security policies to determine which updates should be applied.

For further enquiries, please contact MyCERT through the following channels:

E-mail: cyber999[at]cybersecurity.my 
Phone: 1-300-88-2999 (monitored during business hours) 
Mobile: +60 19 2665850 (24x7 call incident reporting) 
Business Hours: Mon - Fri 09:00 -18:00 MYT 
Web: https://www.mycert.org.my 
Twitter: https://twitter.com/mycert 
Facebook: https://www.facebook.com/mycert.org.my

5.0    References

Read More

MA-986.112023: MyCERT Advisory - Microsoft Releases November 2023 Security Updates

  • 21 Nov 2023
  • Advisory
  • microsoft, update, november

1.0 Introduction

Recently, Microsoft has released updates addressing multiple vulnerabilities in Microsoft software.

2.0 Impact
A cyber threat actor can exploit some of these vulnerabilities to take control of an affected system.

3.0 Affected Products
Multiple Microsoft Windows and Software

4.0 Recommendations
MyCERT encourages users and administrators to review Microsoft’s November 2023 Security Update Guide and apply the necessary updates.

Kindly refer to the URL for more information: https://msrc.microsoft.com/update-guide/releaseNote/2023-Nov

Generally, MyCERT advises the users of this devices to be updated with the latest security announcements by the vendor and follow best practice security policies to determine which updates should be applied.

For further enquiries, please contact MyCERT through the following channels:

E-mail: cyber999[at]cybersecurity.my 
Phone: 1-300-88-2999 (monitored during business hours) 
Mobile: +60 19 2665850 (24x7 call incident reporting) 
Business Hours: Mon - Fri 09:00 -18:00 MYT 
Web: https://www.mycert.org.my 
Twitter: https://twitter.com/mycert 
Facebook: https://www.facebook.com/mycert.org.my

5.0    References

Read More

MA-985.112023: MyCERT Advisory - Adobe Releases Security Updates for Multiple Products

  • 21 Nov 2023
  • Advisory
  • adobe, security, update

1.0 Introduction

Recently, Adobe has released security updates to address vulnerabilities affecting multiple Adobe products.

2.0 Impact
A cyber threat actor could exploit some of these vulnerabilities to take control of affected system.

3.0 Affected Products

  • Adobe ColdFusion
  • Adobe RoboHelp Server
  • Adobe Acrobat and Reader
  • Adobe InDesign
  • Adobe Photoshop
  • Adobe Bridge
  • Adobe FrameMaker Publishing Server
  • Adobe InCopy
  • Adobe Animate
  • Adobe Dimension
  • Adobe Media Encoder
  • Adobe Audition
  • Adobe Premiere Pro
  • Adobe After Effects

4.0 Recommendations
MyCERT encourages users and administrators to review the following advisories and apply the necessary updates.

Generally, MyCERT advises the users of this devices to be updated with the latest security announcements by the vendor and follow best practice security policies to determine which updates should be applied.

For further enquiries, please contact MyCERT through the following channels:

E-mail: cyber999[at]cybersecurity.my 
Phone: 1-300-88-2999 (monitored during business hours) 
Mobile: +60 19 2665850 (24x7 call incident reporting) 
Business Hours: Mon - Fri 09:00 -18:00 MYT 
Web: https://www.mycert.org.my 
Twitter: https://twitter.com/mycert 
Facebook: https://www.facebook.com/mycert.org.my

5.0    References
https://www.cisa.gov/news-events/alerts/2023/11/14/adobe-releases-security-updates-multiple-products

Read More

MA-984.112023: MyCERT Advisory - Cisco Releases Security Advisories for Multiple Products

  • 10 Nov 2023
  • Advisory
  • cisco, update, vulnerability

1.0 Introduction

Recently, Cisco released security advisories for vulnerabilities affecting multiple Cisco products.

2.0 Impact
A cyber threat actor could exploit some of these vulnerabilities to take control of an affected system.

3.0 Affected Products

  • Cisco Firepower Management Center Software
  • Cisco Identity Services Engine
  • Cisco Firepower Threat Defense Software for Cisco Firepower 2100 Series Firewalls
  • Cisco Firepower Threat Defense Software
  • Cisco Firepower Threat Defense Software and Firepower Management Center Software 
  • Cisco Firepower Management Center Software
  • Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software 

4.0 Recommendations
MyCERT encourages users and administrators to review the following advisories and apply the necessary updates:

For updates addressing lower severity vulnerabilities, see the Cisco Security Advisories page.

Generally, MyCERT advises the users of this devices to be updated with the latest security announcements by the vendor and follow best practice security policies to determine which updates should be applied.

For further enquiries, please contact MyCERT through the following channels:

E-mail: cyber999[at]cybersecurity.my 
Phone: 1-300-88-2999 (monitored during business hours) 
Mobile: +60 19 2665850 (24x7 call incident reporting) 
Business Hours: Mon - Fri 09:00 -18:00 MYT 
Web: https://www.mycert.org.my 
Twitter: https://twitter.com/mycert 
Facebook: https://www.facebook.com/mycert.org.my

5.0    References
https://www.cisa.gov/news-events/alerts/2023/11/03/cisco-releases-security-advisories-multiple-products

Read More

MA-983.112023: MyCERT Alert - Cyber Security Best Practices for System Administrators and Internet Users

  • 04 Nov 2023
  • Alert
  • middle east, threats, best practices

1.0 Introduction

The Cyber999 Cyber Incident Response Centre is actively observing any cyber threat campaigns related to the ongoing situations in the Gaza Peninsula presented by the media, including social media, globally. Based on our incident reports, from 7th October 2023 until today, we have neither received any incidents through our incident reporting channels that targeted systems and infrastructure in Malaysia nor any significant surge in the incidents reported to us as a result of the ongoing situations in the Gaza Peninsula. 

A total of 4,381 incidents were received through the Cyber999 Cyber Incident Response Centre between January and September 2023, with the majority of incidents reported are fraud, intrusion, malicious code, and content-related – data breaches. No significant surges or trends in cyber incidents were observed during this time. Figure 1 shows the list of incidents reported to us by category.

A screenshot of a graph Description automatically generated

Figure 1: Cyber Incident Statistics (Jan – Sept 2023)

Despite this, organisations and citizens are advised to be always vigilant and cautious of potential cyber incidents such as web defacement, data breaches, malware infections, hack attempts and denial of service attacks.

Notably, we have also constantly produced security advisories on software vulnerabilities as well as product updates such as Microsoft, Cisco, Adobe, and Apple, as well as other cyber threats, which can be found in the following URL:

https://www.mycert.org.my/portal/advisories?id=431fab9c-d24c-4a27-ba93-e92edafdefa5

We highly recommend System Administrators and Internet users refer to our Security Alerts and Advisories and follow the cyber security best practices. System Administrators and Internet users must be aware of these vulnerabilities and threats by applying necessary patches and updates. This is to help prevent cyber incidents as much as possible and minimise the impacts or risks associated with the incidents.

2.0 Recommendations

2.1 The following are some recommendations for System Administrators:

  • Ensure systems, applications and third-party add-ons are updated with the latest upgrades and security patches. If you are running older versions of operating systems or software, upgrade it to the latest version, as older versions are vulnerable and easily manipulated by intruders. Also, patch your web-based applications and network-based appliances accordingly.
  • Refer to your respective vendors' websites for the latest patches, service packs and upgrades. Otherwise, you may also refer to MyCERT’s website for the latest advisories on patches, service packs and upgrades as below:
  • Update the Anti-virus software that is running on hosts and email gateways with the latest signature files and ensure the settings to scan all files are enabled.
  • Configure systems properly to avoid incidents such as information disclosure and directory listing due to system misconfiguration.
  • Always enable logging systems and server activities and keep them in a sufficient period of time.
  • Backup critical information regularly to limit the impact of data or system loss and to help expedite the recovery process. Ideally, backup daily on a separate media and store offline at an alternate site.
  • Organisations are recommended to apply an defence in-depth strategy in protecting their networks. Firewalls, intrusion prevention systems (IPS), and network and host-based intrusion detection systems (IDS) can prevent and log most of the generic attacks.
  • Data Centres and Web Hosting Companies should beware of any software or third-party add-ons they are running by applying the latest patches or upgrades to prevent intrusions that may exploit unpatched applications.
  • Organizations must ensure the contact information of System Administrators is made available in the event of a security incident at or originating from your site.
  • Financial Institutions must be vigilant against any possibilities of phishing and fraudulent activities that target Internet banking. Customers must be advised adequately to avoid becoming victims of these scams by applying safe browsing, safe email practices and safe Internet banking practices.
  • System Administrators must immediately report any suspicious activities they observe in systems and networks under their administrations to relevant authorities and seek assistance. Incidents can be reported to the Cyber999 Incident Response Centre through our reporting channels, as listed at the end of the page, and we will respond accordingly. To report any critical incident, call Cyber999 via the 24x7 On Call Incident Reporting channel.

2.2 The following are some best practices for home users:

  • Update your computer and browsers with the latest upgrades and security patches.
  • Install Anti-Virus software on your PC to scan and block any malware. Update Anti-virus regularly with the latest signature files to detect new worms/viruses.
  • Take extra precautions when clicking on links and downloading attachments received via social networking sites or emails.
  • Do not fall victim to online scams. Take precautions against online scams that target Internet users.
  • Users are recommended to practice the following tips and guidelines to browse the Internet safely:
  • Backup critical information regularly to limit the impact of data or system loss and to help expedite the recovery process. Ideally, backup daily and keep data on a separate device, offline at an alternate site.
  • Incidents can be reported to Cyber999 through our reporting channels, as listed at the end of the page, and we will respond accordingly. To report any critical incident, call Cyber999 via the 24x7 On Call Incident Reporting channel.

Generally, we advise users to be updated with the latest security announcements by vendors and follow best security practices to determine which updates should be applied.

For further enquiries, please contact the Cyber999 Incident Response Centre through the following channels:

E-mail: cyber999[at]cybersecurity.my 
Phone: 1-300-88-2999 (monitored during business hours)  
Mobile: +60 19 2665850 (24x7 call incident reporting) 
Business Hours: Mon - Fri 09:00 -18:00 MYT 
Web: https://www.mycert.org.my 
Twitter: https://twitter.com/mycert 
Facebook: https://www.facebook.com/mycert.org.my

Read More

MA-981.112023: MyCERT Advisory - Microsoft's Monthly (Oct 2023) consolidated tech and security patches update

  • 02 Nov 2023
  • Advisory
  • microsoft, update, october

1.0 Introduction

Recently, Microsoft has released updates to address multiple vulnerabilities in Microsoft software.

2.0 Impact
A cyber threat actor can exploit some of these vulnerabilities to take control of an affected system.

3.0 Affected Products
Multiple Microsoft software/products and Windows Operating Systems

4.0 Recommendations
MyCERT encourages users and administrators to review Microsoft’s October 2023 Security Update Guide and apply the necessary updates. Kindly refer to the following link:
https://msrc.microsoft.com/update-guide/releaseNote/2023-oct

Generally, MyCERT advises the users of this devices to be updated with the latest security announcements by the vendor and follow best practice security policies to determine which updates should be applied.

For further enquiries, please contact MyCERT through the following channels:

E-mail: cyber999[at]cybersecurity.my 
Phone: 1-300-88-2999 (monitored during business hours) 
Mobile: +60 19 2665850 (24x7 call incident reporting) 
Business Hours: Mon - Fri 09:00 -18:00 MYT 
Web: https://www.mycert.org.my 
Twitter: https://twitter.com/mycert 
Facebook: https://www.facebook.com/mycert.org.my

5.0    References

Read More
Showing 1-10 of 379 items.
(not set)
(not set)
(not set)
(not set)
(not set)
(not set)
(not set)
(not set)
(not set)
(not set)
Popular Advisories
Archives