MA-746.092019: MyCERT Advisory - Security Best Practices on Data Breach Incident

  • 27 Sep 2019
  • Advisory
  • Data Breach

1.0 Introduction

A data breach is an incident in which confidential information is leaked or stolen from a system without the knowledge or authorisation of the system's owner. Data breaches often lead to financial losses and a loss of consumer trust for the organisation. In addition, individuals whose personal data have been compromised could be at risk of harm or adverse impact if they do not take steps to protect themselves. For example, attackers can dump the compromised data on an underground forum and put it up for sale. Figure 1 shows a list of compromised databases available for sale and Figure 2 depicts a sample of the information available for sale.

Figure 1: List of compromised databases up for sale.

Figure 2: Example of compromised information available on the dark web.

MyCERT has also received many reports of data breach incidents over the past 3 years. Figure 3 shows the statistics of data breach incidents in Malaysia reported to MyCERT from 2012 to 2019. The statistics illustrate a gradual decrease in data breach attacks between 2012 and 2016, and a significant increase from 2017 until 2019.

Figure 3: Statistics of data breaches in Malaysia from 2012 to 2019.

Hence it is important for organisations to be accountable towards individuals by preventing and managing data breaches.

2.0 Impact

The impact of a data breach depends on the nature and extent of the breach and the type of information that has been compromised. Some breaches may involve only one or two people while others may affect hundreds or thousands. Larger breaches expose a wider group of people and could require considerable notification and remediation activities.

Serious impacts of a data breach could include:

  • Risk to individuals’ safety
  • Financial loss to an individual or organisation
  • Damage to personal reputation or position
  • Loss of public trust in an Agency or the services it provides
  • Commercial risk through disclosure of commercially sensitive information to third parties
  • Threat to an Agency’s systems, impacting the capacity to provide services
  • Impact on Government reputation, finances, interests or operation.
  • Loss of data integrity.

3.0 Recommendations and guidelines

Protection of sensitive data is required not only for legal or ethical reasons but also for personal privacy and for safeguarding the reputation of the business. Sensitive data includes personally identifiable information (PII) such as names, credit card numbers, email addresses or phone numbers of customers and employees, as well as intellectual property and trade secrets, industry-specific data and information related to operations and inventory. Hence it is important for organisations to be accountable towards individuals by preventing and managing data breaches. This guideline is divided into two sections: preparation before a data breach happens, and how to respond after a data breach happens.

Preparation before data breaches

Data breaches can occur for various reasons, such as malicious activity, human error or computer system error. It is important for organisations to put in place measures which allow them to monitor for, and take preventive measures against, data breaches before they occur.

Provide Training on Security Awareness - Employees have an important role in keeping their organizations secure; however, without security awareness and effective training, they can be the weak link in the data security chain and present a major vulnerability.

Good security hygiene - With the emergence of cloud storage tools, IoT devices, and BYOD trends, it is easier than ever to put sensitive data at risk. System administrators therefore need to properly configure databases and cloud repositories to avoid targeted attacks by hacking groups.

Invest in the Right Security Technology - While it is important to have traditional perimeter and network security like firewalls, intrusion detection, and antivirus systems, businesses should consider using encryption standards and a backup policy to reduce risks.

Patch regularly - Ensuring software is updated and patched regularly is crucial in minimising network vulnerabilities.

Comply with Data Protection Regulations - The best way to ensure compliance is by creating a data security policy that keeps data safe from risks both inside and outside of the company.

Perform regular vulnerability assessments - Vulnerability assessment is the process intended to identify, classify and prioritize security threats as well as determine the risks they pose to organizations. Regular security audits reveal a clear picture of data and act as a checklist to work towards data protection.

Ensure the principle of least privilege - Restrict access to sensitive information to a need-to-know basis.

Develop a Data Breach Management Plan - Although many companies have not yet developed a breach response plan, such a framework plays an important role in dealing better with cybersecurity incidents, as well as in limiting damage and restoring public and employee trust. A data breach management plan should set out the following:

  • A clear explanation of what constitutes a data breach, to assist employees in identifying a data breach and responding promptly should one occur.
  • How to report a data breach internally – The role of each employee is important in reporting data breaches. When an employee becomes aware of a potential or actual data breach, he or she should know how and to whom to report it within the organisation.
  • How to respond to a data breach – The strategy for containing, assessing and managing data breaches should include the roles and responsibilities of the employees and the data breach management team. Organisations can also consider preparing contingency plans for possible data breach scenarios and the measures to be taken, or run regular breach simulation exercises, to better prepare themselves to respond to data breaches promptly and effectively.
  • Responsibilities of the data breach management team – The composition of the management team and the roles and responsibilities of each member should be clear. This ensures that the organisation's response to a data breach is not unnecessarily delayed.

Responding to Data Breaches

Every data breach incident requires a quick response from the organisation to prevent further damage. An early response is crucial in managing the incident effectively. Generally, the actions taken after a data breach should follow four key steps:

  1. Containing the data breach to prevent further compromise of personal data.
  2. Assessing the data breach by gathering the facts and evaluating the risks, including the harm to affected individuals. Where assessed to be necessary, continuing efforts should be made to prevent further harm even as the organisation proceeds to implement full remedial action.
  3. Lodging a police report and reporting to Jabatan Perlindungan Data Peribadi (JPDP) for their further investigation.
  4. Evaluating the organisation's response to the data breach incident and considering the actions which can be taken to prevent future data breaches. Remediation efforts may continue to take place at this stage.

Generally, MyCERT advises the users of the devices and software to be updated with the latest security announcements by the vendor and follow best practice security policies to determine which updates should be applied.

For further enquiries, please contact MyCERT through the following channels:

E-mail: cyber999[at]cybersecurity.my
Phone: 1-300-88-2999 (monitored during business hours)
Fax: +603 - 8008 7000 (Office Hours)
Mobile: +60 19 2665850 (24x7 call incident reporting)
SMS: CYBER999 REPORT EMAIL COMPLAINT to 15888
Business Hours: Mon - Fri 09:00 -18:00 MYT
Web: https://www.mycert.org.my
Twitter: https://twitter.com/mycert
Facebook: https://www.facebook.com/mycert.org.my

SR-008.092019: MyCERT Report - MyCERT Q1 2019 Quarterly Summary Rpt

  • 27 Sep 2019
  • Report

MyCERT 1st Quarter 2019 Summary Report

9th August 2019

Introduction

The MyCERT Quarterly Summary Report provides an overview of activities carried out by the Malaysia Computer Emergency Response Team (hereinafter referred to as MyCERT), a department within CyberSecurity Malaysia. These activities are related to computer security incidents and trends based on security incidents handled by MyCERT. This summary report highlights statistics of incidents handled by MyCERT in quarter 1 (Q1) 2019 according to categories, security advisories and other activities carried out by MyCERT personnel. The statistics provided in this report reflect only the total number of incidents handled by MyCERT and not elements such as monetary value or repercussions of the incidents.

Computer security incidents handled by MyCERT are those that occur or originate within the Malaysian constituency. MyCERT works closely with other local and global entities to resolve computer security incidents.

Incident Trends Q1 2019

Incidents are reported to MyCERT by various parties within the constituency as well as from outside Malaysia. These parties include home users, the private sector, the government sector, security teams from abroad, foreign CERTs and Special Interest Groups (SIG), in addition to MyCERT's own proactive monitoring of several cyber incidents.

From January to March 2019, MyCERT, via its Cyber999 service, handled a total of 4517 incidents. This represents a 48.59% decrease in total incidents compared to quarter 4 (Q4) 2018, which received 1453 incidents. The categories that increased from the previous quarter are fraud, intrusion attempt and malicious code.

Table 1 below illustrates the comparison of number of incidents reported according to the Categories of Incidents for Q4 2018 and Q1 2019.

Categories of Incidents    Q4 2018    Q1 2019    Percentage change (%)
Content Related                 45         68                    51.11
Cyber Harassment                81         66                   -18.52
DoS                              4          4                        0
Fraud                         1765       1516                   -14.11
Intrusion                      262        257                    -1.91
Intrusion Attempt             1291         25                    -98.1
Malicious Codes                957        341                   -64.37
Spam                            97         27                   -72.16
Vulnerabilities Report          15         18                       20
TOTAL                         4517       2322                   -48.59

Table 1: Comparison of number of incidents between Q4 2018 and Q1 2019

Categories of Incidents    Jan    Feb    March
Content Related             26     22       20
Cyber Harassment            21     22       23
DoS                          2      1        1
Fraud                      567    472      477
Intrusion                   81     92       84
Intrusion Attempt            6      9       10
Malicious Codes            121     97      123
Spam                        12      7        8
Vulnerabilities Report       9      7        2
TOTAL                      845    729      748

Table 2: Number of incidents reported in the months of Q1 2019

Figure 1: Breakdown of reported incidents in Jan to March 2019

Figure 2: Percentage of reported incidents by classification

In Q1 2019, the most reported incident category was fraud, representing 65.29% of the total incidents reported to MyCERT. A total of 1516 fraud incidents were received in this quarter, from organisations and home users. Looking at the current trend and scenario, fraud incidents will most likely continue to grow and remain among the most reported incidents in our constituency. MyCERT therefore advises Internet users to be cautious and always adhere to best practices when they receive email from unknown sources, purchase goods online, and use social media applications. Users must ensure that they are dealing with trusted parties and never simply transfer money to a seller without first checking on the status of the sender.

The second and third most reported incident categories were malicious code and intrusion, with 14.69% and 11.07% respectively. Malicious code incidents decreased by 64.37% this quarter, representing a total of 341 incidents. Malicious code incidents generally involve botnet C&C servers, bots, malware and malware hosting. In this quarter, we did not observe any significant or massive botnet or malware attacks in our constituency.

Ransomware is a type of malicious software (malware) that infects a computer and restricts access to it until a ransom is paid to unlock it. We received 18 ransomware incidents in Q1 this year, which decreased compared to the previous quarter to 9 incidents. The ransomware incidents were reported by individual users, commercial businesses and government sectors. The majority of the ransomware incidents received are related to .adobe, GandCrab, Jigsaw, Dharma, Rumba and Phobos, with a few related to other variants. Users, administrators and government sectors are advised to take preventive measures to protect their computer networks from ransomware infection.

Ransomware Alerts:

https://www.mycert.org.my/en/services/advisories/mycert/2018/main/detail/1321/index.html

Advisories and Alerts

In Q1 2019, MyCERT issued a total of 2 advisories and 6 alerts, which involved DNS hijacking,

Each alert and advisory comes with a description, recommendations and references. Highlights of the alerts and advisories for this quarter are:

1) MA-710.012019: MyCERT Alert – Best Practices on Safeguarding Email Credential

https://www.mycert.org.my/en/services/advisories/mycert/2019/main/detail/1326/index.html

2) MA-711.012019: MyCERT Alert – New Threadkit Office Builder

https://www.mycert.org.my/en/services/advisories/mycert/2019/main/detail/1327/index.html

3) MA-712.012019: MyCERT Advisory – Best Practices to Avoid DNS Hijacking

https://www.mycert.org.my/en/services/advisories/mycert/2019/main/detail/1328/index.html

4) MA-713.012019: MyCERT Advisory – DNS Flag Day

https://www.mycert.org.my/en/services/advisories/mycert/2019/main/detail/1329/index.html

5) MA-714.022019: MyCERT Alert - PHP Pear Vulnerability

https://www.mycert.org.my/en/services/advisories/mycert/2019/main/detail/1330/index.html

6) MA-715.022019: MyCERT Alert – Android February 2019 Security Update

https://www.mycert.org.my/en/services/advisories/mycert/2019/main/detail/1331/index.html

7) MA-716.03022019: MyCERT Alert – Google Chrome Zero-Day RCE Vulnerability (CVE-2019-5786)

https://www.mycert.org.my/en/services/advisories/mycert/2019/main/detail/1333/index.html

8) MA-717.032019: MyCERT Alert – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2019-0763)

https://www.mycert.org.my/en/services/advisories/mycert/2019/main/detail/1334/index.html


Readers can find all advisories and alerts released by MyCERT at the following URL:

https://www.mycert.org.my/en/services/advisories/mycert/2019/main/index.html

Conclusion

In conclusion, the number of computer security incidents reported to MyCERT this quarter decreased by 48.59% compared to the previous quarter. No severe incidents were reported to MyCERT in this quarter, and MyCERT did not observe any crisis or outbreak in our constituency. Nevertheless, users and organisations must remain constantly vigilant of the latest computer security threats and are advised to always take measures to protect their systems and networks from these threats.

For further enquiries, or for assistance with an incident, Malaysian Internet users and organisations may contact MyCERT through the following channels:

E-mail: cyber999[at]cybersecurity.my
Phone: 1-300-88-2999 (monitored during business hours)
Fax: +603 - 8008 7000 (Office Hours)
Mobile: +60 19 2665850 (24x7 call incident reporting)
SMS: CYBER999 REPORT EMAIL COMPLAINT to 15888
Business Hours: Mon - Fri 09:00 -18:00 MYT
Web: https://www.mycert.org.my
Twitter: https://twitter.com/mycert
Facebook: https://www.facebook.com/mycert.org.my

Please refer to MyCERT's website for latest updates of this Quarterly Summary.

MA-745.092019: MyCERT Advisory - phpMyAdmin Vulnerability [CVE-2019-12922]

  • 19 Sep 2019
  • Advisory
  • phpMyAdmin, CSRF.

1.0 Introduction

Recently, MyCERT received information from valid sources about an exploit in phpMyAdmin. The exploit is a cross-site request forgery (CSRF) that forces authorised users to execute unwanted actions on the web application. The flaw was given a severe rating, although its action only allows an attacker to remove any configured server from the setup page of the phpMyAdmin panel on the user's server. The exploit is limited in that it does not allow the deletion of any database or table stored on the server. phpMyAdmin is an open-source tool for administering MySQL and MariaDB on websites, and is widely used by individuals, e-commerce, government and educational organisations, among others.

2.0 Impact

The attacker crafts a malicious URL and sends it to targeted web administrators who are logged in to their phpMyAdmin panel in the same browser, tricking them into clicking the link, which removes the configured server without their knowledge.

3.0 Affected Products

  • phpMyAdmin <= 4.9.0.1

4.0 Recommendations

  • Implement, in each call, the validation of the token variable, as is already done in other phpMyAdmin requests.
  • Avoid clicking any suspicious links until the maintainers release a patch to the public.
  • Web administrators need to keep up with the latest patch information from the authorised maintainers and apply the patch as soon as it is released.
  • Restrict access to phpMyAdmin to trusted IP addresses or IP ranges only (IP whitelisting). If the web administrator does not use phpMyAdmin, we recommend removing it from the web server.
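The first recommendation above, validating the token variable on every call, is the standard CSRF defence. The following is an added example, not phpMyAdmin's own code, of how a PHP application implements it: a per-session random token is embedded as a hidden field named token in every form that performs an action, and the handler compares the submitted value against the session copy in constant time before doing anything. A cross-site page cannot read the victim's token, so a forged request is rejected. The handler name handle_remove_server, the action remove_configured_server and the parameter server_id are hypothetical placeholders; the example assumes a PHP 7.3 or later, session-based application.

```php
<?php
// Added example (not phpMyAdmin's own code): per-session CSRF token checked on
// every state-changing request. handle_remove_server(), remove_configured_server()
// and the server_id parameter are hypothetical placeholders.
declare(strict_types=1);

// Harden the session cookie: not readable by script, HTTPS only, and not sent on
// top-level cross-site POSTs (defence in depth alongside the token check).
session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
session_start();

// Return the session's CSRF token, created once per session from a CSPRNG.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32)); // 256-bit random value
    }
    return $_SESSION['csrf_token'];
}

// Validate a submitted token. Untyped on purpose: a crafted token[]=... would be
// an array, and that must fail closed instead of raising a TypeError.
function csrf_validate($submitted): bool
{
    if (!is_string($submitted) || empty($_SESSION['csrf_token'])) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], $submitted); // constant-time compare
}

// Hidden input to include in every form that performs an action.
function csrf_field(): string
{
    return '<input type="hidden" name="token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// Hypothetical handler for a state-changing action: the token is validated before
// any effect, and an unauthenticated or forged request gets an HTTP error status.
function handle_remove_server(array $request, string $method): int
{
    if ($method !== 'POST') {
        return 405; // state changes only via POST, never via a clickable GET link
    }
    if (!csrf_validate($request['token'] ?? null)) {
        return 403; // missing or wrong token: do nothing
    }
    remove_configured_server((int) ($request['server_id'] ?? 0));
    return 200;
}

// Placeholder for the real action; intentionally empty in this example.
function remove_configured_server(int $serverId): void
{
}

// Dispatch: respond with the status code the handler decided on.
http_response_code(handle_remove_server($_POST, $_SERVER['REQUEST_METHOD'] ?? 'GET'));
```

The token is bound to the session rather than generated per request, so it survives multiple open tabs; rotating it on login is a reasonable addition. The fourth recommendation, restricting phpMyAdmin to trusted IP ranges, is a web server configuration matter and is not shown here.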

Generally, MyCERT advises users of this software to keep up to date with the latest security announcements by the vendor and to follow best practice security policies to determine which updates should be applied.

For further enquiries, please contact MyCERT through the following channels:

E-mail: cyber999[at]cybersecurity.my
Phone: 1-300-88-2999 (monitored during business hours)
Fax: +603 - 8008 7000 (Office Hours)
Mobile: +60 19 2665850 (24x7 call incident reporting)
SMS: CYBER999 REPORT EMAIL COMPLAINT to 15888
Business Hours: Mon - Fri 09:00 -18:00 MYT
Web: https://www.mycert.org.my
Twitter: https://twitter.com/mycert
Facebook: https://www.facebook.com/mycert.org.my
