MA-934.042023: MyCERT Advisory - Cisco Releases Security Advisories for Multiple Products
1.0 Introduction
Recently, Cisco has released security updates for vulnerabilities affecting Industrial Network Director (IND), Modeling Labs, StarOS Software, and BroadWorks Network Server.
2.0 Impact
A remote attacker could exploit some of these vulnerabilities to take control of an affected system.
3.0 Affected Products
- Industrial Network Director (IND)
- Modeling Labs
- StarOS Software
- BroadWorks Network Server
4.0 Recommendations
MyCERT encourages users and administrators to review the following advisories and apply the necessary updates.
- Industrial Network Director cisco-sa-ind-CAeLFk6V : https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ind-CAeLFk6V
- Modeling Labs cisco-sa-cml-auth-bypass-4fUCCeG5 : https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cml-auth-bypass-4fUCCeG5
- IOS and IOS XE cisco-sa-20170629-snmp : https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170629-snmp
- StarOS cisco-sa-staros-ssh-privesc-BmWeJC3h : https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-staros-ssh-privesc-BmWeJC3h
- BroadWorks Network Server cisco-sa-bw-tcp-dos-KEdJCxLs : https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-bw-tcp-dos-KEdJCxLs
For updates addressing lower severity vulnerabilities, see the Cisco Security Advisories page.
Generally, MyCERT advises users of these devices to keep up to date with the latest security announcements from the vendor and to follow best-practice security policies to determine which updates should be applied.
For further enquiries, please contact MyCERT through the following channels:
E-mail: cyber999[at]cybersecurity.my
Phone: 1-300-88-2999 (monitored during business hours)
Mobile: +60 19 2665850 (24x7 call incident reporting)
Business Hours: Mon - Fri 09:00 -18:00 MYT
Web: https://www.mycert.org.my
Twitter: https://twitter.com/mycert
Facebook: https://www.facebook.com/mycert.org.my
5.0 References
https://www.cisa.gov/news-events/alerts/2023/04/21/cisco-releases-security-advisories-multiple-products
MA-933.042023: MyCERT Advisory - VMware Releases Security Update for Aria Operations for Logs
1.0 Introduction
Recently, VMware has released a security update to address multiple vulnerabilities in Aria Operations for Logs (formerly vRealize Log Insight).
2.0 Impact
A cyber threat actor could exploit these vulnerabilities to take control of an affected system.
3.0 Affected Products
VMware Aria Operations for Logs (formerly vRealize Log Insight)
4.0 Recommendations
MyCERT encourages users and administrators to review VMware Security Advisory VMSA-2023-0007 and apply the necessary updates.
Kindly refer to: https://www.vmware.com/security/advisories/VMSA-2023-0007.html
Generally, MyCERT advises users of this product to keep up to date with the latest security announcements from the vendor and to follow best-practice security policies to determine which updates should be applied.
For further enquiries, please contact MyCERT through the following channels:
E-mail: cyber999[at]cybersecurity.my
Phone: 1-300-88-2999 (monitored during business hours)
Mobile: +60 19 2665850 (24x7 call incident reporting)
Business Hours: Mon - Fri 09:00 -18:00 MYT
Web: https://www.mycert.org.my
Twitter: https://twitter.com/mycert
Facebook: https://www.facebook.com/mycert.org.my
5.0 References
MA-932.042023: MyCERT Alert - Festive Season and Holiday Alert
1.0 Introduction
As the Malaysian holiday for “Hari Raya Aidilfitri” approaches over the weekend and many of us will be leaving for the holiday break, we would like to alert System Administrators and Internet users to ensure that sufficient measures have been implemented to secure their systems and networks before leaving for the holidays.
A total of 1,307 incidents were received through the Cyber999 service between January and March 2023, with the majority of reported incidents related to fraud, malicious code, intrusion and spam. Figure 1 below shows the list of incidents by category.
Figure 1: Statistics of incidents by category
There have been several security incidents since early this year, such as LockBit 3.0, BlackCat and Royal ransomware; fake fraud apps and a banking trojan distributed through a fake cleaning-service website campaign; data breaches; a fake Shopee winning-contest scam; and a large-scale phishing campaign that bypasses MFA, for which we released Alerts and Advisories to address these issues. Other than that, we have also produced advisories on software vulnerabilities as well as product updates for Microsoft. Below are the URLs for some of the mentioned advisories:
- https://www.mycert.org.my/portal/advisory?id=MA-921.042023
- https://www.mycert.org.my/portal/advisory?id=MA-915.032023
- https://www.mycert.org.my/portal/advisory?id=MA-912.022023
- https://www.mycert.org.my/portal/advisory?id=MA-908.022023
- https://www.mycert.org.my/portal/advisory?id=MA-907.012023
- https://www.mycert.org.my/portal/advisory?id=SR-021.012023
Thus, we highly recommend that System Administrators and Malaysian Internet users refer to our Alerts and Advisories and take the necessary steps to prevent security incidents and minimise their impact and risk with preventive measures in place.
2.0 Affected System and Devices
System Administrators should take additional precautions against possible intrusions, DDoS, phishing attacks and malware activity such as ransomware during the festive season by implementing proper preventive measures against these threats. Data Centers and Web Hosting Companies should also take extra precautions with any software or third-party add-ons they run by applying the latest patches or upgrades, to prevent intrusions that exploit unpatched applications.
Financial Institutions must also be vigilant against possible phishing and fraudulent activities that target Internet banking. Customers must be adequately advised on how to avoid becoming victims of phishing and fraud by applying safe browsing, safe email and safe Internet banking practices. Organizations must ensure that the contact information of their System Administrators is available in the event of a security incident that occurs at, or originates from, their site.
System Administrators and Internet users must be aware of these threats and vulnerabilities and apply the necessary patches and updates, referring to the Alerts and Advisories released by MyCERT on current threats and vulnerabilities.
3.0 Recommendations
Listed below are some recommendations for System Administrators:
- Make sure systems, applications and third party add-ons are updated with latest upgrades and security patches.
- If you're running older versions of operating systems or software, make sure they are upgraded to the latest versions, as older versions may have vulnerabilities that can be exploited by intruders. Aside from that, please make sure that your web-based applications and network-based appliances are patched accordingly.
- Refer to your respective vendors' websites for the latest patches, service packs and upgrades. Otherwise, you may also refer to MyCERT’s website for latest advisories on patches, service packs and upgrades.
- Make sure the Anti-virus software running on hosts and email gateways is updated with the latest signature files and is enabled to scan all files.
- Make sure that your systems are configured properly in order to avoid incidents such as information disclosure and directory listing that are caused by system misconfiguration.
- Make sure logging on systems and servers is always enabled.
- Perform regular backups of all critical information to limit the impact of data or system loss and to help expedite the recovery process. Ideally, the backup must be done daily, on a separate media and stored offline at an alternate site.
- Organizations are recommended to apply a defense-in-depth strategy in protecting their networks. Firewalls, intrusion prevention systems (IPS), and network- and host-based intrusion detection systems (IDS) can prevent and log most generic attacks.
The following are some recommendations for home users:
- Make sure your PCs and browsers are up to date with the latest upgrades and security patches.
- Install Anti-virus software on your PCs to scan for and block any malware reaching the PC. The Anti-virus should be regularly updated with the latest signature files in order to detect new worms/viruses.
- Do not simply click on links and attachments that you receive via social networking sites or emails. Extra precautions must be taken when opening links and attachments.
- Do not fall victim to online scams. Take precautions against online scams that target Internet users.
- Refer to the tips and guidelines on safe Internet use on our CyberSAFE website.
- Perform regular backups of all critical information to limit the impact of data or system loss and to help expedite the recovery process. Ideally, the backup must be done on daily basis and this data should be kept on a separate device, stored offline at an alternate site.
Please take note that our physical office will be closed on 24th April 2023, which has been declared a public holiday. However, incidents can still be reported to Cyber999 through our other reporting channels listed below, and our staff is on duty to respond to incidents. If you need to report a critical incident, you can call Cyber999 via the 24x7 On Call Incident Reporting channel.
Generally, MyCERT advises users to keep up to date with the latest security announcements from their vendors and to follow best-practice security policies to determine which updates should be applied.
For further enquiries, please contact MyCERT through the following channels:
E-mail: cyber999[at]cybersecurity.my
Phone: 1-300-88-2999 (monitored during business hours)
Mobile: +60 19 2665850 (24x7 call incident reporting)
Business Hours: Mon - Fri 09:00 -18:00 MYT
Web: https://www.mycert.org.my
Twitter: https://twitter.com/mycert
Facebook: https://www.facebook.com/mycert.org.my
MA-931.042023: MyCERT Alert - RedLine Stealer Behind ChatGPT, Google Bard Facebook Ads
1.0 Introduction
The popularity of generative AI platforms like Google Bard and OpenAI’s ChatGPT has captured audiences worldwide. Google Bard is an artificial intelligence (AI) language model developed by Google that uses deep learning techniques to generate poetry and lyrical verses. It leverages large amounts of text data to compose original and creative poems in various styles and forms, such as sonnets, haikus, and free verse. Google Bard's output is known for its coherence, rhythm, and imagery. It is a valuable tool for writers, poets, and artists seeking inspiration or looking to enhance their creative works with evocative language. Also, ChatGPT is a large language model developed by OpenAI based on the GPT-3.5 architecture. It is an advanced AI chatbot trained to understand and generate human-like text responses. ChatGPT can interact with users on various topics, providing information, answering questions, and generating text-based responses. It is designed to understand context, contextually respond to user queries, and provide detailed and coherent responses. ChatGPT has been trained on a vast amount of text data, allowing it to generate fluent and coherent text, and making it a powerful tool for various applications, including customer service, content creation, and virtual assistance.
Security experts uncovered a new campaign to spread the RedLine Stealer malware strain by taking advantage of the popularity of these AI platforms. First spotted in March 2020, RedLine Stealer is a piece of malware that specifically targets end users and is distributed through compromised software downloads, phishing, and drive-by downloads. RedLine Stealer is sold as ‘malware-as-a-service’ (MaaS), which can be purchased on underground forums. It is designed to steal sensitive information from web browsers, including credit card details, saved credentials, and autocomplete data. In addition, it can take an inventory of the target machine, gathering information on the user, location, hardware, and installed security software. The malware can upload and download files, execute commands, and regularly send information about the infected computer to the perpetrators.
2.0 Impact
Successful execution of the malware on a victim’s computer allows sensitive information from web browsers, including credit card details, saved credentials, and autocomplete data, to be stolen from the victim’s computer. In addition, it can take an inventory of the target machine, gathering information on the user, location, hardware, and installed security software.
3.0 Technical Details
The MaaS ecosystem is supported by online discussion boards that serve as markets for hackers to sell their malware and stolen information. Access to viruses, stolen data, and even hacking tools is just one of the services these forums offer. Sometimes, forum moderators serve as middlemen between buyers and sellers and receive a cut of the revenue.
Figure 2: Screenshot of the RedLine Stealer Malware Ad, used for the Open AI campaign in Dark Web Marketplace
On the dark web, malware employed in the attacks can be sold for $100 to $150. One-time purchases or monthly subscriptions are the two ways it is offered for sale.
Figure 3: The different Malware bundles available to purchase
After acquiring and using the malware, hackers sell the stolen information on dark web forums to other hackers specialising in online fraud, allowing each group to concentrate on its own illegal business model. They primarily utilise the messaging service Telegram to buy and disseminate RedLine Stealer malware, since it offers more secrecy and encryption for their operations.
3.1 Modus Operandi - Using Facebook
The modus operandi of the RedLine Stealer campaign is to steal the login credentials of popular Facebook communities or company profiles with thousands of followers. The perpetrators then spread sponsored posts encouraging users to download the “alleged” ChatGPT or Google Bard files for free, as shown in Figures 4 and 5.
Figure 4: Facebook post advertising to download ChatGPT-V4