Advisory

Fake Fast Food Delivery Website

BACKGROUND

Due to the challenging pandemic situation in Brunei Darussalam where the population is advised to stay at home, cybercriminals are taking the opportunity to phish sensitive and confidential information by creating a fake website for well-known fast-food chains.

Example:
https:// bn-mcdelivery .ru

This website appears to be hosted in Russia, and offers meals at a very low price, with many menu items that are not available in Brunei outlets.

Modus Operandi

Microsoft Exchange Server Vulnerability 'ProxyShell'

BACKGROUND
      
Attackers are now actively exploiting Microsoft Exchange Servers using the ‘ProxyShell’ vulnerability, which chains three Microsoft vulnerabilities to perform unauthenticated remote code execution, to install backdoors for later access. These chained vulnerabilities are exploited remotely through Microsoft Exchange's Client Access Service (CAS) running on port 443 in IIS.
 
The three chained vulnerabilities used in ‘ProxyShell’ attacks are:

STAYING CYBER SAFE WHEN WORKING FROM HOME

BACKGROUND
 
In view of the recent directive for organizations to activate their business continuity plan (BCP) protocols, most organizations are requiring employees to work from home (WFH). Remote working creates additional opportunities for cyber threat actors to perform malicious cyber activities by exploiting open vulnerabilities in less secure networks, thus gaining access to users’ data or the organization's network.
 
RECOMMENDATIONS
 
Below are some security measures that can be applied:

ANDROID TROJAN ‘FLYTRAP’

BACKGROUND
      
Researchers have identified a new Android trojan named FlyTrap, which has affected more than 10,000 victims in over 140 countries since March. It has been able to spread through social media hijacking, third-party app stores, and sideloaded applications.
 
The malware uses social engineering tricks to compromise Facebook accounts, seemingly offering free Netflix coupon codes, Google AdWords coupon codes, or a vote for the best football team.
 

PETITPOTAM ATTACK

BACKGROUND

PetitPotam is a newly uncovered security flaw in the Windows operating system that can be used to force remote Windows servers, including Domain Controllers, to authenticate with a malicious destination, allowing an attacker to stage an NTLM relay attack and completely take over a Windows domain.

MODUS OPERANDI

PrintNightmare Bug (CVE-2021-1675 and CVE-2021-34527)

BACKGROUND

Known vulnerabilities in the Windows Print Spooler service can allow a total compromise of Windows systems. The print spooler is an executable file that manages the printing process. Management of printing involves retrieving the location of the correct printer driver, loading that driver, spooling high-level function calls into a print job, scheduling the print job for printing, and so on.

Nobelium cyberattacks targeting IT and government organizations

BACKGROUND

The hacking group Nobelium, which has caused concern for many companies all over the world due to its ongoing malicious activity and sophisticated phishing attacks, is once again targeting IT and government organizations in various countries.
Information-stealing malware was found on a device belonging to one of Microsoft's employees with access to account information for a small number of their customers, and the attacker has used the information in some cases to launch highly targeted attacks as part of a broader campaign.

“MariSewaBank” Scam

BACKGROUND
 
BruCERT has recently received a number of reports on a scam called “MARISEWABANK”. The scammer contacts victims via SMS containing a WhatsApp link. Once the link is clicked, the victim is lured into online gambling with the promise of a profit of 100% to 350%, depending on the bank that the victim deposits their money into. The victim will then be asked for their personal and banking details, namely:
• Bank
• Name of account holder
• Account number
• Online banking username & password