Zambia Computer Incident Response Team

Zambia Computer Incident Response Team (ZMCIRT) is a cybersecurity division within the Zambia ICT Authority.

ZMCIRT helps prevent, detect, respond to and recover from cybersecurity incidents on behalf of the Zambian Government.

24/04/2023

Urgent: Microsoft Issues Patches for 97 Flaws, Including Active Ransomware Exploit

Microsoft has released its monthly set of security updates to fix a total of 97 flaws, seven of which are rated critical and 90 of which are rated important in severity. The security flaw that has come under active exploitation is CVE-2023-28252, a privilege escalation bug in the Windows Common Log File System (CLFS) Driver that could grant SYSTEM privileges to the attacker. CISA has added this Windows zero-day to its catalog of Known Exploited Vulnerabilities and has ordered Federal Civilian Executive Branch (FCEB) agencies to secure their systems by May 2, 2023. Additionally, the security updates address critical remote code execution flaws impacting DHCP Server Service, Layer 2 Tunneling Protocol, Raw Image Extension, Windows Point-to-Point Tunneling Protocol, Windows Pragmatic General Multicast, and Microsoft Message Queuing (MSMQ). The MSMQ bug, tracked as CVE-2023-21554, could lead to unauthorized code execution and takeover of a server when a specially crafted malicious MSMQ packet is sent to an MSMQ server.

21/04/2023

New Python-Based "Legion" Hacking Tool Emerges on Telegram

A new Python-based credential harvester and hacking tool called Legion is being marketed on Telegram as a means for threat actors to gain access to a variety of online services for further exploitation. According to Cado Labs, Legion contains modules designed to exploit unpatched versions of Apache, conduct remote code execution attacks, enumerate vulnerable SMTP servers, and brute-force cPanel and WebHost Manager (WHM) accounts. The malware is similar to another malware family known as AndroxGh0st, part of an AlienFox toolset offered to threat actors to steal API keys and secrets from cloud services. Legion appears to be part of a new generation of cloud-focused credential harvesters and spamming utilities. It is designed to retrieve credentials for a variety of web services, such as email providers, cloud service providers, server management systems, databases, and payment platforms like Stripe and PayPal, among others. The primary goal of the malware is to enable threat actors to hijack these services and weaponize the infrastructure for follow-on attacks, such as mounting mass spam and phishing campaigns. The origins of the threat actor behind the tool are unknown, although the presence of Indonesian-language comments in the source code indicates that the developer may be Indonesian or based in the country.

20/04/2023

RTM Locker: Emerging Cybercrime Group Targeting Businesses with Ransomware

Security firm Trellix has reported that a rising cybercriminal gang called "Read The Manual" (RTM) Locker functions as a private ransomware-as-a-service (RaaS) provider and carries out opportunistic attacks to generate illicit profit. The group, which originated in 2015 as banking malware targeting businesses in Russia, has since evolved to deploy a ransomware payload on compromised hosts. The group deliberately avoids high-profile targets to avoid attention and is bound by strict rules that forbid affiliates from leaking the samples. The group's ransomware payload is capable of elevating privileges, terminating antivirus and backup services, and deleting shadow copies before commencing its encryption procedure.

19/04/2023

Google Launches New Cybersecurity Initiatives to Strengthen Vulnerability Management

Google has announced a set of initiatives to improve the vulnerability management ecosystem and establish greater transparency measures around exploitation. The company is forming a Hacking Policy Council with Bugcrowd, HackerOne, Intel, Intigriti, and Luta Security to ensure new policies and regulations support best practices for vulnerability management and disclosure. Google also committed to publicly disclosing incidents when it finds evidence of active exploitation of vulnerabilities across its product portfolio. It is instituting a Security Research Legal Defense Fund to provide seed funding for legal representation for individuals engaging in good-faith research to find and report vulnerabilities in a manner that advances cybersecurity. The goal is to prioritize secure software development practices to eliminate entire classes of threats and block potential attack avenues.

18/04/2023

Severe Android and Novi Survey Vulnerabilities Under Active Exploitation

The US Cybersecurity and Infrastructure Security Agency (CISA) has added two vulnerabilities to its Known Exploited Vulnerabilities catalog, which are actively being exploited by threat actors. The first flaw, CVE-2023-20963, is an Android Framework Privilege Escalation vulnerability, which allows for privilege escalation after updating an app to a higher Target SDK. The vulnerability has been reportedly weaponized as a zero-day by China's Pinduoduo to steal sensitive data, inflate its daily and monthly active users, and access user contacts, calendars, and photo albums. The second vulnerability, CVE-2023-29492, is an insecure deserialization flaw in Novi Survey software that allows remote attackers to execute code on the server in the context of the service account. Federal Civilian Executive Branch agencies are advised to apply the necessary patches by May 4, 2023, to mitigate the risks posed by these vulnerabilities.

17/04/2023

WhatsApp Introduces New Device Verification Feature to Prevent Account Takeover Attacks

WhatsApp has introduced a new security feature called "Device Verification" to protect user accounts from being hijacked by malware. The aim is to prevent attackers from stealing WhatsApp authentication keys to impersonate users and send spam or phishing links to other contacts. The security token is stored locally on the device and is updated every time the client fetches an offline message from the server. The client must send the security token every time it connects to the server, which allows the server to detect suspicious connections. An authentication challenge acts as an "invisible ping" from the server to the user's device, and the connection is blocked if there is no response from the client. The feature has been rolled out to all Android users and is being rolled out to iOS users.

17/04/2023

Google Releases Urgent Chrome Update to Fix Actively Exploited Zero-Day Vulnerability

Google has released an out-of-band update to address a high-severity zero-day vulnerability in its Chrome web browser. The vulnerability, tracked as CVE-2023-2033, is described as a type confusion issue in the V8 JavaScript engine and was reported by Clement Lecigne of Google's Threat Analysis Group. According to the National Vulnerability Database, a remote attacker could potentially exploit heap corruption via a crafted HTML page. While Google acknowledged that an exploit for the vulnerability exists in the wild, it did not provide technical specifics or indicators of compromise. Users are advised to update their Chrome browser to version 112.0.5615.121 for Windows, macOS, and Linux to mitigate potential threats.

12/04/2023

Over 1 Million WordPress Sites Infected by Balada Injector Malware Campaign

Over a million WordPress websites have been infected with malware called Balada Injector since 2017. The attackers use known and recently discovered theme and plugin vulnerabilities to breach WordPress sites. They use techniques like String.fromCharCode obfuscation and freshly registered domain names, and they redirect visitors to fake tech support, fraudulent lottery win, and rogue CAPTCHA pages in order to push spam ads. The malware generates fake WordPress admin users, harvests data stored on the hosts, and leaves backdoors for persistent access. The attackers also search for writable directories belonging to other sites that share the same server account and file permissions. WordPress users are advised to keep their software up to date, remove unused plugins and themes, and use strong passwords. A similar malicious JavaScript injection campaign recently affected over 51,000 websites.
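As an added defender-side illustration (not code from this page, from Sucuri or from the campaign), the script below decodes String.fromCharCode(...) sequences found in page or theme content and flags decoded payloads that look like injected script loaders; the sample HTML and the example.invalid domain are constructed.

```python
"""Decode String.fromCharCode(...) obfuscation in suspected injected scripts.
Added illustration for the Balada Injector item (not Sucuri's or the campaign's
code); the sample page below is constructed, not a real injection."""
import re

# Matches String.fromCharCode( 60, 115, ... ) with decimal arguments only.
FROMCHARCODE_RE = re.compile(r"String\.fromCharCode\s*\(\s*([0-9,\s]+)\)")
# Substrings that, once decoded, suggest a loader/redirect rather than plain text.
SUSPICIOUS_MARKERS = ("<script", "src=", "http", "location", "eval(", "document.write")

def decode_fromcharcode(args: str) -> str:
    """Turn the argument list of one String.fromCharCode call into text."""
    return "".join(chr(int(tok)) for tok in args.split(",") if tok.strip())

def find_obfuscated_strings(content: str) -> list:
    """Return each decoded String.fromCharCode payload with a suspicion flag."""
    findings = []
    for match in FROMCHARCODE_RE.finditer(content):
        decoded = decode_fromcharcode(match.group(1))
        lowered = decoded.lower()
        findings.append({
            "offset": match.start(),
            "decoded": decoded,
            "suspicious": any(marker in lowered for marker in SUSPICIOUS_MARKERS),
        })
    return findings

def obfuscate(text: str) -> str:
    """Build a String.fromCharCode call; used here only to construct the sample."""
    return "String.fromCharCode(" + ",".join(str(ord(ch)) for ch in text) + ")"

# Constructed sample: one benign use and one hidden script tag pointing at a
# placeholder domain (example.invalid), as an injected theme file might carry.
SAMPLE_HTML = (
    "<html><body><p>Welcome</p>\n"
    "<script>var greeting = " + obfuscate("Hi") + ";</script>\n"
    "<script>document.write("
    + obfuscate('<script src="https://example.invalid/inject.js"></script>')
    + ");</script></body></html>\n"
)

if __name__ == "__main__":
    for finding in find_obfuscated_strings(SAMPLE_HTML):
        label = "SUSPICIOUS" if finding["suspicious"] else "benign"
        print(f"offset {finding['offset']:>4} {label:<10} {finding['decoded']!r}")
```

Run it over exported theme and plugin files; a decoded payload that contains a script tag or an off-site URL is a candidate for closer review, while short decoded text is usually legitimate.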

11/04/2023

Estonian National Charged in U.S. for Acquiring Electronics and Metasploit Pro for Russian Military

An Estonian national named Andrey Shevlyakov has been indicted on 18 counts of conspiracy and other charges for purchasing U.S.-made electronics on behalf of the Russian government and military. Court documents reveal that Shevlyakov operated front companies to import sensitive electronics from U.S. manufacturers and shipped them to Russia, bypassing export restrictions. The purchased items included analog-to-digital converters and low-noise pre-scalers and synthesizers that are found in defense systems. Shevlyakov is also accused of attempting to acquire hacking tools like Rapid7 Metasploit Pro. Although he was placed on the Entity List in 2012 by the U.S. government, he is said to have used false names and a web of front companies to sidestep the regulations and run an intricate logistics operation involving frequent smuggling trips across the Russian border. Shevlyakov is estimated to have exported at least $800,000 worth of items from U.S. electronics manufacturers and distributors between October 2012 and January 2022 through shell companies such as Yaxart, Anmarna, and Marnik. If found guilty, he faces up to 20 years in prison.

11/04/2023

Hackers Flood NPM with Bogus Packages Causing a DoS Attack

The npm package repository for Node.js, a popular programming language, was flooded with fake packages that caused temporary website crashes. The attackers did this by creating fake websites and uploading fake packages containing links to those websites. They did so because open-source packages usually rank well on search engines, making the links easy for unsuspecting users to find. The attackers' goal was to infect victims' computers with malware or to make money by referring them to shopping websites. To prevent this, the npm repository needs to add more security measures to stop the creation of fake accounts and the upload of fake packages.

04/04/2023

Microsoft has patched a misconfiguration issue in Azure Active Directory that exposed high-impact applications to unauthorized access, including the content management system that powers Bing.com. Cloud security firm Wiz reported the vulnerability to Microsoft in January and February 2022, and the tech giant applied fixes and awarded Wiz a $40,000 bug bounty. The vulnerability allowed external parties to obtain read and write access to Microsoft's own internal apps, including Bing Trivia, which Wiz exploited to alter search results and manipulate content on the homepage. The exploit could trigger a cross-site scripting attack on Bing.com and extract sensitive data from millions of users.

03/04/2023

Threat actors are exploiting critical security flaws in Cacti, Realtek, and IBM Aspera Faspex to target unpatched systems. The CVE-2022-46169 and CVE-2021-35394 vulnerabilities have been abused to deliver MooBot and ShellBot, which can orchestrate distributed denial-of-service attacks and feature backdoor capabilities to carry out file uploads/downloads and launch a reverse shell. A critical YAML deserialization issue in IBM's Aspera Faspex file exchange application, CVE-2022-47986, has also been actively exploited by cybercriminals in ransomware campaigns associated with Buhti and IceFire. Rapid7 has recommended taking the affected service offline if a patch cannot be installed immediately.

Address

Zicta
Livingstone
10101

Opening Hours

Monday 08:00 - 17:00
Tuesday 08:00 - 17:00
Wednesday 08:00 - 17:00
Thursday 08:00 - 17:00
Friday 08:00 - 17:00
