Advisories & Alerts

  • [SingCERT] Apache Struts2 Possible Remote Code Execution 09 March 2017

    Background

    On 7th March 2017, Apache Software Foundation issued an emergency security alert for CVE-2017-5638 (Apache Struts2 S2-045).

    Apache Struts is an open-source project of the Apache Software Foundation's Jakarta project team; it provides an MVC framework for developers building Java web applications.

    Apache Struts is exposed to a high-risk remote command execution (RCE) vulnerability. It has been reported that the vulnerability is being actively exploited on a wide scale since it is relatively easy to exploit. SingCERT has found numerous unpatched Apache Struts websites in Singapore that are affected. There are potentially many more websites that have not been patched and are therefore vulnerable.

  • [SingCERT] Threat Alert on Cloudflare CloudBleed 24 February 2017

    Last updated on 7 March 2017, 15:13

    On 18 February at 0032 GMT, a critical system vulnerability caused by a parser bug was reported to Cloudflare. On 18 February at 0722, Cloudflare determined the root cause and turned off three of its features (namely Email Obfuscation, Server-side Excludes and Automatic HTTPS Rewrites) that used the same HTML parser chain responsible for the leak.

  • [SingCERT] Threat Alert: Compromised WordPress Websites due to Outdated WordPress Versions 08 February 2017

    Over the past 3 days, SingCERT has observed an increase in defacements affecting websites hosted in Singapore, as well as .sg websites hosted both locally and overseas, running WordPress version 4.7.1 and earlier versions. Based on initial investigations by SingCERT, this was a result of exploitation of a WordPress vulnerability.

  • [SingCERT] Advisory on Gooligan Malware 01 December 2016

    On 30 November 2016, security company Check Point reported that an Android malware, Gooligan, has affected Android phone users, compromising over a million Google accounts. Android phone users can perform a self-check at https://gooligan.checkpoint.com/ to find out if they are infected with Gooligan.

  • [SingCERT] Advisory on Tech Support Scams 17 November 2016

    The first reports of tech support scams surfaced around 2008, and these scams have gradually gained momentum over the years. Their tactics have also evolved. In the past, these scammers cold-called users in an attempt to make victims part with their money. More recently, fake tech support websites have been created, and scammers use various techniques to trick users into believing that their computing devices are infected or facing some technical issue. Users may also find their computing devices held to ransom after following instructions provided by the scammer.

  • [SingCERT] Enhancing the Security of Internet-Connected Devices 26 October 2016

    In a Distributed Denial of Service (DDoS) attack, vulnerable internet-connected devices that have been compromised by malware are used as bots to carry out the attack. This advisory provides information on DDoS attacks and on how members of the public can protect themselves from inadvertently aiding such an attack.

    On October 21, 2016, a massive DDoS attack targeted a Domain Name System (DNS) service provider, Dyn, bringing down major Internet platforms and services such as Twitter, Reddit and GitHub. DNS is like the telephone book or roadmap of the Internet, maintaining a directory of domain names and their corresponding IP addresses.

  • [SingCERT] Advisory on Shadow Brokers Leaked Tools Targeting Popular Network Devices 01 September 2016

    Background

    On 13 August 2016, a group named Shadow Brokers released a large number of hacking tools that were targeting specific network devices. These included Cisco, WatchGuard and Fortinet equipment. The leaked files contain exploits, discovery tools, implants and documentation on how to use the tools. Users and organizations that are using the affected products are advised to assess and patch them immediately.

  • [SingCERT] Kaspersky Report on Compromised RDP Servers - "The xDedic Marketplace" 18 June 2016

    On 15 June 2016, Kaspersky released a report on xDedic - an underground market that facilitated the sale of compromised login credentials of Remote Desktop Protocol (RDP) servers in 173 countries including Singapore.

    With the login credentials, the buyer is able to access the server, including all the data on it, and use that access to launch further attacks. xDedic appears to be run by a Russian-speaking group of hackers.

    The Kaspersky report indicated that Singapore has more than 700 compromised servers and was ranked 29th out of the 173 countries affected.

    Kaspersky has shared details of the report with SingCERT. SingCERT is taking action to contact affected companies that have been identified thus far to inform them of the compromise and to extend our assistance where necessary.

  • [SingCERT] Unsecured Virtual Network Computing (VNC) Configurations 23 May 2016

    Virtual Network Computing (VNC) is an open-source desktop sharing technology that enables users to access and control their computers remotely over the Internet. Examples include providing remote technical support to critical systems, allowing users to work from home, and accessing home surveillance systems remotely from the workplace. An unsecured VNC configuration results when users run VNC without a password, leaving them exposed to attackers who constantly scan the internet for such loopholes.

  • [SingCERT] Software Vulnerability in Symantec's Antivirus Engine 19 May 2016

    Symantec’s Antivirus Engine (AVE) has been reported as vulnerable to memory corruption due to a flaw in parsing a specially crafted Portable Executable (PE) file. On computers running the Windows operating system, successful exploitation of the vulnerability results in a system crash, displaying the blue screen commonly known as the Blue Screen of Death. This advisory is provided for users who are currently using Symantec Antivirus Engine on their computers.