Advisories & Alerts

  • [SingCERT] ShadowPad Backdoor Spreads in Corporate Networks Through Software Update Mechanism 25 August 2017

    On 15 August 2017, Kaspersky Labs reported that they had discovered suspicious DNS requests in a partner's network. Further investigation showed that the suspicious DNS queries originated from a software package produced by NetSarang. Kaspersky Labs named the threat ShadowPad. SingCERT understands that the attacks occurred in Hong Kong, but the ShadowPad backdoor could be dormant in many other systems worldwide if users have not updated to the latest version of the affected software.

  • [SingCERT] Increase in Defacements Affecting Singapore-hosted Websites 09 August 2017

    SingCERT has observed an increase in defacement activities affecting websites hosted in Singapore in early August 2017. A website defacement is an attack on a website that changes the visual appearance of the site or a webpage. This is usually done by exploiting an unpatched vulnerability.

  • [SingCERT] Alert on Apache Struts2 Remote Code Execution Vulnerability 14 July 2017

    Apache Struts is a popular, free, open-source web application framework for developing Java web applications. Struts is well-known for its extensible "plug-in" architecture.

    On 9th July 2017, the Apache Software Foundation announced that a high-risk security vulnerability (S2-048) was discovered in its Apache Struts project, which allows possible remote code execution (RCE) in Struts 2.3.x with Struts 1 plugin and Struts 1 action.

  • [SingCERT] Alert on ISC Bind Vulnerabilities 08 July 2017

    Berkeley Internet Name Domain (BIND) is a DNS implementation solution developed by the Internet Software Consortium (ISC) that is widely used in Unix and Linux operating systems. A Domain Name System or Service or Server (DNS) acts like yellow pages for the Internet. It is used to resolve domain names such as into IP addresses like so that they can be directed to the correct sites.

    Earlier this week, a security researcher reported two severe vulnerabilities in ISC BIND that can be remotely exploited. Details of the reported vulnerabilities are explained in CVE-2017-3142 and CVE-2017-3143 (see links below). As the associated exploit codes have also been posted online, many unpatched Internet-facing ISC BIND DNS servers are at risk.

  • [SingCERT] Technical Advisory on Petya/Petna Ransomware 28 June 2017

    On 27th June 2017, SingCERT was alerted to the occurrence of a Petya variant also known as Petna, which has impacted organisations in Ukraine and other parts of Europe. Petya/Petna works by modifying the Windows Master Boot Record (MBR), causing the system to crash. It uses the ETERNALBLUE exploit tool to accomplish this, which is a similar exploit to that of the WannaCrypt/WannaCry ransomware.

  • [SingCERT] Alert on Global Spread of Ransomware Petya/Petna 28 June 2017

    On 27th June 2017, SingCERT was alerted to a new variant of the Petya malware known as Petna, which spreads via the Microsoft Windows SMB protocol based on the ETERNALBLUE exploit. This is a similar exploit to that used by the WannaCrypt/WannaCry ransomware earlier in May 2017. It was reported globally that multiple organisations, including government agencies and critical information infrastructure operators, experienced network outages.

  • [SingCERT] Increase in Occurrence of Phishing Emails from 'Logistics' Companies 23 June 2017

    Recently, SingCERT has noted an increase in the number of reports on phishing emails sent from fake logistics companies.

    Phishing is one of the simplest and most effective ways of obtaining sensitive information from users. The information includes passwords, bank account details and credit card details. A phishing email works by preying on the curiosity of users, convincing them to click on suspicious links or open file attachments. Phishing emails are becoming increasingly well-written and appear legitimate. Hence, users need to exercise caution.

  • [SingCERT] Fake Mobile Apps 15 June 2017

    With the global widespread infection of a ransomware known as “WannaCry” aka WanaCryptor, fake mobile apps that promise protection from the ransomware are emerging in Google Play. However, the “WannaCry” ransomware does not target phones. These fake mobile apps disguised as anti-virus apps actually contain malware.

  • [SingCERT] Educational Platform Edmodo Compromised 02 June 2017

    SingCERT has learned about a data breach of a popular online educational platform – Edmodo (URL: User account details of about 78 million of Edmodo’s customers, including their usernames, email addresses and hashed passwords, could have been exposed. Edmodo has issued an advisory to address this.

  • [SingCERT] Technical Advisory for System Administrators on "WannaCry Ransomware" 15 May 2017

    On 12th May 2017, there was a global widespread infection of a ransomware known as "WannaCry", aka WanaCrypt0r. This ransomware exploits a known critical Microsoft Windows Server Message Block 1.0 (SMB) vulnerability (MS17-010), which allows remote code execution, providing a worm-like capability to propagate through a network by scanning for vulnerable systems and infecting them. It then encrypts files on the system and extorts a bitcoin ransom in exchange for the decryption of files.

    This advisory serves to provide system administrators with technical information to safeguard their networks against this cyber threat.