Advisories & Alerts

[SingCERT] Advisory on Gooligan Malware

On 30 November 2016, the security company Check Point reported that an Android malware family, Gooligan, had compromised over a million Google accounts belonging to Android phone users.

[SingCERT] Advisory on Tech Support Scams

The first reports of tech support scams surfaced around 2008 and these scams gradually gained momentum over the years. Their tactics have also evolved. In the past, these scammers cold called users in their attempt to make victims part with their money. Recently, fake tech support websites have been created and scammers use various techniques to trick users into believing that their computing devices are infected or facing some technical issues. Users may also find their computing devices being held ransom after following instructions provided by the scammer.

[SingCERT] Enhancing the Security of Internet-Connected Devices

A Distributed Denial of Service (DDoS) attack floods a target with traffic from many sources at once. In the attacks this advisory covers, those sources are vulnerable internet-connected devices that have been compromised by malware and used as bots. This advisory provides information on DDoS attacks and on how members of the public can protect themselves from inadvertently aiding such an attack.

On 21 October 2016, a massive DDoS attack was launched against the Domain Name System (DNS) service provider Dyn, taking down major Internet platforms and services such as Twitter, Reddit and GitHub. DNS is the Internet's telephone book: it maintains the directory that maps domain names to their corresponding IP addresses, so when a DNS provider is unreachable, the sites that depend on it become unreachable too, even though their own servers are still up.

[SingCERT] Advisory on Shadow Brokers Leaked Tools Targeting Popular Network Devices

On 13 August 2016, a group named Shadow Brokers released a large number of hacking tools targeting specific network devices, including Cisco, WatchGuard and Fortinet equipment. The leaked files contain exploits, discovery tools, implants and documentation on how to use the tools. Users and organisations running the affected products are advised to assess and patch them immediately.

[SingCERT] Kaspersky Report on Compromised RDP Servers - "The xDedic Marketplace"

On 15 June 2016, Kaspersky released a report on xDedic - an underground market that facilitated the sale of compromised login credentials of Remote Desktop Protocol (RDP) servers in 173 countries including Singapore.

With the credentials, a buyer can log in to the server, access all the data on it, and use it as a foothold for further attacks. xDedic appears to be run by a Russian-speaking group of hackers.

The Kaspersky report indicated that Singapore has more than 700 compromised servers and was ranked 29th out of the 173 countries affected.

Kaspersky has shared details of the report with SingCERT. SingCERT is taking action to contact affected companies that have been identified thus far to inform them of the compromise and to extend our assistance where necessary.

[SingCERT] Unsecured Virtual Network Computing (VNC) Configurations

Virtual Network Computing (VNC) is an open-source desktop-sharing technology that lets a user view and control a computer remotely over the Internet. Typical uses include remote technical support for critical systems, working from home, and viewing a home surveillance system from the workplace. An unsecured VNC configuration results when a VNC server is exposed to the Internet without a password, leaving it open to attackers who constantly scan the Internet for such hosts.
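The following is an added example, not part of the SingCERT advisory, showing how to tell from a VNC server's handshake whether it will accept clients without a password. The message layouts follow RFC 6143 (the RFB protocol): after the version exchange, an RFB 3.7/3.8 server sends a count byte followed by the security types it offers, while an RFB 3.3 server sends a single big-endian 32-bit type; type 1 is "None" and type 2 is "VNC Authentication". The sample byte strings are constructed for this example, and `probe()` is a hypothetical helper for running the same check against your own hosts.

```python
"""Classify the authentication a VNC (RFB) server offers from its handshake bytes."""
from __future__ import annotations

import re
import socket
import struct

# Security types registered for RFB (RFC 6143 section 7.1.2 and the IANA registry).
SECURITY_TYPE_NAMES = {
    0: "Invalid",
    1: "None",
    2: "VNC Authentication",
    16: "Tight",
    18: "TLS",
    19: "VeNCrypt",
}

VERSION_RE = re.compile(rb"^RFB (\d{3})\.(\d{3})\n$")


def parse_server_version(banner: bytes) -> tuple[int, int]:
    """Parse the 12-byte ProtocolVersion message, e.g. b'RFB 003.008\\n'."""
    m = VERSION_RE.match(banner)
    if not m:
        raise ValueError(f"not an RFB version banner: {banner!r}")
    return int(m.group(1)), int(m.group(2))


def parse_security_types(version: tuple[int, int], data: bytes) -> tuple[list[int], str | None]:
    """Return (offered security types, refusal reason or None).

    RFB 3.7 and later: u8 count, then `count` u8 type values; count == 0 means the
    server refuses the connection and a u32-length reason string follows.
    RFB 3.3: a single u32 security type chosen by the server (0 = refused).
    """
    if version >= (3, 7):
        if not data:
            raise ValueError("truncated security-types message")
        count = data[0]
        if count == 0:
            (reason_len,) = struct.unpack(">I", data[1:5])
            return [], data[5:5 + reason_len].decode("latin-1")
        types = list(data[1:1 + count])
        if len(types) != count:
            raise ValueError("truncated security-types message")
        return types, None
    (sec_type,) = struct.unpack(">I", data[:4])
    if sec_type == 0:
        (reason_len,) = struct.unpack(">I", data[4:8])
        return [], data[8:8 + reason_len].decode("latin-1")
    return [sec_type], None


def assess(banner: bytes, security_msg: bytes) -> dict:
    """Classify a server from the two server-side handshake messages."""
    version = parse_server_version(banner)
    types, reason = parse_security_types(version, security_msg)
    names = [SECURITY_TYPE_NAMES.get(t, f"unknown({t})") for t in types]
    if reason is not None:
        verdict = "refused"
    elif 1 in types:
        # The client picks the type, so offering "None" at all means no password needed.
        verdict = "unsecured"
    else:
        verdict = "auth-required"
    return {"version": version, "types": names, "verdict": verdict, "reason": reason}


def probe(host: str, port: int = 5900, timeout: float = 5.0) -> dict:
    """Hypothetical live check: run the first two RFB handshake steps, no login attempted."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        banner = sock.recv(12)
        parse_server_version(banner)
        # Echo the server's version so it replies with the security types for that version.
        sock.sendall(banner)
        security_msg = sock.recv(256)
    return assess(banner, security_msg)


# Constructed sample handshakes (not captured from real hosts).
SAMPLES = {
    "open-desktop":   (b"RFB 003.008\n", b"\x02\x01\x02"),      # offers None and VNC auth
    "password-only":  (b"RFB 003.008\n", b"\x01\x02"),          # VNC auth only
    "tls-only":       (b"RFB 003.008\n", b"\x01\x13"),          # VeNCrypt (19)
    "legacy-33-none": (b"RFB 003.003\n", b"\x00\x00\x00\x01"),  # 3.3 server picks None
    "refused":        (b"RFB 003.008\n", b"\x00" + struct.pack(">I", 8) + b"too many"),
}

if __name__ == "__main__":
    for name, (banner, sec) in SAMPLES.items():
        print(f"{name:15s} {assess(banner, sec)}")
```

A verdict of "unsecured" means the server advertises the "None" security type, so any client that reaches the port can take over the desktop. Note that "auth-required" only tells you a password is demanded, not that it is strong: VNC Authentication is an unsalted 8-character DES challenge-response, so the practical fix for an Internet-facing server is to put it behind a VPN or SSH tunnel and, where the implementation supports it, use VeNCrypt or TLS rather than relying on the password alone.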

[SingCERT] Software Vulnerability in Symantec's Antivirus Engine

Symantec's Antivirus Engine (AVE) has been reported as vulnerable to memory corruption due to a flaw in parsing a specially crafted Portable Executable (PE) file. On Windows computers, successful exploitation of the vulnerability results in a system crash, displaying the blue screen commonly known as the Blue Screen of Death. This advisory is provided for users who currently run the Symantec Antivirus Engine on their computers.

[SingCERT] Ransomware

Ransomware is a type of malware that holds a victim's files, computer system or mobile device to ransom, restricting access until a ransom is paid. Windows, Mac OS X and Linux systems can all be infected. Some ransomware variants also traverse the network and encrypt every file stored on shared or mapped network drives. The more prevalent type of ransomware today encrypts commonly-used files such as documents, images, audio and video. Because the files are encrypted with strong cryptography (typically a symmetric cipher whose per-file key is in turn protected by an RSA key of 2048 bits or more), they cannot be recovered unless the decryption key is obtained; a restorable offline backup is the only reliable way to get them back without paying.

[SingCERT] Software Vulnerability Discovered by Cisco in their ASA Software

This vulnerability was discovered in the Cisco Adaptive Security Appliance (ASA) software. The Cisco ASA is a network security appliance that serves as an application-aware firewall, network antivirus gateway, intrusion prevention system and virtual private network (VPN) server. On 10 February 2016, Cisco published a security advisory addressing this software vulnerability (CVE-2016-1287).

[SingCERT] Multiple Security Issues with Juniper ScreenOS

Juniper found two security issues in ScreenOS during an internal code review: one that could allow unauthorised control of the affected system, and another that could allow an attacker to decrypt VPN traffic.