By Rual de Vries for MyBroadband

Chinese authorities are censoring any posts on domestic social media platforms regarding an alleged data leak containing 1 billion citizens’ data, Financial Times reports.

In a post on Breach Forums, user “ChinaDan” claimed they possessed one billion Chinese nationals’ data, including names, addresses, ID numbers, mobile numbers, and any criminal records or case details, BleepingComputer reported.

The hacker named the Shanghai National Police database the leak’s source.

To confirm the claims, The Wall Street Journal’s Karen Hao called five individuals listed, who verified their names and associated case details.

Following news of the leak, hashtags like “Shanghai national security database breach” and “data leak” started to trend on Chinese social media platforms Weibo and WeChat.

However, by Monday, 4 July, the respective platforms had blocked any mention of the leak.

Chinese authorities reportedly invited some Weibo users to discuss their posts and removed a popular cyber security blogger’s post exploring the leak’s implications.

Binance CEO Zhao Chanpeng said its threat intelligence spotted these records for sale on the dark web and added the leak was likely due to a bug in an Elasticsearch deployment by a government agency.

“Apparently, this exploit happened because the gov developer wrote a tech blog on [the Chinese Software Developer Network] and accidentally included the credentials,” Zhao said.

By Alex Mitchley for News24

A former First National Bank employee has been arrested in Limpopo for allegedly stealing over R36-million from a deceased client.

On Friday, the Hawks’ Serious Commercial Crime Investigation Unit arrested the 28 year-old suspect, who worked as a FNB consultant at the Makhado branch.

According to Hawks spokesperson Captain Matimba Maluleke, on 25 April 2022, the suspect allegedly opened a profile without any authorisation of the client who had just died in a vehicle accident a day before.

“It is further alleged that the suspect connived with his accomplice to open a new bank account and linked it to the deceased’s account and started spending all the money from the deceased’s account,” Maluleke said.

“These illegal activities were discovered by the bank and a case of fraud and theft was opened with the Hawks.

“When the suspect was approached by the bank managers about the matter, he reportedly tendered his resignation letter with immediate effect.”

Maluleke said through the investigation, it was discovered that some of the stolen money was used to buy expensive cars and donate to a certain church.

A total of R36 989 051.67 was allegedly stolen.

The suspect was expected to make his first appearance in the Makhado Magistrate’s court on Monday 13 June.

By Rual de Vries for MyBroadband

The Communications Risk Information Centre (Comric) says that relying solely on collecting customers’ biometric data to curb SIM swap fraud won’t do the trick.

Comric is a non-profit organisation established by MTN, Cell C, Telkom, Vodacom, and Liquid Intelligent Technologies.

Its goal is to identify, prevent, and mitigate risks within the South African telecommunications industry.

The Independent Communications Authority of South Africa (Icasa) published draft regulations in March 2022 that would require mobile network operators to collect subscriber biometric data.

Icasa said these regulations would reduce instances of mobile number hijacking via fraudulent SIM swaps and number porting.

The South African Banking Risk Information Centre crime statistics showed that fraudulent SIM swap incidents nearly doubled in 2020 — from 11,646 in 2019 to 22,285 in 2020.

Scammers use these techniques to take control of targets’ cellphone numbers and access their Internet banking applications.

In response to Icasa’s proposed regulations, Comric met all of the country’s mobile network operators to examine the implications and feasibility of biometric data collection.

MyBroadband asked Comric what consensus mobile operators came to during the forum.

“As biometric data is indicated as [Icasa’s] solution [to fraudulent SIM swaps], the telecommunications industry would like to explore alternative solutions,” Comric CEO Vernall Muller said.

“Biometrics is but one of many strategies to use — to require operators to implement only biometrics is taking a single approach solution, which is not the silver bullet.”

Although Comric members agree that SIM swap fraud is a problem, they said that other issues require attention in the short to medium term.

“Less than one percent of SIM swaps performed annually are fraudulent,” Comric said.

“SIM swap is but one problem, whereas identity fraud is much more problematic.”

Comric noted that the telecommunication industry already has a dedicated workstream focused on reducing the number of fraudulent SIM swaps and implementing mitigative measures.

Besides being too limited in scope, Comric said that there are several challenges and limitations to collecting subscriber biometric data.

“For operators who use direct customer touchpoints across South Africa in the informal and rural areas, implementing biometrics will have immense cost implications and logistical challenges,” said Comric.

“Operators that use wholesale channels do not appoint their own agents in the distribution channels, which means they have no control or visibility over the implementation of biometrics,” the association added.

“Should Icasa’s proposed changes get adopted, it will require extensive changes to existing systems and databases.”

Therefore, the forum attendees agreed they should be allowed to present Icasa with a timeline regarding biometric data implementation.

“The implementation should be done in a flexible manner, where operators are given leeway to decide what is best to accommodate all consumers,” the association said.

“In the interim, the telecommunications industry, Comric, and ICASA should engage further to identify the core of the problem we want to solve, identify temporary solutions, and create a long-term plan to implement biometrics.”


By Alex Scroxton for Computer Weekly

Long-standing vulnerabilities in popular consumer and home office Wi-Fi routers made by the likes of Cisco, D-Link, Netgear and ZyXel are being routinely exploited by threat actors backed by the Chinese government as a means to compromise the wider telco networks behind them, according to an advisory from the US Cybersecurity and Infrastructure Security Agency (CISA) and its partners at the FBI and NSA.

In the advisory, the authorities explain how China-sponsored actors readily exploit routers and other devices such as network attached storage (NAS) devices to serve as access points that they can use to route command and control (C2/C&C) traffic and conduct intrusions on other identities.

“Over the last few years, a series of high-severity vulnerabilities for network devices provided cyber actors with the ability to regularly exploit and gain access to vulnerable infrastructure devices. In addition, these devices are often overlooked by cyber defenders, who struggle to maintain and keep pace with routine software patching of internet-facing services and endpoint devices,” the agency said in its advisory.

CISA said these actors typically conduct their intrusions through servers or “hop points” from China-based IP addresses that resolve to various Chinese ISPs. Most usually they obtain these by leasing them from hosting providers. These are used to register and access operational email accounts, host C2 domains, and interact with their target networks. They also serve as a useful obfuscator when doing so.

The agencies warned the groups behind these intrusions are consistently evolving and adapting their tactics, techniques and procedures (TTPs), and have even been observed monitoring the activity of network defenders and changing things up on the fly to outwit them. They also mix their customised tools with publicly available ones – notably ones native to their target environments – to blend in, and are quick to modify their infrastructure and toolsets if information on their campaigns becomes public.

Many of the vulnerabilities used are well-known ones, some of them dating back four years or more. They include CVE-2018-0171, CVE-2019-1652, CVE-2019-15271, all remote code execution (RCE) bugs in Cisco hardware; CVE-2019-16920, an RCE vulnerability in D-Link hardware; CVE-2017-6682, another RCE vulnerability in Netgear products; and CVE-2020-29583, an authentication bypass vulnerability in Zyxel kit.

Products from DrayTek, Fortinet, MikroTik, Pulse and QNAP are also highlighted as vulnerable in the advisory. Included in the list is CVE-2019-19781, the infamous RCE flaw in Citrix Application Delivery Controller and Gateway products, which caused chaos when it was discovered in 2019 and to this day remains one of the most popularly exploited vulnerabilities by malicious actors.

Given this rapid evolution, CISA is advising defenders to ensure their systems and products are kept updated and patched at all times, as well as enforcing multifactor authentication (MFA) for all users and in particular, given the exploitation of home devices, on VPN connections used by remote users. The full guidance can be read in the advisory here.

ESET global cyber security advisor Jake Moore commented: “Access to telecommunication networks allows more extensive attacks to be elevated from the given platform. Once on board, attackers can target other networks and cause serious damage. Advanced persistent threat groups are increasing in power and sophistication and such targets remain under fire, acting as a hub of potential lines of further attack.

“Reducing lateral movement by taking particular networks offline to segregate them helps mitigate the sideways attacks plus bolstering logon methods to include more robust multifactor authentication also helps reduce this risk.”


By Jan Cronje for Fin24

The Supreme Court of Appeal (SCA) in Bloemfontein has upheld an appeal by the SA Revenue Service (SARS) justifying its decision to seize 19 containers of cheap clothes from China.

“There was no credible explanation for the unbelievably low prices charged by the suppliers of the goods,” the court ruled on Tuesday. “The goods and the containers in which they were imported were liable to forfeiture.”

The ruling means that SARS was within its rights to first seize and then detain the containers. It also overturns a previous high court ruling ordering that the containers be released.

‘Unrealistic and unattainable’

The tax agency confiscated the goods in 2020 on the basis that they had been clearly under-invoiced.

It argued that Gauteng-based clearing agent Dragon Freight and six other importers had been unable to explain how they were able to source the goods at such low prices.

But the revenue collections agency’s seizure order was overturned in December 2020, when Judge Selby Baqwa of the North Gauteng High Court in Pretoria ordered that the containers be released.

Baqwa argued that SARS should have accepted the initial answers given by the importers. The subsequent research it conducted and the follow-up questions it posed were “procedurally unfair” or “irrelevant”.

But the SCA found Baqwa’s decision was flawed.

“The high court erred in disregarding not only the evidence showing that the agreements were false, but also the reasons for the impugned decision, despite quoting those reasons verbatim in its judgment.”

In its case, SARS had relied on evidence provided by textile expert Dr Jaywant Irkhede, who noted that the importers claimed they were able to source clothes for just $0.21 or around R3 per item.

While the importers disputed Irkhede’s calculations, the court found that his evidence “makes it clear that the prices declared by the importers were unrealistic and unattainable”.

Johann Baard of the SA Apparel Association welcomed the SCA verdict.

“We sincerely hope that this sends a strong message to those who do not play by the rules,” he said. “Illegal imports and illicit trade pose a significant threat to the sustainability of compliant clothing manufacturers who employ many thousands of people domestically.”

Ramaphosa’s personal data hacked

Source: Cape Town etc

President Cyril Ramaphosa was recently hacked, with sensitive details exposed by the group “SpiderLog$”.

According to the Sunday Times, his home address, ID and cellphone numbers, as well as a loan Ramaphosa took out back in the early 2000s, were accessed.

The data was reportedly obtained from an earlier breach as TransUnion contested.

The aim of the hack was to expose how much of a “playground” South Africa is for hackers, as the group said to Sunday Times, with whom they also supplied screenshots that inferred access to military intelligence datasets.

MyBroadband reports that part of the vulnerabilities ‘secured’ by the government, is the DigiTech app store, which showed an “inability to properly secure online system.”

Although it may come as a shock to some that our president was hacked, the gaping holes in security at the top echo what appears to be the gaping limitations of data security in SA.

SA’s cyberspace is under attack

By Luke Daniel for Business Insider

South Africa’s cyberspace has seen an increasing number of attacks linked to a China-based threat actor known as Mustang Panda that’s targeting telecommunications and banks, sometimes through false recruitment sites.

Attacks on South Africa’s vulnerable cyberspace are increasing. Data gathered by cybersecurity company Trellix shows a sustained surge in threats during the first quarter of 2022, which is not entirely unusual considering the holiday-associated lull in December and January.

The nature of these threats and intentions of the cybercriminals are, however, cause for alarm and extra vigilance. Trellix revealed, during its cyber threat intelligence briefing for South Africa on Wednesday, some of the main actors that have been especially active in 2022 so far.

Chief among these is Mustang Panda, also sometimes referred to as “RedDelta” or “Bronze President”.

The China-linked cyber-espionage group has been active for the last decade, but its attacks have increased significantly since the start of the Covid-19 pandemic. Its primary objective has been to gather intelligence on NGOs, non-profits, religious organisations, and think tanks in the United States and Europe.

In 2021, the McAfee Advanced Threat Research (ATR) Strategic Intelligence team, now Trellix, uncovered an espionage campaign targeting telecommunication companies, dubbed Operation Diànxùn. Trellix believes, “with a moderate level of confidence”, that this specific campaign, attributed to Mustang Panda, “has to do with the ban of Chinese technology in the global 5G roll-out.”

“Mustang Panda is quite prolific in South Africa for the last three months,” said Carlo Bolzonello, South Africa country lead for Trellix, during Wednesday’s briefing.

“From a South African perspective, they’ve been very active in the last three months around the banking and wealth management sector.”

Mustang Panda is believed to support the Chinese government, added John Fokker, head of cyber investigations and principal engineer at Trellix.

“In the past, especially in Europe, there was a big debate around 5G and about replacing 5G technology with specific Chinese-built technology at the core. And from a security perspective, this was a big debate,” said Fokker.

“And what we observed was Mustang Panda targeting telecommunications sectors in countries where this debate was most likely. And how they actually did it… they did actually have a fake career site, so we assume they posed as recruiters trying to recruit individuals with technical knowledge within the telecommunications sector and persuade them to open a file and then infect their computer.”

The ultimate goal of this campaign, according to Fokker, was to determine the position of a specific telecommunications company towards Chinese manufacturers.

Although recently noted for its attacks on South Africa’s banking and wealth management sector, Bolzonello added that attacks on the country’s telecommunication sector were also witnessed during the debate around 5G technology.

“Mustang Panda is there to collect data, stick around, and exfiltrate data out and that data could be used for numerous different things,” said Bolzonello.

“So, the risk is quite high with someone like a Mustang Panda that definitely has a reason to be there, in your environment.”

Mustang Panda generally utilises PlugX – part of the Remote Access Trojan (RAT) malware family – disguised as a legitimate file. Once downloaded, Mustang Panda effectively creates a backdoor for remote control of the victim’s device, with the ability to monitor the user’s activity and access data.


By Karen Singh for IOL

The Department of Public Service and Administration (DPSA) has issued a warning for job-seekers to be careful of a post circulating on social media which claims to come from the department but instead advertises fake positions.

In a statement on Wednesday, director-general Yoliswa Makhasi said the department had noted with concern the social media post circulating adverts for vacancies purporting to be issued by the DPSA.

“The public is warned that the adverts for administrative clerks (x5) and government vacancies (x53) that are making the rounds on social media are false, fake, and the websites are not affiliated with the DPSA,” said Makhasi.

Makhasi said the department advertises government jobs through the Vacancy Circular that can be found on the DPSA website and not through third party websites.

“The DPSA advises the public to be aware that if they use third party websites, they might be exposed to phishing and breaches to their personal information,” she said.

Makhasi urged job-seekers to ignore the fake adverts and access government jobs through the Public Service Vacancy circular.

E-mail attack costs company R100m

By  Myles Illidge for MyBroadband

Email security is becoming an increasingly important aspect of business in South Africa, and in one instance, spoofing resulted in a company losing R100 million to a malicious actor.

In an interview with CliffCentral, e-mail security firm Sendmarc co-founder Sam Hutchinson revealed that a malicious actor’s spoofed email resulted in the funds being paid into the wrong bank account. They have not been recovered.

“The largest loss I have dealt with personally is R100 million. That’s like enough money to never have to work again, and it’s just done with email fraud,” Hutchinson said.

“R100 million paid into the wrong bank account, and the money was lost. Gone.”

He added that the two companies involved in the transaction were now in a legal battle with one another to recover the funds.

Hutchinson said that smaller companies aren’t any less likely to be attacked.

“Now, if we talk about the size of an organisation, I deal with conveyancing companies who are three lawyers, and they are losing home transfers, which can be millions of rands,” he said.

“These are small companies using large amounts of money.”

Hutchinson mentioned that the smallest company he had worked with — a two-person travel agent — had their domain impersonated by an attacker, resulting in a school paying funds for a hockey tour into the wrong account.

“The whole under 16A hockey team didn’t go on tour,” he added.

Malicious actors undertake email spoofing to gain sensitive information or hijack transactions by impersonating organisations using forged email addresses.

Hutchinson explained that one of the best ways to prevent being caught out by email spoofing attacks is to implement Domain-based Message Authentication Reporting and Conformance (DMARC).

“If you look at the Gartner Security Report of two or three years ago, they said that email is one of the top five attack vectors for an organisation,” he said.

“If you look at organisations like the Hague … they say that DMARC is one of the top three things that an organisation must implement of any size.”

DMARC is an email validation system used to protect the domains of organisations from being used for email spoofing, phishing, and other cybercrimes.

Hutchinson explained that DMARC is particularly useful as you can look up an organisation globally, and 50% of JSE-listed companies in South Africa have not implemented DMARC.

“DMARC is the global technical standard that stops attackers sending mail from you,” he said.

However, even though half of JSE-listed companies haven’t implemented DMARC, South Africa is making better progress than the EU and the US.

“If we look at the EU: 70%, if we look at the US: 72%. So, South Africa’s actually doing pretty well,” Hutchinson said.

Hutchinson said that he had noticed that specific sectors, such as mining and manufacturing, traditionally fall behind regarding their security measures, resulting in them being attacked a lot.

“[Regarding] certain sectors, it’s just traditional that their security is not necessarily up to scratch. We see it in some of the industrials and the manufacturing, the security has almost been an afterthought, and they actually get attacked a lot,” he said.

“I see the mining sector getting attacked a lot because they have such huge transaction amounts,” he added.


By Penelope Mashego by Fin24

Pharmacy retailer Dis-Chem has launched an investigation into a data hack at one of its third-party service providers that resulted in an “unauthorised person” accessing the personal details of customers.

In a notice on Wednesday, Dis-Chem said its investigation so far showed that the hacker gained access to first names, surnames, email addresses and cellphone numbers belonging to more than 3.6-million people.

The retailer said it was informed about the breach – which took place in April – at the beginning of this month. It has since taken steps to establishing the scope of the breach and restore the “integrity” of its operating system

“Please note there is currently no indication that any personal information has been published or misused as a result of the incident. However, we cannot guarantee that this position will remain the same in future,” Dis-Chem cautioned.

The retailer added that it was continuing to monitor for any publication of the personal information accessed in the breach.

“While investigations into the incident are still ongoing, the operator has confirmed it has deployed additional safeguards in order to ensure protection and security of information on the database,” Dis-Chem said.

Dis-Chem also asked those possibly affected by the breach to be vigilant by:

  • Not clicking on suspicious links;
  • Not sharing passwords or PINs;
  • Changing passwords often;
  • Having regular anti-virus and malware scans on their devices; and
  • Providing personal information only when there is a legitimate reason.

Follow us on social media: 


View our magazine archives: 


My Office News Ⓒ 2017 - Designed by A Collective