SA’s cyberspace is under attack

By Luke Daniel for Business Insider

South Africa’s cyberspace has seen an increasing number of attacks linked to a China-based threat actor known as Mustang Panda that’s targeting telecommunications and banks, sometimes through false recruitment sites.

Attacks on South Africa’s vulnerable cyberspace are increasing. Data gathered by cybersecurity company Trellix shows a sustained surge in threats during the first quarter of 2022, which is not entirely unusual considering the holiday-associated lull in December and January.

The nature of these threats and intentions of the cybercriminals are, however, cause for alarm and extra vigilance. Trellix revealed, during its cyber threat intelligence briefing for South Africa on Wednesday, some of the main actors that have been especially active in 2022 so far.

Chief among these is Mustang Panda, also sometimes referred to as “RedDelta” or “Bronze President”.

The China-linked cyber-espionage group has been active for the last decade, but its attacks have increased significantly since the start of the Covid-19 pandemic. Its primary objective has been to gather intelligence on NGOs, non-profits, religious organisations, and think tanks in the United States and Europe.

In 2021, the McAfee Advanced Threat Research (ATR) Strategic Intelligence team, now Trellix, uncovered an espionage campaign targeting telecommunication companies, dubbed Operation Diànxùn. Trellix believes, “with a moderate level of confidence”, that this specific campaign, attributed to Mustang Panda, “has to do with the ban of Chinese technology in the global 5G roll-out.”

“Mustang Panda is quite prolific in South Africa for the last three months,” said Carlo Bolzonello, South Africa country lead for Trellix, during Wednesday’s briefing.

“From a South African perspective, they’ve been very active in the last three months around the banking and wealth management sector.”

Mustang Panda is believed to support the Chinese government, added John Fokker, head of cyber investigations and principal engineer at Trellix.

“In the past, especially in Europe, there was a big debate around 5G and about replacing 5G technology with specific Chinese-built technology at the core. And from a security perspective, this was a big debate,” said Fokker.

“And what we observed was Mustang Panda targeting telecommunications sectors in countries where this debate was most likely. And how they actually did it… they did actually have a fake career site, so we assume they posed as recruiters trying to recruit individuals with technical knowledge within the telecommunications sector and persuade them to open a file and then infect their computer.”

The ultimate goal of this campaign, according to Fokker, was to determine the position of a specific telecommunications company towards Chinese manufacturers.

Although the group has recently been noted for its attacks on South Africa’s banking and wealth management sector, Bolzonello added that attacks on the country’s telecommunication sector were also witnessed during the debate around 5G technology.

“Mustang Panda is there to collect data, stick around, and exfiltrate data out and that data could be used for numerous different things,” said Bolzonello.

“So, the risk is quite high with someone like a Mustang Panda that definitely has a reason to be there, in your environment.”

Mustang Panda generally utilises PlugX – part of the Remote Access Trojan (RAT) malware family – disguised as a legitimate file. Once downloaded, Mustang Panda effectively creates a backdoor for remote control of the victim’s device, with the ability to monitor the user’s activity and access data.


By Karen Singh for IOL

The Department of Public Service and Administration (DPSA) has issued a warning for job-seekers to be careful of a post circulating on social media which claims to come from the department but instead advertises fake positions.

In a statement on Wednesday, director-general Yoliswa Makhasi said the department had noted with concern the social media post circulating adverts for vacancies purporting to be issued by the DPSA.

“The public is warned that the adverts for administrative clerks (x5) and government vacancies (x53) that are making the rounds on social media are false, fake, and the websites are not affiliated with the DPSA,” said Makhasi.

Makhasi said the department advertises government jobs through the Vacancy Circular that can be found on the DPSA website and not through third party websites.

“The DPSA advises the public to be aware that if they use third party websites, they might be exposed to phishing and breaches to their personal information,” she said.

Makhasi urged job-seekers to ignore the fake adverts and access government jobs through the Public Service Vacancy circular.

E-mail attack costs company R100m

By Myles Illidge for MyBroadband

Email security is becoming an increasingly important aspect of business in South Africa, and in one instance, spoofing resulted in a company losing R100 million to a malicious actor.

In an interview with CliffCentral, e-mail security firm Sendmarc co-founder Sam Hutchinson revealed that a malicious actor’s spoofed email resulted in the funds being paid into the wrong bank account. They have not been recovered.

“The largest loss I have dealt with personally is R100 million. That’s like enough money to never have to work again, and it’s just done with email fraud,” Hutchinson said.

“R100 million paid into the wrong bank account, and the money was lost. Gone.”

He added that the two companies involved in the transaction were now in a legal battle with one another to recover the funds.

Hutchinson said that smaller companies aren’t any less likely to be attacked.

“Now, if we talk about the size of an organisation, I deal with conveyancing companies who are three lawyers, and they are losing home transfers, which can be millions of rands,” he said.

“These are small companies using large amounts of money.”

Hutchinson mentioned that the smallest company he had worked with — a two-person travel agent — had their domain impersonated by an attacker, resulting in a school paying funds for a hockey tour into the wrong account.

“The whole under 16A hockey team didn’t go on tour,” he added.

Malicious actors undertake email spoofing to gain sensitive information or hijack transactions by impersonating organisations using forged email addresses.

Hutchinson explained that one of the best ways to prevent being caught out by email spoofing attacks is to implement Domain-based Message Authentication Reporting and Conformance (DMARC).

“If you look at the Gartner Security Report of two or three years ago, they said that email is one of the top five attack vectors for an organisation,” he said.

“If you look at organisations like the Hague … they say that DMARC is one of the top three things that an organisation must implement of any size.”

DMARC is an email validation system used to protect the domains of organisations from being used for email spoofing, phishing, and other cybercrimes.

Hutchinson explained that DMARC is particularly useful as you can look up an organisation globally, and 50% of JSE-listed companies in South Africa have not implemented DMARC.

“DMARC is the global technical standard that stops attackers sending mail from you,” he said.
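To make the mechanism concrete, here is an added Python example (not code from the article, from Sendmarc, or from Gartner) that parses a DMARC TXT record and works out what a DMARC-aware receiver would do with a message whose SPF and DKIM results do not align with the From domain. The domain names and records are constructed for illustration, and the organisational-domain helper is a deliberate simplification: a real receiver consults the Public Suffix List, so a `.co.za` domain would need three labels rather than two.

```python
"""Parse DMARC TXT records (RFC 7489) and decide the disposition of a
message that fails SPF/DKIM alignment. Records and domains are constructed."""
from dataclasses import dataclass
from typing import Optional

# Constructed sample records: the monitor-only record that roughly half of the
# JSE-listed companies in the article have not even reached, a partially
# enforced one, an enforcing one, and a domain with no record at all.
SAMPLE_RECORDS = {
    "monitor-only.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor-only.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=25",
    "enforced.example": "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:dmarc@enforced.example",
    "no-record.example": "",
}


@dataclass
class DmarcPolicy:
    policy: str            # p=  : none | quarantine | reject
    subdomain_policy: str  # sp= : defaults to p
    pct: int               # pct=: share of failing mail the policy applies to
    adkim: str             # DKIM alignment mode: r (relaxed) | s (strict)
    aspf: str              # SPF alignment mode:  r (relaxed) | s (strict)
    rua: list              # aggregate report destinations


def parse_dmarc(txt: str) -> Optional[DmarcPolicy]:
    """Return the parsed policy, or None if the record is absent or invalid."""
    pairs = []
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            return None
        k, v = part.split("=", 1)
        pairs.append((k.strip().lower(), v.strip()))
    # v=DMARC1 must be the first tag and p= is mandatory.
    if not pairs or pairs[0] != ("v", "DMARC1"):
        return None
    tags = dict(pairs)
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return None
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        return None
    if not 0 <= pct <= 100:
        return None
    return DmarcPolicy(
        policy=policy,
        subdomain_policy=tags.get("sp", policy).lower(),
        pct=pct,
        adkim=tags.get("adkim", "r").lower(),
        aspf=tags.get("aspf", "r").lower(),
        rua=[a.strip() for a in tags.get("rua", "").split(",") if a.strip()],
    )


def org_domain(domain: str) -> str:
    """Simplified organisational domain (assumption: last two labels).
    Real receivers use the Public Suffix List instead."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(header_from: str, authenticated: str, mode: str) -> bool:
    """Identifier alignment: strict needs an exact match, relaxed accepts any
    domain under the same organisational domain."""
    if mode == "s":
        return header_from.lower() == authenticated.lower()
    return org_domain(header_from) == org_domain(authenticated)


def disposition(pol: Optional[DmarcPolicy], header_from: str,
                spf_domain: Optional[str], dkim_domain: Optional[str]) -> str:
    """What a receiver does with one message. spf_domain / dkim_domain are the
    domains that produced an SPF / DKIM pass (None means no pass)."""
    if pol is None:
        return "accept (no DMARC policy, spoofed mail is delivered)"
    spf_ok = spf_domain is not None and aligned(header_from, spf_domain, pol.aspf)
    dkim_ok = dkim_domain is not None and aligned(header_from, dkim_domain, pol.adkim)
    if spf_ok or dkim_ok:
        return "pass"
    action = pol.policy
    if pol.pct < 100:
        # Unsampled failures fall to the next weaker policy (RFC 7489 section 6.6.4).
        weaker = {"reject": "quarantine", "quarantine": "none", "none": "none"}[action]
        return f"{action} for {pol.pct}% of failures, {weaker} for the rest"
    return action


def assess_domain(domain: str) -> str:
    """Classify how much spoofing protection a domain's record actually gives."""
    pol = parse_dmarc(SAMPLE_RECORDS.get(domain, ""))
    if pol is None:
        return "unprotected"
    if pol.policy == "none":
        return "monitor-only"
    if pol.pct < 100 or pol.subdomain_policy == "none":
        return "partial"
    return "enforced"


if __name__ == "__main__":
    for name in SAMPLE_RECORDS:
        pol = parse_dmarc(SAMPLE_RECORDS[name])
        # A forged From: header with no aligned SPF or DKIM pass.
        print(f"{name:22} {assess_domain(name):13} -> {disposition(pol, name, None, None)}")
```

The last check in `assess_domain` is the one that matters in practice: a record with `p=none` only sends reports, so a forged invoice still reaches the recipient's inbox. Moving to `p=quarantine` and then `p=reject` at `pct=100` is what actually stops an attacker "sending mail from you".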

However, even though half of JSE-listed companies haven’t implemented DMARC, South Africa is making better progress than the EU and the US.

“If we look at the EU: 70%, if we look at the US: 72%. So, South Africa’s actually doing pretty well,” Hutchinson said.

Hutchinson said that he had noticed that specific sectors, such as mining and manufacturing, traditionally fall behind regarding their security measures, resulting in them being attacked a lot.

“[Regarding] certain sectors, it’s just traditional that their security is not necessarily up to scratch. We see it in some of the industrials and the manufacturing, the security has almost been an afterthought, and they actually get attacked a lot,” he said.

“I see the mining sector getting attacked a lot because they have such huge transaction amounts,” he added.


By Penelope Mashego for Fin24

Pharmacy retailer Dis-Chem has launched an investigation into a data hack at one of its third-party service providers that resulted in an “unauthorised person” accessing the personal details of customers.

In a notice on Wednesday, Dis-Chem said its investigation so far showed that the hacker gained access to first names, surnames, email addresses and cellphone numbers belonging to more than 3.6-million people.

The retailer said it was informed about the breach – which took place in April – at the beginning of this month. It has since taken steps to establish the scope of the breach and restore the “integrity” of its operating system.

“Please note there is currently no indication that any personal information has been published or misused as a result of the incident. However, we cannot guarantee that this position will remain the same in future,” Dis-Chem cautioned.

The retailer added that it was continuing to monitor for any publication of the personal information accessed in the breach.

“While investigations into the incident are still ongoing, the operator has confirmed it has deployed additional safeguards in order to ensure protection and security of information on the database,” Dis-Chem said.

Dis-Chem also asked those possibly affected by the breach to be vigilant by:

  • Not clicking on suspicious links;
  • Not sharing passwords or PINs;
  • Changing passwords often;
  • Having regular anti-virus and malware scans on their devices; and
  • Providing personal information only when there is a legitimate reason.

By Ravie Lakshmanan for The Hacker News

Three high-impact Unified Extensible Firmware Interface (UEFI) security vulnerabilities have been discovered impacting various Lenovo consumer laptop models, enabling malicious actors to deploy and execute firmware implants on the affected devices.

Tracked as CVE-2021-3970, CVE-2021-3971, and CVE-2021-3972, the latter two “affect firmware drivers originally meant to be used only during the manufacturing process of Lenovo consumer notebooks,” ESET researcher Martin Smolár said in a report published today.

“Unfortunately, they were mistakenly included also in the production BIOS images without being properly deactivated,” Smolár added.

Successful exploitation of the flaws could permit an attacker to disable SPI flash protections or Secure Boot, effectively granting the adversary the ability to install persistent malware that can survive system reboots.

UEFI Firmware Vulnerabilities

CVE-2021-3970, on the other hand, relates to a case of memory corruption in the System Management Mode (SMM) of the firmware, leading to the execution of malicious code with the highest privileges.

The three flaws were reported to the PC maker on October 11, 2021, following which patches were issued on April 12, 2022. A summary of the three flaws as described by Lenovo is below –

  • CVE-2021-3970 – A potential vulnerability in LenovoVariable SMI Handler due to insufficient validation in some Lenovo Notebook models may allow an attacker with local access and elevated privileges to execute arbitrary code.
  • CVE-2021-3971 – A potential vulnerability by a driver used during older manufacturing processes on some consumer Lenovo Notebook devices that was mistakenly included in the BIOS image could allow an attacker with elevated privileges to modify the firmware protection region by modifying an NVRAM variable.
  • CVE-2021-3972 – A potential vulnerability by a driver used during manufacturing process on some consumer Lenovo Notebook devices that was mistakenly not deactivated may allow an attacker with elevated privileges to modify secure boot setting by modifying an NVRAM variable.

The weaknesses, which impact Lenovo Flex; IdeaPads; Legion; V14, V15, and V17 series; and Yoga laptops, add to the disclosure of as many as 50 UEFI firmware vulnerabilities in Insyde Software’s InsydeH2O, HP, and Dell since the start of the year.

Included in the list are six severe flaws in HP’s firmware affecting laptops and desktops that, if successfully exploited, could allow attackers to locally escalate to SMM privileges and trigger a denial-of-service (DoS) condition.

“UEFI threats can be extremely stealthy and dangerous,” Smolár said. “They are executed early in the boot process, before transferring control to the operating system, which means that they can bypass almost all security measures and mitigations higher in the stack that could prevent their OS payloads from being executed.”


TransUnion hacked and held to ransom

Source: Fin24

Credit bureau TransUnion has been hacked and has received a demand for ransom, it said in a statement.

The hackers, who described themselves as a “criminal third party”, gained access to the bureau’s server by misusing an authorised client’s credentials, according to the statement.

“We have received an extortion demand and it will not be paid,” TransUnion said.

The Southern African Fraud Prevention Service (SAFPS) said it appears that TransUnion is battling to retrieve the compromised data from the hackers. TransUnion has not yet confirmed or denied this directly to Fin24.

But the company said it is working with law enforcement and regulators. Its investigation is ongoing, and as it progresses, TransUnion SA will notify and assist those whose personal data may have been affected.

According to TransUnion, it immediately suspended the compromised client’s access, engaged cybersecurity and forensic experts, and began investigating. It is working with law enforcement, it said.

It also took some of its services offline, but these have since resumed.

“We believe the incident impacted an isolated server holding limited data from our South African business. We are working with law enforcement and regulators,” it said.

“We are engaging clients in South Africa about this incident. As our investigation progresses, we will notify and assist individuals whose personal data may have been affected.

“We will be making identity protection products available to impacted consumers free of charge,” TransUnion added.

CEO Lee Naik added that protecting client data was TransUnion’s “top priority”.

“We understand that situations like this can be unsettling and TransUnion South Africa remains committed to assisting anyone whose information may have been affected,” said Naik.

Technology site ITWeb earlier reported that the hacker group was going by the name N4aughtysecTU and claimed to come from Brazil. Speaking to ITWeb via Telegram, the hacker group reportedly said it had 4 terabytes of client information and had accessed some 54 million records, including data from over 200 corporates.

The group allegedly threatened to attack TransUnion’s corporate clients if the bureau didn’t cough up. According to ITWeb it wants $15 million (~R223 million) in Bitcoin.

Rising data breach incidents in SA

SAFPS CEO Manie van Schalkwyk said records of 54 million South Africans might have been compromised.

“This alarming news is further indication that every company that holds personal information is a potential target. The consumer desperately needs an extra layer of protection on their identity against criminals who will turn their lives upside down without a second thought,” said SAFPS CEO Manie van Schalkwyk.

SAFPS said cyberattacks and data breaches targeting SA companies have escalated over the past two years.

In 2020, another credit bureau, Experian, suffered a data breach, which potentially exposed the information of 24 million South Africans. In 2021, Debt-IN Consultants, a debt recovery partner to many South African financial services institutions, suffered a ransomware attack. It is estimated that the personal information of more than 1.4 million South Africans was illegally accessed from its servers.

Banks have not been spared either. Absa announced a data leak in November 2020, and it has been identifying more impacted customers this year, almost a year-and-a-half after the incident. Standard Bank also identified a data breach on its LookSee platform in November last year.

“Data breaches have been on the rise globally, and South Africa has seen unprecedented increases in the number of cyber victims,” said Dalene Deale, the executive head of Secure Citizen, which was created through a collaboration between SAFPS and OneVault to combat identity theft following online fraud.

Deale said this increase in data breaches means that fraudsters are now armed with more of the correct information, enabling them to impersonate individuals.

SAFPS said when records of more than 20 million consumers were compromised at another credit bureau – possibly Experian – it saw impersonation rise by more than 300%.

SAP ordered to repay more than R413m

By Jeanette Chabalala for News24

Two multimillion-rand software and support contracts between the Department of Water and Sanitation (DWS) and global giant SAP have been set aside.

On Tuesday, the Special Tribunal declared the contracts, which were signed in 2015 and 2016 respectively, “constitutionally invalid” and set them aside.

Judge Lebogang Modiba ordered the DWS not to use any of the software licences under the agreements.

She ordered SAP to pay the DWS R413 121 283.40 in respect of both contracts.

She added that within five court days of the date of the order, SAP has to pay the department R263-million.

In September 2018, a proclamation was published for the Special Investigating Unit (SIU) to probe allegations that the purchase of the SAP licences for more than R500 million was not necessary and they were procured without the correct tender process being followed.

There were also allegations that R35 million in kickbacks were paid after the DWS procured the SAP service on 26 July 2016.

The SIU began work in September 2018 and immediately “uplifted” computers and documentation from the department.

The unit found that the contract value was approximately R950 million, excluding value-added tax (VAT), consisting of R450 million for the SAP licence fees, plus maintenance over five years.

It also found that no needs analysis was conducted and that there was no budget for the purchase of the SAP licences.

There was also no “virement” or approval of the payments to SAP.

The State Information Technology Agency (SITA) was not consulted and, in fact, SITA had advised the department against proceeding with the contract, News24 previously reported.

The SIU also found evidence that the 2015 agreement with SAP was irregular and ought to have been set aside.

The unit said it made “disciplinary referrals” to the department against two senior officials.

“The SIU was informed that [a disciplinary hearing] against one senior official has been concluded and judgment is expected within this week, while the DWS is considering disciplinary action against the other official. The SIU has also referred evidence pointing towards criminality to the NPA (National Prosecuting Authority), AFU (Asset Forfeiture Unit) and SARS. The referrals are in line with the SIU Act 74 of 1996,” it said in a statement on Wednesday.


Source: Bloomberg

Samsung Electronics Co. suffered a cybersecurity breach that exposed internal company data, including source code for the operation of its Galaxy smartphones, the company said.

The statement came after a claim over the weekend that LAPSUS$, a hacking group that stole proprietary information from Nvidia Corp.’s networks, had gained access to Samsung data.

The Korean electronics giant did not identify the attackers who compromised its systems. Measures to prevent further breaches have been put in place, a spokesperson said via text message, and customers’ personal data was not affected.

“There was a security breach relating to certain internal company data,” Samsung said. “According to our initial analysis, the breach involves some source code relating to the operation of Galaxy devices, but does not include the personal information of our consumers or employees.”

“Currently, we do not anticipate any impact to our business or customers. We have implemented measures to prevent further such incidents and will continue to serve our customers without disruption.”

The LAPSUS$ hackers posted a 190GB torrent file to their Telegram channel late Friday, claiming it contained confidential Samsung source code that exposed the company’s device security systems.

Among the items listed were algorithms for Samsung smartphone biometric authentication and bootloader source code to bypass some operating system controls.


Source: CNBC

As Russia steps up its cyberattacks on Ukraine alongside a military invasion, governments on both sides of the Atlantic are worried the situation could spill over into other countries, becoming an all-out cyberwar.

Russia has been blamed for a number of cyberattacks targeting Ukraine’s government and banking system in recent weeks.

On Thursday, cybersecurity firm ESET said it had discovered new “wiper” malware targeting Ukrainian organisations. Such software aims to erase data from the systems it targets.

A day earlier, the websites of several Ukrainian government departments and banks were knocked offline by a distributed denial of service (DDoS) attack, which is when hackers overwhelm a website with traffic until it crashes.

It comes after a separate attack last week took down four Ukrainian government websites, which U.S. and U.K. officials attributed to the GRU, the Russian military intelligence agency.

Ukrainian residents also reportedly received fake text messages saying ATMs in the country did not work, which cybersecurity experts say was likely a scare tactic.

For its part, Russia says it “has never conducted and does not conduct any ‘malicious’ operations in cyberspace.”

The onslaught of attacks has led to fears of a wider digital conflict, with Western governments bracing for cyberthreats from Russia — and considering how to respond.

Officials in both the U.S. and Britain are warning businesses to be alert to suspicious activity from Russia on their networks. Meanwhile, Estonian Prime Minister Kaja Kallas on Thursday said European nations should be “aware of the cybersecurity situation in their countries.”

NBC News reported Thursday that President Joe Biden has been presented with options for the U.S. to carry out cyberattacks on Russia to disrupt internet connectivity and shut off its electricity. A White House spokesperson pushed back on the report, however, saying it was “wildly off base.”

Nevertheless, cybersecurity researchers say an online conflict between Russia and the West is indeed a possibility — though the severity of any such event may be limited.

“I think it’s very possible, but I think it’s also important that we reflect on the reality of cyberwar,” John Hultquist, vice president of intelligence analysis at Mandiant, told CNBC.

“It’s easy to hear that term and compare it to real war. But the reality is, most of the cyberattacks we’ve seen have been nonviolent, and largely reversible.”

Toby Lewis, head of threat analysis at Darktrace, said the attacks have so far been largely focused on supporting Russia’s physical invasion of Ukraine.

“It is the physical land and territory that Russia appears to seek rather than economic leverage, for which a cyber-first campaign may be more effective,” he told CNBC.

However, researchers at Symantec said the wiper malware detected in Ukraine also affected Ukrainian government contractors in Latvia and Lithuania, hinting at a potential “spillover” of Russia’s cyberwarfare tactics into other countries.

“This likely shows the beginning of the collateral impact of this cyber-conflict on global supply chains, and there may begin to be some effect on other Western countries that rely on some of the same contractors and service providers,” Lewis said.

Several European Union countries, including Lithuania, Croatia and Poland, are offering Ukraine support with the launch of a cyber rapid-response team.

“We have long theorized that cyberattacks are going to be part of any nation-state’s arsenal and I think what we’re witnessing for the first time frankly in human history is cyberattacks have become the weapon of first strike,” Hitesh Sheth, CEO of Vectra AI, told CNBC’s “Squawk Box Asia” on Friday.

Sheth suggested Russia could launch retaliatory cyberattacks in response to Western sanctions announced earlier this week.

“I would fully expect that, given what we are witnessing with Russia overtly attacking Ukraine with cyberattacks, that they would have covert channels as a way to attack institutions that are being deployed to curtail them in the financial community,” he said.

What happens next?

Russia has long been accused by governments and cybersecurity researchers of perpetrating cyberattacks and misinformation campaigns in an effort to disrupt economies and undermine democracy.

Now, experts say Russia could launch more sophisticated forms of cyberattacks, targeting Ukraine, and possibly other countries, too.

In 2017, an infamous malware known as NotPetya infected computers across the world. It initially targeted Ukrainian organisations but soon spread globally, affecting major corporations such as Maersk, WPP and Merck. The attacks were blamed on Sandworm, the hacking unit of GRU, and caused upward of $10 billion in total damage.

“If they actually focus these types of activity against the West, that could have very real economic consequences,” Hultquist told CNBC.

“The other piece that we’re concerned about is that they go after critical infrastructure.”

Russia has been digging at infrastructure in Western countries like the U.S., U.K. and Germany “for a very long time,” and has been “caught in the act” multiple times, Hultquist said.

“The concern, though, is we’ve never seen them pull the trigger,” Hultquist added. “The thinking has always been that they were preparing for contingency.”

“The question now is, is this the contingency that they have been preparing for? Is this the threshold that they’ve been waiting for to start carrying out disruptions? We’re obviously concerned that this could be it.”

Last year, Colonial Pipeline, a U.S. oil pipeline system, was hit by a ransomware attack that took critical energy infrastructure offline. The Biden administration says it doesn’t believe Moscow was behind the attack. DarkSide, the hacking group responsible, was believed to have been based in Russia.


Blue Label Telecoms uncovers massive fraud

Source: MyBroadband

Blue Label Telecoms has uncovered a large fraudulent scheme, operating since 2015, perpetrated by two former senior executives of a subsidiary company.

The fraudulent transactions were performed primarily outside the course and scope of the subsidiary’s field of commercial dealings.

The senior executives interposed themselves between intermediary companies and the subsidiary for their own benefit.

Blue Label identified transactions that amounted to a theft of funds from the subsidiary, which the executives tried to conceal.

The company signed settlement agreements with the executives in late October 2021, where most of the assets of the executives were signed over to Blue Label.

The value of these assets as of 31 October 2021 amounted to R315 million, which indicates the scale of the fraud.

“Subsequent to the fraud investigation and detailed review of the control environment and business processes within the subsidiary, management has implemented the necessary improvements relating to the existing control environment,” Blue Label said.

The company now holds Powers of Attorney over the assets of these executives. They are listed in the table below.

Commenting on the “immovable properties”, Blue Label said it is not its intention to acquire legal title to the properties or keep the rights long term.

It is, therefore, actively marketing these properties and expects to sell them all within the next twelve months.

All the money found to be held in the bank accounts of the perpetrators has been transferred to Blue Label’s bank accounts.

As of 30 November 2021, properties to the value of R8.5 million have been sold.


My Office News Ⓒ 2017 - Designed by A Collective