NC4 Public

NC4-ALR-2023-000004

Heightened Alert for Cyber Activities Targeting Domains and Infrastructures in Malaysia

Introduction

In light of recent developments in the Middle East, the National Cyber Coordination and Command Centre (NC4) is closely monitoring the cyber campaign centred around this conflict. Multiple hacktivists have reportedly gathered and launched cyber attacks which, based on historical data, include web defacement, document leaks, and distributed denial of service (DDoS) attacks. NC4 would like to remind System Administrators and Network Administrators to implement adequate cyber security measures to ensure systems and networks are always secure.

Impact

Possible impacts include leakage of personal identifying information (PII), web defacement and service disruption.

Brief Description

Since the outbreak of hostilities on 7 October 2023, around 100 threat actors have gathered and focused their cyber activities on entities connected to Palestine and Israel, primarily using DDoS attacks. Notable tactics involve the leaking of credentials for Israeli websites and systems, the publication of stolen data, the launching of DDoS attacks, and one of the latest Tactics, Techniques, and Procedures (TTPs) involves the hijacking of application programming interfaces (APIs) to send fake alerts on mobile apps. It is important to note that this campaign will also rely heavily on social media psychological warfare. As of now, there are approximately 77 threat actors who support the Palestinian cause, while 20 threat actors align themselves with Israel. Additionally, there are 3 threat actors who remain neutral. Several Pro-Israeli threat actors have been identified with a history of launching cyber attacks against Critical National Information Infrastructure (CNII) sectors in Malaysia in the past.


Based on NC4's most recent cyber threat intelligence analysis, there has been an increase in cyber activities observed in Malaysia over the past 30 days, particularly malware and DDoS. These activities have surged significantly, reaching a peak of 40 million events by 25 October 2023. In the upcoming weeks, an increase in activity by Pro-Israel threat actors is anticipated, because current cyber activities have expanded beyond the two conflicting sides and are now affecting other countries that support either side, whether openly or historically. One example of the spillover effect is the new operation called #OpSingapore, which was initiated by a threat actor in the SEA region.


Therefore, it is crucial for organisations to take immediate action to safeguard against potential attacks that could disrupt daily operations.

Affected Product

All operating systems, web servers and online services. 

Recommendation

Organisations are advised to be vigilant and to take the following actions: 

  1. Monitor your environment closely for any anomalies and mass scanning attempts;
  2. Update your critical ICT assets with the latest security patches and updates;
  3. Be wary of unsolicited emails and links, with or without attachments;
  4. Ensure that anti-virus/anti-malware signatures are up to date and functioning;
  5. Review your firewall logs and other security devices for anomalies from time to time;
  6. Review your firewall and other security appliance configurations from time to time;
  7. Block or restrict access to all ports and services, such as port 3389 (RDP), port 5900 (VNC) and port 22 (SSH), except for those that must be publicly available;
  8. Make sure logging on systems and servers is always enabled;
  9. Make sure system passwords are strong and kept secure. Change them if needed;
  10. Make sure that System Administrator login pages are not publicly accessible;
  11. Perform regular backups of all critical information to limit the impact of data or system loss and to help expedite the recovery process. Ideally, the backup must be done daily, on a separate media and stored offline at an alternate site;
  12. If you suspect that your servers have been compromised, isolate them, reset all usernames and passwords and initiate incident handling;
  13. Perform hardening on all your Internet facing applications;
  14. Report any anomalies happening within your network and enterprise environment to NC4. 
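As an added example (not part of the NC4 advisory), the following Python script shows how items 1, 5, 7 and 10 above can be checked against firewall logs: it flags sources that touch many distinct ports in a short window (mass scanning) and any connection to the admin ports named in item 7 that does not come from the management network. The log line layout mimics Linux iptables/nftables `LOG` output (`SRC=`, `DST=`, `PROTO=`, `DPT=` fields) with an ISO timestamp prefix; the management range 10.10.0.0/24, the thresholds and the sample log lines are all constructed assumptions for the illustration.

```python
"""Flag mass-scanning sources and admin-port access from outside the management network.

Added illustration, not NC4 tooling. Assumptions: log lines carry an ISO timestamp
followed by iptables/nftables-style SRC=/DST=/PROTO=/DPT= fields; the management
network, thresholds and sample lines below are constructed for the example.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Admin services named in recommendation 7; only the management network should reach them.
ADMIN_PORTS = {22: "SSH", 3389: "RDP", 5900: "VNC"}
MGMT_NET = ipaddress.ip_network("10.10.0.0/24")  # assumed internal admin range
SCAN_PORT_THRESHOLD = 10   # distinct destination ports from one source ...
SCAN_WINDOW_SECONDS = 60   # ... within this many seconds counts as a scan

LOG_RE = re.compile(
    r"^(?P<ts>\S+) .*? SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Return (timestamp, src, dst, proto, dport), or None for lines without a DPT field (e.g. ICMP)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return (datetime.fromisoformat(m["ts"]), m["src"], m["dst"], m["proto"], int(m["dpt"]))


def find_scanners(lines, threshold=SCAN_PORT_THRESHOLD, window=SCAN_WINDOW_SECONDS):
    """Map each source that hit >= threshold distinct ports within `window` seconds to its peak port count."""
    events = defaultdict(list)  # src -> [(timestamp, dport), ...]
    for line in lines:
        rec = parse_line(line)
        if rec:
            ts, src, _dst, _proto, dport = rec
            events[src].append((ts, dport))
    scanners = {}
    for src, evs in events.items():
        evs.sort()
        left = 0
        for right in range(len(evs)):
            # Slide the left edge so that evs[left:right+1] lies within the window.
            while (evs[right][0] - evs[left][0]).total_seconds() > window:
                left += 1
            ports = {p for _, p in evs[left:right + 1]}
            if len(ports) >= threshold:
                scanners[src] = max(scanners.get(src, 0), len(ports))
    return scanners


def find_exposed_admin_access(lines, mgmt_net=MGMT_NET):
    """List (src, dst, service) for TCP hits on admin ports from outside the management network."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        _ts, src, dst, proto, dport = rec
        if proto == "TCP" and dport in ADMIN_PORTS and ipaddress.ip_address(src) not in mgmt_net:
            hits.append((src, dst, ADMIN_PORTS[dport]))
    return hits


def _line(ts, src, dst, dport, proto="TCP"):
    """Build one constructed log line in the assumed format."""
    return (f"{ts} fw kernel: IN=eth0 OUT= SRC={src} DST={dst} LEN=60 "
            f"PROTO={proto} SPT=40000 DPT={dport} WINDOW=1024 SYN")


# Constructed sample log: one source sweeping 12 ports in 12 seconds, one admin login
# from the management network, and one RDP attempt from an Internet address.
SAMPLE_LOG = [_line(f"2023-10-25T10:00:{i:02d}", "203.0.113.5", "192.0.2.10", p)
              for i, p in enumerate([21, 22, 23, 25, 80, 110, 143, 443, 445, 3389, 5900, 8080])]
SAMPLE_LOG += [
    _line("2023-10-25T10:05:00", "10.10.0.7", "192.0.2.10", 22),       # SSH from mgmt net: expected
    _line("2023-10-25T10:06:30", "198.51.100.9", "192.0.2.10", 3389),  # RDP from the Internet: flag
    _line("2023-10-25T10:07:00", "198.51.100.9", "192.0.2.10", 443),   # ordinary web traffic
]

if __name__ == "__main__":
    for src, count in find_scanners(SAMPLE_LOG).items():
        print(f"scan suspected: {src} touched {count} ports within {SCAN_WINDOW_SECONDS}s")
    for src, dst, service in find_exposed_admin_access(SAMPLE_LOG):
        print(f"admin port reachable from outside mgmt net: {src} -> {dst} ({service})")
```

Run against real data by feeding the firewall log file's lines to the two functions instead of `SAMPLE_LOG`; any entry returned by `find_exposed_admin_access` indicates a port that recommendation 7 says should be blocked or restricted, and sources returned by `find_scanners` are the anomalies recommendation 14 asks you to report.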
