
NC4-ALR-2024-000002

Heightened Alert for Cyber Activities Targeting Infrastructures in Malaysia

Introduction

Further to the previous alert NC4-ALR-2023-000004 dated 26 October 2023, the National Cyber Coordination and Command Centre (NC4) has observed that a threat actor has announced its intention to launch cyber attacks on Malaysian infrastructure in general. Based on historical campaign data, such attacks include web defacement, theft of confidential documents, and network intrusion, with or without insider help. NC4 therefore reminds System Administrators and Network Administrators to implement adequate cyber security measures immediately so that systems and networks remain secured at all times.

Impact

Possible impacts include leakage of personally identifiable information (PII) and intellectual property (IP), web defacement, and service disruption.

Brief Description

NC4's recent cyber threat intelligence analysis has identified the "R00TK1T ISC CyberTeam" as the threat actor that, on 26 January 2024, announced via its Telegram channel an intention to initiate a campaign specifically targeting infrastructure in Malaysia. Although the exact date and duration of the attacks are unknown, the threat actor is believed to be part of a retaliation effort connected to the cyber campaigns stemming from the Middle East conflict. Historical data shows that the threat actor has previously targeted multiple sectors in several countries, including education, transportation, healthcare, telecommunications, and ICT services, by exploiting known vulnerabilities and by enlisting the assistance of insider threats and disgruntled employees.


Considering the potential duration of this campaign, which could span several weeks, NC4 strongly advises all Malaysian organisations to implement essential preventive measures in order to safeguard against this attack. Failure to do so could result in operational disruptions and compromise the security of the organisation's infrastructure, data, and systems.

System Affected

All operating systems, web servers, and online services. 

Recommendation

Organisations are advised to be vigilant and to take the following actions:

  1. Monitor your environment for anomalies and mass scanning attempts;
  2. Ensure critical ICT assets have the latest security fixes and updates. If an update cannot be completed, verify that the asset has adequate compensating controls and safeguards so that it cannot be exploited internally or externally;
  3. Conduct cyber awareness campaigns and send reminders to the entire organisation;
  4. Be wary of unsolicited emails and links, with or without attachments;
  5. Ensure anti-virus/anti-malware signatures are up-to-date and that the software is functioning;
  6. Regularly review firewall and security device logs for any irregularities;
  7. Regularly review your firewall and security appliance configurations;
  8. Block or restrict access to all ports (e.g., 3389 for RDP, 5900 for VNC, and 22 for SSH) and services except those that must be public;
  9. Enable system and server logging and store copies of the logs in a separate, protected location;
  10. Ensure that system passwords are strong and are stored securely. Change them if there is any doubt about their secrecy;
  11. Enforce the Least Privilege policy for users in the environment. Avoid using Domain Admin or Super Administrator accounts for remote access;
  12. Ensure that system administrator login pages are not publicly accessible;
  13. Regular backups of essential information reduce the effect of data or system loss and speed up recovery. Ideally, backups should be taken daily, on a separate medium, and stored offline at an alternate location;
  14. If you suspect your systems have been compromised, isolate them, reset all user accounts and passwords, and commence incident response procedures;
  15. Harden all internet-facing applications;
  16. Report any anomalies within your network and enterprise environment to NC4.
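The log review called for in items 1, 6 and 8 above can be automated. The script below is an added example and is not NC4 tooling or part of the advisory: it reads iptables LOG lines and OpenSSH "Failed password" lines, and flags a source that touches many distinct ports in a short window (mass scanning), any non-allow-listed source reaching the management ports named in item 8, and repeated failed logins. The log formats, the thresholds, the bastion address 203.0.113.10 used as the allow-list, and every log line in SAMPLE_LOG are assumptions constructed for the example; replace them with your own exports and values.

```python
"""Triage firewall and sshd logs for scanning, management-port exposure and
credential guessing. Added example, not NC4 tooling. Log formats, thresholds
and the sample lines are constructed assumptions."""
import re
from collections import defaultdict
from datetime import datetime

# Ports the advisory says must not be reachable from the internet (item 8)
MANAGEMENT_PORTS = {22: "SSH", 3389: "RDP", 5900: "VNC"}
# Assumption: the only address allowed to reach management ports (e.g. a bastion)
ADMIN_ALLOWLIST = {"203.0.113.10"}
# Assumed thresholds; tune to your environment
SCAN_PORT_THRESHOLD = 10      # distinct destination ports from one source ...
SCAN_WINDOW_SECONDS = 60      # ... within this many seconds
BRUTE_FORCE_THRESHOLD = 5     # failed logins from one source

# iptables LOG target format (syslog prefix, then KEY=VALUE fields)
IPT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: .*?SRC=(?P<src>[\d.]+) "
    r"DST=(?P<dst>[\d.]+) .*?PROTO=(?P<proto>\w+) SPT=\d+ DPT=(?P<dpt>\d+)")
# OpenSSH failed-login message
SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+)")


def parse_ts(stamp, year=2024):
    # syslog timestamps carry no year; the year is an assumption for the sample
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def ipt_line(ts, src, dpt):
    # Builds a constructed iptables LOG line for the sample data
    return (f"{ts} fw1 kernel: [IPT-IN] IN=eth0 OUT= SRC={src} DST=192.0.2.10 "
            f"LEN=44 TTL=52 PROTO=TCP SPT=41234 DPT={dpt} SYN")


# Constructed sample: one port scanner, one allow-listed bastion, one stray RDP
# connection from the internet, and six failed SSH logins from one source.
SAMPLE_LOG = (
    [ipt_line(f"Jan 28 03:14:{i:02d}", "198.51.100.7", p)
     for i, p in enumerate([21, 22, 23, 25, 80, 110, 135, 139, 443, 445, 3389, 5900])]
    + [ipt_line("Jan 28 03:20:00", "203.0.113.10", 22),
       ipt_line("Jan 28 03:21:00", "198.51.100.99", 3389)]
    + [f"Jan 28 03:22:{i:02d} web1 sshd[4{i}]: Failed password for invalid user "
       f"admin from 198.51.100.44 port 5{i} ssh2" for i in range(6)]
)


def triage(lines):
    """Return scanners, management-port hits and brute-force sources found in lines."""
    flows = defaultdict(list)    # src -> [(timestamp, dst port)]
    failures = defaultdict(int)  # src -> failed login count
    mgmt_hits = []               # (src, port, service) from non-allow-listed sources
    for line in lines:
        m = IPT_RE.match(line)
        if m:
            src, dpt = m["src"], int(m["dpt"])
            flows[src].append((parse_ts(m["ts"]), dpt))
            if dpt in MANAGEMENT_PORTS and src not in ADMIN_ALLOWLIST:
                mgmt_hits.append((src, dpt, MANAGEMENT_PORTS[dpt]))
            continue
        m = SSHD_RE.match(line)
        if m:
            failures[m["src"]] += 1

    # Scan detection: for each source, count distinct ports inside any
    # SCAN_WINDOW_SECONDS window starting at one of its own events.
    scanners = {}
    for src, events in flows.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            ports = {p for t, p in events[i:]
                     if (t - t0).total_seconds() <= SCAN_WINDOW_SECONDS}
            if len(ports) >= SCAN_PORT_THRESHOLD:
                scanners[src] = max(scanners.get(src, 0), len(ports))

    brute = {s: n for s, n in failures.items() if n >= BRUTE_FORCE_THRESHOLD}
    return {"scanners": scanners,
            "management_port_hits": mgmt_hits,
            "brute_force": brute}


if __name__ == "__main__":
    for category, result in triage(SAMPLE_LOG).items():
        print(f"{category}: {result}")
```

Run it against a real export by replacing SAMPLE_LOG with the lines of your firewall and auth logs; anything in `management_port_hits` is a direct violation of item 8 and, together with any source in `scanners` or `brute_force`, is an anomaly worth reporting under item 16.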

References

  1. https://twitter.com/DailyDarkWeb/status/1750866521079926798
  2. https://izoologic.com/region/central-asia/r00tk1t-hacking-group-threatens-malaysia-in-its-latest-post/
