ANNOUNCEMENT

Introduction

In relation to the previous alert NC4-ALR-2023-000004 dated 26 October 2023, the National Cyber Coordination and Command Centre (NC4) has observed that a threat actor has made an announcement to launch cyber attacks on Malaysian infrastructure in general, which, based on historical campaign data, include web defacement, stealing confidential documents, and network intrusion with or without insider help. In this regard, NC4 would like to remind System Administrators and Network Administrators to immediately implement adequate cyber security measures to ensure the systems and networks are secured at all times.

Impact

Possible information leakage includes personal identifying information (PII) and intellectual property (IP), web defacement, and service disruption.

Impacted Platforms

All operating systems, web servers and online services.

Brief Description

NC4's recent cyber threat intelligence analysis has identified the "R00TK1T ISC CyberTeam" as the threat actor that recently announced their intention to initiate a campaign specifically targeting infrastructure in Malaysia via their Telegram channel on 26 January 2024. Although the exact date and duration of the attacks are unknown, it is believed that the threat actor was part of a retaliation team against the cyber campaign stemming from the Middle East conflict. Historical data reveals that the threat actor has previously targeted various sectors in multiple countries, including education, transportation, healthcare, telecommunications, and ICT services, by exploiting known vulnerabilities and enlisting the assistance of insider threats and disgruntled employees.

Considering the potential duration of this campaign, which could span several weeks, NC4 strongly advises all Malaysian organisations to implement essential preventive measures in order to safeguard against this attack. Failure to do so could result in operational disruptions and compromise the security of the organisation's infrastructure, data, and systems.

Recommendation

Organisations are advised to be vigilant and to take the following actions:

• Monitor your environment closely for any anomalies and mass scanning attempts;
• Ensure critical ICT assets have the latest security fixes and updates. If an update cannot be completed, verify that the asset has adequate control and safeguards to avoid being exploited internally or externally;
• Be wary of unsolicited mails and links with/without attachments;
• Ensure that anti-virus/anti-malware signatures are up to date and functioning;
• Regularly review firewall logs and security devices for any irregularities;
• Regularly review your firewall and security appliance configurations;
• Block or restrict access to every port such as port 3389(RDP), port 5900 (VNC) and port 22 (SSH) and services except for those that should be publicly available;
• Enable and secure system and server logs in different locations;
• Ensure your system password is strong and safe. Change the password if necessary;
• Enforce the Least Privilege policy for users in the environment. Avoid utilising Domain Admin or Super Administrator for remote access;
• Ensure that System Administrators login pages are not publicly accessible;
• Regular backups of essential information can reduce the effect of data or system loss and speed up recovery. Ideally, the backup should be done daily, on a separate medium, and stored offline at an alternate location;
• If you suspect your systems have been compromised, isolate them, reset all users and passwords, and commence incident response procedures;
• Harden all internet-facing applications;
• Report any anomalies happening within your network and enterprise environment to NC4.

29-01-2024