Tag: cybersecurity

  • Microsoft Servers Hacked By Chinese Groups, Firm Says

    Chinese “threat actors” have hacked Microsoft’s SharePoint document software servers and targeted the data of the businesses using it, the firm has said.

    China state-backed Linen Typhoon and Violet Typhoon as well as China-based Storm-2603 were said to have “exploited vulnerabilities” in on-premises SharePoint servers, the kind used by firms, but not in its cloud-based service.

    The US tech giant has released security updates in response and has advised all on-premises SharePoint server customers to install them.

    “Investigations into other actors also using these exploits are still ongoing,” Microsoft said in a statement.

    The firm said it had “high confidence” the hackers would continue to target systems which have not installed its security updates.

    It added that it would update its website blog with more information as its investigation continues.

    Microsoft said it had observed attacks in which hackers had sent a request to a SharePoint server “enabling the theft of the key material by threat actors”.

    Charles Carmakal, chief technology officer at Mandiant Consulting firm, a division of Google Cloud, told the BBC it was “aware of several victims in several different sectors across a number of global geographies”.

    Carmakal said it appeared that governments and businesses that use SharePoint on their sites were the primary target.

    A number of adversaries who stole material encoded by cryptography were then able to regain ongoing access to the victims’ SharePoint data, he said.

    “This was exploited in a very broad way, very opportunistically before a patch was made available. That’s why this is significant,” Carmakal said.

    Carmakal said the “China-nexus actor” was deploying techniques similar to previous campaigns associated with Beijing.

    Microsoft said Linen Typhoon had “focused on stealing intellectual property, primarily targeting organizations related to government, defence, strategic planning, and human rights” for 13 years.

    It added that Violet Typhoon had been “dedicated to espionage”, primarily targeting former government and military staff, non-governmental organizations, think tanks, higher education, the media, the financial sector and the health sector in the US, Europe, and East Asia.

    Meanwhile, Storm-2603 was “assessed with medium confidence to be a China-based threat actor”.

    (BBC)

  • Telegram Will Now Share IP Addresses And Phone Numbers To Authorities

    The messaging app Telegram has said it will hand over users’ IP addresses and phone numbers to authorities who have search warrants or other valid legal requests.

    The change to its terms of service and privacy policy “should discourage criminals”, CEO Pavel Durov said in a Telegram post on Monday.

    “While 99.999% of Telegram users have nothing to do with crime, the 0.001% involved in illicit activities create a bad image for the entire platform, putting the interests of our almost billion users at risk,” he continued.

    The announcement marks a significant reversal for Mr Durov, the platform’s Russian-born co-founder who was detained by French authorities last month at an airport just north of Paris.

    Days later, prosecutors there charged him with enabling criminal activity on the platform. Allegations against him include complicity in spreading child abuse images and trafficking of drugs. He was also charged with failing to comply with law enforcement.

    Mr Durov, who has denied the charges, lashed out at authorities shortly after his arrest, saying that holding him responsible for crimes committed by third parties on the platform was both “surprising” and “misguided.”

    Critics say Telegram has become a hotbed of misinformation, child pornography, and terror-related content partly because of a feature that allows groups to have up to 200,000 members.

    Meta-owned WhatsApp, by contrast, limits the size of groups to 1,000.

    Telegram was scrutinized last month for hosting far-right channels that contributed to violence in English cities.

    Earlier this week, Ukraine banned the app on state-issued devices in a bid to minimise threats posed by Russia.

    The arrest of the 39-year-old chief executive has sparked debate about the future of free-speech protections on the internet.

    After Mr Durov’s detention, many people began to question whether Telegram was actually a safe place for political dissidents, according to John Scott-Railton, senior researcher at the University of Toronto’s Citizen Lab.

    He says this latest policy change is already being greeted with even more alarm in many communities.

    “Telegram’s marketing as a platform that would resist government demands attracted people that wanted to feel safe sharing their political views in places like Russia, Belarus, and the Middle East,” Mr Scott-Railton said.

    “Many are now scrutinizing Telegram’s announcement with a basic question in mind: does this mean the platform will start cooperating with authorities in repressive regimes?”

    Telegram has not given much clarity on how the company will handle the demands from leaders of such regimes in the future, he added.

    Cybersecurity experts say that while Telegram has removed some groups in the past, it has a far weaker system of moderating extremist and illegal content than competing social media companies and messenger apps.

    Before the recent policy expansion, Telegram would only supply information on terror suspects, according to 404 Media.

    On Monday Mr Durov said the app was now using “a dedicated team of moderators” who were leveraging artificial intelligence to conceal problematic content in search results.

    But making that type of material harder to find likely won’t be enough to fulfill requirements under French or European law, according to Daphne Keller at Stanford University’s Center for Internet and Society.

    “Anything that Telegram employees look at and can recognize with reasonable certainty is illegal, they should be removing entirely,” Ms Keller said.

    In some countries, they also need to notify authorities about particular kinds of seriously illegal content such as child sexual abuse material, she added.

    Ms Keller questioned whether the company’s changes would be enough to satisfy authorities seeking information about targets of investigations, including who they are communicating with and the content of those messages.

    “It sounds like a commitment that is likely less than what law enforcement wants,” Ms Keller said.

    By BBC

  • How Hackers Are Stealing Billions From Kenya’s Banks And Getting Away With It

    Barclays Bank’s Kenya branches lost a combined sum of Sh11 million over Easter this year.

    Polish cyber security firm OnNet Services had warned Barclays Kenya via a tweet published on 17 April, stating that the ‘SILENTCARDS’ group of hackers was planning to hack into its ATMs.

    OnNet Services had also published on its blog a fortnight ago that it believes the hacking threat from SilentCards is still active in many other institutions.

    OnNet Services Chief Technician and Innovator Stephanie Neringa told this site’s investigators that they are building global community awareness to minimise the loss of both finances and, most importantly, the customers of local financial institutions.

    Stephen said they are having a hard time accomplishing their goals because most of our banks have poor security or backdoor loopholes that make them easy targets for SilentCards.

    OnNet Services Group’s innovator also said they have server information used by SilentCards hackers to loot over Sh450 million from a local bank.

    Our efforts to get the details or the name of the bank were fruitless because there is no tech advisory contract between the bank and OnNet Services.

    This is not the first time our local banking sector has lost billions to groups of hackers.

    In March last year, National Bank of Kenya confirmed it had been successfully hacked. The hackers got away with key security details and a loss of over Sh29 million.

    Microsoft’s cloud chief strategist Rudiger Dorn said that cyber criminals looted over 800 million dollars globally in the past year.

    Earlier this year, CBK and Visa held a successful cyber security workshop that exposed how rogue bank officers collude with hackers to swindle illiterate customers and induce ATM cash-outs.

    Visa sub-Saharan Africa Head of Risk Management Bevan Smith said hackers get hold of genuine cards that give them quick and easy backdoor access into the banking system.

    Increased cyber threats prompted CBK to introduce cyber security guidance and guidelines in July 2017.

    Local banks were required to file compiled annual reports to CBK on their cyber security systems and on how they are curbing the threats facing those systems.

    These security guidelines were also imposed on mobile money transfer networks. Safaricom’s M-Pesa service, the largest of them, is legally required to notify CBK of any cyber security glitches within 24 hours.

    Back to the elephant in the room: SilentCards are local cyber criminals, members of what was formerly known as Forkbombo.

    These cyber crooks were named Forkbombo in 2016 by government cyber watchdogs because they used [email protected] to electronically get hold of keylogger data.

    The Kenya Revenue Authority, the Banking Fraud Unit and the Cyber Crime Unit of the DCI (formerly the CID) dismantled Forkbombo after the criminals’ two years of conducting cyber crime.

    In 2017, the DCI arrested Calvin Otieno Ogalo, a 35-year-old former police officer and bank employee who was said to be the Forkbombo leader.

    Calvin Otieno was arrested alongside minor members and two American citizens. They were charged, and the two Americans were deported.

    The cybercrime department of the DCI said that Kenya lost over Sh17 billion to hackers in 2016-2017.

    Last year, DCI detectives said that the majority of cyber criminals in their custody had deep connections with local and international politicians.

    These deep international political connections of the hackers saw Kenya ranked 69th out of the 127 most vulnerable countries by the Global Threat Index.

    OnNet Services says that SilentCards regrouped in 2017 after obtaining the original keylogger data from remaining members of Forkbombo.

    “The latest code used in several banks after reversing has the main Def as OnKeyBoardEvent() and the files are usually saved as tech_kg.py,” the OnNet chief said.

    According to OnNet Services, SilentCards attackers use these three passwords as their first attempts to enter banking systems:
    a) admin123
    b) secret123
    c) welcome1

    Further investigations from OnNet indicate that SilentCards attacks copy and evaluate audit information from main data servers.

    OnNet Services says that Forkbombo used to have money mules, whereas SilentCards uses a well-connected web of foreigners who receive quick international backdoor wire transfers that are later withdrawn in a coordinated plan.

    SilentCards hackers specialise in Python scripts and also use advanced hacking tools like Empire, Metasploit, DeathStar, BloodHound, CrackMapExec, Aesshell, XmultiShell, CHAOS and Katoolin.

    OnNet investigators said they are following up a tip that GrapZone international hackers are now working with SilentCards to fully regroup Forkbombo and its vicious cyber attacks.