1.0 Introduction
The Cyber Incident Quarterly Summary Report Q2 2024 provides an overview of computer security incidents handled by the Cyber999 Incident Response Centre of CyberSecurity Malaysia in Q2 2024. This quarterly Cyber Incident Report also highlights statistics of incidents dealt with by the Cyber999 Incident Response Centre in Q2 2024 according to their categories, and the security alerts and advisories released in this quarter. It should be noted that the statistics provided in this report reflect only the total number of incidents reported and handled by the Cyber999 Incident Response Centre, excluding elements such as monetary value or the aftermath of the incidents. Computer security incidents dealt with by the Cyber999 Incident Response Centre involved IP addresses and domains from Malaysia. CyberSecurity Malaysia works closely with ISPs, CERTs, Special Interest Groups (SIGs) and Law Enforcement Agencies (LEAs), both local and international, to remediate and mitigate computer security incidents affecting Malaysia's organisations and the general public.
2.0 Trends Q2 2024
Malaysian Internet users increased to 33.59 million at the start of 2024.[1] As of January 2024, Malaysia’s estimated number of social media users is 28.68 million, equating to 83.1 percent of the total population. In general, the Cyber999 Incident Response Centre receives incident reports from Internet users, members of the public, home users, small and medium enterprises (SMEs), industries, government, academia, and non-profit organisations (NGOs). We also proactively seek and gather insights on cyber threats that could impact Internet users and organisations in Malaysia and aid in mitigating these threats. The Cyber999 Incident Response Centre received 1,481 incidents in Q2 2024, compared to 1,555 incidents in Q1 2024. This indicates a 5% decrease in incidents in Q2 2024.
Table 1: Comparison of Incidents Reported in Q1 2024 and Q2 2024
Denial of Service | |||
Intrusion | |||
Content Related (Data Breach) | |||
Intrusion Attempt | |||
Vulnerabilities Report | |||
Malicious Codes | |||
Fraud | |||
Spam | |||
TOTAL |
Table 2: Breakdown of Incidents Based on Months in Q2 2024
Denial of Service | |||
Intrusion | |||
Content Related (Data Breach) | |||
Intrusion Attempt | |||
Vulnerabilities Report | |||
Malicious Codes | |||
Fraud | |||
Spam | |||
TOTAL |
Table 3: Breakdown of categories and sub-categories of incidents in Q2 2024
Denial of Service Denial of Service – DoS |
|||
Fraud Fraud – Bogus Email Fraud – Business Email Compromise Fraud – Fraud Site Fraud – Impersonation & Spoofing Fraud – Job Scam Fraud – Love/Parcel Scam Fraud – Phishing |
4 9 20 1 0 245 |
1 16 73 2 2 240 |
1 10 52 3 3 248 |
Vulnerabilities Report Vulnerabilities Report – Misconfiguration Information Disclosure Vulnerabilities Report -- System Vulnerabilities Report -- Web |
0 3 |
0 0 |
2 1 |
Intrusion Intrusion – Account Compromise Intrusion -- Defacement |
23 |
5 |
13 |
Intrusion Attempt Intrusion Attempt – Login Brute Force Intrusion Attempt – Login Brute Force Intrusion Attempt – Vulnerability Probes |
0 2 |
0 15 |
0 23 |
Malicious Codes Malicious Codes – Botnet C&C Malicious Codes – Bots Malicious Codes – Malware Malicious Codes – Malware Hosting |
51 10 2 |
48 6 0 |
42 4 0 |
Content Related Content Related – Data Breach |
|||
Spam |
|||
TOTAL |

Figure 1: Breakdown of incidents based on months in Q2 2024
Figure 1 illustrates and provides an overview of the incidents reported in Q2 2024 in a chart. Figure 2 illustrates the percentage of incidents based on their classification.

Figure 2: Percentage of incidents reported by categories in Q2 2024
Based on the above statistics, four categories of incidents (Denial of Service, Intrusion, Intrusion Attempts and Spam) reported to us have increased in Q2 2024 compared to Q1 2024, and another four have decreased (Vulnerabilities Report, Data Breach, Malicious Codes and Fraud). The data breach incident decreased to 18% from Q1 2024. In Q2 2024, the most reported incident was fraud, representing 63.94% of the total incidents reported to us. This is followed by malicious codes (11.01%) and data breaches (7.90%).
Based on the current trends, fraud incidents will most likely continue to grow in Malaysia in 2024. Even though data breach incidents have slightly decreased for this quarter, organisations and Internet users are urged to take proper security measures to prevent data breaches.
Meanwhile, for fraud incidents other than phishing URLs, new tactics and techniques in online scams that combine social engineering and malicious code could potentially continue to grow in Malaysian cyberspace.
2.1 Top Fraud Incidents Reported in Q2 2024
Fraud continuously prevails within the community, targeting various citizens, from students to professionals. It has become a preferred method of criminals as awareness is still lacking among the public, making them an easier target. Nine hundred forty-seven fraud incidents were handled this quarter, representing an 8% decrease compared to Q1 2024. All the fraud incidents were received from organisations and public users. The top fraud incidents reported to the Cyber999 Incident Response Centre are as follows:
Phishing |
Impersonation and Spoofing |
Fraudulent Website |
Job Scam |
Bogus Email |
Business Email Compromise – BEC scam |
Table 4: Top Fraud Incidents Reported in Q2 2024
The director of the Royal Malaysia Police’s (PDRM) Bukit Aman Commercial Crime Investigation Department (CCID), Datuk Seri Ramli Mohamed Yoosuf, described the 95.2 per cent increase as a highly alarming escalation over five years. Online fraud cases in Malaysia were reported to have doubled from 17,668 cases in 2019 to 34,495 cases in 2023.[2] Therefore, Internet users and organisations must be vigilant when conducting online transactions or performing e-commerce transactions to avoid becoming victims of online fraud.
2.2 Top Malware Incidents Reported in Q2 2024
The top malware incidents include malware hosting, ransomware, malicious APK, backdoors, and trojans. The top reported malware incidents are related to malicious APKs. This type of incident is typically received from Internet banking users and sometimes from local financial institutions.
Shopping APK |
BNM APK |
Easy Cleaning APK |
Max TAG APK |
Jemputan Majlis APK |
Shopee APK |
Hydelivery APK |
Table 5: Types of Malicious APKs Reported in Q2 2024
The second top-reported incident within the malware category is malware hosting. Malware hosting primarily targeted vulnerable servers with outdated security patches and updates. These incidents are usually received from foreign entities, such as Anti-virus vendors and Special Interest Groups, regarding servers in Malaysia hosting malware. System Administrators must be vigilant and keep systems up to date with the latest patches and security updates to prevent servers from being compromised and hosting malware.
Ransomware incidents increased in Q2 2024 compared to the previous quarter. For Q1 2024, we received 17 incidents, while for Q2 2024, we received 26 incidents, indicating an increase of 53% compared to Q1 2024. Ransomware is malicious software (malware) that infects a computer and restricts access until the requested ransom is paid. Our findings indicate that businesses are the most impacted by ransomware incidents in Malaysia, which is consistent with the trend across the globe. It is also considered one of the costliest attacks, as the cost of recovering all the data and rectifying infected machines is enormous.
Based on the current trends, ransomware incidents will continue to grow in Malaysia in 2024. Organisations and Internet users must always take proper security measures against ransomware incidents. Good backup management, password security and cyber security awareness are essential in combating ransomware and other types of malware. Implementing the backup procedure, policy, and best practices among organisations and individuals is crucial.
Lockbit Ransomware |
APT Inc Attacks |
Virus-encoders |
MedusaLocker |
Makop Ransomware |
Synology Ransomware |
Estate Ransomware |
Table 6: Ransomware Variants Reported in Q2 2024
Apart from ransomware, we also handled incidents involving botnets that infected computers in Malaysia. Below is the list of top botnets that infected computers, primarily belonging to individuals and organisations in Malaysia, as reported to the Cyber999 Incident Response Centre in Q2 2024:
tsifiri |
cobaltstrike |
911-socks5-proxy |
smokeloader |
ranbyus |
nymaim |
nobelium,cobalt-strike |
avalanche |
avalanche-ranbyus |
sality2 |
Table 7: Types of Botnet Reported in Q2 2024
Apart from ransomware, botnets and malware hosting, we also handled incidents related to infostealers in Q2 2024. An infostealer is malicious software created to breach computer systems and steal sensitive information, including login details. Generally, data from the infostealers contained login credentials from various sources, including information saved on web browsers (such as passwords and credit logins), auto-filled logins, FTP clients, email apps, instant messaging clients, and VPNs. Below is a list of infostealers associated with data breaches reported to us in Q2 2024:
Anubis Stealer Log |
Redline Stealer Log |
Table 8: Info stealers reported in Q2 2024
2.3 Data Breach Incidents Still Prevail in Malaysia
Data breach incidents continue to prevail in Malaysia each month. Although there is a slight percentage decrease in reported incidents this quarter, serious measures must consistently be implemented to prevent and mitigate data breaches, especially for personal data. We are also observing a trend where perpetrators exfiltrate or steal sensitive data belonging to organisations and hold the data hostage. Perpetrators will then threaten to release or sell the data on the dark web unless the organisation pays a ransom within a timeframe set by the perpetrators. In the case of extortion by perpetrators, we always advise organisations to refer the matter to the LEAs, such as the police, for assistance.
Personal Identifier Information (PII) | Full name, identity card numbers, home address, age, handphone number, date of birth, and salary. |
Account Credential | Username and password of email accounts, username and password of Internet banking accounts. |
Appliances Credential | Admin panel access, Joomla, WordPress, FTP access, wp-admin access, etc. |
Table 9: Data Breaches Reported in Q2 2024
3.0 Security Advisories and Alerts Released in Q2 2024
In Q2 2024, the Cyber999 Incident Response Centre issued 32 Security Advisories and two Alerts, each with descriptions, mitigation steps, and recommendations for organisations and Internet users to follow. The security advisories involved Mozilla, Microsoft, Apple, VMware, and several other CVEs listed in Table 10. The security alerts concern online fraud and malware activities that we identified trending in Malaysia.
CVE-2024-21611 | High-Severity Vulnerability in Juniper Networks Junos OS | A memory leak in Juniper Networks Junos OS and Junos OS Evolved causes Denial of Service (DoS) in jFlow scenarios with BGP route updates, leading to rpd crashes. Affected versions are earlier than 21.4R3, 22.1R3, and 22.2R3. Versions before 21.4R1 are unaffected. |
CVE-2024-21887 | Exploited two zero-day vulnerabilities in Ivanti Connect Secure VPN | A command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance. |
CVE-2024-21410 | Exploited as Zero Day – Microsoft Exchange Critical Vulnerability | Successful exploitation of the flaw could permit an attacker to relay a user's leaked Net-NTLMv2 hash against a susceptible Exchange Server and authenticate as the user. |
CVE-2024-24695 | High-Severity Vulnerability in Zoom Products | Improper input validation in Zoom Desktop Client for Windows, Zoom VDI Client for Windows, and Zoom Meeting SDK for Windows may allow an authenticated user to conduct a disclosure of information via network access. |
CVE-2024-31497 | PuTTY SSH Client Vulnerable to Key Recovery Attack | A vulnerability in PuTTY versions 0.68 to 0.80 allows attackers to recover a user's NIST P-521 private key using around 60 signatures, potentially leading to supply-chain attacks. This flaw can be exploited through publicly available signed messages or by a rogue SSH server. It also affects other tools like FileZilla, WinSCP, TortoiseGit, and TortoiseSVN. |
CVE-2024-4761 | Google Chrome Zero-Day Vulnerability | Out of bounds write in V8 in Google Chrome prior to 124.0.6367.207 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: High) |
CVE-2024-27822 | macOS Root Access Exploit Vulnerability | A logic issue was addressed with improved restrictions. This issue is fixed in macOS Sonoma 14.5. An app may be able to gain root privileges. |
CVE-2024-28995 | Vulnerability in SolarWinds Serv-U | SolarWinds Serv-U was susceptible to a directory traversal vulnerability that would allow access to read sensitive files on the host machine. |
CVE-2024-5805 | Critical Vulnerabilities in MOVEit Products | Improper Authentication vulnerability in Progress MOVEit Gateway (SFTP modules) allows Authentication Bypass. This issue affects MOVEit Gateway: 2024.0.0. |
Internet users and organisations may refer to the following URL for security advisories and alerts released by the Cyber999 Incident Response Centre: https://www.mycert.org.my/portal/advisories?id=431fab9c-d24c-4a27-ba93-e92edafdefa5
4.0 Conclusion
Overall, the number of computer security incidents reported to the Cyber999 Incident Response Centre in Q2 2024 was 1,481 incidents. Although the reported incidents decreased, organisations and individuals must not assume that cyberspace is now secure; they must always ensure readiness with preventive and mitigation steps against potential threats. Furthermore, no significant or severe incident was observed this quarter. Nevertheless, users and organisations must be constantly vigilant of the latest computer security threats and are always advised to take measures to protect their systems and networks from these threats. Hence, we strongly recommend that all Internet users be constantly aware of today's cybercrime trends and adhere to the best cyber hygiene practices. This includes secure handling of emails from unknown sources, safe web browsing, purchasing goods online, and using social media applications. Users must be vigilant and keep systems up to date with the latest security patches and updates to prevent their computers from being compromised or infected with malware. Always check the legitimacy of the applications, portals, merchants, services, and products before conducting any online transaction. However, as the complexity of cyber threats continues to increase, organisations and individuals could be potential targets of cyber incidents without proper awareness. Providing awareness campaigns to ensure users are up to date with the latest cyber threat landscapes and conducting organisation-level tabletop exercises to challenge user understanding are among the best efforts to improve an organisation’s cybersecurity.
Malaysian Internet users and organisations may contact us to report cyber security incidents using the contact details below:
E-mail: cyber999[at]cybersecurity.my
Phone: 1-300-88-2999 (monitored during business hours)
Mobile: +60 19 2665850 (24x7 call incident reporting)
Business Hours: Mon - Fri 08:30 - 17:30 MYT
Web: https://www.mycert.org.my
5.0 References
- [1] https://datareportal.com/reports/digital-2024-malaysia
- [2] https://www.nst.com.my/news/crime-courts/2024/03/1020542/online-fraud-cases-msia-doubled-over-5-years-ccid-director-warns