Risk: | high |
Damage: |
high |
Platform(s): |
Microsoft® Windows OS |
Advisory ID: |
ngCERT-2020-010 |
Version: |
1.00 |
CVE: |
NA |
Published: |
May 15, 2017 |
The Remote Desktop Protocol (RDP) and a vulnerability in the implementation of the Server Message Block SMB protocol of Microsoft Windows Operating System is currently being exploited by a ransomware called WannaCry worm. The worm encrypts all files on an infected computer’s hard drive.
RDP is a protocol on Windows Operating systems that allows remote access and control of the Windows Operating System. This protocol is usually used by systems administrators to control computers running windows operating systems remotely. While the SMB protocol is commonly used by servers to communicate with computers on a domain and also used by computers to share files, printers and so on, on a network.
These protocols are currently being exploited by a Ransomware called WannaCry, to spread and infect computers on a network. When a computer is affected by the worm, the worm encrypts the host computer’s files and request for a ransom of .1784 bitcoin, which is equivalent to approximately $300 and further leaves a threat that, if the ransom is not paid within 3 days, the ransom amount will be doubled and if the ransom is still not paid after 7 days the files will be deleted such that they cannot be recovered forever. Figure A & B below showcases the messages displayed by an infected computer;
Image courtesy:https://www.hackread.com/
Figure A: showing a message popup on an infected computer
Image courtesy:https://www.my-private-network.co.uk/
Figure B: Showing Instructions In a text file on an infected computer
Although Microsoft has released updates since March 2017, however computers that have not been updated remain vulnerable
1. Stakeholders are advised to ensure that computers running Windows 7 and above are up-to-date by checking the windows update center in the control panel. While stakeholders with computers running other variants of the Windows operating system can follow the links below to download the corresponding update for their operating system
b. https://support.microsoft.com/kb/2696547
2. Stakeholders are also advised to upgrade any computer running later versions of the Microsoft Windows Operating System to windows 10 so as to utilize advance update features of the windows 10 operating system. Computer can be updated using the following link below:a. https://www.microsoft.com/en-us/windows/windows-10-upgrade
3. Stakeholders are encouraged to run isolated or remote periodic backups of their critical data and files so as to ensure minimal downtime in the event of incident
4. If an infected computer is identified, power-off the system using the hardware power switch on the computer and unplug the system from the network if the computer is connected to a network and report the incident to ngCERT via phone: 07044642378, email: incident@cert.gov.ng or using the report and incident for on the ngCERT website:www.cert.gov.ng.
ngCERT VMware Tools vulnerability
A vulnerability in VMware Tools is a functionality that was removed from VMware Tools 11.0.0 and it has been determined to affect VMware Tools for Windows version 10.x.y.
The Remote Desktop Protocol (RDP) and a vulnerability in the implementation of the Server Message Block SMB protocol of Microsoft Windows Operating System is currently being exploited by a ransomware called WannaCry worm. The worm encrypts all files on an infected computer’s hard drive.
Multiple Security Vulnerabilities on D-LINK Home Routers
Researchers discovered six new vulnerabilities in D-Link wireless cloud routers running their latest firmware. The reported vulnerabilities were found in the DIR-865L model of D-Link routers, which is meant for home network use. There are also likelihood that some of these vulnerabilities are present in newer models of the router because of the similiarities in codebase.
Local Privilege Escalation Vulnerability for VMware
VMware Fusion, VMRC, and Horizon Client contain a local privilege escalation vulnerability due to a Time-of-check Time-of-use (TOC/TOU) issue in the service opener. Furthermore, another local privilege escalation was discovered, which allows the application to blindly executes files from an untrusted location. Both vulnerabilities result in arbitrary code execution as root.
Multiple Security Vulnerabilities for Adobe Products
Adobe has released an update for multiple adobe products in Windows, MacOS, and Linux. The updates resolves critical out-of-bounds Read and Write vulnerabilities that could lead to arbitrary code execution and information disclosure.
SaltStack FrameWork Vulnerabilities in Cisco Products
Researchers discovered numerous critical security vulnerabilities in SaltStack Salt framework – a configuration tool for cloud servers and data centers. Salt is used to monitor and update the state of servers. Each server runs an agent called a "minion" which connects to a "master", a Salt installation that collects state reports from minions and publishes update messages that minions can act on. The vulnerabilities allows attackers to bypass authentication and authorization for arbitrary code execution.
Webex Desktop App Vulnerability
A critical vulnerability was discovered in Cisco Webex Meetings Desktop App which might allow a malicious remote attacker to execute programs on affected end-user system. This vulnerability is caused by improper validation of input that is supplied to application URLs. Also, the attacker could exploit this vulnerability by persuading a user to follow a malicious URL.
New EvilQuest Ransomware for macOS Systems
A new ransomware known as EvilQuest has been discovered by security researchers. This ransomware was first spotted to be impersonating the Google Software Update program, and on torrent sites, injected in installers wrapping pirated versions of popular macOS software such as Little Snitch, Ableton Live, and Mixed in key. EvilQuest ransomware is discovered to encrypt macOS systems, installs a keylogger and a reverse shell for full control over infected host, and exfiltrates files that contain valuable information (keys to cryptocurrency wallets, code-signing certificates, and many more) with a variety of extensions (eg .pdf, .doc, .jpg, .txt, .pages, .wallet, .zip, etc).
Cisco Small Business Routers Vulnerabilities
According to Cisco, different categories of vulnerabilities were discovered from different Cisco routers. This vulnerabilities ranges from static default credential, Management interface remote command execution, authentication bypass, arbitrary code execution, and privilege escalation.
Researchers discovered that attackers can access organizations ‘networks through remote access systems to carry out ransomware attack. This is performed through the remote desktop protocol (RDP) and virtual private networks (VPN). The impact of these attacks can be severe on business operations because data are stolen and sold. Also, the recovery from this attacks is very costly to investigate and remediate the compromised network, and restore encrypted files from backup.
RV Series Routers Command Injection Vulnerabilities
Researchers discovered multiple vulnerabilities in the web-based management interface of Cisco Small Business RV320 and RV325 Series Routers and Cisco Small Business RV016, RV042, and RV082 Routers. This vulnerabilities could allow an authenticated, remote attacker with administrative privileges to execute arbitrary commands on an affected device.
ReVoLTE Networks Vulnerability
Recently, a group of security researchers discovered a new vulnerability named ReVoLTE attack. This vulnerability is due to mobile operators often utilizing similarly encryption key to obtain multiple 4G voice calls that takes place through similarly base station. This vulnerability could allow a malicious attacker to manipulate encrypted content of a recorded Volte call so as to eavesdrop the conversation.
Researchers has discovered critical security risk with Tecno Android phones which has a pre-installed malware called Triada. Malware which signed users up to subscription services without their permission was discovered on thousands of Tecno mobile phones sold in Africa. Anti-fraud firm Upstream found the malicious code on Tecno handsets sold in Ethiopia, Cameroon, Egypt, Ghana and South Africa.
ADVISORY ON SQL INJECTION VULNERABILITY AND OTHER BASIC NETWORK SECURITY MEASURES
An SQL injection is a technique that attackers apply to insert SQL query into input fields to then be processed by the underlying SQL database. These weaknesses are then able to be abused when entry forms allow user-generated SQL statements to query the database directly. The attack results in the unauthorized viewing of user lists, the deletion of database entries and stealing of data.
Advisory on Intended Nationwide Cyber attack
The recent Classification of Nigeria, Kenya and Egypt by Kaspersky lab as easiest Cyberattack target in Africa with about Five Hundred and seventy-seven (577) attempted malware attacks hourly, is a serious wake up call to the government and the stakeholders in the Cybersecurity industry. This was disclosed in the company’s second quarter Spam and phishing 2020 report.
APT Compromise of Orion Platforms
Reports revealed recent compromises of U.S. government agencies, critical infrastructure entities, and private sector organizations by an advanced persistent threat (APT) actor which began at least since March 2020. It is expected that removing this threat actor from compromised environments will be highly complex and challenging for organizations hence the need to take proactive actions in the protection of government critical national information infrastructures. The cyber-security firm that identified the large-scale hacking of US government agencies says it "genuinely impacted" around 50 organisations. The US Treasury and departments of homeland security, state and defence are known to have been targeted. Russian Intelligence has been accused by the US for the cyber intrusion. Several other organisations around the world are understood to have been targeted by hackers using the same network management software.
Update Advisory for APT Attacks on the SolarWinds Products
After conducting investigations into the Advanced Persistent Threat Compromise of Government Critical National Infrastructure, and Private Sector Organizations Infrastructures, SolarWinds have released an updated advisory for the Sunburst and the SuperNova backdoor that was discovered while investigating the recent SolarWinds Orion supply-chain attack. It was discovered that the SuperNova backdoor was likely used by a separate threat actor. Several teams of researchers have mentioned the existence of two second-stage payloads after the initial disclosure of the SolarWinds attacks.
Security Advisory on Phishing Attacks
Phishing attacks are the most common and effective cyber security threat to individuals, businesses and organizations. Phishing is the delivery mechanism of choice for ransomware and other malware and it is a critical problem that every organization must address through a variety of means. Most phishing messages indicate immediate action is needed to avoid an unwanted time-sensitive consequence. It is important to be suspicious of all requests, and review messages carefully to determine if the message may be a phishing scam.
Security Advisory on Apple Chips Malware
A new malware has been discovered to be crafting multi-architecture applications so that their code will run natively on Apple’s M1 Silicon chips. This is an attempt by malicious actors to target the company’s latest generation of Macs powered by its own processors. The malware is in the form of a Safari adware extension originally written to run on Intel x86 chips. The malicious extension, called "GoSearch22," is a well-known member of the "Pirrit" Mac adware family.
Advisory on Windows Vulnerabilities
Cybercriminals are actively taking advantage of weaknesses in Windows and deploying malware for nefarious purposes. Windows has been a direct target of attacks by malware, more than 80% of malware detected are from windows according to latest discovery. This amongst others includes two updated versions of LodaRAT malware, TrickBot malware and the Zerologon flaws.
Microsoft Exchange Servers Zero-Day Vulnerability
Microsoft has confirmed the attacks against the Exchange servers aimed at stealing email addresses and installing malware to gain persistence in the target networks. This attacks campaign has been attributed to China-based hacker group called HAFNIUM who were exploiting unknown software bugs in Exchange Server to steal sensitive data from select targets. The vulnerability is being actively exploited in the wild by several cyber espionage groups, including LuckyMouse, Tick, and Calypso targeting servers around the world.
Phishing Attack Using Fake Google reCAPTCHA to Steal Credential from Microsoft Users
A Microsoft-themed phishing campaign is using phony Google reCAPTCHA in an attempt to steal credentials from senior employees of various organizations. At least 2,500 such emails have been sent to senior-level employees, over the past three months. The emails first take recipients to a fake Google reCAPTCHA system page. Once victims “pass” the reCAPTCHA test, they are then redirected to a phishing landing page, which asks for their Office 365 credentials. After filling out the fake reCAPTCHA system, victims are then directed to what appears to be a Microsoft login screen.
Fake LinkedIn Job Offer Malware
A new spear-phishing campaign has been discovered to be targeting professionals on LinkedIn with weaponized job offers in an attempt to infect targets with a sophisticated and dangerous backdoor trojan called "more_eggs." According to researchers, the threat actors are using zip files to trick LinkedIn users into executing the More_eggs backdoor.
Cellebrite Forensic Software Security Vulnerabilities
Signal CEO in a successful hacking of the Cellebrite cellphone hacking and cracking tool revealed that the software lacks industry-standard exploit mitigation defenses, thereby making the software vulnerable to exploitations. This is coming after Cellebrite claimed in 2019 that its new tool unlocks almost any iOS and Android device, and in December 2020, that it could easily crack Signal’s encryption. Marlinspike accused Cellebrite of making a living from undisclosed vulnerabilities hence the decision to play it smart with the company by publicly publishing the vulnerability.
Cybercriminals Using Telegram messaging service to Distribute ToxicEye Malware
Researchers discovered that Telegram instant messaging service is being used by malicious actors to manage a remote access trojan (RAT) called ToxicEye. These cyber criminals are increasingly abusing Telegram as a "command-and-control" system to distribute malware into organizations that could then be used to capture sensitive information from targeted systems. More than 130 attacks involving the ToxicEye RAT has been discovered recently, and warning that even when Telegram is not installed or being used, the system allows hackers to send malicious commands and operations remotely via the instant messaging app.
Best Practices for Preventing Business Disruption from Ransomware Attacks
Malicious cyber actors has consistently deployed ransomware against government and private companies with recently trending attack on the US pipeline company’s information technology (IT) network, and the Japanese Conglomerate Toshiba unit by the DarkSide ransomware group. Critical Information asset owners and operators in Nigeria are therefore advised to adopt a heightened state of awareness and implement the recommendations listed in the Mitigations section of this Advisory, including implementing robust network segmentation between IT (Information technology) and OT (Operational Technology) networks; regularly testing manual controls; and ensuring that backups are implemented, regularly tested, and isolated from network connections. These mitigations will help CI owners and operators improve their entity's functional resilience by reducing their vulnerability to ransomware and the risk of severe business degradation if impacted by ransomware.
Apple Zero-Day Vulnerabilities
Apple has reported a zero-day vulnerability affecting its iOS, macOS and watchOS operating system being exploited by attackers in the wild to craft malicious web content, which may lead to remote code execution. Apple has therefore, released security patches for the zero-day bugs under active attacks.
Microsoft Edge Browser Vulnerabilities
A Microsoft Edge vulnerability that could allow hackers steal secrets from any website was discovered and thereby prompting Microsoft to release updates for the Edge browser, including a fix. This bypass vulnerability could allow a remote attacker to bypass implemented security restrictions to inject and execute arbitrary code on any website just by sending a message.
Russian GRU Global Brute Force Attacks
The Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS), military unit 26165, is reported to be conducting a Global anonymized Brute Force Campaign to Compromise Enterprise and Cloud Environments. This attack is discovered to be targeting government and foreign organizations using brute force access to penetrate government and private sector victim networks.
There has been an increase in ransomware attacks targeting government and private networks globally with the latest on the Kaseya VSA products, hence it is necessary to disseminate this security advisory to all Stakeholders and Ministries Departments and Agencies in Nigeria in order to take adequate preventive measures against ransomware attacks. It is noteworthy to know that all the recent ransomware attack on the Solarwinds, McDonald’s, Microsoft exchange server, JBS, US colonial Pipeline Company, etc has been estimated that the number of the ransomware attacks in 2021 may end up to be as high as 100,000 attacks with each one costing an average of $170,000. The ransom paid by Colonial and JBS combined was about $15 million against FBI advice. Therefore, the growing number of such attacks highlights the critical importance of making cyber preparedness a priority and taking the necessary steps to secure our networks against adversaries.
Several fake portals requesting beneficiaries' account details to get the Federal Government’s 2021 Survival Fund, check the N-Power Batch-C eligibility, and apply for CBN The COVID-19 Loan has been discovered to be circulating on the social media and through email messages to unsuspecting members of the public. These fraudsters parade themselves as operators of the Federal Government’s schemes.
Fortinet Leaked VPN Account Credentials
A malicious actor has leaked a list of almost 500,000 Fortinet VPN login names and passwords that were allegedly scraped from exploitable devices last summer. These credentials were reported to be obtained from systems that remained unpatched against FG-IR-18-384 / CVE-2018-13379 at the time of the actor's scan.
Browser’s DNS Rebinding Attacks
Cybercriminals have been discovered to be using a technique known as DNS rebinding to compromise internal networks by abusing web-based consoles. This method exposes the attack surface of internal web applications to malicious websites after being launched on victims' browsers. The DNS rebinding attack can use victims' browsers as a proxy to expand the attack surface to private networks.
Facebook, Instagram and WhatsApp global outage
Some social media platforms including Facebook, Instagram and WhatsApp are currently experiencing technical downtime due to unknown causes resulting to a major global outage with many users unable to use the platforms. The outage is affecting every Facebook owned platforms according to data on Downdetector and Twitter. These Facebook owned Platforms are Instagram, Facebook, WhatsApp and Facebook Messenger. The outages appear to have started around 16:40pm and all services on the affected platforms remain inaccessible. The outages generated trends on Twitter as users flocked to the competing social network to see if other users were affected by the downtime. Humorously, the hashtag “#DeleteFacebook” is also trending on Twitter as Facebook battles negative reactions to its current challenge.
OpenOffice and LibreOffice Digital Signature Spoofing Vulnerabilities
Three flaws has been uncovered in OpenOffice and LibreOffice that if successfully exploited could permit an attacker to manipulate the timestamp of signed ODF documents, and worse, alter the contents of a document or self-sign a document with an untrusted signature, which is then tweaked to change the signature algorithm to an invalid or unknown algorithm.
Google Warn Users of Government-Sponsored Attacks
Google's Threat Analysis Group (TAG) has revealed that it is monitoring over 270 government-backed threat actors from over 50 countries. Since the beginning of 2021, the tech giant has sent approximately 50,000 alerts to customers about state-sponsored phishing or malware attempts.
Flubot Malware Targets Androids With Fake Security Updates and App Installations
A newly discovered Android malware, dubbed FluBot, impersonates Android mobile banking applications to draw fake webview on targeted applications. The malware primarily focuses on stealing credit card details or online banking credentials, apart from personal data.
A new Android malware that can gain root access to smartphones, take complete control over infected smartphones and silently modify device settings while simultaneously taking steps to evade detection has been discovered. The malware named “AbstractEmu” has been found to be distributed via Google Play Store and third-party stores such as the Amazon Appstore and the Samsung Galaxy Store, as well as other lesser-known marketplaces like Aptoide and APKPure.
An Iranian threat group known as Lyceum (aka Hexane, Siamesekitten, or Spirlin) has been reported to be targeting Telcoms, ISPs and Ministry of Foreign Affairs (MFA) in Africa in a recent politically motivated attacks with an active focus on cyberespionage. This group is known to be focused on infiltrating the networks of telecoms companies and internet service providers (ISPs). Between July and October, Lyceum was spotted in attacks against ISPs and telecoms organizations across Israel, Morocco, Tunisia, and Saudi Arabia. The advanced persistent threat (APT) group has been linked to campaigns striking Middle Eastern oil and gas companies in the past and now appears to have expanded its focus to include the technology sector. In addition, the APT is responsible for a campaign against an unnamed African ministry of foreign affairs.
Rootkits are one of the most damaging types of malware. They are very difficult to detect & remove and provide the Threat Actors almost complete access to the target computer. A hacker who installs a rootkit into a computer can access & steal data, delete or corrupt files, spy on all system activities, modify programs, etc. Since rootkits remain constantly hidden and avoid detection, most commercially available anti-virus software is ineffective against them.
New Windows Installer Zero-Day Vulnerability
A security researcher discovered and reported a privilege escalation vulnerability in the Windows Installer software component, which was later fixed by Microsoft. The flaw not only allows for the bypass of Microsoft's previous fix, but it also allows for local privilege escalation via the newly discovered zero-day bug. As a result, attackers are actively attempting to exploit the newly disclosed variant of the disclosed vulnerability in order to potentially execute arbitrary code on fully patched systems.
Apache Log4j Remote Code Execution Vulnerability.
On December 9, 2021, a vulnerability was reported that could allow a system running Apache Log4j 2 version 2.15 or below to be compromised and allow an attacker to execute arbitrary code. The Apache Log4j 2 utility is a widely deployed Java-based logging utility used for logging requests. Open-source reporting indicates that active scanning and exploitation of this vulnerability have been observed.
Security experts have uncovered a new year scheme employed by a cybercrime group to deliver ransomware to targeted organizations. The group has been mailing out USB thumb drives to many organizations in the hope that recipients will plug them into their PCs and install ransomware on their networks. While businesses are being targeted, criminals could soon begin sending infected USB drives to individuals.
SMS-Based Malware Infecting Mobile Devices
Recently a notorious FlutBot SMS Android malware that targets mobile devices was reported, but now there is another Android malware called TangleBot that employs more or less similar tactics to gain control of the device. This malware is reported to be far more invasive than the FlutBot malware.
Wordpress Themes and Plugins Vulnerabilities
A recent discovery revealed that dozens of WordPress themes and plugins had been backdoored with malicious code in order to infect additional sites. Also disclosed was a security flaw affecting three different WordPress plugins that affected over 84,000 websites and could be exploited by a malicious actor to take over vulnerable sites.
New Variant of BRATA Banking Trojan Infecting Android Devices
New variants of the BRATA banking trojan have been discovered to be targeting global Android devices since November 2021 with advanced features, including the ability to wipe devices after stealing user data, tracking devices via GPS, and novel obfuscation techniques. The remote access trojan (RAT), which targets banks and financial institutions, is now being distributed through a downloader to avoid being detected by antivirus (AV) solutions.
New Zero-Day Chrome Web Browser Vulnerability
The Chrome web browser has eight security flaws that have been discovered and reported, including a high-severity flaw that is actively being exploited in real-world attacks. Google, on the other hand, has released fixes for the Chrome web browser's security flaws, marking the internet giant's first zero-day patch in 2022.
Iranian Government-Sponsored APT Group Target Government and Commercial Networks
MuddyWater, an Iranian government-sponsored advanced persistent threat (APT) actor, has been observed conducting active cyber espionage and other malicious cyber operations against a variety of government and private-sector organizations in Africa and other continents, including telecommunications, defense, oil and natural gas, and relevant government agencies. This threat group is also known as Earth Vetala, MERCURY, Static Kitten, Seedworm, and TEMP. Zagros. The APT group was seen employing spearphishing, exploiting publicly known vulnerabilities, and leveraging multiple open-source tools to gain access to sensitive government and commercial networks.
New Browser-In-The Browser (BITB) Phishing Attacks
A coding ruse that is invisible to the naked eye can now be used to trick targets into disclosing sensitive information. The novel phishing technique is known as a browser-in-the-browser (BitB) attack. This type of attack employs bogus popup SSO windows to steal credentials from Google, Facebook, and Microsoft, among others.
Hackers Using Fake Windows 11 Upgrade to Install Malware & Steals Information
It has been discovered that through clever manipulation of internet search results, hackers are tricking people into installing a fake malware-infected, information-stealing Windows 11 upgrade. The hackers created a near-exact replica of the Microsoft website but infected it with malicious software. When people search for "Windows 11 upgrade" or something similar, it's possible that one of the top results is the hackers' shady website.
FBI Warns of BlackCat Ransomware That Breached Over 60 Organisations Worldwide
The U.S. Federal Bureau of Investigation (FBI) has raised the alarm on the BlackCat ransomware-as-a-service (RaaS), which it said victimized at least 60 entities worldwide as of March 2022 since its emergence last November. The FBI disseminated known indicators of compromise (IOCs) and tactics, techniques and procedures (TTPs) associated with ransomware variants identified through FBI investigations. BlackCat is the first ransomware group to do so successfully using RUST, considered to be a more secure programming language that offers improved performance and reliable concurrent processing. BlackCat-affiliated threat actors typically request ransom payments of several million dollars in Bitcoin and Monero. Many of the developers and money launderers for BlackCat/ALPHV are linked to Darkside/Blackmatter, indicating they have extensive networks and experience with ransomware operations.
Joker Trojan-Infected Android Apps Reappear on Google Play Store
The Joker trojan malware, which targets Android devices, first showed up in 2017 and has resurfaced intermittently ever since. In April 2021, it was embedded in an App that was downloaded over seven hundred thousand (700,000) times before discovery and subsequent removal from the Google Play Store. Its latest emergence has so far triggered the removal of three (3) apps from the Play Store.
Government-Targeted Attacks Trigger State of Emergency in Costa Rica Due to Sustained Cyberattacks
The Conti Ransomware gang has promised more government-targeted attacks after crippling Costa Rica's treasury, prompting the new leadership of President Rodrigo Chaves to declare a state of national cybersecurity emergency. In April 2022, the group carried out a ransomware attack on the Costa Rican government, severely disrupting the country's foreign trade by disrupting its customs and taxes platforms. The group has described the attack on Costa Rica's government as merely a "Demo Version," emphasizing the need for Nigeria to take proactive measures to protect itself from such attacks.
Warning on a New Wave of Attacks Distributing Jester Malware
The Ukrainian Computer Emergency Response Team reported that threat actors have been sending phishing emails with the subject line "chemical attack" to their citizens in an attempt to spread the information-stealing malware Jester Stealer. However, subject line could be modified to effectively lure victims into taking urgent actions. This type of attack has previously escaped into the wild and caused widespread damage, and there has been a historical pattern of cyberattacks on Ukraine with international ramifications that have resulted in billions of dollars in damages, thus the need for this advisory.
Malicious Actors Planting Fileless Malware on target machines using Event Logs
Unknown bad actors have developed a novel method of deploying fileless malware by injecting shellcode directly into Windows event logs. This novel method of payload storage has never been attempted before, emphasizing the importance of remaining vigilant in the face of threats. Fileless malware is a type of malicious activity that executes a cyber attack by utilizing native, legitimate tools built into a system.
Novel Use of Chatbots in Phishing Schemes
Hackers have begun incorporating chatbots into their phishing schemes to provide an air of authenticity to an interaction. Chatbots have become a more common medium of engagement on mainstream company websites, so using it during a phishing attack instills trust in the victim that the interaction is genuine. A chatbot is a program that simulates conversations with human users, allowing businesses to provide customer service around the clock while saving money.
Dangerous Malware Targets Android Devices
Ermac, a dangerous malware that targeted Android devices in 2021, has reappeared as Ermac 2.0. Ermac is a trojan that steals user credentials from banking apps and crypto wallets included in the list of targeted apps and sends them to threat actors. It currently targets 467 apps and is available for rent on the darknet for $5000 per month by threat actors.
Nigeria Scammers Using Agent Tesla Remote Access Trojan (RAT) In Financial Scams
Interpol recently reported the arrest of Nigerians in financial scams using Agent Tesla during a sting operation conducted by the Economic and Financial Crimes Commission (EFCC). Agent Tesla is a remote access tool (RAT) that enables users to remotely control computers. This tool is available for purchase from its official website, and its developers present it as a legitimate program. As an information-stealer that extracts user credentials stored in web browsers, emails, and File Transfer Protocol (FTP) clients, it has recently surpassed the status of most widely distributed malware. Interpol apprehended three notorious fraudsters in Lagos who used Agent Tesla as part of their Business Email Compromise (BEC) attacks in an operation dubbed "Killer Bee."
New Whatsapp OTP Scam Using Call Forwarding Trick
Hackers have devised a method to gain control of a victim's WhatsApp account by exploiting an automated "call forwarding" feature that is activated when a number is busy or engaged. All telecom service providers offer this feature. This method also makes use of WhatsApp's option to send a one-time password (OTP) via phone call.
New Emotet Malware Stealing Credit Cards Info from Google Chrome users.
Emotet has evolved since its first appearance in 2014, causing significant damage in its wake. From a Trojan that targeted banking apps to one of the first Malware-as-a-Service (MaaS) botnets that infected a large number of devices and then sold access to third parties. It is currently stealing credit card information while evading security measures. The "improved" version of Emotet is engaging in "disturbing" behavior, effectively collecting and using stolen credentials, which are then weaponized to further distribute the Emotet binaries.
Android Malware With Over 2 Million Downloads Discovered on Google Play Store
An Android malware that is both an adware and information-stealer has been downloaded over two million times on the Google Play Store. The malware has been masquerading as several legitimate apps, and while most have been removed, five of them are still up on the store with the possibility that some are yet to be identified.
MaliBot Trojan Targets Online Banking and Cryptocurrency Wallets
Malibot is an information-stealing Trojan that is being spread in the form of legitimate cryptocurrency apps for Android smartphones. It targets online banking apps and crypto wallets with the aim of pilfering Personally Identifiable Information (PII) and other user credentials. Other functionality of this Trojan include the ability to start and delete apps, web-injections and overlay attacks.
Malicious Facebook Messenger Chatbots Used to Compromise Facebook Accounts
As a follow-up to the May 23rd advisory on "Novel Use of Chatbots in Phishing Schemes," the use of a chatbot for phishing purposes is gradually gaining traction, particularly with the discovery of a campaign in which it is used to steal Facebook login credentials. The platform's ubiquitous messaging app, Facebook Messenger, is known to have an integrated chatbot feature. This provides threat actors with a large pool of potential victims who are not only familiar with but also believe in the feature.
New Malware Creates a backdoor to Microsoft Exchange servers
Kaspersky Lab researchers uncovered a new malware dubbed SessionManager, which creates a backdoor to Microsoft Exchange servers. This malware is believed to have been in use, undetected, since March 2021, and is aimed at non-governmental organizations (NGOs), governments, and military establishments in Africa, Europe, Asia, and the Middle East. In a cyber espionage campaign spanning multiple continents, Gelsemium, the group allegedly behind this campaign, aims to gain persistent and covert access to the IT infrastructure of several organizations.
Microsoft announced End-of-Support for Windows 8.1
Microsoft has announced that its Windows 8.1 will reach End-of-Support by January 10, 2023. According to Microsoft, after this date, Microsoft will no longer provide updates of any kind to the OS in question, leaving devices (and the networks they may be a part of) vulnerable.
Luna Ransomware Discovered With Ability To Infect Multiple Platforms
Luna, a rust-based ransomware, has been discovered that can run on Windows, Linux, and ESXi operating systems. This exemplifies the ongoing trend of threat actors developing cross-platform ransomware in order to achieve the broadest possible reach.
Messaging Apps Used To Propagate Information-Stealing Malware
Naturally, with the proliferation of messaging apps, some will have gained more traction than others. Discord and Telegram, two of the most popular messaging apps, have a burgeoning community that not only exchanges messages but also develops and shares "bots" - programs that automate a variety of tasks within each platform. Threat actors have exploited this and are now using these platforms to spread information-stealing malware.
New HiddenAds Malware on Google Play Store Uncovered
A new type of malware has infiltrated the Google Play Store in the form of several device cleaner or optimization apps. The McAfee Mobile Research Team identified this malware as HiddenAds, and upon installation, it can run malicious services without the user opening the app. It also spams the user with irrelevant advertisements. The apps have received downloads ranging from 100,000 to over a million.
Cisco Networks hacked by Yanluowang Ransomware Group
Cisco has reported a security incident on their corporate network. Although, the company has said it did not identify any impact to their business as a result of this incident, including Cisco products or services, sensitive customer data or sensitive employee information, intellectual property, or supply chain operations. However, on August 10 the bad actors published a list of files from this security incident to the dark web.
WordPress Websites Compromised With Fake DDoS Protection Page
Threat actors are targeting WordPress-powered websites by injecting a malicious Javascript payload that displays a bogus CloudFare DDoS (Distributed Denial of Service) protection page. Because such DDoS checks have become the norm while browsing the web, unsuspecting internet users will be duped into believing it is genuine, and will be infected with a RAT (Remote Access Trojan) and Information-Stealer as a result.
SharkBot Malware Infiltrates Google Play Store
A new and improved variant of the SharkBot malware has been discovered in the form of a device optimization and antivirus app on the Google Play Store. This malware is said to be targeting Android users' banking logins via apps with tens of thousands of installations.
Beware of Malicious Web Browser Extensions
In the first half of 2022, there was an increase in attempted downloads of malicious web browser extensions. These malicious extensions promise to speed up your browser but instead steal your data by redirecting users to phishing sites and inserting affiliate IDs into eCommerce site cookies. The investigation uncovered five (5) extensions with a total install base of over 1,400,000 and varying degrees of malicious capability.
Multiple Vulnerabilities Reported in Zoom
Zoom Products have been found to have a number of flaws by the Indian Computer Emergency Response Team (CERT-In). A remote attacker could exploit the vulnerabilities to circumvent implemented security measures and cause a denial of service on the targeted machine.
Multiple Vendor Vulnerabilities Reported on Lenovo Products
According to Lenovo, multiple vulnerabilities have been discovered in Lenovo products. These high-severity vulnerabilities could allow an authenticated local attacker to circumvent security restrictions, gain elevated privileges, execute arbitrary code on the targeted system, gain sensitive information, and exploit this vulnerability by also sending a specially crafted request to the targeted user.
Hackers Using Microsoft Edge Malvertising Campaign To Target Users
A malicious advertising campaign has been unearthed on the Microsoft Edge Browser News Feed that redirects victims to fraudulent tech support websites. Cybercriminals have resorted to posting bizarre, attention-grabbing stories or advertisements on the Edge news feed in order to entice users to click on them. This is a type of malvertising – online advertisements that appear legitimate but contain malware and/or other threats.
Increased Cases of Accounts Takeover in Nigeria
A series of Account Takeover (ATO) incidents have been reported to Nigeria's ngCERT. An ATO attack occurs when cybercriminals gain access to a user's credentials in order to compromise the user's account. This poses numerous risks to the individual and the organization that he or she represents, as it provides a breeding ground for future attacks for cybercriminals. They frequently change the user credentials once inside, effectively locking the user out.
Unofficial WhatsApp Android app Stealing User’s Accounts
A Triada Trojan was discovered in a version of the YoWhatsApp app (version 2.22.11.75) that was being distributed. YoWhatsApp is an unofficial modification of the world's most popular messenger app, WhatsApp, and its popularity stems from the additional features it offers, such as a customisable interface and chat blocking. Triada is a mobile Trojan that actively uses root privileges to replace system files and employs several clever techniques to remain almost invisible.
Malware-laden Apps Discovered on Google Play Store
The Nigeria Computer Emergency Response Team (ngCERT) has continued to observe and monitor the constant introduction of malicious mobile applications into Google Play Store. Recently, a group of apps created by 'Mobile Apps Group' were discovered to contain Trojans and adware that are harmful to users and their privacy. Mobile apps Group has a history of distributing malware-infected apps through the Google Play store, and the current batch of apps has already been downloaded over a million times.
Cloud9 Botnet Hijacking Web Browsers and Compromising Windows Operating System
Two Cloud9 malware variants have been discovered in the wild, one of which is a significantly improved version of the other (with added features and bug fixes) that affects web browsers. Cloud9 is a malicious web browser extension that targets a variety of browsers. It can introduce malware into a device and functions similarly to a Remote Access Trojan (RAT), allowing the threat actor to remotely control a device.
Cybercriminals Targeting Federal Government Agencies Through Log4j Vulnerability
Following the publication of the advisory with ID - NGCERT-2021-0062 on the Apache Log4j Remote Code Execution Vulnerability on the 20th of December 2021, a U.S. Federal Government entity's network was compromised by a suspected Iranian threat actor, according to Cybersecurity and Infrastructure Security Agency (CISA). This threat actor took advantage of an unpatched VMware Horizon server to insert malware.
TikTok Challenge Used To Circulate Information-Stealing Malware
Threat actors have taken advantage of a viral TikTok challenge, known as the Invisible Challenge, to disseminate an information-stealing malware known as the WASP (or W4SP) stealer. WASP stealer is a persistent malware hosted on discord that its developer claim is undetectable.
Security Advisory on Most Commonly Used Passwords in Nigeria
A recent research by Nordpass and a group of independent researchers has revealed the 200 most common passwords in 2022. The methodology used also allowed them to collect information based on country and gender. Discovery suggests that a lot of people around the world do not adhere to password hygiene rules.
Multiple Vulnerabilities in EDRs and Anti-Virus Software Exploited To Turn Them into Data Wipers
SafeBreach researchers discovered a number of zero-day vulnerabilities in various Endpoint Detection and Response (EDR) and Anti-virus solutions. These flaws can be exploited to turn millions of such solutions in use around the world into data wipers capable of deleting any file on a device and causing it to fail to boot. This wiper runs as an unprivileged user but has the ability to wipe almost any file on a system, including system files, and render a computer unbootable. It does all that without implementing code that touches the target files, making it fully undetectable.
Legacy Windows Operating Systems to No Longer Get Support from January 2023
This is a reminder that Microsoft will no longer support Windows 8.1 as from January 10, 2023. The Extended Security Update (ESU) programme for Windows 7 Professional and Enterprise versions will also end January 10, 2023 – meaning these versions of Windows 7 will no longer be receiving security updates to patch critical vulnerabilities.
Increasing Cases of Wiperware Infection
There is heightened risk of getting infected with wiper malware (or wiperware) which often masquerade as ransomware, but are arguably more lethal as they erase or corrupt data permanently – providing no means of recovering the affected data. Increased prevalence of wiperware is likely due to its use in the ongoing war in Eastern Europe; however, there have been noteworthy incidences of its use going back a decade. Threat actors who deploy wiperware do so without expectation of financial gain – which is probably why it has taken the backseat to its cousin, ransomware, over the years.
Phishing Emails with OneNote Attachments Used to Disseminate RATs
A new method of delivering Remote Access Trojans (RATs) has been discovered using Microsoft OneNote attachments (these use ‘.one’ as an extension). Since the ubiquitous use of malicious Word or Excel documents is now easily identified by users, threat actors are resorting to other means in order to fool unsuspecting victims into downloading malicious files. Microsoft OneNote is a free note-taking software that can either be downloaded online or is included as part of Microsoft’s Office suite of applications.
New Phishing Apps Discovered on Google Play Store
Several phishing apps have recently been discovered on the Google Play Store. These apps can be games or investment services; however, they are designed to steal sensitive user information. The apps have been downloaded 450, 000 times in total.
Malicious Advertising Campaign Distributing FormBook Info-Stealer Malware
Cybercriminals are constantly seeking and coming up with new ways to distribute malware – with the latest method being through malicious advertisements. These malicious advertising, or malvertising campaign are used to spread .NET loaders, known as MalVirt, that deploy the FormBook information-stealing malware unto unsuspecting devices.
Increasing Watering Hole Attacks in Nigeria
ngCERT recently observed several cases of watering hole attacks that target groups of people who are somehow connected - whether they work for the same company, belong to the same social club, or have a common interest/background. The goal of this attack is to compromise as many of these users' devices as possible and, in some cases, gain access to their organization's network. In other words, a watering hole attack occurs when cyber criminals use skills such as hacking and social engineering to target individuals, groups, or organizations on a website they frequent. Alternatively, the attacker can direct the victim(s) to a website that they have compromised.
Cybercriminals Using YouTube to Spread Malware
Cybercriminal gangs are using AI-generated YouTube videos to distribute malware. Unsuspecting victims who watch these AI-generated tutorial videos will be duped into clicking on one of the links in the video description, which usually results in the download of data-stealing malware. Since November 2022, the number of YouTube videos containing such links has increased by 200-300% month on month.
Multiple Vulnerabilities in EDRs and Anti-Virus Software Exploited To Turn Them into Data Wipers
SafeBreach researchers discovered a number of zero-day vulnerabilities in various Endpoint Detection and Response (EDR) and Anti-virus solutions. These flaws can be exploited to turn millions of such solutions in use around the world into data wipers capable of deleting any file on a device and causing it to fail to boot. This wiper runs as an unprivileged user but has the ability to wipe almost any file on a system, including system files, and render a computer unbootable. It does all that without implementing code that touches the target files, making it fully undetectable.
Legacy Windows Operating Systems to No Longer Get Support from January 2023
This is a reminder that Microsoft will no longer support Windows 8.1 as from January 10, 2023. The Extended Security Update (ESU) programme for Windows 7 Professional and Enterprise versions will also end January 10, 2023 – meaning these versions of Windows 7 will no longer be receiving security updates to patch critical vulnerabilities.
Increasing Cases of Wiperware Infection
There is heightened risk of getting infected with wiper malware (or wiperware) which often masquerade as ransomware, but are arguably more lethal as they erase or corrupt data permanently – providing no means of recovering the affected data. Increased prevalence of wiperware is likely due to its use in the ongoing war in Eastern Europe; however, there have been noteworthy incidences of its use going back a decade. Threat actors who deploy wiperware do so without expectation of financial gain – which is probably why it has taken the backseat to its cousin, ransomware, over the years.
Phishing Emails with OneNote Attachments Used to Disseminate RATs
A new method of delivering Remote Access Trojans (RATs) has been discovered using Microsoft OneNote attachments (these use ‘.one’ as an extension). Since the ubiquitous use of malicious Word or Excel documents is now easily identified by users, threat actors are resorting to other means in order to fool unsuspecting victims into downloading malicious files. Microsoft OneNote is a free note-taking software that can either be downloaded online or is included as part of Microsoft’s Office suite of applications.
New Phishing Apps Discovered on Google Play Store
Several phishing apps have recently been discovered on the Google Play Store. These apps can be games or investment services; however, they are designed to steal sensitive user information. The apps have been downloaded 450, 000 times in total.
Malicious Advertising Campaign Distributing FormBook Info-Stealer Malware
Cybercriminals are constantly seeking and coming up with new ways to distribute malware – with the latest method being through malicious advertisements. These malicious advertising, or malvertising campaign are used to spread .NET loaders, known as MalVirt, that deploy the FormBook information-stealing malware unto unsuspecting devices.
Increasing Watering Hole Attacks in Nigeria
ngCERT recently observed several cases of watering hole attacks that target groups of people who are somehow connected - whether they work for the same company, belong to the same social club, or have a common interest/background. The goal of this attack is to compromise as many of these users' devices as possible and, in some cases, gain access to their organization's network. In other words, a watering hole attack occurs when cyber criminals use skills such as hacking and social engineering to target individuals, groups, or organizations on a website they frequent. Alternatively, the attacker can direct the victim(s) to a website that they have compromised.
Cybercriminals Using YouTube to Spread Malware
Cybercriminal gangs are using AI-generated YouTube videos to distribute malware. Unsuspecting victims who watch these AI-generated tutorial videos will be duped into clicking on one of the links in the video description, which usually results in the download of data-stealing malware. Since November 2022, the number of YouTube videos containing such links has increased by 200-300% month on month.
