Cybercriminals Using YouTube to Spread Malware. Cybercriminal gangs are using AI-generated YouTube videos to distribute malware. Unsuspecting victims who watch these AI-generated tutorial videos will be duped into clicking on one of the links in the video description, which usually results in the download of data-stealing malware. Since November 2022, the number of YouTube videos containing such links has increased by 200-300% month on month.

• Advisory
• March 23, 2023

Phishing Emails with OneNote Attachments Used to Disseminate RATs. A new method of delivering Remote Access Trojans (RATs) has been discovered using Microsoft OneNote attachments (these use ‘.one’ as an extension). Since the ubiquitous use of malicious Word or Excel documents is now easily identified by users, threat actors are resorting to other means in order to fool unsuspecting victims into downloading malicious files. Microsoft OneNote is a free note-taking software that can either be downloaded online or is included as part of Microsoft’s Office suite of applications.

• Advisory
• January 24, 2023

Security Advisory on Most Commonly Used Passwords in Nigeria. A recent research by Nordpass and a group of independent researchers has revealed the 200 most common passwords in 2022. The methodology used also allowed them to collect information based on country and gender. Discovery suggests that a lot of people around the world do not adhere to password hygiene rules.

• Advisory
• December 9, 2022

Malware-laden Apps Discovered on Google Play Store. The Nigeria Computer Emergency Response Team (ngCERT) has continued to observe and monitor the constant introduction of malicious mobile applications into Google Play Store. Recently, a group of apps created by 'Mobile Apps Group' were discovered to contain Trojans and adware that are harmful to users and their privacy. Mobile apps Group has a history of distributing malware-infected apps through the Google Play store, and the current batch of apps has already been downloaded over a million times.

• Advisory
• November 4, 2022

Multiple Vendor Vulnerabilities Reported on Lenovo Products. According to Lenovo, multiple vulnerabilities have been discovered in Lenovo products. These high-severity vulnerabilities could allow an authenticated local attacker to circumvent security restrictions, gain elevated privileges, execute arbitrary code on the targeted system, gain sensitive information, and exploit this vulnerability by also sending a specially crafted request to the targeted user.

• Advisory
• September 22, 2022

WordPress Websites Compromised With Fake DDoS Protection Page. Threat actors are targeting WordPress-powered websites by injecting a malicious Javascript payload that displays a bogus CloudFare DDoS (Distributed Denial of Service) protection page. Because such DDoS checks have become the norm while browsing the web, unsuspecting internet users will be duped into believing it is genuine, and will be infected with a RAT (Remote Access Trojan) and Information-Stealer as a result.

• Advisory
• August 23, 2022

Luna Ransomware Discovered With Ability To Infect Multiple Platforms. Luna, a rust-based ransomware, has been discovered that can run on Windows, Linux, and ESXi operating systems. This exemplifies the ongoing trend of threat actors developing cross-platform ransomware in order to achieve the broadest possible reach.

• Advisory
• July 28, 2022

MaliBot Trojan Targets Online Banking and Cryptocurrency Wallets. Malibot is an information-stealing Trojan that is being spread in the form of legitimate cryptocurrency apps for Android smartphones. It targets online banking apps and crypto wallets with the aim of pilfering Personally Identifiable Information (PII) and other user credentials. Other functionality of this Trojan include the ability to start and delete apps, web-injections and overlay attacks.

• Advisory
• June 29, 2022

Nigeria Scammers Using Agent Tesla Remote Access Trojan (RAT) In Financial Scams. Interpol recently reported the arrest of Nigerians in financial scams using Agent Tesla during a sting operation conducted by the Economic and Financial Crimes Commission (EFCC). Agent Tesla is a remote access tool (RAT) that enables users to remotely control computers. This tool is available for purchase from its official website, and its developers present it as a legitimate program. As an information-stealer that extracts user credentials stored in web browsers, emails, and File Transfer Protocol (FTP) clients, it has recently surpassed the status of most widely distributed malware. Interpol apprehended three notorious fraudsters in Lagos who used Agent Tesla as part of their Business Email Compromise (BEC) attacks in an operation dubbed "Killer Bee."

• Advisory
• June 3, 2022

Warning on a New Wave of Attacks Distributing Jester Malware. The Ukrainian Computer Emergency Response Team reported that threat actors have been sending phishing emails with the subject line "chemical attack" to their citizens in an attempt to spread the information-stealing malware Jester Stealer. However, subject line could be modified to effectively lure victims into taking urgent actions. This type of attack has previously escaped into the wild and caused widespread damage, and there has been a historical pattern of cyberattacks on Ukraine with international ramifications that have resulted in billions of dollars in damages, thus the need for this advisory.

• Advisory
• May 11, 2022

Hackers Using Fake Windows 11 Upgrade to Install Malware & Steals Information. It has been discovered that through clever manipulation of internet search results, hackers are tricking people into installing a fake malware-infected, information-stealing Windows 11 upgrade. The hackers created a near-exact replica of the Microsoft website but infected it with malicious software. When people search for "Windows 11 upgrade" or something similar, it's possible that one of the top results is the hackers' shady website.

• Advisory
• April 20, 2022

New Variant of BRATA Banking Trojan Infecting Android Devices. New variants of the BRATA banking trojan have been discovered to be targeting global Android devices since November 2021 with advanced features, including the ability to wipe devices after stealing user data, tracking devices via GPS, and novel obfuscation techniques. The remote access trojan (RAT), which targets banks and financial institutions, is now being distributed through a downloader to avoid being detected by antivirus (AV) solutions.

• Advisory
• January 28, 2022

Apache Log4j Remote Code Execution Vulnerability.. On December 9, 2021, a vulnerability was reported that could allow a system running Apache Log4j 2 version 2.15 or below to be compromised and allow an attacker to execute arbitrary code. The Apache Log4j 2 utility is a widely deployed Java-based logging utility used for logging requests. Open-source reporting indicates that active scanning and exploitation of this vulnerability have been observed.

• Advisory
• December 20, 2021

New Android Rooting Malware. A new Android malware that can gain root access to smartphones, take complete control over infected smartphones and silently modify device settings while simultaneously taking steps to evade detection has been discovered. The malware named “AbstractEmu” has been found to be distributed via Google Play Store and third-party stores such as the Amazon Appstore and the Samsung Galaxy Store, as well as other lesser-known marketplaces like Aptoide and APKPure.

• Advisory
• November 3, 2021

Facebook, Instagram and WhatsApp global outage. Some social media platforms including Facebook, Instagram and WhatsApp are currently experiencing technical downtime due to unknown causes resulting to a major global outage with many users unable to use the platforms. The outage is affecting every Facebook owned platforms according to data on Downdetector and Twitter. These Facebook owned Platforms are Instagram, Facebook, WhatsApp and Facebook Messenger. The outages appear to have started around 16:40pm and all services on the affected platforms remain inaccessible. The outages generated trends on Twitter as users flocked to the competing social network to see if other users were affected by the downtime. Humorously, the hashtag “#DeleteFacebook” is also trending on Twitter as Facebook battles negative reactions to its current challenge.

• Advisory
• October 4, 2021

Ransomware Attacks. There has been an increase in ransomware attacks targeting government and private networks globally with the latest on the Kaseya VSA products, hence it is necessary to disseminate this security advisory to all Stakeholders and Ministries Departments and Agencies in Nigeria in order to take adequate preventive measures against ransomware attacks. It is noteworthy to know that all the recent ransomware attack on the Solarwinds, McDonald’s, Microsoft exchange server, JBS, US colonial Pipeline Company, etc has been estimated that the number of the ransomware attacks in 2021 may end up to be as high as 100,000 attacks with each one costing an average of $170,000. The ransom paid by Colonial and JBS combined was about $15 million against FBI advice. Therefore, the growing number of such attacks highlights the critical importance of making cyber preparedness a priority and taking the necessary steps to secure our networks against adversaries.

• Advisory
• July 7, 2021

Best Practices for Preventing Business Disruption from Ransomware Attacks. Malicious cyber actors has consistently deployed ransomware against government and private companies with recently trending attack on the US pipeline company’s information technology (IT) network, and the Japanese Conglomerate Toshiba unit by the DarkSide ransomware group. Critical Information asset owners and operators in Nigeria are therefore advised to adopt a heightened state of awareness and implement the recommendations listed in the Mitigations section of this Advisory, including implementing robust network segmentation between IT (Information technology) and OT (Operational Technology) networks; regularly testing manual controls; and ensuring that backups are implemented, regularly tested, and isolated from network connections. These mitigations will help CI owners and operators improve their entity's functional resilience by reducing their vulnerability to ransomware and the risk of severe business degradation if impacted by ransomware.

• Advisory
• May 15, 2021

Phishing Attack Using Fake Google reCAPTCHA to Steal Credential from Microsoft Users. A Microsoft-themed phishing campaign is using phony Google reCAPTCHA in an attempt to steal credentials from senior employees of various organizations. At least 2,500 such emails have been sent to senior-level employees, over the past three months. The emails first take recipients to a fake Google reCAPTCHA system page. Once victims “pass” the reCAPTCHA test, they are then redirected to a phishing landing page, which asks for their Office 365 credentials. After filling out the fake reCAPTCHA system, victims are then directed to what appears to be a Microsoft login screen.

• Advisory
• March 16, 2021

Update Advisory for APT Attacks on the SolarWinds Products. After conducting investigations into the Advanced Persistent Threat Compromise of Government Critical National Infrastructure, and Private Sector Organizations Infrastructures, SolarWinds have released an updated advisory for the Sunburst and the SuperNova backdoor that was discovered while investigating the recent SolarWinds Orion supply-chain attack. It was discovered that the SuperNova backdoor was likely used by a separate threat actor. Several teams of researchers have mentioned the existence of two second-stage payloads after the initial disclosure of the SolarWinds attacks.

• Advisory
• January 4, 2021

Advisory on Intended Nationwide Cyber attack. The recent Classification of Nigeria, Kenya and Egypt by Kaspersky lab as easiest Cyberattack target in Africa with about Five Hundred and seventy-seven (577) attempted malware attacks hourly, is a serious wake up call to the government and the stakeholders in the Cybersecurity industry. This was disclosed in the company’s second quarter Spam and phishing 2020 report.

• Advisory
• October 15, 2020

Remote Access Vulnerability. Researchers discovered that attackers can access organizations ‘networks through remote access systems to carry out ransomware attack. This is performed through the remote desktop protocol (RDP) and virtual private networks (VPN). The impact of these attacks can be severe on business operations because data are stolen and sold. Also, the recovery from this attacks is very costly to investigate and remediate the compromised network, and restore encrypted files from backup.

• Advisory
• July 22, 2020

SaltStack FrameWork Vulnerabilities in Cisco Products. Researchers discovered numerous critical security vulnerabilities in SaltStack Salt framework – a configuration tool for cloud servers and data centers. Salt is used to monitor and update the state of servers. Each server runs an agent called a "minion" which connects to a "master", a Salt installation that collects state reports from minions and publishes update messages that minions can act on. The vulnerabilities allows attackers to bypass authentication and authorization for arbitrary code execution.

• Advisory
• June 19, 2020

ngCERT Advisory on Scranos Malware. Scranos is a Trojan horse that steals information from the compromised computer. It may also download potentially malicious files. Scranos cloaks itself as cracked software or apps that pose as legitimate programs, such as ebook readers, video players, drivers, and even security products. Upon execution, a rootkit driver is installed to hide the malware.

• Advisory
• February 10, 2020

ngCERT VMware Tools vulnerability. A vulnerability in VMware Tools is a functionality that was removed from VMware Tools 11.0.0 and it has been determined to affect VMware Tools for Windows version 10.x.y.

• Advisory
• January 16, 2020

Windows 10 Task Scheduler Zero-Day Vulnerability. Microsoft Windows Task Scheduler is a set of Microsoft Windows components that allows for the execution of scheduled tasks. The exploit "functions reliably on 32- and 64-bit Windows 10 platforms, as well as Windows Server 2016 and Windows Server 2019.

• Vulnerability
• February 10, 2020