The Nigeria Computer Emergency Response Team has the mission to achieve a safe, secure and resilient cyberspace in Nigeria that provides opportunities for national prosperity. ngCERT is established to prepare, protect, and secure the Nigerian cyberspace in anticipation of attacks, problems, or events. ngCERT is saddled with the responsibility of reducing the volume of future incidents.
Incident Response Plan
What is the incident?
Contain the issue immediately
Determine the cause of the incident
Get rid of the issue
Restore service as fast as possible
Ransomware Attacks. There has been an increase in ransomware attacks targeting government and private networks globally, the latest being the attack on the Kaseya VSA products; hence it is necessary to disseminate this security advisory to all Stakeholders and Ministries, Departments and Agencies in Nigeria so that adequate preventive measures against ransomware attacks can be taken. It is noteworthy that, following the recent ransomware attacks on SolarWinds, McDonald's, Microsoft Exchange Server, JBS, the US Colonial Pipeline Company, etc., it has been estimated that the number of ransomware attacks in 2021 may end up as high as 100,000, with each one costing an average of $170,000. The ransom paid by Colonial and JBS combined was about $15 million, against FBI advice. Therefore, the growing number of such attacks highlights the critical importance of making cyber preparedness a priority and taking the necessary steps to secure our networks against adversaries.
Best Practices for Preventing Business Disruption from Ransomware Attacks. Malicious cyber actors have consistently deployed ransomware against government and private companies, most recently in the attacks on the US pipeline company's information technology (IT) network and on the Japanese conglomerate Toshiba's unit by the DarkSide ransomware group. Critical Information asset owners and operators in Nigeria are therefore advised to adopt a heightened state of awareness and implement the recommendations listed in the Mitigations section of this Advisory, including implementing robust network segmentation between IT (Information Technology) and OT (Operational Technology) networks; regularly testing manual controls; and ensuring that backups are implemented, regularly tested, and isolated from network connections. These mitigations will help CI owners and operators improve their entity's functional resilience by reducing their vulnerability to ransomware and the risk of severe business degradation if impacted by ransomware.
Phishing Attack Using Fake Google reCAPTCHA to Steal Credentials from Microsoft Users. A Microsoft-themed phishing campaign is using a phony Google reCAPTCHA in an attempt to steal credentials from senior employees of various organizations. At least 2,500 such emails have been sent to senior-level employees over the past three months. The emails first take recipients to a fake Google reCAPTCHA page. Once victims "pass" the reCAPTCHA test, they are redirected to a phishing landing page that asks for their Office 365 credentials: after completing the fake reCAPTCHA, victims are directed to what appears to be a Microsoft login screen.
Update Advisory for APT Attacks on the SolarWinds Products. After conducting investigations into the Advanced Persistent Threat compromise of Government Critical National Infrastructure and Private Sector Organizations' infrastructures, SolarWinds has released an updated advisory for the Sunburst and SuperNova backdoors that were discovered while investigating the recent SolarWinds Orion supply-chain attack. It was discovered that the SuperNova backdoor was likely used by a separate threat actor. Several teams of researchers have mentioned the existence of two second-stage payloads after the initial disclosure of the SolarWinds attacks.
Advisory on Intended Nationwide Cyberattack. The recent classification of Nigeria, Kenya and Egypt by Kaspersky Lab as the easiest cyberattack targets in Africa, with about five hundred and seventy-seven (577) attempted malware attacks hourly, is a serious wake-up call to the government and the stakeholders in the cybersecurity industry. This was disclosed in the company's second-quarter Spam and Phishing 2020 report.
Remote Access Vulnerability. Researchers discovered that attackers can access organizations' networks through remote access systems to carry out ransomware attacks. This is performed through the Remote Desktop Protocol (RDP) and virtual private networks (VPN). The impact of these attacks on business operations can be severe because data is stolen and sold. Also, recovery from these attacks is very costly: the compromised network must be investigated and remediated, and encrypted files restored from backup.
SaltStack Framework Vulnerabilities in Cisco Products. Researchers discovered numerous critical security vulnerabilities in the SaltStack Salt framework, a configuration tool for cloud servers and data centers. Salt is used to monitor and update the state of servers. Each server runs an agent called a "minion" which connects to a "master", a Salt installation that collects state reports from minions and publishes update messages that minions can act on. The vulnerabilities allow attackers to bypass authentication and authorization and achieve arbitrary code execution.
ngCERT Advisory on Scranos Malware. Scranos is a Trojan horse that steals information from the compromised computer. It may also download potentially malicious files. Scranos cloaks itself as cracked software or apps that pose as legitimate programs, such as ebook readers, video players, drivers, and even security products. Upon execution, a rootkit driver is installed to hide the malware.
Windows 10 Task Scheduler Zero-Day Vulnerability. Microsoft Windows Task Scheduler is a set of Microsoft Windows components that allows for the execution of scheduled tasks. The exploit "functions reliably on 32- and 64-bit Windows 10 platforms, as well as Windows Server 2016 and Windows Server 2019."
The Act provides an effective, unified and comprehensive legal, regulatory and institutional framework for...
"Antiphishing.ng Project is a collaborative effort to create a community driven public repository about phishing that works to build additional tools to benefit the security community at large."
"tunCERT is the National CERT of the Tunisian government under the National Agency for Computer Security. tunCERT is one of the CERTs that graciously partook in pioneering ngCERT."
"FIRST is a recognized global leader in incident response that brings together a variety of computer security incident response teams from government, commercial, and educational organizations."
"Team Cymru was formed in 1998 to learn the "who and why" of malicious Internet activity. This focus on attribution resulted in the uncovering of the "what, when, where, and how" of online malevolence."