The Nigeria Computer Emergency Response Team has the mission to achieve a safe, secure and resilient cyberspace in Nigeria that provides opportunities for national prosperity. ngCERT is established to prepare, protect, and secure the Nigerian cyberspace in anticipation of attacks, problems, or events. ngCERT is saddled with the responsibility of reducing the volume of future incidents.
Incident Response Plan
1. Identify what the incident is
2. Contain the issue immediately
3. Determine the cause of the incident
4. Eradicate the issue
5. Restore service as fast as possible
Cybercriminals Targeting Federal Government Agencies Through Log4j Vulnerability. Following the publication of the advisory with ID - NGCERT-2021-0062 on the Apache Log4j Remote Code Execution Vulnerability on the 20th of December 2021, a U.S. Federal Government entity's network was compromised by a suspected Iranian threat actor, according to Cybersecurity and Infrastructure Security Agency (CISA). This threat actor took advantage of an unpatched VMware Horizon server to insert malware.
Increased Cases of Accounts Takeover in Nigeria. A series of Account Takeover (ATO) incidents have been reported to Nigeria's ngCERT. An ATO attack occurs when cybercriminals gain access to a user's credentials in order to compromise the user's account. This poses numerous risks to the individual and the organization that he or she represents, as it provides a breeding ground for future attacks for cybercriminals. They frequently change the user credentials once inside, effectively locking the user out.
Beware of Malicious Web Browser Extensions. In the first half of 2022, there was an increase in attempted downloads of malicious web browser extensions. These malicious extensions promise to speed up your browser but instead steal your data by redirecting users to phishing sites and inserting affiliate IDs into eCommerce site cookies. The investigation uncovered five (5) extensions with a total install base of over 1,400,000 and varying degrees of malicious capability.
New HiddenAds Malware on Google Play Store Uncovered. A new type of malware has infiltrated the Google Play Store in the form of several device cleaner or optimization apps. The McAfee Mobile Research Team identified this malware as HiddenAds, and upon installation, it can run malicious services without the user opening the app. It also spams the user with irrelevant advertisements. The apps have received downloads ranging from 100,000 to over a million.
New Malware Creates a backdoor to Microsoft Exchange servers. Kaspersky Lab researchers uncovered a new malware dubbed SessionManager, which creates a backdoor to Microsoft Exchange servers. This malware is believed to have been in use, undetected, since March 2021, and is aimed at non-governmental organizations (NGOs), governments, and military establishments in Africa, Europe, Asia, and the Middle East. In a cyber espionage campaign spanning multiple continents, Gelsemium, the group allegedly behind this campaign, aims to gain persistent and covert access to the IT infrastructure of several organizations.
New Emotet Malware Stealing Credit Card Info from Google Chrome Users. Emotet has evolved since its first appearance in 2014, causing significant damage in its wake: it grew from a Trojan that targeted banking apps into one of the first Malware-as-a-Service (MaaS) botnets, infecting a large number of devices and then selling access to third parties. It is currently stealing credit card information while evading security measures. The "improved" version of Emotet is engaging in "disturbing" behavior, effectively collecting and using stolen credentials, which are then weaponized to further distribute the Emotet binaries.
Novel Use of Chatbots in Phishing Schemes. Hackers have begun incorporating chatbots into their phishing schemes to lend an air of authenticity to an interaction. Chatbots have become a common medium of engagement on mainstream company websites, so using one during a phishing attack instills trust in the victim that the interaction is genuine. A chatbot is a program that simulates conversations with human users, allowing businesses to provide customer service around the clock while saving money.
Government-Targeted Attacks Trigger State of Emergency in Costa Rica Due to Sustained Cyberattacks. The Conti Ransomware gang has promised more government-targeted attacks after crippling Costa Rica's treasury, prompting the new leadership of President Rodrigo Chaves to declare a state of national cybersecurity emergency. In April 2022, the group carried out a ransomware attack on the Costa Rican government, severely disrupting the country's foreign trade by disrupting its customs and taxes platforms. The group has described the attack on Costa Rica's government as merely a "Demo Version," emphasizing the need for Nigeria to take proactive measures to protect itself from such attacks.
Iranian Government-Sponsored APT Group Targets Government and Commercial Networks. MuddyWater, an Iranian government-sponsored advanced persistent threat (APT) actor, has been observed conducting active cyber espionage and other malicious cyber operations against a variety of government and private-sector organizations in Africa and other continents, including telecommunications, defense, oil and natural gas, and relevant government agencies. This threat group is also known as Earth Vetala, MERCURY, Static Kitten, Seedworm, and TEMP.Zagros. The APT group was seen employing spearphishing, exploiting publicly known vulnerabilities, and leveraging multiple open-source tools to gain access to sensitive government and commercial networks.
SMS-Based Malware Infecting Mobile Devices. The notorious FluBot SMS Android malware that targets mobile devices was reported recently, and now there is another Android malware, called TangleBot, that employs broadly similar tactics to gain control of the device. This malware is reported to be far more invasive than FluBot.
Rootkit Malware Attacks. Rootkits are one of the most damaging types of malware. They are very difficult to detect and remove, and they give threat actors almost complete access to the target computer. An attacker who installs a rootkit on a computer can access and steal data, delete or corrupt files, spy on all system activity, modify programs, and more. Because rootkits remain hidden and avoid detection, most commercially available anti-virus software is ineffective against them.
Google Warns Users of Government-Sponsored Attacks. Google's Threat Analysis Group (TAG) has revealed that it is monitoring over 270 government-backed threat actors from over 50 countries. Since the beginning of 2021, the tech giant has sent approximately 50,000 alerts to customers about state-sponsored phishing or malware attempts.
Fortinet Leaked VPN Account Credentials. A malicious actor has leaked a list of almost 500,000 Fortinet VPN login names and passwords that were allegedly scraped from exploitable devices last summer. These credentials were reported to be obtained from systems that remained unpatched against FG-IR-18-384 / CVE-2018-13379 at the time of the actor's scan.
Microsoft Edge Browser Vulnerabilities. A Microsoft Edge vulnerability that could allow attackers to steal secrets from any website was discovered, prompting Microsoft to release updates for the Edge browser that include a fix. This bypass vulnerability could allow a remote attacker to bypass the implemented security restrictions and inject and execute arbitrary code on any website just by sending a message.
Cybercriminals Using Telegram Messaging Service to Distribute ToxicEye Malware. Researchers discovered that the Telegram instant messaging service is being used by malicious actors to manage a remote access trojan (RAT) called ToxicEye. These cybercriminals are increasingly abusing Telegram as a "command-and-control" system to distribute malware into organizations, which could then be used to capture sensitive information from targeted systems. More than 130 attacks involving the ToxicEye RAT have been discovered recently, and researchers warn that even when Telegram is not installed or in use, the infected system allows attackers to send malicious commands and operations remotely via the instant messaging app.
Advisory on Windows Vulnerabilities. Cybercriminals are actively taking advantage of weaknesses in Windows and deploying malware for nefarious purposes. Windows has been a direct target of malware attacks; according to recent findings, more than 80% of detected malware targets Windows. Examples include two updated versions of the LodaRAT malware, the TrickBot malware and the Zerologon flaw.
Security Advisory on Phishing Attacks. Phishing attacks are the most common and effective cyber security threat to individuals, businesses and organizations. Phishing is the delivery mechanism of choice for ransomware and other malware and it is a critical problem that every organization must address through a variety of means. Most phishing messages indicate immediate action is needed to avoid an unwanted time-sensitive consequence. It is important to be suspicious of all requests, and review messages carefully to determine if the message may be a phishing scam.
Tecno Phones Vulnerability. Researchers have discovered a critical security risk in Tecno Android phones that ship with pre-installed malware called Triada. Malware that signed users up to subscription services without their permission was discovered on thousands of Tecno mobile phones sold in Africa. Anti-fraud firm Upstream found the malicious code on Tecno handsets sold in Ethiopia, Cameroon, Egypt, Ghana and South Africa.
New EvilQuest Ransomware for macOS Systems. A new ransomware known as EvilQuest has been discovered by security researchers. This ransomware was first seen impersonating the Google Software Update program and, on torrent sites, injected into installers wrapping pirated versions of popular macOS software such as Little Snitch, Ableton Live, and Mixed In Key. EvilQuest encrypts macOS systems, installs a keylogger and a reverse shell for full control over the infected host, and exfiltrates files that contain valuable information (keys to cryptocurrency wallets, code-signing certificates, and many more) with a variety of extensions (e.g. .pdf, .doc, .jpg, .txt, .pages, .wallet, .zip, etc.).
Multiple Security Vulnerabilities in D-Link Home Routers. Researchers discovered six new vulnerabilities in D-Link wireless cloud routers running their latest firmware. The reported vulnerabilities were found in the DIR-865L model of D-Link routers, which is meant for home network use. It is also likely that some of these vulnerabilities are present in newer models of the router because of similarities in the codebase.
Windows 10 Task Scheduler Zero-Day Vulnerability. Microsoft Windows Task Scheduler is a set of Microsoft Windows components that allows for the execution of scheduled tasks. The exploit "functions reliably on 32- and 64-bit Windows 10 platforms, as well as Windows Server 2016 and Windows Server 2019."
The Act provides an effective, unified and comprehensive legal, regulatory and institutional framework for...
"Antiphishing.ng Project is a collaborative effort to create a community driven public repository about phishing that works to build additional tools to benefit the security community at large."
"tunCERT is the National CERT of the Tunisian government under the National Agency for Computer Security. tunCERT is one of the CERTs that graciously took part in pioneering ngCERT."
"FIRST is a recognized global leader in incident response that brings together a variety of computer security incident response teams from government, commercial, and educational organizations."
"Team Cymru was formed in 1998 to learn the 'who and why' of malicious Internet activity. This focus on attribution resulted in the uncovering of the 'what, when, where, and how' of online malevolence."