The latest of such advisories urged users to be mindful after attackers use Microsoft OneNote attachments in phishing emails that infect victims with remote access malware, which may allow hackers to remotely access vital information on victims’ devices.

According to the statement signed by Reuben Muoka, Director, Public Affairs at NCC, the Team advised users not open files from people they do not know, not to click ‘OK’ and immediately exit the application if they receive a warning that opening an attachment or link can damage their computer or files and to promptly share an unknown email they believe to be genuine with a security or Windows administrator to assist in determining whether the file is secure.

It had recently advised people not to open attachments in suspicious emails and to only purchase or download applications from official websites in response to the discovery of phishing malware that can gain unauthorized access to sensitive user data and download further malware.

The team reported that cybersecurity analysts at ASEC (South Korea’s cybersecurity emergency response centre), discovered a NetSupport RAT malware being distributed by threat actors from a phishing website disguised as a popular Pokemon card game.

The malware is a remote access tool that easily controls its victims’ Personal Computers and may allow the attackers to remotely control the compromised computer’s mouse and keyboard, access the system’s file management and history and even execute commands allowing them to install additional malware.

According to the researcher, the CRAFTED website that spread the malware is still online. It claims to be home to a new NFT card game built around the Pokemon franchise, offering users strategic fun together with NFT investment profits.

In a related advisory, following the discovery of several phishing apps on the Google Play Store, NCC-CSIRT had also advised users not to give out sensitive information through untrusted platforms.

NCC-CSIRT’s advisory on the discovery said the apps, which have been downloaded 450, 000 times in total, can be games or investment services, but that they are designed to steal sensitive user information.

While some of the malicious apps have been removed, others are still active on the store, with the affected apps listed as Golden Hunt, Reflector, Seven Golden Wolf Blackjack, Unlimited Score, Big Decisions, Jewel Sea, Lux Fruits Game, Lucky Clover, King Blitz, and Lucky Hammer.

According to the advisory, after installing and opening the app, it will contact a remote server which will reply with instructions on what to do. These instructions typically include phishing pages that will be displayed to unsuspecting users to collect their sensitive information.

Meanwhile, NCC-CSIRT also advised users to update their Galaxy App Store following the discovery of multiple vulnerabilities in the Samsung Galaxy App Store Application can lead to unwanted app installations and code execution. It disclosed that Ken Gannon, a cybersecurity researcher from NCC Group, discovered the vulnerabilities in the Galaxy App Store application on Samsung devices that are running Android 12 and older.

The CSIRT is the telecom sector’s cyber security incidence center set up by the NCC to focus on incidents in the telecom sector and as they may affect telecom consumers and citizens at large.

The CSIRT also works collaboratively with ngCERT, established by the Federal Government to reduce the volume of future computer risk incidents by preparing, protecting, and securing Nigerian cyberspace to forestall attacks, and problems or related events.

The Team suggests that owners of compromised devices take the extreme measure of doing factory resetting of infected devices.

NCC-CSIRT, citing Zscaler ThreatLabz, said, “The Todo: Day Manager hijacks your login info from banking apps, and can even read your SMS messages. It installs a banking trojan malware called Xenomorph that allows the app to intercept your two-factor verification codes (typically delivered over text) to raid your logins – and bank account.

“Xenomorph performs overlay attacks by exploiting accessibility permissions in Android, resulting in the overlaying of fraudulent login screens on banking apps aimed at exfiltrating credentials. The Android app makes itself intentionally difficult to delete. You need to search your phone for it immediately and uninstall it.”

“It starts with asking users to enable access permission. Once provided, it adds itself as a device admin and prevents users from disabling Device Admin, making it un-installable from the phone.  If you haven’t given permission to the app, then you should be able to uninstall it safely. Otherwise, you may have to back up your files and then factory-reset your phone to clear the app completely,” it advised.

In terms of potential solutions to the malware, NCC-CSIRT advised that “Search your phone for the app and uninstall immediately or backup your files and factory reset your phone.

“Only search for an app in the Google Play Store, pay close attention to the search results, look at the apps icons, note that fake apps almost always use the icon from the app they’re faking, then look at the developer’s name and make sure it’s from the right developer.

Also, look at the app’s download count. If the app has a lot of downloads going into millions to hundreds of thousand that’s a clue that it’s the right app.

Then, finally, look at the app’s description and screenshots to ensure that it doesn’t contain multiple spelling or grammar mistakes or otherwise broken English.

“Make use of Google Play Protect, which regularly scans your apps for malware and will alert you to uninstall rogue apps.”

The CSIRT is the telecom sector’s cyber security incidence centre set up by the NCC to focus on incidents in the telecom sector and as they may affect telecom consumers and citizens at large.

The CSIRT also works collaboratively with Nigeria Cybersecurity Emergency Response Team (ngCERT), established by the Federal Government to reduce the volume of future computer risk incidents by preparing, protecting, and securing Nigerian cyberspace to forestall attacks, and problems or related events.

In its advisory signed by Reuben Muoka, Director, Public Affairs at NCC, NCC-CSIRT indicated that the vulnerability, which is present in all versions of Windows-based products, presents as Phishing Attacks and Malware threats.
NCC-CSIRT reports that ProxyLife security researcher discovered the new phishing exploit on Windows zero-day vulnerability to drop a Qbot malware without displaying Mark of the Web (MoTW) security warnings.

“To take advantage of the Windows Mark of the Web zero-day vulnerability, threat actors have switched to a new phishing strategy that involves propagating JS files (plain text files that include JavaScript code) signed with forged signatures. The newest phishing attempt begins with an email that contains a password for the file along with a link to an allegedly important document.

“When the link is clicked, a password-protected ZIP folder that includes another zip file and an IMG file is downloaded. Normally, launching the JS file in Windows would result in a Mark of the Web security warning because it is an Internet-based file. However, the forged signature permits the JS script to function and load the malicious QBot program without triggering any Windows security alerts,” the advisory said.

Accordingly, NCC-CSIRT advised that users apply updates per vendor instructions.
The CSIRT is the telecom sector’s cyber security incidence centre set up by the NCC to focus on incidents in the telecom sector and as they may affect telecom consumers and citizens at large.

The CSIRT also works collaboratively with ngCERT, established by the Federal Government to reduce the volume of future computer risk incidents by preparing, protecting, and securing Nigerian cyberspace to forestall attacks, and problems or related events.

Ukrainian cyber experts discovered the attack, which uses Vidar Malware (Vidar Stealer) to steal Telegram session data, which in the absence of configured two-factor authentication and a passcode, allows unauthorized access to the victim’s telegram account and corporate account or network.

The malware, which exploits unauthorized access to users’ Telegram accounts and corporate accounts to steal data, targets platforms across iOS, Android, Linux, Mac and Windows Operating Systems.

“The Ukrainian CERT alleged that a Somnia Ransomware was created to be used on Telegram that tricks users to download an installer that mimics ‘Advanced IP Scanner’ software, which contains Vidar Malware. The installer infects the system with the Vidar stealer, which steals the victim’s Telegram session data to take control of their account.

“The threat actors abuse the victim’s Telegram account in some unspecified manner to steal VPN connection data (authentication and certificates). If the VPN account is not protected by two-factor authentication passcode, the hackers use it to gain unauthorized access to the victim’s employer’s corporate network”, the alert and advisory states.

“Once inside, the intruders conduct reconnaissance work using tools like Netscan, Rclone, Anydesk, and Ngrok, to perform various surveillance and remote access activities, and then deploy a Cobalt Strike beacon, exfiltrating data using the Rclone program,” the report stated.

The CSIRT is the telecom sector’s cyber security incidence centre set up by the NCC to focus on incidents in the telecom sector and as they may affect telecom consumers and citizens at large.

The CSIRT also works collaboratively with ngCERT, established by the Federal Government to reduce the volume of future computer risk incidents by preparing, protecting, and securing Nigerian cyberspace to forestall attacks, and problems or related events.

The advisory, which also recommended using the appropriate software updates that are accessible from the vendor website, followed the identification of multiple vulnerabilities in Cisco Products, especially the Cisco AnyConnect Secure Mobility Client for Windows, which enables employees to access company servers from anywhere without compromising security.

The two vulnerabilities made it possible for a remote attacker exploit to trigger remote code execution and data manipulation on the targeted system.

According to the advisory signed by Mr. Reuben Muoka, Director, Public Affairs at NCC, “The weaknesses in the product include uncontrolled search path and Dynamic Link Library (DLL) hijacking vulnerabilities. The uncontrolled search path vulnerability results from incorrect handling of directory paths. A directory path is a string of characters used to uniquely identify a location in a folder structure.

“This flaw could be exploited by an attacker by generating a malicious file and copying it to a system directory (folder). An exploit could enable the attacker to copy malicious files with system-level privileges to any location. The attacker needs legitimate Windows system credentials to exploit this vulnerability.

“Moreover, to exploit the DLL hijacking vulnerability, the attacker would also need to have valid credentials on the Windows system. The vulnerability was caused by the device’s inadequate run-time resource validation. By sending the AnyConnect process a specially designed IPC message, an attacker might take advantage of this vulnerability.”

The advisory rated the vulnerability high in impact and probability.

The CSIRT is the telecom sector’s cyber security incidence centre set up by the NCC to focus on incidents in the telecom sector and as they may affect telecom consumers and citizens at large.

The CSIRT also works collaboratively with ngCERT, established by the Federal Government to reduce the volume of future computer risk incidents by preparing, protecting, and securing Nigerian cyberspace to forestall attacks, and problems or related events.

Prof. Danbatta stated today in his keynote address at the Nigeria Innovation Summit (#NIS2022) held at Oriental Hotel, Lagos.

Delivering the keynote through Engineer Augustine Nwaulune – Director, Digital Economy at NCC, the EVC said the Commission, being the nation’s premier communications regulatory agency under the Federal Ministry of Communications & Digital Economy, has remained resolute on its mandate to work with all stakeholders to ensure a secure cyberspace that is safe for the operators and consumers of communications services and infrastructure in Nigeria.

The EVC said, “NCC also aims to strengthen public confidence in the use of digital technologies. It provides tangible avenues for the protection of digital assets, such as the NCC’s Computer Incidence Response Team (NCC-CSIRT), which protects, detects, prevents, and identifies cyber threats.

“Given the amount of data and information accessible via ICT infrastructure, the partnership between the NCC and the security agencies is invaluable in protecting cyberspace for users, and also for national security. Indeed, the Commission has signed several memoranda of understanding to document partnerships and streamline regulatory overlaps with other Government agencies”.

He added that the Commission is also working on broadening collaboration for the designation of communications infrastructure as critical national ICT infrastructure to strengthen cybersecurity policies and initiatives.

“Furthermore, the Commission has also issued Quality of Service Regulations, Registration of Telephone Subscribers Regulations 2011, SIM Registration Guidelines, Consumer Code of Practice Regulations 2007, Lawful Interception of Communications Regulations 2019, Internet Code of Governance; among others. Through these regulatory instruments, the Commission ensures the protection of consumers from unfair practices through the availability of information and education required to make informed choices in the use of ICT services. Furthermore, in line with the Commission’s mandate to ensure the needs of the disabled and elderly persons are taken into consideration in the provision of communications services, the Commission established the E-Accessibility Project.

“The project is also in tandem with Article 9 of the UN Convention on the Rights of Persons which requires member states to take measures to make available ICT tools and Assistive Technology (AT) to help in improving the quality of life of persons with disabilities”.

The Nigerian Communications Act (NCA) 2003 under section 112 (1), mandates that the Commission considers, designs, and defines a system that promotes the availability, accessibility, and affordability of network and application services throughout Nigeria.

“The Commission acts on this mandate by encouraging the installation of network facilities and providing network and application services to institutions in unserved, underserved areas and underserved groups, within the community.

“Through the establishment of the Universal Service Provision Fund (USPF), the USPF facilitates the achievement of national policy goals for universal service and universal access to information and communication technologies (ICTs) in rural, un-served and under- served areas in Nigeria. One of the successes of the USPF is the School Knowledge Centres (SKCs), which provide platforms for accessing educational resources online and offline.

“It also provides platforms for adopting ICT as a learning tool in public secondary schools. Similarly, the Community Resource Centre (CKC) is an initiative aimed at extending voice, internet, and ICT training and other e-services to unserved communities.

“This is also one of the initiatives of the USPF that bridges the digital divide in our communities,”, the EVC said.

He told hundreds of participants at #NIS2022 that the Commission has a role in ensuring that spectrum and other resources are optimized for efficient delivery of diverse and affordable ICT services. Similarly, the Commission enforces compliance with Quality of Service Key Performance Indicators, type approval tests on communications equipment; etc. to ensure efficient service delivery.

“In order to support the rapid development of our ICT sector, the Commission promotes ICT innovation and investment opportunities to improve the nation’s ability to compete in the global economy through increased investment in youth and promotion of SMEs in ways capable of delivering new business breakthroughs”, he said.

Earlier in his address at #NIS2022, Mr. Tony Ajah, Programme, a Director at Nigeria Innovation Summit, said that over the years, the Summit brings together stakeholders from different sectors of the economy to discuss ground-breaking ideas, trends, opportunities and numerous verticals to accelerate innovation, attain globally competitiveness and explore present innovative approaches to fixing existing problems, redundant economic playbooks, systems and structures.

Since inception, NIS has recorded thousands of participants, cutting across governments, industry leaders, founders, lawmakers, policymakers, C-Suites, foreign diplomats and key stakeholders, who grace the highly remarkable event annually, to steer pertinent  conversations around innovation, research and development, emerging technologies, frontier markets and industrial disruptions occurring in Nigeria and other African countries.

The vulnerabilities primarily affect Lenovo Products (Desktop, Desktop-All in One, Hyperscale, Lenovo Notebook, Smart Office, Storage, ThinkAgile, ThinkPad, ThinkServer, ThinkStation, and ThinkSystem).

The Nigerian Communications Commission’s Computer Security Incident Response Team (NCC-CSIRT), in its recent advisory, rated the probability of the vulnerability as high with an equally high damage potential. It, therefore, urged users of affected products to update their firmware.

The advisory cited the Lenovo report, first published in the second week of this month, indicating that the vulnerabilities are caused by flaws in the System Management Interrupt (SMI) Set BIOS Password SMI Handler, other systems used to configure platform settings over Windows Management Instrumentation (WMI), and a buffer overflow flaw in WMI SMI Handler.

Successful exploitation of the vulnerabilities could allow an authenticated local attacker to bypass security restrictions, gain elevated privileges and execute arbitrary code on the targeted system.

The attacker could also send a specially crafted request to the targeted user to gain sensitive information, which could result in unauthorized Information disclosure, privilege escalation and denial of service on the targeted system.

According to NCC-CSIRT, the solution to addressing the vulnerabilities is for users to update their system firmware to the newer version(s) indicated for their product model.

The CSIRT is the telecom sector’s cyber security incidence centre set up by the NCC to focus on incidents in the telecom sector and as they may affect telecom consumers and citizens at large.

The CSIRT also works collaboratively with the Nigeria Computer Emergency Response Team (ngCERT), established by the Federal Government to reduce the volume of future computer risk incidents by preparing, protecting, and securing Nigerian cyberspace to forestall attacks, and problems or related events.

This is part of the countermeasures to lessen the chances of falling for a malicious attack that has been discovered in the browser.

The NCC-CSIRT further advised users of the browser to practise safe Internet browsing habits and to refrain from clicking on links they are unsure of in the face of the malicious attack that has been rated as high in probability and potential damage to systems.

The advisory stated that the malicious advertising campaign, unearthed on the Microsoft Edge Browser News Feed, redirects victims to fraudulent tech support websites and that cybercriminals have resorted to posting bizarre, attention-grabbing stories or advertisements on the Edge news feed to entice users to click on them. The malicious advertisements appear legitimate but contain malware and/or other threats.

According to the advisory, “The Microsoft Edge News Feed is the default page that appears when a new tab is opened, and it displays information such as news, advertisements, weather, and traffic updates. Also, the following are the steps that result in being redirected to a bogus tech support page: The user clicks on a story or advertisement, the Edge browser setting is analysed for various metrics.”

Based on the aforementioned metrics and prior results, the advisory said “if the user is adjudged to be a bot or in a location that is not of interest, the user is redirected to a harmless dummy page that is relevant to the story or advertisement initially clicked on; However, if the user is adjudged a potential victim, then the user is redirected to a tech support scam website for further exploitation.”

Victims of the tech support website scam could have their Personally Identifiable Information (PII) and other data harvested or they could be with malware.

The NCC, therefore, urges telecom consumers and other stakeholders in the ecosystem to install up-to-date AntiVirus software and be alert to the wiles of cybercriminals in order not to fall victim to cyber scams.

The CSIRT is the telecom sector’s cyber security incidence centre set up by the NCC to focus on incidents in the telecom sector and as they may affect telecom consumers and citizens at large.

The CSIRT also works collaboratively with the Nigeria Computer Emergency Response Team (ngCERT), established by the Federal Government to reduce the volume of future computer risk incidents by preparing, protecting, and securing Nigerian cyberspace to forestall attacks, and problems or related events.

According to NCC-CSIRT, the five malicious extensions which the McAfee Mobile Research Team earlier discovered are;

1. Netflix Party with 800,000 downloads,

2. Netflix Party 2 with 300,000 downloads,

3. Full Page Screenshot Capture Screenshotting with 200,000 downloads,

4. FlipShope Price Tracker Extension with 80,000 downloads, and

5. AutoBuy Flash Sales with 20,000 downloads.

The NCC-CSIRT said the five google chrome extensions identified have a high probability and damage potential and have been downloaded more than 1.4 million times and serve as access to steal users’ data.

The telecom sector-focused cybersecurity protection team alerted telecom consumers to be cautious when installing any browser extension.

“The users of these chrome extensions are unaware of their invasive functionality and privacy risk. Malicious extensions monitor victims’ visits to e-commerce websites and modify the visitor’s cookie to appear as if they came through a referrer link. Consequently, the extensions’ developers get an affiliate fee for any purchases at electronic shops,” the advisory said.

In addition, the advisory stated that, although the google team removed several browser extensions from its Chrome Web Store, keeping malicious extensions out may be difficult. The NCC-CSIRT, thus, recommended that telecom consumers observe caution when installing any browser extension.

“These include removing all listed extensions from their chrome browser manually. Internet users are to pay close attention to the promptings from their browser extensions, such as the permission to run on any website visited and the data requested before installing it. Although, some extensions are seemingly legit, due to the high number of user downloads, these hazardous add-ons make it imperative for users to ascertain the authenticity of extensions they access.” the advisory stated.

Google Chrome extensions are software programmes that can be installed into Chrome in order to change the browser’s functionality.

This includes adding new features to Chrome or modifying the existing behavior of the program itself to make it more convenient for the user.

They serve purposes such as block ads, integration with password managers and sourcing coupons as items sent to a shopping cart.

The Computer Security Incident Response Team (CSIRT) is the telecom sector’s cyber security incidence centre set up by the NCC to focus on incidents in the telecom sector and as they may affect telecom consumers and citizens at large.

The security firm said it is important that businesses follow basic security principles to stay protected and minimise the potential financial and reputational losses associated with a ransomware attack.

“This is not the first case of Yanluowang’s impudent attacks we have observed throughout the year”, said Yanis Zinchenko, security expert at Kaspersky.

This further collaborate the advisory issued over the weekend by the Nigerian Communications Commission’s Computer Security Incident Response Team (NCC-CSIRT) which urged organisations to adopt stronger cybersecurity measures like ensuring their employees use strong, unique passwords for every account and enabling multi-factor authentication (2FA) wherever it is supported to prevent ransomware attacks.

It also advised organizations to ensure regular systems backup.

The NCC-CSIRT’s warning contained in its advisory of August 12, 2022, signed by Mr. Reuben Muoka, Director, Public Affairs at NCC, came after the Yanluowang threat actors gained access to Cisco’s network using an employee’s stolen credentials after hijacking the employee’s personal Google account containing credentials synchronised from their browser.

NCC-CSIRT estimated potential damage from the incident to be critical while predicting that successful exploitation of the ransomware will result in ransomware deployment to compromise computer systems, sensitive products and customers’ data theft and exposure, as well as huge financial loss to organizations by incurring significant indirect costs and could also mar their reputations.

To this end, Yanis Zinchenko said:

“Yanluowang is a relatively new ransomware, which unknown attackers use to target large companies. It was first reported late last year. Although the malware has only been around for a short period, Yanluowang has managed to target companies from all around the world, with victims across the U.S., Brazil, Germany, UAE, China, Turkey and many other countries.

“While the gang announced the Cisco breach on their data leak site, the company claims it found no evidence of ransomware payloads during the attack. This behaviour is typical for many ransomware operators as they try to seize every opportunity to extort money and harm their victims’ reputations. We strongly advise not to encourage ransomware players by paying their ransom – it does not guarantee that they will return the data nor will it stop the attack from happening again. At Kaspersky we are working hard to help companies avoid such outcomes. It is important that businesses follow basic security principles to stay protected and minimise the potential financial and reputational losses associated with a ransomware attack.

“While analysing the Yanluowang malware in April, we discovered that the malicious code was not perfect. The vulnerability discovered in the code allowed us to create a file decryptor with the help of a known-plaintext attack. Our Rannoh Decryptor can analyse encrypted files and helps victims of Yanluowang ransomware recover their information”.