Advisory ID: ngCERT-2025-110003
SUMMARY
ngCERT is issuing an alert on the infiltration of Pseudomanuscrypt malware, a sophisticated spyware campaign primarily impacting Windows OS. Notably, this mass-scale operation has infected over 35,000 systems globally, focusing mainly on industrial control systems (ICS) and government entities. In particular, Pseudomanuscrypt infiltration can lead to theft of sensitive credentials and data, potentially enabling follow-on ransomware attacks, financial fraud, and possible sabotage of critical infrastructure across various sectors. This underscores the need for individuals and organisations to take proactive steps to safeguard against Pseudomanuscrypt infiltration.
Damage: Critical
Probability: High
Platform(s): Microsoft Windows (OS)
DESCRIPTION
Attackers spread Pseudomanuscrypt mainly through fake pirated software installers and cracks downloaded from malicious sites, often sourced from Malware-as-a-Service platforms or delivered through botnets like Glupteba. Once downloaded, a 7z self-extracting archive drops loaders (install.dll and install.dat) into the %TEMP% folder, decodes shellcode, and launches the main payload while creating persistence through registry keys and scheduled tasks. The malware subsequently establishes resilient command-and-control communication using KCP protocol or DNS tunnelling, backed by a Domain Generation Algorithm to evade blocking. After gaining a foothold, it performs extensive reconnaissance, including logging keystrokes, capturing screenshots and video, stealing credentials and clipboard data, while monitoring VPNs, and mapping the network. It also pulls additional modules for deeper espionage or secondary infections, such as cryptocurrency miners.
CONSEQUENCES
A successful Pseudomanuscrypt malware infection can lead to:
- Theft of sensitive credentials, intellectual property, and operational data.
- Financial losses through fraud.
- Ransomware attacks.
- Sabotage and disruption of critical services and infrastructure.
- Reputational damage.
SOLUTION/MITIGATION
ngCERT recommends the following prioritised actions:
- Patch and update all systems, especially Windows and ICS software, disable unnecessary services and enforce least-privilege access.
- Deploy reputable antivirus solutions with behavioural detection configured for real-time scanning. Enable application whitelisting to block unauthorised executables.
- Avoid downloading cracked or pirated software; verify sources and use official channels. Educate users on phishing and malicious archives through regular awareness training.
- Implement EDR tools to detect anomalous behaviours like unusual C2 traffic. Segment ICS networks and monitor for persistence artifacts in %TEMP% and registry hives.
- If infected, isolate affected systems, scan with reputable tools, and reset credentials. Report incidents to ngCERT for coordinated response.
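The following added example (not ngCERT's tooling) triages exported Run-key and scheduled-task entries for the %TEMP% loader persistence described above. The environment, the sample entries and the rundll32 export name are constructed; the loader file names come from the advisory.

```python
"""Triage exported autorun entries for Pseudomanuscrypt-style persistence.

Added example, not ngCERT's tooling. It assumes Run-key values and
scheduled-task actions were already exported as (source, name, command)
tuples; every entry and the environment below are constructed.
"""
import ntpath
import re

SUSPECT_FILES = {"install.dll", "install.dat"}  # loader names in the advisory
# Constructed environment used to resolve %TEMP%/%TMP% in autorun commands.
ENV = {"TEMP": r"C:\Users\alice\AppData\Local\Temp",
       "TMP": r"C:\Users\alice\AppData\Local\Temp"}


def expand_env(command: str, env: dict = ENV) -> str:
    """Expand %VAR% references (case-insensitive) using the supplied map."""
    return re.sub(r"%([A-Za-z_]+)%",
                  lambda m: env.get(m.group(1).upper(), m.group(0)), command)


def extract_paths(command: str) -> list:
    """Return Windows path tokens (quoted or bare) found in a command line."""
    quoted = re.findall(r'"([^"]+)"', command)
    bare = re.findall(r'(?<!")\b[A-Za-z]:\\[^\s",]+', command)
    return quoted + bare


def is_suspicious(command: str, env: dict = ENV) -> list:
    """Reasons an autorun matches the %TEMP% loader pattern (empty = clean)."""
    reasons = []
    temp_dir = env["TEMP"].lower()
    for path in extract_paths(expand_env(command, env)):
        low = path.lower()
        if low.startswith(temp_dir):
            reasons.append(f"target under %TEMP%: {path}")
        if ntpath.basename(low) in SUSPECT_FILES:
            reasons.append(f"known loader name: {ntpath.basename(low)}")
    return reasons


def triage(entries: list, env: dict = ENV) -> list:
    """Return (source, name, reasons) for every flagged autorun entry."""
    return [(s, n, r) for s, n, c in entries if (r := is_suspicious(c, env))]


RUN_HKLM = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_HKCU = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
SAMPLE_AUTORUNS = [  # constructed: two benign, two matching the advisory
    (RUN_HKLM, "SecurityHealth", r'"C:\Windows\System32\SecurityHealthSystray.exe"'),
    (RUN_HKCU, "Updater", r'rundll32.exe "%TEMP%\install.dll",Start'),
    ("SchedTask", r"\Microsoft\Windows\Sync", r"C:\Users\alice\AppData\Local\Temp\svc.exe -run"),
    ("SchedTask", r"\Backup", r'"C:\Program Files\Backup\agent.exe" --daily'),
]

if __name__ == "__main__":
    for source, name, reasons in triage(SAMPLE_AUTORUNS):
        print(source, name, "; ".join(reasons))
```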
HYPERLINK
- https://breachspot.com/news/cyber-attacks/pseudomanuscrypt-malware-spreads-like-cryptbot-targeting-korean-users/
- https://thehackernews.com/2022/02/pseudomanuscrypt-malware-spreading-same.html
- https://thrive.trellix.com/s/article/KB95251?language=en_US
- https://thehackernews.com/2025/08/microsoft-discloses-exchange-server.html
Advisory ID: ngCERT-2025-110004
SUMMARY
ngCERT is aware of a high-severity vulnerability in Microsoft Exchange Server hybrid deployments that combines elements of CWE-287 (Improper Authentication) with a privilege escalation path. A hybrid deployment connects on-premises Exchange servers to Exchange Online within Microsoft 365. The flaw, tracked as CVE-2025-53786, arises from the weak authentication trust established between the two environments through a shared service principal. Attackers who already hold administrative privileges on-premises could abuse this trust relationship to escalate privileges into the connected cloud environment. Consequently, individuals and organisations are advised to take immediate steps to protect their systems from exploitation by threat actors.
Damage: Critical
Probability: High
Platform(s): Microsoft Exchange Server (Hybrid Deployments)
DESCRIPTION
CVE-2025-53786 stems from improper authentication handling in hybrid Microsoft Exchange Server environments that link on-premises servers with Exchange Online. The flaw affects hybrid Microsoft Exchange setups and combines elements of CWE-287 (Improper Authentication) with a privilege escalation path. Threat actors with elevated privileges on the on-premises Exchange environment can exploit these weaknesses to request or forge tokens, thereby elevating their effective privileges in the cloud and gaining access to cloud services. This movement may occur without typical logging or controls catching the activity, complicating detection and response. Affected systems include Exchange Server 2016, 2019, and Subscription Edition that have not applied Microsoft’s April 2025 hybrid configuration update. Organisations are advised to apply the April 2025 or later Exchange Server hotfix to avoid being vulnerable to cross-environment privilege escalation.
CONSEQUENCES
Successful exploitation of this vulnerability could result in:
- Privilege escalation
- System compromise
- Persistence across environments
- Unauthorised cloud account access/takeover
- Data exfiltration
- Lateral movement across a connected cloud environment
- Data tampering
- Reputational damage
SOLUTION/MITIGATION
ngCERT recommends the following:
- Install the April 2025 or later Exchange Server hotfix on all on-premises servers in hybrid environments.
- Reconfigure the hybrid deployment to use a dedicated hybrid application in Entra ID instead of the legacy shared service principal model.
- Implement Microsoft’s Service Principal Clean-Up Mode to revoke and regenerate hybrid service principal credentials.
- Audit on-premises Exchange settings for hybrid status, update levels, shared principal use, admin access, and abnormal authentication activity.
- Restrict administrative privileges with the least privilege, enforce MFA, and monitor for suspicious admin activity.
- Implement logging and alerting for suspicious token requests, credential changes, and cross-environment access anomalies.
- If immediate patching isn’t possible, apply compensating controls like isolating the Exchange server, limiting outbound traffic, and monitoring hybrid token flows.
HYPERLINK
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53786
- https://www.cisa.gov/news-events/alerts/2025/08/06/microsoft-releases-guidance-high-severity-vulnerability-cve-2025-53786-hybrid-exchange-deployments
- https://techcommunity.microsoft.com/blog/vulnerability-management/mdvm-guidance-for-cve-2025-53786-exchange-hybrid-privilege-escalation/4442337
- https://thehackernews.com/2025/08/microsoft-discloses-exchange-server.html
Advisory ID: ngCERT-2025-110002
SUMMARY
ngCERT is aware of widespread malicious activities linked to the Prometei botnet affecting multiple network infrastructures within Nigeria’s cyberspace. Prometei is a modular malware that targets Windows and Linux servers for credential theft, cryptocurrency mining, and proxy exploitation. Reports indicate that the malware exploits unpatched systems, weak authentication, and exposed services such as Server Message Block (SMB) and Remote Desktop Protocol (RDP). Notably, infections have been observed across finance, education, telecommunications and energy sectors, with implications for prolonged network compromise, large-scale credential harvesting, and use of infected systems as proxies for further attacks. Consequently, organisations are urged to strengthen patching routines, improve authentication security, and monitor for unusual system resource usage.
Damage: Critical
Probability: High
Platform(s): Windows and Linux Servers
DESCRIPTION
Prometei is a sophisticated, self-updating botnet with modular plugins that enable the targeting of both Windows and Linux environments. Initial access is achieved by exploiting exposed services, primarily Microsoft Exchange Server vulnerabilities (ProxyLogon/ProxyShell chains) and weak or default RDP/SSH credentials, among others. Brute-force attacks against SMB, RDP, and MSSQL are also common vectors. A successful Prometei infection drops executables disguised as legitimate system files (such as svchost.exe or systemd-journald), escalates privileges using exploits such as PrintNightmare or EternalBlue variants, and disables security tools. The malware uses domain generation algorithms (DGA), HTTP/HTTPS over non-standard ports mimicking legitimate traffic, and, in newer variants, routes communication through Tor. Furthermore, it aggressively steals credentials, spreads laterally across networks and simultaneously turns infected systems into high-performance Monero miners. It also installs SOCKS5/HTTP proxies for resale on underground markets, and exfiltrates browser passwords and VPN configurations.
CONSEQUENCES
A successful Prometei infection could result in:
- Severe performance degradation.
- Data breach.
- System compromise.
- Financial losses.
- Exposure of national networks to global cybercrime operations.
SOLUTION/MITIGATION
ngCERT recommends the following:
- Apply critical patches; disable legacy services like SMBv1.
- Enforce MFA and strong password policies.
- Segment networks and limit administrative access.
- Deploy EDR/XDR to detect abnormal processes and C2 traffic.
- Monitor for CPU spikes, mining processes, and failed login attempts.
- Conduct regular audits and access reviews.
- Isolate infected hosts and reset exposed credentials.
- Train staff on identifying early indicators of compromise.
HYPERLINK
Advisory ID: NCC-CSIRT-2025-026
Summary:
Security researchers (eSentire, The Hacker News coverage) have identified a November 2025 campaign, tracked as EVALUSION, that uses the ClickFix social-engineering technique to trick users into executing commands which lead to the installation of the Amatera Stealer (packed with PureCrypter) and the follow-on deployment of NetSupport RAT. The attack chain injects a packed Amatera DLL into MSBuild.exe, harvests browser and wallet data, then executes PowerShell to fetch and run NetSupport for persistent remote access.
Damage/Probability: High/High
Indicators of Compromise (IOCs):
IOCs change rapidly. Pull up-to-date lists from vendor CTI and your telemetry before actioning.
- Run/explorer.exe spawning msbuild.exe with injected DLLs.
- Unknown DLLs loaded into msbuild.exe or other trusted developer processes.
- PureCrypter artifacts and PowerShell one-liners contacting suspicious domains.
- NetSupport RAT beacons or console connections to unknown endpoints.
- Outbound connections to vendor-flagged malicious download/C2 domains.
Product(s):
- Microsoft Windows endpoints (workstations and servers)
- Browsers and browser-stored credentials (Chrome, Edge, Firefox) and password managers
- NetSupport RAT (remote access tooling abused as payload)
- Amatera Stealer (infostealer family) and PureCrypter (loader/crypter)
Version(s):
Not version-specific; the campaign affects Windows systems where users execute the staged payloads, and detection and remediation depend on endpoint protections and configuration.
Platform(s):
- Enterprise and unmanaged Windows hosts
- Remote workers’ machines
- Environments where MSBuild.exe and PowerShell are allowed to run.
Description:
The campaign begins with phishing, malvertising, or compromised pages that present a ClickFix-style visual or instruction prompting the user to run a command (the “ClickFix” interaction), often via the Windows Run box or a similarly trivial user action. ClickFix is an interactive social-engineering technique designed to coax users into executing commands that would normally be blocked or inspected. Once the user follows the prompt, the chain drops a PureCrypter-packed Amatera DLL, which the actor injects into MSBuild.exe to evade detection. The stealer harvests browser credentials, cookies, crypto wallets and system artifacts, then executes a PowerShell stage that downloads and installs NetSupport RAT to provide remote control to the attacker.
Threat Types:
- Infostealer (Amatera): credential, cookie and crypto-wallet harvesting.
- Remote Access Trojan (NetSupport): full remote control and lateral movement.
- Social-engineering vector: ClickFix (interactive user trick that bypasses some security controls).
- Crypter/loader use (PureCrypter) to evade detection. (Proofpoint)
Impacts:
- Theft of browser passwords, cookies, form data, and crypto wallets.
- NetSupport RAT enables remote access and data exfiltration.
- Crypter packing and DLL injection evade signature-based detection.
- Unmanaged endpoints with corporate resources increase operational risk.
Solutions:
NCC-CSIRT recommends the following mitigation steps:
- Hunt trusted executables such as msbuild.exe for unknown DLLs or unusual process chains.
- Monitor PowerShell for download-execute or encoded scripts.
- Check browsers for unexpected children or credential access.
- Block & alert on domains/IPs linked to PureCrypter, Amatera, NetSupport.
- Sandbox suspicious attachments/pages with interactive Run patterns.
- Quarantine endpoints and block known malicious domains from CTI feeds.
- Enforce execution controls: restrict msbuild.exe, constrain PowerShell, block unsigned scripts.
- Rotate credentials, force reauthentication, and reset MFA if compromised.
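Detection logic for the IOCs and hunting steps listed above, as an added example that is not eSentire's or NCC-CSIRT's code: it classifies Sysmon-style process-creation and image-load events for a user-launched msbuild.exe, untrusted DLLs loaded into it, and PowerShell download/execute or encoded commands. All events, paths and the placeholder encoded command are constructed.

```python
"""Detection logic for the EVALUSION chain over constructed Sysmon-style events.

Added example, not eSentire's or NCC-CSIRT's code. It assumes endpoint
telemetry normalised to dicts with Sysmon-like fields for EventID 1
(ProcessCreate) and EventID 7 (ImageLoad). Every event below is constructed.
"""
import re

TRUSTED_DEV_HOSTS = {"msbuild.exe"}  # injection target named in the advisory
USER_LAUNCHERS = {"explorer.exe"}    # Run box / double-click parent process
PS_DOWNLOAD_EXEC = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|\biex\b|"
    r"invoke-expression|-enc(odedcommand)?\b|frombase64string", re.I)

def base(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def classify(event: dict) -> list:
    """Return alert strings for one event (empty list when benign)."""
    alerts = []
    if event["EventID"] == 1:  # ProcessCreate
        child, parent = base(event["Image"]), base(event["ParentImage"])
        if child in TRUSTED_DEV_HOSTS and parent in USER_LAUNCHERS:
            alerts.append(f"user-launched {child} from {parent}")
        if child in ("powershell.exe", "pwsh.exe") and \
                PS_DOWNLOAD_EXEC.search(event.get("CommandLine", "")):
            alerts.append("PowerShell download/execute or encoded command")
    elif event["EventID"] == 7:  # ImageLoad
        host, loaded = base(event["Image"]), event["ImageLoaded"]
        unsigned = event.get("Signed", "false").lower() != "true"
        user_writable = any(p in loaded.lower() for p in ("\\users\\", "\\temp\\"))
        if host in TRUSTED_DEV_HOSTS and (unsigned or user_writable):
            alerts.append(f"{host} loaded untrusted DLL {loaded}")
    return alerts

def hunt(events: list) -> list:
    """Run classify() over an event stream; return (RecordId, alert) pairs."""
    return [(e["RecordId"], a) for e in events for a in classify(e)]

MSBUILD = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
SAMPLE_EVENTS = [  # constructed telemetry
    {"RecordId": 1, "EventID": 1, "Image": r"C:\Windows\explorer.exe",
     "ParentImage": r"C:\Windows\System32\userinit.exe"},
    {"RecordId": 2, "EventID": 1, "Image": MSBUILD,
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "MSBuild.exe"},
    {"RecordId": 3, "EventID": 7, "Image": MSBUILD, "Signed": "false",
     "ImageLoaded": r"C:\Users\bob\AppData\Local\Temp\stage.dll"},
    {"RecordId": 4, "EventID": 7, "Image": MSBUILD, "Signed": "true",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
    {"RecordId": 5, "EventID": 1, "ParentImage": MSBUILD,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -nop -w hidden -enc <base64 placeholder>"},
]

if __name__ == "__main__":
    for rid, alert in hunt(SAMPLE_EVENTS):
        print(rid, alert)
```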
References:
- https://thehackernews.com/2025/11/new-evalusion-clickfix-campaign.html
- https://www.esentire.com/blog/unpacking-netsupport-rat-loaders-delivered-via-clickfix
- https://www.proofpoint.com/au/blog/threat-insight/amatera-stealer-rebranded-acr-stealer-improved-evasion-sophistication
- https://www.microsoft.com/en-us/security/blog/2025/08/21/think-before-you-clickfix-analyzing-the-clickfix-social-engineering-technique/
Advisory ID: NCC-CSIRT-2025-025
Summary:
Cybercriminals are abusing trusted Remote Monitoring & Management (RMM) tools, notably LogMeIn/GoTo Resolve and PDQ Connect, to disguise malware as legitimate programs. Attackers distribute seemingly normal installers (hosted on convincing websites or delivered via phishing) that install RMM agents (or leverage their installers) and then deploy secondary malicious payloads, granting attackers remote control and persistence while blending in with legitimate administrative software.
Damage/Probability: High/High
Indicators of Compromise (IOCs):
- Fake download URLs/domains posing as legitimate vendor pages.
- MSI files mimicking PDQ Connect/LogMeIn installers that trigger unusual outbound activity.
- Unauthorized RMM agents installed on endpoints.
- Outbound C2 or remote-access connections appearing soon after an RMM agent is installed.
Product(s):
- LogMeIn/GoTo Resolve – remote access and support tool.
- PDQ Connect – remote software deployment and management tool.
- Other RMM tools (e.g., ScreenConnect, SimpleHelp, ConnectWise) were used in similar attacks.
Version(s):
Not version-specific; the technique affects environments where RMM agents can be installed or coerced into running with administrative privileges. Confirm vendor-specific advisories for the exact affected builds.
Platform(s):
- Windows Endpoints
- Servers
- Corporate Workstations
- Unmanaged systems where RMM agents are installed or can be side-loaded.
Description:
Recent incidents show attackers hosting convincing “software” pages or sending phishing lures that cause victims to download and run installers which either: (a) install legitimate RMM agents (PDQ Connect MSI, LogMeIn/GoTo Resolve installers) that the attacker controls or misuses; or (b) bundle an RMM installer together with a secondary malicious payload. Once the RMM agent is present with elevated privileges, the attacker uses the tool’s remote-access and management features to move laterally, execute arbitrary commands, and persist. In several reported cases, the final payloads included information-stealers and remote access frameworks. Security vendors, including AhnLab and IBM X-Force, have published analyses describing the distribution patterns and attack chains.
Notable operational details observed across reports: vendors’ legitimate agents (or their installers) are often used to lower suspicion; MSI installers are a recurring delivery artefact; attackers may combine social engineering (fake update/meeting invites) with poisoned landing pages; and sectors affected include logistics, transportation, and enterprise services.
Threat Types:
- Use of legitimate RMM tools for initial access and persistence.
- Delivery of malware through fake vendor sites or compromised installers.
- Full remote control or code execution once the RMM agent runs with admin privileges.
- Data theft, lateral movement, and deployment of additional tools (e.g., Cobalt Strike).
Impacts:
- Attackers gain remote admin control, allowing full system access, credential theft, and further malware deployment.
- Compromise of operational environments where RMM is common, enabling fraud, manipulation, or service disruption.
- Malicious actions blend with legitimate RMM activity, evading detection and bypassing simple allow-lists.
Solutions:
NCC-CSIRT recommends the following mitigation steps:
- Track all RMM installations and alert on any unauthorized agents.
- Detect installers creating new services or persistence.
- Monitor for abnormal remote-management activity or connections.
- Use EDR to flag suspicious installer-to-agent process chains.
- Block malicious installers and sandbox MSI files before approval.
- Treat any unexpected RMM installation as a high-priority incident.
- Enforce strict change-control and approvals for RMM tools.
- Include RMM-abuse scenarios in tabletop and IR playbooks.
- Work with vendors to verify installer integrity and monitor distribution channels.
- Use application allow-listing and require admin approval for new RMM tools.
- Keep an approved RMM vendor list and continuously monitor remote-access channels.
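The approved-vendor-list and "connection soon after install" checks above, as an added example that is not the vendors' or NCC-CSIRT's code: it flags RMM agent installs whose product or publisher is not on the approved list, then correlates them with outbound flows from the same host inside a short window. The install and flow feeds, publisher strings, process names and addresses are all constructed.

```python
"""Flag unapproved RMM agents and outbound flows soon after their install.

Added example, not the vendors' or NCC-CSIRT's code. It assumes two constructed
feeds: software-install events and outbound network flows, as dicts with
ISO 8601 timestamps. Publishers, process names and addresses are constructed.
"""
from datetime import datetime, timedelta

# Approved RMM list an organisation maintains: product -> accepted publishers.
# The publisher string is a placeholder; use the signing name you have verified.
APPROVED_RMM = {"GoTo Resolve": {"ApprovedPublisher (constructed)"}}
# Product-name fragments for the RMM tools the advisory names.
RMM_KEYWORDS = ("goto resolve", "logmein", "pdq connect", "screenconnect",
                "simplehelp", "connectwise")
WINDOW = timedelta(minutes=15)  # "connections soon after an agent is installed"

def is_rmm(product: str) -> bool:
    return any(k in product.lower() for k in RMM_KEYWORDS)

def unapproved_agents(installs: list) -> list:
    """(host, product, publisher) for RMM installs that are not approved, or
    that carry a publisher other than the approved one for that product."""
    hits = []
    for inst in installs:
        if is_rmm(inst["product"]) and \
                inst["publisher"] not in APPROVED_RMM.get(inst["product"], set()):
            hits.append((inst["host"], inst["product"], inst["publisher"]))
    return hits

def install_then_beacon(installs: list, flows: list) -> list:
    """Outbound flows from a host within WINDOW after an unapproved RMM install
    there; returns (host, product, process, dest) tuples to triage first."""
    bad = {(h, p) for h, p, _ in unapproved_agents(installs)}
    flagged = []
    for inst in installs:
        if (inst["host"], inst["product"]) not in bad:
            continue
        t0 = datetime.fromisoformat(inst["time"])
        for f in flows:
            t = datetime.fromisoformat(f["time"])
            if f["host"] == inst["host"] and t0 <= t <= t0 + WINDOW:
                flagged.append((inst["host"], inst["product"], f["process"], f["dest"]))
    return flagged

INSTALLS = [  # constructed install events
    {"host": "WS01", "time": "2025-11-03T09:00:00", "product": "GoTo Resolve",
     "publisher": "ApprovedPublisher (constructed)"},
    {"host": "WS02", "time": "2025-11-03T10:12:00", "product": "PDQ Connect",
     "publisher": "Unknown Publisher"},
]
FLOWS = [  # constructed outbound flows (TEST-NET addresses)
    {"host": "WS01", "time": "2025-11-03T09:02:00", "process": "agent.exe",
     "dest": "198.51.100.5:443"},
    {"host": "WS02", "time": "2025-11-03T10:15:30", "process": "rmm-agent.exe",
     "dest": "203.0.113.10:443"},
    {"host": "WS02", "time": "2025-11-03T12:40:00", "process": "chrome.exe",
     "dest": "203.0.113.7:443"},
]

if __name__ == "__main__":
    print(unapproved_agents(INSTALLS))
    print(install_then_beacon(INSTALLS, FLOWS))
```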
References:
- https://cybersecuritynews.com/hackers-exploiting-rmm-tools-logmein-and-pdq-connect/
- https://exchange.xforce.ibmcloud.com/osint/guid:bf65bd6af1cb45939d562c07edd316ae
- https://simplysecuregroup.com/hackers-exploiting-rmm-tools-logmein-and-pdq-connect-to-deploy-malware-as-a-normal-program/
- https://www.thaicert.or.th/en/2025/11/05/hackers-use-remote-monitoring-and-management-rmm-tools-to-breach-transportation-companies-and-control-cargo-shipments/
- https://www.proofpoint.com/us/blog/threat-insight/remote-access-real-cargo-cybercriminals-targeting-trucking-and-logistics