Advisory ID: NCC-CSIRT-2025-005
Summary:
Researchers from the anti-fraud security vendor Cleafy discovered a new wave of Android malware, called "SuperCard X", that abuses Near Field Communication (NFC) to carry out instant cash-out attacks. Once installed, the malware silently initiates unauthorised financial transactions through NFC-enabled payment services. Its sophistication introduces severe risks to mobile banking, digital wallets, and the broader cashless economy.
Damage/Probability: HIGH/Critical
Product(s): Android devices with NFC capability, Digital wallets (Google Pay, OEM-specific wallets), Banking apps with NFC-integrated payment systems.
Version(s): All types and versions
Platform(s): Android operating System
Description:
According to the researchers, SuperCard X is offered as malware-as-a-service (MaaS) through Chinese-speaking channels. It uses an NFC-relay technique: the malware on a compromised handset intercepts the contactless exchange with the victim's card or wallet and relays it to an attacker-controlled device, which presents it to a point-of-sale (POS) terminal or ATM so that threat actors (TAs) can fraudulently authorise payments and cash withdrawals. The malware covertly activates the device's NFC functionality and triggers the payment flow without the user's consent. It targets Android devices, especially those with poorly secured NFC configurations or outdated security patches. When the relaying device is presented to a legitimate terminal, the transaction is approved as if the genuine card were present, draining funds within seconds.
Consequences:
- Financial loss for individuals and businesses.
- Compromise of personal and financial data.
- Reputational damage to financial service providers.
- Increased erosion of trust in mobile cashless transactions.
Solution:
- Always install the latest security patches and Android OS updates.
- Disable NFC functionality when not in use.
- Only install applications from trusted sources (Google Play Store) and verify app permissions.
- Deploy reputable mobile security solutions that monitor and block NFC abuse.
- Be vigilant about unfamiliar or excessive permissions requested by apps.
References:
- https://www.darkreading.com/threat-intelligence/nfc-android-malware-instant-cash-outs
- https://cybernews.com/security/android-malware-contactless-card-theft-supercard/
- https://www.malwarebytes.com/blog/news/2025/04/android-malware-turns-phones-into-malicious-tap-to-pay-machines
- https://cybersecuritynews.com/new-android-supercard-x-malware-employs-nfc-relay-technique/
- https://www.bleepingcomputer.com/news/security/supercard-x-android-malware-use-stolen-cards-in-nfc-relay-attacks/
Advisory ID: NCC-CSIRT-2025-004
Summary:
Multiple vulnerabilities have been identified in older versions of NTP, which could be exploited to cause Denial of Service, remote code execution, or time spoofing.
CVE(s): CVE-2023-26554, CVE-2023-26555, CVE-2023-26556
Damage/Probability: HIGH/HIGH
Product(s): Network Time Protocol Daemon (ntpd)
Version(s): ntpd releases prior to 4.2.8p16
Platform(s): Unix/Linux systems, BSD, Windows.
Description:
The vulnerabilities stem from memory corruption, improper input validation, and insecure handling of control messages in ntpd. Exploitation could allow attackers to crash the service, gain remote access, or manipulate the time on synchronised hosts, which in turn undermines log timestamps, certificate validity checks, and other time-based security mechanisms.
Consequences:
- Disruption of network time synchronization
- Unauthorized control of system time
- Remote system compromise
- Interruption of time-based authentication systems
Solution:
- Upgrade to NTP version 4.2.8p16 or later
- Consider migrating to Chrony for secure time synchronization
- Restrict NTP access via firewalls (UDP/123 should only be reachable from intended clients and upstream servers)
- Disable unused features such as mode 7 "monlist" queries and mode 6 control/query access (for ntpd, the noquery option on the restrict lines)
- Monitor NTP traffic for anomalies, in particular mode 6/7 queries from unexpected sources
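The following Python example is added to this advisory to illustrate the last two recommendations; it is not part of the NTP project or of any referenced report. It classifies NTP payloads by the mode field in the first header byte and flags the mode 7 "monlist" request codes and mode 6 control opcodes that should not arrive from arbitrary sources. The sample payloads and source addresses are constructed for illustration, not captured traffic.

```python
"""Triage NTP packets by mode: flag mode 7 "monlist" and mode 6 control
queries (the features the advisory recommends disabling). Added example;
payloads below are constructed, not captured traffic."""
from collections import Counter
from typing import Dict, Iterable, Tuple

# Byte 0 of every NTP packet: LI (2 bits) | VN (3 bits) | Mode (3 bits).
MODE_CLIENT = 3
MODE_CONTROL = 6    # ntpq control messages
MODE_PRIVATE = 7    # ntpdc "private" messages; monlist is a mode 7 request

# Mode 7 request codes (byte 3) for the monitor list.
MON_GETLIST = 20
MON_GETLIST_1 = 42
# Mode 6 opcode (low 5 bits of byte 1) used by "ntpq -c rv".
CTL_OP_READVAR = 2


def classify(payload: bytes) -> Dict[str, object]:
    """Return version, mode and a triage flag for one UDP/123 payload."""
    if len(payload) < 4:
        raise ValueError("too short to be an NTP packet")
    first = payload[0]
    info: Dict[str, object] = {"version": (first >> 3) & 0x7,
                               "mode": first & 0x7,
                               "flag": None}
    if info["mode"] == MODE_PRIVATE:
        # Mode 7 layout: byte 1 = auth/sequence, byte 2 = implementation,
        # byte 3 = request code.
        code = payload[3]
        info["request_code"] = code
        info["flag"] = ("mode7-monlist" if code in (MON_GETLIST, MON_GETLIST_1)
                        else "mode7-private")
    elif info["mode"] == MODE_CONTROL:
        # Mode 6 layout: byte 1 = R|E|M flags (3 bits) + opcode (5 bits).
        opcode = payload[1] & 0x1F
        info["opcode"] = opcode
        info["flag"] = ("mode6-readvar" if opcode == CTL_OP_READVAR
                        else "mode6-control")
    return info


def triage(packets: Iterable[Tuple[str, bytes]]) -> Dict[str, Counter]:
    """Count flagged query types per source address; ordinary client/server
    exchanges (modes 1-5) are ignored."""
    per_src: Dict[str, Counter] = {}
    for src, payload in packets:
        try:
            info = classify(payload)
        except ValueError:
            continue
        if info["flag"] is not None:
            per_src.setdefault(src, Counter())[str(info["flag"])] += 1
    return per_src


# Constructed sample payloads (not captured traffic).
MONLIST_PROBE = bytes([0x17, 0x00, 0x03, 0x2A]) + b"\x00" * 4   # VN=2, mode 7, MON_GETLIST_1
READVAR_QUERY = bytes([0x16, 0x02, 0x00, 0x01]) + b"\x00" * 8   # VN=2, mode 6, READVAR
CLIENT_POLL = bytes([0x23]) + b"\x00" * 47                      # VN=4, mode 3, normal client

SAMPLE_CAPTURE = [
    ("203.0.113.5", MONLIST_PROBE),
    ("203.0.113.5", MONLIST_PROBE),
    ("203.0.113.9", READVAR_QUERY),
    ("192.0.2.10", CLIENT_POLL),
]

if __name__ == "__main__":
    for src, counts in triage(SAMPLE_CAPTURE).items():
        print(src, dict(counts))
```

Feed it the UDP payloads of port 123 traffic from a capture and anything reported for a source that is not one of your own monitoring hosts deserves a look: a server that answers these queries is at best leaking configuration and at worst usable for amplification.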
References:
Advisory ID: NCC-CSIRT-2025-003
Summary:
The Nigerian Communications Commission's Computer Security Incident Response Team (NCC-CSIRT) wishes to inform critical stakeholders and constituents across the telecommunications, maritime, logistics, financial, and public sectors of an escalating cyber threat posed by the SideWinder Advanced Persistent Threat (APT) group, also known as T-APT-04 or RattleSnake, a sophisticated cyber espionage group operating primarily from the Indian subcontinent.
Damage/Probability: CRITICAL/HIGH
Platform(s): Microsoft Office (malicious Office documents, including Office Open XML files)
Description:
SideWinder employs spear-phishing as its primary attack vector, delivering malicious Microsoft Office documents, including Office Open XML (OOXML) files, that embed exploit code. One exploit it is known to use targets CVE-2017-11882, a memory corruption vulnerability in Microsoft Office's Equation Editor (EQNEDT32.EXE).
Their malicious toolkit includes:
- StealerBot – used for credential theft and sensitive data exfiltration.
- Advanced Remote Access Trojans (RATs) – enabling persistent backdoor access to victim systems.
- Command-and-Control (C2) infrastructure – often hidden via encrypted tunnels and obfuscated traffic.
Consequences:
- Compromise of sensitive data and classified government information.
- Disruption of maritime logistics and operational technologies.
- Threats to national critical infrastructure, including telecommunications and banking networks.
- Long-term surveillance and unauthorized network access.
Solution:
To mitigate the identified threat, the following steps are recommended:
- Immediately apply security updates to Microsoft Office applications, particularly to mitigate CVE-2017-11882 and other known vulnerabilities.
- Use the latest supported versions of all software applications.
- Deploy advanced email security gateways with attachment and link scanning capabilities.
- Enable attachment sandboxing and disable automatic execution of macros.
- Conduct regular employee awareness sessions on phishing identification and reporting procedures.
- Encourage verification of suspicious emails, especially those requesting credentials or urging urgency.
- Employ Endpoint Detection and Response (EDR) tools capable of detecting malware signatures associated with StealerBot and RATs.
- Enable logging and continuous monitoring of endpoint activities.
- Segment critical networks from general-purpose IT environments.
- Enforce least-privilege access policies and implement multifactor authentication (MFA).
- Review and update documented procedures and workflows used during cybersecurity incident response.
- Ensure rapid communication channels with NCC-CSIRT for threat reporting and coordination.
- Proactively monitor for Indicators of Compromise (IoC) associated with SideWinder campaigns.
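The Python example below is added to this advisory to show one concrete check behind the attachment-scanning and IoC-monitoring recommendations; it is not SideWinder tooling, nor a detection rule taken from the referenced reports. It looks for embedded Equation Editor (Equation.3) objects, the component abused by CVE-2017-11882, in three places: the ProgID on an OLEObject element inside an OOXML package, the Equation.3 CLSID or "Equation Native" stream name inside an OLE compound file (standalone .doc or an embedding inside a .docx), and the \objclass control word in RTF, which this example covers as a generalisation because Equation Editor exploits are commonly delivered as RTF. The sample documents are constructed in the code and are not malicious. A hit means an Equation Editor object is present, which is a strong triage signal since Microsoft removed Equation Editor from Office in January 2018, but it does not by itself prove exploitation.

```python
"""Scan a document for embedded Equation Editor (Equation.3) objects, the
component abused by CVE-2017-11882. Added example; samples are constructed."""
import io
import re
import uuid
import zipfile
from typing import List

OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
# CLSID of the Equation.3 COM class, in the little-endian byte order used
# inside OLE compound-file directory entries.
EQNEDT_CLSID = uuid.UUID("0002CE02-0000-0000-C000-000000000046").bytes_le
# Stream names in compound files are stored as UTF-16LE.
EQN_NATIVE_STREAM = "Equation Native".encode("utf-16-le")
OOXML_PROGID = re.compile(rb'ProgID="Equation\.\d"')
RTF_OBJCLASS = re.compile(rb"\\objclass\s*Equation\.\d")


def scan_ole(blob: bytes, where: str) -> List[str]:
    """Indicators inside one OLE compound file (raw scan, no parsing)."""
    hits: List[str] = []
    if not blob.startswith(OLE_MAGIC):
        return hits
    if EQNEDT_CLSID in blob:
        hits.append(f"{where}: Equation.3 CLSID in OLE object")
    if EQN_NATIVE_STREAM in blob:
        hits.append(f"{where}: 'Equation Native' stream in OLE object")
    return hits


def scan_document(data: bytes) -> List[str]:
    """Return indicator strings for an OOXML zip (.docx/.xlsx), a legacy OLE
    document (.doc/.xls) or an RTF file. An empty list means nothing found."""
    hits: List[str] = []
    if data.startswith(b"PK\x03\x04"):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                content = zf.read(name)
                if name.endswith(".xml") and OOXML_PROGID.search(content):
                    hits.append(f"{name}: OLEObject with ProgID Equation.3")
                if "/embeddings/" in name:
                    hits.extend(scan_ole(content, name))
    elif data.startswith(OLE_MAGIC):
        hits.extend(scan_ole(data, "root"))
    elif data.startswith(b"{\\rtf"):
        if RTF_OBJCLASS.search(data):
            hits.append("rtf: \\objclass Equation.3")
    return hits


def build_sample_docx(with_equation: bool) -> bytes:
    """Constructed minimal OOXML package; not a real malicious sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        body = b'<w:document xmlns:o="urn:schemas-microsoft-com:office:office">'
        if with_equation:
            body += b'<o:OLEObject Type="Embed" ProgID="Equation.3" ObjectID="_1"/>'
            ole = OLE_MAGIC + b"\x00" * 24 + EQNEDT_CLSID + b"\x00" * 8 + EQN_NATIVE_STREAM
            zf.writestr("word/embeddings/oleObject1.bin", ole)
        body += b"</w:document>"
        zf.writestr("word/document.xml", body)
    return buf.getvalue()


# Constructed RTF fragment carrying an Equation.3 object class (benign content).
SAMPLE_RTF = b"{\\rtf1{\\object\\objemb{\\*\\objclass Equation.3}{\\*\\objdata 00}}}"

if __name__ == "__main__":
    for label, doc in (("docx-eqn", build_sample_docx(True)),
                       ("docx-clean", build_sample_docx(False)),
                       ("rtf", SAMPLE_RTF)):
        print(label, scan_document(doc))
```

Run scan_document over the bytes of each inbound attachment at the mail gateway or in a sandbox pre-filter; documents that report any hit should be quarantined for analysis rather than delivered.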
References:
- https://cyberpress.org/sidewinder-apt-hackers-attack-military-government/
- https://thehackernews.com/2025/03/sidewinder-apt-targets-maritime-nuclear.html
- https://www.group-ib.com/media-center/press-releases/sidewinder-apt-report/
- https://securityonline.info/sidewinder-apt-a-decade-of-evolution-and-global-expansion/
- https://undercodenews.com/sidewinder-apt-expanding-operations-with-enhanced-cyberattack-tactics/
- https://cybersecuritynews.com/sidewinder-apt-group-attacking-military-government-entities/
- https://rewterz.com/threat-advisory/sidewinder-apt-targets-maritime-nuclear-and-it-sectors-across-asia-the-middle-east-and-africa-active-iocs
Advisory ID: NCC-CSIRT-2025-002
CVE: CVE-2025-2783
Probability: High
Impact: High
Product(s): Google Chrome
Version(s): Versions prior to the 25 March 2025 Stable Channel update (134.0.6998.177/.178 on Windows) that addresses CVE-2025-2783
Platform(s): Windows (the exploited Mojo IPC bug is Windows-specific; Chrome on macOS and Linux should still be kept current)
Threat Type (s): Zero-Day Exploit, Remote Code Execution, Advanced Persistent Threat (APT)
Summary
A sophisticated zero-day vulnerability in Google Chrome (CVE-2025-2783) is being exploited in the wild, allowing attackers to escape the browser sandbox after a victim opens a malicious link.
Consequences
Remote Code Execution, System Compromise, Espionage, and Unauthorized Access.
Description
Kaspersky has identified an advanced Chrome zero-day exploit (CVE-2025-2783) used in targeted espionage operations. The flaw, an incorrect handle passed in Chrome's Mojo IPC layer on Windows, lets an attacker escape the sandbox using a specially crafted link; a single click on the link is enough to compromise the system. The attack has been linked to an APT group targeting government, media, and educational institutions in Russia. Although the campaign was geographically focused, the same techniques may be deployed elsewhere, and the exploit's complexity and stealth make it a serious threat.
Solution
Google has released a patch to address CVE-2025-2783. All users are strongly advised to update Chrome to the latest version immediately and to restart the browser so the update takes effect. System administrators should also ensure automatic updates are enabled and monitored across endpoints.
References
https://securelist.com/operation-forumtroll/115989/
https://chromereleases.googleblog.com/2025/03/stable-channel-update-for-desktop_25.html
Advisory ID: NCC-CSIRT-2025-001
Summary
The Mirai malware is actively spreading in Nigeria’s cyberspace, targeting IoT devices with weak security settings. Once infected, these devices become part of a botnet used for large-scale DDoS attacks and other malicious activities. Organizations and individuals using IoT devices must take immediate steps to secure their infrastructure.
CVEs: CVE-2016-10401, CVE-2017-17215, CVE-2018-10088, CVE-2019-9580, CVE-2024-45163
Probability: High
Impact: Severe – Potential for large-scale botnet attacks, DDoS campaigns, and system compromise
Product (s): IoT Devices, Routers, DVRs, IP Cameras, Networked Devices
Version (s): Various firmware versions vulnerable to default or weak credentials
Platform (s): Linux-based IoT devices and embedded systems
Threat Type (s): Botnet, Malware, Distributed Denial-of-Service (DDoS), Credential Exploitation
Consequences
- Devices compromised and controlled by attackers.
- Participation in large-scale DDoS attacks affecting critical services.
- Unauthorized access to sensitive networks and data.
- Potential for further malware propagation within affected networks.
Description
Mirai is a self-propagating malware that infects IoT devices by exploiting weak/default credentials and unpatched vulnerabilities. Once infected, the device joins a botnet controlled by threat actors to launch massive DDoS attacks or other malicious activities. The malware continuously scans for additional vulnerable devices, increasing its attack surface. Reports indicate a rise in Mirai-related incidents in Nigeria, highlighting the urgent need for preventive measures.
Solution
- Change default credentials: Immediately update factory-set usernames and passwords on all IoT devices.
- Apply firmware updates: Ensure devices are running the latest firmware with security patches.
- Disable unnecessary services: Turn off remote management features that are not required.
- Implement network segmentation: Isolate IoT devices from critical networks to limit exposure.
- Use strong authentication: Enable multi-factor authentication (MFA) where possible.
- Monitor network traffic: Regularly check for unusual outbound traffic that may indicate botnet activity.
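The Python example below is added to this advisory to make the last recommendation concrete; it is not code from any referenced report. It works on outbound TCP SYN records (source, destination, destination port, sequence number) and uses two signals from the published Mirai source: a single host fanning out to many destinations on the telnet ports 23 and 2323, and a TCP sequence number equal to the destination IPv4 address, which Mirai's scanner sets deliberately. The flows are constructed in the code; the fan-out threshold is an assumption to be tuned per network, and derivative botnets may change the sequence-number behaviour, so the fan-out signal is kept as an independent verdict.

```python
"""Flag hosts whose outbound telnet SYNs look like Mirai's scanner. Added
example; flows below are constructed, not real captures."""
import ipaddress
import random
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple, Optional


class Syn(NamedTuple):
    src: str     # internal host sending the SYN
    dst: str     # destination IPv4 address
    dport: int   # destination port
    seq: int     # TCP sequence number as read big-endian from the wire


TELNET_PORTS = {23, 2323}
FANOUT_THRESHOLD = 20   # distinct destinations per source (assumed; tune per network)
SEQ_MATCH_RATIO = 0.9   # share of SYNs whose seq equals the destination address


def seq_equals_dst(pkt: Syn) -> bool:
    # Mirai's scanner copies the destination address into the TCP sequence
    # field, so on the wire seq == destination IPv4 address as a 32-bit integer.
    return pkt.seq == int(ipaddress.IPv4Address(pkt.dst))


def detect(packets: Iterable[Syn]) -> Dict[str, dict]:
    """Summarise telnet SYN activity per source and assign a verdict:
    'mirai-scanner' (fan-out plus sequence signature), 'telnet-fanout'
    (fan-out only) or None."""
    stats = defaultdict(lambda: {"dsts": set(), "total": 0, "seq_eq_dst": 0})
    for p in packets:
        if p.dport not in TELNET_PORTS:
            continue
        s = stats[p.src]
        s["dsts"].add(p.dst)
        s["total"] += 1
        if seq_equals_dst(p):
            s["seq_eq_dst"] += 1
    report: Dict[str, dict] = {}
    for src, s in stats.items():
        fanout = len(s["dsts"]) >= FANOUT_THRESHOLD
        signature = s["total"] > 0 and s["seq_eq_dst"] / s["total"] >= SEQ_MATCH_RATIO
        verdict: Optional[str] = None
        if fanout and signature:
            verdict = "mirai-scanner"
        elif fanout:
            verdict = "telnet-fanout"
        report[src] = {"destinations": len(s["dsts"]), "syns": s["total"],
                       "seq_eq_dst": s["seq_eq_dst"], "verdict": verdict}
    return report


def sample_flows() -> List[Syn]:
    """Constructed flows: one Mirai-like scanner and one benign admin host."""
    rng = random.Random(1)
    flows: List[Syn] = []
    for i in range(1, 31):
        dst = f"198.51.100.{i}"
        # Mirai probes 23 most of the time and 2323 occasionally.
        flows.append(Syn("10.0.0.7", dst, 2323 if i % 10 == 0 else 23,
                         int(ipaddress.IPv4Address(dst))))
    for i in range(1, 4):
        flows.append(Syn("10.0.0.9", f"10.0.1.{i}", 23, rng.getrandbits(32)))
    return flows


if __name__ == "__main__":
    for src, r in detect(sample_flows()).items():
        print(src, r)
```

Flow exports (NetFlow/IPFIX) carry the first three fields but usually not the sequence number, so the sequence check needs packet capture at the egress point; the fan-out verdict alone is still worth alerting on, because no legitimate IoT device should be opening telnet sessions to dozens of external hosts.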
References
https://www.cisa.gov/news-events/alerts/2016/10/14/heightened-ddos-threat-posed-mirai-and-other-botnets
https://www.quorumcyber.com/wp-content/uploads/2023/06/Quorum-Cyber-_Mirai-Botnet-Report.pdf
https://darktrace.com/fr/blog/mirai-malware-infects-cctv-camera