Friday May 30, 2025

Advisory ID:  ngCERT-2025-050005

SUMMARY

ngCERT is aware of Cisco’s declaration of product End-of-Life (EoL) and End-of-Support (EoS) for Cisco Catalyst 1900, 2900, and 3900 series routers. This implies that Cisco no longer sells or supports the affected devices; hence, software/firmware updates, security patches, and bug fixes will cease. Additionally, technical support and warranty services are discontinued, while hardware replacement/services may become unavailable. The continued use of these devices is liable to introduce significant operational and security risks as well as compliance violations to enterprise and government networks. This advisory, therefore, highlights the security risks and consequences associated with the continued use of Cisco Catalyst 1900, 2900, and 3900 Series Routers and provides mitigation strategies for organizations and individuals.

Probability:    High

Damage:        Critical

Platform(s):   Cisco Routers

DESCRIPTION

The Cisco Catalyst 1900, 2900, and 3900 routers, widely deployed in enterprise environments, have long since passed their official EoL milestones, implying that Cisco has discontinued all software updates, security patches, and hardware support for these devices as follows.

  • Catalyst 1900 Series: End-of-Support Date - 31-May-2025
  • Catalyst 2900 Series: End-of-Support Date - 31-Dec-2022
  • Catalyst 3900 Series: End-of-Support Date- 31-Dec-2022.

Organizations with Cisco Catalyst 1900, 2900, and 3900 series routers deployed past their EoL and EoS dates are vulnerable to known exploits such as CVE-1999-1129, CVE-2015-0586, and CVE-2017-6742, making them prime targets for malware, ransomware, and unauthorized access. Troubleshooting becomes difficult without vendor support, scarcity of spare parts, and compatibility with modern protocols are limited. Additionally, as these routers age, the risk of sudden failure increases, potentially disrupting critical operations. The risks of maintaining these legacy systems far outweigh any perceived cost savings, making timely upgrades essential. Furthermore, outdated encryption and weak authentication further expose networks to threats.

CONSEQUENCES

Successful exploitation could lead to:

  1. Unpatched Exploits: These routers do not receive security updates, making them vulnerable to known and zero-day exploits.
  2. Regulatory & Compliance Violations: Non-compliance with standards like PCI DSS, HIPAA, or NIST due to insecure infrastructure. This could lead to fines, audits, or loss of certifications in regulated industries.
  3. Operational Instability: Hardware failure risks increase due to ageing components.
  4. Network Performance Degradation: Poor integration with newer systems or cloud services.
  5. Increased Attack Surface: Devices may be targeted by automated botnets or lateral movement in APT campaigns.

SOLUTION/MITIGATION

ngCERT recommends the following:

  1. Patch Immediate Device Assessment: Inventory all existing Cisco Catalyst 1900/2900/3900 routers and identify devices exposed to external networks or critical infrastructure segments.
  2. Replace and Upgrade to Supported Hardware: Plan and execute migration to currently supported Cisco platforms (e.g., Catalyst 9000 Series, ISR 4000 Series). Choose models that support modern standards or consider alternatives from other vendors.
  3. Network Segmentation & Isolation: If decommissioning is delayed, isolate these devices in a separate VLAN with strict access controls and monitor traffic for anomalies using intrusion detection systems (IDS).
  4. Disable unused services and interfaces: Turn off Telnet, HTTP, SNMPv1/2, and other outdated protocols in favor of SSH, HTTPS, and SNMPv3.
  5. Update Network Policies: Modify procurement and lifecycle management policies to decommission unsupported devices proactively.
  6. Align network hardware lifecycle with cybersecurity and compliance frameworks (e.g., NIST, ISO 27001).

 REFERENCES

Advisory ID:  ngCERT-2025-050007

Probability:    High

Damage:        Critical

Platform(s):   Microsoft Office

SUMMARY

ngCERT warns of a marked intensification in cyber espionage activities by SideWinder (aka Rattlesnake or *T-APT-04*), a state-aligned advanced persistent threat (APT) group. Historically focused on government and military entities, the group has now expanded its operations to target maritime, logistics, telecommunications, and financial institutions across Africa and Asia. This shift underscores heightened risks to critical infrastructure and economic stability in these regions.

DESCRIPTION

The key tactics and exploits include:

 Weaponized Phishing Campaigns:

  • SideWinder distributes spear-phishing emails containing malicious Microsoft Office documents engineered to exploit memory corruption vulnerabilities (CVE-2017-11882, CVSS 7.8 – High; CVE-2018-0802, CVSS 7.8 – High). These documents execute arbitrary code to compromise systems.
  • Open XML (OOXML) File Abuse:
    Malicious OOXML files bypass legacy security controls to deploy payloads.
  • Post-Exploitation Malware:
    After initial access, the group deploys custom tools like StealerBot (data-harvesting malware) and advanced Remote Access Trojans (RATs) to exfiltrate sensitive data, establish persistence, and pivot laterally within networks.

CONSEQUENCES

This could further result in:

  1. Operational Disruption: Compromised systems in logistics or maritime sectors could halt critical supply chains.
  2. Financial Loss: Theft of banking credentials or intellectual property from financial institutions.
  3. National Security Threats: Exfiltration of government/military data or sabotage of telecom infrastructure.

SOLUTION/MITIGATION

ngCERT recommends the following:

 

  1. Patch Legacy Systems: Prioritize updates for Microsoft Office vulnerabilities (CVE-2017-11882, CVE-2018-0802).
  2. Block Suspicious OOXML Files: Use email filtering to quarantine documents with macros or unusual metadata.
  3. Enforce Multi-Factor Authentication (MFA): Limit lateral movement via compromised credentials.
  4. Monitor for Lateral Movement: Deploy endpoint detection (EDR) and network traffic analysis tools.
  5. Train Staff: Simulate phishing attacks to raise awareness of malicious document tactics.
  6. Adopt a Zero Trust security framework to verify all access and restrict to the minimum necessary permissions.

 Urgency!!!

With SideWinder’s evolving capabilities and cross-sector targeting, organizations in affected regions face high-severity risks (CVSS 7.8–9.0 contextual scores). Proactive defense is critical to preempt large-scale breaches.

 REFERENCES

Advisory ID: NCC-CSIRT-2025-006

Summary: 

Cybersecurity researchers have identified a new malicious tool named ‘Defendnot’. This tool can disable Microsoft Defender, the built-in antivirus and endpoint protection software on Windows systems, leaving affected machines vulnerable to further compromise. The threat actors behind this tool appear to be leveraging it as a preliminary stage in larger malware campaigns, allowing for stealthy persistence, lateral movement, and data exfiltration. 

Damage/Probability: HIGH/Critical

Product(s): Windows 10, Windows 11, and Windows Server.

Version(s): All supported versions of Windows 10, 11, and Windows Server 2016 and above

Platform(s): Microsoft Windows

Description: 

Threat actors are using the Defendnot to stealthily disable Microsoft Defender on Windows systems. The tool leverages system utilities, registry modifications, and PowerShell scripts to tamper with Defender settings, effectively bypassing endpoint protection. This allows attackers to deploy additional malware and remain undetected on compromised systems. Organizations using Windows platforms are particularly vulnerable if adequate security hardening and monitoring are not enforced. 

Consequences:  

To mitigate the identified threat, the following steps are recommended:

  • Apply the latest security updates from Microsoft.

  • Disable unnecessary scripting and administrative tools on user endpoints.

  • Inform system administrators and security personnel about this threat.

  • Conduct awareness training to recognize suspicious activity or social engineering attempts.

  • Ensure Tamper Protection is enabled in Microsoft Defender.

  • Use Group Policy or Intune to enforce Defender protection settings.

  • Block PowerShell scripts that are unsigned or originate from unknown sources.

  • Scan endpoints using an up-to-date Endpoint Detection and Response solution.

  • Monitor for and alert on PowerShell execution logs (Event ID 4104), and Defender configuration changes (Event ID 5007)

  • Restore any altered Defender settings using centralized policy enforcement.

Solution: 

  • Always install the latest security patches and Android OS updates.

  • Disable NFC functionality when not in use.

  • Only install applications from trusted sources (Google Play Store) and verify app permissions.

  • Deploy reputable mobile security solutions that monitor and block NFC abuse.

  • Be vigilant about unfamiliar or excessive permissions requested by apps.

References:

Advisory ID:  ngCERT-2025-050003

SUMMARY

ngCERT has issued an urgent alert regarding a critical vulnerability (CVE-2024-44276, CVSS 9.1 – Critical) in Apple’s Password App for iOS 18, enabling attackers to hijack user sessions and steal sensitive credentials. The flaw originates from the app’s reliance on an insecure HTTP protocol for data transmission, allowing adversaries on shared networks (e.g., public Wi-Fi) to intercept unencrypted traffic and redirect users to malicious phishing sites. These fraudulent pages mimic legitimate services to harvest login credentials, financial data, and other personal information.

Probability:    High

Damage:        Critical

Platform(s):   iOS, iPadOS

DESCRIPTION

The vulnerability in Apple’s password manager App was identified as an insecure data transmission protocol weakness susceptible to compromise by threat actors. Particularly, the App used unencrypted HTTP connections, as opposed to a more secure HTTPS, to fetch logos and icons while opening password reset pages. Attackers with privileged access, mostly connected to the same network as the user (i.e. Starbucks, airport, or hotel Wi-Fi), could intercept the HTTP request and redirect the user to a phishing website. Thereafter, threat actors can easily gather login credentials from victims and utilize them for other malicious activities. Nonetheless, Apple addressed the problem in a security update in its iOS 18.2 version..

CONSEQUENCES

Exploitation of the flaw could lead to phishing attacks and theft of login credentials. This could further result in:

  1. Malware infiltrations.
  2. Financial losses through fraudulent transactions.
  3. Identity theft occasioned by stolen sensitive data.
  4. Emotional distress.
  5. Disruption of critical services leading.

SOLUTION/MITIGATION

While Apple has addressed the vulnerability in recent updates, ngCERT strongly advises all iOS 18 users to:

  1. Install the latest security patch immediately via Settings > General > Software Update.
  2. Avoid using the Password App on public or untrusted networks until updates are confirmed.
  3. Enable HTTPS-only mode in browser settings to block insecure connections.

 REFERENCES

Advisory ID:  ngCERT-2025-050001

SUMMARY

ngCERT is aware of Microsoft Corporation’s announcement of the End-of-Support (EOS) for Windows 10 on October 14, 2025. After this date, Microsoft will no longer provide security updates, technical support, or bug fixes for the Windows 10 operating system (OS). This advisory highlights the security risks associated with the continued use of Windows 10 post-EOS and provides mitigation strategies for organizations and individuals.

Probability:    High

Damage:        Critical

Platform(s):   Windows

DESCRIPTION

Microsoft follows a lifecycle policy for its products, after which extended support is discontinued. Windows 10, a widely used OS in both enterprise and consumer environments, will reach its end of support in October 2025. Post-EOS, the OS will no longer receive:

  • Security patches for newly discovered vulnerabilities.
  • Technical assistance from Microsoft.
  • Bug fixes or performance improvements.

    This discontinuation poses significant cybersecurity risks, as unpatched systems will be vulnerable to exploits targeting newly discovered flaws.

CONSEQUENCES

  1. Loss of Productivity & Business DisruptionSystem crashes, compatibility issues with newer software, and a lack of vendor support may disrupt operations.
  2. Increased Vulnerability to Cyberattacks as attackers may exploit unpatched security flaws, leading to malware infections, ransomware, and data breaches. Legacy systems running Windows 10 may become prime targets for cybercriminals.
  3. Higher Long-Term Costs, as maintaining outdated systems may require costly custom support agreements or emergency migration efforts.
  4. Non-Compliance with Regulatory Standards.

SOLUTION/MITIGATION

The following should be considered:

  1. Upgrade to Windows 11 or a supported OSEnsure hardware compatibility and migrate to Windows 11 or another supported OS before EOS.
  2. Develop a Migration PlanInventory all Windows 10 devices and prioritize upgrades based on criticality. Ensure to test applications for compatibility before migration.
  3. Consider Extended Security Updates (ESUs)If migration is delayed, enrol in Microsoft’s Extended Security Update (ESU) program (paid) for critical patches (limited duration)
  4. Implement Strong Security ControlsDeploy Endpoint Detection & Response (EDR) solutionsenforce network segmentation to isolate legacy systems while also applying strict firewall rules and application whitelisting.
  5. Switch to a Supported Alternative such as a Linux-based OS
  6. Enhance Security Posture by using reputable antivirus/anti-malware solutions, as well as enabling multi-factor authentication (MFA) and regular backups.

 REFERENCES

  1. SOLARWINDS SERV-U FILE TRANSFER AND MANAGEMENT SOFTWARE
  2. Android Malware Leverages NFC to Enable Unauthorized POS and ATM Withdrawals
  3. Multiple Vulnerabilities in Network Time Protocol (NTP)
  4. SideWinder Espionage Group Targeting Nigerian Maritime, Government, Telecommunications, and Financial Sectors

Page 1 of 24