Advisory ID: NCC-CSIRT-2026-014

Summary: 

Damage: Critical

Probability: High

Product(s)

• Enterprise IT Systems
• Government Databases
• Healthcare Information Systems
• Web Applications and Network Infrastructure

Version(s):

• All unpatched or improperly configured systems
• Systems with weak authentication mechanisms

Platform(s): 

• Windows
• Linux
• Cloud-based environments
• On-premise enterprise networks

Description: 

Impacts: 

• Large-scale data breaches involving sensitive information
• Financial loss due to ransom payments and remediation costs
• Disruption of critical services and operations
• Reputational damage and loss of public trust
• Regulatory and legal implications

Threat Types: 

• Ransomware (Double Extortion)
• Data Exfiltration
• Unauthorized Network Access
• Exploitation of System Vulnerabilities

Solutions/Mitigations:  

NCC-CSIRT recommends the following mitigation steps:

• Apply timely security patches and updates across all systems
• Conduct regular vulnerability assessments and penetration testing
• Enforce Multi-Factor Authentication (MFA)
• Implement strong password policies
• Adopt least-privilege access principles
• Segment critical networks
• Deploy Intrusion Detection and Prevention Systems (IDS/IPS)
• Monitor for unusual network activity
• Maintain regular, secure, and offline backups
• Test backup restoration procedures periodically
• Implement Security Information and Event Management (SIEM) solutions
• Establish and regularly update incident response plans
• Conduct regular cybersecurity awareness training
• Educate users on phishing and social engineering risks

References:

• https://redpiranha.net/news/threat-intelligence-report-march-3-march-9-2026

• https://www.upguard.com/news/statistics-south-africa-data-breach-2026-03-31

• https://databreaches.net/2026/03/30/south-african-government-agency-and-spanish-psychological-software-provider-victims-of-cyberattacks-by-xp95/

• https://witness.co.za/news/2026/03/30/stats-sa-confirms-data-breach-hackers-demand-ransom/

• https://helm.news/2026-03-30/stats-sa-confirms-ransomware-attack-hr-database-group-xp-demanding-ransom.html

• https://app.megazone.fm/news/c/0/i/95713595/stats-sa-hit-ransomware-attack-over-450000-files-compromised
  
  

Advisory ID: NCC-CSIRT-2026-012

Summary: 

Damage: Critical

Probability: High

Product(s)/Platform(s): 

The campaign does not target a specific vendor product but rather infrastructure commonly used in telecommunications environments, including:

• Linux Servers and Web Servers
• Edge Network Devices
• Telecom Core Network Systems
• Subscriber Databases
• Call Data Record (CDR) Systems
• Network Management Systems
• Cloud Infrastructure and SaaS Platforms

Indicators of Compromise (IOCs): 

• Suspicious connections to Google Sheets API or unusual SaaS API traffic
• Unknown system services (e.g., xapt.service)
• Unauthorized SSH lateral movement
• Use of SoftEther VPN connections
• Unknown service accounts
• Persistent malware in /usr/sbin directories
• Unusual outbound encrypted connections
• Cloud API traffic from servers that normally do not use cloud services

Description: 

Impacts: 

• Gain persistent access to telecom networks
• Monitor communications and subscriber data
• Access call data records and SMS metadata
• Conduct surveillance on targeted individuals
• Move laterally across telecom infrastructure
• Maintain long-term undetected access
• Compromise government communications
• Access lawful interception systems

Threat Types: 

• Cyber Espionage
• Advanced Persistent Threat (APT)
• Backdoor Malware
• Command and Control (C2)
• Data Exfiltration
• Network Intrusion
• Persistence / Unauthorized Access

Solutions/Mitigations:  

NCC-CSIRT recommends the following mitigation steps:

• Patch and secure all public-facing web servers and edge devices.
• Strictly monitor outbound connections to cloud services such as Google Sheets, Google Drive, and other SaaS platforms.
• Implement network segmentation within telecom infrastructure.
• Monitor for unauthorized system services and persistence mechanisms.
• Audit service accounts and SSH access logs.
• Deploy Endpoint Detection and Response (EDR) solutions on critical servers.
• Implement multi-factor authentication for administrative accounts.
• Monitor VPN usage and block unauthorized VPN tools such as SoftEther.
• Conduct threat hunting for advanced persistent threats.
• Review access to subscriber databases and call data record systems.

References:

• https://cloud.google.com/blog/topics/threat-intelligence/disrupting-gridtide-global-espionage-campaign

• https://thehackernews.com/2026/02/google-disrupts-unc2814-gridtide.html
• https://www.bleepingcomputer.com/news/security/chinese-cyberspies-breached-dozens-of-telecom-firms-govt-agencies/https://industrialcyber.co/ransomware/china-linked-unc2814-exploited-google-sheets-api-for-stealth-c2-targeting-telecom-government-networks/
• https://www.reuters.com/sustainability/boards-policy-regulation/google-disrupts-chinese-linked-hackers-that-attacked-53-groups-globally-2026-02-25/
• https://therecord.media/china-cyber-espionage-google-disrupt
• https://www.ampcuscyber.com/shadowopsintel/global-telecommunications-and-govt-agencies-intrusion-by-unc2814/

Advisory ID: NCC-CSIRT-2026-013

Summary: 

Damage: Critical

Probability: High

Product(s): 

Linux-based enterprise servers

Version(s): 

No specific version; affects general Linux distros

Platform(s):

Linux (Ubuntu, Debian, CentOS, RHEL); virtualized cloud instances

Indicators of Compromise (IOCs): 

Organizations are advised to cross-check the following IoCs with their SIEM and endpoint monitoring tools:

• Unexpected kernel modules loaded on Linux servers
• Unauthorized system services or startup scripts
• Outbound connections to unusual cloud storage APIs from critical servers
• Unauthorized file changes in system directories (/etc, /usr/bin)
• Anomalous processes running with root privileges

Description: 

Impacts: 

• Compromise of Sensitive Data
• Unauthorized System Control
• Lateral Network Compromise
• Operational Disruption
• Long-Term Surveillance
• Reputational and Regulatory Impact
• Financial Consequences

Threat Types: 

• Advanced Persistent Threat (APT)
• Kernel-Level Malware / Rootkit
• Data Exfiltration / Espionage
• Unauthorized Access / Privilege Escalation
• Command-and-Control (C2) Abuse
• Lateral Movement
• Telecom / Infrastructure Disruption

Solutions/Mitigations:  

NCC-CSIRT recommends the following mitigation steps:

• Isolate compromised systems from the network
• Conduct full system integrity checks and Memory Forensics
• Monitor unusual outbound connections to cloud services
• Apply the latest OS and kernel security updates and disable unused services and accounts
• Restrict administrative and root access
• Implement network and host-based anomaly detection
• Monitor for abnormal process execution and kernel module loading
• Review system logs for unauthorized access events
• Implement UEFI Secure Boot where possible to prevent the loading of unsigned malicious kernel modules

References:

• https://industrialcyber.co/ransomware/china-linked-unc2814-exploited-google-sheets-api-for-stealth-c2-targeting-telecom-government-networks/

• https://cloud.google.com/blog/topics/threat-intelligence/disrupting-gridtide-global-espionage-campaign

• https://thehackernews.com/2026/02/google-disrupts-unc2814-gridtide.html

• https://www.reuters.com/sustainability/boards-policy-regulation/google-disrupts-chinese-linked-hackers-that-attacked-53-groups-globally-2026-02-25/

• https://www.csoonline.com/article/4137834/china-linked-hackers-used-google-sheets-to-spy-on-telecoms-and-governments-across-42-countries.html

Advisory ID: NCC-CSIRT-2026-011

Summary: 

Apple has released security updates to fix a vulnerability in WebKit, the browser engine that powers Safari and all browsers on iOS devices. The vulnerability could allow a malicious website to bypass browser security controls and access sensitive data from other websites open in the same browser session.

The vulnerability is tracked as CVE-2026-20643 and has been addressed through Apple’s new Background Security Improvement update mechanism, which allows Apple to deploy urgent security fixes without requiring full operating system updates.

Damage: High

Probability: Medium

Product(s): 

• iPhone (iOS)
• iPad (iPadOS)
• Mac computers (macOS)
• Apple Safari browser
• All browsers on iOS and iPadOS that use WebKit

Version(s): 

• iPhone (iOS) Earlier than iOS 17.4
• iPad (iPadOS) Earlier than iPadOS 17.4
• Mac computers (macOS), earlier than macOS Sonoma 14.4
• Apple Safari browser, earlier than Safari 17.4
• All browsers on iOS and iPadOS that use WebKit Versions before the March 2026 security update

Platform(s): 

• iOS
• iPadOS
• macOS
• Safari browser
• WebKit browser engine

Indicators of Compromise (IOCs): 

• Unexpected account logins or session hijacking.
• Suspicious browser redirects.
• Unauthorized access to web applications.
• Abnormal browser activity after visiting unknown websites.
• Unusual authentication alerts from online services.

Description: 

The vulnerability exists in Apple’s WebKit browser engine, specifically involving a cross-origin security issue in the browser navigation component. This flaw could allow malicious web content to bypass the Same-Origin Policy, a fundamental browser security control that prevents one website from accessing data belonging to another.

If exploited, a malicious website could potentially access sensitive information from other websites open in the same browser session, including login data, browsing information, session tokens, or other private content. The vulnerability could be triggered simply by visiting a specially crafted malicious website.

The vulnerability affects Apple devices because all browsers on iOS and iPadOS must use WebKit, meaning the issue impacts Safari as well as third-party browsers such as Chrome or Firefox running on iPhones and iPads.

Apple has addressed the issue by improving input validation and access restrictions in the WebKit engine and has recommended that all users update their devices immediately to receive the security fix.

Impacts: 

• Access sensitive user data from other websites.
• Steal authentication session tokens.
• Access login information or browsing history.
• Conduct account hijacking attacks.
• Perform targeted surveillance or espionage attacks.
• Deploy further malware through browser exploitation.

Threat Types: 

• Information Disclosure
• Cross-Site Data Leakage
• Session Hijacking
• Account Takeover
• Privacy Breach

Solutions/Mitigations:  

NCC-CSIRT recommends the following mitigation steps:

• Update Apple devices immediately to the latest versions of iOS, iPadOS, and macOS.
• Enable automatic updates on Apple devices.
• Avoid visiting untrusted websites or clicking suspicious links.
• Use multi-factor authentication (MFA) for online accounts.
• Clear browser sessions after accessing sensitive platforms such as banking or corporate systems.
•  Organizations should implement mobile device management (MDM) policies to enforce device updates.
• Monitor for suspicious login activity across enterprise systems.

References:

• https://www.malwarebytes.com/blog/news/2026/03/apple-patches-webkit-bug-that-could-let-sites-access-your-data

• https://support.apple.com/en-us/126604

• https://www.esentry.io/articles/apple-fixes-webkit-vulnerability-that-could-let-websites-access-your-data

• https://www.linkedin.com/pulse/apple-deploys-security-patch-address-critical-webkit-8ycqe/