Advisory ID: ngCERT-2026-020003
SUMMARY/DESCRIPTION
ngCERT is issuing an urgent advisory on the compromise of critical infrastructure by multiple variants of Remote Access Trojans (RATs). In particular, variants such as Adwind, AsyncRAT, Firebird, Imminent Monitor, NetWire, Orcus, Remcos, Warzone, and WSH RATs can enable unauthorised remote control of infected systems. These tools are distributed through phishing, malicious attachments, exploit kits, or fake downloads, and establish persistence through registry modifications, scheduled tasks, or process injection. Their capabilities include keylogging, credential theft, screen capture, webcam/microphone access, file exfiltration, command execution, and evasion of antivirus or sandboxes. The consequences include data breaches, financial fraud and theft, cyber espionage, and operational disruption. ngCERT strongly recommends conducting immediate vulnerability scans and deploying endpoint detection tools to mitigate the threats posed by these RATs.
Damage: Critical
Probability: High
Platform(s): Mostly Windows, macOS, Linux and Android.
CONSEQUENCES
Successful exploitation may result in:
- Unauthorised remote control and data breaches.
- Financial fraud and theft.
- Surveillance and cyber espionage.
- Operational disruption.
SOLUTION/MITIGATION
Organisations are strongly advised to:
- Apply timely patches to their OS and applications.
- Enforce Multi-Factor Authentication (MFA) for accounts and restrict unnecessary ports/services like Remote Desktop Protocol (RDP).
- Deploy endpoint detection and response (EDR).
- Use network segmentation to limit lateral movement and maintain offline, encrypted backups.
- Train users to recognise phishing attempts and implement email filtering to block malicious content.
- Monitor indicators like registry changes or connections to malicious Command and Control (C2) servers.
- Upon detection of system compromise, isolate systems, reset passwords, and report to authorities.
- Adopt Zero-Trust models and Threat Intelligence for enhanced resilience.
Advisory ID: ngCERT-2026-010003-1
SUMMARY/DESCRIPTION
ngCERT is aware of a potential router implant campaign targeting Cisco Catalyst and IOS-based routers via weak SNMP, outdated firmware, and unsecured management services. Cisco Catalyst switches and IOS-based routers are being targeted globally by Advanced Persistent Threat (APT) groups that abuse weak or misconfigured SNMP settings for tasking, control, and device modification. The implant can enable unauthorized access, configuration changes, credential theft, and data exfiltration. It may also maintain long-term persistence while avoiding detection, indicating a sophisticated threat actor skilled in exploiting network infrastructure. Its TTPs include SNMP-based reconnaissance, exploitation of outdated IOS firmware, misuse of open or misconfigured services (HTTP, Telnet, SNMP), credential harvesting through insecure HTTP Basic Authentication, and data exfiltration over unencrypted channels. Organisations and users are advised to apply the mitigations detailed in this advisory to strengthen device security and resolve exploitable weaknesses.
Damage: Critical
Probability: High
Platform(s): Cisco Catalyst switches and IOS-based routers (1900, 2900, and 3900 series devices).
CONSEQUENCES
The observed activity may lead to a range of potential impacts, such as:
- Unauthorized access to network infrastructure.
- Manipulation of routing and network traffic.
- Theft of credentials.
- Long-term persistence on devices.
- Data leakage or exfiltration.
- Potential service disruption or outages.
SOLUTION/MITIGATION
The following are recommended to mitigate this exploitable weakness:
- Harden SNMP using SNMPv3, strong credentials, and restricted access.
- Update and patch Cisco firmware, removing legacy or unpatched versions.
- Disable insecure services and rely on encrypted management (HTTPS, SSH).
- Improve access controls, segment management networks, and enforce strong passwords.
- Monitor SNMP activity, log configuration changes, and watch for traffic anomalies.
- Rotate credentials regularly and conduct incident response with configuration review and device rebuilding if needed.
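A configuration contrast for the SNMP and management-plane items above, written here as an added example and not taken from the advisory or from Cisco documentation: the weak state the advisory describes, followed by a hardened replacement. The ACL number, the 10.0.100.0/24 management subnet, and the view, group and user names are placeholders.

```cisco
! Added example, not from the advisory. ACL 10, the 10.0.100.0/24 subnet and all names are placeholders.
!
! --- Weak management plane as described in the advisory (recognise this during config review) ---
snmp-server community public RO
snmp-server community private RW
ip http server
line vty 0 4
 transport input telnet
!
! --- Hardened replacement ---
! SNMPv1/v2c community strings are cleartext credentials that also allow tasking via SET; remove them.
no snmp-server community public
no snmp-server community private
! Only the management subnet may reach SNMP, HTTPS and SSH; log anything else that tries.
access-list 10 permit 10.0.100.0 0.0.0.255
access-list 10 deny any log
! SNMPv3 authPriv (SHA authentication, AES-128 privacy), read-only view, bound to ACL 10.
snmp-server view RO-VIEW iso included
snmp-server group NMS-RO v3 priv read RO-VIEW access 10
snmp-server user nms-poller NMS-RO v3 auth sha <AUTH-PASSPHRASE> priv aes 128 <PRIV-PASSPHRASE>
! Encrypted management only: HTTPS replaces HTTP Basic Auth, SSHv2 replaces Telnet.
no ip http server
ip http secure-server
ip http access-class 10
ip ssh version 2
line vty 0 4
 transport input ssh
 access-class 10 in
 login local
! Record every configuration change to syslog so the "log configuration changes" item has a data source.
archive
 log config
  logging enable
  notify syslog
  hidekeys
```

After applying, `show snmp community` should return nothing and `show snmp user` should list only nms-poller; SNMPv3 users are not shown in `show running-config`, so the running configuration alone does not confirm the user exists.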
HYPERLINK
- https://cloud.google.com/blog/topics/threat-intelligence/synful-knock-acis?utm_source
- https://cert.gov.ng/advisories/risks-associated-with-end-of-life-cisco-catalyst-1900-2900-and-3900-series-routers
- https://www.cisa.gov/sites/default/files/2023-04/apt28-exploits-known-vulnerability-to-carry-out-reconnaissance-and-deploy-malware-on-cisco-routers.pdf
Advisory ID: ngCERT-2026-010003
SUMMARY/DESCRIPTION
ngCERT is aware of a potential router implant campaign targeting Cisco Catalyst and IOS-based routers via weak SNMP, outdated firmware, and unsecured management services. Cisco Catalyst switches and IOS-based routers are being targeted globally by Advanced Persistent Threat (APT) groups that abuse weak or misconfigured SNMP settings for tasking, control, and device modification. The implant is capable of enabling unauthorized access, configuration changes, credential theft, and data exfiltration. It may also maintain long-term persistence while avoiding detection, indicating a sophisticated threat actor skilled in exploiting network infrastructure. Its TTPs include SNMP-based reconnaissance, exploitation of outdated IOS firmware, misuse of open or misconfigured services (HTTP, Telnet, SNMP), credential harvesting through insecure HTTP Basic Authentication, and data exfiltration over unencrypted channels. Organisations and users are advised to apply the mitigations detailed in this advisory to strengthen device security and resolve exploitable weaknesses.
Damage: Critical
Probability: High
Platform(s): Cisco Catalyst switches and IOS-based routers.
CONSEQUENCES
The observed activity may lead to a range of potential impacts, such as:
- Unauthorized access to network infrastructure.
- Manipulation of routing and network traffic.
- Theft of credentials.
- Long-term persistence on devices.
- Data leakage or exfiltration.
- Potential service disruption or outages.
SOLUTION/MITIGATION
The following are recommended to mitigate this exploitable weakness:
- Harden SNMP using SNMPv3, strong credentials, and restricted access.
- Update and patch Cisco firmware, removing legacy or unpatched versions.
- Disable insecure services and rely on encrypted management (HTTPS, SSH).
- Improve access controls, segment management networks, and enforce strong passwords.
- Monitor SNMP activity, log configuration changes, and watch for traffic anomalies.
- Rotate credentials regularly and conduct incident response with configuration review and device rebuilding if needed.
HYPERLINK
- https://cloud.google.com/blog/topics/threat-intelligence/synful-knock-acis?utm_source
- https://cert.gov.ng/advisories/risks-associated-with-end-of-life-cisco-catalyst-1900-2900-and-3900-series-routers
- https://www.cisa.gov/sites/default/files/2023-04/apt28-exploits-known-vulnerability-to-carry-out-reconnaissance-and-deploy-malware-on-cisco-routers.pdf
Advisory ID: ngCERT-2026-010002
SUMMARY/DESCRIPTION
ngCERT alerts organisations and users to an actively exploited zero-day vulnerability affecting the Microsoft Windows Desktop Window Manager (DWM). DWM is a core Windows service responsible for managing visual effects, window composition, and graphical rendering in the operating system. The vulnerability, tracked as CVE-2026-20805, arises from improper handling of Advanced Local Procedure Call (ALPC) messages within the DWM service. An attacker with local access can send crafted ALPC requests that trigger memory disclosure, returning internal pointers and heap/base address details. While the flaw does not by itself permit remote code execution or privilege escalation, it can be leveraged to bypass core exploit mitigations such as Address Space Layout Randomization (ASLR), which significantly increases the reliability of subsequent exploit chains. This advisory provides details on the issue, its impact, and recommended solutions.
Damage: Critical
Probability: High
Platform(s): Windows
CONSEQUENCES
Successful exploitation of this vulnerability could lead to:
- ASLR Bypass: Leaking memory layout information directly undermines ASLR, a fundamental memory-hardening technique used to defend against buffer overflows and ROP attacks.
- Facilitated Exploitation: By revealing internal addresses, attackers can craft reliable exploits for other locally or remotely accessible vulnerabilities, increasing the likelihood of full system compromise.
- Exploit Chaining: It initiates multi-stage exploit chains, particularly in post-compromise lateral movement, privilege escalation, or persistence scenarios.
- Enterprise Risk: In corporate environments where attackers may already have footholds (e.g., via phishing or compromised credentials), this vulnerability strengthens the adversary’s ability to deepen access.
- Active Exploitation: Public reporting confirms active exploitation in the wild before patch deployment, underscoring real-world risk.
SOLUTION/MITIGATION
The following are recommended:
- Apply security updates immediately: Microsoft’s January 2026 Patch Tuesday updates for CVE-2026-20805 should be applied immediately to remediate the flaw.
- Restrict Local Access: Limit user accounts with local login to trusted personnel and use endpoint access controls to reduce exploit opportunities.
- Harden Processes: Employ Endpoint Detection and Response (EDR) with ALPC/DWM monitoring rules to detect suspicious interactions with DWM.
- Least Privilege: Review and enforce least privilege for all user accounts and services.
- Behavioural Monitoring: Monitor systems for unusual ALPC traffic patterns or unauthorized inter-process communications with dwm.exe.
- ASLR-Aware Protections: Ensure other Microsoft security features, such as Virtualisation-Based Security (VBS) and Hypervisor-Enforced Code Integrity (HVCI), are enabled where supported.
- Patch Management: Incorporate timely patch deployment and vulnerability scanning into standard operations.
Advisory ID: NCC-CSIRT-2026-006
Summary:
Security researchers have identified an active spearphishing campaign in which threat actors are using Windows screensaver (.scr) files as delivery mechanisms to install legitimate Remote Monitoring & Management (RMM) tools for covert remote access and persistent control. The campaign begins with business-themed phishing (e.g., invoice or project summaries) that directs users to download and execute a .scr file from cloud storage. Because .scr screensavers are portable executable (PE) binaries that can run arbitrary code but are often overlooked by defenders, this vector allows attackers to bypass traditional detection controls and deploy RMM software to maintain access.
Once executed, the malicious screensaver silently installs the RMM agent, which establishes an encrypted remote connection to attacker-controlled infrastructure, enabling interactive remote sessions. Follow-on actions may include credential theft, lateral movement, data exfiltration, and staging for ransomware or other high-impact malware.
Damage/Probability: High/High
Product(s):
- Microsoft Windows operating systems and endpoints
- Remote Monitoring & Management (RMM) tools and agents (e.g., JWrapper-based SimpleHelp or similar)
- Cloud storage hosting services used to deliver malicious files
Version(s):
Not version-specific; affects Windows installations where users are tricked into executing Windows screensaver files (.scr) without appropriate controls or restrictions.
Platform(s):
- Enterprise and corporate Windows workstations
- Laptops
- Servers with user-interactive endpoints capable of executing screensaver files.
Description:
Windows screensaver files (.scr) are portable executables capable of running arbitrary code, yet are often perceived by users as harmless. In the observed campaign, attackers embed remote monitoring and management (RMM) installers within .scr files hosted on trusted cloud platforms and distribute them via phishing emails using business-themed lures (e.g., “InvoiceDetails.scr”), increasing the likelihood of execution.
When run, the .scr file installs an RMM agent, establishes persistence in system directories, and initiates outbound connections to attacker-controlled servers for remote access. Because RMM tools are commonly used for legitimate administration, their activity blends into normal network behavior, making detection difficult; researchers note this technique is highly adaptable across cloud providers, lures, and RMM variants, limiting the effectiveness of signature-based defenses alone.
Threat Types:
- Spearphishing & social engineering: phishing emails with links to .scr files disguised as benign documents.
- Abuse of executable screensaver files: .scr files executing arbitrary code to install RMM software.
- RMM tool deployment for access & persistence: use of legitimate remote administration software as covert remote access tools.
- Living-off-the-land & defense evasion: use of trusted tools and filetypes to lower detection and raise stealth.
Impacts:
- Attackers gain persistent remote access and control over compromised hosts.
- Remote access allows capture of sensitive user credentials and intellectual property.
- With RMM agents in place, threat actors can propagate to adjacent systems and escalate privileges.
- The foothold may be used to position ransomware, RATs, or other destructive payloads.
- Because delivery and execution leverage legitimate infrastructure and file types, traditional signature-based tools may fail to alert.
Solutions:
NCC-CSIRT recommends the following mitigation steps:
- Block .scr execution via AppLocker/WDAC.
- Quarantine endpoints with unauthorized RMM tools.
- Filter and inspect suspicious cloud-hosted email links.
- Scan and hunt for rogue RMM services and processes.
- Train users on .scr and uncommon-extension phishing.
- Enforce least-privilege to prevent unauthorized installs.
- Detect living-off-the-land abuse with behavior analytics.
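A hunt over process-creation telemetry for the chain described above, as an added example that is not NCC-CSIRT code or the researchers' tooling: it flags .scr binaries executing outside the Windows system directories, any child process spawned by a .scr, and RMM-looking binaries outside the install roots IT sanctioned. The event field names, sample hosts and paths, and the sanctioned install root are constructed; the RMM name tokens come from the advisory's SimpleHelp/JWrapper example and are not exhaustive.

```python
import json
from pathlib import PureWindowsPath

# Added example, not NCC-CSIRT code. Event fields, paths and the sanctioned root are assumptions.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
# Where IT installed the RMM agents it actually sanctioned (placeholder); anything else is rogue.
SANCTIONED_RMM_ROOTS = (r"c:\program files\corprmm",)
# Name fragments taken from the advisory's SimpleHelp/JWrapper example; extend from your inventory.
RMM_TOKENS = ("simplehelp", "jwrapper", "remote access")

def _under(path: str, roots) -> bool:
    """True if the (case-insensitive) path lies inside one of the given root directories."""
    p = str(PureWindowsPath(path)).lower()
    return any(p == r or p.startswith(r + "\\") for r in roots)

def classify(ev: dict) -> list[str]:
    """Return the rule names an event trips; an empty list means benign."""
    image = ev["image"].lower()
    parent = ev.get("parent_image", "").lower()
    hits = []
    # Rule 1: a screensaver executing from anywhere but the Windows system directories.
    if image.endswith(".scr") and not _under(image, SYSTEM_DIRS):
        hits.append("scr_outside_system_dir")
    # Rule 2: a screensaver spawning a child; genuine .scr files render, they do not install.
    if parent.endswith(".scr"):
        hits.append("scr_spawned_child")
    # Rule 3: an RMM-looking binary outside the install roots IT sanctioned.
    if any(tok in image for tok in RMM_TOKENS) and not _under(image, SANCTIONED_RMM_ROOTS):
        hits.append("rogue_rmm_binary")
    return hits

def hunt(log_text: str) -> list[tuple[str, str, str]]:
    """Parse newline-delimited JSON process-creation events into (host, rule, image) findings."""
    findings = []
    for line in log_text.strip().splitlines():
        ev = json.loads(line)
        findings.extend((ev["host"], rule, ev["image"]) for rule in classify(ev))
    return findings

# Constructed sample telemetry: a benign screensaver, the lure chain, and a sanctioned agent.
SAMPLE_LOG = r"""
{"host":"WS-017","image":"C:\\Windows\\System32\\Bubbles.scr","parent_image":"C:\\Windows\\System32\\winlogon.exe"}
{"host":"WS-017","image":"C:\\Users\\amara\\Downloads\\InvoiceDetails.scr","parent_image":"C:\\Windows\\explorer.exe"}
{"host":"WS-017","image":"C:\\Users\\amara\\AppData\\Local\\Temp\\JWrapper-Remote Access\\Remote Access.exe","parent_image":"C:\\Users\\amara\\Downloads\\InvoiceDetails.scr"}
{"host":"WS-042","image":"C:\\Program Files\\CorpRMM\\agent.exe","parent_image":"C:\\Windows\\System32\\services.exe"}
"""

if __name__ == "__main__":
    for host, rule, image in hunt(SAMPLE_LOG):
        print(f"{host}  {rule:<24} {image}")
```

Fed real Sysmon Event ID 1 or EDR process-creation data mapped to the same three fields, rule 2 is the lowest-noise signal: screensavers have no legitimate reason to spawn installers.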