Advisory ID: NCC-CSIRT-311024-012
Summary:
Zimperium’s zLabs team has discovered a new variant of vishing (voice phishing) malware known as FakeCall. This evolved malware manipulates voice calls by impersonating trusted institutions, tricking users into revealing sensitive information like credit card numbers and banking credentials.
Damage/Probability: CRITICAL/HIGH
Platform(s): Android Operating Systems
Description:
Researchers report that FakeCall malware infiltrates Android devices by hijacking call functions. The attack typically starts when a user downloads a seemingly harmless APK file (the Android application package format), which acts as a "dropper" to install the main malware. Once active, FakeCall can intercept and manipulate both outgoing and incoming calls, all under the control of a command-and-control (C2) server that covertly directs actions on the device. The malware even mimics a legitimate call interface, making it difficult for users to detect the deception. Moreover, attackers have been known to employ signing keys, allowing the malware to bypass security defenses more effectively.
Consequences:
The malware exploits mobile-specific features like voice and SMS to gain unauthorized control over the compromised devices. Its advanced tools heighten risks of data theft, privacy breaches, and financial loss, highlighting the need for strong mobile security measures.
Solution:
To mitigate this threat, you are advised to carry out the following:
- Avoid downloading APKs from unofficial sources.
- Use trusted app stores like the Google Play Store.
- Employ mobile threat detection tools to verify app legitimacy.
- Limit app permissions, especially for call and messaging functions.
- Install and regularly update robust mobile antivirus software.
- Keep Android devices and apps updated to the latest versions.
- Implement network security to monitor and block command-and-control (C2) traffic.
- Conduct regular device audits for suspicious activity.
- Use mobile threat defense solutions to detect and remove malware.
- Enable multifactor authentication (MFA) for sensitive app access.
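A concrete way to "verify app legitimacy" and "limit app permissions" for the call-hijacking behaviour described above is to look at what an app declares before it is installed. The script below is an added illustration, not code from Zimperium or NCC-CSIRT: it reads a decoded AndroidManifest.xml (APKs store the manifest in Android's binary XML format, so it is assumed to have been converted to plain XML first, for example with apktool), lists the permissions that allow an app to observe or control calls and SMS, and flags an app that also offers to become the phone's dialer or in-call UI. Both manifests in the script are constructed samples.

```python
"""Triage a decoded AndroidManifest.xml for call- and SMS-control capabilities.

Added illustration for the FakeCall advisory; it is not Zimperium's or NCC-CSIRT's code.
It assumes the manifest has already been converted from Android's binary XML to plain
XML (apktool does this); the two manifests below are constructed samples.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS
LABEL_ATTR = "{%s}label" % ANDROID_NS

# Permissions that let an app observe, place, answer or redirect calls and read SMS.
# A dialer or messenger legitimately needs some of them; an "invoice viewer" does not.
TELEPHONY_PERMISSIONS = {
    "android.permission.CALL_PHONE",
    "android.permission.ANSWER_PHONE_CALLS",
    "android.permission.READ_CALL_LOG",
    "android.permission.WRITE_CALL_LOG",
    "android.permission.READ_PHONE_STATE",
    "android.permission.PROCESS_OUTGOING_CALLS",
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS",
    "android.permission.BIND_INCALL_SERVICE",
    "android.permission.BIND_TELECOM_CONNECTION_SERVICE",
}
DIAL_ACTION = "android.intent.action.DIAL"           # offers to be the dialer UI
IN_CALL_SERVICE_ACTION = "android.telecom.InCallService"  # can draw/control live calls

# Constructed sample: a "document viewer" that wants to own the phone's call screen.
SUSPICIOUS_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.invoiceviewer">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.ANSWER_PHONE_CALLS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.BIND_INCALL_SERVICE"/>
  <application android:label="Invoice Viewer">
    <activity android:name=".DialerActivity">
      <intent-filter>
        <action android:name="android.intent.action.DIAL"/>
        <category android:name="android.intent.category.DEFAULT"/>
      </intent-filter>
    </activity>
    <service android:name=".CallService"
             android:permission="android.permission.BIND_INCALL_SERVICE">
      <intent-filter>
        <action android:name="android.telecom.InCallService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

# Constructed sample: a network-only app, for contrast.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <application android:label="Weather"/>
</manifest>
"""

def triage_manifest(xml_text: str) -> dict:
    """Return the telephony capabilities an app declares and a coarse risk tier."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    requested = {el.get(NAME_ATTR) for el in root.iter("uses-permission")}
    actions = {el.get(NAME_ATTR) for el in root.iter("action")}
    telephony = sorted(requested & TELEPHONY_PERMISSIONS)
    dialer_ui = DIAL_ACTION in actions
    in_call = IN_CALL_SERVICE_ACTION in actions
    if (dialer_ui or in_call) and telephony:
        tier = "high"    # wants the call screen AND the permissions to control calls
    elif len(telephony) >= 2:
        tier = "medium"
    else:
        tier = "low"
    app = root.find("application")
    return {
        "package": root.get("package"),
        "label": app.get(LABEL_ATTR) if app is not None else None,
        "telephony_permissions": telephony,
        "declares_dialer_ui": dialer_ui,
        "binds_in_call_service": in_call,
        "tier": tier,
    }

if __name__ == "__main__":
    for manifest in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        report = triage_manifest(manifest)
        print(f"{report['package']}: tier={report['tier']} "
              f"telephony_permissions={report['telephony_permissions']}")
```

The tiers are deliberately coarse: a real dialer app will also score "high", so the output is a prompt for review against what the app claims to be (an invoice viewer has no business binding an in-call service), not a malware verdict on its own.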
References:
- https://www.securityweek.com/fakecall-android-trojan-evolves-with-new-evasion-tactics-and-expanded-espionage-capabilities/
- https://thenimblenerd.com/article/beware-fakecall-malware-wreaks-havoc-with-advanced-mobile-phishing-tactics/
- https://bgr.com/tech/terrifying-android-malware-redirects-your-calls-to-hackers/
- https://www.bleepingcomputer.com/news/security/android-malware-fakecall-now-reroutes-bank-calls-to-attackers/
- https://www.darkreading.com/cyberattacks-data-breaches/vishing-mishing-fakecall-android-malware
- https://www.infosecurity-magazine.com/news/updated-fakecall-malware-targets/
Advisory ID: NCC-CSIRT-170924-010
Summary:
PlugX is a sophisticated Remote Access Trojan (RAT) known for targeting critical infrastructure, including telecommunications. It enables attackers to remotely control infected systems, infiltrate sensitive data, disrupt network operations, and maintain long-term access to telecom systems. The malware typically spreads through phishing campaigns and exploited vulnerabilities.
Damage/Probability: CRITICAL/HIGH
Platform(s): Windows, Linux, Network Devices, and Telecom Infrastructure systems
Description:
PlugX malware is typically deployed via phishing emails containing malicious attachments or by exploiting network vulnerabilities. These emails are crafted to deceive users into opening infected files or clicking on links that exploit unpatched vulnerabilities within network systems. In addition to phishing, PlugX can be spread through watering hole attacks, drive-by downloads, or by leveraging network security flaws, making it a versatile and highly adaptable threat.
Once deployed, it allows threat actors to remotely control infected systems, steal data, disrupt services, and create backdoors for future attacks. Its stealth and persistence make it challenging to detect, posing a significant risk to critical telecom infrastructure.
Consequences:
If the threat materializes, the following outcomes may occur:
- Data Exfiltration: Loss of sensitive user and corporate data.
- Service Disruption: Downtime or interruptions to telecom services.
- Network Manipulation: Unauthorized control of network devices and systems.
Solution:
To mitigate this threat, you are advised to carry out the following:
- Apply security patches to all network devices and systems regularly.
- Enhance endpoint security and network monitoring for suspicious activities.
- Implement email filtering to block phishing emails.
- Conduct regular cybersecurity awareness training for staff.
- Enforce network segmentation and access controls.
- Perform vulnerability assessments and incident response drills.
References:
Advisory ID: ngCERT-2024-0034
Summary:
ngCERT is issuing an urgent security alert regarding the dangers and risks associated with expired Secure Sockets Layer (SSL) certificates, which are increasingly observed within Nigerian cyberspace. SSL is essential for web services as it ensures end-to-end encrypted communication between client and server over the Internet. However, if an SSL certificate on the server side expires, this secure communication is compromised, exposing users to cyber threats. Malicious actors can exploit this vulnerability to execute phishing attacks and Man-in-the-Middle (MitM) attacks, among others, leading to data breaches, data theft, reputational damage, financial losses, and Denial of Service (DoS) attacks. Given these risks, users are advised to renew expired SSL certificates and implement the other mitigation steps recommended here.
Threat Type(s): Vulnerability
Impact/Vulnerability: CRITICAL/HIGH
Product(s): SSL Certificates
Platform(s): Web Applications
Version(s): All Versions
Description:
SSL certificates verify the identity of a website owner while enabling secure and encrypted connections for users accessing the server. When an SSL certificate expires, it can no longer ensure a secure connection, exposing organizations to potential attack vectors. Expired SSL certificates are particularly vulnerable to Man-in-the-Middle (MitM) attacks, where an attacker intercepts and eavesdrops on client-server communications, potentially hijacking requests to the web application. This could lead to the theft or alteration of sensitive data. Additionally, cybercriminals might create phishing websites that imitate legitimate sites with expired SSL certificates, using similar URLs to deceive unsuspecting users into divulging sensitive information for malicious purposes.
Consequences:
Exploitation of the aforesaid flaw could result in:
- Unauthorized access
- Data breaches and exfiltration
- Financial losses
- Denial of Service (DoS) attack
- Reputational damage
Solution:
To mitigate this risk, the following actions are recommended:
- Immediate Renewal: Renew the expired SSL certificate and install it on the server to re-enable secure communication.
- Implement Certificate Monitoring: Deploy an automated SSL certificate monitoring system that alerts administrators 30, 15, and 7 days before certificate expiration. This ensures ample time for renewal.
- Establish Renewal Procedures: Set up a robust process for SSL certificate management, with clear timelines and ownership to avoid missed renewals in the future. Consider using certificate management tools or platforms that automate renewals.
- Conduct Regular Security Audits: Schedule periodic audits of all SSL certificates across the system to identify any upcoming expirations and ensure all certificates are up to date.
- User Notification and Trust Restoration: Notify affected users of the issue, informing them that the SSL certificate has been renewed and that secure access has been restored.
- Review Compliance Requirements: Verify that the expired SSL certificate did not result in any non-compliance issues with relevant security regulations or industry standards. Update documentation and records as necessary to demonstrate renewed compliance.
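The monitoring step above (alerts at 30, 15 and 7 days before expiry) is small enough to implement directly. The script below is an added illustration, not ngCERT's tool: check_expiry() classifies a certificate record in the form returned by Python's ssl.SSLSocket.getpeercert() against those three thresholds, and fetch_peer_cert() obtains that record from a live server. The certificate record, hostname and dates in the script are constructed.

```python
"""Certificate-expiry monitor with the 30/15/7-day alert tiers from the advisory.

Added illustration for the ngCERT SSL advisory; it is not ngCERT's tool.
check_expiry() works on the dict that ssl.SSLSocket.getpeercert() returns, so the
alert logic can be exercised offline on a constructed record; fetch_peer_cert() is the
only part that touches the network.
"""
import socket
import ssl
import sys
from datetime import datetime, timedelta, timezone

ALERT_THRESHOLDS_DAYS = (30, 15, 7)

# Constructed certificate record in getpeercert() form (hostname and dates are made up).
SAMPLE_CERT = {
    "subject": ((("commonName", "portal.example.ng"),),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jun 30 23:59:59 2024 GMT",
}

def at(iso: str) -> datetime:
    """Parse an ISO-8601 timestamp such as 2024-06-20T12:00:00 as UTC."""
    return datetime.fromisoformat(iso).replace(tzinfo=timezone.utc)

def fetch_peer_cert(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Handshake with the default trust store and return the leaf certificate.

    An already-expired certificate fails verification here (ssl.SSLCertVerificationError),
    which is itself the loudest possible alert; monitor() reports it instead of raising.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()

def check_expiry(cert: dict, now: datetime, thresholds=ALERT_THRESHOLDS_DAYS) -> dict:
    """Classify a certificate as ok / warn-<N>d / expired relative to `now` (UTC)."""
    not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]),
                                       tz=timezone.utc)
    remaining = not_after - now
    days_left = remaining.days  # negative once the certificate has expired
    if remaining <= timedelta(0):
        status = "expired"
    else:
        # The tightest threshold that has been crossed is the one to report.
        hit = [t for t in sorted(thresholds) if days_left <= t]
        status = f"warn-{hit[0]}d" if hit else "ok"
    subject = dict(pair for rdn in cert.get("subject", ()) for pair in rdn)
    return {
        "subject": subject.get("commonName"),
        "not_after": not_after.isoformat(),
        "days_left": days_left,
        "status": status,
    }

def monitor(hosts, now=None) -> list:
    """Check each host live; handshake failures are reported rather than raised."""
    now = now or datetime.now(timezone.utc)
    results = []
    for host in hosts:
        try:
            results.append({"host": host, **check_expiry(fetch_peer_cert(host), now)})
        except (ssl.SSLError, OSError) as exc:
            results.append({"host": host, "status": "handshake-failed", "error": str(exc)})
    return results

if __name__ == "__main__":
    for result in monitor(sys.argv[1:]):
        print(result)
```

Run it from a scheduler with the list of hostnames as arguments and route anything other than "ok" to the team that owns renewals. Because fetch_peer_cert() uses the default trust store, a certificate that has already expired (or a broken chain) shows up as "handshake-failed" rather than as a date, which is the correct outcome for a monitor: the same failure is what every browser visiting the site sees.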
Advisory ID: ngCERT-2024-0014
Summary:
Vulnerability assessment revealed the presence of a security flaw in SSH transport protocol found in versions of OpenSSH older than 9.6 and other products. The weakness could allow remote attackers to bypass integrity checks, leading to downgraded or disabled security features within a client and server connection, also known as a Terrapin Attack. This could lead to unauthorized access to sensitive information or compromise of network security. Accordingly, users and systems administrators are advised to take proactive steps to guard against exploits by threat actors.
Threat Type(s): Terrapin Attack
Impact/Vulnerability: CRITICAL/HIGH
Product(s): OpenSSH, LibSSH, PuTTY, AsyncSSH, Dropbear SSH, Transmit, paramiko and golang-go.crypto
Platform(s): SSH Transport Protocol
Version(s): OpenSSH before 9.6 and All versions of SSH software and libraries
Description:
The SSH transport protocol in OpenSSH before 9.6 and in other SSH software and libraries allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), causing security features to be downgraded or disabled within a client and server connection (a Terrapin Attack). This allows attackers to exploit the SSH protocol, potentially gaining unauthorized access to sensitive information or compromising network security. Notably, the Terrapin attack alters SSH data during the handshake between servers and devices, with the attacker functioning as a Man-in-the-Middle (MITM) on the connections between remote administrators and their core or on-premises network. While this CVE is classified as moderate because the attack requires an active MITM to intercept and modify a connection's traffic at the TCP/IP layer, it does allow attackers to delete consecutive messages. Vulnerable products and versions include OpenSSH before 9.6 and other software and libraries such as LibSSH, PuTTY, AsyncSSH, Dropbear SSH, Transmit, paramiko and golang-go.crypto.
Solution:
The following are recommended:
- System administrators should carry out an inventory of the organization's systems and scan all of them for vulnerable SSH versions.
- Organizations should patch their SSH implementations with the latest security updates.
- System administrators and users should regularly review and update their SSH key management practices.
- Conduct regular security audits and adopt a layered security approach.
- Implement robust firewalls, intrusion detection systems and rigorous access controls to significantly reduce the risk posed by such vulnerabilities.
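Scanning for vulnerable SSH versions by banner alone is unreliable, since distributions backport fixes without changing the version string. What actually decides exposure is what the server offers in its KEXINIT message: the attack needs either chacha20-poly1305@openssh.com or a CBC cipher combined with an Encrypt-then-MAC MAC, and patched implementations (OpenSSH 9.6 among them) advertise the strict key exchange marker kex-strict-s-v00@openssh.com that closes the gap. The script below is an added illustration, not ngCERT's scanner: it parses a server KEXINIT, applies that rule, and can fetch the KEXINIT from a host you administer. The two KEXINIT samples embedded in it are constructed.

```python
"""Check an SSH server's KEXINIT for Terrapin (CVE-2023-48795) exposure.

Added illustration for the ngCERT Terrapin advisory; it is not ngCERT's scanner.
A server is exposed when it offers chacha20-poly1305@openssh.com, or any CBC cipher
together with an Encrypt-then-MAC MAC (*-etm@openssh.com), and does not advertise the
strict key exchange extension kex-strict-s-v00@openssh.com. Samples are constructed.
"""
import socket
import struct
import sys

SSH_MSG_KEXINIT = 20
STRICT_KEX_SERVER = "kex-strict-s-v00@openssh.com"
# The ten name-lists of KEXINIT, in wire order (RFC 4253 section 7.1).
FIELDS = ("kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")

def parse_kexinit(payload: bytes) -> dict:
    """Decode a KEXINIT payload (message id, 16-byte cookie, ten name-lists)."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    off, out = 17, {}
    for name in FIELDS:
        (length,) = struct.unpack_from(">I", payload, off)
        raw = payload[off + 4:off + 4 + length].decode("ascii")
        out[name] = [n for n in raw.split(",") if n]
        off += 4 + length
    return out

def build_kexinit(lists: dict) -> bytes:
    """Encode name-lists as a KEXINIT payload (for constructed test data; zero cookie)."""
    body = bytes([SSH_MSG_KEXINIT]) + bytes(16)
    for name in FIELDS:
        enc = ",".join(lists.get(name, [])).encode("ascii")
        body += struct.pack(">I", len(enc)) + enc
    return body + b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows, reserved

def assess_terrapin(kex: dict) -> dict:
    """Apply the exposure rule from the module docstring to a parsed server KEXINIT."""
    ciphers = set(kex["enc_c2s"]) | set(kex["enc_s2c"])
    macs = set(kex["mac_c2s"]) | set(kex["mac_s2c"])
    chacha = "chacha20-poly1305@openssh.com" in ciphers
    cbc_etm = (any(c.endswith("-cbc") for c in ciphers)
               and any(m.endswith("-etm@openssh.com") for m in macs))
    strict = STRICT_KEX_SERVER in kex["kex"]
    return {"chacha20": chacha, "cbc_etm": cbc_etm, "strict_kex": strict,
            "vulnerable": (chacha or cbc_etm) and not strict}

def fetch_server_kexinit(host: str, port: int = 22, timeout: float = 5.0) -> bytes:
    """Exchange identification strings and return the server's first packet payload."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(b"SSH-2.0-kexinit_check\r\n")
        stream = sock.makefile("rb")
        while True:  # servers may send free-text lines before their version string
            line = stream.readline()
            if not line:
                raise ConnectionError("no SSH identification string received")
            if line.startswith(b"SSH-"):
                break
        (packet_len,) = struct.unpack(">I", stream.read(4))
        packet = stream.read(packet_len)          # padding_length, payload, padding
        padding_len = packet[0]
        return packet[1:packet_len - padding_len]

# Constructed samples: the same algorithm set with and without the strict-kex marker.
COMMON = {
    "hostkey": ["ssh-ed25519"],
    "enc_c2s": ["chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com"],
    "enc_s2c": ["chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com"],
    "mac_c2s": ["hmac-sha2-256-etm@openssh.com", "hmac-sha2-256"],
    "mac_s2c": ["hmac-sha2-256-etm@openssh.com", "hmac-sha2-256"],
    "comp_c2s": ["none"], "comp_s2c": ["none"],
}
UNPATCHED = {**COMMON, "kex": ["curve25519-sha256", "diffie-hellman-group14-sha256"]}
PATCHED = {**COMMON, "kex": UNPATCHED["kex"] + [STRICT_KEX_SERVER]}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for host in sys.argv[1:]:
            print(host, assess_terrapin(parse_kexinit(fetch_server_kexinit(host))))
    else:
        for label, sample in (("unpatched", UNPATCHED), ("patched", PATCHED)):
            print(label, assess_terrapin(parse_kexinit(build_kexinit(sample))))
```

Two caveats when reading the result. The rule covers the server side only; the client must also support strict key exchange (kex-strict-c-v00@openssh.com) for the fix to apply to a given connection, so client inventories need the same attention. And a server that cannot be patched yet can still report "vulnerable": False by removing the ChaCha20-Poly1305 cipher and the Encrypt-then-MAC MACs from its configuration, which this check treats as equivalent to having strict key exchange.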
Advisory ID: ngCERT-2024-0033
Summary:
ngCERT is issuing an urgent security advisory regarding a high-severity vulnerability in Veeam Backup and Replication (VBR) software, recently exploited by ransomware groups. The flaw is designated CVE-2023-27532, affecting VBR versions 12 and below. Threat actors exploit this weakness by obtaining encrypted and plaintext credentials stored in the configuration database, which are then used to elevate privileges and execute arbitrary code on affected systems. Successful exploitation of the vulnerability may result in malware installation, system takeover, data exfiltration and ultimately ransomware attacks. It is pertinent to note that the Phobos ransomware group recently exploited this flaw in a ransomware attack on cloud infrastructure within the Nigerian cyberspace. Accordingly, users are strongly advised to apply the latest security patches for VBR and the other mitigation steps recommended herein.
Threat Type(s): Ransomware
Impact/Vulnerability: CRITICAL/HIGH
Product(s): Microsoft Exchange server, SQL Server, Windows Server, Linux Server, Oracle, Azure, AWS, VMware, Hyper-V
Platform(s): Windows and Linux Operating Systems
Version(s): All Versions
Description:
CVE-2023-27532 is a critical vulnerability in Veeam Backup & Replication (VBR) software which allows unauthorized users to access sensitive information, including encrypted credentials. Cybercriminals exploit this flaw by connecting to the exposed Veeam service (C:\ProgramFiles\Veeam\Backup and Replication\Backup\Veeam.Backup.Service.exe) on TCP port 9401, where they can issue requests to extract confidential data from the backup infrastructure without proper authentication. To exploit CVE-2023-27532, attackers typically scan for unpatched Veeam instances exposed to the internet. Once they locate a vulnerable system, they bypass authentication by sending crafted requests directly to the service, allowing them to obtain critical information such as administrative credentials. With this information, attackers can escalate privileges, gain unauthorized access to the backup environment, and even compromise the entire network. Such an exploit can lead to severe consequences, including data breaches, ransomware deployment, or malicious data manipulation, as backup servers often store highly sensitive and valuable information.
Solution:
- Avoid downloading or opening attachments in emails received from untrusted sources or unexpectedly received from trusted users.
- Block the malicious external IP addresses and other malicious IP addresses on your network.
- Ensure that the assets/systems operating system, applications, antivirus, and plugins are up to date.
- Activate built-in security features on endpoint devices which scan applications for malware.
- Consider implementing stronger security measures, including firewalls, intrusion detection/prevention systems, anti-phishing solution, endpoint detection and response solution including anti-malware software.
- Enforce a strong password policy, implement regular password changes.
- Disable unnecessary services and open ports on endpoint devices and servers within your agency. Only enable services and open ports that are essential for day-to-day operations.
References:
- https://thehackernews.com/2024/07/new-ransomware-group-exploiting-veeam.html
- https://cisometric.com/articles/ransomware-alert-estateransomware-exploits-veeam-backup-software
- https://cirt.gy/article/al2024_15-veeam-backup-replication-software-security-flaw-exploited-by-new-ransomware-group-estateransomware-15th-july-2024/