Advisory ID: NCC-CSIRT-2026-010

Summary: 

The OSGF alerted Nigerian authorities about a cybercrime case in the UAE involving a criminal group that hijacked mobile signals and conducted SMS-based banking fraud. The group used specialized equipment to create fake mobile networks, intercept SMS messages, and send fraudulent messages impersonating banks to steal financial information. This technique poses a potential risk to Nigeria’s telecom infrastructure and financial systems due to the country’s large subscriber base and reliance on SMS banking.

Damage: Critical

Probability: High

Product(s): 

• GSM and LTE mobile networks
• SMS messaging infrastructure
• Mobile banking systems using SMS authentication
• Telecommunications spectrum environments
• Mobile subscribers within proximity of a rogue base station

Version(s): 

All types and versions

Platform(s): 

Telecommunication and Mobile Ecosystems

Description: 

The attack technique uses rogue cellular infrastructure designed to mimic legitimate mobile networks.

The criminals deploy signal-jamming equipment to temporarily disrupt legitimate cellular signals within a targeted area. Once legitimate connectivity is weakened, the attackers activate a rogue base station (fake cellular tower) that broadcasts a stronger signal, causing nearby mobile devices to automatically connect to the attacker-controlled network.

After devices connect to the rogue network, attackers can:

• Send spoofed SMS messages appearing to originate from legitimate financial institutions.
• Intercept SMS communications, including one-time passwords (OTPs).
• Conduct large-scale Smishing campaigns targeting banking customers.

This technique is particularly dangerous because it operates at the network layer of the telecommunications network, allowing attackers to bypass traditional Internet security controls.

Threat Types: 

• Rogue Cellular Network Attacks / IMSI Catcher Threats
• Mobile Signal Hijacking / Jamming
• Smishing (SMS Phishing)
• Financial Cybercrime / Banking Fraud
• Telecommunications Infrastructure Exploitation

Impacts: 

• Unauthorized access to bank accounts through stolen credentials or OTP interception.
• Large-scale financial fraud targeting mobile banking users.
• Manipulation of SMS communications used for transaction authentication.
• Loss of customer trust in telecom and banking systems.
• Possible use of rogue networks for surveillance or data interception.

Solutions/Mitigations:  

NCC-CSIRT recommends the following mitigation steps:

• Deploy rogue base station detection systems across network infrastructure.
• Strengthen radio spectrum monitoring to detect abnormal signal activity.
• Implement mechanisms to detect and block unauthorized BTS transmissions.
• Collaborate with security agencies to track illegal telecom equipment.
• Enhance monitoring of SMS gateways and messaging platforms.

Advisory ID: NCC-CSIRT-2026-009

Summary: 

Security researchers from the Google Threat Intelligence Group (GTIG) disrupted a global cyber-espionage campaign attributed to the threat actor UNC2814, which compromised 53 organizations across 42 countries in Africa, Asia, and the Americas. The attackers deployed a previously unknown malware backdoor, GRIDTIDE, which leveraged the Google Sheets API as a covert command-and-control channel, disguising malicious communications as legitimate cloud traffic to evade detection. The campaign primarily targeted telecommunications operators and government entities, indicating an objective of long-term surveillance and intelligence gathering rather than financial gain.

Damage: Critical

Probability: High

Product(s): 

• Enterprise Linux systems and servers
• Telecommunications infrastructure and enterprise networks
• Cloud-based SaaS platforms abused for command-and-control (C2), particularly Google Sheets API

Version(s): 

All vulnerable Linux systems and servers, Telecommunications infrastructure and enterprise networks, and Cloud-based SaaS platforms abused for command-and-control (C2).

Platform(s): 

• Linux/Unix systems
• Enterprise IT networks and telecommunications infrastructure
• Cloud SaaS environments used for covert C2 communications

Description: 

The UNC2814 campaign relied on a custom backdoor named GRIDTIDE, written in C and capable of executing arbitrary shell commands, uploading and downloading files, and maintaining persistent remote access.

Unlike traditional malware that communicates with dedicated C2 servers, GRIDTIDE used Google Sheets as a communication channel. The malware periodically accessed attacker-controlled spreadsheets through the Google Sheets API to retrieve commands and upload collected data.

The communication model used specific spreadsheet cells to exchange instructions and results. For example, commands could be stored in a designated cell, while command outputs or collected data were written back into other cells within the same spreadsheet. This approach allowed malicious traffic to blend into normal HTTPS connections to legitimate Google services.

Investigators believe the threat actor often gains initial access by compromising web servers or edge network systems, followed by lateral movement using SSH and legitimate administrative tools.

To maintain persistence on compromised systems, the attackers created system services (e.g., /etc/systemd/system/xapt.service) and executed malware binaries from directories such as /usr/sbin/xapt.

Google and its partners disrupted the campaign by terminating attacker-controlled Google Cloud projects, disabling malicious infrastructure, revoking Google Sheets API access, and notifying affected organizations.

Impacts: 

• Attackers may gain visibility into call records, SMS metadata, or lawful intercept systems.
• Compromised systems may contain information such as names, phone numbers, dates of birth, and national identification data.
• Attackers can maintain long-term access for intelligence gathering or further compromise.
• Use of legitimate cloud APIs makes detection significantly harder

Threat Types: 

• Cyber-espionage: Targeted surveillance against government and telecom organizations.
• Advanced Persistent Threat (APT): Long-term infiltration campaigns designed to maintain covert access.
• Cloud service abuse: Leveraging legitimate SaaS platforms such as Google Sheets for C2 communications.
• Living-off-the-land techniques: Use of legitimate system tools and services to evade detection.

Solutions/Mitigations:  

NCC-CSIRT recommends the following mitigation steps:

• Inspect systems for unauthorized services or binaries linked to GRIDTIDE.
• Block suspicious outbound connections to attacker-controlled infrastructure.
• Isolate affected systems and begin forensic investigation.
• Patch vulnerable web servers and network edge devices.
• Reset compromised credentials and enforce multi-factor authentication (MFA).
• Deploy updated endpoint detection tools capable of identifying APT behaviors.
• Implement network segmentation to protect telecom core infrastructure.
• Conduct proactive threat hunting for indicators associated with UNC2814 activity.
• Strengthen monitoring of cloud API usage across enterprise networks.
• Audit network traffic for suspicious connections to Google Sheets APIs or unusual SaaS usage.
• Monitor Linux servers for unauthorized systemd services and binaries such as /usr/sbin/xapt.
• Strengthen monitoring of telecom infrastructure and cloud service usage to detect covert command-and-control channels.

References:

• https://thehackernews.com/2026/02/google-disrupts-unc2814-gridtide.html

• https://www.reuters.com/sustainability/boards-policy-regulation/google-disrupts-chinese-linked-hackers-that-attacked-53-groups-globally-2026-02-25/

• https://www.securityweek.com/google-disrupts-chinese-cyberespionage-campaign-targeting-telecoms-governments/

• https://industrialcyber.co/ransomware/china-linked-unc2814-exploited-google-sheets-api-for-stealth-c2-targeting-telecom-government-networks/

• https://www.ampcuscyber.com/shadowopsintel/global-telecommunications-and-govt-agencies-intrusion-by-unc2814/

• https://www.bleepingcomputer.com/news/security/chinese-cyberspies-breached-dozens-of-telecom-firms-govt-agencies/

• https://securityaffairs.com/188521/apt/google-gtig-disrupted-china-linked-apt-unc2814-halting-attacks-on-53-orgs-in-42-countries.html

Advisory ID: NCC-CSIRT-2026-008

Summary: 

Security researchers from the Acronis Threat Research Unit (TRU) have identified a new version of the LockBit ransomware (version 5.0) actively used in cyberattacks. The updated variant introduces expanded cross-platform capabilities, enabling threat actors to target Windows, Linux, and VMware ESXi systems within a single coordinated campaign.

Damage: Critical

Probability: High

Product(s): 

• Microsoft Windows systems
• Linux servers and enterprise workloads
• VMware ESXi hypervisors and virtual infrastructure

Version(s): 

All vulnerable Windows, Linux, and ESXi deployments.

Platform(s): 

Enterprise endpoints, servers, and virtualized environments running Windows, Linux, or VMware ESXi.

Description: 

LockBit first emerged in 2019 and has evolved into one of the most prolific ransomware families globally through its affiliate-driven Ransomware-as-a-Service model.

The latest version of LockBit, 5.0, introduces improvements to increase operational scale and resilience. Researchers observed that the new variant includes:

• Separate payload builds for Windows, Linux, and VMware ESXi environments, allowing attackers to compromise heterogeneous enterprise infrastructure.
• Advanced encryption routines, including fast symmetric encryption mechanisms such as ChaCha20 for rapid file locking.
• Hypervisor-focused capabilities, including commands that enumerate and shut down virtual machines before encrypting their virtual disks.
• Defense-evasion techniques, such as obfuscation, anti-analysis mechanisms, and disabling certain monitoring features to avoid detection.

In ESXi environments, attackers may upload the ransomware payload to the hypervisor, use administrative commands to power down virtual machines, and encrypt VM datastore files located under /vmfs/volumes/.

Because a single hypervisor may host dozens or hundreds of virtual machines, successful compromise can cause large-scale business disruption.

Threat Types: 

• Ransomware (RaaS): LockBit operates through affiliates who deploy the ransomware after gaining network access.
• Cross-platform malware: Separate builds target Windows, Linux servers, and VMware ESXi hosts.
• Data exfiltration and double extortion: Victims may face threats of data leaks if ransom payments are not made.
• Defense evasion: The malware uses obfuscation and anti-analysis techniques to evade detection.

Impacts: 

• LockBit 5.0 can encrypt endpoints, servers, and virtual machines simultaneously.
• Attacks on ESXi hypervisors can affect multiple virtual workloads hosted on the same system.
• Stolen data may be published on leak sites to pressure victims.
• Critical services, databases, and enterprise systems may become unavailable.
• Recovery costs, regulatory penalties, and loss of customer trust may occur.

Solutions/Mitigations:  

NCC-CSIRT recommends the following mitigation steps:

• Isolate infected systems and disable network connectivity to prevent lateral movement.
• Stop unauthorized administrative access to hypervisors and servers.
• Preserve forensic evidence and system logs.
• Patch exposed services and disable unused remote access services.
• Reset compromised credentials and enforce multi-factor authentication (MFA).
• Conduct full scans using updated EDR and anti-malware tools.
• Implement network segmentation to limit lateral movement.
• Maintain offline and immutable backups and regularly test restoration processes.
• Restrict administrative privileges and monitor privileged accounts closely.

References:

• https://www.acronis.com/en/tru/posts/lockbit-strikes-with-new-50-version-targeting-windows-linux-and-esxi-systems/

• https://www.acronis.com/en/tru/posts/lockbit-strikes-with-new-50-version-targeting-windows-linux-and-esxi-systems/

• https://www.helpnetsecurity.com/2026/02/16/lockbit-5-0-ransomware-windows-linux-esxi/

• https://securitybrief.com.au/story/lockbit-5-0-ransomware-targets-windows-linux-esxi

• https://socprime.com/active-threats/19-shades-of-lockbit5-0/

• https://www.techradar.com/pro/security/lockbit-malware-is-back-and-nastier-than-ever-experts-claim

Advisory ID:   ngCERT-2026-030002

SUMMARY

ngCERT wishes to alert to a security vulnerability identified in network infrastructure devices with Open-Telnet (TCP Port 23) enabled. Telnet, a legacy remote administration protocol, transmits all data, including authentication credentials, in plaintext, making it highly unsecure. Successful exploitation may expose systems to potential unauthorised access and compromise in modern network environments.  Organisations are advised to disable Telnet, block port 23, and use SSH for secure remote access.

DESCRIPTION

Open-Telnet is a client-server protocol that allows remote terminal access over TCP/IP, typically using port 23. It transmits all data in plaintext and unencrypted, making sensitive information such as passwords and other data easy to intercept. Exposed services may allow remote access if credentials are weak or default and are susceptible to exploitation, including probing servers or exploiting vulnerabilities. Despite these risks, Telnet is still used for network diagnostics, troubleshooting, legacy system access, instructional purposes, and device configuration. Its unencrypted transmission and weak access controls make exposed systems highly vulnerable, emphasizing the need for secure alternatives such as SSH.

Damage:      Critical (CVSS score: 9.8)

Probability:  High

Platform(s):  Network Devices, Servers, IoT Devices, Routers, Switches, and Embedded Systems with Telnet Service Enabled

CONSEQUENCES

Systems with open Telnet services face the following risks:

1. Unauthorized Access.
2. Credential Theft.
3. Privilege Escalation.
4. Botnet Recruitment.
5. Data Breach.
6. Service Disruption. 

SOLUTION/MITIGATION

To mitigate against this vulnerability, ngCERT recommends the following:

1. Disable Telnet and block TCP port 23 on all affected devices.
2.  Replace Telnet with SSH for secure, encrypted remote access.
3. Reset credentials and review logs for all affected systems.
4. Enforce strong access controls and restrict remote access.
5. Maintain updates and ongoing security monitoring.

HYPERLINK

• https://www.picussecurity.com/resource/blog/cve-2026-24061-critical-telnetd-flaw-grants-root-access
• https://thecyberexpress.com/microsoft-telnet-0-click-vulnerability/