Advisory ID: NCC-CSIRT-151223-046
Summary: The vulnerabilities in Android/Samsung Galaxy smartphones, as warned by the Indian government, are significant and affect Android versions 11, 12, 13, and 14. These vulnerabilities can lead to a range of serious security issues. They allow attackers to potentially bypass security measures, access sensitive information, and execute arbitrary code on the devices. This means hackers could gain unauthorized access to personal data, control phone functions, or even introduce harmful software without the user's knowledge. The update is crucial in mitigating the risk and safeguarding personal and sensitive information stored on the phones.
Threat Type(s): Malware, Phishing.
Impact/Vulnerability: CRITICAL/HIGH
Product(s): Android versions 11, 12, 13, and 14, Samsung Galaxy Smartphones.
Platform(s): Android Operating Systems.
Version(s): Versions 11, 12, 13, and 14.
Description: The vulnerabilities identified in Samsung Galaxy smartphones, specifically affecting Android versions 11, 12, 13, and 14, present serious security concerns. They open doors for unauthorized access, allowing hackers to bypass existing security protocols. Once inside the system, attackers can access sensitive personal and financial information, posing a significant risk of data theft and privacy invasion. The severity of these vulnerabilities lies in their potential to let attackers execute arbitrary code on the devices, potentially leading to complete control over the phone's functions. This scenario could result in malicious software installations, surveillance, data manipulation, or even financial fraud if payment apps are compromised. The vulnerabilities underscore the critical need for regular software updates and robust digital security practices.
Consequences: The vulnerabilities in Samsung Galaxy smartphones pose several risks. Hackers could gain unauthorized access to devices, leading to personal data exposure, including contacts, messages, and financial information. This access could also allow them to control phone functions or install harmful software, potentially leading to privacy breaches.
Solution:
- Immediate Software Update
- Regular Security Checks
- Enhanced User Awareness
References:
https://www.timesnownews.com/technology-science/using-samsung-smartphone-indian-govt-has-a-warning-for-you-article-105991466
Advisory ID: ngCERT-2023-0041
Summary: According to recent research, 2023 has witnessed an alarming increase in the activity of deceptive Android loan apps, which promote themselves as reputable personal loan services promising quick and easy access to funds. These apps allegedly defraud users by presenting them with enticing loan offers backed by false claims, while exfiltrating their victims' financial and personal data, which is then used to blackmail them and steal their funds. Consequently, Android app users are advised to take the necessary precautions against the activities of these loan shark apps.
Threat Type(s): Malware
Damage/Probability: HIGH/HIGH
Description: These malicious SpyLoan apps impersonate reputable loan providers and financial services, and promote themselves through SMS messages and popular social media channels to lure victims who are in need of financial assistance. It is important to note that these apps are available for download from dedicated scam websites and third-party app stores, and sometimes on Google Play. Once a user installs the app, they are prompted to accept the terms of service and grant extensive permissions to access sensitive data stored on the device, such as lists of accounts, call logs, calendar events, device information, lists of installed apps, local Wi-Fi network information, contact lists, location data, and SMS messages.
Subsequently, the app requests user registration, which is typically accomplished through SMS one-time password verification to validate the victim's phone number. The user is then compelled to complete the loan application process by providing extensive personal information, including address details, contact information, proof of income, bank account details, Bank Verification Number (BVN), photos of identification cards, National Identification Number (NIN) and selfies. The exfiltrated and acquired data are forwarded to the attackers' servers and are used to harass or blackmail users, even if no loan was ever provided. The data can also be sold or used to conduct other malicious activities against the victims.
Consequences: Subscribing to the services of loan shark Android apps can result in the following:
- Data exfiltration.
- Damage to reputation.
- Financial losses.
- Identity theft.
- Impersonation of victims.
- Hacking of mobile devices.
- Possible installation of malicious software.
Solution: The following are recommended:
- Avoid the installation of loan apps from unofficial sources and third-party app stores.
- Validate the authenticity of financial apps before patronizing them.
- Seek the services of legitimate financial service providers.
- Report identified or known incidents involving loan sharks.
References:
Advisory ID: NCC-CSIRT-071223-045
Summary: Critical vulnerabilities in Cisco's IOS XE software have been exploited, allowing attackers to gain unauthorised control over devices. The vulnerabilities (CVE-2023-20198 and CVE-2023-20273) allow unauthorised users to gain high-level access to network devices, potentially leading to unauthorised control and activities on affected networks.
Threat Type(s): Vulnerability, Man-in-the-Middle Attack.
Impact/Vulnerability: CRITICAL/HIGH
Product(s): Cisco IOS XE Software
Platform(s): Cisco Networking Devices
Version(s): 17.9, 17.6, 17.3, 16.12
Description: The exploitation of Cisco IOS XE vulnerabilities presents severe consequences, primarily by granting hackers unauthorised high-level access to network devices. This access allows them to control network operations, potentially leading to data breaches, including the theft of sensitive information. Furthermore, these attackers can disrupt network services, significantly impacting business operations and causing financial and reputational damage. The compromised devices could also be used as a launchpad for further attacks or to spread malware across the network, multiplying the risks and potential damage.
Consequences: Potential for compromised network security and unauthorised activities.
Solution:
- Update to the latest Cisco IOS XE software versions.
- Disable the HTTP Server feature on internet-facing systems.
- Vigilantly monitor networks for signs of malicious activity.
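The second recommendation in IOS XE configuration terms, as an added illustration rather than text from the advisory or from Cisco: the exposed state, the hardened state, and a running-config check. The ACL name MGMT-ONLY and the 10.0.0.0/24 management subnet are assumed values.

```cisco
! Exposed state (constructed example): the web UI listens on all interfaces,
! including any that face the internet
ip http server
ip http secure-server
!
! Hardened state for internet-facing devices: remove both listeners, since
! the web UI is reachable over plain HTTP and HTTPS alike
no ip http server
no ip http secure-server
!
! If the web UI must remain for an internal management network, limit the
! source addresses allowed to reach it (ACL name and subnet are assumptions)
ip access-list standard MGMT-ONLY
 permit 10.0.0.0 0.0.0.255
 deny   any
ip http access-class ipv4 MGMT-ONLY
!
! Verification from privileged EXEC mode: an internet-facing device should
! show neither "ip http server" nor "ip http secure-server" as enabled
show running-config | include ip http
```

Re-run the verification after every software update, because a reload from a saved configuration can silently restore the listeners.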
References:
https://www.securityweek.com/exploitation-of-recent-cisco-ios-xe-vulnerabilities-spikes/
https://www.owler.com/reports/cisco/cisco--exploitation-of-recent-cisco-ios-xe-vulnera/1701878684398
https://www.itsecuritynews.info/exploitation-of-recent-cisco-ios-xe-vulnerabilities-spikes/
Advisory ID: NCC-CSIRT-061223-044
Summary: EURECOM researcher Daniele Antonioli discovered multiple novel attacks that break Bluetooth Classic's forward secrecy (a property of certain key-agreement protocols that assures session keys will not be compromised even if the long-term secrets used in the session key exchange are compromised) and future secrecy guarantees (which protect the confidentiality of future messages should past keys be compromised), resulting in man-in-the-middle (MitM) scenarios between two already connected peers.
Threat Type(s): Vulnerability, Man-in-the-Middle Attack.
Impact/Vulnerability: CRITICAL/HIGH
Product(s): Bluetooth
Platform(s): Smartphones, Laptops and Earphones
Version(s): Bluetooth 4.2, released in December 2014, and all versions up to the latest, Bluetooth 5.4, released in February 2023.
Description: The Bluetooth Forward and Future Secrecy (BLUFFS) Attack, as disclosed by the researchers, exploits four architectural vulnerabilities in the Bluetooth session establishment process specification. This attack involves deriving a weak session key and subsequently brute forcing it to impersonate arbitrary victims. The Man-in-the-Middle (MitM) attacker, posing as the paired device, can then negotiate a connection with the other end to establish subsequent encryption using legacy encryption. Additionally, an attacker in proximity can ensure the use of the same encryption key for every session and force the lowest supported encryption key length. Exploiting these weaknesses allows real-time brute-force attacks on the encryption key, enabling live injection attacks on traffic between vulnerable peers. The attack's success relies on the attacking device being within wireless range during the pairing procedure initiation and the ability to capture Bluetooth packets in plaintext and ciphertext, including the victim's Bluetooth address, and craft Bluetooth packets.
Consequences: By compromising a session key, an attacker can impersonate devices and establish man-in-the-middle (MitM) attacks, thereby undermining the future and forward secrecy guarantees provided by Bluetooth's pairing and session establishment security mechanisms.
Solution:
- Make sure that your Bluetooth devices operate in "Secure Connections Only Mode" to ensure sufficient key strength.
- Ensure that Bluetooth pairing is done via "Secure Connections" mode as opposed to legacy mode.
- Maintain a cache of seen session key diversifiers to prevent recycling.
- Require an attacker in the Central role to authenticate the pairing key.
References:
https://cybernews.com/security/bluetooth-connections-no-longer-private-with-bluffs-attacks/
https://thehackernews.com/2023/12/new-bluffs-bluetooth-attack-expose.html
https://www.bitdefender.com/blog/hotforsecurity/new-security-threats-in-bluetooth-technology-the-bluffs-attacks/
https://www.bleepingcomputer.com/news/security/new-bluffs-attack-lets-attackers-hijack-bluetooth-connections/
https://dl.acm.org/doi/10.1145/3576915.3623066
Advisory ID: NCC-CSIRT-301123-043
Summary: A significant number of Google Drive users have reported the loss of recent files and of folder structure changes dating back to around April-May 2023. This issue has resulted in the disappearance of critical data stored in the cloud.
Threat Type(s): Data Loss, Service Disruption
Impact/Vulnerability: CRITICAL/HIGH
Product(s): Google Drive
Platform(s): Web-based Cloud Storage Service
Version(s): All Versions
Description: Users of Google Drive have experienced a loss of recent data, with no indications of user error. The situation suggests a failure in the synchronisation of data between local devices and Google Cloud. Google's support team is investigating the issue, with no resolution or root cause identified yet.
Consequences: Potential loss of critical data, disruption of personal and business activities, loss of trust in cloud storage services.
Solution:
- Do not make changes to the root/data folder in cloud storage.
- Back up important files locally or use an alternative cloud service.
- Monitor for official updates from Google.
References:
https://www.bleepingcomputer.com/news/google/google-drive-users-angry-over-losing-months-of-stored-data/
https://www.digitaltrends.com/computing/google-drive-data-loss/
https://www.spiceworks.com/tech/data-management/news/google-drive-loses-user-data/amp/