Advisory ID: ngCERT-2024-0018
Summary:
Security investigations revealed that a self-propagating USB malware released in 2020 is still active and spreading across systems worldwide through infected USB drives. Over the past 6 months, monitoring of the PlugX worm variant revealed that about 2.5 million IP addresses were infected in over 170 countries, including Nigeria. Currently, over 100,000 unique IPs still send daily requests to the sinkhole, indicating that the botnet remains active. It is worth noting that 15 of the 170 countries affected by the malware spread, Nigeria included, account for 80% of the infections recorded. Like other Remote Access Trojans (RATs), the PlugX malware can be used to obtain unauthorized access to systems, steal sensitive data, and carry out other malicious activities on compromised systems. Thus, the likelihood that the malware was developed to collect intelligence on strategic and security concerns from various countries cannot be ruled out. This underscores the need for network and system administrators, as well as device users, to put safeguards in place to prevent likely attacks.
Damage/Probability: CRITICAL/HIGH
Description:
The PlugX worm is very sophisticated and acts as a backdoor, allowing malicious actors to remotely access and take full control of infected machines. The attack begins with the wormable component of PlugX infecting connected USB flash drives by adding to them a Windows shortcut file bearing the name of the infected flash drive, and a DLL side-loading triad (legitimate executable, malicious DLL and binary blob) inside the drive's hidden RECYCLER.BIN folder. The legitimate content of the USB device is moved to a new directory whose name is the non-breaking space character (hexadecimal ASCII code 0xA0). When a user opens the USB device, only a shortcut with the name of the USB device is presented to them, pushing them to click on it. Clicking the shortcut executes the PlugX infection chain. PlugX starts by closing the current window and reopening a new one in the 0xA0-named directory mentioned above, which contains the legitimate files. Then it copies itself to the host inside %userprofile%/AvastSvcpCP/ and establishes persistence by creating a new value under the HKCU[…]\CurrentVersion\Run registry key. Finally, it re-executes itself from the host before terminating. Once running from the host, the worm component of this PlugX variant checks every 30 seconds for the connection of a new flash drive to infect automatically. Its self-propagating capability, coupled with its persistence mechanism, enables it to stay active and to control a broad network of compromised computers globally. Even though the original operators have lost control of the botnet, anyone with the ability to intercept its traffic can still use the compromised hosts for malicious purposes.
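The three on-drive artifacts described above (a shortcut named after the drive, a RECYCLER.BIN folder holding the side-loading triad, and the user's files moved into a folder named U+00A0) give incident responders a quick triage check for a suspect USB stick. The following is an added example, not code from the advisory or from any vendor; the file names inside the constructed fixture are placeholders, and the hidden attribute on RECYCLER.BIN is not checked because it is Windows-specific.

```python
import tempfile
from pathlib import Path

# Artifacts the advisory describes for the PlugX USB worm variant:
#  1. a Windows shortcut (.lnk) carrying the drive's own volume label
#  2. a hidden RECYCLER.BIN folder with a DLL side-loading triad
#     (legitimate .exe, malicious .dll, binary blob)
#  3. the user's real files moved into a folder named U+00A0 (non-breaking space)
NBSP_DIR = "\u00a0"


def scan_usb_root(root, volume_label):
    """Report which of the three artifacts exist directly under a drive root."""
    found = {"lnk": False, "recycler_triad": False, "nbsp_dir": False}
    for entry in Path(root).iterdir():
        name = entry.name
        if entry.is_file() and name.lower() == volume_label.lower() + ".lnk":
            found["lnk"] = True
        elif entry.is_dir() and name == NBSP_DIR:
            found["nbsp_dir"] = True
        elif entry.is_dir() and name.upper() == "RECYCLER.BIN":
            # Triad = an .exe, a .dll and at least one file that is neither.
            exts = [p.suffix.lower() for p in entry.rglob("*") if p.is_file()]
            has_blob = any(e not in (".exe", ".dll") for e in exts)
            found["recycler_triad"] = ".exe" in exts and ".dll" in exts and has_blob
    return found


def is_plugx_like(found):
    """Shortcut named after the drive plus either hidden-payload artifact."""
    return found["lnk"] and (found["recycler_triad"] or found["nbsp_dir"])


def build_sample_drive(infected):
    """Constructed fixture (placeholder names): a fake drive root, infected or clean."""
    root = Path(tempfile.mkdtemp(prefix="usb_"))
    docs = root / (NBSP_DIR if infected else "Documents")
    docs.mkdir()
    (docs / "report.docx").write_bytes(b"constructed user file")
    if infected:
        (root / "KINGSTON.lnk").write_bytes(b"constructed shortcut stub")
        triad_dir = root / "RECYCLER.BIN"
        triad_dir.mkdir()
        for fname in ("loader.exe", "sideload.dll", "payload.bin"):  # placeholders
            (triad_dir / fname).write_bytes(b"constructed placeholder")
    return str(root)


if __name__ == "__main__":
    print(scan_usb_root(build_sample_drive(True), "KINGSTON"))
```

On a real drive, pass the mount point and the volume label reported by the OS; a positive result is a reason to image the drive and inspect the host's %userprofile% and Run key, not proof on its own.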
Consequences:
A successful attack could result in the following:
- Unauthorized access to systems.
- Invasion of privacy.
- Data losses and exfiltration.
- Remote storage of illegal files.
- Denial of Service (DoS) attacks.
Solution:
The following are hereby recommended:
- Security administrators should block the IoCs on all applicable security solutions after validation.
- System administrators should regularly back up applications, databases, and all critical data.
- Ensure systems are regularly patched or updated.
- Avoid downloading and executing files from untrusted websites.
- Adopt strong reputable antivirus and anti-malware solutions.
- Implement measures to secure USB ports and also educate users on the potential dangers associated with using untrusted USB devices.
References:
- https://www.securityweek.com/self-spreading-plugx-usb-drive-malware-plagues-over-90k-ip-addresses/
- https://varutra.com/ctp/threatpost/postDetails/Over-90,000-IP-Addresses-Affected-by-Self-Spreading-PlugX-USB-Drive-Malware/YTVBRWdLL1psTWRXMXQ1UEszcnY1UT09
- https://therecord.media/plugx-malware-infections-more-than-170-countries
- https://blog.sekoia.io/unplugging-plugx-sinkholing-the-plugx-usb-worm-botnet/
Advisory ID: ngCERT-2024-0014
Summary:
Multiple critical vulnerabilities have been reported in Oracle products. The identified security flaws could allow attackers to remotely execute code, manipulate data, or gain unauthorized access to systems. Notably, security research revealed that over 200 of the vulnerabilities can be exploited remotely by unauthenticated attackers. Oracle has released its Critical Patch Update (CPU) including 441 security patches, with over 200 addressing remotely exploitable flaws. The released updates also include patches for third-party components in Solaris, Oracle Linux, and Oracle VM Server for x86. Accordingly, users are advised to upgrade their products to the latest versions as recommended.
Damage/Probability: CRITICAL/HIGH
Platform(s): Oracle
CVE(s): CVE-2024-21107, CVE-2024-21118, CVE-2024-21119, CVE-2024-21109, CVE-2024-21110, CVE-2024-21116, CVE-2024-21016, CVE-2024-21017, CVE-2024-21018, CVE-2024-21019, CVE-2024-21020, CVE-2024-21021, CVE-2024-21022, CVE-2024-21023, CVE-2024-21024, CVE-2024-21025, CVE-2024-21026, CVE-2024-21027, CVE-2024-21028, CVE-2024-21029, CVE-2024-21030, CVE-2024-21031, CVE-2024-21032, CVE-2024-21033, CVE-2024-21034, CVE-2024-21035, CVE-2024-21036, CVE-2024-21037, CVE-2024-21038, CVE-2024-21039, CVE-2024-21040, CVE-2024-21041, CVE-2024-21042, CVE-2024-21043, CVE-2024-21044, CVE-2024-21045, CVE-2024-21046, CVE-2024-21086, CVE-2024-21120
Description:
The critical vulnerabilities discovered in Oracle products could be exploited by cyber criminals to remotely execute code, manipulate data, steal data or gain unauthorized access to systems. Remote code execution vulnerabilities are flaws in software and systems that allow an attacker to gain remote unauthorised access and run malicious code on a target system. Thereafter, an attacker can exfiltrate sensitive data, destroy data or execute Denial of Service (DoS) attacks. Some of the products fixed in the recent Critical Patch Update include: Oracle Database Servers, Oracle Communications Applications, Oracle E-Business Suite, Oracle Enterprise Manager, Oracle banking and financial services platforms, Oracle identity managers, Oracle customer management platforms, Oracle hospitality management platforms, Oracle healthcare management platforms, Oracle database management platforms, and Oracle communications management platforms, amongst many other products (see https://www.oracle.com/security-alerts/cpuapr2024.html).
Consequences:
Successful exploitation of the vulnerabilities could result in:
- Unauthorised access to sensitive data.
- Security restriction bypass.
- Data manipulation and exfiltration.
- System compromise.
- Privilege escalation.
- Financial loss.
- Fraudulent activities.
- Reputational damage.
- Denial of Service (DoS).
- Cross-site scripting.
Solution:
Due to the threat posed by a successful attack, Oracle strongly recommends that:
- Users of Oracle products should immediately apply the security updates recently released by Oracle, accessible at https://www.oracle.com/security-alerts/cpuapr2024.html.
- Until the Critical Patch Update patches are applied, it may be possible to reduce the risk of successful attack by blocking network protocols required by an attack. For attacks that require certain privileges or access to certain packages, removing the privileges or the ability to access the packages from users that do not need the privileges may help reduce the risk of successful attack. Both approaches may break application functionality, so Oracle strongly recommends that customers test changes on non-production systems. Neither approach should be considered a long-term solution as neither corrects the underlying problem.
- Customers should immediately upgrade to supported versions of their products.
References:
Advisory ID: NCC-CSIRT-260424-008
Summary:
Recent reports indicate that the Brokewell malware represents a significant threat to Android devices, capable of compromising their security and exfiltrating sensitive information. It operates covertly, aiming to infiltrate devices and allow attackers to gain full control over them, potentially leading to the theft of personal data, financial information, and sensitive credentials.
Threat Type(s): Malware, Remote Access Trojan (RAT)
Impact/Vulnerability: CRITICAL/HIGH
Product(s): Android OS
Platform(s): Android Devices
Version(s): All Versions
Description:
Brokewell malware employs various techniques to compromise Android devices, including phishing attacks, malicious app installations, and exploitation of software vulnerabilities. It relies on social engineering to deceive users into downloading and installing malicious content. Once installed, it operates stealthily in the background, evading detection by security software, and allows attackers to:
- Execute arbitrary commands.
- Steal sensitive data, including personal and financial information.
- Intercept and monitor user activity and communications.
- Record audio and capture screenshots.
Consequences:
The consequences of this malware include, but are not limited to:
- Theft of personal and financial information.
- Financial losses.
- Compromise of sensitive credentials, including usernames and passwords.
- Unauthorized access to device functions and data.
- Potential for further malware distribution or exploitation of compromised devices in botnet operations.
- Loss of privacy and confidentiality.
Solution:
To mitigate the risks associated with this malware, it is highly recommended that users take the following steps:
- Keep Software Updated: Ensure that the Android operating system, apps, and security patches are regularly updated to address known vulnerabilities and security flaws.
- Exercise Caution: Avoid downloading apps or clicking on links from unknown or untrusted sources. Stick to official app stores like Google Play and carefully review app permissions before installation.
- Enable Security Features: Activate built-in security features, such as Google Play Protect, to scan apps for potential threats and Verify Apps to identify potentially harmful applications.
- Inform Users: Educate users about the risks of downloading and installing apps from unreliable sources and advise them to exercise caution when clicking on links or downloading attachments from unknown senders.
- Back Up Data: Regularly back up important data stored on your Android device to an external drive or to cloud storage. In the event of a malware infection or data breach, having backups ensures that critical information can be restored without
References:
- https://www.tomsguide.com/computing/malware-adware/new-brokewell-malware-targets-android-users-with-fake-google-chrome-updates
- https://www.bleepingcomputer.com/news/security/new-brokewell-malware-takes-over-android-devices-steals-data
- https://thehackernews.com/2024/04/new-brokewell-android-malware-spread.html
- https://www.securityweek.com/powerful-brokewell-android-trojan-allows-attackers-to-takeover-devices/
- https://cyware.com/news/new-brokewell-malware-takes-over-android-devices-steals-data-35448cbe/
Advisory ID: ngCERT-2024-0011
Summary:
A new version of the Vultur banking trojan, posing as security, authenticator or productivity apps to steal sensitive data and gain total control over compromised Android devices, has been discovered. The malware has been embedded in over 800 apps on the Google Play Store and many Android devices have been compromised. This latest version of the malware includes more advanced remote-control capabilities and an improved evasion mechanism, enabling its operators to remotely interact with a mobile device and harvest sensitive data. This type of attack relies on "smishing" (SMS phishing) and phone calls to trick targets into installing a version of the malware. Additionally, it can also be distributed via trojanized dropper apps known as Brunhilda.
Damage/Probability: HIGH/HIGH
Platform(s): Android
Description:
The infection chain begins with the victim receiving an SMS message alerting them to an unauthorised transaction and instructing them to call a provided number for guidance. As the victim follows the instructions, the call is answered by a fraudster who then persuades the victim to open a link that arrives in a second SMS. Clicking on this link directs the victim to a site that offers a fake version of a security app such as the McAfee app, or of other apps such as My Finances Tracker, RecoverFiles, Zetter Authenticator, etc. Once the app is installed, the fake app decrypts and executes three Vultur-related payloads (two APKs and a DEX file) that obtain access to the Accessibility Services, initialise the remote-control systems and establish a connection with the command and control (C2) server. In a second infection chain, the malware has been observed being distributed via trojanized dropper apps on the Google Play Store, masquerading as authenticator and productivity apps to trick unwitting users into installing them. The dropper framework called Brunhilda is used to deploy Vultur via three payloads, the last two designed to invoke each other's functionality.
Consequences:
Successful installation of this malware on any Android device will allow the attacker to:
- Remotely interact with the infected device, including carrying out clicks, scrolls, and swipes, through Android's accessibility services, as well as download, upload, delete, install, and find files on the device.
- Steal sensitive financial information to carry out transactions on the victim's devices.
- Use the services to prevent victims from deleting the malicious app via traditional measures. Specifically, whenever the user tries to access the app details screen in the Android settings, Vultur automatically clicks the back button which blocks the user from accessing the uninstall button.
- Prevent the user from interacting with legitimate applications on the device, which are defined in a list provided by the attacker.
Solution:
It is therefore recommended that Android users should:
- Avoid calling numbers provided in unsolicited messages or emails.
- Be cautious of links in messages or emails, especially those related to financial transactions.
- Install apps only from trusted sources like the Google Play Store.
- Keep Android device and apps updated to the latest versions.
- Use antivirus software and keep it updated to detect and remove malware.
- Regularly review financial transactions for any unauthorized activity and report it.
References:
Advisory ID: NCC-CSIRT-150424-007
Summary:
Recent reports indicate that a sophisticated mercenary spyware has attacked iPhone users. This attack, distributed through deceptive links and vulnerabilities in software, has capabilities for extensive surveillance, including accessing messages, call logs, emails, and even activating cameras and microphones without user consent.
Threat Type(s): Spyware
Impact/Vulnerability: CRITICAL/HIGH
Product(s): iPhones
Platform(s): iOS Devices
Version(s): All Versions
Description:
The spyware, referred to as "Pegasus," exploits several vulnerabilities in the iOS ecosystem, making it possible to install without the victim's knowledge. Once installed, it provides the attacker with unprecedented access to personal data, allowing real-time and historical tracking of the victim's activities. The software can evade typical security measures and is capable of self-deletion to avoid detection, making it extremely dangerous and stealthy.
Consequences:
The consequences of this spyware attack include, but are not limited to:
- Unauthorized access to personal data, including messages, photos, and contacts.
- Monitoring of communications and activities, jeopardizing privacy and confidentiality.
- Potential for financial loss, identity theft, or blackmail.
- Compromised device security, leading to broader system vulnerabilities.
Solution:
To mitigate the risks associated with these vulnerabilities, it is highly recommended that users take the following steps:
- Update Devices: Users should immediately update their iOS devices to the latest version to patch any known vulnerabilities.
- Enhanced Security Practices: Employ robust security solutions, including VPNs and end-to-end encryption apps.
- Awareness and Education: Users should be educated on the signs of potential spyware infection and the importance of avoiding suspicious links and downloads.
- Report Suspicious Activity: Promptly report any unusual behavior or unauthorized access to IT security professionals.
- Exercise Caution: Avoid clicking on suspicious links or downloading apps from untrusted sources.
References:
- https://support.apple.com/en-in/102174
- https://www.bleepingcomputer.com/news/security/apple-mercenary-spyware-attacks-target-iphone-users-in-92-countries/#google_vignette
- https://www.gsmarena.com/apple_warns_users_in_over_90_countries_on_mercenary_spyware_attacks-news-62396.php
- https://www.techrepublic.com/article/apple-threat-notifications-mercenary-spyware/