Advisory ID: NCC-CSIRT-2025-022
Summary:
Security researchers report that the Aisuru botnet, a powerful Mirai/TurboMirai-class IoT botnet behind multiple record-scale DDoS attacks in 2025, has been retooled from covert DDoS operations into a profitable residential-proxy service model. Instead of solely launching volumetric attacks, Aisuru operators are now renting access to hundreds of thousands of compromised IoT devices as residential proxies, enabling customers (criminal and legitimate alike) to anonymize and route traffic through infected home devices. This pivot enhances the botnet’s longevity and profitability while making malicious traffic more difficult to attribute and block.
Damage/Probability: Critical/High
Product(s):
- Consumer and small-office/home (SOHO) routers and gateways
- Internet of Things (IoT) devices (IP cameras, DVRs, home gateways, routers)
- Residential broadband CPE and unmanaged devices
Version(s):
Not version-specific, affects a wide range of unpatched/poorly secured IoT firmware and consumer router firmware versions.
Platform(s):
- Home and small-office networks
- ISP access networks
- Proxy resale marketplaces that can consume residential proxy capacity.
Description:
Aisuru is a Mirai-family/TurboMirai-class botnet that has previously been observed launching record-breaking DDoS attacks by enlisting large numbers of insecure IoT devices. Recent telemetry and reporting indicate the operator(s) have added modules and management infrastructure to enable proxy services on infected devices. Compromised devices are exposed as SOCKS/HTTP proxies or otherwise configured to relay arbitrary traffic for paying customers. The botnet retains high-volume DDoS capabilities but now offers a lower-visibility revenue stream, residential proxy rentals, which is attractive to a broad range of cybercriminal activities, including credential stuffing, ad fraud, web scraping, and evading geofencing or content takedowns.
Technical indicators observed across vendor telemetry include unusual outbound connections on proxy ports to customer controllers, persistent processes or scripts on consumer CPE performing proxying, rotation of proxy endpoints to avoid IP blocks, and reuse of known Mirai-style infection vectors (default/weak credentials, exposed administrative interfaces). Netscout/ASERT and other industry teams reported significant outbound DDoS traffic originating from end-customer devices earlier in 2025 and have documented the observable shift in operator behaviour toward proxy monetization.
Impacts:
- Large, persistent pools of geographically diverse residential IPs for criminals to anonymize and scale malicious campaigns (fraud, credential stuffing, ad-fraud, scraping).
- Increased difficulty for defenders and law enforcement to attribute malicious activity because traffic originates from legitimate residential IP addresses.
- Continued capability to mount massive DDoS attacks when operators choose to, while also monetizing assets via proxy rentals.
- Operational impact on ISPs and customers: bandwidth saturation, degraded service, and reputational exposure of affected subscribers.
Solutions:
NCC-CSIRT recommends the following mitigation steps:
- Monitor CPE for unusual outbound connections or proxy port activity (1080, 3128, 8080).
- Detect abnormal high-volume upstream traffic and excessive concurrent sessions.
- Use threat intelligence (e.g., Netscout ASERT, X-Lab) to identify Aisuru indicators.
- Block or throttle connections to known C2 and proxy domains.
- Push firmware updates and advise customers to secure or replace vulnerable IoT devices.
- Enforce strong authentication (MFA, rate limits) and monitor for proxy-like traffic patterns.
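The monitoring steps above can be turned into a flow-level triage routine that scores each subscriber address against the three signals named (proxy-port connections, upstream volume, concurrent sessions). The following is an added example, not part of the NCC-CSIRT advisory; the flow records, thresholds and 10.x/203.0.113.x addresses are constructed for illustration.

```python
"""Flag subscriber CPE/IoT hosts whose outbound flows look like residential-proxy
relaying: repeated connections to proxy ports, unusually high upstream volume, or
too many concurrent sessions. The flow records at the bottom are constructed."""
from collections import defaultdict
from dataclasses import dataclass

PROXY_PORTS = {1080, 3128, 8080}   # ports named in the advisory's monitoring step
# Assumed per-subscriber thresholds for one monitoring window; tune to the ISP baseline.
MAX_UPSTREAM_BYTES, MAX_CONCURRENT, MIN_PROXY_PORT_HITS = 500_000_000, 200, 3

@dataclass
class Flow:
    ts: int          # flow start, epoch seconds
    src: str         # subscriber-side (CPE) address
    dst: str
    dport: int
    bytes_out: int   # upstream bytes sent by src
    dur: int         # flow duration in seconds

def per_source_totals(flows):
    """Count proxy-port connections and sum upstream bytes for each source."""
    hits, totals = defaultdict(int), defaultdict(int)
    for f in flows:
        hits[f.src] += f.dport in PROXY_PORTS   # bool counts as 0/1
        totals[f.src] += f.bytes_out
    return hits, totals

def peak_concurrency(flows):
    """Sweep-line count of the most flows open at any one instant, per source."""
    events = defaultdict(list)
    for f in flows:
        events[f.src].append((f.ts, 1))
        events[f.src].append((f.ts + f.dur, -1))   # -1 sorts first: end before start
    peaks = {}
    for src, ev in events.items():
        cur = peak = 0
        for _, delta in sorted(ev):
            cur += delta
            peak = max(peak, cur)
        peaks[src] = peak
    return peaks

def suspicious_hosts(flows):
    """Map each flagged source address to the reasons it tripped a threshold."""
    (hits, up), conc = per_source_totals(flows), peak_concurrency(flows)
    verdicts = {}
    for src in sorted({f.src for f in flows}):
        reasons = []
        if hits[src] >= MIN_PROXY_PORT_HITS:
            reasons.append(f"{hits[src]} connections to proxy ports")
        if up[src] > MAX_UPSTREAM_BYTES:
            reasons.append(f"{up[src]} upstream bytes in window")
        if conc[src] > MAX_CONCURRENT:
            reasons.append(f"{conc[src]} concurrent sessions")
        if reasons:
            verdicts[src] = reasons
    return verdicts

# Constructed flows: a normal subscriber, one relaying via SOCKS port 1080, one saturating upstream.
SAMPLE_FLOWS = (
    [Flow(100 + i, "10.0.0.5", "203.0.113.10", 443, 4_000, 20) for i in range(3)]
    + [Flow(100 + i, "10.0.0.9", f"198.51.100.{i}", 1080, 50, 30) for i in range(5)]
    + [Flow(100, "10.0.0.7", f"192.0.2.{i}", 443, 3_000_000, 60) for i in range(250)]
)
```

Run `suspicious_hosts(SAMPLE_FLOWS)` to see the two flagged subscribers with their reasons; in production the thresholds should come from a per-plan baseline rather than fixed constants.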
References:
- https://krebsonsecurity.com/2025/10/aisuru-botnet-shifts-from-ddos-to-residential-proxies/
- https://www.netscout.com/blog/asert/asert-threat-summary-aisuru-and-related-turbomirai-botnet-ddos
- https://securityaffairs.com/183969/malware/aisuru-botnet-is-behind-record-20tb-sec-ddos-attacks.html
- https://www.securityweek.com/turbomirai-class-aisuru-botnet-blamed-for-20-tbps-ddos-attacks/
- https://www.csoonline.com/article/4071594/aisurus-30-tbps-botnet-traffic-crashes-through-major-us-isps.html
Advisory ID: NCC-CSIRT-2025-021
Summary:
Researchers have discovered a self-propagating malware campaign called SORVEPOTEL, which spreads primarily through WhatsApp messages containing malicious ZIP attachments, and occasionally via email. Once executed, the malware can harvest sensitive data, monitor browser activity, take control of WhatsApp sessions, and automatically forward the infected ZIP file to a victim’s contacts, allowing it to spread rapidly.
The campaign has recorded hundreds of infections, with initial impact concentrated in Brazil, targeting organizations in the manufacturing, banking, education, technology, and construction sectors. Brazilian authorities warn that the malware could evolve to target sensitive government systems, raising concerns about broader regional and international implications.
Damage/Probability: Critical/High
Product(s):
- WhatsApp (Web/Desktop sessions exploited for propagation)
- Microsoft Windows endpoints (primary infection targets)
- Email clients (alternative delivery channels)
Version(s):
Not version-specific, affects a wide range of unpatched/poorly secured IoT firmware and consumer router firmware versions.
Platform(s):
- Windows desktop/laptop environments
- Corporate workstations
- Devices linked to WhatsApp Web accessed through a web browser on Windows systems.
Description:
The SORVEPOTEL malware is distributed through phishing messages sent from compromised WhatsApp accounts or emails that include ZIP attachments disguised as invoices, receipts, or forms. When opened, these files execute a .NET-based loader (e.g., Maverick.StageTwo), which installs the main payload (Maverick.Agent).
The malware establishes persistence through batch scripts and scheduled tasks, monitors browser activity for a list of financial websites, and communicates with command-and-control (C2) servers for further instructions. Critically, it abuses WhatsApp Web/Desktop sessions on infected systems to automatically send the malicious ZIP file to the victim’s contact list, enabling self-spreading propagation.
Although currently focused in Brazil, researchers caution that the malware’s modular structure could be easily adapted to target users in other regions, including West Africa. Its tactics of social engineering, data theft, and automated messaging are consistent with methods observed in regional financial and government-targeted cyber campaigns.
Impacts:
- Theft of credentials and session tokens from browsers and financial platforms.
- Rapid lateral spread through trusted WhatsApp contacts.
- Compromise of sensitive data, including government and corporate information.
- Disruption of operations and potential reputational damage.
Detection & Indication of Compromise (IoCs):
- Unexpected WhatsApp messages from known contacts containing ZIP attachments.
- Suspicious .NET executables appearing in “Downloads” or “Temp” folders.
- New batch scripts or scheduled tasks created after ZIP extraction.
- High-volume outbound WhatsApp Web traffic from a desktop device.
- Unusual connections to unrecognized domains following ZIP execution.
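The scheduled-task and folder IoCs above can be hunted together with one correlation: tasks registered shortly after a ZIP was extracted whose action runs a script or binary from Downloads/Temp. The following is an added example, not from the advisory or the researchers it cites; it assumes Windows Security event 4698 records exported from a SIEM, and the task names, paths and timestamps are constructed.

```python
"""Hunt for scheduled tasks created shortly after a ZIP was extracted whose action
runs a batch script or executable from a Downloads/Temp folder (the advisory's IoCs).
Input is a constructed list of Windows Security event 4698 records ('A scheduled
task was created'); in practice these come from a SIEM or EDR export."""
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SUSPICIOUS_PATH = re.compile(r"\\(downloads|temp)\\", re.IGNORECASE)
SUSPICIOUS_EXT = re.compile(r"\.(bat|cmd|exe|dll)\b", re.IGNORECASE)
WINDOW = timedelta(minutes=10)   # assumed: task registered within 10 minutes of extraction

def task_actions(task_xml):
    """Return (command, arguments) pairs from the TaskContent XML of a 4698 event."""
    root = ET.fromstring(task_xml)
    return [(ex.findtext("t:Command", default="", namespaces=TASK_NS),
             ex.findtext("t:Arguments", default="", namespaces=TASK_NS))
            for ex in root.findall(".//t:Actions/t:Exec", TASK_NS)]

def is_suspicious_action(cmd, args):
    """True when the action references a script/binary under Downloads or Temp."""
    line = f"{cmd} {args}"
    return bool(SUSPICIOUS_PATH.search(line) and SUSPICIOUS_EXT.search(line))

def hunt(events, zip_extracted_at):
    """events: dicts with 'time' (datetime), 'task_name', 'task_content' (XML string)."""
    findings = []
    for ev in events:
        if not (zip_extracted_at <= ev["time"] <= zip_extracted_at + WINDOW):
            continue
        for cmd, args in task_actions(ev["task_content"]):
            if is_suspicious_action(cmd, args):
                findings.append((ev["task_name"], f"{cmd} {args}".strip()))
    return findings

def _task_xml(command, arguments=""):
    """Minimal TaskContent in the real Task Scheduler schema (constructed samples only)."""
    return (f'<Task xmlns="{TASK_NS["t"]}"><Actions><Exec><Command>{command}</Command>'
            f"<Arguments>{arguments}</Arguments></Exec></Actions></Task>")

T0 = datetime(2025, 10, 14, 9, 0, 0)   # constructed ZIP extraction time from file-system telemetry
SAMPLE_EVENTS = [
    {"time": T0 + timedelta(minutes=2), "task_name": r"\Update_Check",
     "task_content": _task_xml(r"C:\Users\ana\AppData\Local\Temp\run.bat")},
    {"time": T0 + timedelta(minutes=3), "task_name": r"\Chrome_Sync",
     "task_content": _task_xml("cmd.exe", r"/c C:\Users\ana\Downloads\invoice.exe")},
    {"time": T0 + timedelta(minutes=1), "task_name": r"\OneDrive Standalone Update",
     "task_content": _task_xml(r"C:\Program Files\Microsoft OneDrive\OneDriveStandaloneUpdater.exe")},
    {"time": T0 + timedelta(hours=3), "task_name": r"\Backup",
     "task_content": _task_xml(r"C:\Users\ana\Downloads\old.bat")},   # outside the window
]
```

`hunt(SAMPLE_EVENTS, T0)` returns the two tasks that match both the timing and the path criteria; the benign OneDrive task and the late Backup task are left alone.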
Solutions:
- User Awareness: Do not open ZIP attachments from WhatsApp or email unless verified independently.
- Session Control: Immediately log out of all active WhatsApp Web/Desktop sessions after any suspicious activity.
- Endpoint Protection: Update antivirus and EDR signatures; quarantine any identified infections.
- System Hardening: Restrict execution of unsigned scripts or .NET binaries; apply OS and browser patches.
- Containment: Isolate compromised hosts and review browser and WhatsApp activity logs.
- Messaging Controls: Implement attachment filtering for email and monitor corporate WhatsApp channels.
- Include WhatsApp-based social engineering in security awareness and phishing simulations.
- Instruct SOC teams to monitor for malware families linked to the Maverick loader.
- Strengthen endpoint and network segmentation to limit lateral spread.
- Share any identified IOCs with NCC-CSIRT and relevant national CERTs for coordinated response.
References:
- https://ithelp.harrisburgu.edu/support/discussions/topics/44001025903
- https://kudelskisecurity.com/research/sorvepotel-self-propagating-malware-spreading-via-whatsapp
- https://thehackernews.com/2025/10/researchers-warn-of-self-spreading.html
- https://cybersecuritynews.com/threat-actors-attack-windows-systems-with-sorvepotel-malware/
- https://www.trendmicro.com/en_us/research/25/j/self-propagating-malware-spreads-via-whatsapp.html
Advisory ID: ngCERT-2025-100010
SUMMARY
ngCERT writes to alert on the exploitation of vulnerabilities in F5 Devices and Networks by threat actors. Notably, the threat actors compromised F5’s systems and exfiltrated files, including a portion of its BIG-IP source code and vulnerability information, enabling targeted exploits for credential access and network infiltration. The attack has implications for data exfiltration, financial losses and reputational damage. Reportedly, these vulnerabilities pose an imminent threat to government networks and organisations using F5 products, with no specific CVEs disclosed. It is worth noting that F5 rotated signing certificates and keys in October 2025 to address risks from the breach. Thus, ngCERT urges all government agencies and organizations using F5 products to act promptly to prevent compromise of their systems and networks.
Damage: Critical
Probability: High
Platform(s): F5’s BIG-IP development and engineering platforms
DESCRIPTION
The breach, exploited through vulnerable internet-exposed software due to non-compliance with F5's own security guidelines, allowed long-term access to development and engineering platforms. Exfiltrated data includes BIG-IP source code and vulnerability information, facilitating static/dynamic analysis for flaws, exploit development, and access to embedded credentials/API keys. No specific CVEs have been disclosed yet, but the incident is related to F5's October 2025 Quarterly Security Notification and certificate/key rotation. Affected products include F5 BIG-IP hardware devices, F5OS, BIG-IP TMOS, Virtual Edition, BIG-IP Next, BIG-IQ software, and BNK/CNF, with risks amplified for end-of-support devices. Exploitation requires no user interaction and can be remote if devices are internet-exposed. No public PoC exists, but the actor's knowledge increases the exploitation likelihood.
CONSEQUENCES
Successful exploitation of F5 vulnerabilities could result in:
- Credential access and network infiltration through exploits targeted using the exfiltrated source code and vulnerability information.
- Data exfiltration.
- Financial losses.
- Reputational damage.
SOLUTION/MITIGATION
ngCERT recommends the following:
- Inventory and Assessment: Identify all F5 products (hardware, software, virtualised); conduct compromise assessments on internet-exposed management interfaces.
- Apply Updates and Patches: Install the latest F5 security updates from the October 2025 Quarterly Notification, validating MD5 checksums; prioritize for key products by October 22, 2025, and others by October 31, 2025.
- Certificate and Key Rotation: Rotate F5-associated digital certificates and keys per guidance; update BIG-IP image verification processes to recognise new signing keys.
- Harden Systems: Restrict management access, follow F5 hardening best practices such as K53108777 and disconnect or replace end-of-support devices.
- Monitoring and Reporting: Perform continuous threat hunting and report suspected compromises to ngCERT.
HYPERLINK
- https://www.cisa.gov/news-events/directives/ed-26-01-mitigate-vulnerabilities-f5-devices
- https://www.ncsc.gov.uk/news/confirmed-compromise-f5-network
- Chinese Hackers Blamed for Severe Breach at US Cyber Firm F5 - Bloomberg
- Confirmed compromise of F5 network - NCSC.GOV.UK
- F5 signing certificate and key rotation, October 2025
TLP: CLEAR - [ngCERT SECURITY ADVISORY EXPLOITATION OF NEW ZERO-DAY VULNERABILITIES IN WINDOWS SYSTEMS]
Advisory ID: ngCERT-2025-100009
SUMMARY
ngCERT cautions on active exploitation of zero-day vulnerabilities in the Windows Remote Access Connection Manager (RasMan) and Windows Agere Modem Driver services, tracked as CVE-2025-59230 and CVE-2025-24990. Both flaws are elevation of privilege (EoP) vulnerabilities stemming from improper access control, allowing local attackers to escalate to SYSTEM-level privileges. Notably, other privilege escalation vulnerabilities have been identified as CVE-2025-49708 and CVE-2025-55315, with CVSS scores of 9.9. Although these vulnerabilities were addressed in Microsoft's October 2025 Patch Tuesday updates, Windows system users remain at high risk of compromise and attack. The ongoing exploitation of these vulnerabilities by attackers underscores the critical need for organizations to deploy security patches without delay.
Damage: Critical (CVSS Score: 7.8)
Probability: High
Platform(s): Windows System (Remote Access Connection Manager and Windows Agere Modem Driver)
DESCRIPTION
The attack chain for CVE-2025-59230 begins when an attacker obtains low-privilege local access, often through phishing, malware, or social engineering. The attacker then sends specially crafted requests to the RasMan service, which manages remote network connections. Due to improper access controls, these requests bypass restrictions, allowing arbitrary code execution and escalation to SYSTEM privileges. This grants full system control, including data manipulation and persistence, and functional exploit code has been observed in the wild.
For CVE-2025-24990, exploitation likewise begins with low-privilege local access on a system where the Agere modem driver is present (it ships by default in supported Windows versions, even without the corresponding hardware). The attacker interacts with the driver to trigger an untrusted pointer dereference that manipulates kernel memory, leading to arbitrary code execution in kernel mode and escalation to administrator or SYSTEM privileges. The chain can be combined with other flaws, such as CVE-2025-24052, for broader attacks like ransomware deployment, and also affects legacy fax modem setups.
CONSEQUENCES
Successful exploitation of the aforementioned flaws can result in:
- Full system compromise.
- Data breaches.
- Malware infiltration.
- Data deletion and exfiltration.
- Ransomware deployment and attack.
- Financial losses.
- Reputational damage.
SOLUTION/MITIGATION
ngCERT recommends the following:
- Immediately apply Microsoft's October 2025 security updates, followed by a system restart.
- For CVE-2025-59230, disable the RasMan service if not needed for remote access or VPN.
- Monitor logs for suspicious privilege escalations using tools like Sysmon or EDR.
- For CVE-2025-24990, audit and remove dependencies on Agere Modem hardware.
- Disable fax modem functionality through Group Policy if patching is delayed.
- Restrict local logons to trusted accounts and implement least-privilege principles with AppLocker or Device Guard.
- Conduct vulnerability scans to identify exposed systems.
HYPERLINK
Advisory ID: ngCERT-2025-100008
SUMMARY
ngCERT has observed a growing dependence on SSL/TLS (Secure Sockets Layer/Transport Layer Security) protocols, which are essential for securing data transmission across digital networks, particularly the internet. While SSL, introduced in the 1990s, has been deprecated due to significant security flaws, TLS, currently at version 1.3, serves as the modern, robust standard. TLS secures communication by encrypting data, authenticating parties through digital certificates, and ensuring data integrity via a secure handshake process that negotiates cryptographic parameters and exchanges keys. Beyond its role in securing websites (HTTPS), TLS also protects email, VoIP, messaging applications, and VPNs. Proper implementation is critical to defending sensitive information such as login credentials, financial data, and personal records from threats like man-in-the-middle attacks, data interception, and protocol downgrades. ngCERT advises organisations to disable outdated protocols (SSL, TLS 1.0/1.1), enforce strong cipher suites, maintain up-to-date systems, and use valid, trusted digital certificates to reduce risk and ensure secure communications.
Damage: Critical
Probability: High
Platform(s): Web
DESCRIPTION
SSL/TLS (Secure Sockets Layer/Transport Layer Security) are cryptographic protocols fundamental to securing data transmission over digital networks by providing confidentiality, authentication, and data integrity. SSL, developed in the 1990s, was widely used but is now obsolete due to inherent vulnerabilities. It has been replaced by TLS, which is the current industry standard. TLS protects data by encrypting information transmitted between clients and servers, verifying identities using digital certificates issued by trusted Certificate Authorities (CAs), and ensuring that data is not modified during transit. The process begins with a TLS handshake in which both parties agree on supported cryptographic algorithms (cipher suites), exchange keys securely, and establish a session key for encrypted communication. TLS 1.3, the latest version, improves security by removing insecure algorithms, reducing handshake latency, and simplifying protocol operations. TLS underpins the security of a wide range of services including HTTPS websites, secure email (SMTP, IMAP, POP3), VPNs, VoIP, and messaging apps. As online services increasingly handle sensitive information, TLS plays a vital role in defending against cyber threats such as man-in-the-middle attacks, certificate spoofing, protocol downgrade attacks, and data interception. It is a cornerstone of modern digital security and privacy in today's interconnected world.
CONSEQUENCES
- Data Exposure: Unencrypted or improperly secured transmissions may allow attackers to intercept passwords, personal data, and financial details.
- Man-in-the-Middle (MitM) Attacks: Attackers can intercept or manipulate data by impersonating legitimate communication endpoints.
- Protocol Downgrade Attacks: Attackers may force connections to use outdated and vulnerable SSL/TLS versions.
- Certificate Issues: Use of expired, misissued, or untrusted certificates can cause service disruptions and trigger browser warnings.
- Loss of User Trust: Security incidents can damage brand reputation and reduce customer confidence in digital services.
- Regulatory Non-Compliance: Inadequate data protection may violate laws such as GDPR, HIPAA, or PCI-DSS, leading to penalties.
- Financial Loss: Breaches and compliance failures can result in legal costs, fines, and lost revenue.
- Compromised Integrity: Data may be altered in transit without detection, causing misinformation or injecting malicious payloads.
- Service Disruption: Exploited vulnerabilities in SSL/TLS implementations can result in denial-of-service or related attacks.
SOLUTION/MITIGATION
ngCERT recommends the following:
- Use Latest TLS Versions: Disable SSL, TLS 1.0, and TLS 1.1; enforce TLS 1.2 or TLS 1.3 for all encrypted communications.
- Implement Strong Cipher Suites: Use modern, secure encryption algorithms; avoid outdated or weak ciphers such as RC4, DES, or MD5.
- Obtain Certificates from Trusted CAs: Ensure all digital certificates are issued by reputable Certificate Authorities.
- Regularly Renew and Manage Certificates: Track certificate expiration dates and renew or revoke them as needed to avoid security lapses.
- Enable Certificate Validation: Ensure clients validate server certificates to detect spoofed or forged certificates.
- Use Certificate Pinning (Where Applicable): Bind clients to specific, trusted certificates to prevent impersonation attacks.
- Keep Software Up to Date: Regularly patch TLS libraries (e.g., OpenSSL), web servers, and dependent applications.
- Perform Regular Security Audits: Conduct vulnerability assessments and penetration tests focused on TLS configurations.
- Enforce HTTP Strict Transport Security (HSTS): Mandate HTTPS-only connections to prevent downgrade attacks and mixed-content issues.
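The version, cipher-suite and certificate recommendations above, as an added example that is not part of the ngCERT advisory: a hardened Python client context beside a deliberately weak one, a policy audit that works on either, and a renewal check for certificate expiry. The cipher-suite list and dates at the bottom are constructed; probe() is the only function that touches the network.

```python
"""Hardened vs legacy TLS client contexts, and policy checks for cipher suites,
protocol floor and certificate expiry. Python standard library only; the weak
cipher names below are constructed scan output, not from a real host."""
import socket
import ssl
from datetime import datetime, timedelta, timezone

# Algorithms the advisory names as weak (RC4, DES, MD5) plus other legacy markers.
WEAK_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXPORT", "ADH", "AECDH")

def weak_ciphers(names):
    """Return the cipher-suite names (OpenSSL or IANA form) that match a weak marker."""
    return [n for n in names if any(m in n.upper() for m in WEAK_MARKERS)]

def hardened_client_context():
    """TLS 1.2+ only, forward-secret AEAD suites, full certificate and hostname validation."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5:!RC4:!3DES")
    return ctx

def legacy_client_context():
    """The weak setting beside the corrected one: no version floor, no validation."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx

def audit_context(ctx):
    """List policy violations in an SSLContext; an empty list means compliant."""
    problems = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:   # SSL, TLS 1.0 or 1.1 allowed
        problems.append("deprecated protocol versions allowed")
    if ctx.verify_mode == ssl.CERT_NONE:
        problems.append("server certificate not validated")
    weak = weak_ciphers(c["name"] for c in ctx.get_ciphers())
    if weak:
        problems.append("weak ciphers enabled: " + ", ".join(weak))
    return problems

def certificate_status(not_after, now, warn_days=30):
    """Renewal tracking: 'expired', 'renew-soon' (within warn_days) or 'ok'."""
    remaining = not_after - now
    if remaining <= timedelta(0):
        return "expired"
    if remaining <= timedelta(days=warn_days):
        return "renew-soon"
    return "ok"

def probe(host, port=443, timeout=5):
    """Network check: negotiated version, cipher and certificate status for a host."""
    ctx = hardened_client_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            expiry = datetime.fromtimestamp(
                ssl.cert_time_to_seconds(tls.getpeercert()["notAfter"]), tz=timezone.utc)
            return tls.version(), tls.cipher()[0], certificate_status(expiry, datetime.now(timezone.utc))

# Constructed scan output and dates, as a scanner or inventory might report them.
SCANNED_SUITES = ["TLS_RSA_WITH_RC4_128_MD5", "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
                  "ECDHE-RSA-AES128-GCM-SHA256", "TLS_AES_256_GCM_SHA384"]
SAMPLE_NOW = datetime(2025, 10, 20, tzinfo=timezone.utc)
SAMPLE_NOT_AFTER = datetime(2025, 11, 1, tzinfo=timezone.utc)
```

A server-side equivalent applies the same floor and cipher string to the web server or TLS library configuration; `audit_context` is a quick regression check that a client-side deployment has not silently re-enabled legacy versions.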
HYPERLINK
- www.acunetix.com/blog/articles/tls-vulnerabilities-attacks-final-part/
- www.freecodecamp.org/news/attacks-on-ssl-tls-and-how-to-protect-your-system/
- certera.com/blog/common-ssl-tls-challenges-issues-attacks-to-exploits/
- akimbocore.com/article/hardening-ssl-tls-common-ssl-security-issues-vulnerabilities/
- TLP: CLEAR - [ngCERT SECURITY ADVISORY ON NEW PIXNAPPING ATTACK STEALING 2FA CODES AND SENSITIVE DATA ON ANDROID DEVICES]
- TLP: CLEAR - New Exploited Bugs Land in Cybersecurity and Infrastructure Security Agency (CISA)’s Catalogue, Oracle and Microsoft Among Targets
- ngCERT SECURITY ADVISORY ON CRITICAL VULNERABILITY AFFECTING ORACLE E-BUSINESS SUITE
- ngCERT SECURITY ADVISORY ON RESURGENCE OF SOGU AKA PLUGX MALWARE INFILTRATIONS