Advisory ID: ngCERT-2025-050014
Probability: High
Damage: Critical
Platform(s): Web Application
SUMMARY
ngCERT is aware of a critical vulnerability referred to as the Directory Traversal vulnerability. Directory Traversal, also known as Path Traversal or directory climbing, is a web application server flaw that enables attackers to gain unauthorized access to files and directories on a server by manipulating file paths. This flaw arises from weak input validation, which allows attackers to navigate outside the designated directory structure. The severity of the impact varies; however, it often results in significant consequences such as data breaches or unauthorised system access. Following best practices such as regular vulnerability testing, code audits, and access control is essential to prevent exploitation.
DESCRIPTION
Directory Traversal is a security vulnerability in web application servers that is exploited over HTTP. It arises from weak input validation or insecure file-handling practices and allows an attacker to manipulate file paths, gaining access to directories and files outside the designated directory structure on a web server. Attackers exploit it by inserting sequences such as “../” (Unix) or “..\” (Windows) into URL paths or parameters to walk through the server’s file system and retrieve sensitive information, such as configuration or password files, or other critical data. Directory Traversal can lead to the exposure of sensitive system or application details, unauthorized access to restricted files, and further attacks that compromise the server or other connected systems.
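As an added illustration (example code, not part of the advisory), the weak join-and-trust pattern described above beside a hardened path-resolution check that canonicalises the path and refuses anything outside the document root; the root /srv/app/public and the function names are assumptions for the example.

```python
import os

# Constructed document root for the example (assumed, not from the advisory).
DOC_ROOT = "/srv/app/public"


def naive_resolve(user_path: str, root: str = DOC_ROOT) -> str:
    """The weak pattern: join the client-supplied path onto the root and
    trust the result; '../' segments simply walk back out of the root."""
    return os.path.normpath(os.path.join(root, user_path))


def safe_resolve(user_path: str, root: str = DOC_ROOT) -> str:
    """Hardened resolution: canonicalise, then refuse anything that does
    not stay under the document root. Raises ValueError on traversal.
    Run this on the fully URL-decoded path, after the framework has
    decoded %2e%2e and similar encodings."""
    # Treat backslashes as separators so a Windows-style '..\' sequence is
    # normalised like '../' even when the application runs on Unix.
    candidate = user_path.replace("\\", "/")
    if os.path.isabs(candidate) or "\x00" in candidate:
        raise ValueError("absolute path or NUL byte rejected")
    root_real = os.path.realpath(root)
    target = os.path.realpath(os.path.join(root_real, candidate))
    # commonpath compares whole components, so a sibling directory such as
    # /srv/app/public_old is rejected as well, not just '..' escapes.
    if os.path.commonpath([root_real, target]) != root_real:
        raise ValueError(f"path escapes document root: {user_path!r}")
    return target


def is_traversal(user_path: str, root: str = DOC_ROOT) -> bool:
    """Predicate form, convenient for request filters or log review."""
    try:
        safe_resolve(user_path, root)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for p in ["docs/readme.txt", "../../etc/passwd", "..\\..\\boot.ini"]:
        print(f"{p!r:24} naive={naive_resolve(p)!r:28} traversal={is_traversal(p)}")
```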
CONSEQUENCES
Falling prey to these attacks could potentially lead to:
- Authentication Bypass: Directory traversal can be used to bypass authentication mechanisms and gain unauthorized privileges.
- Data Exposure: Confidential information, such as configuration files or user data, may be exposed.
- Unauthorized Access: Attackers gain access to sensitive files and directories.
- Data Manipulation: Attackers can modify or delete critical files, leading to service disruptions.
SOLUTION/MITIGATION
ngCERT recommends the following:
- Minimize network exposure for all control system devices and ensure that they are not accessible from the Internet.
- Locate control system networks and remote devices behind firewalls, and isolate them from the business network.
- When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version. Also, recognize that a VPN is only as secure as the connected devices.
- Perform proper impact analysis and risk assessment before deploying defensive measures.
REFERENCES
Advisory ID: ngCERT-2025-050012
Probability: High
Damage: Critical
Platform(s): Windows operating system
SUMMARY
Lumma Stealer (also known as LummaC2) is a potent and widely distributed information-stealing malware targeting Windows systems. Operated as Malware-as-a-Service (MaaS) via illicit cybercrime markets, it was recently disrupted by Microsoft in response to its escalating threat profile. Lumma Stealer poses a high risk due to its commercial availability, sophisticated evasion, broad data theft capabilities, and network propagation. Its recent disruption highlights active law enforcement attention, but residual infections and potential re-emergence remain concerns. ngCERT urges organizations to reassess their security measures and implement strategies to mitigate infection risks.
DESCRIPTION
Lumma Stealer is a fast-spreading information-stealing malware distributed via underground forums as Malware-as-a-Service (MaaS). It targets Microsoft Windows (MS-Windows) systems through phishing emails, malicious downloads, or cracked software. Once installed, it enables cybercriminals to remotely steal data.
CONSEQUENCES
KEY CHARACTERISTICS & IMPACT:
- Infection Vectors: Primarily spreads through phishing emails, malicious advertisements (malvertising), pirated software, and cracked games. Installs silently, functioning as a backdoor.
- Data Theft: Actively steals sensitive information including:
  - Login credentials (browsers, applications)
  - Financial data (banking details, cards)
  - Cryptocurrency wallet information
  - Browser cookies & session data
  - Other confidential files.
- Persistence & Evasion: Employs advanced techniques like code injection and encrypted communication with Command-and-Control (C2) servers to evade detection.
- Lateral Movement: Capable of spreading within compromised networks, amplifying damage.
- Monetisation: Stolen data is typically sold on dark web markets or used directly for financial fraud and identity theft.
Lumma Stealer poses a high risk due to its commercial availability, sophisticated evasion, broad data theft capabilities, and network propagation.
SOLUTION/MITIGATION
The following mitigations should be considered:
- User Awareness: Train staff/users to identify phishing attempts and avoid downloading pirated/cracked software.
- Endpoint Protection: Ensure robust, updated anti-malware solutions with behavioral detection capabilities.
- Network Monitoring: Implement monitoring for suspicious outbound traffic (C2 communication) and lateral movement attempts.
- Patch Management: Keep all systems and software rigorously updated.
- Least Privilege: Enforce strict access controls to limit the impact of lateral movement.
Assessment: Lumma Stealer represents a significant ongoing threat to organizational and personal data security, requiring vigilant defensive measures.
REFERENCES
Advisory ID: ngCERT-2025-050011
Probability: High
Damage: Critical
Platform(s): Cisco Routers
SUMMARY
ngCERT confirms a 30% increase in sextortion attacks (Oct 2024 – Mar 2025), with 54,000+ cases reported in 2024. Nigerian-based threat actors are extorting victims for $500–$10,000 via social/dating platforms (Instagram, WhatsApp, TikTok, Snapchat). Perpetrators use sophisticated grooming tactics to coerce explicit content, triggering cycles of financial/emotional exploitation.
DESCRIPTION
ATTACK CHAIN
- Grooming Phase: Fake profiles (attractive peers) initiate contact → Rapid trust-building via flirtation
- Content Extraction: Coercion into sharing intimate media through emotional manipulation
- Monetization: Threats to distribute content unless paid → Continued demands even after payment
CONSEQUENCES
Successful exploitation could lead to:
- Financial Ruin: Extortion cycles draining the victim's resources
- Reputational Destruction: Non-consensual sharing of private media
- Severe Psychological Trauma: Depression, anxiety, suicidal ideation
- Permanent Privacy Violation: Loss of digital autonomy.
SOLUTION/MITIGATION
For Individuals:
🔒 Prevent Exposure:
- NEVER share intimate content online, regardless of trust level
- REJECT video calls/explicit conversations with unknown contacts
- LOCK DOWN social media: Enable 2FA, set profiles to private
🚨 If Targeted:
- DO NOT PAY – Payment guarantees continued extortion
- PRESERVE EVIDENCE: Screenshot chats/profile details (DO NOT delete accounts)
- BLOCK & REPORT: Submit via ngCERT Portal
For Institutions:
🎓 Mandate Digital Literacy:
- Integrate sextortion prevention into school curricula (ages 12+)
- Train educators to identify grooming behaviours
⚖️ Enhance Law Enforcement:
- Deploy cryptocurrency tracing for ransom tracking
- Coordinate with INTERPOL for cross-border actor disruption
VICTIM SUPPORT
Immediate Assistance:
- ngCERT Hotline: 090 5555 4499
- Emergency Email: incident@cert.gov.ng
✊ Key Message: Sextortion is a crime – NOT your fault. ngCERT stands with victims.
WHY ACT NOW?
This 30% YoY surge reflects organised Nigerian cybercrime networks weaponising social platforms. Without intervention, 2025 cases will exceed 70,000. Proactive education + rapid reporting are critical to break exploitation cycles.
🔍 Behavioural Red Flags:
- Rapid escalation from casual chat to sexual topics.
- Requests to move conversations off-platform.
- "You can trust me" insistence after minimal interaction.
REFERENCES
Advisory ID: ngCERT-2025-050005
Probability: High
Damage: Critical
Platform(s): Cisco Routers
SUMMARY
ngCERT is aware of Cisco’s declaration of product End-of-Life (EoL) and End-of-Support (EoS) for Cisco Catalyst 1900, 2900, and 3900 series routers. This implies that Cisco no longer sells or supports the affected devices; hence, software/firmware updates, security patches, and bug fixes will cease. Additionally, technical support and warranty services are discontinued, while hardware replacement/services may become unavailable. The continued use of these devices is liable to introduce significant operational and security risks as well as compliance violations to enterprise and government networks. This advisory, therefore, highlights the security risks and consequences associated with the continued use of Cisco Catalyst 1900, 2900, and 3900 Series Routers and provides mitigation strategies for organizations and individuals.
DESCRIPTION
The Cisco Catalyst 1900, 2900, and 3900 routers, widely deployed in enterprise environments, have long since passed their official EoL milestones, meaning that Cisco has discontinued all software updates, security patches, and hardware support for these devices, as follows:
- Catalyst 1900 Series: End-of-Support Date - 31-May-2025
- Catalyst 2900 Series: End-of-Support Date - 31-Dec-2022
- Catalyst 3900 Series: End-of-Support Date - 31-Dec-2022
Organizations with Cisco Catalyst 1900, 2900, and 3900 series routers deployed past their EoL and EoS dates are vulnerable to known exploits such as CVE-1999-1129, CVE-2015-0586, and CVE-2017-6742, making them prime targets for malware, ransomware, and unauthorized access. Troubleshooting becomes difficult without vendor support, spare parts become scarce, and compatibility with modern protocols is limited. Additionally, as these routers age, the risk of sudden failure increases, potentially disrupting critical operations. Outdated encryption and weak authentication further expose networks to threats. The risks of maintaining these legacy systems far outweigh any perceived cost savings, making timely upgrades essential.
CONSEQUENCES
Successful exploitation could lead to:
- Unpatched Exploits: These routers do not receive security updates, making them vulnerable to known and zero-day exploits.
- Regulatory & Compliance Violations: Non-compliance with standards like PCI DSS, HIPAA, or NIST due to insecure infrastructure. This could lead to fines, audits, or loss of certifications in regulated industries.
- Operational Instability: Hardware failure risks increase due to ageing components.
- Network Performance Degradation: Poor integration with newer systems or cloud services.
- Increased Attack Surface: Devices may be targeted by automated botnets or lateral movement in APT campaigns.
SOLUTION/MITIGATION
ngCERT recommends the following:
- Immediate Device Assessment: Inventory all existing Cisco Catalyst 1900/2900/3900 routers and identify devices exposed to external networks or critical infrastructure segments.
- Replace and Upgrade to Supported Hardware: Plan and execute migration to currently supported Cisco platforms (e.g., Catalyst 9000 Series, ISR 4000 Series). Choose models that support modern standards or consider alternatives from other vendors.
- Network Segmentation & Isolation: If decommissioning is delayed, isolate these devices in a separate VLAN with strict access controls and monitor traffic for anomalies using intrusion detection systems (IDS).
- Disable unused services and interfaces: Turn off Telnet, HTTP, SNMPv1/2, and other outdated protocols in favor of SSH, HTTPS, and SNMPv3.
- Update Network Policies: Modify procurement and lifecycle management policies to decommission unsupported devices proactively.
- Align network hardware lifecycle with cybersecurity and compliance frameworks (e.g., NIST, ISO 27001).
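An added example, not from the advisory or from Cisco: a small audit that flags, in a running-config text, the legacy management services the mitigation above says to turn off (Telnet on the vty lines, the plaintext HTTP server, SNMPv1/v2c community strings) and the SSH/HTTPS settings that should be present instead. The config excerpt, hostname and regexes are constructed for the example.

```python
import re

# Constructed running-config excerpt (sample data, not from the advisory) in
# which the legacy services the advisory says to disable are still on.
SAMPLE_CONFIG = """\
hostname edge-legacy-1
ip http server
no ip http secure-server
snmp-server community public RO
snmp-server community private RW
snmp-server group NETMON v3 priv
line vty 0 4
 transport input telnet ssh
 login local
line vty 5 15
 transport input ssh
"""

# Global commands whose presence is a finding.
WEAK_GLOBALS = [
    ("plaintext HTTP management enabled", re.compile(r"^ip http server$")),
    ("SNMPv1/v2c community string configured", re.compile(r"^snmp-server community\s")),
]
# Global commands whose absence is a finding.
REQUIRED_GLOBALS = [
    ("SSH version 2 not enforced", "ip ssh version 2"),
    ("HTTPS management not enabled", "ip http secure-server"),
]


def audit_ios_config(config: str) -> list:
    """Return (finding, evidence) pairs for one IOS running-config text."""
    findings, seen, vty = [], set(), None
    for raw in config.splitlines():
        line = raw.rstrip()
        stripped = line.strip()
        if not line.startswith(" "):
            # Top-level command: remember it and check it against the weak list.
            seen.add(stripped)
            vty = stripped if re.match(r"^line vty \d+ \d+$", stripped) else None
            for name, pattern in WEAK_GLOBALS:
                if pattern.search(stripped):
                    findings.append((name, stripped))
        elif vty and re.match(r"^transport input\b.*\btelnet\b", stripped):
            # Indented sub-command of a 'line vty' block that still accepts Telnet.
            findings.append((f"Telnet accepted on {vty}", stripped))
    for name, cmd in REQUIRED_GLOBALS:
        if cmd not in seen:
            findings.append((name, f"<missing> {cmd}"))
    return findings


if __name__ == "__main__":
    for finding, evidence in audit_ios_config(SAMPLE_CONFIG):
        print(f"{finding}: {evidence}")
```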
REFERENCES
Advisory ID: ngCERT-2025-050007
Probability: High
Damage: Critical
Platform(s): Microsoft Office
SUMMARY
ngCERT warns of a marked intensification in cyber espionage activities by SideWinder (aka Rattlesnake or T-APT-04), a state-aligned advanced persistent threat (APT) group. Historically focused on government and military entities, the group has now expanded its operations to target maritime, logistics, telecommunications, and financial institutions across Africa and Asia. This shift underscores heightened risks to critical infrastructure and economic stability in these regions.
DESCRIPTION
The key tactics and exploits include:
- Weaponized Phishing Campaigns: SideWinder distributes spear-phishing emails containing malicious Microsoft Office documents engineered to exploit memory corruption vulnerabilities (CVE-2017-11882, CVSS 7.8 – High; CVE-2018-0802, CVSS 7.8 – High). These documents execute arbitrary code to compromise systems.
- Open XML (OOXML) File Abuse: Malicious OOXML files bypass legacy security controls to deploy payloads.
- Post-Exploitation Malware: After initial access, the group deploys custom tools like StealerBot (data-harvesting malware) and advanced Remote Access Trojans (RATs) to exfiltrate sensitive data, establish persistence, and pivot laterally within networks.
CONSEQUENCES
This could further result in:
- Operational Disruption: Compromised systems in logistics or maritime sectors could halt critical supply chains.
- Financial Loss: Theft of banking credentials or intellectual property from financial institutions.
- National Security Threats: Exfiltration of government/military data or sabotage of telecom infrastructure.
SOLUTION/MITIGATION
ngCERT recommends the following:
- Patch Legacy Systems: Prioritize updates for Microsoft Office vulnerabilities (CVE-2017-11882, CVE-2018-0802).
- Block Suspicious OOXML Files: Use email filtering to quarantine documents with macros or unusual metadata.
- Enforce Multi-Factor Authentication (MFA): Limit lateral movement via compromised credentials.
- Monitor for Lateral Movement: Deploy endpoint detection (EDR) and network traffic analysis tools.
- Train Staff: Simulate phishing attacks to raise awareness of malicious document tactics.
- Adopt a Zero Trust security framework to verify all access and restrict it to the minimum necessary permissions.
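As an added example (not the advisory's or any vendor's tooling) for the OOXML file abuse described above and the "Block Suspicious OOXML Files" mitigation: a gateway-style triage that opens an OOXML container and flags the parts a macro project or an embedded OLE object would leave behind. The marker list is a heuristic assumed for the example, and the sample documents are built in memory, not real samples.

```python
import io
import zipfile

# Part-name heuristics assumed for this example (not an ngCERT or vendor
# rule set): an OOXML file is a zip, so suspicious content shows up as parts.
SUSPECT_MARKERS = {
    "VBA macro project": lambda n: n.lower().endswith("vbaproject.bin"),
    "embedded OLE object": lambda n: "/embeddings/" in n.lower() and n.lower().endswith(".bin"),
    "ActiveX control": lambda n: "/activex/" in n.lower(),
}


def triage_ooxml(blob: bytes) -> list:
    """Return (reason, part_name) hits for one OOXML file; [] means no hits."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return [("not a valid OOXML zip container", "")]
    hits = []
    if "[Content_Types].xml" not in names:
        hits.append(("missing [Content_Types].xml", ""))
    for name in names:
        for reason, matches in SUSPECT_MARKERS.items():
            if matches(name):
                hits.append((reason, name))
    return hits


def build_sample_docx(extra_parts: dict) -> bytes:
    """Construct a minimal docx-shaped zip in memory (sample data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        for name, data in extra_parts.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples: a clean document, one carrying a macro project and
# one carrying an embedded OLE object (placeholder bytes, not real payloads).
CLEAN_DOC = build_sample_docx({})
MACRO_DOC = build_sample_docx({"word/vbaProject.bin": b"\x00placeholder"})
OLE_DOC = build_sample_docx({"word/embeddings/oleObject1.bin": b"\x00placeholder"})

if __name__ == "__main__":
    for label, doc in [("clean", CLEAN_DOC), ("macro", MACRO_DOC), ("ole", OLE_DOC)]:
        print(label, triage_ooxml(doc))
```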
Urgency!!!
With SideWinder’s evolving capabilities and cross-sector targeting, organizations in affected regions face high-severity risks (CVSS 7.8–9.0 contextual scores). Proactive defense is critical to preempt large-scale breaches.
REFERENCES