Advisory ID:   ngCERT-2025-100005

SUMMARY

ngCERT has detected a critical and easily exploitable vulnerability affecting the Oracle E-Business Suite (EBS) in Nigeria. This vulnerability, assigned 

CVE-2025-61882 could be exploited remotely by an unauthenticated attacker with network access via HTTP to achieve remote code execution (RCE), potentially leading to full system takeover. Assigned a CVSS 3.1 with a base score of 9.8 (Critical), the flaw has been actively exploited in the wild by the Cl0p ransomware group; hence, it has been listed in CISA's Known Exploited Vulnerabilities (KEV) Catalogue. There is therefore an urgent need for organisations to update applications and apply patches to safeguard against exploits and possible cyberattacks.

Damage:      Critical (CVSS 3.1 Base Score 9.8)

Probability:  High 

Platform(s):  Oracle e-Business Suite

DESCRIPTION

CVE-2025-61882 is a critical vulnerability in the BI Publisher Integration component of Oracle Concurrent Processing within Oracle EBS
versions 12.2.3 through 12.2.14. It arises from a chain of exploitable weaknesses, including inconsistent HTTP request parsing, path traversal, improper neutralisation of CRLF sequences, XML external entity (XXE) reference issues, XML injection, and server-side request forgery (SSRF). An unauthenticated attacker with HTTP network access crafts malicious HTTP requests to exploit these flaws. The attack begins by leveraging inconsistent request parsing and path traversal to access restricted server resources. By injecting crafted XML payloads, the attacker exploits XXE and XML injection vulnerabilities to manipulate server-side processing. CRLF injection escalates the attack by injecting malicious headers, enabling SSRF to trigger unauthorized server requests. This chain culminates in RCE, allowing the attacker to execute arbitrary commands on the server without authentication.

CONSEQUENCES

Successful exploitation of these flaws could result in:

1. Full System Compromise: Unauthenticated attackers can achieve remote code execution (RCE), gaining complete control over the Oracle E-Business Suite (EBS) instance.
2. Data Exfiltration: Sensitive business data, including financial and customer information, can be stolen, leading to severe privacy and intellectual property breaches.
3. Ransomware Deployment: Exploitation by groups like Cl0p enables ransomware attacks, causing data encryption and operational paralysis.
4. Confidentiality and Integrity Loss: Full exposure and modification of sensitive data, undermining system trustworthiness and business operations.
5. Service Disruption: Denial of service can halt critical EBS functions, leading to significant operational downtime.

SOLUTION/MITIGATION

To mitigate these vulnerabilities, ngCERT recommends the following measures:

1. Apply Security Patches: Immediately install patches for Oracle E-Business Suite versions 12.2.3–12.2.14 as specified in Oracle’s patch availability document (Note 3106344.1 on My Oracle Support). Ensure the October 2023 Critical Patch Update (CPU) is applied as a prerequisite.
2. Restrict Network Access: Limit HTTP access to the BI Publisher Integration component to trusted IP ranges using firewall rules or web application firewalls (WAF) to block malicious requests.
3. Monitor and Detect: Actively monitor logs for indicators of compromise (IOCs), such as IP addresses (e.g., 200.107.207.26, 185.181.60.11), commands (e.g., sh -c /bin/bash -i >& /dev/tcp/ / 0>&1), or file hashes (e.g., SHA-256: 76b6d36e04e367a2334c445b51e1ecce97e4c614e88dfb4f72b104ca0f31235d).
4. Upgrade EBS Versions: Migrate to supported EBS versions under Premier or Extended Support to ensure patch availability and enhanced security.
5. Disable Unnecessary Features: Deactivate non-essential Concurrent Processing features to reduce the attack surface.
6. Interim Isolation: If patching is delayed, isolate the EBS environment from untrusted networks and enhance logging to detect exploitation attempts.

HYPERLINK

• https://www.oracle.com/security-alerts/alert-cve-2025-61882.html
• https://nvd.nist.gov/vuln/detail/CVE-2025-61882
• https://www.cisa.gov/known-exploited-vulnerabilities-catalog
• https://www.crowdstrike.com/en-us/blog/crowdstrike-identifies-campaign-targeting-oracle-e-business-suite-zero-day-CVE-2025-61882/
• https://www.hipaajournal.com/cl0p-mass-exploiting-zero-day-vulnerability-oracle-e-business-suite/
• https://www.ncsc.gov.uk/news/active-exploitation-vulnerability-affecting-oracle-ebusiness-suite

Advisory ID:   ngCERT-2025-100004

SUMMARY

ngCERT’s attention has been drawn to the resurgence of SOGU, aka PlugX malware infiltration, which poses a significant threat to Nigeria’s cyberspace. The malware is a sophisticated modular Remote Access Trojan (RAT) deployed by Advanced Persistent Threat (APT) actors in cyber-espionage campaigns. These attacks target critical infrastructure across multiple sectors, including telecommunication companies, as observed in current reports. SOGU is also identified as a backdoor with keylogging, surveillance, data exfiltration and stealth capabilities, while disguising itself as legitimate applications to avoid detection. New variants are equally capable of remote code execution, ensuring persistence through Dynamic Link Libraries (DLL) side-loading while implementing new C2 command identifiers. The compromise of critical infrastructure by this malware could result in privacy and data breaches, supply chain risks, financial losses, as well as reputational damage and possibly geopolitical implications. This underscores the need for public and private sector organisations to emplace robust defences to safeguard and mitigate the threats posed by PlugX.

Damage:      Critical

Probability:  High 

Platform(s):  Operating System, Networks and IoTs

DESCRIPTION

The recent PlugX attacks have targeted critical infrastructure, particularly telecommunications networks, by leveraging DLL side-loading for espionage purposes. In the initial access stage, attackers exploit legitimate executables, such as those from Quick Heal's Mobile Popup Application, to initiate DLL search order hijacking or side-loading of a malicious DLL. Notably, new variants also gain initial access by exploiting vulnerabilities in edge devices, such as firewalls and VPNs, and possibly weaknesses in IoTs. To deploy and execute the payload, the malicious DLL decrypts and loads PlugX (alongside variants like RainyDay or Turian) directly into memory using. This is achieved by utilizing Rivest Cypher 4 (a symmetric stream cypher) encryption and shared algorithms to evade disk-based detection. Likewise, the malware employs techniques like control flow flattening, API hashing, and embedded keyloggers to obscure its operations and resist reverse engineering. To ensure persistence and command execution, PlugX establishes long-term access, enabling arbitrary command execution, file uploads/downloads, and keylogging for credential theft and lateral movement within the network. Furthermore, compromised systems facilitate the theft of sensitive data, such as communications metadata, supporting broader cyber-espionage goals against critical sectors.

INDICATORS OF COMPROMISE

The following are observed Indicators of Compromise IoCs:

1. Domains

   a)   [.]relivonline[.]com

   b)   [.]im0[.]site

   c)   [.]frillsforspills[.]com

  d)   [.]365safemail[.]com

2. IPs with Ports

           a) 103[.]79[.]120[.]85:443

           b)  103[.]79[.]120[.]92:443

c)  103[.]79[.]120[.]71:443

d)  103[.]79[.]120[.]71:5000

e)  103[.]107[.]104[.]61:443

f)  103[.]107[.]104[.]61:5000

g)  39[.]105[.]24[.]38:3478

h)  39[.]105[.]24[.]38:443

i)    121[.]201[.]74[.]246:5000

j)   69[.]172[.]75[.]148:5000

k)  154[.]90[.]47[.]123:443

l)   154[.]90[.]47[.]123:5000

m) 45[.]128[.]153[.]73:443

CONSEQUENCES

SOGU aka PlugX malware attacks could result in:

1. Extensive data exfiltration and espionage.
2. Compromise of networks in critical sectors like telecom that can act as vectors for supply chain attacks.
3. Economic and financial losses.
4. Breaches that could further result in reputational damage, customer trust erosion, regulatory fines, and legal scrutiny.
5. Operational disruptions and Denial of Service (DoS) attacks.

SOLUTION/MITIGATION

ngCERT recommends that organisations:

1. Conduct regular security awareness training to help users recognize phishing attempts.
2. Implement advanced email filtering solutions to block malicious emails before reaching end-users.
3. Deploy and maintain up-to-date antivirus solutions capable of detecting PlugX signatures and behaviors.
4. Enforce 2FA to protect access to sensitive systems and applications.
5. Conduct regular analysis of system and network logs to identify anomalies related to PlugX behavior.
6. Ensure the prompt application of patches and updates to all software to minimize exploitation
7. opportunities.
8. Filter network traffic by preventing unknown or untrusted access to remote services on internal systems.
9. Ensure the review of domain controllers, servers, workstations, and active directories for new and/or unrecognized accounts.

HYPERLINK

• https://cybersecsentinel.com/the-return-of-plugx-malware-with-fresh-tricks/
• https://thehackernews.com/2025/09/china-linked-plugx-and-bookworm-malware.html
• https://security.googlecloudcommunity.com/community-blog-42/finding-malware-detecting-sogu-with-google-security-operations-3869
• https://malpedia.caad.fkie.fraunhofer.de/details/win.plugx

Advisory ID:   ngCERT-2025-100003

SUMMARY

ngCERT is aware of LockGoga, MegaCortex, and Nefilim, sophisticated and hybrid ransomware variants which have been active from 2019-2021, and linked to a threat actor identified as deadforz with aliases “Boba,” “msfv,” and “farnetwork. These ransomware strains have targeted critical infrastructure, manufacturing, healthcare, and transportation sectors in several countries across the globe, resulting in the loss of millions of US dollars. This underscores the need for Organizations to review their systems for indicators of compromise (IoCs) and strengthen defences against potential affiliate-driven attacks.

Damage:      Critical

Probability:  High 

Platform(s):  Microsoft Windows, Dell Firmware

DESCRIPTION

Notably, LockGoga targets industrial systems by utilizing Advanced Encryption Standard (AES) encryption, and appends ".locked" to files. Initial access is achieved through phishing or stolen Remote Desktop Protocol (RDP) credentials. Thereafter, the malware is dropped in the %TEMP% folder, which disables networks, clears disk space with cipher.exe, encrypts files and demands email-based payment. Also, MegaCortex is a hybrid ransomware used to target enterprises and possesses anti-analysis capabilities. Its attack chain involves initial access through phishing, SQL injection, or RDP exploits. Next, it uses Cobalt Strike for persistence, runs kill.bat to evade antivirus detection, propagates via Qakbot, and demands multi-million-dollar ransoms. Furthermore, Nefilim uses double extortion with AES-128 or Rivest–Shamir–Adleman (RSA-2048) cryptosystem (a family of public-key cryptosystems used for secure data transmission). It also appends ".NEFILIM" or ".DERZKO" to files, while exploiting CVE-2019-19781 (a critical vulnerability in Citrix Application Delivery Controller (ADC) and Gateway products, allowing unauthenticated attackers to execute arbitrary code remotely via a directory traversal flaw). Threat actors also exploit RDP or phishing for initial access. Further, Mimikatz and PsExec/WMI are employed for credential dumping, lateral movement within networks, privilege escalation, and persistence before exfiltrating data to clouds like MEGAsync. Thereafter, the criminals threaten to leak sensitive information.

INDICATORS OF COMPROMISE

The following are observed Indicators of Compromise IoCs:

1. LockGoga: SHA256 hashes in Fortinet/Unit42 reports; %TEMP% execution, cipher.exe use, ".locked" extensions; email-based ransom demands.

2. MegaCortex: Hashes in Heimdal reports; kill.bat, Cobalt Strike beacons, RDP port 3389 activity; Qakbot-related traffic.

3. Nefilim: Delphi-based samples; Mimikatz dumps, PsExec/WMI usage, MEGAsync exfiltration; connections to known exfil domains; Citrix exploit attempts.

CONSEQUENCES

Successful attacks by LockGoga, MegaCortex, and Nefilim ransomware variants could result in:

1. Disruption of operations, supply chain interruptions and possible Denial of Service (DoS) attacks.
2. Financial losses due to ransom payments, recovery costs and General Data Protection Regulation (GDPR) fines.
3. Reputational damage due to data exposure from possible dark web leaks and the possibility of secondary extortion.
4. National security risks occasioned by breaches to defence and sensitive critical infrastructure.

SOLUTION/MITIGATION

ngCERT recommends that organisations:

1. Patch vulnerabilities such as CVE-2019-19781 and RDP, enforce Multifactor authentication, implement Zero Trust and least-privilege access to initial access.
2. Deploy Endpoint Detection and Response (EDR) for behavioural monitoring such as process injection, lateral movement, credential dumping and cloud exfiltration.
3. Maintain offline, immutable backups (3-2-1 rule); test recovery quarterly; avoid ransom payments and report to ngCERT in the event of an attack, to ensure speedy recovery.
4. Block IoCs at firewalls.
5. Conduct regular phishing awareness training for all staff.

HYPERLINK

• https://www.fortinet.com/blog/threat-research/lockergoga-ransomeware-targeting-critical-infrastructure
• https://heimdalsecurity.com/blog/megacortex-ransomware/
• https://www.sisainfosec.com/blogs/nefilim-ransomware/
• https://www.picussecurity.com/resource/blog/how-to-beat-nefilim-ransomware-attacks

Advisory ID:   ngCERT-2025-100002

SUMMARY

ngCERT has detected about 78 (medium to low) vulnerabilities primarily impacting Microsoft Windows components like Windows Digital Media and Secure Boot, as well as Dell firmware. These weaknesses include elevation of privilege (EoP), security feature bypasses, and improper access controls, with CVSS v3.1 scores from 4.3 to 8.1 (low to high severity). Most of these require local access, but exploitation could lead to system compromise or data exposure. Although the vulnerabilities have been patched, there is an urgent need for these systems to be updated and the patches applied to safeguard against exploits and possible cyberattacks.

Damage:      Critical

Probability:  High 

Platform(s):  Microsoft Windows, Dell Firmware

DESCRIPTION

The vulnerabilities mainly affect Microsoft Windows 10/11 and Server 2019/2022, with some impacting Dell firmware and older non-Microsoft products. Key details include:

a) Windows Digital Media (EoP):Over 40 CVEs, such as (CVE-2025-21229 and CVE-2025-21255), involve improper input validation or out-of-bounds reads, allowing local attackers to gain SYSTEM-level privileges.

b)  Windows Secure Boot:CVE-2025-21211 allows bypassing Secure Boot via flaws in DBX update validation, enabling unsigned bootloader execution.

c)  Dell Firmware: CVE-2024-52537 permits high-privileged attackers to exploit symlink issues in the Dell Client Platform Firmware Update Utility for privilege escalation.

d) Other Microsoft Issues:CVEs like CVE-2024-55541 (audio driver buffer overflow) and CVE-2024-51456 (SMB Remote Code Execution) cover Denial-of-Service (DoS), kernel exploits, and remote code execution.

e)  Legacy/Other Vendors: Older CVEs such as CVE-2023-50946 in OpenSSH, CVE-2021-29669 in Zyxel) involve RCE, EoP, or information disclosure in non-Microsoft products.

CONSEQUENCES

Successful exploitation of these flaws could result in:

1. Privilege Escalation: Local attackers could gain SYSTEM access, enabling malware persistence, data theft, or network lateral movement.
2. System Integrity Loss: Secure Boot bypass (CVE-2025-21211) allows rootkits or tampered firmware to evade boot protections.
3. Service Disruption: Denial of Service (DoS) issues, such as (CVE-2024-55541), may crash services or leak kernel memory.
4. Chained Attacks: These flaws could enable ransomware or APTs. No active exploits are reported as of October 2025, but local access increases insider threat risks.

SOLUTION/MITIGATION

To mitigate these vulnerabilities, ngCERT recommends the following measures:

1. Apply Patches: Install Microsoft January 2025 updates via Windows Update or WSUS. For CVE-2024-52537, update Dell firmware using Dell Command Update.
2. Enhance Access Controls: Enforce least privilege, disable untrusted media playback, and use AppLocker/WDAC to block unsigned binaries.
3. Monitor and Harden: Enable Secure Boot and TPM 2.0; use EDR tools to detect privilege escalation. Apply upstream patches for legacy CVEs such as OpenSSH.
4. Verify Systems: Scan for vulnerable versions with tools like Qualys or Tenable. Check Microsoft Security Response Centre for updates.
5. Best Practices: Segment networks, adopt zero-trust, and test patches in staging environments. Isolate or retire end-of-support systems.

HYPERLINK

• https://msrc.microsoft.com/update-guide
• https://www.tenable.com/blog/microsofts-september-2025-patch-tuesday-addresses-80-cves-cve-2025-55234
• https://www.rapid7.com/blog/post/em-patch-tuesday-september-2025/
• https://isc.sans.edu/diary/31590