Saturday May 09, 2026

Advisory ID:   ngCERT-2026-040003

SUMMARY

ngCERT is aware of multiple critical and high-severity vulnerabilities in Zoom products, including Zoom Workplace, Zoom Clients, Zoom Rooms, and VDI components. These vulnerabilities, tracked under several CVEs (CVE-2026-30900 to CVE-2026-30903), range from privilege escalation and command injection to improper input validation and path handling flaws. Successful exploitation may allow threat actors to achieve privilege escalation, unauthorized access, and system compromise. These flaws impact widely deployed enterprise collaboration tools, making them high-value targets for threat actors. Organisation and individuals are advised to immediately remediate these vulnerabilities.

DESCRIPTION

Zoom Products is a unified communications platform for video conferencing, chat, webinars, and collaboration across multiple operating systems. Multiple vulnerabilities stemming from multiple weaknesses in Zoom’s Windows-based components, including improper privilege management, insufficient input validation, and inadequate file path handling. The most critical flaw, CVE-2026-30903, involves external control of file names or paths within the Zoom Workplace Mail feature, allowing unauthenticated attackers to manipulate file operations and escalate privileges remotely. Additional vulnerabilities, CVE-2026-30902 (improper privilege management), CVE-2026-30901 (input validation flaw), and CVE-2026-30900 (improper version check), further enable attackers to elevate privileges or bypass security controls under certain conditions. These vulnerabilities expose Windows systems to both local and remote exploitation scenarios, particularly when systems are unpatched or misconfigured.

Damage:      Critical (CVSS 7.8)

Probability:  High

Platform(s):  Windows

CONSEQUENCES

Exploitation of these vulnerabilities may result in:

    1. Privilege escalation.
    2. Denial of Service (DoS).
    3. Sensitive data exposure.
    4. Remote Code Execution (RCE).
    5. Cross-Site Scripting (XSS) and data manipulation.
    6. Operational and business disruption/risk.
    7. Malware/Ransomware Deployment. 

SOLUTION/MITIGATION

ngCERT recommends the following:

    1. Update all Zoom products to the latest versions and apply patched releases (Zoom Security Bulletins - ZSB-26001 to ZSB-26005).
    2. Enable automatic updates across all Zoom clients and components.
    3. Monitor for abnormal privilege escalation events.
    4. Remove or upgrade deprecated/unsupported Zoom versions.
    5. Enforce endpoint protection (EDR/antivirus) and monitor for suspicious activity.    

HYPERLINK

Advisory ID:   ngCERT-2026-040001

SUMMARY

ngCERT is aware of an ongoing ClickFix (pastejacking) campaign targeting developers and users of AI tools. The campaign distributes Atomic macOS Stealer (AMOS), a sophisticated information-stealing malware affecting macOS systems. The attack leverages social engineering techniques to trick users into executing malicious terminal commands. Organisations and individuals are strongly advised to exercise caution and implement appropriate security controls.

DESCRIPTION

ClickFix (pastejacking) is a social engineering technique that manipulates users into copying and executing malicious commands from deceptive sources such as fake documentation pages, malicious advertisements, or AI-generated content. In this campaign, attackers disguise harmful terminal commands, often obfuscating them with encoding techniques such as base64, as legitimate setup or troubleshooting instructions. Once executed, these commands download and install AMOS. The malware establishes persistence on the compromised system, harvests sensitive information (including credentials and files), and may deploy additional backdoors to enable persistent remote access.

Damage:      Critical

Probability:  High

Platform(s):  macOS

CONSEQUENCES

If successfully exploited, this campaign may result in:

    1. Credential theft, including browser-stored passwords and Apple Keychain data.
    2. Unauthorized remote access through backdoor mechanisms.
    3. Data exfiltration, including sensitive files and developer assets.
    4. Compromise of cryptocurrency wallets and financial information.
    5. Deployment of additional malware and further system exploitation.
    6. Organisational risks such as supply chain compromise and credential leakage. 

SOLUTION/MITIGATION

ngCERT recommends the following:

    1. Avoid executing terminal commands from untrusted sources, including advertisements, unknown websites, or unverified AI-generated content
    2. Verify all documentation and instructions, ensuring they originate from official vendor domains
    3. Educate users and developers on pastejacking techniques and social engineering risks
    4. Deploy Endpoint Detection and Response (EDR) solutions to monitor suspicious shell activity
    5. Restrict and monitor script execution on macOS systems
    6. Enable and maintain built-in protections such as Gatekeeper and XProtect
    7. Regularly update macOS and security tools to detect emerging threats
    8. Monitor for unusual outbound network traffic and unauthorized persistence mechanisms
    9. Implement least-privilege access controls to limit the impact of compromised accounts

HYPERLINK

Advisory ID: NCC-CSIRT-2026-014

Summary: 

The Nigerian Communications Commission Computer Security Incident Response Team (NCC-CSIRT) alerts stakeholders to an ongoing ransomware campaign attributed to the XP95 Ransomware Group, which has recently targeted government institutions and critical sectors globally.

The attackers employ data exfiltration and extortion techniques, compromising sensitive information and threatening public disclosure unless ransom demands are met. Recent incidents indicate a rapid escalation in the group’s activities, with multiple high-impact breaches recorded within a short timeframe.

Given similarities in system vulnerabilities and cybersecurity posture across institutions, Nigerian organizations, particularly within government and critical infrastructure sectors, are at elevated risk of similar attacks.

Damage: Critical

Probability: High

Product(s)

  • Enterprise IT Systems
  • Government Databases
  • Healthcare Information Systems
  • Web Applications and Network Infrastructure

Version(s):

  • All unpatched or improperly configured systems
  • Systems with weak authentication mechanisms

Platform(s): 

  • Windows
  • Linux
  • Cloud-based environments
  • On-premise enterprise networks

Description: 

The XP95 ransomware group is an emerging and highly active threat actor known for targeting data-rich organizations, including government agencies and healthcare providers.

Recent reported incidents include:

  • A South African government agency breach involving over 453,000 files ( approximately 154GB) of sensitive data.
  • A Spanish healthcare software provider was compromised, resulting in the exfiltration of approximately 165GB of patient data.
  • Additional attacks on provincial government institutions targeting job seekers and student databases.

The group’s attack techniques involve:

  • Exploiting unpatched software vulnerabilities
  • Leveraging weak authentication and poor password practices
  • Gaining unauthorized access to enterprise networks
  • Exfiltrating large volumes of sensitive data
  • Issuing ransom demands with threats of public data release
The increasing frequency and scale of these attacks highlight a growing threat to public sector institutions and critical infrastructure, particularly in environments with insufficient cybersecurity controls.

Impacts: 

  • Large-scale data breaches involving sensitive information
  • Financial loss due to ransom payments and remediation costs
  • Disruption of critical services and operations
  • Reputational damage and loss of public trust
  • Regulatory and legal implications

Threat Types: 

  • Ransomware (Double Extortion)
  • Data Exfiltration
  • Unauthorized Network Access
  • Exploitation of System Vulnerabilities

Solutions/Mitigations:  

NCC-CSIRT recommends the following mitigation steps:

  • Apply timely security patches and updates across all systems
  • Conduct regular vulnerability assessments and penetration testing
  • Enforce Multi-Factor Authentication (MFA)
  • Implement strong password policies
  • Adopt least-privilege access principles
  • Segment critical networks
  • Deploy Intrusion Detection and Prevention Systems (IDS/IPS)
  • Monitor for unusual network activity
  • Maintain regular, secure, and offline backups
  • Test backup restoration procedures periodically
  • Implement Security Information and Event Management (SIEM) solutions
  • Establish and regularly update incident response plans
  • Conduct regular cybersecurity awareness training
  • Educate users on phishing and social engineering risks

References:

Advisory ID: NCC-CSIRT-2026-012

Summary: 

The Nigerian Communications Commission Computer Security Incident Response Team (NCC-CSIRT) is issuing this advisory to alert Telecommunications Operators, Internet Service Providers, and critical information infrastructure stakeholders about a global cyber espionage campaign involving the GRIDTIDE backdoor and the advanced threat actor UNC2814.
The campaign primarily targets telecommunications providers and government organizations worldwide and has affected dozens of organizations across multiple countries. The threat actor uses stealth malware, cloud services, and persistent backdoors to gain long-term access to telecom networks and sensitive communications data.

Damage: Critical

Probability: High

Product(s)/Platform(s): 

The campaign does not target a specific vendor product but rather infrastructure commonly used in telecommunications environments, including:

  • Linux Servers and Web Servers
  • Edge Network Devices
  • Telecom Core Network Systems
  • Subscriber Databases
  • Call Data Record (CDR) Systems
  • Network Management Systems
  • Cloud Infrastructure and SaaS Platforms

Indicators of Compromise (IOCs): 

  • Suspicious connections to Google Sheets API or unusual SaaS API traffic
  • Unknown system services (e.g., xapt.service)
  • Unauthorized SSH lateral movement
  • Use of SoftEther VPN connections
  • Unknown service accounts
  • Persistent malware in /usr/sbin directories
  • Unusual outbound encrypted connections
  • Cloud API traffic from servers that normally do not use cloud services

Description: 

The UNC2814 campaign is a long-running cyber espionage operation active since at least 2017, targeting telecommunications and government networks globally. The attackers deploy the GRIDTIDE backdoor, a C-based malware that uses legitimate cloud services, particularly Google Sheets API, as a command-and-control (C2) channel to disguise malicious traffic as normal cloud activity.
Instead of connecting to traditional malicious servers, the malware communicates with attacker-controlled spreadsheets, where commands are stored in spreadsheet cells and executed on compromised systems. The malware can execute shell commands, upload and download files, and collect system information from infected hosts.
Attackers typically gain initial access by exploiting vulnerable web servers or edge network devices. After gaining access, they establish persistence by installing the malware as a system service and move laterally through the network using service accounts and SSH connections. Encrypted tunnels such as SoftEther VPN are used to maintain covert communication and potentially exfiltrate sensitive data such as personally identifiable information, call logs, and communications metadata.
The campaign specifically targets telecommunications networks because access to telecom infrastructure can enable surveillance, monitoring of communications, and tracking of individuals through call data records and messaging metadata.

Impacts: 

  • Gain persistent access to telecom networks
  • Monitor communications and subscriber data
  • Access call data records and SMS metadata
  • Conduct surveillance on targeted individuals
  • Move laterally across telecom infrastructure
  • Maintain long-term undetected access
  • Compromise government communications
  • Access lawful interception systems

Threat Types: 

  • Cyber Espionage
  • Advanced Persistent Threat (APT)
  • Backdoor Malware
  • Command and Control (C2)
  • Data Exfiltration
  • Network Intrusion
  • Persistence / Unauthorized Access

Solutions/Mitigations:  

NCC-CSIRT recommends the following mitigation steps:

  • Patch and secure all public-facing web servers and edge devices.
  • Strictly monitor outbound connections to cloud services such as Google Sheets, Google Drive, and other SaaS platforms.
  • Implement network segmentation within telecom infrastructure.
  • Monitor for unauthorized system services and persistence mechanisms.
  • Audit service accounts and SSH access logs.
  • Deploy Endpoint Detection and Response (EDR) solutions on critical servers.
  • Implement multi-factor authentication for administrative accounts.
  • Monitor VPN usage and block unauthorized VPN tools such as SoftEther.
  • Conduct threat hunting for advanced persistent threats.
  • Review access to subscriber databases and call data record systems.

References:

Advisory ID: NCC-CSIRT-2026-013

Summary: 

COLDEYE backdoor is a sophisticated kernel-level malware used in targeted cyber-espionage campaigns. This malware is known to provide persistent root-level access to compromised systems and is associated with advanced threat actors such as UNC2814.
COLDEYE has been observed in telecom infrastructure, government systems, and cloud-hosted services, where it enables attackers to manipulate critical data, exfiltrate information, and maintain long-term stealth access.

Damage: Critical

Probability: High

Product(s): 

Linux-based enterprise servers

Version(s): 

No specific version; affects general Linux distros

Platform(s):

Linux (Ubuntu, Debian, CentOS, RHEL); virtualized cloud instances

Indicators of Compromise (IOCs): 

Organizations are advised to cross-check the following IoCs with their SIEM and endpoint monitoring tools:

  • Unexpected kernel modules loaded on Linux servers
  • Unauthorized system services or startup scripts
  • Outbound connections to unusual cloud storage APIs from critical servers
  • Unauthorized file changes in system directories (/etc, /usr/bin)
  • Anomalous processes running with root privileges

Description: 

COLDEYE is a highly sophisticated kernel-level backdoor that primarily targets Linux servers in telecom networks, government systems, and cloud-hosted platforms. It achieves persistent root-level access by installing as a kernel module or system-level rootkit, enabling it to remain active after system reboots and evade traditional endpoint detection mechanisms. The malware can escalate privileges on misconfigured or vulnerable servers, granting attackers unrestricted access to critical system files, administrative credentials, and network services.
COLDEYE communicates with remote command-and-control infrastructure, often leveraging legitimate cloud services such as Google Sheets via the GRIDTIDE backdoor framework. This allows attackers to execute scripts, upload or download files, and perform detailed system reconnaissance while blending with normal network traffic. The malware facilitates the exfiltration of sensitive information, including subscriber databases, call detail records, SMS data, and cloud service tokens. It uses stealth techniques, such as kernel-level hooks and process masking, to avoid detection by host-based intrusion detection systems.
After establishing a foothold, COLDEYE may move laterally within networks, exploiting SSH, VPN, or internal service credentials to compromise additional systems. Its operational impact is significant, potentially exposing subscriber privacy, critical intelligence, and core telecom operations, including lawful interception systems. By maintaining long-term access, attackers can monitor and manipulate sensitive communications over extended periods. Deployment typically occurs following an initial compromise through vulnerable services, phishing targeting administrative accounts, or other advanced persistent threat tools, forming part of a larger espionage campaign.

Impacts: 

  • Compromise of Sensitive Data
  • Unauthorized System Control
  • Lateral Network Compromise
  • Operational Disruption
  • Long-Term Surveillance
  • Reputational and Regulatory Impact
  • Financial Consequences

Threat Types: 

  • Advanced Persistent Threat (APT)
  • Kernel-Level Malware / Rootkit
  • Data Exfiltration / Espionage
  • Unauthorized Access / Privilege Escalation
  • Command-and-Control (C2) Abuse
  • Lateral Movement
  • Telecom / Infrastructure Disruption

Solutions/Mitigations:  

NCC-CSIRT recommends the following mitigation steps:

  • Isolate compromised systems from the network
  • Conduct full system integrity checks and Memory Forensics
  • Monitor unusual outbound connections to cloud services
  • Apply the latest OS and kernel security updates and disable unused services and accounts
  • Restrict administrative and root access
  • Implement network and host-based anomaly detection
  • Monitor for abnormal process execution and kernel module loading
  • Review system logs for unauthorized access events
  • Implement UEFI Secure Boot where possible to prevent the loading of unsigned malicious kernel modules

References:

  1. Apple Fixes WebKit Vulnerability That Could Allow Malicious Websites Access User Data
  2. NCC-CSIRT Cybersecurity Advisory on Rogue Cellular Network Attacks and Mobile Signal Hijacking Used for Banking Fraud
  3. NCC-CSIRT Cybersecurity Advisory on Global Server Espionage Campaign on Telecom and Government Entities
  4. NCC-CSIRT Cybersecurity Advisory on LockBit Strikes with New 5.0 Version Targeting Windows, Linux, and ESXi Systems

Page 2 of 39