Why hackers intensify attacks on Nigeria’s cyberspace | Dailytrust

  • Target MDAs, banks, telcos

  • What FG should do – Experts

Hardly a week passes without the Nigerian Communications Commission (NCC) and the National Information Technology Development Agency (NITDA) alerting Nigerians to cyber criminals’ attempts to get at the data of rich and ordinary Nigerians; Ministries, Departments and Agencies (MDAs) of government; commercial banks; and telecommunications companies in the country.

Just on Monday, the NCC alerted Nigerians to the existence of a hacking group orchestrating cyber espionage in the African telecoms space. An Iranian hacking group known as Lyceum (also known as Hexane, Siamesekitten, or Spirlin) was reported to be targeting telecoms, Internet Service Providers (ISPs) and Ministries of Foreign Affairs (MFA) in Africa with upgraded malware in recent politically motivated attacks oriented towards cyber espionage. In its latest advisory, issued by the Nigerian Computer Emergency Response Team (ngCERT), the NCC rated the probability and damage level of the new malware as high.

According to the advisory, the hacking group is known to be focused on infiltrating the networks of telecoms companies and ISPs. Daily Trust reports that between July and October 2021, Lyceum was implicated in attacks against ISPs and telecoms organisations in Israel, Morocco, Tunisia, and Saudi Arabia. The advanced persistent threat (APT) group has been linked to campaigns that hit Middle Eastern oil and gas companies in the past.

Now, the group appears to have expanded its focus to the technology sector. In addition, the APT is responsible for a campaign against an unnamed African government’s Ministry of Foreign Affairs. As for the attackers’ mode of operation, Lyceum’s initial attack vectors include credential stuffing and brute-force attacks, the NCC said.

“So, once a victim’s system is compromised, the attackers conduct surveillance on specific targets. In that mode, Lyceum will attempt to deploy two different kinds of malware: Shark and Milan (known together as James)”, the Nigerian telecommunications regulator revealed. It said both pieces of malware are backdoors. A backdoor is a type of malware that bypasses normal authentication procedures to access a system. As a result, remote access is granted to resources within an application, such as databases and file servers, giving hackers the ability to remotely issue system commands and update malware.

NCC said: “Shark, a 32-bit executable written in C# and .NET, generates a configuration file for domain name system (DNS) tunneling or Hypertext Transfer Protocol (HTTP) C2 communications; whereas Milan, a 32-bit Remote Access Trojan (RAT), retrieves data.

“Both are able to communicate with the group’s command-and-control (C2) servers. The APT maintains a C2 server network that connects to the group’s backdoors, consisting of over 20 domains, including six that were previously not associated with the threat actors.” 

According to reports, individual accounts at companies of interest are usually targeted, and then once these accounts are breached, they are used as a springboard to launch spear-phishing attacks against high-profile executives in an organization. 

The report suggests that not only do these attackers seek out data on subscribers and connected third-party companies, but once compromised, threat actors or their sponsors can also use these industries to survey individuals of interest.

However, to guard against this kind of threat, the ngCERT reports that multiple layers of security, in addition to constant network monitoring, are required by telecom companies and ISPs alike to stave off potential attacks.

Specifically, telecom consumers and the general public are advised to: ensure the consistent use of firewalls (software, hardware and cloud firewalls); enable a Web Application Firewall to help detect and prevent attacks coming from web applications by inspecting HTTP traffic; install up-to-date antivirus programmes to help detect and prevent a wide range of malware, trojans, and viruses, which APT hackers will use to exploit your system.

Last week, the NCC also alerted millions of Nigerian telecom consumers to the existence of a new, high-risk and extremely damaging malware called Flubot. Malware is a generic word used to describe a virus or software designed specially to “disrupt, damage, or gain unauthorized access to a computer system.”

NCC said it had received information from the ngCERT that Flubot “targets Androids with fake security updates and App installations”. The commission said the ngCERT affirmed that Flubot “impersonates Android mobile banking applications to draw fake web view on targeted applications” and that its goal goes beyond stealing personal data and essentially targets the theft of credit card details or online banking credentials. FluBot is circulated through Short Message Service (SMS) and can snoop “on incoming notifications, initiate calls, read or write SMSes, and transmit the victim’s contact list to its control centre”, the NCC added.

“This malware attacks Android devices by pretending to be ‘FedEx, DHL, Correos, and Chrome applications’ and compels unsuspecting users to alter the accessibility configurations on their devices in order to maintain continuous presence on devices. The new malware undermines the security of devices by copying fake login screens of prominent banks, and the moment the users enter their login details on the fake pages, their data is harvested and transmitted to the malware operators’ control point from where the data is exploited by intercepting banking-related One Time Passwords (OTPs) and replacing the default SMS app on the targeted Android device”, the NCC said.

Consequently, it said, the malware secures admittance into the device through SMS and proceeds to transmit similar messages to other contacts that may be on the device it has attacked, enticing them into downloading the fake app. “It suffices to say that, when Flubot infects a device, it can result in incalculable financial losses. Additionally, the malware creates a backdoor which grants access to the user’s device, thus enabling the invader or attacker to perform other criminal actions, including launching other variants of malware”.

Similarly, the NCC in October alerted Nigerians to a new Android malware named ‘AbstractEmu’. The malware can gain access to smartphones, take complete control of infected smartphones and silently modify device settings while simultaneously taking steps to evade detection, the NCC said.

“This discovery was announced recently by the Nigerian Computer Emergency Response Team (ngCERT), the national agency established by the Federal Government to manage the risks of cyber threats in Nigeria, which also coordinates incident response and mitigation strategies to proactively prevent cyber-attacks against Nigeria”, said the NCC.

AbstractEmu has been found to be distributed via Google Play Store and third-party stores such as the Amazon Appstore and the Samsung Galaxy Store, as well as other lesser-known marketplaces like Aptoide and APKPure.

NCC said: “The advisory stated that a total of 19 Android applications that posed as utility apps and system tools like password managers, money managers, app launchers, and data saving apps have been reported to contain the rooting functionality of the malware. The apps are said to have been prominently distributed via third-party stores such as the Amazon Appstore and the Samsung Galaxy Store, as well as other lesser-known marketplaces like Aptoide and APKPure. The apps include All Passwords, Anti-ads Browser, Data Saver, Lite Launcher, My Phone, Night Light and Phone Plus, among others.”

To guard against contracting the malware, the NCC said smartphone users should be wary of installing unknown or unusual apps, and look out for unusual behaviour as they use their phones. The commission also said users should reset their phones to factory settings when they suspect unusual behaviour on their phones.

Experts speak

But IT security experts told Daily Trust on Tuesday that the increasing threats to MDAs, banks and telcos shouldn’t be taken lightly by those concerned.

Liadi Munir, a Lagos-based ICT expert, said it is not enough to alert Nigerians to cyber threats from hackers, and that the Federal Government should secure Nigeria’s cyberspace.

“If the cyberspace is not secure, hackers will keep on attacking their targets. Government should secure the space and fortify its response team”, Munir said.

Also, Okey Ajunofu, another Lagos-based IT security expert, called on the NCC and NITDA to employ ethical hackers to take the fight to the criminals. According to Ajunofu, “In cyber fight, the best form of defence is attack. If the fight is taken to the criminals they will retreat”.

Why cybercrimes are on the rise – NCC

The acceleration of technology innovations and online business transactions amplifies vulnerability opportunities which cybercriminals exploit to commit crimes, the NCC said. “Undoubtedly, the pace at which technology advances, acceleration of innovations and enterprise in the digital space amplifies vulnerability opportunities, which malicious parties are quick to exploit, thereby slowing down the gains of digital economy”, the NCC boss, Prof. Umar Danbatta, said.

The NCC boss, however, said the telecom regulatory agency was working frantically to build a strong cybersecurity stronghold which will reduce vulnerabilities in Nigeria’s digital economy.

He said: “The NCC is in the forefront of ensuring sound cybersecurity culture that is built on people, process and technology. The launching of NCC sectoral CERT is a testament of our resolve to promote a healthy digital environment. Our various cybersecurity awareness initiatives and campaigns are helping the public understand the risks in digital space and how to reduce the vulnerability opportunities that adversaries can benefit from.”
