Though the report of Affordability Drivers Index (ADI) released last year ranked Nigeria 19th out of 72 countries surveyed for internet affordability, the country was fourth in Africa. The report underscored the importance of the cyberspace to every facet of human endeavour. Nigeria is increasingly becoming attractive to cyber crooks that target individuals, government and businesses. LUCAS AJANAKU reports.
The place of a well-secured digital space is certainly critical for the Federal Government to drive its digital agenda.
The Minister of Communication and Digital Economy, Prof Ali Pantami and the Chief Executive Officer, Nigeria Communication Commission (NCC), Prof Garba Danbatta and other stakeholders in the information communication technology (ICT) sector agree that a free but secure cyber space will promote e-commerce, telemedicine, agriculture and many more, especially as the fifth generation (5G) network will soon be rolled out.
“The future is digital, and we should be committed to supporting and collaborating with African countries to maximise opportunities inherent in digital technologies. We should also be ready to avoid the pitfalls by instituting appropriate regulations as we are doing in NCC,” Prof Danbatta.
From Malware Flubot to Cyber-espionage Lyceum and Malware AbstractEmu, the growing incidence of attempted attacks on the country’s cyber space is becoming worrisome.
Malware Flubot
Last year, the NCC raised the alarm over the existence of new, high-risk and extremely-damaging, Malware called Flubot.
A malware is a generic word used to describe a virus or software, designed specially to “disrupt, damage, or gain unauthorised access to a computer system.”
According to the national agency established by the Federal Government to manage the risks of cyber threats in the Nigeria and which also coordinates incident response and mitigation strategies to proactively prevent cyber-attacks against Nigeria, the Nigeria Computer Emergency Response Team (ngCERT), malware Flubot “targets Androids with fake security updates and App installations”.
The ngCERT affirmed that Flubot “impersonates Android mobile banking apps to draw fake web view on targeted applications” and its goal transcends stealing personal data and essentially targets stealing of credit card details or online banking credentials.
FluBot is circulated through Short Message Service (SMS) and can snoop “on incoming notifications, initiate calls, read or write SMSes, and transmit the victim’s contact list to its control centre.”
It attacks Android devices by pretending to be “FedEx, DHL, Correos, and Chrome applications” and compels unsuspecting users to alter the accessibility configurations on their devices in order to maintain continuous presence on devices.
The new malware undermines the security of devices by copying fake login screens of prominent banks, and the moment the users enter their login details on the fake pages, their data is harvested and transmitted to the malware operators’ control point from where the data is exploited by intercepting banking-related One Time Passwords (OTPs) and replacing the default SMS app on the targeted Android device.
Consequently, it secures admission into the device through SMS and proceeds to transmit similar messages to other contacts that may be on the device it has attacked enticing them into downloading the fake app.
When Flubot infects a device, it can result in incalculable financial losses. The malware creates a backdoor which grants access to the user’s device, thus enabling the invader or attacker to perform other criminal actions, including launching other variants of malware.
In view of this discovery and understanding of the process by which this malware operates, and to protect millions of telecom consumers and prevent criminal forces, irrespective of location, from using telecom platforms to perpetrate fraud and irredeemable damages, the NCC issued its advisory to which included not clicking on the link of a suspicious text message, and not installing any app or security update; use updated antivirus software that detects and prevents malware infections; apply critical patches to the system and application; and use strong passwords and enable two-factor authentication (2FA) over logins; back-up your data regularly.
Again, the Commission has alerted members of the public that a cybercrime group has perfected a new year scheme to deliver ransomware to targeted organisation’s networks.
The new ransomware uncovered by security experts has been categorised, by ngCERT advisory released over the weekend as high-risk and critical.
According to the ngCERT advisory, the criminal group is said to have been mailing out USB thumb drives to many organisations in the hope that recipients will plug them into their PCs and install the ransomware on their networks. While businesses are being targeted, criminals could soon begin sending infected USB drives to individuals. The ngCERT advisory said the USB drives contain so-called ‘BadUSB’ attacks.
The BadUSB exploits the USB standards versatility and allows an attacker to reprogram a USB drive to emulate a keyboard to create keystrokes and commands on a computer. It then installs malware prior to the operating system booting, or spoofs a network card to redirect traffic.
Numerous attack tools are also installed in the process that allows for exploitation of personal computers (PCs), lateral movement across a network, and installation of additional malware. The tools were used to deploy multiple ransomware strains, including BlackBatter and REvil.
According to ngCERT, the attack has been seen in the US where the USB drives were sent in the mail through the Postal Service and Parcel Service. One type contained a message impersonating the US Department of Health and Human Services and claimed to be a COVID-19 warning. Other malicious USBs were sent in the post with a gift card claiming to be from Amazon.
However, ngCERT has offered recommendations that will enable corporate and individual networks to mitigate the impact of this new cyber-attack and be protected from the ransomware.
These recommendations include a call on individuals and organisations not to insert USB drives from unknown sources, even if they’re addressed to you or your organization. In addition, if the USB drive comes from a company or a person one is not familiar with and trusts, it is recommended that one contacts the source to confirm they actually sent the USB drive.
Cyber-espionage Lyceum
An Iranian hacking group known as Lyceum (also known as Hexane, Siamesekitten, or Spirlin) was also reported to be targeting telecoms, Internet Service Providers (ISPs) and Ministries of Foreign Affairs (MFA) in Africa with upgraded malware in a politically motivated attack oriented in cyber-espionage.
Information about the cyber-attack is contained in the latest advisory issued by the ngCERT warned the probability and damage level of the new malware as high.
According to the advisory, the hacking group is known to be focused on infiltrating the networks of telecoms companies and ISPs. Between July and October last year, Lyceum was indicted in attacks against ISPs and telecoms firms in Israel, Morocco, Tunisia and Saudi Arabia.
The advanced persistent threat (APT) group has been linked to campaigns that hit Middle Eastern oil and gas companies in the past. Now, the group appears to have expanded its focus to the technology sector. In addition, the APT is responsible for a campaign against an unnamed African government’s Ministry of Foreign Affairs.
By the attackers’ modus operandi, Lyceum’s initial onslaught vectors include credential stuffing and brute-force attacks. So, once a victim’s system is compromised, the attackers conduct surveillance on specific targets. In that mode, Lyceum will attempt to deploy two different kinds of malware: Shark and Milan (known together as James).
Both malware are backdoors. Shark, a 32-bit executable written in C# and .NET, generates a configuration file for domain name system (DNS) tunneling or Hypertext Transfer Protocol (HTTP) C2 communications; whereas Milan – a 32-bit Remote Access Trojan (RAT) retrieves data.
Both are able to communicate with the group’s command-and-control (C2) servers. The APT maintains a C2 server network that connects to the group’s backdoors, consisting of over 20 domains, including six that were previously not associated with the threat actors.
According to reports, individual accounts at companies of interest are usually targeted, and once these accounts are breached, they are used as a springboard to launch spear-phishing attacks against high-profile executives in an organization. The report suggests that not only do these attackers seek out data on subscribers and connected third-party companies, but once compromised, threat actors or their sponsors can also use these industries to survey individuals of interest.
ngCERT advised multiple layers of security in addition to constant network monitoring to stave off potential attacks.
Telecom consumers and the general public were advised to ensure the consistent use of firewalls (software, hardware and cloud firewalls); enable a Web Application Firewall to help detect and prevent attacks coming from web applications by inspecting HTTP traffic; install up-to-date antivirus programmes to help detect and prevent a wide range of malware, Trojans, and viruses, which APT hackers will use to exploit your system; implement the use of Intrusion Prevention Systems that monitors your network; and create a secure sandboxing environment that allows you to open and run untrusted programs or codes without risking harm to your operating system.
Others are ensure the use of virtual private network (VPN) to prevent an easy opportunity for APT hackers to gain initial access to your company’s network; and enable spam and malware protection for your email applications, and educate your employees on how to identify potentially malicious emails.
Malware AbstractEmu
Another Android malware named ‘AbstractEmu’, which can gain access to smartphones, take complete control of infected smartphones and silently modify device settings while simultaneously taking steps to evade detection.
AbstractEmu has been found to be distributed via Google Play Store and third-party stores such as the Amazon Appstore and the Samsung Galaxy Store, as well as other lesser-known marketplaces like Aptoide and APKPure.
The advisory stated that a total of 19 Android apps that posed as utility apps and system tools like password managers, money managers, app launchers, and data saving apps have been reported to contain the rooting functionality of the malware.
The apps are said to have been prominently distributed via third-party stores such as the Amazon Appstore and the Samsung Galaxy Store, as well as other lesser-known marketplaces like Aptoide and APKPure. The apps include All Passwords, Anti-ads Browser, Data Saver, Lite Launcher, My Phone, Night Light and Phone Plus, among others.
According to the report, rooting malware though rare, is very dangerous. By using the rooting process to gain privileged access to the Android operating system, the threat actor can silently grant itself dangerous permissions or install additional malware – steps that would normally require user interaction. Elevated privileges also give the malware access to other apps’ sensitive data, something not possible under normal circumstances.
The ngCERT advisory also captured the consequences of making their devices susceptible to AbstractEmu attack. Once installed, the attack chain is designed to leverage one of five exploits for older Android security flaws that would allow it to gain root permissions. It also takes over the device, installs additional malware, extracts sensitive data, and transmits to a remote attack-controlled server.
Additionally, the malware can modify the phone settings to give app ability to reset the device password, or lock the device, through device admin; draw over other windows; install other packages; access accessibility services; ignore battery optimisation; monitor notifications; capture screenshots; record device screen; disable Google Play Protect; as well as modify permissions that grant access to contacts, call logs, Short Messaging Service (SMS), Geographic Positioning System (GPS), camera, and microphone.
The ngCERT also said in the advisory that, while the malicious apps were removed from Google Play Store, the other app stores are likely distributing them. Consequently, the NCC wishes to reiterate a two-fold ngCERT advisory in order to mitigate the risks. The two-fold advisory said users should be wary of installing unknown or unusual apps, and look out for different behaviours as they use their phones; and they should reset phone to factory settings when there is suspicion of unusual behaviours in the phone.
