Attackers’ rising threats to Nigeria’s cyberspace

ADEYEMI ADEPETUN, in this copy, writes on the persistent threat to Nigeria’s cyberspace as criminals continue to unleash various cyber attacks.

Late last year into the New Year, Nigerians were alerted to several moves by cybercriminals to unleash various attacks on the country’s cyberspace.

From unleashing Malware Flubot to Cyber-espionage Lyceum and Malware AbstractEmu, attempted attacks on the country’s cyberspace are becoming worrisome. The target has been to raid bank accounts, identity theft, impersonation and stealing of corporate information.

Today, reports have it that nearly two-thirds of people, who use online services (more than two billion individuals worldwide) have had their personal data stolen or compromised, which includes global North countries such as the UK where two-thirds of the world’s largest businesses suffer yearly data breaches. The worldwide move to remote work is said to have contributed to a boom in the industry.

A report by the Centre for Strategic Studies revealed that cybercrime costs the global economy as much as $600 billion or 0.8 per cent of global GDP in 2017 and $1 trillion in 2020. It ranks third behind government corruption and narcotics as a global economic ‘scourge,’ amounting to a 14 per cent tax on growth.

At the recently held LEAP 2022 tech conference and exhibition, organised by Saudi Arabia’s Ministry of Communications and Technology in Riyadh, the Chief Executive Officer of Kaspersky, Eugene Kaspersky, informed that 380,000 new malware are released daily, with a target on developing countries.

Like in many countries across the world, cyber-attacks increased in Nigeria during the pandemic because forced restrictions and lockdown meant that people remained indoors. Consequently, job losses led to many young people whose livelihoods were under threat entering cybercrime for financial security.

In response, the Federal Government has called for increased public vigilance, especially against Cyber espionage Lyceum; Malware AbstractEmu and Flubot.

Intrusion of Malware Flubot
The NCC raised the alarm over the existence of new, high-risk and extremely-damaging malware called Flubot.

According to the Nigeria Computer Emergency Response Team (ngCERT), the national agency established by the Federal Government to manage the risks of cyber threats in Nigeria. It also coordinates incident response and mitigation strategies to proactively prevent cyber-attacks against Nigeria, malware Flubot “targets Androids with fake security updates and App installations”.

The ngCERT affirmed that Flubot “impersonates Android mobile banking apps to draw fake web view on targeted applications” and its goal transcends stealing personal data and essentially targets stealing of credit card details or online banking credentials.

FluBot is circulated through Short Message Service (SMS) and can snoop “on incoming notifications, initiate calls, read or write SMSes, and transmit the victim’s contact list to its control centre.”

It attacks Android devices by pretending to be “FedEx, DHL, Correos, and Chrome applications” and compels unsuspecting users to alter the accessibility configurations on their devices to maintain a continuous presence on devices.

The new malware undermines the security of devices by copying fake login screens of prominent banks, and the moment the users enter their login details on the fake pages, their data is harvested and transmitted to the malware operators’ control point from where the data is exploited by intercepting banking-related One Time Passwords (OTPs) and replacing the default SMS app on the targeted Android device.

Advising the populace, NCC urged that people should not click on the link of a suspicious text message, and not install any app or security update; use updated antivirus software that detects and prevents malware infections; apply critical patches to the system and application, and use strong passwords and enable two-factor authentication (2FA) over logins; back-up your data regularly.

Telcos, ISPs risk Cyber-espionage Lyceum attacks
While promoters of Flubot continued to make efforts to unleash terror, the Federal Government also hinted that an Iranian hacking group known as Lyceum (also known as Hexane, Siamesekitten, or Spirlin) was also reported to be targeting telecoms, Internet Service Providers (ISPs) and Ministries of Foreign Affairs (MFA) in Africa with upgraded malware in a politically motivated attack-oriented in cyber-espionage.

Information about the cyber-attack is contained in another advisory issued by the ngCERT, warning that the probability and damage level of the new malware as high.

According to the advisory, the hacking group is known to be focused on infiltrating the networks of telecoms companies and ISPs. Between July and October last year, Lyceum was indicted in attacks against ISPs and telecoms firms in Israel, Morocco, Tunisia and Saudi Arabia.

The advanced persistent threat (APT) group has been linked to campaigns that hit Middle Eastern oil and gas companies in the past. Now, the group appears to have expanded its focus to the technology sector. In addition, the APT is responsible for a campaign against an unnamed African government’s Ministry of Foreign Affairs.

By the attackers’ modus operandi, Lyceum’s initial onslaught vectors include credential stuffing and brute-force attacks. So, once a victim’s system is compromised, the attackers conduct surveillance on specific targets. In that mode, Lyceum will attempt to deploy two different kinds of malware: Shark and Milan (known together as James).

ngCERT advised multiple layers of security in addition to constant network monitoring to stave off potential attacks.

Telecoms consumers and the general public were advised to ensure the consistent use of firewalls (software, hardware and cloud firewalls); enable a Web Application Firewall to help detect and prevent attacks coming from web applications by inspecting HTTP traffic; install up-to-date antivirus programmes to detect and prevent a wide range of malware, Trojans, and viruses, which APT hackers will use to exploit your system; implement the use of Intrusion Prevention Systems that monitor network, and create a secure sandboxing environment that allows one to open and run untrusted programmes or codes without risking harm to the operating system.

Others are to ensure the use of the virtual private network (VPN) to prevent an easy opportunity for APT hackers to gain initial access to the company’s network; enable spam and malware protection for email applications, and educate employees on how to identify potentially malicious emails.

AbstractEmu attacks via Apps
The FG also informed of another Android malware named ‘AbstractEmu’, which can gain access to smartphones, take complete control of infected ones and silently modify device settings by taking steps to evade detection.

AbstractEmu has been found to be distributed via Google Play Store and third-party stores such as the Amazon Appstore and the Samsung Galaxy Store, as well as other lesser-known marketplaces like Aptoide and APKPure.

The advisory stated that a total of 19 Android apps that posed as utility apps and system tools like password managers, money managers, app launchers, and data saving apps have been reported to contain the rooting functionality of the malware.

According to the report, rooting malware, though rare, is very dangerous. By using the rooting process to gain privileged access to the Android operating system, the threat actor can silently grant itself dangerous permissions or install additional malware – steps that would normally require user interaction. Elevated privileges also give the malware access to other apps’ sensitive data, something not possible under normal circumstances.

In its advisory, the ngCERT noted that while the malicious apps were removed from Google Play Store, the other app stores are likely distributing them. Consequently, the NCC reiterated a two-fold ngCERT advisory to mitigate the risks. The two-fold advisory said users should be wary of installing unknown or unusual apps, look out for different behaviours as they use their phones, and they should reset the phone to factory settings when there is suspicion of unusual behaviours in the phone.

Advice from Microsoft’s threat and data research
Tapping from Microsoft, which noted that with weak passwords, password spraying, and phishing the entry point for most attacks, identity is the new battleground of cyber threats.

In its first edition of Cyber Signals, Microsoft’s new quarterly cyber threat intelligence brief, the firm took a closer look at the dangers of the rising mismatch in the scale of identity-focused attacks in relation to levels of organisational preparedness.

The newly released research showed that though threats have been rising fast over the past two years, there has been low adoption of strong identity authentication, such as multifactor authentication and passwordless solutions. In fact, just 22 per cent of Microsoft’s Cloud Identity Solution, Azure Active Directory, users had implemented strong identity authentication protection as of December 2021.

In fact, according to Cyber Signals, basic security hygiene still protects against 98 per cent of attacks. Key recommendations for organisations looking to increase their level of security include; implementation of zero trust to reduce risk; preventing passwords from falling into the wrong hands; reviewing account privileges regularly and constantly verifying the authenticity of users and activities.

Microsoft noted that privileged-access accounts if hijacked, become powerful weapons attackers can use to gain greater access to networks and resources. It stressed that the security teams should be auditing access privileges frequently, using the principle of least privilege granted to enable employees to get jobs done.

According to the American firm, another fundamental aspect of security hygiene should be to thoroughly review all tenant administrator users or accounts tied to delegated administrative privileges. Microsoft said this will help organisations verify the authenticity of users and activities. Security team should then disable or remove any unused delegated administrative privileges.