TRIA STEALER ANDROID MALWARE CAMPAIGN. ngCERT’s attention has been drawn to a sophisticated android malware campaign tagged Tria Stealer. The trojan exploits android devices to harvest SMS data, as well as hijack WhatsApp and Telegram accounts. Reportedly, Tria Stealer is spread by luring unsuspecting persons into downloading a malicious Android Package Kit (APK), through fake wedding or event invitations sent on mobile messaging apps. Once installed, the trojan is capable of stealing sensitive data, and exploits the same for account hijacking as well as financial fraud. Consequently, android users and are advised to take proactive steps to safeguard their systems against Tria Stealer infiltration.

• Advisory
• May 28, 2025

CRITICAL FLAW IN APPLE’S PASSWORD APP EXPOSING USERS TO PHISHING ATTACKS. ngCERT has issued an urgent alert regarding a critical vulnerability (CVE-2024-44276, CVSS 9.1 – Critical) in Apple’s Password App for iOS 18, enabling attackers to hijack user sessions and steal sensitive credentials. The flaw originates from the app’s reliance on an insecure HTTP protocol for data transmission, allowing adversaries on shared networks (e.g., public Wi-Fi) to intercept unencrypted traffic and redirect users to malicious phishing sites. These fraudulent pages mimic legitimate services to harvest login credentials, financial data, and other personal information.

• Advisory
• May 26, 2025

CRITICAL FORTINET OPERATING SYSTEMS & FORTIPROXY AUTHENTICATION BYPASS VULNERABILITY. ngCERT has observed the emergence of a critical Fortinet OS & FortiProxy Authentication Bypass Vulnerability tagged (CVE-2024-55591). This flaw allows attackers to execute remote code on affected systems, which can result in full system compromise. Exploiting this flaw can lead to data breaches, privilege escalation, and service disruption. Reportedly, the weakness is identified with a CVSSv3 score of 9.6, with records of active exploitation in the wild. In this regard, users are strongly advised to apply the available patches provided by Fortinet, while emplacing necessary measures to safeguard their systems.

• Advisory
• March 7, 2025

VIPERSOFTX MALWARE INFILTRATION. ngCERT is issuing an urgent security alert regarding the infiltration of ViperSoftX malware within Nigerian cyberspace. ViperSoftX is a JavaScript-based Remote Access Trojan (RAT) capable of stealing sensitive information like banking and cryptocurrency details while evading detection and analysis on an infected system. Cybercriminals distribute this malware through infected email attachments, malicious online advertisements, social engineering, and cracked software. When successfully deployed on a system, the Trojan could be used for several malicious activities, leading to system compromise, data exfiltration, financial losses, identity theft, and ransomware attacks. ngCERT advises individuals and organizations to take immediate steps to protect their systems and data from ViperSoftX malware.

• Advisory
• January 30, 2025

SECURITY RISKS OF EXPIRED SSL CERTIFICATE. ngCERT is issuing an urgent security alert regarding the dangers and risks associated with expired Secure Socket Layer (SSL) certificates, which are increasingly observed within Nigerian cyberspace. SSL is essential for web services as it ensures end-to-end encrypted communication between client and server over the Internet. However, if an SSL certificate on the server side expires, this secure communication is compromised, exposing users to cyber threats. Malicious actors can exploit this vulnerability to execute phishing attacks and Man-in-the-Middle (MitM) attacks, among others, leading to data breaches, data theft, reputational damage, financial losses, and Denial of Service (DoS) attacks. Given these risks, users are advised to renew expired SSL certificates and implement other recommended mitigation steps.

• Advisory
• October 16, 2024

CRITICAL VULNERABILITY IN FORTINET OPERATING SYSTEM. ngCERT is aware of a critical security flaw in several versions of Fortinet Operating System (FortiOS). The vulnerability dubbed (CVE-2024-21762) with a CVSS score of 9.6, is an out-of-bounds write vulnerability that may allow a remote unauthenticated attacker to execute arbitrary code or command on Fortinet SSL VPNs via specially crafted HTTP requests. It is pertinent to note that other recent Fortinet SSL VPN vulnerabilities identified as (CVE-2022-42475, CVE-2022-41328, and CVE-2023-27997) have been exploited by cybercriminals as both zero-day and n-day following public disclosure. Consequently, ngCERT advises individuals and organizations to take immediate steps to protect their systems from exploitation by threat actors.

• Advisory
• July 11, 2024

ANDROMEDA MALWARE INFILTRATION DISCOVERED. ngCERT is aware of the resurgence of Andromeda malware, also known as Gamarue, Wauchos, and Andromeda Stealer, which is a dangerous Trojan horse with multiple malicious capabilities. This malware has been used by threat actors to create a network of infected computers, known as Andromeda Botnet, which can be used to launch further attacks by distributing other malwares such as ransomwares, banking Trojans, Distributed Denial of Service (DDos), spam bot and backdoor. Despite the takedown of the Andromeda botnet by US and Europe law enforcement agencies in 2017, new variants have been detected, infecting systems worldwide, including Nigeria. ngCERT advises individuals and organisations to take immediate steps to protect their systems and data from Andromeda and other malware threats.

• Advisory
• June 6, 2024

OS Command Injection Vulnerability in GlobalProtect. Security researchers identified zero-day exploitation of a vulnerability found within the GlobalProtect feature of Palo Alto Networks PAN-OS. The vulnerability allows the threat actor to remotely exploit the firewall device, create a reverse shell, and download further tools onto the device. The attacker focused on exporting configuration data from the devices, and then leveraging it as an entry point to move laterally within the victim organizations. Accordingly, users of Palo Alto products in Nigeria are advised to upgrade their products to the latest versions as recommended.

• Advisory
• April 25, 2024

New StrelaStealer Malware Campaign Targeting Organizations Email Accounts. There is a concerning development involving a new StrelaStealer malware campaign that has affected numerous organizations with most recent cases occurring in the United States and Europe, highlighting the necessity for Nigerian organizations to remain vigilant, as reports indicate widespread propagation. This campaign is specifically designed to target email account credentials. The sectors most heavily targeted by this campaign include finance, legal services, manufacturing, government agencies, utilities, and energy, among others. The potential consequences of these attacks are severe, ranging from data theft to financial losses and other forms of fraudulent activity. Therefore, it emphasizes the critical need for proactive measures to be taken to prevent such attacks from compromising our critical information infrastructures.

• Advisory
• April 5, 2024

Security Update On Google Chrome Browser. Security researchers discovered three high-severity vulnerabilities in the Google Chrome browser (CVE-2024-1060, CVE-2024-1059, and CVE-2024-1077). According to reports, the vulnerabilities might allow threat actors to remotely exploit Chrome, potentially executing arbitrary code, stealing sensitive user data, or causing system crashes. Meanwhile, Google has released new security updates to address many vulnerabilities in its Chrome browser. Nonetheless, users must take proper actions to mitigate dangers.

• Advisory
• February 13, 2024

Malicious Advertising Campaign Distributing Info-Stealer Malware. Cybercriminals are continuously looking for and developing new ways to disseminate malware, with the most recent option being through malicious advertisements. These malicious advertising, or malvertising campaign are used to spread .NET loaders, known as MalVirt, that deploy information-stealing malware unto unsuspecting devices. Malvertising is a relatively recent hacking strategy that embeds harmful malware in digital advertisements. Almost every internet user is vulnerable to infection.

• Advisory
• January 9, 2024

Hijacked Microsoft IIS Servers Used to Distribute Malware. AhnLab Security Emergency Response Centre (ASEC) has revealed that the North Korean state-sponsored Lazarus hacking group is breaching Windows Internet Information Service (IIS) web servers to hijack them for malware distribution. This latest campaign takes advantage of a weakness in INISAFE CrossWeb EX V6 to transmit the Lazarus malware. INISAFE CrossWeb EX V6 is a software used to protect against malicious websites and malware attacks. However, it has been reported that the Lazarus group has exploited a vulnerability in the software to distribute malware. The malware is installed when a system using a vulnerable version of INISAFE CrossWeb EX V6 visits a website via a web browser.

• Advisory
• July 27, 2023

Cisco Prime Infrastructure and Evolved Programmable Network Manager Remote Code Execution Vulnerability. A vulnerability in the REST API of Cisco Prime Infrastructure (PI) and Cisco Evolved Programmable Network Manager (EPNM) releases prior to 3.0.2 could allow an unauthenticated remote attacker to execute arbitrary code with root privileges on the underlying operating system.

• Advisory
• July 21, 2023

ESXi Remote Code Execution Vulnerability. Investigation revealed that the vulnerability ESXi versions 6.0, 6.5 and 6.7 running on any platform, and the Horizon cloud desktop-as-a-service (DaaS) platform version 8.x. could be exploited to perform remote code execution.

• Vulnerability
• July 21, 2023