The Nigerian Communications Commission (NCC) through its Computer Security Incidents Response Team (CSIRT) set up for the telecommunications sector, has announced the discovery of two new separate cyber threats targeting Windows platforms and a particular kind of router.
According to a statement signed by NCC Director, Public Affairs, Dr. Ikechukwu Adinde, the discoveries were made known in two separate advisories released by the cyber-space protection team earlier in April 2022.
The first cyber threat, according to the NCC, is ransomware known as ‘Lokilocker’, which is capable of wiping data from all versions of Windows systems or platforms causing data loss, and denial of service (DoS), which reduces users’ productivity.
Lokilocker, the statement said, is a relatively new ransomware that has been discovered by security researchers that operates by encrypting user files and rendering the compromised system useless if the victim does not pay the demanded ransom in time.
To hide the malicious activity, the ransomware displays a fake window update screen, cancels specific processes and services, and completely disables the task manager, windows error reporting, machine firewall and windows defender of the compromised system.
Its devastating effects include in-built processes that prevent data recovery as it deletes backup files, shadow copies, and removes system restore points. It also overwrites the user login note and modifies original equipment manufacturer (OEM) information in the registry of the compromised system.
The NCC CSIRT in its advisory stated that “To protect against infections by LokiLocker and similar ransomware, the best rule is to always have a backup copy of your data, which should be stored offline.”
It added that “all downloads and email attachments should be opened with caution, even if they are from trusted sites or senders. Users should also ensure their attachments are scanned with an up-to-date antimalware solution, before opening.”
The second cyber threat discovered by the NCC CSIRT is a “Botnet” that targets the Microtik version of routers. CSIRT revealed that thousands of routers from Microtik have been found to be vulnerable and being used to constitute what has been named one of the largest botnets in history.
This botnet, according to CSIRT statement, exploits an already-known vulnerability, which allows unauthenticated remote attackers to read arbitrary files and authenticated remote attackers to write arbitrary files, due to a directory traversal vulnerability in the WinBox interface. The vulnerability which was previously fixed allowed the perpetrators to enslave all the routers and then rent them out as a service.
Following the new research published by Avast, a cryptocurrency mining campaign taking advantage of the newly disrupted Glupteba botnet as well as the famed Trickbot malicious software were found to have been disseminated by the very same command-and-control (C2) server. The C2 server functions as botnet-as-a-service, which controls nearly 230,000 vulnerable MicroTik routers. The Botnet, however, has been linked to what is now called the Meris Botnet.
The threat types emanating from the botnet include bypass authentication, data loss, denial of service, remote code execution, sniff password and unauthorized access. These situations result in dangers to victims of this cyber threat including malware distribution, mining cryptocurrency, thereby increasing the use of system resources, remote code execution and data theft.
To be protected from this threat, NCC advises users to update or apply the latest patches to their routers early, set strong router passwords, disable the administration interface of the routers from the public, stay away from illegitimate or cracked software versions of legitimate applications, and use decent antivirus software with in-built web-filtering, and apply the latest patches as soon as they arrive.