The National Information Technology Development Agency (NITDA) has alerted Nigerians on Microsoft, a world-renowned multinational technology company’s uncovering of a wide spread malicious email campaign undertaken by the hacking group- NOBELIUM.
The cybercriminals leveraged the legitimate mass-mailing service to masquerade as a US-based development organisation and distribute malicious URLs to a wide variety of organisations especially government organisations, non-government organizations (NGOs), think-tanks, military, IT service providers, health technology and research, and telecommunications providers.
Their antics involve the use of emails claiming to be an alert from USAID about new documents published by former President Donald Trump about “election fraud.”
Once users click the link in the email, the URL would direct them to the legitimate Constant Contact Service and then redirect to Nobelium-controlled infrastructure through a URL that delivers a malicious ISO file. This in turn, enables the criminals to execute further malicious objectives such as lateral movement, data exfiltration and delivery of additional malware.
NITDA has therefore advised Nigerians to be wary of such criminals masquerading as USAID and follow the following recommendations:
§ Turn on cloud-delivered protection in Microsoft Defender Antivirus or the equivalent to cover rapidly evolving attacker tools and techniques.
§ Run EDR in block mode to enable antivirus block malicious artifacts (EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.)
§ Enable network protection to prevent applications or users from accessing malicious domains and other malicious content on the Internet.
§ Enable investigation and remediation in full automated mode to allow antivirus take immediate action on alerts to resolve breaches.
§ Use device discovery to increase your visibility into your network by finding unmanaged devices on your network and onboarding them
§ Enable multifactor authentication (MFA) to mitigate compromised credentials.
§ Block all Office applications from creating child processes.
Users and administrators are advised to review and apply the above mitigations.
Similarly, the agency also advised Nigerians to be wary of IGVM, a file-encrypting Ransomware infection that restricts access to data (documents, images, videos) by encrypting files with the “igvm” extension. It attempts to extort money from victims by requesting for “ransom”, in the form of Bitcoin cryptocurrency in exchange for access to data.
This crypto-virus spreads in different methods like web injectors, pirated software, spam emails, malicious software bundles, fake software updates, and deceiving online ads.
The primary task of IGVM ransomware virus is to check your computer system for target file formats and encrypt them using a private RSA key. Once virus locks the files, it then runs several commands via CMD.exe to delete Volume Shadow Copies from your system. It equally prevents the victims from restoring their file copies for free, using Windows tools. Next, the virus modifies Windows HOSTS file by adding a list of domains to it.
These domains are mostly computer or IT-relates websites, so the attackers capitalize on this measure to prevent the victim from seeking help or information online.
NITDA also advised the general public to follow these recommendations:
• Ensure regular data backup and recovery plan for all critical information.
• Use application whitelisting to help prevent malicious software and unapproved programs from running.
• Keep operating system and software up-to-date with the latest patches.
• Maintain up-to-date anti-virus software, and scan all software downloaded from the internet before installing.
• Do not follow unsolicited web links in emails.
• Do not download or open suspicious email attachments.
• Do not open emails from suspicious recipients.
Furthermore, if paying up seems like the only reason to get your files back, we strongly advise against ransom payments. Various cybersecurity experts do not recommend paying up due to the following reasons:
• The criminals might stop responding as soon as you transfer money to their virtual wallet address;
• The so-called decryption tool can be faulty or fail to work due to data modification on your end;
• Avoid funding this illegal business model. The fact that ransomware operators collect millions in ransoms each year simply encourages people to join this cybercrime industry.
A statement by the agency’s head of corporate affairs and external relations, Mrs Hadiza Umar, urged Nigerians to report any incident by contacting NITDA CERRT via email support@cerrt.ng or via telephone +2348178774580.
