There has been another hacker group operating in Africa’s telecoms space, and the Nigerian Communications Commission (NCC) has issued a public warning about it.
Lyceum (also known as Hexane, Siamesekitten, or Spirlin) has been targeting telecommunications, ISPs, and MFAs in Africa with improved malware in recent politically motivated cyberespionage assaults.
The Nigerian Computer Emergency Response Team (ngCERT) has published a new advisory concerning this cyber attack. ngCERT classified both the likelihood and the severity of the new malware’s impact as high.
As stated in the advisory, the hacker group is well known for concentrating its efforts on accessing the networks of telecommunications companies and internet service providers (ISPs). Lyceum was found to have been involved in attacks on ISPs and telecoms organisations in Israel, Morocco, Tunisia and Saudi Arabia between July 2021 and October 2021.
In the past, attacks on oil and gas companies in the Middle East have been traced to the Advanced Persistent Threat (APT) group. In recent months, it appears that the group has shifted its attention to the tech world. An undisclosed African government’s Ministry of Foreign Affairs has also been the target of an APT campaign.
Lyceum initially gains access through credential stuffing and brute-force attacks. Once a foothold on a victim’s system has been established, the attackers can begin spying on specific individuals. At this stage Lyceum attempts to deploy two different malware families, Shark and Milan (known together as James).
Both are backdoors. Shark, a 32-bit application written in C# and .NET, generates a configuration file for command and control (C2) communication over domain name system (DNS) tunnelling or Hypertext Transfer Protocol (HTTP), whereas Milan, a 32-bit Remote Access Trojan (RAT), gathers information.
Both communicate with the group’s command and control (C2) servers. The APT’s C2 infrastructure comprises over 20 domains, six of which were previously unassociated with the threat actors’ activities.
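Because the advisory describes DNS tunnelling as one of Shark’s C2 channels and later calls for regular network monitoring, here is an added example (not code from the advisory or from any of the organisations named) of a simple heuristic that scores DNS query logs for tunnelling-like behaviour: many queries to one registered domain whose subdomain labels are long and high-entropy. The log lines and the domain `c2-placeholder.test` are constructed for illustration, and the two-label "registered domain" rule is a simplification of what a public suffix list would give.

```python
import math
from collections import defaultdict

# Constructed sample DNS query log (time client qtype qname); not from the advisory.
SAMPLE_LOG = """\
10:00:01 10.0.0.5 A www.example.org
10:00:02 10.0.0.5 TXT 4f2a9c1e7b3d8a6e5c0f1b2d3e4a5c6d.c2-placeholder.test
10:00:03 10.0.0.5 TXT 9a8b7c6d5e4f3a2b1c0d9e8f7a6b5c4d.c2-placeholder.test
10:00:04 10.0.0.5 TXT 1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e.c2-placeholder.test
10:00:05 10.0.0.5 A mail.example.org
10:00:06 10.0.0.5 TXT a1b2c3d4e5f60718293a4b5c6d7e8f90.c2-placeholder.test
10:00:07 10.0.0.5 A cdn.example.org
"""

def shannon_entropy(s):
    """Bits of entropy per character; encoded/encrypted data scores high."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def registered_domain(qname):
    """Naive: last two labels. Production code should use a public suffix list."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])

def score_domains(log_text, min_queries=3, entropy_threshold=3.5, label_len=24):
    """Return per-domain stats for domains that look like tunnelling endpoints."""
    stats = defaultdict(lambda: {"queries": 0, "txt": 0, "suspicious_labels": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue                      # skip malformed lines
        _, _, qtype, qname = parts
        dom = registered_domain(qname)
        st = stats[dom]
        st["queries"] += 1
        if qtype.upper() in ("TXT", "NULL", "CNAME"):   # record types favoured for data exfil
            st["txt"] += 1
        sub = qname[: -len(dom)].rstrip(".") if qname.endswith(dom) else ""
        for label in sub.split("."):
            if len(label) >= label_len and shannon_entropy(label) >= entropy_threshold:
                st["suspicious_labels"] += 1
    # Flag only domains with a sustained stream of high-entropy subdomains.
    return {d: st for d, st in stats.items()
            if st["queries"] >= min_queries and st["suspicious_labels"] >= min_queries}
```

Run against real resolver or firewall logs this will need tuning (CDNs and some anti-spam services legitimately emit long hashed labels), so treat a hit as a lead for analyst review rather than a verdict.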
Individual accounts at firms of interest are frequently targeted, and once compromised, they are used to initiate spear-phishing attacks against high-profile executives. Access to these industries lets a threat actor or its sponsors surveil individuals of interest, according to the report’s findings.
Nonetheless, drawing on the ngCERT findings, the NCC has reiterated that telecom operators and Internet service providers (ISPs) alike need multiple layers of security, as well as regular network monitoring, in order to fend off prospective attacks.
The following recommendations are made specifically to telecom users and the broader public:
1. To begin, ensure that firewalls are always used (software, hardware and cloud firewalls).
2. By inspecting HTTP traffic, a Web Application Firewall can assist in the detection and prevention of attacks that originate in web applications.
3. Use up-to-date antivirus software to detect and prevent malware, trojans, and viruses used by APT hackers to exploit your system.
4. Install Intrusion Prevention Systems (IPS) to monitor your network and protect it from malicious activity.
5. Establish a secure sandboxing environment that allows you to open and run untrusted programmes or code without the risk of damaging your computer’s operating system.
6. Make use of a virtual private network (VPN) to prevent APT hackers from gaining access to your company’s network using a simple point-to-point connection.
7. Enable spam and malware protection for your email applications, and train your personnel on how to spot potentially harmful communications.
With the launch of the NCC’s Cyber Threat Response Centre (CSIRT), the NCC restated its commitment to active surveillance and monitoring of cyber activity in the sector and keeping stakeholders informed of potential cyber threats. For this reason, the networks that offer important services and protect telecom customers from cyber threats must be secure.