Notifications Archive: 2017

11. December 2017

Spider Ransomware Propagation

The National CERT of the Republic of Serbia (SRB-CERT) is informing and warning all computer and mobile device users about the spread of a new ransomware named Spider.

Spider was first detected on 10 December 2017 and is believed to belong to the "File-Spider" type. Malware of this type encrypts the files stored on a computer or mobile device so that they can no longer be opened, and denies the user access to the device or to particular files until a ransom is paid in exchange for the decryption keys.

The malware arrives by e-mail from the address office@adriadoo.com. All messages seen so far are written in Serbian, titled "Potraživanje dugovanja – ХХХХХХХ" ("Debt Claim – ХХХХХХХ"), and signed by a fictitious debt collector, Ivan Azeljković. The text refers to the enforcement of a specific decision of the Belgrade Basic Court and gives an account number for paying the prescribed amount. It then explains that, because the details are private, they had to be placed in the attached Microsoft Word file, and instructs the recipient to click "Enable Editing" and then "Enable Content" on the ribbon. That second click is what allows the active content (macros) embedded in the document to run, and it is this that installs the ransomware.
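The "Enable Editing" / "Enable Content" instruction exists to get the recipient to run a macro hidden in the attachment, so a mail gateway can stop this campaign before the user ever sees the prompt. The following is an added example, not code from SRB-CERT: it triages an attachment by the sender address given in this notice and by whether the Office file actually carries a VBA project, which is checked inside the archive rather than by extension, since a file named .docx can still contain macros. The sample document is constructed in memory for offline use and is not a real sample of the malware.

```python
import io
import zipfile

# Indicator from the SRB-CERT notice above.
KNOWN_BAD_SENDERS = {"office@adriadoo.com"}

# OOXML parts that hold a VBA project; "Enable Content" is what lets Office run them.
VBA_PARTS = ("word/vbaproject.bin", "xl/vbaproject.bin", "ppt/vbaproject.bin")
MACRO_EXTENSIONS = (".docm", ".dotm", ".xlsm", ".xltm", ".pptm")


def has_vba_project(data):
    """True if an OOXML attachment (docx/docm/xlsx/...) contains a VBA project.

    The archive content is checked, not the file name, because a .docx can
    carry macros despite its extension. Non-zip input (legacy .doc, RTF, PDF)
    returns False here and needs a different check (e.g. the OLE2 streams).
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = {n.lower() for n in zf.namelist()}
    except zipfile.BadZipFile:
        return False
    return any(part in names for part in VBA_PARTS)


def triage_attachment(sender, filename, data):
    """Return the list of reasons to quarantine an attachment (empty list = clean)."""
    reasons = []
    if sender.strip().lower() in KNOWN_BAD_SENDERS:
        reasons.append("sender listed in the SRB-CERT Spider notice")
    if filename.lower().endswith(MACRO_EXTENSIONS):
        reasons.append("macro-enabled Office extension")
    if has_vba_project(data):
        reasons.append("embedded VBA project (runs on 'Enable Content')")
    return reasons


def build_sample_docx(with_macro):
    """Constructed minimal OOXML archive for offline testing; not a real document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # A real vbaProject.bin is an OLE2 container; the magic bytes suffice here.
            zf.writestr("word/vbaProject.bin",
                        b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8)
    return buf.getvalue()


if __name__ == "__main__":
    # Hypothetical message modelled on the notice: Serbian subject, .docx attachment.
    reasons = triage_attachment("office@adriadoo.com", "Potrazivanje dugovanja.docx",
                                build_sample_docx(with_macro=True))
    print("QUARANTINE" if reasons else "PASS", reasons)
```

The sender check only catches this campaign; the VBA check is the durable part, since the next campaign will use a different address but the same "Enable Content" trick.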

Reports about this malware on social networks point to the Balkan region as its target, which matches what has been observed: the same attacks have been carried out in the Republic of Srpska and Bosnia and Herzegovina.

SRB-CERT advises all users not to open attachments from this e-mail address and to back up all important files on their computers and mobile devices regularly.

If a computer has already been infected, the recommended procedure is:

  • disconnect the infected device from the network,
  • report the incident to the National CERT of the Republic of Serbia at the e-mail address info@cert.rs,
  • DO NOT pay the ransom, since there is no guarantee that you will receive the decryption keys and be able to restore the encrypted files.

12. October 2017

WPA2 Protocol Vulnerability

The National CERT of the Republic of Serbia (SRB-CERT) is informing and warning all computer and mobile device users about a vulnerability discovered in the WPA2 protocol (Wi-Fi Protected Access II).

Research by the imec-DistriNet group at KU Leuven uncovered a serious vulnerability in WPA2, the protocol that secures all modern protected Wi-Fi networks. By exploiting it, an attacker can read sensitive information such as user credentials, passwords, credit card or bank account numbers, etc., from the traffic the victim sends over the Wi-Fi link.

The users most exposed at the moment are those who use public Wi-Fi networks (in restaurants, cafés, hotels, shopping centres, public transport, cultural and educational institutions, etc.), simply because a stranger is more likely to be within range there; open networks without a password carry no encryption at all, while password-protected ones are affected by this vulnerability. To exploit it, the attacker must be within radio range of the targeted device and its access point, so only users of networks within the attacker's physical reach can be affected; the attack cannot be carried out over the Internet.

Whenever a device joins a Wi-Fi network, the WPA2 "4-way handshake" is executed to negotiate a fresh encryption key for all subsequent traffic. The key is installed after message 3 of the handshake, and because that message may be lost, the access point retransmits it until it receives an acknowledgement; a client will therefore accept message 3 more than once. The key reinstallation attack (KRACK) abuses this: by blocking the acknowledgement and replaying message 3, the attacker makes the victim's device reinstall the key it is already using, which resets the packet number (nonce) and replay counter to their initial values. Encrypting new frames under a key and nonce that were already used repeats the keystream, so the attacker can decrypt the victim's traffic towards the access point and replay frames; where the network uses TKIP or GCMP, the attacker can also forge and inject frames, for example to push malware into a web page the victim loads or to forge DHCP and DNS responses that redirect users to malicious websites.
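The mechanism above, as an added example that is not part of the SRB-CERT notice or of the researchers' code: a minimal model of the client side of the handshake, run once as a vulnerable client that resets its packet number when message 3 is replayed and once as a patched client that keeps the already-installed key and nonce. CCMP's AES-CTR keystream is replaced by an HMAC-based stand-in (an assumption of the model, not the real cipher); what it preserves is the property KRACK relies on, that the same key and packet number always give the same keystream. The two frames and the secret cookie are constructed inputs.

```python
import hashlib
import hmac
import os


def keystream(tk, pn, length):
    """Stand-in for the per-packet keystream. Real CCMP runs AES in counter mode
    keyed by the temporal key and nonced by the packet number; this model uses
    HMAC-SHA256 instead of AES but keeps the property that matters here:
    same key + same packet number -> identical keystream."""
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(tk, pn.to_bytes(6, "big") + block.to_bytes(4, "big"),
                        hashlib.sha256).digest()
        block += 1
    return out[:length]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class Supplicant:
    """Client side of the 4-way handshake, reduced to the part KRACK exploits."""

    def __init__(self, patched):
        self.patched = patched
        self.tk = None   # installed temporal key (derived from the PTK)
        self.pn = 0      # transmit packet number, used as the CCMP nonce

    def on_message3(self, ptk):
        # Message 3 is retransmitted whenever the AP misses message 4, so a
        # client must accept it more than once. What it does on the repeat
        # is the whole vulnerability.
        if self.patched and self.tk == ptk:
            return "msg4"          # patched: acknowledge, keep key and nonce
        self.tk = ptk              # (re)install the key ...
        self.pn = 0                # ... and reset the nonce to zero
        return "msg4"

    def encrypt(self, plaintext):
        pn = self.pn
        self.pn += 1
        return pn, xor(plaintext, keystream(self.tk, pn, len(plaintext)))


def run_krack(patched):
    """Attacker sits between client and AP (rogue AP on another channel),
    blocks message 4 so the AP retransmits message 3, and watches the client
    encrypt two frames under the same packet number."""
    ptk = os.urandom(16)           # from messages 1-2; the attacker never learns it
    client = Supplicant(patched)
    client.on_message3(ptk)        # handshake completes normally

    # Constructed traffic: one frame the attacker can predict, one it wants.
    known = b"GET / HTTP/1.1\r\nHost: example.com\r\n"
    secret = b"Cookie: session=SECRET-VALUE-123\r\n"

    pn1, c1 = client.encrypt(known)
    client.on_message3(ptk)        # replayed message 3 arrives
    pn2, c2 = client.encrypt(secret)

    # With nonce reuse, c1 XOR c2 == known XOR secret, so the secret falls out.
    n = min(len(c1), len(c2))
    recovered = xor(xor(c1[:n], c2[:n]), known[:n])
    return {"nonce_reused": pn1 == pn2, "recovered": recovered, "secret": secret[:n]}


if __name__ == "__main__":
    for patched in (False, True):
        r = run_krack(patched)
        print("patched" if patched else "vulnerable",
              "| nonce reused:", r["nonce_reused"],
              "| secret recovered:", r["recovered"] == r["secret"])
```

The attacker never learns the key; it only needs the client to encrypt twice under the same nonce, which is why the fix is in the client's handling of the retransmitted message and not in the key derivation, and why changing the Wi-Fi password does nothing.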

SRB-CERT advises all users to update their Wi-Fi-enabled devices as soon as a software update is available. The flaw lies mainly in client implementations, so laptops, phones and other clients need the update, not only the access point, and changing the Wi-Fi password does not help. Until devices are updated, an additional layer of protection can be obtained by using a trusted VPN (Virtual Private Network) or by relying on protocols that encrypt at the application layer (HTTPS, Secure Shell, etc.).

Data sources:

https://www.krackattacks.com/

https://papers.mathyvanhoef.com/ccs2017.pdf

28. June 2017

Alert - Petya Ransomware Propagation

The National CERT of the Republic of Serbia (SRB-CERT) is informing and warning all computer users about the rapid spread of a new ransomware attack known as Petya.

This malware prevents the user from accessing and using the files on the computer. It is a serious global threat that has already affected computer systems in many countries.

The attack is very similar to the WannaCry attack, which caused significant damage worldwide in May this year.

Users are advised not to open e-mail messages and attachments from unknown senders. The same caution applies to unknown links and chat messages.

It is recommended to keep operating systems and antivirus software up to date and to back up all important data regularly, in order to minimise the damage caused by this type of attack.

Besides urgent patching, protection can be improved by disabling the SMBv1 protocol (Server Message Block, used for file sharing), by applying the update for CVE-2017-0199 (https://portal.msrc.microsoft.com/en-US/security-guidance) and by blocking remote WMI access. TCP ports 135 and 445 should be blocked wherever they are not needed, and PSEXEC.EXE, which the malware uses to spread across the network, can additionally be blocked.
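A way to verify from the network that the first of these steps has actually taken effect, as an added example that is not SRB-CERT's own tooling: the probe sends an SMB1 NEGOTIATE request offering only an SMB1 dialect. A host with SMBv1 disabled has nothing it can answer with and drops the connection, while a host that still speaks SMBv1 negotiates the dialect. The same exposure is what the WannaCry and EternalRocks worms described further down in this archive spread through, so the check serves those notices as well. The two sample replies are constructed for offline use, not captured from a real host.

```python
import socket
import struct

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB_COM_NEGOTIATE = 0x72


def build_smb1_negotiate(dialects=(b"NT LM 0.12",)):
    """NetBIOS-framed SMB1 NEGOTIATE offering only SMB1 dialects."""
    dialect_buf = b"".join(b"\x02" + d + b"\x00" for d in dialects)
    header = (SMB1_MAGIC + bytes([SMB_COM_NEGOTIATE])
              + b"\x00\x00\x00\x00"          # NT_STATUS
              + b"\x18"                      # Flags: canonical paths, case-insensitive
              + b"\x53\xc8"                  # Flags2 (0xc853 LE): unicode, NT status, long names
              + b"\x00\x00"                  # PIDHigh
              + b"\x00" * 8                  # SecurityFeatures
              + b"\x00\x00"                  # Reserved
              + b"\x00\x00" + b"\xff\xfe"    # TID, PIDLow
              + b"\x00\x00" + b"\x00\x00")   # UID, MID
    # WordCount = 0, ByteCount, then the dialect strings
    body = b"\x00" + struct.pack("<H", len(dialect_buf)) + dialect_buf
    msg = header + body
    return b"\x00" + len(msg).to_bytes(3, "big") + msg   # NetBIOS session message


def classify_response(data):
    """'smb1' if the server negotiated an SMB1 dialect, 'smb2' if it answered with
    an SMB2 header, 'none' for anything else (no, short or unrelated reply)."""
    if len(data) < 4 + 32 + 3:
        return "none"
    smb = data[4:]                            # strip the NetBIOS header
    if smb[:4] == SMB2_MAGIC:
        return "smb2"
    if smb[:4] != SMB1_MAGIC or smb[4] != SMB_COM_NEGOTIATE:
        return "none"
    word_count = smb[32]
    if word_count == 0:
        return "none"                         # error reply, no parameter words
    dialect_index = struct.unpack_from("<H", smb, 33)[0]
    return "smb1" if dialect_index != 0xFFFF else "none"


def probe_smbv1(host, port=445, timeout=3.0):
    """Connect to host:port, send the SMB1-only negotiate and classify the answer.
    'unreachable' covers refused, filtered and timed-out connections alike."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_smb1_negotiate())
            data = s.recv(4096)
    except OSError:
        return "unreachable"
    return classify_response(data)


# Constructed sample replies (not captured from a real host).
# SMB1: header with status 0, WordCount 17, DialectIndex 0 -> "NT LM 0.12" accepted.
SMB1_OK_REPLY = (b"\x00\x00\x00\x25" + SMB1_MAGIC + b"\x72" + b"\x00" * 27
                 + b"\x11" + b"\x00\x00" + b"\x00\x00")
# SMB2: a server that only speaks SMB2/3 answers with the \xfeSMB header.
SMB2_REPLY = b"\x00\x00\x00\x40" + SMB2_MAGIC + b"\x40\x00" + b"\x00" * 58


if __name__ == "__main__":
    import sys
    for host in sys.argv[1:]:
        print(host, probe_smbv1(host))
```

Run `probe_smbv1` against each host from another machine on the LAN; "smb1" means SMBv1 is still enabled, "unreachable" after the ports have been blocked is the expected result from outside the file-sharing segment. On the host itself, Windows 8.1 and 10 report the feature state with `Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol`, and servers with `Get-WindowsFeature FS-SMB1`.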

Users are also advised NOT to pay the requested ransom, since the attackers cannot restore data encrypted by Petya. This ransomware uses the following contact address: wowsmith12345@posteo.net.

Source: http://thehackernews.com/2017/06/petya-ransomware-attack.html

24. May 2017

The need for constant protection measures in the field of information security

The National CERT of the Republic of Serbia (SRB-CERT) is informing all computer and mobile device users of the need for constant protective measures in the field of information security and for caution when accessing unknown content on the Internet.

Information security threats are frequent; one of the currently active worms is "EternalRocks", which spreads over the SMB (Server Message Block) protocol. Unlike the "WannaCry" ransomware, this worm has no "kill switch" that could slow its spread. It uses seven NSA tools.

So far very few devices are infected with the "EternalRocks" worm, but this can change very quickly. As the purpose of the worm is still unknown, it is assumed that this is preparation for malicious activity in the future.

For more details, please see the CERT-EU document.

13. May 2017

Ransomware 'WannaCry' Propagation

The National CERT of the Republic of Serbia (SRB-CERT) is informing and warning all computer and mobile device users about the rapid spread of the ransomware attack known as "WannaCry". This malicious software (malware), which blocks access to the computer and the use of its data, is a global threat and has already caused huge damage to ICT systems in many countries.
Since this malware attacks Microsoft Windows systems, the National CERT recommends that all users apply the MS17-010 security update to their operating systems.
For more information please visit:  https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/?utm_source=t.co&utm_medium=referral
