In mid-December 2020, SolarWinds, a leading vendor of IT monitoring and management software, disclosed a highly sophisticated cyberattack that caused widespread public concern. It was a supply chain attack: updates to the SolarWinds Orion platform were trojanized, so the legitimate update channel itself distributed the malware, and every organization that installed the tampered updates handed the attackers backdoor access. Victims worldwide included the US Treasury, Commerce and Energy Departments, the US National Security Agency, the National Nuclear Security Administration and several State Department networks.
Suspecting a massive cyber-espionage operation financed by a foreign government, the US Cybersecurity and Infrastructure Security Agency (CISA) published Emergency Directive 21-01, "Mitigate SolarWinds Orion Code Compromise", with instructions for affected agencies.
SolarWinds estimates that up to 18,000 customers installed the trojanized updates.
SolarWinds published a Security Advisory: users of Orion Platform 2020.2 (with no hotfix) or 2020.2 HF 1 should urgently upgrade to Orion Platform 2020.2.1 HF 2, and users of Orion Platform 2019.4 HF 5 should urgently upgrade to Orion Platform 2019.4 HF 6.
What made the attack so hard to detect is that the malware arrived through the standard update mechanism: the trojanized builds were distributed from March 2020 and were identified by FireEye only in December. Microsoft, itself a user of the product, announced that it had found the malicious binaries in its environment and had isolated and removed them; it found no indication of access to production services or customer data, nor any evidence that its products had been used to spread the malware further.
Recovery is highly demanding and requires expert-level competence; more information is available here.
The National CERT wishes to inform all banking clients that a malicious phishing campaign is under way in the Republic of Serbia, targeting one of the banks operating in the country.
The phishing emails appear to be sent from the bank's legitimate domain, but actually carry malicious attachments posing as foreign exchange inflow notifications; opening the attachment runs malicious code in the background that is intended to infect the recipient's computer.
According to the available information, these emails are not being sent from the bank's servers. The bank has taken all necessary steps to block these messages from reaching its clients.
Past experience shows that such phishing campaigns are usually directed against several banks at once, so the National CERT recommends that all users be cautious and delete similar emails right away, without opening the attachment. Users are also advised to verify the status of any suspicious payment directly with their bank. Banks normally send their clients digitally signed notifications, so the identity of the sender can be verified even before the email is opened.
An example of a phishing message can be seen at the following link:
The National CERT is pleased to announce that it became authorized by the Carnegie Mellon University to use CERT Trademark in performing its activities.
CERT is a registered trademark of Carnegie Mellon University, protected since 1997. It provides visual, internationally recognizable identification and signals a high level of service quality.
In this way, the National CERT has officially joined the community of computer emergency response teams dedicated to continuous improvement of ICT systems security.
The Regulatory Agency for Electronic Communications and Postal Services, in its capacity of the National CERT of the Republic of Serbia, will mark this year's international Cybersecurity Month with a campaign entitled “Knowledge is power”.
Cybersecurity Month is observed throughout the world; in Europe it was first held in 2012 under the slogan "Cybersecurity is a shared responsibility", uniting European countries in their fight against cyber threats. Every year since, the campaign has promoted safer and more responsible online behaviour and offered trainings and seminars that prepare end users for ever-emerging challenges. In 2019, the year the Republic of Serbia joined, 525 activities were recorded in 36 countries.
This year's campaign, "Knowledge is power", kicks off with a workshop for media representatives, with presentations on current cyber news and events and advice on how to prevent the most frequent cyber attacks and threats.
A webinar for the small and medium-sized enterprises will provide information about legal regulations in the area of cyber security, current free tools and recommendations for a safe work and reduced business risk. The webinar is set to take place on October 15, 2020, whereas all interested parties can apply by email (firstname.lastname@example.org).
In order to raise awareness on the issue of cybersecurity, the National CERT regularly updates its website with news, notifications, recommendations, publications and brochures on best prevention measures and practices against security risks, including information about current cyber threats to citizens, companies and governmental bodies. Since the beginning of the COVID-19 pandemic, the National CERT's recommendations have been focused on how to safely work from home and maintain cybersecurity, with the following brochures being published: Safety recommendations for remote workers, VPN access for small and medium-sized enterprises, Abuse of COVID-19 pandemic in cyberspace, Social engineering, How to reduce the risk of receiving phishing emails (SPF, DMARC, DKIM), Compromised business emails – all of which can be found in the Publications segment of the website. In addition, a promotional video has been created, to be available soon on the same platform.
The National CERT invites you to follow the prepared content featuring as part of the „Knowledge is power“ campaign, as well as on social media.
The National CERT of the Republic of Serbia wishes to inform all users of the TeamViewer application that an update patching CVE-2020-13699 has been published (TeamViewer 15.8.3, with corresponding updates for versions 8 through 14). The vulnerability can be abused by attackers to capture the user's Windows credential hashes and go on to compromise the device.
The most worrying aspect is that the attack needs almost no victim interaction: it is enough to lure the user into visiting a malicious web page a single time.
TeamViewer is one of the most popular remote support applications; it lets users share their desktop or mobile screen, or take full remote control of a desktop or mobile device, from any location.
The National CERT recommends that users working from home keep all applications, antivirus software and operating systems up to date, and update their TeamViewer client as soon as possible.
More on this vulnerability is available at this link
The National CERT wishes to warn users of Microsoft Office 365 of a new phishing campaign in which attackers try to obtain the users' Office 365 account credentials.
The phishing message carries a fake notification that the recipient's Zoom account has been suspended, with a link that redirects to a counterfeit Microsoft login page. According to the latest research, similar messages have reached over 50,000 email addresses so far. Captured credentials give the attackers access to all the sensitive information stored in the compromised accounts.
More info is available at the following links:
With the pandemic still very much present and a great deal of work being done from home, numerous abuses of communication platforms have been observed, among them the popular Zoom application. For more, please follow the National CERT's link.
A phishing campaign is under way against clients of several banks doing business in the Republic of Serbia. The phishing emails appear to be sent from the banks' legitimate domains and carry attachments posing as foreign exchange inflow notifications that run malicious code in the background.
Based on the available information, we notify the public that these emails are not being sent from the banks' servers. The banks have taken all necessary steps to block these messages from reaching their clients.
The National CERT recommends that all bank clients who receive similar emails delete them right away and under no circumstances open the attachment.
Below are some of the latest examples of the phishing messages:
The National CERT of the Republic of Serbia informs citizens and companies that a phishing campaign abusing the Covid-19 pandemic and targeting public institutions and companies is under way. An email sent from the address email@example.com contains a fake notification from the Institute of Public Health of Serbia "Dr Milan Jovanović Batut" about free distribution of protective gear to all registered recipients, with an attachment named "preventive gear application form.pdf.zip" (a ZIP archive disguised as a PDF by its double extension). The fake registration asks the recipient to fill in the attached form and return it by the end of the working day; this false urgency is the lure, and opening the archive starts the download of the LokiBot malware. More on this malware can be found here
The National CERT advises all citizens and companies who receive such notification not to open the attachment contained in the email and report the phishing attempt to firstname.lastname@example.org
Here you can find a warning issued by the Department of prevention of high tech crime, of the Ministry of Interior.
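Added example, not code from the National CERT or any bank: a receiving-side triage of the pattern common to both bank campaigns above (a From domain that looks legitimate, an attachment posing as a foreign exchange inflow notice) and to the Covid-19 lure (a .pdf.zip archive). It reads the Authentication-Results header that the receiving mail server writes, checks whether the visible From domain is backed by an aligned SPF or DKIM pass (the SPF, DKIM and DMARC mechanisms the brochures mentioned elsewhere on this page cover), and flags attachments whose names are built to look like documents. The two messages, the placeholder domains bank.example and bulk.example.net, and the address 203.0.113.7 are constructed for the example; the alignment check approximates DMARC's relaxed mode without consulting the Public Suffix List.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample, not an artefact of any real campaign: the From header claims
# the bank's domain (placeholder "bank.example"), but the receiving MTA's
# Authentication-Results show SPF failing for an unrelated envelope sender, a DKIM
# signature belonging to that unrelated domain, and a ZIP disguised as a PDF.
SPOOFED_RAW = """\
Authentication-Results: mx.bank.example;
 spf=fail (sender IP is 203.0.113.7) smtp.mailfrom=notify@bulk.example.net;
 dkim=pass header.d=bulk.example.net;
 dmarc=fail action=quarantine header.from=bank.example
From: "Bank Payments" <payments@bank.example>
Subject: Foreign exchange inflow notification
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/zip
Content-Disposition: attachment; filename="fx inflow statement.pdf.zip"

--b1--
"""

# Constructed counterpart: SPF and DKIM both pass for the bank's own (sub)domain.
LEGIT_RAW = """\
Authentication-Results: mx.bank.example;
 spf=pass smtp.mailfrom=payments@mail.bank.example;
 dkim=pass header.d=bank.example; dmarc=pass header.from=bank.example
From: "Bank Payments" <payments@bank.example>
Subject: Foreign exchange inflow notification

Your statement is available after logging in to e-banking.
"""

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")
MAILFROM_RE = re.compile(r"smtp\.mailfrom=([^\s;]+)", re.I)
DKIM_D_RE = re.compile(r"header\.d=([^\s;]+)", re.I)
ARCHIVE = {"zip", "rar", "7z", "ace", "gz", "iso", "img"}
EXECUTABLE = {"exe", "scr", "js", "jse", "vbs", "bat", "cmd", "lnk", "hta", "ps1", "jar"}
DECOY = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}


def _domain(s: str) -> str:
    """'user@host' or 'host' -> lower-case bare domain."""
    return s.rsplit("@", 1)[-1].strip().rstrip(".").lower()


def aligned(auth_domain: str, from_domain: str) -> bool:
    """Relaxed DMARC-style alignment, approximated: equal domains or one a subdomain
    of the other. Real DMARC compares organisational domains via the Public Suffix
    List; skipping that is a simplification of this example."""
    a, f = _domain(auth_domain), _domain(from_domain)
    return bool(a) and bool(f) and (a == f or a.endswith("." + f) or f.endswith("." + a))


def parse_auth_results(value: str) -> dict:
    """Extract method results and authenticated identifiers from an RFC 8601 header."""
    out = {"spf": None, "dkim": None, "dmarc": None, "spf_domain": "", "dkim_domain": ""}
    for method, result in AUTH_RE.findall(value.lower()):
        out[method] = result
    if m := MAILFROM_RE.search(value):
        out["spf_domain"] = _domain(m.group(1))
    if m := DKIM_D_RE.search(value):
        out["dkim_domain"] = _domain(m.group(1))
    return out


def sender_verdict(msg) -> dict:
    """Is the domain the client sees in From backed by an aligned SPF or DKIM pass?"""
    from_domain = _domain(parseaddr(str(msg["From"] or ""))[1])
    auth = parse_auth_results(str(msg.get("Authentication-Results", "")))
    spf_ok = auth["spf"] == "pass" and aligned(auth["spf_domain"], from_domain)
    dkim_ok = auth["dkim"] == "pass" and aligned(auth["dkim_domain"], from_domain)
    return {"from_domain": from_domain, "authenticated": spf_ok or dkim_ok, **auth}


def attachment_findings(msg) -> list:
    """Flag attachment names built to look like documents (e.g. report.pdf.zip)."""
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        exts = name.split(".")[1:]
        if not exts:
            continue
        last = exts[-1]
        if len(exts) >= 2 and exts[-2] in DECOY and last in ARCHIVE | EXECUTABLE:
            findings.append((name, f"document-looking name with .{last} payload"))
        elif last in EXECUTABLE or last in ARCHIVE:
            findings.append((name, f".{last} attachment"))
    return findings


def triage(raw: str) -> dict:
    """Combine sender authentication and attachment heuristics into one action."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender = sender_verdict(msg)
    attachments = attachment_findings(msg)
    spoofed = not sender["authenticated"]  # the visible From is not proven by SPF/DKIM
    return {"sender": sender, "attachments": attachments, "spoofed_from": spoofed,
            "action": "quarantine" if spoofed or attachments else "deliver"}


if __name__ == "__main__":
    for raw in (SPOOFED_RAW, LEGIT_RAW):
        print(triage(raw))
```

The header this reads is only trustworthy when it was written by your own mail server, since a sender can forge an Authentication-Results line of their own; a real gateway strips or renames foreign copies before evaluating it. The attachment heuristics are deliberately narrow and meant to steer triage, not to replace scanning the archive contents.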
The National CERT of the Republic of Serbia would like to inform all users that mass registration of fake domains purporting to belong to the Zoom platform has been detected. Over 1,700 new Zoom-related domains have been registered since the start of the coronavirus pandemic, 25% of them within the last seven days.
Zoom has become hugely popular as a communication platform during the pandemic, with a great deal of work being done from home. Many educational institutions, companies and government bodies use the platform, which has around 13 million active users.
The National CERT recommends downloading the Zoom client directly from the zoom.us website and examining any meeting invitation link carefully before following it. Zoom's own representatives advise against using a "personal meeting" for meetings with many participants, since this opens the door to abuse of personal meeting IDs and personal links, and lets anyone holding the link join at any moment. Pay special attention to the meeting security settings: require a meeting passcode and share it with care.
For more, please click here
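Added example, not a Zoom or National CERT tool, applying the advice above on examining invitation links: it accepts only https links whose host is zoom.us or one of its subdomains on a label boundary, extracts the meeting ID and whether a passcode is embedded, and explains why look-alike hosts, userinfo tricks and punycode labels are rejected. The sample links and the evil.example hosts are constructed; the 9-to-11-digit meeting ID pattern is an assumption of the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Only zoom.us and its subdomains (for example us02web.zoom.us) are trusted,
# as the page recommends; every other registrable name is treated as untrusted.
TRUSTED_DOMAINS = ("zoom.us",)
# Zoom meeting IDs are numeric, typically 9 to 11 digits (assumption of this example).
MEETING_PATH = re.compile(r"^/j/(\d{9,11})/?$")

# Constructed sample links, not taken from any real invitation or campaign.
SAMPLE_LINKS = [
    "https://us02web.zoom.us/j/1234567890?pwd=S3cr3t",
    "https://zoom.us/j/1234567890",
    "http://zoom.us/j/1234567890",
    "https://zoom.us.evil.example/j/1234567890",
    "https://zoom.us@evil.example/j/1234567890",
    "https://z00m-us.example/j/1234567890",
    "https://xn--zm-xyz.example/j/1234567890",
]


def host_is_trusted(host: str) -> bool:
    """True only for zoom.us itself or a subdomain of it on a label boundary,
    so fakezoom.us and zoom.us.evil.example are both rejected."""
    host = host.rstrip(".").lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def classify_invite(url: str) -> dict:
    """Return the real host, meeting ID, whether a passcode is embedded, and a
    verdict ('ok' or 'suspicious') together with the reasons behind it."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").rstrip(".").lower()
    reasons = []
    if parts.scheme != "https":
        reasons.append(f"scheme '{parts.scheme or '(none)'}' instead of https")
    if parts.username is not None or parts.password is not None:
        # https://zoom.us@evil.example/ shows zoom.us first but connects to evil.example
        reasons.append("userinfo before '@' hides the real host")
    if not host:
        reasons.append("no host in link")
    elif not host_is_trusted(host):
        reasons.append(f"host '{host}' is not zoom.us or one of its subdomains")
        if "zoom" in host.replace("-", "").replace("0", "o"):
            reasons.append("look-alike: uses the Zoom name under another registrable domain")
        if any(label.startswith("xn--") for label in host.split(".")):
            reasons.append("internationalised (punycode) label, possible homoglyph")
    m = MEETING_PATH.match(parts.path)
    return {
        "url": url,
        "host": host,
        "meeting_id": m.group(1) if m else None,
        "passcode_in_link": "pwd" in parse_qs(parts.query),
        "verdict": "ok" if not reasons else "suspicious",
        "reasons": reasons,
    }


def triage_links(urls) -> list:
    """Classify each link, suspicious ones first so they are looked at first."""
    results = [classify_invite(u) for u in urls]
    return sorted(results, key=lambda r: r["verdict"] != "suspicious")


if __name__ == "__main__":
    for r in triage_links(SAMPLE_LINKS):
        print(r["verdict"].upper(), r["url"], "; ".join(r["reasons"]))
```

The suffix test is deliberately written as `host == d or host.endswith("." + d)` rather than a plain substring match: `"zoom.us" in host` would accept both fakezoom.us and zoom.us.evil.example, which is exactly the trick the fake registrations rely on. A link that passes these checks still only proves where it points, not who sent the invitation.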
At the beginning of March 2020, the National CERT warned all users about the PwndLocker ransomware, which had disrupted, among other targets, the operations of some municipal administrations on the territory of the Republic of Serbia. Analysis showed that PwndLocker contained a flaw that allowed all encrypted data to be recovered without paying the ransom.
The National CERT would therefore like to inform all citizens, businesses and government entities that a new ransomware named ProLock has appeared; it is an improved version of PwndLocker. ProLock no longer contains that flaw, and if it is successfully deployed inside an information system it can cause considerable damage to the infected environment.
The global emergency caused by the spread of COVID-19 has increased online activity and remote work worldwide, and the many RDP services exposed to the internet as a result are suspected to be the main points of entry for this type of attack.
The National CERT recommends that all users apply the strengthened prevention and protection measures published on March 4, 2020, and begin recovery steps immediately if they are targeted. Keep backup copies of all important data so that the damage from a successful attack is kept to a minimum.