The National CERT wishes to warn the users of Microsoft Office 365 of a possible new phishing campaign where attackers try to get hold of the users’ Office 365 account login credentials.
The phishing message features a fake notification about the Zoom communication platform account being taken down, with a link redirecting the user to a fake Microsoft login page. Based on the latest research, similar phishing messages appear to have reached over 50,000 email addresses so far. Taking over the credentials enables the attackers to access and abuse all the sensitive information stored in these accounts.
More info is available at the following links:
So far, with the pandemic still increasingly present and a great deal of work being done from home, numerous abuses of communications platforms have been observed, among them the popular Zoom application. For more, please follow the National CERT’s link.
A phishing campaign is under way against clients of several banks doing business in the Republic of Serbia. The phishing emails appear to be sent out from legitimate domains and contain attachments on foreign exchange inflow activating a malicious code in the background.
Based on the available information, we notify the public that these emails are not being sent from the banks' servers. The banks have undertaken all necessary activities in order to block these messages from reaching the clients.
The National CERT recommends that all bank clients who receive similar emails delete them right away and not open the attachment under any circumstances.
Below are some of the latest examples of the phishing messages:
The National CERT of the Republic of Serbia informs citizens and companies that a phishing campaign abusing the Covid-19 pandemic and targeting public institutions and companies is under way. An email sent from the address email@example.com contains a fake notification from the Institute of Public Health of Serbia „Dr Milan Jovanović Batut“ about free distribution of protective gear to all registered individuals, and an attachment titled „preventive gear application form.pdf.zip“. This fake registration requires the attached application form to be filled in and sent by the end of working hours, thus abusing the emergency procedure and starting the download of malicious software, the LokiBot malware. More on this malware can be found here.
The National CERT advises all citizens and companies who receive such a notification not to open the attachment contained in the email and to report the phishing attempt to firstname.lastname@example.org.
Here you can find a warning issued by the Department of prevention of high tech crime, of the Ministry of Interior.
The National CERT of the Republic of Serbia would like to inform all users that a massive registration of fake domains supposedly belonging to the Zoom platform has been detected. Over 1700 new domains linked to this platform were registered during the ongoing coronavirus pandemic, whereas 25% of the total number were recorded within the last seven days.
The Zoom platform became increasingly popular as a communication platform in the conditions of the current pandemic, when a great deal of work is being done from home. Many educational institutions, companies and government bodies are using this platform which has around 13 million active users.
The National CERT recommends that the Zoom platform be downloaded directly from the zoom.us website. The received invitation link to a meeting should be additionally examined in detail. Representatives of Zoom recommend avoiding options such as „personal meeting” with more users, since this opens an opportunity for abuse of personal meeting IDs and personal links, as well as joining the meeting at any moment. Special attention is advised for the meeting security settings, the necessity to create a meeting participation password and the sharing thereof with care.
For more, please click here
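One way to examine an invitation or download link before opening it, as an added example that is not part of the National CERT's advisory: it accepts only HTTPS links whose host is zoom.us or a subdomain of it and reports why anything else is rejected. Treating subdomains of zoom.us as legitimate is an assumption, and the sample URLs are constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: only zoom.us (the site named in the advisory) and its
# subdomains are treated as legitimate.
TRUSTED_DOMAIN = "zoom.us"

def check_zoom_link(url):
    """Return (trusted, reason) for a meeting invitation or download link."""
    try:
        parts = urlsplit(url.strip())
        host = parts.hostname  # lowercased, without userinfo and port
    except ValueError:
        return False, "malformed URL"
    if parts.scheme != "https":
        return False, "not an https link"
    if not host:
        return False, "no host in URL"
    if parts.username or parts.password:
        return False, "text before '@' can hide the real host"
    host = host.rstrip(".")
    if not host.isascii():
        return False, "non-ASCII host (possible look-alike characters)"
    if any(label.startswith("xn--") for label in host.split(".")):
        return False, "punycode host (possible look-alike characters)"
    if host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN):
        return True, "host is zoom.us or a subdomain of it"
    if "zoom" in host:
        return False, "look-alike: 'zoom' in a host outside zoom.us"
    return False, "host is not zoom.us"

# Constructed sample links (not taken from any real campaign).
SAMPLES = [
    "https://us02web.zoom.us/j/1234567890",
    "https://zoom.us/download",
    "https://zoom.us.meeting-join.example/j/1234567890",
    "https://zoom.us@login.example/j/1234567890",
    "https://zoom-us.example/download",
    "http://zoom.us/j/1234567890",
]

if __name__ == "__main__":
    for link in SAMPLES:
        trusted, reason = check_zoom_link(link)
        print(("OK      " if trusted else "SUSPECT ") + link + " -> " + reason)
```
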
At the beginning of March 2020, the National CERT warned all users of the current ransomware attack named PwndLocker, targeting, among others, the operation of some of the municipal administrations on the territory of the Republic of Serbia. The analysis revealed that PwndLocker contains a vulnerability that can be used to unlock all data that has been locked.
The National CERT would therefore like to inform all citizens, businesses and government entities that a new type of ransomware has been created under the name ProLock, which is an improved version of PwndLocker. ProLock does not contain the above vulnerability and, if successfully distributed within information systems or computers, it can cause considerable damage in the infected environment.
The global emergency caused by the spread of COVID-19 has led to increased online activity worldwide, and many open RDP ports are suspected to be points of entry for this type of attack.
The National CERT recommends that all users apply enhanced existing measures of prevention and protection published on March 4, 2020 to protect their systems or initiate recovery steps if targeted. It is advised to create backup copies of all important data, to minimize damage in case of a successful attack.
The National CERT of the Republic of Serbia would like to inform and warn the citizens of a multitude of current online phishing and ransomware campaigns along with the existence of malicious applications for mobile devices. Besides the usual Internet-based campaigns targeting email addresses of the users, some SMS or mobile phone call based campaigns have also been observed.
These messages or malicious applications usually contain information on COVID-19, but a certain number of messages with different content have also been detected, since the users understandably switched to online and mobile communication during the state of emergency.
As part of preventive measures and actions, the National CERT urges all citizens to additionally verify the legitimacy of messages or calls requiring their personal data such as: user name and password, unique citizens identity number, current account number, credit card number including PIN and similar, so as to prevent the abuse of their accounts and personal data by the malicious Internet users.
Microsoft has released an update to address a vulnerability in the Microsoft Server Message Block 3.1.1 (SMBv3) protocol.
This vulnerability affects Windows 10 (versions 1903 and 1909) as well as Windows Server (versions 1903 and 1909).
The National CERT recommends that users apply the available updates. For more details, please visit the link: CVE-2020-0796
The National CERT wishes to inform the public on the current phishing campaigns abusing COVID-19 virus (coronavirus) alerts.
The campaign is most frequently being realized in the form of email messages containing different types of information related to COVID-19 virus.
In the email body text, the recipient is asked to enter user name and password, in order to supposedly access information on protection measures related to COVID-19.
In addition, the messages can also contain information on other current topics related to coronavirus, such as: infection maps, possible impact on the economy and similar.
The National CERT recommends that users not enter their credentials in case of such emails.
In mid-February 2020, the National CERT published a recommendation advising all users to perform necessary regular monthly updates of their Microsoft OS. One of the critical points was about the discovered Microsoft Exchange vulnerability (CVE-2020-0688). Based on the available data, the National CERT would like to inform the public about the current massive abuse of the above vulnerability and recommend that all users check whether they have updated their operating systems, i.e. applied the available patches on time, so as to prevent further abuse of the detected vulnerabilities.
With the aim of raising awareness of security risk prevention, current vulnerabilities and protection measures, the National CERT has published Recommendations on preventive protection against ransomware attack and Recommendations on ransomware attack recovery.
The Recommendations are intended for all types of users – citizens, businesses and government bodies, in light of current attacks on some of the municipal government units in the Republic of Serbia. The National CERT wants to warn about one of the most frequent malware attacks (ransomware), as well as to point out the preventive and defensive measures against this type of attack.
For more, please visit: