Notifications

3. December 2018

Mandatory Registration of Company e-mail Addresses

The amendments to the Serbian Company Law adopted in June 2018 set down the obligation of all companies registered in the Republic of Serbia to register their e-mail addresses. The provisions of the Law related to the obligation of newly founded companies to register their business e-mail address came into force on 1 October 2019, while the deadline for the existing companies is 1 October 2019.

10. October 2018

A Root Key Signing Key (KSK) Rollover Announced by ICANN

On October 11, 2018, at 16:00 UTC, the Internet Corporation for Assigned Names and Numbers (ICANN) will be performing a root Key Signing Key (KSK) rollover for the first time.

ICANN is the world's leading Internet governing organization, responsible for the Internet's global Domain Name System (DNS), including policy development for internationalization of the DNS. The DNS resolves domain and computer names to IP addresses, and DNSSEC is the DNS Security Extension, which prevents user redirection to websites containing malware.

Rolling the KSK means generating a new cryptographic public and private key pair and distributing the new public component to parties who operate validating resolvers.

More information about how to prepare for the root zone KSK rollover can be found at:

https://www.icann.org/resources/pages/ksk-rollover

1. October 2018

Facebook Vulnerability Impacted 50 Million Accounts

On 25.09.2018 Facebook's engineering team discovered a vulnerability in Facebook's code that impacted the "View As" feature, which lets people see what their own profile looks like to someone else. This vulnerability allowed attackers to steal Facebook access tokens and take over users' accounts. The security issue affected almost 50 million accounts.

Facebook stated that it had fixed the vulnerability and informed law enforcement.

Facebook has reset the access tokens of the 50 million affected accounts to protect their security, and of another 40 million accounts that have been subject to a “View As” look-up in the last year. As a result, around 90 million people will now have to log back into Facebook, or any of their apps that use Facebook Login. After they have logged back in, people will get a notification at the top of their News Feed explaining what happened.

Facebook temporarily turned off the "View As" feature while they conduct a thorough security review.

Facebook stated that there was no need for anyone to change their password. Additionally, if anyone wants to take the precautionary action of logging out of Facebook, they should visit the "Security and Login" section in Settings. It lists the places people are logged into Facebook, including a one-click option to log out of them all.

Source: https://newsroom.fb.com/news/2018/09/security-update/

Additional info:

https://www.facebook.com/help/securitynotice?ref=sec%3Futm

https://www.facebook.com/help/www/105487009541643?helpref=faq_content

9. July 2018

Rakhni Trojan - Multifunctional Malicious Software

Kaspersky Lab has detected a new type of malicious software called Rakhni Trojan (Trojan-Ransom.Win32.Rakhni). This type of malicious software has multifunctional abilities. It can be run as ransomware, crypto-miner or net-worm depending on the attacker's decision. Initially, it runs content checks on the victim's PC, after which the attacker triggers one of the three possible options.

This type of malicious software emerges on the territory of Russia and spreads further via spam and phishing campaigns. The campaigns use e-mails with fake corporate financial documents. Once they have opened the e-mail, users get instructions on how to open the attached PDF file. By clicking on the PDF, the victim launches an executable file written in Delphi which uses a fake Adobe Systems Incorporated digital signature.

If an attacker decides to launch the ransomware option, the user will receive a MESSAGE.txt file with the ransom request (please visit decryption tools).

If an attacker decides to start the crypto-mining option, a VBS script will start mining Monero and Dashcoin cryptocurrency.

If the previous two options are not suitable, the attacker may decide to run the net-worm option, which allows the Trojan to copy itself to all computers on the local network.

For more details please visit: threatpost.com

4. May 2018

Twitter urging all 330 million users to change password

The National CERT of the Republic of Serbia (SRB-CERT) is informing and warning all Twitter users to change their passwords after a bug exposed them in plain text. Otherwise, your account can be misused. Apparently, passwords were being saved in plain text instead of being masked by the hashing process. Twitter claims that they have found the bug and removed all passwords immediately. There is no official statement regarding how many passwords were exposed before they found and fixed this issue.
National CERT recommends that all Twitter users change their passwords in order to avoid any kind of misuse of their accounts.

For more details, please visit https://www.theverge.com/2018/5/3/17316684/twitter-password-bug-security-flaw-exposed-change-now.

11. December 2017

Spider Ransomware Propagation

The National CERT of the Republic of Serbia (SRB-CERT) is informing and warning all computer and mobile device users about the propagation of the new ransomware named Spider.

The Spider malware was detected on December 10, 2017, and it is assumed it belongs to the "File-Spider" type. This type of malware encrypts all files stored on the computer or mobile device so that they cannot be opened. It prevents the user from using the computer or accessing certain files unless they pay a ransom and thus buy the decryption keys.

The malware comes from the e-mail address office@adriadoo.com. All messages received so far were written in Serbian and titled "Debt Claim – ХХХХХХХ" ("Potraživanje dugovanja – ХХХХХХХ" in Serbian), and signed by a fictitious debt collector, Ivan Azeljković. The message text indicates the enforcement of a specific Belgrade Basic Court decision, providing the account number for paying the prescribed amount. It also explains that, since the given information is private, the attached Microsoft Word file had to be created. The receiver is finally instructed to click on "Enable Editing" and then on "Enable Content" on the ribbon.

Information about this type of malware can be found on social networks, pointing to the Balkan region, which is correct, since the same attacks have been executed in the Republic of Srpska and Bosnia and Herzegovina.

SRB-CERT advises all users not to open the attachment from the said e-mail and to create backup copies of all important computer and mobile device files on a regular basis.

If the computer has already been infected, the recommended procedure is as follows:

  • remove the infected device from the network,
  • inform the National CERT of the Republic of Serbia about the incident, via e-mail address info@cert.rs,
  • DO NOT pay a ransom, since there is no guarantee that you will receive the decryption keys and be able to restore the infected files.

12. October 2017

WPA2 Protocol Vulnerability

The National CERT of the Republic of Serbia (SRB-CERT) is informing and warning all computer and mobile device users about the detected vulnerability of the WPA2 protocol (Wi-Fi Protected Access II).

The research work of the IMEC-DistriNet Research Group enabled the detection of a major vulnerability in the WPA2 protocol which secures all protected Wi-Fi networks. By exploiting this vulnerability, the attackers can steal sensitive information like user credentials, passwords, credit card or bank account numbers, etc.

At the moment, users who access the Internet via either protected or unprotected public Wi-Fi networks (in restaurants, cafes, hotels, shopping malls, public transportation, cultural and educational institutions, etc.) are most likely to be exposed to attacks. In order to be able to exploit the WPA2 protocol vulnerabilities, the attacker must be in the immediate vicinity of the targeted access point. Hence, only the users connected to the same access point as the attacker can be affected.

Whenever someone joins a Wi-Fi network, a "4-way handshake" of the WPA2 protocol is executed to produce a fresh encryption key for all subsequent Wi-Fi network traffic. To guarantee security, a key should be installed and used only once. But, by using the key reinstallation attack (KRACK), the attacker can trick the victim's device into reinstalling an already-in-use key, allowing him to steal sensitive information or even inject malware into a website, depending on the network configuration. Additionally, the attacker can modify the DHCP (Dynamic Host Configuration Protocol) settings and thus enable DNS misuse in order to direct users to malicious websites.
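The effect of reinstalling a key that is already in use can be seen in a small model. This is an added example, not code from the original notification or from the researchers; the hash-based keystream is a toy stand-in for WPA2's real cipher, and the class names, key and frames are constructed for illustration. It contrasts a client that resets its packet number whenever handshake message 3 arrives with a patched client that ignores a repeated key.

```python
import hashlib

def keystream(key: bytes, pn: int, n: int) -> bytes:
    # Toy stand-in for counter-mode encryption: output depends only on (key, packet number).
    out, block = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + pn.to_bytes(6, "big") + block.to_bytes(2, "big")).digest()
        block += 1
    return out[:n]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class VulnerableClient:
    """Installs the key every time message 3 arrives and resets the packet number."""
    def __init__(self):
        self.key, self.pn = None, 0

    def on_message3(self, key: bytes) -> None:
        self.key = key
        self.pn = 0  # nonce restarts on every (re)installation

    def send(self, plaintext: bytes):
        self.pn += 1
        return self.pn, xor(plaintext, keystream(self.key, self.pn, len(plaintext)))

class PatchedClient(VulnerableClient):
    """Ignores a retransmitted message 3 carrying the key that is already in use."""
    def on_message3(self, key: bytes) -> None:
        if key == self.key:
            return  # same key: keep the current packet number
        super().on_message3(key)

def replay_scenario(client):
    key = bytes(range(16))  # constructed session key
    p1, p2 = b"GET /login HTTP/1.1", b"user=alice&pw=demo!"  # constructed frames
    client.on_message3(key)
    pn1, c1 = client.send(p1)
    client.on_message3(key)  # message 3 is received a second time
    pn2, c2 = client.send(p2)
    # If (key, pn) repeats, the keystream cancels out: c1 XOR c2 equals p1 XOR p2.
    return pn1 == pn2, xor(c1, c2) == xor(p1, p2)

if __name__ == "__main__":
    print("vulnerable:", replay_scenario(VulnerableClient()))
    print("patched:   ", replay_scenario(PatchedClient()))
```

The first value in each result tells whether a packet number was used twice under the same key, the second whether the two ciphertexts leak the XOR of their plaintexts; both are true only for the unpatched client.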

SRB-CERT advises all users to update their Wi-Fi-enabled devices as soon as a software update is made available. An alternative solution for providing an additional protection level would be to use a secure VPN (Virtual Private Network) or other protected Internet protocols (HTTPS, Secure Shell, etc.).

Data sources:

https://www.krackattacks.com/

https://papers.mathyvanhoef.com/ccs2017.pdf

28. June 2017

Alert - Petya Ransomware Propagation

The National CERT of the Republic of Serbia (SRB-CERT) is informing and warning all computer users about the fast propagation of the new ransomware attack named Petya.

This type of malware prevents the user from accessing and using computer files. It is a serious global threat which has already affected computer systems in many countries.

The attack is very similar to the WannaCry virus attack, which caused significant damage throughout the world in May this year.

Users are advised not to open e-mail messages and attachments received from unknown senders. These precautionary measures apply to unknown links and chat messages as well.

It is recommended to update operating systems and antivirus software on a regular basis and create backups of all important computer data, in order to minimize harmful effects caused by this type of attack.

Besides urgent upgrading, protection can be accomplished by disabling the SMBv1 protocol (Server Message Block) for data sharing, by applying the patch for CVE-2017-0199 (https://portal.msrc.microsoft.com/en-US/security-guidance) and by blocking the WMI remote access possibility. In order to close the 135 and 445 (TCP) ports, PSEXEC.EXE can be additionally blocked.

Users are also advised NOT TO pay the requested ransom amount since the attackers are unable to retrieve data exposed to the Petya virus. This ransomware uses the following contact address: wowsmith12345@posteo.net.

(http://thehackernews.com/2017/06/petya-ransomware-attack.html)

24. May 2017

The need for constant protection measures in the field of information security

The National CERT of the Republic of Serbia (SRB-CERT) is informing all computer and mobile device users that there is a need for constant protection measures in the field of information security and for caution when accessing unknown content on the Internet.

Information security threats are frequent, and one of the active worms is "EternalRocks", which is spreading via the SMB (Server Message Block) protocol. Unlike the "WannaCry" ransomware, this worm does not have the "kill switch" function that can slow down the spread. It uses 7 NSA tools.

There are very few devices infected with the "EternalRocks" worm, but the situation can change very quickly. As the purpose of this worm remains unknown, we assume that these are preparations for starting malicious activities in the future.

For more details please visit the CERT-EU document.

13. May 2017

Ransomware 'WannaCry' Propagation

The National CERT of the Republic of Serbia (SRB-CERT) is informing and warning all computer and mobile device users about the fast propagation of the ransomware attack named "WannaCry". This malicious software (malware), which disables computer access and use of data, is a global threat and has already caused huge damage in many countries and their ICT systems.
Since this malware attacks Microsoft Windows systems, the National CERT recommends that all users update their operating systems with the MS17-010 security update.
For more information please visit: https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/?utm_source=t.co&utm_medium=referral
