The National CERT of the Republic of Serbia would like to inform and warn citizens of a multitude of current online phishing and ransomware campaigns, along with the existence of malicious applications for mobile devices. Besides the usual Internet-based campaigns targeting users' email addresses, some campaigns based on SMS messages or mobile phone calls have also been observed.
These messages or malicious applications usually contain information on COVID-19, but a certain number of messages with different content have also been detected, since users understandably switched to online and mobile communication during the state of emergency.
As part of preventive measures and actions, the National CERT urges all citizens to additionally verify the legitimacy of messages or calls requesting their personal data, such as user name and password, unique citizen identity number, current account number, credit card number including PIN and similar, so as to prevent the abuse of their accounts and personal data by malicious Internet users.
Microsoft has released an update to address a vulnerability in the Microsoft Server Message Block 3.1.1 (SMBv3) protocol.
This vulnerability affects Windows 10 (versions 1903 and 1909) as well as Windows Server (versions 1903 and 1909).
The National CERT recommends that users apply the available updates. For more details, please visit the link: CVE-2020-0796
The National CERT wishes to inform the public about the current phishing campaigns abusing COVID-19 virus (coronavirus) alerts.
The campaign is most frequently carried out in the form of email messages containing different types of information related to the COVID-19 virus.
In the email body text, the recipient is asked to enter user name and password, in order to supposedly access information on protection measures related to COVID-19.
In addition, the messages can also contain information on other current topics related to coronavirus, such as: infection maps, possible impact on the economy and similar.
The National CERT recommends that users not enter their credentials in response to such emails.
In mid-February 2020, the National CERT published a recommendation advising all users to perform the necessary regular monthly updates of their Microsoft OS. One of the critical points concerned the discovered Microsoft Exchange vulnerability (CVE-2020-0688). Based on the available data, the National CERT would like to inform the public about the current massive abuse of the above vulnerability and recommends that all users check whether they have updated their operating systems, i.e. applied the available patches on time, so as to prevent further abuse of the detected vulnerabilities.
With the aim of raising awareness of security risk prevention, current vulnerabilities and protection measures, the National CERT has published Recommendations on preventive protection against ransomware attack and Recommendations on ransomware attack recovery.
The Recommendations are intended for all types of users – citizens, businesses and government bodies, in light of current attacks on some of the municipal government units in the Republic of Serbia. The National CERT wants to warn about one of the most frequent malware attacks (ransomware), as well as to point out the preventive and defensive measures against this type of attack.
For more, please visit:
A new case of abuse of the WeTransfer website, which is used for free online data transfer up to 2GB, was detected yesterday. This phishing campaign uses the fraudulent ascmgpr[.]ir domain posing as the WeTransfer website.
Since the ascmgpr[.]ir domain is still active, Internet users are advised to be cautious and to pay attention to all emails that appear to be sent by WeTransfer. Since the malicious email looks different from the regular one, the National CERT advises all users to check, before opening it, whether the link for downloading the content is legitimate and whether or not it leads to the wetransfer.com domain. This can be done by placing the mouse over the Download link without clicking, which reveals the address the link redirects to (see picture below). If the domain is not wetransfer.com, the content is not safe for downloading.
It is also possible that the users receive similar messages from firstname.lastname@example.org e-mail address. Such e-mails should not be opened.
We inform the operators of ICT systems of special importance in the Republic of Serbia that they are obliged to register in the records of special importance ICT systems operators, in accordance with the provisions of the Law on Information Security ("Official Gazette of RS" Nos. 6/16, 94/17 and 77/19) and Rulebook on data contained in the Register of special importance ICT systems operators ("Official Gazette of RS" No. 9/20).
Entry deadline is May 12, 2020.
A very convincing phishing campaign is under way against clients of several banks doing business in the Republic of Serbia. The phishing email, seemingly sent on behalf of several banks and appearing to arrive from a legitimate domain, contains a notification on foreign exchange inflow and a malicious .pdf zip file attachment, which activates malicious code in the background. The malicious attachment is very sophisticated and has been recognized by only a few antivirus products. For more details, please visit:
Based on the available information, we notify the public that these emails are not being sent from the banks' servers.
The National CERT urges all bank clients who receive similar emails to delete them right away and under no circumstances to open the attachment.
This September, the Greenbone Networks organization published a report stating that, due to a discovered PACS server vulnerability, several million x-ray snapshots in 52 countries around the world were exposed, which could lead to an array of abuse. One of these countries was the Republic of Serbia.
After a 60-day period, this organization updated its report, saying that 11 countries from the September account (among which the Republic of Serbia; see Section 2.1 Good) undertook appropriate measures to prevent further leakage of their citizens' healthcare data.
For more details, please visit:
The National CERT warns all users about a new malicious campaign which spoofs urgent update emails from Microsoft to infect users' systems with the Cyborg ransomware. Fake notices are sent via email to users of the Windows 10 operating system, with either the subject line "Install Latest Microsoft Windows Update now!" or "Critical Microsoft Windows Update!"
The malicious email itself contains just one line of text which reads “Please install the latest critical update from Microsoft attached to this email”.
Once the user clicks on the email's attachment and the ransomware is activated, it encrypts all of the files on the infected user's system, locking all the files on the PC, while displaying a ransom message on the screen.
The National CERT informs all users that Microsoft forwards its update notices and information exclusively through its operating system and NEVER via email.
It is recommended by the National CERT that users who receive similar emails delete them right away. We remind all Internet users not to open any email attachments or links from unknown or untrusted sources.