Looking back at interesting incidents of CSIRT.CZ in the year 2014

Last year we noticed several interesting incidents and events that are certainly worth revisiting in this way. Incidentally, the number of incidents handled alone rose from 495 in 2013 to 939 last year, and these were often far from negligible events.

Probably the best-known incident of last year concerned the ROM-0 vulnerability in some TP-LINK routers and the fact that attackers began actively exploiting it in attacks on clients of banks in the Czech Republic. A lot has already been written about this vulnerability, so I will only mention that after successfully attacking a router, the attacker changed the DNS server settings in the router and thereby redirected the victim to his own versions of some popular search engines, where he then offered the victim a file with a supposed Flash Player update that in fact contained malware.
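As an added illustration (not part of the original post or of CSIRT.CZ tooling), a client-side heuristic for spotting the DNS-server change described above: it checks the resolvers the router hands out against an expected list and compares their answers for popular domains with a trusted resolver. The resolver ranges, domain names and addresses are constructed assumptions.

```python
from collections import Counter
from ipaddress import ip_address, ip_network

# Assumption (constructed): resolver ranges the ISP is expected to hand out
# via DHCP; anything else configured on the router is suspicious.
EXPECTED_RESOLVERS = [ip_network("192.0.2.0/24"), ip_network("9.9.9.9/32")]


def unexpected_resolvers(configured):
    """Return the configured DNS servers that lie outside EXPECTED_RESOLVERS."""
    return [r for r in configured
            if not any(ip_address(r) in net for net in EXPECTED_RESOLVERS)]


def hijacked_domains(router_answers, trusted_answers):
    """Compare A records obtained via the router's resolver with those from a
    trusted resolver. Returns the mismatching domains and a count of how many
    of them point at each address: a rogue resolver usually sends several
    unrelated popular sites to the same attacker host."""
    diffs = {d: router_answers[d] for d in trusted_answers
             if d in router_answers
             and set(router_answers[d]) != set(trusted_answers[d])}
    sinks = Counter(ip for addrs in diffs.values() for ip in addrs)
    return diffs, sinks


def assess(configured, router_answers, trusted_answers):
    """Combine both signals into a verdict: clean / review / hijack-likely."""
    bad = unexpected_resolvers(configured)
    diffs, sinks = hijacked_domains(router_answers, trusted_answers)
    shared = sorted(ip for ip, n in sinks.items() if n >= 2)
    if shared or (bad and diffs):
        verdict = "hijack-likely"
    elif bad or diffs:
        verdict = "review"  # e.g. CDN answers legitimately differ per resolver
    else:
        verdict = "clean"
    return {"verdict": verdict, "unexpected_resolvers": bad,
            "mismatches": diffs, "shared_sinks": shared}


# Constructed sample: the router now hands out 198.51.100.7, which answers
# three popular domains with a single attacker-controlled address.
ROUTER_DNS = ["198.51.100.7"]
ROUTER_ANSWERS = {"search.example": ["203.0.113.5"], "mail.example": ["203.0.113.5"],
                  "bank.example": ["203.0.113.5"], "cdn.example": ["192.0.2.44"]}
TRUSTED_ANSWERS = {"search.example": ["192.0.2.10"], "mail.example": ["192.0.2.20"],
                   "bank.example": ["192.0.2.30"], "cdn.example": ["192.0.2.44"]}

if __name__ == "__main__":
    print(assess(ROUTER_DNS, ROUTER_ANSWERS, TRUSTED_ANSWERS))
```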

Another action, more of a preventive one, again concerned routers. In this case it concerned Asus routers, when we found on the Pastebin server a list of those routers whose FTP access was misconfigured and thereby allowed access to an attached disk using only the default password. I distributed the information about the vulnerable routers, based on IP address, to the corresponding administrators.

Another finding is also connected with the Pastebin server: a list of 1,800 e-mail addresses of Czech users together with the password for each mailbox. In this case too, our team took care of distributing the information to the administrators of the e-mail services concerned.

Last year we also faced spam campaigns which, under various pretexts, distributed mainly banking Trojans. One of these campaigns misused the logo of the Czech Post; the most striking and, in our opinion, the most successful one informed the recipient of a supposed debt. It was interesting to watch the gradual increase of pressure across these campaigns: the first campaigns only informed about a possibly unpaid debt, whereas subsequent waves already called for settling the debt before distraint. In our estimation the worst impact was that of the first wave, when users were not yet aware that it could be a fraud. On the other hand, the malware it contained was not yet very sophisticated, which is why we were able to find out very quickly where in the system it hides and to offer users instructions for its removal. In this respect I would like to thank Microsoft, which gives our team free access to the MSDN database so that we can carry out these malware analyses.

Last year we also managed to bring to the media's attention the problem of recruiting so-called "white horses" (money mules), which was occurring in the Czech Republic. According to feedback from colleagues in the banking sector, this action had a good response, and users themselves started to report to their banks when someone asked them to carry out suspicious financial transactions.

Unfortunately, our country is not spared espionage campaigns either: whereas two years ago we dealt with the Red October spyware, this year, in cooperation with the government CSIRT, we handled an incident relating to attacks by an espionage group known as DragonFly.

A lot could be written about the incidents and preventive actions our team dealt with or carried out last year. That is why I tried to choose those which, in my opinion, also suggest possible trends for next year, or which will probably stay with us next year as well.
