
CURRENT ACTIVITIES

Drinik Android malware targeting Indian banking users, masquerades as Income Tax refund
(September 21, 2021)
It has been observed that Indian banking customers are being targeted by a new type of mobile banking campaign using the Drinik Android malware.
[More >>]
Activities related to OnePercent Group ransomware attacking enterprises through the IcedID banking Trojan
(September 01, 2021)
It has been reported that a ransomware operator dubbed the OnePercent Group has been attacking enterprise networks using the Cobalt Strike post-exploitation toolkit and remote PowerShell commands.
[More >>]
Phishing websites hosted on NGROK platform, targeting Indian banking customers
(August 10, 2021)
It has been observed that Indian banking customers are being targeted by a new type of phishing attack using the ngrok platform. The malicious actors have abused ngrok to host phishing websites impersonating the internet banking portals of Indian banks. Using these phishing websites, the malicious actors collect sensitive customer information such as internet banking credentials, mobile numbers and One Time Passwords (OTPs) in order to perform fraudulent transactions.
[More >>]
Ransomware targeting vulnerable SonicWall devices
(July 20, 2021)
It has been reported that there is an imminent ransomware threat targeting unpatched, end-of-life SonicWall SRA and SMA 8.x remote access devices.
[More >>]
Fake COVID vaccine registration App
(May 08, 2021) (Updated : June 17, 2021)
It has been reported that a fake SMS message is in circulation that falsely claims to offer an app that lets users register for the COVID-19 vaccine in India.
[More >>]
Targeted attack on FireEye
(December 14, 2020)
It has been reported that FireEye Inc. has been targeted by a cyber attack which resulted in the theft of their red-team / penetration testing tools. The attack campaign is reportedly attributed to a highly sophisticated actor employing novel techniques to gain access. Details of the tools stolen in this breach, with SHA-1 and SHA-256 hashes, are provided below:

AdPassHunt: credential stealer tool that hunts Active Directory credentials.
  • 590bd7609edf9ea8dab0b5fbc38393a870b329de
  • 29385446751ddbca27c26c43015be7ab0d548b895531fba9b03d612e53bd9ff0
Beacon: used for several goals, such as persistence, execution, privilege escalation, credential dumping and lateral movement.
  • 03a8efce7fcd5b459adf3426166b8bda56f8d8439c070b620bccb85a283295f4
  • e4dd5fc22ff3e9b0fa1f5b7b65fb5dfeac24aab741eee8a7af93f397b5720f4a
  • d011a846badec24a48a50d1ab50f57d356b9dd520408cbb3361182f6f0489a1e
  • 0a566a0ddbaf9975221fe842b9b77c4a8b5d71bb2c33e0a46da26deec90dcbea
  • 61cd1311d2e4663b86b5a70c2aafd5af6b247a6ebf407170296e37aaf8c69392
Beltalowda: used for conducting a variety of security-oriented checks on the victim machine.
  • d80b7a31d68b5f483073ff7af0984c1090f6a493f84db7d3a301e3e35fdb4a56
  • 7b7cbb1a62faf7e7a9ee1d0254c5681779b61abd3c9763b6588857c14cccdd9b
  • 8f991317f1473fa8af3c3d6ade2551ddac01425db6e7b0c718b81c324c43730d
  • 1d841ff51f8b5b08d7b4752cd498108d4b3f82864257dbd8e35b097c766f9e24
  • 29054e2cad080a61db11a61791206ea939cbf79abee71c44fa0e7603dd168840
  • dea11a5bc6ff271e40e477d1645bdeb19454bdd8eac077e598ca56ee885fc06e
  • b89158aeac0e98f7cc2a6c3040ad2f57093bdb9064eab2c585c1250d5efa850e
  • 00d1726e2ba77c4bed66a6c5c7f1a743cf7bb480deff15f034d67cf72d558c83
  • 5cacbf4e84027cb3c0ec55940dddee6f4d368aae778d635003cb3013b547ede0
  • bb939544ac109ca674ee9de4d8b292f9b117c9c676ddab61d15a6e219ad3986c
Rubeus, Fluffy: used to steal or forge Kerberos tickets.
  • 8bebf19d54c749560301eaada2e92eb240501b8c
  • a729d51f3deff5065e4978df2f88517d26e0d5db542c9cf8501a4206d8d2432c
  • 9758688dd18db6ec86c4835d9ba67b5e209c32c81981dc69d705670f8b95d5e6
  • 0340043481091d92dcfb2c498aad3c0afca2fd208ef896f65af790cc147f8891
  • 76faeb790d1c1aa5fd3473f86f602b371682415368ddd553ebc60eb3c7683f7f
  • 0097d59dc02cbac14df25ef05fc6d75f835d1db68f760d71fa4a0a57d9960606
  • c74352729dd49829f5e398a7fc7dd033d9e4aba3d93162c4fbcbe394cc31c3d4
  • 9c6a910a047e29e07b4015866dc05e00829b888a86d1d357ed49652a9b73f1b6
  • 6c1829be1c49c04b956b431386c389a6bf83327a5e7e68ff453103820ad4464d
  • 817867c23a7bf47e99c93201f99f5eb805396327765aa76338c5f9e0c89eac4a
  • 65044ea9fea1e34042adf3ff5e5fb17fc021ba4b0775415fad2465558a782c5e
G2JS: used to automate the weaponization of Microsoft Windows Script Host (WSH) scripts.
  • dcce258cc818febe2b888c8eee42aa95393b2fb4f1f2406330840ab8ad5c7d50
  • a3a8dedf82741a1997b17a44fbb1e5712ba3a5db11146519cf39281def9329a7
  • eed9402cb6fdc047b12f67493ba10970155a00086918eaad9542ab24096cc715
  • 398afc4c33e00b26466abb87668e33be766dbbf4c493fe04d180a14d14a32fa3
  • da3bdb6b9348a8d9328e669c744d0f21a83937c31894245e3157121342efe52c
  • cdabbe815b7aafa94469b97fa3665137c4d5b2da4fdd7648ba2851cf2df214fc
  • f8c8bb2ac03cc2a037ddde4ad175aa05aa80277483fcdac42627fbdcc36f64ba
  • fd2e546faed7426c448d1a11d8e1d4b8a06b5148c9c8dfa780338fac2ab53c5b
  • 0b8eab0a1961c52c141ac058c11e070d724d600cf903f2457c8ed189e7aae047
  • 117b9c9127beaf2e3ce7837c5e313084fd3926f1ebf1a77563149e08347cb029
[More >>]
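The hash list above mixes SHA-1 (40 hex characters) and SHA-256 (64 hex characters) values, and one entry is written with an upper-case digit, so a naive string comparison against locally computed digests would miss matches. The following added example (written for this page, not a CERT-In or FireEye tool) loads such a list, sorts entries by length into the right digest family, lower-cases them, and checks files on disk against both sets. Only a few hashes from the list are embedded for brevity; the full list can be pasted into the same string. The directory path and the sample bytes are constructed for illustration.

```python
import hashlib
import os

# A subset of the hashes from the CERT-In list above, deliberately including the
# entry that the page prints with an upper-case first character.
PAGE_IOCS = """
590bd7609edf9ea8dab0b5fbc38393a870b329de
29385446751ddbca27c26c43015be7ab0d548b895531fba9b03d612e53bd9ff0
03a8efce7fcd5b459adf3426166b8bda56f8d8439c070b620bccb85a283295f4
A3a8dedf82741a1997b17a44fbb1e5712ba3a5db11146519cf39281def9329a7
8bebf19d54c749560301eaada2e92eb240501b8c
"""

HEX_DIGITS = set("0123456789abcdef")


def load_iocs(text):
    """Split an IoC list into (sha1_set, sha256_set), lower-cased so mixed-case entries still match."""
    sha1, sha256 = set(), set()
    for token in text.split():
        token = token.strip().lower()
        if not token or any(c not in HEX_DIGITS for c in token):
            continue  # comments or malformed entries are skipped, not matched
        if len(token) == 40:
            sha1.add(token)
        elif len(token) == 64:
            sha256.add(token)
    return sha1, sha256


def digest_bytes(data):
    """Return (sha1_hex, sha256_hex) for an in-memory byte string."""
    return hashlib.sha1(data).hexdigest(), hashlib.sha256(data).hexdigest()


def digest_file(path, chunk=1 << 20):
    """Return (sha1_hex, sha256_hex) for a file, reading it in chunks so large files are not loaded whole."""
    h1, h256 = hashlib.sha1(), hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h1.update(block)
            h256.update(block)
    return h1.hexdigest(), h256.hexdigest()


def match_digests(sha1_hex, sha256_hex, iocs):
    """Return a list of (algorithm, digest) pairs that appear in the IoC sets."""
    sha1_set, sha256_set = iocs
    hits = []
    if sha1_hex.lower() in sha1_set:
        hits.append(("sha1", sha1_hex.lower()))
    if sha256_hex.lower() in sha256_set:
        hits.append(("sha256", sha256_hex.lower()))
    return hits


def scan_directory(root, iocs):
    """Walk a directory tree and return [(path, hits)] for every file whose digest is on the list."""
    matches = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                hits = match_digests(*digest_file(path), iocs)
            except OSError:
                continue  # unreadable file: skip rather than abort the whole scan
            if hits:
                matches.append((path, hits))
    return matches


if __name__ == "__main__":
    # Constructed usage: scan the current directory against the embedded subset.
    for path, hits in scan_directory(".", load_iocs(PAGE_IOCS)):
        print(path, hits)
```

Because both digest families are computed in one pass over each file, a single directory walk covers every entry on the list regardless of which algorithm the feed used for it.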
Cyber Threat Signal 2021
(December 08, 2020)
The Cyber Threat Signal 2021 publication is a joint collaborative work of CERT-In with AusCERT (Australia), KrCERT/CC (South Korea) and Sri Lanka CERT|CC regarding the most pertinent cyber threats that could be witnessed in the year 2021.
[More >>]
Privilege Escalation Vulnerability in Microsoft Netlogon
(September 18, 2020)
A vulnerability has been reported in Microsoft Netlogon which could allow an attacker to cause privilege escalation on the targeted system.
[More >>]
Phishing Campaign Targeting Users of email.gov.in
(September 01, 2020)
CERT-In has observed a phishing campaign targeting users of NIC's email service for the Government of India (email.gov.in).
[More >>]
Credit Card Skimmer Targets Microsoft ASP.NET Sites
(July 16, 2020)
It has been reported that credit card skimming attacks on various e-commerce sites are spreading worldwide.
[More >>]
Malicious Google Chrome Extensions
(June 24, 2020)
It has been reported that Google has removed 106 extensions for the Google Chrome browser from the Chrome Web Store that were found collecting sensitive user data.
[More >>]
Phishing campaigns impersonate popular video conferencing platforms, AarogyaSetu app & WHO
(May 15, 2020)
In recent trends, threat actors are exploiting the pandemic situation to trick users into giving up sensitive information, capitalising on the interest in recent novel coronavirus activities, news and information.
[More >>]
DDoS attacks (Hoaxcalls) by exploiting vulnerabilities in Grandstream and DrayTek Devices
(April 06, 2020)
A large number of DDoS attacks have been reported which are being propagated via infected Grandstream UCM6200 and DrayTek Vigor devices. The attackers are using the DDoS botnet dubbed Hoaxcalls to scan for and infect devices that are vulnerable to the exploits described below, resulting in further attacks in the IoT space.

Affected devices

Grandstream

Unauthenticated RCE flaws were found on the following products:

  • GAC2500 (Conference phone)
  • GVC3202 (Video-conferencing unit)
  • GXP2200 (VoIP phone)
  • GXV3275 (VoIP phone)
  • GXV3240 (VoIP phone)
Authenticated RCE flaws were found on the following products:
  • GXV3611IR_HD (Security camera)
  • UCM6204 (IP PBX)
  • GXV3370 (VoIP phone)
  • WP820 (WiFi phone)
  • GWN7000 (Router)
  • GWN7610 (Wireless access point)
DrayTek devices with firmware versions:
  • Vigor2960 prior to v1.5.1
  • Vigor300B prior to v1.5.1
  • Vigor3900 prior to v1.5.1

Details of the vulnerabilities targeted by the attackers are given below:
  1. SQL Injection Vulnerability in Grandstream Devices (CVE-2020-5722)

    This vulnerability exists in the HTTP interface of Grandstream UCM6200 series devices due to improper validation of the user_name parameter. A remote attacker could exploit this vulnerability by sending a specially crafted HTTP request, resulting in a remote SQL injection attack. Successful exploitation could allow the attacker to execute shell commands as root or inject HTML into password recovery emails. A patch for this vulnerability is not available.

  2. Remote Code Execution Vulnerability in DrayTek Devices (CVE-2020-8515)

    This vulnerability exists in the /www/cgi-bin/mainfunction.cgi function of DrayTek devices (Vigor2960, Vigor3900 and Vigor300B, though the list of affected versions is longer) due to improper filtering of the keyPath parameter during authentication. A remote attacker could exploit this vulnerability by supplying shell metacharacters, bypassing the checks. Successful exploitation could allow the attacker to execute arbitrary code as root without authentication.

    Necessary Action: Users of affected models should upgrade to 1.5.1 firmware or later as soon as possible.
[More >>]
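Both vulnerabilities above are reached through the device's HTTP interface, so an access log is the natural place to look for attempts against unpatched units. The following added example (not CERT-In's own tooling) parses common/combined-format log lines, percent-decodes the query string so that encoded quotes, semicolons and newlines are seen as the characters the CGI would receive, and raises a finding when a request to mainfunction.cgi carries shell metacharacters in keyPath (CVE-2020-8515) or when any request carries SQL string-breakout tokens in user_name (CVE-2020-5722, a heuristic, since the page does not give the exact endpoint). A POST to mainfunction.cgi without a visible keyPath is flagged for review because access logs do not record request bodies. The log lines, client addresses and the /cgi-bin/login path are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Common/combined log format prefix: client IP, identity, user, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" (?P<status>\d{3})'
)
# Characters the shell gives special meaning to; a legitimate keyPath value should contain none of them.
SHELL_META = re.compile(r"[;&|`$'\"\n(){}<>]")
# String-breakout and comment tokens that have no place in a user_name value.
SQL_META = re.compile(r"'|\"|--|/\*|#|\bunion\b|\bselect\b", re.IGNORECASE)

DRAYTEK_CGI = "/cgi-bin/mainfunction.cgi"

# Constructed sample log lines (not real traffic); client addresses are from the TEST-NET-1 range.
SAMPLE_LOG = """\
192.0.2.10 - - [06/Apr/2020:10:15:01 +0000] "GET /index.htm HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
192.0.2.11 - - [06/Apr/2020:10:15:02 +0000] "GET /cgi-bin/mainfunction.cgi?action=login&keyPath=x%27%3B%27y HTTP/1.1" 200 512 "-" "curl/7.68.0"
192.0.2.12 - - [06/Apr/2020:10:15:03 +0000] "GET /cgi-bin/mainfunction.cgi?action=login&keyPath=default HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.13 - - [06/Apr/2020:10:15:04 +0000] "GET /cgi-bin/login?user_name=admin%27-- HTTP/1.1" 200 300 "-" "python-requests/2.23"
192.0.2.14 - - [06/Apr/2020:10:15:05 +0000] "POST /cgi-bin/mainfunction.cgi HTTP/1.1" 200 512 "-" "curl/7.68.0"
"""


def parse_line(line):
    """Return (ip, method, path, params) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    # parse_qs percent-decodes values, so %27, %3B and %0A become ' ; and a newline before matching.
    params = parse_qs(parts.query, keep_blank_values=True)
    return m.group("ip"), m.group("method"), parts.path, params


def inspect_request(ip, method, path, params):
    """Apply the two heuristics to one request and return a list of findings (empty if clean)."""
    findings = []
    if path.endswith(DRAYTEK_CGI):
        for value in params.get("keyPath", []):
            if SHELL_META.search(value):
                findings.append({"ip": ip, "rule": "CVE-2020-8515", "param": "keyPath", "value": value})
        if method == "POST" and "keyPath" not in params:
            # The access log carries only the query string; anything sent in the body is invisible here.
            findings.append({"ip": ip, "rule": "POST to mainfunction.cgi (body not logged, review)",
                             "param": None, "value": None})
    for value in params.get("user_name", []):
        if SQL_META.search(value):
            findings.append({"ip": ip, "rule": "CVE-2020-5722 (heuristic)", "param": "user_name", "value": value})
    return findings


def scan_log(text):
    """Run inspect_request over every parseable line and collect the findings in log order."""
    findings = []
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed:
            findings.extend(inspect_request(*parsed))
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ip"], f["rule"], f["param"], repr(f["value"]))
```

Decoding before matching is the important step: a metacharacter that is percent-encoded on the wire is harmless to a regex applied to the raw log line but is exactly what the CGI sees after its own decoding. Firmware at 1.5.1 or later, as the advisory requires, remains the actual fix; this only tells you whether someone has been trying.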
Fake UPI IDs circulated on the pretext of "Prime Minister's Citizen Assistance and Relief in Emergency Situations Fund"
(March 30, 2020)
CERT-In has received several reports about fake UPI IDs which are similar to the UPI ID used by the "Prime Minister's Citizen Assistance and Relief in Emergency Situations (PM-CARES) Fund", pmcares@sbi.
[More >>]
"CORONAVIRUS PANDEMIC [COVID-19] BASED CYBER ATTACKS"
(March 23, 2020)
Novel Coronavirus, which originated in December 2019, is a viral disease that has spread worldwide.
[More >>]
Indian Computer Emergency Response Team - CERT-In, Ministry of Electronics and Information Technology, Government of India.
Last Updated On September 22, 2021