Tag: exploit

Heartbleed in TOR (and in Poland)

Date of publication: 11/04/2014, CERT Polska

heartbleed-iconIn the last few days the most popular vulnerability seems to be CVE-2014-0160. This two years old vulnerability was in OpenSSL library, versions 1.0.1a-f, and allows to read a part of the memory of the process. The use of this library is very prevalent not only in the server environments (e.g. WWW, or mail), but also on desktops in some client applications. However, the most popular browsers are not affected in any way. We publish our analysis of this CVE and its effect on TOR and Polish network. Information on the Electronic Frontier Foundation Deeplinks blog allows to speculate that the intelligence agencies knew about the bug a year ago and actually used it.

Read more

Ransomware still a threat to Polish users

Date of publication: 19/09/2013, CERT Polska

malware-icon

During the summer holidays we observed an increased infection rate of ransomware. We mentioned this type of malware a few times already in the past (here is a description of similar malware and here is information detailing how to remove it from your computer). CERT Polska was able to acquire three samples of this malware from three different sources. In every case we were able to determine the infection vector. Most probably, all of the three samples were created by the same group of cybercriminals. One of the samples came from a hacked .gov.pl website in collaboration with CERT.GOV.PL, second sample was from a hacked website in .eu domain and the last sample was from a malicious advertisement from a .pl website. A case of malware on the governmental website was also a subject of our previous blog post.
Read more

Malware campaign on Polish governmental site

Date of publication: 20/05/2013, CERT Polska

malware-icon

CERT Polska and CERT.GOV.PL recently discovered a website in the gov.pl domain that has been a part of malware campaign at least since the beginning of May 2013. The page contained a JavaScript code that added a hidden iframe which redirected to the exploit kit. Next, with the help of “Smoke Loader”, two binaries containing malware were downloaded. The first binary was a FakeAV software, which forced the user to buy a “full version” with the promise that it will remove all of the imaginary problems with her machine. The second binary contained a Kryptik trojan, which steals information from a large variety of FTP, SSH and WWW clients. It also steals SSL certificates used to sign code and performs a dictionary attack on the current logged user account. Both of them contain various techniques which are meant to prevent disassembly and debugging.
Read more