CURRENT ACTIVITIES

Phishing campaigns impersonate popular video conferencing platforms, AarogyaSetu app & WHO
(May 15, 2020)
Threat actors are taking advantage of the pandemic situation to trick users into giving up their sensitive information, exploiting the interest associated with recent novel coronavirus activities, news, and information.
[More >>]
DDoS attacks (Hoaxcalls) by exploiting vulnerabilities in Grandstream and DrayTek Devices
(April 06, 2020)
A large number of DDoS attacks have been reported, propagated via infected Grandstream UCM6200 and DrayTek Vigor devices. Attackers are using the DDoS botnet dubbed Hoaxcalls to scan for and infect devices that are vulnerable to these exploits, resulting in further attacks in the IoT space.

Affected devices

Grandstream

Unauthenticated RCE flaws were found on the following products:

  • GAC2500 (Conference phone)
  • GVC3202 (Video-conferencing unit)
  • GXP2200 (VoIP phone)
  • GXV3275 (VoIP phone)
  • GXV3240 (VoIP phone)
Authenticated RCE flaws were found on the following products:
  • GXV3611IR_HD (Security camera)
  • UCM6204 (IP PBX)
  • GXV3370 (VoIP phone)
  • WP820 (WiFi phone)
  • GWN7000 (Router)
  • GWN7610 (Wireless access point)
DrayTek devices with firmware versions:
  • Vigor2960 prior to v1.5.1
  • Vigor300B prior to v1.5.1
  • Vigor3900 prior to v1.5.1

Details of the vulnerabilities targeted by the attackers are given below:
  1. SQL Injection Vulnerability in Grandstream Devices (CVE-2020-5722)

    This vulnerability exists in the HTTP interface of Grandstream UCM6200 series devices due to improper validation of the user_name parameter. A remote attacker could exploit this vulnerability by sending a specially crafted HTTP request, resulting in a remote SQL injection attack. Successful exploitation could allow the attacker to execute shell commands as root or inject HTML into password recovery emails. A patch for this vulnerability is not available.

  2. Remote Code Execution Vulnerability in DrayTek Devices (CVE-2020-8515)

    This vulnerability exists in /www/cgi-bin/mainfunction.cgi on DrayTek devices (Vigor2960, Vigor3900 and Vigor300B, though the list of affected versions is much longer) due to improper filtering of the keyPath parameter during authentication. A remote attacker could exploit this vulnerability by sending shell metacharacters that bypass the checks. Successful exploitation could allow the attacker to execute arbitrary code as root without authentication.

    Necessary Action: Users of affected models should upgrade to 1.5.1 firmware or later as soon as possible.
[More >>]
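As an added defender-side example (not code from CERT-In or from the advisory above), the following Python script turns the two vulnerability descriptions into checks an operator can run: it scans web-server access-log lines for requests to mainfunction.cgi whose keyPath value contains shell metacharacters (CVE-2020-8515) and for login requests whose user_name value contains SQL quote or comment tokens (CVE-2020-5722), and it reports whether a Vigor2960/3900/300B firmware string predates the fixed v1.5.1 release. It assumes common-log-format access logs; all log lines, addresses and parameter values are constructed; and because the advisory does not name the Grandstream login endpoint, user_name is matched by parameter name on any path.

```python
"""Defender-side checks for the two issues Hoaxcalls is reported to target.

Assumptions made for this example (not taken from the advisory): the access-log
format is the common/combined web-server format, the Grandstream login endpoint is
unknown so user_name is matched by parameter name on any path, and all log lines,
addresses and parameter values below are constructed.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Characters that let a value escape a shell command (CVE-2020-8515 is a command
# injection through the keyPath parameter of mainfunction.cgi).
SHELL_META = set(";|&`$()<>\n\r'\"")
# Quote / comment tokens typical of SQL injection in a user name (CVE-2020-5722).
SQL_META_RE = re.compile(r"['\";]|--|/\*")

DRAYTEK_ENDPOINT = "/cgi-bin/mainfunction.cgi"   # path named in the advisory
DRAYTEK_FIXED = (1, 5, 1)                        # first fixed firmware: v1.5.1
DRAYTEK_MODELS = {"Vigor2960", "Vigor300B", "Vigor3900"}

# Common-log-format request line; the HTTP version is swallowed by [^"]*.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log: one benign and one suspicious request per CVE.
SAMPLE_LOG = """\
192.0.2.10 - - [06/Apr/2020:10:01:02 +0530] "GET /cgi-bin/mainfunction.cgi?action=login&keyPath=user1&loginUser=admin HTTP/1.1" 200 512
192.0.2.77 - - [06/Apr/2020:10:01:07 +0530] "GET /cgi-bin/mainfunction.cgi?action=login&keyPath=x%3B%7Cbad&loginUser=admin HTTP/1.1" 200 77
198.51.100.5 - - [06/Apr/2020:10:02:30 +0530] "POST /cgi-bin/mainfunction.cgi?action=login HTTP/1.1" 200 64
203.0.113.8 - - [06/Apr/2020:10:03:11 +0530] "GET /cgi-bin/login.cgi?user_name=admin%27--&password=x HTTP/1.1" 200 2048
192.0.2.10 - - [06/Apr/2020:10:04:00 +0530] "GET /cgi-bin/login.cgi?user_name=admin&password=x HTTP/1.1" 200 2048
"""


def flag_suspicious_requests(log_text):
    """Return (ip, cve, parameter, evidence) tuples for requests matching either pattern."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        parts = urlsplit(m["target"])
        params = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values
        if parts.path.endswith(DRAYTEK_ENDPOINT):
            for value in params.get("keyPath", []):
                bad = sorted(set(value) & SHELL_META)
                if bad:
                    findings.append((m["ip"], "CVE-2020-8515", "keyPath", "".join(bad)))
        for value in params.get("user_name", []):
            if SQL_META_RE.search(value):
                findings.append((m["ip"], "CVE-2020-5722", "user_name", value))
    return findings


def _version_tuple(firmware):
    """'v1.4.4' -> (1, 4, 4); non-numeric parts are ignored."""
    return tuple(int(n) for n in re.findall(r"\d+", firmware))


def draytek_firmware_vulnerable(model, firmware):
    """True if the model is one the advisory lists and its firmware predates v1.5.1.
    Returns None for other models: the advisory notes the full affected list is longer,
    so 'not listed here' must not be read as 'safe'."""
    if model not in DRAYTEK_MODELS:
        return None
    version = _version_tuple(firmware)
    if not version:
        raise ValueError(f"unparseable firmware string: {firmware!r}")
    return version < DRAYTEK_FIXED


if __name__ == "__main__":
    for ip, cve, param, evidence in flag_suspicious_requests(SAMPLE_LOG):
        print(f"{ip}: possible {cve} attempt via {param}: {evidence!r}")
    for model, fw in [("Vigor2960", "v1.4.4"), ("Vigor3900", "1.5.1"), ("Vigor2925", "1.0")]:
        print(model, fw, "->", draytek_firmware_vulnerable(model, fw))
```

Two limits worth knowing before relying on this: standard access logs do not record POST bodies, so parameters sent in a body only become visible through a reverse proxy, WAF or IDS that inspects request bodies; and the metacharacter heuristic will also flag unusual but benign values, so treat hits as triage leads against the affected-device list above rather than as confirmed compromise.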
Fake UPI IDs circulated on the pretext of "Prime Minister's Citizen Assistance and Relief in Emergency Situations Fund"
(March 30, 2020)
CERT-In has received several reports about fake UPI IDs which resemble the UPI ID used by the "Prime Minister's Citizen Assistance and Relief in Emergency Situations (PM-CARES) Fund", pmcares@sbi.
[More >>]
"CORONAVIRUS PANDEMIC [COVID-19] BASED CYBER ATTACKS"
(March 23, 2020)
Novel coronavirus, which originated in December 2019, is a viral disease that has spread worldwide.
[More >>]
"STOP" Ransomware attacks
(February 25, 2020)
CERT-In has observed that a new variant of "STOP" ransomware is spreading widely. Once a victim computer is infiltrated by STOP ransomware, all files are encrypted and the extension ".stop" is appended to the name of each encrypted file. After encrypting the files, the ransomware also deletes the Shadow Volume Copies so that recovery from them is not possible.
[More >>]
Windows 7 End of Life
(January 13, 2020)
Windows 7 will enter its End of Life on Tuesday, January 14, 2020, which means that Microsoft will no longer offer security updates for the old operating system.
[More >>]
Large-scale compromise of SME/SOHO routers by exploiting known vulnerabilities
(November 01, 2019)
A surge in compromises of routers deployed in the SME and SOHO (small office and home) segments has been observed. The attackers behind these campaigns use variants of known malware to target these IoT devices.
[More >>]
Information stealing malware spreading via fraudulent emails purporting to originate from Income Tax Department
(September 19, 2019)
A phishing and malware campaign has been active since at least September 12 and is targeting individuals as well as financial organizations. The campaign involves fake emails purporting to be sent from the Indian Income Tax Department. Two variants of the emails have been observed. The first variant includes an attachment with the extension ".img" which contains a malicious ".pif" file. The second variant lures users into downloading a malicious ".pif" file hosted on a SharePoint page via a link to the fraudulent domain incometaxindia[.]info. This domain has since been disabled.
[More >>]
Remote Access Trojan Spreading via Fake Income Tax calculator
(August 21, 2019)
A remote access Trojan (RAT) is spreading via crafted Microsoft Office spreadsheet files presented to victims as a fake income tax calculator. The document contains an embedded malicious macro which starts executing as soon as the victim opens it.
[More >>]
Misconfiguration of iSCSI storage devices
(April 03, 2019)
It is reported that a number of iSCSI storage devices have been exposed to the Internet without any authentication.
[More >>]
Global DNS Infrastructure Hijacking Campaign
(January 24, 2019)
A large-scale DNS infrastructure hijacking campaign has been reported targeting domains belonging to government, telecommunications and Internet infrastructure entities across the globe. The malicious actors redirected traffic from organizations all over the globe through their own malicious servers, obtained valid encryption certificates, and recorded company credentials for use in future attacks. The attackers are reported to have used DNS hijacking techniques to create a base for further attacks on the affected systems.
[More >>]
Large-scale compromise of home/SOHO routers using the Novidade exploit kit
(December 13, 2018)
A large-scale attack campaign has been reported targeting home/SOHO routers with an exploit kit named Novidade, which is delivered to victims via malvertising, injection into compromised websites, and instant messengers.
[More >>]
Surge in crypto mining activities through MikroTik Router
(October 09, 2018)
There are reports of large-scale cryptocurrency mining through thousands of compromised routers that inject a crypto miner into every website visited by their owners. Through this mining, attackers use the victims' system resources (power and computing capacity) to mine cryptocurrency without their permission.
[More >>]
Safeguarding from SMShing income tax refund attacks
(August 07, 2018)
There have been increased reports of incidents involving fake SMS messages purportedly from the Income Tax Department as the filing of income tax returns nears. This SMShing campaign uses popular URL shortening services such as bit.ly, goo.gl, ow.ly and t.co.
[More >>]
New "PyRoMineIoT" Miner and IoT Device Scanner Malware
(June 25, 2018)
It has been reported that a crypto-currency miner dubbed "PyRoMineIoT" has been spreading widely across different countries.
[More >>]
Indian Computer Emergency Response Team - CERT-In, Ministry of Electronics and Information Technology, Government of India.
Last Updated On May 29, 2020