GovCERT Blog

Latest blog entries (in English)

Cyber Security for the Healthcare Sector During Covid19
At the time of writing this blog post (October 27 2020), the Federal Office of Public Health FOPH has announced 5'949 confirmed COVID19 infections in Switzerland within the past 24 hours. After the initial COVID19 measures imposed by the Federal Council this spring and their lifting in summer, the upcoming months will probably be challenging again for all of us. However, the pandemic is challenging not only for the Swiss economy and the general public, but also for the healthcare sector.
27.10.2020 14:19
Security of the Swiss Domain Landscape (ccTLD ch)
Since the introduction of the Domain Name System (DNS) in 1987 (RFC1034 / RFC1035), more than 30 years have passed. The internet has become as crucial as the food and power supply. Back in 1987, the inventors and engineers of DNS probably never thought that the internet would become such a big and crucial thing for the 21st century. As a result, DNS comes with a handful of weaknesses that can be exploited by threat actors for malicious purposes.
17.09.2020 09:03
Phishing Attackers Targeting Webmasters
Since the beginning of April 2020, we have been seeing an increase in phishing attacks against webmasters and domain owners in Switzerland. Unknown threat actors are phishing for credentials for accounts on the web admin panels of at least three major hosting providers in Switzerland. In order to gain access to these web admin panels, the perpetrator is sending out many phishing emails that pretend to come from Swiss hosting providers. In fact, they originate from hijacked email accounts abroad or from infrastructure that the perpetrator has rented at hosting providers abroad exclusively for this purpose.
22.04.2020 12:00
Analysis of an Unusual HawkEye Sample
Introduction: Currently, we are observing HawkEye samples being distributed by large malspam waves. HawkEye is a keylogger which has been around for quite a long time (since 2013) and has evolved since then, gaining more functionality. There are several good blog posts about HawkEye in general. Recently we observed an interesting obfuscation method in a HawkEye binary, which we are going to describe in this blog post.
20.02.2020 10:45
Trickbot - An analysis of data collected from the botnet
We are monitoring various threats, and in that context we have collected quite some data about the Trickbot botnet in the past few years. This paper is based on an analysis of selected aspects of our Trickbot data collection. Some of our analysis is rather straightforward; yet we also take the freedom to make some speculative statements, which might turn out to be debatable or plain wrong. In that spirit, we are open to discussion and happy to receive comments from the readers of this article.
25.09.2019 08:40
Severe Ransomware Attacks Against Swiss SMEs
As we have seen an ever-increasing number of ransomware cases that show a rather sophisticated modus operandi, we are publishing a warning via the MELANI Newsletter along with this blog post, documenting technical details about the recent ransomware attacks against Swiss small and medium enterprises (SMEs). The goal of this blog post is to give you a better understanding of the various modi operandi of the most common ransomware families we have encountered hitting Swiss targets in the past months.
09.05.2019 11:15
Reversing Retefe
Introduction: Approximately one year ago, we published our blog post The Retefe Saga. Not much has changed since last year, except that we have seen a rise in malspam runs in the last couple of weeks, and we want to use the opportunity to show how to reverse engineer the Retefe malware. Let's start with a graph of the Retefe malspam runs we have seen over the past 3 years.
08.11.2018 10:20
Leaked Accounts
MELANI/GovCERT has been informed about potentially leaked accounts that are in danger of being abused. MELANI/GovCERT provides a tool for checking whether your account might be affected. Some technical information about the tool: we only transfer a SHA256 hash that is created on the client side using JavaScript. Thus we do not know the queried e-mail addresses or account names. No e-mail addresses or account names are stored on the server, just the hashes.
29.08.2017 10:00
The Retefe Saga
Surprisingly, there is a lot of media attention at the moment on a macOS malware called OSX/Dok. In recent weeks, various anti-virus vendors and security researchers have published blog posts on this threat, presenting their analysis and findings. While some findings were very interesting, others were misleading or simply wrong. We don't know where the sudden media interest and the attention from anti-virus vendors on this threat actor are coming from.
03.08.2017 13:15
Notes About The NotPetya Ransomware
NotPetya Ransomware: A new ransomware, currently named NotPetya, began spreading yesterday. There are many victims, especially in Ukraine, but large companies such as Maersk or Merck have also been hit hard. There are infections in Switzerland as well. Like many others, we have analyzed the malware and tried to harden the evidence about its functioning. As many good papers have already been published, we do not want to repeat all of that, but rather highlight a few important facts that can now be considered hardened evidence.
28.06.2017 02:00

Last modified 16.12.2020
