DOCSLIB.ORG

The Polish Internet 2016 Annual Report from the Actions of CERT Polska ISSN 2084-9079

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
The Polish Internet 2016 Annual Report from the Actions of CERT Polska ISSN 2084-9079 SECURITY LANDSCAPE OF THE POLISH INTERNET 2016 Annual report from the actions of CERT Polska ISSN 2084-9079 1 THE SECURITY LANDSCAPE OF THE POLISH INTERNET 2016 Annual report from the actions of CERT Polska Introduction...... ..................................................5 Threats, incidents and observations About CERT Polska .............................................6 particularly important for Polish Internet users ........................................... 39 Highlights from 2016 ..........................................7 Pravyi Sektor ........................................ 39 Calendar ............................................................8 Ransomware ....................................... 43 Protection of Polish cyberspace Locky ................................................ 44 and actions by CERT Polska ...........................11 Cerber .............................................. 44 Misha & Petya ................................. 45 CERT Polska as part of the National TorrentLocker .................................. 46 Cyber-Safety Centre. ................................ 11 CryptXXX & CrypMIC ..................... 46 Handling incidents and reacting CryptoMix ........................................ 47 to threats ..................................................... 11 TeslaCrypt ........................................ 48 NATO Locked Shields 2016 exercises ....... 15 DMA Locker ..................................... 48 Cyber Europe 2016 exercises.................... 16 Summary .......................................... 48 SECURE 2016 conference .......................... 16 Polish malware scene ........................ 48 European Cyber Security Month .............. 18 Benio ................................................ 48 OUCH! bulletin ............................................ 18 vjw0rm .............................................. 49 Execution .................................................... 18 Proxy Changer (Pacca) ................. 50 NECOMA ................................................. 18 InPost campaign + “borrowed” SISSDEN .................................................... 19 LuminosityLink RAT .......................... 50 n6.... ......................................................... 19 DMA Locker ..................................... 51 CyberROAD ............................................ 20 GMBot .................................................. 51 Exploit kity ................................................ 21 Nymaim ............................................... 53 State of the Internet as of 2016 based The course of the infection ............ 54 on information gathered Infection symptoms ........................ 54 by CERT Polska .................................................23 Characteristic elements ................ 55 Global threats and incidents .................... 23 ISFB ....................................................... 55 Mirai ......................................................... 23 From ISFB to mobile devices .......... 55 Mirai operatio ..................................... 23 Ostap group........................................ 58 The largest Mirai attacks .................... 25 Bitcurex ................................................ 59 Mirai in Poland .................................... 26 Overview of the CTF 2016 scene ...... 60 Summary ............................................. 29 Statistics ......................................................... 61 Using network devices for malicious Botnets ......................................................... 62 purposes .................................................. 29 Botnets in Poland ................................... 62 Attacks on DSL servers ....................... 29 Botnet activity divided into Spam from routers .............................. 31 telecommunication operators ............. 62 Using routes as SOCKS Proxy ............. 31 C&C servers ............................................ 64 Attacks using a SWIFT Phishing ...................................................... 68 banking system ....................................... 33 Services used to perform Avalanche .............................................. 33 DRDoS attacks ............................................ 69 USA elections .......................................... 35 Open DNS servers ................................... 72 Most important vulnerabilities NTP .......................................................... 73 identified in 2016 .................................... 36 SSDP ......................................................... 74 DirtyCow (CVE-2016-5195) ................ 36 SNMP ........................................................ 75 MySQL Priv Escal / RCE Port mapper ............................................ 76 (CVE-2016-6662) ................................. 37 NetBIOS.................................................... 77 Tor Browser/Firefox RCE Vulnerable services .................................... 78 (CVE-2016-9079) ................................ 37 POODLE ................................................... 79 Cisco ASA – EXTRABACON NAT-PMP .................................................. 80 (CVE-2016-6366)/ EPICBANANA FREAK ....................................................... 81 (CVE-2016-6367) ................................. 37 IPMI.. ........................................................ 82 Google vs Microsoft - a 7 day Malicious websites ..................................... 83 disclosure (CVE-2016-7255) ............... 38 Vulnerabilities in anti-virus software Glossary of basic terms ..................................85 (including CVE-2016-2208) ................ 38 able of contents T CERT Polska Annual Report 2016 Introduction Dear readers, We present the report from the actions of the 20 years. We believe that network and infor- CERT Polska team in 2016. It is an attempt to mation security is the discipline, where coope- describe the security landscape of both the ration, trust and exchange of key information Polish and Global Internet, seen from the per- about threats are more vital than business spective of the incident reports handled by competition. That is why we hope that thanks our team and our own research activity. The to the development of NC Cyber and the report also includes the description of projects involvement of various entities in this initiative carried out by CERT Polska and the most im- (from essential service providers, through law portant events we participated in. enforcement, to the researchers and commer- cial companies from the security field), there In 2016, the Ministry of Digital Affairs gave NASK will be even more possibilities to use the com- a task to create the National Cybersecurity petence of the CERT Polska team. This means Centre (NC Cyber). The role of the CERT Pol- that 2017 will be a year of challenges for our ska team in this project is to provide analytical team, but also full of opportunities for progress. facilities with high technical competence, so as to be able to monitor and analyse threats to Polish Internet users and actively counte- ract them. It seems a natural continuation of our mission, which we have fulfilled for over CERT Polska 5 CERT Polska Annual Report 2016 About CERT Polska The CERT Polska team acts within the structures The main tasks of CERT Polska are: of NASK - an institute that carries out scientific • registration and handling of network security research, maintains the National Cybersecu- incidents; rity Centre (Narodowe Centrum Cyberbez- • active response in case of direct threats pieczeństwa, NC Cyber), the national registry to users; of .pl domains and supplies advanced ICT • cooperation with other CERT teams in Poland services. and worldwide; • participation in national and international CERT Polska is the first Computer Emergency projects related to the IT security; Response Team in Poland. By virtue of its ef- • research into methods of detecting security fective operations since 1996, it has become incidents, analysis of malware, systems for a recognised and renowned entity in the area exchanging information on threats; of computer security. Since its inception, the • development of proprietary and open sour- core of the team’s activity has been handling ce tools for detection, monitoring, analysis, security incidents and cooperation with similar and correlation of threat; entities around the world, both in operatio- • regular publication of the annual CERT Polska nal activities as well as research and deve- Report on security of Polish cyberspace; lopment. Since 1998, CERT Polska has been a • informational and educational activities, member of an international forum that brings aimed at raising awareness in relation to IT together emergency response teams – FIRST, security, including: and since 2000 it belongs to a working group of European emergency response teams – TF a. maintaining a blog at cert.pl as well as -CSIRT and is accredited by Trusted Introducer. Facebook and Twitter accounts; In 2005, CERT Polska initiated a forum of Polish b. organization of the annual SECURE con- abuse teams - Abuse FORUM, whereas in 2010 ference (www.secure.edu.pl); it joined the Anti-Phishing Working Group, an c. specialized trainings. association that gathers companies and insti- tutions that actively combat Internet crime. fot. pixabay.com 6 CERT Polska Annual Report 2016 Highlights from 2016 • In 2016, CERT Polska handled 1,926 in- e-mail messages with attachments, and cidents, 32
Load more

Recommended publications
  • Ransom Where?
    Ransom where? Holding data hostage with ransomware May 2019 Author With the evolution of digitization and increased interconnectivity, the cyberthreat landscape has transformed from merely a security and privacy concern to a danger much more insidious by nature — ransomware. Ransomware is a type of malware that is designed to encrypt, Imani Barnes Analyst 646.572.3930 destroy or shut down networks in exchange [email protected] for a paid ransom. Through the deployment of ransomware, cybercriminals are no longer just seeking to steal credit card information and other sensitive personally identifiable information (PII). Instead, they have upped their games to manipulate organizations into paying large sums of money in exchange for the safe release of their data and control of their systems. While there are some business sectors in which the presence of this cyberexposure is overt, cybercriminals are broadening their scopes of potential victims to include targets of opportunity1 across a multitude of industries. This paper will provide insight into how ransomware evolved as a cyberextortion instrument, identify notorious strains and explain how companies can protect themselves. 1 WIRED. “Meet LockerGoga, the Ransomware Crippling Industrial Firms” March 25, 2019; https://www.wired.com/story/lockergoga-ransomware-crippling-industrial-firms/. 2 Ransom where? | May 2019 A brief history of ransomware The first signs of ransomware appeared in 1989 in the healthcare industry. An attacker used infected floppy disks to encrypt computer files, claiming that the user was in “breach of a licensing agreement,”2 and demanded $189 for a decryption key. While the attempt to extort was unsuccessful, this attack became commonly known as PC Cyborg and set the archetype in motion for future attacks.
    [Show full text]
  • Botnets, Cybercrime, and Cyberterrorism: Vulnerabilities and Policy Issues for Congress
    Order Code RL32114 Botnets, Cybercrime, and Cyberterrorism: Vulnerabilities and Policy Issues for Congress Updated January 29, 2008 Clay Wilson Specialist in Technology and National Security Foreign Affairs, Defense, and Trade Division Botnets, Cybercrime, and Cyberterrorism: Vulnerabilities and Policy Issues for Congress Summary Cybercrime is becoming more organized and established as a transnational business. High technology online skills are now available for rent to a variety of customers, possibly including nation states, or individuals and groups that could secretly represent terrorist groups. The increased use of automated attack tools by cybercriminals has overwhelmed some current methodologies used for tracking Internet cyberattacks, and vulnerabilities of the U.S. critical infrastructure, which are acknowledged openly in publications, could possibly attract cyberattacks to extort money, or damage the U.S. economy to affect national security. In April and May 2007, NATO and the United States sent computer security experts to Estonia to help that nation recover from cyberattacks directed against government computer systems, and to analyze the methods used and determine the source of the attacks.1 Some security experts suspect that political protestors may have rented the services of cybercriminals, possibly a large network of infected PCs, called a “botnet,” to help disrupt the computer systems of the Estonian government. DOD officials have also indicated that similar cyberattacks from individuals and countries targeting economic,
    [Show full text]
  • The Evolution of Ransomware
    The evolution of ransomware SECURITY RESPONSE The evolution of ransomware Kevin Savage, Peter Coogan, Hon Lau Version 1.0 – August 6, 2015 Never before in the history of human kind have people across the world been subjected to extortion on a massive scale as they are today. CONTENTS OVERVIEW ..............................................................................3 Key information ......................................................................5 Types of ransomware .............................................................5 How ransomware has evolved ...............................................7 Targets for ransomware .......................................................13 Systems impacted by ransomware ......................................14 Ransomware: How it works ..................................................18 Ransom techniques ..............................................................27 How widespread is the problem of ransomware .................33 What does the future hold for ransomware? .......................37 Conclusion ............................................................................45 Appendix ..............................................................................47 Mitigation strategies ............................................................51 Symantec detections for common ransomware families 54 Resources .............................................................................56 OVERVIEW Never before in the history of human kind have people across the world been
    [Show full text]
  • Minimizing the Risk of Ransomware
    Minimizing the Impact of Ransomware Authors: Tushar Nandwana, OneBeacon Technology Risk Control and Joe Budzyn – OneBeacon Insurance Group Published: July 2018 1 Ransomware has featured prominently in the news over the last few years. Ransomware – Hospitals, municipalities, businesses, law enforcement agencies, individuals and A Growing Threat even entire regions of the world have been affected by it. Some have paid the ransom and recovered their computer data; others have lost their data forever. In March 2018, the city of Atlanta, Georgia was hit by SamSam ransomware which prevented city residents from paying their bills and accessing court information online. The demand was for $51,000 but it ultimately cost the city several million dollars from other costs to rectify. SamSam also infected the Colorado Department of Transportation twice in February 2018. Numerous other U.S. municipalities and healthcare organizations have been hit by this ransomware2. WannaCry wreaked havoc on the world in May 2017. With its worm‐like, self‐ propagating behaviour, it spread to thousands of systems within hours using the Eternal Blue exploit to target Windows machines. WannaCry resulted in an estimated $4B in economic losses to the affected businesses and infected 30,000 machines worldwide3. In June 2017 we also saw Petya and NotPetya which used the same exploit as WannaCry, but were more intent on destruction rather than ransom. NotPetya targeted systems specifically in the Ukraine4. FedEx ended up reporting a $300M loss, not from the ransom payout but due to the downtime and economic loss sustained by its Ukrainian subsidiary, TNT Express5. Petya caused Danish shipping giant AP Moller $300M in lost revenue6.
    [Show full text]
  • A the Hacker
    A The Hacker Madame Curie once said “En science, nous devons nous int´eresser aux choses, non aux personnes [In science, we should be interested in things, not in people].” Things, however, have since changed, and today we have to be interested not just in the facts of computer security and crime, but in the people who perpetrate these acts. Hence this discussion of hackers. Over the centuries, the term “hacker” has referred to various activities. We are familiar with usages such as “a carpenter hacking wood with an ax” and “a butcher hacking meat with a cleaver,” but it seems that the modern, computer-related form of this term originated in the many pranks and practi- cal jokes perpetrated by students at MIT in the 1960s. As an example of the many meanings assigned to this term, see [Schneier 04] which, among much other information, explains why Galileo was a hacker but Aristotle wasn’t. A hack is a person lacking talent or ability, as in a “hack writer.” Hack as a verb is used in contexts such as “hack the media,” “hack your brain,” and “hack your reputation.” Recently, it has also come to mean either a kludge, or the opposite of a kludge, as in a clever or elegant solution to a difficult problem. A hack also means a simple but often inelegant solution or technique. The following tentative definitions are quoted from the jargon file ([jargon 04], edited by Eric S. Raymond): 1. A person who enjoys exploring the details of programmable systems and how to stretch their capabilities, as opposed to most users, who prefer to learn only the minimum necessary.
    [Show full text]
  • The Downadup Codex a Comprehensive Guide to the Threat’S Mechanics
    Security Response The Downadup Codex A comprehensive guide to the threat’s mechanics. Edition 2.0 Introduction Contents Introduction.............................................................1 Since its appearance in late-2008, the Downadup worm has become Editor’s Note............................................................5 one of the most wide-spread threats to hit the Internet for a number of Increase in exploit attempts against MS08-067.....6 years. A complex piece of malicious code, this threat was able to jump W32.Downadup infection statistics.........................8 certain network hurdles, hide in the shadows of network traffic, and New variants of W32.Downadup.B find new ways to propagate.........................................10 defend itself against attack with a deftness not often seen in today’s W32.Downadup and W32.Downadup.B threat landscape. Yet it contained few previously unseen features. What statistics................................................................12 set it apart was the sheer number of tricks it held up its sleeve. Peer-to-peer payload distribution...........................15 Geo-location, fingerprinting, and piracy...............17 It all started in late-October of 2008, we began to receive reports of A lock with no key..................................................19 Small improvements yield big returns..................21 targeted attacks taking advantage of an as-yet unknown vulnerability Attempts at smart network scanning...................23 in Window’s remote procedure call (RPC) service. Microsoft quickly Playing with Universal Plug and Play...................24 released an out-of-band security patch (MS08-067), going so far as to Locking itself out.................................................27 classify the update as “critical” for some operating systems—the high- A new Downadup variant?......................................29 Advanced crypto protection.................................30 est designation for a Microsoft Security Bulletin.
    [Show full text]
  • 1.Computer Virus Reported (1) Summary for This Quarter
    Attachment 1 1.Computer Virus Reported (1) Summary for this Quarter The number of the cases reported for viruses*1 in the first quarter of 2013 decreased from that of the fourth quarter of 2012 (See Figure 1-1). As for the number of the viruses detected*2 in the first quarter of 2013, W32/Mydoom accounted for three-fourths of the total (See Figure 1-2). Compared to the fourth quarter of 2012, however, both W32/Mydoom and W32/Netsky showed a decreasing trend. When we looked into the cases reported for W32/Netsky, we found that in most of those cases, the virus code had been corrupted, for which the virus was unable to carry out its infection activity. So, it is unlikely that the number of cases involving this virus will increase significantly in the future As for W32/IRCbot, it has greatly decreased from the level of the fourth quarter of 2012. W32/IRCbot carries out infection activities by exploiting vulnerabilities within Windows or programs, and is often used as a foothold for carrying out "Targeted Attack". It is likely that that there has been a shift to attacks not using this virus. XM/Mailcab is a mass-mailing type virus that exploits mailer's address book and distributes copies of itself. By carelessly opening this type of email attachment, the user's computer is infected and if the number of such users increases, so will the number of the cases reported. As for the number of the malicious programs detected in the first quarter of 2013, Bancos, which steals IDs/Passwords for Internet banking, Backdoor, which sets up a back door on the target PC, and Webkit, which guides Internet users to a maliciously-crafted Website to infect with another virus, were detected in large numbers.
    [Show full text]
  • ESET Observed That the Focus of Android Ransomware Operators Cybercriminals, Even Though It Had Been Around for Many Years Before
    TRENDS IN ANDROID RANSOMWARE Authors Robert Lipovský – Senior Malware Researcher Lukáš Štefanko – Detection Engineer Gabriel Braniša – Malware Researcher The Rise of Android Ransomware Contents SUMMARY 2 RANSOMWARE ON ANDROID 2 Common infection vectors 3 Malware c&c communication 3 Malware self-protection 4 ANDROID RANSOMWARE CHRONOLOGY 5 Android defender 5 Ransomware meets fake av, meets…porn 7 Police ransomware 8 Simplocker 9 Simplocker distribution vectors 9 Simplocker in English 10 Lockerpin 11 Lockerpin’s aggressive self–defense 12 Jisut 13 Charger 15 HOW TO KEEP YOUR ANDROID PROTECTED 15 – 1 – The Rise of Android Ransomware SUMMARY RANSOMWARE ON ANDROID 2016 brought some interesting developments to the Android ransomware Ransomware, as the name suggests, is any type of malware that demands scene Ransomware is currently one of the most pressing cybersecurity a sum of money from the infected user while promising to “release” issues across all platforms, including the most popular mobile one a hijacked resource in exchange There are two general categories of malware that fall under the “ransomware” label: Authors of lock-screen types as well as file-encrypting “crypto-ransomware” have used the past 12 months to copycat effective techniques from desktop • Lock-screen ransomware malware, as well as develop their own sophisticated methods specialized • Crypto-ransomware for targets running Android devices In lock-screen types of ransomware, the hijacked resource is access to the In addition to the most prevalent scare tactics used by lock-screen
    [Show full text]
  • General Subtitling FAQ's
    General Subtitling FAQ’s What's the difference between open and closed captions? Open captions are sometimes referred to as ‘burnt-in’ or ‘in-vision’ subtitles. They are generally encoded as a permanent part of the video image. Closed captions is a generic term for subtitles that are viewer-selectable and is generally used for subtitles that are transmitted as a discrete data stream in the VBI then decoded and displayed as text by the TV receiver e.g. Line 21 Closed Captioning system in the USA, and Teletext subtitles, using line 335, in Europe. What's the difference between "live" and "offline" subtitling? Live subtitling is the real-time captioning of live programmes, typically news and sports. This is achieved by using either Speech Recognition systems or Stenographic (Steno) keyboards. Offline subtitling is created by viewing previously recorded material. Typically this produces better results because the subtitle author can ensure they produce An accurate translation/transcription with no spelling mistakes Subtitles are timed to coincide precisely with the dialogue Subtitles are positioned to avoid obscuring other important onscreen features Which Speech Recognition packages do Starfish support? Starfish supports Speech Recognition packages from IBM and Dragon and other suppliers who confirm to the Microsoft Speech API. The choice of the software is usually dictated by the availability of a specific language. Starfish Technologies Ltd FAQ General FAQ’s What's the difference between subtitling and captioning? The use of these terms varies in different parts of the world. Subtitling often refers to the technique of using open captions for language translation of foreign programmes.
    [Show full text]
  • Stuxnet Under the Microscope
    Stuxnet Under the Microscope Revision 1.31 Aleksandr Matrosov, Senior Virus Researcher Eugene Rodionov, Rootkit Analyst David Harley, Senior Research Fellow Juraj Malcho, Head of Virus Laboratory 2 Contents 1 INTRODUCTION ................................................................................................................................. 5 1.1 TARGETED ATTACKS ............................................................................................................................. 5 1.2 STUXNET VERSUS AURORA ..................................................................................................................... 7 1.3 STUXNET REVEALED............................................................................................................................ 11 1.4 STATISTICS ON THE SPREAD OF THE STUXNET WORM ................................................................................ 15 2 MICROSOFT, MALWARE AND THE MEDIA ....................................................................................... 17 2.1 SCADA, SIEMENS AND STUXNET .......................................................................................................... 17 2.2 STUXNET TIMELINE............................................................................................................................. 19 3 DISTRIBUTION ................................................................................................................................. 24 3.1 THE LNK EXPLOIT .............................................................................................................................
    [Show full text]
  • Applying a Framework to Assess Deterrence of Gray Zone Aggression for More Information on This Publication, Visit
    C O R P O R A T I O N MICHAEL J. MAZARR, JOE CHERAVITCH, JEFFREY W. HORNUNG, STEPHANIE PEZARD What Deters and Why Applying a Framework to Assess Deterrence of Gray Zone Aggression For more information on this publication, visit www.rand.org/t/RR3142 Library of Congress Cataloging-in-Publication Data is available for this publication. ISBN: 978-1-9774-0397-1 Published by the RAND Corporation, Santa Monica, Calif. © 2021 RAND Corporation R® is a registered trademark. Cover: REUTERS/Kyodo Limited Print and Electronic Distribution Rights This document and trademark(s) contained herein are protected by law. This representation of RAND intellectual property is provided for noncommercial use only. Unauthorized posting of this publication online is prohibited. Permission is given to duplicate this document for personal use only, as long as it is unaltered and complete. Permission is required from RAND to reproduce, or reuse in another form, any of its research documents for commercial use. For information on reprint and linking permissions, please visit www.rand.org/pubs/permissions. The RAND Corporation is a research organization that develops solutions to public policy challenges to help make communities throughout the world safer and more secure, healthier and more prosperous. RAND is nonprofit, nonpartisan, and committed to the public interest. RAND’s publications do not necessarily reflect the opinions of its research clients and sponsors. Support RAND Make a tax-deductible charitable contribution at www.rand.org/giving/contribute www.rand.org Preface This report documents research and analysis conducted as part of a project entitled What Deters and Why: North Korea and Russia, sponsored by the Office of the Deputy Chief of Staff, G-3/5/7, U.S.
    [Show full text]
  • Speech Recognition Technology for Disabilities Education
    J. EDUCATIONAL TECHNOLOGY SYSTEMS, Vol. 33(2) 173-184, 2004-2005 SPEECH RECOGNITION TECHNOLOGY FOR DISABILITIES EDUCATION K. WENDY TANG GILBERT ENG RIDHA KAMOUA WEI CHERN CHU VICTOR SUTAN GUOFENG HOU OMER FAROOQ Stony Brook University, New York ABSTRACT Speech recognition is an alternative to traditional methods of interacting with a computer, such as textual input through a keyboard. An effective system can replace or reduce the reliability on standard keyboard and mouse input. This can especially assist dyslexic students who have problems with character or word use and manipulation in a textual form; and students with physical disabilities that affect their data entry or ability to read, and therefore to check, what they have entered. In this article, we summarize the current state of available speech recognition technologies and describe a student project that integrates speech recognition technologies with Personal Digital Assistants to provide a cost-effective and portable health monitoring system for people with disabilities. We are hopeful that this project may inspire more student-led projects for disabilities education. 1. INTRODUCTION Speech recognition allows “hands-free” control of various electronic devices. It is particularly advantageous to physically disabled persons. Speech recognition can be used in computers to control the system, launch applications, and create “print-ready” dictation and thus provide easy access to persons with hearing or 173 Ó 2004, Baywood Publishing Co., Inc. 174 / TANG ET AL. vision impairments. For example, a hearing impaired person can use a microphone to capture another’s speech and then use speech recognition technologies to convert the speech to text.
    [Show full text]