Annual Report 2018 3


Security landscape of the Polish Internet
Annual report on the activities of CERT Polska 2018

NASK/CERT Poland
Kolska 12
01-045 Warszawa, Poland
phone +48 22 38 08 274
fax +48 22 38 08 399
e-mail: [email protected]

"2018 saw three most common types of incidents – phishing, malware distribution and spam. As a category, phishing stands out the most from other attacks; however, the percentage of such incidents (approx. 44%) remained at a level similar to that noted in 2017."
Przemysław Jaroszewski, Head of CERT Polska

Table of contents

4 Introduction
5 About CERT Polska
6 Highlights from 2018
8 Calendar
10 Protection of Polish cyberspace and actions of CERT Polska
10 Incident handling and responding to threats
14 Changes in the manner of reporting incidents due to the entry of the Act on National Cyber Security System into force
14 What are the individual CSIRTs responsible for?
14 Categorisation of entities
14 Types of incidents in the Act
15 incydent.cert.pl portal
16 Key changes in law
16 Act on the National Cybersecurity System
18 General Data Protection Regulation
18 GDPR and CERTs/CSIRTs
19 International exercises and competitions
19 Cyber Europe 2018
21 Locked Shields 2018
22 European Cyber Security Challenge
23 CTF scene
24 SECURE 2018
25 European Cybersecurity Month
26 Ouch! Bulletin
27 Projects
27 SOASP
27 Cuckoo system development
27 Publishing the MWDB website
27 Publishing n6 under open source licence
28 SISSDEN
30 RegSOC
31 Cyber Exchange
31 Forensics
32 MWDB system
35 National threats and incidents
35 Sextortion scams – "I know your password"
38 Android malware campaigns
38 Flaga Polski (Polish Flag)
39 Bankowość uniwersalna Polska (Polish Universal Banking)
40 LTE 5+ certificate
42 LTE 5.0 Driver Update
43 BZWBKlight
44 Campaign impersonating Niebezpiecznik and Orange
45 InPost
46 Morele.net store data breach
48 Ostap
49 Brushaloader
52 Backswap
53 Danabot
55 Anubis
59 Fake payment provider websites
61 "Payments" Group
62 "Dotpay fr" Group
64 "Nr 3" Group
66 "PayU" Group
66 "2 min." Group
67 DDoS against home.pl
69 Ransomware
70 Unsecured printers in the Polish IP address space
71 SIM card duplication attack
74 Selected incidents and threats from around the world
74 Attacks on modern processors (Meltdown and Spectre)
74 Cache side-channel
75 Spectre
75 CVE-2017-5754: Bounds Check Bypass
75 CVE-2017-5715: Branch Target Injection
76 Meltdown
76 CVE-2017-5754: Rogue Data Cache Load
Newer attack variants
76 Impact of vulnerabilities
76 Meltdown
77 Spectre
77 LoJax
77 Malicious websites
79 IoT botnets
80 Mirai and its variants
81 Hide'n'Seek
82 Torii
82 Situation in Poland
84 Summary
84 VPNFilter
86 Magecart
89 American indictments against APT groups
89 "Troll Factories" – disinformation campaigns
91 APT28 actions against the DNC
93 APT28 and anti-doping agencies
94 APT10 and industrial espionage
95 Summary
96 Olympic Destroyer – an attack against the Winter Games
98 Advanced threats
98 Fancy Bear / APT28
98 Lazarus / BlueNoroff / APT38
100 LuckyMouse / APT27
100 APT10
100 BlackEnergy & GreyEnergy / TeleBots
101 CozyDuke / APT29
102 Turla / Snake
103 Shamoon/Disttrack
106 Statistics
106 Limitations
107 Botnets
107 Botnets in Poland
107 Botnet activity by telecommunication operators
108 C&C servers
111 Phishing
111 Services enabling DRDoS attacks
120 Vulnerable services
121 POODLE
122 CWMP
123 TFTP
124 RDP
125 Telnet
126

Introduction

Ladies and Gentlemen,

2018 brought significant changes in the scope of law and regulations concerning the area of cybersecurity and personal data protection. In May, the General Data Protection Regulation came into force, regulating the processing of personal data and introducing tools for imposing significant financial penalties in the event of a violation. The Act on the National Cybersecurity System, which was introduced in August, was the first Polish act that provided specific roles for entities responsible for ensuring the cybersecurity of the state. Due to this act, NASK PIB was entrusted with tasks related to recording and coordinating response to incidents involving essential service operators, digital service providers, as well as a large part of the public finance sector and natural persons. A significant part of these tasks is carried out by the CERT Polska team. At the same time, the mission of the team remains unchanged – to get to know, understand and quantify the threats faced by Polish Internet users and search for effective methods of preventing, detecting and eliminating these threats.

We consider this additional obligation provided for by the Act not only as a sign of trust and honour, but also as an opportunity to carry out this mission even more effectively, in cooperation with other institutions of the national cybersecurity system and with everyone who is interested in security on the Internet.

This report presents a cross-sectional picture of the activities of CERT Polska throughout 2018. As always, we share numbers regarding users' reports, processed by our operators, as well as those from automated systems aggregated thanks to the n6 platform. In both cases, we supplement the data with our comments on the most important trends and observations. We describe the most interesting novel threats and vulnerabilities, as well as research and implementation projects in which we participate.

We hope you'll enjoy it.

CERT Polska Team

About CERT Polska

The CERT Polska Team operates within the structures of NASK – National Research Institute – an academic entity, national .pl domain registrar and provider of advanced ICT services. CERT Polska was established in 1996 as the very first Computer Emergency Response Team in Poland.

By virtue of its effective operations since 1996, it has become a recognised and renowned entity in the area of computer security.

Since its inception, the core of the team's activity has been handling security incidents and cooperation with similar entities around the world, both in operational activities as well as research and development.

Since 1998, CERT Polska has been a member of the global Forum of Incident Response and Security Teams – FIRST, and since 2000 it belongs to the working group of European Emergency Response Teams – TERENA TF-CSIRT and is accredited by Trusted Introducer.

In 2005, CERT Polska initiated a forum of Polish abuse teams – Abuse FORUM, and in 2010 it joined the Anti-Phishing Working Group, an association bringing together companies and institutions actively fighting to curb on-line crime.

The main tasks of the CERT Polska Team are:
• recording and handling network security incidents;
• detection and analysis of threats targeted in particular at Polish Internet users or threatening the .pl domain;
• active response in case of occurrence of direct threats to Polish Internet users;
• cooperation with other CSIRT teams in Poland and abroad as well as with law enforcement agencies;
• participation in national and international projects related to ICT security;
• research concerning security incident detection methodologies, malware analysis and threat information exchange systems;
• development of tools for detecting, monitoring, analysis and correlation of threats;
• regular publication of the CERT Polska report on security of Polish cyberspace;
• independent analyses and tests of ICT security solutions;
• informational and educational activities aimed at raising awareness concerning ICT security, including:
  »» publishing information about computer security on the cert.pl blog and on selected social media channels;
  »» organising a regular SECURE conference;
  »» specialised training courses.

Highlights from 2018

There is an upward trend in the number of incident reports. In comparison to 2017, the number of recorded incidents grew by 17.5%, with 3,739 total incidents. 75% of these concerned natural persons or private entities.

Three most common types of incidents were phishing, malware distribution and spam. As a category, phishing stands out the most from other attacks; however, the percentage of such incidents (approx. 44%) remained at a level similar to that noted in 2017.

2018 saw significant changes in the legal system in terms of cybersecurity – both the Act on the National Cybersecurity System and the General Data Protection Regulation (GDPR) entered into force that year.

We recorded an almost threefold increase in incidents related to fake on-line stores. A significant increase in the number of reports concerning such cases can be linked not only to the growing popularity of this phenomenon, but also to the growing awareness among citizens.

The scenarios concerning impersonation of payment processors became the most popular type of attacks against on-line banking users in 2018,

also equipped with RAT and ransomware modules.

We are witnessing the evolution of botnets taking advantage of IoT devices. Many versions of malware based on the original Mirai botnet code have emerged, characterised by their customisation for specific devices, discovered vulnerabilities and intended use – DDoS attacks, cryptomining, data theft.

A new dangerous phenomenon is the creation of the VPNFilter botnet, which runs on many home router models and is based on advanced, multi-module malware.

Incidents related to the provisioning of devices such as network printers in public networks are still happening. Poor authentication of those devices, or no authentication at all, makes them an attractive target for attackers.

In 2018, we saw more and more attacks by APT groups from Asia. The dormant, advanced teams, such as APT27/LuckyMouse and WhiteWhale, are back in business. Russian groups dominate the rest in terms of activity, like in previous years.
