
Security of Polish Cyberspace
Annual report 2019 on the activity of CERT Polska

NASK PIB/CERT Polska
ul. Kolska 12, 01-045 Warszawa
tel. +48 22 38 08 274
fax +48 22 38 08 399
e-mail: [email protected]
www.cert.pl

Co-financed by the Connecting Europe Facility of the European Union

"We are more frequently dealing with so-called ransomware infections, i.e. software encrypting data and demanding ransom from the victim."
Przemysław Jaroszewski, Head of CERT Polska, NASK

Table of contents

About CERT Polska .... 6
Introduction .... 7
The most important observations from 2019 .... 9
Calendar of events .... 10
Protection of Polish cyberspace and the activities of CERT Polska .... 12
Handling of reports and incidents and responding to threats .... 12
International exercises and competitions .... 16
Locked Shields 2019 .... 16
European Cyber Security Challenge .... 17
CTF Scene .... 18
SECURE .... 20
The OUCH! newsletter .... 21
Projects .... 21
SISSDEN .... 21
RegSOC .... 23
SOASP and AMCE .... 24
n6 .... 24
mwdb.cert.pl platform .... 25
injects.cert.pl website .... 27
DRAKVUF and DRAKMON .... 28
Forensics .... 29
CyberExchange .... 29
#BezpiecznyPrzemysł .... 30
IoT Tracker .... 31
Security of IoT devices .... 33
Vulnerable routers .... 33
Vulnerable smartwatches .... 34
Publicly available printers .... 35
IoT botnets in Poland .... 36
ENISA research and projects .... 38
Training material .... 38
Study on early detection of incidents .... 39
Domestic threats and incidents .... 41
Disinformation and cybersecurity .... 41
The hunt for an American soldier .... 41
Evacuation involving Dragon 19 exercises .... 42
Dispossession and transfer of real property to German citizens .... 43
Summary .... 44
Ransomware in Poland .... 44
“BLIK” scams involving social media .... 46
Fake stores .... 49
Scams involving popular advertising sites .... 50
Attack on Otomoto.pl customers – text messages and fake payments .... 51
A genuine payment intermediary – Allegro phishing .... 53
Account verification required / negative transaction feedback .... 54
Data breaches .... 55
Warsaw University of Life Sciences .... 55
Virgin Mobile Poland .... 56
Sextortion scam .... 57
Taking over of .pl domains associated with a BadWPAD attack .... 58
What is Web Proxy Auto-Discovery Protocol? .... 58
20 years of BadWPAD! .... 59
DNS Devolution mechanism .... 60
BadWPAD in Poland .... 61
Am I exposed? .... 62
Emotet malware campaigns .... 63
Android malware campaigns .... 66
Genialny Kredyt .... 67
Flash update .... 68
PayU .... 69
InPost .... 70
Polish Police / DHL .... 71
Preventing infection .... 71
Reverse proxy phishing .... 72
Bombing alarms .... 74
Social engineering attacks on points of sale .... 77
Selected worldwide incidents and threats .... 79
Ransomware .... 79
Pegasus .... 81
Malicious applications on Google Play .... 83
Android banking trojan .... 87
Anubis .... 88
Cerberus .... 89
Gustuff .... 90
Ginp .... 91
Preventing infection .... 92
FaceApp controversy .... 93
Shutdown of the Internet in Iran .... 94
Cryptocurrency exchanges .... 96
Liquidation of Bitmarket .... 96
Attack on Binance .... 97
How to trade safely? .... 97
Operation ShadowHammer .... 98
Russian APTs: Turla, Sofacy (APT-28), Dukes (APT-29) .... 99
Asian APTs: Lazarus, APT-41, Platinum .... 101
Selected vulnerabilities .... 104
Vulnerabilities in medical equipment .... 104
CVE-2019-3568 – buffer overflow in WhatsApp used for NSO Group’s malware infection .... 105
Vulnerabilities exploited by Chinese authorities for attack against the Uyghur minority .... 106
CVE-2019-7286 .... 107
CVE-2019-7287 .... 108
CVE-2019-8641 – remote access to a device through iMessage .... 108
Citrix Gateway / ADC and mass exploitation of CVE-2019-19781 .... 110
CVE-2019-0797 vulnerability in Windows .... 111
Statistics .... 113
Limitations .... 113
Botnets .... 114
Botnets in Poland .... 114
Botnet activity broken down by telecommunications operators .... 114
C&C servers .... 115
Phishing .... 118
Services enabling DRDoS attacks .... 119
Open DNS servers .... 121
SNMP .... 122
Portmapper .... 123
NTP .... 124
mDNS .... 125
SSDP .... 126
NetBIOS .... 127
Vulnerable services .... 128
POODLE .... 130
CWMP .... 131
TFTP .... 132
Telnet .... 133
RDP .... 134
BadWPAD .... 135
Vulnerable services .... 136
Analysis of threats in Polish hosting companies .... 138
General threats .... 138
Services enabling DRDoS attacks .... 141
Vulnerable services .... 142

About CERT Polska

Responsibility to maintain a secure network

CERT Polska operates within the structures of NASK – a national research institute which conducts scientific studies, operates the national .pl domain registry and provides advanced IT services. CERT Polska is the first Polish computer emergency response team. Active in the response teams community since 1996, it has become a recognized and experienced entity in the field of computer security. Since its launch, the core of the team’s activity has been handling security incidents and cooperating with similar units worldwide. CERT Polska also conducts extensive security-related R&D.
In 1998 CERT Polska became a member of FIRST, the international forum of incident response teams, and since 2000 it has been a member of TERENA TF-CSIRT, the working group of European response teams, accredited by Trusted Introducer. In 2005, on the initiative of CERT Polska, Abuse FORUM, a forum of Polish abuse teams, was created. In 2010 CERT Polska joined the Anti-Phishing Working Group, an association of companies and institutions that actively fight online crime.

Under the National Cybersecurity System Act (2018), NASK is designated as one of the Computer Security Incident Response Teams (CSIRTs) coordinating the handling of incidents reported by operators of essential services, digital service providers and local governments. In addition, any user can report incidents to CSIRT NASK. NASK also provides the analytical and R&D base for the national cybersecurity system. CERT Polska is responsible for a large part of these tasks.

The main responsibilities of CERT Polska include:
• registration and handling of network security incidents;
• active response in case of direct threats to users;
• cooperation with other CERT teams in Poland and worldwide;
• fulfilment of the obligations specified in the National Cybersecurity System Act;
• participation in national and international projects related to IT security;
• research into methods of detecting security incidents;
• analysis of malware and of systems for exchanging threat information;
• development of proprietary and open-source tools for the detection, monitoring, analysis and correlation of threats;
• regular publication of the annual CERT Polska Report on the security of Polish cyberspace;
• informational and educational activities aimed at raising awareness of IT security,