Threats in Polish networks – CERT Polska 2014 report (English version)

25 May 2015 piotrk

Today, we published the annual CERT Polska report in its English version. This report presents the most important trends and observations that we think shaped Polish cybersecurity in 2014. This includes new, upcoming threats, their evolution and our responses to them.

In 2014 CERT Polska continued its efforts to improve the security of Internet users in Poland and worldwide. Last year our efforts focused on botnet mitigation, especially where these botnets used .pl domains for command and control services. Our actions made cybercriminals limit their use of the .pl TLD, and we observed misuse of .pl domains much more rarely. However, there are cases in which the Domain Name Tasting service (short-lived domain registration) is used for Exploit Kit deployment.

The most severe threat to Polish cyberspace users was (and still is) banking trojans. In 2014, we observed the rise of the Tinba, VMZeuS, Kronos and IFSB families. All of the mentioned malware uses so-called “webinjects”: small snippets of (usually JavaScript) code that are injected into the online banking website to perform specific tasks, such as using social engineering to steal one-time passwords. Webinjects also played another role: they were served when a home router was hacked and had its DNS servers changed. Due to this change, an affected user connected to the online banking website through the cybercriminals’ proxy, which in turn injected JavaScript code into the website.

Last year we also observed an increase in APT attacks, some of which targeted Poland: examples include APT 28, Dragon Fly and Black Energy 2. However, these operations are much broader than Poland alone, which remained one of many targets rather than the primary one.

An interesting new category of malware threats made its debut: malware that changed the bank account number either in the Windows clipboard (VBKlip) or in the browser’s memory (Banatrix). There is some evidence that the authors of this malware are fluent in Polish, and for that reason we decided to analyze this malware further.

Security vulnerabilities in basic network protocols, their implementations or other popular tools formed another part of the cybersecurity landscape in 2014. Cybercriminals continue to use misconfigured network services such as DNS or NTP to launch DDoS attacks. Data from our n6 platform provides a good estimate of the rate at which these vulnerabilities and misconfigurations are fixed by Polish network operators.

The statistical analyses presented in this report are largely based on the data contained in the n6 platform. It aggregates over 50 different sources of information coming from over 30 different companies and groups from all over the world. This data, combined with our own sources, enables us to present this unique analysis of the state of security of Polish networks in 2014.

You can download the full English language report here.

The original Polish report, published April 21st is available here.

Malware attack on both Windows and Android

22 May 2015 Łukasz Siewierski

On the 7th of May, 2015 we observed a new malicious e-mail campaign, which used the logo and the name of the Polish Post Office (“Poczta Polska”). The e-mails supposedly informed the recipient about an undelivered package; however, they also included a link which, after several redirects, led to the download of a malicious file. This file was either a Windows executable or an Android APK file (depending on the presented User-Agent string).

The e-mails were similar to the one presented below.


SECURE 2015 – Call for Speakers

8 May 2015 przemek

Call for Speakers for SECURE 2015 is now open. If you have an interesting topic and would like to share your ideas with a crowd of Polish and international IT security specialists, and/or are looking for a good reason to visit Warsaw, Poland, please consider submitting your proposal. You will find all applicable information below.


DGA botnet domains: malicious usage of pseudo random domains

6 May 2015 piotrb

Polish Team Wins 3rd Place in NATO Locked Shields Exercise

28 April 2015 alex

Threats in Poland 2014 – CERT Polska report

21 April 2015 piotrk

DGA botnet domains: on false alarms in detection

17 April 2015 piotrb