Category: Posty

Incidents and incident reports in 2018

Date of publication: 15/03/2019, przemyslawf

Publication of our annual report is coming soon. Editing is moving forward at full speed, but in the meantime we’d like to share some statistics concerning 2018. This statistics provide a big bicture of an IT security landscape in Poland and as well conclusions about major trends in this area. For many years already CERT Polska has incorporated eCSIRT.net incident classification (now, the sixth version marked as mkVI)1, which defines pretty well different incident categories.

In 2018 operators of CERT Polska received 19439 incident reports. We carefully analyzed and categorized all of them. Among these reports, 5675 were the reason to register incident. Our team created 3739 security incidents, what gives on the average over 10 incidents created daily. The remaining a dozen or so reports not assigned to any incident were irrelevant or can be considered as automatic alerts sent from several alerting systems. In case of the latter our activities were connected with supplying our n6 platform2 and other analytic tools as well.

Often, one incident can be connected with many incident reports, e.g. three different entities report the same phishing site.

In the table below we present incidents handled by our team, divided into categories according to eCSIRT.net classification.

Category Incidents %
Abusive Content 431 11,53
Spam 419 11,21
Harmful Speech 5 0,13
Child/Sexual/Violence/… 0 0
Unclassified 7 0,19
Malicious Code 862 23,05
Virus 4 0,11
Worm 0 0
Trojan 117 3,13
Spyware 0 0
Dialer 1 0,03
Rootkit 1 0,03
Unclassified 739 19,76
Information Gathering 101 2,7
Scanning 80 2,14
Sniffing 1 0,03
Social Engineering 7 0,19
Unclassified 13 0,35
Intrusion Attempts 153 4,09
Exploiting of known Vulnerabilities 30 0,8
Login attempts 37 0,99
New attack signature 0 0
Unclassified 86 2,3
Intrusions 125 3,34
Privileged Account Compromise 11 0,29
Unprivileged Account Compromise 21 0,56
Application Compromise 35 0,94
Bot 4 0,11
Unclassified 54 1,44
Availability 49 1,31
DoS 7 0,19
DDoS 35 0,94
Sabotage 0 0
Outage (no malice) 1 0,03
Unclassified 6 0,16
Information Content Security 46 1,23
Unauthorised access to information 21 0,56
Unauthorised modification of information 13 0,35
Unclassified 12 0,32
Fraud 1878 50,23
Unauthorized use of resources 1 0,03
Copyright 8 0,21
Masquerade 43 1,15
Phishing 1655 44,26
Unclassified 171 4,57
Vulnerable 69 1,85
Open for abuse 14 0,37
Unclassified 55 1,47
Other 25 0,67

Table 1. Incidents handled by CERT Polska, divided into eCSIRT.net categories

 

In 2018 CERT Polska created 17,5% more incidents comparing to 2017. Most of them were categorized as phishing, malware or spam. According to the data from 2017 we observed slight change on the podium in that infamous ranking, because then the first three places went as follows: phishing, malware, intrusions. Proportion of phishing incidents remained on similar level comparing to 2017 and reached 44%, which was firmly dominant result above remaining categories. Most popular scenarios were connected with phishings on foreign servers targeting Polish financial institutions (mostly banks). Another popular scenarios were related to phishings targeting services like Netflix or PayPal served from compromised Polish servers. Leading theme behind those attacks was premium users’ credentials theft or simply stealing money from internet bank account. Many scenarios concerned also selling goods on advertisement websites at the attractive prices. Main objective of these operations was to persuade users to enter sensitive data on fake websites, impersonating online payment platforms like Dotpay or PayU.

 

impersonating online payments

Website impersonating online payment platform

 

In 2018 we also observed fake online shops business, which has been visibly developed by some actors. In last year number of incidents related to fake online shops tripled, comparing to 2017. At this point, we’d like to thank all users aware of this kind of threat, who report about such activities more often and more eagerly every year. Attackers tried to find as many victims as possible, e.g. by advertising their shops in social media and popular search engines, where they were optimizing their shops’ position on the list of search results.

 

an example of fake online shop

An example of a fake shop “offering” electronics at the attractive prices

 

The second most popular category of incidents was malware. It’s a broad category with many subcategories, but usually we marked incidents related to malware as “unclassified”. Firstly, because in many scenarios more than one malware family was used, incorporating variety of methods and attack techniques. Secondly, we registered significant number of incidents concerning ransomware, which unfortunately don’t have its own category in eCSIRT.net classification. In that aspect the classification isn’t perfect yet, but we hope that in the next revision it will be updated.

A vast number of malware incident reports was related to attacks on Polish users. Popular scenarios concerning emails with fake invoice, delivery details or claim for payment (or additional payment) continued spreading in different versions. These emails usually contained malicious attachment as a script, document with macros or link leading to some website distributing malware (e.g. banker or mobile banker app, depending on User-Agent HTTP header).

 

email with malicious attachment

Email with malicious attachment pretending to be an invoice

 

This year for the first time we publish classification of incidents divided into Polish economy sectors. You can find detailed information in the table below. At a glance significant number of incidents is marked as Other (3 out of 4 incidents were classified to this category). These were mostly incidents concerning individuals or private entities. Next places in the classification belong to banking sector and public administration. Total number of the latter was little, comparing to the Other category. We are aware that presented classification is far from ideal. However, we had created this classification before CERT Polska has been designated as one of the three national-level CSIRTs under National Cybersecurity System law. Now, when the law is in force, we’ll be able to specify categories of this classification to reflect security of different economy sectors in a better way.

Sector Incidents %
IT infrastructure 29 0,78
Public health care 13 0,35
Banking 643 17,2
Other financial institutions 62 1,66
Energy industry 20 0,53
Transport 51 1,36
Public administration 85 2,27
Water supply 2 0,05
Other 2834 75,8
Total 3739 100

Table 2. Incidents handled by CERT Polska divided into Polish economy sectors

 

More conclusions you’ll find in our annual report (coming soon). You’re warmly welcomed to follow CERT Polska’s blog and our profiles in social media to be up-to-date with latest news concerning publication of our report.

Network traffic periodicity analysis of dark address space

Date of publication: 01/08/2016, piotrb

Network traffic directed to dark address space of IPv4 protocol can be a good source of information about current state of the Internet. Despite the fact that no packets should be sent to such addresses, in practice various traffic types can be observed there, for example echoes of Denial of Service (DoS) attacks, automated port scanners or misconfiguration of some client software. Example of a DFT plotOften the packets are sent periodically, i.e. in regular intervals. This periodicity can be analyzed by applying the Discrete Fourier Transform (DFT) to the network traffic. Our report shows how such analysis can be performed and also its results. You can read the report here.

Dorkbot botnets disruption

Date of publication: 04/12/2015, CERT Polska

CERT Polska has partnered together with Microsoft, ESET and law enforcement agencies including US-CERT/DHS, FBI, Interpol and Europol in activities aimed at disrupting of the Dorkbot malware family. This disruption – which includes sinkholing of the botnet’s infrastructure – took place yesterday. Dorkbot is a well-known family of malware, operating somewhat under the radar since 2011. Its main objective is to steal data (including credentials), disable security applications (such as antivirus programs), and to distribute other types of malware. According to early estimates, Dorkbot has infected at least one million PCs running Windows worldwide last year, with an average monthly infection size of about 100,000 machines. Polish users were among the targets.
Read more

The Postal Group

Date of publication: 14/10/2015, Łukasz Siewierski

During SECURE conference we have presented our findings about criminal group, which we called “Postal Group” (“Grupa pocztowa”) based on theris modus operandi. Detailed research regarding the group have been gathered in the form of report available under the link below.Read more

GMBot: Android poor man’s “webinjects”

Date of publication: 02/10/2015, Łukasz Siewierski

maldroidRecently, we obtained a sample of a new Android banking trojan, named GMBot, which tries to be self-contained (i.e. does not need Windows counterpart) and uses application overlay as a poor man’s webinjects substitute. This malware uses known and common techniques, but implements them in a way similar to the webinject-based malware known from Windows OS. This bot’s old source code, written in Java, was also available on a Google-indexed Russian file sharing website. While we want to stress out that GMBot does not do Android webinjects, it is hard not to draw a parallel between webinjects infrastructure and what GMbot does. Is this a glimpse in the future of mobile banking trojans?
Read more

How non-existent domain names can unveil DGA botnets

Date of publication: 01/10/2015, piotrb

dga_icon

Domain Generation Algorithms are used in botnets to make it harder to block connections to Command & Control servers and to make it difficult to takeover botnet infrastructure. The main objective of these algorithms is to generate a big number of different domain names which usually look random, like

<span class="text">pkjdgjwzcr.pl</span>

. Only some of them are registered by a botmaster, however compromised hosts tend to query all of them until they find a working domain. As a result bots can receive a big number of non-existent domain name responses (in short: NXDomain). In this entry we will show how such behavior can be utilized to detect DGA botnets using examples of different detection methods.
Read more

Smoke Loader poses as an Office plugin

Date of publication: 27/08/2015, Łukasz Siewierski

loveletter1

Zaufana Trzecia Strona – a Polish security news portal – informed about a new attack on Polish user’s (link is in Polish) that used a Microsoft Office plugin install wizard as a decoy. In reality, the user not only installed the plugin, but also a malware called Smoke Loader. It allows the attacker to gather information about the infected machine and, among other things, redirect its DNS queries. We wrote an article about that malware, when we were informing about the infected sites in the gov.pl domain. Here we describe some features of Smoke Loader that seem new to us.
Read more

CyberROAD – Invitation to participate in project surveys #2 & #3

Date of publication: 24/07/2015, CERT Polska

CyberROAD

CERT Polska along with 19 other partners from 11 countries have joined forces for CyberROAD – a 7FP project aimed to identify current and future issues in the fight against cyber-crime and cyber-terrorism in order to draw a strategic roadmap for cyber security research. A detailed snapshot of the technological, social, economic, political, and legal scenario on which cyber crime and cyber terrorism do develop will be first provided. Then, cyber-crime and cyber-terrorism will be analyzed in order to indentify research gaps and priorities.

Read more

Slave, Banatrix and ransomware

Date of publication: 03/07/2015, Łukasz Siewierski

loveletter1In March 2015, S21sec published their analysis of the new e-banking trojan horse targetting Polish users. They named it “Slave”, because such a string was part of a path to one of the shared libraries. We think (in part thanks to the kernelmode.info thread) that Slave was made by the same group of authors that are responsible for previously described Banatrix and a ransomware/Android malware campaign. This means that those authors are most certainly fluent in Polish.

Read more