The New Year has brought more solutions to improve the security of the Polish Internet. One of them is Artemis, a tool developed by the CERT Polska team and initiated by the KN Cyber science club of Warsaw University of Technology. Artemis was designed to look for website misconfigurations and vulnerabilities on a mass scale. We use it to verify the infrastructure of entities for which, according to the National Cyber Security System Act, incident handling is coordinated by CSIRT NASK.
How does Artemis work?
Artemis scans services exposed to the Internet to look for common vulnerabilities and configuration errors. Regular scanning of entities that fall under the constituency of CSIRT NASK, such as schools, hospitals, or local authorities, allows us to monitor and improve their cybersecurity. This is important because of the nature of these organizations – they are used by citizens on a daily basis and any incidents affect them as well.
The scan results are not shared publicly – they are forwarded directly to the administrators of the systems in question. The data is then used to address the vulnerabilities and to detect similar issues in other parts of the infrastructure. As part of the scanning process, CERT Polska also verifies whether the identified vulnerabilities were fixed correctly.
One important aspect of the tool is that it enables administrators to easily recognize the scanning activity as conducted by CERT Polska. This helps minimize unwanted side effects, such as needless incident response to what is in fact a coordinated scan. All relevant information is available to administrators on a dedicated page: https://cert.pl/skanowanie/.
The scanning results, aside from improving the security of a specific entity, help us to create a better view of the current cybersecurity landscape and designate our resources where they are needed the most at the moment.
Why do we need it?
Since the introduction of the National Cybersecurity System Act (an act that implements the NIS directive), CERT Polska has been tasked with some of the responsibilities of CSIRT NASK – one of the three national-level CSIRTs. Our responsibilities include:
- monitoring of cyber threats and incidents on the national level;
- relaying information about incidents and risks to other entities of the National Cybersecurity System;
- conducting advanced malware and vulnerability analyses;
- monitoring cyber threat indicators;
- development of tools and methods that support the detection and mitigation of cyber threats;
- conducting activities that improve cybersecurity awareness;
- creation and sharing of tools that facilitate cooperation and data exchange regarding cyber threats and incidents.
Artemis is therefore another means of fulfilling these responsibilities. At the same time, it allows us to effectively help secure entities that are targeted by criminals and state actors.
Who benefits from it?
In accordance with the National Cybersecurity System Act, CERT Polska focuses on supporting entities such as:
- research institutes,
- local government units.
The organizations are not chosen at random – we want our efforts to cover as much of our constituency as possible. We use publicly available databases of entities of a specific type, e.g. schools and universities, to gather information about the domains they use and their contact details.
We use a single IP address to conduct the scans. The tool works in a way that allows administrators to easily confirm that a given request was initiated by us. Vulnerability reports are sent from the email address [email protected]. All of these steps aim to ensure that our activity is not mistaken for malicious traffic.
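The attribution step described above, from the administrator's side, as an added example that is not part of the original post or of Artemis itself: parse a web server access log in the combined format, separate requests that came from the published scanner address from everything else, and list which of the scanner's requests actually succeeded (those are the exposures worth fixing first). The scanner IP below is a TEST-NET placeholder, not the real address, which CERT Polska publishes on https://cert.pl/skanowanie/; the log lines and the user-agent strings are constructed for the example.

```python
import ipaddress
import re
from collections import Counter

# Placeholder only: the real scanning address is published by CERT Polska at
# https://cert.pl/skanowanie/ . 192.0.2.10 is a documentation (TEST-NET-1) address.
CERT_PL_SCANNER_IP = "192.0.2.10"

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample log, not real traffic. User-agent strings are made up.
SAMPLE_LOG = """\
192.0.2.10 - - [02/Jan/2023:10:00:01 +0100] "GET /.env HTTP/1.1" 404 153 "-" "example-scanner"
192.0.2.10 - - [02/Jan/2023:10:00:02 +0100] "GET /backup.zip HTTP/1.1" 200 10240 "-" "example-scanner"
198.51.100.7 - - [02/Jan/2023:10:00:03 +0100] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [02/Jan/2023:10:00:04 +0100] "GET /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.9 - - [02/Jan/2023:10:00:05 +0100] "GET /.git/config HTTP/1.1" 403 199 "-" "curl/7.88"
"""


def parse_log(text):
    """Yield one dict per well-formed combined-format line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def split_by_source(text, scanner_ip=CERT_PL_SCANNER_IP):
    """Separate requests from the known scanner address from all other sources.

    Returns (scanner_hits, other): scanner_hits is a list of (path, status) for
    the scanner's requests, other is a Counter of request counts per other IP.
    """
    scanner = ipaddress.ip_address(scanner_ip)
    scanner_hits = []
    other = Counter()
    for rec in parse_log(text):
        try:
            src = ipaddress.ip_address(rec["ip"])
        except ValueError:
            continue  # unparsable source field; ignore
        if src == scanner:
            scanner_hits.append((rec["path"], int(rec["status"])))
        else:
            other[rec["ip"]] += 1
    return scanner_hits, other


def exposed_findings(scanner_hits):
    """Paths the scanner fetched with a 2xx status: resources that are really reachable."""
    return [path for path, status in scanner_hits if 200 <= status < 300]


if __name__ == "__main__":
    hits, others = split_by_source(SAMPLE_LOG)
    print("scanner requests:", hits)
    print("reachable resources found by the scan:", exposed_findings(hits))
    print("requests from other sources:", dict(others))
```

Matching on the source address alone is deliberate: a user-agent string can be set by anyone, whereas the published address is what the page offers administrators as the way to confirm that a request was initiated by CERT Polska. Requests from any other source that probe the same paths should be handled as ordinary suspicious traffic.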
What has been achieved so far?
The scanning process began on the 2nd of January and has already produced results. We have scanned close to 2000 domains and subdomains of local governments and detected a few hundred websites running outdated software. We have also dealt with numerous cases where configuration files containing passwords, backup archives and data records were publicly accessible. In addition, we found a few dozen incorrectly configured directories that exposed the page source code and, in some cases, access credentials.
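The three classes of findings listed above (configuration files with passwords, backup archives and data dumps, and directories that expose their contents) share one root cause: material sitting inside the web server's document root that was never meant to be served. The following self-audit, added here as an example and not taken from Artemis or from CERT Polska, walks a document root on the server itself and reports such material before anyone fetches it over HTTP. The file-name patterns and the sample document root are assumptions constructed for the example.

```python
import os
import tempfile
from pathlib import Path

# Patterns matching the kinds of findings described above. This list is an
# assumption of the example, not Artemis's rule set; extend it for your stack.
SENSITIVE_NAMES = {".env", ".htpasswd", "wp-config.php.bak", "config.php.bak", "config.php~"}
SENSITIVE_SUFFIXES = (".bak", ".old", ".orig", ".sql", ".sql.gz", ".zip", ".tar.gz", ".7z", ".rar")
VCS_DIRS = {".git", ".svn", ".hg"}
INDEX_FILES = {"index.html", "index.htm", "index.php"}


def audit_webroot(root):
    """Report what a web server would expose if it served everything under root.

    Returns a dict of sorted relative paths:
      sensitive_files  - secrets, backups and dumps by name/suffix
      vcs_dirs         - version-control metadata (leaks source and history)
      listable_dirs    - directories without an index file (listed if autoindex is on)
    """
    root = Path(root)
    findings = {"sensitive_files": [], "vcs_dirs": [], "listable_dirs": []}
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = Path(dirpath).relative_to(root)
        for d in list(dirnames):
            if d in VCS_DIRS:
                findings["vcs_dirs"].append(str(rel_dir / d))
                dirnames.remove(d)  # report once, no need to descend into it
        if not INDEX_FILES & set(filenames):
            findings["listable_dirs"].append(str(rel_dir))
        for f in filenames:
            if f in SENSITIVE_NAMES or f.lower().endswith(SENSITIVE_SUFFIXES):
                findings["sensitive_files"].append(str(rel_dir / f))
    return {k: sorted(v) for k, v in findings.items()}


def build_sample_webroot():
    """Constructed document root reproducing the finding types discussed above."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    (root / "index.php").write_text("<?php echo 'hello'; ?>\n")
    (root / ".env").write_text("DB_PASSWORD=constructed-example-only\n")
    (root / "backup").mkdir()
    (root / "backup" / "site-2023-01-02.sql.gz").write_bytes(b"\x1f\x8b constructed")
    (root / "uploads").mkdir()
    (root / "uploads" / "logo.png").write_bytes(b"\x89PNG constructed")
    (root / ".git").mkdir()
    (root / ".git" / "config").write_text("[core]\n")
    (root / "assets").mkdir()
    (root / "assets" / "index.html").write_text("<!doctype html>\n")
    return root


if __name__ == "__main__":
    sample = build_sample_webroot()
    for kind, paths in audit_webroot(sample).items():
        print(f"{kind}: {paths}")
```

Anything the audit reports should either be moved outside the document root (backups and dumps have no business there at all) or explicitly denied in the web server configuration; directory listing is best disabled globally rather than fixed one directory at a time, since a new upload folder without an index file recreates the problem.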