Critical Infrastructure

Critical infrastructure – Critical cybersecurity

Critical infrastructure in Germany is currently particularly at risk when it comes to cybersecurity. According to the Frankfurter Allgemeine Sonntagszeitung, 141 successful cyber attacks had been reported by the beginning of November 2020. Of these, 43 were directed at healthcare providers. Last year, the critical infrastructure report listed 121 successful attacks, and in 2018 only 62.

In addition to the healthcare sector, energy and water suppliers, banks, and insurance companies are also affected. In most cases, such incidents are so-called ransomware attacks, which result in a ransom demand for the decryption of data.

Experts cite the crisis resulting from the Corona pandemic as one of the reasons for the increased number of cyberattacks on companies in the so-called critical infrastructure. Medical institutions in particular still have an increased need for action in the area of IT and cybersecurity. At least 15 percent of IT investments should be spent on IT and cybersecurity.

In this article, we have summarized why the healthcare system is so at risk and what exactly such an investment could look like: Viruses in hospitals – Cybersecurity in the Corona pandemic

After all, the same protection scenarios apply to other critical facilities as to the healthcare system.

CRITIS as a worthwhile target

The advance of digitalization also opens up potential security gaps for attackers. While it was initially states that were particularly interested in overriding the security mechanisms of “enemy” states, private groups are now increasingly doing the same. Securing the IT systems of CRITIS operators is not an easy task. On the one hand, these are private-sector companies of various sizes. On the other hand, the IT structures used have a long life cycle, which is why they often do not receive the necessary security updates, or do not receive them promptly. Since 2016, all operators of companies that are part of CRITIS have been required to provide a security proof for their infrastructure every two years. However, considering the frequency with which malicious software is developed, it is strongly recommended that relevant security updates be carried out more frequently and that in-depth preventive measures be initiated to secure your systems.

Protecting the attack target “human” in particular is part of a valid security concept. Technical security measures are often strong, but they do not protect against the actions of the (inexperienced) user. These include falling for phishing attacks, especially so-called spear-phishing campaigns, which make targeted use of social engineering techniques. We therefore recommend regular and in-depth employee training, as well as the establishment of strong multi-factor authentication rules, to protect your system from the human factor in the best possible way.

Webinar

Webinar – Cybersecurity for the “human factor” in medium-sized businesses

Surely you have already encountered the terms “social engineering”, “phishing” or “CEO fraud” and you have a rough idea of the consequences of such attacks on your company. But how do hackers operate? How severe is the threat of Social Engineering for German SMEs? And above all: What measures should you take to increase your cybersecurity?

In our webinar, we will give you an overview of the threats so that you can make a realistic risk assessment. The focus of this webinar will be the human factor, without which cyber attacks today can hardly be performed.

We will show you typical manipulative procedures as well as simple and straightforward measures for prevention and protection. After all, it is important to act proactively to prevent a Cyberattack: That saves you time, money, and nerves!

 

Date: 11.12.2020

Time: 11:00 AM

Place: online

Speaker: Marc Pantalone, Business Development Manager, HWS Informationssysteme GmbH

Register by writing an email to

 

The webinar will be in the German language.

We are looking forward to meeting you!

Mimikatz

Mimikatz – a cute name, but a dangerous Offensive Security Tool

The Windows security tool Mimikatz may have a cute name – but it also has a great potential for damage. It was originally developed to demonstrate the security vulnerabilities of Windows systems, as there is a gap in the authentication process. It quickly evolved from a tool for white-hat hackers to one for black-hat hackers. Nevertheless, even today, admins still use the tool to detect and then close security holes in their own systems. Therefore, Mimikatz is one of the best known Offensive Security Tools (OST), which is freely available as open-source.

How does Mimikatz work?

With the help of Mimikatz, it is possible to read passwords, PINs, and Kerberos tickets from Windows systems, which is why it is often used by malware attackers. For this purpose, Mimikatz uses the Windows single sign-on function, which has the so-called “WDigest” feature. This feature is used to load encrypted passwords and their keys into memory. Companies and other organizations in particular use this feature to authenticate user groups. Although WDigest is disabled by default in Windows 10, anyone with administrative rights can enable it and thus read out the passwords of the user groups using Mimikatz.

This makes the software a powerful tool for hackers

Root access is required to successfully introduce Mimikatz into a system. Once the software is in the system, there are several ways in which Mimikatz can operate:

Pass-the-hash – In earlier versions, Windows saved passwords in a so-called NTLM hash when logging in. Attackers can therefore use Mimikatz to copy this exact hash string and use it on the target computer to log in. The password does not even have to be known for this, since this character string is sufficient for authentication.

Pass-the-Ticket – Newer versions of Windows no longer use an NTLM hash for authentication, but so-called Kerberos tickets. Mimikatz is now able to read this ticket and pass it on to another computer so that you can log in there as this user.

Over-Pass the Hash (Pass-the-Key) – With the help of the key obtained in this way, hackers can pretend to be users who can be accessed via a domain controller.

Kerberos Golden Ticket – A golden ticket gives you domain administration rights for each computer on the network. Perfidious: Golden tickets do not expire.

Kerberos Silver Ticket – Kerberos gives a user a TGS ticket that is used to log on to all services on the network. This is possible because Windows does not check TGS tickets at every login.

Pass-the-Cache – In general, this is the same tactic as a pass-the-ticket attack. However, no Windows system is compromised here, but the stored and entered login data is used on a Mac, UNIX, or Linux system.

To protect your system

Ideally, Mimikatz should not be able to access your system at all. A prerequisite for an initially secure Windows system is an upgrade to Windows 10 (or at least 8.1). If this is not possible, it is at least advisable to disable WDigest manually, although this should probably only be a small hurdle for a skilled attacker. Regardless of the Windows version used, a configuration of the Local Security Authority (LSA) is necessary.
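The two settings named above can be checked with a read-only audit. This is an added example, not part of the original article: it assumes the standard registry locations of the WDigest `UseLogonCredential` value and of the LSA protection value `RunAsPPL` (taken here as the "LSA configuration" the text refers to), and it changes nothing on the host.

```powershell
# Added example: read-only audit of the WDigest and LSA protection settings.
# Assumption: the standard registry locations below; nothing is modified.

$WDigestKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
$LsaKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-RegistryValueOrNull {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-CredentialCachingHardening {
    $os = [System.Environment]::OSVersion.Version
    # Windows 8.1 / Server 2012 R2 (version 6.3) and later keep WDigest
    # cleartext caching off unless UseLogonCredential is set to 1.
    $offByDefault = ($os -ge [version]'6.3')

    $wdigest = Get-RegistryValueOrNull -Path $WDigestKey -Name 'UseLogonCredential'
    if ($wdigest -eq 1) {
        $wStatus = 'FAIL'
        $wNote   = 'Explicitly enabled. Set to 0 and find out who enabled it and when.'
    } elseif ($null -eq $wdigest -and -not $offByDefault) {
        $wStatus = 'FAIL'
        $wNote   = 'Value missing on an OS version where caching is on by default. Set to 0.'
    } else {
        $wStatus = 'OK'
        $wNote   = 'WDigest cleartext credential caching is off.'
    }

    # RunAsPPL = 1 (with UEFI lock) or 2 (without UEFI lock) runs LSASS as a
    # protected process, so ordinary admin processes cannot read its memory.
    $ppl = Get-RegistryValueOrNull -Path $LsaKey -Name 'RunAsPPL'
    if ($ppl -in 1, 2) {
        $pStatus = 'OK'
        $pNote   = 'LSA protection is configured (takes effect after a reboot).'
    } else {
        $pStatus = 'FAIL'
        $pNote   = 'LSA protection is not configured. LSASS memory is readable by administrators.'
    }

    [pscustomobject]@{ Setting = 'WDigest\UseLogonCredential'; Value = $wdigest; Status = $wStatus; Note = $wNote }
    [pscustomobject]@{ Setting = 'Lsa\RunAsPPL';               Value = $ppl;     Status = $pStatus; Note = $pNote }
}

# Run the audit and show the result for this machine.
Test-CredentialCachingHardening | Format-Table -AutoSize -Wrap
```

A `UseLogonCredential` value of 1 on a Windows 10 machine is worth investigating in its own right, since the setting is off by default there and someone with administrative rights must have turned it on.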

Unfortunately, one master admin password for all machines is still common practice in companies today, although this is a well-known security hole. Every Windows machine needs its own unique administrator password. The combination of LSASS and safe mode makes Mimikatz ineffective under the newer Windows versions.

You should also educate your employees about the dangers of phishing emails and limit the use of macros,

Detecting Mimikatz

Detecting Mimikatz is a difficult task since most detection solutions do not work with the software. The only real solution to reliably identify Mimikatz is to specifically examine your own system for it. The use of a manual network monitoring component is therefore highly recommended.

So what to do?

In the end, Mimikatz remains a highly dangerous and efficient tool for hackers that can easily slip past automated security checks. It is therefore the human being’s duty to remain vigilant. Simple security measures such as unique admin passwords for each machine, admin and remote access only where necessary, and multi-factor authentication that does not work with the logic of Windows systems form a strong hurdle.

Black Friday

Black Friday – How Cybercriminals are hunting for your data

It’s the end of November and thus bargains time for most of us: Under names like Black Friday, Black Week, Cyber Week, Cyber Friday – or other creative names – companies are now luring us bargain hunters in the fight for pre-Christmas business. But the bargains not only attract us as consumers but also cybercriminals. And these in turn lure us with “offers” via e-mail or online ads, to elicit our data unnoticed. The British National Cyber Security Centre (NCSC) has now renewed its warning on the occasion of the Shopping Week to be careful when shopping online. Consumers should be particularly careful where they store and what data they disclose when they do so, especially in the rush to buy and find bargains.

Black Friday offers via phishing e-mails

However, this mindfulness begins even before the actual shopping experience, because a phishing e-mail or two can be hidden in the flood of genuine offer e-mails from various providers. Of course, everyone wants to participate in the pre-Christmas business, but these phishing emails are out to get usernames, passwords, or credit card information – for nothing in return, of course. You’d better be wary of offers from merchants you don’t know, or of e-mails that offer direct links to bargain items. In any case, it’s better to manually enter the merchant’s site into the search box to make sure you end up on the right homepage. If it is a real offer from the dealer, you will find it there. Often enough the rule is: If the offer is too good to be true, then it probably is!

More information?! – Then better no information

There is nothing to be said against trying out smaller and unknown retailers and not always buying from the same well-known multinational supplier. But there are a few clues that help to distinguish serious websites from dubious ones. For example, the payment process should be clearly arranged and no personal information should be requested that is not necessary. Additional security details such as a codeword or a secret question may sound trustworthy at first – but they are not at all. During the payment process, you should really not be asked for your mother’s maiden name, your first pet, or your brother’s place of residence. At this point at the latest, you should cancel the purchase process. Ideally, before you have given your bank details.

Check the security of the payment process

Completely different from an unnecessary security query, the question of multi-factor authentication is to be evaluated. Multi-factor authentication serves to identify you as the buyer. Without entering a second factor in addition to the password – usually, a code sent to you by e-mail or SMS – nobody can place an order. This ensures that only those who have access to your e-mail address or your smartphone can carry out this process. However, not all serious online stores offer this: If you want at least a little security, check the address bar of your browser before entering your data. If there is a padlock symbol there, it means that the connection to the merchant is secure. Of course, this does not mean that the dealer is legitimate, but at least the connection is secure.

And if the store asks you to save your payment data, do so only if you are really sure that you want to order there again. Otherwise, storing this information is absolutely unnecessary and only creates another security weakness.

Black(out) Friday and Amazon Phishing Day

A phenomenon similar to the one around Black Friday can also be found on Amazon Prime Day: Here, too, cybercriminals take advantage of an event and the bargaining mood of the customers around it to obtain passwords, credit card data, and the like. In their phishing campaigns, cybercriminals give their fake Amazon site a similar structure to the original and often run similar promotions to the “real” Amazon. These campaigns are especially perfidious because the URLs are also made to come as close as possible to the original and have at least “amazon” in their name. Often the URL is unnecessarily long so that it is not obvious at first glance that this is a completely different page, which seems to belong to Amazon, but is ultimately hosted somewhere else.

You should always be suspicious if you are not supposed to enter a password at Amazon – but other personal information, including your credit or debit card number. Security experts therefore strongly recommend that you always start on the actual page and never from an email link, even for special promotions such as Amazon Prime Day or Black Friday. Also, if you enter your information differently than usual, you may be dealing with a fraudulent fake site. And pay attention to details: Does the page look the way you are used to? Is the shopping cart icon in the same place as usual? Are all pictures in focus? Can you get to the store’s homepage by clicking on the store’s logo? Is continuous navigation in the store possible? Is the URL complete and logical? Only when all these things are correct should you start the payment process.

Cybersecurity in the healthcare system

Data protection and cybersecurity in the healthcare system

The digitalization of our healthcare system is progressing massively: The German federal government is promoting the networking of medical facilities through the so-called telematics infrastructure (Telematik Infrastruktur, TI). As a result of the corona crisis, the need for online communication between doctors and patients has increased. In addition to these developments, the electronic patient file will be introduced in January 2021.

With such networking of our healthcare system, it is time to take a critical look at the security of the systems and thus of our data. The importance of cybersecurity for the protection of patient records is unfortunately demonstrated by those cases in which attackers have succeeded in penetrating an institution’s system, paralyzing it, or – in the worst case – even stealing data records.

There have also been many reports of major attacks on hospital IT worldwide in recent times. However, it should not be forgotten that cyberattacks can affect not only large medical institutions. It also affects small, independent doctor’s offices – such a singular attack can threaten their existence for various reasons. And it also involves risks for us consumers.

Securing IT structures in the healthcare system properly

Basics of secure IT systems

First of all, medical institutions, more than any other, must carefully select and maintain their IT infrastructure. An up-to-date operating system with all relevant security updates, a functioning hardware firewall, and an up-to-date and intelligent anti-virus program should be standard. In addition, there should be regular security updates and, ideally, daily backups that cannot be accessed from the system itself. In this way, facilities can be up and running again quickly in the event of a ransomware attack, and the loss of data in their own systems is at least limited.

But password security is also an important point that all too often gets lost in everyday professional life: For many physicians in private practice, it is necessary to find a compromise between security and practicability, especially because computers at reception or in laboratories may be used by several people. Nevertheless, even these shared passwords should comply with security standards and be renewed regularly. We also recommend the introduction of a practicable multi-factor authentication.

Since this is a sensitive infrastructure, clear rules for IT use in the workplace should also be established: May private mails be checked? Are online purchases or other surfing behavior allowed? May own storage media be brought and used? Are there special devices that are not connected to the doctor’s office network? It is important here to increase awareness of possible security gaps that could arise from this behavior. Employee training courses on cybersecurity, phishing, or social engineering should therefore be held regularly.

Cyber insurance can also minimize the (financial) risks that arise after an attack has taken place. Often good security concepts ensure that the contribution is minimized, and only the compulsion to deal with this topic creates good conditions for the actual implementation of plans.

Increased security thanks to telematics infrastructure (TI)?

With the large-scale introduction of the telematics infrastructure (TI) in German medical doctor’s offices since 2018, the security of the systems was to be further increased. Patient information was to be made available quickly and securely via this secure channel to reduce treatment costs through repeated examinations. However, reports are accumulating that the connection to the network is not as secure as announced.

Which security gaps in TI are described?

Although the TI has been forced to connect to the network, liability in the event of cyber-attacks in particular – and thus for data protection issues – has not been sufficiently clarified. Last year, the IT-expert Jens Ernst from happycomputer already revealed considerable data protection deficiencies when connecting to the telematics infrastructure.

This starts with the way the TI connector is integrated into the network of doctor’s offices. This is where you have the option of choosing between serial and parallel integration. Although serial integration initially requires more installation effort, it offers the advantage that all devices in the doctor’s offices are included in the federal security network. Extra protection on the part of the doctor’s office owners is not necessary according to information of the Gematik. Parallel integration, on the other hand, requires that the physicians make their own efforts to secure their existing systems and devices. This actually only makes sense for larger units that have already integrated many devices into their system before.

Nevertheless, it seems that most units were connected in parallel operation. In this case, the doctor’s office owners themselves would now have to ensure that their own systems were secured. However, many claim that they have not been sufficiently informed about this by their IT provider. Ernst describes that even with the few facilities that have been connected serially, security systems do not function correctly. This is because the firewall of the TI connector in use would not be sufficient to detect an anti-virus test file that he had installed. This means that even in this case there is no security against access by third parties without further security measures. In the vast majority of doctor’s offices, there is therefore no hardware firewall, regardless of how they are integrated. In addition, the virus protection on the computer and the software firewall, which every computer has today, were often switched off.

How can the healthcare system guarantee cybersecurity?

Ernst calls for an open approach to the topic of cybersecurity, which basically rests on three pillars:

  1. A doctor’s office needs a higher security level than just a router, as is often the case today.
  2. Sensitive data should not be sent via a WIFI network. The connector’s LAN network sends data unencrypted; by intruding into the WIFI, it is possible to “listen in”.
  3. Devices that cannot be sufficiently protected due to their design should not be used or operated in a DMZ (Demilitarized Zone).

He also proposes the development of a DMZ in which all TI systems are included. This is currently not even the case for the telematics infrastructure itself. He also criticizes the fact that IT specialists do not need a separate certificate from Gematik to connect the TI. This would ensure that only trained personnel are allowed to carry out the installation and that sufficient educational work is done with the liable physicians.

In summary, Ernst states that the security of all systems can only be guaranteed if the vast majority of surgeries completely remove their computers and devices from the network. Neither the TI connectors nor their own systems would offer any protection whatsoever to safely store consumer data.

As security experts, we too say that security should clearly be the most important starting point for digitization. The security of the systems must be guaranteed before any equipment is connected.

What do you think? Discuss with us.

Cybersecurity in hospitals

Viruses in hospitals – Cybersecurity in the Corona pandemic

The corona pandemic is pushing hospitals and care facilities to their limits. And this also affects the cybersecurity of many facilities. According to Interpol, an increasing number of attacks on the IT network of hospitals has been reported in recent months.

Particularly in the USA, the FBI has been warning since October about increasing cyber attacks on hospitals and the service providers connected to them. At the end of October, various facilities were successfully infected with so-called ransomware. Due to data encryption, the normal operation of the hospitals was no longer possible.

But why do hospitals in particular offer such good targets for cyberattacks?

IoT implementation despite low security standards

Hospital IT is one thing in particular: historically grown. And that is exactly the problem, in two respects. Historical means that sometimes not all operating systems and application structures are state-of-the-art. Often important security updates or patches are missing to protect the systems. At the same time, the technical infrastructure in the healthcare sector is growing rapidly due to the digitalization of various processes.

This affects medical devices that can communicate via IoT, but often also with the office network. The latter is potentially high-risk since an attack on office computers also affects the IoT devices in the background. Portable medical devices that remotely monitor patients’ vital signs could fail under certain circumstances. A cyber attack would therefore be life-threatening for patients.

Also, hospitals are using opportunities for further digital expansion in the area of office IT: new PCs, tablets, or other smart devices are being purchased that can be used to communicate patient data internally. However, these devices may not even be designed for use in a highly sensitive environment such as a hospital and do not comply with data protection laws or cybersecurity standards. Weak points in their security systems are therefore also ideal starting points for compromising the technical infrastructure.

In addition, some institutions are forced to cut costs and often lack the budget for adequate security of their IT systems. Although they invest in the latest technology, they lack the money and know-how for the corresponding security. And sometimes the clinics themselves are not in control of security installations, namely whenever they are connected to third-party providers and their systems. Even if their own IT has very good security standards, this is not necessarily true of external providers.

Cybersecurity – not just a matter of time

Lack of personnel and thus lack of time are unfortunately everyday life in the medical and nursing professions. Often there is not enough time for the actual work – so where do they get the time to deal with cybersecurity? Most people are probably familiar with simple rules such as switching on a lock screen as soon as you leave your desk or checking the sender of an e-mail. But often the necessary time and/or awareness of the dangers involved is lacking in everyday business life. Employee training courses on cybersecurity could help here – if only time and budget were available.

However, increased attention would make sense. Hospitals are public institutions and therefore easily accessible. Even if the measures in the corona period make access more difficult, it should at least be noted that reception in particular poses a potential cybersecurity risk. In an unattended moment, a potential attacker could gain access to the hospital’s IT system and install malware unnoticed on the reception PC via a USB stick.

Also, modern hospitals themselves act as IT service providers. WIFI access is provided for patients and visitors. If the systems are not detached from the actual company network, a potential gateway for hackers is left open.

Increasing the endpoint security of the diverse hospital IT landscape

As you can see, hospitals and other medical facilities already have a diverse IT landscape as a unit. These interwoven areas make the entire IT system vulnerable as soon as a weakness becomes apparent. Due to the sensitivity and criticality of the data and the associated devices and procedures, they require very high security standards. Increasing the endpoint security of KRITIS facilities should therefore be a concern.

A mantra that not only we repeat again and again is the active training of employees, which as an organizational unit belongs to endpoint security: Education creates an awareness of possible sources of danger and how to prevent them. A well set up mail protection is also mandatory for a KRITIS institution.

Besides, Internet access should only be available on those devices that need it. RDP ports (Remote Desktop Protocol) should be secured in such a way that access from outside is not possible. And above all: business-critical areas and the visitor and patient WIFI should not be connected under any circumstances!

And – we can’t repeat this often enough – activate Multi-Factor Authentication (MFA) for all applications connected to business-critical networks. This provides a high hurdle against intrusion by unauthorized third parties and above all against compromising the systems by them.

Work from Home and IT security

Work from home – How to secure your IT remotely

Since the global outbreak of the new SARS-CoV-2 virus in March, our society has faced many challenges. This also affects the way we work and especially where we work. As a result, many companies have suddenly and usually abruptly moved to work at home. According to Bitkom, almost every second employee in Germany was affected by this development. But how well could IT security be guaranteed? And especially: What could we learn from this for the current second wave of home offices?

IT security or smooth operations while working at home?

This shouldn’t be a decisive question, even though reality has shown that this was indeed the case.

Virtually overnight, the employees – and with them the IT they were using – started to work from home. Many companies were not prepared for such changes, since working at home was long considered to be no alternative to on-site presence. It showed that their IT structures were not designed for this situation. In many cases, the business-critical infrastructure was the priority when setting up a remote work environment.

The responsibility for the security of the devices used was thus handed over to the employees. Often, however, the basics for IT security, such as training or the necessary infrastructure for working remotely, were already missing.

A survey of Computerbild shows that basic security measures were also not used: Almost two-thirds of those surveyed stated that they had password protection for their computers and installed virus protection programs. However, only just under half of those surveyed said that there was a separation between privately and professionally used devices. VPN connections and Multi-Factor Authentication (MFA) were also only used by about a third of those surveyed.

At the same time, many companies had highly fragmented security systems that operated as silos. At least at the management level, the Corona crisis has certainly created an awareness of new unified security systems. One solution here would be Managed Security Services (MSS), which offer a security solution for all business areas from a single source. It can be assumed that the costs and benefits of security solutions will be reassessed soon and that companies are prepared to move away from old structures in favor of increased security.

The potential threat to IT security through cyberattacks while working from home

Threat by cyber-attacks

Nevertheless, there is one piece of good news: despite often weak security equipment while working at home, the German Federal Office for Information Security (BSI) initially did not detect an increase in (successful) cyber attacks on companies. However, the feared loss of reputation may also have meant that companies do not let news of such attacks get out. Attempted attacks are therefore more likely not to have been reported and the number of unreported attacks could therefore be significantly higher.

Although the number of attacks has not increased, the topics with which aggressors approach companies and their employees have changed. Malware spam has always used social engineering methods to address people’s fears and worries, but in recent months the new uncertainties in connection with the Corona crisis have been the central topics.

CEO-Fraud / Business Email Compromise (BEC)

CEO-Fraud is not a new concept either, but this phishing tactic was increasingly observed in connection with the Corona crisis. The procedure is always the same: an employee receives a (presumed) e-mail from a superior with the request to accept an appointment invitation via a link, or to transfer a larger sum of money to a specific account. Urgent!

If you are not in constant contact with your manager anyway, then you should be alert. But even in the first case, it’s best to pick up the phone first and have the matter confirmed again. Attackers may have assumed the identity of your manager – with the help of freely accessible data on the Internet and possibly with the help of previous “information campaigns” among internal employees. The latter is particularly true if you are not normally a direct contact for the management level.

Also, check the sender address again: Often, it is not the work e-mail address, but a supposedly “private” one from your employer. But even the official address is not always a guarantee of a genuine e-mail. Your manager’s mailbox may have already been taken over by a malicious software attack, e.g. Emotet. With the help of so-called Outlook harvesting, the attackers have now succeeded in sending deceptively real-looking e-mails to additional recipients.

These measures secure your IT

IT-security working from home

As you can see, in addition to the technical components, the human factor must also be taken into account when securing your IT systems.

Short-term measures such as the strict separation of private and professional devices are a good start for the current situation. In the long term, however, you need a holistic strategy that starts with the choice of the technical solutions used. This concerns VPN clients, cloud applications as well as firewall and anti-virus programs. Ideally, these modules go hand in hand, so that the maintenance effort of your IT infrastructure is reduced.

It is also essential that you become even more aware of the importance of human security risk – and take active measures. This begins with training on phishing, which not only addresses the basic problem but also explains technical aspects. Only then can a basic understanding of the dangers of such attacks be developed.

At the same time, we advise you to introduce improved password security in your company. With multifactor authentication (MFA), users must verify their identity with more than one factor when logging on to different applications or devices. This increases security against unauthorized use by third parties. MFA is especially important for all employees who have administrative or remote access rights to servers and devices of third parties.

Malware

Malware attacks – what you should know about them

Digitization has arrived in all areas of our lives: we use smartphones and smart devices in our private lives every day, as well as business laptops and work computers. The same goes for electronic payment options in supermarkets and for public rail transport. In short, our entire public life has been digitized. This penetration of all our living environments makes our everyday life more comfortable. At the same time, it also makes us vulnerable to cyber-attacks.

Therefore, it must be our goal from the very beginning to protect our technical infrastructure as well as possible from malware and other criminal acts.

Cybercrime in Germany

The Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI) is responsible for IT security at the federal level. In its recently published situation report on IT security in Germany 2020, the BSI states: Cybercrime is directed against private individuals as well as companies, organizations, and institutions. Such attacks are often aimed at tapping personal data and deriving financial benefit from the information gained.

User’s responsibility – the human factor as the greatest risk factor for your IT security

The maintenance of your hardware and software is up to you. As the user, you must therefore check your own actions: next to missed software updates, interaction with malicious e-mails or websites is still THE security gap in your IT system. To successfully install a malicious program on a device, the (active) help of the user is often required, for example a careless click on a link or e-mail attachment that initiates the installation. In the worst case, all this happens without you as the user noticing anything.

Two terms that we often encounter in cyberattacks are phishing and social engineering. So-called phishing e-mails are fraudulent e-mails that serve to induce the recipient to commit self-harming acts. To achieve this, the attackers use social engineering techniques. This means the use of psychological tricks, such as exploiting fears, compulsions, or emergencies, to achieve either the direct disclosure of passwords and access data or the installation of malware through clicks.

Unfortunately, such e-mails are getting better and better, and even trained users can no longer necessarily recognize them as such at first glance. The unknown, missing, rich relative from the most absurd parts of the world has been replaced by deceptively real-looking e-mails, e.g. from PayPal, which try to “fish” out the passwords and credit card data of the users.

Even bad grammar and incorrect vocabulary are hardly found in modern and well-designed malware spam. And, particularly perfidious, according to the BSI even an HTTPS link is no longer a guarantee of security: in about 60% of registered malware spam in 2019/20, HTTPS links are already in use. Although the security certificate is supposed to identify secure homepages, it can be obtained free of charge on the Internet, regardless of whether the content is safe for the consumer.

You should know this kind of malware

According to the BSI, last year (June 2019 – May 2020) an average of around 322,000 new malware variants were created every day. Malicious programs are all programs that are harmful in themselves or that can enable other programs to cause damage. A variant is created by further developing existing malware. It is particularly dangerous in the beginning, as anti-virus programs may not yet be able to recognize it as a danger.

Ransomware

Ransomware is malware that prevents access to local data or a network. The aim is usually the extortion of ransom money to unlock the data. Another extortion method is the threat of successive publication of sensitive data on the Internet if payment is not made.

Ransomware is usually distributed via links or attachments in e-mails. To get the user to act, the distributors rely on advanced social engineering methods and, in particular, exploit professional constraints.

Ransomware also deliberately exploits weaknesses in remote maintenance and VPN access to penetrate deeper into a company network. According to the BSI, the targets in the last investigation period were especially company networks of financially strong and medium-sized companies. These include, for example, special suppliers for the automotive industry, the financial and health sector, and the aviation industry.

The damage caused by such attacks, both financially and in terms of reputation, is enormous. Only very few companies are sufficiently protected against ransomware attacks. It is worthwhile to develop and test preventive plans for possible ransomware attack scenarios in advance.

Emotet – a multi-level malware of new quality

Emotet is a good, but at the same time extremely harmful, example of the further development of existing malware. According to the BSI, this software has been reappearing more frequently since September 2019 and accounts for the majority of malware attacks. The malware combines various attack strategies and in its current form can read e-mail contents and generate further spam e-mails using the information gained.

This is particularly dangerous and not necessarily easy to detect even for sensitized users, as the spam e-mails generated in this way come from real and known accounts. Emotet uses advanced social engineering methods for initial and further infection via e-mail. Once it is installed, the account data is used to infect further mail accounts in the manner of a pyramid scheme. The spying on the mail account, also known as Outlook harvesting, enables the program to send deceptively realistic-looking reply e-mails from the victim to other accounts. This is usually completely automated.

In addition to expanding the infection network, Emotet infects the system further by downloading additional malware. For the past year, the BSI has mainly reported on Trickbot, a software that can spy on and sabotage the system. Trickbot can penetrate the user’s Active Directory and read out all user data and administration rights on the domain controller. In addition, Trickbot enables attackers to actively access the system, to create new administration rights, or to create backdoors with the help of which information can be forwarded to the attackers unnoticed, even over a longer time.

In the last step, attackers use the information obtained to access the system manually and deploy ransomware (usually Ryuk). Here, the same methods are used as in a classic ransomware attack.

Prevent malware infections

A first important step towards preventing such attacks is targeted employee training on phishing as well as social engineering. This ensures that these issues receive enough awareness in your company. At the same time, improved backup structures with more frequent and so-called offline backups (i.e. backups that cannot be deleted or changed from the network) are part of a preventive plan against cyberattacks, especially ransomware attacks. These ensure that you are quickly operational again in the worst case.

In addition, reducing externally accessible systems to a minimum and segmenting the internal networks appropriately provide a further level of security. To prevent a deeper infection of your systems, you should also consider an increased requirement for password security with multifactor authentication (MFA), especially for administrators and those who have remote access rights. You should also reduce their number if possible. Regular and prompt updates of all operating systems, server software, and application software also increase the basic security of the systems.