DDoS attack on vaccination portal

At the end of December, vaccination against the COVID-19 virus began in the European Union; it has now become known that a cyberattack on the vaccination portal of the Association of Statutory Health Insurance Physicians in Thuringia and the Thuringian Ministry of Health had already occurred in December. This was probably a so-called DDoS (Distributed Denial of Service) attack. As the vaccination center announced, the servers were overloaded by a high number of requests and collapsed as a result. Booking vaccination appointments via the site was therefore initially not possible.

What is a DDoS attack?

This form of cyberattack is an attempt to paralyze a server, a website, or even just parts of a website. For this purpose, countless (and pointless) requests are sent to the respective server within a very short time. How many requests are necessary depends on the server’s capacity. In Thuringia, about 158,000 requests were necessary.

The requests are usually sent by a mixture of botnets and reflectors. A botnet consists of infected devices that the attacker controls directly by means of malware. These “zombie” computers send connection requests with a falsified sender address to other computers, the so-called reflectors, which do not have to be infected themselves: the attackers simply exploit the fact that modern networked devices answer the queries they receive. In this way the attackers get by with a comparatively small botnet and also cover their tracks, since devices that were never compromised now contribute to the attack as well.

Who is the target of DDoS attacks?

The good news first, if you will: private individuals are not the target of such attacks. They usually target large websites and opinion leaders – but also, as the current case shows, the healthcare sector, governments, or banks: in other words, important and critical infrastructure. This is why some security experts place DDoS attacks in the realm of digital warfare, since they can paralyze critical civilian networks and thus harm society.

It is important to note, however, that a DDoS attack does not primarily have monetary goals. Often it is a protest against a site whose political stance the attackers disagree with, or simply an attempt to prove that one has the skills to carry out such an attack. These attacks become really critical when crippling the site is not the primary goal but a distraction, while other actions are running in the background: the visible disruption makes it easier to cover up a more serious intrusion. If critical infrastructure is affected, a ransom demand may also follow, in exchange for releasing the server so that it can be up and running again as quickly as possible.

For the current case, however, the background of the act is not further known.

How can you protect yourself from a DDoS attack?

Since you as a private individual are not the primary target of such an attack, the sobering answer is: very little to nothing. Your primary goal should nevertheless always be to protect your PC as well as possible against malware being installed, because that is how you at least prevent your own devices from becoming part of a botnet. So always update the antivirus software on the devices you use in a timely manner. The router also plays an important role in protecting your network and should therefore always be up to date. The same applies to your passwords: wherever possible, set up modern password protection with multifactor authentication. A password manager can help you keep track of your passwords.

As a web administrator, you do have options for defending against such attacks. For example, if you notice an unusual data stream in time, you can redirect it to a “black hole” (a null route to a non-existent destination, where the traffic is simply discarded). A bandwidth management tool as well as good antivirus software can help you fend off simple DDoS attacks in advance. The last option is to rent more bandwidth to ensure availability despite high traffic. For your users, unfortunately, the only option is to wait until your service is available again.
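The “unusual data stream” mentioned above is easiest to spot in the web server's access log. As an added example (not code from the original article or from the Thuringian portal), the following Python counts requests per minute and per source over constructed Common Log Format lines and flags windows that exceed a threshold; the IP addresses, timestamps and threshold are all made up for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Common Log Format: client - - [timestamp] "request" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) \d+')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (client_ip, timestamp, request, status) or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, req, status = m.groups()
    return ip, datetime.strptime(ts, TS_FMT), req, int(status)

def bucket_requests(lines, window_seconds=60):
    """Count requests per client IP inside fixed time windows."""
    buckets = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than crash the monitor
        ip, ts, _, _ = parsed
        window_start = int(ts.timestamp()) // window_seconds * window_seconds
        buckets[window_start][ip] += 1
    return buckets

def detect_flood(lines, window_seconds=60, total_threshold=100, top_n=3):
    """Alert on windows over the threshold; many sources with few requests each
    points to a distributed flood that per-IP blocking alone will not stop."""
    alerts = []
    for start, per_ip in sorted(bucket_requests(lines, window_seconds).items()):
        total = sum(per_ip.values())
        if total >= total_threshold:
            alerts.append((start, total, len(per_ip), per_ip.most_common(top_n)))
    return alerts

def make_line(ip, ts, path="/booking"):
    """Build a constructed log line in Common Log Format for the sample data."""
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "GET {path} HTTP/1.1" 200 512'

def sample_log():
    """Constructed sample: one quiet minute, then 150 requests from 30 sources."""
    base = datetime(2020, 12, 28, 10, 0, 0, tzinfo=timezone.utc)
    lines = [make_line("192.0.2.10", base + timedelta(seconds=10 * i)) for i in range(5)]
    flood = base + timedelta(minutes=1)
    for i in range(150):
        lines.append(make_line(f"203.0.113.{i % 30 + 1}", flood + timedelta(seconds=i % 60), "/"))
    return lines
```

Running `detect_flood(sample_log())` reports the second minute only: 150 requests spread over 30 sources, which is the pattern where a null route or upstream filtering, rather than blocking individual addresses, is the realistic response.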

Malware attacks – what you should know about them

Digitization has by now reached all areas of our lives: we use smartphones and smart devices in our private lives every day, as well as business laptops and work computers, but also electronic payment in supermarkets or public rail transport. In short, our entire public life has been digitized. This penetration of all our living environments makes everyday life more comfortable. At the same time, it also makes us vulnerable to cyberattacks.

Therefore, it must be our goal from the very beginning to protect our technical infrastructure as well as possible from malware and other criminal acts.

Cybercrime in Germany

The Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI) is responsible for IT security at the federal level. In its recently published situation report on IT security in Germany 2020, the BSI states that cybercrime is directed against private individuals as well as companies, organizations and institutions. Such attacks are often aimed at harvesting personal data and deriving financial benefit from the information gained.

User’s responsibility – the human factor as the greatest risk factor for your IT security

Maintaining your hardware and software is up to you, so you as the user must keep an eye on your own actions: next to missed software updates, interaction with malicious e-mails or websites is still THE security gap in your IT system. To successfully install a malicious program on a device, the (active) help of the user is often required, for example a careless click on a link or e-mail attachment that initiates the installation. In the worst case, all this happens without you as the user noticing anything.

Two terms that we often encounter in cyberattacks are phishing and social engineering. So-called phishing e-mails are fraudulent e-mails designed to induce the recipient to act against their own interests. To achieve this, the attackers use social engineering techniques, that is, psychological tricks such as exploiting fear, pressure, or urgency, in order to obtain passwords and access data directly or to get the recipient to install malware with a click.

Unfortunately, such e-mails are getting better and better, and even trained users can no longer necessarily recognize them as such at first glance. The unknown, long-lost, rich relative from the most absurd corners of the world has been replaced by deceptively real-looking e-mails, for example purporting to come from PayPal, which try to “fish” the users' passwords and credit card data.

Even bad grammar and incorrect vocabulary are rarely found in modern, well-designed malware spam. And, particularly perfidious, according to the BSI even an https link is no longer a guarantee of safety: in about 60% of the malware spam registered in 2019/20, https links were already in use. Although the certificate behind such a link is often taken as a sign of a trustworthy site, it only encrypts the connection and can be obtained free of charge on the Internet, regardless of whether the content is safe for the visitor.

You should know this kind of malware

According to the BSI, an average of around 322,000 new malware variants were created every day last year (June 2019 – May 2020). Malicious programs are all programs that are harmful in themselves or that enable other programs to cause damage. A new variant is created by further developing existing malware. It is particularly dangerous at the beginning, as anti-virus programs may not yet recognize it as a threat.

Ransomware

Ransomware is malware that prevents access to local data or a network. The aim is usually the extortion of ransom money to unlock the data. Another extortion method is the threat of successive publication of sensitive data on the Internet if payment is not made.

Ransomware is usually distributed via links or attachments in e-mails. To get the user to act, the distributors rely on advanced social engineering methods and in particular exploit the constraints of the recipient's professional role.

Ransomware also deliberately exploits weaknesses in remote maintenance and VPN access to penetrate deeper into a company network. According to the BSI, the targets in the last reporting period were above all the networks of financially strong and medium-sized companies, for example special suppliers to the automotive industry, the financial and health sector, and the aviation industry.

The damage caused by such attacks – both financial and reputational – is enormous. Only very few companies are sufficiently protected against ransomware attacks. It is worthwhile to develop and test preventive plans for possible ransomware scenarios now.

Emotet – a multi-level malware of new quality

Emotet is a good, but at the same time extremely harmful, example of the further development of existing malware. According to the BSI, this software has been reappearing more frequently since September 2019 and accounts for the majority of malware attacks. It combines various attack strategies and in its current form can read e-mail contents and generate further spam e-mails from the information gained.

This is particularly dangerous, and not necessarily easy to detect even for sensitized users, because the spam e-mails generated in this way come from real, known accounts. Emotet uses advanced social engineering methods for the initial and any further infection via e-mail. Once installed, it uses the harvested account data to infect further mail accounts in a snowball fashion. Spying on the mail account, also known as Outlook harvesting, enables the program to send deceptively realistic-looking reply e-mails from the victim to other accounts, usually fully automated.

In addition to expanding the infection network, Emotet compromises the system further by downloading additional malware. For the past year, the BSI has mainly reported Trickbot, a program that can spy on and sabotage the system. Trickbot can penetrate the victim's Active Directory and read out all user data and administrative rights on the domain controller. Trickbot also enables attackers to actively access the system, to grant themselves new administrative rights, or to create backdoors through which information can be forwarded to the attackers unnoticed, even over a longer period.

In the last step, the attackers use the information obtained to access the system manually and deploy ransomware (usually Ryuk). From here on, the same methods are used as in a classic ransomware attack.

Prevent malware infections

A first important step towards preventing such attacks is targeted employee training on phishing and social engineering, which ensures that these issues receive enough awareness in your company. At the same time, improved backup structures with more frequent backups and so-called offline backups (i.e. backups that cannot be deleted or changed from the network) are part of a preventive plan against cyberattacks, especially ransomware attacks. These ensure that you are quickly operational again in the worst case.

Reducing externally accessible systems to a minimum and appropriately segmenting the internal networks provide a further level of security. To prevent a deeper infection of your systems, you should also consider stricter password requirements with multifactor authentication (MFA), especially for administrators and those with remote access rights, and reduce their number where possible. Regular and prompt updates of all operating systems, server and application software also increase the basic security of the systems.