In the age of digitalisation, it is no longer a question of whether a company will be attacked, but only of when it will become the victim of a cyberattack. According to a study conducted by Bitkom Research, two thirds of all companies in Germany have already been attacked by cybercriminals. Philipp Zeh, Head of the Competence Center & Professional Services IT Security at Konica Minolta IT Solutions, explains what the most common cyber risks are for companies and how they can protect themselves.
Simplification of programming
Macros simplify programming in software development by bundling several commands so that they are executed together. This speeds up work.
Mr Zeh, what attacks can companies expect?
Classic ransomware attacks in particular have taken place quite frequently in recent years. Affected persons receive an email with an attachment, an invoice, for example. If employees click on this attachment, they start a macro. This in turn starts a script that implements a service and reloads the actual malware that encrypts the data. If no backup is available, the only option available to the company is to pay the ransom so that the data can be released again. However, we do not advise this because paying the ransom is risky and shows the cybercriminals that a second blackmail attempt could probably also be successful.
Why doesn’t the antivirus software detect the malware?
At the time the service is activated, it is not a virus, so it will not be detected. For the system, this is a permitted Office function.
As a security service provider, how do you help your customers deal with these types of problems?
We try to isolate and contain the ransomware. If there is a backup, we use it to recover the files. However, practice shows that unfortunately backups do not always exist. We had such a case, for example, with a large maintenance service provider. Here, again, there were no backups. Although we were able to identify the infected system, we were unable to recover the data that the company absolutely needed. As we learned later, the customer ultimately transferred tens of thousands of euros to the blackmailer.
How does such a payment take place?
The encrypted files usually contain an information file. It tells you where to go. In the case of our customer, the information file contained a telephone number for him to call. At the other end of the line, there was a very friendly, nice lady who gave him the account details for the ransom transfer. After the money was transferred, he got the key to release the data again.
Isn’t it possible to find the ransom blackmailer by tracking the phone number?
If the owner was based in Germany, that would definitely be possible. But the ransom blackmailers are mostly located abroad, in Eastern Europe, for example. It may still be possible to determine a location via the geo location, but since they use prepaid numbers that are not registered anywhere, the holder cannot be identified. Moreover, the German public prosecutor’s office and police have no authority there.
What other cyberattacks affect your customers?
The Emotet banking Trojan was a major threat in December 2018. Some of our customers were hit by it. Actually, this Trojan has been around for more than a year, but it became ‘smarter’ and therefore even more dangerous. If a system is infected, Emotet automatically reads the address books and sends itself to the people with whom the victim has particularly close contact. At the same time, the Trojan analyses past emails with those people and creates an email text based on the most frequently used words. This makes it difficult for the recipient to recognise that an email is a Trojan.
What does Emotet do in concrete terms?
We had a case where a customer had sent a PDF invoice to one of his customers. When he couldn’t find any receipt of payment, he got in touch with his contact person. He was able to prove that the money had been transferred to the bank account on the invoice. However, Emotet was active and intercepted the invoice as a man-in-the-middle attack. The footer of the invoice was changed and other bank data was entered. The end customer thus transferred money directly to the account of the attacker, who immediately withdrew it. Therefore, no chargeback was possible. Companies then often have to bear the costs they have suffered. Even if they have insurance, it usually rejects a reimbursement because it can prove gross negligence or a lack of protection mechanisms.
Blackmail software
Ransomware is a particular kind of software that is used to blackmail people for ransom money. The programme usually encrypts the victim’s data and then demands money to decrypt it.
How can companies protect themselves against these cyberattacks?
There’s no such thing as one hundred per cent protection. Due to the increased and highly complex danger situation, it is advisable to ensure the necessary reaction speed and transparency by taking a strategic approach. Only when companies discover an attack can they react to it. In addition to appropriate monitoring, they also need a suitable process chain to analyse incidents. The basis for this is a strategic approach consisting of processes, people and technologies. Only if these three aspects are integrated can the level of security be increased.
Where can companies get started?
One very important aspect is sensitising employees. This is because a ransom product is usually installed because employees click on something or open email attachments without worrying about the risks involved. That’s why it’s so important to educate employees – including how to assign passwords. Through penetration tests with customers we have often found out that passwords are far too weak. In fact, the password ‘12345’ is still often assigned. Such a password can be cracked with an appropriate programme within seconds. There is no point in building the largest bunker if the key is left in the lock.
So, employees are still a risk for companies?
In particular, older employees who have not grown up with computers and the Internet are not aware of current cyber dangers. In addition, there is another aspect: there are also employees who deliberately want to harm their company. This is not as rare as one would think. For example, we had a case in which an employee sabotaged his company by simply making complete bookings in the system disappear after the goods had been delivered. Our customer then wondered why he had not received any payment for his delivery. The end customer in turn informed him that he could not pay because the delivery had arrived without a delivery note and invoice.
What happened next?
When our customer searched his ERP system for the transaction, he discovered that it had been deleted by the administrator. This could be traced in the system in an audit-proof manner. Since only three people had admin rights, the culprit was found quickly, but it was impossible to prove he was guilty. Our customer then actually had to pick up the goods from his customer at high cost, rebook them and then repeat the entire process. This is just one example of what employees with admin rights can do.
And what can companies do in such a case?
It is very important to regulate access rights clearly. Every employee should only be allowed to do what they need to for their job. This already makes it possible to limit a lot of potential problems. Of course, employees who have admin rights are given special freedoms, but these must also be controlled. But one thing should always be clear: if a person wants to harm a company, he will always find a way to do so.
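The two lessons from the ERP case above are that a destructive action should require a permission the employee's role actually grants, and that the audit trail must name an individual rather than a shared "administrator" identity, which is what made the culprit impossible to convict. The following added example, not code from the article or from any ERP product, models both with a role-to-permission table and a hash-chained audit log. The role names, permission strings, user names and the booking record are assumptions made for the illustration.

```python
# Added example: least-privilege check plus a tamper-evident, per-user audit trail
# for a destructive ERP action. Roles, permissions and sample data are assumptions.
import hashlib
import json
from datetime import datetime, timezone

# Each role gets only what the job needs; only erp_admin may delete bookings.
ROLE_PERMISSIONS = {
    "warehouse":  {"booking.read", "booking.create"},
    "accounting": {"booking.read", "invoice.issue"},
    "erp_admin":  {"booking.read", "booking.create", "booking.delete", "user.manage"},
}

GENESIS = "0" * 64


class AuditLog:
    """Append-only log whose entries are chained by SHA-256, so a later edit breaks verification."""

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(entry):
        unhashed = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(unhashed, sort_keys=True).encode()).hexdigest()

    def append(self, actor, action, target, outcome):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {
            "seq": len(self.entries),
            "ts": datetime.now(timezone.utc).isoformat(),
            "actor": actor,        # the individual account, never a shared login
            "action": action,
            "target": target,
            "outcome": outcome,
            "prev": prev,
        }
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)

    def verify(self):
        """Recompute every hash and link; False means some entry was altered or removed."""
        prev = GENESIS
        for entry in self.entries:
            if entry["prev"] != prev or self._digest(entry) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def delete_booking(bookings, audit, actor, role, booking_id):
    """Delete only if the actor's role grants booking.delete; record every attempt against the actor."""
    if "booking.delete" not in ROLE_PERMISSIONS.get(role, set()):
        audit.append(actor, "booking.delete", booking_id, "denied")
        raise PermissionError(f"{actor} ({role}) may not delete bookings")
    if booking_id not in bookings:
        audit.append(actor, "booking.delete", booking_id, "not_found")
        return False
    del bookings[booking_id]
    audit.append(actor, "booking.delete", booking_id, "deleted")
    return True


def demo():
    """Constructed scenario: a warehouse clerk is refused, an individual admin succeeds and is logged."""
    bookings = {"B-1001": {"customer": "Example GmbH", "status": "delivered"}}  # constructed record
    audit = AuditLog()
    try:
        delete_booking(bookings, audit, "m.schmidt", "warehouse", "B-1001")
    except PermissionError:
        pass
    delete_booking(bookings, audit, "a.mueller", "erp_admin", "B-1001")
    return bookings, audit


if __name__ == "__main__":
    remaining, log = demo()
    for e in log.entries:
        print(e["seq"], e["actor"], e["action"], e["target"], e["outcome"])
    print("chain intact:", log.verify())
```

The hash chain makes silent edits to the log detectable, but it does not stop someone who has write access to the whole log from rewriting it end to end; that is why the entries should be forwarded to a system the ERP administrators themselves cannot modify. The deletion is also logged under the person's own account, so "deleted by the administrator" becomes "deleted by a.mueller at this time", which is the evidence the customer in the interview did not have.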
Are companies still too naive in this respect?
Yes, unfortunately we often see that especially small and medium-sized enterprises are not aware of the dangers. For example, we were commissioned by a customer to carry out a penetration test in order to determine the sensitivity of networks or IT systems to intrusion and manipulation attempts through targeted attacks. Here, similar methods and techniques are used as those employed by cybercriminals to penetrate a system without authorisation. We found a network area at the customer’s site where IP access was possible without entering a password. This enabled us to directly access the production plant and view the machine control surface online.
What consequences can that have?
If we had wanted to, it would have been easy for us to manipulate the machine or switch it off completely. Such a failure can be life-threatening for SMEs. Our customer didn’t even know that these accesses existed. We then contacted the manufacturer of the machine, who confirmed that these were maintenance accesses. He thought if he didn’t tell anyone about it, nobody would know and so nobody would have access to it. But that’s far from true. With today’s scanners, it’s relatively easy to find and use these access points.
Do large companies face the same problems?
Larger corporations are generally better protected and have a more holistic security concept. A simple collection of security products is no longer enough to contain today’s cyber threats. Companies must take a strategic approach to corporate security. External security experts such as Konica Minolta help even smaller and medium-sized companies to implement a sustainable security concept.