The German Federal Office for Information Security (BSI) recently published its report "The State of IT Security in Germany 2021". This report takes stock of the threat situation of IT security in Germany for the period from June 1, 2020 to May 31, 2021. The BSI focuses on attacks on companies, government and public institutions, and private individuals. At the same time, however, it also wants to contribute to the prevention and combating of these situations.
Every year, the BSI report provides specific examples of security situations and cyber threats from various sectors. The BSI uses these to explain typical methods used by attackers. In addition, the BSI wants to clarify what suitable protective measures are.
The conclusion of the report: The IT security situation in Germany is tense to critical.
Cyber extortionists: protection money, ransom and hush money
Cyber-criminal extortion methods expanded noticeably during the reporting period. This alone is not a particularly new development. However, the threat has recently reached a different quality. The damage that can occur as a result is huge.
A global campaign of cyber extortionists was observed, extorting protection money from their victims under the threat of distributed denial of service (DDoS) attacks.
At the same time, they used the Emotet malware in particular for attacks in order to extort a ransom afterwards with the help of ransomware that encrypts all data.
An extension of this strategy could also be observed. In some cases, attackers stored the data illegally before encryption in order to then extort hush money under threat of publication. This approach could prove effective if the victim showed no interest in paying the ransom for decrypting the data due to their own backup copies of the data. If a ransomware attack now takes place, it must therefore generally be assumed that the data has been compromised.
The biggest gateway for such attacks are probably social engineering attacks. This is an attempt to trick people into clicking on malicious links or downloading attachments that install the malware, for example, using cleverly forged emails.
In order to extort a ransom, some attackers also pretended directly to the end user via spam attacks that data leaks had taken place. They then extorted a corresponding ransom by threatening to publish the victim's data.
In the cybercrime industry, it is becoming increasingly apparent that the division of labor and cyberattacks are being used as a service. There is a real outsourcing of standard tasks, which means that the attackers can focus even more specifically on their financially strong victims and have sophisticated methods at their disposal.
Attacks on "critical infrastructures" (CRITIS), which include, for example, providers of utility services such as electricity and water, are becoming particularly dangerous. According to the BSI, these are almost the order of the day.
Microsoft Exchange security vulnerabilities
At the beginning of March 2021, Microsoft Exchange made headlines with vulnerabilities in the Exchange server. Shortly after the vulnerability became known, large-scale scans could already be seen on the Internet looking for vulnerable Exchange servers. As a result of the fact that around 65,000 servers were affected, the BSI declared the second-highest crisis level for only the third time since its existence.
These gaps were closed promptly by updates, but the BSI considers it plausible that even if the update was installed quickly, some servers were already infected with malware unnoticed. The attackers could activate this infiltrated software at any time, which would turn the servers into ticking time bombs. The BSI describes dealing with such vulnerabilities as "one of the greatest challenges in information security".
Supply Chain Attacks
In a supply chain attack, the attackers attack the software manufacturer in order to attach their malicious code to its software products and thus inject it into the end user. This also occurred during the reporting period and, according to the BSI, proved to be a difficult attack path to control.
Cyber security and pandemic
In its report, the BSI also considered cyber security in the context of the pandemic.
On the one hand, the digitalization of business processes due to the pandemic naturally increased the attack surface (remote access and VPN, videoconferencing systems, use of private devices at work, etc.). On the other hand, however, it was gratifying to note that to date no IT security incidents have been reported in connection with the Corona warning app.
Attacks on the health care system
Various attacks on healthcare institutions caused a particular stir during the reporting period. Among other things, these involved the procurement of internal data on vaccines, which were then published in a manipulated manner, presumably in order to trigger doubts about the vaccine. Individual clinics were also affected, however, and had to reduce their operations accordingly until the attack was over.
In view of this report, the question arises as to how the state, the economy and society can protect themselves from the threats.
Federal Minister of the Interior Seehofer emphasizes that the legislative period was used to massively strengthen cyber security. Not only has the Agency for Innovation in Cybersecurity been established in Halle, but the Central Office for Information Technology in the Security Sector (ZITiS) has also been expanded. He added that the company was better positioned in terms of both technology and personnel.
The BSI also highlights the IT Security Act 2.0, which obliges "companies in the special public interest" to report security incidents and prove their security. It also grants the BSI more extensive powers, which is also viewed critically in some quarters. However, liability for faulty software, which many had called for, did not make it into the law. The BSI therefore limits itself in this area to appealing to the responsibility of developers.
If you would like to expand your information security and have it looked after, please do not hesitate to contact us.