Criminal hackers do not take summer breaks, as several Swiss companies discovered over the past few weeks. According to the Swiss Federal Reporting and Analysis Centre for Information Assurance (MELANI), a number of businesses were attacked, their corporate networks successfully infiltrated, and their data encrypted in order to extort them. The attack scenarios are known, and defensive measures can be taken.
According to media reports, the affected companies include the banking software provider Crealogix and the building technology firm Meier Tobler. Crealogix has confirmed that the malware paralysed internal Windows workstations; neither customers, data center services, nor the source code of its proprietary software were affected, and the attack was quickly brought under control. Meier Tobler was apparently hit harder: after a ransomware (crypto trojan) attack, the company was largely paralysed. Its central SAP enterprise resource planning system, the warehouse control system, fixed-line telephony, the website and all e-mail accounts were unavailable. Operations have since resumed; according to the company's website, it is working at full speed to rebuild its infrastructure in accordance with its existing emergency plans.
Spear Phishing at Swiss businesses
Cyberattacks on Swiss companies are not a new problem. However, according to MELANI, an increasing number of attacks have recently been reported in which the attackers follow a new approach. The following attack scenarios are known:
- Attackers send targeted malicious e-mails to Swiss companies (spear phishing) in an attempt to infect them with ransomware. These messages usually contain a link to a malicious website or a malicious file attachment.
- On certain Internet forums, access to already-infected computers in Swiss companies is offered for sale. The systems in question are usually infected with "Emotet", "TrickBot" or occasionally "Qbot". Criminal groups pay for access to these machines in order to move on from the initial foothold and infiltrate the target company's network on a large scale.
- Attackers scan the Internet for exposed VPN and terminal (Remote Desktop) servers and attempt brute-force attacks against their logins to gain access.
- In all of these scenarios, once inside, the attackers use post-exploitation tools such as Cobalt Strike or Metasploit to obtain the privileges they need on the target company's systems. If they succeed, ransomware is deployed on those systems and encrypts all data.
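The brute-force scenario against VPN and terminal servers leaves a recognisable trace in authentication logs: a burst of failed logons from one source address, and, in the worst case, a successful logon from that same source while the burst is still in progress. The following Python script is an added example (not code from MELANI, UMB or the affected companies) of the detection logic a practitioner would run over such logs. The log lines and their key=value format are constructed for this example; a real deployment would parse Windows Security events 4625/4624 or the VPN appliance's own log format instead, and the threshold and window are assumptions to be tuned per environment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of authentication events from an Internet-facing terminal
# server (svc=rdp) and VPN gateway (svc=vpn). The format is invented for this
# example; real sources would be Windows events 4625/4624 or the VPN appliance log.
SAMPLE_LOG = """\
2019-07-22T02:14:01Z auth=FAIL user=administrator src=203.0.113.45 svc=rdp
2019-07-22T02:14:03Z auth=FAIL user=admin src=203.0.113.45 svc=rdp
2019-07-22T02:14:05Z auth=FAIL user=administrator src=203.0.113.45 svc=rdp
2019-07-22T02:14:07Z auth=FAIL user=backup src=203.0.113.45 svc=rdp
2019-07-22T02:14:09Z auth=FAIL user=administrator src=203.0.113.45 svc=rdp
2019-07-22T02:14:11Z auth=FAIL user=administrator src=203.0.113.45 svc=rdp
2019-07-22T02:14:13Z auth=OK user=administrator src=203.0.113.45 svc=rdp
2019-07-22T02:15:02Z auth=FAIL user=jdoe src=198.51.100.8 svc=vpn
2019-07-22T02:15:10Z auth=OK user=jdoe src=198.51.100.8 svc=vpn
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth=(?P<outcome>OK|FAIL) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) svc=(?P<svc>\S+)$"
)


def parse_event(line):
    """Return a dict for one log line, or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["time"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=5)):
    """Flag a source once it reaches `threshold` failed logons inside a sliding
    `window`, and flag separately any successful logon from a source that is
    still inside such a burst (the attacker has found a working password).
    Returns a list of (alert_type, src, detail, timestamp) tuples."""
    recent_failures = defaultdict(deque)   # src -> times of failures in window
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue                        # skip lines we cannot parse
        q = recent_failures[ev["src"]]
        while q and ev["time"] - q[0] > window:
            q.popleft()                     # expire failures outside the window
        if ev["outcome"] == "FAIL":
            q.append(ev["time"])
            if len(q) == threshold:         # fire once when the burst crosses the line
                alerts.append(("bruteforce", ev["src"], ev["svc"], ev["ts"]))
        elif len(q) >= threshold:           # OK logon while still in a burst
            alerts.append(("success_after_bruteforce", ev["src"], ev["user"], ev["ts"]))
    return alerts


def run_sample():
    """Run the detector over the constructed sample log."""
    return detect_bruteforce(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

On the sample, the detector raises one `bruteforce` alert for 203.0.113.45 at the fifth failure and one `success_after_bruteforce` alert when the same source then logs in as `administrator`; the single typo by `jdoe` on the VPN produces nothing. The second alert type is the one worth paging on, because it means the attacker now has a valid credential on an Internet-facing system.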
Prevention is better than cure
Given the current threat situation, MELANI is again urgently warning Swiss companies about ransomware and strongly recommends implementing the following measures as soon as possible:
- Create regular backups of your data, for example on an external hard disk. Make sure that you physically disconnect the backup media from the computer or network once the backup is complete. Otherwise, attackers who reach your network can also reach your backups and encrypt or delete them.
- With cloud-based backup solutions, make sure they are out of the ransomware's reach, for example by requiring two-factor authentication for critical operations such as deleting or overwriting backups. Check the quality of your backups and practice restoring them, so that you do not lose precious time in an emergency.
- Operating systems and all programs installed on your computers and servers must be patched consistently and promptly. Protect all resources reachable from the Internet with a second factor, especially terminal servers as well as RAS and VPN access. Place terminal servers behind a VPN portal rather than exposing them directly. Block dangerous e-mail attachments at your e-mail gateway; this includes Office documents with macros. A list of file attachments to be blocked can be found here.
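The attachment-blocking measure is worth doing by content as well as by file name, because a macro-carrying document can be renamed and an executable can hide behind a double extension. The following Python script is an added example (not code from MELANI or UMB) of such a gateway check: it combines an extension block list with a look inside modern Office (OOXML) attachments, which are zip containers, for the `vbaProject.bin` part that holds VBA macros. The extension sets are an illustrative assumption, not the MELANI list linked from the text, and the sample attachments are constructed in the script (minimal zips in the shape of a Word file, not complete documents) so that it runs offline.

```python
import io
import zipfile

# Illustrative block list. This is an assumption for the example: MELANI publishes
# its own list (linked from the text above), which is not reproduced here.
BLOCKED_EXTENSIONS = {
    "exe", "scr", "pif", "com", "bat", "cmd", "js", "jse", "vbs", "vbe",
    "wsf", "wsh", "hta", "ps1", "jar", "lnk", "iso", "img", "vhd",
}
MACRO_ENABLED_OOXML = {"docm", "dotm", "xlsm", "xltm", "xlam", "pptm", "potm", "ppam"}
OOXML = {"docx", "dotx", "xlsx", "xltx", "pptx", "potx"} | MACRO_ENABLED_OOXML
LEGACY_OLE = {"doc", "dot", "xls", "xlt", "ppt", "pot"}
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # OLE2 compound file header


def extension(filename):
    """Last extension only, so 'invoice.pdf.exe' is judged by 'exe'."""
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def ooxml_has_vba(data):
    """True if the OOXML zip carries a VBA project, False if it does not,
    None if the bytes are not a zip container at all."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return None


def classify_attachment(filename, data):
    """Return ('block', reason) or ('allow', reason) for one attachment."""
    ext = extension(filename)
    if ext in BLOCKED_EXTENSIONS:
        return ("block", f".{ext} is on the extension block list")
    if ext in MACRO_ENABLED_OOXML:
        return ("block", f".{ext} is a macro-enabled Office format")
    if ext in LEGACY_OLE:
        # Binary Office formats keep macros in OLE streams; inspecting those needs
        # an OLE parser, so this policy blocks them and asks for OOXML or PDF instead.
        return ("block", f".{ext} is a legacy binary Office format")
    if ext in OOXML:
        vba = ooxml_has_vba(data)
        if vba is None:
            return ("block", f".{ext} attachment is not a valid OOXML container")
        if vba:
            return ("block", "Office document contains a VBA project (vbaProject.bin)")
        return ("allow", "Office document without macros")
    if data.startswith(OLE_MAGIC):
        return ("block", "OLE compound file hiding under a non-Office extension")
    return ("allow", f".{ext or '(none)'} not matched by any rule")


def build_ooxml(with_vba):
    """Construct a minimal zip in the shape of a Word file (not a complete, valid
    document) so that the checks above can be exercised offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            zf.writestr("word/vbaProject.bin", b"\x00" * 32)
    return buf.getvalue()


if __name__ == "__main__":
    samples = [                                       # constructed test inputs
        ("invoice.docx", build_ooxml(False)),
        ("invoice.docx", build_ooxml(True)),          # VBA project under a .docx name
        ("invoice.docm", build_ooxml(False)),
        ("invoice.pdf.exe", b"MZ\x90\x00"),
        ("letter.docx", b"not a zip at all"),
        ("notes.txt", OLE_MAGIC + b"\x00" * 24),
        ("report.pdf", b"%PDF-1.4\n"),
    ]
    for name, data in samples:
        print(name, classify_attachment(name, data))
```

The order of the rules matters: extension rules run first because they need no parsing, and the container check only runs for names that claim to be OOXML, so a mismatch between name and content (a `.docx` that is not a zip, an OLE file called `.txt`) is itself treated as a reason to block. Whether a gateway should block legacy `.doc`/`.xls` outright or parse their OLE streams is a policy decision; the example takes the stricter route.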
UMB can analyze your security situation
UMB can detect vulnerabilities in your systems and analyze and monitor the traffic on your network with advanced log and risk management technologies. We can uncover your attackers' profiles and find hidden threats before they damage your business. Contact me for your security analysis today.