SECURITY INSIGHTS | August 01, 2023
Myra's monthly security highlights provide IT decision-makers and security professionals with the most relevant topics from the world of cybersecurity. Current trends, defense strategies and news on cyberattacks, attack campaigns and more can be found here in a clearly arranged format.
BSI on the move: The German Federal Office for Information Security (BSI) has a new boss. Following the dismissal of long-time BSI President Arne Schönbohm last fall, mathematician Claudia Plattner is now taking over as head of the IT security agency. Most recently, Plattner worked at the European Central Bank (ECB) in Frankfurt as director general for information systems, where she was also responsible for cybersecurity and managing all aspects of a digital transformation.
In an interview with the Rheinische Post newspaper shortly after taking office, the new BSI chief warned that the threat level was currently higher than ever. The BSI is seeing a general increase in cyberattacks in Germany. In addition to government agencies, companies are also affected.
To enable an appropriate response to the heightened threat situation, the NIS-2 Implementation Act (NIS2UmsuCG) provides for stricter IT security requirements for regulated companies as well as new powers and sanction options for the BSI. For example, the Federal Office is to be able to temporarily bar the responsible executives of regulated companies (particularly important institutions) from managing the organization if they fail to comply with official orders in a timely manner.
With the Trans-Atlantic Data Privacy Framework, a new data protection agreement between the EU and the US has come into force, three years after the Privacy Shield was struck down. Whether it will provide lasting legal certainty remains to be seen. According to the Austrian data protection lawyer Max Schrems, the new framework is essentially based on its predecessor agreements Safe Harbor and Privacy Shield, both of which were declared invalid by the ECJ; he therefore expects that the Trans-Atlantic Data Privacy Framework will not withstand a challenge either. The NGO noyb, which Schrems chairs, has already announced legal action against the new agreement.
The new president of the Federal Office for Information Security (BSI), Claudia Plattner, has warned of the current cyber threat situation. It is "as high as it has ever been," she told the Rheinische Post newspaper. The number of cyberattacks has generally increased. Attackers are increasingly going after data in order to blackmail companies and authorities.
“The threat of cybercrime has been on the rise for years and is causing massive economic and social damage in some cases,” Holger Münch, president of the Federal Criminal Police Office (BKA), told the Funke Mediengruppe newspapers. In addition to public administrations, criminals are increasingly targeting universities and doctors' offices. In general, they were targeting institutions where the technical hurdles were comparatively low.
Security researchers have come across an AI-based attack tool for creating phishing campaigns on the darknet. This is a chatbot called “FraudGPT” that is offered as a SaaS solution for $200 per month. In addition to creating phishing emails, the tool is said to be useful for writing malicious code, creating malware, finding leaks and vulnerabilities, and more.
A recent study by IBM and the Ponemon Institute found that the average cost of a cyber incident runs into the millions. According to the newly released "Cost of a Data Breach Report 2023", a data breach costs German companies an average of $4.67 million. For the financial sector, the figure is said to be $5.90 million.
Attackers gained access to email accounts hosted by Microsoft, which was ultimately able to disrupt the attacks. Microsoft attributes the attacks to the China-based group "Storm-0558", which specializes in espionage and data theft. The attackers are said to have penetrated email accounts of 25 organizations and government agencies, apparently including the U.S. State Department.
Saxony's Ministry of Health and Social Affairs has fallen for a fraudulent e-mail and is thus likely to be left with several hundred thousand euros in damages. The phishing attack was related to a delivery of materials for protective fencing to contain African swine fever. After placing the order, the ministry received an email with a fake invoice and changed bank details, to which it transferred the purchase sum.
According to media reports, Diebold Nixdorf has informed its customers about a cyberattack. The attackers targeted a service provider of the payment system manufacturer. No data is said to have been leaked as a result of the attack. According to a company spokesperson, law enforcement authorities have been called in.
Due to serious security vulnerabilities in the MOVEit data transfer software, attackers were able to access the systems of the financial services provider Majorel and tap into sensitive data of thousands of bank customers. The affected company provides account switching services for Deutsche Bank, Postbank, ING and Comdirect, among others.
A flaw in the payment system of the fintech bank Revolut allowed cybercriminals to siphon off more than $20 million undetected over several months. As reported by the Financial Times, the flaw has since been closed; the provider's US systems were affected.
IT security expert Lilith Wittmann has discovered a serious security flaw in the Schufa app Bonify. The flaw allowed the retrieval of tenant information under someone else's name. As evidence of the vulnerability, Wittmann published information from former German Health Minister Jens Spahn.
Under the NIS 2 Implementation Act (NIS2UmsuCG), the German Federal Office for Information Security (BSI) is to be given significantly more powers and opportunities to act. If regulated companies (particularly important institutions) fail to comply with BSI orders in a timely manner, the authority will in future even be able to temporarily prohibit the responsible executives from managing the organization.
In an interview, Dr. Sibel Kocatepe, expert for IT supervision at BaFin, explains the financial supervisory authority's view of the rapidly advancing digital transformation in the industry and the associated risks.
The Digital Operational Resilience Act (DORA) significantly tightens the technical and procedural requirements for the information security of banks and associated IT service providers. Here is an overview of the key requirements for the cloud environment.
A security researcher at the Rheinische Friedrich-Wilhelms-Universität in Bonn has investigated the question of how the cybersecurity of open source and proprietary software should be evaluated and where there is potential for improvement.
The new transatlantic data protection framework was intended to provide legal certainty after its predecessors were overturned by the European Court of Justice (ECJ). But Max Schrems and his data protection organization noyb have already announced that they will also take legal action against the new agreement, because it is largely a copy of the failed Privacy Shield.
A critical vulnerability puts all processors based on AMD's Zen 2 architecture at risk and allows attackers to read sensitive data. Even data inside virtual machines or containers can be compromised via the flaw. The manufacturer AMD is already working on firmware updates.