Trending Topics Cybersecurity – November 2023

SECURITY INSIGHTS | December 01, 2023

Myra's monthly security highlights provide IT decision-makers and security professionals with the most relevant topics from the world of cybersecurity. Current trends, defense strategies and news on cyberattacks, attack campaigns and more can be found here in a clearly arranged format.

According to the German Federal Office for Information Security (BSI), the cyber threat situation in Germany remains tense. At the presentation of the latest BSI report on the state of IT security in Germany, BSI President Claudia Plattner spoke of a "worrying threat situation". In the reporting period, the BSI registered around 250,000 new variants of malware and 21,000 systems infected with malware every day. In addition, an average of 70 new security vulnerabilities are published per day, half of which are classified as high or critical. This corresponds to an increase of 24% compared to the previous year.

According to the BSI, attackers are becoming increasingly professional in their approach, which is reflected in the increased work-sharing processes and the targeted use of AI tools. Ransomware continues to be the most dangerous type of attack with the biggest malicious potential. Ransomware attacks target companies as well as administrations, local authorities and municipal businesses. In addition, public institutions in particular are repeatedly affected by DDoS attacks.

In November, for example, twelve municipalities in Swabia suffered severe service disruptions following an attack on their joint IT service provider. Other cyber attacks led to disruptions at the German Energy Agency, ChatGPT, the KaDeWe department store and Toyota Financial Services.

The top IT security topics in November:

IT security trends

BSI report: Cybercrime threat greater than ever before

The President of the Federal Office for Information Security (BSI), Claudia Plattner, described the current cyber threat situation as "worrying" at the report's presentation. Attackers are becoming increasingly professional. During the reporting period, the BSI registered an average of around 250,000 new malware variants every day.

Municipalities and administrations increasingly targeted by cyber criminals

According to a report by the magazine Protector, the generally heightened cyber threat situation is reflected above all in the increasing number of attacks on municipal institutions and administrations. Smaller municipalities in particular are popular targets because they often have insufficient IT security and cyber defense due to a lack of human and financial resources.

Four out of five SMEs are not adequately protected against cyber attacks

Only 78% of small and medium-sized enterprises (SMEs) fulfill all basic technical IT security measures. This is the result of a Forsa survey commissioned by the German Insurance Association (GDV). However, the perception of risk is apparently different: 80% of the IT decision makers surveyed consider their company to be sufficiently protected.

Cyber extortionists use missed reporting obligations as leverage

Legal regulations such as the GDPR require companies to report cyberattacks to the supervisory authorities. If attacked companies fail to comply with this obligation, they face fines. Cyber extortionists have recently taken advantage of this fact: if an attacked target does not comply with its reporting obligation on time, the criminals themselves inform the responsible supervisory authority about the attack and the failure to report it.

Cybercrime

Attack on IT service provider in Swabia: Twelve municipalities affected

Due to a cyber attack on the special-purpose association for municipal data processing in the district of Neu-Ulm, the services of twelve affiliated municipalities have been severely disrupted. The attackers demanded a ransom. At the end of October, a similar attack paralyzed over 70 municipalities in South Westphalia.

OpenAI: DDoS attacks repeatedly cause ChatGPT outages

In November, the AI chatbot ChatGPT experienced repeated outages. The operator OpenAI attributed the recurring disruptions to DDoS attacks that affected both ChatGPT itself and the associated API. Shortly afterwards, the Anonymous Sudan group claimed via Telegram that it was responsible for the outages caused by the attacks.

German Energy Agency unable to work after cyber attack

Criminals have attacked the server infrastructure of the German Energy Agency (Dena). As a result, the company said it was "technically unable to work for the most part" and could not be reached by phone or email. Data was apparently also leaked during the attack, potentially even sensitive information such as account details.

In response to cyber attack: Targobank blocks access to thousands of customer accounts

After Targobank detected unauthorized attempts to access customer accounts, it blocked the online banking access of thousands of customers. Around 6,000 of those affected had to obtain new credentials in order to access their accounts again via the app or website. No further damage is said to have been caused.

Berlin luxury department store switches to offline emergency operation after cyber attack

The Kaufhaus des Westens (KaDeWe) in Berlin was the target of a cyber attack at the beginning of November but was able to fend off the attack at an early stage. Nevertheless, as a precautionary measure, all IT systems were temporarily put into offline emergency mode. As a result, customers were temporarily only able to pay in cash. According to the KaDeWe Group, the ransomware group Play was behind the attack.

Ransomware attack on US subsidiary of major Chinese bank

Following a ransomware attack, a US subsidiary of the largest Chinese bank, ICBC, had to temporarily shut down and isolate the affected systems. According to the Financial Times, some transactions could not be carried out as a result. This also temporarily affected the liquidity of the US government bond market.

Cyber extortionists demand millions from Toyota

In an attack on the German branch of Toyota Financial Services (TFS), cyber criminals apparently stole data for which they subsequently demanded a ransom of 8 million US dollars. The stolen information includes financial documents, purchase invoices, contracts, user IDs and passwords.

Attackers infect MySQL servers and Docker hosts with DDoS malware

Security researchers have warned that attackers are currently trying to infect MySQL servers and Docker hosts with the "Ddostf" malware in order to abuse them as bots for DDoS attacks. The criminals first scan the internet for publicly reachable MySQL servers listening on TCP port 3306. They then compromise the servers by exploiting weak passwords or known vulnerabilities.

Best Practice, Defense & Mitigation

"Elex 23": EU conducts cyber security exercise for upcoming European elections

EU institutions and member states have tested crisis and response plans for possible cyber incidents during next year's European elections in the joint security exercise "EU Elex 23". "European democracy, and the European elections in particular, are exposed to serious hybrid threats," commented Dita Charanzová, Vice-President of the European Parliament. These include cyber attacks and disinformation.

International collaboration leads to dismantlement of ransomware group

Law enforcement authorities from seven countries, in cooperation with Europol and Eurojust, have arrested several suspected members of the Hive ransomware group in Ukraine. One of the suspects is believed to have played a leading role in the cybercrime organization. The group is said to have encrypted over 250 servers belonging to large companies in 71 countries, causing damage amounting to hundreds of millions of euros.

ECB plans cyber stress test for European banks

The European Central Bank (ECB) wants to carry out a stress test at the beginning of next year to examine how well prepared European banks are against cyber attacks. More than 100 institutions supervised by the ECB will have to work through a specific crisis scenario and respond to it in accordance with the applicable regulations. Banks should therefore prepare for the cyber stress test now, in both organizational and technical terms.

FBI shuts down botnet proxy network IPStorm

The FBI has succeeded in shutting down the infrastructure of the IPStorm botnet, which is said to have infected thousands of systems in Asia, Europe, North and South America in recent years. The hijacked devices were converted into proxy servers which could be hired by people who wanted to hide their internet activities. The operator, who has pleaded guilty, is said to have earned at least 550,000 US dollars with this scheme.

Things to know

CVSS 4.0: Vulnerability scoring system updated

Version 4.0 of the Common Vulnerability Scoring System (CVSS) for assessing IT security vulnerabilities is now available. The CVSS helps IT managers to assess the threat situation. The highest possible score of 10 applies, for example, to critical vulnerabilities that can be exploited remotely without authentication to inject malicious code. In version 4.0, the metrics for calculating the score were changed to better reflect the actual risk.
