Trending Topics Cybersecurity – October 2023

SECURITY INSIGHTS | November 01, 2023

Myra's monthly security highlights provide IT decision-makers and security professionals with the most relevant topics from the world of cybersecurity. Current trends, defense strategies and news on cyberattacks, attack campaigns and more can be found here in a clearly arranged format.

The "Rapid Reset" vulnerability in the HTTP/2 network protocol allows attackers to carry out extremely powerful DDoS attacks with immense packet rates using manageable resources. Investigations by the DDoS testing experts at zeroBS have shown that this method makes a packet rate 12 times higher than that of classic botnets possible. Attacks on vulnerable web servers using Rapid Reset are already taking place. Rapid Reset attacks have also been observed in Myra's Security Operations Center (SOC) and were completely repelled by our IT security experts.

Just how acute and real the threat of DDoS attacks is in the public sector was demonstrated in mid-October by a series of orchestrated attacks on the administrative portals of various cities. The websites of the cities of Bielefeld, Dortmund, Dresden, Frankfurt am Main, Hanover, Cologne and Nuremberg were affected by the attacks. Some of the attacked administrative portals were able to go back online after a few hours, while others had to remain offline for several days due to persistent attacks. It is not yet known who is responsible for the attacks.

The top IT security topics in October:

IT security trends

"Rapid Reset": New DDoS method enables extremely high attack volume

A new DDoS attack technique called "Rapid Reset", which exploits a vulnerability in the HTTP/2 network protocol, is currently putting countless servers at risk. The method enables very high attack volumes with manageable resource consumption on the part of the attackers. The first security patches are already available.
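As an added defender-side illustration (not code from Myra, zeroBS or the original article), the Python below models the mitigation shape HTTP/2 servers adopted against Rapid Reset: a client opens streams and cancels them immediately, so the server pays for each request while the client never reaches its concurrent-stream limit, and counting RST_STREAM frames per connection in a sliding window exposes that pattern. The frame log, threshold values and class names are constructed assumptions.

```python
from collections import defaultdict, deque

HEADERS = "HEADERS"        # client opens a new stream (one request)
RST_STREAM = "RST_STREAM"  # client cancels a stream it just opened


class ResetRateGuard:
    """Flag connections that send more than max_resets RST_STREAM frames
    within window_seconds. A flagged connection should be closed, because
    a well-behaved client almost never cancels requests at this rate."""

    def __init__(self, max_resets: int = 100, window_seconds: float = 1.0):
        self.max_resets = max_resets
        self.window = window_seconds
        self._resets = defaultdict(deque)  # conn_id -> reset timestamps
        self.flagged = set()

    def observe(self, ts: float, conn_id: str, frame: str) -> bool:
        """Feed one frame; return True once the connection should be closed."""
        if frame == RST_STREAM:
            q = self._resets[conn_id]
            q.append(ts)
            # drop resets that fell out of the sliding window
            while q and ts - q[0] > self.window:
                q.popleft()
            if len(q) > self.max_resets:
                self.flagged.add(conn_id)
        return conn_id in self.flagged


def make_sample():
    """Constructed frame log (timestamp, connection, frame type)."""
    frames = []
    # benign browser: 20 requests over 2 s, one cancelled by a page navigation
    for i in range(20):
        frames.append((i * 0.1, "conn-benign", HEADERS))
    frames.append((1.5, "conn-benign", RST_STREAM))
    # Rapid Reset flood: 300 open/cancel pairs within 0.3 s on one connection
    for i in range(300):
        frames.append((i * 0.001, "conn-flood", HEADERS))
        frames.append((i * 0.001, "conn-flood", RST_STREAM))
    return frames


def run(frames, max_resets: int = 100, window_seconds: float = 1.0) -> set:
    """Return the set of connection ids the guard would close."""
    guard = ResetRateGuard(max_resets, window_seconds)
    return {conn for ts, conn, frame in frames if guard.observe(ts, conn, frame)}


if __name__ == "__main__":
    print("connections to close:", run(make_sample()))
```

The constructed flood is caught with the default threshold while the benign connection is not; raising the threshold to 1000 lets both through, which is why the threshold must be tuned per deployment.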

Critical infrastructure operators still need to improve their IT security

In a survey conducted by the BSI, operators of critical infrastructure have acknowledged the need for improvement in some areas of IT security. While the implementation of technical security measures is already well advanced, the introduction of organizational measures is still lagging behind. The main reasons for this are a lack of money and personnel.

Valuable vulnerabilities: Millions are paid for zero-day vulnerabilities

Research by the Techcrunch editorial team has revealed that prices for zero-day vulnerabilities on the black market run into the millions. Documents viewed show that between 1.7 and 8 million US dollars are paid for remote control vulnerabilities in WhatsApp.

TAN procedure of many banks classified as insecure

In its ruling on a fraud case in which money was stolen via a phishing attack, the Heilbronn Regional Court found that the use of app-based TAN procedures that are executed on the same device as the banking app violates the principle of two-factor authentication (2FA). The ruling could call into question the common practice of many banks that allow the use of both applications on one device.

iLeakage: Critical vulnerability in Apple processors allows passwords, emails and text content to be intercepted

Security researchers have discovered a serious security vulnerability that affects all modern Apple devices with ARM chipsets. The iLeakage exploit targets Safari's WebKit engine and allows attackers to remotely read emails, credit card information, passwords, autofill fields and other information that the user has accessed in the browser. The attack can be carried out on Macs, iPhones and iPads with Apple A- or M-series chips. The attack surface is larger on iOS and iPadOS because all available browsers there must use the WebKit engine.

Websites of several German cities offline after DDoS attacks

In mid-October, several city portals were unavailable for hours or even days as a result of DDoS attacks. Among those affected were the websites of the cities of Bielefeld, Dortmund, Dresden, Frankfurt am Main, Hanover, Cologne and Nuremberg. It is still unclear who is behind the attacks.

Lockbit allegedly stole data from Boeing

The cyber group Lockbit claims to have stolen a large amount of sensitive data from the aircraft manufacturer Boeing. A Boeing spokesperson told the news agency Reuters that the case is currently being investigated. The US-based Boeing Group is active in both the civil and military sectors as a manufacturer of aerospace technology and processes highly sensitive data.

Attack on municipal IT service provider: 72 towns and municipalities affected

Due to a cyber attack on the municipal IT service provider "Südwestfalen-IT" on October 30, the IT systems of 72 municipalities in South Westphalia have been severely affected. The attackers infected the IT service provider's systems with ransomware. To prevent the encryption Trojan from spreading further, the data center's connection to and from all of the association's municipalities was cut.

Cyber attack on Degenia: IT infrastructure offline

Due to a serious cyberattack, the cover concept provider Degenia was forced to take its IT infrastructure offline at the beginning of October. The measure was intended to prevent further damage as a result of the attack. The recovery work on the systems is still ongoing (as of 26.10.2023).

Another data theft from NATO portals

For the second time in just a few months, attackers have apparently succeeded in penetrating NATO's IT systems and stealing sensitive information. According to the group Siegedsec, this time they managed to steal 9 GB of data, which they subsequently published. The more than 3,000 files allegedly originate from six different NATO web portals.

After cyber attack: Frankfurt University Hospital struggles with massive restrictions in hospital operations

Frankfurt University Hospital has been offline for weeks following a cyberattack. Although the basic IT systems within the hospital continue to function, they are disconnected from the internet. This makes online appointments, email communication and reading health cards impossible. However, there are no restrictions on patient care.

Cyberattack on utility companies in the Sauerland region

The municipal utilities Hochsauerlandwasser (HSW) and HochsauerlandEnergie (HE) were the target of a cyberattack at the beginning of October, in which parts of the IT infrastructure were infected with malware. As a result, some services for customers were only available to a limited extent. The billing service and financial accounting were also affected. However, the supply of water, electricity and gas was not at risk at any time.

Karlsruhe University of Applied Sciences only partially accessible after cyberattack

Karlsruhe University of Applied Sciences (HKA) was hit by a cyberattack at the beginning of October. For security reasons, the university took its entire IT infrastructure offline as a precaution. As a result, HKA's website, e-learning platform and email server were unavailable for weeks.

Best Practice, Defense & Mitigation

Basic protection: BSI provides cybersecurity checklists for local authorities

The German Federal Office for Information Security (BSI) has launched the "Weg in die Basis-Absicherung" (WiBA) project. To make it easier for local authorities to get started with IT baseline protection, the BSI is offering 19 checklists for download. Using simple test questions, local authorities can identify and implement the most urgent security measures themselves.

BaFin launches information platform on DORA regulation

The German Federal Financial Supervisory Authority (BaFin) is offering a new information platform for the most important regulations and news relating to the European DORA regulation. The Digital Operational Resilience Act has been in force since the beginning of the year and aims to strengthen the operational resilience of banks, financial service providers and insurers. To this end, the regulation introduces a harmonized set of rules that addresses the following key areas: ICT risk management, reporting, resilience testing, third-party ICT risks, information sharing and governance.

Investigating authorities dismantle Ragnar Locker infrastructure

International investigative authorities have succeeded in striking a blow against the ransomware group Ragnar Locker. Among other things, server infrastructure in Germany, the Netherlands and Sweden was seized. In Germany alone, the group is responsible for damage amounting to at least 760,000 euros, according to the LKA Saxony.

International Criminal Court strengthens IT security measures

Following a cyber attack on its IT systems in September, the International Criminal Court has expanded its defensive measures. According to the court, the evidence available so far points to "a targeted and advanced attack with the aim of espionage". However, there is no reliable information about the attackers as yet.

Things to know

Field report: How the city of Witten dealt with a ransomware attack

In October 2021, there was a ransomware attack on the city of Witten in North Rhine-Westphalia. As a result, all data and systems were encrypted and no longer functional. It took around a year to rebuild and replace the IT systems. The former IT manager describes how he dealt with this incident in a personal experience report.
