“The biggest bunker won’t help if the key’s left in the lock.”

11 July 2019

In the age of digitalisation, it is no longer a question of whether a company will be attacked, but only of when it becomes the victim of a cyber-attack. According to a study conducted by Bitkom Research[1], two thirds of all companies in Germany have already been attacked by cyber criminals. Philipp Zeh, Manager Competence Center & Professional Services IT Security at Konica Minolta Business Solutions Deutschland GmbH, explains what the most common cyber risks are for companies and how they can protect themselves.


Interview with Philipp Zeh, Manager Competence Center & Professional Services IT Security, Konica Minolta Business Solutions Deutschland GmbH


Mr. Zeh, what attacks can companies expect?
Classic ransomware attacks in particular have taken place quite frequently in recent years. Affected persons receive an e-mail with an attachment, an invoice, for example. If employees click on this attachment, they start a macro. This in turn starts a script that implements a service and reloads the actual malware that encrypts the data. If no backup is available, the only option available to the company is to pay the ransom so that the data can be released again. However, we do not advise this because paying the ransom is risky and shows the cyber criminals that a second blackmail attempt could probably also be successful.

Why doesn’t the antivirus software detect the malware?
At the time the service is activated, it is not a virus, so it will not be detected. For the system, this is a permitted Office function.
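The two answers above describe the same chain from two angles: an attachment starts a macro, the macro starts a script, and the script installs a service and fetches the real malware, while the antivirus sees only a permitted Office function. What a defender can watch instead is the process relationship itself, because Word or Excel launching a script interpreter is rare in normal office work. The following detection logic is an added example written for this page, not code from the interview or from Konica Minolta; it assumes process-creation events exported as JSON lines in the field names Sysmon uses (EventID, ParentImage, Image, CommandLine, User), and the sample events are constructed.

```python
import json
import ntpath

# Office applications that should not normally launch script interpreters
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Interpreters and system binaries a macro dropper typically chains into
SCRIPT_CHILDREN = {"powershell.exe", "wscript.exe", "cscript.exe", "cmd.exe",
                   "mshta.exe", "regsvr32.exe", "rundll32.exe"}
# Command-line fragments typical of a hidden, encoded downloader stage
DOWNLOADER_HINTS = ("-enc", "-w hidden", "-windowstyle hidden", "-nop", "downloadstring")


def base_name(path):
    """Lower-cased file name of a Windows path (ntpath handles backslashes on any OS)."""
    return ntpath.basename(path).lower()


def classify(event):
    """Return the reasons an event looks like an Office macro launching a script stage.

    An empty list means the event is not interesting for this rule."""
    if event.get("EventID") != 1:          # only process-creation events matter here
        return []
    parent = base_name(event.get("ParentImage", ""))
    child = base_name(event.get("Image", ""))
    if parent not in OFFICE_PARENTS or child not in SCRIPT_CHILDREN:
        return []
    reasons = [f"{parent} spawned {child}"]
    cmd = event.get("CommandLine", "").lower()
    hints = [h for h in DOWNLOADER_HINTS if h in cmd]
    if hints:
        reasons.append("command line contains " + ", ".join(hints))
    return reasons


def scan(lines):
    """Parse JSON-lines process events; return (user, reasons) for each suspicious chain."""
    alerts = []
    for line in lines:
        event = json.loads(line)
        reasons = classify(event)
        if reasons:
            alerts.append((event.get("User", "?"), reasons))
    return alerts


# Constructed sample export (not real telemetry) in the shape a Sysmon forwarder emits
SAMPLE_EVENTS = [
    {"EventID": 1, "User": "CORP\\jdoe",                       # macro -> hidden PowerShell
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc QUJDREVGRw=="},
    {"EventID": 1, "User": "CORP\\asmith",                     # macro -> cmd.exe
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c start invoice.vbs"},
    {"EventID": 1, "User": "CORP\\jdoe",                       # user opens Word: benign
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": "WINWORD.EXE /n invoice.docm"},
    {"EventID": 1, "User": "CORP\\jdoe",                       # Word printing helper: benign
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\splwow64.exe",
     "CommandLine": "splwow64.exe 12288"},
    {"EventID": 3, "User": "CORP\\jdoe",                       # network event: not a process start
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]
SAMPLE_LINES = [json.dumps(e) for e in SAMPLE_EVENTS]

if __name__ == "__main__":
    for user, reasons in scan(SAMPLE_LINES):
        print(user, "->", "; ".join(reasons))
```

The rule fires on the parent/child pair, not on a file hash, which is why it still catches the "permitted Office function" stage that signature-based antivirus lets through; the command-line hints only add context to the alert.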

As a security service provider, how do you help your customers deal with these types of problems?
We try to isolate and contain the ransomware. If there is a backup, we use it to recover the files. However, practice shows that unfortunately backups do not always exist. We had such a case, for example, with a large maintenance service provider. Here, too, there were no backups. Although we were able to identify the infected system, we were unable to recover the data that the company absolutely needed. As we learned later, the customer ultimately transferred tens of thousands of euros to the blackmailer.

How does such a payment take place?
The encrypted files usually contain an information file. It tells you where to go. In the case of our customer, the information file contained a telephone number for him to call. At the other end of the line, there was a very friendly, nice lady who gave him the account details for the ransom transfer. After the money was transferred, he got the key to release the data again.

Isn’t it possible to find the ransom blackmailer by tracking the phone number?
If the owner was based in Germany, that would definitely be possible. But the ransom blackmailers are mostly located abroad, in Eastern Europe, for example. It may still be possible to determine a location via the geo-location, but since they use pre-paid numbers that are not registered anywhere, the holder cannot be identified. Moreover, the German public prosecutor’s office and police have no authority there.

What other cyber-attacks affect your customers?
The EMOTET banking Trojan is currently a major threat. Some of our customers have already been hit by it. Actually, this Trojan has been around for more than a year, but it has become “smarter” and therefore even more dangerous. If a system is infected, EMOTET automatically reads the address books and sends itself to the people with whom the victim has particularly close contact. At the same time, the Trojan analyses past e-mails with these persons and creates an e-mail text based on the most frequently used words. This makes it difficult for the recipient to recognise that an e-mail is a Trojan.

What does EMOTET do in concrete terms?
We had a case where a customer had sent a PDF invoice to one of his customers. When he then found no receipt of payment, he contacted his contact person. He was able to prove that the money had been transferred to the bank account on the invoice. However, EMOTET was active and intercepted the invoice as a man-in-the-middle attack. The footer of the invoice was changed and other bank data was entered. The end customer thus transferred money directly to the account of the attacker, who immediately withdrew it. Therefore, no chargeback was possible. Companies then often have to bear the costs they have suffered. Even if they have insurance, it usually rejects a reimbursement because it can prove gross negligence or a lack of protection mechanisms.

How can companies protect themselves against these cyber-attacks?
There’s no such thing as one hundred percent protection. Due to the increased and highly complex danger situation, it is advisable to ensure the necessary reaction speed and transparency by taking a strategic approach. Only when companies discover an attack can they react to it. In addition to appropriate monitoring, they also need a suitable process chain to analyse incidents. The basis for this is a strategic approach consisting of processes, people and technologies. Only if these three aspects are integrated can the level of security be increased. One very important aspect is sensitising employees. This is because a ransom product is usually installed because employees click on something or open e-mail attachments without worrying about the risks involved. That’s why it’s so important to educate employees – including how to assign passwords. We have often found out with penetration tests at our customers that passwords are far too weak. In fact, the password “12345” is still often assigned. Such a password can be cracked with an appropriate programme within seconds. There is no point in building the largest bunker if the key is left in the lock. That should be clear to everyone. Unfortunately, practice still shows a different picture.
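The answer above ends on password hygiene: a password such as "12345" is still assigned and falls within seconds. A password policy can reject such choices at the moment they are set, which is cheaper than educating people after the fact. The following checker is an added example written for this page, not code from the interview or from Konica Minolta; the deny-list is a constructed stand-in for a real breached-password corpus, and the guess rate of 10^10 per second is an assumption standing in for an offline cracking rig.

```python
import string

# Constructed deny-list; in practice this is a large corpus of leaked passwords
COMMON_PASSWORDS = {"123456", "12345", "password", "passwort", "qwerty",
                    "111111", "sommer2019", "welcome"}
MIN_LENGTH = 12
ASSUMED_GUESSES_PER_SECOND = 1e10      # assumption: offline attack on a fast hash


def charset_size(pw):
    """Size of the smallest character class set that covers every character in pw."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)    # 32 printable ASCII symbols
    return size


def brute_force_seconds(pw, guesses_per_second=ASSUMED_GUESSES_PER_SECOND):
    """Worst-case seconds to exhaust the keyspace the password is drawn from."""
    return charset_size(pw) ** len(pw) / guesses_per_second


def check_password(pw, min_length=MIN_LENGTH):
    """Return the list of policy violations; an empty list means the password is acceptable."""
    if not pw:
        return ["empty"]
    reasons = []
    lowered = pw.lower()
    # "Password1!" is still "password": strip trailing digits and symbols before the lookup
    stripped = lowered.rstrip(string.digits + string.punctuation)
    if lowered in COMMON_PASSWORDS or stripped in COMMON_PASSWORDS:
        reasons.append("matches a common password")
    if len(pw) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if pw.isdigit():
        reasons.append("digits only")
    if brute_force_seconds(pw) < 86400:
        reasons.append("whole keyspace searchable in under a day")
    return reasons


if __name__ == "__main__":
    for candidate in ("12345", "Password1", "Tr0ub4dor&3", "correct horse battery staple"):
        print(f"{candidate!r}: {check_password(candidate) or 'ok'}")
```

The deny-list check comes first on purpose: a long password that appears in a leak is already known to attackers, so keyspace arithmetic says nothing useful about it.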

So, employees are still a risk for companies?
In particular, older employees who have not grown up with computers and the Internet do not have an awareness of the current cyber dangers. In addition, there is another aspect: there are also employees who deliberately want to harm their company. This is not as rare as one would think. For example, we had a case in which an employee sabotaged his company by simply making complete bookings in the system disappear after the goods had been delivered. Our customer then wondered why he had not received any payment for his delivery. The end customer in turn informed him that he could not pay because the delivery had arrived without a delivery note and invoice. When our customer searched his ERP system for the transaction, he discovered that it had been deleted by the administrator. This could be traced in the system in an audit-proof manner. Since only three people had admin rights, the culprit was found quickly, but it was impossible to prove he was guilty. Our customer then actually had to pick up the goods from his customer at high cost, re-book them and then repeat the entire process. This is just one example of what employees with admin rights can do.

And what can companies do in such a case?
It is very important to regulate access rights clearly. Every employee should only be allowed to do what he needs for his job. This already makes it possible to limit a lot of potential problems. Of course, employees who have admin rights are given special freedoms, but these must also be controlled. But one thing should always be clear: If a person wants to harm a company, he will always find a way to do so.
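The two answers above make two points: each employee should only be able to do what the job needs, and the freedoms of administrators must themselves be controlled and traceable, because in the ERP case a deletion was visible in the audit trail but could not be pinned on one of three administrators. The following authorization model is an added example written for this page, not code from the interview or from Konica Minolta; the roles, actions and booking numbers are constructed, and the design choices (deny by default, a second person for destructive actions, a hash-chained audit log) are assumptions about how such a system could be built.

```python
import hashlib
import json
from dataclasses import dataclass

# Deny by default: each role lists exactly the actions it needs (constructed example roles)
ROLE_PERMISSIONS = {
    "sales":      {"booking:create", "booking:read"},
    "accounting": {"booking:read", "booking:delete", "invoice:create"},
    "admin":      {"booking:read", "user:manage"},   # runs the system, does not keep the books
}
# Actions destructive enough to require a second, independent person (four-eyes principle)
DUAL_CONTROL = {"booking:delete", "user:manage"}


@dataclass(frozen=True)
class Principal:
    name: str
    roles: frozenset


class Authorizer:
    def __init__(self):
        self.audit = []          # append-only, hash-chained log of every decision

    def allowed(self, principal, action):
        return any(action in ROLE_PERMISSIONS.get(role, set()) for role in principal.roles)

    def _record(self, entry):
        """Append an entry whose hash covers its content and the previous entry's hash."""
        entry["prev"] = self.audit[-1]["hash"] if self.audit else "0" * 64
        entry["hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self.audit.append(entry)

    def perform(self, principal, action, target, approver=None):
        """Decide and log; dual-control actions need a distinct approver who also holds the right."""
        decision = self.allowed(principal, action)
        if decision and action in DUAL_CONTROL:
            decision = (approver is not None
                        and approver.name != principal.name
                        and self.allowed(approver, action))
        self._record({"actor": principal.name,
                      "approver": approver.name if approver else None,
                      "action": action, "target": target, "allowed": decision})
        return decision

    def verify_chain(self):
        """True if no entry was altered or removed since it was written."""
        prev = "0" * 64
        for entry in self.audit:
            body = {k: v for k, v in entry.items() if k != "hash"}
            expected = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if entry["prev"] != prev or entry["hash"] != expected:
                return False
            prev = entry["hash"]
        return True


def demo():
    """Replay the ERP scenario: who can make booking B-1001 disappear, and under what conditions."""
    auth = Authorizer()
    admin = Principal("admin1", frozenset({"admin"}))
    clerk = Principal("clerk1", frozenset({"accounting"}))
    clerk2 = Principal("clerk2", frozenset({"accounting"}))
    results = {
        "admin_delete_alone": auth.perform(admin, "booking:delete", "B-1001"),
        "clerk_delete_alone": auth.perform(clerk, "booking:delete", "B-1001"),
        "clerk_delete_self_approved": auth.perform(clerk, "booking:delete", "B-1001", approver=clerk),
        "clerk_delete_four_eyes": auth.perform(clerk, "booking:delete", "B-1001", approver=clerk2),
        "admin_read": auth.perform(admin, "booking:read", "B-1001"),
    }
    return auth, results


if __name__ == "__main__":
    auth, results = demo()
    for name, outcome in results.items():
        print(f"{name}: {'allowed' if outcome else 'denied'}")
    print("audit chain intact:", auth.verify_chain())
```

With this split, an administrator cannot delete a booking at all, a bookkeeper needs a named colleague to do so, and every attempt, allowed or denied, lands in a log whose entries cannot be edited afterwards without breaking the chain. That turns "one of three admins did it" into a record naming two people.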

Are companies still too naive in this respect?
Yes, unfortunately we often see that especially small and medium-sized enterprises are not aware of the dangers. For example, we were commissioned by a customer to carry out a penetration test in order to determine the sensitivity of networks or IT systems to intrusion and manipulation attempts through targeted attacks. Here, similar methods and techniques are used as those used by cyber criminals to penetrate a system without authorization. We found a network area at the customer’s site where IP access was possible without entering a password. This enabled us to directly access the production plant and view the machine control surface online. If we had wanted to, it would have been easy for us to manipulate the machine or switch it off completely. Such a failure can be life-threatening for SMEs. Our customer didn’t even know that these accesses existed. We then contacted the manufacturer of the machine, who confirmed that these were maintenance accesses. He thought if he didn’t tell anyone about it, nobody would know and so nobody would have access to it. But that’s far from true. With today’s scanners, it’s relatively easy to find and use these access points.

Larger corporations, on the other hand, are generally better protected and have a more holistic security concept. A simple collection of security products is no longer enough to contain today’s cyber threats. Companies must take a strategic approach to corporate security. External security experts such as Konica Minolta help companies to implement a sustainable security concept.

[1] Bitkom research 2017: Status quo IT-Sicherheit in deutschen Unternehmen