May 13th: BKA Germany 2021 Cybercrime Report ++ Critical Vulnerability in f5 BIG-IP Systems ++ Microsoft Domain Controller – Update Immediately!

BKA Germany 2021 Cybercrime Report

It’s that time of the year again: Germany’s Federal Criminal Police Office (BKA) has published its report on the country’s cybercrime rates, facts and figures. Unfortunately, the current report shows once again that the trend of recent years has continued.

The question of which topics belong on the roadmap and how they can be tackled keeps coming up among our customers. EDR and MDR in particular have seen strong development at many providers. These services make protection accessible for smaller companies and raise the level of security – but the focus is often on technical topics, while areas such as an ISMS, an IT emergency plan or awareness are easily forgotten. Instead, we should be raising the overall level of security, technically and organizationally, according to the risk classification. Don’t nail the door shut and leave the window open.

But back to the BKA cybercrime report. Here’s what you need to know:

Recorded cybercrimes continue to rise – by over 12% in 2021
Meanwhile, the clearance rate is just under 30%. Possible explanations for this development include an increase in the number of actual cybercrime incidents and the fact that perpetrators are making use of the crime opportunities offered by the underground economy. The Corona pandemic is considered a possible “accelerant” due to the surge in digitization it brought to our everyday workflows. The question remains whether crimes are shifting from the analog into the digital space, and whether an increased willingness to report crimes contributed to the growing statistics – knowing full well that there is still a considerable number of unreported cases out there.

Ransomware carries the highest damage potential in the area of cybercrime
The threat potential of ransomware unfortunately continues to grow. In addition to the enormous damage potential, ransomware is also gaining relevance in the field of cybercrime due to constantly rising case numbers. Double extortion has now established itself as the standard modus operandi: the systems are encrypted while the attackers simultaneously threaten to publish sensitive data.

A booming underground economy
The underground economy refers to platforms and services used by (cyber)criminals to offer or take advantage of data, know-how, tools and jobs for criminal purposes. The BKA states that incriminated goods and services are increasing in scope and quality, while the entry barriers for offenders are crumbling. A whole new model of cybercrime has been defined as “Crime-as-a-Service” – Initial Access Brokers, for example. In case you didn’t already know: IABs act as middlemen, breaching company networks for crypto mining or data theft. Here, again, the Corona pandemic comes into play, with a whole new market for fake vaccination certificates having kept the Feds busy.

DDoS attacks continue to rise in quantity and quality
The number of DDoS attacks shows strong seasonal fluctuations. The first and last quarters of 2021 had the highest average number of attacks, likely connected to the increased relevance of e-commerce platforms around Black Friday and Christmas. In 2021, more multi-vector attacks, so-called carpet-bombing and a combination of DDoS and ransomware attacks were detected. The detectable execution of downstream DDoS attacks after infection with ransomware gives DDoS attacks even greater relevance than in the previous year.

Broad range of targets
Almost every industry became a target of cybercrime in 2021. According to a representative survey conducted by Bitkom e.V., 88% of the commercial companies surveyed stated that they had been affected by cybercrime, espionage or sabotage. In 2019, this figure was still 75%. The probability of companies being targeted and affected by cybercrime keeps increasing.

Billions worth of damage – and the trend is rising
The cybercrime losses in Germany calculated by the industry association Bitkom e.V. totaled EUR 223.5 billion in the 2020/2021 reporting period, more than twice as much as in 2018/2019. In the area of ransomware alone, the damage reported by respondents has risen to EUR 24.3 billion since the last Economic Protection Report in 2019. Damage resulting from data leaks cannot be directly quantified in this context. The scale of the damage caused by cyberattacks clearly shows that they can lead to existentially threatening situations and emergencies, especially for companies.

State-of-the-art technology paired with innovative methodology enables investigative successes
Law enforcement and companies know each other but cooperate only to a limited extent; criminals do not know each other but cooperate trustingly – even across national borders. There is hope, though: the investigations against the Emotet network in particular show how action can continue to be taken against malware infrastructures in the future. A decisive factor for that success was the outstanding cooperation at the national level and between law enforcement agencies, IT security authorities and the private sector.

What do we take away from this?
We’d rather tell you that we have a solution that will keep you safe and protected, but in all honesty, there is never a 100% guarantee. What we can do is define the steps you can take to protect yourself and your company as well as possible. Let’s connect and see how we can support you in securing your data and thus your company’s success!

If you love statistics as much as we do and want to take a deep dive into the report, find it here (German version only, so far):

Bundeslagebild Cybercrime 2021 | bka.de

Critical Vulnerability in f5 BIG-IP Systems – Update Immediately

Last week, the network equipment manufacturer f5 published an advisory for the vulnerability CVE-2022-1388 (mitre.org). It allows unauthenticated attackers with network access to the BIG-IP system via the management port or self IP addresses to execute arbitrary system commands, create or delete files, and disable services.

Due to the severity of the vulnerability and the widespread use of BIG-IP products in critical environments, CISA (Cybersecurity and Infrastructure Security Agency) has issued a warning.

See affected versions below:

  • BIG-IP versions 16.1.0 to 16.1.2
  • BIG-IP versions 15.1.0 to 15.1.5
  • BIG-IP versions 14.1.0 to 14.1.4
  • BIG-IP versions 13.1.0 to 13.1.4
  • BIG-IP versions 12.1.0 to 12.1.6
  • BIG-IP versions 11.6.1 to 11.6.5

BIG-IQ Centralized Management, F5OS-A, F5OS-C and Traffix SDC do not appear to be affected.

How can I fix the security vulnerability?

f5 has released fixes in v17.0.0, v16.1.2.2, v15.1.5.1, v14.1.4.6 and v13.1.5. According to our sources, the 12.x and 11.x branches will not receive a patch.

Options to mitigate the risk:

  • update, if possible
  • block iControl REST access through the self IP addresses
  • block iControl REST access through the management interface
  • modify the BIG-IP httpd configuration
  • search for indicators of compromise (IoCs)
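To support the first step (update, if possible), here is an added Python example that is not code from f5 or CyberCompare: it checks BIG-IP version strings from an inventory against the affected ranges and fixed releases listed in this article. The version lists are transcribed from the text above; the host names and versions in SAMPLE_INVENTORY are constructed sample data, not real systems. It goes slightly beyond the list by handling point releases that sit between the end of an affected range and the branch's fixed release (for example 16.1.2.1), which a naive range check would miss.

```python
"""Triage BIG-IP version strings against the CVE-2022-1388 advisory data.

Added example, not code from f5 or CyberCompare. AFFECTED and FIXED are
transcribed from the advisory summary in the article; SAMPLE_INVENTORY is
constructed sample data with hypothetical host names.
"""
from typing import Dict, Optional, Tuple

Version = Tuple[int, ...]

# Inclusive affected ranges per major branch, as listed in the article.
AFFECTED: Dict[int, Tuple[Version, Version]] = {
    16: ((16, 1, 0), (16, 1, 2)),
    15: ((15, 1, 0), (15, 1, 5)),
    14: ((14, 1, 0), (14, 1, 4)),
    13: ((13, 1, 0), (13, 1, 4)),
    12: ((12, 1, 0), (12, 1, 6)),
    11: ((11, 6, 1), (11, 6, 5)),
}

# First fixed release per branch; 12.x and 11.x receive none (per the text).
FIXED: Dict[int, Version] = {
    17: (17, 0, 0),
    16: (16, 1, 2, 2),
    15: (15, 1, 5, 1),
    14: (14, 1, 4, 6),
    13: (13, 1, 5),
}


def parse_version(text: str) -> Version:
    """'16.1.2' -> (16, 1, 2, 0): numeric components, zero-padded to four so
    that point releases compare correctly against shorter range bounds."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"not a BIG-IP version string: {text!r}")
    v = tuple(int(p) for p in parts)
    return v + (0,) * (4 - len(v))


def fmt(v: Version) -> str:
    return ".".join(str(n) for n in v)


def assess(version_text: str) -> Dict[str, str]:
    """Classify one version as 'fixed', 'affected' or 'not listed' and state
    the action that follows from the advisory summary."""
    v = parse_version(version_text)
    branch = v[0]
    fix: Optional[Version] = FIXED.get(branch)
    result = {"version": version_text}
    # Anything at or above the branch's fixed release is fine.
    if fix is not None and v >= fix:
        result.update(status="fixed", action="none")
        return result
    rng = AFFECTED.get(branch)
    if rng is not None:
        lo, hi = rng
        # Compare only as many components as the range end has, so a point
        # release such as 16.1.2.1 (between 16.1.2 and the 16.1.2.2 fix)
        # still counts as affected.
        if v >= lo and v[: len(hi)] <= hi:
            if fix is None:
                result.update(status="affected",
                              action="no fix for this branch: apply the "
                                     "mitigations and migrate to a fixed branch")
            else:
                result.update(status="affected", action=f"update to {fmt(fix)}")
            return result
    result.update(status="not listed",
                  action="not covered by the advisory summary; "
                         "verify against the vendor advisory")
    return result


def triage(inventory: Dict[str, str]) -> Dict[str, Dict[str, str]]:
    """Run assess() over a host -> version map."""
    return {host: assess(ver) for host, ver in inventory.items()}


# Constructed sample inventory (hypothetical host names and versions).
SAMPLE_INVENTORY = {
    "lb-edge-01": "16.1.2",
    "lb-edge-02": "16.1.2.2",
    "lb-dc-01": "15.1.5",
    "lb-legacy-01": "12.1.6",
    "lb-lab-01": "17.0.0",
    "lb-old-01": "11.5.4",
}

if __name__ == "__main__":
    for host, r in triage(SAMPLE_INVENTORY).items():
        print(f"{host:13} {r['version']:9} {r['status']:11} {r['action']}")
```

Feed it the output of your asset inventory (host to version) instead of SAMPLE_INVENTORY; versions that come back "not listed" are outside the ranges this article reproduces and should be checked against the f5 advisory directly rather than assumed safe.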

Threat actors have begun exploiting this vulnerability, which affects multiple versions of all F5 BIG-IP modules, on a massive scale to drop malicious payloads. Such an attack could be used to steal corporate data or to deploy ransomware to all devices on the network. So act now and update your systems immediately!

As always, if you want to find out more, visit our source sites:

F5 Releases Security Advisories Addressing Multiple Vulnerabilities | CISA

BIG-IP iControl REST vulnerability CVE-2022-1388 | f5.com

Hackers exploiting critical F5 BIG-IP bug, public exploits released | bleepingcomputer.com

Jetzt patchen! F5 BIG-IP-Systeme werden aktiv angegriffen | heise online

Angreifer könnten die volle Kontrolle über F5 BIG-IP-Systeme erlangen | heise online

Critical F5 BIG-IP vulnerability exploited to wipe devices | bleepingcomputer.com

Calling all Admins: Update Microsoft Domain Controller Immediately

The Microsoft Windows vulnerabilities published on May 10th are currently being actively exploited by attackers.

Admins of Windows-based domain controllers should pay special attention and patch their systems quickly. Due to a flaw in the domain controller logon process (CVE-2022-26925 – Security Update Guide), an attacker could gain access to the logical network path. By calling a certain method of the LSARPC interface, attackers can make domain controllers authenticate to them via NTLM. From this man-in-the-middle position, they are able to eavesdrop on connections. This is the scenario attackers are currently exploiting; the extent of the attacks is unknown for now.

This method can be combined with an NTLM relay attack; because of that combination, the threat level is rated “critical”. To prevent this, admins should follow Microsoft’s mitigation guidance:

ADV210003 – Security Update Guide – Mitigating NTLM Relay Attacks on Active Directory Certificate Services (AD CS)

Client, Windows Kerberos and Windows Network File System as critical. Also publicly known are vulnerabilities in Hyper-V (CVE-2022-22713, rated “medium”) and in the Magnitude Simba Amazon Redshift ODBC Driver (CVE-2022-29972). Anyone using this third-party solution should take a look at the Microsoft article on the problem: Vulnerability mitigated in the third-party Data Connector

Not updated YET? What are you waiting for!?

Stay safe and – if you love diving in deeper – check out our source material:

Microsoft patches Windows LSA spoofing zero-day under active attack | Help Net Security

Microsoft Warns of Active Exploitation of CVE-2022-26925 | Binary Defense

The things that are better left unspoken | dirteam.com

Microsoft Releases Fix for New Zero-Day with May 2022 Patch Tuesday Updates | thehackernews.com


Is cybersecurity a topic of interest for your company? As an independent entity with a portfolio of proven security providers, CyberCompare can provide you with comparative offers at no charge and with no obligation. Reach out to us or use our diagnostic to learn more about your cyber risk profile.

Please remember: this article is based on our knowledge at the time it was written – but we learn more every day. Do you think important points are missing, or do you see the topic from a different perspective? We would be happy to discuss current developments in greater detail with you and your company’s other experts and welcome your feedback and thoughts.

And one more thing: the fact that an article mentions (or does not mention) a provider does not represent a recommendation from CyberCompare. Recommendations always depend on the customer’s individual situation.