Cybercrime Trends 2018: Upcoming dangers in the coming year

Cybercrime Trends 2018: Upcoming dangers in the coming year

A look into the future can be worthwhile. Especially with regards to cybercrime, it is advantageous if companies already know at least approximately what they can expect in the year to come. Because so far each year was characterized individually by different scenarios of threats.

For example, the year 2016 was still considered the golden age of phishing, as can be seen from an article by heise online. 2017 brought us a change in trend and was particularly strongly influenced by ransomware attacks such as WannaCry, Bad Rabbit and NotPetya. So what can or should we expect for 2018? Let’s take a glimpse.

Cryptocurrencies in the focus

At least one thing can already be said: In 2018, new and more complex methods of attack will set new standards again. The cryptojacking attacks, which are already growing rapidly in numbers, could for example be influential for the coming year. Cryptojacking is an attack method in which cybercriminals hijack foreign computers in order to dig for cryptocurrencies, mostly bitcoins.

It can be enough to visit one of more than 50,000 websites that contain the malicious code. They contain a tiny javascript piece of the cryptomining service “Coinhive”, which automatically causes the computers to “dig” cryptocurrencies for the hackers. The performance of the processor of affected devices is demanded in such a way that they can hardly be used for other activities.

Given the persistently high price of cryptocurrencies, it is also likely that there will be new types of ransomware in 2018 that specialize in blackmailing Bitcoin and others. New targets could be smart devices such as televisions or mobile phones with Android system software, as these are particularly easy to hijack for hackers.

Macros and exploits still cause trouble

The attacks with harmful scripts that cybercriminals particularly like to hide in Office files, will probably continue to accompany us in 2018.

They tend to communicate consistently with compromised websites from different devices. For example, the attackers use PowerShell to perform command-and-control activities to achieve the desired effect that way.

In particular, our security lab gives warning of attacks that use exploits. Unlike macros, these require less or even no user interaction to infect the system. This method often exploits vulnerabilities in popular software shortly after they are released. If the victims’ systems have not been updated yet, then the hackers will have an easy job.

The “Internet of Things” is much loved – also among cybercriminals

The “Internet of Things” has by now been on everyone’s lips. The interconnection of objects is not only popular among technophiliacs. Increasingly, cybercriminals also take their pleasure in it. This is simply due to the fact that many of the wireless connected devices are not quite up to date in terms of safety.

The “Mirai botnet” has already shown us impressively, how vulnerable unsafe configured IoT devices can be. It seized millions of Internet-related everyday devices such as routers, observation cameras and even toasters. This was followed by a large-scale of DDoS attacks, which even occasionally led to disruptions at Amazon, Netflix or Twitter, therefore even striking very popular Internet services.

Even branches such as the medical sector are taking more and more use of the Internet of Things. Because it is convenient to connect medical devices to the Internet, for example to digitize medical records. However, the resulting dangers should not be underestimated.

Conclusion: Taking the right precautions saves a lot of trouble

As threatening as the new developments may seem: Companies that already use a sophisticated and proven IT security concept have only little to fear.

By contrast, the mere use of antivirus software does not ensure a safe IT infrastructure. On the contrary, the use of traditional anti-virus programs can even have a negative impact on a company’s IT security, as we have previously reported.

In fact, considerably more things matter: Efficient IT security concepts are based in particular on prevention and the use of effective IT security solutions. Cloud-based IT security solutions, such as the services provided by Hornetsecurity, play an increasing role in this. They safeguard you against even the most sophisticated cyberattacks, so that not even ransomware and others can throw your business off track.

Additional information:

DDoSage too high for your own protection measures

DDoSage too high for your own protection measures


When Denial-of-Service-attacks paralyze organizations


You often read news reports which state that a DDoS attack was responsible for the breakdown of a company’s website. Such an attack uses hijacked systems to intentionally generate a flood of data which paralyzes a company. Amongst others, email servers are frequently subject to DDoS attacks.


These attacks lead to the unavailability of websites and other services for a certain period of time. This outage of service can span from a few minutes to a few hours and even multiple days. Downtime – a nightmare for every organization.


DDoS attacks are not only able to hit the IT-structures of big international firms, which usually have well-engineered security concepts, they can harm smaller companies as well. Public institutions, administrations and authorities are also targets of these attacks. The reasons behind them are manifold: They can be traced back to the pure enjoyment of ‘destruction’, but the intentional harm of competitors or foreign governments can also be motives for these actions. Even hate and vengeance often cannot be ruled out here. For this reason, resorting to a reliable security system is inevitable.


DDoS attack: Digital vandalism impairs reputation


Each second in which, for instance, a mail server or certain kinds of website services are unavailable is expensive for an organization. This is especially true for companies which primarily process their transactions and offer their products and services online. The same goes for business divisions which handle their customer support services using email. The costs, however, do not only derive from the lost revenue during downtime. Having to quickly take measures of defense and potentially needing assistance from external experts can likewise become a cost driver. On top of everything, the impairment of the company’s reputation is another problem.


A company which the customer does not trust will not be able to have a solid long-term business base. For this reason, it is understandable that nearly 50 percent of affected companies keep quiet in the event of a cyber-attack. The fear of having to publicly admitting to a damage of their image is too severe.


This form of damage control might work in cases of simple cyber-crimes. It does not suffice however when it comes to DDoS attacks or forms of attacks that are a lot more complex. That is because these attacks do not only disrupt the activities and processes of the business unit, but often also cut through to the outside. Customers then notice these disruptions since they are directly affected by them as well.


Reliable IT security concepts are the solution


Companies should therefore be ready for DDoS attacks and every other form of cyber-attack. Security solutions such as the Hornetsecurity spam filter service are able to recognize a DDoS attack on a mailing server early enough and to fend them off. In the case of more complex forms of attack, like ransomware or identity theft, it is recommendable to use Advanced Threat Protection. This is a security solution which reliably recognizes and inhibits ransomware, blended and targeted attacks as well as digital espionage. Advanced Threat Protection’s (ATP) special analysis engines ensure this process. You can learn more about this here.


How can companies protect themselves from a DDoS attack?


But back to DDoS attacks. To prevent these, companies and authorities should take certain security precautions. What to do to effectively protect oneself from a DDoS attack.


1. The explosiveness of a DDoS attack


In principle, every organization can become the target of such an attack. Ultimately every firm and every administration must ask itself: “What would be the consequences of an outage of the mail server for me?” This question is important as the force of a DDoS attack can take shape in different strengths in the business environment. Downtime will be severely worse for a retailer who manages his shop online, compared to a local craftsman’s establishment. The result however is not much different for either of them. In the end, both want to maintain communication with their customers via email. For this reason a security concept is absolutely essential.


2. IT risk management


It is also important that the company takes precautions and implements specific courses of action in case of a DDoS attack. Should it come to a cyber-attack, a contact person should be immediately available. This could be an IT security officer in the company itself or an external employee of an IT service company, which offers appropriate security services and looks after IT security management.


3. Response to blackmail


Similar to ransomware, a successful DDoS attack, as a popular method, can be attached to a claim for money. This is a profitable business model for cyber criminals. This is especially true because the affected companies often agree to the offenders’ claims to avoid allegedly severe consequences. The BSI advises not to be susceptible to blackmail and to refuse to pay these respective sums of money. Instead, those affected should get the police involved and get support from professional IT security experts.


4. Implementation of defensive measures


The most important measure to avoid a DDoS attack is to not let it occur in the first place. For this purpose a competent IT security solution is vital – ideally, one that is cloud-based. The reason for this is that these providers have a much more powerful infrastructure and are able to parry even severe attacks without problem. In addition to that, customers do not have to worry about the installation and maintenance of the hard and software.


Additional information:




Security breach in Microsoft Office – Hornetsecurity filters harmful documents

Security breach in Microsoft Office – Hornetsecurity filters harmful documents

A short while ago, security experts discovered the security breach CVE-2017-11882 in the Microsoft Office suite. Microsoft reacted quickly and closed the breach with a security update. Due to the publication of the exploit, however, attackers are now aware of the breach and target systems that haven’t been patched yet.


All Office versions besides Office 365 are affected by the security breach. The exploit is located in the Equation editor of Microsoft, which is a former version of the formula editor. It uses a buffer overflow which allows the attacker to execute his hazardous code on the user’s system. Through this, it is possible to download malware from the Internet and to install them.


Breach existed for 17 years


The Equation editor was compiled in 2000 and since then never reconditioned. Due to this, it is not fulfilling current security standards and allows a buffer overflow to happen which leads to the exploit. Even though the causing formula editor was replaced in Office 2007, it is still part of the package in order to ensure backward compatibility with older document versions, where the 17-year-old piece of software is needed to display and edit mathematical formula.


The only interaction necessary for the exploit to be executed is for a user to open the infected document. After that, the hazardous code will be executed automatically. Only the protected view, the so-called sandbox of the Office programs, is prohibiting its execution.


Hornetsecurity detects exploit in documents


Since the security breach was published, attackers are increasingly trying to distribute infected Office documents using the exploit. However, Hornetsecurity adapted its filters so it can detect infected documents before they appear in the mailbox. Nevertheless, we advise you to perform the security update as soon as possible.


Attack of the encryption trojan Bad Rabbit

Attack of the encryption trojan Bad Rabbit

Some time has passed since the last huge wave of ransomware attacks has been detected. Now, a new type has appeared and it is causing considerable damage. Especially in Eastern Europe and Russia the trojan was successful and infected several companies. But Germany has seen those attacks, too.

The malware Bad Rabbit, named after a specific site in the darknet, where the victims are supposed to pay the ransom. It encrypts local data and demands 0,05 Bitcoins to provide the decryption key. Considering the recent change rates this amounts to 293 USD or 255 Euro.

Down the Rabbit-Hole

The crypto-trojan spreads mainly through compromised news sites. By using so called watering hole attacks, the cyber criminals can target certain user groups and companies. If a user visits an infected website, an automated drive-by-download is initiated and a forged Adobe Flash update is downloaded. As soon as this file is executed, Bad Rabbit enters the system and all data are encrypted after a forced reboot of the computer.



Bad Rabbit Trojaner

Payment page in the TOR network


Click on the image to enlarge



Like WannaCry and Petya before, Bad Rabbit can spread within a network. However, instead of using the EternalBlue exploit in the Version 1.0 of the SMB protocol, the malware infects other computers through the Windows Management Instrumentation (WMI). To prevent a local distribution of Bad Rabbit, it is advisable to deactivate WMI if it is not in use.

Hornetsecurity recognizes the malware and protects with URL rewriting

The URL rewriting feature of Hornetsecurity Advanced Threat Protection recognizes Bad Rabbit on compromised websites and blocks it. Using Hornetsecurity ATP, you can continue clicking on news links in your emails without fearing to catch the malware.


Our recommendations

Nevertheless, we recommend you to create backups on a regular basis and to not download unknown files or even execute them. Especially Adobe Flash updates should only be downloaded from the software producer itself. In case of an infection, do not pay the ransom, because it is unclear whether you will receive the keys necessary to recover your files.

Analyzing the maliciousness of a VBA macro spam campaign

Analyzing the maliciousness of a VBA macro spam campaign

We currently observe a spam campaign that delivers MS Office 2007 Open XML document attachments containing a malicious VBA macro.

This file format is basically a Zip archive encapsulating a set of XML files. The email attachments are trojan downloaders that load a malicious binary from a presumably hacked website and execute them on the victims’ machines. This post will show how to get the malware samples by statically analyzing the documents of the spam campaign.


The first step is to extract the VBA code from the document, which can be done with olevba from the oletools [1]. This tool deflates the document, analyzes its data streams, and extracts the VBA macros. Olevba is also useful to get first hints regarding the maliciousness of the used VBA elements, as shown below:



From this analysis we can already guess that the macro is executed via the AutoClose method, once the document is closed. We will confirm this later by looking at the VBA code.
The extracted VBA code is obfuscated to hide its purpose. All variables and functions are named after animals or landscapes. The following code snippet tries to hide a WScript.Shell call by aggregating a string:



Furthermore, the code is bloated with garbage methods, that either have no functionality, or just wrap around atomic VBA methods like RTrim, Asc, Len, Mid, AscB, or ChrW to obfuscate them. Deobfuscation can reveal the real purpose of the code. As the macros are rather short with around only 60 lines of code, it is possible to deobfuscate the most parts statically by hand by refactoring unnecessary function calls and removing the garbage bloating, as in this example:



It is easier to analyze the atomic VBA function calls dynamically to get the correct return values. The execution of VBA snippets can easily be done with the Visio editor [2], which is part of Microsoft Word (Open Word and search for it). When testing this method, always take some precautions and only run the code snippets on a disconnected analysis virtual machine to prevent unintended system infections. A clean snapshot can be restored after the analysis to remove all malicious sample parts.



After some deobfuscation, only one core method is left. It is conspicuous that the return value of this method is passed to run WScript.Shell, therefore the method probably returns a shell command:



The method can be pasted into the Visio editor, but instead of infecting the system by executing the return value, it can be passed to a print method to be printed out. This reveals the malicious call of the macro containing an URL from which the malware binary can be downloaded for further analysis.



Fortunately, our ATP customers are protected against this campaign, as Hornetsecurity Advanced Threat Protection [3] detects and filters out the malicious spam mails. In most cases, it is easier to let the sandbox engine gather the malware samples automatically through dynamic analysis, but the described proceeding is useful for understanding the attack and for improving the detection methods.


[1] Oletools:
[2] Visio editor:
[3] Hornetsecurity ATP:

Encrypted connections – yes or no?

Encrypted connections – yes or no?

Security has become a major issue for everyone by now. Be it security in your own country, at home, or in daily communication via the Internet. When we feel safe, we can go about our lives without worries. When it comes to daily communication via the Internet, the word “encryption” is frequently heard. Does encryption really provide protection against curious pilferers, or does it merely give us a feeling of safety while cybercriminals use it as a hidden back door?


Encryption explained in simple terms

The encryption of Internet connections has apparently been well received by the public for years already: according to Google, 80 percent of all websites are already protected. Many messaging services also now rely on encrypted communications. But how are data streams encrypted in the first place?


Explained in simple terms: The term SSL/TLS encryption is often mentioned in relation to this topic. Laypersons do not necessarily understand what this means. The term here refers to transport encryption. This means that the data itself is not encrypted, but is transmitted through an encrypted channel. Before the message is transferred, the communicating servers agree on an encryption standard, also referred to as the Cipher Suite. Consideration is always given to the mutually highest encryption standard for the negotiation. The goal is that only these two servers can exchange data with each other.
Whether or not a website offers this kind of transport encryption has been easy to determine ever since the secure hypertext transfer protocol was introduced: If the URL starts with an “https:”, the website is encrypted. Other indicators are a lock and the green mark. If, for example, a user logs onto a website as shown in the displayed image, the entered data is forwarded to the destination server via an encrypted channel that confirms the correctness or the identity of the user.




Source: Amazon


SSL and TLS – which is which?

TLS is the successor to SSLv3. The slightly improved TLS 1.1 version has, however, not been successful on the market. The significantly more relevant 1.2 version, which Hornetsecurity has already been supporting for years, offers decisive added security value with, among other things, Perfect Forward Secrecy (PFS) and the corresponding Cipher Suites (Elliptic Curve, Diffie Hellman), given appropriate and secure server configuration. Hornetsecurity can even restrict TLS communication to Secure Cipher Suites and Trusted Certs to raise the security level even higher.



The 1.3 version of TLS can currently be viewed as a working draft at This version is expected to include major changes and improvements in the cryptographic hash functions and the handshaking protocol. From a security point of view, it will be good if TLS 1.3 is distributed more quickly after final release than was the case with TLS 1.2, which has been available since 2008.


The back door for malware?

Data streams encrypted via TLS/SSL thus cannot be viewed by third parties, which makes sense after all. On the downside, this allows the undetected transmission of malicious code, since there is no intrinsic analysis for malware.


To counteract this, so-called SSL scanning can be used. Here the connection is interrupted and a fake server certificate, by which the target server is authenticated against the user’s server, is implanted. This approach is comparable to a man-in-the-middle attack. The problem with this method is that third parties can read the unencrypted content. To ensure the browser does not take this as an attack, a one-time incorporation of the root certificate of the runtime-generated certificate for the requested website in the browser’s trust store is required. This is done automatically in large companies via software distribution. SSL scanning or “https breaking” may constitute a conflict between data security and data protection. If companies intend to use SSL scanning, therefore, they should protect themselves legally in advance.
Very often companies do not use this method of analyzing encrypted connections. On the one hand, for reasons of data protection; on the other hand, the computational effort required has till now been too high and too costly. In recent years, however, the overhead (computational effort) incurred by encrypting and decrypting the data, as well as negotiating the connection parameters for TLS, has been drastically reduced by targeted hardware and software measures.


Originally at a level of up to 20 percent, today, given appropriate configuration, it is in the low single-digit percent range, for example with CPU surplus load.


On the hardware side, more powerful CPUs complemented by appropriate computing operation units (e.g. for AES) are now standard for servers, enabling many decryption operations to be executed in parallel and in a high-performance manner.


Many global software libraries have now enormously accelerated the decryption and reduction of network latency, which, given appropriate server configuration, can significantly reduce the overhead.


The website categorization used in the Hornetsecurity web filter is a secure alternative to SSL scanning. It deliberately refrains from breaking up the encrypted channel, since the fine-grained classification of the websites helps minimize the risk using appropriate policies. All the websites are classified into categories. The basis for this is the user-accessible content on the website. Assigning a website to a category gives it a sort of rating. This rating provides information on whether or not it is a safe website. Based on this rating and the preconfigured policies, the web filter service either blocks the requested website and the user receives a warning page, or it is delivered and displayed.



With the help of the categories and other features, company compliance policies can be implemented at both the user and group or enterprise level. This allows administrators to block certain content or allow the use of social networks only during the lunch break. Hornetsecurity also offers its customers SSL scanning as a supplement to its comprehensive web filter service. IT administrators can activate it on their own.




Encryption is positive and recommendable, in principle. The security aspect, however, should not be neglected, as encrypted connections do not automatically guarantee protection against malware. Encryption poses a threat to companies only when this aspect is given little or no consideration.
It is therefore advisable to regularly examine the encrypted connection and develop a watertight security concept.
While web filter categorization provides options for protecting web traffic even when using encrypted connections, the “https breaking” method can also be used on request. Hornetsecurity offers both methods. Most customers make rather sparing use of SSL scanning, since the fine-grained categorization described above provides significant added value.


Curious? Additional information: