Advanced Persistent Threats – The invisible threat

Advanced Persistent Threats – The invisible threat

What do the Olympic Winter Games, the Information Network Berlin-Bonn and large companies as well as SMBs have in common? They were and still are targets of highly evolved cyber-attacks that are aiming to spy on and sabotage internal processes and to steal and copy important and secret data. The realization happens as undetected as possible and over a longer period of time. These types of attacks are commonly known as “Advanced Persistent Threat” (APT).

Hornetsecurity News

Stay in touch

Sign up to get the latest News about Cloud Security.

The attacks are presumed as “advanced” because the attacker has large amounts of time and money available and thus gives himself an advantage in terms of access to information and development capacities. For victims, the infiltration of their IT infrastructure is hardly traceable and difficult to discover, so that the intruder can act undetected in the internal network for several weeks or even months. Cybercriminals are often a group of individuals that operate together, and it is not unusual that competitors, organizations or even states are the initiators of those ingenious attacks.

Their objectives differ and range from copying as much detailed information as possible about company internals as well as military and political facts to financial enrichment in terms of financial and credit card theft. In Germany, the Federal Office for the Protection of the Constitution recently warned against a renewed wave of APT attacks targeting German media companies and organizations in the field of chemical weapons research.

In general, cybercrime increases with the ongoing digitalization in companies. According to a recent study by Bitkom on digital espionage, sabotage and data theft, 68 % of the companies surveyed in Germany stated that they had been affected by cybercrime in the last two years (as of October 2018).

Five Stages of an APT Attack

Unlike “common” virus and spam attacks, in which hackers send a large number of infected emails to hit random victims, an APT grouping deliberately seeks a high-ranking target chosen for its objectives. The attackers proceed according to a classic pattern, which can be divided into 5 stages:

1. Exploring and researching

Once a target has been selected, the first phase of the attack is to gather as much information as possible about the company or organization. Hackers are particularly likely to access corporate websites, social media and other sources open to the public to find possible points of entry into the target’s systems.

2. Invasion of the system

If the attacker has gathered a conception of the structure of his target and knows which IP addresses, domains and systems are connected in which way, he will be able to search for vulnerabilities in detail. To finally gain access to the systems of the target, the hackers use various methods: Social engineering, such as CEO fraud & phishing as well as ransomware, blended and targeted attacks are among the best known. Cyber security is not just about computer systems and networks – APT groupings often use the “human factor” as a vulnerability by exploiting human traits such as helpfulness and trust. A recent survey conducted by the Federal Office for Information Security (BSI) revealed that one in six employees would respond to a fake email from the executive floor and disclose sensitive company information.

3. Spying out and spread

As soon as the hackers have access to the system, they usually operate as carefully as possible so as not to attract attention. The company’s security measures and deployed software are identified so that further security holes can be exploited to extend attackers’ access to the network. With the help of keyloggers and the found data, an attempt to find out passwords and thus gain access to other data records and systems is made.

4. Execution of the attack

The perpetrators access the unprotected systems and start to act according to their motivation and objectives for this attack. For example, sensitive company data can be collected over a long period and/or malware can be installed to the IT system. Also, the paralyzing of systems and thus of the operational procedures is an option.

5. Filtering and analysis of the data

The data and information collected is sent to the APT Grouping’s base for analysis. To have further access to the infected system of the company at any time and especially unnoticed, a kind of “back door” can be installed by the attackers.

Detecting and preventing APTs

Regarding such individualized and manual procedures in particular, the focus of IT security should rest on targeted detection and immediate reaction to possible attack attempts. With the daily flood of incoming and outgoing emails, manual monitoring of individual attachments or content indicating CEO fraud, for example, cannot be handled.

With Hornetsecurity Advanced Threat Protection, innovative forensic analysis engines provide real-time monitoring of corporate communications and immediately prevent attacks. The APT service is directly integrated into Email Security Management and offers protection mechanisms such as sandboxing, URL rewriting, URL scanning, freezing and targeted fraud forensics in addition to the spam and virus filter. In the event of an attack, it is important to that a company’s IT security team is immediately notified with specific details about the nature and target of the APT attack, the sender and why the email was intercepted. Thanks to Real Time Alerts, Hornetsecurity ATP is able to inform a company’s IT security team about current attacks. This up-to-date information can be used for countermeasures, so that security gaps can be effectively closed in the shortest possible time and additional protective measures can be set up.

Additional information:


Email archiving and DSGVO – the biggest myths at a glance

Email archiving and DSGVO – the biggest myths at a glance

Citizens of the European Union have reason to relax: The introduction of the General Data Protection Regulation (GDPR) since May 2018 significantly strengthens the protection of personal data and at the same time initiates a new era of European data protection. But one man’s meat is another man’s poison. Not everyone agrees with the “strictest data protection law in the world”. Companies and organizations that have to implement numerous new policies and guidelines, are annoyed by the significant additional effort and the partly non-transparent regulations.

Since the GDPR also has a direct effect on the handling of emails, there are a few things to consider as well – especially with regard to the issue of email archiving. We show how the GDPR and legally compliant email archiving can be combined and explain the most important myths.

The devil is in the detail

As a company, do I really have to archive all emails and if so, for how long at all? These are typical questions asked by those responsible for implementing the GDPR. At this point, the GoBD (principles for proper management and storage) [only in Germany] play an important role. These principles specify how long emails with certain contents must be archived. It is not uncommon for archiving to be confused with backup, but clear differences must be made here.

While a backup ensures the temporary availability of data and its recovery, archiving has a different function: it guarantees the long-term storage of data on a separate storage medium for documentation purposes. According to the GoBD, an email always has to be archived if it operates instead of a commercial or business letter or a booking document. If the email is only a means of transport and contains, for example, an accounting document as an attachment, only the attached file as such must be retained, but not the email itself. However, a printout of the invoice is not sufficient.

Hornetsecurity News

Stay in touch

Sign up to get the latest News about Cloud Security.

The required retention period for business emails is six to ten years. However, small businesses are excluded from this regulation. The exact storage obligations for the different types of documents can be found in the tax code as well as in the commercial code. The situation is different with private emails: Companies, in which the private use of emails is at least tolerated, may under no circumstances monitor or store the private email communication of employees.

The GoBD also specifies that emails must be archived unmodified. This means that a simple storage of digitized documents at this point is not sufficient. Another misbelief is the storage via the email client. Simply creating a folder and manually moving all emails, that are required to be archived, is not sufficient either. The proper protection against loss or theft is simply missing here. But how can a company implement all these regulations as cost-effectively as possible and save time and resources?

The solution lays in the cloud

If you want to be on the safe side, you can rely on modern email archiving via the cloud. Cloud-based email archiving solutions offer several advantages for companies: they are fully automated, legally compliant and operate without the intervention of internal IT.

Hornetsecurity’s email archiving service, for example, ensures that emails are transferred to the archive fully automatically. A very precise distinction is made between clean mails and spam as well as info mails. The latter of course do not end up in the email archive. The complicated and time-consuming search for archived emails is also prevented by Hornetsecurity’s email archiving service.

Thanks to perfectly coordinated search algorithms, emails can be easily retrieved and filtered via the Hornetsecurity Control Panel. The administration is made easy for IT managers: Only a few clicks are required to manage Aeternum – regardless of whether this involves the import or export of emails or basic settings for the duration of archiving.

Additional information:

Spam emails – There’s life in the old dog yet

Spam emails – There’s life in the old dog yet

Laurence Canter certainly didn’t expect to go down in history one day as a pioneer of spam email. In 1994, the US lawyer was the first person ever to send messages that resemble the character of a spam email today. A computer specialist engaged by Canter and his wife flooded over 6,500 newsgroups on the Internet with advertising for their company. But this was only the beginning of a story that has now been going on for 25 years.

In this blog post you will learn everything about the history of email spam, the damage and dangers it causes and the right protection against unwanted messages.

Key figures on email spam


of global email traffic is spam


of all dangerous spam emails end up in German email inboxes

About Spam, Cybercriminals and Monty Python

Three things that couldn’t be more different: What has Spam got to do with cyber criminals and the comedy group Monty Python? The answer is: a lot. At least if you take a look at the history of email spam.

At the time Canter had his advertising emails sent, the Internet was hardly commercialized. It was therefore absolutely unusual for users to be confronted with advertising in such a direct way. This was reflected in particular in the reaction of the recipients. Therefore the lawyer was very soon confronted with fierce criticism. One user even called for “spam and coconuts to be sent to Canter and Co”. But “Spam” here, however, meant canned meat produced by the food company Hormel Foods, whose product name is an artificial marketing word made up of “spiced ham”. The angry user’s request can therefore be interpreted as an allusion to the content, which is as “soft” in coconuts and canned meat as it is in advertising emails.

The British comedy company Monty Python also contributed to the naming of the spam email. They did a sketch in the 1970s that was set in a pub. The guests of the pub can choose from several dishes, but each one contains spam. Then a horde of Vikings, also dining in the restaurant, starts singing “Spam, Spam, Spam, Spam, Spam, Spam, Spaaaam!”. The frequent and penetrating appearance of the word “spam” within the sketch, finally prompted the usenet forum administrator Joel Furr in 1992 to declare the increasing “garbage contributions” in his forums as “spam”. From then on the term prevailed.

Legendary spam sketch of the British comedy group “Monty Python”

Spam emails in the course of time

If you think that spam emails are a thing of the past, you are wrong. Although cyber criminals are increasingly trying to make life difficult for us with other lucrative fraud methods, such as phishing or ransomware, sending spam emails is still very popular. To put it in numbers: Between July 2017 and July 2018, the proportion of spam e-mails in companies was more than half of the total amount of e-mail traffic generated worldwide. In Germany alone, sending spam consumes as much electricity as a small city.

As if this wasn’t unpleasant enough, the proportion of dangerous spam emails of all email traffic is also increasing significantly. The increased risk potential of modern spam emails is primarily due to significantly improved targeting by spammers. Through targeted addressing and country-specific topics, spam emails appear much more authentic than a few years ago. Not only the quality of spam emails, but also the spammers’ preferred targets have changed.

While only 10 years ago the United States was the main target of attacks, another country has now moved past them: Germany. The proportion of spam emails in Germany has doubled compared to 2010. The main reason for this is probably the very good financial situation of the German population. Spammers expect the most lucrative sources of income here.

How dangerous are spam emails today?

While cybercriminals in the 1990s and 2000s mainly sent emails with advertising intentions, the situation is different today. Especially the sending of ransomware or other malware in email attachments has become very common among criminals.

Spammers use a fake identity to try to force the target to click on an email attachment infected with malicious code. They often claim that there is an unpaid invoice in the appendix. However, when the target opens the file, the ransomware it contains is activated, encrypting all files stored on the hard disk.

Hornetsecurity News

Stay in touch

Sign up to get the latest News about Cloud Security.

Another scam that is often carried out by means of spam emails is phishing. For example, the cybercriminals pretend to be well-known credit institutions. They claim that the customer’s bank account has been blocked for security reasons. To unlock it, the victim has to confirm his access data again. To do this, the target person has to click on a URL that is very similar to the real URL of the bank.

It can only be distinguished from the original by certain additions or another Top Level Domain. Amateurs often have no suspicion and will be forwarded to a website based on the design of the bank via the link. If they comply with the requests and reveal their data there, the cyber criminals will have direct access to the information. Some of the “fake websites” look so deceptively real that they are indistinguishable from the bank’s regular websites.

How do spammers get to my email address?

In order to protect oneself optimally against the flood of unwanted messages, one must first understand under which circumstances they end up in our digital mailbox. The fact is, if you keep your email address to yourself, you should normally not receive any spam emails. We only become the target of spammers when we make our email address publicly accessible on the Internet or entrust it to dubious service providers. But how do spammers actually collect our email addresses?

Spammers use so-called “harvesters”, also known as “spambots”, to search the Internet for specific email addresses. If you still want to publish your email address on the Internet, you can have it converted to Unicode with the help of free service providers on the Internet. Spam bots will then no longer be able to read them.

You should also be careful with unknown Internet providers who promise to make us disclose our data. A good example are websites that lure with competitions and possible money profits. Unfortunately, it is not uncommon that the alleged profit does not even exist and is only used as an excuse. Here, too, you can frequently go directly to the mailing lists of the spammers.

Perfectly protected against email spam – this is how it works

Without a doubt, the proportion of spam emails was significantly higher a good ten years ago at around 90%, but one should not be deceived by this development. Because it’s all about the sophistication of the spammers. They continuously ensure that the risk potential of spam emails increases. Without a professional spam filter which also detects viruses and other threats, employees not only spend a lot of time organizing emails, but are also exposed to constant threats. In addition to links to malicious websites, spam emails may contain malware and phishing links.

Only professional spam filters for companies such as Hornetsecurity’s spam filter service ensure absolutely “clean” mailboxes with spam detection rates of 99.9%. In combination with Advanced Threat Protection, even the most fraudulent attack methods, such as CEO fraud, ransomware and spearphishing are effortlessly excluded. Just during July 2018, about half of all emails scanned by “Advanced Threat Protection” were classified as malicious. The largest part of these emails, more than 90% of malicious emails, is due to dangerous threats, as stated in the Hornetsecurity ATP Analysis of July 2018. Thanks to the intervention of the Hornetsecurity Spamfilter Service and Hornetsecurity ATP, the recipients of these emails were not only fully able to concentrate on their tasks, they were also not exposed to the risk of a “wrong click”. This finally brings peace and quiet to your email inbox.

Additional information:


Successful Product CEO-Fraud – An old scam yet the danger remains present

Successful Product CEO-Fraud – An old scam yet the danger remains present

The publicity around CEO Fraud may have calmed down, yet it is not yet extinct and still remains a serious threat. CEO Fraud, also known as ‘bogus boss’, still leads to digital larceny by deception, and thus causing displeasure and high economic damage for several companies such as a German company in the hessian rural district Groß-Gerau. Unknown cyber criminals were able to capture a sum of $380,000 Euro by successfully using CEO-Fraud. In 2016 alone, the total amount of monetary loss worldwide caused by this scam method was about $3.1 billion US dollars. That matched the profit made by Volkswagen in 2017.

Key figures on CEO Fraud in companies

Million euros a year, a group of cybercriminals captured by CEO Fraud in Germany between 2014 and 2017


success rate in CEO fraud attacks according to Info Security Magazine

How is it possible that the success rate of cyber criminals is still extraordinarily high even several years after its discovery as a tool used by cyber criminals? In the following text we will look at the procedures and the sophisticated fraud techniques of the offenders in order to improve the comprehension of the success of the scam.

Perfect Planning is half the battle: The Preparatory Stage of the CEO-Fraud

The target of CEO-Fraud is usually one single person. In most cases, an employee in the accounting department with direct authority to execute bank transfers. In order to execute the scam and make it appear as authentic as possible, extraordinarily good preparation is needed at the start of the scam. The magic word here is Social Engineering. Social Engineering means cyber criminals try to gather as much information as possible about their victim. They find such information on social media channels like Facebook, Linkedin or Xing. Most of the time, it’s easy to acquire personal information such as job title, place of work or even the complete organigram of a company.

Cheating and Feinting: The Offensive Stage of CEO Fraud

If the blackmailer has gathered enough information on their target they make the first contact and begin the offensive stage of CEO Fraud. The offenders now must accomplish a certain familiarity with the targeted subject. They do this by referring to current topics of the company in their email. This topic could be an upcoming acquisition or the latestsales figureswhich can be withdrawn from previous press releases.

To put the crown on the scam, some cyber criminals create an email address that is similar to the one of the CEO. In this connection, it is a perfidious trick to replace certain letters with letters that look extraordinarily similar. The letter L in mueller@examplecompany can for instance be easily replaced by a capital I. For the ordinary person, this scam also known as Spoofing can only be recognized by close scrutiny.

Another trick utilized by cyber criminals is the use of an existing emal communication. For example, if the offender knows with which person the CEO of a company usually communicates with and what topics are usually discussed, the perpetrator can counterfeit such communication. Fake logos and email signatures complete the picture of a completely legitimate email communication.

It’s in the email itself where cyber criminals dig deep into their bag of psychological tricks in order to initiate the transactions they desire. A commendation for the work of the targeted subject or the buildup of pressure can be used to trick the subject. Often, the offenders pretend to need a transfer of money to be sent as quickly as possible because an important and discreet deal could fail. It must be discreetso the targeted subject does not inform other colleagues about this affair which could end the scam.

What accounts for the success of the scam?

Hornetsecurity News

Stay in touch

Sign up to get the latest News about Cloud Security.

In most cyber attacks, employees are the largest risk factor. The Federal Office for Security and IT (in German: Bundesamt für Sicherheit und Informationstechnik, short: BSI) has previously warned the public about the careless handling of personal data. However, companies contribute to this by publishing a multitude of information on social networks for marketing purposes. Just like that, the offenders have little difficulty accumulating a substantial amount of information to assist in the success of their scam.

Another crucial factor of the scam is the psychological component. Cyber criminals specifically and shamelessly exploit emotions like respect and trust for a manager or owner of a business in order to manipulate their victims.

How do I protect my company from CEO Fraud?

A healthy amount of skepticism and the right education are the essentials in the battle against the bogus boss. From the perspective of a company, it makes sense to work against the ignorance of many employees with regular cyber threat information or training events. This way, the tricks of the scammers like the scrambled letters or fake signatures can be specifically pointed out.

Also, the use of an email encryption service provides relief since a fake or missing signature automatically attracts attention. For thosewho are not sure despite all these precautionary measures a telephonic reinsurance from the pretended sender of the email is useful. This requires a smallinvestment of time and can prevent a possible scam from even taking place.

Meanwhile, there are instruments and methods to deter such fraudulent emails ending up in the inboxes of the employees. Managed Security Services, like the Advanced Threat Protection by Hornetsecurity are able to see through complex attack patterns like the CEO-Fraud and block it in the forefront using sophisticated forensic systems. Once an attack is detected, ATP sends an automatic notification to the security personnel responsible for thwarting such an attack. The result, CEO-Fraud and other scams have no chance of success and your employees can focus all of their attention on their important tasks once again.

Additional information:


With multiple levels of protection to be on the safe side

With multiple levels of protection to be on the safe side

Anti-virus solutions alone are not enough – but they still make sense

The world has become more complex, not only in politics and business but also in the field of IT security. Multi-layered defense measures are a must for companies if they want to effectively protect their IT infrastructure because cyber threats have also become much more versatile and professional. “Simple” solutions by themselves are no longer enough, yet still have their reason for being.

Until a few years ago it was relatively easy to organize the protection of your IT systems. And even today, there are still companies that rely on a few established defensive measures. Together with a firewall and a spam filter, classic AV solutions are still the standard to protect against intruders, and one of the main reasons this type of protection is generally accepted as a proven mechanism against malware. Antivirus products are highly automated and do not require extensive attention from IT administrators or security specialists, which saves money, time and effort.

Modern malware outwits classic AV products

Hornetsecurity News

Stay in touch

Sign up to get the latest News about Cloud Security.

On the other hand, the discussion has been smoldering for some time as to whether anti-virus solutions are still effective against malware at all or perhaps do more harm than good and should therefore be abandoned. The fact is, classic products for defending against malware no longer offer adequate protection. Classic AV scanners fail to recognize all malware specimens and many specimens are not recognized at all, even after many weeks or even months.

Strengths and weaknesses in malware detection are widely distributed among the various AV providers. In addition, new types of cyber-attacks are making life increasingly difficult for classic AV scanners. Polymorphic viruses, e.g. in the form of ransomware, are evading signature-based detection mechanisms in slightly modified forms. Classic AV scanners have little or no chance against file-less attacks such as CEO fraud as these do not contain any suspicious objects for investigation.

Equally problematic are links in documents that can lead to downloads of malware. Companies that solely rely on the use of classic security solutions weigh themselves in false security. Nevertheless, the use of classic AV scanners is necessary and sensible.

Many defensive measures spoil the attacker’s success

Modern IT security solutions and suites are built on the principle of multiple protection with multiple defense methods and there are good reasons for employing multi-level protection. If the first protective measures complete part of the task in a relatively simple way, the powerful and more complex filters behind it are no longer so heavily loaded and thus perform better.

Subsequent security levels based on heuristic or behavior-based filter systems significantly improve detection performance and thus increase the chance of being spared damage by malware. These include services that detect hidden links in emails or attachments, analyze the behavior of malware in a sandbox, or hold back suspicious email attachments for a certain period of time and then check these attachments again with updated signatures.

Many companies have recognized this and rely on a multi-part defense strategy with several defensive lines in place. This way, they minimize the risk of experiencing a nasty surprise and becoming victims of a cyber-attack.

Additional information:

  1. Hornetsecurity Managed Spamfilter Service for companies
  2. Want to learn more about Advanced Threat Protection? Find out more now!.
  3. Do you already know the Hornetsecurity Knowledge Base? Click here for more information.
Malware Analysis and Defense

Malware Analysis and Defense

Third part of the multipart “Defense against malware”

The workstations of our malware analysts do not differ from others in Hornetsecurity’s offices, even though the Security Lab is referred to as a “laboratory”. Erlenmeyer flasks, test tubes and Bunsen burners are not to be found, but quite normal computers. The work is done virtually, in sandboxes or by analyzing the data traffic. Nevertheless, the importance of malware analysts should not be underestimated, as it ensures that Hornetsecurity’s defense systems are always as up-to-date as possible and maintain the highest quality standard.

But what is the procedure for analyzing malware? Usually there is a very large, continuous stream of data to analyze. The main task is to extract valuable information from the raw data, process it and make it “intelligent”. To this end, analysts use various tools and programs to answer specific questions: What are the objectives of malware? Which characteristics are typical for the investigated malware? Is there any evidence of the attacker(s)? Ideally, actions can be derived from the findings such as writing new filter rules or creating algorithms.

Two different types of analysis

Two ways of analyzing malware are presented in more detail here. In static analysis, the code itself is viewed without executing the malware, while in dynamic analysis, the behavior of the malicious code is tracked in a secure environment.

In the static analysis, the analysts break down the malware to the smallest detail in order to draw conclusions from the code itself. For example, significant strings are extracted or shell scripts are started and further results are generated with disassemblers. Here you can find information on the activities of the malware and which features it shows, the so-called Indicators of Compromise (IoC). Based on the findings, the individual filter systems can be updated to prevent further attacks by this and similar malware as quickly as possible.

One possibility for dynamic analysis is to let the malicious code perform its task in the secure environment of a sandbox. This method can be well automated to obtain certain results. The filter systems can be updated based on these results. Does the code change certain files, does it make changes in the registry or has it generally adapted the system settings to DNS servers, for example? Who does the malware contact? These and other questions can be answered in the following way.

Hornetsecurity News

Stay in touch

Sign up to get the latest News about Cloud Security.

Various possibilities of use

The most obvious application of the data obtained from malware analysis for IT security companies is to improve their defense methods and thus better protect their customers from attacks. To do this, analysts extract certain binary patterns and use them to create so-called Yara rules with which malware samples can be found, categorized and grouped. Behavior signatures applied in the sandbox can detect and categorize certain behavior patterns of malicious code.

An example: In the sandbox, an Office document in the file attachment is opened. There the behavioral signatures recognize that the document to be examined begins to collect and send information about user accounts. If this analysis takes place in a cloud-based environment, it is then possible to intercept the conspicuous emails and thus completely block the attacks.

All of these and many other defense measures should help to intercept and prevent an attack at the earliest possible point so that the damage caused by malware is as small as possible or, better yet, does not occur at all.

Much of the raw data obtained by malware analysis and the findings derived from it are also useful for general prevention. Research projects can benefit from this and make their scientifically-sound results available to the general public. In addition, the publication of malware analyses also serves to educate the public. Increasing knowledge about the approaches of cyber attacks and malware attacks helps to limit their success rates.