Germany warns of ransomware attacks over Christmas, citing Emotet return, unpatched Exchange servers

The German cybersecurity authority has told German organizations to expect ransomware and other cyber-attacks over the Christmas and end-of-year holidays, citing the return of the Emotet botnet and the large number of Microsoft Exchange email servers that have been left unpatched.

The Emotet gang, which began rebuilding its botnet two weeks ago, has often rented access to infected systems to ransomware gangs to serve as springboards for attacks.

Numerous vulnerabilities discovered in Microsoft Exchange email servers this year have been abused throughout 2021 to allow ransomware gangs—such as DearCry, BlackKingdom, Babuk, and BlackByte—to enter corporate networks and encrypt internal servers.

Hackers prefer major holidays for attacks

“Holidays, vacation times and weekends in particular have been used repeatedly for such attacks in the past, as many companies and organizations are less responsive then,” BSI President, Arne Schönbohm, said on Thursday, urging companies to patch systems and take steps to block Emotet spam.

The BSI warning comes on the heels of a similar alert sent by US CISA last week, ahead of the Thanksgiving weekend.

Attacks over major holidays have become commonplace in recent years, as criminal gangs have realized that IT and security teams are typically off duty or working in reduced capacities.

For example, hackers began exploiting a zero-day in the Accellion file-sharing server just ahead of the 2020 Christmas holiday. Even though the vendor released a patch, most companies didn’t get to install it until the next year, as IT teams were off or delayed installing it to have more time to test and review the code.

Three-quarters of Exchange servers still unpatched

Things are particularly bad this year in terms of the possibility of a major ransomware outbreak due to the high number of critical Exchange vulnerabilities disclosed in 2021, such as ProxyShell, ProxyLogon, ProxyOracle, and so on.

Numbers crunched by security firm Rapid7 in October showed that out of 306,552 Exchange servers connected to the internet, 222,145 (72.4%) were vulnerable to at least one major vulnerability.

Germany is particularly impacted by Exchange vulnerabilities due to the large number of servers deployed inside government agencies and the private sector, second only to the US in terms of Exchange servers, per security firm ESET.

With ransomware gangs leveraging Exchange servers as entry points being spotted as recently as last week, the chances are that some groups will take advantage of the upcoming winter holidays to leave some unwanted gifts under the trees of German companies.

Catalin Cimpanu

Catalin Cimpanu is a cybersecurity reporter for The Record. He previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.
