23.11.2021 - The number of reports received by the NCSC remains high. The NCSC received a report about a development server that was misused for mining cryptocurrency. In the attack on the travel operator FTI Group, Swiss citizens' data also fell into the hands of hackers. In addition, the NCSC assigned the internationally valid CVE (Common Vulnerability and Exposure) identifier to the Blacksmith vulnerability that was published last Monday.
Copies of Swiss passports leaked during a ransomware incident
On Friday, it emerged that copies of passports, including Swiss ones, had been published on the darknet. The data was stolen during a ransomware attack involving a German-based travel company. The cybercriminals published the data after attempting so-called double extortion, which is an attack whereby the attackers first encrypt the data and then offer to decrypt it again if the victim pays (first extortion). In the second extortion attempt, the attackers threaten the company with the publication of the data, which they stole before they encrypted it.
Once the data is published online, it is virtually impossible to remove. The NCSC has taken appropriate measures.
- If fraudsters have obtained copies of your ID documents, you should report this to the ID office of your commune and discuss with them how to proceed. You may need to have new documents issued.
When the server mines cryptocurrency
Cybercriminals use every trick in the book to obtain money. A good example is a report that the NCSC received last week. A user reported that its development server – a GitLab instance – had been hacked and misused for mining cryptocurrency.
It is worth bearing in mind that the creation of cryptocurrency needs a large number of calculations. Mining requires such a huge processing effort that very high performance graphics cards are used. In this case, the hackers solved the problem by having other people's servers do the work for them. This was made possible by a GitLab software vulnerability with the identifier CVE-2021-22205, which was discovered in May 2021. The GitLab instance's operators had not applied the latest update to their software.
- Always keep your software up to date – especially if it communicates with the internet – and follow the software supplier's instructions.
- Subscribe to newsfeeds about the software you use to ensure that you are informed of vulnerabilities in good time.
- Take action if your computer reacts unpredictably, such as working very slowly or displaying new messages, etc. In such cases, have your computer checked by a specialist.
Blacksmith vulnerability has been given the first CVE identifier assigned by the NCSC
CVE stands for Common Vulnerability and Exposure. The CVE identifier is composed of a four-digit year code and a serial number component, and allows vulnerabilities to be clearly identified worldwide. In September, the NCSC obtained recognition as a Numbering Authority for the assignment of CVE identifiers. Last week, it assigned its first CVE identifier. The Blacksmith vulnerability was assigned the identifier CVE-2021-42114.
The vulnerability affects memory chips and describes how, through targeted activation and deactivation, they can be used to trigger errors in adjacent memory cells. These fields can then be misused for an attack. The vulnerability was discovered by ETH Zurich and reported to the NCSC.
- Report any vulnerabilities you find via the reporting button on the homepage, or use this link.
Current statistics
Last week's reports by category:
Last modification 23.11.2021