“Unknown hackers” have reportedly spied on three IT companies working for ministries and government agencies. This emerges from a warning letter from the Federal Information Technology Center (ITZ Bund) from the end of April, which is available to Bayerischer Rundfunk (BR). According to the letter, the attackers are said to have “very likely” tapped the e-mail communication at the companies concerned and thus obtained “personal data, telephone numbers and offices, but also current projects, e-mail histories and attached documents”.

In the letter, a member of the board of directors of the Federal Information Technology Center (ITZBund) draws the employees’ attention to the fact that contact data obtained as a result of the attacks could be used for social engineering. The ITZBund, however, says the situation is somewhat different.

The ITZBund confirmed to heise online that there was a letter addressed to the employees. “However, this is purely a letter to raise awareness for our employees. No facts are reported in the letter (…) it is purely a precautionary measure,” the ITZBund said on request. So far, no information has leaked due to social engineering.

There was also no IT emergency caused by a DDoS attack, which, according to BR research, affected customers of the ITZBund, as the ITZ Bund told heise online. The Federal Office for Information Security (BSI) currently sees no “immediate threat to the IT security of the federal administration”.

Adesso, which was mentioned in the report along with three other IT service providers, had been the victim of a cyber attack since May 2022. However, the company “only gained this knowledge afterwards in the course of analyzing the attack”. There was no outflow of data as part of the cyber attack. Adesso’s customers include various federal ministries, but also the health insurance IT service provider Bitmarck, which is also currently affected by a cyber attack.

The Berlin company Init, which was also affected, confirmed the cyber attack to heise online; customers have already been informed, and the LKA Berlin is investigating. The cause of the attacks on Adesso and Init was an exploited zero-day vulnerability in the Atlassian Confluence system in June 2022 (CVE-2022-26134). According to IT security researchers, this was one of the most frequently attacked security vulnerabilities allowing malicious code to be injected.

Init patched the vulnerability as soon as it became known, took all internet-reachable Confluence systems offline and installed all patches provided. Nevertheless, security analyses have shown that the vulnerability had already been exploited and that the attackers were able to install “a manipulated plugin for extending functions” via this vulnerability.

Init’s security team recognized an attempt to use this plugin in March 2023 and “took appropriate countermeasures in cooperation with external forensic scientists and the BSI”. The malware detected in the plugin was then removed immediately.

The investigations by the BSI and IT forensic experts are still ongoing. Those involved are actively hunting for threats and monitoring live network traffic. A compromise of the infrastructure cannot be ruled out so far. Data was only lost for a few customers. No data leaks have been identified at the third IT company mentioned in the report, Materna, and there the entry vector was not a vulnerability in Confluence. According to information from BR, investigations by the State Criminal Police Office of North Rhine-Westphalia are currently underway. The BR research comes to the conclusion that there is a connection between the three attacks.


(mack)
