
Bank hack with Raspberry Pi: How a 35-Swiss-franc device almost cost millions

Researchers have investigated an unusual and sophisticated attack on an unnamed bank: Unknown hackers placed a Raspberry Pi with a 4G modem directly into the bank’s internal network. The aim was to gain access to the ATM switching system – the switching point that controls cash transactions.

Objective: Control over the ATM switching system

The mini-computer was connected to the same switch that supplies the bank’s ATMs. This gave the attackers a perfect starting position to target the hardware security module (HSM). This module is actually there to protect highly sensitive data such as PINs or digital signatures. Successful access would have meant: manipulation of transactions and unauthorized cash withdrawals.

UNC2891 – Professionals with a long history

The attacker group is known as UNC2891 and has been active since at least 2017. It specializes in targeted attacks against banks, particularly via Linux, Unix and Solaris systems.

Mandiant (Google) had already described the group in 2022 and uncovered its CakeTap rootkit. This manipulated transactions in the ATM network to enable fake withdrawals with compromised cards. Other in-house developments such as SlapStick and TinyShell are also known – all with a focus on invisible, long-term access.

How the attack worked

  1. Physical implantation

A Raspberry Pi with a 4G modem was installed unnoticed in the network. The mobile connection allowed the hackers to bypass all perimeter security (firewalls, IDS, VPNs).

  2. Persistence through mail server

At the same time, they compromised an internal mail server. This had constant Internet access and served as an alternative backdoor in case the Raspberry device was removed.

  3. Monitoring server as an intermediate station

To further conceal their tracks, the attackers used the network monitoring server as a relay between the Raspberry Pi and the mail server. As this server had access to almost all systems in the data center, it was an ideal springboard.

  4. Hide and seek: process camouflage & bind mounts

– The malware disguised itself as “lightdm” – a legitimate Linux display manager.

– With realistic-looking command line arguments, the process appeared credible.

– The attackers also used a technique not previously documented in criminal use: Linux bind mounts. This allowed them to hide processes in the file system – similar to a rootkit.

– The technique has now been incorporated into the MITRE ATT&CK matrix.

  5. Detection through anomalies

– During the analysis, the researchers noticed beaconing from the monitoring server every 10 minutes.

– Forensic tools were initially unable to identify the processes. Only memory dumps revealed that “lightdm” was running in an unusual location – and was in fact a disguised backdoor.
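The three detection angles in steps 4 and 5 (a bind mount placed over a process's /proc entry, a process named after a legitimate binary but running from the wrong path, and a fixed-interval beacon) can be checked from host data without any special tooling. The script below is an added example written for this page; it is not code from the article or from the researchers it cites. All inputs are constructed sample data (a mountinfo excerpt, a small process table, a list of connection timestamps), and the expected location of lightdm is assumed to be the Debian/Ubuntu path /usr/sbin/lightdm.

```python
"""Host-side checks for the evasion and beaconing described above.
All input is constructed sample data so the script runs offline;
on a live host you would read /proc/self/mountinfo, walk /proc/<pid>
for comm and exe, and feed connection timestamps from your flow logs."""
import re
from collections import Counter

# Constructed /proc/self/mountinfo excerpt. Fields before " - " are:
# id parent major:minor root mount_point mount_opts [optional...]
# Fields after: fstype source super_opts. Line 4 is the suspicious one:
# a directory bind-mounted over /proc/4242 so that ps/top read the decoy.
SAMPLE_MOUNTINFO = """\
22 27 0:21 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
40 22 0:34 / /proc/sys/fs/binfmt_misc rw,relatime - autofs systemd-1 rw
27 1 8:1 / / rw,relatime - ext4 /dev/sda1 rw
99 22 8:1 /tmp/.hidden /proc/4242 rw,relatime - ext4 /dev/sda1 rw
"""

# Constructed process table: (pid, comm, resolved /proc/<pid>/exe).
SAMPLE_PROCS = [
    (901, "lightdm", "/usr/sbin/lightdm"),
    (4242, "lightdm", "/tmp/.hidden/lightdm"),
    (1200, "sshd", "/usr/sbin/sshd"),
]

# Where the impersonated binaries legitimately live. Assumption: a
# Debian/Ubuntu-style layout; extend or adjust for your own fleet.
EXPECTED_EXE = {"lightdm": {"/usr/sbin/lightdm"}}

PROC_PID_MOUNT = re.compile(r"^/proc/(\d+)(?:/|$)")


def find_proc_pid_mounts(mountinfo_text):
    """Return [(pid, source_root, fstype)] for every mount whose mount point
    is /proc/<pid>. Nothing legitimate mounts there, so any hit is a
    process-hiding bind mount worth a memory-level look."""
    hits = []
    for line in mountinfo_text.splitlines():
        pre, sep, post = line.partition(" - ")
        fields = pre.split()
        if not sep or len(fields) < 6:
            continue  # blank or malformed line
        root, mount_point = fields[3], fields[4]
        m = PROC_PID_MOUNT.match(mount_point)
        if m:
            hits.append((int(m.group(1)), root, post.split()[0]))
    return hits


def find_masqueraded_processes(procs):
    """Flag processes whose name matches a known binary but whose executable
    is not at that binary's expected path: the "lightdm in an unusual
    location" anomaly the memory dump exposed."""
    return [
        (pid, comm, exe)
        for pid, comm, exe in procs
        if comm in EXPECTED_EXE and exe not in EXPECTED_EXE[comm]
    ]


def find_periodic_beacons(timestamps, min_events=4, rel_jitter=0.05):
    """Given epoch-second timestamps of connections from one source to one
    destination, return the dominant interval in seconds if at least
    min_events of them recur at that interval (within rel_jitter), else None.
    Deltas are bucketed to 30 s so small network jitter does not split them."""
    ts = sorted(timestamps)
    if len(ts) < min_events:
        return None
    deltas = [b - a for a, b in zip(ts, ts[1:])]
    interval, _ = Counter(round(d / 30) * 30 for d in deltas).most_common(1)[0]
    if interval <= 0:
        return None
    regular = [d for d in deltas if abs(d - interval) <= rel_jitter * interval]
    # n regular deltas means n + 1 events on the cadence
    return interval if len(regular) + 1 >= min_events else None


if __name__ == "__main__":
    print("mounts over /proc/<pid>:", find_proc_pid_mounts(SAMPLE_MOUNTINFO))
    print("masqueraded processes:", find_masqueraded_processes(SAMPLE_PROCS))
    # constructed beacon: roughly every 600 s, like the 10-minute cadence above
    print("beacon interval:", find_periodic_beacons([0, 600, 1205, 1798, 2400]))
```

The mountinfo check is the cheap one to schedule: a mount point of the form /proc/<pid> has no legitimate use, so a single hit justifies pulling a memory image of that host rather than trusting anything ps or the forensic agent reports from /proc. The exe-path check only catches names you have listed in EXPECTED_EXE, so it is a complement to, not a replacement for, package-manager file verification. The beacon check deliberately tolerates jitter; tighten rel_jitter or the bucket size if your flow logs are precise.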

Attack stopped before it became expensive

The attack was detected and neutralized in time – before the hackers were able to fully compromise the ATM switching system and install CakeTap. Nevertheless, the incident impressively demonstrates how physical vulnerabilities combined with unconventional techniques can jeopardize even highly secured banks.

How resilient is your company really?

The attack shows: Firewalls and anti-virus solutions alone are not enough. Physical access, hidden backdoors and new attack techniques can also pose a risk.

With our Security Health Check you receive a clear assessment of your current situation:

  • Holistic analysis of your security situation
  • Detection of vulnerabilities – digital and physical
  • Concrete, prioritized measures for more protection

👉 Let us check your security before an attacker does.

Source: www.arstechnica.com, image created by AI.


Cybercrime beats natural disasters: The economic damage is unprecedented

As you read this, countless companies and private individuals around the world are being subjected to cyberattacks. Hackers are infiltrating networks, stealing confidential data, encrypting systems and demanding high ransoms in cryptocurrencies. The financial damage caused by such criminal activities is enormous – it exceeds the economic losses caused by natural disasters many times over.

The global damage caused by cybercrime amounts to several trillion Swiss francs every year, as was presented at the Swiss Cyber Security Days (SCSD) media conference. The specialist event, which takes place in Bern in February, brings together leading international experts to discuss current threats, new attack techniques and effective protection strategies.

Cyberattacks are not a question of “if”, but “when”

Companies and public institutions must strengthen their IT security without compromise – cyber criminals exploit every weak point. Unsecured networks, outdated software or unprotected interfaces offer ideal targets. Those who ignore security gaps not only risk immense financial losses, but also reputational damage and the complete standstill of business-critical processes.

A lack of resources or insufficient expertise should not be a justification for inadequate protective measures. Companies that do not have the necessary know-how must call in external security experts. They identify vulnerabilities, simulate attacks and implement effective protection mechanisms – before an actual attack occurs. Half-hearted protection is no longer an option.

International experts discuss in Bern

The Swiss Cyber Security Days offer a high-caliber platform for interdisciplinary exchange on the most pressing challenges in cyber security. Renowned representatives from business, science and public authorities – including experts from the FBI and specialists from the Portuguese Cyber Security Center – will speak on topics such as cyber defence, quantum computing and combating disinformation.

In addition to over 100 specialist presentations, the program includes interactive formats such as an AI art installation, a start-up zone and a specially set up hacklab for practical insights into the world of cyber security.

The event will take place on February 18 and 19 at Bernexpo and is aimed at specialists, companies and anyone who would like to find out more about the risks and solutions in the field of cyber defense.

Source: www.blick.ch, image created by AI.


EU AI Act & ISO 42001: Future-proof AI strategies

Artificial intelligence (AI) has long since found its way into our everyday lives – from recommendation systems and chatbots to decision-making processes in companies. With this development, the need for clear guidelines for the safe and ethical use of AI is also growing. The EU AI Act is the world’s first comprehensive regulation for AI and is intended to steer these technologies responsibly in Europe. In addition, the ISO/IEC 42001 standard provides a framework for AI management systems that supports companies in implementing and optimizing their AI processes.

The EU AI Act: A guide to AI regulation

With the entry into force of the EU AI Act on August 1, 2024, the EU is setting new standards for dealing with AI. The regulation takes a risk-based approach and divides AI systems into three categories:

Prohibited applications: AI systems that violate fundamental rights or enable targeted manipulation are prohibited (e.g. social scoring or covert biometric surveillance).

High-risk systems: Applications in sensitive areas such as health, education or law enforcement must meet strict requirements for transparency, data quality and monitoring.

Low risk: Moderate transparency requirements apply to low-risk applications, such as the labeling of AI-generated content.

Companies are obliged to document, test and certify their AI systems in order to meet the new requirements. The first regulations will come into force in February 2025, with more to follow by August 2026.

The role of formalized AI management systems

While the EU AI Act provides the regulatory framework, it does not clarify all the details of practical implementation. This is where the ISO/IEC 42001 standard comes in, defining clear processes and responsibilities for the development and operation of AI systems. The advantages of a formal AI management system include

Risk detection: Early identification of distortions, security gaps and data risks.

Transparency: Clear presentation of decision-making processes and control mechanisms.

Compliance: Ensuring that ethical and legal requirements are adhered to.

ISO 42001: A model for comprehensive AI management

Similar to ISO 27001 for information security, ISO 42001 creates a framework for the responsible handling of both the development and operation of AI systems.

Risk management: Analysis of technical, organizational and legal risks.

Documentation: Complete records and regular audits for internal control and external verification.

Continuous improvement: Mechanisms for the long-term optimization of AI systems.

Ethics and values: Integrating ethical principles and compliance requirements into the corporate strategy.

Conclusion

The EU AI Act marks a significant step in the European regulation of artificial intelligence and obliges companies to place their AI applications on a solid compliance foundation. Especially in combination with ISO 42001, which provides for a comprehensive AI management system, companies can implement both legal requirements and organizational requirements systematically and securely.

Those who deal with the new regulations and standards promptly will benefit in the long term from greater transparency, clearly defined risk management and a strong basis of trust – both towards customers and towards authorities and business partners.

How cybrius can support you

As a specialist in cybersecurity, AI and compliance, cybrius supports companies in meeting the requirements of the EU AI Act and establishing sustainable management systems in accordance with ISO 42001. Whether in risk analysis, process optimization or the implementation of specific compliance measures: We support you with our expertise so that you can exploit the opportunities of AI safely and responsibly.

Feel free to contact us to find out more about our services and consulting offers. Together, we will ensure that AI is used in your company in a way that is not only technically innovative, but also safe, legal and ethical.


Your trust, our motivation – Thank you for a great year

Dear customers, partners and friends,

As we say goodbye to 2024, we would like to pause and say thank you from the bottom of our hearts. Your trust, support and cooperation have made this year something special.

Thanks to your partnership, we were able to realize innovative projects, master new challenges and make progress together this year. Every meeting and every project has helped to further strengthen our commitment to quality, safety and innovation.

A look ahead.

The year 2025 promises new opportunities and exciting paths that we would like to explore together with you. We look forward to continuing to support your goals, develop innovative solutions and further expand our partnerships.

We wish you and your families a healthy, successful and happy new year 2025. May it be a year full of positive developments, inspiration and success.

Thank you for being part of our journey – here’s to a great 2025!

With best wishes,

Your cybrius team


HDMI cable as a gateway: AI system enables screen spying

A recently discovered method combines wireless electronic surveillance with artificial intelligence (AI) to spy on computer screens. Researchers in Uruguay have developed a method that makes it possible to monitor the displays of computer screens using AI systems. They intercept and decode the electromagnetic radiation emitted by the HDMI cable between the computer and monitor. According to the researchers, this method could already be used in practice.

Screen monitoring by AI

A team of computer security researchers from the University of the Republic in Montevideo, Uruguay, has shown how screen content can be spied on while the user is entering encrypted messages, bank details or other confidential information. This is done by intercepting the HDMI cable. Santiago Fernández, Emilio Martínez, Gabriel Varela, Pablo Musé and Federico Larroca have published their research results on Cornell Tech’s arXiv platform.

The study shows that it is possible to train an AI system to interpret minute variations in the electromagnetic radiation of the HDMI signal. Although HDMI is a wired and digitally encrypted standard, the cables emit enough radiation for it to be picked up without direct access.

The attacks can be carried out in various ways, for example by using antennas positioned outside a building to pick up HDMI signals. Alternatively, a discreet signal capture device could be placed inside the target building.

Testing the attack method

To verify the accuracy of the attack, the researchers used text recognition software to analyze the content recovered by the AI system. The extracted text was then compared with the original screen content. The tests showed that the AI was able to reconstruct text from a computer screen with an accuracy of 70%.

Although the researchers’ approach is not yet comparable with conventional recording methods, it shows a 60% improvement on previous projects. The method is sufficient to understand the main content of the displayed text and could even capture passwords and sensitive data. This is possible completely wirelessly, without physical access to the target computer and even from outside a building.

Historical context and new threats

The concept of using wireless electromagnetic signals for surveillance is not new. According to Der Spiegel, the technique of “compromising radiation”, known as “Tempest”, was previously used to reconstruct data from the radiation of computer monitors.

In the past, computers and monitors were connected via VGA ports with analog signal transmission, which made it easier for hackers to read them. Today, data is transmitted digitally via HDMI cable. Digital transmission includes encryption, which is why HDMI cables were considered secure. However, the researchers’ AI-supported “Deep-TEMPEST” attack method shows that digital transmissions can also be vulnerable.

Possible targets and protective measures

The researchers suspect that these or similar systems are already being used by government and industrial spies. Due to the complexity of the technology and the need to be close to the target system, normal users are unlikely to be affected. However, government agencies and large companies with sensitive data should consider protective measures against electromagnetic surveillance.

Source: www.tarnkappe.info, image created by AI.


Cyber security in June: Fakeupdates tops malware ranking, new threats on the rise

The malware downloader Fakeupdates remains the leading threat in June according to the malware ranking of the cyber security company Check Point. The most frequently exploited vulnerability last month was the “Check Point VPN Information Disclosure”.

According to Check Point, Fakeupdates dominates the company’s malware ranking. In Switzerland, this malware has an impact of 4.03 percent, internationally it is 7.03 percent. In second place comes Androxgh0st, a botnet that steals sensitive data from Windows, Mac and Linux systems. Qbot ranks third in Switzerland. This malware is often spread via spam emails and steals login information and cookies from browsers or monitors banking activities, among other things.

There is also a new entrant in the global malware ranking, Ransomhub, which overtook Lockbit3 in June with 80 new victims. There is also a new Windows backdoor called Badspace, which is spread via infected WordPress websites and fake browser updates.

The most frequently exploited vulnerability in June was “Check Point VPN Information Disclosure”, according to the cybersecurity company. This vulnerability allows attackers to read out certain information on Internet-connected gateways with activated remote access VPN or mobile access. Worldwide, 51 percent of organizations were affected. This is followed by “Web Servers Malicious URL Directory Traversal” with 49 percent and “HTTP Headers Remote Code Execution” with a global impact of 44 percent.

Source: www.swisscybersecurity.net


Focus on vulnerabilities: National Council recommends compromise on mandatory reporting

In a recent development, dated September 12, 2023, it is being discussed whether operators of critical facilities should be obliged to report not only cyber attacks but also serious security breaches to the authorities in the future. This issue has led to controversial debates between the legislative bodies. The national legislator has now presented a compromise proposal.

An important decision was made on September 12, 2023. Should operators of critical infrastructures not only have to report cyber attacks in future, but also significant security vulnerabilities in their computer systems? This issue still divides the two chambers of the legislature. The national legislator, who had originally called for the reporting of security vulnerabilities, has now taken a step in the direction of the Federal Council, which had previously voted against this proposal.

According to information from official sources, the larger legislative body has decided to exempt proprietary developments by companies from the reporting obligation. This decision followed a request from the national legislator’s security policy committee. The spokesman for this committee, Gerhard Andrey, justified the request by stating that other operators would not use special in-house developments.

A minority in the chamber, however, argued in favor of following the Federal Council and completely abolishing the obligation to report significant security vulnerabilities in computer systems. The issue will now be referred back to the smaller legislative body.

On June 1, 2023:

Parliament has unanimously endorsed the introduction of a reporting obligation for cyber attacks on important institutions. However, this decision is not yet final, as reported by official sources. The national legislator’s proposal to extend the reporting obligation to significant security vulnerabilities in computer systems was not approved by the Federal Council. This extended proposal was rejected by 31 votes to 13. The smaller legislative chamber followed people like FDP member Hans Wicki, who warned of additional costs for businesses and the reporting office. The issue will now be referred back to the national legislator to clarify differences of opinion.

On March 16, 2023:

The national legislator now supports the introduction of a reporting obligation for cyber attacks on important institutions. According to official information, it passed the necessary amendments to the Federal Act on Information Security by 132 votes to 55. As a result, operators of important facilities will in future have to report major cyber attacks to the National Cyber Security Center (NCSC) within 24 hours. Anyone who deliberately fails to do so risks a fine.

The national legislator has also proposed extending the reporting obligation to significant security vulnerabilities in computer systems, following a suggestion from its Security Policy Committee. According to the press release, the larger legislative body hopes that this will have a preventive effect. The issue will next go to the Federal Council.

In a statement, a political party in Switzerland criticizes the fact that the NCSC is still intended as a reporting office. This is because the NCSC is being transformed into a federal agency and attached to the Ministry of Defense. It also houses organizations such as the Federal Intelligence Service (FIS) and the army, which the party believes are not acting in the best interests of cyber security. Therefore, the NCSC should no longer be considered trustworthy and an independent reporting office should be created. The party is also calling for the NCSC to be required to inform the public about reported cyber-attacks, rather than just seeing this as a possibility.

On December 2, 2022:

The Federal Council has submitted a proposal to Parliament to amend the Federal Information Security Act. This proposal lays down the legal basis for the obligation of operators of critical facilities to report cyberattacks they have suffered.

The central point of contact for these reports will be the new Federal Office for Cybersecurity.

Original message from May 13, 2022:

The idea of mandatory reporting of cyber attacks on important institutions enjoys strong support in Switzerland. Operators of critical infrastructures could be obliged to report such incidents in future. The proposed legislation, which the Federal Council submitted for consultation in January 2022, has met with broad approval in the business community, research and at cantonal level, according to the National Cybersecurity Center (NCSC).

A total of around 100 comments were received, most of which were in favor of the proposed legislation. A reporting obligation to a central federal office is seen as a useful instrument for strengthening cyber security. It is particularly important to those affected that these notifications can be made without additional bureaucratic effort.

Source: www.swisscybersecurity.net


The new Swiss Data Protection Act comes into force

On August 31, 2022, the Swiss government decided that the complete revision of the Data Protection Act, including the new Data Protection Ordinance and the Ordinance on Data Protection Certifications (VDSZ), will finally come into force on September 1, 2023. All business enterprises must implement the updated provisions by this date. This legislation will enable the Federal Data Protection and Information Commissioner (FDPIC) to monitor compliance with data protection guidelines more effectively, whereby violations can be countered with investigations, measures and, if necessary, fines. In addition, data subjects have legal means at their disposal to enforce their rights.

Together with the determination of the entry into force of the revised Data Protection Act, the government published the official text of the Data Protection Ordinance (new abbreviation: DPO). Until now, only a preliminary draft was available, which met with some fierce resistance during the consultation phase. However, the result shows that the concerns have been taken into account in Parliament and a balance is emerging towards more practical and business-friendly requirements. In addition, many provisions have been formulated more precisely.

In the revised draft of the General Data Protection Regulation (GDPR), certain key changes have been made that could potentially have a direct impact on businesses and various organizations, whether public or non-profit. These changes are summarized as follows:

Information obligations: The requirements for information obligations have been significantly relaxed, particularly with regard to the way in which data protection declarations and data protection notices must be formulated. Specifically, some complex duties have been removed:

  • The processor’s obligation to provide information, which is difficult to understand, has been removed.
  • Private data controllers no longer have to inform recipients of personal data about certain aspects such as “accuracy” or “reliability”; this responsibility has been transferred to the federal authorities (see Art. 29 GDPR).
  • Information based on European data protection directives, such as that relating to the correction or deletion of personal data, is no longer required.

Processing regulations: The previous requirement to maintain processing regulations for private companies has been modified, but not completely abolished:

  • It only applies to specific cases such as the automated processing of sensitive personal data on a large scale or with a high risk profile (in accordance with Art. 5 GDPR).

These changes reflect a tendency to remove some of the more complex and potentially impractical requirements of the previous draft in order to make the process clearer and more manageable for all parties involved.

In addition to the revisions already mentioned, there are other modifications of essential relevance that require meticulous analysis and implementation. This includes the redesign of the sanction mechanisms, the rationalization of data security requirements and the specified obligations for international data transfers. As a company with in-depth expertise in this field, we are ideally placed to guide our clients through these complex innovations. We offer individualized consultation, assistance with adherence to new guidelines and pragmatic solutions to ensure that your company or institution not only complies with the newly developed data protection requirements, but also uses them to your advantage. Our expert specialists are available to support you in transforming the data protection landscape so you can operate with unwavering confidence and integrity.

In view of the increased sanctions (fines of up to CHF 250,000), it will be crucial to have a precise overview of all data flows to third parties (especially in an international context) in order to be able to take the necessary measures (e.g. conclusion of relevant agreements, risk assessments). The right to information will probably retain its importance, and of course the overarching issue of data and IT security remains highly relevant.

Source: FDPIC


Apple’s fight against cybercrime in the App Store

Last year, Apple removed around 1.7 million questionable and harmful apps from its App Store. The company was also able to prevent fraudulent transactions with a total value of more than 2 billion US dollars.

Apple has published a report on its prevention measures against cybercrime. According to the Californian company’s statement, the App Store team was able to avert transactions with a total value of over 2 billion US dollars in 2022 that were classified as potentially fraudulent and rejected almost 1.7 million app submissions.

As part of its ongoing commitment to combat fraudulent activity, the company also deleted 428,000 developer accounts due to suspected fraudulent activity, deactivated 282 million customer accounts deemed to be fraudulent and suspended 105,000 newly created developer accounts due to possible fraudulent activity.

Special challenges in data protection

Of the almost 1.7 million app submissions rejected by Apple, 400,000 involved privacy violations. This includes, in particular, apps that attempt to collect users’ personal data without their knowledge or consent.

Furthermore, 153,000 were rejected because they deceived users and were replicas of apps that had already been submitted. Around 29,000 applications were refused inclusion in the App Store because they used undocumented or hidden functions.

“In several cases last year, the App Review team discovered apps that were equipped with malicious code and could steal users’ login data from third-party services. In other cases, the App Review team uncovered several apps that posed as harmless financial management platforms but were able to transform themselves into another app,” Apple reports. Around 24,000 such deceptive apps were blocked.

Apple added that the App Store’s ‘App Review’ team reviews an average of more than 100,000 app submissions each week, of which around 90 percent are reviewed within 24 hours.

Suspicious payments and manipulated ratings

By stopping fraudulent transactions totaling 2.09 billion dollars last year, Apple says it was able to prevent around 714,000 fraudulent accounts from making further transactions.

The company also blocked around 3.9 million stolen credit cards that were used for fraudulent purchases in the App Store. “Apple takes credit card fraud very seriously and remains committed to protecting the App Store and its users from such charges,” the company said.

Most recently, Apple removed more than 147 million fraudulent reviews from the App Store in 2022 after the company reviewed more than 1 billion reviews to identify fraudulent reviews.

According to Apple, the App Store has an average of over 650 million users worldwide every week and offers a global app distribution platform for more than 36 million registered developers.

Source: https://www.swisscybersecurity.net


Cyber agents of the Swiss intelligence service are deployed to social media

Virtual agents will soon be part of the Federal Intelligence Service’s arsenal. Equipped with fake identities, they are tasked with collecting data from social networks.

The Federal Intelligence Service (FIS) is strengthening its presence in the digital world. The authority plans to integrate virtual agents into its team by the end of the year. The intelligence service confirmed this to “SRF”.

“In view of the need to strengthen our own capabilities and not be exclusively dependent on the services of our partners, the FIS is currently launching a project to implement virtual agents,” according to the official statement from the intelligence service. In the past, results have already been achieved through the use of virtual agents from foreign partner services.

The virtual agents, equipped with cover identities, are sent out on social networks to collect information for the Swiss intelligence service. The exact number of these cyber agents that the FIS wants to hire and their specific skills were not disclosed to the SRF. According to the FIS, no change in the law is necessary to enable the use of virtual agents.

Prisca Fischer, the head of the independent supervisory authority for intelligence activities, says she wants to closely monitor the project and plan an investigation when the virtual agents are introduced towards the end of the year.

Source: https://www.swisscybersecurity.net