This is a serious warning.
I have written this article for end-users, and not for computer experts.
Within 5 minutes you are good to go.
What Has Happened
A big German computer journal has recently become a victim of a computer hacker.
This is how it worked.
On Monday, May 13th, just before 3:00 pm, an employee opened an email that referred to (and quoted) a genuine business transaction. The mail apparently came from a business partner and asked the recipient to check the data in the attached Word document and to change it if necessary. When the document was opened, a (fake) error message appeared, asking the user to click “Enable Editing”.
This is how harmless the fake error message looked:
And This is How the Catastrophe Started
The employee followed this request, and the disaster took its course.
In the background, Emotet infected his Windows system and immediately began making mischief on the Heise network drives. At first this showed up as a few minor infections, which also triggered alarms from the anti-virus software in use (Avira and Windows Defender). The administrators who were called in cleaned these systems superficially and were initially convinced that they had the problem under control.
That changed on Wednesday afternoon, when row after row of connections to well-known Emotet servers was noticed in the firewall logs. A quick check showed that quite a few computers were already communicating over strange connections, for example on TCP port 449. That meant: “RED ALERT!”
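The firewall logs were the turning point in the story above: unexpected outbound connections on an unusual port. The following is an added example, not code from the article or from Heise, showing how the same check can be run on a single Windows PC (Windows 8 / Server 2012 or later, where Get-NetTCPConnection is available). It lists every established TCP connection to remote port 449, the port named in the article, together with the process that owns it. The port list is a parameter, which is an assumption of this example, so the same check can be repeated for any other port that shows up in your own firewall logs.

```powershell
# Added example (not part of the original article). Lists established outbound
# TCP connections to suspicious remote ports and the processes behind them.
# Run in PowerShell on Windows 8 / Server 2012 or later; an elevated session
# is needed to read the path of processes owned by other users.
param(
    [int[]]$SuspiciousPorts = @(449)   # port taken from the article; extend as needed
)

$findings = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
    Where-Object { $SuspiciousPorts -contains $_.RemotePort } |
    ForEach-Object {
        # Resolve the owning process; it may already have exited or be protected.
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [PSCustomObject]@{
            LocalAddress  = $_.LocalAddress
            RemoteAddress = $_.RemoteAddress
            RemotePort    = $_.RemotePort
            ProcessId     = $_.OwningProcess
            ProcessName   = if ($proc) { $proc.ProcessName } else { '<exited or access denied>' }
            ProcessPath   = if ($proc) { $proc.Path } else { '' }
        }
    }

if ($findings) {
    Write-Warning ("Found {0} established connection(s) to port(s) {1}. Disconnect this machine from the network and escalate." -f @($findings).Count, ($SuspiciousPorts -join ', '))
    $findings | Format-Table -AutoSize
} else {
    Write-Host ("No established connections to port(s) {0} right now." -f ($SuspiciousPorts -join ', '))
}
```

A clean result only says nothing is connected at this moment; the article's administrators only caught the outbreak because the firewall kept logs over several days, so a one-off snapshot like this complements those logs rather than replacing them.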
Read the entire story here: https://www.heise.de/ct/artikel/Trojaner-Befall-Emotet-bei-Heise-4437807.html
(use the Google Translate option in your Chrome browser if you cannot read German)
The journal ultimately saw the growing avalanche coming and switched to “professional mode”. They are now re-installing their entire (!) computer system.
What I find stunning is that this happened to the most important German computer journal, “c't”. This journal is known for its precise reporting and for its diligent editorials, and it frequently takes the moral high ground in all sorts of data protection matters. One would expect this journal to hold an even higher than normal standard when it comes to email data protection issues.
I also find it more than unusual that a user does his daily office work under his admin identity. This should not be allowed under any circumstances.
What is even more unusual is that the staff of this computer journal later used admin rights for cleaning their network from that virus. That one is a “no go”. The virus used this mistake and installed further instances of itself, using the powerful admin rights.
To me, all this means nothing less than that our self-made and uncertified IT wisenheimers are worth nothing when it comes to real problems, and these problems are coming. Hackers become smarter and smarter.
Call to Action
Find out immediately if you or someone in your firm has admin rights on his daily working account. You can do this in at least three ways:
- Right-click on any Windows app icon. A pop-up box will open, and it has a menu item “Run as administrator”. Click on that menu item. If that can be done without entering a password, you are clearly running your computer as an admin.
- Install a new piece of software, e.g. by re-installing the Google Chrome browser, and check whether or not the admin password must be entered to do so. If that installation can be done without entering a password,
- Open the Control Panel and click on the User Accounts option. In User Accounts, you should see your account name listed on the right side. If your account has admin rights, it will say “Administrator” under your account name.
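The three manual checks above can also be run as a script, which is handy when you want to check not just yourself but every PC in a small firm. The following is an added example and not part of the article: it reports whether the account running it is a member of the local Administrators group (the membership the article tells you to look for), whether the current session is actually elevated, and, on Windows 10 / Server 2016 or later, who else is in that group. The function names are assumptions of this example; the group SID S-1-5-32-544 and the whoami, Get-LocalGroupMember and WindowsPrincipal calls are standard Windows facilities.

```powershell
# Added example (not part of the original article). Run in Windows PowerShell 5.1
# or PowerShell 7 on Windows; no admin rights are needed to run it.

function Test-CurrentUserIsAdmin {
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    $adminRole = [System.Security.Principal.WindowsBuiltInRole]::Administrator
    $adminsSid = 'S-1-5-32-544'   # well-known SID of the local Administrators group

    # "whoami /groups" lists every group in the logon token, including the
    # Administrators group when it is only present "for deny only", which is the
    # state of a normal, non-elevated session of an admin account. That is the
    # membership the article warns about, even though nothing is elevated yet.
    $tokenGroups = whoami.exe /groups /fo csv | ConvertFrom-Csv
    $adminEntry  = $tokenGroups | Where-Object { $_.SID -eq $adminsSid }

    [PSCustomObject]@{
        User                   = $identity.Name
        MemberOfAdministrators = [bool]$adminEntry
        SessionIsElevated      = $principal.IsInRole($adminRole)   # true only when UAC-elevated
        AdminGroupAttributes   = if ($adminEntry) { $adminEntry.Attributes } else { '' }
    }
}

function Get-LocalAdminMembers {
    # Direct members of the local Administrators group. Needs the LocalAccounts
    # module (Windows 10 / Server 2016 and later); nested domain groups are shown
    # as a single group entry, not expanded to their members.
    Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Stop |
        Select-Object Name, ObjectClass, PrincipalSource, SID
}

$me = Test-CurrentUserIsAdmin
$me | Format-List

if ($me.MemberOfAdministrators) {
    Write-Warning "This daily-use account holds administrator rights. Have them removed and use a separate admin account for admin work only."
} else {
    Write-Host "This account is a standard user. Good."
}

try {
    Write-Host "`nMembers of the local Administrators group on this PC:"
    Get-LocalAdminMembers | Format-Table -AutoSize
} catch {
    Write-Host "Could not list local group members here: $($_.Exception.Message)"
}
```

Note the difference between the two flags in the output: a daily-use account that is a member of Administrators is the problem the article describes, even when SessionIsElevated is false, because any "Run as administrator" prompt or malicious document can turn that membership into full control without a second password.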
If you find out that this user has admin rights, get these admin rights removed from that user on the next workday.
And hire a trained and Microsoft certified IT guy with a proven track record in busting viruses to administer your computers.
Martin “virus-safe” Schweiger