Utimaco, Crypto Miner and a detection disaster

The German security company Utimaco had a security issue that heise Security pointed out to them: unknown attackers had managed to place a crypto miner on their website that mined Monero on the systems of the site's visitors.

That alone would not really be news, because, as Utimaco assured us when we asked, they discovered the smuggled JavaScript code and shut down the affected system for forensic analysis. Users' systems were not permanently infected beyond the temporary use of their computing power; so far, there has been no evidence that customer data has been compromised. All of this sounds consistent and believable.

The browser’s developer tools reveal what resources a web page loads. In this case, it was a cryptominer.

(Image: Screenshot)

Nevertheless, there are two points that make the incident worth reporting. The first is the company in question. Utimaco is one of the best-known German security companies. Its main business is hardware security modules for high-security environments. In addition, it supplies equipment for lawful interception; this includes the black boxes that providers must connect to their networks to give law enforcement access to their customers' data.

Finally, the company also offers "Cyber Crime Protection" as a service. The fact that even such a company is affected by such attacks says a lot about the state of IT security.

Jürgen Schmidt, aka ju, is head of Heise Security and Senior Fellow Security at Heise-Verlag. He is a trained physicist, has worked at Heise for over 25 years, and is also interested in networking, Linux and open source.

The second point that makes this incident newsworthy is the way the person reporting it was treated. I sent the report of the issue, along with a screenshot of the active cryptominer, to the company's official privacy contact and to the email address it provides for site abuse, requesting confirmation of receipt and further information, including how this could have happened. The answer: nothing at all.

During a routine check, I noticed that the website in question was no longer available and asked the company about it. It then confirmed to me that the website had been taken offline. I already knew that, but still! After further probing, they gave me the details above and the information that the cryptominer was only active from April 26th to May 3rd. Today, Utimaco closed the ticket I had opened; I still do not know how the malicious code got into the system.

As a reminder: I had warned the company about a security issue that was actively being used to harm its customers. It was then able to stop it and prevent further damage. That was not an attack, but a free service. Okay, at least I was not left without any explanation. Nevertheless, Utimaco's handling of reported security issues still has considerable room for improvement.

If you find yourself in a similar situation: always acknowledge receipt of such reports and try to establish a friendly tone for communication from the start. Ideally, such a disclosure process lets both sides see the world from a new perspective and learn something interesting.
