David Gugelmann: ‘We expect an increasing number of data breaches, compromised servers, and ransomware attacks’
25.03.2021
Earlier in March, hackers gained access to organizations’ email accounts through vulnerabilities in the Microsoft Exchange Servers: Even though Microsoft issued security patches, the large-scale attack affected tens of thousands of computers and led to service outages around the world. The Exchange software is widely used, and hackers continue to infect as many computers as possible before companies are able to secure their systems. Zurich-based software startup Exeon Analytics helps protect companies against cyberattacks, and we talked to Exeon Analytics founder and CEO Dr. David Gugelmann to learn more about the Microsoft attack and his company’s innovative solutions.
 Exeon Analytics founder and CEO Dr. David Gugelmann
|
 |
David Gugelmann founded Exeon Analytics in 2016. The Venture Kick winner, Venture Leader, and TOP 100 Startup has developed ExeonTrace, which uses AI to leverage a company’s existing IT infrastructure to detect and eliminate cyber threats quickly.
David, earlier in March, Microsoft reported one of the most significant cyberattacks on their Exchange servers to date. How would you describe the last few weeks?
Obviously, there have been large-scale attacks against authorities and organizations in the past, but the severity of this latest issue is of a totally new dimension. Microsoft is an almost uncontested market leader in its field, which in turn means that this security incident is unprecedented. Thankfully, both Microsoft and authorities in the US and Europe alike very quickly realized the severity of this attack and have started urging Microsoft clients to patch as soon as possible. Still, hackers had plenty of time already to plant web shells within countless Exchange installations giving them the opportunity to access those companies’ IT networks in the future as well. This, in turn, means that we expect an increasing number of data breaches, compromised servers, and ransomware attacks moving forward.
Were you surprised by the attack?
Attacks have been increasing with regards to both numbers and severity for many years now, and the approach that hackers have been using with this recent instance is nothing new. We have seen a couple of frightening security breaches in the past that have worked quite the same. What is new, though, is the scale of possible incidents and victims this attack has created because Microsoft Exchange is such a popular product.
The attackers used web shells. For anyone not working in IT, what are web shells, and why are they so dangerous?
Traditionally the term “shell” refers to the interface through which users interact with a PC’s operating system (or rather, its “kernel,” i.e., core). Web shells, in general, work the same way as regular shells, only across the world wide web, in a way that it enables people to remotely execute commands on these computers and servers—say, via a web browser. For this to work, web shells need to be uploaded to the server or PC that is to be targeted first. Uploading the web shell is normally prevented by the server, but the recent weakness in the Exchange server allows attackers to circumvent this protection. Hackers have been using this technique for years to infiltrate servers they want to control—with the recent attack being the most prominent one of its kind.
How does Exeon Analytics detect servers that were hacked, and how do you help to protect servers from future attacks?
Our technology uses two different angles to identify and highlight suspicious activity: by analyzing network traffic with the support of artificial intelligence to detect irregular data flows and patterns occurring when attackers try to spread within a network. And by visualizing the data flows of the Exchange Servers, helping to find anomalies. Both of those features are core elements of our software ExeonTrace. As ExeonTrace is deployable in less than a day, our customers get insights into their network traffic and potential anomalies within very short notice.
Germany and Switzerland were among the countries that were most affected. Why are our servers a popular or easy target for hackers?
Various media report that Germany and Switzerland made up for no less than 30% of all targets, which is an incredible amount. It is actually difficult to say why this scale is that high – however, what we generally see is that on-premise installations are more popular in the DACH region than in other regions. And as the on-premise servers have been compromised, I would assume this to be one possible reason.
Since the beginning of the pandemic and the increase of remote work, cyberattacks have been increasing. What do you want people to learn from this attack?
Cyberattacks have been occurring before the pandemic, but the situation certainly has not changed for the better. Organizations need to understand that IT security not only needs to be a top priority but also that the traditional approach of only setting up some kind of “firewall” against intruders has stopped working long ago. Be it through this Exchange server hack, through the Solarwinds attack we saw earlier this year, or through phishing mails—the probability of having intruders in company networks has dramatically increased. It is therefore paramount to set up systems that are capable of finding any attackers fast and reliable—before they find valuable corporate data.
David, earlier in March, Microsoft reported one of the most significant cyberattacks on their Exchange servers to date. How would you describe the last few weeks?Obviously, there have been large-scale attacks against authorities and organizations in the past, but the severity of this latest issue is of a totally new dimension. Microsoft is an almost uncontested market leader in its field, which in turn means that this security incident is unprecedented. Thankfully, both Microsoft and authorities in the US and Europe alike very quickly realized the severity of this attack and have started urging Microsoft clients to patch as soon as possible. Still, hackers had plenty of time already to plant web shells within countless Exchange installations giving them the opportunity to access those companies’ IT networks in the future as well. This, in turn, means that we expect an increasing number of data breaches, compromised servers, and ransomware attacks moving forward.
Were you surprised by the attack?
Attacks have been increasing with regards to both numbers and severity for many years now, and the approach that hackers have been using with this recent instance is nothing new. We have seen a couple of frightening security breaches in the past that have worked quite the same. What is new, though, is the scale of possible incidents and victims this attack has created because Microsoft Exchange is such a popular product.
The attackers used web shells. For anyone not working in IT, what are web shells, and why are they so dangerous?
Traditionally the term “shell” refers to the interface through which users interact with a PC’s operating system (or rather, its “kernel,” i.e., core). Web shells, in general, work the same way as regular shells, only across the world wide web, in a way that it enables people to remotely execute commands on these computers and servers—say, via a web browser. For this to work, web shells need to be uploaded to the server or PC that is to be targeted first. Uploading the web shell is normally prevented by the server, but the recent weakness in the Exchange server allows attackers to circumvent this protection. Hackers have been using this technique for years to infiltrate servers they want to control—with the recent attack being the most prominent one of its kind.
How does Exeon Analytics detect servers that were hacked, and how do you help to protect servers from future attacks?
Our technology uses two different angles to identify and highlight suspicious activity: by analyzing network traffic with the support of artificial intelligence to detect irregular data flows and patterns occurring when attackers try to spread within a network. And by visualizing the data flows of the Exchange Servers, helping to find anomalies. Both of those features are core elements of our software ExeonTrace. As ExeonTrace is deployable in less than a day, our customers get insights into their network traffic and potential anomalies within very short notice.
Germany and Switzerland were among the countries that were most affected. Why are our servers a popular or easy target for hackers?
Various media report that Germany and Switzerland made up for no less than 30% of all targets, which is an incredible amount. It is actually difficult to say why this scale is that high – however, what we generally see is that on-premise installations are more popular in the DACH region than in other regions. And as the on-premise servers have been compromised, I would assume this to be one possible reason.
Since the beginning of the pandemic and the increase of remote work, cyberattacks have been increasing. What do you want people to learn from this attack?
Cyberattacks have been occurring before the pandemic, but the situation certainly has not changed for the better. Organizations need to understand that IT security not only needs to be a top priority but also that the traditional approach of only setting up some kind of “firewall” against intruders has stopped working long ago. Be it through this Exchange server hack, through the Solarwinds attack we saw earlier this year, or through phishing mails—the probability of having intruders in company networks has dramatically increased. It is therefore paramount to set up systems that are capable of finding any attackers fast and reliable—before they find valuable corporate data.