The Federal Criminal Police Office is sending officers to IT specialists whose companies use software with known security vulnerabilities. Some admins were visited in the middle of the night.
A critical security vulnerability in control software from the US manufacturer PTC led to an unprecedented police operation over the past weekend. At the instigation of the German Federal Criminal Police Office (BKA), several state criminal police offices alerted affected companies – not by email or telephone, but with home visits. Some admins were reportedly woken by the doorbell at half past three on Sunday morning.
The officers merely handed over a copy of a letter that PTC had sent to companies the previous day, which contained instructions for a so-called hotfix. This involves closing a single vulnerability before updating the entire application. The affected products were Windchill and Flex PLM, which companies in industry and retail use to monitor and control manufacturing and supply processes.
Several criminal police offices confirmed the approach to the internet magazine Heise Online. The authority in Thuringia stated that the BKA had provided a list of affected companies, whereupon the Central Cybercrime Contact Point had arranged personal visits. Rhineland-Palatinate and Schleswig-Holstein acted in the same way. Hamburg and Lower Saxony, on the other hand, issued warnings by telephone and email. Unofficially, there is talk of more than 1,000 affected customers in Germany.
The coordinated approach is all the more striking given that the responsible specialist authorities remained noticeably reserved. The Federal Office for Information Security (BSI) did not publish a notice in its warning and information service until midday on Monday; operators of so-called critical infrastructures were also informed separately. The US cybersecurity authority remained completely silent; there is no corresponding entry in a list it maintains of known exploited vulnerabilities.
However, specialist magazines classify the vulnerability as a so-called critical zero-day vulnerability. This enables attackers to execute arbitrary malicious code on the servers of the affected companies. There are reportedly indications that functioning malware is already in circulation. There are also reports of attempted – but unsuccessful – attacks.
Meanwhile, the manufacturer PTC stated that there is no evidence of a confirmed exploitation of the vulnerability – but in the same document listed specific signs of a successful compromise of servers belonging to some customers. Users on social media are particularly critical of the fact that the police were deployed because of IT security vulnerabilities.
Published in German in „nd“.
Image: In Thuringia, among other states, the state criminal police’s cybercrime contact point arranged personal visits to admins (Südthüringer, CC BY-SA 4.0).




