Companies from the IT and telecommunications sector, which are operating critical infrastructures, are top targets for hackers. They therefore need to be as secure as possible. This is where sustainable cyber resilience comes in.

Sustainable cyber resilience is a vital defence against cyberattacks. But what exactly does that mean?

It’s become clear that companies can no longer afford to take reactive measures to protect themselves from hackers. They must minimise their attack surface from the outset and, at the same time, ensure that their systems remain operational even in the event of a cyberattack. The sustainable cyber resilience concept goes one step further than IT security and includes both technological and strategic measures. On the technical side, it is necessary to identify and assess risks and close weak points. On the strategic side, business and IT departments must work closely together to make the resilience processes a top priority.

Here are Greenbone Networks’ top five reasons why sustainable cyber resilience is essential for telecoms providers today:

1. Cyberattacks on telecoms companies are on the rise
Ponemon Institute estimates that nine out of ten critical infrastructures have suffered an attack over the past two years. The telecoms sector is particularly at risk, with attacks coming from all sides, including government agencies establishing covert surveillance and cyber criminals in search of highly valuable personal customer data. Indeed, especially with the introduction of 5G and suspicions (rightly or wrongly) surrounding the use of Huawei equipment, UK telecoms providers have been urged to strengthen their cyber security defences by the NCSC to fend off the growing number of attacks.

2. Telecommunications connect all critical infrastructure sectors
If the telecoms infrastructure fails, other critical sectors will also be affected. Many control systems in energy and water utilities can’t function if they can’t transmit or exchange data. The financial system would come to a standstill; so too would the healthcare system. A telecoms sector that is resistant to cyberattacks is absolutely vital to every walk of society.

3. The target area of telecoms infrastructures is becoming larger
As a result of digitisation, more and more telecoms services have shifted to IP networks. The classic fixed network has become obsolete. Telephony, internet, TV and video streaming are now all IP-based. As a result, communication networks and server systems are becoming increasingly unified. But this also means that hackers can cause massive damage by attacking the IP network. Furthermore, mobile is becoming increasingly important. Many IoT devices use mobile networks and, as a result, cybercriminals have more and more points of attack. The new 5G mobile communications standard will bring even more technical complexity and, with it, the need for new IT security requirements.

4. Nested responsibilities make security more difficult
Many different companies and subcontractors are often involved in telecoms infrastructures. Some of them are located in different countries. Whilst this makes it difficult to provide security it also means that it is all the more important to establish a uniform, consistent level of protection with a resilience concept.

5. The EU NIS Directive makes resilience building blocks mandatory
Since May 2018, critical infrastructure companies in the telecoms sector have been obliged to provide evidence of suitable technical and organisational measures to protect against cybercrime. This is prescribed by the EU NIS Directive. ISO 27001 certification provides a good blueprint for resilience. Among other items, it mandates vulnerability management, an important cornerstone of sustainable cyber resilience.

Minimising risks with sustainable resilience
It’s not for nothing that attacks on telecoms infrastructures are so popular with hackers. Here they find a growing, complex attack surface on which they can cause great damage. ICT companies should therefore do everything they can to make their systems sustainably resilient. For a comprehensive concept of Sustainable Cyber Resilience, ICT companies must take the appropriate technical and organisational measures.

This includes vulnerability management.

As feared by many security experts, Emotet has learned something new – again. As reported by CERT-Bund on Twitter, the malware is now capable of creating authentic replies to existing emails, encouraging unsuspecting recipients to open infected attachments or click on fake links.

The German Federal Office for Information Security (BSI) has, in the past, issued several warnings about the Emotet malware, which spreads by sending credible-looking spam emails from an infected account to address book contacts. Once it has infected a system, the malware can generate further malicious code, with possible dire consequences for companies. It could cause a halt in production or a complete infrastructure failure, and may even require company networks to be rebuilt entirely.

Hackers have now made the malware even more sophisticated. Indeed, CERT-Bund tweeted that Emotet no longer only uses the sender’s addresses, but can also produce fake replies to emails by making use of ‘read message’ content. It also embeds authentic links to the domain of the supposed sender. The malware makes use of “spear phishing” techniques in which information about the victim’s contacts and communication behaviour is collected in order to create as authentic an email response as possible with malicious code attached. Emotet has automated this process and is therefore able to send a huge amount of authentic emails in a short space of time, spreading malware at high speed.

Even though this malware is becoming more sophisticated, organisations still have an opportunity to act and protect themselves before it’s too late.

Companies can and should deploy counteractive measures

On a technical level, taking a closer look at the structure of malware reveals that there are fundamental ways to protect against an attack. The Emotet infection process uses a number of elements that a resilient infrastructure with a flexible and preventive security architecture can defend against. Having this resilience in place means that the infection is not transmitted immediately, for example, when the email recipient opens an attachment, but only when the associated macros in the attached file, such as a Word document, are executed. This means that with standard MS Office settings, a user must manually activate the malware in the attachment in order to transfer it to the network.

What’s more, most employees don’t even need macros for normal day-to-day business. It is therefore advisable to deactivate them completely by default, preventing manual execution by assigning the appropriate rights. A good vulnerability management tool can help here as they can help identify and manage which user accounts can allow the execution of macros. The same is true for PowerShell or administrator rights, as these are also required for Emotet to load.

Detect reloading of Emotet tools

Even if Emotet has already infected the IT system, there are still defence measures that can be put in place. For example, the malware reloads various tools to spy on access data or encrypted data. These standard tools can be used as indicators of compromise. A vulnerability management tool such as the Greenbone Security Manager can also be used to determine whether reloaded Emotet tools are active in the company’s own IT infrastructure.

Emotet is also distributed from the infected system via the so-called SMB vulnerability, which was made infamous in the WannaCry and Eternal Blue attacks. This vulnerability can be closed with the corresponding update but after the WannaCry outbreak (although many companies made their networks inaccessible to SMB communication from the outside), not all secured their internal communications. Here an examination to pinpoint corresponding weak points is the best way to find any gaps in the system.

Conclusion: Small security measures have a big impact

Large-scale computer failures caused by the Emotet malware can have catastrophic consequences, especially for critical infrastructures such as hospitals as they not only cause economic damage, but also pose a threat to people. Organisations should therefore act before it’s too late and protect their IT infrastructures in the best possible way. To become resistant to phishing attacks from advanced malware such as the new Emotet type, a few coordinated measures, such as deactivating unnecessary macros and closing known vulnerabilities as quickly as possible, are often enough.

New OS versions to be released on April 30th and October 31st every year

In 2019, we will be switching to a new release scheme for updated versions of the Greenbone OS – the Greenbone Security Manager (GSM) operating system – with fixed release dates every year, giving our customers, partners, and the Greenbone development team more planning certainty.

The new fixed dates will be April 30th and October 31st each year. However, during 2019, as we transition to this new scheme, we will introduce GOS 5.0 in two staged releases, with ENTRY/SME scheduled for April 30th and MIDRANGE/ENTERPRISE/SENSOR set for June 30th. GOS 6.0 will then be released for all GSM devices in a single step in accordance with the new scheme. From 2020 onwards, the new time-based release system will apply in full.

The scheme is based on hard deadlines for new features, new GSM types and new hardware. If a feature does not make it to a release date, it will be included in the subsequent release.

OS updates tested over one-month phase in the Greenbone community

In addition, our Greenbone Vulnerability Management (GVM) system will undergo a one-month test phase in conjunction with each GOS release. Before the April 30th and October 31st release dates, the Source Edition will be made available on the GVM system within the Greenbone community. As a result, any bugs can be found and eliminated before our customers and partners put the new GOS into operation.

Another advantage of having two new major OS versions per year is that our customers can benefit from our latest innovations much more quickly. Users will be able to jump to new GOS versions faster, either every six months on the official release dates (our innovation cycle), or every 12 months during a three-month migration phase (May/June/July or November/December/January) when they can skip a GOS generation (a more conservative cycle).

Serious vulnerability discovered in D-Link routers

UPDATE: patch available for users on D-Link support pages

In November 2018, Greenbone discovered a serious security vulnerability in D-Link routers and drew the company’s attention to it. The vulnerability is easy for hackers to exploit and allows unauthorised access to networks. There is now a patch available from the vendor. Greenbone has been offering its customers a vulnerability test (NVT) as part of its daily security feed since the end of last year.

Routers are pivotal to both home and business networks. They establish an Internet connection for connected laptops and PCs, and also for smart home and industrial applications. But even though so many components of a network converge here, router security is not always adequate. For example, last year, researchers at the American Consumer Institute found known vulnerabilities in 83 percent of the routers it examined as part of the study. Hackers can use these vulnerabilities to gain access to the device itself and therefore to the entire network. In total, the researchers counted more than 30,000 separate vulnerabilities – 7 percent of which represented a critical risk, while 21 percent were high risk.

Design errors make the DWR and DAP models vulnerable to attack

In addition to the already known vulnerabilities in routers, new ones are being found on a near constant basis. In November 2018, Greenbone security researchers found a serious vulnerability in various D-Link routers, particularly the DWR and DAP models. Described as an “Unauthenticated Remote Code Execution”, the vulnerability is a security hole where an attacker can execute commands on the router without any authentication. In the case of the D-Link routers, a hacker can even obtain full administrative rights. It is very likely that the NIST (National Institute of Standards and Technology) will award the highest possible CVSS rating (Common Vulnerability Scoring System) of 10.0.

The cause is probably a design flaw. In the devices we tested, we found an executable file called “EXCU_SHELL” that can be selected from the web browser using a so-called GET request. This is responsible for some useful (yet harmless) operations, such as displaying information about the installed firmware. But if you adjust some of the file’s parameters, it is possible to insert and execute arbitrary commands.

Access to routers without authentication possible

D-Link is one of the top vendors in the global wireless router market and was the market leader in 2017, with a market share of 24.1 percent.

But it’s not just the potential number of customers that could be impacted that make this vulnerability significant.  According to the CVSS basic score calculator, the severity of the vulnerability is high and relatively easy to exploit. The “EXCU_SHELL” file is not password-protected and hackers can therefore access the router and the associated network without authentication. Once infiltrated, all incoming and outgoing Internet traffic can be viewed, modified and controlled. It may even be possible for hackers to spread malware.

With smart home and IoT technologies, such vulnerabilities cause considerable damage. Hackers can open the door to critical infrastructures, such as health care facilities or energy suppliers.

D-Link publishes security update on March 19, 2019

Greenbone reported the vulnerability to D-Link last November. The manufacturer was responsive throughout the process and asked us to take over the CVE application. The D-Link website now provides information for customers and a patch has been made available.

After more than 90 days that have passed since the vulnerability was discovered – the deadline expired on February 11, 2019 – we were acting in accordance with Responsible Disclosure and published all available information to protect users. For Greenbone customers, the gap has been visible via the daily security feed since November 2018.

Manufacturers must act

Given the sheer number of security vulnerabilities on routers, closing the D-Link gap is certainly just a drop in the ocean. While the number of vulnerabilities is intimidating, placing your head in the sand is not an option. Focus must be placed on persuading (or, in some cases, forcing) as many manufacturers as possible to secure their routers.