Since we published our summarized findings about the data leaks related to unsecured PACS servers across the globe, one question remained when looking at the situation and the continued access we have to the majority of the systems we found and measured more than 3 months ago.

What else can we do to get as much systems as possible off the public Internet?

Within the software space, we have used responsible disclosures for some time (for example with D-Link earlier this year), so the idea was to apply the same logic.

Still, following that idea wasn’t easy and straight forward, as a couple of concerns had to be addressed.

  • What data shall we use to substantiate the fact that there is a data leak within the organization we address?
  • How do we identify the organization, the right contacts there?
  • What format and method of disclosure shall we use? And finally..
  • What should we say in the disclosure so that it is seen as an information and not as a threat?

We worked along the questions, with the help of friends, partners and valuable insights of security professionals across the globe (thanks to Troy Hunt for the presentation about the topic: https://www.troyhunt.com/fixing-data-breaches-part-3-the-ease-of-disclosure/)

What data to use?

Simple answer: as little as possible, a single data set should be enough, and even this one needs to obscured as we are likely to transmit the information via unsecured channels.

We decided to use a single, current date set from each system for each provider and note it down. No, nothing was downloaded & stored or copied and pasted from these PACS. We don’t want that. Pencil and Paper are our tools here.

How to identify the system owners?

No question, we were not supposed to contact any person within the data to find out about their healthcare provider: “Hey, we got your data from an unsecured system in the Internet can you name me your radiologist?” wouldn’t work well. As the information contained in the PACS also indicates the name of healthcare providers and of physicians, this was our starting point.

We used a list of sites, Google of course, but also:

So, all the work was done using OSINT.

What should be the format?

Letters, Faxes, Emails? We discussed about the pros and cons, and we decided to use Email as the format and method to transmit the responsible disclosure. Email is fast but it is also the main inroad for attack attempts like phishing, so we had to scale down from fancy HTML to plain text. Having the RFC style & format in mind, we drafted some initial versions and circulated them among capable advisers.

What should we say?

Emails talking about data leaks are very often received as threats, “do this, pay that or we will release ..:”. Formulating this email to avoid that specific effect was a bit of a challenge. We kept it as simple and short as possible, suggested actions instead of demanding them (which is anyway nothing we could possibly do). That one took us a bit of work.

Finalization and Concerns

Our full notes were then transferred into a consolidated list of details (already obscured), becoming the source for our little email campaign. As security researchers, we know that some recipients will totally misunderstand our intentions and “shoot the messenger”. That reaction happened in the past, too often.

We will keep you posted…

Below is the final text which we sent out the afternoon on DEC 10th, 2019.

Sent to: email address

Personal Health Information Data Leak – Responsible Disclosure

Attention to

__________

__________

 

With this email, we want to inform you about an identified data leak likely affecting your organization. A server storing medical information of patients affiliated with your organization, a PACS server (Picture Archiving and Communication System), is connected to the public Internet without any protection. We believe this server is affiliated with your organization, and is configured in a way that allows free access to Personal Health Information of patients being treated in your facilities. We work for a team of computer security researchers, and are bringing this matter to your attention through the principles of RESPONSIBLE DISCLOSURE so you may address the exposure and protect your organization and patients.

To substantiate the fact, please see the obscured details of one single data set of a patient below.

Exam date & hour: __________ (exact timing shortened, but available on the system)

Patient name: __________ (obscured for privacy concerns and clear text transmission)

Patient DoB: __________ (shortened to year, if in the system)

Patient ID: __________ (as it appears on the system)

Exam ID: __________ (if and as it appears on the system)

Physician’s name: __________ (obscured, if and as it appears on the system)

Organization’s name: __________ (as identified during our research)

The network address of this system is the following IP address (and tcp-port): __________

In September 2019, we have informed Government authorities across the globe about the systems we identified. You receive this email as part of our efforts to alert more than one hundred organizations in the US affected by that type of data leak. We would like to suggest to you to take the necessary measures to secure the named PACS system. Potential measures can be, among others:

  • Implement access control to the system
  • Verify unnecessary port forwards
  • Deploy VPN access

Please consult with your information security staff, your IT service provider and/or the relevant Government authorities in the US about the range and scope of measures possible in your specific setup.

Please note also:

  • We recently conducted and published a research about this type of data leak, which lead to this disclosure. More information can be found here [1] and here [2].
  • Our research paper describes ways how to verify this data leak for yourself [3].
  • This email is written in plain text and contains no attachments.
  • Should you require further information, please feel free to contact us. Within limits imposed by the situation, we will try to help. There is no demand for compensation related to this.
  • This is a responsible disclosure; again, there is no demand of compensation for it or any intent to publish the data or details of your organization.
  • This is not a cyber-attack, it is about systems connected to the public Internet without any protection at all, allowing uncontrolled access to personal health data.

With best regards

Greenbone Networks GmbH
Dirk Schrader
(CISSP, CISM, ISO/IEC 27001 Practitioner)
Mobile: +49-172-4152461
Office: +49-541-760278-0
http://www.greenbone.net/
Greenbone Networks GmbH
Neumarkt 12
49074 Osnabrück, Germany
AG Osnabrück, HR B 202460
Managing Director: Dr. Jan-Oliver Wagner

 

[1] https://www.propublica.org/article/millions-of-americans-medical-images-and-data-are-available-on-the-internet

[2] https://www.warner.senate.gov/public/index.cfm/2019/9/warner-seeks-answers-in-light-of-negligent-cybersecurity-practices-by-health-care-company

[3] https://www.greenbone.net/wp-content/uploads/Confidential-patient-data-freely-accessible-on-the-internet_20190918.pdf

60 days later, the overall status of unprotected PACS system around the globe isn’t getting better. The situation is the US seems to be an unstoppable information security and data privacy desaster.

1.19 billion images

That is the number of images associated with all the unprotected medical studies we found in our review of the global status of medical archives connected to the internet, a 60% increase (up from 737 million). There are more details in our updated report about how the global status of medical picture archives has developed since or first research 60 days ago, but that number of images related to now more than 35 million studies (plus 40%, up from 24.5 million) of patients across the globe is – simply put – frightening.

Is it ignorance or negligence?

“Check again” is one of the mantras of cybersecurity and specifically for vulnerability management. You do ‘check again’ to see how your cyber security status evolves, whether the measures and tools you’ve implemented work and actually provide the benefit you’ve wanted them to. Its this reasoning, why we decided to do a review quite soon after the first report and to do so 60 days later as mandated in the US (being largely affected by this specific data leak). But to find even more studies, with more images related to them, isn’t what we expected to see. The question about ignorance and/or negligence can only be answered this way. From our point of view, it is both in an unhealthy combination. For most of the systems we scrutinized, we had – and still have – continued access to the personal health information.

There is sort of hope as a few countries managed to get the identified systems off the public Internet. But that hope is diminished by the overall numbers of accessible studies and images and additional, and new countries added to the list.

“Good, bad, and ugly”

Speaking about hope, we do see that the total number of systems has decreased by 43. But that is only a fraction of the total number (<10%). When going into the details, there are three groups of countries within our data.

  • The “Good”
    Countries which have (a.m. above) managed to get the systems off the public Internet. The situation has changed to ‘good’.
  • The “Bad”
    Countries, where we still see many systems, unchanged situations or only a slight decrease in the numbers. The situation is still ‘bad’.
  • The “Ugly”
    That group consist of a few countries, where the numbers went up and the situation hasn’t improved at all. It became ‘ugly’.

New datapoints

For the ‘ugly’ group of countries, we added new data points. One set is about the location of each archiving system, which we summarized by state or province for each country. Another set is the number of medical institutions and physicians referenced in the base data. Both data points are difficult to handle, as they are only approximating and might lead to incorrect interpretation, so we advise to take them with a bit of salt. For example, the location of a system doesn’t mean that all PII stored in it is from citizens living close to that location (that is why we don’t name cities, just states). As with our initial report, we have analyzed the data in run-time and nothing has been stored on our systems. Only the summaries, counts, and indicators for location were noted and stored.

Extra focus: USA

The United States of America is the country which is affected most by this kind of data leak, so it is only natural to put some extra focus on the situation there. Not only did the aggregated numbers rise to a disturbing level, we also found some alarming data sets stored in unprotected PACS systems located in the US.

One very large archive allows full access to PHI including all images related to the 1.2 million examinations, in addition – for about 75% of the individual names stored – it also discloses the social security numbers. The potential risk for medical identity theft for the affected individuals sums up to about $ 3.3 billion. That amount is almost two third of the overall financial risk calculated for this type of exploitation and the PACS identified.

Another archive appears to hold data from military personnel including their DoD ID, when the names of the institutions are used as an indicator. Although the number of data sets isn’t huge, the fact itself provides for means of exploitation (some of the described in the initial report).

The following graphic highlights the situation in the US, per state affected.

(click here for a hires version, usage is allowed given that the copyright is properly displayed).

The overall situation with PACS systems in the US confirms our findings about the key capabilities driving high cyber resiliency for that region which will be another Greenbone report about to be published.

Recommended actions

In the report, we also list some recommended actions for each ‘stakeholder’. The actions revolve around simple steps towards an increased likelihood to discover devices connected to the public Internet unnecessarily, plus – for individuals – how to make sure that your medical service providers, your physician really understand that they have to take the security and privacy of your data seriously.

The report

Greenbone’s updated report can be downloaded here [1].

Our white paper [2] is there for a deeper introduction into the digital resilience of critical infrastructures, which include the health sector.

As stated before, due to the sensitivity of the data, in order to comply with data protection regulations in each country, and as a way not to encourage attacks, we are only disclosing the details of the individual vulnerable systems to authorized bodies.

Outlook

The mentioned study about those capabilities which lead to high cyber resiliency will be published soon. The report covers the largest economies of the world and spreads across 6 sectors considered as critical national infrastructures, namely

  • Health
  • Finance
  • Transport
  • Energy
  • Water
  • IT&Telecommunications

More to come in our blog.

Note:
We have not downloaded datasets, archives or any other available information, even though this would have been possible at any time. Instead, our report focuses on the number of records that are visible on, or could have been downloaded from, vulnerable servers.

[1] Greenbone Security Report – Unprotected Patient Data, a review

[2] Greenbone Whitepaper – Health Sector

15th October, 2019 Greenbone, a leading provider of vulnerability management solutions, has today extended its security feed capabilities in order to detect unprotected Picture Archiving and Communication Systems (PACS) in use by medical professionals to store and share scans, x-rays and other medical images. In September 2019, Greenbone revealed that approximately 700 million images – relating to more than 24 million patient records – were exposed on the internet due to poorly secured PACS servers.

Sensitive patient data requires complete protection yet Greenbone’s research identified some 2,300 medical image archiving systems visible on the public internet. A significant proportion of these servers allowed unsecured access to image files containing sensitive data such as patient names, birth and examination dates, as well as the reason for the examination.

The new Greenbone vulnerability tests are designed to help hospitals, radiology clinics and other healthcare facilities avoid data leaks in the future. Included in the security feed of Greenbone’s vulnerability management solution, these tests enable healthcare customers to identify unprotected PACS servers within their image archives. They will also receive notifications about whether an encrypted connection is used, if patient data is retrievable, and whether any authentication is configured. Customers can also check the Application Entity Titles (AET) of these systems. These titles control access to certain image databases but often follow standardised formats, making them susceptible to brute force attacks.

Crucially, the tests check whether it is possible for the public to access these PACS servers, together with the data and images they contain. If the test is positive, administrators can take immediate action to close any gaps in security.

Dirk Schrader, cyber resilience architect at Greenbone, commented: ‘Several security researchers have criticised PACS servers for being readable and vulnerable to attack, but what shocked us was the true extent of the problem. Our analysis uncovered unsecured PACS systems in use all over the world; a situation that simply cannot be allowed to continue. By extending the capabilities of the Greenbone Security Feed to test for unprotected PACS, we hope to make it much easier for health providers to protect confidential patient data and images, both now and well into the future.’

These new tests are available to customers using Greenbone Security Manager (GSM), Greenbone Community Edition (GCE) or Greenbone Vulnerability Management (GVM). Users of the Greenbone Community Feed can find further information on the community page or can contact Greenbone support for general information on how to fix vulnerabilities and the Vulnerability Tests (VT) provided as part of the Security Feed.

Medical systems and processes in the healthcare sector are becoming increasingly digital. Medical providers and hospitals – like all other industries – are using internet technologies to speed up and improve the quality of the patient care they provide. Our new analysis of medical image archiving systems being used across the globe shows that this can go wrong.

The starting position

X-rays and other imaging methods such as CT and MRI scans are an integral part of everyday hospital life. These images help doctors and other professionals make accurate diagnoses, work out treatment plans as well as assess how effectively these treatments are working.

Hospitals use extensive image archiving systems known as PACS (Picture Archiving and Communication Systems) servers, to store and access these images. It has been known for some time that PACS servers are vulnerable. What was unknown until today is how large and widespread this global data leak actually is.

Put simply, this data leak affects a standard that was developed in the 1980s. This standard, called DICOM (Digital Imaging and Communications in Medicine), dictates how medical imaging devices are networked in order to exchange and archive information about patients and images. PACS servers use this standard, which includes the IP protocol. This means that these systems can also be found on the internet.

Our analysis looked at the IP addresses of PACS servers to see which were vulnerable, as well as assess how much confidential patient data is readily available on the internet today.

The weaknesses

As soon as a system or device is connected to the public internet, questions arise about how to protect them from unauthorized access. One key question is ‘who is authorized to use the system and how is this access enforced?’ As PACS servers store highly confidential data pertaining to the medical records of individuals, access should be heavily restricted so that only certain personnel can view it. However, for many of the archiving systems included in this study, nothing could be further for the truth. Anyone can access a significant number of these systems and, what’s more, they can see everything that’s stored on them.

In particular, these vulnerable archives contain sensitive medical and personal information for millions of people worldwide. Names, dates of birth, dates and details of examinations, , treating physicians, clinics, and the scans themselves are searchable and, in some cases, available to download. In the US, these data sets also include some Social Security Numbers.

This data is accessible because of the careless configuration of these systems. Many have no protection, aren’t password protected or encrypted; indeed, even regular, everyday internet users could gain access with a few simple actions.

Greenbone did not have to write any special code to see what patient data was accessible, nor did any software vulnerability have to be exploited, or a zero-day attack carried out. As such, you don’t need to be a hacker to gain access to this highly sensitive data, it’s all visible with the help of freely available tools. To view and – if desired – download this data, you only need a list of IPs and a corresponding viewer. Both are available for download on the net.

The extent of the problem

The number of accessible patient records is frightening. Altogether, we unearthed more than 24 million records which, combined linked to more than 700 million images. Of these scans, 400 million were actually downloadable. These unprotected systems are located in 52 countries around the world. In addition to the general “openness” of the systems, they also have thousands of “real” vulnerabilities, i.e. outdated web server versions and vulnerable database instances. In some cases, the PACS servers even allow patient data and images to be viewed via http and a web browser.

The report

Greenbone has written a complete report which can be downloaded here [2]. The report contains further summaries of the overall situation, an analysis of the hazard potential associated with this data leak, and an estimate of the potential price of this dataset on the Darknet. The white paper [3] is suitable for a deeper introduction into the digital resilience of critical infrastructures, which include the health sector.

Due to the sensitivity of the data, in order to comply with data protection regulations in each country, and as a way not to encourage attacks, we are only disclosing the details of the individual vulnerable systems to authorized bodies.

Note:
We have not downloaded datasets, archives or any other available information, even though this would have been possible at any time. Instead, our report focuses on the number of records that are visible on, or could have been downloaded from, vulnerable servers.

[1] McAfee.com and CT-GAN: Malicious Tampering of 3D Medical Imagery using Deep Learning

[2] Greenbone Security Report – Confidential patient data freely accessible on the internet

[3] Greenbone Whitepaper – Health Sector

Are cyber weapons worth it? A look at the economics of hacking back

On 12 May 2017, WannaCry was released into the wild and an epic story began to unfold.

Spawned from a cyber weapon that had been lost by a government agency, WannaCry was a major wake up call for industries around the globe, reminding them in the very loudest way possible that their dependency on tech carries existential risks to their operations.

Yet despite the fallout of WannaCry, governments still contemplate the idea of collecting, storing and using cyber weapons for so-called ‘hack backs’, where they counter-attack an adversary to destroy, disable or snoop on their servers and data.

This grey market for vulnerabilities and cyber weapons is already a highly lucrative one. To provide some context, potent vulnerabilities and their related exploits already reach (and can even exceed) sums of $1m if they target Windows desktops and servers. The figure can double for exploits affecting mobile devices (notably, Apple). 

If governments follow through with their plans to ‘hack back’, we can expect this market to become even more profitable in the future.

The story of EternalBlue

Eternal Blue, was name given to a Microsoft vulnerability ‘discovered’ by the National Security Agency at some point in 2011 or 2012. The NSA didn’t share its knowledge of the vulnerability with Microsoft, at least not until it was forced to.

By mid-2016, information about the vulnerability and how it can be exploited had somehow been lost by the NSA, and leaked to a hacking group called Shadow Brokers. Shadow Brokers tried (unsuccessfully) to sell this information in August 2016, deciding to publish the files around the turn of the year.

With the cat out of the bag, the NSA’s hand was forced. It had little choice but to come clean about the vulnerability. It informed Microsoft about EternalBlue in March 2017 and, mid-way through the same month, Microsoft released a series of patches to plug the exploit.

Fast forward to almost two months later; WannaCry was wreaking havoc on many organisations all across the globe, exploiting this very same vulnerability. News channels, TV and radio stations, online media, all covered the immediate impact and fallout. Some were even impacted themselves.

It’s been reported that WannaCry and other malware variants exploiting EternalBlue – NotPetya being perhaps the next most famous – caused $9bn worth of damage in just one year. The world’s largest shipping company, Maersk, was hit to the tune of $300m, while costs to the UK National Health Services (NHS) exceeded $100m.

There were many other victims too. Airplane maker, Boeing, was hit in March 2018, while chip manufacturer TSMC fell victim in August 2018. Indeed, TSMC estimated it suffered $170m worth of damage; a figure that can be added to the $9bn total price tag mentioned earlier.

The story of EternalBlue isn’t over yet. Research indicates that millions of computers connected to the internet are still vulnerable.

The economics of the cyber weapons market

There’s no doubt that spending time and money on finding vulnerabilities is financially rewarding. Take the CryptoWall virus – in all its various guises – as an example. CryptoWall v3 alone has generated ‘revenues’ of more than $325m.

The business model and margins in the retail and wholesale of cyber weapons, not to mention the revenue opportunities from offering ‘Cybercrime-as-a-Service’, don’t just make economic sense; they are relatively risk free. Different countries’ cyber legislation is so diverse that a cybercriminal can operate from a safe harbour without fear of prosecution or extradition.

As already stated, vulnerabilities that fulfill certain criteria are particularly sought after and large sums are paid for them. The easier it is to use and the more systems and devices it will affect, the better. In turn, the higher the price it will command.

Selling a high-profile vulnerability to a single user seems to be the least profitable way of running this ‘business’. Instead, the seller will more likely try to sell a vulnerability more than once. On the flipside, any buyer – regardless of their motivation for making the purchase – will want exclusive use of the vulnerability. Requests for exclusivity will increase the price tag placed on any vulnerability. There are no documented cases for this, but an educated guess would suggest the price would go up by a factor of ten, or even more.

If a vulnerability is sold to multiple customers or governments (it doesn’t matter whether they are allies as this can quickly change in politics), the likelihood of losing the vulnerability due to leaks or because it is discovered in the wild is large. That will put deflationary pressure on the price tag and the seller has to maintain a balance between how often a vulnerability is sold and the money requested for it from each buyer.

A game-changing approach is to build up a service model around vulnerabilities. Instead of selling the vulnerability, the cybercriminal licenses its use, simply by providing a platform for ransomware or botnets. This shared use of a vulnerability by many, with all buyers paying a ‘fair’ share (up to 50%) of their own returns to the platform provider, is the modern way of running a cybercrime business. The actors behind this can afford to pay the developers maintaining the platform (even adopting an ‘Amazon’-style approach with recommendations written by happy users) and can also pay for hackers to search for new vulnerabilities, thereby increasing the platform’s coverage and usability.

There are many examples of these ‘as-a-service’ platforms, called CERBER, SATAN, or DOT. It is difficult to gauge their success. But the figures discussed around CryptoWall give some indication of the amount of money that is on the table.

State-sanctioned, state-sponsored, or state-owned

The relationship between these actors and nation states must be put under the microscope.

It makes no difference whether these actors are owned and directed by a government, whether they are funded by a government but act outside the legal controls of an agency setup, or whether they are state-sanctioned. Whatever the nature of the relationship, they have some sort of motivation to support a certain government’s political goals.

Every state-driven actor must maintain its own list of cyber weapons to use as and when needed. There is an intrinsic danger to this, as EternalBlue depicts. Even if that actor is able to maintain the secrecy of such an exploit (and history suggests secrets tend to surface), there will always be other state actors doing exactly the same thing, looking for the same high-profile vulnerabilities to use.

Governments must question whether the likely costs of their societies being impacted by a vulnerability, which once was or still is a national secret, outweigh the benefits of keeping it. There are many government committees around the world discussing the pros and cons of hacking back and keeping vulnerabilities undisclosed. Those in favour cite ‘interests of national security,’ yet what happens if an undisclosed vulnerability – that was previous known to the state – turns against its own critical infrastructure? This is exactly what happened with EternalBlue and WannaCry, but perhaps those lessons have still to be learnt.

Is it worth keeping cyber weapons? A look at the maths

Estimating the global damage of cybercrime each year is not easy, but figures exist. One figure cited is in the range of $6tn, a figure with 12 zeros. Given that cybercrime hits corporate revenues and profits, it follows that this will have a knock-on effect on the amount of corporation tax governments can collect – currently $1.3tn globally.

The maths can be simplified like this:

$6tn in damage multiplied by an average corporate income tax rate of 22 percent, equals $1.32tn in taxes not realized due to reduced income related to damages or costs incurred.

Interestingly the total budget of the five largest western economies is $12.3tn, while their combined budget deficit is $1.23tn.

Is it worth keeping cyber weapons? Given these numbers, the answer must be no.

Companies from the IT and telecommunications sector, which are operating critical infrastructures, are top targets for hackers. They therefore need to be as secure as possible. This is where sustainable cyber resilience comes in.

Sustainable cyber resilience is a vital defence against cyberattacks. But what exactly does that mean?

It’s become clear that companies can no longer afford to take reactive measures to protect themselves from hackers. They must minimise their attack surface from the outset and, at the same time, ensure that their systems remain operational even in the event of a cyberattack. The sustainable cyber resilience concept goes one step further than IT security and includes both technological and strategic measures. On the technical side, it is necessary to identify and assess risks and close weak points. On the strategic side, business and IT departments must work closely together to make the resilience processes a top priority.

Here are Greenbone Networks’ top five reasons why sustainable cyber resilience is essential for telecoms providers today:

1. Cyberattacks on telecoms companies are on the rise
Ponemon Institute estimates that nine out of ten critical infrastructures have suffered an attack over the past two years. The telecoms sector is particularly at risk, with attacks coming from all sides, including government agencies establishing covert surveillance and cyber criminals in search of highly valuable personal customer data. Indeed, especially with the introduction of 5G and suspicions (rightly or wrongly) surrounding the use of Huawei equipment, UK telecoms providers have been urged to strengthen their cyber security defences by the NCSC to fend off the growing number of attacks.

2. Telecommunications connect all critical infrastructure sectors
If the telecoms infrastructure fails, other critical sectors will also be affected. Many control systems in energy and water utilities can’t function if they can’t transmit or exchange data. The financial system would come to a standstill; so too would the healthcare system. A telecoms sector that is resistant to cyberattacks is absolutely vital to every walk of society.

3. The target area of telecoms infrastructures is becoming larger
As a result of digitisation, more and more telecoms services have shifted to IP networks. The classic fixed network has become obsolete. Telephony, internet, TV and video streaming are now all IP-based. As a result, communication networks and server systems are becoming increasingly unified. But this also means that hackers can cause massive damage by attacking the IP network. Furthermore, mobile is becoming increasingly important. Many IoT devices use mobile networks and, as a result, cybercriminals have more and more points of attack. The new 5G mobile communications standard will bring even more technical complexity and, with it, the need for new IT security requirements.

4. Nested responsibilities make security more difficult
Many different companies and subcontractors are often involved in telecoms infrastructures. Some of them are located in different countries. Whilst this makes it difficult to provide security it also means that it is all the more important to establish a uniform, consistent level of protection with a resilience concept.

5. The EU NIS Directive makes resilience building blocks mandatory
Since May 2018, critical infrastructure companies in the telecoms sector have been obliged to provide evidence of suitable technical and organisational measures to protect against cybercrime. This is prescribed by the EU NIS Directive. ISO 27001 certification provides a good blueprint for resilience. Among other items, it mandates vulnerability management, an important cornerstone of sustainable cyber resilience.

Minimising risks with sustainable resilience
It’s not for nothing that attacks on telecoms infrastructures are so popular with hackers. Here they find a growing, complex attack surface on which they can cause great damage. ICT companies should therefore do everything they can to make their systems sustainably resilient. For a comprehensive concept of Sustainable Cyber Resilience, ICT companies must take the appropriate technical and organisational measures.

This includes vulnerability management.

As feared by many security experts, Emotet has learned something new – again. As reported by CERT-Bund on Twitter, the malware is now capable of creating authentic replies to existing emails, encouraging unsuspecting recipients to open infected attachments or click on fake links.

The German Federal Office for Information Security (BSI) has, in the past, issued several warnings about the Emotet malware, which spreads by sending credible-looking spam emails from an infected account to address book contacts. Once it has infected a system, the malware can generate further malicious code, with possible dire consequences for companies. It could cause a halt in production or a complete infrastructure failure, and may even require company networks to be rebuilt entirely.

Hackers have now made the malware even more sophisticated. Indeed, CERT-Bund tweeted that Emotet no longer only uses the sender’s addresses, but can also produce fake replies to emails by making use of ‘read message’ content. It also embeds authentic links to the domain of the supposed sender. The malware makes use of “spear phishing” techniques in which information about the victim’s contacts and communication behaviour is collected in order to create as authentic an email response as possible with malicious code attached. Emotet has automated this process and is therefore able to send a huge amount of authentic emails in a short space of time, spreading malware at high speed.

Even though this malware is becoming more sophisticated, organisations still have an opportunity to act and protect themselves before it’s too late.

Companies can and should deploy counteractive measures

On a technical level, taking a closer look at the structure of malware reveals that there are fundamental ways to protect against an attack. The Emotet infection process uses a number of elements that a resilient infrastructure with a flexible and preventive security architecture can defend against. Having this resilience in place means that the infection is not transmitted immediately, for example, when the email recipient opens an attachment, but only when the associated macros in the attached file, such as a Word document, are executed. This means that with standard MS Office settings, a user must manually activate the malware in the attachment in order to transfer it to the network.

What’s more, most employees don’t even need macros for normal day-to-day business. It is therefore advisable to deactivate them completely by default, preventing manual execution by assigning the appropriate rights. A good vulnerability management tool can help here as they can help identify and manage which user accounts can allow the execution of macros. The same is true for PowerShell or administrator rights, as these are also required for Emotet to load.

Detect reloading of Emotet tools

Even if Emotet has already infected the IT system, there are still defence measures that can be put in place. For example, the malware reloads various tools to spy on access data or encrypted data. These standard tools can be used as indicators of compromise. A vulnerability management tool such as the Greenbone Security Manager can also be used to determine whether reloaded Emotet tools are active in the company’s own IT infrastructure.

Emotet is also distributed from the infected system via the so-called SMB vulnerability, which was made infamous in the WannaCry and Eternal Blue attacks. This vulnerability can be closed with the corresponding update but after the WannaCry outbreak (although many companies made their networks inaccessible to SMB communication from the outside), not all secured their internal communications. Here an examination to pinpoint corresponding weak points is the best way to find any gaps in the system.

Conclusion: Small security measures have a big impact

Large-scale computer failures caused by the Emotet malware can have catastrophic consequences, especially for critical infrastructures such as hospitals as they not only cause economic damage, but also pose a threat to people. Organisations should therefore act before it’s too late and protect their IT infrastructures in the best possible way. To become resistant to phishing attacks from advanced malware such as the new Emotet type, a few coordinated measures, such as deactivating unnecessary macros and closing known vulnerabilities as quickly as possible, are often enough.

New OS versions to be released on April 30th and October 31st every year

In 2019, we will be switching to a new release scheme for updated versions of the Greenbone OS – the Greenbone Security Manager (GSM) operating system – with fixed release dates every year, giving our customers, partners, and the Greenbone development team more planning certainty.

The new fixed dates will be April 30th and October 31st each year. However, during 2019, as we transition to this new scheme, we will introduce GOS 5.0 in two staged releases, with ENTRY/SME scheduled for April 30th and MIDRANGE/ENTERPRISE/SENSOR set for June 30th. GOS 6.0 will then be released for all GSM devices in a single step in accordance with the new scheme. From 2020 onwards, the new time-based release system will apply in full.

The scheme is based on hard deadlines for new features, new GSM types and new hardware. If a feature does not make it to a release date, it will be included in the subsequent release.


OS updates tested over one-month phase in the Greenbone community

In addition, our Greenbone Vulnerability Management (GVM) system will undergo a one-month test phase in conjunction with each GOS release. Before the April 30th and October 31st release dates, the Source Edition will be made available on the GVM system within the Greenbone community. As a result, any bugs can be found and eliminated before our customers and partners put the new GOS into operation.

Another advantage of having two new major OS versions per year is that our customers can benefit from our latest innovations much more quickly. Users will be able to jump to new GOS versions faster, either every six months on the official release dates (our innovation cycle), or every 12 months during a three-month migration phase (May/June/July or November/December/January) when they can skip a GOS generation (a more conservative cycle).

Serious vulnerability discovered in D-Link routers

UPDATE: patch available for users on D-Link support pages

In November 2018, Greenbone discovered a serious security vulnerability in D-Link routers and drew the company’s attention to it. The vulnerability is easy for hackers to exploit and allows unauthorised access to networks. There is now a patch available from the vendor. Greenbone has been offering its customers a vulnerability test (NVT) as part of its daily security feed since the end of last year.

Routers are pivotal to both home and business networks. They establish an Internet connection for connected laptops and PCs, and also for smart home and industrial applications. But even though so many components of a network converge here, router security is not always adequate. For example, last year, researchers at the American Consumer Institute found known vulnerabilities in 83 percent of the routers it examined as part of the study. Hackers can use these vulnerabilities to gain access to the device itself and therefore to the entire network. In total, the researchers counted more than 30,000 separate vulnerabilities – 7 percent of which represented a critical risk, while 21 percent were high risk.

Design errors make the DWR and DAP models vulnerable to attack

In addition to the already known vulnerabilities in routers, new ones are being found on a near constant basis. In November 2018, Greenbone security researchers found a serious vulnerability in various D-Link routers, particularly the DWR and DAP models. Described as an “Unauthenticated Remote Code Execution”, the vulnerability is a security hole where an attacker can execute commands on the router without any authentication. In the case of the D-Link routers, a hacker can even obtain full administrative rights. It is very likely that the NIST (National Institute of Standards and Technology) will award the highest possible CVSS rating (Common Vulnerability Scoring System) of 10.0.

The cause is probably a design flaw. In the devices we tested, we found an executable file called “EXCU_SHELL” that can be selected from the web browser using a so-called GET request. This is responsible for some useful (yet harmless) operations, such as displaying information about the installed firmware. But if you adjust some of the file’s parameters, it is possible to insert and execute arbitrary commands.

Access to routers without authentication possible

D-Link is one of the top vendors in the global wireless router market and was the market leader in 2017, with a market share of 24.1 percent.

But it’s not just the potential number of customers that could be impacted that make this vulnerability significant.  According to the CVSS basic score calculator, the severity of the vulnerability is high and relatively easy to exploit. The “EXCU_SHELL” file is not password-protected and hackers can therefore access the router and the associated network without authentication. Once infiltrated, all incoming and outgoing Internet traffic can be viewed, modified and controlled. It may even be possible for hackers to spread malware.

With smart home and IoT technologies, such vulnerabilities cause considerable damage. Hackers can open the door to critical infrastructures, such as health care facilities or energy suppliers.

D-Link publishes security update on March 19, 2019

Greenbone reported the vulnerability to D-Link last November. The manufacturer was responsive throughout the process and asked us to take over the CVE application. The D-Link website now provides information for customers and a patch has been made available.

After more than 90 days that have passed since the vulnerability was discovered – the deadline expired on February 11, 2019 – we were acting in accordance with Responsible Disclosure and published all available information to protect users. For Greenbone customers, the gap has been visible via the daily security feed since November 2018.

Manufacturers must act

Given the sheer number of security vulnerabilities on routers, closing the D-Link gap is certainly just a drop in the ocean. While the number of vulnerabilities is intimidating, placing your head in the sand is not an option. Focus must be placed on persuading (or, in some cases, forcing) as many manufacturers as possible to secure their routers.