As the world of technology grows ever more complex and cybercriminals become more aggressive and exploitative in their tactics, those in positions of responsibility can no longer rely on the traditional IT security protection wall around their corporate networks to ward off cyber threats. Sooner or later an attacker will find a way in and from there it is a matter of containing the damage as much as possible and maintaining core business processes in order to continue providing customers with products and services. These practices are not sustainable and for us at Greenbone, the future of IT security is cyber resilience.

Cyber resilience is on everyone’s lips – the media, businesses, manufacturers and even governments are talking about this successor to classic IT security with increasing intensity. But what exactly is cyber resilience? How can it be implemented? What distinguishes organisations that are already resistant to cyberattacks? We at Greenbone got to the bottom of these questions with a large-scale global study alongside Frost & Sullivan. The results are now available in a report which you can read here. Below we look at the key objectives and findings of the study:

Cyber Resilience

Core mission of the study: identify resilience characteristics

We have been working intensively in the field of cyber resilience for several years, but what makes it so important? What challenges do organisations in different industries face? Which best practices should they follow? We looked for the answers to these questions as part of the study with Frost & Sullivan. Indeed, one of our main objectives was to identify particularly resilient organisations and analyse what distinguishes them from less resilient ones. In this way, we hope to offer companies concrete recommendations that they can act on in order to make their operations more resilient. We’ll also use what we’ve learned to further develop our proven vulnerability management technology, which we have recently started offering as a managed service.

Discovery of major data leak in the healthcare sector changed focus of the research

The report pays special attention to those organisations that form part of the Critical National Infrastructure (CNI), from water and energy to finance and healthcare. In the event of a cyberattack, CNI organisations have to take into consideration not only economic losses and reputational damage, but they also have to look at how it will impact wider society and, in extreme cases, if human lives are at risk. For example, if medical equipment is compromised or the power supply to a hospital fails, the knock-on effects could be disastrous. We therefore wanted to enhance the study with real-life examples from the CNI sectors.

As we were searching for examples, we uncovered something much larger than we could have imagined: a huge data leak in the healthcare sector, in which millions of patient records and associated medical images were freely accessible via a weakness in PACS (Picture Archiving and Communication Systems) servers. No programming or coding knowledge was necessary to access these records, which included complete medical histories with personal data such as the patient’s name, date of birth and attending physician, all fully visible.

This discovery was so significant that we couldn’t possibly ignore it. We quickly shifted our focus to help restrict free access to this patient data as quickly as possible, working alongside authorities and IT security specialists around the globe. In cooperation with Bayerischer Rundfunk in Germany and the US investigative platform ProPublica, we helped explain the true extent of the problem. So far we have been very successful in removing access to this patient data, yet some 400 PACS systems are still connected to the Internet, making the patient data stored on them accessible to everyone. For this reason, we continue to maintain close contact with the relevant authorities. Our report on the patient data leak can be downloaded here.

A few key findings

In addition to our work in the healthcare sector, we also reviewed organisations from the energy, finance, telecommunications, transport and water sectors in the report. In total, we surveyed 370 organisations with an average of 13,500 employees from the five largest economies in the world: the United States, the United Kingdom, France, Japan and Germany. From this wide-ranging perspective, we were able to obtain answers to our core questions as well as some other interesting findings:

US companies are at the forefront of cyber resilience:

On average, only 36% of the organisations surveyed were highly cyber resilient. The USA scored highest with 50%, European companies came in around the average, and Japanese organisations were at the lowest end of the scale with only 22%.

Transport sector least resistant to cyberattacks:

Across all the countries surveyed, financial and telecoms organisations (46%) were best equipped against cyberattacks. They were followed by the water (36%), health (34%) and energy (32%) sectors, yet only 22% of transport organisations have achieved a high level of cyber resilience.

Understanding business processes is more important than budget considerations:

Whilst it’s true that the cyber resilient organisations we identified have on average a larger profit turnover and a higher IT budget, the detailed analysis in the study revealed that this is by no means decisive. What we discovered is that a fundamental understanding of the business processes and an awareness of business-critical digital resources play a far more crucial role in organisations being cyber resilient.

Eleven characteristics that distinguish cyber resilient organisations:

In our study we were able to identify three groups of characteristics that increase the cyber resilience of organisations by a factor of two, three and six. From this, we developed a “roadmap” with which organisations can increase their level of IT maturity and create a high level of cyber resilience.

You can download the Executive Summary and request the complete report, including the roadmap, here:

How to become cyber resilient

In a world of growing digital complexity, and as technology becomes more ingrained in our everyday lives, hackers and cybercriminals have sought to take advantage of the situation, aggressively going after new vulnerabilities and flaws that have arisen out of this widening sphere of technological adoption. The likes of Advanced Persistent Threats and ransomware attacks have grown in sophistication and frequency, as has the damage they have caused to organisations and individuals alike.

As a result of these new attack vectors, and as organisations grow to rely on technology to keep varied operations running, IT and business leaders have sought to find a new way to protect themselves. This is where cyber resilience plays a crucial part.

I recently ‘sat down’ with The Times/Raconteur to discuss the current state of business risk, the rise of cyber resilience and to look at what organisations can do to become truly resilient. Below is a brief overview of what was discussed and the link to the article is here:

A new type of cybersecurity

The term ‘cyber resilience’ is relatively new – for us, it means that organisations are still able to function and deliver their business services even when facing an adverse cyber incident. Many organisations seek to become cyber resilient yet many of them are falling behind. This is what we learned in our recent report, conducted alongside Frost & Sullivan, which found that only 36% of organisations across six key industries in the US, UK, Germany, France and Japan are considered to be highly cyber resilient.

The report also revealed that understanding what your key business assets are is more important than budgetary considerations. Whilst the cyber resilient organisations we identified certainly tended to have a higher IT budget, the study revealed that this is by no means the final word. In fact, we discovered that having a fundamental understanding and an awareness of business-critical assets plays a far more crucial role in organisations being cyber resilient.

Indeed, our core objective with this report was to identify resilient characteristics so that we can offer companies concrete recommendations about how they can go about becoming more cyber resilient. This in turn will help us develop our proven vulnerability management technology, which we have recently started offering as a managed service.

You can read the results in the full 52-page report here: Business Risk & Cyber Resilience

During the past year, we’ve made considerable progress at Greenbone. We have added virtual machines to our solutions portfolio and have entered into new distribution partnerships to help us target the North American market, amongst others. We have grown our team significantly and continue to recruit. Currently, we are preparing to launch our first cloud-based managed service platform giving companies the choice over whether to deploy our technology as a service, by virtual appliance or by physical appliance, depending on their needs and requirements. Our goal is to always stay one step ahead of attackers and make businesses of all sizes more resilient to cyber attacks through effective resilience and vulnerability management (RVM).

Sophisticated cyber attacks are commonplace, and it’s inevitable that organizations will be targeted by hackers. This means companies need to find a way to remain operational even in the event that they are attacked. Business disruption from cyber attacks is among the greatest risks facing companies today.

Effective RVM plays a crucial role in an organisation’s business continuity planning. To make companies more resilient, our technology enables them to identify, classify and eradicate threats to their infrastructures. We continuously scan the entire enterprise network for weak points and possible attack vectors. At the same time, we help organizations identify and visualize the various risks to their operations, allowing them to prioritize those that threaten their critical business processes and associated assets. Leveraging a high degree of automation and scanning as widely and deeply as possible, we help our customers establish a state of sustainable resilience.

Our customers recognize the benefits of RVM. However, opinions do differ on how the technology should be integrated into their own IT environments. And rightly so: after all, every company has its own competencies, preferences and compliance requirements. Our new cloud-based services, together with our more established physical and virtual appliances, will ensure our customers have a wider choice over how to deploy and manage their RVM solution.

We also continue to take our responsibility seriously and provide our technology as a transparent, open solution. Critical infrastructures, in particular, remain an important focus of our security research. Last year, our research into vulnerable imaging servers used by healthcare providers all over the world helped open the sector’s eyes to a considerable yet largely unknown privacy and security risk. Following this research, we helped hundreds of healthcare facilities bolster their defenses and protected the data of millions of patients. We intend to carry on along this path, making the digital world more secure for everyone.

Enormous demand for Vulnerability Management-as-a-service and as a virtual application

We are currently beta testing our new Greenbone Managed Service Platform, and have been for many weeks. From April, we will be able to offer our proven vulnerability management solution as a cloud service, which customers can use for a monthly fee. Smaller businesses, such as local medical practices, will be able to protect their networks quickly and easily, without in-house expertise. For global corporations, managed services are an interesting option as they make it easy to equip new locations with effective vulnerability management without any great expense. We have recruited an entire team of experts to develop and manage these cloud-based services for our customers. They are configuring these services with great care and diligence, and will, of course, pay particular attention to secure data exchange.

Our mid-range Greenbone Security Manager virtual appliances have been available since mid-2019 and have helped us increase revenues from our virtual solutions by almost ten times between 2018 and 2019. Although the greatest control over security data is still offered by physical appliances, confidence in virtualization solutions has grown significantly as they have advanced. As our CEO, Jan-Oliver Wagner, says: “This cross-architecture flexibility helps our customers meet their own requirements for a Resilience & Vulnerability Management solution in a targeted and efficient way.”

New distributors support international growth

Growing customer demand has validated our decision to offer a wider range of virtual appliances. To help meet this demand, we entered into a strategic partnership with the value-added distributor (VAD) ADN in 2019. This complements our long-standing cooperation with Exclusive Networks, a distributor specializing in physical systems. In the DACH region, we now have strong distribution partners for both our physical and virtual systems.

We are also expanding more and more into the English-speaking world. For example, we recently signed a deal with InfoSec Industries, based in Florida, which gives us increased access to the North American market in particular, but also support in Central and South America.

New colleagues and a bigger HQ

To meet higher demand, we’ve also increased our headcount. Indeed, in 2019, we welcomed 21 new colleagues to the Greenbone team. This additional expertise has helped us to develop the professional service we offer. With the appointment of Elmar Geese as Chief Operating Officer (COO), we have gained a capable leader with a strong entrepreneurial background who will help us evolve our strategy, process optimization and operational controls.

In order to accommodate our rapidly growing team, we have once again significantly expanded our Osnabrück headquarters.

Conclusion: Focus on customer cyber security and more customers

Cyber attacks can have extremely serious consequences. Our mission is to provide companies of all sizes – from local medical practices to international corporations – with effective vulnerability management that is straightforward to deploy and manage. The considerable international demand for our virtual machines and the already substantial interest in our new managed service platform shows that we are on the right track. We will continue to do everything in our power to stay one step ahead of future attacks.

It’s four months since Bayerischer Rundfunk and ProPublica ran reports on our research, which revealed that vast numbers of Picture Archiving & Communication Systems (PACS) – which are widely used by health providers to share and store medical scans – were leaking confidential patient data.

X-ray from the 19th century, source WikiCommons


Over the last few days we sent faxes (haven’t used fax in years) to more than 40 institutions, which should help to secure about 10 million studies and 460 million images from unprotected access.

We think that now’s the time for a new instalment and, while this blog post isn’t a new report, it does shine a spotlight on a few barely mentioned aspects of the data leak. It also highlights some extra noteworthy things that have happened since September 17th 2019.

A bit of history

It was Spring 2019 when we found the first example of a PACS system leaking data. We weren’t searching for one specifically, we were actually conducting some different research at the time. However, because we discovered it, our first step was to alert the affected organization about the problem (they acted quickly and removed the system). We didn’t think much more about it at the time, other than writing the words “PACS server” on a Post-It and pinning it on our notice board.

In August 2019, we decided to revisit the topic and initial work began by establishing a base data set of connected and accessible (aka unprotected) PACS systems. We soon realized the immense scale of the issue and it became obvious that we would need the help of authorities and media outlets around the globe to draw much-needed attention to the problem. Simply put, it wouldn’t have been possible to get so many systems off the public Internet without their help. (This process still remains very much a ‘work in progress’, as January’s story on TechCrunch highlights.)

I’m thankful for the work done by so many around the globe; from authorities in Germany, the United Kingdom, France, Switzerland, the United States, Malaysia, and many other countries. This extends to all the news outlets that highlighted the need to check and change PACS systems, as well as to the hospitals and clinics who took their responsibilities seriously, and asked for specific advice. We have also spoken with quite a few information security professionals, and they all deserve kudos too. THANK YOU!

Some untold chapters

While on the topic of history, one particularly interesting aspect of our research was the sheer volume of historic medical data that was freely available on the Internet, and how this could be used to generate medical profiles.

For example, we selected a few systems, each allowing access to data that goes way back in time. The youngest archive in the sample dated from December 11th 2007.

The following graph & timeline visualizes what we found on those selected systems.


(click here for a hi-res version; usage is allowed provided that the copyright is properly displayed).

By ‘history-building’ in this way we could see:

  • a person who had their first examination back in March 1987 and has since had 55 other radiology examinations, most recently in December 2019
  • another person who had more than 130 radiology examinations over a span of 22 years
  • the oldest data set, which dated back to January 3rd, 1980; an examination that took place in the evening

We also uncovered some further aspects that, although they don’t necessarily place patients at risk of medical identity fraud, are still important from a data privacy perspective, for example:

  • one PACS system contained the usual data such as the patient’s full name, DoB and examination details; however, the data originated from a range of prisons and correction centers dating back to 2007. You could easily work out if someone had served prison time, which could be a clear breach of their privacy
  • some archives contained so much historical data that it was possible to establish full family trees. One system, belonging to a local medical center, contained over 400 entries for the same family name over a span of 19 years. This type of information is ripe for social engineering.

It’s not just past data that’s at risk, it’s future information too. One system we found offered a very easy way to view future appointments, with each patient’s full name and DoB on display. And because this PACS server was used by a regional health provider, it could be relatively easy to find out the patient’s address, phone number, work place and other details, thanks to the amount of information that’s readily available to view on Facebook, Instagram, etc.


Some extra plot twists

As we are talking about the future, which includes the bright new world of Artificial Intelligence, it’s noteworthy that we were even contacted by vendors of medical AI solutions asking us for access to the data, presumably so they could use it to improve their algorithms. We obviously said no, not just because of EU privacy laws, but also to protect patient security and on ethical grounds. It might be better to leave that piece of the story as it is.

When we first published our research, a typical reaction from medical interest groups was: “No, no, that can’t be. Systems used by veterinarians maybe, or education/university systems. But our hospitals and doctors take good care of privacy.” We did indeed find 72 vulnerable PACS systems being used by vets, but we didn’t use them for our research. While there is a chance that these servers hold a good amount of personal data (e.g. billing information), the health of animals is a different story than the health of people. Diligence was also needed to distinguish between the abbreviations VET and PET, as the former can relate to both veterinarians and veterans, while the latter could be a technical term for a scan: PET-CT.

It will come as no surprise that we were also contacted by lawyers seeking class-action lawsuits. We did not – and will never – share details of our methodology or any detailed findings; that’s not our business.

While speaking about legal aspects, when we sent out the 140+ individual responsible disclosures to the affected health providers, we prepared ourselves to receive a bunch of ‘cease and desist’ letters. But we haven’t received any. Those organizations who received the disclosure and contacted us for more information all (re)acted with intent to remedy the problem and not to ‘shoot the messenger’. I’d like to thank Troy Hunt again for his work on how to handle responsible disclosures, it helped us a lot.

Randomly, we even received a message over Twitter, asking whether we found images of bone spurs. No, we didn’t, but then again, we didn’t search for any.

What’s next

We will keep an eye on the issue of unprotected PACS systems around the globe and will certainly help data protection and law enforcement authorities worldwide with their ongoing work to get the identified systems off grid. There are still more than 400 PACS systems unprotected out there, with more than 27 million studies affecting an estimate of 9 million persons.

For us, this exercise was an important example of how information security and data privacy isn’t always about highly sophisticated APTs, devious social engineering tricks, and BlackHats doing some code magic. It’s about being diligent with the basics. And basic is exactly how we kept it: no coding, no automation, no scripting. Anyone would have been able to do it.

We intend to keep this approach in mind as we conduct future research into the resilience of other critical national infrastructures.

Since we published our summarized findings about the data leaks related to unsecured PACS servers across the globe, one question remained when looking at the situation and the continued access we have to the majority of the systems we found and measured more than 3 months ago. What else can we do to get as […]

60 days later, the overall status of unprotected PACS systems around the globe isn’t getting better. The situation in the US seems to be an unstoppable information security and data privacy disaster.

1.19 billion images

That is the number of images associated with all the unprotected medical studies we found in our review of the global status of medical archives connected to the internet, a 60% increase (up from 737 million). There are more details in our updated report about how the global status of medical picture archives has developed since our first research 60 days ago, but that number of images, now related to more than 35 million studies (plus 40%, up from 24.5 million) of patients across the globe, is – simply put – frightening.

Is it ignorance or negligence?

“Check again” is one of the mantras of cybersecurity and specifically of vulnerability management. You ‘check again’ to see how your cyber security status evolves, and whether the measures and tools you’ve implemented work and actually provide the benefit you wanted from them. It is for this reason that we decided to do a review quite soon after the first report, and to do so 60 days later as mandated in the US (the country most affected by this specific data leak). But to find even more studies, with more images related to them, isn’t what we expected to see. The question of ignorance and/or negligence can only be answered one way. From our point of view, it is both, in an unhealthy combination. For most of the systems we scrutinized, we had – and still have – continued access to the personal health information.

There is some hope, as a few countries managed to get the identified systems off the public Internet. But that hope is diminished by the overall numbers of accessible studies and images, and by the additional, new countries added to the list.

“Good, bad, and ugly”

Speaking about hope, we do see that the total number of systems has decreased by 43. But that is only a fraction of the total number (<10%). When going into the details, there are three groups of countries within our data.

  • The “Good”
    Countries which have (as mentioned above) managed to get the systems off the public Internet. The situation has changed to ‘good’.
  • The “Bad”
    Countries where we still see many systems, unchanged situations or only a slight decrease in the numbers. The situation is still ‘bad’.
  • The “Ugly”
    This group consists of a few countries where the numbers went up and the situation hasn’t improved at all. It became ‘ugly’.

New datapoints

For the ‘ugly’ group of countries, we added new data points. One set is about the location of each archiving system, which we summarized by state or province for each country. Another set is the number of medical institutions and physicians referenced in the base data. Both data points are difficult to handle, as they are only approximations and might lead to incorrect interpretation, so we advise taking them with a pinch of salt. For example, the location of a system doesn’t mean that all PII stored in it belongs to citizens living close to that location (that is why we don’t name cities, just states). As with our initial report, we analyzed the data at run time and nothing was stored on our systems. Only the summaries, counts and indicators for location were noted and stored.

Extra focus: USA

The United States of America is the country which is affected most by this kind of data leak, so it is only natural to put some extra focus on the situation there. Not only did the aggregated numbers rise to a disturbing level, we also found some alarming data sets stored in unprotected PACS systems located in the US.

One very large archive allows full access to PHI including all images related to its 1.2 million examinations; in addition, for about 75% of the individual names stored, it also discloses the social security numbers. The potential risk of medical identity theft for the affected individuals sums up to about $3.3 billion. That amount is almost two thirds of the overall financial risk calculated for this type of exploitation across all the PACS identified.

Another archive appears to hold data from military personnel including their DoD ID, when the names of the institutions are used as an indicator. Although the number of data sets isn’t huge, the fact itself provides means of exploitation (some of which are described in the initial report).

The following graphic highlights the situation in the US, per state affected.

(click here for a hi-res version; usage is allowed provided that the copyright is properly displayed).

The overall situation with PACS systems in the US confirms our findings about the key capabilities driving high cyber resiliency in that region, which will be the subject of another Greenbone report about to be published.

Recommended actions

In the report, we also list some recommended actions for each ‘stakeholder’. The actions revolve around simple steps that increase the likelihood of discovering devices that are connected to the public Internet unnecessarily, plus – for individuals – how to make sure that your medical service providers and your physician really understand that they have to take the security and privacy of your data seriously.

The report

Greenbone’s updated report can be downloaded here [1].

Our white paper [2] is there for a deeper introduction into the digital resilience of critical infrastructures, which include the health sector.

As stated before, due to the sensitivity of the data, in order to comply with data protection regulations in each country, and as a way not to encourage attacks, we are only disclosing the details of the individual vulnerable systems to authorized bodies.


The mentioned study about those capabilities which lead to high cyber resiliency will be published soon. The report covers the largest economies of the world and spreads across 6 sectors considered as critical national infrastructures, namely

  • Health
  • Finance
  • Transport
  • Energy
  • Water
  • IT&Telecommunications

More to come in our blog.

We have not downloaded datasets, archives or any other available information, even though this would have been possible at any time. Instead, our report focuses on the number of records that are visible on, or could have been downloaded from, vulnerable servers.

[1] Greenbone Security Report – Unprotected Patient Data, a review

[2] Greenbone Whitepaper – Health Sector

Medical systems and processes in the healthcare sector are becoming increasingly digital. Medical providers and hospitals – like all other industries – are using internet technologies to speed up and improve the quality of the patient care they provide. Our new analysis of medical image archiving systems being used across the globe shows that this can go wrong.

The starting position

X-rays and other imaging methods such as CT and MRI scans are an integral part of everyday hospital life. These images help doctors and other professionals make accurate diagnoses, work out treatment plans as well as assess how effectively these treatments are working.

Hospitals use extensive image archiving systems known as PACS (Picture Archiving and Communication Systems) servers to store and access these images. It has been known for some time that PACS servers are vulnerable. What was unknown until today is how large and widespread this global data leak actually is.

Put simply, this data leak affects a standard that was developed in the 1980s. This standard, called DICOM (Digital Imaging and Communications in Medicine), dictates how medical imaging devices are networked in order to exchange and archive information about patients and images. PACS servers use this standard, whose network services run over TCP/IP. This means that these systems can also be found on the internet.

Our analysis looked at the IP addresses of PACS servers to see which were vulnerable, as well as assess how much confidential patient data is readily available on the internet today.

The weaknesses

As soon as a system or device is connected to the public internet, questions arise about how to protect it from unauthorized access. One key question is ‘who is authorized to use the system and how is this access enforced?’ As PACS servers store highly confidential data pertaining to the medical records of individuals, access should be heavily restricted so that only certain personnel can view it. However, for many of the archiving systems included in this study, nothing could be further from the truth. Anyone can access a significant number of these systems and, what’s more, they can see everything that’s stored on them.

In particular, these vulnerable archives contain sensitive medical and personal information for millions of people worldwide. Names, dates of birth, dates and details of examinations, treating physicians, clinics, and the scans themselves are searchable and, in some cases, available to download. In the US, these data sets also include some Social Security Numbers.

This data is accessible because of the careless configuration of these systems. Many have no protection at all: they are neither password protected nor encrypted; indeed, even regular, everyday internet users could gain access with a few simple actions.

Greenbone did not have to write any special code to see what patient data was accessible, nor did any software vulnerability have to be exploited, or a zero-day attack carried out. As such, you don’t need to be a hacker to gain access to this highly sensitive data, it’s all visible with the help of freely available tools. To view and – if desired – download this data, you only need a list of IPs and a corresponding viewer. Both are available for download on the net.
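To make concrete why an exposed archive leaks far more than pictures, here is an added example (not code from Greenbone or from its report) that parses a small DICOM object and pulls out the patient-identifying attributes that sit in the file header next to the pixel data, then redacts them in place with same-length placeholders so the object stays structurally valid. It assumes the explicit VR little endian transfer syntax and builds its own constructed sample object (the hospital, patient and physician values are made up); sequences, undefined-length elements and the full DICOM de-identification profile are out of scope.

```python
import struct

# Tags whose values identify a patient or the treating institution. This is a
# deliberately short, constructed subset; real de-identification covers far more.
PATIENT_IDENTIFYING_TAGS = {
    (0x0008, 0x0080): "InstitutionName",
    (0x0008, 0x0090): "ReferringPhysicianName",
    (0x0010, 0x0010): "PatientName",
    (0x0010, 0x0020): "PatientID",
    (0x0010, 0x0030): "PatientBirthDate",
}
# VRs that use the 4-byte length form in explicit VR encoding.
LONG_LENGTH_VRS = {b"OB", b"OW", b"OF", b"SQ", b"UT", b"UN"}
EXPLICIT_VR_LE = b"1.2.840.10008.1.2.1"


def encode_element(group, element, vr, value):
    """Encode one data element in explicit VR little endian; values are padded to even length."""
    if len(value) % 2:
        value += b"\x00" if vr == b"UI" else b" "
    if vr in LONG_LENGTH_VRS:
        header = struct.pack("<HH2sxxI", group, element, vr, len(value))
    else:
        header = struct.pack("<HH2sH", group, element, vr, len(value))
    return header + value


def build_sample_dicom():
    """Constructed DICOM Part 10 object: 128-byte preamble, 'DICM', a minimal file meta
    group, then a dataset with patient demographics and 16 bytes of dummy pixel data."""
    meta = (encode_element(0x0002, 0x0001, b"OB", b"\x00\x01")
            + encode_element(0x0002, 0x0010, b"UI", EXPLICIT_VR_LE))
    meta = encode_element(0x0002, 0x0000, b"UL", struct.pack("<I", len(meta))) + meta
    dataset = (encode_element(0x0008, 0x0080, b"LO", b"DEMO HOSPITAL")
               + encode_element(0x0008, 0x0090, b"PN", b"DOE^JANE")
               + encode_element(0x0010, 0x0010, b"PN", b"MUSTERMANN^ERIKA")
               + encode_element(0x0010, 0x0020, b"LO", b"PID-000001")
               + encode_element(0x0010, 0x0030, b"DA", b"19700101")
               + encode_element(0x7FE0, 0x0010, b"OB", b"\x00" * 16))
    return b"\x00" * 128 + b"DICM" + meta + dataset


def iter_elements(data):
    """Yield (tag, vr, value_offset, value) for each top-level element of an
    explicit VR little endian object."""
    if data[128:132] != b"DICM":
        raise ValueError("not a DICOM Part 10 file")
    pos = 132
    while pos + 8 <= len(data):
        group, element, vr = struct.unpack_from("<HH2s", data, pos)
        if vr in LONG_LENGTH_VRS:
            (length,) = struct.unpack_from("<I", data, pos + 8)
            value_pos = pos + 12
        else:
            (length,) = struct.unpack_from("<H", data, pos + 6)
            value_pos = pos + 8
        if length == 0xFFFFFFFF:
            raise ValueError("undefined-length elements are not supported by this demo parser")
        value = data[value_pos:value_pos + length]
        yield (group, element), vr, value_pos, value
        pos = value_pos + length


def extract_identity(data):
    """Return the patient-identifying text fields present in the object."""
    found = {}
    for tag, _vr, _pos, value in iter_elements(data):
        name = PATIENT_IDENTIFYING_TAGS.get(tag)
        if name:
            found[name] = value.decode("ascii").rstrip(" \x00")
    return found


def deidentify(data):
    """Overwrite identifying values with same-length placeholders, so element offsets
    and the pixel data are untouched and the object still parses."""
    out = bytearray(data)
    for tag, vr, pos, value in iter_elements(data):
        if tag in PATIENT_IDENTIFYING_TAGS:
            placeholder = b"19000101" if vr == b"DA" else b"ANONYMIZED"
            out[pos:pos + len(value)] = placeholder[:len(value)].ljust(len(value), b" ")
    return bytes(out)


if __name__ == "__main__":
    sample = build_sample_dicom()
    print("before:", extract_identity(sample))
    print("after: ", extract_identity(deidentify(sample)))
```

The point for a defender is twofold: every object on an open PACS carries the demographics shown here in its header, so an image leak is a patient-record leak; and redaction before any export is a header operation that leaves the clinical content intact, which is what makes de-identified research copies feasible without exposing the production archive.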

The extent of the problem

The number of accessible patient records is frightening. Altogether, we unearthed more than 24 million records which, combined, link to more than 700 million images. Of these scans, 400 million were actually downloadable. These unprotected systems are located in 52 countries around the world. In addition to the general “openness” of the systems, they also have thousands of “real” vulnerabilities, e.g. outdated web server versions and vulnerable database instances. In some cases, the PACS servers even allow patient data and images to be viewed via plain HTTP in a web browser.

The report

Greenbone has written a complete report which can be downloaded here [2]. The report contains further summaries of the overall situation, an analysis of the hazard potential associated with this data leak, and an estimate of the potential price of this dataset on the Darknet. The white paper [3] is suitable for a deeper introduction into the digital resilience of critical infrastructures, which include the health sector.

Due to the sensitivity of the data, in order to comply with data protection regulations in each country, and as a way not to encourage attacks, we are only disclosing the details of the individual vulnerable systems to authorized bodies.

We have not downloaded datasets, archives or any other available information, even though this would have been possible at any time. Instead, our report focuses on the number of records that are visible on, or could have been downloaded from, vulnerable servers.

[1] CT-GAN: Malicious Tampering of 3D Medical Imagery using Deep Learning

[2] Greenbone Security Report – Confidential patient data freely accessible on the internet

[3] Greenbone Whitepaper – Health Sector

Are cyber weapons worth it? A look at the economics of hacking back

On 12 May 2017, WannaCry was released into the wild and an epic story began to unfold.

Spawned from a cyber weapon that had been lost by a government agency, WannaCry was a major wake up call for industries around the globe, reminding them in the very loudest way possible that their dependency on tech carries existential risks to their operations.

Yet despite the fallout of WannaCry, governments still contemplate the idea of collecting, storing and using cyber weapons for so-called ‘hack backs’, where they counter-attack an adversary to destroy, disable or snoop on their servers and data.

This grey market for vulnerabilities and cyber weapons is already a highly lucrative one. To provide some context, potent vulnerabilities and their related exploits already reach (and can even exceed) sums of $1m if they target Windows desktops and servers. The figure can double for exploits affecting mobile devices (notably, Apple). 

If governments follow through with their plans to ‘hack back’, we can expect this market to become even more profitable in the future.

The story of EternalBlue

EternalBlue was the name given to a Microsoft vulnerability ‘discovered’ by the National Security Agency at some point in 2011 or 2012. The NSA didn’t share its knowledge of the vulnerability with Microsoft, at least not until it was forced to.

By mid-2016, information about the vulnerability and how it could be exploited had somehow been lost by the NSA and leaked to a hacking group called Shadow Brokers. Shadow Brokers tried (unsuccessfully) to sell this information in August 2016, then decided to publish the files around the turn of the year.

With the cat out of the bag, the NSA’s hand was forced. It had little choice but to come clean about the vulnerability. It informed Microsoft about EternalBlue in March 2017 and, mid-way through the same month, Microsoft released a series of patches to plug the exploit.

Fast forward to almost two months later; WannaCry was wreaking havoc on many organisations all across the globe, exploiting this very same vulnerability. News channels, TV and radio stations, online media, all covered the immediate impact and fallout. Some were even impacted themselves.

It’s been reported that WannaCry and other malware variants exploiting EternalBlue – NotPetya being perhaps the next most famous – caused $9bn worth of damage in just one year. The world’s largest shipping company, Maersk, was hit to the tune of $300m, while costs to the UK National Health Services (NHS) exceeded $100m.

There were many other victims too. Airplane maker, Boeing, was hit in March 2018, while chip manufacturer TSMC fell victim in August 2018. Indeed, TSMC estimated it suffered $170m worth of damage; a figure that can be added to the $9bn total price tag mentioned earlier.

The story of EternalBlue isn’t over yet. Research indicates that millions of computers connected to the internet are still vulnerable.

The economics of the cyber weapons market

There’s no doubt that spending time and money on finding vulnerabilities is financially rewarding. Take the CryptoWall virus – in all its various guises – as an example. CryptoWall v3 alone has generated ‘revenues’ of more than $325m.

The business model and margins in the retail and wholesale of cyber weapons, not to mention the revenue opportunities from offering ‘Cybercrime-as-a-Service’, don’t just make economic sense; they are relatively risk free. Different countries’ cyber legislation is so diverse that a cybercriminal can operate from a safe harbour without fear of prosecution or extradition.

As already stated, vulnerabilities that fulfill certain criteria are particularly sought after and large sums are paid for them. The easier it is to use and the more systems and devices it will affect, the better. In turn, the higher the price it will command.

Selling a high-profile vulnerability to a single user seems to be the least profitable way of running this ‘business’. Instead, the seller will more likely try to sell a vulnerability more than once. On the flipside, any buyer – regardless of their motivation for making the purchase – will want exclusive use of the vulnerability. Requests for exclusivity will increase the price tag placed on any vulnerability. There are no documented cases for this, but an educated guess would suggest the price would go up by a factor of ten, or even more.

If a vulnerability is sold to multiple customers or governments (it doesn’t matter whether they are allies as this can quickly change in politics), the likelihood of losing the vulnerability due to leaks or because it is discovered in the wild is large. That will put deflationary pressure on the price tag and the seller has to maintain a balance between how often a vulnerability is sold and the money requested for it from each buyer.

A game-changing approach is to build up a service model around vulnerabilities. Instead of selling the vulnerability, the cybercriminal licenses its use, simply by providing a platform for ransomware or botnets. This shared use of a vulnerability by many, with all buyers paying a ‘fair’ share (up to 50%) of their own returns to the platform provider, is the modern way of running a cybercrime business. The actors behind this can afford to pay the developers maintaining the platform (even adopting an ‘Amazon’-style approach with recommendations written by happy users) and can also pay for hackers to search for new vulnerabilities, thereby increasing the platform’s coverage and usability.

There are many examples of these ‘as-a-service’ platforms, such as CERBER, SATAN or DOT. It is difficult to gauge their success, but the figures discussed around CryptoWall give some indication of the amount of money that is on the table.

State-sanctioned, state-sponsored, or state-owned

The relationship between these actors and nation states must be put under the microscope.

It makes no difference whether these actors are owned and directed by a government, whether they are funded by a government but act outside the legal controls of an agency setup, or whether they are state-sanctioned. Whatever the nature of the relationship, they have some sort of motivation to support a certain government’s political goals.

Every state-driven actor must maintain its own list of cyber weapons to use as and when needed. There is an intrinsic danger to this, as EternalBlue shows. Even if that actor is able to maintain the secrecy of such an exploit (and history suggests secrets tend to surface), there will always be other state actors doing exactly the same thing, looking for the same high-profile vulnerabilities to use.

Governments must question whether the likely costs of their societies being impacted by a vulnerability, which once was or still is a national secret, outweigh the benefits of keeping it. There are many government committees around the world discussing the pros and cons of hacking back and keeping vulnerabilities undisclosed. Those in favour cite ‘interests of national security,’ yet what happens if an undisclosed vulnerability – one that was previously known to the state – turns against its own critical infrastructure? This is exactly what happened with EternalBlue and WannaCry, but perhaps those lessons have still to be learnt.

Is it worth keeping cyber weapons? A look at the maths

Estimating the global damage of cybercrime each year is not easy, but figures exist. One figure cited is in the range of $6tn, a figure with 12 zeros. Given that cybercrime hits corporate revenues and profits, it follows that this will have a knock-on effect on the amount of corporation tax governments can collect – currently $1.3tn globally.

The maths can be simplified like this:

$6tn in damage multiplied by an average corporate income tax rate of 22 percent, equals $1.32tn in taxes not realized due to reduced income related to damages or costs incurred.

Interestingly the total budget of the five largest western economies is $12.3tn, while their combined budget deficit is $1.23tn.

Is it worth keeping cyber weapons? Given these numbers, the answer must be no.

Companies from the IT and telecommunications sector that operate critical infrastructures are top targets for hackers. They therefore need to be as secure as possible. This is where sustainable cyber resilience comes in.

Sustainable cyber resilience is a vital defence against cyberattacks. But what exactly does that mean?

It’s become clear that companies can no longer afford to take reactive measures to protect themselves from hackers. They must minimise their attack surface from the outset and, at the same time, ensure that their systems remain operational even in the event of a cyberattack. The sustainable cyber resilience concept goes one step further than IT security and includes both technological and strategic measures. On the technical side, it is necessary to identify and assess risks and close weak points. On the strategic side, business and IT departments must work closely together to make the resilience processes a top priority.

Here are Greenbone Networks’ top five reasons why sustainable cyber resilience is essential for telecoms providers today:

1. Cyberattacks on telecoms companies are on the rise
Ponemon Institute estimates that nine out of ten critical infrastructures have suffered an attack over the past two years. The telecoms sector is particularly at risk, with attacks coming from all sides, including government agencies establishing covert surveillance and cyber criminals in search of highly valuable personal customer data. Indeed, especially with the introduction of 5G and suspicions (rightly or wrongly) surrounding the use of Huawei equipment, UK telecoms providers have been urged to strengthen their cyber security defences by the NCSC to fend off the growing number of attacks.

2. Telecommunications connect all critical infrastructure sectors
If the telecoms infrastructure fails, other critical sectors will also be affected. Many control systems in energy and water utilities can’t function if they can’t transmit or exchange data. The financial system would come to a standstill; so too would the healthcare system. A telecoms sector that is resistant to cyberattacks is absolutely vital to every part of society.

3. The target area of telecoms infrastructures is becoming larger
As a result of digitisation, more and more telecoms services have shifted to IP networks. The classic fixed network has become obsolete. Telephony, internet, TV and video streaming are now all IP-based. As a result, communication networks and server systems are becoming increasingly unified. But this also means that hackers can cause massive damage by attacking the IP network. Furthermore, mobile is becoming increasingly important. Many IoT devices use mobile networks and, as a result, cybercriminals have more and more points of attack. The new 5G mobile communications standard will bring even more technical complexity and, with it, the need for new IT security requirements.

4. Nested responsibilities make security more difficult
Many different companies and subcontractors are often involved in telecoms infrastructures, some of them located in different countries. Whilst this makes it difficult to provide security, it also means that it is all the more important to establish a uniform, consistent level of protection with a resilience concept.

5. The EU NIS Directive makes resilience building blocks mandatory
Since May 2018, critical infrastructure companies in the telecoms sector have been obliged to provide evidence of suitable technical and organisational measures to protect against cybercrime. This is prescribed by the EU NIS Directive. ISO 27001 certification provides a good blueprint for resilience. Among other items, it mandates vulnerability management, an important cornerstone of sustainable cyber resilience.

Minimising risks with sustainable resilience
It’s not for nothing that attacks on telecoms infrastructures are so popular with hackers. Here they find a growing, complex attack surface on which they can cause great damage. ICT companies should therefore do everything they can to make their systems sustainably resilient. For a comprehensive concept of Sustainable Cyber Resilience, ICT companies must take the appropriate technical and organisational measures.

This includes vulnerability management.

As feared by many security experts, Emotet has learned something new – again. As reported by CERT-Bund on Twitter, the malware is now capable of creating authentic replies to existing emails, encouraging unsuspecting recipients to open infected attachments or click on fake links.

The German Federal Office for Information Security (BSI) has, in the past, issued several warnings about the Emotet malware, which spreads by sending credible-looking spam emails from an infected account to address book contacts. Once it has infected a system, the malware can generate further malicious code, with possible dire consequences for companies. It could cause a halt in production or a complete infrastructure failure, and may even require company networks to be rebuilt entirely.

Hackers have now made the malware even more sophisticated. Indeed, CERT-Bund tweeted that Emotet no longer only uses the sender’s addresses, but can also produce fake replies to emails by making use of ‘read message’ content. It also embeds authentic links to the domain of the supposed sender. The malware makes use of “spear phishing” techniques in which information about the victim’s contacts and communication behaviour is collected in order to create as authentic an email response as possible with malicious code attached. Emotet has automated this process and is therefore able to send a huge amount of authentic emails in a short space of time, spreading malware at high speed.

Even though this malware is becoming more sophisticated, organisations still have an opportunity to act and protect themselves before it’s too late.

Companies can and should deploy counteractive measures

On a technical level, taking a closer look at the structure of the malware reveals that there are fundamental ways to protect against an attack. The Emotet infection process uses a number of elements that a resilient infrastructure with a flexible and preventive security architecture can defend against. One such element is that the infection does not take place the moment the email recipient opens an attachment, but only when the macros in the attached file, such as a Word document, are executed. With standard MS Office settings, this means a user must manually activate the malware in the attachment before it can reach the network.

What’s more, most employees don’t even need macros for normal day-to-day business. It is therefore advisable to deactivate them completely by default, preventing manual execution by assigning the appropriate rights. A good vulnerability management tool can help here, as it can identify and manage which user accounts are allowed to execute macros. The same is true for PowerShell or administrator rights, as these are also required for Emotet to load.

Detect reloading of Emotet tools

Even if Emotet has already infected the IT system, there are still defence measures that can be put in place. For example, the malware downloads further tools to spy on access credentials or encrypted data. These standard tools can be used as indicators of compromise. A vulnerability management tool such as the Greenbone Security Manager can also be used to determine whether downloaded Emotet tools are active in the company’s own IT infrastructure.

Emotet also spreads from the infected system via the SMB vulnerability made infamous by EternalBlue and WannaCry. This vulnerability can be closed with the corresponding update, but after the WannaCry outbreak, although many companies blocked SMB communication from the outside, not all secured their internal communications. An examination that pinpoints the corresponding weak points is the best way to find any remaining gaps in the system.

Conclusion: Small security measures have a big impact

Large-scale computer failures caused by the Emotet malware can have catastrophic consequences, especially for critical infrastructures such as hospitals as they not only cause economic damage, but also pose a threat to people. Organisations should therefore act before it’s too late and protect their IT infrastructures in the best possible way. To become resistant to phishing attacks from advanced malware such as the new Emotet type, a few coordinated measures, such as deactivating unnecessary macros and closing known vulnerabilities as quickly as possible, are often enough.