As feared by many security experts, Emotet has learned something new – again. As reported by CERT-Bund on Twitter, the malware is now capable of creating authentic replies to existing emails, encouraging unsuspecting recipients to open infected attachments or click on fake links.

The German Federal Office for Information Security (BSI) has, in the past, issued several warnings about the Emotet malware, which spreads by sending credible-looking spam emails from an infected account to address book contacts. Once it has infected a system, the malware can generate further malicious code, with possible dire consequences for companies. It could cause a halt in production or a complete infrastructure failure, and may even require company networks to be rebuilt entirely.

Hackers have now made the malware even more sophisticated. Indeed, CERT-Bund tweeted that Emotet no longer only uses the sender’s addresses, but can also produce fake replies to emails by making use of ‘read message’ content. It also embeds authentic links to the domain of the supposed sender. The malware makes use of “spear phishing” techniques in which information about the victim’s contacts and communication behaviour is collected in order to create as authentic an email response as possible with malicious code attached. Emotet has automated this process and is therefore able to send a huge amount of authentic emails in a short space of time, spreading malware at high speed.

Even though this malware is becoming more sophisticated, organisations still have an opportunity to act and protect themselves before it’s too late.

Companies can and should deploy counteractive measures

On a technical level, taking a closer look at the structure of malware reveals that there are fundamental ways to protect against an attack. The Emotet infection process uses a number of elements that a resilient infrastructure with a flexible and preventive security architecture can defend against. Having this resilience in place means that the infection is not transmitted immediately, for example, when the email recipient opens an attachment, but only when the associated macros in the attached file, such as a Word document, are executed. This means that with standard MS Office settings, a user must manually activate the malware in the attachment in order to transfer it to the network.

What’s more, most employees don’t even need macros for normal day-to-day business. It is therefore advisable to deactivate them completely by default, preventing manual execution by assigning the appropriate rights. A good vulnerability management tool can help here as they can help identify and manage which user accounts can allow the execution of macros. The same is true for PowerShell or administrator rights, as these are also required for Emotet to load.

Detect reloading of Emotet tools

Even if Emotet has already infected the IT system, there are still defence measures that can be put in place. For example, the malware reloads various tools to spy on access data or encrypted data. These standard tools can be used as indicators of compromise. A vulnerability management tool such as the Greenbone Security Manager can also be used to determine whether reloaded Emotet tools are active in the company’s own IT infrastructure.

Emotet is also distributed from the infected system via the so-called SMB vulnerability, which was made infamous in the WannaCry and Eternal Blue attacks. This vulnerability can be closed with the corresponding update but after the WannaCry outbreak (although many companies made their networks inaccessible to SMB communication from the outside), not all secured their internal communications. Here an examination to pinpoint corresponding weak points is the best way to find any gaps in the system.

Conclusion: Small security measures have a big impact

Large-scale computer failures caused by the Emotet malware can have catastrophic consequences, especially for critical infrastructures such as hospitals as they not only cause economic damage, but also pose a threat to people. Organisations should therefore act before it’s too late and protect their IT infrastructures in the best possible way. To become resistant to phishing attacks from advanced malware such as the new Emotet type, a few coordinated measures, such as deactivating unnecessary macros and closing known vulnerabilities as quickly as possible, are often enough.

New OS versions to be released on April 30th and October 31st every year

In 2019, we will be switching to a new release scheme for updated versions of the Greenbone OS – the Greenbone Security Manager (GSM) operating system – with fixed release dates every year, giving our customers, partners, and the Greenbone development team more planning certainty.

The new fixed dates will be April 30th and October 31st each year. However, during 2019, as we transition to this new scheme, we will introduce GOS 5.0 in two staged releases, with ENTRY/SME scheduled for April 30th and MIDRANGE/ENTERPRISE/SENSOR set for June 30th. GOS 6.0 will then be released for all GSM devices in a single step in accordance with the new scheme. From 2020 onwards, the new time-based release system will apply in full.

The scheme is based on hard deadlines for new features, new GSM types and new hardware. If a feature does not make it to a release date, it will be included in the subsequent release.


OS updates tested over one-month phase in the Greenbone community

In addition, our Greenbone Vulnerability Management (GVM) system will undergo a one-month test phase in conjunction with each GOS release. Before the April 30th and October 31st release dates, the Source Edition will be made available on the GVM system within the Greenbone community. As a result, any bugs can be found and eliminated before our customers and partners put the new GOS into operation.

Another advantage of having two new major OS versions per year is that our customers can benefit from our latest innovations much more quickly. Users will be able to jump to new GOS versions faster, either every six months on the official release dates (our innovation cycle), or every 12 months during a three-month migration phase (May/June/July or November/December/January) when they can skip a GOS generation (a more conservative cycle).

Serious vulnerability discovered in D-Link routers

UPDATE: patch available for users on D-Link support pages

In November 2018, Greenbone discovered a serious security vulnerability in D-Link routers and drew the company’s attention to it. The vulnerability is easy for hackers to exploit and allows unauthorised access to networks. There is now a patch available from the vendor. Greenbone has been offering its customers a vulnerability test (NVT) as part of its daily security feed since the end of last year.

Routers are pivotal to both home and business networks. They establish an Internet connection for connected laptops and PCs, and also for smart home and industrial applications. But even though so many components of a network converge here, router security is not always adequate. For example, last year, researchers at the American Consumer Institute found known vulnerabilities in 83 percent of the routers it examined as part of the study. Hackers can use these vulnerabilities to gain access to the device itself and therefore to the entire network. In total, the researchers counted more than 30,000 separate vulnerabilities – 7 percent of which represented a critical risk, while 21 percent were high risk.

Design errors make the DWR and DAP models vulnerable to attack

In addition to the already known vulnerabilities in routers, new ones are being found on a near constant basis. In November 2018, Greenbone security researchers found a serious vulnerability in various D-Link routers, particularly the DWR and DAP models. Described as an “Unauthenticated Remote Code Execution”, the vulnerability is a security hole where an attacker can execute commands on the router without any authentication. In the case of the D-Link routers, a hacker can even obtain full administrative rights. It is very likely that the NIST (National Institute of Standards and Technology) will award the highest possible CVSS rating (Common Vulnerability Scoring System) of 10.0.

The cause is probably a design flaw. In the devices we tested, we found an executable file called “EXCU_SHELL” that can be selected from the web browser using a so-called GET request. This is responsible for some useful (yet harmless) operations, such as displaying information about the installed firmware. But if you adjust some of the file’s parameters, it is possible to insert and execute arbitrary commands.

Access to routers without authentication possible

D-Link is one of the top vendors in the global wireless router market and was the market leader in 2017, with a market share of 24.1 percent.

But it’s not just the potential number of customers that could be impacted that make this vulnerability significant.  According to the CVSS basic score calculator, the severity of the vulnerability is high and relatively easy to exploit. The “EXCU_SHELL” file is not password-protected and hackers can therefore access the router and the associated network without authentication. Once infiltrated, all incoming and outgoing Internet traffic can be viewed, modified and controlled. It may even be possible for hackers to spread malware.

With smart home and IoT technologies, such vulnerabilities cause considerable damage. Hackers can open the door to critical infrastructures, such as health care facilities or energy suppliers.

D-Link publishes security update on March 19, 2019

Greenbone reported the vulnerability to D-Link last November. The manufacturer was responsive throughout the process and asked us to take over the CVE application. The D-Link website now provides information for customers and a patch has been made available.

After more than 90 days that have passed since the vulnerability was discovered – the deadline expired on February 11, 2019 – we were acting in accordance with Responsible Disclosure and published all available information to protect users. For Greenbone customers, the gap has been visible via the daily security feed since November 2018.

Manufacturers must act

Given the sheer number of security vulnerabilities on routers, closing the D-Link gap is certainly just a drop in the ocean. While the number of vulnerabilities is intimidating, placing your head in the sand is not an option. Focus must be placed on persuading (or, in some cases, forcing) as many manufacturers as possible to secure their routers.

The EU directive on the security of Network and Information Systems (NIS) was approved in August 2016, giving member states 21 months to embed the directive into their respective national laws. The directive became UK law in May this year and all organizations deemed ‘Operators of Essential Services’ (OES) must have complied and will do so from this date forward – if they fail they could face a fine of up to £17m.

A matter of vulnerability management

With the directive now in place, each state needs to ensure the continuity of their essential services besides any cause that could affect the networks and information systems enabling  those critical infrastructures. What this really means is that those services need to improve not only their resistance to cyber attacks, but their resilience which refers to the ability to continuously deliver the intended business objective despite adverse cyber events.

Critical infrastructures – example transportation systems

Critical infrastructures, like energy, health, finance and transportation, share one common prerequisite: they mostly consist of converged technologies. It is this interdependency of industry control systems (ICS) and IT systems that increase the attack surface drastically. A major element of resilience as I mentioned above, then, is to minimize the attack surface of the overall infrastructure by identifying vulnerabilities which could be exploited by an adversary. So far, so good. But how do organizations tackle this?

We have outlined information on steps organizations need to take to address their vulnerabilities – taking into account their business needs at all times. The first issue in a series of whitepapers to come from us looks at the systems and processes of the transportation industry. In the light of the new EU directive, how can internal security guidelines be changed due to the new regulations?

Learn more: Download our Whitepaper ‘Sustainable Cyber Resilience for Critical Infrastructures – Transportation Systems and Networks’ here for free.

On July 5, 2018, the European Union Parliament advised the EU Commission to suspend the so-called EU-US Privacy Shield. This renews and hardens the EU Parliament’s position on Privacy Shield’s privacy policy for US companies, that process and store data of EU citizens. Already in October 2017, the European Parliament published a list of 10 recommendations, which pointed to gaps and weaknesses in the Privacy Shield.

In its recommendation to the EU Commission, the Parliament pointed out that the US administration has failed to implement two core elements of the Privacy Shield. For example, there is still no ombudsman who leads the U.S. Privacy Civil Liberties Oversight Board (PCLOB), let alone any other members in this board. Thus, EU citizens lack a contact person in the event of data breaches and thus the ability to make their own rights in the US heard at all.

Privacy Shield replaces Safe Harbor

As a reminder, Privacy Shield was introduced as a replacement for the Safe Harbor Agreement. Safe Harbor fell because the European Court of Justice granted the claim of the Austrian lawyer Maximilian Schrems in 2015. The Safe Harbor rules should create a ‘safe data port’ for sensitive data outside the EU, so that this data can be processed for example in the US. Triggered by the Snowden publications (notably PRISM), this agreement was reviewed and finally replaced by Privacy Shield.

EU Parliament confirms assessment: Sensitive data is not safe at US companies

As explained in my last blog post, sensitive but also security-relevant data of a company should not leave Europe. Parliament’s assessment reinforces the urgency of data protection. Security-related data such as intellectual property or administrative access such as domain passwords should not be given to cloud providers in the US. The Cloud Act and Privacy Shield are incompatible.

More information on the resolution of the European Parliament is published here, an analysis can be found here.

In March of this year, the US Congress passed the so-called Cloud Act. This allows US authorities worldwide access to data from US companies – even if their servers are located in the EU. For this reason, the IT Security of companies who store data with US providers is at stake.

The so-called “Cloud Act” (Clarifying Lawful Overseas Use of Data Act) commits US companies to provide data to US authorities on request, irrespective of location. US legislation thus places American law in an EU member state above EU law. Therefore, US companies are in a dilemma in future: if they deny access, they break American law and vice versa European.

Microsoft fought and lost

One of the reasons for the decision was Microsoft. The matter goes back to 2013. At that time, the US Department of Justice investigated drug crime and asked Microsoft for access to a suspect’s e-mail account. However, as the server with the data was in Ireland, Microsoft invalidated the search warrant. It came to a process that Microsoft lost in the first instance and won second place. Due to the new Cloud Act, this case has now been declared done. The question of how an acceptable solution between the US and the EU or the individual member states can look like is currently being discussed.

Sensitive Data are no longer safe at US companies

But what does that mean for companies, that uses services by US companies? First and foremost, they must be aware that true compliance with the EU GDPR can fail. Taking the next step, the Cloud Act also allows US authorities to arbitrarily gain access to all data of a company stored at a US partner or services provider – including business and enterprise secrets or information about IT Security measures.

Security-relevant Data should not leave the company

Companies, that sources IT security services such as Vulnerability Management from US providers and store sensitive data with them, should now take action. For a maximum of security, they should at least switch to a European partner, who only stores data in data centers within the EU. Finally, this raises the fundamental question of whether safety-related data should or have to leave the company at all. After all, there are certainly IT security service providers in the market whose solutions work exclusively within the company IT and do not transfer data either to the cloud or to the provider.

An example of this is our Greenbone Security Manager. It scans IT networks for vulnerabilities and forwards data and reports only within the secure enterprise network.

Cloud Act calls for action

Once again, the Cloud Act shows that the US attaches far less importance to privacy than the EU: while the Europeans consider data security as human rights, in the United States it is “only” a civil right – which therefore only refers to Americans. In the American legislation, the interest of European citizens will therefore continue to receive little or no consideration in future. Companies have to adjust that. They should use the Cloud Act as an opportunity to bring sensitive data outside the reach of American authorities. This can happen for example by switching to European or German service provider. However, the best option for IT security is to choose solutions in which sensitive data does not even leave the company.

Spectre and Meltdown cause trouble worldwide

Currently, reports are accumulating about insecure processors that have been used for years. The two attack scenarios, Meltdown and Spectre exploit these vulnerabilities. Especially explosive: Every operating system on which more than one user is working is affected. Thus the “unprivileged user” is able to read each memory area of the RAM, as long as he can run the software at the system. An attacker can do this by placing malicious code on a website called from a web browser.

How massive the scale really is becomes clear when you realize that the vulnerability “Meltdown” affects every Intel-CPU since the Pentium II in 1997. Furthermore, “Spectre” affects ARM and AMD microprocessors. with similar influence to PCs, laptops, tablets, servers and smartphones. By taking advantage of these gaps, hackers are able to avoid barriers between user program and RAM to extract sensitive data such as passwords.

Cloud solutions are also affected: Office 360 or AWS data can be read by unauthorized users, as they usually are not encrypted in RAM. As long as Microsoft, Amazon and IBM have not patched and restarted their entire clouds, cloud applications should not be used for confidential information.

Greenbone‘s solution is protected

The Greenbone Security Manager is not affected by these vulnerabilities! Our authorization concept and system hardening does not allow users to exploit the proof-of-concept gap. In addition, since JAN 5th 2018 the security feed of our solution identifies unpatched systems and supports the user to quickly recognize and remediate the vulnerabilities.

31 million users of Ai.type entrusted their personal data to the app provider. It turned out to be a bad idea. A huge security leak handed user data – i.e. names, email addresses, IMEI and phone numbers, as well as contacts directories – to hackers, spammers and cyber criminals on a silver platter.

You can only shake your head when you read news like the data leak from the app Ai.type. The developer simply forgot to secure a MongoDB database that was 577 GB in size and thus threw the gates wide open for information thieves. Admittedly, everybody knows that mistakes can happen. The more serious element is the second failure: It seems the app provider had not implemented any security measures or test mechanisms to detect vulnerabilities like that – before they can be exploited by attackers.

However, preventive security tools have long been part of standard security strategies to secure the IT network. This also includes a comprehensive vulnerability management tool that continuously checks the IT infrastructure, detects and reports vulnerabilities to those who are in charge of. This way, an open database like the one in Ai.type would have been noticed very fast. Let’s hope that other providers deal with sensitive customer data in a much more responsible way. From next May onwards at the latest, there will be even more reasons to do so as the GDPR will come into force and costly penalties can be imposed.

The Adobe Patch Day in August must have caused quite a stir in IT departments: 80 vulnerabilities were detected in Adobe flashplayer, Adobe acrobat and reader, as well as in the experience manager, 46 of which were deemed critical. This very clearly shows that the sporadic closure of vulnerabilities does not meet the standards of current strict data protection laws.

Not being able to trace whether the update was installed on all network devices poses yet another risk. The only guaranteed way to know is to continuously run automated and complete scans throughout your network with vulnerability management software. Daily updates contain vulnerability tests to find running threats and security gaps. Take a look at the current situation here.

Beware of legacy technology

Many believe Flash is dead. That is true and false at the same time. Contrary to all predictions, Flash and other technologies are still being used. And that is why it is important to know where in your own network they can cause harm and create a risk. An automated scan helps you find out and ultimately gives you more security.

Large-scale cyber attacts like WannaCry can bring on a real panic. The Greenbone Community Edition is just what you need to ease the situation: The tool is free of charge, checks the network and detects weaknesses – before malware exploits them.

The worldwide ransomware attacks have affected tens of thousands of computers in almost 100 countries: The attackers block data access with the help of the trojan WannaCry. Then demand a ransom for decoding the now encrypted data. Networks with a vulnerability in the network protocol Server Message Block Version 1 (SMBv1) are the prime target of these cyber criminals. This was known for quite some time. Which is why our Greenbone security research team already issued a network vulnerability test at the beginning of February, pointing out this weakness for customers and users. This early warning raised user awareness for the problem and prevented worse from happening.

The feedback came mainly from the users of our free Greenbone Community Edition. It can do a lot more than just look for WannaCry in the network. The free platform detects other Microsoft vulnerabilities, too. At the same time, users can check the complete IT infrastructure including other software packages, routers, switches, access points, printers and further equipment for vulnerabilities. There is no time limit on the use of the Community Edition. For professional-grade support, users can always switch to the Greenbone Security Manager. Please look here for a detailed comparison.

By the way, the crypto mining malware Adylkuzz, which has been around since April, exploits the same weak point. So a quick check is definitely worth your time. A free download is available here.