Posts

15th October, 2019 Greenbone, a leading provider of vulnerability management solutions, has today extended its security feed capabilities in order to detect unprotected Picture Archiving and Communication Systems (PACS) in use by medical professionals to store and share scans, x-rays and other medical images. In September 2019, Greenbone revealed that approximately 700 million images – relating to more than 24 million patient records – were exposed on the internet due to poorly secured PACS servers.

Sensitive patient data requires complete protection, yet Greenbone’s research identified some 2,300 medical image archiving systems visible on the public internet. A significant proportion of these servers allowed unsecured access to image files containing sensitive data such as patient names, birth and examination dates, as well as the reason for the examination.

The new Greenbone vulnerability tests are designed to help hospitals, radiology clinics and other healthcare facilities avoid data leaks in the future. Included in the security feed of Greenbone’s vulnerability management solution, these tests enable healthcare customers to identify unprotected PACS servers on their networks. The tests also report whether the connection is encrypted, whether patient data can be retrieved and whether any authentication is configured. Customers can also check the Application Entity Titles (AETs) of these systems. An AET is the identifier under which a PACS accepts connections and is often the only thing that gates access to a particular image database, but it is not a secret: AETs frequently follow standardised naming patterns, which makes them easy to guess by brute force.

Crucially, the tests check whether it is possible for the public to access these PACS servers, together with the data and images they contain. If the test is positive, administrators can take immediate action to close any gaps in security.
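What such an association check looks like on the wire, as an added example that is not Greenbone’s NVT code: the script below builds a DICOM A-ASSOCIATE-RQ for the Verification service (C-ECHO) for each of a list of guessed called AE titles and classifies the server’s reply. A peer that answers with A-ASSOCIATE-AC has accepted the AE title pair with no credentials at all; an A-ASSOCIATE-RJ whose reason is ‘called-AE-title-not-recognized’ tells the prober to try the next guess. The candidate AET list, the calling AE title ‘PROBE’ and the implementation UID are assumptions for illustration; the PDU layouts and UIDs are those of the DICOM standard (PS3.8).

```python
"""DICOM association probe: does a PACS accept an association for a guessed
called AE title, and if not, what does its rejection reveal?  PDU layouts
follow DICOM PS3.8.  Only probe() touches the network; the builder and the
classifier run offline on constructed bytes."""
import socket
import struct

# Well-known UIDs from the DICOM standard
APPLICATION_CONTEXT = b"1.2.840.10008.3.1.1.1"
VERIFICATION_SOP = b"1.2.840.10008.1.1"        # C-ECHO
IMPLICIT_VR_LE = b"1.2.840.10008.1.2"
# Assumed identifiers for this probe itself (illustrative, not registered)
IMPL_CLASS_UID = b"1.2.826.0.1.3680043.9.9999.1"
IMPL_VERSION = b"AETPROBE_1"

# A-ASSOCIATE-RJ reason codes when source == 1 (DICOM UL service-user)
RJ_REASONS_SERVICE_USER = {
    1: "no-reason-given",
    2: "application-context-name-not-supported",
    3: "calling-AE-title-not-recognized",
    7: "called-AE-title-not-recognized",
}

# Constructed candidate list: AE titles tend to follow simple, guessable
# patterns.  Illustrative guesses only, not a vendor default list.
CANDIDATE_AETS = ["PACS", "ARCHIVE", "ORTHANC", "DCM4CHEE", "SERVER", "ANY-SCP"]


def _item(item_type: int, payload: bytes) -> bytes:
    """PDU item / sub-item: type, reserved byte, 2-byte big-endian length, payload."""
    return struct.pack(">BBH", item_type, 0, len(payload)) + payload


def build_associate_rq(called_aet: str, calling_aet: str = "PROBE") -> bytes:
    """A-ASSOCIATE-RQ (PDU type 0x01) proposing one presentation context:
    Verification SOP class over Implicit VR Little Endian."""
    for aet in (called_aet, calling_aet):
        if not 1 <= len(aet) <= 16 or not aet.isascii():
            raise ValueError(f"AE title must be 1..16 ASCII chars: {aet!r}")
    app_ctx = _item(0x10, APPLICATION_CONTEXT)
    pres_ctx = _item(0x20, struct.pack(">BBBB", 1, 0, 0, 0)        # context id 1
                     + _item(0x30, VERIFICATION_SOP)
                     + _item(0x40, IMPLICIT_VR_LE))
    user_info = _item(0x50, _item(0x51, struct.pack(">I", 16384))  # max PDU length
                      + _item(0x52, IMPL_CLASS_UID)
                      + _item(0x55, IMPL_VERSION))
    body = (struct.pack(">HH", 1, 0)                 # protocol version 1, reserved
            + called_aet.ljust(16).encode("ascii")   # 16-byte space-padded AE titles
            + calling_aet.ljust(16).encode("ascii")
            + bytes(32)                              # reserved
            + app_ctx + pres_ctx + user_info)
    return struct.pack(">BBI", 0x01, 0, len(body)) + body


def classify_response(pdu: bytes) -> tuple:
    """Return (verdict, detail) for the first PDU received after the RQ."""
    if len(pdu) < 6:
        return ("no-response", "connection closed or short read")
    pdu_type, _, length = struct.unpack(">BBI", pdu[:6])
    if pdu_type == 0x02:
        return ("accepted", "A-ASSOCIATE-AC: AE title pair accepted without credentials")
    if pdu_type == 0x03 and length == 4 and len(pdu) >= 10:
        _, result, source, reason = struct.unpack(">BBBB", pdu[6:10])
        kind = "permanent" if result == 1 else "transient"
        if source == 1:
            why = RJ_REASONS_SERVICE_USER.get(reason, f"reason {reason}")
        else:
            why = f"source {source}, reason {reason}"
        return ("rejected", f"A-ASSOCIATE-RJ ({kind}): {why}")
    if pdu_type == 0x07:
        return ("aborted", "A-ABORT")
    return ("unknown", f"unexpected PDU type 0x{pdu_type:02x}")


def probe(host: str, port: int = 104, candidates=CANDIDATE_AETS, timeout: float = 5.0) -> dict:
    """Try each candidate called AE title in turn and stop at the first one
    the server accepts.  Network I/O only; not exercised offline."""
    results = {}
    for aet in candidates:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_associate_rq(aet))
            head = sock.recv(6)
            body = b""
            if len(head) == 6:
                need = struct.unpack(">BBI", head)[2]
                while len(body) < need:
                    chunk = sock.recv(need - len(body))
                    if not chunk:
                        break
                    body += chunk
            results[aet] = classify_response(head + body)
            if results[aet][0] == "accepted":
                sock.sendall(bytes([0x05, 0, 0, 0, 0, 4, 0, 0, 0, 0]))  # A-RELEASE-RQ
                break
    return results
```

An accepted association is only the first finding; whether patient data is actually retrievable would be confirmed by a C-FIND query over the same association, which this probe does not send. Running the probe over plain TCP (port 104 or 11112) also answers the encryption question: a server that accepts there is not requiring TLS.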

Dirk Schrader, cyber resilience architect at Greenbone, commented: ‘Several security researchers have criticised PACS servers for being readable and vulnerable to attack, but what shocked us was the true extent of the problem. Our analysis uncovered unsecured PACS systems in use all over the world; a situation that simply cannot be allowed to continue. By extending the capabilities of the Greenbone Security Feed to test for unprotected PACS, we hope to make it much easier for health providers to protect confidential patient data and images, both now and well into the future.’

These new tests are available to customers using Greenbone Security Manager (GSM), Greenbone Community Edition (GCE) or Greenbone Vulnerability Management (GVM). Users of the Greenbone Community Feed can find further information on the community page or can contact Greenbone support for general information on how to fix vulnerabilities and the Vulnerability Tests (VT) provided as part of the Security Feed.

Are cyber weapons worth it? A look at the economics of hacking back

On 12 May 2017, WannaCry was released into the wild and an epic story began to unfold.

Spawned from a cyber weapon that had been lost by a government agency, WannaCry was a major wake-up call for industries around the globe, reminding them in the loudest way possible that their dependency on technology carries existential risks to their operations.

Yet despite the fallout of WannaCry, governments still contemplate the idea of collecting, storing and using cyber weapons for so-called ‘hack backs’, where they counter-attack an adversary to destroy, disable or snoop on their servers and data.

The grey market for vulnerabilities and cyber weapons is already highly lucrative. To give some context, potent vulnerabilities and their related exploits already fetch (and can exceed) sums of $1m if they target Windows desktops and servers. The figure can double for exploits affecting mobile devices (notably Apple’s).

If governments follow through with their plans to ‘hack back’, we can expect this market to become even more profitable in the future.

The story of EternalBlue

EternalBlue was the name given to an exploit for a vulnerability in Microsoft’s SMBv1 implementation, ‘discovered’ by the National Security Agency at some point in 2011 or 2012. The NSA did not share its knowledge of the vulnerability with Microsoft, at least not until it was forced to.

By mid-2016, the exploit had somehow been lost by the NSA and ended up in the hands of a group calling itself the Shadow Brokers. The Shadow Brokers tried (unsuccessfully) to auction the stolen tools in August 2016 and went on to publish batches of files over the following months; the EternalBlue exploit itself appeared in their dump of 14 April 2017.

With the cat out of the bag, the NSA’s hand was forced. It had little choice but to come clean about the vulnerability. It informed Microsoft about the vulnerability and, on 14 March 2017, Microsoft released the MS17-010 security update that fixed it, a month before the exploit itself became public.

Almost two months later, WannaCry was wreaking havoc on organisations all across the globe, exploiting this very same vulnerability. News channels, TV and radio stations and online media all covered the immediate impact and fallout. Some were even hit themselves.

It has been reported that WannaCry and other malware exploiting EternalBlue – NotPetya being perhaps the next most famous – caused $9bn worth of damage in just one year. The world’s largest shipping company, Maersk, was hit to the tune of $300m, while costs to the UK National Health Service (NHS) exceeded $100m.

There were many other victims too. Aircraft maker Boeing was hit in March 2018, while chip manufacturer TSMC fell victim in August 2018. TSMC estimated it suffered $170m worth of damage, a figure that can be added to the $9bn total mentioned earlier.

The story of EternalBlue isn’t over yet. Research indicates that millions of computers connected to the internet are still vulnerable.

The economics of the cyber weapons market

There is no doubt that spending time and money on finding vulnerabilities is financially rewarding. Take the CryptoWall ransomware – in all its various guises – as an example. CryptoWall v3 alone has generated ‘revenues’ of more than $325m.

The business model and margins in the retail and wholesale of cyber weapons, not to mention the revenue opportunities from offering ‘Cybercrime-as-a-Service’, do not just make economic sense; they are relatively risk-free. Different countries’ cyber legislation is so diverse that a cybercriminal can operate from a safe harbour without fear of prosecution or extradition.

As already stated, vulnerabilities that fulfill certain criteria are particularly sought after and large sums are paid for them. The easier it is to use and the more systems and devices it will affect, the better. In turn, the higher the price it will command.

Selling a high-profile vulnerability to a single user seems to be the least profitable way of running this ‘business’. Instead, the seller will more likely try to sell a vulnerability more than once. On the flipside, any buyer – regardless of their motivation for making the purchase – will want exclusive use of the vulnerability. Requests for exclusivity will increase the price tag placed on any vulnerability. There are no documented cases for this, but an educated guess would suggest the price would go up by a factor of ten, or even more.

If a vulnerability is sold to multiple customers or governments (it doesn’t matter whether they are allies, as this can quickly change in politics), the likelihood of losing the vulnerability through a leak, or because it is discovered in the wild, is high. That puts deflationary pressure on the price tag, and the seller has to maintain a balance between how often a vulnerability is sold and the money requested for it from each buyer.

A game-changing approach is to build up a service model around vulnerabilities. Instead of selling the vulnerability, the cybercriminal licenses its use, simply by providing a platform for ransomware or botnets. This shared use of a vulnerability by many, with all buyers paying a ‘fair’ share (up to 50%) of their own returns to the platform provider, is the modern way of running a cybercrime business. The actors behind this can afford to pay the developers maintaining the platform (even adopting an ‘Amazon’-style approach with recommendations written by happy users) and can also pay for hackers to search for new vulnerabilities, thereby increasing the platform’s coverage and usability.

There are many examples of these ‘as-a-service’ platforms, such as Cerber, Satan or DOT. It is difficult to gauge their success, but the figures cited around CryptoWall give some indication of the amount of money on the table.

State-sanctioned, state-sponsored, or state-owned

The relationship between these actors and nation states must be put under the microscope.

It makes no difference whether these actors are owned and directed by a government, whether they are funded by a government but act outside the legal controls of an agency setup, or whether they are state-sanctioned. Whatever the nature of the relationship, they have some sort of motivation to support a certain government’s political goals.

Every state-driven actor must maintain its own list of cyber weapons to use as and when needed. There is an intrinsic danger in this, as the EternalBlue story shows. Even if that actor is able to maintain the secrecy of such an exploit (and history suggests secrets tend to surface), there will always be other state actors doing exactly the same thing, looking for the same high-profile vulnerabilities to use.

Governments must question whether the likely costs of their societies being impacted by a vulnerability, which once was or still is a national secret, outweigh the benefits of keeping it. There are many government committees around the world discussing the pros and cons of hacking back and keeping vulnerabilities undisclosed. Those in favour cite ‘interests of national security’, yet what happens if an undisclosed vulnerability – previously known to the state – turns against its own critical infrastructure? This is exactly what happened with EternalBlue and WannaCry, but perhaps those lessons have still to be learnt.

Is it worth keeping cyber weapons? A look at the maths

Estimating the global damage of cybercrime each year is not easy, but figures exist. One figure cited is in the range of $6tn, a figure with 12 zeros. Given that cybercrime hits corporate revenues and profits, it follows that this will have a knock-on effect on the amount of corporation tax governments can collect – currently $1.3tn globally.

The maths can be simplified like this:

$6tn in damage multiplied by an average corporate income tax rate of 22 percent equals $1.32tn in taxes not realised because of reduced income related to damages or costs incurred.

Interestingly, the total budget of the five largest western economies is $12.3tn, while their combined budget deficit is $1.23tn.

Is it worth keeping cyber weapons? Given these numbers, the answer must be no.

Serious vulnerability discovered in D-Link routers

UPDATE: patch available for users on D-Link support pages

In November 2018, Greenbone discovered a serious security vulnerability in D-Link routers and brought it to the company’s attention. The vulnerability is easy to exploit and allows unauthorised access to the router and the network behind it. A patch is now available from the vendor. Greenbone has been offering its customers a Network Vulnerability Test (NVT) for it as part of its daily security feed since the end of last year.

Routers are pivotal to both home and business networks. They provide the Internet connection for laptops and PCs, and also for smart-home and industrial applications. But even though so many components of a network converge here, router security is not always adequate. For example, last year researchers at the American Consumer Institute found known vulnerabilities in 83 percent of the routers they examined. Attackers can use such vulnerabilities to gain access to the device itself and therefore to the entire network. In total, the researchers counted more than 30,000 separate vulnerabilities, 7 percent of which represented a critical risk and 21 percent a high risk.

Design errors make the DWR and DAP models vulnerable to attack

In addition to the already known vulnerabilities in routers, new ones are found on a near-constant basis. In November 2018, Greenbone security researchers found a serious vulnerability in various D-Link routers, particularly the DWR and DAP models. Classed as an unauthenticated remote code execution, it allows an attacker to run commands on the router without any authentication; in the case of these D-Link devices, the attacker even obtains full administrative rights. It is very likely that NIST (the National Institute of Standards and Technology) will assign the highest possible CVSS (Common Vulnerability Scoring System) rating of 10.0.

The cause is most likely a design flaw. On the devices we tested, we found an executable called “EXCU_SHELL” that can be invoked from a web browser with a plain HTTP GET request. It is responsible for a few useful (and harmless) operations, such as displaying information about the installed firmware. But by adjusting some of its request parameters, it is possible to inject arbitrary commands that the router then executes.
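The page does not name the parameters involved, so the following is an added illustration of the general command-injection pattern rather than D-Link’s code: a CGI-style handler that splices a percent-decoded query value into a shell command string, beside a hardened version that maps the request to a fixed argv and validates the only free parameter against a strict allowlist. The ‘action’ and ‘iface’ parameters and the commands behind them are hypothetical, and the sample queries are constructed. Both handlers return what would be executed instead of executing it.

```python
"""Command injection through a CGI-style request handler: the vulnerable
form beside a hardened form.  Parameter names ('action', 'iface') and the
commands behind them are assumed for illustration.  Nothing is executed;
each handler returns what a system()/subprocess call would receive."""
import re
from urllib.parse import parse_qs

# Sub-commands the handler is meant to expose, as fixed argv lists (assumed).
ALLOWED_ACTIONS = {
    "fwversion": ["cat", "/etc/fwversion"],
    "ifstat": ["ifconfig"],
}
# Linux interface names: at most 15 chars, no whitespace or shell metacharacters.
IFACE_RE = re.compile(r"[A-Za-z0-9._-]{1,15}")

# Constructed sample requests: one benign, one carrying a percent-encoded ';',
# one asking for an action the handler never meant to expose.
SAMPLE_QUERIES = [
    "action=ifstat&iface=eth0",
    "action=ifstat&iface=eth0%3Bcat%20/etc/shadow",
    "action=reboot",
]


def vulnerable_command(query_string: str) -> str:
    """Vulnerable pattern: percent-decode the query and splice the value
    into a shell command string.  Any shell metacharacter in 'iface'
    (';', '|', '`', '$(' ...) becomes part of the command line, and a
    blocklist applied to the raw URL would never see '%3B' as ';'."""
    params = parse_qs(query_string, keep_blank_values=True)
    action = params.get("action", [""])[0]
    iface = params.get("iface", [""])[0]
    if action == "fwversion":
        return "cat /etc/fwversion"
    if action == "ifstat":
        return f"ifconfig {iface}"          # shell string with untrusted text
    return "true"


def hardened_command(query_string: str) -> list:
    """Hardened pattern: the action selects a fixed argv, the only free
    parameter is validated against a strict allowlist pattern, and the
    result is an argv list for subprocess.run(argv) with shell=False, so no
    shell ever parses attacker-controlled text.  Raises ValueError otherwise."""
    params = parse_qs(query_string, keep_blank_values=True)
    action = params.get("action", [""])[0]
    if action not in ALLOWED_ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    argv = list(ALLOWED_ACTIONS[action])
    if action == "ifstat":
        iface = params.get("iface", [""])[0]
        if not IFACE_RE.fullmatch(iface):
            raise ValueError(f"rejected interface name {iface!r}")
        argv.append(iface)                  # validated single argv element
    return argv


def compare(query_string: str) -> tuple:
    """(what the vulnerable handler would run, what the hardened one decides)."""
    try:
        safe = hardened_command(query_string)
    except ValueError as exc:
        safe = f"rejected: {exc}"
    return vulnerable_command(query_string), safe


if __name__ == "__main__":
    for q in SAMPLE_QUERIES:
        print(q, "->", compare(q))
```

The point to take from the second sample query is that the ‘;’ arrives percent-encoded as ‘%3B’, so a filter applied to the raw URL never sees it; the decoding happens in parse_qs before the value reaches the shell string. The hardened form sidesteps the problem entirely by never handing attacker-controlled text to a shell.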

Access to routers without authentication possible

D-Link is one of the top vendors in the global wireless router market and was the market leader in 2017, with a market share of 24.1 percent.

But it is not just the potential number of affected customers that makes this vulnerability significant. According to the CVSS base score calculator, the severity is high and the flaw is relatively easy to exploit. “EXCU_SHELL” is not password-protected, so an attacker can reach the router, and the network behind it, without any authentication. Once the router is compromised, all incoming and outgoing Internet traffic can be viewed, modified and redirected, and the attacker may go on to spread malware into the network.

In smart-home and IoT deployments, such vulnerabilities can cause considerable damage. They open a door into critical infrastructures such as healthcare facilities or energy suppliers.

D-Link publishes security update on March 19, 2019

Greenbone reported the vulnerability to D-Link last November. The manufacturer was responsive throughout the process and asked us to handle the CVE request. The D-Link website now provides information for customers, and a patch has been made available.

More than 90 days have now passed since the vulnerability was reported; the disclosure deadline expired on 11 February 2019. In accordance with responsible disclosure, we have therefore published all available information to protect users. For Greenbone customers, the gap has been visible via the daily security feed since November 2018.

Manufacturers must act

Given the sheer number of security vulnerabilities in routers, closing the D-Link gap is certainly just a drop in the ocean. While the number of vulnerabilities is intimidating, burying your head in the sand is not an option. The focus must be on persuading (or, in some cases, forcing) as many manufacturers as possible to secure their routers.