Greenbone AG

Greenbone 2024 Review: A Very Good Year with Growth Everywhere

Also in its 16th year, the Osnabrück-based expert and market leader in Open Source Vulnerability Management has kept growing, both in employees, customers, partners and last not least on this blog.

After doubling our workforce over the last two years, we at Greenbone are looking proudly at 143 employees, most of them work remotely. This growth brought about many new contributions, and of course many company events, unique development talks and a people lead concept with cross feedback as a major step forward in developing leadership culture. Inspired by happiness surveys, Greenbone will keep on growing and is a great employer. Have you applied yet?

Greenbone Threat Report

So, it’s no wonder that also this blog benefited from the growth and introduced a successful new format: Every month, we are now presenting with the Threat Report a monthly deep dive into the news and atrocities of vulnerability management, mitigation and new threats on the radar of our customers (and anybody interested in security). We started this series in March 2024 and have published 10 thorough blog reports so far. Find all of them here, and the last update here.

Endangered: Ivanti, Fortinet, Exchange, Confluence…

Apart from that, we could report on several crucial vulnerabilities. From Juniper and Ivanti to Fortinet, from problems in Microsoft Exchange and Sharepoint to Atlassians knowledge management Confluence: our experts provided helpful insights for nearly all customers.

Of course our blog reported on CrowdStrike and how it only took 62 minutes for a security provider to become a massive threat. We wrote about the never-ending dangers from Chinese hackers, DOS attacks, automated mass attacks, severe SSH key problems and featured in-depth analysis and papers, for example on the costs of cyber attacks.

Growing challenges: cyber threats and new legislation

In five blog posts we explained threat levels and specific vulnerability risks in branches affected hard by common vulnerabilities: For example, SMEs are investing more in security, Helsinki schools have been attacked and of course public administration networks are under special threat, as is practically anything in health care – says the BSI (Bundesamt für Sicherheit in der Informationstechnik), the German Federal Office for Information Security. Especially the latter two branches, not only among our customers, will also have benefited from the many posts we published on regulations – like CSAF (Common Security Advisory Framework) and the many updates on the slowly ongoing and interrupted (in Germany) progress of NIS2 (Network and Information Security).

All-year Topic NIS2

The NIS Directive in its second edition was a topic that has been and will be on the watchlist of Greenbone and our customers. Since the European Union decided on the second „Directive on Security of Network and Information Systems“ NIS, many member states have applied regulations that clarify how companies have to implement it. Only in Germany that took a little longer and – due to the fall of the government late in the year – has not been finished. Nevertheless, all the information and plans are available, there’s even a test from the BSI that allows you to check whether your networks are affected and need immediate action.

Greenbone Goes Green: ISO 14001

We wrote about sustainability and the great success Greenbone made with achieving the ISO 14001 certificate. Our CMO Elmar Geese shared his thoughts on the future of clouds and the breaking of their hype cycle. He also took part in a panel on artificial intelligence, and our products now integrate additional BSI basic and CIS guidelines to protect your office software.

New Products: Major Release 24.10, Greenbone Basic, Feed-Updates

But 2024 brought also many updates and news on our products: Greenbone’s vulnerability management got several improvements and updates, with a new video to explain vulnerability management in 12 minutes. In July, our new scan engine Notus received Support for Amazon’s Red-Hat-Linux variant dominating Amazon Web Services. Later in 2024 Greenbone both announced a new major version of its Enterprise Appliance (24.10) and a completely new product targeted at small and medium size businesses called “Greenbone Basic”. Ready to try?

But maybe you want to read about how Greenbone leads the competition of vulnerability scanners in our benchmark or find out what your Key Performance Indicators for vulnerability management products are.

Congresses and Events: Our Highlights of the Year 

If you want to meet us, you’ll find a growing amount of opportunities … worldwide, also showed in our blog: we also reported almost live from the other side of the globe, where Greenbone had a presence at the Singapore International Cyber Week. This conference was not only one of the major IT security events in Asia, but also one in a long list of business fairs that Greenbone attended: Public IT Security (PITS) in Berlin, the it-sa in Nuremberg or the Potsdam Conference for National Security are just a few to name.

Thank You and Happy Holidays!

So, obviously, also our 16th year was a good one, “a very good year” and thus we would like to take this opportunity to thank all customers, partners and the community again: Without your help none of this would be possible.

Thank you, happy holidays and a happy new year!

Contact Test Now Buy Here Back to Overview

/by
Joseph Lee

November 2024 Threat Report: Vulnerability Management is Becoming Crucial

The world may be entering into a new phase of cyber, and a new technological paradigm. So-called “industry leading” or “enterprise grade” software is perpetually shown to be vulnerable with new critical vulnerabilities exposed and evidence of active exploitation on a weekly basis. Fancy new features keep us engaged but, considering the risk of fast-moving technologies, it’s important to work with organizations that keep things simple, stick to their core competencies and do things right.

In this November 2024’s edition of the Greenbone vulnerability report, we examine some recently released reports from the BSI and CISA to see what government cybersecurity agencies make of the current threat environment, then we follow up with news of the most pressing and actively exploited vulnerabilities in this month. Considering the high degree of risk presented by the current landscape of cybersecurity threats, it’s important to prioritize the fundamentals of IT security – and software design – to avoid building operations on a proverbial house of cards.

BSI Releases Its Annual IT Security Summary for 2024

Policy in the EU continues to rapidly evolve in response to increasing cyber risk. Cybersecurity for all requires cross-border cooperation on many levels. According to the 2024 summary report, the German Federal Office for Information Security (BSI) is focused on harmonizing national specifications with cybersecurity best practices while considering the economic and technical feasibility of new measures. Referred to as the “Europeanisation of Cybersecurity”, European standardisation and Germany’s collaboration with the three European Standardisation Organisations CEN, CENELEC and ETSI promote a risk-based approach to enforcing security best practices among critical infrastructure and providers of virtually all digital products.

Regarding the Cyber Resilience Act (CRA), each member state will have authority to remove non-compliant products from the market and penalise offending vendors. “Important products” (Class I), such as password managers and routers, must follow harmonised European standards (hEN). Regarding NIS2, the BSI received 726 reports representing 141 incidents from critical infrastructure facilities so far in 2024. This includes sectors like healthcare, energy, water, food, IT and telecommunications, financial and insurance services, among others.

The BSI also observed an overall increase in new malware variants and 256% increase in malware exploiting Windows. Reading the full report relays trends in attacker behaviors such as an increase in Bring Your Own Vulnerable Driver (BYOVD) attacks capable of disabling EDR security products. There were also ongoing efforts to sinkhole botnets that contribute to mass exploitation attacks at scale, and the continuing fragmentation of cybercrime activities into initial access brokering and second stage ransomware groups.

How do these observations pertain to Greenbone and vulnerability management in general? While effective vulnerability management and compliance auditing are only one piece of the enterprise cybersecurity puzzle, closing known security gaps and regularly attesting strong security configurations is a critical core competency that all organizations need to master.

CISA’s Most Exploited Vulnerabilities of 2023 Are Revealing

The 2023 Top Routinely Exploited Vulnerabilities report from the Cybersecurity & Infrastructure Security Agency (CISA) observed an increase in exploited zero-day vulnerabilities compared to 2022 and their use in attacks on high-priority targets. Other than zero-days, the report lists the top 47 CVEs (Common Vulnerabilities and Exposures) exploited by attackers. Networking (40%) and productivity software (34%) make up the vast majority of highly targeted CVEs. There is also a strong trend in the type of software flaws most exploited. Mishandling untrusted input accounts for 38% of the most attacked software flaws, while improper authentication and authorization make up 34%. Sadly, considerations for securing these flaws are elementary, covered in application design 101. Also, 90% of the top exploited vulnerabilities in the report are in closed source proprietary products indicating that cyber criminals are not hindered by reverse engineering barriers.

While the EU is motivated to improve security via legal requirements, CISA continues its plea for software vendors to employ Secure by Design principles during development stages. They also suggest that more pay-to-hack bug bounty programs could incentivize ethical security researchers.

Multiple Critical Flaws in Palo Alto Products Attacked

On November 8, 2024, Palo Alto Networks issued a security advisory revealing a zero-day remote code execution (RCE) vulnerability affecting its PAN-OS operating system. The advisory was soon updated after evidence of active exploitation emerged. Here is a summary of new vulnerabilities in Palo Alto products disclosed in November 2024.

  • CVE-2024-0012 (CVSS 9.8 High): An authentication bypass in PAN-OS allows unauthenticated access to administrator privileges. Attackers may perform administrative actions, tamper with the configuration, or exploit other authenticated privilege escalation vulnerabilities like CVE-2024-9474.
  • CVE-2024-9474 (CVSS 7.2 High): A privilege escalation vulnerability in PAN-OS software allows PAN-OS administrators to perform actions on the firewall with root privileges.
  • CVE-2024-9463 (CVSS 7.5 High): An OS command injection vulnerability in Expedition allows an unauthenticated attacker to run arbitrary OS commands as root. This allows unauthorized disclosure of usernames, cleartext passwords, device configurations and device API keys of PAN-OS firewalls.
  • CVE-2024-9465 (CVSS 9.1 High): SQL injection could allow an unauthenticated attacker to reveal Expedition database contents, such as password hashes, usernames, device configurations and device API keys, or create and read arbitrary files on the Expedition system.
  • CVE-2024-5910 (CVSS 9.8 High): Missing authentication for a critical function in Expedition can lead to admin account takeover remotely and expose configuration secrets, credentials and other data.

Greenbone is able to detect all new CVEs published in Palo Alto devices in November 2024. Ideally, ensure networking management interfaces are not accessible via the public Internet and for best practices, use firewall configuration to prevent access from unauthorized internal network endpoints.

US Critical Telecom Infrastructure Breached

The recent breaches involving major US telecom providers serves as a stark warning to all organizations operating complex IT infrastructure at scale. Blame has been laid on Chinese backed hacking groups who reportedly used the access to intercepted U.S. political officials’ calls, SMS text-messages and intercepted mobile metadata. According to Adam Meyers, vice president of intelligence at CrowdStrike, by compromising the telecoms directly, threat actors circumvent the need for breaching the individual networks of their targets. Considering the sheer number of critical vulnerabilities in products from US networking vendors such as Palo Alto Networks, Oracle, Cisco, Citrix, Ivanti, Broadcom, Microsoft and Fortinet more intensive application security testing would greatly reduce the risk to their core customers – US companies at home and abroad, and other large global firms.

Liminal Panda, Salt Typhoon, Volt Typhoon and others are known to attack “shadow IT” – legacy mobile protocols that IT administrators are not aware is still active or actively monitoring. Sophisticated, highly skilled APT actors are highly adaptable and have the resources to develop malware for virtually any known vulnerability that is exploitable, as well as actively develop zero-day exploits yet unknown.

5 Privilege Escalation Flaws Found in Ubuntu’s Needrestart

A flaw in Ubuntu’s Needrestart feature could allow an unprivileged local attacker to execute shell commands as root user. The new CVEs impact all versions of Needrestart going back to 2014. Needrestart determines whether any processes need to be restarted after systemwide packages are updated to avoid a full reboot and is invoked by the apt package manager. The vulnerability is caused when untrusted data such as environment variables are passed unsanitized to the Module::ScanDeps library which executes as root. These user-level environment variables can also influence Python and Ruby interpreters during Needrestart’s execution.

The vulnerabilities can be mitigated by updating Needstart to a patched version or by disabling the interpreter scanning feature by setting $nrconf{interpscan} = 0 in the needrestart.conf configuration file. Greenbone includes detection for all CVEs related to Needrestart feature [1][2][3].

Here is a brief description the newly disclosed CVEs:

  • CVE-2024-11003 (CVSS 7.8 High): Unsanitized data passed to the Module::ScanDeps library could allow a local attacker to execute arbitrary shell commands.
  • CVE-2024-10224 (CVSS 5.3): Unsanitized input passed to the Module::ScanDepscan library allows execution of arbitrary shell commands by opening a “pesky pipe” (such as passing “commands|” as a filename) or by passing arbitrary strings to eval().
  • CVE-2024-48990 (CVSS 7.8 High): Allows local attackers to execute arbitrary code as root by tricking Needrestart into running the Python interpreter via the PYTHONPATH environment variable.
  • CVE-2024-48991 (CVSS 7.8 High): Allows local attackers to execute arbitrary code as root by winning a race condition and pointing Needrestart to a fake Python interpreter instead of the system’s real Python interpreter.
  • CVE-2024-48992 (CVSS 7.8 High): Allows local attackers to execute arbitrary code as root by tricking needrestart into running the Ruby interpreter via the RUBYLIB environment variable.

Is Third Time the Charm for VMware vCenter Critical RCE Flaws?

VMware has been grappling with the challenge of effectively patching critical vulnerabilities in its vCenter server products. Broadcom, which owns VMware, initially released patches in September for two significant vulnerabilities in vCenter, CVE-2024-38812 (CVSS 9.8 High) classified as a heap-overflow vulnerability in the implementation of the DCERPC protocol, and CVE-2024-38813 (CVSS 9.8 High) which offers privilege escalation via ​​specially crafted network packets.

However, these initial patches were insufficient, prompting a second round of patches in October. Despite these efforts, it was confirmed in November that the CVEs were still vulnerable and had been exploited in the wild. vCenter is a prime target for attackers due to its widespread use, and the situation highlights ongoing security challenges. VMware users should apply patches promptly. When CVEs such as these in VMware vCenter are updated with new information, Greenbone’s team of security analysts reviews the changes and updates our vulnerability tests accordingly.

Helldown Ransomware Exploiting Zyxel and Its Customers

In November 2024, a Linux variant of the Helldown ransomware payload was discovered. Helldown is known to exploit the IPSec VPN of Zyxel devices via CVE-2024-42057 (CVSS 8.1 High) for initial access. After gaining a foothold, Helldown steals any accessible credentials and creates new users and VPN tunnels to maintain persistence. The new variant targets VMware ESXi virtual machines to exfiltrate their data and encrypt them. This technique is shared by other ransomware groups such as the Play gang.

The Helldown ransomware group is considered an emerging threat, claiming over 30 victims since August, including the maker of Zyxel products themselves. Zyxel has issued an article acknowledging the attacks with mitigation instructions and Truesec has published known Helldown TTP (Tactics Techniques and Procedures) from their response efforts. Greenbone is able to detect all vulnerabilities known to be associated with Helldown ransomware attacks including CVE-2024-42057 in Zyxel products [1][2][3] as well as known software vulnerabilities used by other ransomware threat actors to gain initial access, escalate privileges and move laterally to high value targets within the victim’s network.

Summary

From EU policy advancements to CISA’s insights on exploited vulnerabilities: the critical need for better software development practices, effective vulnerability management and defense in depth is evident. November’s events, such as Palo Alto’s zero-days, Ubuntu’s Needrestart flaws and VMware vCenter’s ongoing challenges, emphasize the importance of timely monitoring and patching of critical infrastructure. Emerging threats like Helldown ransomware reinforce the need for proactive defense strategies. Greenbone continues to support organizations by detecting critical vulnerabilities, providing actionable insights and advocating for a security-first approach with fundamental IT security best practices.

Contact Test Now Buy Here Back to Overview

/by
Markus Feilner

BSI: More Vulnerability Reports from Healthcare

There are health data attractive to attackers in hospitals, doctors’ offices, laboratories and consumers’ devices. The latest security report from the German BSI shows that stealing these data is increasingly becoming a main target of attackers and attacks.

For several years now, the “Network and Information Security Directive“ (NIS) and the KRITIS legislation has required German institutions in eleven sectors to apply stronger and more precise security measures, including reporting obligations, risk analyses and resilience plans. And this is already having its impact on the healthcare sector: according to a recent BSI study, the healthcare sector ranks second in terms of the number of reported data leaks in 2024 – showing clear evidence that now is the time to act.

Almost Every Fifth Incident Report from the Healthcare Sector

Of the 726 reports received by the BSI last year, a quarter came from the transport and traffic sector, while almost 20 % originated in the healthcare sector. Close behind: Energy (18.8 %), Finance and Insurance with 16.5 %, ranking fourth. The threat level is high, especially for hospitals and facilities – even if the reported figures should be treated with caution. Whether banks, for example, are just as motivated to report intrusions and failures as much as hospitals are, seems debatable.

On the other hand, the fact that healthcare data is only ranked eighth in the list of leaked data in the BSI report should not detract from the threat itself. For one thing, the leaked data are sorted according to frequency, and almost every more frequently leaked information also occurs in other contexts (possibly with the exception of social security numbers). However, payment data, names and addresses are information that is likely to be much more attractive to attackers than “naked” health data.

Provisions of the KRITIS Umbrella Law

Meanwhile, the cabinet of the German government launched the KRITIS umbrella law just before the end of the existing coalition. At the beginning of November, the details of the law were agreed, which is intended to act as a kind of protective umbrella over various sectors as an analogous complement to NIS2. It is not yet clear when the Bundestag will pass the law, but chances are high that it will.

According to these plans, the healthcare sector must also introduce operational resilience management, which includes setting up operational risk and crisis management, carrying out risk analyses and assessments, drawing up resilience plans and implementing suitable measures (technical, personnel and organizational) – all measured and organized with the help of Business Continuity Management Systems (BCMS) and Information Security Management Systems (ISMS).

BCMS and ISMS implementations are measured on the basis of maturity levels ( from 1 to 5; the higher, the better). In the BSI report mentioned above, their implementation in the healthcare sector is still mixed, as everywhere. Healthcare institutions are in the middle of the pack, most have implemented ISMS and BCMS, but only a few regularly check them for effectiveness or even improve them.

In the case of the mandatory systems for attack detection, most players have already started implementation and implemented the mandatory (Must) requirements, but only a small proportion have also established target (Should) requirements. Only a few have implemented a continuous improvement process.

Specific Threats in the Healthcare Sector

The same rules and experiences apply to hospitals, doctors’ surgeries and other institutions: For them, the IT security magazine CSO online reports 81 % more ransomware attacks in recent years, with over 91 percent of “malware-related security breaches” in 2024 involving ransomware. According to CSO, only “multi-factor authentication and detection and response technologies”, such as those offered by Greenbone with its vulnerability management, can protect against this. Clouds are not immune to this either: 53 % of administrators in the healthcare sector told CSO that they had “experienced a cloud-related data breach in the last year”. Furthermore, attackers are increasingly targeting websites, botnets, phishing campaigns, and the growing number of vulnerable IoT devices, both in the consumer sector and at the network edge.

Contact Test Now Buy Here Back to Overview

/by
Elmar Geese

Is the Cloud Sliding into the Valley of Disillusionment?

“The Future of the enterprise is private”: This was announced by none other than Broadcom CEO Hock Tan in a blog post. Broadcom, in particular, has so far tried to push the many VMware customers into the cloud with a very aggressive pricing policy. Now it seems they want to stop doing that. Virtualization on-premises – and with it, to some extent, a return to the private cloud – is back in fashion. This change at Broadcom was triggered by customer feedback, which makes it particularly interesting.

Technology users want to master the three Cs: complexity, costs and control. Every solution scenario must face this – in particular, this also applies to cloud offerings. If the dependency on a proprietary product offering is significantly greater than with an open source product anyway, this applies even more to a cloud offering. 

Complexity

Especially if the corresponding offers do not follow open standards, which is usually the case, the portability of solutions is difficult. As a result, hyperscalers increasingly see themselves as “Platform as a Service” providers rather than as “Infrastructure as a Service” providers. Those who succumb to the lure of technically sophisticated components are left at the mercy of the provider’s pricing model. More and more companies are realizing this and are therefore opting for greater sovereignty.

Costs

Cloud infrastructures are becoming increasingly complex, and anyone who has seen how the costs of containerization and “clustering” skyrocket increasingly wants simpler virtualization. In critical applications, such as security solutions, hardware is still in demand. 

Control

The strongest argument, however, is probably “control”. It combines costs and complexity and adds another important aspect. Dependency and control are mutually exclusive. Every organization using technology must retain at least as much control as it takes responsibility for security and availability. If it also wants to use its freedom of action, it needs independence. 

The challenge for IT managers is increasingly to find the balance between using self-made solutions and ready-made services. While there has been a clear trend towards the latter in recent years, we are now seeing the first indicators that this trend is weakening. Above all, moving everything into clouds does not appear to be a solution.

Perspectives

Surprisingly, the rapidly growing Artificial Intelligence (AI) sector shows how it can be done without clouds. More and more companies and organizations are asking themselves whether they really need the large language model and whether its use justifies the associated data drain. This may not be critical in an advertising agency, but in security-relevant industries, data sovereignty is more and more becoming an issue.

As a result, there is growing demand in the military sector, for example, for mobile AI solutions that require significantly fewer resources. AI on edge devices is not the solution for everything, but it often can be. Private clouds are also a good alternative to ChatGPT & Co. On-premises is becoming an increasingly prominent topic even in the hyped area of AI, because data sovereignty and transparency play a special role there. The development of ever more efficient models is also contributing to the move out of the cloud. In addition to the aspects of cost, control and complexity, these models have another major advantage: they require significantly less energy. Perhaps a “green AI” will be the next hype. 

Contact Test Now Buy Here Back to Overview

/by
Dirk Boeing

Innovation Meets Resonance: Greenbone Successful at SICW

The Singapore International Cyber Week (SICW) is one of the most important cybersecurity events worldwide. We were able to present our solutions to an international audience – and recieved great interest, inspiring discussions and valuable feedback. Three successful days in Singapore and an important step in strengthening our international presence!

Since its launch, SICW has been bringing together leading companies, start-ups, government organizations and security authorities from around the world every year. The aim is to share knowledge, promote partnerships and present innovative solutions that meet the growing challenges in the field of cybersecurity. The event, organized by the Cyber Security Agency of Singapore (CSA), was launched in 2016 and has been held annually in Singapore ever since.

This year, Greenbone had the honor of being present at SICW as a technology partner of Huawei. During three exciting days, we presented our Enterprise Appliances to an international audience and were thrilled by the response.

Great Interest in Greenbone Solutions

We were overwhelmed by the positive feedback from visitors to our solutions – for us a strong signal that our cybersecurity solutions are also very important for the Asian market. In numerous discussions, we repeatedly noticed how great the interest is in a vulnerability scanner with excellent feed that focuses on the essentials while also allowing connection to other systems via its API.

VIP Visitors and Inspiring Talks

We were particularly pleased to welcome prominent personalities to our booth. A real highlight was the visit of John Tan, Commissioner of Cybersecurity and Chief Executive of the Cybersecurity Agency of Singapore. His interest and the numerous discussions with potential customers and partners have encouraged us to further expand our presence in Asia.

Not entirely unexpected star of our appearance was “the Beast”, our company logo as a plush toy. It put a smile on the faces of many visitors to our stand and often served as a friendly icebreaker, facilitating lively and valuable discussions. 

Conclusion: Momentum for the Future

SICW was a great success for Greenbone. We were not only able to present our solutions to a broad audience, but also establish valuable connections and noticeably increase interest in the Asian market. The great popularity and high demand for our “Beast” shows that our brand is also very well received emotionally – and we look forward to continuing to build on this momentum.

Contact Test Now Buy Here Back to Overview

/by
Greenbone AG

Major Release: Greenbone Enterprise Appliance 24.10 with Hot New Features

We’re excited to announce the coming release of Greenbone Enterprise Appliance (GEA) version 24.10, with new front-end features to enhance your vulnerability management activities, and performance enhancing back-end features. Our GEA product line includes a wide range of enterprise vulnerability management solutions including dedicated hardware appliances and virtual machine (VM) configurations suitable for enterprises of all sizes.

This newest release of GEA reflects Greenbone’s commitment empowering fundamental cybersecurity best practices, allowing organizations to close security gaps before threat actors can exploit them. With improved performance, enhanced scanning capabilities, and refined user experience, GEA 24.10 offers a robust solution for proactive, comprehensive cybersecurity. In this post, we’ll delve into the latest features and improvements that make GEA 24.10 a vital upgrade for enterprise exposure management and cybersecurity compliance.

What’s New in GEA Version 24.10?

From a high-level vantage, the Greenbone Security Assistant (GSA) web-interface has a totally new look. GSA is the IT administrator’s doorway into security visibility, and GEA 24.10 features a modern minimalist look and feel, emphasizing utility and keeping Greenbone’s capabilities within reach. But the new look is just scratching the surface. Let’s review some deeper changes on the horizon.

The New Compliance Audit Report View

Cybersecurity compliance is increasingly important. New regulations across the EU such as Digital Operational Resilience Act (DORA), Network and Information Security Directive 2 (NIS2)  and the Cyber Resilience Act (CRA) require organizations to take more actions. Other forces such as cybersecurity insurance and the need for stronger third party oversight are impacting how companies oversee their cybersecurity operations.

GEA 24.10 includes a brand new compliance-focused view designed to enhance insight into regulatory and policy alignment. The new compliance view allows greater visibility into cybersecurity risks, supporting alignment with IT governance goals. It hosts compliance audit reports, new dashboard displays and filtering options. This helps keep compliance-focused data distinct from regular scan reports. Delta audit reports also highlight compliance progress with visual indicators and tooltips for easy identification.

EPSS Support Adds AI-Based Prioritization

As the number of CVEs (Common Vulnerabilities and Exposures) continues to increase, prioritizing vulnerabilities to focus on the most high-impact threats is critical. The Exploit Prediction Scoring System (EPSS) is an AI-driven metric that estimates the likelihood of a vulnerability being exploited in the wild using historical data to predict which new CVEs are highest risk.

EPSS data is now integrated into GEA 24.10 directly, bringing current exploitation probabilities for every currently active CVE into the Greenbone platform. This enables administrators to leverage up-to-date exploit probability scores and percentiles, in addition to the traditional CVSS Common Vulnerability Scoring System) severity, empowering them to focus on vulnerabilities that are most likely to be actively targeted by attackers.

More Adaptable CSV and JSON Report Exporting Capabilities

Greenbone’s approach has always centered on simplicity and flexibility, making it easy to fit unique organizational needs. With GEA 24.10, we’ve introduced JSON formatted report exporting capabilities. Users can also customize the fields to be included in exported CSV or JSON reports. Reports can now be configured to match requirements more precisely, to focus on what’s essential for analysis, compliance, or decision-making.

Additional Backend Optimizations

To enhance the flexibility and accuracy of vulnerability matching, GEA 24.10 introduces several backend optimizations focused on CPE (Common Platform Enumeration) handling and feed management. Here is a look at what’s new:

  • The GEA 24.10 backend can convert CPEv2.3 strings to CPEv2.2 URIs, storing both versions for more reliable affected product matching. Future development may include advanced, on-the-fly matching, bringing even more precision to vulnerability assessments.
  • GEA now supports JSON-based CVE, CPE, EPSS and CERT feeds and gzip data compression.

Summary

With the coming release of GEA 24.10, Greenbone takes its leading vulnerability management solution to the next level. Get ready for a modernized, user-friendly GSA web interface and a compliance-focused audit report view that brings even greater transparency. Enhanced CSV and JSON export features give you complete control over your report data. New to this version: AI-based EPSS for intelligent vulnerability risk prioritization. Powerful backend optimizations also ensure seamless compatibility with new CPE formats and JSON-based feeds. With these new features, Greenbone offers a robust, flexible solution that empowers organizations to stay proactive against threats and strengthen their cybersecurity strategy.

Webinar on the Major Release

Find out everything you need to know about the new release 24.10. in the webinar. In just 30 minutes, our experts will show you how to keep an even better eye on security requirements with the new functions. Experience the next generation of IT security with Greenbone!

Dates:
Tuesday, November 26, 2024, 9:00 AM – 9:30 AM CET
Tuesday, November 26, 2024, 4:00 PM – 4:30 PM CET

Register now

Contact Test Now Buy Here Back to Overview

/by
Joseph Lee

Understanding CSAF 2.0 Stakeholders and Roles

The Common Security Advisory Framework (CSAF) is a framework for providing machine-readable security advisories following a standardized process to enable automated cybersecurity information sharing. Greenbone is continously working on the integration of technologies that leverage the CSAF 2.0 standard for automated cybersecurity advisories. For an introduction to CSAF 2.0 and how it supports next-generation vulnerability management, you can refer to our previous blog post.

In 2024, the NIST National Vulnerabilities Database (NVD) outage has disrupted the flow of critical cybersecurity intelligence to downstream consumers. This makes the decentralized CSAF 2.0 model increasingly relevant. The outage highlights the need for a decentralized cybersecurity intelligence framework for increased resilience against a single point of failure. Those who adopt CSAF 2.0, will be one step closer to a more reliable cybersecurity intelligence ecosystem.

Table of Contents

1. What We Will Cover in this Article
2. Who Are the CSAF Stakeholders?
2.1. Understanding Roles in the CSAF 2.0 Process
2.1.1. CSAF 2.0 Issuing Parties
2.1.1.1. Understanding the CSAF Publisher Role
2.1.1.2. Understanding the CSAF Provider Role
2.1.1.3. Understanding the CSAF Trusted-Provider Role
2.1.2. CSAF 2.0 Data Aggregators
2.1.2.1. Understanding the CSAF Lister Role
2.1.2.2. Understanding the CSAF Aggregator Role
3. Summary

1. What We Will Cover in this Article

This article will provide a detailed explanation of the various stakeholders and roles defined in the CSAF 2.0 specification. These roles govern the mechanisms of creating, disseminating and consuming security advisories within the CSAF 2.0 ecosystem. By understanding who the stakeholders of CSAF are and the standardized roles defined by the CSAF 2.0 framework, security practitioners can better realize how CSAF works, whether it can serve to benefit their organization and how to implement CSAF 2.0.

2. Who Are the CSAF Stakeholders?

At the highest level, the CSAF process has two primary stakeholder groups: upstream producers who create and supply cybersecurity advisories in the CSAF 2.0 document format and downstream consumers (end-users) who consume the advisories and apply the security information they contain.

Upstream producers are typically software product vendors (such as Cisco, Red Hat and Oracle) who are responsible for maintaining the security of their digital products and providing publicly available information about vulnerabilities. Upstream stakeholders also include independent security researchers and public entities that act as a source for cybersecurity intelligence such as the US Cybersecurity Intelligence and Security Agency (CISA) and the German Federal Office for Information Security (BSI).

Downstream consumers consist of private corporations who manage their own cybersecurity and Managed Security Service Providers (MSSPs), third-party entities that provide outsourced cybersecurity monitoring and management. The information contained in CSAF 2.0 documents is used downstream by IT security teams to identify vulnerabilities in their infrastructure and plan remediation and by C-level executives for assessing how IT risk could negatively impact operations.

The basic flow CSAF 2.0 cybersecurity advisories from upstream producers to downstream consumers

The CSAF 2.0 standard defines specific roles for upstream producers that outline their participation in creating and disseminating advisory documents. Let’s examine those officially defined roles in more detail.

2.1. Understanding Roles in the CSAF 2.0 Process

CSAF 2.0 Roles are defined in Section 7.2. They are divided into two distinct groups: Issuing Parties (“Issuers”) and Data Aggregators (“Aggregators”). Issuers are directly involved in the creation of advisory documents. Aggregators collect those documents and distribute them to end-users, supporting automation for consumers. A single organization may fulfill the roles of both an Issuer and an Aggregator, however, these functions should operate as separate entities.  Obviously, organizations who act as upstream producers must also maintain their own cybersecurity. Therefore, they may also be a downstream consumer – ingesting CSAF 2.0 documents to support their own vulnerability management activities.

A high-level diagram showing the relationship between Issuing Parties and Data Aggregators

Next, let’s break down the specific responsibilities for CSAF 2.0 Issuing Parties and Data Aggregators.

2.1.1. CSAF 2.0 Issuing Parties

Issuing Parties are the origin of CSAF 2.0 cybersecurity advisories. However, Issuing Parties are not responsible for transmitting the documents to end-users. Issuing Parties are responsible for indicating if they do not want their advisories to be listed or mirrored by Data Aggregators. Also, CSAF 2.0 Issuing Parties can also act as Data Aggregators.

Here are explanations of each sub-role within the Issuing Parties group:

2.1.1.1. Understanding the CSAF Publisher Role

Publishers are typically organizations that discover and communicate advisories only on behalf of its own digital products. Publishers must satisfy requirements 1 to 4 in Section 7.1 of the CSAF 2.0 specification. This means issuing structured files with valid syntax and content that adhere to the CSAF 2.0 filename conventions described in Section 5.1 and ensuring that files are only available via encrypted TLS connections. Publishers must also make all advisories classified as TLP:WHITE publicly accessible.

Publishers must also have a publicly available provider-metadata.json document containing basic information about the organization, its CSAF 2.0 role status, and links to an OpenPGP public key used to digitally sign the provider-metadata.json document to verify its integrity. This information about the Publisher is used downstream by software apps that display the publisher’s advisories to end-users.

2.1.1.2. Understanding the CSAF Provider Role

Providers make CSAF 2.0 documents available to the broader community. In addition to meeting all the same requirements as a Publisher, a Provider must provide its provider-metadata.json file according to a standardized method (at least one of the requirements 8 to 10 from Section 7.1), employ standardized distribution for its advisories, and implement technical controls to restrict access to any advisory documents with a TLP:AMBER or TLP:RED status.

Providers must also choose to distribute documents in either a directory-based or the ROLIE-based method. Simply put, directory-based distribution makes advisory documents available in a normal directory path structure, while ROLIE (Resource-Oriented Lightweight Information Exchange) [RFC-8322] is a RESTful API protocol designed specifically for security automation, information publication, discovery and sharing.

If a Provider uses the ROLIE-based distribution, it must also satisfy requirements 15 to 17 from Section 7.1. Alternatively, if a Provider uses the directory-based distribution it must satisfy requirements 11 to 14 from Section 7.1.

2.1.1.3. Understanding the CSAF Trusted-Provider Role

Trusted-Providers are a special class of CSAF Providers who have established a high level of trust and reliability. They must adhere to stringent security and quality standards to ensure the integrity of the CSAF documents they issue.

In addition to meeting all the requirements of a CSAF Provider, Trusted-Providers must also satisfy the requirements 18 to 20 from Section 7.1 of the CSAF 2.0 specification. These requirements include providing a secure cryptographic hash and OpenPGP signature file for each CSAF document issued and ensuring the public part of the OpenPGP signing key is made publicly available.

2.1.2. CSAF 2.0 Data Aggregators

Data Aggregators focus on the collection and redistribution of CSAF documents. They act as a directory for CSAF 2.0 Issuers and their advisory documents and intermediary between Issuers and end-users. A single entity may act as both a CSAF Lister and Aggregator. Data Aggregators may choose which upstream Publishers’ advisories to list or collect and redistribute based on their customer’s needs.

Here are explanations of each sub-role in the Data Aggregator group:

2.1.2.1. Understanding the CSAF Lister Role

Listers gather CSAF documents from multiple CSAF Publishers and list them in a centralized location to facilitate retrieval. The purpose of a Lister is to act as a sort of directory for CSAF 2.0 advisories by consolidating URLs where CSAF documents can be accessed. No Lister is assumed to provide a complete set of all CSAF documents.

Listers must publish a valid aggregator.json file that lists at least two separate CSAF Provider entities and while a Lister may also act as an Issuing Party, it may not list mirrors pointing to a domain under its own control.

2.1.2.2. Understanding the CSAF Aggregator Role

The CSAF Aggregator role represents the final waypoint between published CSAF 2.0 advisory documents and the end-user. Aggregators provide a location where CSAF documents can be retrieved by an automated tool. Although Aggregators act as a consolidated source of cybersecurity advisories, comparable to NIST NVD or The MITRE Corporation’s CVE.org, CSAF 2.0 is a decentralized model as opposed to a centralized model. Aggregators are not required to offer a comprehensive list of CSAF documents from all Publishers. Also, Publishers may provide free access to their CSAF advisory feed, or operate as a paid service.

Similarly to Listers, Aggregators must make an aggregator.json file available publicly and CSAF documents from each mirrored Issuer must be placed in a separate dedicated folder along with the Issuer’s provider-metadata.json. Essentially, Aggregators must satisfy the requirements 1 to 6 and 21 to 23 from Section 7.1 of the CSAF 2.0 specification.

CSAF Aggregators are also responsible for ensuring that each mirrored CSAF document has a valid signature (requirement 19) and a secure cryptographic hash (requirement 18). If the Issuing Party does not provide these files, the Aggregator must generate them.

3. Summary

Understanding CSAF 2.0 stakeholders and roles is essential for ensuring proper implementation of CSAF 2.0 and to benefit from automated collection and consumption of critical cybersecurity information. The CSAF 2.0 specification defines two main stakeholder groups: upstream producers, responsible for creating cybersecurity advisories, and downstream consumers, who apply this information to enhance security. Roles within CSAF 2.0 include Issuing Parties, such as Publishers, Providers, and Trusted-Providers to who generate and distribute advisories, and Data Aggregators, like Listers and Aggregators, who collect and disseminate these advisories to end-users.

Members of each role must adhere to specific security controls that support the secure transmission of CSAF 2.0 documents, and the Traffic Light Protocol (TLP) governs how documents are authorized to be shared and the required access controls.

Contact Test Now Buy Here Back to Overview

/by
Joseph Lee

October 2024 Threat Report: Ransomware Rising Defenders Must Respond

October was European Cyber Security Month (ECSM) and International Cybersecurity Awareness month with the latter’s theme being “Secure Our World”. It’s safe to say that instilling best practices for online safety to individuals, businesses and critical infrastructure is mission critical in 2024. At Greenbone, in addition to our Enterprise vulnerability management products, we are happy to make enterprise grade IT security tools more accessible via our free Community Edition, Community Portal and vibrant Community Forum to discuss development, features and get support.

Our core message to cybersecurity decision makers is clear: To patch or not to patch isn’t a question. How to identify vulnerabilities and misconfigurations before an attacker can exploit them is. Being proactive is imperative; once identified, vulnerabilities must be prioritized and fixed. While alerts to active exploitation can support prioritization, waiting to act is unacceptable in high risk scenarios. Key performance indicators can help security teams and executive decision makers track progress quantitatively and highlight areas that need improvement.

In this month’s Threat Tracking blog post, we will review this year’s ransomware landscape including the root causes of ransomware attacks and replay some of the top cyber threats that emerged in October 2024.

International Efforts to Combat Ransomware Continue

The International Counter Ransomware Initiative (CRI), consisting of 68 countries and organizations (notably lacking Russia and China), convened in Washington, D.C., to improve ransomware resilience globally. The CRI aims to reduce global ransomware payments, improve incident reporting frameworks, strengthen partnerships with the cyber insurance industry to lessen the impact of ransomware incidents, and enhance resilience by establishing standards and best practices for both preventing and recovering from ransomware attacks.

Microsoft’s Digital Defense Report 2024 found the rate of attacks has increased so far in 2024, yet fewer breaches are reaching the encryption phase. The result is fewer victims paying ransom overall. Findings from Coveware, Kaseya, and the Chainanalysis blockchain monitoring firm also affirm lower rates of payout. Still, ransomware gangs are seeing record profits; more than 459 million US-Dollar were extorted during the first half of 2024. This year also saw a new single incident high; a 75 million US-Dollar extortion payout amid a trend towards “big game hunting” – targeting large firms rather than small and medium sized enterprises (SMEs).

What Is the Root Cause of Ransomware?

How are successful ransomware attacks succeeding in the first place? Root cause analyses can help: A 2024 Statista survey of organizations worldwide reports exploited software vulnerabilities are the leading root cause of successful ransomware attacks, implicated in 32% of successful attacks. The same survey ranked credential compromise the second-most common cause and malicious email (malspam and phishing attacks) third. Security experts from Symantec claim that exploitation of known vulnerabilities in public facing applications has become the primary initial access vector in ransomware attacks. Likewise, KnowBe4, a security awareness provider, ranked social engineering and unpatched software as the top root causes of ransomware.

These findings bring us back to our core message and highlight the importance of Greenbone’s industry leading core competency: helping defenders identify vulnerabilities lurking in their IT infrastructure so they can fix and close exploitable security gaps.

FortiJump: an Actively Exploited CVE in FortiManager

In late October 2024, Fortinet alerted its customers to a critical severity RCE vulnerability in FortiManager, the company’s flagship network security management solution. Dubbed “FortiJump” and tracked as CVE-2024-47575 (CVSS 9.8), the vulnerability is classified as “Missing Authentication for Critical Function” [CWE-306] in FortiManager’s fgfm daemon. Google’s Mandiant has retroactively searched logs and confirmed this vulnerability has been actively exploited since June 2024 and describes the situation as a mass exploitation scenario.

Another actively exploited vulnerability in Fortinet products, CVE-2024-23113 (CVSS 9.8) was also added to CISA’s KEV catalog during October. This time the culprit is an externally-controlled format string in FortiOS that could allow an attacker to execute unauthorized commands via specially crafted packets.

Greenbone is able to detect devices vulnerable to FortiJump, FortiOS devices susceptible to CVE-2024-23113 [1][2][3], and over 600 other flaws in Fortinet products.

Iranian Cyber Actors Serving Ransomware Threats

The FBI, CISA, NSA and other US and international security agencies issued a joint advisory warning of an ongoing Iranian-backed campaign targeting critical infrastructure networks particularly in healthcare, government, IT, engineering and energy sectors. Associated threat groups are attributed with ransomware attacks that primarily gain initial access by exploiting public facing services [T1190] such as VPNs. Other techniques used in the campaign include brute force attacks [T1110], password spraying [T1110.003], and MFA fatigue attacks.

The campaign is associated with exploitation of the following CVEs:

Greenbone can detect all CVEs referenced in the campaign advisories, providing defenders with visibility and the opportunity to mitigate risk. Furthermore, while not tracked as a CVE, preventing brute force and password spraying attacks is cybersecurity 101. While many authentication services do not natively offer brute force protection, add-on security products can be configured to impose a lockout time after repeated login failures. Greenbone can attest compliance with CIS security controls for Microsoft RDP including those that prevent brute-force and password spraying login attacks.

Finally, according to the EU’s Cyber Resilience Act’s (CRA), Annex I, Part I (2)(d), products with digital elements must “ensure protection from unauthorized access by appropriate control mechanisms”, including systems for authentication, identity and access management, and should also report any instances of unauthorized access. This implies that going forward the EU will eventually require all products to have built-in brute force protection rather than relying on third-party rate limiting tools such as fail2ban for Linux.

Unencrypted Cookies in F5 BIG-IP LTM Actively Exploited

CISA has observed that cyber threat actors are exploiting unencrypted persistent cookies on F5 BIG-IP Local Traffic Manager (LTM) systems. Once stolen, the cookies are used to identify other internal network devices which can further allow passive detection of vulnerabilities within a network. Similar to most web-applications, BIG-IP passes an  HTTP cookie between the client and server to track user sessions. The cookie, by default, is named BIGipServer<pool_name> and its value contains the encoded IP address and port of the destination server.

F5 BIG-IP is a network traffic management suite and LTM is the core module that provides load balancing and traffic distribution across servers. CISA advises organizations to ensure persistent cookies are encrypted. F5 offers guidance for setting up cookie encryption and a diagnostic tool, BIG-IP iHealth to detect unencrypted cookie persistence profiles.

While active exploitation increases the threat to organizations who have not remediated this weakness, the vulnerability has been known since early 2018.  Greenbone has included detection for this weakness since January 2018, allowing users to identify and close the security gap presented by unencrypted cookies in F5 BIG-IP LTM since its disclosure.

New High Risk Vulnerabilities in Palo Alto Expedition

Several new high risk vulnerabilities have been disclosed in Palo Alto’s Expedition, a migration tool designed to streamline the transition from third-party security configurations to Palo Alto’s PAN-OS. While not observed in active campaigns yet, two of the nine total CVEs assigned to Palo Alto in October were rated with EPSS scores in the top 98th percentile.  EPSS (Exploit Prediction Scoring System) is a machine learning prediction model that estimates the likelihood of a CVE being exploited in the wild within 30 days from the model prediction.

Here is a brief technical description of each CVE:

  • CVE-2024-9463 (CVSS 7.5, EPSS 91.34%): An OS command injection vulnerability in Palo Alto’s Expedition allows an unauthenticated attacker to run arbitrary OS commands as root in Expedition, resulting in disclosure of usernames, cleartext passwords, device configurations and device API keys of PAN-OS firewalls.
  • CVE-2024-9465 (CVSS 9.1, EPSS 73.86%): An SQL injection vulnerability in Palo Alto Networks Expedition allows an unauthenticated attacker to reveal sensitive database contents, such as password hashes, usernames, device configurations and device API keys. Once this information has been obtained, attackers can create and read arbitrary files on affected systems.

Four Critical CVEs in Mozilla Firefox: One Actively Exploited

As mentioned before on our Threat Tracking blog, browser security is critical for preventing initial access, especially for workstation devices. In October 2024, seven new critical severity and 19 other less critical vulnerabilities were disclosed in Mozilla Firefox < 131.0 and Thunderbird < 131.0.1. One of these, CVE-2024-9680, was observed being actively exploited against Tor network users and added to CISA’s known exploited catalog. Greenbone includes vulnerability tests to identify all affected Mozilla products.

The seven new critical severity disclosures are:

  • CVE-2024-9680 (CVSS 9.8): Attackers achieved unauthorized RCE in the content process by exploiting a Use-After-Free in Animation timelines. CVE-2024-9680 is being exploited in the wild.
  • CVE-2024-10468 (CVSS 9.8): Potential race conditions in IndexedDB allows memory corruption, leading to a potentially exploitable crash.
  • CVE-2024-9392 (CVSS 9.8): A compromised content process enables arbitrary loading of cross-origin pages.
  • CVE-2024-10467, CVE-2024-9401 and CVE-2024-9402 (CVSS 9.8): Memory safety bugs present in Firefox showed evidence of memory corruption. Security researchers presume that with enough effort some of these could have been exploited to run arbitrary code.
  • CVE-2024-10004 (CVSS 9.1): Opening an external link to an HTTP website when Firefox iOS was previously closed and had an HTTPS tab open could result in the padlock icon showing an HTTPS indicator incorrectly.

Summary

Our monthly Threat Tracking blog covers major cybersecurity trends and high-risk threats. Key insights for October 2024 include expanded efforts to counter ransomware internationally and the role proactive vulnerability management plays in preventing successful ransomware attacks. Other highlights include Fortinet and Palo Alto vulnerabilities actively exploited and updates on an Iranian-backed cyber attack campaign targeting public-facing services of critical infrastructure sector entities. Additionally, F5 BIG-IP LTM’s unencrypted cookie vulnerability, exploited for reconnaissance, and four new Mozilla Firefox vulnerabilities, one actively weaponized, underscore the need for vigilance.

Greenbone facilitates identification and remediation of these vulnerabilities and more, helping organizations enhance resilience against evolving cyber threats. Prioritizing rapid detection and timely patching remains crucial for mitigating risk.

Contact Test Now Buy Here Back to Overview

/by
Greenbone AG

Stop the Standstill: how Greenbone Helps Protect Against DoS Attacks

A DoS attack (Denial of Service) can mean a complete standstill: an important service fails, an application no longer responds or access to one’s own system is blocked. DoS attacks have a clear, destructive goal: to paralyze digital resources, preventing access to the legitimate users. The consequences of a DoS attack can be drastic: from downtime and business interruptions to financial losses and significant risks for the entire organization.

For several years, DoS attacks have been on the rise and have significantly impacted business, critical infrastructure and healthcare services. DoS attacks are also being leveraged in sophisticated cyber military campaigns and to extort victims into paying a ransom. What lies behind these attacks and how can you protect yourself?

Widening the Threat Landscape

With unauthorized access attackers may impose DoS by simply shutting down a system [T1529]. Otherwise, application logic flaws can allow a remote attacker to crash the system, or they may flood it with network traffic to exhaust its resources. Blocking account access [T1531], destroying data [T1485], or deploying ransomware [T1486] can further hinder system recovery [T1490] or distract defenders while other attacks take place. At the same time, disabled critical services increase vulnerability to further cyber attacks; if a virus scanner is stopped, malware can enter the network unimpeded; if backup services are down, full recovery from ransomware may be impossible.

DoS Attacks Often Leverage Known Weaknesses

DoS attacks often exploit weaknesses in network protocol specifications, improper protocol implementations, faulty logic in software applications, or misconfigurations. Some software flaws that could allow DoS attacks include:

  • Uncontrolled resource consumption
  • Buffer overflows
  • Memory leaks
  • Improper error handling
  • Asymmetric resource consumption (amplification)
  • Failure to release a resource after use

When vulnerabilities such as these are discovered, vendors rush to issue patches. However, only users who install them are protected. By scanning network and host attack surfaces, IT security teams can be alerted to DoS and other types of vulnerabilities. Once alerted, defenders can act by applying updates or adjusting vulnerable configurations.

Types of DoS Attacks

DoS attacks may employ a variety of different techniques, such as flooding networks with excessive traffic, exploiting software vulnerabilities, or manipulating application-level functions. Understanding how DoS attacks work and their potential impact is crucial for organizations to develop comprehensive defense strategies and minimize the risk of such disruptions.

The main categories of DoS attacks include:

  • Volume Based DoS Attacks: Volume-based DoS attacks overwhelm the target’s network bandwidth or compute resources such as CPU and RAM with high volumes of traffic, rendering the network unable to fulfill its legitimate purpose.
  • Application and Protocol DoS Attacks: These attacks target vulnerabilities within software applications or network protocols, which may reside at any layer of the protocol stack. Attackers exploit flaws in a protocol specification, flawed application logic, or system configurations to destabilize or crash the target.
  • Amplification DoS Attacks: Amplification attacks exploit specific protocols that generate a response larger than the initial request. Attackers send small queries to the target which responds with large packets. This tactic significantly amplifies the impact to the victim as high as 100 times the initial request size.
  • Reflection DoS Attacks: The attacker sends a request to a service, but replaces the source IP address with the victim’s IP. The server then sends its response to the victim, “reflecting” the attacker’s forged requests. Reflection attacks typically rely on UDP (User Datagram Protocol) due to its connectionless nature. Unlike TCP, UDP-based services do not automatically verify the source IP address of data they receive.
  • Distributed DoS Attacks (DDoS): DDoS attacks leverage large groups of compromised devices (often called a botnet) to send overwhelming amounts of traffic to a target. Botnets consist of hacked web servers or SOHO (Small Office, Home Office) routers from all over the world and are controlled centrally by the threat actor. The distributed nature of DDoS attacks make them much harder to mitigate, as the malicious traffic comes from many different IP addresses. This makes it difficult to distinguish legitimate users and infeasible to block the botnet’s large number of unique IP addresses.

Using Greenbone Against System Breakdown

Government cybersecurity agencies from all NATO countries such as Germany, the US, and Canada urge vulnerability management as a top priority for defending against DoS attacks.  By scanning for known vulnerabilities, Greenbone helps close the door to DoS attacks and can identify when human error contributes to the problem by detecting known misconfigurations and CIS benchmark controls. Greenbone also updates its vulnerability tests daily to include detection for the latest vulnerabilities that can allow successful DoS attacks.

Greenbone includes the Denial of Service category of vulnerability tests and other test families also include DoS identification such as: database DoS tests, web application DoS tests, web server DoS tests, Windows DoS tests [1][2] and product specific DoS detection for many enterprise networking products such as Cisco, F5, Juniper Networks, Palo Alto and more. Using Greenbone to scan your networks and endpoints, you have access to over 4,900 tests capable of identifying exploitable DoS flaws.

Also, when Greenbone’s “Safe Checks” protection for a scan configuration is disabled, our scanner will conduct active attacks such as amplification DoS attacks. Since these tests present higher risk such as increased likelihood of service disruption, the Safe Checks feature is enabled by default, meaning this extended set of invasive scans are not conducted unless specifically configured to do so.

While no known cybersecurity mitigation can guarantee protection against all DoS attacks such as high volume DDoS attacks, the proactive identification and mitigation of known flaws removes the “low-hanging fruit” presented by exploitable services. By removing known vulnerabilities from its IT infrastructure, an organization can avoid becoming part of the problem as well – since hijacked IT assets are often used by attackers to conduct DDoS attacks against others.

Summary

Denial of Service (DoS) attacks aim to disrupt the availability of IT systems by overwhelming them with traffic or by exploiting known software vulnerabilities. Greenbone’s comprehensive vulnerability assessment solutions can identify potential entry points for DoS attacks, enabling organizations to strengthen their defenses and minimize their risk. By proactively managing vulnerabilities and employing continuous monitoring, Greenbone helps organizations to detect and mitigate the impact of potentially destructive DoS attacks.

Contact Test Now Buy Here Back to Overview

/by
Greenbone AG

Understanding Mass Exploitation Attacks

If an organization has high value, you can bet that bad actors are contemplating how to exploit its IT weaknesses for financial gain. Ransomware attacks are the apex threat in this regard, rendering a victim’s data unusable, extorting them for a decryption key. Highly targeted organizations need to understand exactly where their risk lies and ensure that critical assets are exceptionally well protected. However, all organizations with IT infrastructure – even small ones – benefit from assessing their attack surface and mitigating vulnerabilities.

Mass Exploitation attacks are automated campaigns continuously scanning the public Internet looking for easy victims. These campaigns are carried out by bots, executing automated cyber attacks at scale. CloudFlare claims that only 7% of the Internet traffic is malicious bots, while other reports claim malicious bots account for as much as 32% of all Internet activity. Once breached, attackers misuse these compromised assets for malicious activities.

What Happens to Assets Compromised in Mass Exploitation Campaigns?

Once an attacker gains control of a victim’s IT infrastructure, they assess the value of their newly acquired spoils and determine how to best capitalize. The dark web is an underground ecosystem of cybercrime services with its own economy of supply and demand for illicit deeds. Within this ecosystem, Initial Access Brokers (IAB) sell unauthorized access to Ransomware as a Service (RaaS) groups who specialize in ransomware execution; encrypting a victim’s files and extorting them. Mass Exploitation is one way that these IABs gain a foothold.

Compromised assets with lower extortion value may become part of the IAB’s “zombie botnet”; co-opted to continuously scan the Internet for vulnerable systems to compromise. Otherwise, hijacked systems may be used to send malspam and phishing emails, infected with crypto-mining malware, or become an inconspicuous host for command-and-control (C2) infrastructure to support more targeted attack campaigns.

How Mass Exploitation Works

By exploring Mass Exploitation through the lens of the MITRE ATT&CK framework’s tactics, techniques and procedures (TTP) defenders can better understand attacker behavior. If you are not familiar with MITRE ATT&CK, now is a good time to review the MITRE ATT&CK Enterprise Matrix, since it will serve as a reference point for how attackers operate.

Mass exploitation targets large numbers of systems with sophisticated tools that can scan many IP addresses and automatically execute cyber attacks when vulnerabilities are found. These attacks aim to exploit vulnerabilities in software that is commonly exposed to the public Internet, especially software used to host websites and access webservers remotely.

Here’s how Mass Exploitation works:

  • Reconnaissance [TA0043]: Attackers collect sources of vulnerability information such as NIST NVD where CVEs are published with severity scores and reports that include technical details. Attackers also discover sources of exploit code such as exploit-db, GitHub, or other sources such as dark web marketplaces. Alternatively, attackers may develop their own malicious exploits.
  • Weaponization [TA0042]: Attackers build cyber weapons designed to automatically identify and exploit vulnerabilities [T1190] without the need for human interaction.
  • Active Scanning [T1595]: Attackers conduct active scans of the public Internet at scale to discover listening services and their versions [T1595.002]. This process is similar to how cyber defenders conduct vulnerability scans of their own infrastructure, except instead of fixing identified vulnerabilities, attackers plan strategies to exploit them.
  • Attack Deployment and Exploitation: Once an active vulnerability has been found, automated tools attempt to exploit them to control the victim’s system remotely [TA0011] or cause Denial of Service (DoS) [T1499]. A variety of software weaknesses may be involved such as: exploiting default account credentials [CWE-1392], SQL injection [CWE-89], buffer overflows [CWE-119], unauthorized file uploads [CWE-434] or otherwise broken access controls [CWE-284].
  • Assessment and Action on Objectives [TA0040]: Post-compromised, the attacker decides how to best impact the victim for their own gain. Attackers may decide to conduct further reconnaissance, attempting to move laterally to other connected systems in the network [TA0008], steal data from the victim [TA0010], deploy ransomware [T1486] or sell the initial access to other cyber criminals with specialized skills [T1650].

How to Defend Against Mass Exploitation

Defending against Mass Exploitation attacks requires a proactive approach that addresses potential vulnerabilities before they can be exploited. Organizations should adopt fundamental IT security best practices including regular assessments, continuous monitoring, and timely remediation of identified weaknesses.

Here are some key security measures to defend against Mass Exploitation:

  • Build an IT asset inventory: Building a comprehensive inventory of all hardware, software, and network devices within your organization ensures no systems are overlooked during risk and vulnerability assessments and patch management.
  • Conduct a risk assessment: Prioritize assets based on their importance to business operations and determine how preventative efforts should be focused. Regular risk assessments help ensure that the most critical threats are addressed, reducing the chances of a high impact breach.
  • Scan all assets regularly and fix identified vulnerabilities: Perform regular vulnerability scans on all IT assets, especially those exposed to the public internet and with a high risk context. Promptly apply patches or alternative mitigation measures to prevent exploitation. Track and measure vulnerability management progress in a quantified way.
  • Remove unused services and applications: Unused software presents additional attack surface, which may offer attackers an opportunity to exploit vulnerabilities. By minimizing the number of active services and installed applications, potential entry points for attackers are limited.
  • Education and training: Education is important to promote IT security awareness within an organization’s culture. Awareness training also goes a long way towards preventing malspam and phishing attacks from impacting an organization.
  • Employ Anti-Malware solutions: Malware is often distributed through automated malspam and phishing campaigns at scale. Ensure all systems have up-to-date anti-virus software and implement spam filtering to detect and quarantine malicious files.
  • Enforce strong authentication policies: Credential stuffing attacks are often automated components of Mass Exploitation campaigns. By following password best practices, such as using strong randomly generated passwords and not reusing passwords between accounts there is less risk posed by stolen passwords. Implementing password rotation policies, multi-factor authentication (MFA), and using password managers also strengthen password security.
  • Use firewalls and IPS: Firewalls and Intrusion Prevention Systems (IPS) can block malicious traffic by using rules or patterns. Configure rulesets as strictly as possible to block unnecessary inbound traffic from scanning sensitive services. Regularly review and update firewall and IPS configurations to account for current threats.

Summary

Mass Exploitation refers to automated cyber attack campaigns that use bots to scan the public Internet for vulnerable systems. These attacks target a wide range of victims, exploiting known vulnerabilities in software that is commonly exposed to the internet. Once compromised, attackers use the breached systems for various malicious purposes, including launching ransomware attacks, selling access to other criminal groups or further extending botnets. Mass exploitation is a major threat as it allows attackers to operate at scale with minimal effort.

To defend against Mass Exploitation, organizations must implement proactive security measures such as regular vulnerability scanning, timely patch management, strong access controls and network monitoring. Additionally, ensuring that staff have adequate security training can help reduce the risk of becoming a victim of Mass Exploitation campaigns.

Contact Test Now Buy Here Back to Overview

/by