Tag Archive for: cybersecurity

Joseph Lee

Patch Now! Cleo Products Actively Exploited in Ransomware Attacks

An actively exploited RCE (Remote Code Execution) with system privileges vulnerability that does not require user-interaction is as bad as it gets from a technical standpoint. When that CVE impacts software widely used by Fortune 500 companies, it is a ticking time bomb. And when advanced persistent threat actors jump on a software vulnerability such as this, remediation needs to become an emergency response effort. Most recently, CVE-2024-50623 (also now tracked as CVE-2024-55956) affecting more than 4,200 users of Cleo’s MFT (Managed File Transfer) software met all these prerequisites for disaster. It has been implicated in active ransomware campaigns affecting several Fortune 500 companies taking center stage in cybersecurity news.

In this cybersecurity alert, we provide a timeline of events related to CVE-2024-50623 and CVE-2024-55956 and associated ransomware campaigns. Even if you are not using an affected product, this will give you valuable insight into the vulnerability lifecycle and the risks of third-party software supply chains. 

CVE-2024-50623 and CVE-2024-55956: a Timeline of Events

The vulnerability lifecycle is complex. You can review our previous article about next-gen vulnerability management for an in depth explanation on how this process happens. In this report, we will provide a timeline for the disclosure and resolution of CVE-2024-50623 and subsequently CVE-2024-55956 as a failed patch attempt from the software vendor Cleo was uncovered and exploited by ransomware operators. Our Greenbone Enterprise Feed includes detection modules for both CVEs [1][2], allowing organizations to identify vulnerable systems and apply emergency remediation. Here is a timeline of events so far:

  • October 28, 2024: CVE-2024-50623 (CVSS 10 Critical) affecting several Cleo MFT products was published by the vendor and a patched version 5.8.0.21 was
  • November 2024: CVE-2024-50623 was exploited for data exfiltration impacting at least 10 organizations globally including Blue Yonder, a supply chain management service used by Fortune 500 companies.
  • December 3, 2024: Security researchers at Huntress identified active exploitation of CVE-2024-50623 capable of bypassing the original patch (version 5.8.0.21).
  • December 8, 2024: Huntress observed a significant uptick in the rate of exploitation. This could be explained by the exploit code being sold in a Malware as a Service cyber crime business model or simply that the attackers had finished reconnaissance and launched a widespread campaign for maximum impact.
  • December 9, 2024: Active exploitation and proof-of-concept (PoC) exploit code was reported to the software vendor Cleo.
  • December 10, 2024: Cleo released a statement acknowledging the exploitability of their products despite security patches and issued additional mitigation guidance.
  • December 11, 2024: Wachtowr Labs released a detailed technical report describing how CVE-2024-50623 allows RCE via Arbitrary File Write [CWE-434]. Cleo updated their mitigation guidance and released a subsequent patch (version 5.8.0.24).
  • December 13, 2024: A new name, CVE-2024-55956 (CVSS 10 Critical), was issued for tracking this ongoing vulnerability, and CISA added the flaw to its Known Exploited Vulnerabilities (KEV) catalog, flagged for use in ransomware attacks.

Cleo Products Leveraged in Ransomware Attacks

The risk to global business posed by CVE-2024-50623 and CVE-2024-55956 is high. These two CVEs potentially impact more than 4,200 customers of Cleo LexiCom, a desktop-based client for communication with major trading networks, Cleo VLTrader, a server-level solution tailored for mid-enterprise organizations, and Cleo Harmony for large enterprises.

The CVEs have been used as initial access vectors in a recent ransomware campaign. The Termite ransomware operation [1][2] has been implicated in the exploitation of Blue Yonder, a Panasonic subsidiary in November 2024. Blue Yonder is a supply chain management platform used by large tech companies including Microsoft, Lenovo, and Western Digital, and roughly 3,000 other global enterprises across many industries; Bayer, DHL, and 7-Eleven to name a few. Downtime of Blue Yonder’s hosted service caused payroll disruptions for StarBucks. The Clop ransomware group has also claimed responsibility for recent successful ransomware attacks.

In the second stage of some breaches, attackers conducted Active Directory domain enumeration [DS0026], installed web-shells [T1505.003] for persistence [TA0003], and attempted to exfiltrate data [TA0010] from the victim’s network after gaining initial access via RCE. An in-depth technical description of the Termite ransomware’s architecture is also available.

Mitigating CVE-2024-50623 and CVE-2024-55956

Instances of Cleo products version 5.8.0.21 are still vulnerable to cyber attacks. The most recent patch, version 5.8.0.24 is required to mitigate exploitation. All users are urged to apply updates with urgency. Additional mitigation and best practices include disabling the autorun functionality in Cleo products, removing access from the Internet or using firewall rules to restrict access to only authorized IP addresses, and blocking the IP addresses of endpoints implicated in the attacks.

Summary

Cleo Harmony, VLTrader, and LexiCom prior to version 5.8.0.24 are under active exploitation due to critical RCE vulnerabilities (CVE-2024-50623 and CVE-2024-55956). These flaws have been the entry point for successful ransomware attacks against at least 10 organizations and impacting Fortune 500 companies. Greenbone provides detection for affected products and affected users are urged to apply patches and implement mitigation strategies, as attackers will certainly continue to leverage these exploits.

Contact Test Now Buy Here Back to Overview

/by
Greenbone AG

Greenbone Audits CIS Google Chrome Benchmarks

Web browsers are a primary gateway to business and consequently they are also a primary gateway for cyber attacks. Malware targeting browsers could gain direct unauthorized access to a target’s network and data or social engineer victims into providing sensitive information that gives the attacker unauthorized access, such as account credentials. In 2024, major browsers (Chrome, Firefox, and Safari) accounted for 59 Critical severity (CVSS3 ³ 9) and 256 High severity (CVSS3 between 7.0 and 8.9) vulnerabilities. 10 CVEs (Common Vulnerabilities and Exposures) in the trifecta were added to the KEV (Known Exploited Vulnerabilities) catalog of CISA (Cybersecurity & Infrastructure Security Agency). Browser security should therefore be top-of-mind for security teams.

In light of this, we are proud to announce the addition of CIS Google Chrome Benchmark v3.0.0 Level 1 auditing to our list of compliance capabilities. This latest feature allows our Enterprise feed subscribers to verify their Google Chrome configurations against the industry-leading CIS compliance framework of the CIS (Center for Internet Security). The new Google Chrome benchmark tests will sit among our other CIS controls in critical cybersecurity areas such as Apache, IIS, NGINX, MongoDB, Oracle, PostgreSQL, Windows and Linux [1] [2].

CIS Google Chrome Benchmark for Windows

The CIS Google Chrome Benchmark v3.0.0 Level 1 is now available in the Greenbone Enterprise Feed. It establishes a hardened configuration for the Chrome browser. For Windows, implementing the controls involves setting Windows registry keys to define Chrome’s security configuration. Continuous attestation is important because if modified at the user level Chrome becomes more vulnerable to data-leakage, social engineering attacks or other attack vectors.

Our Enterprise vulnerability feed uses compliance policies to run tests on target endpoints, verifying each requirement in the CIS benchmark through one or more dedicated vulnerability tests. These tests are grouped into scan configurations which can be used to create scan tasks that access groups of target systems to verify their security posture. When aligning with internal risk requirements or mandatory government policies, Greenbone has you covered.

The Importance of Browser Security

Much of the critical information flowing through the average organization is transmitted through the browser. The rise of a remote workforce and cloud-based web-applications means that web browsers are a primary interface for business activities. Not surprisingly, in the past few years, Internet browsers have been a hotbed for exploitation. National cybersecurity agencies such Germany’s BSI [3] [4], CISA [5] [6], and the Canadian Centre for Cyber Security [7] have all released advisories for addressing the risks posed by Internet browsers.

Browsers can be exploited via technical vulnerabilities and misconfigurations that could lead to remote code execution, theft of sensitive data and account takeover, but are also a conduit for social engineering attacks. Browser security must be addressed by implementing a hardened security profile and continuously attesting it and by regularly applying updates to combat any recently discovered vulnerabilities. Greenbone is able to detect known vulnerabilities for published CVEs in all major browsers and now with our latest CIS Google Chrome Benchmark certification, we can attest industry standard browser compliance.

How Does the CIS Google Chrome Benchmark Improve Browser Security?

Every CIS Benchmark is developed through a consensus review process that involves a global community of subject matter experts from diverse fields such as consulting, software development, auditing, compliance, security research, operations, government, and legal. This collaborative process is meant to ensure that the benchmarks are practical and data-driven and reflect real-world expertise. As such, CIS Benchmarks serve as a vital part of a robust cybersecurity program.

In general, CIS Benchmarks focus on secure technical configuration settings and should be used alongside essential cyber hygiene practices, such as monitoring and promptly patching vulnerabilities in operating systems, applications and libraries.

The CIS Google Chrome Benchmark defines security controls such as:

  • No domains can bypass scanning for dangerous resources such as phishing content and malware.
  • Strict verification of SSL/TLS certificates issued by websites.
  • Reducing Chrome’s overall attack surface by ensuring the latest updates are automatically applied periodically.
  • Chrome is configured to detect DNS interception which could potentially allow DNS hijacking.
  • Chrome and extensions cannot interact with other third party software.
  • Websites and browser extensions cannot abuse connections with media, the local file system or external devices such as Bluetooth, USB or media casting devices.
  • Only extensions from the Google Chrome Web Store can be installed.
  • All processes forked from the main Chrome process are stopped once the Chrome application has been closed.
  • SafeSites content filtering blocks links to adult content from search results.
  • Prevent importing insecure data such as auto-fill form data, default homepage or other configuration settings.
  • Ensuring that critical warnings cannot be suppressed.

Greenbone Is a CIS Consortium Member

As a member of the CIS consortium, Greenbone continues to enhance its CIS Benchmark scan configurations. All our CIS Benchmarks policies are aligned with CIS hardening guidelines and certified by CIS, ensuring maximum security for system audits. Also, Greenbone has added a new compliance view to the Greenbone Security Assistant (GSA) web-interface, streamlining the process for organizations seeking to remove security gaps from their infrastructure to prevent security breaches.

Summary

CIS Controls are critical for safeguarding systems and data by providing clear, actionable guidance on secure configurations. The CIS Google Chrome Benchmark is especially vital at the enterprise level, where browsers impact many forms of sensitive data. It’s exciting to announce that Greenbone is expanding the industry leading vulnerability detection capabilities with a new compliance scan: the CIS Google Chrome Benchmark v3.0.0 Level 1. With this certification, Greenbone continues to strengthen its position as a trusted ally in proactive cybersecurity. This latest feature reflects our dedication to advancing IT security and protecting against evolving cyber threats.

Contact Test Now Buy Here Back to Overview

/by
Greenbone AG

Greenbone 2024 Review: A Very Good Year with Growth Everywhere

Also in its 16th year, the Osnabrück-based expert and market leader in Open Source Vulnerability Management has kept growing, both in employees, customers, partners and last not least on this blog.

After doubling our workforce over the last two years, we at Greenbone are looking proudly at 143 employees, most of them work remotely. This growth brought about many new contributions, and of course many company events, unique development talks and a people lead concept with cross feedback as a major step forward in developing leadership culture. Inspired by happiness surveys, Greenbone will keep on growing and is a great employer. Have you applied yet?

Greenbone Threat Report

So, it’s no wonder that also this blog benefited from the growth and introduced a successful new format: Every month, we are now presenting with the Threat Report a monthly deep dive into the news and atrocities of vulnerability management, mitigation and new threats on the radar of our customers (and anybody interested in security). We started this series in March 2024 and have published 10 thorough blog reports so far. Find all of them here, and the last update here.

Endangered: Ivanti, Fortinet, Exchange, Confluence…

Apart from that, we could report on several crucial vulnerabilities. From Juniper and Ivanti to Fortinet, from problems in Microsoft Exchange and Sharepoint to Atlassians knowledge management Confluence: our experts provided helpful insights for nearly all customers.

Of course our blog reported on CrowdStrike and how it only took 62 minutes for a security provider to become a massive threat. We wrote about the never-ending dangers from Chinese hackers, DOS attacks, automated mass attacks, severe SSH key problems and featured in-depth analysis and papers, for example on the costs of cyber attacks.

Growing challenges: cyber threats and new legislation

In five blog posts we explained threat levels and specific vulnerability risks in branches affected hard by common vulnerabilities: For example, SMEs are investing more in security, Helsinki schools have been attacked and of course public administration networks are under special threat, as is practically anything in health care – says the BSI (Bundesamt für Sicherheit in der Informationstechnik), the German Federal Office for Information Security. Especially the latter two branches, not only among our customers, will also have benefited from the many posts we published on regulations – like CSAF (Common Security Advisory Framework) and the many updates on the slowly ongoing and interrupted (in Germany) progress of NIS2 (Network and Information Security).

All-year Topic NIS2

The NIS Directive in its second edition was a topic that has been and will be on the watchlist of Greenbone and our customers. Since the European Union decided on the second „Directive on Security of Network and Information Systems“ NIS, many member states have applied regulations that clarify how companies have to implement it. Only in Germany that took a little longer and – due to the fall of the government late in the year – has not been finished. Nevertheless, all the information and plans are available, there’s even a test from the BSI that allows you to check whether your networks are affected and need immediate action.

Greenbone Goes Green: ISO 14001

We wrote about sustainability and the great success Greenbone made with achieving the ISO 14001 certificate. Our CMO Elmar Geese shared his thoughts on the future of clouds and the breaking of their hype cycle. He also took part in a panel on artificial intelligence, and our products now integrate additional BSI basic and CIS guidelines to protect your office software.

New Products: Major Release 24.10, Greenbone Basic, Feed-Updates

But 2024 brought also many updates and news on our products: Greenbone’s vulnerability management got several improvements and updates, with a new video to explain vulnerability management in 12 minutes. In July, our new scan engine Notus received Support for Amazon’s Red-Hat-Linux variant dominating Amazon Web Services. Later in 2024 Greenbone both announced a new major version of its Enterprise Appliance (24.10) and a completely new product targeted at small and medium size businesses called “Greenbone Basic”. Ready to try?

But maybe you want to read about how Greenbone leads the competition of vulnerability scanners in our benchmark or find out what your Key Performance Indicators for vulnerability management products are.

Congresses and Events: Our Highlights of the Year 

If you want to meet us, you’ll find a growing amount of opportunities … worldwide, also showed in our blog: we also reported almost live from the other side of the globe, where Greenbone had a presence at the Singapore International Cyber Week. This conference was not only one of the major IT security events in Asia, but also one in a long list of business fairs that Greenbone attended: Public IT Security (PITS) in Berlin, the it-sa in Nuremberg or the Potsdam Conference for National Security are just a few to name.

Thank You and Happy Holidays!

So, obviously, also our 16th year was a good one, “a very good year” and thus we would like to take this opportunity to thank all customers, partners and the community again: Without your help none of this would be possible.

Thank you, happy holidays and a happy new year!

Contact Test Now Buy Here Back to Overview

/by
Joseph Lee

November 2024 Threat Report: Vulnerability Management is Becoming Crucial

The world may be entering into a new phase of cyber, and a new technological paradigm. So-called “industry leading” or “enterprise grade” software is perpetually shown to be vulnerable with new critical vulnerabilities exposed and evidence of active exploitation on a weekly basis. Fancy new features keep us engaged but, considering the risk of fast-moving technologies, it’s important to work with organizations that keep things simple, stick to their core competencies and do things right.

In this November 2024’s edition of the Greenbone vulnerability report, we examine some recently released reports from the BSI and CISA to see what government cybersecurity agencies make of the current threat environment, then we follow up with news of the most pressing and actively exploited vulnerabilities in this month. Considering the high degree of risk presented by the current landscape of cybersecurity threats, it’s important to prioritize the fundamentals of IT security – and software design – to avoid building operations on a proverbial house of cards.

BSI Releases Its Annual IT Security Summary for 2024

Policy in the EU continues to rapidly evolve in response to increasing cyber risk. Cybersecurity for all requires cross-border cooperation on many levels. According to the 2024 summary report, the German Federal Office for Information Security (BSI) is focused on harmonizing national specifications with cybersecurity best practices while considering the economic and technical feasibility of new measures. Referred to as the “Europeanisation of Cybersecurity”, European standardisation and Germany’s collaboration with the three European Standardisation Organisations CEN, CENELEC and ETSI promote a risk-based approach to enforcing security best practices among critical infrastructure and providers of virtually all digital products.

Regarding the Cyber Resilience Act (CRA), each member state will have authority to remove non-compliant products from the market and penalise offending vendors. “Important products” (Class I), such as password managers and routers, must follow harmonised European standards (hEN). Regarding NIS2, the BSI received 726 reports representing 141 incidents from critical infrastructure facilities so far in 2024. This includes sectors like healthcare, energy, water, food, IT and telecommunications, financial and insurance services, among others.

The BSI also observed an overall increase in new malware variants and 256% increase in malware exploiting Windows. Reading the full report relays trends in attacker behaviors such as an increase in Bring Your Own Vulnerable Driver (BYOVD) attacks capable of disabling EDR security products. There were also ongoing efforts to sinkhole botnets that contribute to mass exploitation attacks at scale, and the continuing fragmentation of cybercrime activities into initial access brokering and second stage ransomware groups.

How do these observations pertain to Greenbone and vulnerability management in general? While effective vulnerability management and compliance auditing are only one piece of the enterprise cybersecurity puzzle, closing known security gaps and regularly attesting strong security configurations is a critical core competency that all organizations need to master.

CISA’s Most Exploited Vulnerabilities of 2023 Are Revealing

The 2023 Top Routinely Exploited Vulnerabilities report from the Cybersecurity & Infrastructure Security Agency (CISA) observed an increase in exploited zero-day vulnerabilities compared to 2022 and their use in attacks on high-priority targets. Other than zero-days, the report lists the top 47 CVEs (Common Vulnerabilities and Exposures) exploited by attackers. Networking (40%) and productivity software (34%) make up the vast majority of highly targeted CVEs. There is also a strong trend in the type of software flaws most exploited. Mishandling untrusted input accounts for 38% of the most attacked software flaws, while improper authentication and authorization make up 34%. Sadly, considerations for securing these flaws are elementary, covered in application design 101. Also, 90% of the top exploited vulnerabilities in the report are in closed source proprietary products indicating that cyber criminals are not hindered by reverse engineering barriers.

While the EU is motivated to improve security via legal requirements, CISA continues its plea for software vendors to employ Secure by Design principles during development stages. They also suggest that more pay-to-hack bug bounty programs could incentivize ethical security researchers.

Multiple Critical Flaws in Palo Alto Products Attacked

On November 8, 2024, Palo Alto Networks issued a security advisory revealing a zero-day remote code execution (RCE) vulnerability affecting its PAN-OS operating system. The advisory was soon updated after evidence of active exploitation emerged. Here is a summary of new vulnerabilities in Palo Alto products disclosed in November 2024.

  • CVE-2024-0012 (CVSS 9.8 High): An authentication bypass in PAN-OS allows unauthenticated access to administrator privileges. Attackers may perform administrative actions, tamper with the configuration, or exploit other authenticated privilege escalation vulnerabilities like CVE-2024-9474.
  • CVE-2024-9474 (CVSS 7.2 High): A privilege escalation vulnerability in PAN-OS software allows PAN-OS administrators to perform actions on the firewall with root privileges.
  • CVE-2024-9463 (CVSS 7.5 High): An OS command injection vulnerability in Expedition allows an unauthenticated attacker to run arbitrary OS commands as root. This allows unauthorized disclosure of usernames, cleartext passwords, device configurations and device API keys of PAN-OS firewalls.
  • CVE-2024-9465 (CVSS 9.1 High): SQL injection could allow an unauthenticated attacker to reveal Expedition database contents, such as password hashes, usernames, device configurations and device API keys, or create and read arbitrary files on the Expedition system.
  • CVE-2024-5910 (CVSS 9.8 High): Missing authentication for a critical function in Expedition can lead to admin account takeover remotely and expose configuration secrets, credentials and other data.

Greenbone is able to detect all new CVEs published in Palo Alto devices in November 2024. Ideally, ensure networking management interfaces are not accessible via the public Internet and for best practices, use firewall configuration to prevent access from unauthorized internal network endpoints.

US Critical Telecom Infrastructure Breached

The recent breaches involving major US telecom providers serves as a stark warning to all organizations operating complex IT infrastructure at scale. Blame has been laid on Chinese backed hacking groups who reportedly used the access to intercepted U.S. political officials’ calls, SMS text-messages and intercepted mobile metadata. According to Adam Meyers, vice president of intelligence at CrowdStrike, by compromising the telecoms directly, threat actors circumvent the need for breaching the individual networks of their targets. Considering the sheer number of critical vulnerabilities in products from US networking vendors such as Palo Alto Networks, Oracle, Cisco, Citrix, Ivanti, Broadcom, Microsoft and Fortinet more intensive application security testing would greatly reduce the risk to their core customers – US companies at home and abroad, and other large global firms.

Liminal Panda, Salt Typhoon, Volt Typhoon and others are known to attack “shadow IT” – legacy mobile protocols that IT administrators are not aware is still active or actively monitoring. Sophisticated, highly skilled APT actors are highly adaptable and have the resources to develop malware for virtually any known vulnerability that is exploitable, as well as actively develop zero-day exploits yet unknown.

5 Privilege Escalation Flaws Found in Ubuntu’s Needrestart

A flaw in Ubuntu’s Needrestart feature could allow an unprivileged local attacker to execute shell commands as root user. The new CVEs impact all versions of Needrestart going back to 2014. Needrestart determines whether any processes need to be restarted after systemwide packages are updated to avoid a full reboot and is invoked by the apt package manager. The vulnerability is caused when untrusted data such as environment variables are passed unsanitized to the Module::ScanDeps library which executes as root. These user-level environment variables can also influence Python and Ruby interpreters during Needrestart’s execution.

The vulnerabilities can be mitigated by updating Needstart to a patched version or by disabling the interpreter scanning feature by setting $nrconf{interpscan} = 0 in the needrestart.conf configuration file. Greenbone includes detection for all CVEs related to Needrestart feature [1][2][3].

Here is a brief description the newly disclosed CVEs:

  • CVE-2024-11003 (CVSS 7.8 High): Unsanitized data passed to the Module::ScanDeps library could allow a local attacker to execute arbitrary shell commands.
  • CVE-2024-10224 (CVSS 5.3): Unsanitized input passed to the Module::ScanDepscan library allows execution of arbitrary shell commands by opening a “pesky pipe” (such as passing “commands|” as a filename) or by passing arbitrary strings to eval().
  • CVE-2024-48990 (CVSS 7.8 High): Allows local attackers to execute arbitrary code as root by tricking Needrestart into running the Python interpreter via the PYTHONPATH environment variable.
  • CVE-2024-48991 (CVSS 7.8 High): Allows local attackers to execute arbitrary code as root by winning a race condition and pointing Needrestart to a fake Python interpreter instead of the system’s real Python interpreter.
  • CVE-2024-48992 (CVSS 7.8 High): Allows local attackers to execute arbitrary code as root by tricking needrestart into running the Ruby interpreter via the RUBYLIB environment variable.

Is Third Time the Charm for VMware vCenter Critical RCE Flaws?

VMware has been grappling with the challenge of effectively patching critical vulnerabilities in its vCenter server products. Broadcom, which owns VMware, initially released patches in September for two significant vulnerabilities in vCenter, CVE-2024-38812 (CVSS 9.8 High) classified as a heap-overflow vulnerability in the implementation of the DCERPC protocol, and CVE-2024-38813 (CVSS 9.8 High) which offers privilege escalation via ​​specially crafted network packets.

However, these initial patches were insufficient, prompting a second round of patches in October. Despite these efforts, it was confirmed in November that the CVEs were still vulnerable and had been exploited in the wild. vCenter is a prime target for attackers due to its widespread use, and the situation highlights ongoing security challenges. VMware users should apply patches promptly. When CVEs such as these in VMware vCenter are updated with new information, Greenbone’s team of security analysts reviews the changes and updates our vulnerability tests accordingly.

Helldown Ransomware Exploiting Zyxel and Its Customers

In November 2024, a Linux variant of the Helldown ransomware payload was discovered. Helldown is known to exploit the IPSec VPN of Zyxel devices via CVE-2024-42057 (CVSS 8.1 High) for initial access. After gaining a foothold, Helldown steals any accessible credentials and creates new users and VPN tunnels to maintain persistence. The new variant targets VMware ESXi virtual machines to exfiltrate their data and encrypt them. This technique is shared by other ransomware groups such as the Play gang.

The Helldown ransomware group is considered an emerging threat, claiming over 30 victims since August, including the maker of Zyxel products themselves. Zyxel has issued an article acknowledging the attacks with mitigation instructions and Truesec has published known Helldown TTP (Tactics Techniques and Procedures) from their response efforts. Greenbone is able to detect all vulnerabilities known to be associated with Helldown ransomware attacks including CVE-2024-42057 in Zyxel products [1][2][3] as well as known software vulnerabilities used by other ransomware threat actors to gain initial access, escalate privileges and move laterally to high value targets within the victim’s network.

Summary

From EU policy advancements to CISA’s insights on exploited vulnerabilities: the critical need for better software development practices, effective vulnerability management and defense in depth is evident. November’s events, such as Palo Alto’s zero-days, Ubuntu’s Needrestart flaws and VMware vCenter’s ongoing challenges, emphasize the importance of timely monitoring and patching of critical infrastructure. Emerging threats like Helldown ransomware reinforce the need for proactive defense strategies. Greenbone continues to support organizations by detecting critical vulnerabilities, providing actionable insights and advocating for a security-first approach with fundamental IT security best practices.

Contact Test Now Buy Here Back to Overview

/by
Joseph Lee

October 2024 Threat Report: Ransomware Rising Defenders Must Respond

October was European Cyber Security Month (ECSM) and International Cybersecurity Awareness month with the latter’s theme being “Secure Our World”. It’s safe to say that instilling best practices for online safety to individuals, businesses and critical infrastructure is mission critical in 2024. At Greenbone, in addition to our Enterprise vulnerability management products, we are happy to make enterprise grade IT security tools more accessible via our free Community Edition, Community Portal and vibrant Community Forum to discuss development, features and get support.

Our core message to cybersecurity decision makers is clear: To patch or not to patch isn’t a question. How to identify vulnerabilities and misconfigurations before an attacker can exploit them is. Being proactive is imperative; once identified, vulnerabilities must be prioritized and fixed. While alerts to active exploitation can support prioritization, waiting to act is unacceptable in high risk scenarios. Key performance indicators can help security teams and executive decision makers track progress quantitatively and highlight areas that need improvement.

In this month’s Threat Tracking blog post, we will review this year’s ransomware landscape including the root causes of ransomware attacks and replay some of the top cyber threats that emerged in October 2024.

International Efforts to Combat Ransomware Continue

The International Counter Ransomware Initiative (CRI), consisting of 68 countries and organizations (notably lacking Russia and China), convened in Washington, D.C., to improve ransomware resilience globally. The CRI aims to reduce global ransomware payments, improve incident reporting frameworks, strengthen partnerships with the cyber insurance industry to lessen the impact of ransomware incidents, and enhance resilience by establishing standards and best practices for both preventing and recovering from ransomware attacks.

Microsoft’s Digital Defense Report 2024 found the rate of attacks has increased so far in 2024, yet fewer breaches are reaching the encryption phase. The result is fewer victims paying ransom overall. Findings from Coveware, Kaseya, and the Chainanalysis blockchain monitoring firm also affirm lower rates of payout. Still, ransomware gangs are seeing record profits; more than 459 million US-Dollar were extorted during the first half of 2024. This year also saw a new single incident high; a 75 million US-Dollar extortion payout amid a trend towards “big game hunting” – targeting large firms rather than small and medium sized enterprises (SMEs).

What Is the Root Cause of Ransomware?

How are successful ransomware attacks succeeding in the first place? Root cause analyses can help: A 2024 Statista survey of organizations worldwide reports exploited software vulnerabilities are the leading root cause of successful ransomware attacks, implicated in 32% of successful attacks. The same survey ranked credential compromise the second-most common cause and malicious email (malspam and phishing attacks) third. Security experts from Symantec claim that exploitation of known vulnerabilities in public facing applications has become the primary initial access vector in ransomware attacks. Likewise, KnowBe4, a security awareness provider, ranked social engineering and unpatched software as the top root causes of ransomware.

These findings bring us back to our core message and highlight the importance of Greenbone’s industry leading core competency: helping defenders identify vulnerabilities lurking in their IT infrastructure so they can fix and close exploitable security gaps.

FortiJump: an Actively Exploited CVE in FortiManager

In late October 2024, Fortinet alerted its customers to a critical severity RCE vulnerability in FortiManager, the company’s flagship network security management solution. Dubbed “FortiJump” and tracked as CVE-2024-47575 (CVSS 9.8), the vulnerability is classified as “Missing Authentication for Critical Function” [CWE-306] in FortiManager’s fgfm daemon. Google’s Mandiant has retroactively searched logs and confirmed this vulnerability has been actively exploited since June 2024 and describes the situation as a mass exploitation scenario.

Another actively exploited vulnerability in Fortinet products, CVE-2024-23113 (CVSS 9.8) was also added to CISA’s KEV catalog during October. This time the culprit is an externally-controlled format string in FortiOS that could allow an attacker to execute unauthorized commands via specially crafted packets.

Greenbone is able to detect devices vulnerable to FortiJump, FortiOS devices susceptible to CVE-2024-23113 [1][2][3], and over 600 other flaws in Fortinet products.

Iranian Cyber Actors Serving Ransomware Threats

The FBI, CISA, NSA and other US and international security agencies issued a joint advisory warning of an ongoing Iranian-backed campaign targeting critical infrastructure networks particularly in healthcare, government, IT, engineering and energy sectors. Associated threat groups are attributed with ransomware attacks that primarily gain initial access by exploiting public facing services [T1190] such as VPNs. Other techniques used in the campaign include brute force attacks [T1110], password spraying [T1110.003], and MFA fatigue attacks.

The campaign is associated with exploitation of the following CVEs:

Greenbone can detect all CVEs referenced in the campaign advisories, providing defenders with visibility and the opportunity to mitigate risk. Furthermore, while not tracked as a CVE, preventing brute force and password spraying attacks is cybersecurity 101. While many authentication services do not natively offer brute force protection, add-on security products can be configured to impose a lockout time after repeated login failures. Greenbone can attest compliance with CIS security controls for Microsoft RDP including those that prevent brute-force and password spraying login attacks.

Finally, according to the EU’s Cyber Resilience Act’s (CRA), Annex I, Part I (2)(d), products with digital elements must “ensure protection from unauthorized access by appropriate control mechanisms”, including systems for authentication, identity and access management, and should also report any instances of unauthorized access. This implies that going forward the EU will eventually require all products to have built-in brute force protection rather than relying on third-party rate limiting tools such as fail2ban for Linux.

Unencrypted Cookies in F5 BIG-IP LTM Actively Exploited

CISA has observed that cyber threat actors are exploiting unencrypted persistent cookies on F5 BIG-IP Local Traffic Manager (LTM) systems. Once stolen, the cookies are used to identify other internal network devices which can further allow passive detection of vulnerabilities within a network. Similar to most web-applications, BIG-IP passes an  HTTP cookie between the client and server to track user sessions. The cookie, by default, is named BIGipServer<pool_name> and its value contains the encoded IP address and port of the destination server.

F5 BIG-IP is a network traffic management suite and LTM is the core module that provides load balancing and traffic distribution across servers. CISA advises organizations to ensure persistent cookies are encrypted. F5 offers guidance for setting up cookie encryption and a diagnostic tool, BIG-IP iHealth to detect unencrypted cookie persistence profiles.

While active exploitation increases the threat to organizations who have not remediated this weakness, the vulnerability has been known since early 2018.  Greenbone has included detection for this weakness since January 2018, allowing users to identify and close the security gap presented by unencrypted cookies in F5 BIG-IP LTM since its disclosure.

New High Risk Vulnerabilities in Palo Alto Expedition

Several new high risk vulnerabilities have been disclosed in Palo Alto’s Expedition, a migration tool designed to streamline the transition from third-party security configurations to Palo Alto’s PAN-OS. While not observed in active campaigns yet, two of the nine total CVEs assigned to Palo Alto in October were rated with EPSS scores in the top 98th percentile.  EPSS (Exploit Prediction Scoring System) is a machine learning prediction model that estimates the likelihood of a CVE being exploited in the wild within 30 days from the model prediction.

Here is a brief technical description of each CVE:

  • CVE-2024-9463 (CVSS 7.5, EPSS 91.34%): An OS command injection vulnerability in Palo Alto’s Expedition allows an unauthenticated attacker to run arbitrary OS commands as root in Expedition, resulting in disclosure of usernames, cleartext passwords, device configurations and device API keys of PAN-OS firewalls.
  • CVE-2024-9465 (CVSS 9.1, EPSS 73.86%): An SQL injection vulnerability in Palo Alto Networks Expedition allows an unauthenticated attacker to reveal sensitive database contents, such as password hashes, usernames, device configurations and device API keys. Once this information has been obtained, attackers can create and read arbitrary files on affected systems.

Four Critical CVEs in Mozilla Firefox: One Actively Exploited

As mentioned before on our Threat Tracking blog, browser security is critical for preventing initial access, especially for workstation devices. In October 2024, seven new critical severity and 19 other less critical vulnerabilities were disclosed in Mozilla Firefox < 131.0 and Thunderbird < 131.0.1. One of these, CVE-2024-9680, was observed being actively exploited against Tor network users and added to CISA’s known exploited catalog. Greenbone includes vulnerability tests to identify all affected Mozilla products.

The seven new critical severity disclosures are:

  • CVE-2024-9680 (CVSS 9.8): Attackers achieved unauthorized RCE in the content process by exploiting a Use-After-Free in Animation timelines. CVE-2024-9680 is being exploited in the wild.
  • CVE-2024-10468 (CVSS 9.8): Potential race conditions in IndexedDB allows memory corruption, leading to a potentially exploitable crash.
  • CVE-2024-9392 (CVSS 9.8): A compromised content process enables arbitrary loading of cross-origin pages.
  • CVE-2024-10467, CVE-2024-9401 and CVE-2024-9402 (CVSS 9.8): Memory safety bugs present in Firefox showed evidence of memory corruption. Security researchers presume that with enough effort some of these could have been exploited to run arbitrary code.
  • CVE-2024-10004 (CVSS 9.1): Opening an external link to an HTTP website when Firefox iOS was previously closed and had an HTTPS tab open could result in the padlock icon showing an HTTPS indicator incorrectly.

Summary

Our monthly Threat Tracking blog covers major cybersecurity trends and high-risk threats. Key insights for October 2024 include expanded efforts to counter ransomware internationally and the role proactive vulnerability management plays in preventing successful ransomware attacks. Other highlights include Fortinet and Palo Alto vulnerabilities actively exploited and updates on an Iranian-backed cyber attack campaign targeting public-facing services of critical infrastructure sector entities. Additionally, F5 BIG-IP LTM’s unencrypted cookie vulnerability, exploited for reconnaissance, and four new Mozilla Firefox vulnerabilities, one actively weaponized, underscore the need for vigilance.

Greenbone facilitates identification and remediation of these vulnerabilities and more, helping organizations enhance resilience against evolving cyber threats. Prioritizing rapid detection and timely patching remains crucial for mitigating risk.

Contact Test Now Buy Here Back to Overview

/by
Greenbone AG

Stop the Standstill: how Greenbone Helps Protect Against DoS Attacks

A DoS attack (Denial of Service) can mean a complete standstill: an important service fails, an application no longer responds or access to one’s own system is blocked. DoS attacks have a clear, destructive goal: to paralyze digital resources, preventing access to the legitimate users. The consequences of a DoS attack can be drastic: from downtime and business interruptions to financial losses and significant risks for the entire organization.

For several years, DoS attacks have been on the rise and have significantly impacted business, critical infrastructure and healthcare services. DoS attacks are also being leveraged in sophisticated cyber military campaigns and to extort victims into paying a ransom. What lies behind these attacks and how can you protect yourself?

Widening the Threat Landscape

With unauthorized access attackers may impose DoS by simply shutting down a system [T1529]. Otherwise, application logic flaws can allow a remote attacker to crash the system, or they may flood it with network traffic to exhaust its resources. Blocking account access [T1531], destroying data [T1485], or deploying ransomware [T1486] can further hinder system recovery [T1490] or distract defenders while other attacks take place. At the same time, disabled critical services increase vulnerability to further cyber attacks; if a virus scanner is stopped, malware can enter the network unimpeded; if backup services are down, full recovery from ransomware may be impossible.

DoS Attacks Often Leverage Known Weaknesses

DoS attacks often exploit weaknesses in network protocol specifications, improper protocol implementations, faulty logic in software applications, or misconfigurations. Some software flaws that could allow DoS attacks include:

  • Uncontrolled resource consumption
  • Buffer overflows
  • Memory leaks
  • Improper error handling
  • Asymmetric resource consumption (amplification)
  • Failure to release a resource after use

When vulnerabilities such as these are discovered, vendors rush to issue patches. However, only users who install them are protected. By scanning network and host attack surfaces, IT security teams can be alerted to DoS and other types of vulnerabilities. Once alerted, defenders can act by applying updates or adjusting vulnerable configurations.

Types of DoS Attacks

DoS attacks may employ a variety of different techniques, such as flooding networks with excessive traffic, exploiting software vulnerabilities, or manipulating application-level functions. Understanding how DoS attacks work and their potential impact is crucial for organizations to develop comprehensive defense strategies and minimize the risk of such disruptions.

The main categories of DoS attacks include:

  • Volume Based DoS Attacks: Volume-based DoS attacks overwhelm the target’s network bandwidth or compute resources such as CPU and RAM with high volumes of traffic, rendering the network unable to fulfill its legitimate purpose.
  • Application and Protocol DoS Attacks: These attacks target vulnerabilities within software applications or network protocols, which may reside at any layer of the protocol stack. Attackers exploit flaws in a protocol specification, flawed application logic, or system configurations to destabilize or crash the target.
  • Amplification DoS Attacks: Amplification attacks exploit specific protocols that generate a response larger than the initial request. Attackers send small queries to the target which responds with large packets. This tactic significantly amplifies the impact to the victim as high as 100 times the initial request size.
  • Reflection DoS Attacks: The attacker sends a request to a service, but replaces the source IP address with the victim’s IP. The server then sends its response to the victim, “reflecting” the attacker’s forged requests. Reflection attacks typically rely on UDP (User Datagram Protocol) due to its connectionless nature. Unlike TCP, UDP-based services do not automatically verify the source IP address of data they receive.
  • Distributed DoS Attacks (DDoS): DDoS attacks leverage large groups of compromised devices (often called a botnet) to send overwhelming amounts of traffic to a target. Botnets consist of hacked web servers or SOHO (Small Office, Home Office) routers from all over the world and are controlled centrally by the threat actor. The distributed nature of DDoS attacks make them much harder to mitigate, as the malicious traffic comes from many different IP addresses. This makes it difficult to distinguish legitimate users and infeasible to block the botnet’s large number of unique IP addresses.

Using Greenbone Against System Breakdown

Government cybersecurity agencies from all NATO countries such as Germany, the US, and Canada urge vulnerability management as a top priority for defending against DoS attacks.  By scanning for known vulnerabilities, Greenbone helps close the door to DoS attacks and can identify when human error contributes to the problem by detecting known misconfigurations and CIS benchmark controls. Greenbone also updates its vulnerability tests daily to include detection for the latest vulnerabilities that can allow successful DoS attacks.

Greenbone includes the Denial of Service category of vulnerability tests and other test families also include DoS identification such as: database DoS tests, web application DoS tests, web server DoS tests, Windows DoS tests [1][2] and product specific DoS detection for many enterprise networking products such as Cisco, F5, Juniper Networks, Palo Alto and more. Using Greenbone to scan your networks and endpoints, you have access to over 4,900 tests capable of identifying exploitable DoS flaws.

Also, when Greenbone’s “Safe Checks” protection for a scan configuration is disabled, our scanner will conduct active attacks such as amplification DoS attacks. Since these tests present higher risk such as increased likelihood of service disruption, the Safe Checks feature is enabled by default, meaning this extended set of invasive scans are not conducted unless specifically configured to do so.

While no known cybersecurity mitigation can guarantee protection against all DoS attacks such as high volume DDoS attacks, the proactive identification and mitigation of known flaws removes the “low-hanging fruit” presented by exploitable services. By removing known vulnerabilities from its IT infrastructure, an organization can avoid becoming part of the problem as well – since hijacked IT assets are often used by attackers to conduct DDoS attacks against others.

Summary

Denial of Service (DoS) attacks aim to disrupt the availability of IT systems by overwhelming them with traffic or by exploiting known software vulnerabilities. Greenbone’s comprehensive vulnerability assessment solutions can identify potential entry points for DoS attacks, enabling organizations to strengthen their defenses and minimize their risk. By proactively managing vulnerabilities and employing continuous monitoring, Greenbone helps organizations to detect and mitigate the impact of potentially destructive DoS attacks.

Contact Test Now Buy Here Back to Overview

/by
Greenbone AG

Understanding Mass Exploitation Attacks

If an organization has high value, you can bet that bad actors are contemplating how to exploit its IT weaknesses for financial gain. Ransomware attacks are the apex threat in this regard, rendering a victim’s data unusable, extorting them for a decryption key. Highly targeted organizations need to understand exactly where their risk lies and ensure that critical assets are exceptionally well protected. However, all organizations with IT infrastructure – even small ones – benefit from assessing their attack surface and mitigating vulnerabilities.

Mass Exploitation attacks are automated campaigns continuously scanning the public Internet looking for easy victims. These campaigns are carried out by bots, executing automated cyber attacks at scale. CloudFlare claims that only 7% of the Internet traffic is malicious bots, while other reports claim malicious bots account for as much as 32% of all Internet activity. Once breached, attackers misuse these compromised assets for malicious activities.

What Happens to Assets Compromised in Mass Exploitation Campaigns?

Once an attacker gains control of a victim’s IT infrastructure, they assess the value of their newly acquired spoils and determine how to best capitalize. The dark web is an underground ecosystem of cybercrime services with its own economy of supply and demand for illicit deeds. Within this ecosystem, Initial Access Brokers (IAB) sell unauthorized access to Ransomware as a Service (RaaS) groups who specialize in ransomware execution; encrypting a victim’s files and extorting them. Mass Exploitation is one way that these IABs gain a foothold.

Compromised assets with lower extortion value may become part of the IAB’s “zombie botnet”; co-opted to continuously scan the Internet for vulnerable systems to compromise. Otherwise, hijacked systems may be used to send malspam and phishing emails, infected with crypto-mining malware, or become an inconspicuous host for command-and-control (C2) infrastructure to support more targeted attack campaigns.

How Mass Exploitation Works

By exploring Mass Exploitation through the lens of the MITRE ATT&CK framework’s tactics, techniques and procedures (TTP) defenders can better understand attacker behavior. If you are not familiar with MITRE ATT&CK, now is a good time to review the MITRE ATT&CK Enterprise Matrix, since it will serve as a reference point for how attackers operate.

Mass exploitation targets large numbers of systems with sophisticated tools that can scan many IP addresses and automatically execute cyber attacks when vulnerabilities are found. These attacks aim to exploit vulnerabilities in software that is commonly exposed to the public Internet, especially software used to host websites and access webservers remotely.

Here’s how Mass Exploitation works:

  • Reconnaissance [TA0043]: Attackers collect sources of vulnerability information such as NIST NVD where CVEs are published with severity scores and reports that include technical details. Attackers also discover sources of exploit code such as exploit-db, GitHub, or other sources such as dark web marketplaces. Alternatively, attackers may develop their own malicious exploits.
  • Weaponization [TA0042]: Attackers build cyber weapons designed to automatically identify and exploit vulnerabilities [T1190] without the need for human interaction.
  • Active Scanning [T1595]: Attackers conduct active scans of the public Internet at scale to discover listening services and their versions [T1595.002]. This process is similar to how cyber defenders conduct vulnerability scans of their own infrastructure, except instead of fixing identified vulnerabilities, attackers plan strategies to exploit them.
  • Attack Deployment and Exploitation: Once an active vulnerability has been found, automated tools attempt to exploit them to control the victim’s system remotely [TA0011] or cause Denial of Service (DoS) [T1499]. A variety of software weaknesses may be involved such as: exploiting default account credentials [CWE-1392], SQL injection [CWE-89], buffer overflows [CWE-119], unauthorized file uploads [CWE-434] or otherwise broken access controls [CWE-284].
  • Assessment and Action on Objectives [TA0040]: Post-compromised, the attacker decides how to best impact the victim for their own gain. Attackers may decide to conduct further reconnaissance, attempting to move laterally to other connected systems in the network [TA0008], steal data from the victim [TA0010], deploy ransomware [T1486] or sell the initial access to other cyber criminals with specialized skills [T1650].

How to Defend Against Mass Exploitation

Defending against Mass Exploitation attacks requires a proactive approach that addresses potential vulnerabilities before they can be exploited. Organizations should adopt fundamental IT security best practices including regular assessments, continuous monitoring, and timely remediation of identified weaknesses.

Here are some key security measures to defend against Mass Exploitation:

  • Build an IT asset inventory: Building a comprehensive inventory of all hardware, software, and network devices within your organization ensures no systems are overlooked during risk and vulnerability assessments and patch management.
  • Conduct a risk assessment: Prioritize assets based on their importance to business operations and determine how preventative efforts should be focused. Regular risk assessments help ensure that the most critical threats are addressed, reducing the chances of a high impact breach.
  • Scan all assets regularly and fix identified vulnerabilities: Perform regular vulnerability scans on all IT assets, especially those exposed to the public internet and with a high risk context. Promptly apply patches or alternative mitigation measures to prevent exploitation. Track and measure vulnerability management progress in a quantified way.
  • Remove unused services and applications: Unused software presents additional attack surface, which may offer attackers an opportunity to exploit vulnerabilities. By minimizing the number of active services and installed applications, potential entry points for attackers are limited.
  • Education and training: Education is important to promote IT security awareness within an organization’s culture. Awareness training also goes a long way towards preventing malspam and phishing attacks from impacting an organization.
  • Employ Anti-Malware solutions: Malware is often distributed through automated malspam and phishing campaigns at scale. Ensure all systems have up-to-date anti-virus software and implement spam filtering to detect and quarantine malicious files.
  • Enforce strong authentication policies: Credential stuffing attacks are often automated components of Mass Exploitation campaigns. By following password best practices, such as using strong randomly generated passwords and not reusing passwords between accounts there is less risk posed by stolen passwords. Implementing password rotation policies, multi-factor authentication (MFA), and using password managers also strengthen password security.
  • Use firewalls and IPS: Firewalls and Intrusion Prevention Systems (IPS) can block malicious traffic by using rules or patterns. Configure rulesets as strictly as possible to block unnecessary inbound traffic from scanning sensitive services. Regularly review and update firewall and IPS configurations to account for current threats.

Summary

Mass Exploitation refers to automated cyber attack campaigns that use bots to scan the public Internet for vulnerable systems. These attacks target a wide range of victims, exploiting known vulnerabilities in software that is commonly exposed to the internet. Once compromised, attackers use the breached systems for various malicious purposes, including launching ransomware attacks, selling access to other criminal groups or further extending botnets. Mass exploitation is a major threat as it allows attackers to operate at scale with minimal effort.

To defend against Mass Exploitation, organizations must implement proactive security measures such as regular vulnerability scanning, timely patch management, strong access controls and network monitoring. Additionally, ensuring that staff have adequate security training can help reduce the risk of becoming a victim of Mass Exploitation campaigns.

Contact Test Now Buy Here Back to Overview

/by
Markus Feilner

NIS2: Implementation Delayed but Stay on Course

While the German government has yet to implement the necessary adjustments for the NIS2 directive, organizations shouldn’t lose momentum. Although the enforcement is now expected in Spring 2025 instead of October 2024, the core requirements remain unchanged. While there remains a lot of work for companies, especially operators of critical infrastructure, most of it is clear and well-defined. Organizations must still focus on robust vulnerability management, such as that offered by Greenbone.

Missed Deadlines and the Need for Action

Initially, Germany was supposed to introduce the NIS2 compliance law by October 17, 2024, but the latest drafts failed to gain approval, and even the Ministry of the Interior does not anticipate a timely implementation. If the parliamentary process proceeds swiftly, the law could take effect by Q1 2025, the Ministry announced.

A recent study by techconsult (only in German), commissioned by Plusnet, reveals that while 67% of companies expect cyberattacks to increase, many of them still lack full compliance. NIS2 mandates robust security measures, regular risk assessments and rapid response to incidents. Organizations must report security breaches within 24 hours and deploy advanced detection systems, especially those already covered under the previous NIS1 framework.

Increased Security Budgets and Challenges

84% of organizations plan to increase their security spending, with larger enterprises projecting up to a 12% rise. Yet only 29% have fully implemented the necessary measures, citing workforce shortages and lack of awareness as key obstacles. The upcoming NIS2 directive presents not only a compliance challenge but also an opportunity to strengthen cyber resilience and gain customer trust. Therefore, 34% of organizations will invest in vulnerability management in the future.

Despite clear directives from the EU, political delays are undermining the urgency. The Bundesrechnungshof and other institutions have criticized the proposed exemptions for government agencies, which could weaken overall cybersecurity efforts. Meanwhile, the healthcare sector faces its own set of challenges, with some facilities granted extended transition periods until 2030.

Invest now to Stay Ahead

Latest since the NIS2 regulations impend, businesses are aware of the risks and are willing to invest in their security infrastructure. As government action lags, companies must take proactive measures. Effective vulnerability management solutions, like those provided by Greenbone, are critical to maintaining compliance and security.

Contact Test Now Buy Here Back to Overview

/by
Joseph Lee

September 2024 Threat Tracking: Speed Before Safety?

A 2023 World Economic Forum report surveyed 151 global organizational leaders and found that 93% of cyber leaders and 86% business leaders believe a catastrophic cyber event is likely within the next two years. Still, many software vendors prioritize rapid development and product innovation above security. This month, CISA’s Director Jen Easterly stated software vendors “are building problems that open the doors for villains” and that “we don’t have a cyber security problem – we have a software quality problem”. Downstream, customers benefit from innovative software solutions, but are also exposed to the risks from poorly written software applications; financially motivated ransomware attacks, wiper malware, nation-state espionage and data theft, costly downtime, reputational damage and even insolvency.

However astute, the Director’s position glosses over the true cyber risk landscape. For example, as identified by Bruce Schneier back in 1999; IT complexity increases the probability of human error leading to misconfigurations [1][2][3]. Greenbone identifies both known software vulnerabilities and misconfigurations with industry leading vulnerability test coverage and compliance tests attesting CIS controls and other standards such as the BSI basic controls for Microsoft Office.

At the end of the day, organizations hold responsibility to their stakeholders, customers and the general public. They need to stay focused and protect themselves with fundamental IT security activities including Vulnerability Management. In September 2024’s Threat Tracking blog post, we review the most pressing new developments in the enterprise cybersecurity landscape threatening SMEs and large organizations alike.

SonicOS Exploited in Akira Ransomware Campaigns

CVE-2024-40766 (CVSS 10 Critical) impacting SonicWall’s flagship OS SonicOS, has been identified as a known vector for campaigns distributing Akira ransomware. Akira, originally written in C++, has been active since early 2023. A second Rust-based version became the dominant strain in the second half of 2023. The primary group behind Akira is believed to stem from the dissolved Conti ransomware gang. Akira is now operated as a Ransomware as a Service (RaaS) leveraging a double extortion tactic against targets in Germany and across the EU, North America, and Australia. As of January 2024, Akira had compromised over 250 businesses and critical infrastructure entities, extorting over 42 million US-Dollar.

Akira’s tactics include exploiting known vulnerabilities for initial access such as:

Greenbone includes tests to identify SonicWall devices vulnerable to CVE-2024-40766 [1][2] and all other vulnerabilities exploited by the Akira ransomware gang for initial access.

Urgent Patch for Veeam Backup and Restoration

Ransomware is the apex cyber threat, especially in healthcare. The US Human and Healthcare Services (HHS) reports that large breaches increased by 256% and ransomware incidents by 264% over the past five years. Organizations have responded with more proactive cybersecurity measures to prevent initial access and more robust incident response and recovery, including more robust backup solutions. Backup systems are thus a prime target for ransomware operators.

Veeam is a leading vendor of enterprise backup solutions globally and promotes its products as a viable safeguard against ransomware attacks. CVE-2024-40711 (CVSS 10 Critical), a recently disclosed vulnerability in Veeam Backup and Recovery is especially perilous since it could allow hackers to target the last line of protection against ransomware – backups. The vulnerability was discovered and responsibly reported by Florian Hauser of CODE WHITE GmbH, a German cybersecurity research company. Unauthorized Remote Code Execution (RCE) via CVE-2024-40711 was quickly verified by security researchers within 24 hours of the disclosure, and proof-of-concept code is now publicly available online, compounding the risk.

Veeam Backup & Replication version 12.1.2.172 and all earlier v12 builds are vulnerable and customers need to patch affected instances with urgency. Greenbone can detect CVE-2024-40711 in Veeam Backup and Restoration allowing IT security teams to stay one step ahead of ransomware gangs.

Blast-RADIUS Highlights a 20 Year old MD5 Collision Attack

RADIUS is a powerful and flexible authentication, authorization, and accounting (AAA) protocol used in enterprise environments to validate user-supplied credentials against a central authentication service such as Active Directory (AD), LDAP, or VPN services. Dubbed BlastRADIUS, CVE-2024-3596 is a newly disclosed attack against the UDP implementation of RADIUS, accompanied by a dedicated website, research paper, and attack details. Proof-of-concept code is also available from a secondary source.

Blast-RADIUS is an Adversary in The Middle (AiTM) attack that exploits a chosen-prefix collision weakness in MD5 originally identified in 2004 and improved in 2009. The researchers exponentially reduced the time required to spoof MD5 collisions and released their improved version of hashclash. The attack can allow an active AiTM positioned between a RADIUS client and a RADIUS server to trick the client into honoring a forged Access-Accept response despite the RADIUS server issuing a Access-Reject response. This is accomplished by computing an MD5 collision between the expected Access-Reject and a forged Access-Accept response allowing an attacker to approve login requests.

Greenbone can detect a wide array vulnerable RADIUS implementations in enterprise networking devices such as F5 BIG-IP [1], Fortinet FortiAuthenticator [2] and FortiOS [3], Palo Alto PAN-OS [4], Aruba CX Switches [5] and ClearPass Policy Manager [6], and on the OS level in Oracle Linux [7][8], SUSE [9][10][11], OpenSUSE [12][13], Red Had [14][15], Fedora [16][17], Amazon [18], Alma [19][20], and Rocky Linux [21][22] among others.

Urgent: CVE-2024-27348 in Apache HugeGraph-Server

CVE-2024-27348 (CVSS 9.8 Critical) is a RCE vulnerability in the open-source Apache HugeGraph-Server that affects all versions of 1.0 before 1.3.0 in Java8 and Java11. HugeGraph-Server provides an API interface used to store, query, and analyze complex relationships between data points and is commonly used for analyzing data from social networks, recommendation systems and for fraud detection.

CVE-2024-27348 allows attackers to bypass the sandbox restrictions within the Gremlin query language by exploiting inadequate Java reflection filtering. An attacker can leverage the vulnerability by crafting malicious Gremlin scripts and submitting them via API to the HugeGraph /gremlin endpoint to execute arbitrary commands. The vulnerability can be exploited via remote, adjacent, or local access to the API and can enable privilege escalation.

It is being actively exploited in hacking campaigns. Proof-of-concept exploit code [1][2][3] and an in-depth technical analysis are publicly available giving cyber criminals a head start in developing attacks. Greenbone includes an active check and version detection test to identify vulnerable instances of Apache HugeGraph-Server. Users are advised to update to the latest version.

Ivanti has Been an Open Door for Attackers in 2024

Our blog has covered vulnerabilities in Invati products several times this year [1][2][3]. September 2024 was another hot month for weaknesses in Ivanti products. Ivanti finally patched CVE-2024-29847 (CVSS 9.8 Critical), a RCE vulnerability impacting Ivanti Endpoint Manager (EPM), first reported in May 2024. Proof-of-concept exploit code and a technical description are now publicly available, increasing the threat. Although there is no evidence of active exploitation yet, this CVE should be considered high priority and patched with urgency.

However, in September 2024, CISA also identified a staggering four new vulnerabilities in Ivanti products being actively exploited in the wild. Greenbone can detect all of these new additions to CISA KEV and previous vulnerabilities in Ivanti products. Here are the details:

Summary

In this month’s Threat Tracking blog, we highlighted major cybersecurity developments including critical vulnerabilities such as CVE-2024-40766 exploited by Akira ransomware, CVE-2024-40711 impacting Veeam Backup and the newly disclosed Blast-RADIUS attack that could impact enterprise AAA. Proactive cybersecurity activities such as continuous vulnerability management and compliance attestation help to mitigate risks from ransomware, wiper malware, and espionage campaigns, allowing defenders to close security gaps before adversaries can exploit them.

Contact Test Now Buy Here Back to Overview

/by
Joseph Lee

August 2024 Threat Tracking: Threats on the Rise

The cybersecurity risk environment has been red hot through the first half of 2024. Critical vulnerabilities in even the most critical technologies are perpetually open to cyber attacks, and defenders face the continuous struggle to identify and remediate these relentlessly emerging security gaps. Large organizations are being targeted by sophisticated “big game hunting” campaigns by ransomware gangs seeking to hit the ransomware jackpot. The largest ransomware payout ever was reported in August – 75 million Dollar to the Dark Angels gang. Small and medium sized enterprises are targeted on a daily basis by automated “mass exploitation” attacks, also often seeking to deliver ransomware [1][2][3].

A quick look at CISA’s Top Routinely Exploited Vulnerabilities shows us that even though cyber criminals can turn new CVE (Common Vulnerabilities and Exposures) information into exploit code in a matter of days or even hours, older vulnerabilities from years past are still on their radar.

In this month’s Threat Tracking blog post, we will point out some of the top cybersecurity risks to enterprise cybersecurity, highlighting vulnerabilities recently reported as actively exploited and other critical vulnerabilities in enterprise IT products.

The BSI Improves LibreOffice’s Mitigation of Human Error

OpenSource Security on behalf of the German Federal Office for Information Security (BSI) recently identified a secure-by-design flaw in LibreOffice. Tracked as CVE-2024-6472 (CVSS 7.8 High), it was found that users could enable unsigned macros embedded in LibreOffice documents, overriding the “high security mode” setting. While exploitation requires human interaction, the weakness addresses a false sense of security, that unsigned macros could not be executed when “high security mode” enabled.

KeyTrap: DoS Attack Against DNSSEC

In February 2024, academics at the German National Research Center for Applied Cybersecurity (ATHENE) in Darmstadt disclosed “the worst attack on DNS ever discovered”. According to German researchers, a single packet can cause a “Denial of Service” (DoS) by exhausting a DNSSEC-validating DNS resolver. Dubbed “KeyTrap”, attackers can exploit the weakness to prevent clients using a compromised DNS server from accessing the internet or local network resources. The culprit is a design flaw in the current DNSSEC specification [RFC-9364] that dates back more than 20 years [RFC-3833].

Published in February 2024 and tracked as CVE-2023-50387 (CVSS 7.5 High), exploitation of the vulnerability is considered trivial and proof-of-concept code is available on GitHub. The availability of exploit code means that low skilled criminals can easily launch attacks. Greenbone can identify systems with vulnerable DNS applications impacted by CVE-2023-50387 with local security checks (LSC) for all operating systems.

CVE-2024-23897 in Jenkins Used to Breach Indian Bank

CVE-2024-23897 (CVSS 9.8 Critical) in Jenkins (versions 2.441 and LTS 2.426.2 and earlier) is being actively exploited and used in ransomware campaigns including one against the National Payments Corporation of India (NPCI). Jenkins is an open-source automation server used primarily for continuous integration (CI) and continuous delivery (CD) in software development operations (DevOps).

The Command Line Interface (CLI) in affected versions of Jenkins contains a path traversal vulnerability [CWE-35] caused by a feature that replaces the @-character followed by a file path with the file’s actual contents. This allows attackers to read the contents of sensitive files including those that provide unauthorized access and subsequent code execution. CVE-2024-23897 and its use in ransomware attacks follows a joint CISA and FBI alert for software vendors to address path traversal vulnerabilities [CWE-35] in their products. Greenbone includes an active check [1] and two version detection tests [2][3] for identifying vulnerable versions of Jenkins on Windows and Linux.

2 New Actively Exploited CVEs in String of Apache OFBiz Flaws

Apache OFBiz (Open For Business) is a popular open-source enterprise resource planning (ERP) and e-commerce software suite developed by the Apache Software Foundation. In August 2024, CISA alerted the cybersecurity community to active exploitation of Apache OFBiz via CVE-2024-38856 (CVSS 9.8 Critical) affecting versions before 18.12.13. CVE-2024-38856 is a path traversal vulnerability [CWE-35] that affects OFBiz’s “override view” functionality allowing unauthenticated attackers Remote Code Execution (RCE) on the affected system.

CVE-2024-38856 is a bypass of a previously patched vulnerability, CVE-2024-36104, just published in June 2024, indicating that the initial fix did not fully remediate the problem. This also builds upon another 2024 vulnerability in OFBiz, CVE-2024-32113 (CVSS 9.8 Critical), which was also being actively exploited to distribute Mirai botnet. Finally, in early September 2024, two new critical severity CVEs, CVE-2024-45507 and CVE-2024-45195 (CVSS 9.8 Critical) were added to the list of threats impacting current versions of OFBiz.

Due to the notice of active exploitation and Proof-of-Concept (PoC) exploits being readily available for CVE-2024-38856 [1][2] and CVE-2024-32113 [1][2] affected users need to patch urgently. Greenbone can detect all aforementioned CVEs in Apache OFBiz with both active and version checks.

CVE-2022-0185 in the Linux Kernel Actively Exploited

CVE-2022-0185 (CVSS 8.4 High), an heap-based buffer overflow vulnerability in the Linux kernel, was added to CISA KEV in August 2024. Publicly available PoC-exploit-code and detailed technical descriptions of the vulnerability have contributed to the increase in cyber attacks exploiting CVE-2022-0185.

In CVE-2022-0185 in Linux’s “legacy_parse_param()” function within the Filesystem Context functionality the length of supplied parameters is not being properly verified. This flaw allows an unprivileged local user to escalate their privileges to the root user.

Greenbone could detect CVE-2022-0185 since it was disclosed in early 2022 via vulnerability test modules covering a wide set of Linux distributions including Red Hat, Ubuntu, SuSE, Amazon Linux, Rocky Linux, Fedora, Oracle Linux and Enterprise products such as IBM Spectrum Protect Plus.

New VoIP and PBX Vulnerabilities

A handful of CVEs were published in August 2024 impacting enterprise voice communication systems. The vulnerabilities were disclosed in Cisco’s small business VOIP systems and Asterisk, a popular open-source PBX branch system. Let’s dig into the specifics:

Cisco Small Business IP Phones Offer RCE and DoS

Three high severity vulnerabilities were disclosed that impact the web-management console of Cisco Small Business SPA300 Series and SPA500 Series IP Phones. While underscoring the importance of not exposing management consoles to the internet, these vulnerabilities also represent a vector for an insider or dormant attacker who has already gained access to an organization’s network to pivot their attacks to higher value assets and disrupt business operations.

Greenbone includes detection for all newly disclosed CVEs in Cisco Small Business IP Phone. Here is a brief technical description of each:

  • CVE-2024-20454 and CVE-2024-20450 (CVSS 9.8 Critical): An unauthenticated, remote attacker could execute arbitrary commands on the underlying operating system with root privileges because incoming HTTP packets are not properly checked for size, which could result in a buffer overflow.
  • CVE-2024-20451 (CVSS 7.5 High): An unauthenticated, remote attacker could cause an affected device to reload unexpectedly causing a Denial of Service because HTTP packets are not properly checked for size.

CVE-2024-42365 in Asterisk PBX Telephony Toolkit

Asterisk is an open-source private branch exchange (PBX) and telephony toolkit. PBX is a system used to manage internal and external call routing and can use traditional phone lines (analog or digital) or VoIP (IP PBX). CVE-2024-42365, published in August 2024, impacts versions of asterisk before 18.24.2, 20.9.2 and 21.4.2 and certified-asterisk versions 18.9-cert11 and 20.7-cert2. An exploit module has also been published for the Metasploit attack framework adding to the risk, however, active exploitation in the wild has not yet been observed.

Greenbone can detect CVE-2024-42365 via network scans. Here is a brief technical description of the vulnerability:

  • CVE-2024-42365 (CVSS 8.8 High): An AMI user with “write=originate” may change all configuration files in the “/etc/asterisk/” directory. This occurs because they are able to curl remote files and write them to disk but are also able to append to existing files using the FILE function inside the SET application. This issue may result in privilege escalation, Remote Code Execution or blind server-side request forgery with arbitrary protocols.

Browsers: Perpetual Cybersecurity Threats

CVE-2024-7971 and CVE-2024-7965, two new CVSS 8.8 High severity vulnerabilities in the Chrome browser, are being actively exploited for RCE. Either CVE can be triggered when victims are tricked into simply visiting a malicious web page. Google acknowledges that exploit code is publicly available, giving even low skilled cyber criminals the ability to launch attacks. Google Chrome has seen a steady stream of new vulnerabilities and active exploitation in recent years. A quick inspection of Mozilla Firefox shows a similar continuous stream of critical and high severity CVEs; seven Critical and six High severity vulnerabilities were disclosed in Firefox during August 2024, although active exploitation of these has not been reported.

The continuous onslaught of vulnerabilities in major browsers underscores the need for diligence to ensure that updates are applied as soon as they become available. Due to Chrome’s high market share of over 65% (over 70% considering Chromium-based Microsoft Edge) its vulnerabilities receive increased attention from cyber criminals. Considering the high number of severe vulnerabilities impacting Chromium’s V8 engine (more than 40 so far in 2024), Google Workspace admins might consider disabling V8 for all users in their organization to increase security. Other options for hardening browser security in high-risk scenarios include using remote browser isolation, network segmentation and booting from secure baseline images to ensure endpoints are not compromised.

Greenbone includes active authenticated vulnerability tests to identify vulnerable versions of browsers for Linux, Windows and macOS.

Summary

New critical and remotely exploitable vulnerabilities are being disclosed at record shattering rates amidst a red hot cyber risk environment. Asking IT security teams to manually track newly exposed vulnerabilities in addition to applying patches imposes an impossible burden and risks leaving critical vulnerabilities undetected and exposed. Vulnerability management is considered a fundamental cybersecurity activity; defenders of large, medium and small organizations need to employ tools such as Greenbone to automatically seek and report vulnerabilities across an organization’s IT infrastructure. 

Conducting automated network vulnerability scans and authenticated scans of each system’s host attack surface can dramatically reduce the workload on defenders, automatically providing them with a list of remediation tasks that is sortable according to threat severity.

Contact Test Now Buy Here Back to Overview

/by