Tag Archive for: Vulnerability Scanning

Jan-Oliver Wagner

Cyber attacks are like earth quakes

Earth quakes and cyber attacks have much in common. First: The forces are outside of our control and we can not prevent them to happen.

Second: We are not helplessly at the mercy. We can install early warning, minimize destructive effect and recover quickly. But only if we act BEFORE it happens.

Sure, earth quakes are about human live and cyber attacks are so far usually not. Yet I think this comparison is important in order to make it easier to understand the significance of cyber attacks the the options for action.

Of course there are also differences and the most striking one to me is the average frequency of occurence. This vivid direct comparison shows the parallels:

We have no technology to prevent them to happen, but… Earth quake Cyber Attack
We have prognosis models where they happen most likely Tectonic models Vulnerability intelligence

We have sensors that provide early warnings shortly before it happens

(sometimes they fail though with false positive and false negatives)

 Seismographs Vulnerability scanning and threat intelligence
We have a scale to compare events about potential damage

Richter magnitude scale: Ranges from 1.0 to 9.9

  • Sometimes the effect is just shaking indoor objects and sometimes it is collapse of buildings

Severity Score: Ranges from 0.1 to 10.0

  • Sometimes you have some extra network load and sometimes a remote administrative exploit.
…you can do something to minimize negative impact:
Make you infrastructure stable against this type of force

Obligatory architecture designs

  • Overview and controlling of compliance

Obligatory security policies

  • detection and limitation of attack surface:
  • Vulnerability testing and remediation
  • Vulnerability management and compliance
Have trained teams ready to help recover quickly when it happens
  • Central command center and
  • distributed on-site medical and repair teams
  • Processes and and regular trainings thereof
  • Security operation center and distributed system administrator
  • Dev-ops or suppliers for operational support
  • Processes and and regular trainings thereof
Make all people aware on how to save their lives best when it happens
  • Understandable training materials and
  • regular awareness trainings
  • Understandable training materials and
  • regular awareness trainings


Contact Free Trial Buy Here Back to Overview

/by
Markus Feilner

German BSI warns of vulnerability in VMware ESXi

A new wave of ransomware attacks has been threatening numerous servers in Europe. The attacks focus on the hypervisors in VMware’s virtualization server ESXi.
Patches are available, Greenbone’s products can protect and help to find the vulnerability.

The German BSI explicitly warns of the vulnerability and in its latest information on the security situation speaks of thousands of servers and a worldwide threat with a focus on Europe, the U.S. and Canada, using a vulnerability that the manufacturer already patched almost two years ago: (CVE-2021-21974).

Not only VMWare servers themselves at risk

According to IT security portal Hackernews, French provider OVHcloud has confirmed the open source implementation of the IETF Service Location Protocol (OpenSLP) as an entry point.

The threat to IT systems in this case is classified as business-critical – a successful attack with ransomware can therefore cause massive disruptions to regular operations. What is particularly serious about attacks of this type is that under certain circumstances not only institutions that use VMware ESXi themselves are affected, but also third parties – for example, via the server systems hosted in VMware virtualization.

France, Italy, Finland, Canada and the U.S.

Suspicions that European organizations and institutions were the main focus of attackers in the latest wave of attacks were also confirmed a few days later, when the Italian National Cybersecurity Agency ACN warned of the vulnerabilities and a “large-scale wave of attacks.” A Reuters report also speaks of attacks in Finland and the United States.

Users can protect themselves, however: The manufacturer VMware advises upgrading to the latest version of its software – and installing the patch. In general, systems like Greenbone Vulnerability Management help prevent such intrusions by finding the unpatched gaps and proactively warning administrators in reports.

Checking with the Greenbone Cloud

Installation of the VMware patch is free, as is an audit of their systems with the Greenbone Cloud Service Trial. In general, administrators should always ensure that all backups are secured against ransomware and examine log files for suspicious system access – the BSI lists six questions on the checklist in its warning that every administrator should ask themselves now.


Contact Free Trial Buy Here Back to Overview

/by
Markus Feilner

ENISA study: Public sector most at risk

In the 10th edition of its ENISA Threat Landscape (ETL), the EU’s cybersecurity agency explicitly warns of increasing threats from hacking attacks on public sector entities.

Around a quarter of all security related incidents target administrative or government entities, the ENISA study reports – making the public sector nearly twice as much at risk as hosters and providers, who come in second at 13 %. More than ever, users should protect their networks – for example, with products from Greenbone.

The number one threat still are extortionate ransomware attacks, followed by malware and social engineering, e.g. where attackers try to obtain passwords from employees via telephone.

Geopolitics doesn’t stop at the public data center

However, things have changed in the last two years – not only the war in Ukraine ensured that “geopolitical aspects have a significantly greater influence” on threat scenarios, the ENISA authors write. Attacks are becoming more destructive, motivated by the armed conflict and are being flanked by targeted disinformation campaigns – which are increasingly directed against public institutions.

Businesses and government agencies, however, are worried by the fact that attackers have gained in skill level, aggressiveness and agility since 2021. The better organizations have adapted their cybersecurity programs and thus their defenses to the threat environment, the more they have forced attackers to adopt newer attack vectors, to the point of developing new, unknown zeroday exploits and more. At the same time, hacker groups are constantly becoming more agile, renaming themselves and continuously regrouping, further complicating attribution (matching an attack to individuals).

Progressive professionalization of attackers

As if that weren’t enough, the hacker-as-a-service model continues to gain traction; people are becoming more professionalized. Attacks are also increasingly targeting the supply chain, managed service providers and are becoming more and more, as they have been doing every year, especially in the upcoming reporting period – the phase at the end of a fiscal year when reports relevant to the stock exchange may have to be prepared.

What is new, however, according to ENISA, is the increase in hybrid threats, which are also fueled by state actors and software. The study specifically cites the spyware “Pegasus” developed by the Israeli government, as well as phishing and attacks on data infrastructures.

Machine learning and artificial intelligence

The professionalization of attacks has had a particularly fatal effect, because they have become much more sophisticated through the use of machine learning and artificial intelligence. For example, there are already bots that act as deep fakes, disrupt chains of command, and are also capable of disabling government institutions with masses of fake comments.

ENISA groups the typical attackers into four categories: State-sponsored, organized crime (cybercrime), commercial hackers (“hackers for hire”), and activists. The goal of all these attackers is usually unauthorized access to data and disruption of the availability of services (and in many cases the associated extortion of ransom money), they said.

Vulnerability Management protects

The only safe option that government agencies and companies have to counter these attacks is Vulnerability Management, which allows them to look at their own IT infrastructure from the outside, from the perspective of a potential attacker. This is the only way to identify and close security gaps before an attacker succeeds.

This is exactly where our Vulnerability Management products come in – as a hardware or virtual appliance or in the Greenbone Cloud Service. Greenbone develops an Open Source Vulnerability Management and allows users to detect vulnerabilities in their own network infrastructure within a few steps. Our products generate reports with concrete action instructions that you can implement immediately.

We work strictly according to German/European law and offer an Open Source solution. This means best data protection compliance and is thus guaranteed free of backdoors.

Greenbone: Many years of experience in the public sector

For many years, Greenbone has been offering customized products for the public sector, e.g. for requirements of higher security levels (classified, VS-NFD and higher).

Even networks that are physically separated from other networks can be scanned for vulnerabilities with Greenbone. Such areas separated by an “air gap” often occur in public authorities when network segments must be operated separately from the Internet and the rest of the public authority network due to a special need for protection. Greenbone’s products support strict airgap via special USB sticks, but also data diodes that allow traffic in one direction only.

No matter if you already have a frame contract with us or if you contact us for the first time, e.g. via the form on our website: We are happy to help you. Greenbone can look back on many years of experience with public authorities and is always ready to help you with words and deeds. Contact us!


Contact Free Trial Buy Here Back to Overview

/by
Markus Feilner

Notus is live! New vulnerability scanner from Greenbone

,

Greenbone, a world leader in open source vulnerability management software, has released its latest scanner, Notus.

“With Notus, a milestone for the performance of extensive comparisons of software versions has been created in recent years,” explains CIO Elmar Geese.

With Notus, Greenbone is also responding to customer requests for better performance in version checks. Whether a security vulnerability is dangerous for a company depends mainly on the installed software versions and their patch level. In very many cases, a vulnerability scanner must therefore match a large number of software versions and detect combinations of these. As the complexity of the setups increases, this test becomes more and more extensive. However, because the overall result of the scan also depends heavily on this data collection, Notus will enable such scans much faster than any of its predecessors.

Faster thanks to JSON

“The scanner rattles off the relevant servers and captures software running there. For the actual scan, it essentially only gets the info about affected and fixed packages,” explains Björn Ricks, Senior Software Developer at Greenbone. “With the previously used scanner and its predecessors, we usually had to start a separate process per version check, meaning a separate manually created script. Generating these scripts automatically is time-consuming.” Notus, on the other hand, only loads the data it needs from JSON files. Ricks sums it up, “Notus is significantly more efficient, requires fewer processes, less overhead, less memory, …”

CIO Geese then also declares the Notus scanner to be a “milestone for our users, it improves the performance significantly. Our well-known high detection quality as well as performance, central goals of our product strategy, will be optimally supported by the new scanner.”

Notus, Greenbone and OpenVAS

The Notus project consists of two parts: a Notus generator, which creates the JSON files containing information about vulnerable RPM/Debian packages, and the Notus scanner, which loads these JSON files and interprets the information from them.

OpenVAS, the Open Vulnerability Assessment System, was created in 2005, when the development team of the Nessus vulnerability scanner decided to stop working under open source licenses and move to a proprietary business model.

Since 2008, Greenbone has been providing professional vulnerability scanning support. For this purpose, Greenbone took over the further development of OpenVAS, added several software components and thus transformed OpenVAS into a comprehensive vulnerability management solution that still carries the values of free software. The first appliances came onto the market in spring 2010.

Contact Free Trial Buy Here Back to Overview
/by
Markus Feilner

Greenbone Extends Compliance Policies for CIS Benchmarks

Apache, IIS, NGINX, MongoDB, Oracle, PostgreSQL, Windows, Linux: one year after launch, Greenbone brings numerous new compliance policies for CIS Benchmarks in its products. CIS Benchmarks are used by enterprises, organizations or government agencies to verify that all software products, applications, operating systems and other components in use meet secure specifications. Similar to the IT-Grundschutz compendium of the German Federal Office for Information Security (BSI), the Center for Internet Security (CIS), a non-profit organization founded in 2000, provides comprehensive IT security best practices for governments, industry and academia. Greenbone developed its first compliance policies for CIS Benchmarks back in 2021. Now, 18 additional compliance policies are being added.

Compliance policies for CIS Benchmarks

Benchmarks for Corporate Security

The CIS Benchmarks map corporate and government guidelines that serve as benchmarks for compliance. The benchmarks describe configurations, conditions, audits and tests for various setups and systems in detail. After a successful scan, IT admins receive a comprehensive report with a percentage figure that provides information about the compliance of the systems, but also immediate recommendations for further hardening measures.

Compared to the requirements of IT-Grundschutz, CIS Benchmarks often prove to be significantly more detailed, but therefore also more comprehensive. Unlike the many tests in the Greenbone Enterprise Feed, which look for security gaps and vulnerabilities to help defend against attacks, the CIS Benchmarks serve to prove that a company or an authority complies with the applicable compliance regulations at all times and has always done so.

CIS Benchmarks at Greenbone

Already since 2021, Greenbone integrates numerous compliance policies for CIS Benchmarks. These policies are sets of tests that a Greenbone product runs on a target system. In simple terms, for each individual requirement or recommendation from a CIS Benchmark, a vulnerability test is developed to verify compliance with that requirement or recommendation. All tests are combined by Greenbone into scan configurations and added to the Greenbone Enterprise Feed. Since the scan configurations in this case map enterprise or government policies, they are referred to as “compliance policies”.

In 2022, Greenbone is significantly expanding the set of CIS compliance policies included in the Greenbone Enterprise Feed. 18 additional compliance policies for CIS Benchmarks for diverse product families have been added. In addition to a compliance policy for Docker containers, tests are now available for Windows 10 Enterprise, Windows 2019 Server, Centos and distribution-independent Linux benchmarks. In addition, web masters running servers such as Apache (2.2 and 2.4), NGINX, Tomcat, and Microsoft IIS 10, as well as database administrations (MongoDB 3.2 and 3.6, Oracle Community Server 5.6 and 5.7, and PostgreSQL 9.6, 10, 11, and 12) can now access compliance policies for CIS Benchmarks.

CIS Benchmarks: Level 1, 2 and STIG

The CIS Benchmarks are divided into several levels (Level 1, 2 and STIG) and usually include several configuration profiles to be tested. Level 1 provides basic recommendations for reducing an organization’s attack surface, while Level 2 addresses users with special security needs. STIG – the former Level 3 – on the other hand is mainly used in military or government environments. STIG stands for Security Technical Implementation Guide. The US Department of Defense maintains a web page with all the details. The DISA STIGs (Defense Information Systems Agency Security Technical Implementation Guides) described there are a requirement of the US Department of Defense.

Certified by CIS

Greenbone is a member of the CIS consortium and is continuously expanding its CIS Benchmark scan configurations. Like all compliance policies developed by Greenbone on the basis of CIS Benchmarks, the latest ones are certified by CIS – this means maximum security when it comes to auditing a system according to CIS hardening recommendations. This not only simplifies the preparation of audits, important criteria can be checked in advance with a scan by a Greenbone product and, if necessary, any weaknesses found can be remedied before problems arise.

Contact Free Trial Buy Here Back to Overview
/by
Markus Feilner

Ransomware as a Service: the Role of Bitcoin and Darknet

Both the cryptocurrency Bitcoin and the darknet have a dubious reputation. The media like to portray both as opaque, criminal parallel worlds. For Ransomware as a Service, Bitcoin and the darknet are welcome tools. Organized crime has been using them for a long time to disguise its business, even if it by no means makes the criminals anonymous and safe from prosecution.

Ransomware became the world’s biggest threat to IT systems in 2021. If you want to successfully protect yourself against it, you also need to understand how the parties involved proceed. Part one of this series of articles focused on the business model of Ransomware as a Service. Part two showed why this “professionalization” also leads to a changed mindset among attackers. Part three now explains why the IT tools that organized crime uses to order and transfer money are far from secure.

Ransomware as a Service: abstract image of Bitcoin logo

Anonymous and Secure?

Bitcoin as a means of payment and the darknet are proving to be practical, helpful and attractive for attackers. Under the cloak of supposed anonymity, they think they are protected from prosecution and shielded from consequences. But this is a common misconception: neither Bitcoin nor the darknet are anonymous in practice.

While cryptocurrency was never designed for anonymity, but explicitly for traceability of transactions even without a reliable central authority, the darknet turns out to be not even remotely as anonymous as its creators would have liked. This is also shown by reports such as the recent ones about KAX17’s “de-anonymization attacks” on the Tor network. Nearly always, classic investigative methods are enough for law enforcement to track down even ransomware actors like the REvil group. This group had collected half a million euros in ransoms in more than 5,000 infections, according to Heise [German only].

Never a Good Idea: Cooperating With Criminals

No matter whether online or offline, anyone who gets involved with blackmailers is abandoned. As in real life, good advice is never to pay a ransom. Regardless of how professional the hotline on the other end seems, trust is not appropriate. The operators of REvils Ransomware as a Service, for example, even stole the extorted ransoms from their clients via a backdoor in the malware.

It all started out so friendly and idealistic. Roger Dingledine and Nick Mathewson laid the foundations for the Tor network in the early 2000s. Based on the idea of onion rings, numerous cryptographically secured layers on top of each other were supposed to ensure reliable anonymity on the web – in their opinion, a fundamental right, analogous to the privacy definition of Eric Hughes “Cypherpunk’s Manifesto”. Then in 2009, Bitcoin saw the light of day, first described by the almost mystical figure of Satoshi Nakamoto.

Darknet and Bitcoin Are Not “Criminal”

Neither the darknet nor Bitcoin were designed to conceal or enable dark schemes. The goal was to create free, independent, supposedly uncontrollable and largely secure structures for information exchange and payment. Like a knife, however, the services can be instrumentalized for both good and evil – and, of course, organized crime knows how to use this to its advantage. The focus is not always on leaving no traces. Most often, the focus is on the simplicity and availability of the means. Bitcoin and the darknet are simply the tools of choice because they are there.

But as in the real world, the easiest way to catch the extortionists is during the money transfer: a blockchain like Bitcoin documents all transactions ever made, including the wallet information (i.e., the Bitcoin owner), and makes it available for viewing at any time. The same applies to the darknet: even if anonymity is technically possible, people regularly fail to meet the simplest requirements. GPS meta-data can be found in photos or UPS codes in the illegal store. The legendary drug store Silkroad was busted because employees made mistakes and confessed.

Digitized, Organized Crime

The darknet and cryptocurrencies are helpful tools for organized crime and thus fire accelerators for the rapidly growing number of serious ransomware attacks. But they are by no means essential, nor are they to blame. Such cyber crime is just the modern IT variant of what we can also experience on the streets of any major city. Ransomware is, so to speak, the modern protection racket, Bitcoin is the garbage can for the handover, and the darknet is the dark bar where deals are made.

The perfidy is not in the tools, but in the methods and the long experience in the “business”. Trend Micro, for example, describes the “double extortion ransomware” approach. Here, attackers first make an image of the data and threaten to publish it if payment is not made (i.e., if it is not decrypted). Organized crime has been in the extortion business not just since Bitcoin or the darknet came into existence. Even though the two technologies now enable cyber criminals to extort large sums of money undetected at first, conventional methods are almost always sufficient for detection. The most important prerequisite here is that enough law enforcement personnel are available, not primarily their technical equipment.

Take Precautions

But at this point, in the company, the horse has already bolted. If you are faced with encrypted data and a ransom demand, the darknet, Bitcoin and the detection rate are probably of secondary importance. Much more important is the question of how to get out of the unfortunate situation. And you can only do that if you were prepared. This includes backups, restore tests and the immediate disconnection of all affected machines (network split) – in other words, proactive risk management, disaster recovery tests and constant maintenance of your own systems. Another important component is multi-factor authentication, which prevents attackers from shimmying from one system to the next using acquired passwords alone.

The most important thing, however, is to avoid critical situations in the first place and to identify vulnerabilities in your own systems and close them quickly. Modern vulnerability management like Greenbone’s does just that: it gives you the ability to close gaps in your systems, making the corporate network unattractive, costly, and thus a deterrent to professional cyber criminals, not just from the Ransomware-as-a-Service world.

Greenbone’s products monitor the corporate network or external IT resources for potential vulnerabilities by continuously and fully automatically examining it and, as Greenbone Enterprise Appliances or the Greenbone Cloud Service (software as a service hosted in German data centers), guarantee security by always up-to-date scans and tests.

How this works is described by Elmar Geese, CIO/CMO at Greenbone, also here in the blog with a post around the Log4j vulnerability. In addition, Geese explains how quickly and securely the administration and management are also informed of the latest vulnerabilities and how exactly the scan for vulnerabilities such as Log4Shell is carried out.


Contact Free Trial Buy Here Back to Overview

/by
Elmar Geese

Additional Log4j Vulnerabilities Published

Log4j was affected by a vulnerability that allowed Remote Code Execution (RCE) attacks. In short, user inputs into a software could lead to a code execution on a remote server. This represents a severe security risk. It was named “Log4Shell” (CVE-2021-44228) and immediately addressed by the Log4j team, who provided a fix. In the following days, additional Log4j vulnerabilities were found. While these do not have the same impact as the first one, they can also cause severe damage. For this reason, it is very important to check systems and always update to the latest versions.

Since Log4j is included in numerous software products, the manufacturers of the products had to and still have to provide updates as well. This is still ongoing, and more Log4j vulnerabilities may emerge in the future.

As a moving target, Log4j still gets a lot of attention, under various aspects:

  • New (and luckily still less severe) vulnerabilities are found.
  • New initiatives are emerging proactively to check log4 sources, such as Google’s initiative: Improving OSS-Fuzz and Jazzer to catch Log4Shell
  • At Greenbone, we are creating even more vulnerability tests to get better test coverage, and deploy them to our products on a daily basis.

We have already received a pretty good CVE coverage for the additional Log4j vulnerabilities that have been published in the last few days, including:

  • CVE-2021-44228
  • CVE-2021-4104
  • CVE-2021-45046
  • CVE-2021-45105

As mentioned earlier, we do not stop here. More local security checks will follow today and tomorrow, once Linux distributions have published their advisories.

We already published some facts about Log4j and how to deal with it in our recent posts:


Contact Free Trial Buy Here Back to Overview

/by
Elmar Geese

Scanning for Vulnerabilities like Log4Shell – How Does It Work?

Greenbone’s vulnerability management finds applications with Log4j vulnerabilities in systems that definitely need to be patched or otherwise protected. Depending on the type of systems and vulnerability, these can be found better or worse. Detection is also constantly improving and being updated. New breaches are found. Therefore, there may always be more systems with Log4Shell vulnerabilities in the network. For this reason, it is worthwhile to regularly update and scan all systems. The Greenbone vulnerability management offers appropriate automation functions for this purpose. But how are vulnerabilities found, and where can they be hidden? Why are vulnerabilities not always directly detectable? The following article will give you a brief insight into how scanning for vulnerabilities like Log4Shell works.

A vulnerability scanner makes specific queries to systems and services and can read from the responses what kind of systems and services they are, but also what products are behind them. This also includes information such as their versions or even settings and other properties. In many cases, this makes it possible to determine whether a vulnerability exists and whether it has already been eliminated. In practice, these are sometimes highly complicated and nested queries, but above all they are also very, very many. Entire networks are scanned for thousands of different vulnerabilities.

The Log4j vulnerability “Log4Shell” (CVE-2021-44228) is a flawed program library used in many web services products. Therefore, partly it is directly visible through a vulnerability scan, but partly it is hidden behind other elements. That is why there is not only one vulnerability test for Log4j, but several. More are added all the time because the manufacturers of the respective products share relevant information and also provide updates to close the gaps. The list of systems affected by Log4Shell is constantly updated at https://gist.github.com/SwitHak/b66db3a06c2955a9cb71a8718970c592.

Some of the vulnerability tests require an authenticated scan. This means that the scanner must first log into a system and then detect the vulnerability in the system. An authenticated scan can provide more details about vulnerabilities on the scanned system.

The vulnerability tests that are suitable to find the Log4j vulnerability are provided collectively in a scan configuration. Greenbone keeps this “Log4j” scan configuration continuously up-to-date in order to keep adding new tests. As a result, a scan may report a Log4j vulnerability tomorrow that was not found today. It is therefore advisable to configure the Log4j scan to run automatically on a regular basis. This is especially important in the next weeks, when many software vendors are gathering more findings. Greenbone continuously integrates these findings into the tests and the scan configuration.

scanning for vulnerabilities like Log4Shell
Does a Vulnerability Have to Be Exploited to Find It?

Exploiting a vulnerability to find it is not advisable. And fortunately, it is not necessary either. Doing so could cause the very damage that should be avoided at all costs. Moreover, a product vendor that provides vulnerability exploitation as a feature would potentially strongly encourage misuse of that feature, which raises further – not only legal – issues. Therefore, Greenbone’s vulnerability management does not include such features.

Exploitation of the Log4j vulnerability as attackers would do is also not required to prove the existence of the vulnerability. Greenbone has developed several tests to prove Log4Shell, each of which looks at systems in different depths. Several tests can detect the Log4j vulnerability with 100 % certainty, most with 80 % to 97 % certainty. Some tests also collect indicators of 30 % where they do not get close enough to the vulnerability. Each test at Greenbone makes a statement about detection certainty, which is stated as “Quality of Detection.”

What Is the Role of Software Product Vendors?

Manufacturers of a wide variety of products can use Log4j libraries, which are now vulnerable with it. Product manufacturers have included Log4j in different ways. Usually, a deep scan can find Log4j without the vendor’s help. However, most manufacturers also support the process through public vulnerability reports. These can then be used to write vulnerability tests that can provide a reliable vulnerability statement even with less deep scans. The reason for this is that the scans can use simpler configurations through vendor information. In addition, they also run faster.

In principle, however, a vulnerability scanner can also check and find vulnerabilities without the manufacturer publishing a vulnerability report.

Conclusion

Vulnerability management is an indispensable part of IT security. It can find risks and provides valuable information on how to fix them. However, no single measure provides 100 % security, not even vulnerability management. To make a system secure, many elements are used, which in their entirety should provide the best possible security.

This is comparable to a vehicle, where the passenger compartment, seat belts, airbags, brake support, assistance systems and much more increase safety, but can never guarantee it. Vulnerability management makes risks controllable.


Contact Free Trial Buy Here Back to Overview

/by
Elmar Geese

In-Depth Information About Greenbone’s Log4j Vulnerability Test Coverage

Update from 2021-12-20: information about additional vulnerabilities found for Log4j can be found here.

Update from 2021-12-20: vulnerability tests for products running on Microsoft Windows are now available.

Note: The tests check the existence of Log4j and its version. A separate vulnerability test may not be available for each affected application, but all Log4j files are found and reported (/path-to-log4j-file/).

The issued installation paths must be checked and, if necessary, the vendor must be contacted. It must be checked whether updates are already available for the respective application and whether the find is relevant.

PowerShell execution privileges on a target system are required for the account used in an authenticated scan. Some vulnerability tests execute PowerShell commands to increase the accuracy of the results, which require permissions for the duration of a scan.

Update from 2021-12-15: an additional attack vector was identified and reported in CVE-2021-45046. We are working on vulnerability tests for this vector, although our tests are working for this additional case too. We recommend to update to the latest Log4j version. The attack is more complicated and a protection requires a different configuration. But as this is a very new vector, we advise to better be save than sorry. For more information see https://www.lunasec.io/docs/blog/log4j-zero-day-update-on-cve-2021-45046/.

This article collects answers to the most frequently asked questions regarding Greenbone’s Log4j vulnerability test coverage.

What Is this Vulnerability About?

The “Log4Shell” vulnerability affects a software library responsible for recording events (so called “logging”) in software written in the Java programming language. A malicious attacker can use this vulnerability to execute code on the affected systems.

Since this vulnerability can be exploited through the Internet and without any authentication, this can be very critical for affected systems and companies. As the software is also included in a lot of software and services accessible through the Internet, many companies and services are likely to be affected.

More information about this vulnerability can be found here:

Are any Greenbone Products and Services Affected?

We checked the status of potentially affected systems with the highest priority. None of our products or internally and externally provided services are affected.

Can Greenbone Products Detect this Vulnerability?

Yes, detection routines have been integrated into the Greenbone Community Feed and into the Greenbone Enterprise Feed starting with feed version 202112130808. This means that both our appliances and our cloud product are able to detect this vulnerability.

While detection routines are available, the complex nature of this vulnerability means that a detection cannot be guaranteed to find every single affected system or products. This especially applies to unauthenticated “remote” checks, for the following reasons:

  • The product or service may only be vulnerable under very specific circumstances. As the Log4j library is very complex and highly configurable and it is used differently in many products, it is not possible to find all vulnerable instances through a remote check.
  • Security configurations in the customer’s network may prevent a successful verification of the vulnerability.
  • Products and services may also be affected indirectly.

A custom scan configuration for directly detecting this vulnerability as quickly as possible is also available through both feeds. Please note that the current scan configuration only contains active checks (remote and local). Package-version checks are not included to keep the scan configuration, and thus the scan time, minimal.

Is the Detection Included in the Greenbone Community Feed?

Yes. A basic detection for the vulnerability is included in both feeds. Additional vulnerability tests for potentially affected enterprise products are available through the Greenbone Enterprise Feed.

Which Detection Is Included in Which Feed?

Greenbone Enterprise Feed

We are continuously deploying vulnerability tests into the Greenbone Enterprise Feed, so the following list may be incomplete, but reports the status of 12:00 p.m.

Important: To get the most current information regarding your installation, you can search for ~CVE-2021-44228 in the “CVE” and “NVTs” section of the “SecInfo” menu on the web interface of your installation.

  • Apache Log4j 2.0.x < 2.15.0 RCE Vulnerability (Log4Shell)
  • Apache Log4j Detection (Linux/Unix SSH Login)
  • Apache Log4j 2.0.x < 2.15.0 RCE Vulnerability (HTTP, Log4Shell) – Active Check
  • Apache Struts 2.5.x Log4j RCE Vulnerability (Log4Shell)
  • Apache Druid < 0.22.1 Multiple Vulnerabilities (Log4Shell)
  • Apache Flink < 1.13.4, 1.14.x < 1.14.1 Log4j RCE Vulnerability (Log4Shell)
  • Apache Log4j 2.0.x < 2.15.0 RCE Vulnerability (TCP, Log4Shell) – Active Check
  • Apache Log4j 2.0.x < 2.15.0 RCE Vulnerability (UDP, Log4Shell) – Active Check
  • Apache Log4j 2.0.x < 2.15.0 RCE Vulnerability (SIP, Log4Shell) – Active Check
  • Apache Solr 7.x, 8.x Log4j RCE Vulnerability (Log4Shell) – Version Check
  • Debian: Security Advisory for apache-log4j2 (DSA-5020-1)
  • Debian LTS: Security Advisory for apache-log4j2 (DLA-2842-1)
  • Elastic Logstash Log4j RCE Vulnerability (Log4Shell)
  • Openfire < 4.6.5 Log4j RCE Vulnerability (Log4Shell)
  • VMware vCenter Server 6.5, 6.7, 7.0 Log4j RCE Vulnerability (VMSA-2021-0028, Log4Shell) – Version Check
  • VMware Workspace ONE Access Log4j RCE Vulnerability (VMSA-2021-0028, Log4Shell)
  • VMware vRealize Operations Log4j RCE Vulnerability (VMSA-2021-0028, Log4Shell)
  • VMware vRealize Log Insight Log4j RCE Vulnerability (VMSA-2021-0028, Log4Shell)
  • VMware vRealize Automation Log4j RCE Vulnerability (VMSA-2021-0028, Log4Shell)
  • VMware vRealize Orchestrator Log4j RCE Vulnerability (VMSA-2021-0028, Log4Shell)
  • VMware vCenter Server 6.5, 6.7, 7.0 Log4j RCE Vulnerability (VMSA-2021-0028, Log4Shell) – Active Check
  • ArcGIS Server <= 10.7.1 Log4j RCE Vulnerability (Log4Shell)
  • Metabase < 0.41.4 Log4j RCE Vulnerability (Log4Shell)
  • Splunk 8.1.x, 8.2.x Log4j RCE Vulnerability (Log4Shell)
  • Wowza Streaming Engine <= 4.8.16 Log4j RCE Vulnerability (Log4Shell)
  • SonicWall Email Security 10.x Log4j RCE Vulnerability (SNWLID-2021-0032, Log4Shell)
  • IBM WebSphere Application Server Log4j RCE Vulnerability (6525706, Log4Shell)
Greenbone Community Feed

We are continuously deploying vulnerability tests into the Greenbone Community Feed, so the following list may be incomplete, but reports the status of 12:00 p.m.

Important: To get the most current information regarding your installation, you can search for ~CVE-2021-44228 in the “CVE” and “NVTs” section of the “SecInfo” menu on the web interface of your installation.

  • Apache Log4j 2.0.x < 2.15.0 RCE Vulnerability (Log4Shell)
  • Consolidation of Apache Log4j detections
  • Apache Log4j Detection (Linux/Unix SSH Login)
  • Apache Log4j 2.0.x < 2.15.0 RCE Vulnerability (HTTP, Log4Shell) – Active Check
  • Debian: Security Advisory for apache-log4j2 (DSA-5020-1)
  • Elastic Logstash Log4j RCE Vulnerability (Log4Shell)
  • Debian LTS: Security Advisory for apache-log4j2 (DLA-2842-1)
  • Openfire < 4.6.5 Log4j RCE Vulnerability (Log4Shell)
  • Apache Log4j 2.0.x < 2.15.0 RCE Vulnerability (TCP, Log4Shell) – Active Check
  • Apache Log4j 2.0.x < 2.15.0 RCE Vulnerability (UDP, Log4Shell) – Active Check
  • Apache Log4j 2.0.x < 2.15.0 RCE Vulnerability (SIP, Log4Shell) – Active Check

About Authenticated/Unauthenticated Tests

Some version checks require authentication, others do not. Additionally, some could have both.

The respective information is available through the links returned by the search for ~CVE-2021-44228 in the “CVE” and “NVTs” section of the “SecInfo” menu on the web interface of your installation.

The “Quality of Detection” contains information on the detection method. A value of “package (97 %)” indicates an authenticated check, other values like “remote_banner (80 %)” happen unauthenticated.

For more technical information about this see https://docs.greenbone.net/GSM-Manual/gos-21.04/en/reports.html#quality-of-detection-concept.

About Active Tests/Test Checking Version, QoD

You can see if it is an active check based on the QoD and the “Detection Method” on the web interface when viewing the vulnerability test details.

Note: Only systems which are actually logging input which can be modified by an attacker (e.g., specific HTTP request headers, URLs, …) are vulnerable.

The detection method, Quality of Detection, mitigation and lots of further details are available through the links returned by the search for ~CVE-2021-44228 in the “CVE” and “NVTs” section of the “SecInfo” menu on the web interface of your installation.

Scanning for Nodes on Separate VRFs & VLANs

  • Out-of-band (OOB) scanning is currently not possible. Please scan in each segment.
  • We think of such an Out-of-band (OOB) communication/external interaction possibility to be integrated in the future.


Contact Free Trial Buy Here Back to Overview

/by
Markus Feilner

Ransomware as a Service: the Mindset of Cyber Criminals Has Changed

The second part of our series on the ongoing professionalization of attacks on IT systems deals with changes in the attackers’ mindset. Automation, commercialization and cloud computing have also left their mark on the typical profile of cyber criminals that admins and vulnerability management have to deal with. Contrary to common Hollywood clichés, the threat of Ransomware as a Service is usually not (anymore) posed by highly talented script kiddies with a lot of time on their hands or anarchistic world improvers in hoodies. Nor from highly qualified intelligence agencies equipped with seemingly endless resources.

Attacks Are Commissioned Work Today

Today’s most dangerous attacks are increasingly working “on contract,” pursuing a business model, and must also be guided by values such as efficiency or probability of success. Just as cloud computing has become an integral part of most companies’ IT, it now also serves cyber criminals to automate, organize and accelerate attacks. With great success: Ransomware has grown to become the biggest threat, and with Ransomware as a Service, attacks can be booked quite easily.

More and more security professionals are just now developing an understanding of the attackers’ business models: their logic is hardly any different from that of other companies. They invest the same resources in developing exploits and tools and want to achieve the highest possible return on investment (ROI). That is why they often pay close attention to the reusability of their tools.

Faced with limited resources, cyber criminals develop exploits for widely used technologies that offer high profit potential for multiple targets.

The Perspective of Cyber Criminals

The attackers have organized themselves, orders are placed on the darknet, and payment is made via Bitcoin. They are profit-maximized, efficiency-oriented and professionally structured: However, the new, economy-oriented logic can and must also be a key to better defense mechanisms. Especially when security managers see themselves buried under an avalanche of security warnings, it is helpful to understand how cyber criminals “tick”.

In order to secure their own systems, defense must now rethink and think outside the box. Understanding the logic of cyber criminals helps decipher key signals and close gaps. David Wolpoff, CTO of Randori, has formulated six key questions in a blog post on Threatpost that describe the mindset of modern cyber criminals well:

  1. What useful information about a target can be identified from the outside?
  2. How valuable is the target to the attackers?
  3. Is the target known to be easy to hack?
  4. What is the potential of the target and environment?
  5. How long will it take to develop an exploit?
  6. Is there a repeatable ROI for an exploit?

The more knowledge cyber criminals can gather about a technology or a person in a company, the better they can plan the next attack phase. In the first step, they thus ask how detailed the target can be described from the outside. For example, depending on the configuration, a web server may not reveal a server identifier or server names and detailed version numbers. If the exact version of a used service and its configuration is visible, precise exploits and attacks can be executed. This maximizes the chances of success while minimizing the probability of detection and the effort required.

No Longer Random

The increasingly important economic interest ensures that cyber criminals have to consider factors such as effort, time, money and risk more strongly. Accordingly, it is not worthwhile to attack or spy on systems indiscriminately. These days, attackers first clarify the potential value before acting and focus on promising targets such as VPNs and firewalls, credential stores, authentication systems or remote support solutions at the network edge. These could turn out to be master keys and unlock the way into the network or to credentials.

Again and again, reports of critical and incendiary vulnerabilities emerge that apparently no one had exploited for attacks. It sounds unbelievable, but often no one has done the work to program an exploit for a vulnerability. Modern cyber criminals increasingly follow the principle of return on investment and make use of existing proof of concepts (POC).

Complexity Is Unwanted

This sometimes yields surprising findings: modern cyber criminals avoid well-documented vulnerabilities. Extensive research and analysis of a particular vulnerability is more an indicator of unwanted complexity and effort, which one wants to keep to a minimum. RaaS hackers search for available tools or buy exploits already created for a particular object. Attackers want to move unnoticed in the systems they compromise. So they pick targets with few defenses where malware and pivoting tools work, such as desktop phones and VPN apps and other unprotected hardware. Many apps there are built with or for Linux, have a full scope of use, and have trusted pre-installed tools. This promises to keep them usable after an exploit and makes them all the more attractive to cyber criminals.

Surprising Cost-Benefit Calculation

Once the target has been set, attackers need to assess time, cost, and reusability. Vulnerability research also goes beyond simply uncovering unpatched devices. Cyber criminals must assess whether the cost of researching and developing the resulting tools is commensurate with the gain after an attack. Well-documented software or open-source tools that are easy to obtain and test mean a relatively easy target.

Also surprising: overall, the severity of a vulnerability does not play the central role for cyber criminals, according to Wolpoff. Planning an attack is far more complex and requires economic thinking. Recognizing that the other side must also make compromises helps defend cloud environments in a meaningful way. Protecting everything, everywhere, all the time from all attackers is illusory. Thinking more like them, however, makes prioritization easier.

In the third part of this series of articles, it’s all about whether the Ransomware-as-a-Service model would be possible without Bitcoin and darknet, and whether the two technologies actually deliver what the attackers promise in that context.

Contact Free Trial Buy Here Back to Overview
/by