There are health data attractive to attackers in hospitals, doctors’ offices, laboratories and consumers’ devices. The latest security report from the German BSI shows that stealing these data is increasingly becoming a main target of attackers and attacks.

For several years now, the “Network and Information Security Directive“ (NIS) and the KRITIS legislation has required German institutions in eleven sectors to apply stronger and more precise security measures, including reporting obligations, risk analyses and resilience plans. And this is already having its impact on the healthcare sector: according to a recent BSI study, the healthcare sector ranks second in terms of the number of reported data leaks in 2024 – showing clear evidence that now is the time to act.

Almost Every Fifth Incident Report from the Healthcare Sector

Of the 726 reports received by the BSI last year, a quarter came from the transport and traffic sector, while almost 20 % originated in the healthcare sector. Close behind: Energy (18.8 %), Finance and Insurance with 16.5 %, ranking fourth. The threat level is high, especially for hospitals and facilities – even if the reported figures should be treated with caution. Whether banks, for example, are just as motivated to report intrusions and failures as much as hospitals are, seems debatable.

On the other hand, the fact that healthcare data is only ranked eighth in the list of leaked data in the BSI report should not detract from the threat itself. For one thing, the leaked data are sorted according to frequency, and almost every more frequently leaked information also occurs in other contexts (possibly with the exception of social security numbers). However, payment data, names and addresses are information that is likely to be much more attractive to attackers than “naked” health data.

Provisions of the KRITIS Umbrella Law

Meanwhile, the cabinet of the German government launched the KRITIS umbrella law just before the end of the existing coalition. At the beginning of November, the details of the law were agreed, which is intended to act as a kind of protective umbrella over various sectors as an analogous complement to NIS2. It is not yet clear when the Bundestag will pass the law, but chances are high that it will.

According to these plans, the healthcare sector must also introduce operational resilience management, which includes setting up operational risk and crisis management, carrying out risk analyses and assessments, drawing up resilience plans and implementing suitable measures (technical, personnel and organizational) – all measured and organized with the help of Business Continuity Management Systems (BCMS) and Information Security Management Systems (ISMS).

BCMS and ISMS implementations are measured on the basis of maturity levels ( from 1 to 5; the higher, the better). In the BSI report mentioned above, their implementation in the healthcare sector is still mixed, as everywhere. Healthcare institutions are in the middle of the pack, most have implemented ISMS and BCMS, but only a few regularly check them for effectiveness or even improve them.

In the case of the mandatory systems for attack detection, most players have already started implementation and implemented the mandatory (Must) requirements, but only a small proportion have also established target (Should) requirements. Only a few have implemented a continuous improvement process.

Specific Threats in the Healthcare Sector

The same rules and experiences apply to hospitals, doctors’ surgeries and other institutions: For them, the IT security magazine CSO online reports 81 % more ransomware attacks in recent years, with over 91 percent of “malware-related security breaches” in 2024 involving ransomware. According to CSO, only “multi-factor authentication and detection and response technologies”, such as those offered by Greenbone with its vulnerability management, can protect against this. Clouds are not immune to this either: 53 % of administrators in the healthcare sector told CSO that they had “experienced a cloud-related data breach in the last year”. Furthermore, attackers are increasingly targeting websites, botnets, phishing campaigns, and the growing number of vulnerable IoT devices, both in the consumer sector and at the network edge.

“The Future of the enterprise is private”: This was announced by none other than Broadcom CEO Hock Tan in a blog post. Broadcom, in particular, has so far tried to push the many VMware customers into the cloud with a very aggressive pricing policy. Now it seems they want to stop doing that. Virtualization on-premises – and with it, to some extent, a return to the private cloud – is back in fashion. This change at Broadcom was triggered by customer feedback, which makes it particularly interesting.

Technology users want to master the three Cs: complexity, costs and control. Every solution scenario must face this – in particular, this also applies to cloud offerings. If the dependency on a proprietary product offering is significantly greater than with an open source product anyway, this applies even more to a cloud offering. 

Complexity

Especially if the corresponding offers do not follow open standards, which is usually the case, the portability of solutions is difficult. As a result, hyperscalers increasingly see themselves as “Platform as a Service” providers rather than as “Infrastructure as a Service” providers. Those who succumb to the lure of technically sophisticated components are left at the mercy of the provider’s pricing model. More and more companies are realizing this and are therefore opting for greater sovereignty.

Costs

Cloud infrastructures are becoming increasingly complex, and anyone who has seen how the costs of containerization and “clustering” skyrocket increasingly wants simpler virtualization. In critical applications, such as security solutions, hardware is still in demand. 

Control

The strongest argument, however, is probably “control”. It combines costs and complexity and adds another important aspect. Dependency and control are mutually exclusive. Every organization using technology must retain at least as much control as it takes responsibility for security and availability. If it also wants to use its freedom of action, it needs independence. 

The challenge for IT managers is increasingly to find the balance between using self-made solutions and ready-made services. While there has been a clear trend towards the latter in recent years, we are now seeing the first indicators that this trend is weakening. Above all, moving everything into clouds does not appear to be a solution.

Perspectives

Surprisingly, the rapidly growing Artificial Intelligence (AI) sector shows how it can be done without clouds. More and more companies and organizations are asking themselves whether they really need the large language model and whether its use justifies the associated data drain. This may not be critical in an advertising agency, but in security-relevant industries, data sovereignty is more and more becoming an issue.

As a result, there is growing demand in the military sector, for example, for mobile AI solutions that require significantly fewer resources. AI on edge devices is not the solution for everything, but it often can be. Private clouds are also a good alternative to ChatGPT & Co. On-premises is becoming an increasingly prominent topic even in the hyped area of AI, because data sovereignty and transparency play a special role there. The development of ever more efficient models is also contributing to the move out of the cloud. In addition to the aspects of cost, control and complexity, these models have another major advantage: they require significantly less energy. Perhaps a “green AI” will be the next hype. 

The Singapore International Cyber Week (SICW) is one of the most important cybersecurity events worldwide. We were able to present our solutions to an international audience – and recieved great interest, inspiring discussions and valuable feedback. Three successful days in Singapore and an important step in strengthening our international presence!

Since its launch, SICW has been bringing together leading companies, start-ups, government organizations and security authorities from around the world every year. The aim is to share knowledge, promote partnerships and present innovative solutions that meet the growing challenges in the field of cybersecurity. The event, organized by the Cyber Security Agency of Singapore (CSA), was launched in 2016 and has been held annually in Singapore ever since.

This year, Greenbone had the honor of being present at SICW as a technology partner of Huawei. During three exciting days, we presented our Enterprise Appliances to an international audience and were thrilled by the response.

Great Interest in Greenbone Solutions

We were overwhelmed by the positive feedback from visitors to our solutions – for us a strong signal that our cybersecurity solutions are also very important for the Asian market. In numerous discussions, we repeatedly noticed how great the interest is in a vulnerability scanner with excellent feed that focuses on the essentials while also allowing connection to other systems via its API.

VIP Visitors and Inspiring Talks

We were particularly pleased to welcome prominent personalities to our booth. A real highlight was the visit of John Tan, Commissioner of Cybersecurity and Chief Executive of the Cybersecurity Agency of Singapore. His interest and the numerous discussions with potential customers and partners have encouraged us to further expand our presence in Asia.

Not entirely unexpected star of our appearance was “the Beast”, our company logo as a plush toy. It put a smile on the faces of many visitors to our stand and often served as a friendly icebreaker, facilitating lively and valuable discussions. 

Conclusion: Momentum for the Future

SICW was a great success for Greenbone. We were not only able to present our solutions to a broad audience, but also establish valuable connections and noticeably increase interest in the Asian market. The great popularity and high demand for our “Beast” shows that our brand is also very well received emotionally – and we look forward to continuing to build on this momentum.

We’re excited to announce the coming release of Greenbone Enterprise Appliance (GEA) version 24.10, with new front-end features to enhance your vulnerability management activities, and performance enhancing back-end features. Our GEA product line includes a wide range of enterprise vulnerability management solutions including dedicated hardware appliances and virtual machine (VM) configurations suitable for enterprises of all sizes.

This newest release of GEA reflects Greenbone’s commitment empowering fundamental cybersecurity best practices, allowing organizations to close security gaps before threat actors can exploit them. With improved performance, enhanced scanning capabilities, and refined user experience, GEA 24.10 offers a robust solution for proactive, comprehensive cybersecurity. In this post, we’ll delve into the latest features and improvements that make GEA 24.10 a vital upgrade for enterprise exposure management and cybersecurity compliance.

What’s New in GEA Version 24.10?

From a high-level vantage, the Greenbone Security Assistant (GSA) web-interface has a totally new look. GSA is the IT administrator’s doorway into security visibility, and GEA 24.10 features a modern minimalist look and feel, emphasizing utility and keeping Greenbone’s capabilities within reach. But the new look is just scratching the surface. Let’s review some deeper changes on the horizon.

The New Compliance Audit Report View

Cybersecurity compliance is increasingly important. New regulations across the EU such as Digital Operational Resilience Act (DORA), Network and Information Security Directive 2 (NIS2)  and the Cyber Resilience Act (CRA) require organizations to take more actions. Other forces such as cybersecurity insurance and the need for stronger third party oversight are impacting how companies oversee their cybersecurity operations.

GEA 24.10 includes a brand new compliance-focused view designed to enhance insight into regulatory and policy alignment. The new compliance view allows greater visibility into cybersecurity risks, supporting alignment with IT governance goals. It hosts compliance audit reports, new dashboard displays and filtering options. This helps keep compliance-focused data distinct from regular scan reports. Delta audit reports also highlight compliance progress with visual indicators and tooltips for easy identification.

EPSS Support Adds AI-Based Prioritization

As the number of CVEs (Common Vulnerabilities and Exposures) continues to increase, prioritizing vulnerabilities to focus on the most high-impact threats is critical. The Exploit Prediction Scoring System (EPSS) is an AI-driven metric that estimates the likelihood of a vulnerability being exploited in the wild using historical data to predict which new CVEs are highest risk.

EPSS data is now integrated into GEA 24.10 directly, bringing current exploitation probabilities for every currently active CVE into the Greenbone platform. This enables administrators to leverage up-to-date exploit probability scores and percentiles, in addition to the traditional CVSS Common Vulnerability Scoring System) severity, empowering them to focus on vulnerabilities that are most likely to be actively targeted by attackers.

More Adaptable CSV and JSON Report Exporting Capabilities

Greenbone’s approach has always centered on simplicity and flexibility, making it easy to fit unique organizational needs. With GEA 24.10, we’ve introduced JSON formatted report exporting capabilities. Users can also customize the fields to be included in exported CSV or JSON reports. Reports can now be configured to match requirements more precisely, to focus on what’s essential for analysis, compliance, or decision-making.

Additional Backend Optimizations

To enhance the flexibility and accuracy of vulnerability matching, GEA 24.10 introduces several backend optimizations focused on CPE (Common Platform Enumeration) handling and feed management. Here is a look at what’s new:

  • The GEA 24.10 backend can convert CPEv2.3 strings to CPEv2.2 URIs, storing both versions for more reliable affected product matching. Future development may include advanced, on-the-fly matching, bringing even more precision to vulnerability assessments.
  • GEA now supports JSON-based CVE, CPE, EPSS and CERT feeds and gzip data compression.

Summary

With the coming release of GEA 24.10, Greenbone takes its leading vulnerability management solution to the next level. Get ready for a modernized, user-friendly GSA web interface and a compliance-focused audit report view that brings even greater transparency. Enhanced CSV and JSON export features give you complete control over your report data. New to this version: AI-based EPSS for intelligent vulnerability risk prioritization. Powerful backend optimizations also ensure seamless compatibility with new CPE formats and JSON-based feeds. With these new features, Greenbone offers a robust, flexible solution that empowers organizations to stay proactive against threats and strengthen their cybersecurity strategy.

Webinar on the Major Release

Find out everything you need to know about the new release 24.10. in the webinar. In just 30 minutes, our experts will show you how to keep an even better eye on security requirements with the new functions. Experience the next generation of IT security with Greenbone!

Dates:
Tuesday, November 26, 2024, 9:00 AM – 9:30 AM CET
Tuesday, November 26, 2024, 4:00 PM – 4:30 PM CET

Register now

The Common Security Advisory Framework (CSAF) is a framework for providing machine-readable security advisories following a standardized process to enable automated cybersecurity information sharing. Greenbone is continously working on the integration of technologies that leverage the CSAF 2.0 standard for automated cybersecurity advisories. For an introduction to CSAF 2.0 and how it supports next-generation vulnerability management, you can refer to our previous blog post.

In 2024, the NIST National Vulnerabilities Database (NVD) outage has disrupted the flow of critical cybersecurity intelligence to downstream consumers. This makes the decentralized CSAF 2.0 model increasingly relevant. The outage highlights the need for a decentralized cybersecurity intelligence framework for increased resilience against a single point of failure. Those who adopt CSAF 2.0, will be one step closer to a more reliable cybersecurity intelligence ecosystem.


Table of Contents

1. What We Will Cover in this Article
2. Who Are the CSAF Stakeholders?
2.1. Understanding Roles in the CSAF 2.0 Process
2.1.1. CSAF 2.0 Issuing Parties
2.1.1.1. Understanding the CSAF Publisher Role
2.1.1.2. Understanding the CSAF Provider Role
2.1.1.3. Understanding the CSAF Trusted-Provider Role
2.1.2. CSAF 2.0 Data Aggregators
2.1.2.1. Understanding the CSAF Lister Role
2.1.2.2. Understanding the CSAF Aggregator Role
3. Summary


1. What We Will Cover in this Article

This article will provide a detailed explanation of the various stakeholders and roles defined in the CSAF 2.0 specification. These roles govern the mechanisms of creating, disseminating and consuming security advisories within the CSAF 2.0 ecosystem. By understanding who the stakeholders of CSAF are and the standardized roles defined by the CSAF 2.0 framework, security practitioners can better realize how CSAF works, whether it can serve to benefit their organization and how to implement CSAF 2.0.

2. Who Are the CSAF Stakeholders?

At the highest level, the CSAF process has two primary stakeholder groups: upstream producers who create and supply cybersecurity advisories in the CSAF 2.0 document format and downstream consumers (end-users) who consume the advisories and apply the security information they contain.

Upstream producers are typically software product vendors (such as Cisco, Red Hat and Oracle) who are responsible for maintaining the security of their digital products and providing publicly available information about vulnerabilities. Upstream stakeholders also include independent security researchers and public entities that act as a source for cybersecurity intelligence such as the US Cybersecurity Intelligence and Security Agency (CISA) and the German Federal Office for Information Security (BSI).

Downstream consumers consist of private corporations who manage their own cybersecurity and Managed Security Service Providers (MSSPs), third-party entities that provide outsourced cybersecurity monitoring and management. The information contained in CSAF 2.0 documents is used downstream by IT security teams to identify vulnerabilities in their infrastructure and plan remediation and by C-level executives for assessing how IT risk could negatively impact operations.

The basic flow CSAF 2.0 cybersecurity advisories from upstream producers to downstream consumers

The CSAF 2.0 standard defines specific roles for upstream producers that outline their participation in creating and disseminating advisory documents. Let’s examine those officially defined roles in more detail.

2.1. Understanding Roles in the CSAF 2.0 Process

CSAF 2.0 Roles are defined in Section 7.2. They are divided into two distinct groups: Issuing Parties (“Issuers”) and Data Aggregators (“Aggregators”). Issuers are directly involved in the creation of advisory documents. Aggregators collect those documents and distribute them to end-users, supporting automation for consumers. A single organization may fulfill the roles of both an Issuer and an Aggregator, however, these functions should operate as separate entities.  Obviously, organizations who act as upstream producers must also maintain their own cybersecurity. Therefore, they may also be a downstream consumer – ingesting CSAF 2.0 documents to support their own vulnerability management activities.

A high-level diagram showing the relationship between Issuing Parties and Data Aggregators

Next, let’s break down the specific responsibilities for CSAF 2.0 Issuing Parties and Data Aggregators.

2.1.1. CSAF 2.0 Issuing Parties

Issuing Parties are the origin of CSAF 2.0 cybersecurity advisories. However, Issuing Parties are not responsible for transmitting the documents to end-users. Issuing Parties are responsible for indicating if they do not want their advisories to be listed or mirrored by Data Aggregators. Also, CSAF 2.0 Issuing Parties can also act as Data Aggregators.

Here are explanations of each sub-role within the Issuing Parties group:

2.1.1.1. Understanding the CSAF Publisher Role

Publishers are typically organizations that discover and communicate advisories only on behalf of its own digital products. Publishers must satisfy requirements 1 to 4 in Section 7.1 of the CSAF 2.0 specification. This means issuing structured files with valid syntax and content that adhere to the CSAF 2.0 filename conventions described in Section 5.1 and ensuring that files are only available via encrypted TLS connections. Publishers must also make all advisories classified as TLP:WHITE publicly accessible.

Publishers must also have a publicly available provider-metadata.json document containing basic information about the organization, its CSAF 2.0 role status, and links to an OpenPGP public key used to digitally sign the provider-metadata.json document to verify its integrity. This information about the Publisher is used downstream by software apps that display the publisher’s advisories to end-users.

2.1.1.2. Understanding the CSAF Provider Role

Providers make CSAF 2.0 documents available to the broader community. In addition to meeting all the same requirements as a Publisher, a Provider must provide its provider-metadata.json file according to a standardized method (at least one of the requirements 8 to 10 from Section 7.1), employ standardized distribution for its advisories, and implement technical controls to restrict access to any advisory documents with a TLP:AMBER or TLP:RED status.

Providers must also choose to distribute documents in either a directory-based or the ROLIE-based method. Simply put, directory-based distribution makes advisory documents available in a normal directory path structure, while ROLIE (Resource-Oriented Lightweight Information Exchange) [RFC-8322] is a RESTful API protocol designed specifically for security automation, information publication, discovery and sharing.

If a Provider uses the ROLIE-based distribution, it must also satisfy requirements 15 to 17 from Section 7.1. Alternatively, if a Provider uses the directory-based distribution it must satisfy requirements 11 to 14 from Section 7.1.

2.1.1.3. Understanding the CSAF Trusted-Provider Role

Trusted-Providers are a special class of CSAF Providers who have established a high level of trust and reliability. They must adhere to stringent security and quality standards to ensure the integrity of the CSAF documents they issue.

In addition to meeting all the requirements of a CSAF Provider, Trusted-Providers must also satisfy the requirements 18 to 20 from Section 7.1 of the CSAF 2.0 specification. These requirements include providing a secure cryptographic hash and OpenPGP signature file for each CSAF document issued and ensuring the public part of the OpenPGP signing key is made publicly available.

2.1.2. CSAF 2.0 Data Aggregators

Data Aggregators focus on the collection and redistribution of CSAF documents. They act as a directory for CSAF 2.0 Issuers and their advisory documents and intermediary between Issuers and end-users. A single entity may act as both a CSAF Lister and Aggregator. Data Aggregators may choose which upstream Publishers’ advisories to list or collect and redistribute based on their customer’s needs.

Here are explanations of each sub-role in the Data Aggregator group:

2.1.2.1. Understanding the CSAF Lister Role

Listers gather CSAF documents from multiple CSAF Publishers and list them in a centralized location to facilitate retrieval. The purpose of a Lister is to act as a sort of directory for CSAF 2.0 advisories by consolidating URLs where CSAF documents can be accessed. No Lister is assumed to provide a complete set of all CSAF documents.

Listers must publish a valid aggregator.json file that lists at least two separate CSAF Provider entities and while a Lister may also act as an Issuing Party, it may not list mirrors pointing to a domain under its own control.

2.1.2.2. Understanding the CSAF Aggregator Role

The CSAF Aggregator role represents the final waypoint between published CSAF 2.0 advisory documents and the end-user. Aggregators provide a location where CSAF documents can be retrieved by an automated tool. Although Aggregators act as a consolidated source of cybersecurity advisories, comparable to NIST NVD or The MITRE Corporation’s CVE.org, CSAF 2.0 is a decentralized model as opposed to a centralized model. Aggregators are not required to offer a comprehensive list of CSAF documents from all Publishers. Also, Publishers may provide free access to their CSAF advisory feed, or operate as a paid service.

Similarly to Listers, Aggregators must make an aggregator.json file available publicly and CSAF documents from each mirrored Issuer must be placed in a separate dedicated folder along with the Issuer’s provider-metadata.json. Essentially, Aggregators must satisfy the requirements 1 to 6 and 21 to 23 from Section 7.1 of the CSAF 2.0 specification.

CSAF Aggregators are also responsible for ensuring that each mirrored CSAF document has a valid signature (requirement 19) and a secure cryptographic hash (requirement 18). If the Issuing Party does not provide these files, the Aggregator must generate them.

3. Summary

Understanding CSAF 2.0 stakeholders and roles is essential for ensuring proper implementation of CSAF 2.0 and to benefit from automated collection and consumption of critical cybersecurity information. The CSAF 2.0 specification defines two main stakeholder groups: upstream producers, responsible for creating cybersecurity advisories, and downstream consumers, who apply this information to enhance security. Roles within CSAF 2.0 include Issuing Parties, such as Publishers, Providers, and Trusted-Providers to who generate and distribute advisories, and Data Aggregators, like Listers and Aggregators, who collect and disseminate these advisories to end-users.

Members of each role must adhere to specific security controls that support the secure transmission of CSAF 2.0 documents, and the Traffic Light Protocol (TLP) governs how documents are authorized to be shared and the required access controls.

October was European Cyber Security Month (ECSM) and International Cybersecurity Awareness month with the latter’s theme being “Secure Our World”. It’s safe to say that instilling best practices for online safety to individuals, businesses and critical infrastructure is mission critical in 2024. At Greenbone, in addition to our Enterprise vulnerability management products, we are happy to make enterprise grade IT security tools more accessible via our free Community Edition, Community Portal and vibrant Community Forum to discuss development, features and get support.

Our core message to cybersecurity decision makers is clear: To patch or not to patch isn’t a question. How to identify vulnerabilities and misconfigurations before an attacker can exploit them is. Being proactive is imperative; once identified, vulnerabilities must be prioritized and fixed. While alerts to active exploitation can support prioritization, waiting to act is unacceptable in high risk scenarios. Key performance indicators can help security teams and executive decision makers track progress quantitatively and highlight areas that need improvement.

In this month’s Threat Tracking blog post, we will review this year’s ransomware landscape including the root causes of ransomware attacks and replay some of the top cyber threats that emerged in October 2024.

International Efforts to Combat Ransomware Continue

The International Counter Ransomware Initiative (CRI), consisting of 68 countries and organizations (notably lacking Russia and China), convened in Washington, D.C., to improve ransomware resilience globally. The CRI aims to reduce global ransomware payments, improve incident reporting frameworks, strengthen partnerships with the cyber insurance industry to lessen the impact of ransomware incidents, and enhance resilience by establishing standards and best practices for both preventing and recovering from ransomware attacks.

Microsoft’s Digital Defense Report 2024 found the rate of attacks has increased so far in 2024, yet fewer breaches are reaching the encryption phase. The result is fewer victims paying ransom overall. Findings from Coveware, Kaseya, and the Chainanalysis blockchain monitoring firm also affirm lower rates of payout. Still, ransomware gangs are seeing record profits; more than 459 million US-Dollar were extorted during the first half of 2024. This year also saw a new single incident high; a 75 million US-Dollar extortion payout amid a trend towards “big game hunting” – targeting large firms rather than small and medium sized enterprises (SMEs).

What Is the Root Cause of Ransomware?

How are successful ransomware attacks succeeding in the first place? Root cause analyses can help: A 2024 Statista survey of organizations worldwide reports exploited software vulnerabilities are the leading root cause of successful ransomware attacks, implicated in 32% of successful attacks. The same survey ranked credential compromise the second-most common cause and malicious email (malspam and phishing attacks) third. Security experts from Symantec claim that exploitation of known vulnerabilities in public facing applications has become the primary initial access vector in ransomware attacks. Likewise, KnowBe4, a security awareness provider, ranked social engineering and unpatched software as the top root causes of ransomware.

These findings bring us back to our core message and highlight the importance of Greenbone’s industry leading core competency: helping defenders identify vulnerabilities lurking in their IT infrastructure so they can fix and close exploitable security gaps.

FortiJump: an Actively Exploited CVE in FortiManager

In late October 2024, Fortinet alerted its customers to a critical severity RCE vulnerability in FortiManager, the company’s flagship network security management solution. Dubbed “FortiJump” and tracked as CVE-2024-47575 (CVSS 9.8), the vulnerability is classified as “Missing Authentication for Critical Function” [CWE-306] in FortiManager’s fgfm daemon. Google’s Mandiant has retroactively searched logs and confirmed this vulnerability has been actively exploited since June 2024 and describes the situation as a mass exploitation scenario.

Another actively exploited vulnerability in Fortinet products, CVE-2024-23113 (CVSS 9.8) was also added to CISA’s KEV catalog during October. This time the culprit is an externally-controlled format string in FortiOS that could allow an attacker to execute unauthorized commands via specially crafted packets.

Greenbone is able to detect devices vulnerable to FortiJump, FortiOS devices susceptible to CVE-2024-23113 [1][2][3], and over 600 other flaws in Fortinet products.

Iranian Cyber Actors Serving Ransomware Threats

The FBI, CISA, NSA and other US and international security agencies issued a joint advisory warning of an ongoing Iranian-backed campaign targeting critical infrastructure networks particularly in healthcare, government, IT, engineering and energy sectors. Associated threat groups are attributed with ransomware attacks that primarily gain initial access by exploiting public facing services [T1190] such as VPNs. Other techniques used in the campaign include brute force attacks [T1110], password spraying [T1110.003], and MFA fatigue attacks.

The campaign is associated with exploitation of the following CVEs:

Greenbone can detect all CVEs referenced in the campaign advisories, providing defenders with visibility and the opportunity to mitigate risk. Furthermore, while not tracked as a CVE, preventing brute force and password spraying attacks is cybersecurity 101. While many authentication services do not natively offer brute force protection, add-on security products can be configured to impose a lockout time after repeated login failures. Greenbone can attest compliance with CIS security controls for Microsoft RDP including those that prevent brute-force and password spraying login attacks.

Finally, according to the EU’s Cyber Resilience Act’s (CRA), Annex I, Part I (2)(d), products with digital elements must “ensure protection from unauthorized access by appropriate control mechanisms”, including systems for authentication, identity and access management, and should also report any instances of unauthorized access. This implies that going forward the EU will eventually require all products to have built-in brute force protection rather than relying on third-party rate limiting tools such as fail2ban for Linux.

Unencrypted Cookies in F5 BIG-IP LTM Actively Exploited

CISA has observed that cyber threat actors are exploiting unencrypted persistent cookies on F5 BIG-IP Local Traffic Manager (LTM) systems. Once stolen, the cookies are used to identify other internal network devices which can further allow passive detection of vulnerabilities within a network. Similar to most web-applications, BIG-IP passes an  HTTP cookie between the client and server to track user sessions. The cookie, by default, is named BIGipServer<pool_name> and its value contains the encoded IP address and port of the destination server.

F5 BIG-IP is a network traffic management suite and LTM is the core module that provides load balancing and traffic distribution across servers. CISA advises organizations to ensure persistent cookies are encrypted. F5 offers guidance for setting up cookie encryption and a diagnostic tool, BIG-IP iHealth to detect unencrypted cookie persistence profiles.

While active exploitation increases the threat to organizations who have not remediated this weakness, the vulnerability has been known since early 2018.  Greenbone has included detection for this weakness since January 2018, allowing users to identify and close the security gap presented by unencrypted cookies in F5 BIG-IP LTM since its disclosure.

New High Risk Vulnerabilities in Palo Alto Expedition

Several new high risk vulnerabilities have been disclosed in Palo Alto’s Expedition, a migration tool designed to streamline the transition from third-party security configurations to Palo Alto’s PAN-OS. While not observed in active campaigns yet, two of the nine total CVEs assigned to Palo Alto in October were rated with EPSS scores in the top 98th percentile.  EPSS (Exploit Prediction Scoring System) is a machine learning prediction model that estimates the likelihood of a CVE being exploited in the wild within 30 days from the model prediction.

Here is a brief technical description of each CVE:

  • CVE-2024-9463 (CVSS 7.5, EPSS 91.34%): An OS command injection vulnerability in Palo Alto’s Expedition allows an unauthenticated attacker to run arbitrary OS commands as root in Expedition, resulting in disclosure of usernames, cleartext passwords, device configurations and device API keys of PAN-OS firewalls.
  • CVE-2024-9465 (CVSS 9.1, EPSS 73.86%): An SQL injection vulnerability in Palo Alto Networks Expedition allows an unauthenticated attacker to reveal sensitive database contents, such as password hashes, usernames, device configurations and device API keys. Once this information has been obtained, attackers can create and read arbitrary files on affected systems.

Four Critical CVEs in Mozilla Firefox: One Actively Exploited

As mentioned before on our Threat Tracking blog, browser security is critical for preventing initial access, especially for workstation devices. In October 2024, seven new critical severity and 19 other less critical vulnerabilities were disclosed in Mozilla Firefox < 131.0 and Thunderbird < 131.0.1. One of these, CVE-2024-9680, was observed being actively exploited against Tor network users and added to CISA’s known exploited catalog. Greenbone includes vulnerability tests to identify all affected Mozilla products.

The seven new critical severity disclosures are:

  • CVE-2024-9680 (CVSS 9.8): Attackers achieved unauthorized RCE in the content process by exploiting a Use-After-Free in Animation timelines. CVE-2024-9680 is being exploited in the wild.
  • CVE-2024-10468 (CVSS 9.8): Potential race conditions in IndexedDB allows memory corruption, leading to a potentially exploitable crash.
  • CVE-2024-9392 (CVSS 9.8): A compromised content process enables arbitrary loading of cross-origin pages.
  • CVE-2024-10467, CVE-2024-9401 and CVE-2024-9402 (CVSS 9.8): Memory safety bugs present in Firefox showed evidence of memory corruption. Security researchers presume that with enough effort some of these could have been exploited to run arbitrary code.
  • CVE-2024-10004 (CVSS 9.1): Opening an external link to an HTTP website when Firefox iOS was previously closed and had an HTTPS tab open could result in the padlock icon showing an HTTPS indicator incorrectly.

Summary

Our monthly Threat Tracking blog covers major cybersecurity trends and high-risk threats. Key insights for October 2024 include expanded efforts to counter ransomware internationally and the role proactive vulnerability management plays in preventing successful ransomware attacks. Other highlights include Fortinet and Palo Alto vulnerabilities actively exploited and updates on an Iranian-backed cyber attack campaign targeting public-facing services of critical infrastructure sector entities. Additionally, F5 BIG-IP LTM’s unencrypted cookie vulnerability, exploited for reconnaissance, and four new Mozilla Firefox vulnerabilities, one actively weaponized, underscore the need for vigilance.

Greenbone facilitates identification and remediation of these vulnerabilities and more, helping organizations enhance resilience against evolving cyber threats. Prioritizing rapid detection and timely patching remains crucial for mitigating risk.

A DoS attack (Denial of Service) can mean a complete standstill: an important service fails, an application no longer responds or access to one’s own system is blocked. DoS attacks have a clear, destructive goal: to paralyze digital resources, preventing access to the legitimate users. The consequences of a DoS attack can be drastic: from downtime and business interruptions to financial losses and significant risks for the entire organization.

For several years, DoS attacks have been on the rise and have significantly impacted business, critical infrastructure and healthcare services. DoS attacks are also being leveraged in sophisticated cyber military campaigns and to extort victims into paying a ransom. What lies behind these attacks and how can you protect yourself?

Widening the Threat Landscape

With unauthorized access attackers may impose DoS by simply shutting down a system [T1529]. Otherwise, application logic flaws can allow a remote attacker to crash the system, or they may flood it with network traffic to exhaust its resources. Blocking account access [T1531], destroying data [T1485], or deploying ransomware [T1486] can further hinder system recovery [T1490] or distract defenders while other attacks take place. At the same time, disabled critical services increase vulnerability to further cyber attacks; if a virus scanner is stopped, malware can enter the network unimpeded; if backup services are down, full recovery from ransomware may be impossible.

DoS Attacks Often Leverage Known Weaknesses

DoS attacks often exploit weaknesses in network protocol specifications, improper protocol implementations, faulty logic in software applications, or misconfigurations. Some software flaws that could allow DoS attacks include:

  • Uncontrolled resource consumption
  • Buffer overflows
  • Memory leaks
  • Improper error handling
  • Asymmetric resource consumption (amplification)
  • Failure to release a resource after use

When vulnerabilities such as these are discovered, vendors rush to issue patches. However, only users who install them are protected. By scanning network and host attack surfaces, IT security teams can be alerted to DoS and other types of vulnerabilities. Once alerted, defenders can act by applying updates or adjusting vulnerable configurations.

Types of DoS Attacks

DoS attacks may employ a variety of different techniques, such as flooding networks with excessive traffic, exploiting software vulnerabilities, or manipulating application-level functions. Understanding how DoS attacks work and their potential impact is crucial for organizations to develop comprehensive defense strategies and minimize the risk of such disruptions.

The main categories of DoS attacks include:

  • Volume Based DoS Attacks: Volume-based DoS attacks overwhelm the target’s network bandwidth or compute resources such as CPU and RAM with high volumes of traffic, rendering the network unable to fulfill its legitimate purpose.
  • Application and Protocol DoS Attacks: These attacks target vulnerabilities within software applications or network protocols, which may reside at any layer of the protocol stack. Attackers exploit flaws in a protocol specification, flawed application logic, or system configurations to destabilize or crash the target.
  • Amplification DoS Attacks: Amplification attacks exploit specific protocols that generate a response larger than the initial request. Attackers send small queries to the target which responds with large packets. This tactic significantly amplifies the impact to the victim as high as 100 times the initial request size.
  • Reflection DoS Attacks: The attacker sends a request to a service, but replaces the source IP address with the victim’s IP. The server then sends its response to the victim, “reflecting” the attacker’s forged requests. Reflection attacks typically rely on UDP (User Datagram Protocol) due to its connectionless nature. Unlike TCP, UDP-based services do not automatically verify the source IP address of data they receive.
  • Distributed DoS Attacks (DDoS): DDoS attacks leverage large groups of compromised devices (often called a botnet) to send overwhelming amounts of traffic to a target. Botnets consist of hacked web servers or SOHO (Small Office, Home Office) routers from all over the world and are controlled centrally by the threat actor. The distributed nature of DDoS attacks make them much harder to mitigate, as the malicious traffic comes from many different IP addresses. This makes it difficult to distinguish legitimate users and infeasible to block the botnet’s large number of unique IP addresses.

Using Greenbone Against System Breakdown

Government cybersecurity agencies from all NATO countries such as Germany, the US, and Canada urge vulnerability management as a top priority for defending against DoS attacks.  By scanning for known vulnerabilities, Greenbone helps close the door to DoS attacks and can identify when human error contributes to the problem by detecting known misconfigurations and CIS benchmark controls. Greenbone also updates its vulnerability tests daily to include detection for the latest vulnerabilities that can allow successful DoS attacks.

Greenbone includes the Denial of Service category of vulnerability tests and other test families also include DoS identification such as: database DoS tests, web application DoS tests, web server DoS tests, Windows DoS tests [1][2] and product specific DoS detection for many enterprise networking products such as Cisco, F5, Juniper Networks, Palo Alto and more. Using Greenbone to scan your networks and endpoints, you have access to over 4,900 tests capable of identifying exploitable DoS flaws.

Also, when Greenbone’s “Safe Checks” protection for a scan configuration is disabled, our scanner will conduct active attacks such as amplification DoS attacks. Since these tests present higher risk such as increased likelihood of service disruption, the Safe Checks feature is enabled by default, meaning this extended set of invasive scans are not conducted unless specifically configured to do so.

While no known cybersecurity mitigation can guarantee protection against all DoS attacks such as high volume DDoS attacks, the proactive identification and mitigation of known flaws removes the “low-hanging fruit” presented by exploitable services. By removing known vulnerabilities from its IT infrastructure, an organization can avoid becoming part of the problem as well – since hijacked IT assets are often used by attackers to conduct DDoS attacks against others.

Summary

Denial of Service (DoS) attacks aim to disrupt the availability of IT systems by overwhelming them with traffic or by exploiting known software vulnerabilities. Greenbone’s comprehensive vulnerability assessment solutions can identify potential entry points for DoS attacks, enabling organizations to strengthen their defenses and minimize their risk. By proactively managing vulnerabilities and employing continuous monitoring, Greenbone helps organizations to detect and mitigate the impact of potentially destructive DoS attacks.

If an organization has high value, you can bet that bad actors are contemplating how to exploit its IT weaknesses for financial gain. Ransomware attacks are the apex threat in this regard, rendering a victim’s data unusable, extorting them for a decryption key. Highly targeted organizations need to understand exactly where their risk lies and ensure that critical assets are exceptionally well protected. However, all organizations with IT infrastructure – even small ones – benefit from assessing their attack surface and mitigating vulnerabilities.

Mass Exploitation attacks are automated campaigns continuously scanning the public Internet looking for easy victims. These campaigns are carried out by bots, executing automated cyber attacks at scale. CloudFlare claims that only 7% of the Internet traffic is malicious bots, while other reports claim malicious bots account for as much as 32% of all Internet activity. Once breached, attackers misuse these compromised assets for malicious activities.

What Happens to Assets Compromised in Mass Exploitation Campaigns?

Once an attacker gains control of a victim’s IT infrastructure, they assess the value of their newly acquired spoils and determine how to best capitalize. The dark web is an underground ecosystem of cybercrime services with its own economy of supply and demand for illicit deeds. Within this ecosystem, Initial Access Brokers (IAB) sell unauthorized access to Ransomware as a Service (RaaS) groups who specialize in ransomware execution; encrypting a victim’s files and extorting them. Mass Exploitation is one way that these IABs gain a foothold.

Compromised assets with lower extortion value may become part of the IAB’s “zombie botnet”; co-opted to continuously scan the Internet for vulnerable systems to compromise. Otherwise, hijacked systems may be used to send malspam and phishing emails, infected with crypto-mining malware, or become an inconspicuous host for command-and-control (C2) infrastructure to support more targeted attack campaigns.

How Mass Exploitation Works

By exploring Mass Exploitation through the lens of the MITRE ATT&CK framework’s tactics, techniques and procedures (TTP) defenders can better understand attacker behavior. If you are not familiar with MITRE ATT&CK, now is a good time to review the MITRE ATT&CK Enterprise Matrix, since it will serve as a reference point for how attackers operate.

Mass exploitation targets large numbers of systems with sophisticated tools that can scan many IP addresses and automatically execute cyber attacks when vulnerabilities are found. These attacks aim to exploit vulnerabilities in software that is commonly exposed to the public Internet, especially software used to host websites and access webservers remotely.

Here’s how Mass Exploitation works:

  • Reconnaissance [TA0043]: Attackers collect sources of vulnerability information such as NIST NVD where CVEs are published with severity scores and reports that include technical details. Attackers also discover sources of exploit code such as exploit-db, GitHub, or other sources such as dark web marketplaces. Alternatively, attackers may develop their own malicious exploits.
  • Weaponization [TA0042]: Attackers build cyber weapons designed to automatically identify and exploit vulnerabilities [T1190] without the need for human interaction.
  • Active Scanning [T1595]: Attackers conduct active scans of the public Internet at scale to discover listening services and their versions [T1595.002]. This process is similar to how cyber defenders conduct vulnerability scans of their own infrastructure, except instead of fixing identified vulnerabilities, attackers plan strategies to exploit them.
  • Attack Deployment and Exploitation: Once an active vulnerability has been found, automated tools attempt to exploit them to control the victim’s system remotely [TA0011] or cause Denial of Service (DoS) [T1499]. A variety of software weaknesses may be involved such as: exploiting default account credentials [CWE-1392], SQL injection [CWE-89], buffer overflows [CWE-119], unauthorized file uploads [CWE-434] or otherwise broken access controls [CWE-284].
  • Assessment and Action on Objectives [TA0040]: Post-compromised, the attacker decides how to best impact the victim for their own gain. Attackers may decide to conduct further reconnaissance, attempting to move laterally to other connected systems in the network [TA0008], steal data from the victim [TA0010], deploy ransomware [T1486] or sell the initial access to other cyber criminals with specialized skills [T1650].

How to Defend Against Mass Exploitation

Defending against Mass Exploitation attacks requires a proactive approach that addresses potential vulnerabilities before they can be exploited. Organizations should adopt fundamental IT security best practices including regular assessments, continuous monitoring, and timely remediation of identified weaknesses.

Here are some key security measures to defend against Mass Exploitation:

  • Build an IT asset inventory: Building a comprehensive inventory of all hardware, software, and network devices within your organization ensures no systems are overlooked during risk and vulnerability assessments and patch management.
  • Conduct a risk assessment: Prioritize assets based on their importance to business operations and determine how preventative efforts should be focused. Regular risk assessments help ensure that the most critical threats are addressed, reducing the chances of a high impact breach.
  • Scan all assets regularly and fix identified vulnerabilities: Perform regular vulnerability scans on all IT assets, especially those exposed to the public internet and with a high risk context. Promptly apply patches or alternative mitigation measures to prevent exploitation. Track and measure vulnerability management progress in a quantified way.
  • Remove unused services and applications: Unused software presents additional attack surface, which may offer attackers an opportunity to exploit vulnerabilities. By minimizing the number of active services and installed applications, potential entry points for attackers are limited.
  • Education and training: Education is important to promote IT security awareness within an organization’s culture. Awareness training also goes a long way towards preventing malspam and phishing attacks from impacting an organization.
  • Employ Anti-Malware solutions: Malware is often distributed through automated malspam and phishing campaigns at scale. Ensure all systems have up-to-date anti-virus software and implement spam filtering to detect and quarantine malicious files.
  • Enforce strong authentication policies: Credential stuffing attacks are often automated components of Mass Exploitation campaigns. By following password best practices, such as using strong randomly generated passwords and not reusing passwords between accounts there is less risk posed by stolen passwords. Implementing password rotation policies, multi-factor authentication (MFA), and using password managers also strengthen password security.
  • Use firewalls and IPS: Firewalls and Intrusion Prevention Systems (IPS) can block malicious traffic by using rules or patterns. Configure rulesets as strictly as possible to block unnecessary inbound traffic from scanning sensitive services. Regularly review and update firewall and IPS configurations to account for current threats.

Summary

Mass Exploitation refers to automated cyber attack campaigns that use bots to scan the public Internet for vulnerable systems. These attacks target a wide range of victims, exploiting known vulnerabilities in software that is commonly exposed to the internet. Once compromised, attackers use the breached systems for various malicious purposes, including launching ransomware attacks, selling access to other criminal groups or further extending botnets. Mass exploitation is a major threat as it allows attackers to operate at scale with minimal effort.

To defend against Mass Exploitation, organizations must implement proactive security measures such as regular vulnerability scanning, timely patch management, strong access controls and network monitoring. Additionally, ensuring that staff have adequate security training can help reduce the risk of becoming a victim of Mass Exploitation campaigns.

it-sa 2024 in Nuremberg was a great success not only for the organizers but also for us: three days full of inspiring conversations, new contacts and important insights into the current security requirements of existing and potential customers. As one of the most important trade fairs for IT security in Europe, it-sa was the ideal platform for us to present the latest developments to a broad audience. Our keynote, held by CEO Dr. Jan-Oliver Wagner, attracted numerous trade visitors. Under the title “Be secure and stay secure”, he provided insights into the importance of our portfolio for proactive corporate security.

The Greenbone team at it-sa 2024 was pleased to welcome twice as many visitors as in the previous year.

 

Keynote: Vulnerability Management as the Basis for Cyber Security

In his keynote, Jan-Oliver Wagner spoke about the growing importance of vulnerability management as the fundamental building block of a comprehensive security strategy. Companies and organizations of all sizes are facing the challenge of dealing with the ever-increasing threat of cyber attacks. Especially because the number of attacks has increased dramatically in recent years and that high tens of millions have already been paid in cyber extortion, it is clear that cybersecurity is no longer just “nice to have”, but essential for survival. 

Jan-Oliver Wagner called for threats to be detected as early as possible and for risks to be managed proactively. He presented vulnerability management as “the first line of defense” against attackers. With Greenbone solutions, companies can continuously check their IT infrastructure for security vulnerabilities: “Vulnerability management is the basis of a sustainable and highly effective security strategy.” Security teams are often faced with the difficult task of assessing risks appropriately and making the right decisions. “The goal is to stay one step ahead of attackers. Our solutions not only identify security vulnerabilities, but also help prioritize which vulnerabilities need to be addressed most urgently.”

Inspiring Conversations and New Contacts: the Trade Fair Highlights

The trade fair enabled us to engage directly with industry visitors, customers and partners, answer their questions and better understand their perspectives. With many technical discussions in just three days, the number of visitors to our partner stand at ADN more than doubled compared to last year, reports Ingo Conrads, Chief Sales Officer: “We were particularly pleased about the many new prospects and partners with whom we were able to discuss many new business opportunities.” 

Greenbone CEO Dr. Jan-Oliver Wagner giving the keynote “Be secure and stay secure” at it-sa 2024.

Many visitors already knew Greenbone as a brand, partly by OpenVAS in the past. But new products such as Greenbone Basic were also a discovery for many, showing how comprehensive and scalable our solutions have become – from entry-level to enterprise products for the public sector. The diversity of our portfolio and our services in particular generated surprise and interest. An overview of the various possible uses of our solutions is available on our website.

Thank You for the Successful Trade Fair!

it-sa 2024 was a great success and an inspiring experience for us. Once again, the trade fair showed how important vulnerability management has become and that Greenbone is making an important contribution to IT security. Many thanks to our distribution partner ADN for the excellent cooperation at the partner stand – and many thanks to all visitors for the interesting discussions and valuable feedback!

Together we are working to ensure that companies are secure – and stay secure. 

Next week, it-sa, one of the largest platforms for IT security solutions, will kick off. On the opening day, October 22, 2024, from 11:00 a.m., Greenbone’s CEO Dr. Jan-Oliver Wagner will show how companies can remain capable of managing crisis situations. With the “Action” in Forum 6-B “Be secure and stay secure” he shows ways out of the growing threats posed by cyber risks. It is not for nothing that his overview of the possibilities and potential of vulnerability management is not called a “lecture”, but “action”: action is needed!

Take Action!

In times when ransomware gangs are trying to extort tens of millions of dollars, it’s essential for companies and organizations to act as early as possible to ensure the security of their IT systems, data and business operations. Every investment in cyber security pays off many times over when the acquisition costs of a corresponding proactive solution are compared with the costs incurred by a security breach – the costs of paying ransom are devastating. As with any calculation of interest and compound interest: the earlier the investment, the more it pays off. 

Greenbone’s solutions start at the earliest possible point in the history of cyber risks: the proactive detection of security vulnerabilities in your own IT infrastructure. Proactive vulnerability management goes hand in hand with a well-founded security strategy. Security intelligence is continuously provided, systems are monitored and results are compared and matched to known vulnerabilities.

Gaining a Knowledge Advantage

Because criminals make their attacks on their victims’ networks as impactful and widespread as possible in order to maximize their profits, IT managers should make it as difficult as possible in return. Vulnerability management offers companies a decisive advantage in the race against potential attackers. Vulnerabilities are often exploited before they are publicly announced, but once they are known, the race between attacker and the attacked enters the hot phase: attack vectors should be closed faster than cybercriminals can exploit them.

Manage Risks

To prevent the security risk from escalating, Greenbone solutions now access over 180,000 automated vulnerability tests. This reduces the potential attack surface by 99.9% compared to companies that do not use vulnerability management. These immense opportunities for risk minimization require prudent security management. The more vulnerabilities get uncovered, the more pressing the need for action becomes. Which IT systems require immediate help? Which assets and interaction paths in the company are particularly critical and which security measures should be prioritized? 

Only those who have plausible answers to these questions will be able to keep the overall risk of cyber attacks as low as possible in the long term. Jan-Oliver Wagner will identify top priorities and how a corresponding “triage” can be practiced among data and systems in day-to-day operations in the it-sa action “Be secure and stay secure”. Join us!

Visit us at our booth 6-346 or make an appointment right away and get your free ticket to the trade show. We look forward to your visit!

Make an appointment!