Joseph Lee

August 2024 Threat Tracking: Threats on the Rise

The cybersecurity risk environment has been red hot through the first half of 2024. Critical vulnerabilities in even the most critical technologies are perpetually open to cyber attacks, and defenders face the continuous struggle to identify and remediate these relentlessly emerging security gaps. Large organizations are being targeted by sophisticated “big game hunting” campaigns by ransomware gangs seeking to hit the ransomware jackpot. The largest ransomware payout ever was reported in August – 75 million Dollar to the Dark Angels gang. Small and medium sized enterprises are targeted on a daily basis by automated “mass exploitation” attacks, also often seeking to deliver ransomware [1][2][3].

A quick look at CISA’s Top Routinely Exploited Vulnerabilities shows us that even though cyber criminals can turn new CVE (Common Vulnerabilities and Exposures) information into exploit code in a matter of days or even hours, older vulnerabilities from years past are still on their radar.

In this month’s Threat Tracking blog post, we will point out some of the top cybersecurity risks to enterprise cybersecurity, highlighting vulnerabilities recently reported as actively exploited and other critical vulnerabilities in enterprise IT products.

The BSI Improves LibreOffice’s Mitigation of Human Error

OpenSource Security on behalf of the German Federal Office for Information Security (BSI) recently identified a secure-by-design flaw in LibreOffice. Tracked as CVE-2024-6472 (CVSS 7.8 High), it was found that users could enable unsigned macros embedded in LibreOffice documents, overriding the “high security mode” setting. While exploitation requires human interaction, the weakness addresses a false sense of security, that unsigned macros could not be executed when “high security mode” enabled.

KeyTrap: DoS Attack Against DNSSEC

In February 2024, academics at the German National Research Center for Applied Cybersecurity (ATHENE) in Darmstadt disclosed “the worst attack on DNS ever discovered”. According to German researchers, a single packet can cause a “Denial of Service” (DoS) by exhausting a DNSSEC-validating DNS resolver. Dubbed “KeyTrap”, attackers can exploit the weakness to prevent clients using a compromised DNS server from accessing the internet or local network resources. The culprit is a design flaw in the current DNSSEC specification [RFC-9364] that dates back more than 20 years [RFC-3833].

Published in February 2024 and tracked as CVE-2023-50387 (CVSS 7.5 High), exploitation of the vulnerability is considered trivial and proof-of-concept code is available on GitHub. The availability of exploit code means that low skilled criminals can easily launch attacks. Greenbone can identify systems with vulnerable DNS applications impacted by CVE-2023-50387 with local security checks (LSC) for all operating systems.

CVE-2024-23897 in Jenkins Used to Breach Indian Bank

CVE-2024-23897 (CVSS 9.8 Critical) in Jenkins (versions 2.441 and LTS 2.426.2 and earlier) is being actively exploited and used in ransomware campaigns including one against the National Payments Corporation of India (NPCI). Jenkins is an open-source automation server used primarily for continuous integration (CI) and continuous delivery (CD) in software development operations (DevOps).

The Command Line Interface (CLI) in affected versions of Jenkins contains a path traversal vulnerability [CWE-35] caused by a feature that replaces the @-character followed by a file path with the file’s actual contents. This allows attackers to read the contents of sensitive files including those that provide unauthorized access and subsequent code execution. CVE-2024-23897 and its use in ransomware attacks follows a joint CISA and FBI alert for software vendors to address path traversal vulnerabilities [CWE-35] in their products. Greenbone includes an active check [1] and two version detection tests [2][3] for identifying vulnerable versions of Jenkins on Windows and Linux.

2 New Actively Exploited CVEs in String of Apache OFBiz Flaws

Apache OFBiz (Open For Business) is a popular open-source enterprise resource planning (ERP) and e-commerce software suite developed by the Apache Software Foundation. In August 2024, CISA alerted the cybersecurity community to active exploitation of Apache OFBiz via CVE-2024-38856 (CVSS 9.8 Critical) affecting versions before 18.12.13. CVE-2024-38856 is a path traversal vulnerability [CWE-35] that affects OFBiz’s “override view” functionality allowing unauthenticated attackers Remote Code Execution (RCE) on the affected system.

CVE-2024-38856 is a bypass of a previously patched vulnerability, CVE-2024-36104, just published in June 2024, indicating that the initial fix did not fully remediate the problem. This also builds upon another 2024 vulnerability in OFBiz, CVE-2024-32113 (CVSS 9.8 Critical), which was also being actively exploited to distribute Mirai botnet. Finally, in early September 2024, two new critical severity CVEs, CVE-2024-45507 and CVE-2024-45195 (CVSS 9.8 Critical) were added to the list of threats impacting current versions of OFBiz.

Due to the notice of active exploitation and Proof-of-Concept (PoC) exploits being readily available for CVE-2024-38856 [1][2] and CVE-2024-32113 [1][2] affected users need to patch urgently. Greenbone can detect all aforementioned CVEs in Apache OFBiz with both active and version checks.

CVE-2022-0185 in the Linux Kernel Actively Exploited

CVE-2022-0185 (CVSS 8.4 High), an heap-based buffer overflow vulnerability in the Linux kernel, was added to CISA KEV in August 2024. Publicly available PoC-exploit-code and detailed technical descriptions of the vulnerability have contributed to the increase in cyber attacks exploiting CVE-2022-0185.

In CVE-2022-0185 in Linux’s “legacy_parse_param()” function within the Filesystem Context functionality the length of supplied parameters is not being properly verified. This flaw allows an unprivileged local user to escalate their privileges to the root user.

Greenbone could detect CVE-2022-0185 since it was disclosed in early 2022 via vulnerability test modules covering a wide set of Linux distributions including Red Hat, Ubuntu, SuSE, Amazon Linux, Rocky Linux, Fedora, Oracle Linux and Enterprise products such as IBM Spectrum Protect Plus.

New VoIP and PBX Vulnerabilities

A handful of CVEs were published in August 2024 impacting enterprise voice communication systems. The vulnerabilities were disclosed in Cisco’s small business VOIP systems and Asterisk, a popular open-source PBX branch system. Let’s dig into the specifics:

Cisco Small Business IP Phones Offer RCE and DoS

Three high severity vulnerabilities were disclosed that impact the web-management console of Cisco Small Business SPA300 Series and SPA500 Series IP Phones. While underscoring the importance of not exposing management consoles to the internet, these vulnerabilities also represent a vector for an insider or dormant attacker who has already gained access to an organization’s network to pivot their attacks to higher value assets and disrupt business operations.

Greenbone includes detection for all newly disclosed CVEs in Cisco Small Business IP Phone. Here is a brief technical description of each:

  • CVE-2024-20454 and CVE-2024-20450 (CVSS 9.8 Critical): An unauthenticated, remote attacker could execute arbitrary commands on the underlying operating system with root privileges because incoming HTTP packets are not properly checked for size, which could result in a buffer overflow.
  • CVE-2024-20451 (CVSS 7.5 High): An unauthenticated, remote attacker could cause an affected device to reload unexpectedly causing a Denial of Service because HTTP packets are not properly checked for size.

CVE-2024-42365 in Asterisk PBX Telephony Toolkit

Asterisk is an open-source private branch exchange (PBX) and telephony toolkit. PBX is a system used to manage internal and external call routing and can use traditional phone lines (analog or digital) or VoIP (IP PBX). CVE-2024-42365, published in August 2024, impacts versions of asterisk before 18.24.2, 20.9.2 and 21.4.2 and certified-asterisk versions 18.9-cert11 and 20.7-cert2. An exploit module has also been published for the Metasploit attack framework adding to the risk, however, active exploitation in the wild has not yet been observed.

Greenbone can detect CVE-2024-42365 via network scans. Here is a brief technical description of the vulnerability:

  • CVE-2024-42365 (CVSS 8.8 High): An AMI user with “write=originate” may change all configuration files in the “/etc/asterisk/” directory. This occurs because they are able to curl remote files and write them to disk but are also able to append to existing files using the FILE function inside the SET application. This issue may result in privilege escalation, Remote Code Execution or blind server-side request forgery with arbitrary protocols.

Browsers: Perpetual Cybersecurity Threats

CVE-2024-7971 and CVE-2024-7965, two new CVSS 8.8 High severity vulnerabilities in the Chrome browser, are being actively exploited for RCE. Either CVE can be triggered when victims are tricked into simply visiting a malicious web page. Google acknowledges that exploit code is publicly available, giving even low skilled cyber criminals the ability to launch attacks. Google Chrome has seen a steady stream of new vulnerabilities and active exploitation in recent years. A quick inspection of Mozilla Firefox shows a similar continuous stream of critical and high severity CVEs; seven Critical and six High severity vulnerabilities were disclosed in Firefox during August 2024, although active exploitation of these has not been reported.

The continuous onslaught of vulnerabilities in major browsers underscores the need for diligence to ensure that updates are applied as soon as they become available. Due to Chrome’s high market share of over 65% (over 70% considering Chromium-based Microsoft Edge) its vulnerabilities receive increased attention from cyber criminals. Considering the high number of severe vulnerabilities impacting Chromium’s V8 engine (more than 40 so far in 2024), Google Workspace admins might consider disabling V8 for all users in their organization to increase security. Other options for hardening browser security in high-risk scenarios include using remote browser isolation, network segmentation and booting from secure baseline images to ensure endpoints are not compromised.

Greenbone includes active authenticated vulnerability tests to identify vulnerable versions of browsers for Linux, Windows and macOS.

Summary

New critical and remotely exploitable vulnerabilities are being disclosed at record shattering rates amidst a red hot cyber risk environment. Asking IT security teams to manually track newly exposed vulnerabilities in addition to applying patches imposes an impossible burden and risks leaving critical vulnerabilities undetected and exposed. Vulnerability management is considered a fundamental cybersecurity activity; defenders of large, medium and small organizations need to employ tools such as Greenbone to automatically seek and report vulnerabilities across an organization’s IT infrastructure. 

Conducting automated network vulnerability scans and authenticated scans of each system’s host attack surface can dramatically reduce the workload on defenders, automatically providing them with a list of remediation tasks that is sortable according to threat severity.

Contact Test Now Buy Here Back to Overview

/by
Greenbone AG

Greenbone Enterprise Products Lead all Network Vulnerability Scanners

OpenVAS began in 2005 when Nessus transitioned from open source to a proprietary license. Two companies, Intevation and DN Systems adopted the existing project and began evolving and maintaining it under a GPL v2.0 license. Since then, OpenVAS has evolved into Greenbone, the most widely-used and applauded open-source vulnerability scanner and vulnerability management solution in the world. We are proud to offer Greenbone as both a free Community Edition for developers and also as a range of enterprise products featuring our Greenbone Enterprise Feed to serve the public sector and private enterprises alike.

As the “old-dog” on the block, Greenbone is hip to the marketing games that cybersecurity vendors like to play. However, our own goals remain steadfast – to share the truth about our product and industry leading vulnerability test coverage. So, when we reviewed a recent 2024 network vulnerability scanner benchmark report published by a competitor, we were a little shocked to say the least.

As the most recognized open-source vulnerability scanner, it makes sense that Greenbone was included in the competition for top dog. However, while we are honored to be part of the test, some facts made us scratch our heads. You might say we have a “bone to pick” about the results. Let’s jump into the details.

What the 2024 Benchmark Results Found

The 2024 benchmark test conducted by Pentest-Tools ranked leading vulnerability scanners according to two factors: Detection Availability (the CVEs each scanner has detection tests for) and Detection Accuracy (how effective their detection tests are).

The benchmark pitted our free Community Edition of Greenbone and the Greenbone Community Feed against the enterprise products of other vendors: Qualys, Rapid7, Tenable, Nuclei, Nmap, and Pentest-Tools’ own product. The report ranked Greenbone 5th in Detection Availability and roughly tied for 4th place in Detection Accuracy. Not bad for going up against titans of the cybersecurity industry.

The only problem is, as mentioned above, Greenbone has an enterprise product too, and when the results are recalculated using our Greenbone Enterprise Feed, the findings are starkly different – Greenbone wins hands down.

Here is What we Found

Bar chart from the 2024 benchmark for network vulnerability scanners: Greenbone Enterprise achieves the highest values with 78% availability and 61% accuracy

 

Our Enterprise Feed Detection Availability Leads the Pack

According to our own internal findings, which can be verified using our SecInfo Portal, the Greenbone Enterprise Feed has detection tests for 129 of the 164 CVEs included in the test. This means our Enterprise product’s Detection Availability is a staggering 70.5% higher than reported, placing us heads and tails above the rest.

To be clear, the Greenbone Enterprise Feed tests aren’t something we added on after the fact. Greenbone updates both our Community and Enterprise Feeds on a daily basis and we are often the first to release vulnerability tests when a CVE is published. A review of our vulnerability test coverage shows they have been available from day one.

Our Detection Accuracy was far Underrated

And another thing. Greenbone isn’t like those other scanners. The way Greenbone is designed gives it strong industry leading advantages. For example, our scanner can be controlled via API allowing users to develop their own custom tools and control all the features of Greenbone in any way they like. Secondly, our Quality of Detection (QoD) ranking doesn’t even exist on most other vulnerability scanners.

The report author made it clear they simply used the default configuration for each scanner. However, without applying Greenbone’s QoD filter properly, the benchmark test failed to fairly assess Greenbone’s true CVE detection rate. Applying these findings Greenbone again comes out ahead of the pack, detecting an estimated 112 out of the 164 CVEs.

Summary

While we were honored that our Greenbone Community Edition ranked 5th in Detection Availability and tied for 4th in Detection Accuracy in a recently published network vulnerability scanner benchmark, these results fail to consider the true power of the Greenbone Enterprise Feed. It stands to reason that our Enterprise product should be in the running. Afterall, the benchmark included enterprise offerings from other vendors.

When recalculated using the Enterprise Feed, Greenbone’s Detection Availability leaps to 129 of the 164 CVEs on the test, 70.5% above what was reported. Also, using the default settings fails to account for Greenbone’s Quality of Detection (QoD) feature. When adjusted for these oversights, Greenbone ranks at the forefront of the competition. As the most used open-source vulnerability scanner in the world, Greenbone continues to lead in vulnerability coverage, timely publication of vulnerability tests, and truly enterprise grade features such as a flexible API architecture, advanced filtering, and Quality of Detection scores.

Contact Test Now Buy Here Back to Overview

/by
Joseph Lee

KPI for Measuring Vulnerability Management Performance

Every business has mission critical activities. Security controls are meant to protect those critical activities to ensure business operations and strategic goals can be sustained indefinitely. Using an “Install and forget”-approach to security provides few assurances for achieving these objectives. An ever-changing digital landscape means a security gap could lead to a high stakes data breach. Things like privilege creep, server sprawl, and configuration errors tend to pop-up like weeds. Security teams who don’t continuously monitor don’t catch them – attackers do. For this reason, cyber security frameworks tend to be iterative processes that include monitoring, auditing, and continuous improvement.

Security officers should be asking: What does our organization need to measure to gain strong assurances and enable continuous improvement? In this article we will take you through a rationale for Key Performance Indicators (KPI) in cyber security outlined by industry leaders such as NIST and The SANS Institute and define a core set of vulnerability management specific KPIs. The most fundamental KPIs covered here can serve as a starting point for organizations implementing a vulnerability management program from scratch, while the more advanced measures can provide depth of visibility for organizations with mature vulnerability management programs already in place.

Cyber Security KPI Support Core Strategic Business Goals

KPI are generated by collecting and analyzing relevant performance data and are mainly used for two strategic goals. The first is to facilitate evidence-based decision making. For example, KPI can help managers benchmark how vulnerability management programs are performing in order to assess the overall level of risk mitigation and decide whether to allocate more resources or accept the status-quo. The second core strategic goal that KPIs support is to provide accountability of security activities. KPI can help identify causes of poor performance and provide an early warning of insufficient or poorly implemented security controls. With proper monitoring of vulnerability management performance, the effectiveness of existing procedures can be evaluated, allowing them to be adjusted or supplemented with additional controls. The evidence collected while generating KPIs can also be used to demonstrate compliance with internal policies, mandatory or voluntary cyber security standards, or any applicable laws and regulations by evidencing cyber security program activities.

The scope of measuring KPI can be enterprise-wide or focused on departments or infrastructure that is critical to business operations. This scope can also be adjusted as a cybersecurity program matures. During the initial stages of starting a vulnerability management, only basic information may be available to build KPI metrics from. However, as a program matures, data collection will become more robust, supporting more complex KPI metrics. More advanced measures may also be justified to gain high visibility for organizations with increased risk.

Types of Cyber Security Measures

NIST SP 800-55 V1 (and it’s predecessor NIST SP 800-55 r2) focuses on the development and collection of three types of measures:

  • Implementation Measures: These measure the execution of security policy and gauge the progress of implementation. Examples include: the total number of information systems scanned and the percentage of critical systems scanned for vulnerabilities.
  • Effectiveness/Efficiency Measures: These measure the results of security activities and monitor program-level and system-level processes. This can help gauge if security controls are implemented correctly, operating as intended, and producing a desirable outcome. For example, the percentage of all identified critical severity vulnerabilities that have been mitigated across all operationally critical infrastructure.
  • Impact Measures: These measure the business consequences of security activities such as cost savings, costs incurred by addressing security vulnerabilities, or other business related impacts of information security.

Important Indicators for Vulnerability Management

Since vulnerability management is fundamentally the process of identifying and remediating known vulnerabilities, KPI that provide insight into the detection and remediation of known threats are most appropriate. In addition to these two key areas, assessing a particular vulnerability management tool’s effectiveness for detecting vulnerabilities can help compare different products. Since these are the most logical ways to evaluate vulnerability management activities, our list has grouped KPI into these three categories. Tags are also added to each item indicating which purpose specified in NIST SP 800-55 the metric satisfies.

While not an exhaustive list, here are some key KPIs for vulnerability management:

Detection Performance Metrics

  • Scan Coverage (Implementation): This measures the percentage of an organization’s total assets that are being scanned for vulnerabilities. Scan coverage is especially relevant at the early stages of program implementation for setting targets and measuring the evolving maturity of the program. Scan coverage can also be used to identify gaps in an organization’s IT infrastructure that are not being scanned putting them at increased risk.
  • Mean Time to Detect (MTTD) (Efficiency): This measures the average time to detect vulnerabilities from when information is first published and when a security control is able to identify it. MTTD may be improved by adjusting the frequency of updating a vulnerability scanner’s modules or frequency of conducting scans.
  • Unidentified Vulnerabilities Ratio (Effectiveness): The ratio of vulnerabilities identified proactively through scans versus those discovered through breach or incident post-mortem analyses. A higher ratio suggests better proactive detection capabilities.
  • Automated Discovery Rate (Efficiency): This metric measures the percentage of vulnerabilities identified by automated tools versus manual discovery methods. Higher automation can lead to more consistent and faster detection.

Remediation Performance Metrics

  • Mean Time to Remediate (MTTR; Efficiency): This measures the average time taken to fix vulnerabilities after they are detected. By tracking remediation times organizations can gauge their responsiveness to security threats and evaluate the risk posed by exposure time. A shorter MTTR generally indicates a more agile security operation.
  • Remediation Coverage (Effectiveness): This metric represents the proportion of detected vulnerabilities that have been successfully remediated and serves as a critical indicator of effectiveness in addressing identified security risks. Remediation coverage can be adjusted to specifically reflect the rate of closing critical or high severity security gaps. By focusing on the most dangerous vulnerabilities first, security teams can more effectively minimize risk exposure.
  • Risk Score Reduction (Impact): This metric reflects the overall impact that vulnerability management activities are having to risk. By monitoring changes in the risk score, managers can evaluate how well the threat posed by exposed vulnerabilities is being managed. Risk Score Reduction is typically calculated using risk assessment tools that provide a contextual view of each organization’s unique IT infrastructure and risk profile.
  • Rate Of Compliance (Impact): This metric represents the percentage of systems that comply with specific cyber security regulations, standards, or internal policies. It serves as an essential measure for gauging compliance status and provides evidence of this status to various stakeholders. It also serves as a warning if compliance requirements are not being satisfied, thereby reducing the risk of penalties and ensuring the intended security posture put forth by the compliance target.
  • Vulnerability Reopen Rate (Efficiency): This metric measures the percentage of vulnerabilities that are reopened after being marked as resolved. Reopen rate indicates the efficiency of remediation efforts. Ideally, once a remediation ticket has been closed, the vulnerability does not issue another ticket.
  • Cost of Remediation (Impact): This metric measures the total cost associated with fixing detected vulnerabilities, encompassing both direct and indirect expenses. Cost analysis can aid decisions for budgeting and resource allocation by tracking the amount of time and resources required to detect and apply remediation.

Vulnerability Scanner Effectiveness Metrics

  • True Positive Detection Rate (Effectiveness): This measures the percentage of vulnerabilities that can be accurately detected by a particular tool. True positive detection rate measures the effective coverage of a vulnerability scanning tool and allows two vulnerability scanning products to be compared according to their relative value.
  • False Positive Detection Rate (Effectiveness): This metric measures the frequency at which a tool incorrectly identifies non-existent vulnerabilities as being present. This can lead to wasted resources and effort. False positive detection rate can gauge the reliability of a vulnerability scanning tool to ensure it aligns with operational requirements.

Key Takeaways

By generating and analyzing Key Performance Indicators (KPIs), organizations can satisfy fundamental cybersecurity requirements for continuous monitoring and improvement. KPI also supports core business strategies such as evidence-based decision making and accountability.

With quantitative insight into vulnerability management processes, organizations can better gauge their progress and more accurately evaluate their cyber security risk posture. By aggregating an appropriate set of KPIs, organizations can track the maturity of their vulnerability management activities, identify gaps in controls, policies, and procedures that limit the effectiveness and efficiency of their vulnerability remediation, and ensure alignment with compliance with internal risk requirements and relevant security standards, laws and regulations.

References

National Institute of Standards and Technology. Measurement Guide for Information Security: Volume 1 — Identifying and Selecting Measures. NIST, January 2024, https://csrc.nist.gov/pubs/sp/800/55/v1/ipd

National Institute of Standards and Technology. Performance Measurement Guide for Information Security, Revision 2. NIST, November 2022, https://csrc.nist.gov/pubs/sp/800/55/r2/iwd

National Institute of Standards and Technology. Assessing Security and Privacy Controls in Information Systems and Organizations Revision 5. NIST, January 2022, https://csrc.nist.gov/pubs/sp/800/53/a/r5/final

National Institute of Standards and Technology. Guide for Conducting Risk Assessments Revision 1. NIST, September 2012, https://csrc.nist.gov/pubs/sp/800/30/r1/final

National Institute of Standards and Technology. Guide to Enterprise Patch Management Planning: Preventive Maintenance for Technology Revision 4. NIST, April 2022, https://csrc.nist.gov/pubs/sp/800/40/r4/final

SANS Institute. A SANS 2021 Report: Making Visibility Definable and Measurable. SANS Institute, June 2021, https://www.sans.org/webcasts/2021-report-making-visibility-definable-measurable-119120/

SANS Institute. A Guide to Security Metrics. SANS Institute, June 2006, https://www.sans.org/white-papers/55/

Contact Test Now Buy Here Back to Overview

/by
Markus Feilner

Greenbone Basic – Vulnerability Management for SMEs

Greenbone Basic: Small Businesses Can Now Easily Protect Themselves from Vulnerabilities Cyber attacks have become the greatest threat to modern businesses of all sizes. An abundant amount of attacks have caused a stir, cost billions, and resulted in production downtime and significant damage all over the world. Not a lot has changed in 2024, and […]

Read more
/by
Greenbone AG

Save the date: it-sa 2024

On October 22, the “it-sa Expo&Congress” will open its doors again in Nuremberg. The trade fair is now one of the largest platforms for IT security solutions worldwide. Last year, it set new records with 19,449 trade visitors from 55 countries and 795 exhibitors from 30 countries. This year, Greenbone will be at the ADN partner stand in Hall 6, booth 6-346. Our CEO Jan-Oliver Wagner will be giving a live presentation at the Forum 6-B on the opening day (11:00 – 11:15).

Greenbone at it-sa 2024 in Nuremberg: Hall 6, Booth 6-346 from October 22-24, 2024.

  • Opening hours: 
    • Tuesday, October 22, 2024: 09:00 – 18:00
    • Wednesday, October 23, 2024: 09:00 – 18:00
    • Thursday, October 24, 2024: 09:00 – 17:00
  • Location: Nuremberg, Exhibition Center 
  • Information: Tickets, exhibitors, hall plan

Visit us at our booth or schedule an appointment with the security experts from Greenbone. We look forward to seeing you at the fair!

Contact Test Now Buy Here Back to Overview

/by
Joseph Lee

July 2024 Threat Tracking: Summer Break for Vulnerabilities?

Vulnerability disclosures took a summer vacation in July; only 3,135 new CVES were published, down almost 40% from May 2024’s record setting month. Last month we talked about cybersecurity on the edge, referring to the increasing number of attacks against perimeter network devices. That post’s title also hinted that globally, IT may be skirting catastrophic failure. Greenbone’s CMO Elmar Geese compiled a nice assessment of CrowdStrike’s failed update that crashed Windows systems around the world on Friday, July 19th.

Back in 2021, Gartner predicted that rampant cyber attacks would be causing death and mayhem by 2025. The bad news is we are ahead of Gartner’s schedule, but the further bad news is that we didn’t need a cyber attack to get there. In this month’s threat tracking news, we will review some of the top actively exploited vulnerabilities and critical risks introduced in July 2024.

Ransomware Distributed via VMware Vulnerability

This month, two vulnerabilities in VMware’s ESXi hypervisor and vCenter Server products were added to CISA’s Known Exploited Vulnerabilities (KEV) catalog and one, CVE-2024-37085 in ESXi, was observed distributing Akira and Black Basta ransomware. VMware’s virtualization solutions are critical to the global IT ecosystem. In the past, the vendor has claimed over 80 percent of virtualized workloads operate on its technology including all the Fortune 500 and Fortune Global 100 enterprises.

CVE-2024-37085 (CVSS 6.8 Medium) was discovered by Microsoft who revealed that ESXi is wildly insecure by design, granting full administrative access to any user in an Active Directory (AD) domain group named “ESX Admins” by default without proper validation. Just in case you can’t believe what you just read, I’ll clarify: any user in an arbitrary AD group named “ESX Admins” is granted full admin rights on an ESXi instance – by design. We should all be aghast and thunderstruck.

Considering CVE-2024-37085 is being leveraged for ransomware attacks, be reminded that maintaining secured backups of production ESXi hypervisor configurations and virtual machines, and conducting table-top and functional exercises for incident response can help ensure a swift recovery from a ransomware attack. Closing security gaps by scanning for known vulnerabilities and applying remediation can help prevent ransomware attacks from being successful in the first place.

CVE-2022-22948 (CVSS 6.5 Medium), also actively exploited, is another insecure-by-design flaw in VMware products, this time vCenter Server caused by improper default file permissions [CWE-276] allowing the disclosure of sensitive information.

Greenbone can actively detect vulnerable versions of VMware ESXi and vCenter Server with separate vulnerability tests for CVE-2024-37085 [1] and CVE-2022-22948 [2] since it was first disclosed in 2022.

New Batch of Cisco CVEs Includes one Actively Exploited plus two Critical Severity

In July 2024, 12 total vulnerabilities, two of critical and three of high severity, were disclosed in 17 different Cisco products. CVE-2024-20399 in Cisco NX-OS is being actively exploited and was added to CISA’s Known Exploited Vulnerabilities (KEV) catalog. CISA also referenced CVE-2024-20399 in a secure-by-design alert released in July. The alert advises software vendors to inspect their products for OS (operating system) command injection vulnerabilities [CWE-78]. Greenbone includes a remote version check for the actively exploited CVE-2024-20399.

Here is a summary of the most impactful CVEs:

  • CVE-2024-20399 (CVSS 6.7 Medium): A command-injection vulnerability in Cisco NX-OS’s Command-Line Interface (CLI) allows authenticated administrative users to execute commands as root on the underlying OS due to unsanitized arguments being passed to certain configuration commands. CVE-2024-20399 can only be exploited by an attacker who already has privileged access to the CLI. Greenbone includes a remote version check for CVE-2024-20399.
  • CVE-2024-20419 (CVSS 10 Critical): The authentication system of Cisco Smart Software Manager On-Prem (SSM On-Prem) allows an unauthenticated, remote attacker to change the password of any user, including administrators, via malicious HTTP requests. Greenbone includes a remote version detection test for CVE-2024-20419.
  • CVE-2024-20401 (CVSS 10 Critical): A vulnerability in the content scanning and message filtering features of Cisco Secure Email Gateway could allow an unauthenticated, remote attacker to overwrite arbitrary files on the device via e-mail attachments if file analysis and content filters are enabled. CVE-2024-20401 allows attackers to create users with root privileges, modify the device configuration, execute arbitrary code, or disable the device completely. Greenbone is able to detect vulnerable devices so defenders can apply Cisco’s recommended mitigation.

Other CVEs disclosed for flagship Cisco products in July 2024 include:

CVE

Product

VT

CVE-2024-20400 (CVSS 5.0 M)

Cisco Expressway Series

detection test

CVE-2024-6387 (CVSS 8.1 H)

Cisco Intersight Virtual Appliance

detection test

CVE-2024-20296 (CVSS 5.8 M)

Cisco Identity Services Engine (ISE)

detection test

CVE-2024-20456 (CVSS 6.5 M)

Cisco IOS XR Software

detection test

CVE-2024-20435 (CVSS 6.8 M)

Cisco Secure Web Appliance

detection test

CVE-2024-20429 (CVSS 7.7 H)

Cisco Secure Email Gateway

detection test

CVE-2024-20416 (CVSS 7.7 H)

Cisco Dual WAN Gigabit VPN Routers

detection test

ServiceNow Actively Exploited for Data Theft and RCE

As July closed, two critical vulnerabilities in ServiceNow – CVE-2024-4879 and CVE-2024-5217, were added to CISA’s KEV list. Both CVEs are rated CVSS 9.8 Critical. ServiceNow was also assigned a third on the same day, July 10th; CVE-2024-5178 (CVSS 6.8 Medium). The trio are being chained together by attackers to achieve unauthenticated Remote Code Execution (RCE). Data from over 100 victims is reportedly being sold on BreachForums; a cybercrime platform for exchanging stolen data.

ServiceNow is a leading IT service management (ITSM) platform featuring incident management, problem management, change management, asset management, and workflow automation, and extending into general business management tools such as human resources, customer service, and security operations. ServiceNow is installed either as a Software as a Service (SaaS) or self-hosted by organizations themselves. Shodan reports roughly 20,000 exposed instances online, and Resecurity has observed attacks against private sector companies and government agencies globally.

Greenbone included vulnerability tests (VTs) [1][2] for all three CVEs before active exploitation was alerted by CISA. Hotfixes are available [3][4][5] from the vendor and self-hosting customers should apply them with urgency.

Critical Vulnerability in Adobe Commerce and Magento eCommerce Platforms

Adobe Commerce and Magento versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier are affected by CVE-2024-34102 (CVSS 9.8 Critical), resulting from improper restriction of XML External Entity Reference (‘XXE’) [CWE-611]. An attacker could exploit the weakness without user interaction by sending a malicious XML file to read sensitive data from within the platform.

CVE-2024-34102 is being actively exploited and a basic proof-of-concept exploit code is available on GitHub [1]. Malicious exploit code [2] for the CVE has also been removed from GitHub due to the platform’s policies against malware, but attackers are actively sharing it via dark-web forums and hacker channels on Telegram. Also, the CVE’s Exploit Prediction Scoring System (EPSS) score increased prior to its induction into CISA KEV, giving credit to EPSS as an early warning metric for vulnerability risk.

Magento is an open-source PHP-based eCommerce platform for small to medium-sized businesses. Acquired by Adobe in 2018, Adobe Commerce is essentially the enterprise version of Magento Open Source with additional features for larger businesses. Being an e-commerce platform, there’s risk that attackers may be able to steal payment card information or other sensitive personal information from a website’s customers in addition to inducing costly downtime due to lost sales for the site owner.

Greenbone includes an active check and version detection vulnerability tests (VTs) for identifying vulnerable versions of this high risk vulnerability.

GeoServer Actively Exploited for Remote Code Execution

A CVSS 9.8 Critical CVE was found in GeoServer prior to versions 2.23.6, 2.24.4, and 2.25.2. GeoServer is an open-source application for sharing, editing, and displaying geospatial data. Tracked as CVE-2024-36401, the vulnerability is being actively exploited and can lead to arbitrary Remote Code Execution (RCE). Exploit code is publicly available [1][2] compounding the risk. CERT-EU has issued an alert for all EU institutions, agencies, and member states. Greenbone includes remote detection tests to identify CVE-2024-36401 allowing users of affected GeoServer products to be notified.

The vulnerability, classified as “Dependency on Vulnerable Third-Party Component” [CWE-1395], lies in the GeoTools component – an open-source Java library that serves as the foundation for various geospatial projects and applications, including GeoServer. Therefore, similarly to how Log4Shell impacted an unknown number of applications using the Log4j 2.x library, the same is true for GeoTools. Various OGC (Open Geospatial Consortium) request parameters (including WFS GetFeature, WFS GetPropertyValue, WMS GetMap, WMS GetFeatureInfo, WMS GetLegendGraphic and WPS Execute requests) forfeit RCE since the GeoTools library API unsafely passes property/attribute names to the commons-jxpath library which has the capability to execute arbitrary code [CWE-94].

Users should update to GeoServer versions 2.23.6, 2.24.4, or 2.25.2 which contain a patch for the issue. For those who cannot update, removing the ‘gt-complex-<version>.jar’ file will eliminate the vulnerable code, but may break functionality if the gt-complex module is required.

Summary

July 2024 saw a decline in vulnerability disclosures, yet significant threats emerged. Notably, CVE-2024-37085 in VMware’s ESXi was observed being exploited for ransomware attacks, due to insecure design flaws. Cisco’s new vulnerabilities include CVE-2024-20399, actively exploited for command injection, and two critical flaws in its products. ServiceNow’s CVEs, including CVE-2024-4879 and CVE-2024-5217, are being used to distribute ransomware and steal data. Adobe Commerce’s CVE-2024-34102 and GeoServer’s CVE-2024-36401 also pose severe risks. Organizations must prioritize patching, vulnerability management, and incident response to mitigate these threats.

Contact Test Now Buy Here Back to Overview

/by
Joseph Lee

Helsinki Education System Breached via Unpatched Vulnerability

The cybersecurity threat environment has never been hotter or the stakes higher, and the cybersecurity community forecasts more of the same.  But, while there are more vulnerabilities for attackers to exploit, analysts also report that perpetrators are exploiting vulnerabilities faster, weaponizing new security advisories in a matter of days, maybe even hours after their publication.  This means that organizations have more risk and need to increase both their visibility and remediation efficiency.

In this article we will review a recent cybersecurity breach of the Helsinki Education System via an unpatched vulnerability that led to the theft of tens of millions of files representing the sensitive personal information of roughly 80,000 individuals. Forensic analysis of the attack indicates Russian threat actors may be responsible.

Overview of the Helsinki education system data breach

On 02. May 2024, the City of Helsinki’s Education Division was breached via an unpatched vulnerability in a remote access server. According to City Manager Jukka-Pekka Ujula: “A hotfix patch has been available to eliminate this vulnerability, but it is not currently known why this hotfix was not installed on the server.”

Specific technical details about the breach have not yet been disclosed, however, we do know that attackers were able to gain access to network drives containing tens of millions of files and steal them. Jukka-Pekka Ujula further commented: “Our security update and device maintenance controls and procedures have been insufficient”, referring to the lack of vulnerability management activities to ensure that known vulnerabilities are mitigated.

The stolen data includes the Personally Identifiable Information (PII) of roughly 80,000 students, guardians, and personnel including usernames and email addresses, personal IDs, physical addresses of students, as well as other sensitive private information including fees (and their justifications) for customers of early childhood education and care, sensitive information concerning the status of children such as requests for student welfare services or the need for special support, medical certificates regarding the suspension of studies for upper secondary students and sick leave records.

Finland’s national response to the breach

The City of Helsinki’s Chief Digital Officer, Hannu Heikkinen told reporters that early forensic analysis of the breach identified evidence that the attack may have originated from Russia. The attack comes within months of escalating border tensions between Russia and Finland. Although Russian nation-state threat actors and associated groups are known for cyber-military campaigns against their adversaries, none have assumed attribution. In Germany, the Federal Office for Information Security (BSI), has taken the position that Germany needs to realign itself strategically in response to increased cyber attacks from Russian-based threat actors and invest more in cyber security.

The National Cyber Security Centre Finland (NCSC-FI) has published updates and guidance on how to manage such incidents and improve cybersecurity measures across public and private sectors. The Finnish Government has also highlighted the need for systematic development and enhanced cooperation among authorities to improve the country’s cybersecurity resilience​​.

Trafcom, the Finish Transport and Communications Agency provides advice for those whose personal information has been stolen, or anyone who receives suspicious communication related to this breach incident. Anyone affected is asked to report any suspicious communications to kaskotietoturvatilanne@hel.fi or call +358 9 310 27139.

Greenbone supports cybersecurity best practices

The takeaway from this incident and others like this, is that proactive cybersecurity best practices such as vulnerability management reduce the chances of a data breach as associated costs. To defend themselves, organizations need to take a proactive approach by implementing policies, processes, and technologies such as the Greenbone Enterprise Vulnerability Management platform that support cybersecurity best practices. Failure to do so leaves the door open to attackers and comes with risks; both financial, reputational and to privacy.

Greenbone provides high visibility of the systems and software functioning within the organization’s IT infrastructure and ingests cyber-threat intelligence allowing IT security teams to conduct risk driven remediation. As a vulnerability scanning and management platform, Greenbone’s role is to help organizations detect known vulnerabilities in their IT environments and attest compliance with standards such as the BSI minimum standards and CIS security controls.

Contact Test Now Buy Here Back to Overview

/by
Markus Feilner

#nis2know: BSI launches NIS2 vulnerability test

The German implementation of the EU’s NIS2 directive is becoming more and more defined: End of July, the NIS2 Implementation Act passed the German government’s cabinet, a final decision in the Bundestag is imminent. For all companies and authorities wondering whether this concerns them, the BSI has now launched a comprehensive website with an impact assessment and valuable information under the catchy hashtag #nis2know.

Even if the Bundestag resolution is not yet passed and thus the originally planned date in October will perhaps not be feasible anymore, companies must prepare now, the Federal Office for Information Security (BSI) demands. The BSI is therefore providing companies and organizations of all kinds with an eight-part questionnaire (in German only) to help IT managers and managers find out whether the strict regulations of NIS2 also apply to them. For all companies and organizations that fall under the NIS2 regulation, the BSI also provides further assistance and answers to the question of what they can do now in advance of NIS2 coming into force.

High need, high demand

Demand appears to be high, with both BSI head Claudia Plattner and Federal CIO Markus Richter reporting success in the form of several thousand hits in the first few days (for example on LinkedIn: Plattner, Richter). The NIS2 vulnerability test can be found directly on the BSI website. Here you will find “specific questions based on the directive to classify your company”. The questions are “kept short and precise and are explained in more detail in small print if necessary”. Anyone filling out the BSI’s questionnaire will know within minutes whether their company or organization is affected by NIS2.

In the questions, the respondent must address whether their company is the operator of a critical facility, a provider of publicly accessible telecommunications services or public telecommunications networks, a qualified trust service provider, a top-level domain name registry or a DNS service provider. Even if the company is a non-qualified trust service provider or offers goods and services that fall under one of the types of facilities specified in Annex 1 or 2 of the NIS 2 Directive, it is affected by the NIS 2 regulations.

Anybody who can answer all questions with “No” is not affected by NIS2. For everyone else, however, the BSI offers extensive help and research options on what to do now. A FAQ list explains in detail in nine questions the current status, whether you should wait or already start preparing. Links to sources and contacts can be found here, as well as further information for the impact checks and explanations of terms (for example: What does “important”, “essential” and “particularly important” mean in the context of NIS2?) Also very important are the sections that explain which obligations and evidence affected companies must provide when and where, as well as the still unanswered discussion as to when NIS2 becomes binding.

The BSI’s wealth of information also includes support services for businesses, as well as clear instructions for the next steps and basic explanations on critical infrastructures (KRITIS) in general.

Take action now, despite waiting for the Bundestag

The national implementation of the European NIS2 Directive, which has been the subject of heated debate in some quarters, was recently delayed due to major differences of opinion between the parties involved, meaning that the previously expected date had to be postponed. The Federal Ministry of the Interior had already confirmed weeks ago that it would not come into force in October.

Irrespective of the wait for the Bundestag, those affected should take action now, writes the BSI: responsible persons and teams must be appointed, roles and tasks must be defined, but also an inventory is to be taken and processes are to be set up for continuous improvement. Preparing for the upcoming reporting obligation should be a top priority.

Extensive information also from Greenbone

Greenbone has also devoted numerous blog posts and guides to the topic of NIS2 in recent months, from the Cyber Resilience Act and the threat situation for municipalities to effective measures and basically everything what is needed to know about NIS2 right now.

Contact Test Now Buy Here Back to Overview

/by
Markus Feilner

Medium-sized companies are increasingly investing in vulnerability management

Ransomware, phishing, denial of service attacks: according to a recent study, 84 per cent of the companies surveyed are concerned about the security of their IT systems and see a further increase in the threat situation. For good reason, as companies are also concerned about outdated code, data theft by employees, inadequate protection of company […]

Read more
/by
Greenbone AG

NIS2: What you need to know

NIS2 Umsetzung gezielt auf den Weg bringen!

The deadline for the implementation of NIS2 is approaching – by October 17, 2024, stricter cybersecurity measures are to be transposed into law in Germany via the NIS2 Implementation Act. Other member states will develop their own legislature based on EU Directive 2022/2555. We have taken a close look at this directive for you to provide you with the most important pointers and signposts for the entry into force of NIS2 in this short video. In this video, you will find out whether your company is affected, what measures you should definitely take, which cybersecurity topics you need to pay particular attention to, who you can consult in this regard and what the consequences of non-compliance are.

Preview image for the video 'What you need to know about NIS2' with European star circle and NIS2 lettering - redirects to YouTube

Learn about the Cyber Resilience Act, which provides a solid framework to strengthen your organization’s resilience against cyberattacks. The ENISA Common Criteria will help you assess the security of your IT products and systems and take a risk-minimizing approach right from the development stage. Also prioritize the introduction of an information management system, for example by implementing ISO 27001 certification for your company. Seek advice about IT baseline protection from specialists recommended by the BSI or your local responsible office.

In addition to the BSI as a point of contact for matters relating to NIS2, we are happy to assist you and offer certified solutions in the areas of vulnerability management and penetration testing. By taking a proactive approach, you can identify security gaps in your systems at an early stage and secure them before they can be used for an attack. Our vulnerability management solution automatically scans your system for weaknesses and reports back to you regularly. During penetration testing, a human tester attempts to penetrate your system to give you final assurance about the attack surface of your systems.

You should also make it a habit to stay up to date with regular cybersecurity training and establish a lively exchange with other NIS2 companies. This is the only way for NIS2 to lead to a sustainable increase in the level of cyber security in Europe.

To track down the office responsible for you, follow the respective link for your state.

Austria France Malta
Belgium Germany Netherlands
Bulgaria Greece Poland
Croatia Hungary Portugal
Cyprus Ireland Romania
Czech Republic Italy Slovakia
Denmark Latvia Slovenia
Estonia Lithuania Spain
Finland Luxembourg Sweden

Contact Test Now Buy Here Back to Overview

/by