Tag Archive for: Bedrohungserkennung

Security experts are observing a worrying trend: the time to exploit (TTE), i.e. the time between a security vulnerability becoming known and being exploited by malicious actors, has been falling dramatically in recent times.

At the same time, attackers are becoming increasingly skilled at concealing their presence in a successfully hacked network. Experts refer to the time it takes to establish a foothold and then gain unauthorized access to company resources before being detected (and removed) as “dwell time”. The shorter this time, the better for those under attack. Even the most talented hacker needs time and can cause more (permanent) damage the longer they remain undetected and unobserved.

The Enemy Is Listening – and May Already Be There

Alarmingly, dwell time is increasingly reaching months or even years, as was the case with Sony and the US Office of Personnel Management. There, attackers were able to operate undisturbed for more than twelve months. As a result, more than 10 terabytes of data were stolen from the Japanese technology group.

The fear of hidden intruders is great; after all, no one can say with certainty whether a malicious listener is already on their own network. It happens. In the 2015 Bundestag hack, for example, it was not the Bundestag’s own monitoring system that informed the German authorities about strange activities by third parties (Russian APT hacker groups) on the Bundestag network, but a “friendly” intelligence service. How long and how many actors had already been active in the network at that point remained unclear. The only thing that was clear was that there was more than one, and that the friendly intelligence services had been watching for some time.

Detection, Prevention and Response Increasingly Critical

This makes it all the more important to ensure that attackers do not gain access to the system in the first place. But this is becoming increasingly difficult: as reported by experts at Google’s Mandiant, among others, the response time available to companies and software operators between the discovery of a vulnerability and its exploitation has fallen rapidly, from 63 days in 2018 to just over a month in more recent years.

Less and Less Time to Respond

In 2023, administrators had an average of only five days to detect and close vulnerabilities. Today it is already less than three days.

But that’s not all. In the past, security vulnerabilities were often exploited after patches became available, i.e., after experienced administrators had already secured their systems and installed the latest patches. These so-called “N-day vulnerabilities” should not really be a problem, as fixes are available.

Improved Discipline with Side Effects: Attackers Learn

Unfortunately, in the past, discipline (and awareness) was not as strong in many companies, and the issue was neglected, inadvertently contributing to the spread of automated attack methods such as worms and viruses. But there is good news here too: in 2022, attacks via N-day vulnerabilities still accounted for 38% of all attacks, but by 2023 this figure had fallen to just 30%.

At first glance, this sounds good because administrators can find and fix known vulnerabilities for which patches are available more quickly and effectively. After years of poor discipline and a lack of update and patch strategies, the major and successful ransomware incidents have certainly also helped to convey the scope and importance of proper vulnerability management to the majority of those responsible.

Two-Thirds Are Now Zero-Days

But there is also a downside to these figures: more than two-thirds of all attacks are now based on zero-day vulnerabilities, i.e., security gaps for which there is no patch yet – in 2023, this figure was as high as 70%. Criminal groups and attackers have reacted, learned and professionalized, automated and greatly accelerated their activities.

Without automation and standardization of processes, without modern, well-maintained and controlled open-source software, administrators can hardly keep up with developments. Who can claim to be able to respond to a new threat within three days?

Powerless? Not with Greenbone

When attackers can respond faster to new, previously unknown vulnerabilities and have also learned to hide themselves better, there can only be one answer: the use of professional vulnerability management. Greenbone solutions allow you to test your network automatically. Reports on the success of measures give administrators a quick overview of the current security status of your company.

October was European Cyber Security Month (ECSM) and International Cybersecurity Awareness month with the latter’s theme being “Secure Our World”. It’s safe to say that instilling best practices for online safety to individuals, businesses and critical infrastructure is mission critical in 2024. At Greenbone, in addition to our Enterprise vulnerability management products, we are happy to make enterprise grade IT security tools more accessible via our free Community Edition, Community Portal and vibrant Community Forum to discuss development, features and get support.

Our core message to cybersecurity decision makers is clear: To patch or not to patch isn’t a question. How to identify vulnerabilities and misconfigurations before an attacker can exploit them is. Being proactive is imperative; once identified, vulnerabilities must be prioritized and fixed. While alerts to active exploitation can support prioritization, waiting to act is unacceptable in high risk scenarios. Key performance indicators can help security teams and executive decision makers track progress quantitatively and highlight areas that need improvement.

In this month’s Threat Tracking blog post, we will review this year’s ransomware landscape including the root causes of ransomware attacks and replay some of the top cyber threats that emerged in October 2024.

International Efforts to Combat Ransomware Continue

The International Counter Ransomware Initiative (CRI), consisting of 68 countries and organizations (notably lacking Russia and China), convened in Washington, D.C., to improve ransomware resilience globally. The CRI aims to reduce global ransomware payments, improve incident reporting frameworks, strengthen partnerships with the cyber insurance industry to lessen the impact of ransomware incidents, and enhance resilience by establishing standards and best practices for both preventing and recovering from ransomware attacks.

Microsoft’s Digital Defense Report 2024 found the rate of attacks has increased so far in 2024, yet fewer breaches are reaching the encryption phase. The result is fewer victims paying ransom overall. Findings from Coveware, Kaseya, and the blockchain monitoring firm Chainalysis also affirm lower rates of payout. Still, ransomware gangs are seeing record profits; more than 459 million US dollars were extorted during the first half of 2024. This year also saw a new single-incident high: a 75 million US dollar extortion payout amid a trend towards “big game hunting” – targeting large firms rather than small and medium-sized enterprises (SMEs).

What Is the Root Cause of Ransomware?

How are ransomware attacks succeeding in the first place? Root cause analyses can help: a 2024 Statista survey of organizations worldwide reports that exploited software vulnerabilities are the leading root cause of successful ransomware attacks, implicated in 32% of successful attacks. The same survey ranked credential compromise the second-most common cause and malicious email (malspam and phishing attacks) third. Security experts from Symantec claim that exploitation of known vulnerabilities in public-facing applications has become the primary initial access vector in ransomware attacks. Likewise, KnowBe4, a security awareness provider, ranked social engineering and unpatched software as the top root causes of ransomware.

These findings bring us back to our core message and highlight the importance of Greenbone’s industry leading core competency: helping defenders identify vulnerabilities lurking in their IT infrastructure so they can fix and close exploitable security gaps.

FortiJump: an Actively Exploited CVE in FortiManager

In late October 2024, Fortinet alerted its customers to a critical severity RCE vulnerability in FortiManager, the company’s flagship network security management solution. Dubbed “FortiJump” and tracked as CVE-2024-47575 (CVSS 9.8), the vulnerability is classified as “Missing Authentication for Critical Function” [CWE-306] in FortiManager’s fgfm daemon. Google’s Mandiant has retroactively searched logs and confirmed this vulnerability has been actively exploited since June 2024 and describes the situation as a mass exploitation scenario.

Another actively exploited vulnerability in Fortinet products, CVE-2024-23113 (CVSS 9.8) was also added to CISA’s KEV catalog during October. This time the culprit is an externally-controlled format string in FortiOS that could allow an attacker to execute unauthorized commands via specially crafted packets.

Greenbone is able to detect devices vulnerable to FortiJump, FortiOS devices susceptible to CVE-2024-23113 [1][2][3], and over 600 other flaws in Fortinet products.

Iranian Cyber Actors Serving Ransomware Threats

The FBI, CISA, NSA and other US and international security agencies issued a joint advisory warning of an ongoing Iranian-backed campaign targeting critical infrastructure networks particularly in healthcare, government, IT, engineering and energy sectors. Associated threat groups are attributed with ransomware attacks that primarily gain initial access by exploiting public facing services [T1190] such as VPNs. Other techniques used in the campaign include brute force attacks [T1110], password spraying [T1110.003], and MFA fatigue attacks.

The campaign is associated with exploitation of the following CVEs:

Greenbone can detect all CVEs referenced in the campaign advisories, providing defenders with visibility and the opportunity to mitigate risk. Furthermore, while not tracked as a CVE, preventing brute force and password spraying attacks is cybersecurity 101. While many authentication services do not natively offer brute force protection, add-on security products can be configured to impose a lockout time after repeated login failures. Greenbone can attest compliance with CIS security controls for Microsoft RDP including those that prevent brute-force and password spraying login attacks.

Finally, according to the EU Cyber Resilience Act (CRA), Annex I, Part I (2)(d), products with digital elements must “ensure protection from unauthorized access by appropriate control mechanisms”, including systems for authentication, identity and access management, and should also report any instances of unauthorized access. This implies that going forward the EU will eventually require all products to have built-in brute force protection rather than relying on third-party rate limiting tools such as fail2ban for Linux.
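The lockout logic described above for brute force [T1110] and password spraying [T1110.003], as an added example written for this post (not Greenbone code and not the advisory's): it replays constructed login events, distinguishes the two patterns by counting failures per account versus distinct accounts per source address inside a sliding window, and imposes a temporary lockout on the offending source. The log format and all thresholds are assumptions chosen for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Tuning values are assumptions for this example, not settings of any product.
WINDOW = timedelta(minutes=5)        # sliding window in which failures are counted
LOCKOUT = timedelta(minutes=15)      # lockout imposed on a source IP after an alert
BRUTE_FORCE_FAILS = 5                # one user, many passwords, one IP   -> T1110
SPRAY_DISTINCT_USERS = 8             # many users, one IP, few tries each -> T1110.003

# Constructed sample log: "<ISO timestamp> <username> <source IP> <FAIL|OK>".
SAMPLE_LOG = [
    "2024-10-12T08:00:01 alice 192.0.2.10 FAIL",          # a typo, then success
    "2024-10-12T08:00:09 alice 192.0.2.10 OK",
] + [
    f"2024-10-12T08:01:{2 * i:02d} bob 198.51.100.23 FAIL"      # six tries on one account
    for i in range(6)
] + [
    f"2024-10-12T08:02:{i:02d} user{i:02d} 198.51.100.45 FAIL"  # nine accounts, one try each
    for i in range(1, 10)
]


def parse(line):
    """Split one sample log line into (timestamp, user, source IP, result)."""
    ts, user, ip, result = line.split()
    return datetime.fromisoformat(ts), user, ip, result


def detect(lines):
    """Replay log lines in order. Returns (alerts, blocked): alerts is a list of
    (kind, source_ip, user, time); blocked counts attempts rejected per IP while
    that IP was locked out. Successful logins are not counted as failures."""
    failures = defaultdict(deque)   # source IP -> recent (time, user) failures
    locked_until = {}               # source IP -> end of its lockout
    alerts, blocked = [], defaultdict(int)
    for line in lines:
        ts, user, ip, result = parse(line)
        if ip in locked_until and ts < locked_until[ip]:
            blocked[ip] += 1        # lockout in force: reject without evaluating
            continue
        if result != "FAIL":
            continue
        recent = failures[ip]
        recent.append((ts, user))
        while ts - recent[0][0] > WINDOW:   # drop failures outside the window
            recent.popleft()
        same_user = sum(1 for _, u in recent if u == user)
        distinct_users = len({u for _, u in recent})
        if same_user >= BRUTE_FORCE_FAILS:
            alerts.append(("brute_force", ip, user, ts))
        elif distinct_users >= SPRAY_DISTINCT_USERS:
            alerts.append(("password_spray", ip, None, ts))
        else:
            continue
        locked_until[ip] = ts + LOCKOUT     # impose the lockout and reset the window
        recent.clear()
    return alerts, dict(blocked)


if __name__ == "__main__":
    found, rejected = detect(SAMPLE_LOG)
    for kind, ip, user, ts in found:
        print(f"{ts.isoformat()} {kind:15} src={ip} user={user or '*'}")
    print("attempts rejected during lockout:", rejected)
```

A per-source lockout like this is what fail2ban-style tools add in front of services that lack it; a single legitimate typo (alice) never trips either threshold.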

Unencrypted Cookies in F5 BIG-IP LTM Actively Exploited

CISA has observed that cyber threat actors are exploiting unencrypted persistent cookies on F5 BIG-IP Local Traffic Manager (LTM) systems. Once stolen, the cookies are used to identify other internal network devices, which can further allow passive detection of vulnerabilities within a network. Similar to most web applications, BIG-IP passes an HTTP cookie between the client and server to track user sessions. The cookie, by default, is named BIGipServer<pool_name> and its value contains the encoded IP address and port of the destination server.

F5 BIG-IP is a network traffic management suite and LTM is the core module that provides load balancing and traffic distribution across servers. CISA advises organizations to ensure persistent cookies are encrypted. F5 offers guidance for setting up cookie encryption and a diagnostic tool, BIG-IP iHealth, to detect unencrypted cookie persistence profiles.

While active exploitation increases the threat to organizations who have not remediated this weakness, the vulnerability has been known since early 2018. Greenbone has included detection for this weakness since January 2018, allowing users to identify and close the security gap presented by unencrypted cookies in F5 BIG-IP LTM since its disclosure.
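A self-check an operator can run against their own BIG-IP's Set-Cookie headers after following the F5 guidance above, added here as an example (not F5's iHealth tool and not Greenbone's vulnerability test): it recognizes the plain IPv4 form of a BIGipServer* cookie, which F5 documents as the pool member's IP and port as little-endian integers in decimal, and reports whether the value still exposes an internal address. The sample headers are constructed; IPv6 and route-domain cookie forms are not handled, so an "opaque" verdict only means the value is not proven plaintext.

```python
import ipaddress
import re

# Plain (unencrypted) IPv4 persistence cookie value as documented by F5:
#   "<pool member IP as little-endian 32-bit integer, decimal>.<port as
#    little-endian 16-bit integer, decimal>.0000"
PLAIN_IPV4 = re.compile(r"^(\d{1,10})\.(\d{1,5})\.0000$")


def decode_bigip_cookie(value):
    """Return (ip, port) if value is a plain IPv4 BIGipServer cookie, else None.
    None also covers encrypted values and the IPv6/route-domain forms, which this
    check does not handle, so None means 'not proven plaintext', not 'encrypted'."""
    match = PLAIN_IPV4.match(value)
    if not match:
        return None
    ip_le, port_le = int(match.group(1)), int(match.group(2))
    if ip_le > 0xFFFFFFFF or port_le > 0xFFFF:
        return None
    ip = ipaddress.IPv4Address(ip_le.to_bytes(4, "little"))   # undo little-endian
    port = int.from_bytes(port_le.to_bytes(2, "little"), "big")
    return str(ip), port


def check_set_cookie(header):
    """Classify one Set-Cookie header value. Returns None for cookies that are not
    BIGipServer*, otherwise (cookie_name, verdict, 'ip:port' or None)."""
    name, _, rest = header.partition("=")
    name = name.strip()
    if not name.startswith("BIGipServer"):
        return None
    value = rest.split(";", 1)[0].strip()
    decoded = decode_bigip_cookie(value)
    if decoded is None:
        return name, "opaque", None
    ip, port = decoded
    scope = "internal" if ipaddress.ip_address(ip).is_private else "public"
    return name, f"plaintext-{scope}", f"{ip}:{port}"


# Constructed headers: one plaintext cookie for a pool member 10.1.1.100:8080,
# one opaque value standing in for an encrypted cookie, one unrelated cookie.
SAMPLE_HEADERS = [
    "BIGipServerpool_web=1677787402.36895.0000; path=/",
    "BIGipServerpool_api=!OPAQUE_CONSTRUCTED_VALUE; path=/; HttpOnly",
    "session=abc123; path=/; Secure",
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(check_set_cookie(header))
```

Any "plaintext-internal" verdict means the cookie encryption profile is not in effect on that virtual server and the remediation CISA describes has not been completed.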

New High Risk Vulnerabilities in Palo Alto Expedition

Several new high risk vulnerabilities have been disclosed in Palo Alto’s Expedition, a migration tool designed to streamline the transition from third-party security configurations to Palo Alto’s PAN-OS. While not observed in active campaigns yet, two of the nine total CVEs assigned to Palo Alto in October were rated with EPSS scores in the top 98th percentile. EPSS (Exploit Prediction Scoring System) is a machine learning prediction model that estimates the likelihood of a CVE being exploited in the wild within 30 days from the model prediction.

Here is a brief technical description of each CVE:

  • CVE-2024-9463 (CVSS 7.5, EPSS 91.34%): An OS command injection vulnerability in Palo Alto’s Expedition allows an unauthenticated attacker to run arbitrary OS commands as root in Expedition, resulting in disclosure of usernames, cleartext passwords, device configurations and device API keys of PAN-OS firewalls.
  • CVE-2024-9465 (CVSS 9.1, EPSS 73.86%): An SQL injection vulnerability in Palo Alto Networks Expedition allows an unauthenticated attacker to reveal sensitive database contents, such as password hashes, usernames, device configurations and device API keys. Once this information has been obtained, attackers can create and read arbitrary files on affected systems.

Four Critical CVEs in Mozilla Firefox: One Actively Exploited

As mentioned before on our Threat Tracking blog, browser security is critical for preventing initial access, especially for workstation devices. In October 2024, seven new critical severity and 19 other less critical vulnerabilities were disclosed in Mozilla Firefox < 131.0 and Thunderbird < 131.0.1. One of these, CVE-2024-9680, was observed being actively exploited against Tor network users and added to CISA’s Known Exploited Vulnerabilities (KEV) catalog. Greenbone includes vulnerability tests to identify all affected Mozilla products.

The seven new critical severity disclosures are:

  • CVE-2024-9680 (CVSS 9.8): Attackers achieved unauthorized RCE in the content process by exploiting a Use-After-Free in Animation timelines. CVE-2024-9680 is being exploited in the wild.
  • CVE-2024-10468 (CVSS 9.8): Potential race conditions in IndexedDB allow memory corruption, leading to a potentially exploitable crash.
  • CVE-2024-9392 (CVSS 9.8): A compromised content process enables arbitrary loading of cross-origin pages.
  • CVE-2024-10467, CVE-2024-9401 and CVE-2024-9402 (CVSS 9.8): Memory safety bugs present in Firefox showed evidence of memory corruption. Security researchers presume that with enough effort some of these could have been exploited to run arbitrary code.
  • CVE-2024-10004 (CVSS 9.1): Opening an external link to an HTTP website when Firefox iOS was previously closed and had an HTTPS tab open could result in the padlock icon showing an HTTPS indicator incorrectly.

Summary

Our monthly Threat Tracking blog covers major cybersecurity trends and high-risk threats. Key insights for October 2024 include expanded efforts to counter ransomware internationally and the role proactive vulnerability management plays in preventing successful ransomware attacks. Other highlights include Fortinet and Palo Alto vulnerabilities actively exploited and updates on an Iranian-backed cyber attack campaign targeting public-facing services of critical infrastructure sector entities. Additionally, F5 BIG-IP LTM’s unencrypted cookie vulnerability, exploited for reconnaissance, and four new Mozilla Firefox vulnerabilities, one actively weaponized, underscore the need for vigilance.

Greenbone facilitates identification and remediation of these vulnerabilities and more, helping organizations enhance resilience against evolving cyber threats. Prioritizing rapid detection and timely patching remains crucial for mitigating risk.

it-sa 2024 in Nuremberg was a great success not only for the organizers but also for us: three days full of inspiring conversations, new contacts and important insights into the current security requirements of existing and potential customers. As one of the most important trade fairs for IT security in Europe, it-sa was the ideal platform for us to present the latest developments to a broad audience. Our keynote, held by CEO Dr. Jan-Oliver Wagner, attracted numerous trade visitors. Under the title “Be secure and stay secure”, he provided insights into the importance of our portfolio for proactive corporate security.

The Greenbone team at the partner stand at it-sa 2024 in Nuremberg.

The Greenbone team at it-sa 2024 was pleased to welcome twice as many visitors as in the previous year.


Keynote: Vulnerability Management as the Basis for Cyber Security

In his keynote, Jan-Oliver Wagner spoke about the growing importance of vulnerability management as the fundamental building block of a comprehensive security strategy. Companies and organizations of all sizes are facing the challenge of dealing with the ever-increasing threat of cyber attacks. Because the number of attacks has increased dramatically in recent years and high tens of millions have already been paid in cyber extortion, it is clear that cybersecurity is no longer just “nice to have”, but essential for survival.

Jan-Oliver Wagner called for threats to be detected as early as possible and for risks to be managed proactively. He presented vulnerability management as “the first line of defense” against attackers. With Greenbone solutions, companies can continuously check their IT infrastructure for security vulnerabilities: “Vulnerability management is the basis of a sustainable and highly effective security strategy.” Security teams are often faced with the difficult task of assessing risks appropriately and making the right decisions. “The goal is to stay one step ahead of attackers. Our solutions not only identify security vulnerabilities, but also help prioritize which vulnerabilities need to be addressed most urgently.”

Inspiring Conversations and New Contacts: the Trade Fair Highlights

The trade fair enabled us to engage directly with industry visitors, customers and partners, answer their questions and better understand their perspectives. With many technical discussions in just three days, the number of visitors to our partner stand at ADN more than doubled compared to last year, reports Ingo Conrads, Chief Sales Officer: “We were particularly pleased about the many new prospects and partners with whom we were able to discuss many new business opportunities.” 

Dr. Jan-Oliver Wagner, CEO of Greenbone, during his keynote speech 'Be secure and stay secure' at it-sa 2024 in Nuremberg.

Greenbone CEO Dr. Jan-Oliver Wagner giving the keynote “Be secure and stay secure” at it-sa 2024.

Many visitors already knew Greenbone as a brand, partly through OpenVAS in the past. But new products such as Greenbone Basic were also a discovery for many, showing how comprehensive and scalable our solutions have become – from entry-level to enterprise products for the public sector. The diversity of our portfolio and our services in particular generated surprise and interest. An overview of the various possible uses of our solutions is available on our website.

Thank You for the Successful Trade Fair!

it-sa 2024 was a great success and an inspiring experience for us. Once again, the trade fair showed how important vulnerability management has become and that Greenbone is making an important contribution to IT security. Many thanks to our distribution partner ADN for the excellent cooperation at the partner stand – and many thanks to all visitors for the interesting discussions and valuable feedback!

Together we are working to ensure that companies are secure – and stay secure. 

While the German government has yet to implement the necessary adjustments for the NIS2 directive, organizations shouldn’t lose momentum. Although the enforcement is now expected in Spring 2025 instead of October 2024, the core requirements remain unchanged. While there remains a lot of work for companies, especially operators of critical infrastructure, most of it is clear and well-defined. Organizations must still focus on robust vulnerability management, such as that offered by Greenbone.

Missed Deadlines and the Need for Action

Initially, Germany was supposed to introduce the NIS2 compliance law by October 17, 2024, but the latest drafts failed to gain approval, and even the Ministry of the Interior does not anticipate a timely implementation. If the parliamentary process proceeds swiftly, the law could take effect by Q1 2025, the Ministry announced.

A recent study by techconsult (only in German), commissioned by Plusnet, reveals that while 67% of companies expect cyberattacks to increase, many of them still lack full compliance. NIS2 mandates robust security measures, regular risk assessments and rapid response to incidents. Organizations must report security breaches within 24 hours and deploy advanced detection systems, especially those already covered under the previous NIS1 framework.

Increased Security Budgets and Challenges

84% of organizations plan to increase their security spending, with larger enterprises projecting up to a 12% rise. Yet only 29% have fully implemented the necessary measures, citing workforce shortages and lack of awareness as key obstacles. The upcoming NIS2 directive presents not only a compliance challenge but also an opportunity to strengthen cyber resilience and gain customer trust. Therefore, 34% of organizations will invest in vulnerability management in the future.

Despite clear directives from the EU, political delays are undermining the urgency. The Bundesrechnungshof and other institutions have criticized the proposed exemptions for government agencies, which could weaken overall cybersecurity efforts. Meanwhile, the healthcare sector faces its own set of challenges, with some facilities granted extended transition periods until 2030.

Invest now to Stay Ahead

At the latest since the NIS2 regulations began to loom, businesses have been aware of the risks and are willing to invest in their security infrastructure. As government action lags, companies must take proactive measures. Effective vulnerability management solutions, like those provided by Greenbone, are critical to maintaining compliance and security.