Tag Archive for: Blast-RADIUS

Greenbone AG

Greenbone Reduces the Blast Radius of a Cyber Breach

Cyber attacks, like other types of security incidents, range dramatically in scope and impact. When defenders are prepared, an incident may be contained, damage limited, and recovery swift. When caught unprepared, a single incident may result in days or weeks of downtime, lost revenue, tarnished reputation, regulatory penalties or class action settlements [1][2]. In May 2024, Change Healthcare forecasted an expected loss of 1.6 billion Dollar. As of January 2025, the total cost of the Change Healthcare ransomware attack has reached almost 3 billion Dollar [3][4].

The totality of damage caused by an IT security breach, known as the “blast radius”, depends on many factors. These factors include whether vulnerabilities are being managed, if a defense in depth approach to cybersecurity has been applied, network segmentation, effective backup strategies and more. Negligent security hygiene is an open invitation to attackers, resulting in more costly outcomes like extensive data theft, ransomware extortion and even destructive wiper attacks used for industrial sabotage. A recent report found that once inside a network, attackers now deploy ransomware within 48 minutes on average and CVE disclosures are being weaponized into exploits within 18 days.

This article explores the concept of a cyber attack “blast radius” and the role that effective Vulnerability Management plays in containing the fallout from cyber intrusions. With the right controls in place, the damage from a cyber breach can be minimized and worst-case outcomes prevented

What is the “Blast Radius” of a Cyber Breach?

The term “blast radius” is military jargon referring to the physical area damaged by an exploding bomb. In digital systems, the term similarly refers to the extent of damage caused by a cyber attack. How many systems did an attacker compromise? Were they able to subsequently compromise critical systems after initial access? Did they breach adjacent networks or cloud assets?

Far-reaching damage is not a foregone conclusion when hackers gain initial access. Defenders can effectively cut off the attack at an early stage, preventing malicious actors from achieving their ultimate objectives or causing far reaching damage.

The Consequences of a Bigger Blast Radius

While forfeiting unauthorized access to an adversary is bad, it’s the subsequent stages of an attack that keeps IT security managers up at night. The latter stages of a cyber breach such as installing malware on critical assets, exfiltrating sensitive data, or encrypting files have the most profound implications for organizations. As blast radius increases, it is much more likely that an organization will experience a significantly negative impact.

Increased blast radius can result in:

  • Longer “Dwell Time”: Lateral movement and persistence techniques can allow attackers to remain undetected for extended periods, gathering intelligence and preparing subsequent attacks.
  • Increased financial losses: Service disruptions and ransomware attacks contribute to higher financial losses, lost revenue from downtime, risk of regulatory penalties and erode business relationships.
  • Increased operational downtime: The impact of operational downtime can reverberate across an organization causing delays, frustration and desynchronizing operations.
  • Loss of sensitive data: Attackers seek to exfiltrate sensitive data to support espionage campaigns or extort victims into paying ransom.
  • Compromised trust: Unauthorized access to messaging systems or third-party assets can erode trust among stakeholders, including customers, employees and business partners.

Greenbone Reduces the Blast Radius of a Cyber Breach

Vulnerability Management is a powerful factor in reducing the so-called “blast radius”. Effective mitigation of security gaps can leave an adversary with no easily accessible means to extend their initial foothold. Vulnerability management is most efficiently and effectively implemented by automatically scanning for security weaknesses throughout a network infrastructure and remediating the attack surface. In doing so, organizations can greatly reduce the potential blast radius of a successful cyber attack and also reduce probability of being breached in the first place.

Threat Mapping helps IT security teams understand their attack surfaces, the locations where adversaries may be able to enter a network. Greenbone’s core capabilities support Threat Mapping efforts with system and service discovery scans and by scanning both network and host attack surfaces allowing defenders to reduce their attack surface by 99%. Furthermore, Greenbone provides real-time reporting and alerts to keep security teams informed of emerging threats, enabling a proactive cybersecurity posture and timely remediation. This proactive, layered approach to cybersecurity reduces the potential blast radius and results in better security outcomes. Defenders are afforded more time to detect an attacker’s presence and eliminate it before catastrophic damage can be done.

The Strongest Defenses with Greenbone Enterprise Feed

The strongest defenses come from Greenbone’s industry leading Enterprise Vulnerability Feed. In total, the Greenbone Enterprise Feed has approximately 180,000 vulnerability tests and counting which can detect both general security compliance weaknesses and application specific vulnerabilities. Our Enterprise Feed adds hundreds of new tests each week to detect the newest emerging threats.

Here is a list of IT assets that Greenbone is designed to scan:

  • Internal network infrastructure: Scanning internal network devices with any type of exposed service, such as databases, file shares, SNMP enabled devices, firewalls, routers, VPN gateways and more.
  • On-premises and cloud servers: Attesting server configurations to ensure compliance with security policies and standards.
  • Workstations: Greenbone scans workstations and other endpoints across all major operating system (Windows, Linux, and macOS) to identify the presence of known software vulnerabilities attesting compliance with cybersecurity standards like CIS Benchmark
  • IoT and peripheral devices: IoT and peripheral devices, such as printers, use the same network protocols for communication as other network services. This allows them to be easily scanned for device and application specific vulnerabilities and common misconfigurations similarly to other network endpoints.

Reducing Network Attack Surface

Network attack surface consists of exposed network services, APIs and websites within an organization’s internal network environment and public facing infrastructure. To scan network attack surfaces, Greenbone builds an inventory of endpoints and listening services within target IP range(s) or a list of hostnames, then scans for known vulnerabilities.

Greenbone’s network vulnerability tests (NVTs) consist of version checks and active checks. Version checks query the service for a version string and then compare it for matching CVEs. Active checks use network protocols to interact with the exposed service to verify whether known exploit techniques are effective. These active checks use the same network communication techniques as real world cyber attacks, but do not seek to exploit the vulnerability. Instead, they simply notify the security team that a particular attack is possible. Anything an attacker can reach via the internet or local network, Greenbone can scan for vulnerabilities.

Reducing Host Attack Surface

Host attack surface is the software and configurations within individual systems that cannot be accessed directly via the network. Reducing the host attack surface minimizes what an attacker can do with initial access. Greenbone’s authenticated scans conduct Local Security Checks (LSC) to assess a system’s internal components for known weaknesses and non-compliant configurations that could allow attackers to escalate their privilege level, access sensitive information, install additional malware or move laterally to other systems.

Greenbone’s Enterprise Feed includes families of LSC for each major operating system including Ubuntu, Debian, Fedora, Red Hat, Huawei, SuSE Linux distributions, Microsoft Windows, macOS and many more.

Post-Breach Tactics: the Second Stage of Cyber Intrusions

Once attackers gain a foothold within a victim’s network, they engage in secondary exploitation techniques to deepen their access and achieve their objectives. In the modern cybercrime ecosystem, Initial Access Brokers (IABs) specialize in gaining unauthorized access. IABs then sell this access to other cybercriminal groups that specialize in second-stage attack tactics such as deploying ransomware or data theft. Similar to breaching the walls of a fortress, after initial access, an organization’s internal network becomes more accessible to attackers.

Some tactics used during the second stage of cyber attack include:

  • Privilege escalation [TA0004]: Attackers seek ways to elevate their access rights, allowing them access to more sensitive data or to execute administrative actions.
  • Lateral movement [TA0008]: Attackers compromise other systems within the victim’s network, extending their access to high-value resources.
  • Persistent remote access [TA0028]: Creating new accounts, deploying backdoors or using compromised credentials, attackers seek to maintain their access even if the initial vulnerability is remediated or their presence is detected.
  • Credential theft [TA0006]: Stolen sensitive data can be processed offline by attackers attempting to crack passwords, break into protected resources or plan social engineering attacks.
  • Accessing messaging systems [T1636]: Accessing organizational messaging platforms or collaboration tools gives access to sensitive information which can be used to conduct social engineering attacks such as spear phishing, even targeting external partners or customers.
  • Encryption for impact [T1486]: Identifying critical assets, financially motivated adversaries seek to maximize impact by deploying ransomware and extorting the victim to return access to the encrypted data.
  • Data exfiltration [TA0010]: Downloading a victim’s sensitive data can be used for espionage and also gives attackers leverage to extort victims into paying to not release it publicly.
  • Denial of Service attacks [T0814]: Service disruption can be used for further extortion or as a distraction to execute other attacks within the victim’s network.

Summary

Blast radius refers to the scope of damage that an adversary imposes during a cyber attack. As attacks progress, adversaries seek to penetrate deeper, gaining access to more sensitive systems and data. Lack of cyber hygiene gives attackers free reign to steal data, deploy ransomware and cause service disruptions and complicates detection and recovery. Minimizing attack surface is crucial for reducing the potential impact of a cyber breach and helps ensure a better security outcome.

Greenbone’s core contribution to cybersecurity is to increase security visibility in real-time, alerting defenders to vulnerabilities and giving them the opportunity to close security gaps, preventing hackers from exploiting them. This includes both network attack surface: public-facing assets, internal network infrastructure, cloud assets and host attack surface: internal software applications, packages and common misconfigurations.

By delivering industry-leading vulnerability detection, Greenbone empowers real-time threat visibility, empowering defenders to proactively ensure that adversaries are decisively neutralized.

Contact Test Now Buy Here Back to Overview

/by
Joseph Lee

September 2024 Threat Tracking: Speed Before Safety?

A 2023 World Economic Forum report surveyed 151 global organizational leaders and found that 93% of cyber leaders and 86% business leaders believe a catastrophic cyber event is likely within the next two years. Still, many software vendors prioritize rapid development and product innovation above security. This month, CISA’s Director Jen Easterly stated software vendors “are building problems that open the doors for villains” and that “we don’t have a cyber security problem – we have a software quality problem”. Downstream, customers benefit from innovative software solutions, but are also exposed to the risks from poorly written software applications; financially motivated ransomware attacks, wiper malware, nation-state espionage and data theft, costly downtime, reputational damage and even insolvency.

However astute, the Director’s position glosses over the true cyber risk landscape. For example, as identified by Bruce Schneier back in 1999; IT complexity increases the probability of human error leading to misconfigurations [1][2][3]. Greenbone identifies both known software vulnerabilities and misconfigurations with industry leading vulnerability test coverage and compliance tests attesting CIS controls and other standards such as the BSI basic controls for Microsoft Office.

At the end of the day, organizations hold responsibility to their stakeholders, customers and the general public. They need to stay focused and protect themselves with fundamental IT security activities including Vulnerability Management. In September 2024’s Threat Tracking blog post, we review the most pressing new developments in the enterprise cybersecurity landscape threatening SMEs and large organizations alike.

SonicOS Exploited in Akira Ransomware Campaigns

CVE-2024-40766 (CVSS 10 Critical) impacting SonicWall’s flagship OS SonicOS, has been identified as a known vector for campaigns distributing Akira ransomware. Akira, originally written in C++, has been active since early 2023. A second Rust-based version became the dominant strain in the second half of 2023. The primary group behind Akira is believed to stem from the dissolved Conti ransomware gang. Akira is now operated as a Ransomware as a Service (RaaS) leveraging a double extortion tactic against targets in Germany and across the EU, North America, and Australia. As of January 2024, Akira had compromised over 250 businesses and critical infrastructure entities, extorting over 42 million US-Dollar.

Akira’s tactics include exploiting known vulnerabilities for initial access such as:

Greenbone includes tests to identify SonicWall devices vulnerable to CVE-2024-40766 [1][2] and all other vulnerabilities exploited by the Akira ransomware gang for initial access.

Urgent Patch for Veeam Backup and Restoration

Ransomware is the apex cyber threat, especially in healthcare. The US Human and Healthcare Services (HHS) reports that large breaches increased by 256% and ransomware incidents by 264% over the past five years. Organizations have responded with more proactive cybersecurity measures to prevent initial access and more robust incident response and recovery, including more robust backup solutions. Backup systems are thus a prime target for ransomware operators.

Veeam is a leading vendor of enterprise backup solutions globally and promotes its products as a viable safeguard against ransomware attacks. CVE-2024-40711 (CVSS 10 Critical), a recently disclosed vulnerability in Veeam Backup and Recovery is especially perilous since it could allow hackers to target the last line of protection against ransomware – backups. The vulnerability was discovered and responsibly reported by Florian Hauser of CODE WHITE GmbH, a German cybersecurity research company. Unauthorized Remote Code Execution (RCE) via CVE-2024-40711 was quickly verified by security researchers within 24 hours of the disclosure, and proof-of-concept code is now publicly available online, compounding the risk.

Veeam Backup & Replication version 12.1.2.172 and all earlier v12 builds are vulnerable and customers need to patch affected instances with urgency. Greenbone can detect CVE-2024-40711 in Veeam Backup and Restoration allowing IT security teams to stay one step ahead of ransomware gangs.

Blast-RADIUS Highlights a 20 Year old MD5 Collision Attack

RADIUS is a powerful and flexible authentication, authorization, and accounting (AAA) protocol used in enterprise environments to validate user-supplied credentials against a central authentication service such as Active Directory (AD), LDAP, or VPN services. Dubbed BlastRADIUS, CVE-2024-3596 is a newly disclosed attack against the UDP implementation of RADIUS, accompanied by a dedicated website, research paper, and attack details. Proof-of-concept code is also available from a secondary source.

Blast-RADIUS is an Adversary in The Middle (AiTM) attack that exploits a chosen-prefix collision weakness in MD5 originally identified in 2004 and improved in 2009. The researchers exponentially reduced the time required to spoof MD5 collisions and released their improved version of hashclash. The attack can allow an active AiTM positioned between a RADIUS client and a RADIUS server to trick the client into honoring a forged Access-Accept response despite the RADIUS server issuing a Access-Reject response. This is accomplished by computing an MD5 collision between the expected Access-Reject and a forged Access-Accept response allowing an attacker to approve login requests.

Greenbone can detect a wide array vulnerable RADIUS implementations in enterprise networking devices such as F5 BIG-IP [1], Fortinet FortiAuthenticator [2] and FortiOS [3], Palo Alto PAN-OS [4], Aruba CX Switches [5] and ClearPass Policy Manager [6], and on the OS level in Oracle Linux [7][8], SUSE [9][10][11], OpenSUSE [12][13], Red Had [14][15], Fedora [16][17], Amazon [18], Alma [19][20], and Rocky Linux [21][22] among others.

Urgent: CVE-2024-27348 in Apache HugeGraph-Server

CVE-2024-27348 (CVSS 9.8 Critical) is a RCE vulnerability in the open-source Apache HugeGraph-Server that affects all versions of 1.0 before 1.3.0 in Java8 and Java11. HugeGraph-Server provides an API interface used to store, query, and analyze complex relationships between data points and is commonly used for analyzing data from social networks, recommendation systems and for fraud detection.

CVE-2024-27348 allows attackers to bypass the sandbox restrictions within the Gremlin query language by exploiting inadequate Java reflection filtering. An attacker can leverage the vulnerability by crafting malicious Gremlin scripts and submitting them via API to the HugeGraph /gremlin endpoint to execute arbitrary commands. The vulnerability can be exploited via remote, adjacent, or local access to the API and can enable privilege escalation.

It is being actively exploited in hacking campaigns. Proof-of-concept exploit code [1][2][3] and an in-depth technical analysis are publicly available giving cyber criminals a head start in developing attacks. Greenbone includes an active check and version detection test to identify vulnerable instances of Apache HugeGraph-Server. Users are advised to update to the latest version.

Ivanti has Been an Open Door for Attackers in 2024

Our blog has covered vulnerabilities in Invati products several times this year [1][2][3]. September 2024 was another hot month for weaknesses in Ivanti products. Ivanti finally patched CVE-2024-29847 (CVSS 9.8 Critical), a RCE vulnerability impacting Ivanti Endpoint Manager (EPM), first reported in May 2024. Proof-of-concept exploit code and a technical description are now publicly available, increasing the threat. Although there is no evidence of active exploitation yet, this CVE should be considered high priority and patched with urgency.

However, in September 2024, CISA also identified a staggering four new vulnerabilities in Ivanti products being actively exploited in the wild. Greenbone can detect all of these new additions to CISA KEV and previous vulnerabilities in Ivanti products. Here are the details:

Summary

In this month’s Threat Tracking blog, we highlighted major cybersecurity developments including critical vulnerabilities such as CVE-2024-40766 exploited by Akira ransomware, CVE-2024-40711 impacting Veeam Backup and the newly disclosed Blast-RADIUS attack that could impact enterprise AAA. Proactive cybersecurity activities such as continuous vulnerability management and compliance attestation help to mitigate risks from ransomware, wiper malware, and espionage campaigns, allowing defenders to close security gaps before adversaries can exploit them.

Contact Test Now Buy Here Back to Overview

/by