Tag Archive for: it security

Markus Feilner

Dennis-Kenji Kipker about the future of NIS2 in Germany and Europe

With the new elections, the implementation of NIS2 in Germany appears to have been halted for the time being. While other European countries are already ready, German companies will have to wait several more months until legal certainty is established. Everything has actually been said, templates have been drawn up, but the change of government means a new start is necessary.

We spoke to one of the leading experts on NIS2: Dennis-Kenji Kipker is Scientific Director of the cyberintelligence.institute in Frankfurt/Main, professor at the Riga Graduate School of Law and regularly consults as an expert at the German Federal Office for Information Security (BSI) and many other public and scientific institutions.

Why did the German government reject the final NIS2 draft?

Portrait of Prof. Dr. Dennis-Kenji Kipker, expert in IT law and cyber security, in an interview on the implementation of the NIS2 Directive

Prof. Dr. Dennis-Kenji Kipker

Kipker: This is due to the so-called discontinuity principle. Just like with the old government, all unfinished projects must be archived. “Due to the early elections, the parliamentary procedure for the NIS2UmsuCG could not be completed” is the official term. In line with the principle of discontinuity, when a newly elected Bundestag is constituted, all bills not yet passed by the old Bundestag must be reintroduced and renegotiated. This means that the work already done on NIS2 will fall by the wayside. But you can of course build on this and reintroduce almost the same text.

Will that happen?

Kipker: There is an internal 100-day plan from the Federal Ministry of the Interior for the period after the election. According to rumors, cybersecurity is a very high priority in the plan, and NIS2 in particular is now to be implemented very quickly. If this can be implemented before fall/winter 2025 (the actual current schedule), Germany will at least avoid the embarrassment of bringing up the rear in Europe.

Is that realistic?

Kipker: You would have to recycle a lot, i.e. take over things from the last legislative period despite the principle of discontinuity. Now, it seems that the current Ministry of the Interior wants to do just that. Only the politicians and officials directly involved know whether this is realistic. However, 100 days seems very ambitious to me in the Berlin political scene, even if everyone involved pulls together. There would need to be a budget, the current NIS2UmsuCG draft would need to be revised and addressed but also finalized, and the German scope of application of the law would need to be clarified and aligned with EU law. Furthermore, at the end of 2024 and the beginning of 2025, attempts were still being made to push through many things in the Bundestag after the expert hearing on NIS2, some of which are rather questionable. In any case, this would have to be renegotiated politically and evaluated technically.

When do you think this will happen?

Kipker: It’s hard to say, but even if you break the 100-day deadline, it should be feasible to complete a national NIS2 implementation before the winter of 2025/2026. But that’s just a very preliminary assumption that I keep hearing from “usually well-informed circles”. One way or another, we will be at the bottom of the league when it comes to Europe-wide implementation, and all the current ambitions won’t change that.

And what is the situation like in other European countries?

Kipker: A lot is happening right now. It has been recognized, for example, that the different national implementations of NIS2 lead to frictional losses and additional costs for the affected companies – that’s not really surprising. A few weeks ago, the European Union Agency For Cybersecurity (ENISA) published a report that is well worth reading, which explains and evaluates the maturity and criticality of relevant NIS2 sectors in a European comparison. “NIS360 is intended to support Member States and national authorities in identifying gaps and prioritizing resources”, writes the EU cybersecurity authority. And we at cyberintelligence.institute have produced a comprehensive study on behalf of the Swiss company Asea Brown Boveri, which also takes a closer look at the EU-wide implementation of the NIS2 directive.

What key insight did you gain there?

Kipker: The Comparison Report is primarily aimed at transnationally operating companies that are looking for a first point of contact for cybersecurity compliance. Above all, there is a lack of central administrative responsibilities in the sense of a “one-stop store”, and the diverging implementation deadlines are causing problems for companies. As of the end of January, only nine EU states had transposed NIS2 into national law, while the legislative process had not yet been completed in 18 other states. Another key insight: Just because I am NIS2-compliant in one EU member state does not necessarily mean that this also applies to another member state.

So, Germany may not be a pioneer, but it is not lagging behind either?

Kipker: We are definitely not at the forefront, but if we manage to implement it nationally this year, we may not be the last, but we will be among the last. My guess in this respect now is that we won’t have really reliable results until the fourth quarter of 2025. So, it’s going to be close to avoid being left in the red after all. Politicians will have to decide whether this can meet our requirements in terms of cyber security and digital resilience.

Where can affected companies find out about the current status?

Kipker: There are ongoing events and opportunities for participation. On March 18, for example, there will be a BSI information event (in German language) where you can ask about the plans. Then, in May 2025, there will also be the NIS-2 Congress right next door to us in Frankfurt, for which the “most recognized NIS-2 Community Leader” has just been selected. There will certainly be one or two interesting tidbits of information to pick up here. Otherwise, feel free to contact me at any time if you have any questions about NIS2!

Contact Test Now Buy Here Back to Overview

/by
Joseph Lee

February 2025 Threat Report: Tectonic Technology

Cyber threats are evolving at breakneck speed, but the fundamental weaknesses attackers exploit remain strikingly unchanged. So far in 2025, many analysts have published landscape reviews of 2024 and outlooks for 2025. The cost of cyber breaches is ticking upwards, but overall, cyber breach root-causes have not changed. Phishing [T1566] and exploiting known software vulnerabilities [T1190] continue to top the list. Another key observation is that attackers are weaponizing public information faster, converting CVE (Common Vulnerabilities and Exposures) disclosures into viable exploit code within days or even hours. Once inside a victim’s network, they are executing precision second-stage objectives faster too, deploying ransomware within minutes.

In this month’s edition of the Greenbone Threat Report, we will briefly review the disclosed chats of the Black Basta ransomware group and highlight Greenbone’s coverage of their now exposed techniques. We will also review a report from Greynoise about mass exploitation attacks, a new actively exploited vulnerability in Zimbra Collaboration Suite and new threats to edge networking devices.

The Era of Tectonic Technology

If security crises are like earthquakes, then the global tech ecosystem is the underlying tectonic plates. The global technology ecosystem would be best represented as the Paleozoic Era of geological history. Rapid innovative and competitive market forces are pushing and pulling at the fabric of IT security like the colliding supercontinents of Pangea; continuous earthquakes constantly forcing continental shift.

Entirely new paradigms of computing such as generative AI and quantum computing are creating advantages and risks; volcanoes of value and unstable ground. Global governments and tech giants are wresting for access to citizen’s sensitive personal data, adding gravity. These struggles have significant implications for privacy, security and how society will evolve. Here are some of the major forces destabilizing IT security today:

  • Rapidly evolving technologies are driving innovation, forcing technical change.
  • Organizations are both forced to change as technologies and standards depreciate and motivated to change to remain competitive.
  • Fierce market competition has accelerated product development and release cycles.
  • Strategic planned obsolescence has been normalized as a business strategy for reaping financial gain.
  • Pervasive lack of accountability for software vendors has led to prioritization of performance over “security-first” design principles.
  • Nation-states weaponize technology for Cyber Warfare, Information Warfare and Electronic Warfare.

Due to these forces, well-resourced and well-organized cyber criminals find a virtually unlimited number of security gaps to exploit. The Paleozoic Era lasted 300 million years. Hopefully, we won’t have to wait that long for product vendors to show accountability and employ secure design principles [1][2][3] to prevent so-called “unforgivable” vulnerabilities of negligence [4][5]. The takeaway is that organizations need to develop technical agility and efficient patch management programs. Continuous prioritized vulnerability management is a must.

Black Basta Tactics Revealed: Greenbone Has Coverage

Leaked internal chat logs belonging to Black Basta ransomware group have provided insight into the group’s tactics and inner workings. The logs were leaked by an individual using the alias “ExploitWhispers” who claimed the release was in response to Black Basta’s controversial targeting of Russian banks, allegedly creating internal conflicts within the group. Since its emergence in April 2022, Black Basta has reportedly amassed over $100 million in ransom payments from more than 300 victims worldwide. 62 CVEs referenced in leaked documents reveal the group’s tactics for exploiting known vulnerabilities. Of these 62, Greenbone maintains detection tests for 61, covering 98% of the CVEs.

The Greynoise 2025 Mass Exploitation Report

Mass exploitation attacks are fully automated network attacks against services that are accessible via internet. This month, Greynoise published a comprehensive report summarizing the mass exploitation landscape including the top CVEs attacked by the largest botnets (unique IPs), the most exploited product vendors and top CVEs included in the CISA’s (Cybersecurity and Infrastructure Security Agency) KEV (Known Exploited Vulnerabilities) catalog and exploited by botnets. Greenbone Enterprise Feed has detection tests for 86% of all CVEs (86 total) referenced in the report. When considering only CVEs issued in 2020 or later (66 total), our Enterprise Feed has 90% detection coverage.

Additional findings include:

  • 60% of CVEs exploited in mass exploitation attacks were published in 2020 or later.
  • Attackers are exploiting vulnerabilities within hours of disclosure.
  • 28% of vulnerabilities in CISA KEV are exploited by ransomware threat actors.

Zimbra Collaboration Suite

CVE-2023-34192 (CVSS 9.0) is a high-severity Cross-Site Scripting (XSS) vulnerability in Zimbra Collaboration Suite (ZCS) version 8.8.15. The flaw allows authenticated remote attackers to execute arbitrary code via crafted scripts targeting the `/h/autoSaveDraft` function. CISA added CVE-2023-34192 to its KEV catalog, indicating that it has been actively exploited in real-world attacks. Proof-of-concept (PoC) exploit code is publicly available, allowing low-skilled attackers to join the fray. CVE-2023-34192 has held a very high EPSS since its disclosure in 2023. For defenders leveraging EPSS for remediation prioritization, this indicates a high priority to patch.

Zimbra Collaboration Suite (ZCS) is an open-source office productivity platform that integrates email, calendar, contacts, tasks and collaboration tools but holds a niche market share of less than 1% of all email and messaging platforms.

Living on the Edge: New Critical Networking Device Flaws

In our monthly threat report we have been tracking the persistent threat to edge network devices. Earlier this-month, we reported on a perfect security storm affecting end-of-life (EOL) Zyxel routers and firewalls. In this section we will review new security risks that fall into the “edge networking” category. Greenbone has detection capabilities for all CVEs discussed below.

Chinese Hackers Exploit Palo Alto’s PAN-OS for Ransomware

CVE-2024-0012 (CVSS 9.8), a vulnerability in Palo Alto PAN-OS disclosed last November, is considered one of the most exploited vulnerabilities of 2024. The CVE is also reportedly being used by Chinese state-backed threat actors for ransomware attacks. Another new flaw affecting PAN-OS, CVE-2025-0108 (CVSS 9.1), was just disclosed this month and immediately tagged as actively exploited by CISA. CVE-2025-0108 is an authentication bypass in the management web-interface and can be chained together with CVE-2024-9474 (CVSS 7.2), a separate privilege escalation vulnerability to gain unauthenticated root control over an unpatched PAN-OS device.

SonicWall Patches a Critical Actively Exploited CVE in SonicOS

CVE-2024-53704, a critical severity vulnerability in SonicWall devices, has been recently added to CISA’s KEV list. Astoundingly, CISA lists 8 SonicWall CVEs that are known to be actively exploited in ransomware attacks. CVE-2024-53704 (CVSS 9.8) is an Improper Authentication vulnerability [CWE-287] in the SSLVPN authentication mechanism of SonicWall’s SonicOS versions 7.1.1-7058 and older, 7.1.2-7019, and 8.0.0-8035. It allows remote attackers to bypass authentication and and hijack active SSL VPN sessions, potentially gaining unauthorized network access. A full technical analysis is available from BishopFox. An advisory from SonicWall also names additional high severity CVEs in SonicOS that have been patched along with CVE-2024-53704.

Sophos’ CyberroamOS and EOL XG Firewalls Actively Exploited

Sophos, which acquired Cyberoam in 2014, has issued an alert and patch for CVE-2020-29574. CyberoamOS is part of Sophos’ product ecosystem. Aside from this CVE, Sophos XG Firewall, soon to be EOL, is also the subject of an active exploitation alert.

  • CVE-2020-29574 (CVSS 9.8): A critical SQL injection [CWE-89] vulnerability identified in the WebAdmin interface of CyberoamOS versions up to December 4, 2020. This flaw allows unauthenticated attackers to remotely execute arbitrary SQL statements, potentially gaining complete administrative access to the device. A hotfix patch has been issued, which also extends to some affected end-of-life (EOL) products.
  • CVE-2020-15069 (CVSS 9.8) is a critical Buffer Overflow vulnerability in Sophos XG Firewall versions 17.x through v17.5 MR12, allowing unauthenticated RCE via the HTTP/S Bookmarks feature for clientless access. This vulnerability, published in 2020 is now being actively exploited and has been added to CISA KEV indicating heightened risk. Sophos released an advisory in 2020 when the vulnerability was disclosed, along with a hotfix affected firewalls. The XG Series hardware appliances are soon scheduled to reach end-of-life (EOL) on March 31, 2025.

PrivEsc and Auth Bypasses in Fortinet FortiOS and FortiProxy

Fortinet disclosed two critical vulnerabilities, both affecting FortiOS and FortiProxy. The Canadian Center for Cybersecurity and the Belgian Center for Cybersecurity have issued advisories. Fortinet acknowledges active exploitation of CVE-2024-55591 and has released official guidance that includes details on affected versions and recommended updates. ​

  • CVE-2024-55591 (CVSS 9.8): An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] affecting FortiOS allows a remote attacker to gain super-admin privileges via crafted requests to Node.js websocket module. Multiple PoC exploits are available [1][2] increasing the risk of exploitation by low-skilled attackers.
  • CVE-2024-40591 (CVSS 8.8): Allows an authenticated administrator with Security Fabric permissions to escalate their privileges to super-admin by connecting the targeted FortiGate device to a malicious upstream FortiGate under their control.

Cisco Flaws Implicated as Initial Access Vectors in Telecom Hacks

In the past few months, China’s Salt Typhoon espionage group has routinely exploited at least two critical vulnerabilities in Cisco IOS XE devices to gain persistent access to telecommunications networks. Victims include Italian ISP, a South African telecom, and a large Thai telecom, and twelve universities worldwide including UCLA, Indonesia’s Universitas Negeri Malang and Mexico’s UNAM among others. Previously, Salt Typhoon had compromised at least nine U.S. telecoms, including Verizon, AT&T and Lumen Technologies. U.S. authorities claim Salt Typhoon’s goal is surveilling high-profile individuals, political figures and officials related to Chinese political interests.

CVEs exploited by Salt Typhoon include:

  • CVE-2023-20198 (CVSS 10): A privilege escalation flaw in Cisco IOS XE’s web interface. Used for initial access, allowing attackers to create an admin account.
  • CVE-2023-20273 (CVSS 7.2): Another privilege escalation flaw, used after gaining admin access to escalate privileges to root and establish a GRE (Generic Routing Encapsulation) tunnel for persistence.

Also, two other CVEs in Cisco products entered the radar in February 2025:

  • CVE-2023-20118 (CVSS 7.2): A command injection vulnerability in the web-based management interface of Cisco Small Business Routers allows authenticated, remote attackers to execute arbitrary commands with root-level privileges by sending crafted HTTP requests. CISA added CVE-2023-20118 to its KEV catalog, indicating evidence of active exploitation.
  • CVE-2023-20026 (CVSS 7.2): A command injection vulnerability in the web-based management interface of Cisco Small Business Routers RV042 Series allows authenticated, remote attackers with valid administrative credentials to execute arbitrary commands on the device. The flaw is due to improper validation of user input within incoming HTTP packets. While CVE-2023-20026 is not known to be exploited in any active campaigns, Cisco’s Product Security Incident Response Team (PSIRT) is aware that PoC exploit code for this vulnerability exists.

Ivanti Patches Four Critical Flaws

Four critical vulnerabilities were identified, affecting Ivanti Connect Secure (ICS), Policy Secure (IPS), and Cloud Services Application (CSA). No reports of active attacks in the wild or PoC exploits have emerged yet. Ivanti advises users to promptly update to the newest versions to address these critical vulnerabilities.

Here is a brief technical summary:

  • CVE-2025-22467 (CVSS 8.8): Attackers with credentials can achieve remote code execution (RCE) due to a stack-based buffer overflow [CWE-121] flaw in ICS versions prior to 22.7R2.6.
  • CVE-2024-38657 (CVSS 9.1): Attackers with credentials can write arbitrary files due to an external control of file name vulnerability in ICS versions before 22.7R2.4 and IPS versions before 22.7R1.3.
  • CVE-2024-10644 (CVSS 9.1): A code injection flaw in ICS (pre-22.7R2.4) and IPS (pre-22.7R1.3), allows arbitrary RCE to authenticated administrators. ​
  • CVE-2024-47908 (CVSS 7.2): An operating system command injection vulnerability [CWE-78] in CSA’s admin web console (versions before 5.0.5), allows arbitrary RCE to authenticated administrators.

Summary

This month’s Threat Report highlights key cybersecurity developments, including the evolving tactics of ransomware groups like Black Basta and the pervasive critical threat to edge network devices. With the support of AI tools, attackers are exploiting vulnerabilities faster-sometimes within hours of disclosure. Organizations must remain vigilant by adopting proactive security measures, continuously updating their defenses and leveraging threat intelligence to stay ahead of emerging threats.

Contact Test Now Buy Here Back to Overview

/by
Joseph Lee

Greenbone Detects CVE-2025-0994: Actively Exploited Flaw in Trimble Cityworks

Trimble Cityworks, an enterprise asset management (EAM) and public works management software is actively under attack. The campaign began as an unknown (zero-day) vulnerability, but is now tracked as ​​CVE-2025-0994 with a CVSS of 8.6. The vulnerability is a deserialization flaw [CWE-502] that could allow an authenticated attacker to execute arbitrary code remotely (Remote Code Execution; RCE). Greenbone includes detection for CVE-2025-0994 in the Enterprise Feed.

Active exploitation of CVE-2025-0994 is a real and present danger. Trimble has released a statement acknowledging the attacks against their product. Thanks to the vendor’s transparency, CISA (Cybersecurity and Infrastructure Security Agency) has added CVE-2025-0994 to their catalog of Known Exploited Vulnerabilities (KEV), published an ICS advisory as well as a CSAF 2.0 document. CSAF 2.0 advisories are machine readable advisory documents for decentralized sharing of cybersecurity intelligence.

Although many media reports and some threat platforms indicate that a public proof-of-concept (PoC) exists, the only search result for GitHub is simply a version detection test. This means it is less likely that low-skilled hackers will easily participate in attacks. The misinformation is likely due to poorly designed algorithms combined with lack of human oversight before publishing threat intelligence.

Who Is at Risk due to CVE-2025-0994?

Trimble Cityworks is designed for and used primarily by local governments and critical infrastructure providers including water and wastewater systems, energy, transportation systems, government industrial facilities and communications agencies. Cityworks enhances Geographic Information Systems (GIS) by integrating asset management and public works solutions directly with Esri ArcGIS. The software is meant to help organizations manage infrastructure, schedule maintenance and improve operational efficiency. In addition to CISA, several other government agencies have issued alerts regarding this vulnerability including the US Environment Protection Agency (EPA), the Canadian Centre for Cyber Security and New York State.

Trimble Cityworks has reported serving over 700 customers across North America, Europe, Australia and the Middle East in 2019. While specific numbers for municipal governments in the U.S., Canada and the EU are not publicly disclosed, a Shodan search and Censys map both reveal only about 100 publicly exposed instances of Cityworks. However, the application is considered to have a high adoption rate by local governments and utilities. If publicly exposed, CVE-2025-0994 could offer an attacker initial access [T1190]. For attackers who already have a foothold, the flaw is an opportunity for lateral movement [TA0008] and presents an easy mark for insider attacks.

A Technical Description of CVE-2025-0994

CVE-2025-0994 is a deserialization vulnerability [CWE-502] found in versions of Trimble Cityworks prior to 15.8.9 and Cityworks with Office Companion versions prior to 23.10. The vulnerability arises from the improper deserialization of untrusted serialized data, allowing an authenticated attacker to execute arbitrary code remotely on a target’s Microsoft Internet Information Services (IIS) web server.

Serialization is a process whereby the software code or objects are encoded to be transferred between applications and then reconstructed into the original format used by a programming language. When Trimble Cityworks processes serialized objects, it does not properly validate or sanitize untrusted input. This flaw allows an attacker with authenticated access to send specially crafted serialized objects, which can trigger arbitrary code execution on the underlying IIS server. Deserializing data from unauthenticated sources seems like a significant design flaw in itself, but failing to properly sanitize serialized data is especially poor security.

Exploitation CVE-2025-0994 could lead to:

  • Unauthorized access to sensitive data
  • Service disruption of critical infrastructure systems
  • Potential full system compromise of the affected IIS web server

Mitigating CVE-2025-0994 in Trimble Cityworks

Trimble has released patched versions of Cityworks that address the deserialization vulnerability. These patches include Cityworks 15.8.9 and Cityworks 23.10. On-premise users must immediately upgrade to the patched version, while Cityworks Online (CWOL) customers will receive these updates automatically.

Trimble noted that some on-premise deployments are running IIS with overprivileged identity permissions, which increases the attack surface. IIS should not have local or domain-level administrative privileges. Follow Trimble’s guidance in the latest Cityworks release notes to adjust IIS identity configurations properly.

Users of on-premises Trimble Cityworks should:

  • Update Cityworks 15.x versions to 15.8.9 and 23.x versions to 23.10.
  • Audit IIS identity permissions to ensure that they align with the principle of least privilege.
  • Limit attachment directory root configuration to only folders which only contain attachments.
  • Use a firewall to restrict IIS server access to trusted internal systems only.
  • Use a VPN to allow remote access to Cityworks rather than publicly exposing the service.

Summary

CVE-2025-0994 represents a serious security risk to Trimble Cityworks users, which largely comprise government and critical infrastructure environments. With active exploitation already observed, organizations must prioritize immediate patching and implement security hardening measures to mitigate the risk. Greenbone has added detection for CVE-2025-0994 to the Enterprise Feed, allowing customers to gain visibility into their exposure.

Contact Test Now Buy Here Back to Overview

/by
Joseph Lee

January 2025 Threat Report: Fortune Favors the Prepared

This year, many large organizations around the world will be forced to reckon with the root-cause of cyber intrusions. Many known vulnerabilities are an open gateway to restricted network resources. Our first Threat Report of 2025 reviews some disastrous breaches from 2024 and then dives into some pressing cybersecurity vulnerabilities from this past month.

However, to be clear, the vulnerabilities discussed here merely scratch the surface. In January 2025, over 4,000 new CVEs (Common Vulnerabilities and Exposures) were published; 22 with the maximum CVSS score of 10, and 375 rated critical severity. The deluge of critical severity flaws in edge networking devices has not abated. Newly attacked flaws in products from global tech giants like Microsoft, Apple, Cisco, Fortinet, Palo Alto Networks, Ivanti, Oracle and others have been appended to CISA’s (Cybersecurity and Infrastructure Security Agency) Known Exploited Vulnerabilities (KEV) catalog.

Software Supply Chain: the User’s Responsibility

We are all running software we didn’t design ourselves. This places a huge emphasis on trust. Where trust is uncertain – whether due to fears of poor diligence, malice or human error – cybersecurity responsibility still rests on the end-user. Risk assurances depend heavily on technical knowledge and collective effort. Defenders need to remember these facts in 2025.

When supply chain security fails, ask why! Did the software vendor provide the required tools to take control of your own security outcomes? Is your IT security team executing diligent vulnerability discovery and remediation? Are your resources segmented with strong access controls? Have employees been trained to identify phishing attacks? Are other reasonable cybersecurity measures in place? Organizations need to mature their ransomware-readiness, implement regular vulnerability assessments and prioritized patch management. And they should verify reliable backup strategies can meet recovery targets and prioritize other fundamental security controls to protect sensitive data and prevent downtime.

Fortune Favors the Prepared

Assessing 2024, the UK’s NCSC (National Cyber Security Center) annual review painted a grim picture; significant cyberattacks had increased three times compared to 2023. For a birds-eye view, CSIS (The Center for International Strategic & International Studies) has posted an extensive list of the most significant cyber incidents of 2024. The landscape has been shaped by the Russia Ukraine conflict and an accelerated shift from globalization to adversarialism.

Check Point Research found that 96% of all vulnerabilities exploited in 2024 were over a year old. These are positive findings for proactive defenders. Entities conducting vulnerability management will fare much better against targeted ransomware and mass exploitation attacks. One thing is clear: proactive cybersecurity reduces the cost of a breach.

Let’s review two of the most significant breaches from 2024:

  • The Change Healthcare Breach: Overall in 2024, breaches of healthcare entities were down from 2023’s record setting year. However, the ransomware attack against Change Healthcare set a new record for the number of affected individuals at 190 million, with total costs so far reaching 2,457 billion Dollar. The State of Nebraska has now filed a lawsuit against Change Healthcare for operating outdated IT systems that failed to meet enterprise security standards. According to IBM, breaches in the healthcare industry are the most costly, averaging 9.77 million Dollar in 2024.
  • Typhoon Teams Breach 9 US Telecoms: The “Typhoon” suffix is used by Microsoft’s threat actor naming convention for groups with Chinese origins. The Chinese state-sponsored adversary known as Salt Typhoon infiltrated the networks of at least nine major U.S. telecommunications companies, accessing user’s call and text metadata and audio recordings of high-profile government officials. Volt Typhoon breached Singapore Telecommunications (SingTel) and other telecom operators globally. The “Typhoons” exploited vulnerabilities in outdated network devices, including unpatched Microsoft Exchange Server, Cisco routers, Fortinet and Sophos Firewalls and Ivanti VPN appliances. Greenbone is able to detect all known software vulnerabilities associated with Salt Typhoon and Volt Typhoon attacks [1][2].

UK May Ban Ransomware Payments in Public Sector

The UK government’s framework to combat ransomware has proposed a ban on ransom payments by public sector entities and critical infrastructure operators with hopes to deter cyber criminals from targeting them in the first place. However, a new report from The National Audit Office (NAO), the UK’s independent public spending watchdog, says “cyber threat to UK government is severe and advancing quickly”.

The FBI, CISA and NSA all advise against paying ransoms. After all, paying a ransom does not guarantee the recovery of encrypted data or prevent the public release of stolen data, and may even encourage further extortion. On the flip side IBM’s security think-tank acknowledges that many SME organizations could not fiscally survive the downtime imposed by ransomware. While both sides make points here, could enriching cyber criminals while failing to shore-up local talent result in a positive outcome?

Vulnerability in SonicWall SMA 1000 Actively Exploited

Microsoft Threat Intelligence has uncovered active exploitation of SonicWall SMA 1000 gateways via CVE-2025-23006 (CVSS 9.8 Critical). The flaw is caused by improper handling of untrusted data during deserialization [CWE-502]. It could allow an unauthenticated attacker with access to the internal Appliance Management Console (AMC) or Central Management Console (CMC) interface to execute arbitrary OS commands. SonicWall has released hotfix version 12.4.3-02854 to address the flaw.

While no publicly available exploit code has been identified, numerous government agencies have issued alerts including Germany’s BSI CERT-Bund, Canadian Center for Cybersecurity, CISA, and the UK’s NHS (National Health Service). Greenbone is able to detect SonicWall systems impacted by CVE-2025-23006 by remotely checking the version identified from the service banner.

CVE-2024-44243 for Persistent Rootkit in macOS

January 2025 was a firestorm month for Apple security. Microsoft Threat Intelligence has found time to security test macOS, discovering a vulnerability that could allow installed apps to modify the OS System Integrity Protection (SIP). According to Microsoft, this could allow attackers to install rootkits, persistent malware and bypass Transparency, Consent and Control (TCC) which grants granular access permissions to applications on a per-folder basis. While active exploitation has not been reported, Microsoft has released technical details on their findings.

As January closed, a batch of 88 new CVEs, 17 with critical severity CVSS scores were published affecting the full spectrum of Apple products. One of these, CVE-2025-24085, was observed in active attacks and added to CISA’s KEV catalog. On top of these, dual speculative execution vulnerabilities in Apple’s M-series chips dubbed SLAP and FLOP were disclosed but have not yet been assigned CVEs. For SLAP, researchers leveraged chip flaws to exploit Safari WebKit’s heap allocation techniques and manipulated JavaScript string metadata to enable out-of-bounds speculative reads, allowing them to extract sensitive DOM content from other open website tabs. For FLOP, researchers demonstrated that sensitive data can be stolen from Safari and Google Chrome; bypassing Javascript type checking in Safari WebKit and Chrome’s Site Isolation via WebAssembly.

Furthermore, five high severity vulnerabilities were also published affecting Microsoft Office for macOS. Each potentially forfeiting Remote Code Execution (RCE) to an attacker. Affected products include Microsoft Word (CVE-2025-21363), Excel (CVE-2025-21354 and CVE-2025-21362) and OneNote (CVE-2025-21402) for macOS. While no technical details about these vulnerabilities are yet available, all have high CVSS ratings and users should update as soon as possible.

The Greenbone Enterprise Feed includes detection for missing macOS security updates and many other CVEs affecting applications for macOS including the five newly disclosed CVEs in Microsoft Office for Mac.

6 CVEs in Rsync Allow Both Server and Client Takeover

The combination of two newly discovered vulnerabilities may allow the execution of arbitrary code on vulnerable rsyncd servers while having only anonymous read access. CVE-2024-12084, a heap buffer overflow and CVE-2024-12085, an information leak flaw are the culprits. Public mirrors using rsyncd represent the highest risk since they inherently lack access control.

The researchers also found that a weaponized rsync server can read and write arbitrary files on connected clients. This can allow theft of sensitive information and potentially execution of malicious code by modifying executable files.

Here is a summary of the new flaws ordered by CVSS severity:

Collectively, these flaws present serious risk of RCE, data exfiltration and installing persistent malware on both rsyncd servers and unsuspecting clients. Users must update to the patched version, thoroughly look for any Indicators of Compromise (IoC) on any systems that have used rsync, and potentially redeploy file sharing infrastructure. Greenbone is able to detect all known vulnerabilities in rsync and non-compliance with critical security updates.

CVE-2025-0411: 7-Zip Offers MotW Bypass

On January 25, 2025, CVE-2025-0411 (CVSS 7.5 High) was published affecting 7-Zip archiver. The flaw allows bypassing the Windows security feature Mark of the Web (MotW) via specially crafted archive files. MoTW tags files downloaded from the internet with a Zone Identifier alternate data stream (ADS), warning when they originate from an untrusted source. However, 7-Zip versions before 24.09 do not pass the MotW flag to files within nested archives. Exploiting CVE-2025-0411 to gain control of a victim’s system requires human interaction. Targets must open a trojanized archive and then further execute a malicious file contained within.

Interestingly, research from Cofence found government websites around the world have been leveraged for credential phishing, malware delivery and command-and-control (C2) operations via CVE-2024-25608, a Liferay digital platform vulnerability. This flaw allows attackers to redirect users from trusted .gov URLs to malicious phishing sites. Combining redirection from a trusted .gov domain with the 7-Zip flaw has significant potential for stealthy malware distribution.

Considering the risks, users should manually upgrade to version 24.09, which has been available since late 2024. As discussed in the introduction above, software supply chain security often lies in a grey zone, we all depend on software beyond our control. Notably, prior to the publication of CVE-2025-0411, 7-Zip had not alerted users to a security flaw. Furthermore, although 7-Zip is open-source, the product’s GitHub account does not reveal many details or contact information for responsible disclosure.

Furthermore, the CVE has triggered DFN-CERT and BSI CERT-Bund advisories [1][2]. Greenbone is able to detect the presence of vulnerable versions of 7-Zip.

Summary

This edition of our monthly Threat Report reviewed major breaches from 2024 and newly discovered critical vulnerabilities in January 2025. The software supply chain presents elevated risk to all organizations large and small from both open-source and closed-source products. However, open-source software offers transparency and the opportunity for stakeholders to engage proactively in their own security outcomes, either collectively or independently. While cybersecurity costs are significant, advancing technical capabilities will increasingly be a determinant factor in both enterprise and national security. Fortune favors the prepared.

Contact Test Now Buy Here Back to Overview

/by
Greenbone AG

#GreenboneGoesGlobal: Strong Presence at ITASEC 2025 in Bologna

ITASEC, Italy’s most important conference for cyber security, takes place in Bologna from February 3 to 8, 2025. As a platinum sponsor, Greenbone is sending a strong signal for European cooperation and digital security. This step demonstrates our commitment to a global presence and direct customer interaction.

Street scene in the old town of Bologna with a view of the medieval 'Due Torri' towers, venue of the IT security conference ITASEC 2025

The “Due Torri”, two medieval towers, shape the image of the historic old town of Bologna. (Photo: Markus Feilner, CC-BY 2016)

 

New Perspectives in Italy and Worldwide

“At Greenbone, we are increasingly realizing how important our vulnerability management is for customers throughout Europe and how important it is for these customers to be able to communicate with us directly on site,” explains Chief Marketing Officer Elmar Geese. To meet this demand, Greenbone has established the Italian subsidiary OpenVAS S.R.L. At the same time, Greenbone is expanding into other regions. A new subsidiary in the Netherlands and an increased engagement in the Asian market are on the agenda.

We will not only be present at ITASEC with a booth, but will also contribute to the content: Dirk Boeing, Senior Consultant and cybersecurity expert at Greenbone, will speak on February 6th at 11:00 a.m. on the panel “Security Management in the NIS2 Era”.

Visit Us in Bologna!

The annual ITASEC takes place on the campus of the “Alma Mater Studiorum Università di Bologna”, the oldest university in Europe, which has been writing science history since 1088 – an ideal place for a conference dedicated to security in the digital future. The fair is organized by the CINI Cybersecurity National Lab, with a special focus in 2025 on the topic of security and rights in cyberspace. This is also reflected in the cooperation with the SERICS conference (Security and Rights in the Cyber Space), which is supported by the SERICS foundation as part of the almost 200 billion euro Italian „National Recovery and Resilience Plan“ (NRRP).

ITASEC at the University of Bologna offers an excellent opportunity to experience Greenbone live and learn more about our solutions. And this is just the beginning: in 2025 we will be in Italy, for example, at CyberSec Italia in Rome on March 5 and 6. And from March 18 to 19, Greenbone will be at the „Digitaler Staat“ congress in Berlin, and from March 19 at secIT in Hanover. We look forward to your visit!

Contact Test Now Buy Here Back to Overview

/by
Joseph Lee

December 2024 Threat Report: Sunsetting a Record Year for IT Risk

In 2024, geopolitical instability, marked by conflicts in Ukraine and the Middle East, emphasized the need for stronger cybersecurity in both the public and private sector. China targeted U.S. defense, utilities, internet providers and transportation, while Russia launched coordinated cyberattacks on U.S. and European nations, seeking to influence public opinion and create discord among Western allies over the Ukrainian war. As 2024 ends, we can look back at a hectic cybersecurity landscape on the edge.

2024 marked another record setting year for CVE (Common Vulnerabilities and Exposures) disclosures. Even if many are so-called “AI Slop” reports [1][2], the sheer volume of published vulnerabilities creates a big haystack. As IT security teams seek to find high-risk needles in a larger haystack, the chance of oversight becomes more prevalent. 2024 was also a record year for ransomware payouts in terms of volume and size, and Denial of Service (DoS) attacks.

It also saw the NIST NVD outage, which affected many organizations around the world including security providers. Greenbone’s CVE scanner is a CPE (Common Platform Enumeration) matching function and has been affected by the NIST NVD outage. However, Greenbone’s primary scanning engine, OpenVAS Scanner, is unaffected. OpenVAS actively interacts directly with services and applications, allowing Greenbone’s engineers to build reliable vulnerability tests using the details from initial CVE reports.

In 2025, fortune will favor organizations that are prepared. Attackers are weaponizing cyber-intelligence faster; average time-to-exploit (TTE) is mere days, even hours. The rise of AI will create new challenges for cybersecurity. Alongside these advancements, traditional threats remain critical for cloud security and software supply chains. Security analysts predict that fundamental networking devices such as VPN gateways, firewalls and other edge devices will continue to be a hot target in 2025.

In this edition of our monthly Threat Report, we review the most pressing vulnerabilities and active exploitation campaigns that emerged in December 2024.

Mitel MiCollab: Zero-Day to Actively Exploited in a Flash

Once vulnerabilities are published, attackers are jumping on them with increased speed. Some vulnerabilities have public proof of concept (PoC) exploit code within hours, leaving defenders with minimal reaction time. In early December, researchers at GreyNoise observed exploitation of Mitel MiCollab the same day that PoC code was published. Mitel MiCollab combines voice, video, messaging, presence and conferencing into one platform. The new vulnerabilities have drawn alerts from the Belgian national Center for Cybersecurity, the Australian Signals Directorate (ASD) and the UK’s National Health Service (NHS) in addition to the American CISA (Cybersecurity and Infrastructure Security Agency). Patching the recent vulnerabilities in MiCollab is considered urgent.

Here are details about the new actively exploited CVEs in Mitel MiCollab:

  • CVE-2024-41713 (CVSS 7.8 High): A path traversal vulnerability in the NuPoint Unified Messaging (NPM) component of Mitel MiCollab allows unauthenticated path traversal by leveraging the “…/” technique in HTTP requests. Exploitation can expose highly sensitive files.
  • CVE-2024-35286 (CVSS 10 Critical): A SQL injection vulnerability has been identified in the NPM component of Mitel MiCollab which could allow a malicious actor to conduct a SQL injection attack.

Since mid-2022, CISA has tracked three additional actively exploited CVEs in Mitel products which are known to be leveraged in ransomware attacks. Greenbone is able to detect endpoints vulnerable to these high severity CVEs with active checks [4][5].

Array Networks SSL VPNs Exploited by Ransomware

CVE-2023-28461 (CVSS 9.8 Critical) is a Remote Code Execution (RCE) vulnerability in Array Networks Array AG Series and vxAG SSL VPN appliances. The devices, touted by the vendor as a preventative measure against ransomware, are now being actively exploited in recent ransomware attacks. Array Networks themselves were breached by the Dark Angels ransomware gang earlier this year [1][2].

According to recent reports, Array Networks holds a significant market share in the Application Delivery Controller (ADC) market. According to the ​​IDC’s WW Quarterly Ethernet Switch Tracker, they are the market leader in India, with a market share of 34.2%. Array Networks has released patches for affected products running ArrayOS AG 9.4.0.481 and earlier versions. The Greenbone Enterprise Feed has included a detection test for CVE-2023-28461 since it was disclosed in late March 2023.

CVE-2024-11667 in Zyxel Firewalls

CVE-2024-11667 (CVSS 9.8 Critical) in Zyxel firewall appliances are being actively exploited in ongoing ransomware attacks. A directory traversal vulnerability in the web management interface could allow an attacker to download or upload files via a maliciously crafted URL. Zyxel Communications is a Taiwanese company specializing in designing and manufacturing networking devices for businesses, service providers and consumers. Reports put Zyxel’s market share at roughly 4.2% of the ICT industry with a diverse global footprint including large Fortune 500 companies.

A defense in depth approach to cybersecurity is especially important in cases such as this. When attackers compromise a networking device such as a firewall, typically they are not immediately granted access to highly sensitive data. However, initial access allows attackers to monitor network traffic and enumerate the victim’s network in search of high value targets.

Zyxel advises updating your device to the latest firmware, temporarily disabling remote access if updates cannot be applied immediately and applying their best practices for securing distributed networks. CVE-2024-11667 affects Zyxel ATP series firmware versions V5.00 through V5.38, USG FLEX series firmware versions V5.00 through V5.38, USG FLEX 50(W) series firmware versions V5.10 through V5.38 and USG20(W)-VPN series firmware versions V5.10 through V5.38. Greenbone can detect the vulnerability CVE-2024-11667 across all affected products.

Critical Flaws in Apache Struts 2

CVE-2024-53677 (CVSS 9.8 Critical), an unrestricted file upload [CWE-434] flaw affecting Apache Struts 2 allows attackers to upload executable files into web-root directories. If a web-shell is uploaded, the flaw may lead to unauthorized Remote Code Execution. Apache Struts is an open-source Java-based web-application framework widely used by the public and private sectors including government agencies, financial institutions and other large organizations [1]. Proof of concept (PoC) exploit code is publicly available, and CVE-2024-53677 is being actively exploited increasing its risk.

The vulnerability was originally tracked as CVE-2023-50164, published in December 2023 [2][3]. However, similarly to a recent flaw in VMware vCenter, the original patch was ineffective resulting in the re-emergence of vulnerability. CVE-2024-53677 affects the FileUploadInterceptor component and thus, applications not using this module are unaffected. Users should update their Struts2 instance to version 6.4.0 or higher and migrate to the new file upload mechanism. Other new critical CVEs in popular open-source software (OSS) from Apache:

The Apache Software Foundation (ASF) follows a structured process across its projects that encourages private reporting and releasing patches prior to public disclosure so patches are available for all CVEs mentioned above. Greenbone is able to detect systems vulnerable to CVE-2024-53677 and other recently disclosed vulnerabilities in ASF Foundation products.

Palo Alto’s Secure DNS Actively Exploited for DoS

CVE-2024-3393 (CVSS 8.7 High) is a DoS (Denial of Service) vulnerability in the DNS Security feature of PAN-OS. The flaw allows an unauthenticated attacker to reboot PA-Series firewalls, VM-Series firewalls, CN-Series firewalls and Prisma Access devices via malicious packets sent through the data plane. By repeatedly triggering this condition, attackers can cause the firewall to enter maintenance mode. CISA has identified CVE-2024-3393 vulnerability as actively exploited and it’s among five other actively exploited vulnerabilities in Palo Alto’s products over only the past two months.

According to the advisory posted by Palo Alto, only devices with a DNS Security License or Advanced DNS Security License and logging enabled are affected. It would be an easy assumption to say that these conditions mean that top-tier enterprise customers are affected. Greenbone is able to detect the presence of devices affected by CVE-2024-3393 with a version detection test.

Microsoft Security in 2024: Who Left the Windows Open?

While it would be unfair to single out Microsoft for providing vulnerable software in 2024, the Redmond BigTech certainly didn’t beat security expectations. A total of 1,119 CVEs were disclosed in Microsoft products in 2024; 53 achieved critical severity (CVSS > 9.0), 43 were added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, and at least four were known vectors for ransomware attacks. Although the comparison is rough, the Linux kernel saw more (3,148) new CVEs but only three were rated critical severity and only three were added to CISA KEV. Here are the details of the new actively exploited CVEs in Microsoft Windows:

  • CVE-2024-35250 (CVSS 7.8 High): A privilege escalation flaw allowing an attacker with local access to a system to gain system-level privileges. The vulnerability was discovered in April 2024, and PoC exploit code appeared online in October.
  • CVE-2024-49138 (CVSS 7.8 High): A heap-based buffer overflow [CWE-122] privilege escalation vulnerability; this time in the Microsoft Windows Common Log File System (CLFS) driver. Although no publicly available exploit exists, security researchers have evidence that this vulnerability can be exploited by crafting a malicious CLFS log to execute privileged commands at the system privilege level.

Detection and mitigation of these new Windows CVEs is critical since they are actively under attack. Both were patched in Microsoft’s December patch release. Greenbone is able to detect CVE-2024-35250 and CVE-2024-49138 as well as all other Microsoft vulnerabilities published as CVEs.

Summary

2024 highlighted the continuously challenging cybersecurity landscape with record-setting vulnerability disclosures, ransomware payouts, DoS attacks and an alarming rise in active exploitations. The rapid weaponization of vulnerabilities emphasizes the need for a continuous vulnerability management strategy and a defense-in-depth approach.

December saw new critical flaws in Mitel, Apache and Microsoft products. More network products: Array Networks VPNs and Zyxel firewalls are now being exploited by ransomware threat actors underscoring the urgency for proactive patching and robust detection measures. As we enter 2025, fortune will favor those prepared; organizations must stay vigilant to mitigate risks in an increasingly hostile cyber landscape.

Contact Test Now Buy Here Back to Overview

/by
Joseph Lee

Patch Now! Cleo Products Actively Exploited in Ransomware Attacks

An actively exploited RCE (Remote Code Execution) with system privileges vulnerability that does not require user-interaction is as bad as it gets from a technical standpoint. When that CVE impacts software widely used by Fortune 500 companies, it is a ticking time bomb. And when advanced persistent threat actors jump on a software vulnerability such as this, remediation needs to become an emergency response effort. Most recently, CVE-2024-50623 (also now tracked as CVE-2024-55956) affecting more than 4,200 users of Cleo’s MFT (Managed File Transfer) software met all these prerequisites for disaster. It has been implicated in active ransomware campaigns affecting several Fortune 500 companies taking center stage in cybersecurity news.

In this cybersecurity alert, we provide a timeline of events related to CVE-2024-50623 and CVE-2024-55956 and associated ransomware campaigns. Even if you are not using an affected product, this will give you valuable insight into the vulnerability lifecycle and the risks of third-party software supply chains. 

CVE-2024-50623 and CVE-2024-55956: a Timeline of Events

The vulnerability lifecycle is complex. You can review our previous article about next-gen vulnerability management for an in depth explanation on how this process happens. In this report, we will provide a timeline for the disclosure and resolution of CVE-2024-50623 and subsequently CVE-2024-55956 as a failed patch attempt from the software vendor Cleo was uncovered and exploited by ransomware operators. Our Greenbone Enterprise Feed includes detection modules for both CVEs [1][2], allowing organizations to identify vulnerable systems and apply emergency remediation. Here is a timeline of events so far:

  • October 28, 2024: CVE-2024-50623 (CVSS 10 Critical) affecting several Cleo MFT products was published by the vendor and a patched version 5.8.0.21 was
  • November 2024: CVE-2024-50623 was exploited for data exfiltration impacting at least 10 organizations globally including Blue Yonder, a supply chain management service used by Fortune 500 companies.
  • December 3, 2024: Security researchers at Huntress identified active exploitation of CVE-2024-50623 capable of bypassing the original patch (version 5.8.0.21).
  • December 8, 2024: Huntress observed a significant uptick in the rate of exploitation. This could be explained by the exploit code being sold in a Malware as a Service cyber crime business model or simply that the attackers had finished reconnaissance and launched a widespread campaign for maximum impact.
  • December 9, 2024: Active exploitation and proof-of-concept (PoC) exploit code was reported to the software vendor Cleo.
  • December 10, 2024: Cleo released a statement acknowledging the exploitability of their products despite security patches and issued additional mitigation guidance.
  • December 11, 2024: Wachtowr Labs released a detailed technical report describing how CVE-2024-50623 allows RCE via Arbitrary File Write [CWE-434]. Cleo updated their mitigation guidance and released a subsequent patch (version 5.8.0.24).
  • December 13, 2024: A new name, CVE-2024-55956 (CVSS 10 Critical), was issued for tracking this ongoing vulnerability, and CISA added the flaw to its Known Exploited Vulnerabilities (KEV) catalog, flagged for use in ransomware attacks.

Cleo Products Leveraged in Ransomware Attacks

The risk to global business posed by CVE-2024-50623 and CVE-2024-55956 is high. These two CVEs potentially impact more than 4,200 customers of Cleo LexiCom, a desktop-based client for communication with major trading networks, Cleo VLTrader, a server-level solution tailored for mid-enterprise organizations, and Cleo Harmony for large enterprises.

The CVEs have been used as initial access vectors in a recent ransomware campaign. The Termite ransomware operation [1][2] has been implicated in the exploitation of Blue Yonder, a Panasonic subsidiary in November 2024. Blue Yonder is a supply chain management platform used by large tech companies including Microsoft, Lenovo, and Western Digital, and roughly 3,000 other global enterprises across many industries; Bayer, DHL, and 7-Eleven to name a few. Downtime of Blue Yonder’s hosted service caused payroll disruptions for StarBucks. The Clop ransomware group has also claimed responsibility for recent successful ransomware attacks.

In the second stage of some breaches, attackers conducted Active Directory domain enumeration [DS0026], installed web-shells [T1505.003] for persistence [TA0003], and attempted to exfiltrate data [TA0010] from the victim’s network after gaining initial access via RCE. An in-depth technical description of the Termite ransomware’s architecture is also available.

Mitigating CVE-2024-50623 and CVE-2024-55956

Instances of Cleo products version 5.8.0.21 are still vulnerable to cyber attacks. The most recent patch, version 5.8.0.24 is required to mitigate exploitation. All users are urged to apply updates with urgency. Additional mitigation and best practices include disabling the autorun functionality in Cleo products, removing access from the Internet or using firewall rules to restrict access to only authorized IP addresses, and blocking the IP addresses of endpoints implicated in the attacks.

Summary

Cleo Harmony, VLTrader, and LexiCom prior to version 5.8.0.24 are under active exploitation due to critical RCE vulnerabilities (CVE-2024-50623 and CVE-2024-55956). These flaws have been the entry point for successful ransomware attacks against at least 10 organizations and impacting Fortune 500 companies. Greenbone provides detection for affected products and affected users are urged to apply patches and implement mitigation strategies, as attackers will certainly continue to leverage these exploits.

Contact Test Now Buy Here Back to Overview

/by
Greenbone AG

Greenbone Audits CIS Google Chrome Benchmarks

Web browsers are a primary gateway to business and consequently they are also a primary gateway for cyber attacks. Malware targeting browsers could gain direct unauthorized access to a target’s network and data or social engineer victims into providing sensitive information that gives the attacker unauthorized access, such as account credentials. In 2024, major browsers (Chrome, Firefox, and Safari) accounted for 59 Critical severity (CVSS3 ³ 9) and 256 High severity (CVSS3 between 7.0 and 8.9) vulnerabilities. 10 CVEs (Common Vulnerabilities and Exposures) in the trifecta were added to the KEV (Known Exploited Vulnerabilities) catalog of CISA (Cybersecurity & Infrastructure Security Agency). Browser security should therefore be top-of-mind for security teams.

In light of this, we are proud to announce the addition of CIS Google Chrome Benchmark v3.0.0 Level 1 auditing to our list of compliance capabilities. This latest feature allows our Enterprise feed subscribers to verify their Google Chrome configurations against the industry-leading CIS compliance framework of the CIS (Center for Internet Security). The new Google Chrome benchmark tests will sit among our other CIS controls in critical cybersecurity areas such as Apache, IIS, NGINX, MongoDB, Oracle, PostgreSQL, Windows and Linux [1] [2].

CIS Google Chrome Benchmark for Windows

The CIS Google Chrome Benchmark v3.0.0 Level 1 is now available in the Greenbone Enterprise Feed. It establishes a hardened configuration for the Chrome browser. For Windows, implementing the controls involves setting Windows registry keys to define Chrome’s security configuration. Continuous attestation is important because if modified at the user level Chrome becomes more vulnerable to data-leakage, social engineering attacks or other attack vectors.

Our Enterprise vulnerability feed uses compliance policies to run tests on target endpoints, verifying each requirement in the CIS benchmark through one or more dedicated vulnerability tests. These tests are grouped into scan configurations which can be used to create scan tasks that access groups of target systems to verify their security posture. When aligning with internal risk requirements or mandatory government policies, Greenbone has you covered.

The Importance of Browser Security

Much of the critical information flowing through the average organization is transmitted through the browser. The rise of a remote workforce and cloud-based web-applications means that web browsers are a primary interface for business activities. Not surprisingly, in the past few years, Internet browsers have been a hotbed for exploitation. National cybersecurity agencies such Germany’s BSI [3] [4], CISA [5] [6], and the Canadian Centre for Cyber Security [7] have all released advisories for addressing the risks posed by Internet browsers.

Browsers can be exploited via technical vulnerabilities and misconfigurations that could lead to remote code execution, theft of sensitive data and account takeover, but are also a conduit for social engineering attacks. Browser security must be addressed by implementing a hardened security profile and continuously attesting it and by regularly applying updates to combat any recently discovered vulnerabilities. Greenbone is able to detect known vulnerabilities for published CVEs in all major browsers and now with our latest CIS Google Chrome Benchmark certification, we can attest industry standard browser compliance.

How Does the CIS Google Chrome Benchmark Improve Browser Security?

Every CIS Benchmark is developed through a consensus review process that involves a global community of subject matter experts from diverse fields such as consulting, software development, auditing, compliance, security research, operations, government, and legal. This collaborative process is meant to ensure that the benchmarks are practical and data-driven and reflect real-world expertise. As such, CIS Benchmarks serve as a vital part of a robust cybersecurity program.

In general, CIS Benchmarks focus on secure technical configuration settings and should be used alongside essential cyber hygiene practices, such as monitoring and promptly patching vulnerabilities in operating systems, applications and libraries.

The CIS Google Chrome Benchmark defines security controls such as:

  • No domains can bypass scanning for dangerous resources such as phishing content and malware.
  • Strict verification of SSL/TLS certificates issued by websites.
  • Reducing Chrome’s overall attack surface by ensuring the latest updates are automatically applied periodically.
  • Chrome is configured to detect DNS interception which could potentially allow DNS hijacking.
  • Chrome and extensions cannot interact with other third party software.
  • Websites and browser extensions cannot abuse connections with media, the local file system or external devices such as Bluetooth, USB or media casting devices.
  • Only extensions from the Google Chrome Web Store can be installed.
  • All processes forked from the main Chrome process are stopped once the Chrome application has been closed.
  • SafeSites content filtering blocks links to adult content from search results.
  • Prevent importing insecure data such as auto-fill form data, default homepage or other configuration settings.
  • Ensuring that critical warnings cannot be suppressed.

Greenbone Is a CIS Consortium Member

As a member of the CIS consortium, Greenbone continues to enhance its CIS Benchmark scan configurations. All our CIS Benchmarks policies are aligned with CIS hardening guidelines and certified by CIS, ensuring maximum security for system audits. Also, Greenbone has added a new compliance view to the Greenbone Security Assistant (GSA) web-interface, streamlining the process for organizations seeking to remove security gaps from their infrastructure to prevent security breaches.

Summary

CIS Controls are critical for safeguarding systems and data by providing clear, actionable guidance on secure configurations. The CIS Google Chrome Benchmark is especially vital at the enterprise level, where browsers impact many forms of sensitive data. It’s exciting to announce that Greenbone is expanding the industry leading vulnerability detection capabilities with a new compliance scan: the CIS Google Chrome Benchmark v3.0.0 Level 1. With this certification, Greenbone continues to strengthen its position as a trusted ally in proactive cybersecurity. This latest feature reflects our dedication to advancing IT security and protecting against evolving cyber threats.

Contact Test Now Buy Here Back to Overview

/by
Greenbone AG

Greenbone 2024 Review: A Very Good Year with Growth Everywhere

Also in its 16th year, the Osnabrück-based expert and market leader in Open Source Vulnerability Management has kept growing, both in employees, customers, partners and last not least on this blog.

After doubling our workforce over the last two years, we at Greenbone are looking proudly at 143 employees, most of them work remotely. This growth brought about many new contributions, and of course many company events, unique development talks and a people lead concept with cross feedback as a major step forward in developing leadership culture. Inspired by happiness surveys, Greenbone will keep on growing and is a great employer. Have you applied yet?

Greenbone Threat Report

So, it’s no wonder that also this blog benefited from the growth and introduced a successful new format: Every month, we are now presenting with the Threat Report a monthly deep dive into the news and atrocities of vulnerability management, mitigation and new threats on the radar of our customers (and anybody interested in security). We started this series in March 2024 and have published 10 thorough blog reports so far. Find all of them here, and the last update here.

Endangered: Ivanti, Fortinet, Exchange, Confluence…

Apart from that, we could report on several crucial vulnerabilities. From Juniper and Ivanti to Fortinet, from problems in Microsoft Exchange and Sharepoint to Atlassians knowledge management Confluence: our experts provided helpful insights for nearly all customers.

Of course our blog reported on CrowdStrike and how it only took 62 minutes for a security provider to become a massive threat. We wrote about the never-ending dangers from Chinese hackers, DOS attacks, automated mass attacks, severe SSH key problems and featured in-depth analysis and papers, for example on the costs of cyber attacks.

Growing challenges: cyber threats and new legislation

In five blog posts we explained threat levels and specific vulnerability risks in branches affected hard by common vulnerabilities: For example, SMEs are investing more in security, Helsinki schools have been attacked and of course public administration networks are under special threat, as is practically anything in health care – says the BSI (Bundesamt für Sicherheit in der Informationstechnik), the German Federal Office for Information Security. Especially the latter two branches, not only among our customers, will also have benefited from the many posts we published on regulations – like CSAF (Common Security Advisory Framework) and the many updates on the slowly ongoing and interrupted (in Germany) progress of NIS2 (Network and Information Security).

All-year Topic NIS2

The NIS Directive in its second edition was a topic that has been and will be on the watchlist of Greenbone and our customers. Since the European Union decided on the second „Directive on Security of Network and Information Systems“ NIS, many member states have applied regulations that clarify how companies have to implement it. Only in Germany that took a little longer and – due to the fall of the government late in the year – has not been finished. Nevertheless, all the information and plans are available, there’s even a test from the BSI that allows you to check whether your networks are affected and need immediate action.

Greenbone Goes Green: ISO 14001

We wrote about sustainability and the great success Greenbone made with achieving the ISO 14001 certificate. Our CMO Elmar Geese shared his thoughts on the future of clouds and the breaking of their hype cycle. He also took part in a panel on artificial intelligence, and our products now integrate additional BSI basic and CIS guidelines to protect your office software.

New Products: Major Release 24.10, Greenbone Basic, Feed-Updates

But 2024 brought also many updates and news on our products: Greenbone’s vulnerability management got several improvements and updates, with a new video to explain vulnerability management in 12 minutes. In July, our new scan engine Notus received Support for Amazon’s Red-Hat-Linux variant dominating Amazon Web Services. Later in 2024 Greenbone both announced a new major version of its Enterprise Appliance (24.10) and a completely new product targeted at small and medium size businesses called “Greenbone Basic”. Ready to try?

But maybe you want to read about how Greenbone leads the competition of vulnerability scanners in our benchmark or find out what your Key Performance Indicators for vulnerability management products are.

Congresses and Events: Our Highlights of the Year 

If you want to meet us, you’ll find a growing amount of opportunities … worldwide, also showed in our blog: we also reported almost live from the other side of the globe, where Greenbone had a presence at the Singapore International Cyber Week. This conference was not only one of the major IT security events in Asia, but also one in a long list of business fairs that Greenbone attended: Public IT Security (PITS) in Berlin, the it-sa in Nuremberg or the Potsdam Conference for National Security are just a few to name.

Thank You and Happy Holidays!

So, obviously, also our 16th year was a good one, “a very good year” and thus we would like to take this opportunity to thank all customers, partners and the community again: Without your help none of this would be possible.

Thank you, happy holidays and a happy new year!

Contact Test Now Buy Here Back to Overview

/by
Markus Feilner

BSI: More Vulnerability Reports from Healthcare

There are health data attractive to attackers in hospitals, doctors’ offices, laboratories and consumers’ devices. The latest security report from the German BSI shows that stealing these data is increasingly becoming a main target of attackers and attacks.

For several years now, the “Network and Information Security Directive“ (NIS) and the KRITIS legislation has required German institutions in eleven sectors to apply stronger and more precise security measures, including reporting obligations, risk analyses and resilience plans. And this is already having its impact on the healthcare sector: according to a recent BSI study, the healthcare sector ranks second in terms of the number of reported data leaks in 2024 – showing clear evidence that now is the time to act.

Almost Every Fifth Incident Report from the Healthcare Sector

Of the 726 reports received by the BSI last year, a quarter came from the transport and traffic sector, while almost 20 % originated in the healthcare sector. Close behind: Energy (18.8 %), Finance and Insurance with 16.5 %, ranking fourth. The threat level is high, especially for hospitals and facilities – even if the reported figures should be treated with caution. Whether banks, for example, are just as motivated to report intrusions and failures as much as hospitals are, seems debatable.

On the other hand, the fact that healthcare data is only ranked eighth in the list of leaked data in the BSI report should not detract from the threat itself. For one thing, the leaked data are sorted according to frequency, and almost every more frequently leaked information also occurs in other contexts (possibly with the exception of social security numbers). However, payment data, names and addresses are information that is likely to be much more attractive to attackers than “naked” health data.

Provisions of the KRITIS Umbrella Law

Meanwhile, the cabinet of the German government launched the KRITIS umbrella law just before the end of the existing coalition. At the beginning of November, the details of the law were agreed, which is intended to act as a kind of protective umbrella over various sectors as an analogous complement to NIS2. It is not yet clear when the Bundestag will pass the law, but chances are high that it will.

According to these plans, the healthcare sector must also introduce operational resilience management, which includes setting up operational risk and crisis management, carrying out risk analyses and assessments, drawing up resilience plans and implementing suitable measures (technical, personnel and organizational) – all measured and organized with the help of Business Continuity Management Systems (BCMS) and Information Security Management Systems (ISMS).

BCMS and ISMS implementations are measured on the basis of maturity levels ( from 1 to 5; the higher, the better). In the BSI report mentioned above, their implementation in the healthcare sector is still mixed, as everywhere. Healthcare institutions are in the middle of the pack, most have implemented ISMS and BCMS, but only a few regularly check them for effectiveness or even improve them.

In the case of the mandatory systems for attack detection, most players have already started implementation and implemented the mandatory (Must) requirements, but only a small proportion have also established target (Should) requirements. Only a few have implemented a continuous improvement process.

Specific Threats in the Healthcare Sector

The same rules and experiences apply to hospitals, doctors’ surgeries and other institutions: For them, the IT security magazine CSO online reports 81 % more ransomware attacks in recent years, with over 91 percent of “malware-related security breaches” in 2024 involving ransomware. According to CSO, only “multi-factor authentication and detection and response technologies”, such as those offered by Greenbone with its vulnerability management, can protect against this. Clouds are not immune to this either: 53 % of administrators in the healthcare sector told CSO that they had “experienced a cloud-related data breach in the last year”. Furthermore, attackers are increasingly targeting websites, botnets, phishing campaigns, and the growing number of vulnerable IoT devices, both in the consumer sector and at the network edge.

Contact Test Now Buy Here Back to Overview

/by