Tag Archive for: it security

Joseph Lee

Understanding CSAF 2.0 Stakeholders and Roles

The Common Security Advisory Framework (CSAF) is a framework for providing machine-readable security advisories following a standardized process to enable automated cybersecurity information sharing. Greenbone is continously working on the integration of technologies that leverage the CSAF 2.0 standard for automated cybersecurity advisories. For an introduction to CSAF 2.0 and how it supports next-generation vulnerability management, you can refer to our previous blog post.

In 2024, the NIST National Vulnerabilities Database (NVD) outage has disrupted the flow of critical cybersecurity intelligence to downstream consumers. This makes the decentralized CSAF 2.0 model increasingly relevant. The outage highlights the need for a decentralized cybersecurity intelligence framework for increased resilience against a single point of failure. Those who adopt CSAF 2.0, will be one step closer to a more reliable cybersecurity intelligence ecosystem.

Table of Contents

1. What We Will Cover in this Article
2. Who Are the CSAF Stakeholders?
2.1. Understanding Roles in the CSAF 2.0 Process
2.1.1. CSAF 2.0 Issuing Parties
2.1.1.1. Understanding the CSAF Publisher Role
2.1.1.2. Understanding the CSAF Provider Role
2.1.1.3. Understanding the CSAF Trusted-Provider Role
2.1.2. CSAF 2.0 Data Aggregators
2.1.2.1. Understanding the CSAF Lister Role
2.1.2.2. Understanding the CSAF Aggregator Role
3. Summary

1. What We Will Cover in this Article

This article will provide a detailed explanation of the various stakeholders and roles defined in the CSAF 2.0 specification. These roles govern the mechanisms of creating, disseminating and consuming security advisories within the CSAF 2.0 ecosystem. By understanding who the stakeholders of CSAF are and the standardized roles defined by the CSAF 2.0 framework, security practitioners can better realize how CSAF works, whether it can serve to benefit their organization and how to implement CSAF 2.0.

2. Who Are the CSAF Stakeholders?

At the highest level, the CSAF process has two primary stakeholder groups: upstream producers who create and supply cybersecurity advisories in the CSAF 2.0 document format and downstream consumers (end-users) who consume the advisories and apply the security information they contain.

Upstream producers are typically software product vendors (such as Cisco, Red Hat and Oracle) who are responsible for maintaining the security of their digital products and providing publicly available information about vulnerabilities. Upstream stakeholders also include independent security researchers and public entities that act as a source for cybersecurity intelligence such as the US Cybersecurity Intelligence and Security Agency (CISA) and the German Federal Office for Information Security (BSI).

Downstream consumers consist of private corporations who manage their own cybersecurity and Managed Security Service Providers (MSSPs), third-party entities that provide outsourced cybersecurity monitoring and management. The information contained in CSAF 2.0 documents is used downstream by IT security teams to identify vulnerabilities in their infrastructure and plan remediation and by C-level executives for assessing how IT risk could negatively impact operations.

Diagram of the CSAF 2.0 stakeholders: On the left, the upstream producers such as software vendors, authorities, and researchers; on the right, the downstream consumers such as CERTs, SOC teams, and security platforms – connected through the CSAF 2.0 advisory format.

The CSAF 2.0 standard defines specific roles for upstream producers that outline their participation in creating and disseminating advisory documents. Let’s examine those officially defined roles in more detail.

2.1. Understanding Roles in the CSAF 2.0 Process

CSAF 2.0 Roles are defined in Section 7.2. They are divided into two distinct groups: Issuing Parties (“Issuers”) and Data Aggregators (“Aggregators”). Issuers are directly involved in the creation of advisory documents. Aggregators collect those documents and distribute them to end-users, supporting automation for consumers. A single organization may fulfill the roles of both an Issuer and an Aggregator, however, these functions should operate as separate entities.  Obviously, organizations who act as upstream producers must also maintain their own cybersecurity. Therefore, they may also be a downstream consumer – ingesting CSAF 2.0 documents to support their own vulnerability management activities.

Diagram of the CSAF 2.0 upstream roles, showing the groups Issuing Parties (Producer, Provider, Trusted Provider) and Data Aggregators (Lister, Aggregator), who forward cybersecurity advisories to downstream consumers.

Next, let’s break down the specific responsibilities for CSAF 2.0 Issuing Parties and Data Aggregators.

2.1.1. CSAF 2.0 Issuing Parties

Issuing Parties are the origin of CSAF 2.0 cybersecurity advisories. However, Issuing Parties are not responsible for transmitting the documents to end-users. Issuing Parties are responsible for indicating if they do not want their advisories to be listed or mirrored by Data Aggregators. Also, CSAF 2.0 Issuing Parties can also act as Data Aggregators.

Here are explanations of each sub-role within the Issuing Parties group:

2.1.1.1. Understanding the CSAF Publisher Role

Publishers are typically organizations that discover and communicate advisories only on behalf of its own digital products. Publishers must satisfy requirements 1 to 4 in Section 7.1 of the CSAF 2.0 specification. This means issuing structured files with valid syntax and content that adhere to the CSAF 2.0 filename conventions described in Section 5.1 and ensuring that files are only available via encrypted TLS connections. Publishers must also make all advisories classified as TLP:WHITE publicly accessible.

Publishers must also have a publicly available provider-metadata.json document containing basic information about the organization, its CSAF 2.0 role status, and links to an OpenPGP public key used to digitally sign the provider-metadata.json document to verify its integrity. This information about the Publisher is used downstream by software apps that display the publisher’s advisories to end-users.

2.1.1.2. Understanding the CSAF Provider Role

Providers make CSAF 2.0 documents available to the broader community. In addition to meeting all the same requirements as a Publisher, a Provider must provide its provider-metadata.json file according to a standardized method (at least one of the requirements 8 to 10 from Section 7.1), employ standardized distribution for its advisories, and implement technical controls to restrict access to any advisory documents with a TLP:AMBER or TLP:RED status.

Providers must also choose to distribute documents in either a directory-based or the ROLIE-based method. Simply put, directory-based distribution makes advisory documents available in a normal directory path structure, while ROLIE (Resource-Oriented Lightweight Information Exchange) [RFC-8322] is a RESTful API protocol designed specifically for security automation, information publication, discovery and sharing.

If a Provider uses the ROLIE-based distribution, it must also satisfy requirements 15 to 17 from Section 7.1. Alternatively, if a Provider uses the directory-based distribution it must satisfy requirements 11 to 14 from Section 7.1.

2.1.1.3. Understanding the CSAF Trusted-Provider Role

Trusted-Providers are a special class of CSAF Providers who have established a high level of trust and reliability. They must adhere to stringent security and quality standards to ensure the integrity of the CSAF documents they issue.

In addition to meeting all the requirements of a CSAF Provider, Trusted-Providers must also satisfy the requirements 18 to 20 from Section 7.1 of the CSAF 2.0 specification. These requirements include providing a secure cryptographic hash and OpenPGP signature file for each CSAF document issued and ensuring the public part of the OpenPGP signing key is made publicly available.

2.1.2. CSAF 2.0 Data Aggregators

Data Aggregators focus on the collection and redistribution of CSAF documents. They act as a directory for CSAF 2.0 Issuers and their advisory documents and intermediary between Issuers and end-users. A single entity may act as both a CSAF Lister and Aggregator. Data Aggregators may choose which upstream Publishers’ advisories to list or collect and redistribute based on their customer’s needs.

Here are explanations of each sub-role in the Data Aggregator group:

2.1.2.1. Understanding the CSAF Lister Role

Listers gather CSAF documents from multiple CSAF Publishers and list them in a centralized location to facilitate retrieval. The purpose of a Lister is to act as a sort of directory for CSAF 2.0 advisories by consolidating URLs where CSAF documents can be accessed. No Lister is assumed to provide a complete set of all CSAF documents.

Listers must publish a valid aggregator.json file that lists at least two separate CSAF Provider entities and while a Lister may also act as an Issuing Party, it may not list mirrors pointing to a domain under its own control.

2.1.2.2. Understanding the CSAF Aggregator Role

The CSAF Aggregator role represents the final waypoint between published CSAF 2.0 advisory documents and the end-user. Aggregators provide a location where CSAF documents can be retrieved by an automated tool. Although Aggregators act as a consolidated source of cybersecurity advisories, comparable to NIST NVD or The MITRE Corporation’s CVE.org, CSAF 2.0 is a decentralized model as opposed to a centralized model. Aggregators are not required to offer a comprehensive list of CSAF documents from all Publishers. Also, Publishers may provide free access to their CSAF advisory feed, or operate as a paid service.

Similarly to Listers, Aggregators must make an aggregator.json file available publicly and CSAF documents from each mirrored Issuer must be placed in a separate dedicated folder along with the Issuer’s provider-metadata.json. Essentially, Aggregators must satisfy the requirements 1 to 6 and 21 to 23 from Section 7.1 of the CSAF 2.0 specification.

CSAF Aggregators are also responsible for ensuring that each mirrored CSAF document has a valid signature (requirement 19) and a secure cryptographic hash (requirement 18). If the Issuing Party does not provide these files, the Aggregator must generate them.

3. Summary

Understanding CSAF 2.0 stakeholders and roles is essential for ensuring proper implementation of CSAF 2.0 and to benefit from automated collection and consumption of critical cybersecurity information. The CSAF 2.0 specification defines two main stakeholder groups: upstream producers, responsible for creating cybersecurity advisories, and downstream consumers, who apply this information to enhance security. Roles within CSAF 2.0 include Issuing Parties, such as Publishers, Providers, and Trusted-Providers to who generate and distribute advisories, and Data Aggregators, like Listers and Aggregators, who collect and disseminate these advisories to end-users.

Members of each role must adhere to specific security controls that support the secure transmission of CSAF 2.0 documents, and the Traffic Light Protocol (TLP) governs how documents are authorized to be shared and the required access controls.

Contact Test Now Buy Here Back to Overview

/by
Joseph Lee

October 2024 Threat Report: Ransomware Rising Defenders Must Respond

October was European Cyber Security Month (ECSM) and International Cybersecurity Awareness month with the latter’s theme being “Secure Our World”. It’s safe to say that instilling best practices for online safety to individuals, businesses and critical infrastructure is mission critical in 2024. At Greenbone, in addition to our Enterprise vulnerability management products, we are happy to make enterprise grade IT security tools more accessible via our free Community Edition, Community Portal and vibrant Community Forum to discuss development, features and get support.

Our core message to cybersecurity decision makers is clear: To patch or not to patch isn’t a question. How to identify vulnerabilities and misconfigurations before an attacker can exploit them is. Being proactive is imperative; once identified, vulnerabilities must be prioritized and fixed. While alerts to active exploitation can support prioritization, waiting to act is unacceptable in high risk scenarios. Key performance indicators can help security teams and executive decision makers track progress quantitatively and highlight areas that need improvement.

In this month’s Threat Tracking blog post, we will review this year’s ransomware landscape including the root causes of ransomware attacks and replay some of the top cyber threats that emerged in October 2024.

International Efforts to Combat Ransomware Continue

The International Counter Ransomware Initiative (CRI), consisting of 68 countries and organizations (notably lacking Russia and China), convened in Washington, D.C., to improve ransomware resilience globally. The CRI aims to reduce global ransomware payments, improve incident reporting frameworks, strengthen partnerships with the cyber insurance industry to lessen the impact of ransomware incidents, and enhance resilience by establishing standards and best practices for both preventing and recovering from ransomware attacks.

Microsoft’s Digital Defense Report 2024 found the rate of attacks has increased so far in 2024, yet fewer breaches are reaching the encryption phase. The result is fewer victims paying ransom overall. Findings from Coveware, Kaseya, and the Chainanalysis blockchain monitoring firm also affirm lower rates of payout. Still, ransomware gangs are seeing record profits; more than 459 million US-Dollar were extorted during the first half of 2024. This year also saw a new single incident high; a 75 million US-Dollar extortion payout amid a trend towards “big game hunting” – targeting large firms rather than small and medium sized enterprises (SMEs).

What Is the Root Cause of Ransomware?

How are successful ransomware attacks succeeding in the first place? Root cause analyses can help: A 2024 Statista survey of organizations worldwide reports exploited software vulnerabilities are the leading root cause of successful ransomware attacks, implicated in 32% of successful attacks. The same survey ranked credential compromise the second-most common cause and malicious email (malspam and phishing attacks) third. Security experts from Symantec claim that exploitation of known vulnerabilities in public facing applications has become the primary initial access vector in ransomware attacks. Likewise, KnowBe4, a security awareness provider, ranked social engineering and unpatched software as the top root causes of ransomware.

These findings bring us back to our core message and highlight the importance of Greenbone’s industry leading core competency: helping defenders identify vulnerabilities lurking in their IT infrastructure so they can fix and close exploitable security gaps.

FortiJump: an Actively Exploited CVE in FortiManager

In late October 2024, Fortinet alerted its customers to a critical severity RCE vulnerability in FortiManager, the company’s flagship network security management solution. Dubbed “FortiJump” and tracked as CVE-2024-47575 (CVSS 9.8), the vulnerability is classified as “Missing Authentication for Critical Function” [CWE-306] in FortiManager’s fgfm daemon. Google’s Mandiant has retroactively searched logs and confirmed this vulnerability has been actively exploited since June 2024 and describes the situation as a mass exploitation scenario.

Another actively exploited vulnerability in Fortinet products, CVE-2024-23113 (CVSS 9.8) was also added to CISA’s KEV catalog during October. This time the culprit is an externally-controlled format string in FortiOS that could allow an attacker to execute unauthorized commands via specially crafted packets.

Greenbone is able to detect devices vulnerable to FortiJump, FortiOS devices susceptible to CVE-2024-23113 [1][2][3], and over 600 other flaws in Fortinet products.

Iranian Cyber Actors Serving Ransomware Threats

The FBI, CISA, NSA and other US and international security agencies issued a joint advisory warning of an ongoing Iranian-backed campaign targeting critical infrastructure networks particularly in healthcare, government, IT, engineering and energy sectors. Associated threat groups are attributed with ransomware attacks that primarily gain initial access by exploiting public facing services [T1190] such as VPNs. Other techniques used in the campaign include brute force attacks [T1110], password spraying [T1110.003], and MFA fatigue attacks.

The campaign is associated with exploitation of the following CVEs:

Greenbone can detect all CVEs referenced in the campaign advisories, providing defenders with visibility and the opportunity to mitigate risk. Furthermore, while not tracked as a CVE, preventing brute force and password spraying attacks is cybersecurity 101. While many authentication services do not natively offer brute force protection, add-on security products can be configured to impose a lockout time after repeated login failures. Greenbone can attest compliance with CIS security controls for Microsoft RDP including those that prevent brute-force and password spraying login attacks.

Finally, according to the EU’s Cyber Resilience Act’s (CRA), Annex I, Part I (2)(d), products with digital elements must “ensure protection from unauthorized access by appropriate control mechanisms”, including systems for authentication, identity and access management, and should also report any instances of unauthorized access. This implies that going forward the EU will eventually require all products to have built-in brute force protection rather than relying on third-party rate limiting tools such as fail2ban for Linux.

Unencrypted Cookies in F5 BIG-IP LTM Actively Exploited

CISA has observed that cyber threat actors are exploiting unencrypted persistent cookies on F5 BIG-IP Local Traffic Manager (LTM) systems. Once stolen, the cookies are used to identify other internal network devices which can further allow passive detection of vulnerabilities within a network. Similar to most web-applications, BIG-IP passes an  HTTP cookie between the client and server to track user sessions. The cookie, by default, is named BIGipServer<pool_name> and its value contains the encoded IP address and port of the destination server.

F5 BIG-IP is a network traffic management suite and LTM is the core module that provides load balancing and traffic distribution across servers. CISA advises organizations to ensure persistent cookies are encrypted. F5 offers guidance for setting up cookie encryption and a diagnostic tool, BIG-IP iHealth to detect unencrypted cookie persistence profiles.

While active exploitation increases the threat to organizations who have not remediated this weakness, the vulnerability has been known since early 2018.  Greenbone has included detection for this weakness since January 2018, allowing users to identify and close the security gap presented by unencrypted cookies in F5 BIG-IP LTM since its disclosure.

New High Risk Vulnerabilities in Palo Alto Expedition

Several new high risk vulnerabilities have been disclosed in Palo Alto’s Expedition, a migration tool designed to streamline the transition from third-party security configurations to Palo Alto’s PAN-OS. While not observed in active campaigns yet, two of the nine total CVEs assigned to Palo Alto in October were rated with EPSS scores in the top 98th percentile.  EPSS (Exploit Prediction Scoring System) is a machine learning prediction model that estimates the likelihood of a CVE being exploited in the wild within 30 days from the model prediction.

Here is a brief technical description of each CVE:

  • CVE-2024-9463 (CVSS 7.5, EPSS 91.34%): An OS command injection vulnerability in Palo Alto’s Expedition allows an unauthenticated attacker to run arbitrary OS commands as root in Expedition, resulting in disclosure of usernames, cleartext passwords, device configurations and device API keys of PAN-OS firewalls.
  • CVE-2024-9465 (CVSS 9.1, EPSS 73.86%): An SQL injection vulnerability in Palo Alto Networks Expedition allows an unauthenticated attacker to reveal sensitive database contents, such as password hashes, usernames, device configurations and device API keys. Once this information has been obtained, attackers can create and read arbitrary files on affected systems.

Four Critical CVEs in Mozilla Firefox: One Actively Exploited

As mentioned before on our Threat Tracking blog, browser security is critical for preventing initial access, especially for workstation devices. In October 2024, seven new critical severity and 19 other less critical vulnerabilities were disclosed in Mozilla Firefox < 131.0 and Thunderbird < 131.0.1. One of these, CVE-2024-9680, was observed being actively exploited against Tor network users and added to CISA’s known exploited catalog. Greenbone includes vulnerability tests to identify all affected Mozilla products.

The seven new critical severity disclosures are:

  • CVE-2024-9680 (CVSS 9.8): Attackers achieved unauthorized RCE in the content process by exploiting a Use-After-Free in Animation timelines. CVE-2024-9680 is being exploited in the wild.
  • CVE-2024-10468 (CVSS 9.8): Potential race conditions in IndexedDB allows memory corruption, leading to a potentially exploitable crash.
  • CVE-2024-9392 (CVSS 9.8): A compromised content process enables arbitrary loading of cross-origin pages.
  • CVE-2024-10467, CVE-2024-9401 and CVE-2024-9402 (CVSS 9.8): Memory safety bugs present in Firefox showed evidence of memory corruption. Security researchers presume that with enough effort some of these could have been exploited to run arbitrary code.
  • CVE-2024-10004 (CVSS 9.1): Opening an external link to an HTTP website when Firefox iOS was previously closed and had an HTTPS tab open could result in the padlock icon showing an HTTPS indicator incorrectly.

Summary

Our monthly Threat Tracking blog covers major cybersecurity trends and high-risk threats. Key insights for October 2024 include expanded efforts to counter ransomware internationally and the role proactive vulnerability management plays in preventing successful ransomware attacks. Other highlights include Fortinet and Palo Alto vulnerabilities actively exploited and updates on an Iranian-backed cyber attack campaign targeting public-facing services of critical infrastructure sector entities. Additionally, F5 BIG-IP LTM’s unencrypted cookie vulnerability, exploited for reconnaissance, and four new Mozilla Firefox vulnerabilities, one actively weaponized, underscore the need for vigilance.

Greenbone facilitates identification and remediation of these vulnerabilities and more, helping organizations enhance resilience against evolving cyber threats. Prioritizing rapid detection and timely patching remains crucial for mitigating risk.

Contact Test Now Buy Here Back to Overview

/by
Greenbone AG

Stop the Standstill: how Greenbone Helps Protect Against DoS Attacks

A DoS attack (Denial of Service) can mean a complete standstill: an important service fails, an application no longer responds or access to one’s own system is blocked. DoS attacks have a clear, destructive goal: to paralyze digital resources, preventing access to the legitimate users. The consequences of a DoS attack can be drastic: from downtime and business interruptions to financial losses and significant risks for the entire organization.

For several years, DoS attacks have been on the rise and have significantly impacted business, critical infrastructure and healthcare services. DoS attacks are also being leveraged in sophisticated cyber military campaigns and to extort victims into paying a ransom. What lies behind these attacks and how can you protect yourself?

Widening the Threat Landscape

With unauthorized access attackers may impose DoS by simply shutting down a system [T1529]. Otherwise, application logic flaws can allow a remote attacker to crash the system, or they may flood it with network traffic to exhaust its resources. Blocking account access [T1531], destroying data [T1485], or deploying ransomware [T1486] can further hinder system recovery [T1490] or distract defenders while other attacks take place. At the same time, disabled critical services increase vulnerability to further cyber attacks; if a virus scanner is stopped, malware can enter the network unimpeded; if backup services are down, full recovery from ransomware may be impossible.

DoS Attacks Often Leverage Known Weaknesses

DoS attacks often exploit weaknesses in network protocol specifications, improper protocol implementations, faulty logic in software applications, or misconfigurations. Some software flaws that could allow DoS attacks include:

  • Uncontrolled resource consumption
  • Buffer overflows
  • Memory leaks
  • Improper error handling
  • Asymmetric resource consumption (amplification)
  • Failure to release a resource after use

When vulnerabilities such as these are discovered, vendors rush to issue patches. However, only users who install them are protected. By scanning network and host attack surfaces, IT security teams can be alerted to DoS and other types of vulnerabilities. Once alerted, defenders can act by applying updates or adjusting vulnerable configurations.

Types of DoS Attacks

DoS attacks may employ a variety of different techniques, such as flooding networks with excessive traffic, exploiting software vulnerabilities, or manipulating application-level functions. Understanding how DoS attacks work and their potential impact is crucial for organizations to develop comprehensive defense strategies and minimize the risk of such disruptions.

The main categories of DoS attacks include:

  • Volume Based DoS Attacks: Volume-based DoS attacks overwhelm the target’s network bandwidth or compute resources such as CPU and RAM with high volumes of traffic, rendering the network unable to fulfill its legitimate purpose.
  • Application and Protocol DoS Attacks: These attacks target vulnerabilities within software applications or network protocols, which may reside at any layer of the protocol stack. Attackers exploit flaws in a protocol specification, flawed application logic, or system configurations to destabilize or crash the target.
  • Amplification DoS Attacks: Amplification attacks exploit specific protocols that generate a response larger than the initial request. Attackers send small queries to the target which responds with large packets. This tactic significantly amplifies the impact to the victim as high as 100 times the initial request size.
  • Reflection DoS Attacks: The attacker sends a request to a service, but replaces the source IP address with the victim’s IP. The server then sends its response to the victim, “reflecting” the attacker’s forged requests. Reflection attacks typically rely on UDP (User Datagram Protocol) due to its connectionless nature. Unlike TCP, UDP-based services do not automatically verify the source IP address of data they receive.
  • Distributed DoS Attacks (DDoS): DDoS attacks leverage large groups of compromised devices (often called a botnet) to send overwhelming amounts of traffic to a target. Botnets consist of hacked web servers or SOHO (Small Office, Home Office) routers from all over the world and are controlled centrally by the threat actor. The distributed nature of DDoS attacks make them much harder to mitigate, as the malicious traffic comes from many different IP addresses. This makes it difficult to distinguish legitimate users and infeasible to block the botnet’s large number of unique IP addresses.

Using Greenbone Against System Breakdown

Government cybersecurity agencies from all NATO countries such as Germany, the US, and Canada urge vulnerability management as a top priority for defending against DoS attacks.  By scanning for known vulnerabilities, Greenbone helps close the door to DoS attacks and can identify when human error contributes to the problem by detecting known misconfigurations and CIS benchmark controls. Greenbone also updates its vulnerability tests daily to include detection for the latest vulnerabilities that can allow successful DoS attacks.

Greenbone includes the Denial of Service category of vulnerability tests and other test families also include DoS identification such as: database DoS tests, web application DoS tests, web server DoS tests, Windows DoS tests [1][2] and product specific DoS detection for many enterprise networking products such as Cisco, F5, Juniper Networks, Palo Alto and more. Using Greenbone to scan your networks and endpoints, you have access to over 4,900 tests capable of identifying exploitable DoS flaws.

Also, when Greenbone’s “Safe Checks” protection for a scan configuration is disabled, our scanner will conduct active attacks such as amplification DoS attacks. Since these tests present higher risk such as increased likelihood of service disruption, the Safe Checks feature is enabled by default, meaning this extended set of invasive scans are not conducted unless specifically configured to do so.

While no known cybersecurity mitigation can guarantee protection against all DoS attacks such as high volume DDoS attacks, the proactive identification and mitigation of known flaws removes the “low-hanging fruit” presented by exploitable services. By removing known vulnerabilities from its IT infrastructure, an organization can avoid becoming part of the problem as well – since hijacked IT assets are often used by attackers to conduct DDoS attacks against others.

Summary

Denial of Service (DoS) attacks aim to disrupt the availability of IT systems by overwhelming them with traffic or by exploiting known software vulnerabilities. Greenbone’s comprehensive vulnerability assessment solutions can identify potential entry points for DoS attacks, enabling organizations to strengthen their defenses and minimize their risk. By proactively managing vulnerabilities and employing continuous monitoring, Greenbone helps organizations to detect and mitigate the impact of potentially destructive DoS attacks.

Contact Test Now Buy Here Back to Overview

/by
Greenbone AG

Understanding Mass Exploitation Attacks

If an organization has high value, you can bet that bad actors are contemplating how to exploit its IT weaknesses for financial gain. Ransomware attacks are the apex threat in this regard, rendering a victim’s data unusable, extorting them for a decryption key. Highly targeted organizations need to understand exactly where their risk lies and ensure that critical assets are exceptionally well protected. However, all organizations with IT infrastructure – even small ones – benefit from assessing their attack surface and mitigating vulnerabilities.

Mass Exploitation attacks are automated campaigns continuously scanning the public Internet looking for easy victims. These campaigns are carried out by bots, executing automated cyber attacks at scale. CloudFlare claims that only 7% of the Internet traffic is malicious bots, while other reports claim malicious bots account for as much as 32% of all Internet activity. Once breached, attackers misuse these compromised assets for malicious activities.

What Happens to Assets Compromised in Mass Exploitation Campaigns?

Once an attacker gains control of a victim’s IT infrastructure, they assess the value of their newly acquired spoils and determine how to best capitalize. The dark web is an underground ecosystem of cybercrime services with its own economy of supply and demand for illicit deeds. Within this ecosystem, Initial Access Brokers (IAB) sell unauthorized access to Ransomware as a Service (RaaS) groups who specialize in ransomware execution; encrypting a victim’s files and extorting them. Mass Exploitation is one way that these IABs gain a foothold.

Compromised assets with lower extortion value may become part of the IAB’s “zombie botnet”; co-opted to continuously scan the Internet for vulnerable systems to compromise. Otherwise, hijacked systems may be used to send malspam and phishing emails, infected with crypto-mining malware, or become an inconspicuous host for command-and-control (C2) infrastructure to support more targeted attack campaigns.

How Mass Exploitation Works

By exploring Mass Exploitation through the lens of the MITRE ATT&CK framework’s tactics, techniques and procedures (TTP) defenders can better understand attacker behavior. If you are not familiar with MITRE ATT&CK, now is a good time to review the MITRE ATT&CK Enterprise Matrix, since it will serve as a reference point for how attackers operate.

Mass exploitation targets large numbers of systems with sophisticated tools that can scan many IP addresses and automatically execute cyber attacks when vulnerabilities are found. These attacks aim to exploit vulnerabilities in software that is commonly exposed to the public Internet, especially software used to host websites and access webservers remotely.

Here’s how Mass Exploitation works:

  • Reconnaissance [TA0043]: Attackers collect sources of vulnerability information such as NIST NVD where CVEs are published with severity scores and reports that include technical details. Attackers also discover sources of exploit code such as exploit-db, GitHub, or other sources such as dark web marketplaces. Alternatively, attackers may develop their own malicious exploits.
  • Weaponization [TA0042]: Attackers build cyber weapons designed to automatically identify and exploit vulnerabilities [T1190] without the need for human interaction.
  • Active Scanning [T1595]: Attackers conduct active scans of the public Internet at scale to discover listening services and their versions [T1595.002]. This process is similar to how cyber defenders conduct vulnerability scans of their own infrastructure, except instead of fixing identified vulnerabilities, attackers plan strategies to exploit them.
  • Attack Deployment and Exploitation: Once an active vulnerability has been found, automated tools attempt to exploit them to control the victim’s system remotely [TA0011] or cause Denial of Service (DoS) [T1499]. A variety of software weaknesses may be involved such as: exploiting default account credentials [CWE-1392], SQL injection [CWE-89], buffer overflows [CWE-119], unauthorized file uploads [CWE-434] or otherwise broken access controls [CWE-284].
  • Assessment and Action on Objectives [TA0040]: Post-compromised, the attacker decides how to best impact the victim for their own gain. Attackers may decide to conduct further reconnaissance, attempting to move laterally to other connected systems in the network [TA0008], steal data from the victim [TA0010], deploy ransomware [T1486] or sell the initial access to other cyber criminals with specialized skills [T1650].

How to Defend Against Mass Exploitation

Defending against Mass Exploitation attacks requires a proactive approach that addresses potential vulnerabilities before they can be exploited. Organizations should adopt fundamental IT security best practices including regular assessments, continuous monitoring, and timely remediation of identified weaknesses.

Here are some key security measures to defend against Mass Exploitation:

  • Build an IT asset inventory: Building a comprehensive inventory of all hardware, software, and network devices within your organization ensures no systems are overlooked during risk and vulnerability assessments and patch management.
  • Conduct a risk assessment: Prioritize assets based on their importance to business operations and determine how preventative efforts should be focused. Regular risk assessments help ensure that the most critical threats are addressed, reducing the chances of a high impact breach.
  • Scan all assets regularly and fix identified vulnerabilities: Perform regular vulnerability scans on all IT assets, especially those exposed to the public internet and with a high risk context. Promptly apply patches or alternative mitigation measures to prevent exploitation. Track and measure vulnerability management progress in a quantified way.
  • Remove unused services and applications: Unused software presents additional attack surface, which may offer attackers an opportunity to exploit vulnerabilities. By minimizing the number of active services and installed applications, potential entry points for attackers are limited.
  • Education and training: Education is important to promote IT security awareness within an organization’s culture. Awareness training also goes a long way towards preventing malspam and phishing attacks from impacting an organization.
  • Employ Anti-Malware solutions: Malware is often distributed through automated malspam and phishing campaigns at scale. Ensure all systems have up-to-date anti-virus software and implement spam filtering to detect and quarantine malicious files.
  • Enforce strong authentication policies: Credential stuffing attacks are often automated components of Mass Exploitation campaigns. By following password best practices, such as using strong randomly generated passwords and not reusing passwords between accounts there is less risk posed by stolen passwords. Implementing password rotation policies, multi-factor authentication (MFA), and using password managers also strengthen password security.
  • Use firewalls and IPS: Firewalls and Intrusion Prevention Systems (IPS) can block malicious traffic by using rules or patterns. Configure rulesets as strictly as possible to block unnecessary inbound traffic from scanning sensitive services. Regularly review and update firewall and IPS configurations to account for current threats.

Summary

Mass Exploitation refers to automated cyber attack campaigns that use bots to scan the public Internet for vulnerable systems. These attacks target a wide range of victims, exploiting known vulnerabilities in software that is commonly exposed to the internet. Once compromised, attackers use the breached systems for various malicious purposes, including launching ransomware attacks, selling access to other criminal groups or further extending botnets. Mass exploitation is a major threat as it allows attackers to operate at scale with minimal effort.

To defend against Mass Exploitation, organizations must implement proactive security measures such as regular vulnerability scanning, timely patch management, strong access controls and network monitoring. Additionally, ensuring that staff have adequate security training can help reduce the risk of becoming a victim of Mass Exploitation campaigns.

Contact Test Now Buy Here Back to Overview

/by
Andreas Bergler

Greenbone at it-sa 2024: Three Exciting Days at the Trade Fair and a Record Number of Visitors 

it-sa 2024 in Nuremberg was a great success not only for the organizers but also for us: three days full of inspiring conversations, new contacts and important insights into the current security requirements of existing and potential customers. As one of the most important trade fairs for IT security in Europe, it-sa was the ideal platform for us to present the latest developments to a broad audience. Our keynote, held by CEO Dr. Jan-Oliver Wagner, attracted numerous trade visitors. Under the title “Be secure and stay secure”, he provided insights into the importance of our portfolio for proactive corporate security.

The Greenbone team at the partner stand at it-sa 2024 in Nuremberg.”

The Greenbone team at it-sa 2024 was pleased to welcome twice as many visitors as in the previous year.

 

Keynote: Vulnerability Management as the Basis for Cyber Security

In his keynote, Jan-Oliver Wagner spoke about the growing importance of vulnerability management as the fundamental building block of a comprehensive security strategy. Companies and organizations of all sizes are facing the challenge of dealing with the ever-increasing threat of cyber attacks. Especially because the number of attacks has increased dramatically in recent years and that high tens of millions have already been paid in cyber extortion, it is clear that cybersecurity is no longer just “nice to have”, but essential for survival. 

Jan-Oliver Wagner called for threats to be detected as early as possible and for risks to be managed proactively. He presented vulnerability management as “the first line of defense” against attackers. With Greenbone solutions, companies can continuously check their IT infrastructure for security vulnerabilities: “Vulnerability management is the basis of a sustainable and highly effective security strategy.” Security teams are often faced with the difficult task of assessing risks appropriately and making the right decisions. “The goal is to stay one step ahead of attackers. Our solutions not only identify security vulnerabilities, but also help prioritize which vulnerabilities need to be addressed most urgently.”

Inspiring Conversations and New Contacts: the Trade Fair Highlights

The trade fair enabled us to engage directly with industry visitors, customers and partners, answer their questions and better understand their perspectives. With many technical discussions in just three days, the number of visitors to our partner stand at ADN more than doubled compared to last year, reports Ingo Conrads, Chief Sales Officer: “We were particularly pleased about the many new prospects and partners with whom we were able to discuss many new business opportunities.” 

Dr. Jan-Oliver Wagner, CEO of Greenbone, during his keynote speech 'Be secure and stay secure' at it-sa 2024 in Nuremberg.

Greenbone CEO Dr. Jan-Oliver Wagner giving the keynote “Be secure and stay secure” at it-sa 2024.

Many visitors already knew Greenbone as a brand, partly by OpenVAS in the past. But new products such as Greenbone Basic were also a discovery for many, showing how comprehensive and scalable our solutions have become – from entry-level to enterprise products for the public sector. The diversity of our portfolio and our services in particular generated surprise and interest. An overview of the various possible uses of our solutions is available on our website.

Thank You for the Successful Trade Fair!

it-sa 2024 was a great success and an inspiring experience for us. Once again, the trade fair showed how important vulnerability management has become and that Greenbone is making an important contribution to IT security. Many thanks to our distribution partner ADN for the excellent cooperation at the partner stand – and many thanks to all visitors for the interesting discussions and valuable feedback!

Together we are working to ensure that companies are secure – and stay secure. 

Contact Test Now Buy Here Back to Overview

/by
Andreas Bergler

… and Action! Greenbone at the it-sa Expo&Congress

Next week, it-sa, one of the largest platforms for IT security solutions, will kick off. On the opening day, October 22, 2024, from 11:00 a.m., Greenbone’s CEO Dr. Jan-Oliver Wagner will show how companies can remain capable of managing crisis situations. With the “Action” in Forum 6-B “Be secure and stay secure” he shows ways out of the growing threats posed by cyber risks. It is not for nothing that his overview of the possibilities and potential of vulnerability management is not called a “lecture”, but “action”: action is needed!

Take Action!

In times when ransomware gangs are trying to extort tens of millions of dollars, it’s essential for companies and organizations to act as early as possible to ensure the security of their IT systems, data and business operations. Every investment in cyber security pays off many times over when the acquisition costs of a corresponding proactive solution are compared with the costs incurred by a security breach – the costs of paying ransom are devastating. As with any calculation of interest and compound interest: the earlier the investment, the more it pays off. 

Greenbone’s solutions start at the earliest possible point in the history of cyber risks: the proactive detection of security vulnerabilities in your own IT infrastructure. Proactive vulnerability management goes hand in hand with a well-founded security strategy. Security intelligence is continuously provided, systems are monitored and results are compared and matched to known vulnerabilities.

Gaining a Knowledge Advantage

Because criminals make their attacks on their victims’ networks as impactful and widespread as possible in order to maximize their profits, IT managers should make it as difficult as possible in return. Vulnerability management offers companies a decisive advantage in the race against potential attackers. Vulnerabilities are often exploited before they are publicly announced, but once they are known, the race between attacker and the attacked enters the hot phase: attack vectors should be closed faster than cybercriminals can exploit them.

Manage Risks

To prevent the security risk from escalating, Greenbone solutions now access over 180,000 automated vulnerability tests. This reduces the potential attack surface by 99% compared to companies that do not use vulnerability management. These immense opportunities for risk minimization require prudent security management. The more vulnerabilities get uncovered, the more pressing the need for action becomes. Which IT systems require immediate help? Which assets and interaction paths in the company are particularly critical and which security measures should be prioritized? 

Only those who have plausible answers to these questions will be able to keep the overall risk of cyber attacks as low as possible in the long term. Jan-Oliver Wagner will identify top priorities and how a corresponding “triage” can be practiced among data and systems in day-to-day operations in the it-sa action “Be secure and stay secure”. Join us!

Visit us at our booth 6-346 or make an appointment right away and get your free ticket to the trade show. We look forward to your visit!

Make an appointment!

Contact Test Now Buy Here Back to Overview

/by
Markus Feilner

NIS2: Implementation Delayed but Stay on Course

While the German government has yet to implement the necessary adjustments for the NIS2 directive, organizations shouldn’t lose momentum. Although the enforcement is now expected in Spring 2025 instead of October 2024, the core requirements remain unchanged. While there remains a lot of work for companies, especially operators of critical infrastructure, most of it is clear and well-defined. Organizations must still focus on robust vulnerability management, such as that offered by Greenbone.

Missed Deadlines and the Need for Action

Initially, Germany was supposed to introduce the NIS2 compliance law by October 17, 2024, but the latest drafts failed to gain approval, and even the Ministry of the Interior does not anticipate a timely implementation. If the parliamentary process proceeds swiftly, the law could take effect by Q1 2025, the Ministry announced.

A recent study by techconsult (only in German), commissioned by Plusnet, reveals that while 67% of companies expect cyberattacks to increase, many of them still lack full compliance. NIS2 mandates robust security measures, regular risk assessments and rapid response to incidents. Organizations must report security breaches within 24 hours and deploy advanced detection systems, especially those already covered under the previous NIS1 framework.

Increased Security Budgets and Challenges

84% of organizations plan to increase their security spending, with larger enterprises projecting up to a 12% rise. Yet only 29% have fully implemented the necessary measures, citing workforce shortages and lack of awareness as key obstacles. The upcoming NIS2 directive presents not only a compliance challenge but also an opportunity to strengthen cyber resilience and gain customer trust. Therefore, 34% of organizations will invest in vulnerability management in the future.

Despite clear directives from the EU, political delays are undermining the urgency. The Bundesrechnungshof and other institutions have criticized the proposed exemptions for government agencies, which could weaken overall cybersecurity efforts. Meanwhile, the healthcare sector faces its own set of challenges, with some facilities granted extended transition periods until 2030.

Invest now to Stay Ahead

Latest since the NIS2 regulations impend, businesses are aware of the risks and are willing to invest in their security infrastructure. As government action lags, companies must take proactive measures. Effective vulnerability management solutions, like those provided by Greenbone, are critical to maintaining compliance and security.

Contact Test Now Buy Here Back to Overview

/by
Joseph Lee

September 2024 Threat Tracking: Speed Before Safety?

A 2023 World Economic Forum report surveyed 151 global organizational leaders and found that 93% of cyber leaders and 86% business leaders believe a catastrophic cyber event is likely within the next two years. Still, many software vendors prioritize rapid development and product innovation above security. This month, CISA’s Director Jen Easterly stated software vendors “are building problems that open the doors for villains” and that “we don’t have a cyber security problem – we have a software quality problem”. Downstream, customers benefit from innovative software solutions, but are also exposed to the risks from poorly written software applications; financially motivated ransomware attacks, wiper malware, nation-state espionage and data theft, costly downtime, reputational damage and even insolvency.

However astute, the Director’s position glosses over the true cyber risk landscape. For example, as identified by Bruce Schneier back in 1999; IT complexity increases the probability of human error leading to misconfigurations [1][2][3]. Greenbone identifies both known software vulnerabilities and misconfigurations with industry leading vulnerability test coverage and compliance tests attesting CIS controls and other standards such as the BSI basic controls for Microsoft Office.

At the end of the day, organizations hold responsibility to their stakeholders, customers and the general public. They need to stay focused and protect themselves with fundamental IT security activities including Vulnerability Management. In September 2024’s Threat Tracking blog post, we review the most pressing new developments in the enterprise cybersecurity landscape threatening SMEs and large organizations alike.

SonicOS Exploited in Akira Ransomware Campaigns

CVE-2024-40766 (CVSS 10 Critical) impacting SonicWall’s flagship OS SonicOS, has been identified as a known vector for campaigns distributing Akira ransomware. Akira, originally written in C++, has been active since early 2023. A second Rust-based version became the dominant strain in the second half of 2023. The primary group behind Akira is believed to stem from the dissolved Conti ransomware gang. Akira is now operated as a Ransomware as a Service (RaaS) leveraging a double extortion tactic against targets in Germany and across the EU, North America, and Australia. As of January 2024, Akira had compromised over 250 businesses and critical infrastructure entities, extorting over 42 million US-Dollar.

Akira’s tactics include exploiting known vulnerabilities for initial access such as:

Greenbone includes tests to identify SonicWall devices vulnerable to CVE-2024-40766 [1][2] and all other vulnerabilities exploited by the Akira ransomware gang for initial access.

Urgent Patch for Veeam Backup and Restoration

Ransomware is the apex cyber threat, especially in healthcare. The US Human and Healthcare Services (HHS) reports that large breaches increased by 256% and ransomware incidents by 264% over the past five years. Organizations have responded with more proactive cybersecurity measures to prevent initial access and more robust incident response and recovery, including more robust backup solutions. Backup systems are thus a prime target for ransomware operators.

Veeam is a leading vendor of enterprise backup solutions globally and promotes its products as a viable safeguard against ransomware attacks. CVE-2024-40711 (CVSS 10 Critical), a recently disclosed vulnerability in Veeam Backup and Recovery is especially perilous since it could allow hackers to target the last line of protection against ransomware – backups. The vulnerability was discovered and responsibly reported by Florian Hauser of CODE WHITE GmbH, a German cybersecurity research company. Unauthorized Remote Code Execution (RCE) via CVE-2024-40711 was quickly verified by security researchers within 24 hours of the disclosure, and proof-of-concept code is now publicly available online, compounding the risk.

Veeam Backup & Replication version 12.1.2.172 and all earlier v12 builds are vulnerable and customers need to patch affected instances with urgency. Greenbone can detect CVE-2024-40711 in Veeam Backup and Restoration allowing IT security teams to stay one step ahead of ransomware gangs.

Blast-RADIUS Highlights a 20 Year old MD5 Collision Attack

RADIUS is a powerful and flexible authentication, authorization, and accounting (AAA) protocol used in enterprise environments to validate user-supplied credentials against a central authentication service such as Active Directory (AD), LDAP, or VPN services. Dubbed BlastRADIUS, CVE-2024-3596 is a newly disclosed attack against the UDP implementation of RADIUS, accompanied by a dedicated website, research paper, and attack details. Proof-of-concept code is also available from a secondary source.

Blast-RADIUS is an Adversary in The Middle (AiTM) attack that exploits a chosen-prefix collision weakness in MD5 originally identified in 2004 and improved in 2009. The researchers exponentially reduced the time required to spoof MD5 collisions and released their improved version of hashclash. The attack can allow an active AiTM positioned between a RADIUS client and a RADIUS server to trick the client into honoring a forged Access-Accept response despite the RADIUS server issuing a Access-Reject response. This is accomplished by computing an MD5 collision between the expected Access-Reject and a forged Access-Accept response allowing an attacker to approve login requests.

Greenbone can detect a wide array vulnerable RADIUS implementations in enterprise networking devices such as F5 BIG-IP [1], Fortinet FortiAuthenticator [2] and FortiOS [3], Palo Alto PAN-OS [4], Aruba CX Switches [5] and ClearPass Policy Manager [6], and on the OS level in Oracle Linux [7][8], SUSE [9][10][11], OpenSUSE [12][13], Red Had [14][15], Fedora [16][17], Amazon [18], Alma [19][20], and Rocky Linux [21][22] among others.

Urgent: CVE-2024-27348 in Apache HugeGraph-Server

CVE-2024-27348 (CVSS 9.8 Critical) is a RCE vulnerability in the open-source Apache HugeGraph-Server that affects all versions of 1.0 before 1.3.0 in Java8 and Java11. HugeGraph-Server provides an API interface used to store, query, and analyze complex relationships between data points and is commonly used for analyzing data from social networks, recommendation systems and for fraud detection.

CVE-2024-27348 allows attackers to bypass the sandbox restrictions within the Gremlin query language by exploiting inadequate Java reflection filtering. An attacker can leverage the vulnerability by crafting malicious Gremlin scripts and submitting them via API to the HugeGraph /gremlin endpoint to execute arbitrary commands. The vulnerability can be exploited via remote, adjacent, or local access to the API and can enable privilege escalation.

It is being actively exploited in hacking campaigns. Proof-of-concept exploit code [1][2][3] and an in-depth technical analysis are publicly available giving cyber criminals a head start in developing attacks. Greenbone includes an active check and version detection test to identify vulnerable instances of Apache HugeGraph-Server. Users are advised to update to the latest version.

Ivanti has Been an Open Door for Attackers in 2024

Our blog has covered vulnerabilities in Invati products several times this year [1][2][3]. September 2024 was another hot month for weaknesses in Ivanti products. Ivanti finally patched CVE-2024-29847 (CVSS 9.8 Critical), a RCE vulnerability impacting Ivanti Endpoint Manager (EPM), first reported in May 2024. Proof-of-concept exploit code and a technical description are now publicly available, increasing the threat. Although there is no evidence of active exploitation yet, this CVE should be considered high priority and patched with urgency.

However, in September 2024, CISA also identified a staggering four new vulnerabilities in Ivanti products being actively exploited in the wild. Greenbone can detect all of these new additions to CISA KEV and previous vulnerabilities in Ivanti products. Here are the details:

Summary

In this month’s Threat Tracking blog, we highlighted major cybersecurity developments including critical vulnerabilities such as CVE-2024-40766 exploited by Akira ransomware, CVE-2024-40711 impacting Veeam Backup and the newly disclosed Blast-RADIUS attack that could impact enterprise AAA. Proactive cybersecurity activities such as continuous vulnerability management and compliance attestation help to mitigate risks from ransomware, wiper malware, and espionage campaigns, allowing defenders to close security gaps before adversaries can exploit them.

Contact Test Now Buy Here Back to Overview

/by
Joseph Lee

August 2024 Threat Tracking: Threats on the Rise

The cybersecurity risk environment has been red hot through the first half of 2024. Critical vulnerabilities in even the most critical technologies are perpetually open to cyber attacks, and defenders face the continuous struggle to identify and remediate these relentlessly emerging security gaps. Large organizations are being targeted by sophisticated “big game hunting” campaigns by ransomware gangs seeking to hit the ransomware jackpot. The largest ransomware payout ever was reported in August – 75 million Dollar to the Dark Angels gang. Small and medium sized enterprises are targeted on a daily basis by automated “mass exploitation” attacks, also often seeking to deliver ransomware [1][2][3].

A quick look at CISA’s Top Routinely Exploited Vulnerabilities shows us that even though cyber criminals can turn new CVE (Common Vulnerabilities and Exposures) information into exploit code in a matter of days or even hours, older vulnerabilities from years past are still on their radar.

In this month’s Threat Tracking blog post, we will point out some of the top cybersecurity risks to enterprise cybersecurity, highlighting vulnerabilities recently reported as actively exploited and other critical vulnerabilities in enterprise IT products.

The BSI Improves LibreOffice’s Mitigation of Human Error

OpenSource Security on behalf of the German Federal Office for Information Security (BSI) recently identified a secure-by-design flaw in LibreOffice. Tracked as CVE-2024-6472 (CVSS 7.8 High), it was found that users could enable unsigned macros embedded in LibreOffice documents, overriding the “high security mode” setting. While exploitation requires human interaction, the weakness addresses a false sense of security, that unsigned macros could not be executed when “high security mode” enabled.

KeyTrap: DoS Attack Against DNSSEC

In February 2024, academics at the German National Research Center for Applied Cybersecurity (ATHENE) in Darmstadt disclosed “the worst attack on DNS ever discovered”. According to German researchers, a single packet can cause a “Denial of Service” (DoS) by exhausting a DNSSEC-validating DNS resolver. Dubbed “KeyTrap”, attackers can exploit the weakness to prevent clients using a compromised DNS server from accessing the internet or local network resources. The culprit is a design flaw in the current DNSSEC specification [RFC-9364] that dates back more than 20 years [RFC-3833].

Published in February 2024 and tracked as CVE-2023-50387 (CVSS 7.5 High), exploitation of the vulnerability is considered trivial and proof-of-concept code is available on GitHub. The availability of exploit code means that low skilled criminals can easily launch attacks. Greenbone can identify systems with vulnerable DNS applications impacted by CVE-2023-50387 with local security checks (LSC) for all operating systems.

CVE-2024-23897 in Jenkins Used to Breach Indian Bank

CVE-2024-23897 (CVSS 9.8 Critical) in Jenkins (versions 2.441 and LTS 2.426.2 and earlier) is being actively exploited and used in ransomware campaigns including one against the National Payments Corporation of India (NPCI). Jenkins is an open-source automation server used primarily for continuous integration (CI) and continuous delivery (CD) in software development operations (DevOps).

The Command Line Interface (CLI) in affected versions of Jenkins contains a path traversal vulnerability [CWE-35] caused by a feature that replaces the @-character followed by a file path with the file’s actual contents. This allows attackers to read the contents of sensitive files including those that provide unauthorized access and subsequent code execution. CVE-2024-23897 and its use in ransomware attacks follows a joint CISA and FBI alert for software vendors to address path traversal vulnerabilities [CWE-35] in their products. Greenbone includes an active check [1] and two version detection tests [2][3] for identifying vulnerable versions of Jenkins on Windows and Linux.

2 New Actively Exploited CVEs in String of Apache OFBiz Flaws

Apache OFBiz (Open For Business) is a popular open-source enterprise resource planning (ERP) and e-commerce software suite developed by the Apache Software Foundation. In August 2024, CISA alerted the cybersecurity community to active exploitation of Apache OFBiz via CVE-2024-38856 (CVSS 9.8 Critical) affecting versions before 18.12.13. CVE-2024-38856 is a path traversal vulnerability [CWE-35] that affects OFBiz’s “override view” functionality allowing unauthenticated attackers Remote Code Execution (RCE) on the affected system.

CVE-2024-38856 is a bypass of a previously patched vulnerability, CVE-2024-36104, just published in June 2024, indicating that the initial fix did not fully remediate the problem. This also builds upon another 2024 vulnerability in OFBiz, CVE-2024-32113 (CVSS 9.8 Critical), which was also being actively exploited to distribute Mirai botnet. Finally, in early September 2024, two new critical severity CVEs, CVE-2024-45507 and CVE-2024-45195 (CVSS 9.8 Critical) were added to the list of threats impacting current versions of OFBiz.

Due to the notice of active exploitation and Proof-of-Concept (PoC) exploits being readily available for CVE-2024-38856 [1][2] and CVE-2024-32113 [1][2] affected users need to patch urgently. Greenbone can detect all aforementioned CVEs in Apache OFBiz with both active and version checks.

CVE-2022-0185 in the Linux Kernel Actively Exploited

CVE-2022-0185 (CVSS 8.4 High), an heap-based buffer overflow vulnerability in the Linux kernel, was added to CISA KEV in August 2024. Publicly available PoC-exploit-code and detailed technical descriptions of the vulnerability have contributed to the increase in cyber attacks exploiting CVE-2022-0185.

In CVE-2022-0185 in Linux’s “legacy_parse_param()” function within the Filesystem Context functionality the length of supplied parameters is not being properly verified. This flaw allows an unprivileged local user to escalate their privileges to the root user.

Greenbone could detect CVE-2022-0185 since it was disclosed in early 2022 via vulnerability test modules covering a wide set of Linux distributions including Red Hat, Ubuntu, SuSE, Amazon Linux, Rocky Linux, Fedora, Oracle Linux and Enterprise products such as IBM Spectrum Protect Plus.

New VoIP and PBX Vulnerabilities

A handful of CVEs were published in August 2024 impacting enterprise voice communication systems. The vulnerabilities were disclosed in Cisco’s small business VOIP systems and Asterisk, a popular open-source PBX branch system. Let’s dig into the specifics:

Cisco Small Business IP Phones Offer RCE and DoS

Three high severity vulnerabilities were disclosed that impact the web-management console of Cisco Small Business SPA300 Series and SPA500 Series IP Phones. While underscoring the importance of not exposing management consoles to the internet, these vulnerabilities also represent a vector for an insider or dormant attacker who has already gained access to an organization’s network to pivot their attacks to higher value assets and disrupt business operations.

Greenbone includes detection for all newly disclosed CVEs in Cisco Small Business IP Phone. Here is a brief technical description of each:

  • CVE-2024-20454 and CVE-2024-20450 (CVSS 9.8 Critical): An unauthenticated, remote attacker could execute arbitrary commands on the underlying operating system with root privileges because incoming HTTP packets are not properly checked for size, which could result in a buffer overflow.
  • CVE-2024-20451 (CVSS 7.5 High): An unauthenticated, remote attacker could cause an affected device to reload unexpectedly causing a Denial of Service because HTTP packets are not properly checked for size.

CVE-2024-42365 in Asterisk PBX Telephony Toolkit

Asterisk is an open-source private branch exchange (PBX) and telephony toolkit. PBX is a system used to manage internal and external call routing and can use traditional phone lines (analog or digital) or VoIP (IP PBX). CVE-2024-42365, published in August 2024, impacts versions of asterisk before 18.24.2, 20.9.2 and 21.4.2 and certified-asterisk versions 18.9-cert11 and 20.7-cert2. An exploit module has also been published for the Metasploit attack framework adding to the risk, however, active exploitation in the wild has not yet been observed.

Greenbone can detect CVE-2024-42365 via network scans. Here is a brief technical description of the vulnerability:

  • CVE-2024-42365 (CVSS 8.8 High): An AMI user with “write=originate” may change all configuration files in the “/etc/asterisk/” directory. This occurs because they are able to curl remote files and write them to disk but are also able to append to existing files using the FILE function inside the SET application. This issue may result in privilege escalation, Remote Code Execution or blind server-side request forgery with arbitrary protocols.

Browsers: Perpetual Cybersecurity Threats

CVE-2024-7971 and CVE-2024-7965, two new CVSS 8.8 High severity vulnerabilities in the Chrome browser, are being actively exploited for RCE. Either CVE can be triggered when victims are tricked into simply visiting a malicious web page. Google acknowledges that exploit code is publicly available, giving even low skilled cyber criminals the ability to launch attacks. Google Chrome has seen a steady stream of new vulnerabilities and active exploitation in recent years. A quick inspection of Mozilla Firefox shows a similar continuous stream of critical and high severity CVEs; seven Critical and six High severity vulnerabilities were disclosed in Firefox during August 2024, although active exploitation of these has not been reported.

The continuous onslaught of vulnerabilities in major browsers underscores the need for diligence to ensure that updates are applied as soon as they become available. Due to Chrome’s high market share of over 65% (over 70% considering Chromium-based Microsoft Edge) its vulnerabilities receive increased attention from cyber criminals. Considering the high number of severe vulnerabilities impacting Chromium’s V8 engine (more than 40 so far in 2024), Google Workspace admins might consider disabling V8 for all users in their organization to increase security. Other options for hardening browser security in high-risk scenarios include using remote browser isolation, network segmentation and booting from secure baseline images to ensure endpoints are not compromised.

Greenbone includes active authenticated vulnerability tests to identify vulnerable versions of browsers for Linux, Windows and macOS.

Summary

New critical and remotely exploitable vulnerabilities are being disclosed at record shattering rates amidst a red hot cyber risk environment. Asking IT security teams to manually track newly exposed vulnerabilities in addition to applying patches imposes an impossible burden and risks leaving critical vulnerabilities undetected and exposed. Vulnerability management is considered a fundamental cybersecurity activity; defenders of large, medium and small organizations need to employ tools such as Greenbone to automatically seek and report vulnerabilities across an organization’s IT infrastructure. 

Conducting automated network vulnerability scans and authenticated scans of each system’s host attack surface can dramatically reduce the workload on defenders, automatically providing them with a list of remediation tasks that is sortable according to threat severity.

Contact Test Now Buy Here Back to Overview

/by
Greenbone AG

Greenbone Enterprise Products Lead all Network Vulnerability Scanners

OpenVAS began in 2005 when Nessus transitioned from open source to a proprietary license. Two companies, Intevation and DN Systems adopted the existing project and began evolving and maintaining it under a GPL v2.0 license. Since then, OpenVAS has evolved into Greenbone, the most widely-used and applauded open-source vulnerability scanner and vulnerability management solution in the world. We are proud to offer Greenbone as both a free Community Edition for developers and also as a range of enterprise products featuring our Greenbone Enterprise Feed to serve the public sector and private enterprises alike.

As the “old-dog” on the block, Greenbone is hip to the marketing games that cybersecurity vendors like to play. However, our own goals remain steadfast – to share the truth about our product and industry leading vulnerability test coverage. So, when we reviewed a recent 2024 network vulnerability scanner benchmark report published by a competitor, we were a little shocked to say the least.

As the most recognized open-source vulnerability scanner, it makes sense that Greenbone was included in the competition for top dog. However, while we are honored to be part of the test, some facts made us scratch our heads. You might say we have a “bone to pick” about the results. Let’s jump into the details.

What the 2024 Benchmark Results Found

The 2024 benchmark test conducted by Pentest-Tools ranked leading vulnerability scanners according to two factors: Detection Availability (the CVEs each scanner has detection tests for) and Detection Accuracy (how effective their detection tests are).

The benchmark pitted our free Community Edition of Greenbone and the Greenbone Community Feed against the enterprise products of other vendors: Qualys, Rapid7, Tenable, Nuclei, Nmap, and Pentest-Tools’ own product. The report ranked Greenbone 5th in Detection Availability and roughly tied for 4th place in Detection Accuracy. Not bad for going up against titans of the cybersecurity industry.

The only problem is, as mentioned above, Greenbone has an enterprise product too, and when the results are recalculated using our Greenbone Enterprise Feed, the findings are starkly different – Greenbone wins hands down.

Here is What we Found

Bar chart from the 2024 benchmark for network vulnerability scanners: Greenbone Enterprise achieves the highest values with 78% availability and 61% accuracy

 

Our Enterprise Feed Detection Availability Leads the Pack

According to our own internal findings, which can be verified using our SecInfo Portal, the Greenbone Enterprise Feed has detection tests for 129 of the 164 CVEs included in the test. This means our Enterprise product’s Detection Availability is a staggering 70.5% higher than reported, placing us heads and tails above the rest.

To be clear, the Greenbone Enterprise Feed tests aren’t something we added on after the fact. Greenbone updates both our Community and Enterprise Feeds on a daily basis and we are often the first to release vulnerability tests when a CVE is published. A review of our vulnerability test coverage shows they have been available from day one.

Our Detection Accuracy was far Underrated

And another thing. Greenbone isn’t like those other scanners. The way Greenbone is designed gives it strong industry leading advantages. For example, our scanner can be controlled via API allowing users to develop their own custom tools and control all the features of Greenbone in any way they like. Secondly, our Quality of Detection (QoD) ranking doesn’t even exist on most other vulnerability scanners.

The report author made it clear they simply used the default configuration for each scanner. However, without applying Greenbone’s QoD filter properly, the benchmark test failed to fairly assess Greenbone’s true CVE detection rate. Applying these findings Greenbone again comes out ahead of the pack, detecting an estimated 112 out of the 164 CVEs.

Summary

While we were honored that our Greenbone Community Edition ranked 5th in Detection Availability and tied for 4th in Detection Accuracy in a recently published network vulnerability scanner benchmark, these results fail to consider the true power of the Greenbone Enterprise Feed. It stands to reason that our Enterprise product should be in the running. Afterall, the benchmark included enterprise offerings from other vendors.

When recalculated using the Enterprise Feed, Greenbone’s Detection Availability leaps to 129 of the 164 CVEs on the test, 70.5% above what was reported. Also, using the default settings fails to account for Greenbone’s Quality of Detection (QoD) feature. When adjusted for these oversights, Greenbone ranks at the forefront of the competition. As the most used open-source vulnerability scanner in the world, Greenbone continues to lead in vulnerability coverage, timely publication of vulnerability tests, and truly enterprise grade features such as a flexible API architecture, advanced filtering, and Quality of Detection scores.

Contact Test Now Buy Here Back to Overview

/by