Tag Archive for: Vulnerability Management

Greenbone AG

Exciting New Features Arrive for Greenbone Enterprise Appliances

We’re excited to announce the release of several feature updates to our Greenbone Operating System (GOS), the software stack behind our physical and virtual Enterprise Appliances. The updates introduce new front-end features to enhance enterprise vulnerability management capabilities, and performance enhancing back-end features. The newest updates to the Greenbone Operating System (GOS), version 24.10, reflect Greenbone’s commitment to empowering fundamental cybersecurity best practices and enabling organizations to prioritize and close security gaps faster than ever before.

In this post, we’ll delve into the latest features and improvements that make our line of Enterprise Appliances even more powerful tools for exposure management and cybersecurity compliance.

GOS 24.10 Brings All New Features

The Greenbone Security Assistant (GSA) is the IT administrator’s doorway into security visibility. From a high-level vantage, the GSA web-interface has a totally new look. The updated version features a modern minimalist look and feel, emphasizing utility and usability, while keeping Greenbone’s capabilities within reach. But the new look is just scratching the surface. Let’s review some deeper changes on the horizon.

The New Compliance Audit Report View

Cybersecurity compliance is increasingly important. New regulations across the EU such as the Digital Operational Resilience Act (DORA), the Network and Information Security Directive 2 (NIS2) and the Cyber Resilience Act (CRA) require organizations to take more proactive actions to protect digital infrastructure. Other forces such as cybersecurity insurance, the need for stronger third party oversight and accountability to customers are impacting how companies oversee their cybersecurity operations.

The GOS 24.10 update includes a brand new compliance-focused view designed to enhance insight into regulatory and policy alignment. The updated user-interface allows greater visibility into cybersecurity risks, supporting alignment with IT governance goals. It hosts compliance audit reports, new dashboard displays and filtering options. This helps keep compliance-focused data distinct from regular scan reports. Delta audit reports also highlight compliance progress with visual indicators and tooltips for easy identification.

EPSS Support Adds AI-Based Prioritization

As the number of new CVEs (Common Vulnerabilities and Exposures) continues to increase, prioritizing vulnerabilities to focus on the most high-impact threats is critical. The Exploit Prediction Scoring System (EPSS) is an AI-driven metric that estimates the likelihood of a CVE being exploited in the wild. EPSS applies machine learning (ML) to historical data to predict which new CVEs are at highest risk of active attack.

EPSS data is now integrated into our Enterprise Appliances. Regularly updated exploitation probabilities for every active CVE are not available in the Greenbone platform. Administrators can leverage up-to-date exploit probability scores and percentiles in addition to the traditional CVSS severity, empowering them to focus on the most critical pressive vulnerabilities in their operations.

More Adaptable CSV and JSON Report Exporting Capabilities

Greenbone’s approach has always centered on simplicity and flexibility. As such, the solutions fit a wide spectrum of unique operational needs. GOS 24.10 introduces JSON formatted report exporting. Users can also now customize the fields in exported CSV and JSON reports. This allows reports to be customized directly from Greenbone to more precisely match report requirements and focus on what’s essential for analysis, compliance or decision-making.

Additional Backend Optimizations

To enhance the flexibility and accuracy of vulnerability matching, Greenbone has introduced several backend optimizations focused on CPE (Common Platform Enumeration) handling and feed management. Here is a look at what’s new:

  • The backend can convert CPEv2.3 strings to CPEv2.2 URIs, storing both versions for more reliable affected product matching. Future development may include advanced, on-the-fly matching, bringing even more precision to vulnerability assessments.
  • Greenbone Enterprise Appliances now support JSON-based CVE, CPE, EPSS, and CERT feeds and gzip data compression.

Summary

With the release of a new round of updates, Greenbone is strengthening the flagship Greenbone Enterprise Appliances. The updates introduce a modernized GSA web-interface, a compliance-focused audit report view for improved visibility, and enhanced CSV and JSON exporting capabilities give users control over report data. We’ve also added AI-based EPSS to the available options for vulnerability risk prioritization. Finally, backend optimizations ensure seamless compatibility with new CPE formats and JSON-based feeds. Together, these features add to Greenbone’s adaptable vulnerability management capabilities allowing organizations to stay ahead of emerging threats with industry leading vulnerability detection and prioritization.

Contact Test Now Buy Here Back to Overview

/by
Greenbone AG

#GreenboneGoesGlobal: Strong Presence at ITASEC 2025 in Bologna

ITASEC, Italy’s most important conference for cyber security, takes place in Bologna from February 3 to 8, 2025. As a platinum sponsor, Greenbone is sending a strong signal for European cooperation and digital security. This step demonstrates our commitment to a global presence and direct customer interaction.

Street scene in the old town of Bologna with a view of the medieval 'Due Torri' towers, venue of the IT security conference ITASEC 2025

The “Due Torri”, two medieval towers, shape the image of the historic old town of Bologna. (Photo: Markus Feilner, CC-BY 2016)

 

New Perspectives in Italy and Worldwide

“At Greenbone, we are increasingly realizing how important our vulnerability management is for customers throughout Europe and how important it is for these customers to be able to communicate with us directly on site,” explains Chief Marketing Officer Elmar Geese. To meet this demand, Greenbone has established the Italian subsidiary OpenVAS S.R.L. At the same time, Greenbone is expanding into other regions. A new subsidiary in the Netherlands and an increased engagement in the Asian market are on the agenda.

We will not only be present at ITASEC with a booth, but will also contribute to the content: Dirk Boeing, Senior Consultant and cybersecurity expert at Greenbone, will speak on February 6th at 11:00 a.m. on the panel “Security Management in the NIS2 Era”.

Visit Us in Bologna!

The annual ITASEC takes place on the campus of the “Alma Mater Studiorum Università di Bologna”, the oldest university in Europe, which has been writing science history since 1088 – an ideal place for a conference dedicated to security in the digital future. The fair is organized by the CINI Cybersecurity National Lab, with a special focus in 2025 on the topic of security and rights in cyberspace. This is also reflected in the cooperation with the SERICS conference (Security and Rights in the Cyber Space), which is supported by the SERICS foundation as part of the almost 200 billion euro Italian „National Recovery and Resilience Plan“ (NRRP).

ITASEC at the University of Bologna offers an excellent opportunity to experience Greenbone live and learn more about our solutions. And this is just the beginning: in 2025 we will be in Italy, for example, at CyberSec Italia in Rome on March 5 and 6. And from March 18 to 19, Greenbone will be at the „Digitaler Staat“ congress in Berlin, and from March 19 at secIT in Hanover. We look forward to your visit!

Contact Test Now Buy Here Back to Overview

/by
Joseph Lee

Patch Now! Cleo Products Actively Exploited in Ransomware Attacks

An actively exploited RCE (Remote Code Execution) with system privileges vulnerability that does not require user-interaction is as bad as it gets from a technical standpoint. When that CVE impacts software widely used by Fortune 500 companies, it is a ticking time bomb. And when advanced persistent threat actors jump on a software vulnerability such as this, remediation needs to become an emergency response effort. Most recently, CVE-2024-50623 (also now tracked as CVE-2024-55956) affecting more than 4,200 users of Cleo’s MFT (Managed File Transfer) software met all these prerequisites for disaster. It has been implicated in active ransomware campaigns affecting several Fortune 500 companies taking center stage in cybersecurity news.

In this cybersecurity alert, we provide a timeline of events related to CVE-2024-50623 and CVE-2024-55956 and associated ransomware campaigns. Even if you are not using an affected product, this will give you valuable insight into the vulnerability lifecycle and the risks of third-party software supply chains. 

CVE-2024-50623 and CVE-2024-55956: a Timeline of Events

The vulnerability lifecycle is complex. You can review our previous article about next-gen vulnerability management for an in depth explanation on how this process happens. In this report, we will provide a timeline for the disclosure and resolution of CVE-2024-50623 and subsequently CVE-2024-55956 as a failed patch attempt from the software vendor Cleo was uncovered and exploited by ransomware operators. Our Greenbone Enterprise Feed includes detection modules for both CVEs [1][2], allowing organizations to identify vulnerable systems and apply emergency remediation. Here is a timeline of events so far:

  • October 28, 2024: CVE-2024-50623 (CVSS 10 Critical) affecting several Cleo MFT products was published by the vendor and a patched version 5.8.0.21 was
  • November 2024: CVE-2024-50623 was exploited for data exfiltration impacting at least 10 organizations globally including Blue Yonder, a supply chain management service used by Fortune 500 companies.
  • December 3, 2024: Security researchers at Huntress identified active exploitation of CVE-2024-50623 capable of bypassing the original patch (version 5.8.0.21).
  • December 8, 2024: Huntress observed a significant uptick in the rate of exploitation. This could be explained by the exploit code being sold in a Malware as a Service cyber crime business model or simply that the attackers had finished reconnaissance and launched a widespread campaign for maximum impact.
  • December 9, 2024: Active exploitation and proof-of-concept (PoC) exploit code was reported to the software vendor Cleo.
  • December 10, 2024: Cleo released a statement acknowledging the exploitability of their products despite security patches and issued additional mitigation guidance.
  • December 11, 2024: Wachtowr Labs released a detailed technical report describing how CVE-2024-50623 allows RCE via Arbitrary File Write [CWE-434]. Cleo updated their mitigation guidance and released a subsequent patch (version 5.8.0.24).
  • December 13, 2024: A new name, CVE-2024-55956 (CVSS 10 Critical), was issued for tracking this ongoing vulnerability, and CISA added the flaw to its Known Exploited Vulnerabilities (KEV) catalog, flagged for use in ransomware attacks.

Cleo Products Leveraged in Ransomware Attacks

The risk to global business posed by CVE-2024-50623 and CVE-2024-55956 is high. These two CVEs potentially impact more than 4,200 customers of Cleo LexiCom, a desktop-based client for communication with major trading networks, Cleo VLTrader, a server-level solution tailored for mid-enterprise organizations, and Cleo Harmony for large enterprises.

The CVEs have been used as initial access vectors in a recent ransomware campaign. The Termite ransomware operation [1][2] has been implicated in the exploitation of Blue Yonder, a Panasonic subsidiary in November 2024. Blue Yonder is a supply chain management platform used by large tech companies including Microsoft, Lenovo, and Western Digital, and roughly 3,000 other global enterprises across many industries; Bayer, DHL, and 7-Eleven to name a few. Downtime of Blue Yonder’s hosted service caused payroll disruptions for StarBucks. The Clop ransomware group has also claimed responsibility for recent successful ransomware attacks.

In the second stage of some breaches, attackers conducted Active Directory domain enumeration [DS0026], installed web-shells [T1505.003] for persistence [TA0003], and attempted to exfiltrate data [TA0010] from the victim’s network after gaining initial access via RCE. An in-depth technical description of the Termite ransomware’s architecture is also available.

Mitigating CVE-2024-50623 and CVE-2024-55956

Instances of Cleo products version 5.8.0.21 are still vulnerable to cyber attacks. The most recent patch, version 5.8.0.24 is required to mitigate exploitation. All users are urged to apply updates with urgency. Additional mitigation and best practices include disabling the autorun functionality in Cleo products, removing access from the Internet or using firewall rules to restrict access to only authorized IP addresses, and blocking the IP addresses of endpoints implicated in the attacks.

Summary

Cleo Harmony, VLTrader, and LexiCom prior to version 5.8.0.24 are under active exploitation due to critical RCE vulnerabilities (CVE-2024-50623 and CVE-2024-55956). These flaws have been the entry point for successful ransomware attacks against at least 10 organizations and impacting Fortune 500 companies. Greenbone provides detection for affected products and affected users are urged to apply patches and implement mitigation strategies, as attackers will certainly continue to leverage these exploits.

Contact Test Now Buy Here Back to Overview

/by
Greenbone AG

Greenbone Audits CIS Google Chrome Benchmarks

Web browsers are a primary gateway to business and consequently they are also a primary gateway for cyber attacks. Malware targeting browsers could gain direct unauthorized access to a target’s network and data or social engineer victims into providing sensitive information that gives the attacker unauthorized access, such as account credentials. In 2024, major browsers (Chrome, Firefox, and Safari) accounted for 59 Critical severity (CVSS3 ³ 9) and 256 High severity (CVSS3 between 7.0 and 8.9) vulnerabilities. 10 CVEs (Common Vulnerabilities and Exposures) in the trifecta were added to the KEV (Known Exploited Vulnerabilities) catalog of CISA (Cybersecurity & Infrastructure Security Agency). Browser security should therefore be top-of-mind for security teams.

In light of this, we are proud to announce the addition of CIS Google Chrome Benchmark v3.0.0 Level 1 auditing to our list of compliance capabilities. This latest feature allows our Enterprise feed subscribers to verify their Google Chrome configurations against the industry-leading CIS compliance framework of the CIS (Center for Internet Security). The new Google Chrome benchmark tests will sit among our other CIS controls in critical cybersecurity areas such as Apache, IIS, NGINX, MongoDB, Oracle, PostgreSQL, Windows and Linux [1] [2].

CIS Google Chrome Benchmark for Windows

The CIS Google Chrome Benchmark v3.0.0 Level 1 is now available in the Greenbone Enterprise Feed. It establishes a hardened configuration for the Chrome browser. For Windows, implementing the controls involves setting Windows registry keys to define Chrome’s security configuration. Continuous attestation is important because if modified at the user level Chrome becomes more vulnerable to data-leakage, social engineering attacks or other attack vectors.

Our Enterprise vulnerability feed uses compliance policies to run tests on target endpoints, verifying each requirement in the CIS benchmark through one or more dedicated vulnerability tests. These tests are grouped into scan configurations which can be used to create scan tasks that access groups of target systems to verify their security posture. When aligning with internal risk requirements or mandatory government policies, Greenbone has you covered.

The Importance of Browser Security

Much of the critical information flowing through the average organization is transmitted through the browser. The rise of a remote workforce and cloud-based web-applications means that web browsers are a primary interface for business activities. Not surprisingly, in the past few years, Internet browsers have been a hotbed for exploitation. National cybersecurity agencies such Germany’s BSI [3] [4], CISA [5] [6], and the Canadian Centre for Cyber Security [7] have all released advisories for addressing the risks posed by Internet browsers.

Browsers can be exploited via technical vulnerabilities and misconfigurations that could lead to remote code execution, theft of sensitive data and account takeover, but are also a conduit for social engineering attacks. Browser security must be addressed by implementing a hardened security profile and continuously attesting it and by regularly applying updates to combat any recently discovered vulnerabilities. Greenbone is able to detect known vulnerabilities for published CVEs in all major browsers and now with our latest CIS Google Chrome Benchmark certification, we can attest industry standard browser compliance.

How Does the CIS Google Chrome Benchmark Improve Browser Security?

Every CIS Benchmark is developed through a consensus review process that involves a global community of subject matter experts from diverse fields such as consulting, software development, auditing, compliance, security research, operations, government, and legal. This collaborative process is meant to ensure that the benchmarks are practical and data-driven and reflect real-world expertise. As such, CIS Benchmarks serve as a vital part of a robust cybersecurity program.

In general, CIS Benchmarks focus on secure technical configuration settings and should be used alongside essential cyber hygiene practices, such as monitoring and promptly patching vulnerabilities in operating systems, applications and libraries.

The CIS Google Chrome Benchmark defines security controls such as:

  • No domains can bypass scanning for dangerous resources such as phishing content and malware.
  • Strict verification of SSL/TLS certificates issued by websites.
  • Reducing Chrome’s overall attack surface by ensuring the latest updates are automatically applied periodically.
  • Chrome is configured to detect DNS interception which could potentially allow DNS hijacking.
  • Chrome and extensions cannot interact with other third party software.
  • Websites and browser extensions cannot abuse connections with media, the local file system or external devices such as Bluetooth, USB or media casting devices.
  • Only extensions from the Google Chrome Web Store can be installed.
  • All processes forked from the main Chrome process are stopped once the Chrome application has been closed.
  • SafeSites content filtering blocks links to adult content from search results.
  • Prevent importing insecure data such as auto-fill form data, default homepage or other configuration settings.
  • Ensuring that critical warnings cannot be suppressed.

Greenbone Is a CIS Consortium Member

As a member of the CIS consortium, Greenbone continues to enhance its CIS Benchmark scan configurations. All our CIS Benchmarks policies are aligned with CIS hardening guidelines and certified by CIS, ensuring maximum security for system audits. Also, Greenbone has added a new compliance view to the Greenbone Security Assistant (GSA) web-interface, streamlining the process for organizations seeking to remove security gaps from their infrastructure to prevent security breaches.

Summary

CIS Controls are critical for safeguarding systems and data by providing clear, actionable guidance on secure configurations. The CIS Google Chrome Benchmark is especially vital at the enterprise level, where browsers impact many forms of sensitive data. It’s exciting to announce that Greenbone is expanding the industry leading vulnerability detection capabilities with a new compliance scan: the CIS Google Chrome Benchmark v3.0.0 Level 1. With this certification, Greenbone continues to strengthen its position as a trusted ally in proactive cybersecurity. This latest feature reflects our dedication to advancing IT security and protecting against evolving cyber threats.

Contact Test Now Buy Here Back to Overview

/by
Greenbone AG

Greenbone 2024 Review: A Very Good Year with Growth Everywhere

Also in its 16th year, the Osnabrück-based expert and market leader in Open Source Vulnerability Management has kept growing, both in employees, customers, partners and last not least on this blog.

After doubling our workforce over the last two years, we at Greenbone are looking proudly at 143 employees, most of them work remotely. This growth brought about many new contributions, and of course many company events, unique development talks and a people lead concept with cross feedback as a major step forward in developing leadership culture. Inspired by happiness surveys, Greenbone will keep on growing and is a great employer. Have you applied yet?

Greenbone Threat Report

So, it’s no wonder that also this blog benefited from the growth and introduced a successful new format: Every month, we are now presenting with the Threat Report a monthly deep dive into the news and atrocities of vulnerability management, mitigation and new threats on the radar of our customers (and anybody interested in security). We started this series in March 2024 and have published 10 thorough blog reports so far. Find all of them here, and the last update here.

Endangered: Ivanti, Fortinet, Exchange, Confluence…

Apart from that, we could report on several crucial vulnerabilities. From Juniper and Ivanti to Fortinet, from problems in Microsoft Exchange and Sharepoint to Atlassians knowledge management Confluence: our experts provided helpful insights for nearly all customers.

Of course our blog reported on CrowdStrike and how it only took 62 minutes for a security provider to become a massive threat. We wrote about the never-ending dangers from Chinese hackers, DOS attacks, automated mass attacks, severe SSH key problems and featured in-depth analysis and papers, for example on the costs of cyber attacks.

Growing challenges: cyber threats and new legislation

In five blog posts we explained threat levels and specific vulnerability risks in branches affected hard by common vulnerabilities: For example, SMEs are investing more in security, Helsinki schools have been attacked and of course public administration networks are under special threat, as is practically anything in health care – says the BSI (Bundesamt für Sicherheit in der Informationstechnik), the German Federal Office for Information Security. Especially the latter two branches, not only among our customers, will also have benefited from the many posts we published on regulations – like CSAF (Common Security Advisory Framework) and the many updates on the slowly ongoing and interrupted (in Germany) progress of NIS2 (Network and Information Security).

All-year Topic NIS2

The NIS Directive in its second edition was a topic that has been and will be on the watchlist of Greenbone and our customers. Since the European Union decided on the second „Directive on Security of Network and Information Systems“ NIS, many member states have applied regulations that clarify how companies have to implement it. Only in Germany that took a little longer and – due to the fall of the government late in the year – has not been finished. Nevertheless, all the information and plans are available, there’s even a test from the BSI that allows you to check whether your networks are affected and need immediate action.

Greenbone Goes Green: ISO 14001

We wrote about sustainability and the great success Greenbone made with achieving the ISO 14001 certificate. Our CMO Elmar Geese shared his thoughts on the future of clouds and the breaking of their hype cycle. He also took part in a panel on artificial intelligence, and our products now integrate additional BSI basic and CIS guidelines to protect your office software.

New Products: Major Release 24.10, Greenbone Basic, Feed-Updates

But 2024 brought also many updates and news on our products: Greenbone’s vulnerability management got several improvements and updates, with a new video to explain vulnerability management in 12 minutes. In July, our new scan engine Notus received Support for Amazon’s Red-Hat-Linux variant dominating Amazon Web Services. Later in 2024 Greenbone both announced a new major version of its Enterprise Appliance (24.10) and a completely new product targeted at small and medium size businesses called “Greenbone Basic”. Ready to try?

But maybe you want to read about how Greenbone leads the competition of vulnerability scanners in our benchmark or find out what your Key Performance Indicators for vulnerability management products are.

Congresses and Events: Our Highlights of the Year 

If you want to meet us, you’ll find a growing amount of opportunities … worldwide, also showed in our blog: we also reported almost live from the other side of the globe, where Greenbone had a presence at the Singapore International Cyber Week. This conference was not only one of the major IT security events in Asia, but also one in a long list of business fairs that Greenbone attended: Public IT Security (PITS) in Berlin, the it-sa in Nuremberg or the Potsdam Conference for National Security are just a few to name.

Thank You and Happy Holidays!

So, obviously, also our 16th year was a good one, “a very good year” and thus we would like to take this opportunity to thank all customers, partners and the community again: Without your help none of this would be possible.

Thank you, happy holidays and a happy new year!

Contact Test Now Buy Here Back to Overview

/by
Markus Feilner

BSI: More Vulnerability Reports from Healthcare

There are health data attractive to attackers in hospitals, doctors’ offices, laboratories and consumers’ devices. The latest security report from the German BSI shows that stealing these data is increasingly becoming a main target of attackers and attacks.

For several years now, the “Network and Information Security Directive“ (NIS) and the KRITIS legislation has required German institutions in eleven sectors to apply stronger and more precise security measures, including reporting obligations, risk analyses and resilience plans. And this is already having its impact on the healthcare sector: according to a recent BSI study, the healthcare sector ranks second in terms of the number of reported data leaks in 2024 – showing clear evidence that now is the time to act.

Almost Every Fifth Incident Report from the Healthcare Sector

Of the 726 reports received by the BSI last year, a quarter came from the transport and traffic sector, while almost 20 % originated in the healthcare sector. Close behind: Energy (18.8 %), Finance and Insurance with 16.5 %, ranking fourth. The threat level is high, especially for hospitals and facilities – even if the reported figures should be treated with caution. Whether banks, for example, are just as motivated to report intrusions and failures as much as hospitals are, seems debatable.

On the other hand, the fact that healthcare data is only ranked eighth in the list of leaked data in the BSI report should not detract from the threat itself. For one thing, the leaked data are sorted according to frequency, and almost every more frequently leaked information also occurs in other contexts (possibly with the exception of social security numbers). However, payment data, names and addresses are information that is likely to be much more attractive to attackers than “naked” health data.

Provisions of the KRITIS Umbrella Law

Meanwhile, the cabinet of the German government launched the KRITIS umbrella law just before the end of the existing coalition. At the beginning of November, the details of the law were agreed, which is intended to act as a kind of protective umbrella over various sectors as an analogous complement to NIS2. It is not yet clear when the Bundestag will pass the law, but chances are high that it will.

According to these plans, the healthcare sector must also introduce operational resilience management, which includes setting up operational risk and crisis management, carrying out risk analyses and assessments, drawing up resilience plans and implementing suitable measures (technical, personnel and organizational) – all measured and organized with the help of Business Continuity Management Systems (BCMS) and Information Security Management Systems (ISMS).

BCMS and ISMS implementations are measured on the basis of maturity levels ( from 1 to 5; the higher, the better). In the BSI report mentioned above, their implementation in the healthcare sector is still mixed, as everywhere. Healthcare institutions are in the middle of the pack, most have implemented ISMS and BCMS, but only a few regularly check them for effectiveness or even improve them.

In the case of the mandatory systems for attack detection, most players have already started implementation and implemented the mandatory (Must) requirements, but only a small proportion have also established target (Should) requirements. Only a few have implemented a continuous improvement process.

Specific Threats in the Healthcare Sector

The same rules and experiences apply to hospitals, doctors’ surgeries and other institutions: For them, the IT security magazine CSO online reports 81 % more ransomware attacks in recent years, with over 91 percent of “malware-related security breaches” in 2024 involving ransomware. According to CSO, only “multi-factor authentication and detection and response technologies”, such as those offered by Greenbone with its vulnerability management, can protect against this. Clouds are not immune to this either: 53 % of administrators in the healthcare sector told CSO that they had “experienced a cloud-related data breach in the last year”. Furthermore, attackers are increasingly targeting websites, botnets, phishing campaigns, and the growing number of vulnerable IoT devices, both in the consumer sector and at the network edge.

Contact Test Now Buy Here Back to Overview

/by
Dirk Boeing

Innovation Meets Resonance: Greenbone Successful at SICW

The Singapore International Cyber Week (SICW) is one of the most important cybersecurity events worldwide. We were able to present our solutions to an international audience – and recieved great interest, inspiring discussions and valuable feedback. Three successful days in Singapore and an important step in strengthening our international presence!

Greenbone team and partners taking a group photo together at the stand at Singapore International Cyber Week 2024.

Since its launch, SICW has been bringing together leading companies, start-ups, government organizations and security authorities from around the world every year. The aim is to share knowledge, promote partnerships and present innovative solutions that meet the growing challenges in the field of cybersecurity. The event, organized by the Cyber Security Agency of Singapore (CSA), was launched in 2016 and has been held annually in Singapore ever since.

This year, Greenbone had the honor of being present at SICW as a technology partner of Huawei. During three exciting days, we presented our Enterprise Appliances to an international audience and were thrilled by the response.

Great Interest in Greenbone Solutions

We were overwhelmed by the positive feedback from visitors to our solutions – for us a strong signal that our cybersecurity solutions are also very important for the Asian market. In numerous discussions, we repeatedly noticed how great the interest is in a vulnerability scanner with excellent feed that focuses on the essentials while also allowing connection to other systems via its API.

VIP Visitors and Inspiring Talks

We were particularly pleased to welcome prominent personalities to our booth. A real highlight was the visit of John Tan, Commissioner of Cybersecurity and Chief Executive of the Cybersecurity Agency of Singapore. His interest and the numerous discussions with potential customers and partners have encouraged us to further expand our presence in Asia.

Conversation between stand visitors in front of the Greenbone display with world map and product information at SICW 2024.

Not entirely unexpected star of our appearance was “the Beast”, our company logo as a plush toy. It put a smile on the faces of many visitors to our stand and often served as a friendly icebreaker, facilitating lively and valuable discussions. 

Conclusion: Momentum for the Future

SICW was a great success for Greenbone. We were not only able to present our solutions to a broad audience, but also establish valuable connections and noticeably increase interest in the Asian market. The great popularity and high demand for our “Beast” shows that our brand is also very well received emotionally – and we look forward to continuing to build on this momentum.

Contact Test Now Buy Here Back to Overview

/by
Joseph Lee

Understanding CSAF 2.0 Stakeholders and Roles

The Common Security Advisory Framework (CSAF) is a framework for providing machine-readable security advisories following a standardized process to enable automated cybersecurity information sharing. Greenbone is continously working on the integration of technologies that leverage the CSAF 2.0 standard for automated cybersecurity advisories. For an introduction to CSAF 2.0 and how it supports next-generation vulnerability management, you can refer to our previous blog post.

In 2024, the NIST National Vulnerabilities Database (NVD) outage has disrupted the flow of critical cybersecurity intelligence to downstream consumers. This makes the decentralized CSAF 2.0 model increasingly relevant. The outage highlights the need for a decentralized cybersecurity intelligence framework for increased resilience against a single point of failure. Those who adopt CSAF 2.0, will be one step closer to a more reliable cybersecurity intelligence ecosystem.

Table of Contents

1. What We Will Cover in this Article
2. Who Are the CSAF Stakeholders?
2.1. Understanding Roles in the CSAF 2.0 Process
2.1.1. CSAF 2.0 Issuing Parties
2.1.1.1. Understanding the CSAF Publisher Role
2.1.1.2. Understanding the CSAF Provider Role
2.1.1.3. Understanding the CSAF Trusted-Provider Role
2.1.2. CSAF 2.0 Data Aggregators
2.1.2.1. Understanding the CSAF Lister Role
2.1.2.2. Understanding the CSAF Aggregator Role
3. Summary

1. What We Will Cover in this Article

This article will provide a detailed explanation of the various stakeholders and roles defined in the CSAF 2.0 specification. These roles govern the mechanisms of creating, disseminating and consuming security advisories within the CSAF 2.0 ecosystem. By understanding who the stakeholders of CSAF are and the standardized roles defined by the CSAF 2.0 framework, security practitioners can better realize how CSAF works, whether it can serve to benefit their organization and how to implement CSAF 2.0.

2. Who Are the CSAF Stakeholders?

At the highest level, the CSAF process has two primary stakeholder groups: upstream producers who create and supply cybersecurity advisories in the CSAF 2.0 document format and downstream consumers (end-users) who consume the advisories and apply the security information they contain.

Upstream producers are typically software product vendors (such as Cisco, Red Hat and Oracle) who are responsible for maintaining the security of their digital products and providing publicly available information about vulnerabilities. Upstream stakeholders also include independent security researchers and public entities that act as a source for cybersecurity intelligence such as the US Cybersecurity Intelligence and Security Agency (CISA) and the German Federal Office for Information Security (BSI).

Downstream consumers consist of private corporations who manage their own cybersecurity and Managed Security Service Providers (MSSPs), third-party entities that provide outsourced cybersecurity monitoring and management. The information contained in CSAF 2.0 documents is used downstream by IT security teams to identify vulnerabilities in their infrastructure and plan remediation and by C-level executives for assessing how IT risk could negatively impact operations.

Diagram of the CSAF 2.0 stakeholders: On the left, the upstream producers such as software vendors, authorities, and researchers; on the right, the downstream consumers such as CERTs, SOC teams, and security platforms – connected through the CSAF 2.0 advisory format.

The CSAF 2.0 standard defines specific roles for upstream producers that outline their participation in creating and disseminating advisory documents. Let’s examine those officially defined roles in more detail.

2.1. Understanding Roles in the CSAF 2.0 Process

CSAF 2.0 Roles are defined in Section 7.2. They are divided into two distinct groups: Issuing Parties (“Issuers”) and Data Aggregators (“Aggregators”). Issuers are directly involved in the creation of advisory documents. Aggregators collect those documents and distribute them to end-users, supporting automation for consumers. A single organization may fulfill the roles of both an Issuer and an Aggregator, however, these functions should operate as separate entities.  Obviously, organizations who act as upstream producers must also maintain their own cybersecurity. Therefore, they may also be a downstream consumer – ingesting CSAF 2.0 documents to support their own vulnerability management activities.

Diagram of the CSAF 2.0 upstream roles, showing the groups Issuing Parties (Producer, Provider, Trusted Provider) and Data Aggregators (Lister, Aggregator), who forward cybersecurity advisories to downstream consumers.

Next, let’s break down the specific responsibilities for CSAF 2.0 Issuing Parties and Data Aggregators.

2.1.1. CSAF 2.0 Issuing Parties

Issuing Parties are the origin of CSAF 2.0 cybersecurity advisories. However, Issuing Parties are not responsible for transmitting the documents to end-users. Issuing Parties are responsible for indicating if they do not want their advisories to be listed or mirrored by Data Aggregators. Also, CSAF 2.0 Issuing Parties can also act as Data Aggregators.

Here are explanations of each sub-role within the Issuing Parties group:

2.1.1.1. Understanding the CSAF Publisher Role

Publishers are typically organizations that discover and communicate advisories only on behalf of its own digital products. Publishers must satisfy requirements 1 to 4 in Section 7.1 of the CSAF 2.0 specification. This means issuing structured files with valid syntax and content that adhere to the CSAF 2.0 filename conventions described in Section 5.1 and ensuring that files are only available via encrypted TLS connections. Publishers must also make all advisories classified as TLP:WHITE publicly accessible.

Publishers must also have a publicly available provider-metadata.json document containing basic information about the organization, its CSAF 2.0 role status, and links to an OpenPGP public key used to digitally sign the provider-metadata.json document to verify its integrity. This information about the Publisher is used downstream by software apps that display the publisher’s advisories to end-users.

2.1.1.2. Understanding the CSAF Provider Role

Providers make CSAF 2.0 documents available to the broader community. In addition to meeting all the same requirements as a Publisher, a Provider must provide its provider-metadata.json file according to a standardized method (at least one of the requirements 8 to 10 from Section 7.1), employ standardized distribution for its advisories, and implement technical controls to restrict access to any advisory documents with a TLP:AMBER or TLP:RED status.

Providers must also choose to distribute documents in either a directory-based or the ROLIE-based method. Simply put, directory-based distribution makes advisory documents available in a normal directory path structure, while ROLIE (Resource-Oriented Lightweight Information Exchange) [RFC-8322] is a RESTful API protocol designed specifically for security automation, information publication, discovery and sharing.

If a Provider uses the ROLIE-based distribution, it must also satisfy requirements 15 to 17 from Section 7.1. Alternatively, if a Provider uses the directory-based distribution it must satisfy requirements 11 to 14 from Section 7.1.

2.1.1.3. Understanding the CSAF Trusted-Provider Role

Trusted-Providers are a special class of CSAF Providers who have established a high level of trust and reliability. They must adhere to stringent security and quality standards to ensure the integrity of the CSAF documents they issue.

In addition to meeting all the requirements of a CSAF Provider, Trusted-Providers must also satisfy the requirements 18 to 20 from Section 7.1 of the CSAF 2.0 specification. These requirements include providing a secure cryptographic hash and OpenPGP signature file for each CSAF document issued and ensuring the public part of the OpenPGP signing key is made publicly available.

2.1.2. CSAF 2.0 Data Aggregators

Data Aggregators focus on the collection and redistribution of CSAF documents. They act as a directory for CSAF 2.0 Issuers and their advisory documents and intermediary between Issuers and end-users. A single entity may act as both a CSAF Lister and Aggregator. Data Aggregators may choose which upstream Publishers’ advisories to list or collect and redistribute based on their customer’s needs.

Here are explanations of each sub-role in the Data Aggregator group:

2.1.2.1. Understanding the CSAF Lister Role

Listers gather CSAF documents from multiple CSAF Publishers and list them in a centralized location to facilitate retrieval. The purpose of a Lister is to act as a sort of directory for CSAF 2.0 advisories by consolidating URLs where CSAF documents can be accessed. No Lister is assumed to provide a complete set of all CSAF documents.

Listers must publish a valid aggregator.json file that lists at least two separate CSAF Provider entities and while a Lister may also act as an Issuing Party, it may not list mirrors pointing to a domain under its own control.

2.1.2.2. Understanding the CSAF Aggregator Role

The CSAF Aggregator role represents the final waypoint between published CSAF 2.0 advisory documents and the end-user. Aggregators provide a location where CSAF documents can be retrieved by an automated tool. Although Aggregators act as a consolidated source of cybersecurity advisories, comparable to NIST NVD or The MITRE Corporation’s CVE.org, CSAF 2.0 is a decentralized model as opposed to a centralized model. Aggregators are not required to offer a comprehensive list of CSAF documents from all Publishers. Also, Publishers may provide free access to their CSAF advisory feed, or operate as a paid service.

Similarly to Listers, Aggregators must make an aggregator.json file available publicly and CSAF documents from each mirrored Issuer must be placed in a separate dedicated folder along with the Issuer’s provider-metadata.json. Essentially, Aggregators must satisfy the requirements 1 to 6 and 21 to 23 from Section 7.1 of the CSAF 2.0 specification.

CSAF Aggregators are also responsible for ensuring that each mirrored CSAF document has a valid signature (requirement 19) and a secure cryptographic hash (requirement 18). If the Issuing Party does not provide these files, the Aggregator must generate them.

3. Summary

Understanding CSAF 2.0 stakeholders and roles is essential for ensuring proper implementation of CSAF 2.0 and to benefit from automated collection and consumption of critical cybersecurity information. The CSAF 2.0 specification defines two main stakeholder groups: upstream producers, responsible for creating cybersecurity advisories, and downstream consumers, who apply this information to enhance security. Roles within CSAF 2.0 include Issuing Parties, such as Publishers, Providers, and Trusted-Providers to who generate and distribute advisories, and Data Aggregators, like Listers and Aggregators, who collect and disseminate these advisories to end-users.

Members of each role must adhere to specific security controls that support the secure transmission of CSAF 2.0 documents, and the Traffic Light Protocol (TLP) governs how documents are authorized to be shared and the required access controls.

Contact Test Now Buy Here Back to Overview

/by
Joseph Lee

October 2024 Threat Report: Ransomware Rising Defenders Must Respond

October was European Cyber Security Month (ECSM) and International Cybersecurity Awareness month with the latter’s theme being “Secure Our World”. It’s safe to say that instilling best practices for online safety to individuals, businesses and critical infrastructure is mission critical in 2024. At Greenbone, in addition to our Enterprise vulnerability management products, we are happy to make enterprise grade IT security tools more accessible via our free Community Edition, Community Portal and vibrant Community Forum to discuss development, features and get support.

Our core message to cybersecurity decision makers is clear: To patch or not to patch isn’t a question. How to identify vulnerabilities and misconfigurations before an attacker can exploit them is. Being proactive is imperative; once identified, vulnerabilities must be prioritized and fixed. While alerts to active exploitation can support prioritization, waiting to act is unacceptable in high risk scenarios. Key performance indicators can help security teams and executive decision makers track progress quantitatively and highlight areas that need improvement.

In this month’s Threat Tracking blog post, we will review this year’s ransomware landscape including the root causes of ransomware attacks and replay some of the top cyber threats that emerged in October 2024.

International Efforts to Combat Ransomware Continue

The International Counter Ransomware Initiative (CRI), consisting of 68 countries and organizations (notably lacking Russia and China), convened in Washington, D.C., to improve ransomware resilience globally. The CRI aims to reduce global ransomware payments, improve incident reporting frameworks, strengthen partnerships with the cyber insurance industry to lessen the impact of ransomware incidents, and enhance resilience by establishing standards and best practices for both preventing and recovering from ransomware attacks.

Microsoft’s Digital Defense Report 2024 found the rate of attacks has increased so far in 2024, yet fewer breaches are reaching the encryption phase. The result is fewer victims paying ransom overall. Findings from Coveware, Kaseya, and the Chainanalysis blockchain monitoring firm also affirm lower rates of payout. Still, ransomware gangs are seeing record profits; more than 459 million US-Dollar were extorted during the first half of 2024. This year also saw a new single incident high; a 75 million US-Dollar extortion payout amid a trend towards “big game hunting” – targeting large firms rather than small and medium sized enterprises (SMEs).

What Is the Root Cause of Ransomware?

How are successful ransomware attacks succeeding in the first place? Root cause analyses can help: A 2024 Statista survey of organizations worldwide reports exploited software vulnerabilities are the leading root cause of successful ransomware attacks, implicated in 32% of successful attacks. The same survey ranked credential compromise the second-most common cause and malicious email (malspam and phishing attacks) third. Security experts from Symantec claim that exploitation of known vulnerabilities in public facing applications has become the primary initial access vector in ransomware attacks. Likewise, KnowBe4, a security awareness provider, ranked social engineering and unpatched software as the top root causes of ransomware.

These findings bring us back to our core message and highlight the importance of Greenbone’s industry leading core competency: helping defenders identify vulnerabilities lurking in their IT infrastructure so they can fix and close exploitable security gaps.

FortiJump: an Actively Exploited CVE in FortiManager

In late October 2024, Fortinet alerted its customers to a critical severity RCE vulnerability in FortiManager, the company’s flagship network security management solution. Dubbed “FortiJump” and tracked as CVE-2024-47575 (CVSS 9.8), the vulnerability is classified as “Missing Authentication for Critical Function” [CWE-306] in FortiManager’s fgfm daemon. Google’s Mandiant has retroactively searched logs and confirmed this vulnerability has been actively exploited since June 2024 and describes the situation as a mass exploitation scenario.

Another actively exploited vulnerability in Fortinet products, CVE-2024-23113 (CVSS 9.8) was also added to CISA’s KEV catalog during October. This time the culprit is an externally-controlled format string in FortiOS that could allow an attacker to execute unauthorized commands via specially crafted packets.

Greenbone is able to detect devices vulnerable to FortiJump, FortiOS devices susceptible to CVE-2024-23113 [1][2][3], and over 600 other flaws in Fortinet products.

Iranian Cyber Actors Serving Ransomware Threats

The FBI, CISA, NSA and other US and international security agencies issued a joint advisory warning of an ongoing Iranian-backed campaign targeting critical infrastructure networks particularly in healthcare, government, IT, engineering and energy sectors. Associated threat groups are attributed with ransomware attacks that primarily gain initial access by exploiting public facing services [T1190] such as VPNs. Other techniques used in the campaign include brute force attacks [T1110], password spraying [T1110.003], and MFA fatigue attacks.

The campaign is associated with exploitation of the following CVEs:

Greenbone can detect all CVEs referenced in the campaign advisories, providing defenders with visibility and the opportunity to mitigate risk. Furthermore, while not tracked as a CVE, preventing brute force and password spraying attacks is cybersecurity 101. While many authentication services do not natively offer brute force protection, add-on security products can be configured to impose a lockout time after repeated login failures. Greenbone can attest compliance with CIS security controls for Microsoft RDP including those that prevent brute-force and password spraying login attacks.

Finally, according to the EU’s Cyber Resilience Act’s (CRA), Annex I, Part I (2)(d), products with digital elements must “ensure protection from unauthorized access by appropriate control mechanisms”, including systems for authentication, identity and access management, and should also report any instances of unauthorized access. This implies that going forward the EU will eventually require all products to have built-in brute force protection rather than relying on third-party rate limiting tools such as fail2ban for Linux.

Unencrypted Cookies in F5 BIG-IP LTM Actively Exploited

CISA has observed that cyber threat actors are exploiting unencrypted persistent cookies on F5 BIG-IP Local Traffic Manager (LTM) systems. Once stolen, the cookies are used to identify other internal network devices which can further allow passive detection of vulnerabilities within a network. Similar to most web-applications, BIG-IP passes an  HTTP cookie between the client and server to track user sessions. The cookie, by default, is named BIGipServer<pool_name> and its value contains the encoded IP address and port of the destination server.

F5 BIG-IP is a network traffic management suite and LTM is the core module that provides load balancing and traffic distribution across servers. CISA advises organizations to ensure persistent cookies are encrypted. F5 offers guidance for setting up cookie encryption and a diagnostic tool, BIG-IP iHealth to detect unencrypted cookie persistence profiles.

While active exploitation increases the threat to organizations who have not remediated this weakness, the vulnerability has been known since early 2018.  Greenbone has included detection for this weakness since January 2018, allowing users to identify and close the security gap presented by unencrypted cookies in F5 BIG-IP LTM since its disclosure.

New High Risk Vulnerabilities in Palo Alto Expedition

Several new high risk vulnerabilities have been disclosed in Palo Alto’s Expedition, a migration tool designed to streamline the transition from third-party security configurations to Palo Alto’s PAN-OS. While not observed in active campaigns yet, two of the nine total CVEs assigned to Palo Alto in October were rated with EPSS scores in the top 98th percentile.  EPSS (Exploit Prediction Scoring System) is a machine learning prediction model that estimates the likelihood of a CVE being exploited in the wild within 30 days from the model prediction.

Here is a brief technical description of each CVE:

  • CVE-2024-9463 (CVSS 7.5, EPSS 91.34%): An OS command injection vulnerability in Palo Alto’s Expedition allows an unauthenticated attacker to run arbitrary OS commands as root in Expedition, resulting in disclosure of usernames, cleartext passwords, device configurations and device API keys of PAN-OS firewalls.
  • CVE-2024-9465 (CVSS 9.1, EPSS 73.86%): An SQL injection vulnerability in Palo Alto Networks Expedition allows an unauthenticated attacker to reveal sensitive database contents, such as password hashes, usernames, device configurations and device API keys. Once this information has been obtained, attackers can create and read arbitrary files on affected systems.

Four Critical CVEs in Mozilla Firefox: One Actively Exploited

As mentioned before on our Threat Tracking blog, browser security is critical for preventing initial access, especially for workstation devices. In October 2024, seven new critical severity and 19 other less critical vulnerabilities were disclosed in Mozilla Firefox < 131.0 and Thunderbird < 131.0.1. One of these, CVE-2024-9680, was observed being actively exploited against Tor network users and added to CISA’s known exploited catalog. Greenbone includes vulnerability tests to identify all affected Mozilla products.

The seven new critical severity disclosures are:

  • CVE-2024-9680 (CVSS 9.8): Attackers achieved unauthorized RCE in the content process by exploiting a Use-After-Free in Animation timelines. CVE-2024-9680 is being exploited in the wild.
  • CVE-2024-10468 (CVSS 9.8): Potential race conditions in IndexedDB allows memory corruption, leading to a potentially exploitable crash.
  • CVE-2024-9392 (CVSS 9.8): A compromised content process enables arbitrary loading of cross-origin pages.
  • CVE-2024-10467, CVE-2024-9401 and CVE-2024-9402 (CVSS 9.8): Memory safety bugs present in Firefox showed evidence of memory corruption. Security researchers presume that with enough effort some of these could have been exploited to run arbitrary code.
  • CVE-2024-10004 (CVSS 9.1): Opening an external link to an HTTP website when Firefox iOS was previously closed and had an HTTPS tab open could result in the padlock icon showing an HTTPS indicator incorrectly.

Summary

Our monthly Threat Tracking blog covers major cybersecurity trends and high-risk threats. Key insights for October 2024 include expanded efforts to counter ransomware internationally and the role proactive vulnerability management plays in preventing successful ransomware attacks. Other highlights include Fortinet and Palo Alto vulnerabilities actively exploited and updates on an Iranian-backed cyber attack campaign targeting public-facing services of critical infrastructure sector entities. Additionally, F5 BIG-IP LTM’s unencrypted cookie vulnerability, exploited for reconnaissance, and four new Mozilla Firefox vulnerabilities, one actively weaponized, underscore the need for vigilance.

Greenbone facilitates identification and remediation of these vulnerabilities and more, helping organizations enhance resilience against evolving cyber threats. Prioritizing rapid detection and timely patching remains crucial for mitigating risk.

Contact Test Now Buy Here Back to Overview

/by
Greenbone AG

Stop the Standstill: how Greenbone Helps Protect Against DoS Attacks

A DoS attack (Denial of Service) can mean a complete standstill: an important service fails, an application no longer responds or access to one’s own system is blocked. DoS attacks have a clear, destructive goal: to paralyze digital resources, preventing access to the legitimate users. The consequences of a DoS attack can be drastic: from downtime and business interruptions to financial losses and significant risks for the entire organization.

For several years, DoS attacks have been on the rise and have significantly impacted business, critical infrastructure and healthcare services. DoS attacks are also being leveraged in sophisticated cyber military campaigns and to extort victims into paying a ransom. What lies behind these attacks and how can you protect yourself?

Widening the Threat Landscape

With unauthorized access attackers may impose DoS by simply shutting down a system [T1529]. Otherwise, application logic flaws can allow a remote attacker to crash the system, or they may flood it with network traffic to exhaust its resources. Blocking account access [T1531], destroying data [T1485], or deploying ransomware [T1486] can further hinder system recovery [T1490] or distract defenders while other attacks take place. At the same time, disabled critical services increase vulnerability to further cyber attacks; if a virus scanner is stopped, malware can enter the network unimpeded; if backup services are down, full recovery from ransomware may be impossible.

DoS Attacks Often Leverage Known Weaknesses

DoS attacks often exploit weaknesses in network protocol specifications, improper protocol implementations, faulty logic in software applications, or misconfigurations. Some software flaws that could allow DoS attacks include:

  • Uncontrolled resource consumption
  • Buffer overflows
  • Memory leaks
  • Improper error handling
  • Asymmetric resource consumption (amplification)
  • Failure to release a resource after use

When vulnerabilities such as these are discovered, vendors rush to issue patches. However, only users who install them are protected. By scanning network and host attack surfaces, IT security teams can be alerted to DoS and other types of vulnerabilities. Once alerted, defenders can act by applying updates or adjusting vulnerable configurations.

Types of DoS Attacks

DoS attacks may employ a variety of different techniques, such as flooding networks with excessive traffic, exploiting software vulnerabilities, or manipulating application-level functions. Understanding how DoS attacks work and their potential impact is crucial for organizations to develop comprehensive defense strategies and minimize the risk of such disruptions.

The main categories of DoS attacks include:

  • Volume Based DoS Attacks: Volume-based DoS attacks overwhelm the target’s network bandwidth or compute resources such as CPU and RAM with high volumes of traffic, rendering the network unable to fulfill its legitimate purpose.
  • Application and Protocol DoS Attacks: These attacks target vulnerabilities within software applications or network protocols, which may reside at any layer of the protocol stack. Attackers exploit flaws in a protocol specification, flawed application logic, or system configurations to destabilize or crash the target.
  • Amplification DoS Attacks: Amplification attacks exploit specific protocols that generate a response larger than the initial request. Attackers send small queries to the target which responds with large packets. This tactic significantly amplifies the impact to the victim as high as 100 times the initial request size.
  • Reflection DoS Attacks: The attacker sends a request to a service, but replaces the source IP address with the victim’s IP. The server then sends its response to the victim, “reflecting” the attacker’s forged requests. Reflection attacks typically rely on UDP (User Datagram Protocol) due to its connectionless nature. Unlike TCP, UDP-based services do not automatically verify the source IP address of data they receive.
  • Distributed DoS Attacks (DDoS): DDoS attacks leverage large groups of compromised devices (often called a botnet) to send overwhelming amounts of traffic to a target. Botnets consist of hacked web servers or SOHO (Small Office, Home Office) routers from all over the world and are controlled centrally by the threat actor. The distributed nature of DDoS attacks make them much harder to mitigate, as the malicious traffic comes from many different IP addresses. This makes it difficult to distinguish legitimate users and infeasible to block the botnet’s large number of unique IP addresses.

Using Greenbone Against System Breakdown

Government cybersecurity agencies from all NATO countries such as Germany, the US, and Canada urge vulnerability management as a top priority for defending against DoS attacks.  By scanning for known vulnerabilities, Greenbone helps close the door to DoS attacks and can identify when human error contributes to the problem by detecting known misconfigurations and CIS benchmark controls. Greenbone also updates its vulnerability tests daily to include detection for the latest vulnerabilities that can allow successful DoS attacks.

Greenbone includes the Denial of Service category of vulnerability tests and other test families also include DoS identification such as: database DoS tests, web application DoS tests, web server DoS tests, Windows DoS tests [1][2] and product specific DoS detection for many enterprise networking products such as Cisco, F5, Juniper Networks, Palo Alto and more. Using Greenbone to scan your networks and endpoints, you have access to over 4,900 tests capable of identifying exploitable DoS flaws.

Also, when Greenbone’s “Safe Checks” protection for a scan configuration is disabled, our scanner will conduct active attacks such as amplification DoS attacks. Since these tests present higher risk such as increased likelihood of service disruption, the Safe Checks feature is enabled by default, meaning this extended set of invasive scans are not conducted unless specifically configured to do so.

While no known cybersecurity mitigation can guarantee protection against all DoS attacks such as high volume DDoS attacks, the proactive identification and mitigation of known flaws removes the “low-hanging fruit” presented by exploitable services. By removing known vulnerabilities from its IT infrastructure, an organization can avoid becoming part of the problem as well – since hijacked IT assets are often used by attackers to conduct DDoS attacks against others.

Summary

Denial of Service (DoS) attacks aim to disrupt the availability of IT systems by overwhelming them with traffic or by exploiting known software vulnerabilities. Greenbone’s comprehensive vulnerability assessment solutions can identify potential entry points for DoS attacks, enabling organizations to strengthen their defenses and minimize their risk. By proactively managing vulnerabilities and employing continuous monitoring, Greenbone helps organizations to detect and mitigate the impact of potentially destructive DoS attacks.

Contact Test Now Buy Here Back to Overview

/by