Two security vulnerabilities in SharePoint – both from last year – are currently causing trouble for SharePoint administrators. Because attackers are increasingly exploiting a combination of the two vulnerabilities, the Cybersecurity and Infrastructure Security Agency (CISA) is now also issuing a warning. Affected customers of the Greenbone Enterprise Feed have been warned since June 2023.

Tracking-News: Critical Vulnerability in MS SharePoint

Remote Privilege Execution

The two vulnerabilities CVE-2023-29357 and CVE-2023-24955 together allow attackers to remotely gain administrator rights on a company’s SharePoint server. Details of the attack were published back in September 2023, following the Pwn2Own 2023 conference in Vancouver, and can be found on the Singapore-based Starlabs blog, for example.

Massive attacks have now led to CISA recently issuing a warning about these vulnerabilities and including CVE-2023-29357 in its catalog of known exploited vulnerabilities. However, Greenbone has already had authenticated version checks for both CVEs since around June 2023 and an active check for CVE-2023-29357 since October 2023. Customers of the enterprise products have been receiving these CVEs as a threat for several months – in authenticated and unauthenticated scan mode.

Microsoft advises its customers on its website to update to the SharePoint Server 2019 release of June 13, 2023 (KB5002402), which fixes five critical vulnerabilities, including the first CVE mentioned by CISA. Furthermore, all administrators should enable the Antimalware Scan Interface (AMSI) and activate Microsoft Defender on the SharePoint server. Otherwise, attackers could bypass authentication with forged authentication tokens and gain administrator rights.

Recognising and detecting vulnerabilities in the company at an early stage is important, as the many reports of damaging vulnerabilities show. Greenbone products can take on a lot of this work and ensure security – as a hardware or virtual appliance or as a cloud service. The Greenbone Enterprise Feed, which feeds all Greenbone security products, receives daily updates and therefore covers a high percentage of risks.

CVE-2023-46604 Intelligence Summary

Enterprise | CVSS 9.8

Apache ActiveMQ is vulnerable to a CVSS 9.8 high-severity remote code execution (RCE) vulnerability tracked as CVE-2023-46604 that leverages deserialization of untrusted data [CWE-502] in the OpenWire protocol. The Apache ActiveMQ message broker can be exploited remotely [T1210] to execute arbitrary shell commands at the privilege level of the ActiveMQ process [T1068]. CISA added CVE-2023-46604 to its actively exploited catalog on November 2nd, and exploitation is considered to be of trivial complexity. Attacks leveraging CVE-2023-46604 have included ransomware deployment consistent with the HelloKitty and TellYouThePass ransomware variants and Kinsing cryptomining malware. Greenbone added detection for CVE-2023-46604 to the Enterprise vulnerability feed on November 7th, 2023.

The Apache ActiveMQ broker service uses the OpenWire protocol for language-agnostic communication between software components or systems, on port 61616 by default. The exploit works by manipulating serialized class types to cause the broker to instantiate any class on the classpath. Serialization (or marshalling) is the process of converting data objects (such as functions, classes, or arrays) into an encoded format for transmission over a network or for storage and later use. Deserialization (or unmarshalling) is the reverse process, whereby the serialized data is reconstructed into the representation used by a programming language – in this case Java.

ActiveMQ is built on the Spring Java Framework. CVE-2023-46604 is exploited by specifying the `ClassPathXmlApplicationContext` class for the type of data to be unmarshalled. The `ClassPathXmlApplicationContext` class will fetch a remote XML file, allowing the attacker to specify their own malicious XML hosted anywhere on the Internet to be imported. The malicious XML file can include system commands to be called via the `java.lang.ProcessBuilder.start` function. Rapid7 has posted the most detailed technical analysis on how CVE-2023-46604 can be exploited for RCE.

Mitigating CVE-2023-46604

Several proof-of-concept (PoC) exploits for CVE-2023-46604 [1][2][3] are publicly available, as well as a Metasploit module, which makes the exploitation of an estimated 3,000 vulnerable Apache ActiveMQ servers highly probable and increases the urgency of remediation.

Several versions of Apache ActiveMQ, ActiveMQ Artemis, and the Apache ActiveMQ Legacy OpenWire Module are affected. Users are strongly urged to upgrade affected brokers and clients to the fixed versions 5.15.16, 5.16.7, 5.17.6, 5.18.3, or later. Patched versions were released in late October 2023, and ActiveMQ version 6.0.0 was released on November 17th.

Although there is no alternative workaround for preventing exploitation of CVE-2023-46604 in ActiveMQ itself, firewall rules may be used to allow only trusted brokers and clients and to block access from untrusted IP addresses.
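The upgrade advice above amounts to a branch-aware version comparison, which is also what an authenticated version check does. The following is an added example (not Greenbone’s VT code or Apache’s): it encodes the fixed releases named above (5.15.16, 5.16.7, 5.17.6, 5.18.3, and 6.0.0), treats every release older than 5.15.16 as affected, and leaves Artemis out of scope because its affected ranges are not listed here. Hostnames and versions in the sample inventory are constructed.

```python
"""Branch-aware version check for CVE-2023-46604 in Apache ActiveMQ (added example)."""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# First fixed release on each maintained 5.x branch, taken from the advisory text.
FIXED_BY_BRANCH: Dict[Tuple[int, int], Version] = {
    (5, 15): (5, 15, 16),
    (5, 16): (5, 16, 7),
    (5, 17): (5, 17, 6),
    (5, 18): (5, 18, 3),
}
# Oldest fixed release overall: every release below it is affected, whatever the branch.
OLDEST_FIX: Version = (5, 15, 16)
# The 6.x line shipped fixed from its first release.
FIRST_FIXED_MAJOR: Version = (6, 0, 0)


def parse_version(text: str) -> Optional[Version]:
    """Extract major.minor.patch from a version string or service banner.

    Accepts forms such as '5.18.2', 'ActiveMQ/5.17.5' or '5.16.7-SNAPSHOT';
    returns None when no x.y.z triple is present.
    """
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        return None
    major, minor, patch = (int(part) for part in m.groups())
    return (major, minor, patch)


def is_vulnerable(version: str) -> Optional[bool]:
    """True if this ActiveMQ version is affected by CVE-2023-46604, False if fixed.

    Returns None when the version cannot be parsed or belongs to a 5.x branch
    not covered by the table, so an unknown build is never silently treated as safe.
    """
    v = parse_version(version)
    if v is None:
        return None
    if v >= FIRST_FIXED_MAJOR:
        return False
    if v < OLDEST_FIX:
        return True
    fixed = FIXED_BY_BRANCH.get((v[0], v[1]))
    if fixed is None:
        return None
    return v < fixed


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Sort an inventory {host: version_string} into vulnerable / fixed / unknown."""
    result: Dict[str, List[str]] = {"vulnerable": [], "fixed": [], "unknown": []}
    for host, ver in sorted(inventory.items()):
        state = is_vulnerable(ver)
        if state is None:
            result["unknown"].append(host)
        elif state:
            result["vulnerable"].append(host)
        else:
            result["fixed"].append(host)
    return result


# Constructed sample inventory; hostnames and versions are made up for the example.
SAMPLE_INVENTORY = {
    "mq-prod-1": "5.18.2",            # one patch level short of 5.18.3
    "mq-prod-2": "5.18.3",            # fixed
    "mq-legacy": "ActiveMQ/5.15.15",  # banner form, below the oldest fix
    "mq-old-lts": "5.16.7",           # fixed on the 5.16 branch
    "mq-new": "6.0.0",                # new major line, fixed
    "mq-unknown": "unknown build",    # unparseable, reported rather than assumed safe
}

if __name__ == "__main__":
    for state, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{state:10s} {', '.join(hosts) or '-'}")
```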

What Is A “Message Broker” Anyway?

Message brokers (also known as message queue brokers or “MQs”) are software services that facilitate the exchange of messages between different processes on the same system or between different systems. These message queues allow “senders” and “receivers” to operate asynchronously, and thus independently, and also enable the creation of interconnected software systems across a distributed IT architecture. There are many popular MQs available.

Greenbone OpenVAS Democratizes Cybersecurity In Galicia

The global cyber threat landscape is increasingly challenging organizations around the world to be proactive about cybersecurity. According to Bitkom, the total sum of all IT-related crime will cost Germany 206 billion euros ($224 billion) in 2023. Globally, the costs of a single data breach are equally staggering. An adequate response requires more cybersecurity talent and more efficient use of existing cybersecurity talent. Here is a story of how Greenbone’s open-source approach impacts the interplay of these factors by democratizing cybersecurity, distributing the burden of cybersecurity solution development, and improving the value proposition for organizations seeking to defend their operations from cyber attacks.

Investing in Small and Medium-sized Enterprises (SMEs) that deliver cybersecurity products – especially those that deliver open-source solutions – is a multifaceted value proposition that smashes the glass ceiling for organizations of all sizes caught in the crosshairs of cybersecurity risk.

Galicia Adopts Greenbone’s OpenVAS For Its Value Proposition

Innovation has a perfect ally in technology and in the companies that develop it. Hence the importance of projects like OpenVAS developed here at Greenbone AG.

Considering the need for cyber R&D, talent growth, and investment, it’s no surprise that Galicia’s Núñez Feijóo has invested in the new Research and Innovation Strategies for Smart Specialisations (RIS3) and has chosen Greenbone’s foundational OpenVAS vulnerability management solution. The GaiásTech Center of the Agency for Technological Modernization of Galicia (Amtega) champions this proposal that democratizes cybersecurity and has recently published the new OpenVAS cloud application on its web platform GaiásTech Cloud, for businesses and users to evaluate the cybersecurity posture of publicly accessible IT infrastructure.

Galicia’s investment makes essential tools available for burgeoning EU businesses, enabling more sustainable growth across diverse industries. Furthermore, this investment cultivates exportable cybersecurity capabilities, enriching the national economy and bolstering national security, while underscoring the imperative of innovation in combating the ongoing cybersecurity crisis.

OpenVAS is first and foremost a vulnerability scanning engine that executes vulnerability tests against targeted IT infrastructure to detect security weaknesses that a cyber attacker could exploit to gain unauthorized access. Vulnerability scanning with OpenVAS represents a proactive approach to security. The results of a vulnerability scan give all stakeholders an attestation that software updates and security patches have been applied and that existing system configurations are hardened against attack.

Aligning these investments with the Research and Innovation Strategies for Smart Specialization (RIS3) framework is prudent, recognizing the global need, including within the EU, to synchronize cybersecurity capabilities with the risks posed by rapid technological advancement, digitization, and the increasing technologization of critical infrastructure. RIS3 represents a structured model for strategic investment, enabling nations and regions to harness their unique strengths in advancing cybersecurity readiness and resilience.

How Does OpenVAS Democratize Cybersecurity?

In a broad sense, “democratizing” something, such as cybersecurity, means making it more accessible, inclusive, and equitable to a larger and more diverse group of people or organizations. It involves breaking down barriers and providing opportunities for broader participation, understanding, and empowerment in that particular domain.

The most obvious contribution that the Open Vulnerability Assessment System (aka OpenVAS) makes to democratizing cybersecurity is signaled by the word “Open” in its name, which refers to the project’s open-source development model. The concept of open-source software has been around since the 1980s, when MIT’s Richard Stallman launched the GNU Project to develop a complete Unix-like operating system composed entirely of free and open-source software, which users could use, modify, and distribute freely. However, the term “open source software” and the practical advantages of the open-source development model didn’t emerge until 1998 through the works of Eric S. Raymond and Bruce Perens. Greenbone’s OpenVAS and related tools are released under various open-source licenses, including the GNU General Public License (GPL) version 2 and the Open Database License (ODbL) version 1.

Here we can seek to understand the particular nuanced ways that open-source software supports the democratization of cybersecurity:

  • Increased Accessibility To Cybersecurity Tools: Open source solutions ensure that cybersecurity resources, tools, and knowledge are readily available and accessible to a wide range of users, regardless of their technical expertise, financial resources, or geographic location. This enables individuals and smaller organizations, non-profit organizations, and underserved communities to protect themselves against cyber threats.

  • Community Involvement In Security-Minded Discourse: Encouraging community participation and collaboration in cybersecurity efforts is crucial. This includes fostering a culture of information sharing, crowdsourcing threat intelligence, and engaging in collaborative security initiatives and services to provide direct access to cybersecurity professionals of all levels of expertise and experience.

  • Education and Awareness: Democratizing cybersecurity involves educating and raising awareness among users about the importance of cybersecurity practices and hygiene. It empowers individuals and organizations with the knowledge to protect themselves.

  • Better Products Through Collaboration: Open source software and open standards often play a role in making cybersecurity technologies, standards, and information openly available for scrutiny and collaboration, and the products improve in this process.

  • Reducing Dependence: Reducing dependence on a single vendor or entity for cybersecurity solutions results in a more sustainable software ecosystem. This also fosters competition and choice, enabling users to select solutions that best meet their needs and preferences and gives them a solid foundation to start building their own custom solutions.

  • Global Reach: Democratizing cybersecurity recognizes that cyber threats are global and that solutions should be accessible and relevant to a global audience. It seeks to address cybersecurity challenges on a global scale.

  • Adaptability: Democratization involves adapting cybersecurity measures to different contexts and environments. This recognizes that one-size-fits-all solutions may not work for everyone and that those who require custom tools can draw from an existing repository of open-source software created by community efforts.

OpenVAS, being part of Greenbone’s broader open-source technology stack, represents a greater public value than the mere sum of its parts as a vulnerability management solution. Greenbone supports the democratization of cybersecurity in the following ways:

  • The source code building blocks of open-source software are publicly available for download and review by anyone, as opposed to a proprietary closed-source software product model where code is protected as a form of intellectual property. The development of OpenVAS contributes to a shareable economy of cybersecurity infrastructure that can be leveraged without the added costs of software licensing.

  • While Greenbone Enterprise Edition is available for larger organizations with a need for increased security assurances, Greenbone’s Community Edition provides a complete platform for vulnerability management free of charge.

Summary

The financial threat of cybercrime looms large, putting pressure on organizations to make more efficient use of their existing IT security talent and simultaneously grow the next generation of skilled IT security professionals. The need for more investment in cybersecurity research and development is an important ongoing factor that will ultimately determine the cyber-resilience of global organizations of all shapes and sizes. SMEs and organizations within marginalized groups will face the most difficulty in allocating an adequate budget for advanced cybersecurity defenses.

Also, as our societies continue to digitize, the risks to critical infrastructures, personal data, and business continuity affect everyone in society to some degree. It is therefore especially encouraging to see exemplary leaders such as Núñez Feijóo of Galicia taking measures to ensure not only a better IT security posture for themselves, but also supporting open source cybersecurity initiatives that foster a culture of democratization of IT security.

In the November 2023 Vulnerability Tracking Update, several critical vulnerabilities and security threats have come to light. Cisco’s Internetworking Operating System (IOS) XE Software Web User Interface (UI) was found to be vulnerable to two actively exploited critical vulnerabilities, allowing attackers to execute arbitrary code remotely. The curl command-line tool, widely used across various platforms, faced a serious vulnerability that could result in arbitrary code execution during SOCKS5 proxy handshakes. VMware is urging immediate updates for its vCenter Server due to a critical vulnerability potentially leading to remote code execution. Multiple vulnerabilities were found in versions of PHP 8; one is a particularly critical deserialization vulnerability in the PHAR extraction process. Additionally, SolarWinds Access Rights Manager (ARM) was found susceptible to multiple critical vulnerabilities, emphasizing the urgency to update to version 2023.2.1. Lastly, two F5 BIG-IP vulnerabilities were discovered to be actively exploited, with mitigation options available and outlined below.

Cisco IOS XE: Multiple Critical Vulnerabilities

Two actively exploited critical CVSS 10 vulnerabilities were discovered in Cisco’s Internetworking Operating System (IOS) XE Software Web User Interface (UI): CVE-2023-20198 and CVE-2023-20273. Combined, they allow an attacker to remotely execute arbitrary code as the system user and are estimated to have been used to exploit tens of thousands of vulnerable devices within the past few weeks. Greenbone has added detection both for the vulnerable product by version [1] and for the configuration file implanted by BadCandy [2]. Both VTs are included in Greenbone’s Enterprise vulnerability feed.

Cisco IOS was created in the 1980s and used as the embedded OS in the networking technology giant’s routers. Fast forward to 2023, IOS XE is a leading enterprise networking full-stack software solution that powers Cisco platforms for access, distribution, core, wireless, and WAN. IOS XE is Linux-based, and specially optimized for networking and IT infrastructure, routing, switching, network security, and management. Cisco devices are pervasive in global IT infrastructure and used by organizations of all sizes, including large-scale enterprises, government agencies, critical infrastructure, and educational institutions.

Here’s how the two recently disclosed CVEs work:

CVE-2023-20198 (CVSS 10 Critical): Allows a remote, unauthenticated attacker to create an account [T1136] on an affected system with privilege level 15 (aka privileged EXEC level) access [CWE-269]. Privilege level 15 is the highest level of access to Cisco IOS. The attacker can then use that account to gain control of the affected system.
CVE-2023-20273 (CVSS 7.2 High): A regular user logged into the IOS XE web UI can inject commands [CWE-77] that are subsequently executed on the underlying system with system (root) privileges. This vulnerability is caused by insufficient input validation [CWE-20]. This CVE is also associated with a Lua-based web-shell [T1505.003] implant dubbed “BadCandy”. BadCandy consists of an Nginx configuration file named `cisco_service.conf` that establishes a URI path to interact with the web-shell implant, but it requires the webserver to be restarted.

Cisco has released software updates for mitigating both CVEs in IOS XE software releases, including versions 17.9, 17.6, 17.3, and 16.12, as well as Software Maintenance Upgrades (SMUs); IT security teams are strongly advised to install them urgently. Cisco has also released associated indicators of compromise (IoC), Snort rules for detecting active attacks, and a TAC Technical FAQs page. Disabling the web UI prevents exploitation of these vulnerabilities and may be a suitable mitigation until affected devices can be upgraded. Publicly released proof of concept (PoC) code [1][2] and a Metasploit module further increase the urgency to apply the available security updates.

Critical Vulnerability In The Curl Tool

A widespread vulnerability has been discovered in the popular curl command line tool, libcurl, and the many software applications that leverage them across a wide number of platforms. Tracked as CVE-2023-38545 (CVSS 9.8 Critical), the flaw makes curl overflow a heap-based buffer [CWE-122] in the SOCKS5 proxy handshake, which can result in arbitrary code execution [T1203]. Greenbone’s community feed includes several NVTs [1] to detect many of the affected software products and will add additional detections for CVE-2023-38545 as more vulnerable products are identified.

CVE-2023-38545 is a client-side vulnerability exploitable when passing a hostname to the SOCKS5 proxy that exceeds the maximum length of 255 bytes. If supplied with an excessively long hostname, curl is supposed to use local name resolution and pass on only the resolved address. However, due to the CVE-2023-38545 flaw, curl may actually copy the overly long hostname into the target buffer instead of copying just the resolved address there. Because the target buffer is heap-allocated and the hostname comes from the URL, the result is a heap-based overflow.

While the severity of the vulnerability is considered high because it can be exploited remotely and has a high impact on the confidentiality, integrity, and availability (CIA) of the underlying system, the SOCKS5 proxy method is not the default connection mode and must be declared explicitly. Additionally, for an overflow to happen an attacker also needs to cause a slow enough SOCKS5 handshake to trigger the bug. All versions of curl from v7.69.0 (released March 4th, 2020) through v8.3.0 are affected. The vulnerable code was patched in v8.4.0 in commit 4a4b63daaa.

VMware vCenter Server: Multiple Vulnerabilities

CVE-2023-34048 is a critical severity vulnerability that could allow a malicious actor with network access to vCenter Server to cause an out-of-bounds write [CWE-787], potentially leading to remote code execution (RCE). The affected software includes VMware vCenter Server versions 6.5, 6.7, 7.0, and 8.0. The vCenter Server patch also fixes CVE-2023-34056, a medium-severity information disclosure resulting from improper authorization [CWE-285]. VMware has issued a security advisory to address both vulnerabilities, which states that there are no known mitigations other than installing the provided updates. Both vulnerabilities can be detected by Greenbone’s enterprise vulnerability feed [1].

Although there are no reports that CVE-2023-34048 is being actively exploited in the wild, attackers have proven adept at swiftly converting threat intelligence into exploit code. Research by Palo Alto Networks’ Unit 42 threat research group shows that on average an exploit is published 37 days after a security patch is released.

Here are some brief details on both CVEs:

CVE-2023-34048 (CVSS 9.8 Critical): vCenter Server contains an out-of-bounds write [CWE-787] vulnerability in the implementation of the DCERPC protocol. A malicious actor with network access to vCenter Server may trigger this vulnerability to achieve remote code execution (RCE). The Distributed Computing Environment Remote Procedure Call (DCERPC) protocol facilitates remote procedure calls (RPC) in distributed computing environments, allowing applications to communicate and invoke functions across networked systems.
CVE-2023-34056 (CVSS 4.3 Medium): vCenter Server contains a partial information disclosure vulnerability. A malicious actor with non-administrative privileges to vCenter Server may leverage this issue to access unauthorized data.

Multiple Vulnerabilities Discovered In PHP 8

Several vulnerabilities were identified in PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16, and 8.2.X before 8.2.3. Although the group of vulnerabilities does include one critical and two high-severity vulnerabilities, these require particular contexts to be present for exploitation: either PHP applications deserializing PHAR archives, or PHP’s core path resolution functions being used on untrusted input. Greenbone’s enterprise VT feed includes multiple detection tests for these vulnerabilities across multiple platforms.

Here are brief descriptions of the most severe recent PHP 8 vulnerabilities:

CVE-2023-3824 (CVSS 9.8 Critical): A PHAR file (short for PHP Archive) is a compressed packaging format in PHP, which is used to distribute and deploy complete PHP applications in a single archive file. While reading directory entries during the PHAR archive loading process, insufficient length checking may lead to a stack buffer overflow [CWE-121], potentially leading to memory corruption or remote code execution (RCE).
CVE-2023-0568 (CVSS 8.1 High): PHP’s core path resolution function allocates a buffer one byte too small. When resolving paths with lengths close to the system `MAXPATHLEN` setting, this may lead to the byte after the allocated buffer being overwritten with a NULL value, which might lead to unauthorized data access or modification. PHP’s core path resolution is used for the `realpath()` and `dirname()` functions, when including other files using `include()`, `include_once()`, `require()`, and `require_once()`, and during the process of resolving PHP’s “magic” constants such as `__FILE__` and `__DIR__`.
CVE-2023-0567 (CVSS 6.2 Medium): PHP’s `password_verify()` function may accept some invalid Blowfish hashes as valid. If such an invalid hash ever ends up in the password database, it may lead to an application allowing any password for this entry as valid [CWE-287]. Notably, this vulnerability has been assigned different CVSS scores by NIST (CVSS 6.2 Medium) and the PHP group CNA (CVSS 7.7 High), the difference being that the PHP Group CNA considers CVE-2023-0567 a high risk to confidentiality while NIST does not. CNAs are a group of independent vendors, researchers, open source software developers, CERT, hosted service, and bug bounty organizations authorized by the CVE Program to assign CVE IDs and publish CVE records within their own specific scopes of coverage.
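The CVE-2023-0567 risk described above only materializes if a malformed Blowfish (bcrypt) hash is already stored, so one defensive response is to audit the password table for hashes that are not well-formed. The following is an added example (not PHP’s or Greenbone’s code) that checks the bcrypt string format: prefix, two-digit cost, a 22-character salt and 31-character digest over bcrypt’s own base64 alphabet, and the padding-bit constraints on the final salt and digest characters. The sample rows are constructed; the first hash is the well-known PHP documentation example, the others are deliberately corrupted copies of it.

```python
"""Audit stored password hashes for malformed bcrypt strings (added example)."""
import re
from typing import List, Tuple

# bcrypt's own base64 alphabet (it is not the RFC 4648 alphabet).
BCRYPT_ALPHABET = "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"

# $2a$ / $2b$ / $2x$ / $2y$, two-digit cost, 22 salt chars, 31 digest chars: 60 chars total.
BCRYPT_RE = re.compile(r"^\$2[abxy]\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$")

# 16 salt bytes = 128 bits; the 22nd char carries only 2 payload bits (index % 16 == 0).
SALT_LAST_OK = "".join(c for i, c in enumerate(BCRYPT_ALPHABET) if i % 16 == 0)  # ".Oeu"
# 23 digest bytes = 184 bits; the 31st char carries only 4 payload bits (index % 4 == 0).
DIGEST_LAST_OK = "".join(c for i, c in enumerate(BCRYPT_ALPHABET) if i % 4 == 0)


def bcrypt_problems(stored: str) -> List[str]:
    """Return the reasons why `stored` is not a well-formed bcrypt hash.

    An empty list means the string is structurally valid. This is a format
    check only; it says nothing about the strength of the underlying password.
    """
    m = BCRYPT_RE.match(stored)
    if not m:
        # Wrong prefix or lengths, or a character outside bcrypt's alphabet
        # (for example '=', '+' or a stray space in the salt).
        return ["not of the form $2[abxy]$NN$<22 salt chars><31 digest chars> over bcrypt's alphabet"]
    cost, salt, digest = m.groups()
    problems: List[str] = []
    if not 4 <= int(cost) <= 31:
        problems.append(f"cost {cost} outside the valid range 04..31")
    if salt[-1] not in SALT_LAST_OK:
        problems.append("salt does not decode to exactly 16 bytes (invalid final char)")
    if digest[-1] not in DIGEST_LAST_OK:
        problems.append("digest does not decode to exactly 23 bytes (invalid final char)")
    return problems


def audit(rows: List[Tuple[str, str]]) -> List[Tuple[str, List[str]]]:
    """Return (username, problems) for every row whose stored hash is malformed."""
    findings = []
    for user, stored in rows:
        problems = bcrypt_problems(stored)
        if problems:
            findings.append((user, problems))
    return findings


# Constructed sample password table: (username, stored hash).
SAMPLE_ROWS = [
    ("alice", "$2y$10$TKh8H1.PfQx37YgCzwiKb.KjNyWgaHb9cbcoQgdIVFlYg7B77UdFm"),  # well-formed
    ("bob",   "$2y$10$TKh8H1.PfQx37YgCzwiKb=KjNyWgaHb9cbcoQgdIVFlYg7B77UdFm"),  # '=' is not in the alphabet
    ("carol", "$2y$10$TKh8H1.PfQx37YgCzwiKbAKjNyWgaHb9cbcoQgdIVFlYg7B77UdFm"),  # salt tail 'A' leaves stray bits
    ("dave",  "$2y$03$TKh8H1.PfQx37YgCzwiKb.KjNyWgaHb9cbcoQgdIVFlYg7B77UdFm"),  # cost 03 is below the minimum
]

if __name__ == "__main__":
    for user, problems in audit(SAMPLE_ROWS):
        print(f"{user}: {'; '.join(problems)}")
```

Accounts flagged by the audit should have their hashes regenerated with `password_hash()` at the next login rather than being patched in place.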

SolarWinds Access Rights Manager (ARM): Multiple Critical Vulnerabilities

SolarWinds Access Rights Manager (ARM) prior to version 2023.2.1 is affected by eight different vulnerabilities, including one critical and two high-severity issues (CVE-2023-35182, CVE-2023-35185, and CVE-2023-35187). These include authenticated and unauthenticated privilege escalation [CWE-269], directory traversal [CWE-22], and remote code execution (RCE) at the most privileged “SYSTEM” level. Greenbone’s Enterprise vulnerability feed includes both a local security check (LSC) [1] and remote HTTP detection [2].

SolarWinds ARM is an enterprise access control software for Windows Active Directory (AD) networks and other resources such as Windows File Servers, Microsoft Exchange services, and Microsoft SharePoint as well as virtualization environments, cloud services, NAS devices, and more. The widespread use of ARM and other SolarWinds software products means that its vulnerabilities have a high potential to impact a wide range of large organizations including critical infrastructure.

These and more recent vulnerabilities are disclosed in SolarWinds’ security advisories. Although no reports of active exploitation have been released, mitigation is highly recommended and available by installing SolarWinds ARM version 2023.2.1.

F5 BIG-IP: Unauthenticated RCE And Authenticated SQL Injection Vulnerabilities

Two RCE vulnerabilities in F5 BIG-IP, CVE-2023-46747 (CVSS 9.8 Critical) and CVE-2023-46748 (CVSS 8.8 High), have been observed by CISA to be actively exploited in the wild soon after PoC code was released for CVE-2023-46747. A Metasploit exploit module has also since been published. F5 BIG-IP is a family of hardware and software IT security products for ensuring that applications are always secure and perform the way they should. The platform is produced by F5 Networks, and it focuses on application services ranging from access and delivery to security. Greenbone has added detection for both CVEs [1][2].

CVE-2023-46747 is a remote authentication bypass [CWE-288] vulnerability while CVE-2023-46748 is a remote SQL injection vulnerability [CWE-89] that can only be exploited by an authenticated user. The affected products include the second minor release (X.1) for major versions 14-17 of BIG-IP Advanced Firewall Manager (AFM) and F5 Networks BIG-IP Application Security Manager (ASM).

If you are running an affected version, you can eliminate these vulnerabilities by installing the vendor-provided HOTFIX updates [1][2]. The term “hotfix” implies that the patch can be applied to a system while it is running and operational, without the need for a shutdown or reboot. If updating is not an option, CVE-2023-46747 can be mitigated by downloading and running a bash script that adds or updates the `requiredSecret` attribute in the Tomcat configuration, which is used for authentication between Apache and Tomcat. CVE-2023-46748 can be mitigated by restricting access to the Configuration utility to trusted networks or devices only, and by ensuring that only trusted user accounts exist, thereby limiting the attack surface.

We are pleased to announce another installment in our video series on learning Greenbone!

This time Joseph (@rippledj) will take you through Greenbone’s filters, providing a useful overview of filter functionalities. From the basic filter interface and report customization to understanding the power filter syntax and useful tips and tricks – this video will help you get started using this powerful feature or dig even deeper if you are a seasoned user!

Please note: Clicking on the video will open YouTube in a new tab.

Find the mentioned python-gvm documentation here: Python-gvm documentation

Enjoy honing your skills and stay safe!

CVE-2023-4863 and CVE-2023-5217 are two critical zero-click remote code execution (RCE) vulnerabilities in common image rendering libraries used by all Chromium-based web browsers as well as many other popular mobile and desktop applications. Both share the same CVSS score of 8.8. More specifically, CVE-2023-4863 is a vulnerability in the libwebp library while CVE-2023-5217 is a vulnerability in the libvpx library. Neither CVE-2023-4863 nor CVE-2023-5217 requires user interaction, and both are remote code execution (RCE) vulnerabilities that can be exploited when malicious content is supplied to any client application that uses the affected image processing libraries. In a typical attack a victim could simply visit a website that includes a malicious WebP image; otherwise these vulnerabilities may be used to target specific individuals directly via social media messages, phishing, or other social engineering techniques.

Both CVEs have been observed to be actively exploited in the wild and have been added to CISA’s Known Exploited Vulnerabilities Catalog. CVE-2023-4863 was first discovered and reported by Citizen Lab on September 9th, 2023. Dubbed BLASTPASS, the flaw was found to be actively used to infect devices with NSO Group’s infamous Pegasus spyware. Active exploitation greatly increases the risk associated with these vulnerabilities, and updates to all impacted software should be given the highest priority.

Scope Of Impact

The scope of impact for CVE-2023-4863 and CVE-2023-5217 includes any applications or other resources that rely on libwebp (for the WebP image format) or libvpx (for the VP8 and VP9 video codecs used in WebM). Both CVEs are client-side vulnerabilities, meaning that the end user of an affected application is at risk of being exploited when exposed to malicious content (such as a malicious website). The use of the WebP and WebM formats is not unique to Chrome or even to web browsers but is incorporated in many other applications across all major OS platforms including Windows, macOS, and Linux, so the use of libwebp and libvpx is widespread throughout the digital media ecosystem.

Examples of technologies that are confirmed to be impacted include:

A Complete Attack Trajectory and Associated ATT&CK TTP

These two vulnerabilities have all the prerequisites to be classified as high severity. They are considered “zero-click”, meaning that an attacker does not need to use sophisticated social engineering techniques to exploit them. These flaws can be exploited when a victim simply visits a website that hosts a malicious WebP resource, making a watering hole attack a very viable infection path. However, individuals may also be targeted with social engineering contexts enticing them to open malicious links or files.

MITRE ATT&CK TTP of the exploit chain are:

  • Drive-By Compromise [T1189]: Adversaries may gain access to a system through a user visiting a website over the normal course of browsing. Unlike Exploit Public-Facing Application [T1190], the focus of this technique is to exploit software on a client endpoint upon visiting a website.
  • Shared Modules [T1129]: Adversaries may execute malicious payloads via loading shared modules.
  • Exploitation for Client Execution [T1203]: Adversaries may exploit software vulnerabilities in client applications to execute code.
  • Command and Control [TA0011]: Attackers control a system within a victim network to remotely execute arbitrary commands, import additional malware tools, and avoid detection.

MITRE Common Weakness Enumeration (CWE) references include:

  • Out-of-bounds Write [CWE-787]: Writing data past the end, or before the beginning, of the intended memory buffer.
  • Stack-based Buffer Overflow [CWE-121]: A buffer overflow in which the buffer being overwritten is allocated on the stack.
  • Heap-based Buffer Overflow [CWE-122]: A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory.

After initial infection, the attack trajectory depends on the nature of the attacker-supplied code that is executed. Initially attackers will leverage the run-time permission context of the exploited application to download and install a second-stage malware payload with more advanced capabilities and to establish remote command and control (C2).  If the attacker successfully gains C2, they will seek to establish persistence, meaning their malware will be loaded every time the infected system reboots, and attempt to escalate privileges, enumerate the local network, move laterally to higher value targets, and execute on objectives.

The final stage objectives also depend heavily on the particular goals of the threat actor but typically include stealing sensitive data [TA0010] such as account credentials [TA0006] to be cracked offline [T1110.002] and subsequently used for account takeover, importing and executing ransomware [T1486] and demanding payment for a decryptor, or installing a rootkit [T1014] to maintain persistence [TA0003] and covert spyware.

What is VP8 encoding?

VP8 is a video codec developed as an open and royalty-free alternative to proprietary codecs like H.264. The Internet Engineering Task Force (IETF) published the VP8 Data Format and Decoding Guide as RFC 6386 in November 2011. The codec itself was developed by On2 Technologies. Google acquired On2 Technologies in February 2010, and later open-sourced VP8 as part of the WebM project. The VP8 video codec is widely used for web video, real-time communication (WebRTC), and various other applications. The libvpx library is a cross-platform, open-source software library that provides an implementation of the VP8 and VP9 video codecs.
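The container that consumers of both libraries handle is simple enough to validate before any decoding takes place. The following Python script is an added example, not libwebp, libvpx or Greenbone code: it walks the RIFF/WebP container, checks every chunk length against the real buffer size, and reads the image dimensions from the VP8 key-frame, VP8L or VP8X header. The two sample files are constructed inline; the second one carries a chunk length field that claims more bytes than exist, which is exactly the kind of inconsistency a gatekeeper should reject before handing data to a real decoder. Function names and the `check` verdict format are my own choices.

```python
import struct


class WebPFormatError(ValueError):
    """Raised when the container's own size fields are inconsistent."""


def _vp8l_dims(payload):
    # VP8L: signature 0x2F, then LE32 with 14-bit width-1, 14-bit height-1,
    # 1 alpha bit and 3 version bits.
    if len(payload) < 5 or payload[0] != 0x2F:
        raise WebPFormatError("bad VP8L signature")
    bits = struct.unpack("<I", payload[1:5])[0]
    return (bits & 0x3FFF) + 1, ((bits >> 14) & 0x3FFF) + 1


def _vp8_dims(payload):
    # VP8 key frame: 3-byte frame tag (bit 0 == 0 for a key frame), start code
    # 9D 01 2A, then LE16 width and LE16 height (low 14 bits each).
    if len(payload) < 10:
        raise WebPFormatError("VP8 header truncated")
    if payload[0] & 1:
        raise WebPFormatError("first VP8 frame must be a key frame")
    if payload[3:6] != b"\x9d\x01\x2a":
        raise WebPFormatError("missing VP8 start code")
    width, height = struct.unpack("<HH", payload[6:10])
    return width & 0x3FFF, height & 0x3FFF


def _vp8x_dims(payload):
    # VP8X: flags byte, 3 reserved bytes, 24-bit width-1, 24-bit height-1.
    if len(payload) < 10:
        raise WebPFormatError("VP8X header truncated")
    return (int.from_bytes(payload[4:7], "little") + 1,
            int.from_bytes(payload[7:10], "little") + 1)


def parse_webp(data):
    """Walk the RIFF container; return chunk list and image dimensions."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"WEBP":
        raise WebPFormatError("not a RIFF/WEBP file")
    riff_size = struct.unpack("<I", data[4:8])[0]
    # The RIFF size covers everything after the 8-byte RIFF header and must
    # not claim more bytes than the buffer actually holds.
    if riff_size < 4 or riff_size + 8 > len(data):
        raise WebPFormatError("RIFF size exceeds file length")
    end, pos, chunks, dims = 8 + riff_size, 12, [], None
    while pos < end:
        if pos + 8 > end:
            raise WebPFormatError("chunk header truncated")
        fourcc = data[pos:pos + 4]
        size = struct.unpack("<I", data[pos + 4:pos + 8])[0]
        start = pos + 8
        if size > end - start:  # the bounds check a decoder must not skip
            raise WebPFormatError(f"chunk {fourcc!r} overruns container")
        payload = data[start:start + size]
        chunks.append((fourcc.decode("ascii", "replace"), size))
        if dims is None and fourcc == b"VP8L":
            dims = _vp8l_dims(payload)
        elif dims is None and fourcc == b"VP8 ":
            dims = _vp8_dims(payload)
        elif dims is None and fourcc == b"VP8X":
            dims = _vp8x_dims(payload)
        pos = start + size + (size & 1)  # chunk payloads are padded to even
    if dims is None:
        raise WebPFormatError("no VP8/VP8L/VP8X header found")
    return {"chunks": chunks, "width": dims[0], "height": dims[1]}


def build_riff(chunks):
    """Assemble a RIFF/WEBP file from (fourcc, payload) pairs (for samples)."""
    body = b"WEBP"
    for fourcc, payload in chunks:
        body += fourcc + struct.pack("<I", len(payload)) + payload
        if len(payload) & 1:
            body += b"\x00"
    return b"RIFF" + struct.pack("<I", len(body)) + body


def check(data):
    """Gatekeeper verdict: 'ok WxH' or 'reject: <reason>', without decoding."""
    try:
        info = parse_webp(data)
    except WebPFormatError as exc:
        return f"reject: {exc}"
    return f"ok {info['width']}x{info['height']}"


# Constructed sample: a 16x8 VP8L header with no pixel data behind it.
GOOD_VP8L = build_riff([(b"VP8L", b"\x2f" + struct.pack("<I", 15 | (7 << 14)))])

# Constructed sample: same bytes, but the chunk length field claims 4096
# bytes that do not exist; trusting it means reading past the buffer.
BAD_LENGTH = GOOD_VP8L[:16] + struct.pack("<I", 4096) + GOOD_VP8L[20:]

if __name__ == "__main__":
    print(check(GOOD_VP8L))   # ok 16x8
    print(check(BAD_LENGTH))  # reject: chunk b'VP8L' overruns container
```

The point of the walker is the single comparison `size > end - start`: the declared chunk length is never used to slice or allocate until it has been checked against the bytes actually present. A pre-filter like this does not replace patching libwebp, but it rejects structurally inconsistent files before they reach a decoder at all.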

Summary

CVE-2023-4863 and CVE-2023-5217 are actively exploited client-side, zero-click, remote code execution (RCE) vulnerabilities in widely-used image rendering libraries. Rated with CVSS 8.8 critical severity, they impact all Chromium-based web browsers and numerous desktop and mobile applications. As of October 27th, 2023, security updates are currently at various stages of being prepared.

CVE-2023-4863 resides in the libwebp library, while CVE-2023-5217 is linked to libvpx and they allow attackers to achieve zero-click RCE by providing malicious WebM formatted video or WebP formatted image content to a vulnerable application on a victim’s device.

Victims may encounter these threats by visiting compromised websites or opening other malicious content such as images or videos. Security teams should assess their organization’s degree of exposure to CVE-2023-4863 and CVE-2023-5217 and apply updates as soon as they become available.

Introduction to the Vulnerability Tracking Update!

Welcome to the first Greenbone Vulnerability Tracking blog post! This series of blog posts will summarize the most important new vulnerability tests (VTs) added to the Greenbone community and enterprise vulnerability feeds. The blog series will provide updates about new vulnerability detection capabilities that have been added to Greenbone’s community and enterprise vulnerability feeds and support the learning curve into cybersecurity vulnerability management (VM).

That being said, let’s dive into some recent events making waves in the global threat landscape!

Summary

In October 2023, several high-severity vulnerabilities in the QNAP Turbo NAS System were exposed, rendering many QNAP products vulnerable, and a DoS attack dubbed the “Rapid Reset Attack” was identified in many implementations of the HTTP/2 protocol. The amplification magnitude of the HTTP/2 DoS vulnerability was evidenced by record-breaking DDoS attacks against CloudFlare and Google.

Google Chrome is again the subject of multiple high-severity vulnerabilities, building upon those previously identified in CVE-2023-4863 and CVE-2023-5217. Finally, Greenbone’s VTs can also detect several new vulnerabilities in the WordPress core and several plugins. WordPress users are encouraged to adopt proactive security practices such as enabling automatic updates and only implementing plugins that have a broad user base and receive regular updates.

Greenbone’s vulnerability feed includes detection for all items discussed in this report as well as over 160,000 other vulnerabilities in total. IT security teams are urged to conduct regular vulnerability scanning for all assets and update any impacted systems according to the appropriate mitigation methods.

Multiple Vulnerabilities In QNAP OS

Three days after the publication of the vulnerabilities, Greenbone released detection for CVE-2023-32974, CVE-2023-32970, and CVE-2023-32973. These all impact “QTS” (QNAP Turbo NAS System), a proprietary Linux-based operating system developed by QNAP Systems, Inc., which is the embedded OS in the company’s Network-Attached Storage (NAS) devices. The Greenbone community vulnerability feed now includes vulnerability tests to address CVE-2023-32974, CVE-2023-32970, and CVE-2023-32973 [1][2][3][4][5].

QNAP has released security updates for:

  • QTS 5.0.1.2425 build 20230609 and later

  • QTS 4.5.4.2467 build 20230718 and later

  • QuTS hero h5.1.0.2424 build 20230609 and later

  • QuTS hero h4.5.4.2476 build 20230728 and later

  • QuTScloud c5.1.0.2498 and later

Here is a summary of each vulnerability:

  • CVE-2023-32974 (CVSS 7.5 High): A path traversal vulnerability [CWE-22] affecting several versions of QTS can be triggered remotely via a network connection adding to the severity of its impact. “Path traversal” vulnerabilities are typically caused by improperly sanitized input allowing an attacker to supply malicious input that references resources outside of the intended scope, potentially leading to unauthorized data access or execution of malicious code.

  • CVE-2023-32970 (CVSS 4.9 Medium): A NULL pointer dereference [CWE-476] vulnerability affecting several versions of QTS. If exploited, the vulnerability could allow authenticated administrators to launch a denial-of-service (DoS) attack remotely. QNAP Enterprise Storage (QES) is not affected.

  • CVE-2023-32973 (CVSS 7.2 High): A buffer copy without checking the size of input [CWE-120] vulnerability has been reported for several versions of QTS. The vulnerability could allow authenticated administrators to execute arbitrary code via a network connection.

QNAP has published mitigation advisories QSA-23-42 and QSA-23-41 with instructions for installing the available firmware updates. Those using QNAP products built with the QTS operating system, as well as the QuTS hero cloud NAS solution or QuTScloud should update their systems as soon as possible.

The HTTP/2 “Rapid Reset Attack” Emerges

Several unrelated DoS vulnerabilities [T1464] were identified and disclosed in the HTTP/2 application layer protocol. HTTP/2 makes up about 65% of internet traffic, while less than 10% still uses HTTP/1 and the newer HTTP/3 makes up almost 25%. The weakness in HTTP/2 was disclosed by Internet WAF provider CloudFlare, which claims to have mitigated a record-breaking DDoS attack exceeding 201 million requests per second (RPS). For context, the entire Internet handles between 1 and 3 billion requests per second.

CloudFlare named the attack “Rapid Reset Attack”. The attack works by leveraging a sizable botnet to abuse HTTP/2’s stream cancellation feature, continuously sending requests and then immediately cancelling them. HTTP/2’s stream multiplexing feature allows a single connection to manage multiple concurrent streams without requiring an individual connection for each request. The Rapid Reset Attack leverages this multiplexing feature to open many parallel streams within a single round trip, triggering the target server to start an equivalent number of parallel processes and imposing a high resource cost. The attacker then quickly issues a large number of RST_STREAM frames to cancel all the requested streams, also within a single round trip, and repeats the process.

While the size of the botnet required to carry out the attack depends on the target’s resources, the Rapid Reset Attack is considered to be a substantial improvement over other known forms of amplification DoS attacks. The vulnerability is tracked as CVE-2023-44487 allowing various software vendors to reference it in any mitigation advisories or security patches.

Here are CVE references to the HTTP/2 Rapid Reset CVE and two other previously disclosed HTTP/2 DoS vulnerabilities that were recently added to Greenbone’s detection NVTs:

  • CVE-2023-44487 aka “HTTP/2 Rapid Reset Attack” (CVSS 7.5 High): The HTTP/2 protocol allows a denial of service (DoS) due to server resource consumption because request cancellation can quickly reset multiple streams at once. CVE-2023-44487 has been observed being actively exploited during August and October 2023.

  • CVE-2020-11080 (CVSS 7.5 High): nghttp2, a C library implementing the HTTP/2 and HTTP/3 protocols, is vulnerable to an attack that leverages an overly large HTTP/2 SETTINGS frame to achieve DoS. Versions of nghttp2 before 1.41.0 are vulnerable. A proof-of-concept attack is reportedly available which induces a CPU spike reaching 100% consumption. The vulnerability exploits [CWE-400] “Uncontrolled Resource Consumption” and [CWE-707] “Improper Neutralization”. nghttp2 v1.41.0 fixes this vulnerability, and a workaround is available for those who cannot update: implement the `nghttp2_on_frame_recv_callback` callback, and if the received frame is a SETTINGS frame with a large number of settings entries (e.g., > 32), drop the connection.

  • CVE-2023-36478 (CVSS 7.5 High): In versions 11.0.0 through 11.0.15, 10.0.0 through 10.0.15, and 9.0.0 through 9.4.52 of Eclipse Jetty, an integer overflow [CWE-190] in `MetaDataBuilder.checkSize` allows for HTTP/2 HPACK header values to exceed their size limit. Although there are no known workarounds, the issue has been fixed in versions 11.0.16, 10.0.16, and 9.4.53.
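Both server-side mitigations described above, the nghttp2 workaround for CVE-2020-11080 (count the entries in a SETTINGS frame) and the common defence against CVE-2023-44487 (watch how many streams a client opens and then immediately resets), come down to inspecting the frames a client sends on one connection. The following Python script is an added example, not nghttp2, CloudFlare or Greenbone code: it parses the 9-byte HTTP/2 frame header, applies both checks, and returns a verdict for constructed sample traffic. The threshold of 32 SETTINGS entries comes from the advisory text quoted above; `MAX_RESET_RATIO` and `MIN_STREAMS_TO_JUDGE` are assumptions chosen for the demonstration, as are all function and sample names.

```python
import struct

# HTTP/2 frame types (RFC 9113) and flags used here
HEADERS, RST_STREAM, SETTINGS = 0x1, 0x3, 0x4
FLAG_ACK = 0x1
FLAG_END_STREAM, FLAG_END_HEADERS = 0x1, 0x4
CANCEL = 0x8                     # RST_STREAM error code a cancelling client sends

MAX_SETTINGS_ENTRIES = 32        # threshold quoted in the nghttp2 advisory
MAX_RESET_RATIO = 0.5            # assumption: more than half of opened streams reset
MIN_STREAMS_TO_JUDGE = 20        # assumption: do not judge a connection on a tiny sample


def build_frame(ftype, flags, stream_id, payload=b""):
    """Serialize one frame: 24-bit length, type, flags, 31-bit stream id."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + struct.pack(">I", stream_id & 0x7FFFFFFF) + payload)


def iter_frames(buf):
    """Yield (type, flags, stream_id, payload) for each frame in buf."""
    pos = 0
    while pos < len(buf):
        if pos + 9 > len(buf):
            raise ValueError("truncated frame header")
        length = int.from_bytes(buf[pos:pos + 3], "big")
        ftype, flags = buf[pos + 3], buf[pos + 4]
        stream_id = struct.unpack(">I", buf[pos + 5:pos + 9])[0] & 0x7FFFFFFF
        payload = buf[pos + 9:pos + 9 + length]
        if len(payload) != length:
            raise ValueError("truncated frame payload")
        yield ftype, flags, stream_id, payload
        pos += 9 + length


def inspect_connection(buf):
    """Apply both checks to the frames one client sent on a connection."""
    opened, resets, findings = set(), 0, []
    for ftype, flags, sid, payload in iter_frames(buf):
        if ftype == SETTINGS:
            if flags & FLAG_ACK:          # an ACK must carry no entries
                if payload:
                    findings.append("SETTINGS ACK with payload")
                continue
            if len(payload) % 6:          # each entry is a 16-bit id + 32-bit value
                findings.append("SETTINGS length not a multiple of 6")
            entries = len(payload) // 6
            if entries > MAX_SETTINGS_ENTRIES:
                findings.append(f"oversized SETTINGS frame ({entries} entries)")
        elif ftype == HEADERS:
            opened.add(sid)
        elif ftype == RST_STREAM and sid in opened:
            resets += 1                   # client cancelled a stream it opened
    ratio = resets / len(opened) if opened else 0.0
    if len(opened) >= MIN_STREAMS_TO_JUDGE and ratio > MAX_RESET_RATIO:
        findings.append(f"rapid reset pattern ({resets}/{len(opened)} streams reset)")
    return {"streams_opened": len(opened), "client_resets": resets,
            "reset_ratio": ratio, "findings": findings,
            "drop_connection": bool(findings)}


# Constructed samples. The HEADERS payload is a one-byte HPACK block
# (indexed ':method: GET'); the RST_STREAM payload is the CANCEL error code.
def _request(sid):
    return build_frame(HEADERS, FLAG_END_HEADERS | FLAG_END_STREAM, sid, b"\x82")


def _cancel(sid):
    return build_frame(RST_STREAM, 0, sid, struct.pack(">I", CANCEL))


SETTINGS_OK = build_frame(SETTINGS, 0, 0, struct.pack(">HI", 0x3, 100))

# Normal client: 25 requests on odd stream ids, two of them cancelled.
BENIGN = SETTINGS_OK + b"".join(_request(2 * i + 1) for i in range(25)) + _cancel(1) + _cancel(3)

# Rapid Reset shape: every stream is cancelled right after it is opened.
RAPID_RESET = SETTINGS_OK + b"".join(_request(2 * i + 1) + _cancel(2 * i + 1) for i in range(100))

# CVE-2020-11080 shape: a single SETTINGS frame carrying 40 entries.
BIG_SETTINGS = build_frame(SETTINGS, 0, 0, struct.pack(">HI", 0x3, 100) * 40)

if __name__ == "__main__":
    for name, sample in [("benign", BENIGN), ("rapid-reset", RAPID_RESET), ("big-settings", BIG_SETTINGS)]:
        print(name, inspect_connection(sample))
```

A real server evaluates the reset ratio incrementally as frames arrive rather than over a finished buffer, but the accounting is the same: a few cancellations from a user hitting "stop" stay well below the threshold, while a client that resets nearly every stream it opens is dropped before its cancelled streams consume further resources.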

How Is HTTP/3 Different Than HTTP/2?

HTTP/3 was published in 2022 and uses the QUIC protocol, which runs on top of UDP instead of TCP. This differs from HTTP/1 and HTTP/2, which both use TCP as the transport layer protocol. HTTP/3 is enabled on over one-quarter of all websites and is at least partially supported by most web browsers.

HTTP/3 has lower latency due to QUIC’s ability to initialize an encrypted connection using fewer round trips than TCP, and it also leverages multiplexing, allowing a single connection to relay multiple streams of data simultaneously. Nevertheless, Google believes that HTTP/3 is not susceptible to the Rapid Reset Attack.

More High Severity Vulnerabilities In Chromium

The Chromium browser engine is again subject to a significant set of vulnerabilities in close succession to CVE-2023-4863 and CVE-2023-5217. The additional disclosures include several high-severity CVSS 8.8 CVEs that impact any Chromium-based browsers earlier than version 118.0.5993.70 across all OS platforms including Google Chrome, Microsoft Edge, Opera, and others.

This most recent group of vulnerabilities spans a wide range of components in Chrome. The most severe were found in Chrome’s Site Isolation feature, its Blink rendering engine, and the Chromium PDF renderer. All allow a remote attacker to execute arbitrary code by supplying a victim with specially crafted resources such as a malicious HTML web page or PDF file.

These vulnerabilities do not grant an attacker elevated privileges, and exploitation requires at least a minimal form of user interaction, which prevents them from receiving the highest possible CVSS score of 10. The less severe vulnerabilities disclosed in the group range from CVSS 6.5 to 4.3, classifying them as medium severity. Their technical impacts range from letting an attacker spoof the security UI of the browser to gaining access to limited information.

Here are the specific details of each associated CVE:

  • CVE-2023-5218 (CVSS 8.8 High): Use after free [CWE-416] in Site Isolation allows a remote attacker to potentially exploit heap corruption via a crafted HTML page. Site Isolation is a security feature designed to prevent cross-site data leaks that exploit vulnerabilities in modern processors such as Spectre and Meltdown by isolating each browser tab into its own system process.

  • CVE-2023-5476 (CVSS 8.8 High): Use after free [CWE-416] in Blink History allows a remote attacker to potentially exploit heap corruption via a crafted HTML page. Microsoft is tracking this vulnerability as CVE-2023-4074. Blink is a critical component of the Chromium browser engine responsible for rendering web pages and displaying content on the screen.

  • CVE-2023-5474 (CVSS 8.8 High): Heap buffer overflow [CWE-122] in Chrome’s PDF rendering engine allows a remote attacker to execute arbitrary commands on a victim’s computer via a maliciously crafted PDF file [T1204.002] opened in the browser.

  • CVE-2023-5487 (CVSS 6.5 Medium): Inappropriate implementation in full-screen allows an attacker who convinced a user to install a malicious extension to bypass navigation restrictions via a crafted Chrome Extension.

  • CVE-2023-5484, CVE-2023-5483, CVE-2023-5481, and CVE-2023-5486 (CVSS 6.5 – 4.3 Medium): Inappropriate implementation in Navigation allows a remote attacker to spoof the security UI via a crafted HTML page. These security UI elements typically include visual cues or warnings displayed in the web browser to help users assess the trustworthiness of a website such as the SSL/TLS certificate validation icon, information about the website’s identity such as the organization’s name or the website’s verified identity, and the contents of the URL bar.

  • CVE-2023-5479 (CVSS 6.5 Medium): Inappropriate implementation in Extensions API allows an attacker who convinced a user to install a malicious extension [T1204] to bypass an enterprise policy [CWE-284] via a crafted HTML page.

  • CVE-2023-5485 (CVSS 4.3 Medium): Inappropriate implementation in Autofill allows a remote attacker to bypass autofill restrictions via a crafted HTML page.

  • CVE-2023-5478 (CVSS 4.3 Medium): Inappropriate implementation in Autofill allows a remote attacker to leak cross-origin data [CWE-200] via a crafted HTML page.

  • CVE-2023-5477 (CVSS 4.3 Medium): Inappropriate implementation in the installer allows a local attacker to bypass discretionary access control [CWE-284] via a crafted command.

  • CVE-2023-5473 (CVSS 4.3 Medium): Use after free [CWE-416] in Cast in Google Chrome allows a remote attacker who had compromised the renderer process to potentially exploit heap corruption [CWE-122] via a crafted HTML page [T1204.001].

How Can Zero-Day Browser Vulnerabilities Be Mitigated?

Browser client-based attacks are especially hard to avoid because accessing internet resources is so fundamental to business operations and daily life. Browser isolation is a virtualization technology that helps increase security when handling web-based content. Browser isolation is designed to prevent attackers from gaining initial access to a device through browser-based vulnerabilities such as the ones mentioned above. Fundamentally, browser isolation sandboxes web browsers so that they operate within a controlled environment, shielding the user’s underlying device and OS from being accessed by malicious web content [T1611] including zero-day vulnerabilities.

Browser isolation comes in two primary forms: process-level isolation and remote browser isolation (RBI). Process-level isolation creates isolated containers for each browsing session, preventing a compromise in one session from affecting others or the underlying host system. RBI goes a step further by running the browser application on a remote server and using a remote desktop protocol like VNC or RDP to relay the rendered web content and let users interact seamlessly. RBI solutions allow the browser to look and operate in the same way as a browser installed locally.

A New Round Of WordPress Vulnerabilities

Greenbone has also added detection for several new CVEs that impact all versions of WordPress up to version 6.3.2. The exploits in WordPress core reported by WordPress security vendor WordFence were called the “most significant security fixes we’ve seen in a while”.

The release of WordPress core 6.3.2 fixes arbitrary shortcode execution resulting from improper input validation [CWE-20]. The WordFence Intelligence Database has added an extensive list of shortcode-related vulnerabilities. Several XSS vulnerabilities were also patched that allow attackers to execute client-side attacks via specially crafted URLs. Greenbone has added detection for the missing security updates [1][2].

The issues reported include:

  • Potential disclosure [CWE-200] of user email addresses

  • Remote code execution (RCE) [CWE-94] POP Chains vulnerability

  • Cross-site scripting (XSS) [CWE-725] issue in the post-link navigation block

  • Comments on private posts could be leaked to other users [CWE-200]

  • A way for low-privileged logged-in users to execute any shortcode [CWE-78]

  • XSS vulnerability [CWE-725] in the application password screen

  • XSS vulnerability [CWE-725] in the footnotes block

  • Cache poisoning [CAPEC-14

Whenever possible it is a good idea to enable automatic WordPress updates and avoid the use of unnecessary plugins or those that represent a high potential for security risk. In general, plugins that have a high number of total installations and regularly receive updates are better choices than less popular or unmaintained plugins.

Hello! Joseph from the Greenbone community walks you through getting started using the Greenbone Community Edition vulnerability scanner.
In this video you’ll be logging in and starting a first scan, using the scan wizard to scan a local network IP and go over basic scan report formatting and other features.

If you still need to install the Greenbone Community Edition, we recommend using our Docker container; the video here shows you how to install it.

Do you have any questions or comments? The best place to reach us is at our community forum here: https://forum.greenbone.net/ and happy scanning!

We are very happy to share the first video of the Greenbone Community series, as Joseph from the Greenbone Community walks you through the process of installing the Greenbone Community Edition using Docker containers.

Do you have questions or comments? Please let us know at the Greenbone Community Forum or on the Fediverse/Mastodon at greenbone.social

If you’d like the documentation to follow along with the video, it’s located here on GitHub.

This article is the first of three blogposts about the changing threat landscape in professional environments. “Ransomware as a Service” as a business model has powerful implications for enterprises, which are by no means defenseless. Modern vulnerability management, which Greenbone’s products enable, also plays an important role in this context.

Numbers 2020 – Increase, Revenue, Costs

They are called DarkSide, REvil, Dharma, Egregor, Maze, LockBit or Thanos. Even Emotet is currently celebrating an unpleasant comeback: ransomware attacks are increasing worldwide, seemingly unchecked. Their intensity is also growing massively: REvil and DarkSide paralyzed the Bank of Scotland and an important pipeline on the US East Coast. In Germany, government agencies, hospitals, and entire counties are suffering from ransomware attacks.

Ransomware is malware that encrypts a system and only enables access to the data again if the victim pays a ransom. Common distribution channels for ransomware are spam mails, phishing and drive-by exploits. The latter take advantage of vulnerabilities in browsers, browser plug-ins, operating systems and network services.

Almost all successful attacks on IT infrastructures in recent years can be traced back to this type of attacker, who works very differently from the cyber criminals of previous decades. The threat scenario has changed: ransomware is now created and operated by professional operations that work for profit and at least as efficiently as the companies and organizations they target. Faced with the new threat, the latter need to rethink how they protect their infrastructures.

According to vendors, one important reason for the great success of ransomware is the increasing spread of cloud infrastructures. On the one hand, attackers use cloud services themselves; on the other hand, they benefit from the larger attack surface that companies offer, even more so in the age of home office. Another reason is a lack of updates or incorrect configurations in corporate IT. Both causes increase the probability of success for attackers. However, resources are very unevenly distributed: in recent years, a global and highly professional industry has established itself that offers cloud services for cyber criminals – “Ransomware as a Service” (RaaS).

From “Software as a Service” to “Ransomware as a Service”

The concept of “Software as a Service” (SaaS), i.e., IT services from the cloud without purchasing software and charging for them only according to use, has proven itself for several decades. Well-known SaaS providers include Slack, Salesforce and WordPress. Major software companies such as Microsoft with Microsoft 365 and Adobe with Adobe Creative Cloud now also offer SaaS versions of their products. Greenbone’s cloud service also works according to this model. The advantages of the service lie in its scalability, flexibility, high IT security, and the strict rules of European data protection, especially if hosting takes place in German data centers, as is also the case with the Greenbone Cloud Service.

By 2020 at the latest, the trend also reached the darknet and the ransomware hacker market. With the SaaS business model in the background, attackers infiltrate local networks, encrypt data and demand a ransom from the victim. RaaS is now using the SaaS model to deliver malware and extort money more efficiently and cost-effectively.

Over 60 % of all known ransomware attacks in 2020 have already been attributed to RaaS models, a highly competitive but growing market. 15 new RaaS providers are reported to have joined in 2020. The business model is clear: the customers, i.e. potential hackers or attackers, no longer need any technical skills, there are discount promotions and professional services. All of this makes RaaS increasingly attractive to cyber criminals and obviously works because countless inadequately protected infrastructures are open to them.

The number of total ransomware attacks increased by nearly 500 percent in 2020. Two-thirds of these are attributable to RaaS offerings, with the trend continuing to rise in 2021 [1]. Attackers made an estimated $20 billion in revenue from ransomware in 2020, up from just over $11 billion in 2019 [2]. RaaS offerings are available to hackers starting at $40/month. Those who want more service can also invest thousands of dollars [3].

The average cost for affected companies to clean up after a ransomware attack has doubled during 2020 and is typically ten times the ransom demanded. These in turn averaged between $ 200,000 and $ 300,000 in 2020 [4]. Whether a corporation or a small business, the demands are usually the same, because not every attack has to be successful. As with spam, mass is decisive.

“Ransomware as a Service” as a Business Model

The business model of “Ransomware as a Service” is comprehensively and clearly explained by websites like AppKnox: RaaS organizations rent software and IT infrastructures operated by and at an external IT service company. Cyber criminals lease them as a service to attack and extort businesses or individuals. RaaS developers and providers are legally on the safe side, as they “only” provide the infrastructure and are thus not responsible for the attack. Today, anyone can book and launch RaaS attacks and cause considerable damage to companies, authorities or private individuals.

There are four common RaaS business models behind this:

  • Monthly payment (subscription model)
  • Partner programs, in addition to the subscription model there are profit-sharing schemes
  • One-time license fee
  • Profit sharing only

No matter which model users choose, some RaaS companies make it very easy: go to the darknet, log in, create an account, choose a model, pay with Bitcoin if necessary, distribute malware and wait for success.

For the money invested, you get an enterprise-level service. A typical product not only includes the ransomware code and the keys to encrypt and decrypt it, but also provides the appropriate phishing e-mails to launch an attack, good documentation and 24/7 support. Billing, monitoring, updates and status reports, calculation and forecasts regarding an income-expense statement are also taken care of.

Potential Victims Are by no Means Helpless

Despite the professionalism, companies and authorities do not have to stand idly by. Although they now face other attackers, they are by no means powerless or helpless.

The FBI regularly warns against giving in to extortionists’ demands, especially in the case of organized crime and certainly in the case of ransomware. Without preparation, the only remaining options are an expensive, lengthy rebuild or an attempt to crack the encryption. It is better to be prepared instead.

Companies can protect themselves with a few simple measures and consistent adherence to best practices. Backups, in different locations and separate from day-to-day operations, protect data. Two-factor authentication hampers attackers who could get passwords. Strong passwords should be standard practice today, as should smart network segmentation. Planning, incident response and recovery plans must be in place and tested regularly. Automation, monitoring and regular training of employees regarding IT security (e.g. phishing emails) are a must. Automation is of particular importance within IT, because attacks sometimes occur so quickly that human reactions come to nothing.

The basis for all these measures is provided by endpoint protection solutions and professional vulnerability management. Knowledge of the vulnerabilities and weaknesses in one’s own networks is worth a fortune here. Admins identify the gaps in their IT defenses and close them before cyber criminals can abuse them – with Greenbone solutions continuously and automatically.

Greenbone products continuously scan the corporate network or external IT resources for potential vulnerabilities. The specially hardened Greenbone Enterprise Appliances or the Greenbone Cloud Service, available as Software as a Service and hosted in German data centers, guarantee daily updates on the latest vulnerabilities. Admins and IT management are informed immediately, if necessary, when threatening security vulnerabilities are revealed. In this way, companies are also well prepared if “Ransomware as a Service” as a business model continues to grow.

[1] https://www.unityit.com/ransomware-as-a-service/

[2] https://www.pcspezialist.de/blog/2021/06/14/raas-ransomware-as-a-service/

[3] https://www.crowdstrike.com/cybersecurity-101/ransomware/ransomware-as-a-service-raas/

[4] https://www.appknox.com/blog/ransomware-as-a-service

The second part of our series on the ongoing professionalization of attacks on IT systems deals with changes in the attackers’ mindset. Automation, commercialization and cloud computing have also left their mark on the typical profile of cyber criminals that admins and vulnerability management have to deal with. Contrary to common Hollywood clichés, the threat of Ransomware as a Service is usually not (or no longer) posed by highly talented script kiddies with a lot of time on their hands or anarchistic world improvers in hoodies, nor by highly qualified intelligence agencies equipped with seemingly endless resources.

Attacks Are Commissioned Work Today

Today’s most dangerous attacks are increasingly working “on contract,” pursuing a business model, and must also be guided by values such as efficiency or probability of success. Just as cloud computing has become an integral part of most companies’ IT, it now also serves cyber criminals to automate, organize and accelerate attacks. With great success: Ransomware has grown to become the biggest threat, and with Ransomware as a Service, attacks can be booked quite easily.

More and more security professionals are just now developing an understanding of the attackers’ business models: their logic is hardly any different from that of other companies. They invest the same resources in developing exploits and tools and want to achieve the highest possible return on investment (ROI). That is why they often pay close attention to the reusability of their tools.

Faced with limited resources, cyber criminals develop exploits for widely used technologies that offer high profit potential for multiple targets.

The Perspective of Cyber Criminals

The attackers have organized themselves: orders are placed on the darknet, and payment is made via Bitcoin. They are profit-maximizing, efficiency-oriented and professionally structured. However, this new, economy-oriented logic can and must also be a key to better defense mechanisms. Especially when security managers see themselves buried under an avalanche of security warnings, it is helpful to understand how cyber criminals “tick”.

To secure their own systems, defenders must now rethink and think outside the box. Understanding the logic of cyber criminals helps decipher key signals and close gaps. David Wolpoff, CTO of Randori, has formulated six key questions in a blog post on Threatpost that describe the mindset of modern cyber criminals well:

  • What useful information about a target can be identified from the outside?
  • How valuable is the target to the attackers?
  • Is the target known to be easy to hack?
  • What is the potential of the target and environment?
  • How long will it take to develop an exploit?
  • Is there a repeatable ROI for an exploit?

The more knowledge cyber criminals can gather about a technology or a person in a company, the better they can plan the next attack phase. In the first step, they thus ask how detailed the target can be described from the outside. For example, depending on the configuration, a web server may not reveal a server identifier or server names and detailed version numbers. If the exact version of a used service and its configuration is visible, precise exploits and attacks can be executed. This maximizes the chances of success while minimizing the probability of detection and the effort required.

No Longer Random

The increasingly important economic interest ensures that cyber criminals have to consider factors such as effort, time, money and risk more strongly. Accordingly, it is not worthwhile to attack or spy on systems indiscriminately. These days, attackers first clarify the potential value before acting and focus on promising targets such as VPNs and firewalls, credential stores, authentication systems or remote support solutions at the network edge. These could turn out to be master keys and unlock the way into the network or to credentials.

Again and again, reports emerge of critical, widely publicized vulnerabilities that apparently no one had exploited in attacks. It sounds unbelievable, but often no one has done the work of programming an exploit for a vulnerability. Modern cyber criminals increasingly follow the principle of return on investment and make use of existing proofs of concept (PoC).

Complexity Is Unwanted

This sometimes yields surprising findings: modern cyber criminals avoid well-documented vulnerabilities. Extensive research and analysis of a particular vulnerability is more an indicator of unwanted complexity and effort, which they want to keep to a minimum. RaaS hackers search for available tools or buy exploits already created for a particular target. Attackers want to move unnoticed in the systems they compromise, so they pick targets with few defenses where malware and pivoting tools work, such as desktop phones, VPN apps and other unprotected hardware. Many of these run on or are built for Linux, offer a full range of functionality, and come with trusted pre-installed tools. This promises to keep them usable after an exploit and makes them all the more attractive to cyber criminals.

Surprising Cost-Benefit Calculation

Once the target has been set, attackers need to assess time, cost, and reusability. Vulnerability research also goes beyond simply uncovering unpatched devices. Cyber criminals must assess whether the cost of researching and developing the resulting tools is commensurate with the gain after an attack. Well-documented software or open-source tools that are easy to obtain and test mean a relatively easy target.

Also surprising: overall, the severity of a vulnerability does not play the central role for cyber criminals, according to Wolpoff. Planning an attack is far more complex and requires economic thinking. Recognizing that the other side must also make compromises helps defend cloud environments in a meaningful way. Protecting everything, everywhere, all the time from all attackers is illusory. Thinking more like them, however, makes prioritization easier.

In the third part of this series of articles, it’s all about whether the Ransomware-as-a-Service model would be possible without Bitcoin and darknet, and whether the two technologies actually deliver what the attackers promise in that context.