DeeAnn Little

Installing the Greenbone Community Edition using Docker Containers

,

We are very happy to share the first video of the Greenbone Community series, as Joseph from the Greenbone Community walks you through the process of installing the Greenbone Community Edition using Docker containers.

Please note: Clicking on the video will open Youtube in a new tab.

Do you have questions or comments? Please let us know at the Greenbone Community Forum or on the Fediverse/Mastodon at greenbone.social

If you’d like the documentation to follow along with the video, it’s located here on GitHub.

Back to Portal Entry
/by
Markus Feilner

“Ransomware as a Service” as a Business Model: Why the Business of Extortion Flourishes

,

This article is the first of three blogposts about the changing threat landscape in professional environments. “Ransomware as a Service” as a business model has powerful implications for enterprises, which are by no means defenseless. Modern vulnerability management, which Greenbone’s products enable, also plays an important role in this context.

Numbers 2020 – Increase, Revenue, Costs

They are called DarkSide, REvil, Dharma, Egregor, Maze, LockBit or Thanos. Even Emotet is currently celebrating an unpleasant comeback: ransomware attacks are increasing worldwide, seemingly unchecked. Their intensity is also growing massively: REvil and DarkSide paralyzed the Bank of Scotland and an important pipeline on the US East Coast. In Germany, government agencies, hospitals, and entire counties are suffering from ransomware attacks.

Ransomware is malware that encrypts a system and only enables access to the data again if the victim pays a ransom. Common distribution channels for ransomware are spam mails, phishing and drive-by exploits. The latter take advantage of vulnerabilities in browsers, browser plug-ins, operating systems and network services.

Almost all successful attacks on IT infrastructures in recent years can be traced back to this type, which works so differently from the cyber criminals of previous decades. The threat scenario has changed, ransomware is now created and operated by professional infrastructures, they operate for profit and at least as efficiently as the companies and organizations they target. Faced with the new threat, the latter need to rethink when it comes to protecting their infrastructures.

According to manufacturers, one important reason for the great success of ransomware is the increasing spread of cloud infrastructures. On the one hand, attackers use cloud services themselves; on the other hand, they benefit from the larger attack surface that companies offer, even more so in the age of home office. Another reason is a lack of updates or incorrect configurations in corporate IT. Both causes increase the probability of success for attackers. However, resources are very unevenly distributed: in recent years, a global and highly professional industry has established itself that offers cloud services for cyber criminals – “Ransomware as a Service” (RaaS).

From “Software as a Service” to “Ransomware as a Service”

The concept of “Software as a Service” (SaaS), i.e., IT services from the cloud without purchasing software and charging for them only according to use, has proven itself for several decades. Well-known SaaS providers include Slack, Salesforce and WordPress. Major software companies such as Microsoft with Microsoft 365 and Adobe with Adobe Creative Cloud now also offer SaaS versions of their products. Greenbone’s cloud service also works according to this model. The advantages of the service lie in its scalability, flexibility, high IT security, and the strict rules of European data protection, especially if hosting takes place in German data centers, as is also the case with the Greenbone Cloud Service.

By 2020 at the latest, the trend also reached the darknet and the ransomware hacker market. With the SaaS business model in the background, attackers infiltrate local networks, encrypt data and demand a ransom from the victim. RaaS is now using the SaaS model to deliver malware and extort money more efficiently and cost-effectively.

Over 60 % of all known ransomware attacks in 2020 have already been attributed to RaaS models, a highly competitive but growing market. 15 new RaaS providers are reported to have joined in 2020. The business model is clear: the customers, i.e. potential hackers or attackers, no longer need any technical skills, there are discount promotions and professional services. All of this makes RaaS increasingly attractive to cyber criminals and obviously works because countless inadequately protected infrastructures are open to them.

The number of total ransomware attacks increased by nearly 500 percent in 2020. Two-thirds of these are attributable to RaaS offerings, with the trend continuing to rise in 2021 [1]. Attackers made an estimated $ 20 billion in revenue from ransomware in 2020, up from just over $ 11 billion in 2019 [2]. RaaS offerings are available to hackers starting at $ 40/month. Those who want more service can also invest thousands of dollars [3].

The average cost for affected companies to clean up after a ransomware attack has doubled during 2020 and is typically ten times the ransom demanded. These in turn averaged between $ 200,000 and $ 300,000 in 2020 [4]. Whether a corporation or a small business, the demands are usually the same, because not every attack has to be successful. As with spam, mass is decisive.

“Ransomware as a Service” as a Business Model

The business model of “Ransomware as a Service” is comprehensively and clearly explained by websites like AppKnox: RaaS organizations rent software and IT infrastructures operated by and at an external IT service company. Cyber criminals lease them as a service to attack and extort businesses or individuals. RaaS developers and providers are legally on the safe side, as they “only” provide the infrastructure and are thus not responsible for the attack. Today, anyone can book and launch RaaS attacks and cause considerable damage to companies, authorities or private individuals.

There are four common RaaS business models behind this:

  • Monthly payment (subscription model)
  • Partner programs, in addition to the subscription model there are profit-sharing schemes
  • One-time license fee
  • Profit sharing only

No matter which model users choose, some RaaS companies make it very easy: go to the darknet, log in, create an account, choose a model, pay with Bitcoin if necessary, distribute malware and wait for success.

For the money invested, you get an enterprise-level service. A typical product not only includes the ransomware code and the keys to encrypt and decrypt it, but also provides the appropriate phishing e-mails to launch an attack, good documentation and 24/7 support. Billing, monitoring, updates and status reports, calculation and forecasts regarding an income-expense statement are also taken care of.

Potential Victims Are by no Means Helpless

Despite the professionalism, companies and authorities do not have to stand idly by. Although they now face other attackers, they are by no means powerless or helpless.

The FBI regularly warns against accepting demands from extortionists, especially not in the case of organized crime and certainly not in the case of ransomware. The only solution is an expensive, lengthy rebuild or an attempt to crack the encryption. Instead, it is better to be prepared.

Companies can protect themselves with a few simple measures and consistent adherence to best practices. Backups, in different locations and separate from day-to-day operations, protect data. Two-factor authentication hampers attackers who could get passwords. Strong passwords should be standard practice today, as should smart network segmentation. Planning, incident response and recovery plans must be in place and tested regularly. Automation, monitoring and regular training of employees regarding IT security (e.g. phishing emails) are a must. Automation is of particular importance within IT, because attacks sometimes occur so quickly that human reactions come to nothing.

The basis for all these measures is provided by endpoint protection solutions and professional vulnerability management. Knowledge of vulnerabilities and weaknesses in networks is worth a fortune here. Admins identify the gaps in your IT defenses and close them before cyber criminals can abuse them – with Greenbone solutions continuously and automatically.

Greenbone products continuously scan the corporate network or external IT resources for potential vulnerabilities. The specially hardened Greenbone Enterprise Appliances or the Greenbone Cloud Service, available as Software as a Service and hosted in German data centers, guarantee daily updates on the latest vulnerabilities. Admins and IT management are informed immediately, if necessary, when threatening security vulnerabilities are revealed. In this way, companies are also well prepared if “Ransomware as a Service” as a business model continues to grow.

[1] https://www.unityit.com/ransomware-as-a-service/

[2] https://www.pcspezialist.de/blog/2021/06/14/raas-ransomware-as-a-service/

[3] https://www.crowdstrike.com/cybersecurity-101/ransomware/ransomware-as-a-service-raas/

[4] https://www.appknox.com/blog/ransomware-as-a-service

The second part of our series on the ongoing professionalization of attacks on IT systems deals with changes in the attackers’ mindset. Automation, commercialization and cloud computing have also left their mark on the typical profile of cyber criminals that admins and vulnerability management have to deal with. Contrary to common Hollywood clichés, the threat of Ransomware as a Service is usually not (anymore) posed by highly talented script kiddies with a lot of time on their hands or anarchistic world improvers in hoodies. Nor from highly qualified intelligence agencies equipped with seemingly endless resources.

Attacks Are Commissioned Work Today

Today’s most dangerous attacks are increasingly working “on contract,” pursuing a business model, and must also be guided by values such as efficiency or probability of success. Just as cloud computing has become an integral part of most companies’ IT, it now also serves cyber criminals to automate, organize and accelerate attacks. With great success: Ransomware has grown to become the biggest threat, and with Ransomware as a Service, attacks can be booked quite easily.

More and more security professionals are just now developing an understanding of the attackers’ business models: their logic is hardly any different from that of other companies. They invest the same resources in developing exploits and tools and want to achieve the highest possible return on investment (ROI). That is why they often pay close attention to the reusability of their tools.

Faced with limited resources, cyber criminals develop exploits for widely used technologies that offer high profit potential for multiple targets.

The Perspective of Cyber Criminals

The attackers have organized themselves, orders are placed on the darknet, and payment is made via Bitcoin. They are profit-maximized, efficiency-oriented and professionally structured: However, the new, economy-oriented logic can and must also be a key to better defense mechanisms. Especially when security managers see themselves buried under an avalanche of security warnings, it is helpful to understand how cyber criminals “tick”.

In order to secure their own systems, defense must now rethink and think outside the box. Understanding the logic of cyber criminals helps decipher key signals and close gaps. David Wolpoff, CTO of Randori, has formulated six key questions in a blog post on Threatpost that describe the mindset of modern cyber criminals well:

What useful information about a target can be identified from the outside?
How valuable is the target to the attackers?
Is the target known to be easy to hack?
What is the potential of the target and environment?
How long will it take to develop an exploit?
Is there a repeatable ROI for an exploit?

The more knowledge cyber criminals can gather about a technology or a person in a company, the better they can plan the next attack phase. In the first step, they thus ask how detailed the target can be described from the outside. For example, depending on the configuration, a web server may not reveal a server identifier or server names and detailed version numbers. If the exact version of a used service and its configuration is visible, precise exploits and attacks can be executed. This maximizes the chances of success while minimizing the probability of detection and the effort required.

No Longer Random

The increasingly important economic interest ensures that cyber criminals have to consider factors such as effort, time, money and risk more strongly. Accordingly, it is not worthwhile to attack or spy on systems indiscriminately. These days, attackers first clarify the potential value before acting and focus on promising targets such as VPNs and firewalls, credential stores, authentication systems or remote support solutions at the network edge. These could turn out to be master keys and unlock the way into the network or to credentials.

Again and again, reports of critical and incendiary vulnerabilities emerge that apparently no one had exploited for attacks. It sounds unbelievable, but often no one has done the work to program an exploit for a vulnerability. Modern cyber criminals increasingly follow the principle of return on investment and make use of existing proof of concepts (POC).

Complexity Is Unwanted

This sometimes yields surprising findings: modern cyber criminals avoid well-documented vulnerabilities. Extensive research and analysis of a particular vulnerability is more an indicator of unwanted complexity and effort, which one wants to keep to a minimum. RaaS hackers search for available tools or buy exploits already created for a particular object. Attackers want to move unnoticed in the systems they compromise. So they pick targets with few defenses where malware and pivoting tools work, such as desktop phones and VPN apps and other unprotected hardware. Many apps there are built with or for Linux, have a full scope of use, and have trusted pre-installed tools. This promises to keep them usable after an exploit and makes them all the more attractive to cyber criminals.

Surprising Cost-Benefit Calculation

Once the target has been set, attackers need to assess time, cost, and reusability. Vulnerability research also goes beyond simply uncovering unpatched devices. Cyber criminals must assess whether the cost of researching and developing the resulting tools is commensurate with the gain after an attack. Well-documented software or open-source tools that are easy to obtain and test mean a relatively easy target.

Also surprising: overall, the severity of a vulnerability does not play the central role for cyber criminals, according to Wolpoff. Planning an attack is far more complex and requires economic thinking. Recognizing that the other side must also make compromises helps defend cloud environments in a meaningful way. Protecting everything, everywhere, all the time from all attackers is illusory. Thinking more like them, however, makes prioritization easier.

In the third part of this series of articles, it’s all about whether the Ransomware-as-a-Service model would be possible without Bitcoin and darknet, and whether the two technologies actually deliver what the attackers promise in that context.

Back to Portal Entry
/by
Markus Feilner

Docker Container for Greenbone Community Edition

,

Greenbone is stepping up its commitment to open source and the community edition of its vulnerability management software.
In addition to the open source code on Github, Greenbone now also provides pre-configured and tested Docker containers.

Official containers from the manufacturer itself

The Greenbone Community Containers are regularly built automatically and are also available for ARM and Raspberry Pi.

Björn Ricks, Senior Software Developer at Greenbone, sees this as a “big improvement for admins who just want to give Greenbone a try.
Our official containers replace the many different Docker images that exist on the web with an official, always up-to-date, always-maintained version of Greenbone.”

Docker Container, Illustratiojn

Hi Björn, what is your role at Greenbone?

Björn Ricks: One of my current tasks is to provide community container builds at Greenbone. Taking care of the community has always been a big concern of mine and for a long time I wanted to make sure that we also provide “official” Docker images of Greenbone. I’m very pleased that this has now worked out.

What is the benefit of the images for the community?

Björn Ricks: We make it much easier for administrators and users who want to test Greenbone. The installation now works completely independent of the operating system used: just download and run the Docker compose file that describes the services, open the browser and scan the local network. I think that’s a much lower barrier to entry, ideal even for anyone who doesn’t yet know the details and capabilities of our products.

Why does Greenbone now provide containers itself? There were already some on the net, weren’t there?

Björn Ricks: Yes, that’s right, but we found out that some people were unsure about the content, legitimacy and maintenance of these images. That’s why we decided to offer Docker images signed by us with verified and secured content.
All the container images existing on the network have different version status and even more so different quality grade. It is often impossible to tell from the outside whether an image is “any good” or not. Of course, you also have to trust the external authors and maintainers that they know what they are doing and that their images do not contain any additional security vulnerabilities. Only we, as producers of our own software, can guarantee that the published container images have the current version status and the desired quality grade.

Does Greenbone also plan to provide Docker images for its commercial product line, Greenbone Enterprise Appliances?

Björn Ricks: That depends on requests from our commercial customers. The Greenbone Community Edition includes access to the community feed with around 100,000 vulnerability tests. Our commercial feed contains even more tests, including those for many proprietary products that our customers use.

We have found that our customers are happy with our appliances, our virtual appliances, and our cloud solution – all of which qualify for use of the commercial feed subscription. However, this could change, and if it does, we will consider offering Docker containers to commercial customers.

How often are the images updated and what feed is included?

Björn Ricks: The images are built and published directly from the source code repositories. So they are always up to date and contain all patches. At the moment only the community feed is available for the images, but this might change in the future.

Where can I get the images and the documentation?

Björn Ricks: The Docker compose file for orchestrating the services is linked in the documentation, The Dockerfiles for building the Docker images can also be found on Github in the corresponding repositories, and are quite easy to download, for example: here.

Back to Portal Entry

/by
Markus Feilner

Now on Mastodon: Greenbone in the Fediverse

,

drawing of people with moving boxes

Greenbone is happy to announce another important part of our community strategy: We are now also in the Fediverse, on Mastodon: You can find and follow us on @greenbone@floss.social! The federated messaging service Mastodon has grown massively over the last weeks, millions of users are switching to this open-source alternative to proprietary tools like Twitter. In November alone the user numbers raised from a few hundred thousands to several millions. Greenbone is honoring this development and supports both Mastodon and the Fediverse alongside with our forum and this community portal.

What is the Fediverse, why Mastodon?

The Fediverse is a growing network of services, run by open source volunteers, supported by open source companies and following free and open standards. A variety of services helps replacing the proprietary offers of Twitter, Facebook, Instagram or others while the underlying decentralized social networking protocol ActivityPub ensures interoperability.

The Fediverse – and thus also Mastodon was developed in open source, with special focus on community aspects, transparency, authenticity, thus giving users more control over their data and the content they’re offered.

How to Mastodon

Compared to other social networks, Mastodon has advantages and disadvantages – your mileage may vary. Greenbone believes that Mastodon (as the Fediverse) share the same values when it comes to open source and human interactions. However, that also means that on Mastodon, users have to be more active. No company-driven algorithm will wash toots (the Mastodon equivalent of tweets) into your timeline – it will only display toots from people (or hashtags) you actively follow and which you not explicitly blocked. Because of the “federated” nature of mastodon, you can also block whole servers or change your own “home” server whenever you desire – your data belongs to you.

Join Greenbone – go to greenbone.social and log into mastodon.

Back to Portal Entry

/by