CISA plans to share more information about ransomware actors in its exploited vulnerability alerts


The largest US cybersecurity agency has announced plans to add a section dedicated to ransomware gangs to its list of vulnerabilities exploited by hackers.

Cybersecurity and Infrastructure Security Agency (CISA) officials said Thursday that all organizations will now have access to information on vulnerabilities commonly associated with ransomware attacks through its Catalog of Known Exploited Vulnerabilities (KEV).

This information was previously only offered through CISA’s Ransomware Vulnerability Warning Pilot (RVWP), an effort that began earlier this year, through which organizations can register and receive private warnings from CISA about vulnerabilities commonly associated with known ransomware exploitation.

Through this program, CISA identifies organizations with Internet-accessible vulnerabilities, typically associated with known ransomware actors, using existing services, data sources, technologies and authorities.

Sandra Radesky, CISA associate director of vulnerability management, and Gabriel Davis, senior operational risk advisor, said they will now add a column to the KEV catalog titled “Known to be Used in Ransomware Campaigns”.

“Additionally, CISA has developed a second new RVWP resource that serves as a complementary list of misconfigurations and weaknesses known to be used in ransomware campaigns,” they said. “This list will help organizations quickly identify services known to be used by ransomware threat actors so they can implement mitigation measures or compensatory controls.”
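A defender consuming the catalog will want to act on the new flag programmatically rather than read it by hand. The following is an added example, not CISA's code or anything from the article: it loads a feed in the shape of the KEV JSON, selects entries flagged as known ransomware use, lists what is past its due date, and orders remediation by that flag and then by due date. The field names used (cveID, dateAdded, dueDate, knownRansomwareCampaignUse with values "Known" or "Unknown") follow the catalog's published JSON feed; check them against the live schema before relying on them. The sample feed itself is constructed for this example: the CVE-2023-00000 entry is a placeholder and not a real CVE, and the ransomware flag values are illustrative, not the catalog's actual values.

```python
"""Triage CISA KEV entries by the ransomware flag and due date.

Added example, not CISA's code. Field names follow the catalog's JSON feed
(https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json);
the sample feed below is constructed and its flag values are illustrative.
"""
import json
from datetime import date

# Constructed sample. The five real CVE IDs and the 2023-10-31 due date are the
# ones reported in the article; CVE-2023-00000 is a placeholder, not a real CVE,
# and the knownRansomwareCampaignUse values are illustrative only.
SAMPLE_FEED = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities (constructed sample)",
    "vulnerabilities": [
        {"cveID": "CVE-2023-21608", "vendorProject": "Adobe", "product": "Acrobat and Reader",
         "dateAdded": "2023-10-10", "dueDate": "2023-10-31", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2023-20109", "vendorProject": "Cisco", "product": "IOS and IOS XE",
         "dateAdded": "2023-10-10", "dueDate": "2023-10-31", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2023-41763", "vendorProject": "Microsoft", "product": "Skype for Business",
         "dateAdded": "2023-10-10", "dueDate": "2023-10-31", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2023-36563", "vendorProject": "Microsoft", "product": "WordPad",
         "dateAdded": "2023-10-10", "dueDate": "2023-10-31", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2023-44487", "vendorProject": "IETF", "product": "HTTP/2",
         "dateAdded": "2023-10-10", "dueDate": "2023-10-31", "knownRansomwareCampaignUse": "Unknown"},
        # Placeholder entry (not a real CVE) so the sample has one "Known" row.
        {"cveID": "CVE-2023-00000", "vendorProject": "Example", "product": "Placeholder",
         "dateAdded": "2023-09-09", "dueDate": "2023-09-30", "knownRansomwareCampaignUse": "Known"},
    ],
})


def load_kev(feed_text: str) -> list:
    """Return the list of vulnerability entries from a KEV-shaped JSON document."""
    return json.loads(feed_text)["vulnerabilities"]


def is_ransomware_linked(entry: dict) -> bool:
    # The flag is a string, "Known" or "Unknown"; treat a missing field as Unknown.
    return entry.get("knownRansomwareCampaignUse", "Unknown").strip().lower() == "known"


def ransomware_linked(entries: list) -> list:
    """Entries CISA flags as known to be used in ransomware campaigns."""
    return [e for e in entries if is_ransomware_linked(e)]


def overdue(entries: list, today: date) -> list:
    """Entries whose federal remediation due date has already passed."""
    return [e for e in entries if date.fromisoformat(e["dueDate"]) < today]


def triage(entries: list) -> list:
    """Order work: ransomware-linked first, then nearest due date, then CVE ID."""
    def key(e):
        return (0 if is_ransomware_linked(e) else 1, date.fromisoformat(e["dueDate"]), e["cveID"])
    return sorted(entries, key=key)


def cve_ids(entries: list) -> list:
    return [e["cveID"] for e in entries]


if __name__ == "__main__":
    entries = load_kev(SAMPLE_FEED)
    today = date(2023, 10, 13)  # constructed "today" for the demo
    print("Ransomware-linked:", cve_ids(ransomware_linked(entries)))
    print("Overdue as of", today, ":", cve_ids(overdue(entries, today)))
    for e in triage(entries):
        flag = "RANSOMWARE" if is_ransomware_linked(e) else "          "
        print(f"{flag} {e['cveID']:<16} due {e['dueDate']}  {e['vendorProject']} {e['product']}")
```

Swap SAMPLE_FEED for the text of the live feed (fetched separately) and the same three functions give a ransomware-first remediation queue; the due dates are binding only on federal civilian agencies, but they are a reasonable default SLA for anyone else.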

CISA added the 1,000th vulnerability to the KEV list three weeks ago, and the catalog has quickly become a go-to repository for the most concerning vulnerabilities used by a wide range of hackers.

To date, RVWP has reported to organizations more than 800 vulnerable systems with Internet-accessible vulnerabilities, typically associated with known ransomware campaigns. They noted that “all critical infrastructure sectors have benefited from the RVWP, including the energy, healthcare and public health sectors, water and sanitation systems, and particularly the sub-sector of educational establishments”.

The RVWP was created as part of the rollout of the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) of 2022, whose implementing rules are expected to be announced next year. CISA Director Jen Easterly said the new incident reporting rules would allow government officials to better understand how their actions affect the number of ransomware attacks that U.S. organizations face.

Five Patch Tuesday additions to the KEV roster

In addition to the ransomware announcement, CISA added five serious issues to its list of exploited vulnerabilities.

On the heels of the latest Patch Tuesday vulnerability releases from the world’s largest technology companies, CISA has identified five specific issues, giving federal civilian agencies until the last day of October to fix them.

Issues exploited include:

  • Adobe Acrobat CVE-2023-21608
  • Cisco CVE-2023-20109
  • Microsoft Skype CVE-2023-41763
  • Microsoft WordPad CVE-2023-36563
  • CVE-2023-44487 affecting HTTP/2

The HTTP/2 issue was disclosed earlier this week by Google, Amazon and Cloudflare, which each said the vulnerability (the “Rapid Reset” technique) had been used to mount some of the largest distributed denial of service (DDoS) attacks on record.

Adobe Acrobat CVE-2023-21608 was patched in January after being reported by Trend Micro’s Zero Day Initiative.

The Cisco vulnerability caused concern last week after the company warned that hackers were using it to attack its VPN products. It allows an attacker to take actions on an affected device or cause the device to crash, but experts noted that an attacker would already have to be deeply embedded in an organization’s systems to use it.

Microsoft’s two vulnerabilities, CVE-2023-41763 and CVE-2023-36563, were among the 105 vulnerabilities announced by the tech giant on Tuesday.

Adam Barnett, principal software engineer at Rapid7, noted that a public exploit exists for CVE-2023-41763, which affects Skype for Business and could lead to the disclosure of IP addresses and/or port numbers.

Barnett added that while Microsoft doesn’t specify what the scope of the disclosure might be, it will “likely be limited to what the Skype for Business server can see; as always, proper network segmentation will pay dividends when it comes to defense in depth.”

Action1 President Mike Walters explained that the bug affects Skype for Business versions 2015 to 2019 and does not require any privileges or user interaction.

Experts from Trend Micro’s Zero Day initiative told Recorded Future News that the bug “acts more like an information disclosure than a privilege escalation.”

“An attacker could make a malicious call to an affected Skype for Business server, causing the server to parse an HTTP request to an arbitrary address,” they said. “This could result in the disclosure of information, which could include sensitive information providing access to internal networks.”

For CVE-2023-36563, which affects Microsoft WordPad, concerns center on the vulnerability allowing attackers to obtain NTLM hashes. Nikolas Cemerikic, cybersecurity engineer at Immersive Labs, explained that NTLM hashes are a fixed-length string of characters created from a user’s password using a one-way mathematical algorithm.

“They are used for authentication in Windows operating systems, where the password hash is compared during login attempts rather than the actual password stored on the machine. This is for increased security,” he said.

The vulnerability affects Windows 10 and later as well as Windows Server 2008 and later.

Several other experts said the issue could be exploited in one of two ways: either through an application specifically designed for this vulnerability, or through a malicious WordPad file that would typically be delivered as an attachment to a phishing email.

“It should be noted, however, that simply obtaining user password hashes would not automatically provide the attacker with knowledge of the user’s password themselves,” Cemerikic said.

“The attacker will need to retrieve these hashes and then perform an offline crack against the hash, such as a dictionary attack or brute force attack.”
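To make the two points above concrete (the hash is one-way, and an offline dictionary or brute-force attack is the way to recover the password from it), here is an added example that is not from the article or from any of the vendors quoted in it. The NT hash is MD4 over the UTF-16LE encoding of the password; MD4 is implemented here in pure Python from RFC 1320 because OpenSSL 3 ships MD4 only in its legacy provider, so hashlib.new("md4") fails on many systems. The wordlist, mangling rules and target passwords are constructed for the demo. One caveat on the real attack path: in a forced-authentication leak of the kind a malicious document triggers, what reaches the attacker is an NTLM challenge-response computed from this NT hash rather than the raw hash, and the offline crack is run against that exchange; the dictionary step is the same.

```python
"""NT hash (MD4 over UTF-16LE password) and an offline dictionary attack.

Added example, not from the article or the vendors quoted in it.
MD4 is implemented from RFC 1320 so the example runs without OpenSSL's legacy provider.
"""
import struct
from typing import Iterable, Iterator, Optional

MASK = 0xFFFFFFFF


def _lrot(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK


# RFC 1320 auxiliary functions.
def _F(x, y, z): return (x & y) | (~x & MASK & z)
def _G(x, y, z): return (x & y) | (x & z) | (y & z)
def _H(x, y, z): return x ^ y ^ z


# Per round: (function, additive constant, message-word order, shift amounts per step).
_ROUNDS = (
    (_F, 0x00000000, list(range(16)), (3, 7, 11, 19)),
    (_G, 0x5A827999, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
    (_H, 0x6ED9EBA1, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
)


def md4(data: bytes) -> bytes:
    """MD4 digest (RFC 1320): little-endian words, 64-bit little-endian length."""
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        regs = state[:]
        for fn, const, order, shifts in _ROUNDS:
            for i in range(16):
                # Steps cycle through the targets a, d, c, b; the other three
                # registers, in order after the target, feed the round function.
                t = (-i) % 4
                x, y, z = regs[(t + 1) % 4], regs[(t + 2) % 4], regs[(t + 3) % 4]
                regs[t] = _lrot((regs[t] + fn(x, y, z) + X[order[i]] + const) & MASK, shifts[i % 4])
        state = [(s + r) & MASK for s, r in zip(state, regs)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """Windows NT hash: MD4 of the UTF-16LE password, as lowercase hex (no salt)."""
    return md4(password.encode("utf-16-le")).hex()


def candidates(wordlist: Iterable[str]) -> Iterator[str]:
    """Constructed mangling rules: bare word, capitalised, and common suffixes."""
    for word in wordlist:
        for base in (word, word.capitalize()):
            yield base
            for suffix in ("1", "123", "!", "2023"):
                yield base + suffix


def crack_nt_hash(target_hex: str, wordlist: Iterable[str]) -> Optional[str]:
    """Offline dictionary attack: hash each candidate and compare to the stolen hash."""
    target = target_hex.lower()
    for cand in candidates(wordlist):
        if nt_hash(cand) == target:
            return cand
    return None


# Constructed wordlist for the demo.
WORDLIST = ["password", "letmein", "summer", "welcome"]

if __name__ == "__main__":
    stolen = nt_hash("Summer2023")  # stands in for a hash an attacker obtained
    print("stolen NT hash:", stolen)
    print("recovered:", crack_nt_hash(stolen, WORDLIST))
    strong = nt_hash("correct horse battery staple")
    print("strong passphrase recovered:", crack_nt_hash(strong, WORDLIST))
```

Two things the run shows: the hash itself says nothing about the password (the one-way property Cemerikic describes), and because the NT hash is unsalted and cheap to compute, a weak password falls to a small wordlist with a few mangling rules while a long passphrase outside the list does not. Real tooling does the same loop at GPU speed, which is why hash disclosure is treated as a credential exposure.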

Rapid7’s Barnett noted that Microsoft announced last month that WordPad is no longer being updated and will be removed in a future version of Windows, although no specific timetable has been given yet. Microsoft recommends Word as a replacement for WordPad.

Walters said a proof of concept demonstrating its impact was available.


Jonathan Greig

Jonathan Greig is a breaking news reporter at Recorded Future News. Jonathan has worked as a journalist around the world since 2014. Before returning to New York, he worked for media outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.
