CISA kicks off ransomware vulnerability pilot to help spot ransomware-exploitable flaws


Last week, the US Cybersecurity and Infrastructure Security Agency (CISA) announced the launch of the Ransomware Vulnerability Warning Pilot (RVWP) program to “proactively identify information systems that contain security vulnerabilities commonly associated with ransomware attacks.” Once the program identifies vulnerable systems, regional CISA personnel will notify the affected organizations so they can mitigate the flaws before attackers exploit them.

CISA says it will seek out affected systems using existing services, data sources, technologies, and authorities, including CISA’s Cyber Hygiene Vulnerability Scanning. CISA initiated the RVWP by notifying 93 organizations identified as running instances of Microsoft Exchange Server with a vulnerability chain called “ProxyNotShell,” widely exploited by ransomware actors. The agency said this round demonstrated “the effectiveness of this model in enabling timely risk reduction as we further scale the RVWP to additional vulnerabilities and organizations.”

Eric Goldstein, executive assistant director for cybersecurity at CISA, said, “The RVWP will allow CISA to provide timely and actionable information that will directly reduce the prevalence of damaging ransomware incidents affecting American organizations. We encourage every organization to urgently mitigate vulnerabilities identified by this program and adopt strong security measures consistent with the U.S. government’s guidance on StopRansomware.gov.”

The pilot kicked off with ProxyNotShell

Beyond the official announcement, CISA offered few details about the RVWP program. One question is why CISA initiated the program with the ProxyNotShell vulnerability. ProxyNotShell is the latest in a series of flaw chains targeting Microsoft Exchange Server, following ProxyLogon, which Microsoft attributed to the Chinese state-sponsored group Hafnium, and ProxyShell. In late September 2022, two zero-day flaws (CVE-2022-41040, a server-side request forgery, and CVE-2022-41082, a remote code execution bug reachable through PowerShell remoting by an authenticated user) became known collectively as ProxyNotShell. Microsoft released patches for ProxyNotShell in its November 2022 security updates.

“I guarantee you that the most likely reason [CISA started with ProxyNotShell] is because they had some heads up or advanced notice that it was being used,” Andrew Morris, GreyNoise founder and CEO, tells…
