CISA urged to add 8 severe ransomware bugs to vulnerability catalog


Researchers found that eight of the 131 ransomware-associated vulnerabilities not yet listed in a federal catalog meant to help the cybersecurity community are considered “most dangerous” because they could be easily exploited at every stage of an attack, from initial access to exfiltration.

A ransomware report from Cyber Security Works, Ivanti, Cyware, and Securin warned organizations not to ignore vulnerabilities that have yet to be added to the Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities (KEV) catalog, especially those with complete MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) kill chains, where each stage an attacker carries out can be defined, described, and tracked.

According to the report, researchers identified 57 extremely dangerous ransomware-associated vulnerabilities with complete kill chains, eight of which are absent from the KEV. These eight bugs affect over 30 products, including products from Microsoft, Oracle, Zyxel, and QNAP.

The Ivanti research team highlighted that two bugs (CVE-2016-10401 and CVE-2017-6884) in products from Zyxel, a subsidiary of the Taiwanese multinational broadband provider Unizyx Holding, are particularly notable because of nation-state and global threat actors focusing on Taiwan. Additionally, these are old vulnerabilities, discovered in 2016 and 2017, that still do not have a patch.
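A defender can reproduce this kind of cross-check against their own vulnerability list, as an added example that is not code from the report, the vendors, or the article: CISA publishes the KEV feed as JSON (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json) with a `vulnerabilities` array whose entries carry `cveID`, `vendorProject`, `product`, `dateAdded` and `dueDate`. The catalog excerpt below is constructed so the script runs offline and is not real catalog data; the third CVE ID is a placeholder.

```python
import json
from datetime import date

# Constructed excerpt in the shape of CISA's KEV JSON feed. NOT a real catalog
# entry; only the field names follow the published schema.
SAMPLE_KEV_JSON = """
{"vulnerabilities": [
  {"cveID": "CVE-0000-00001",
   "vendorProject": "ExampleVendor",
   "product": "ExampleProduct",
   "dateAdded": "2023-01-01",
   "dueDate": "2023-01-22"}
]}
"""

# CVEs a report or scanner associated with ransomware. The two Zyxel IDs are
# the ones named in the article; the third is the constructed entry above.
RANSOMWARE_CVES = ["CVE-2016-10401", "CVE-2017-6884", "CVE-0000-00001"]


def index_kev(kev_json: str) -> dict:
    """Map each cveID in a KEV feed to its catalog entry."""
    catalog = json.loads(kev_json)
    return {entry["cveID"]: entry for entry in catalog["vulnerabilities"]}


def triage(cves, kev_index: dict, today: date) -> dict:
    """Split CVEs into 'in_kev' (with an overdue flag from dueDate) and
    'not_in_kev'. Absence from KEV is not evidence of safety: the article's
    point is that ransomware-linked bugs can sit outside the catalog, so the
    'not_in_kev' bucket still needs its own prioritization."""
    result = {"in_kev": {}, "not_in_kev": []}
    for cve in sorted(set(cves)):
        entry = kev_index.get(cve)
        if entry is None:
            result["not_in_kev"].append(cve)
            continue
        result["in_kev"][cve] = {
            "product": f'{entry["vendorProject"]} {entry["product"]}',
            "due_date": entry["dueDate"],
            "overdue": today > date.fromisoformat(entry["dueDate"]),
        }
    return result


if __name__ == "__main__":
    report = triage(RANSOMWARE_CVES, index_kev(SAMPLE_KEV_JSON), date.today())
    print(json.dumps(report, indent=2))
```

Pointing `SAMPLE_KEV_JSON` at the downloaded live feed gives the same report for a real CVE list; the `not_in_kev` bucket is where entries like the two Zyxel bugs would land today.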

Srinivas Mukkamala, chief product officer at Ivanti, told SC Media that the research team has reached out to CISA to recommend including all of the severe vulnerabilities in its KEV catalog.

CISA has yet to respond to SC Media’s inquiry on whether it will add them or plans to do so.

CISA published the KEV catalog in November 2021 as a free resource to help organizations manage vulnerabilities and prioritize remediation. It started with 287 vulnerabilities and has grown to a repository of 866 CVEs.

Mukkamala said all researchers should actively collaborate with CISA and contribute to expanding the KEV catalog.  

“KEV is the authoritative source of exploited vulnerabilities. We benefit from this best service without having to pay for it. So as defenders, why don’t we give back by sharing our knowledge and information with CISA?” he…
