‘That escalated quickly’ comes to mind when looking at the 95 new exploited vulnerabilities CISA added on March 3rd, then an additional 12 on March 7th. With these two additions, the known exploited vulnerability catalog increased by 21%. This represents a significant jump, the total number of vulnerabilities on this list as of March 7th is now 524. 

In November 2021, the Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities was initiated. The recent batch of added exploited vulnerabilities come mostly because of the ShieldsUp alert. CISA directly points to the 95 added on March 3rd as a prioritized analysis of vulnerabilities that have been used by Russian cyber threat actors. This growing list should be a concern for every organization – large or small – as they must be prepared to respond to disruptive cyber activity.   

Analysis of the Exploited Vulnerability Catalog  

As of March 7th, 2022: 

Total Number of Vulnerabilities = 524

Number of Vendors/Projects on the List = 96

Total Number of Vulnerabilities with CVEs published in 2022 = 15

Top Vendor/Projects and number of Vulnerabilities on the List

 

 

 

 

Nothing too surprising, the most popular software vendors have many exploited vulnerabilities on this list. Except for the CVEs published in 2022, these vulnerabilities should have been identified and hopefully remediated by now.

When you look at the distribution by CVE publication year of those vulnerabilities originally on the list and the ones recently added for years before 2022, you can see that much of the newly added vulnerabilities happen to be older ones.

Be Prepared for More Additions

Government entities must remediate all the vulnerabilities against this list, some as early as March 31st. It is highly recommended that all organizations work to this guideline.

  • Defense and Gov’t contractors
    • CMMC 2.0 focuses on NIST-171 as a security framework; it does little in setting vulnerability remediation timelines. Any connected entity in this industry should act now, review, and remediate in the recommended gov’t timeframe.
  • Healthcare Entities and Healthcare Business Associates
    • Service disruption is a deep concern for designated critical infrastructure as sanctions increase and spillover from current cyber conflicts may occur. This adds to the standing concern about ransomware and theft of ePHI.
  • Financial Servicing Organizations
    • Hitting across the financial ecosystem, all software vendors to third-party entities should elevate their security posture. They need to protect themselves from adversarial automation that may escalate to disrupt the US economy.
  • Others
    • While some businesses may not be part of any of the ecosystems above, this exploited vulnerability list should be concerned. Exploited vulnerabilities are those that can or have been weaponized and potentially automated. You should consider this list as the last exit warning before leaving the state ‘uncompromised.’ Additionally, if you become compromised by exploiting any of these vulnerabilities, it will be impossible to claim you have taken reasonable security efforts. Government-issued alerts and warnings should constantly be monitored and applied.

Keep Remediating Vulnerabilities as a Priority

Understanding that resources are limited for mid-sized organizations, here is some guidance our team suggests in light of the current events:

  • Anything browser-related is a concern to any business size, especially considering many companies are still work-from-home or work-from-coffee-shop and browser exploits cause an overwhelming number of client-side breaches (XSS, CSRF, etc.).
  • If a business allows personal phones access to their internal Wi-Fi, any mobile device vendor like Apple and Android should be addressed. These devices could be used as a jump or pivot point into the more comprehensive internal network.
  • Workstation operating systems are just as critical as core servers.  Nine times out of 10, attackers can only exploit your internal network because they pivoted through a compromised workstation, whether that was through a malicious email or client breach/attack.

 

Security Business-Impact Analysis

Unfortunately, it may be hard to control all the components mentioned above. Enforcing browser updates or mobile O/S updates on personal systems is not feasible without costly mobile device management solutions. Even with these solutions, controlling all aspects of the systems an end-user leverages to work is not easy or 100% effective. If you have not performed a security business-impact analysis, now is a great time to consider it. Without a current evaluation, it will be hard to communicate to executives and leaders of the organization what additional risks and costs to the business need to be monitored as expectations for more exploited vulnerability alerts and other cybersecurity warnings are issued. We can help your organization look at the risks and recommend how to enhance your security posture where it is needed. Security Control Effectiveness and Gap Assessments to Penetration Testing can immediately provide prioritized findings to accelerate your efforts.

Enhanced Multi-Signal Threat Detection

Everyone would say good security, hygiene, and maintenance are needed more than ever. However, with the longstanding cyber security talent crisis, getting the resources for your organization to accomplish these items is costly and time-consuming. Endpoints are the largest attack surface for an organization, and any of the exploited vulnerabilities in this CISA list can quickly expose an organization. This might be the catalyst moment to consider enhancing the security for your organization and move to a managed security service provider.

At TECH LOCK, we help those in regulated industries, like healthcare, financial services, and government contractors, quickly accelerate their data security and compliance assurances.

  • Managed Detection and Response (EDR with 24/7 Security Operations) to block threats at the endpoint. From known to emerging threats based on anomalous behavior, threats are blocked; in addition, proactive actions can be taken on the system to prevent compromise or reconnaissance. Take a proactive approach and upgrade the protection of your endpoints against exploitable vulnerabilities.
  • Network Security and Log Management with Threat Detection. As more indicators of compromise with malicious IP addresses are uncovered, streamlining log management for multi-signal investigations expedites threat hunting. We investigate all events, all hours of the day and night, to quickly address issues before any damage can occur.
  • Vulnerability Management and Remediation Prioritization. While many exploitable vulnerabilities are older, newer ones emerge every day. We help organizations understand the business risk impact and how best to mitigate or patch exposure points. As part of our multi-signal investigations, open vulnerability findings help to augment threat intelligence. With the view across the exposure, the criticality, and the activities, our SOC team takes decisive actions to neutralize any threats.

We expect the CISA exploited vulnerability catalog to grow. It will continue to be another data source organizations need to watch as part of their ongoing security practice. Contact us if you would like to discuss any of the guidelines in this article.