Back in November 2021, the US Cybersecurity and Infrastructure Security Agency (CISA) published the Known Exploited Vulnerabilities (KEV) Catalog to help federal agencies and critical infrastructure organizations identify and remediate vulnerabilities that are actively being exploited. CISA added 548 new vulnerabilities to the catalog across 58 updates from January through the end of November 2022, according to GreyNoise in its first-ever "GreyNoise Mass Exploits Report."
Together with the roughly 300 vulnerabilities added in November and December 2021, CISA listed roughly 850 vulnerabilities in the first year of the catalog's existence.
Actively exploited vulnerabilities in Microsoft, Adobe, Cisco, and Apple products accounted for over half of the updates to the KEV catalog in 2022, GreyNoise found. Seventy-seven percent of the updates to the KEV catalog were older vulnerabilities dating back to before 2022.
"Many were published in the previous two decades," noted GreyNoise's vice president of data science, Bob Rudis, in the report.
Several of the vulnerabilities in the KEV catalog are from products that have already entered end-of-life (EOL) and end-of-service-life (EOSL), according to an analysis by a team from Cyber Security Works (CSW). Though Windows Server 2008 and Windows 7 are EOSL products, the KEV catalog lists 127 Server 2008 vulnerabilities and 117 Windows 7 vulnerabilities.
"The fact that they are part of CISA KEV is quite telling as it indicates that many organizations are still using these legacy systems and therefore become easy targets for attackers," CSW wrote in its "Decoding the CISA KEV" report.
Though the catalog was initially intended for critical infrastructure and public-sector organizations, it has become the authoritative source on which vulnerabilities are – or have been – exploited by attackers. That is key because the National Vulnerability Database (NVD) added Common Vulnerabilities and Exposures (CVE) entries for over 12,000 vulnerabilities in 2022, and it would be unwieldy for enterprise defenders to assess every single one to identify those relevant to their environments. Enterprise teams can use the catalog's curated list of CVEs under active attack to create their priority lists.
In fact, CSW found a noticeable delay between when a CVE Numbering Authority (CNA), such as Mozilla or MITRE, assigned a CVE to a vulnerability and when the vulnerability was added to the NVD. For example, a vulnerability in WebKitGTK, the GTK port of Apple's WebKit engine (CVE-2019-8720), received a CVE from Red Hat in October 2019 and was added to the KEV catalog in March 2022 because it was being exploited by BitPaymer ransomware. It had not been added to the NVD as of early November 2022 (the cutoff date for CSW's report).
An organization relying on the NVD alone to prioritize patching would therefore miss issues that are under active attack.
Thirty-six percent of the vulnerabilities in the catalog are remote code execution flaws and 22% are privilege escalation flaws, CSW found. There were 208 vulnerabilities in CISA's KEV Catalog associated with ransomware groups and 199 being used by APT groups, CSW found. There was an overlap as well: 104 vulnerabilities were being used by both ransomware and APT groups.
For instance, a medium-severity information disclosure vulnerability in Microsoft Silverlight (CVE-2013-3896) is associated with 39 ransomware groups, CSW said. The same analysis from CSW found that a critical buffer overflow vulnerability in the ListView/TreeView ActiveX controls used by Office documents (CVE-2012-0158) and a high-severity memory corruption issue in Microsoft Office (CVE-2017-11882) are being exploited by 23 APT groups, most recently by the Thrip APT group (Lotus Blossom/BitterBug) in November 2022.
The spike in KEV additions in March 2022 is the result of Russia invading Ukraine in February – and the updates included many legacy vulnerabilities that nation-state actors were known to exploit in businesses, governments, and critical infrastructure organizations, GreyNoise said. The vast majority – 94% – of the vulnerabilities added to the catalog in March had been assigned a CVE before 2022.
CISA adds a vulnerability to the KEV catalog only if it is under active exploitation, has an assigned CVE, and there is clear guidance on how to remediate the issue. In 2022, enterprise defenders had to deal with an update to the KEV catalog on an almost weekly basis, with a new alert typically issued every four to seven days, Rudis wrote. Defenders were just as likely to have only a single day between updates, and the longest break between updates in 2022 was 17 days.
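The two practical points above – using the KEV catalog rather than the full NVD as a patch-priority list, and keeping up with its near-weekly update cadence – are easy to operationalize from CISA's machine-readable feed. The script below is an added example written for this page, not code from CISA, GreyNoise or CSW. It embeds a small, constructed sample in the shape of the public KEV JSON feed (the field names `cveID`, `vendorProject`, `product`, `dateAdded`, `requiredAction` and `dueDate` follow the published feed; the dates, descriptions and the environment inventory are illustrative, not real catalog records), intersects the catalog with the CVEs found in an environment, ranks the matches by CISA due date, and measures the gaps between catalog update days. In production you would replace `SAMPLE_KEV` with the downloaded feed and `INVENTORY` with the CVE set from your scanner.

```python
"""Prioritize an environment's CVEs against a CISA KEV-shaped feed.

Added example for this page; the sample catalog below is constructed to
mirror the public feed's structure, and its dates are illustrative only.
"""
import json
from datetime import date

# Constructed sample shaped like CISA's KEV JSON feed (field names follow the
# public feed; dates, descriptions and due dates are illustrative, not real
# catalog records). CVE-2013-3896, which the real catalog does list, is left
# out on purpose so the inventory below has one CVE with no KEV match.
SAMPLE_KEV = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "sample",
    "count": 3,
    "vulnerabilities": [
        {"cveID": "CVE-2017-11882", "vendorProject": "Microsoft",
         "product": "Office", "vulnerabilityName": "Office memory corruption",
         "dateAdded": "2021-11-03", "shortDescription": "illustrative",
         "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2022-05-03", "notes": ""},
        {"cveID": "CVE-2012-0158", "vendorProject": "Microsoft",
         "product": "MSCOMCTL.OCX", "vulnerabilityName": "ActiveX buffer overflow",
         "dateAdded": "2022-03-15", "shortDescription": "illustrative",
         "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2022-04-05", "notes": ""},
        {"cveID": "CVE-2019-8720", "vendorProject": "WebKitGTK",
         "product": "WebKitGTK", "vulnerabilityName": "WebKitGTK memory corruption",
         "dateAdded": "2022-03-25", "shortDescription": "illustrative",
         "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2022-04-15", "notes": ""},
    ],
})

# Constructed inventory: CVEs a scanner reported as present in the environment.
INVENTORY = {"CVE-2017-11882", "CVE-2019-8720", "CVE-2013-3896"}

# Fixed "today" so the example is reproducible (assumption for this example).
TODAY = date(2022, 4, 20)


def load_kev(feed_text):
    """Parse the KEV feed JSON and return its list of vulnerability records."""
    return json.loads(feed_text)["vulnerabilities"]


def prioritize(kev_entries, inventory_cves, today):
    """Return the inventory CVEs that appear in KEV, ordered by CISA due date.

    Each hit carries the due date, days left (negative when overdue) and the
    required action, so the output can feed a ticketing or patch queue directly.
    """
    hits = []
    for entry in kev_entries:
        if entry["cveID"] not in inventory_cves:
            continue
        due = date.fromisoformat(entry["dueDate"])
        hits.append({
            "cve": entry["cveID"],
            "product": f'{entry["vendorProject"]} {entry["product"]}',
            "due": due.isoformat(),
            "days_left": (due - today).days,
            "overdue": due < today,
            "action": entry["requiredAction"],
        })
    # Earliest due date first; CVE ID breaks ties deterministically.
    hits.sort(key=lambda h: (h["due"], h["cve"]))
    return hits


def update_cadence(kev_entries):
    """Distinct catalog update days and the gaps in days between them.

    Mirrors the cadence analysis in the text: how often defenders had to react
    to a new KEV update, and how long the longest quiet period was.
    """
    days = sorted({date.fromisoformat(e["dateAdded"]) for e in kev_entries})
    gaps = [(later - earlier).days for earlier, later in zip(days, days[1:])]
    return [d.isoformat() for d in days], gaps


if __name__ == "__main__":
    entries = load_kev(SAMPLE_KEV)
    for hit in prioritize(entries, INVENTORY, TODAY):
        flag = "OVERDUE" if hit["overdue"] else f'{hit["days_left"]} days left'
        print(f'{hit["cve"]:16} {hit["product"]:22} due {hit["due"]} ({flag})')
    unmatched = INVENTORY - {e["cveID"] for e in entries}
    print("in inventory but not in this catalog sample:", sorted(unmatched))
    days, gaps = update_cadence(entries)
    print("update days:", days, "gaps (days):", gaps)
```

The intersection is deliberately one-directional: a CVE in the inventory that is absent from KEV is not dropped from the patch plan, only from the "known exploited" fast lane, which is the distinction the CSW and GreyNoise figures above argue for.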