New Stakeholder-Specific Vulnerability Categorization (SSVC) guidance has been unveiled by the Cybersecurity and Infrastructure Security Agency in an effort to bolster the prioritization of flaw patching, according to SecurityWeek.
CISA's SSVC offers a decision tree model, which facilitates the classification of flaws into four categories: Track, Track*, Attend, and Act. The categories are based on the exploitation status, technical effect, mission-essential function impact, and potential system compromise impact.
Such guidance should be used alongside the Known Exploited Vulnerabilities Catalog, Vulnerability Exploitability eXchange, Common Security Advisory Framework, and machine-readable security advisories, said CISA.
"Context matters (a lot), and SSVC has done incredible work enumerating all the factors that should be involved in determining how to deal with vulnerabilities in any given setting. CISA's work in extending that should prove to be valuable in boiling up some of the more pertinent details to allow organizations to more easily digest and implement vulnerability management policies and procedures that reflect the goals of the SSVC framework," said NetRise Director of Field Engineering Derek McCarthy.
As part of its latest attacks discovered in June, Tropic Trooper exploited several known Microsoft Exchange Server and Adobe ColdFusion vulnerabilities to distribute an updated China Chopper web shell on a server hosting the Umbraco open-source content management system.
More than 50 Alibaba-hosted command-and-control servers have been leveraged to facilitate the distribution of the backdoor, which impersonates the Java, bash, sshd, SQLite, and edr-agent utilities.
Angola and the Democratic Republic of Congo, which is a new Intellexa client, may have leveraged new Predator infrastructure to enable spyware staging and exploitation, according to an analysis from Recorded Future's Insikt Group.