A CISA spokesperson contacted SC Media after initial publication, and their comments were added Feb. 21.
Researchers found that eight of the 131 ransomware-associated vulnerabilities not yet listed in a federal catalog meant to help the cybersecurity community prioritize remediation are considered “most dangerous” because they can be exploited through every stage of an attack, from initial access to exfiltration.
A ransomware report from Cyber Security Works, Ivanti, Cyware, and Securin warned organizations not to ignore vulnerabilities that have yet to be added to the Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities catalog (KEV), especially those with complete MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) kill chains, where every stage of an attack can be defined, described, and tracked against known attacker techniques.
According to the report, researchers identified 57 extremely dangerous ransomware-associated vulnerabilities with complete kill chains, eight of which are absent from the KEV. These eight bugs affect over 30 products, including products from Microsoft, Oracle, Zyxel, and QNAP.
The Ivanti research team highlighted two bugs (CVE-2016-10401 and CVE-2017-6884) in Zyxel products as particularly notable: Zyxel is a subsidiary of Unizyx Holding, a Taiwanese multinational broadband provider, and nation-state and other global threat actors are focusing on Taiwan. Additionally, these are old vulnerabilities, discovered in 2016 and 2017, yet they still do not have a patch.
Srinivas Mukkamala, chief product officer at Ivanti, told SC Media that the research team has reached out to CISA to recommend including all of the severe vulnerabilities in its KEV catalog.
A CISA spokesperson did not directly respond to SC Media's inquiry on whether they will add the vulnerabilities, but told SC Media that "CISA relies on stakeholder feedback to improve its services to the cybersecurity community as well as input with nominating an actively exploited vulnerability to [KEV] catalog."
CISA published the KEV catalog in November 2021 as a free resource to help organizations manage vulnerabilities and prioritize remediation. It started with 287 vulnerabilities and now lists 866 CVEs.
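CISA publishes the KEV catalog as a machine-readable JSON feed, so a list of CVEs from a scanner or asset inventory can be checked against it mechanically. The script below is an added example, not code from the report, from CISA or from SC Media: it indexes a KEV-shaped document by `cveID`, splits a list of CVEs into those in the catalog (flagging ones whose remediation due date has passed) and those absent, and keeps absent CVEs that are on a ransomware watchlist visible for manual review instead of silently deprioritizing them, which is the report's point. The two-entry catalog text and the watchlist are constructed sample data (the watchlist holds the two Zyxel CVEs named above; the catalog entries are illustrative, not copied from the live feed). The `fetch_live_kev` helper and the feed URL are assumptions for live use and are not exercised offline.

```python
"""Check a CVE list against a KEV-shaped catalog (added example, not CISA's code)."""
import json
import urllib.request
from datetime import date

# Assumed URL of CISA's live JSON feed; used only by fetch_live_kev().
KEV_FEED_URL = (
    "https://www.cisa.gov/sites/default/files/feeds/"
    "known_exploited_vulnerabilities.json"
)

# Constructed sample in the shape of the KEV feed. Field names match the
# real feed; the two entries are illustrative, not taken from the live catalog.
SAMPLE_KEV_JSON = """
{
  "title": "Constructed KEV-shaped sample",
  "catalogVersion": "2023.02.21",
  "dateReleased": "2023-02-21T00:00:00.0000Z",
  "count": 2,
  "vulnerabilities": [
    {"cveID": "CVE-2021-44228", "vendorProject": "Apache", "product": "Log4j2",
     "vulnerabilityName": "Apache Log4j2 Remote Code Execution Vulnerability",
     "dateAdded": "2021-12-10",
     "shortDescription": "JNDI lookups allow remote code execution.",
     "requiredAction": "Apply updates per vendor instructions.",
     "dueDate": "2021-12-24", "notes": ""},
    {"cveID": "CVE-2017-0144", "vendorProject": "Microsoft", "product": "SMBv1",
     "vulnerabilityName": "Microsoft SMBv1 Remote Code Execution Vulnerability",
     "dateAdded": "2022-02-10",
     "shortDescription": "SMBv1 request handling allows remote code execution.",
     "requiredAction": "Apply updates per vendor instructions.",
     "dueDate": "2022-08-10", "notes": ""}
  ]
}
"""

# Constructed watchlist: ransomware-associated CVEs the report says are not in KEV.
RANSOMWARE_WATCHLIST = {"CVE-2016-10401", "CVE-2017-6884"}


def fetch_live_kev(url: str = KEV_FEED_URL, timeout: int = 30) -> str:
    """Download the live feed text. Requires network access (not used offline)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def load_kev(json_text: str) -> dict:
    """Index a KEV-shaped JSON document by upper-cased cveID."""
    doc = json.loads(json_text)
    return {entry["cveID"].strip().upper(): entry for entry in doc["vulnerabilities"]}


def triage(cve_ids, kev_index: dict, watchlist=frozenset(), today=None) -> dict:
    """Split CVEs by KEV membership; never drop watchlisted CVEs from view.

    Returns lists (input order preserved): in_kev, overdue (in KEV with a past
    dueDate), not_in_kev_watchlist (absent from KEV but ransomware-associated),
    not_in_kev_other (absent and not on the watchlist).
    """
    today = today or date.today()
    watch = {w.strip().upper() for w in watchlist}
    result = {"in_kev": [], "overdue": [], "not_in_kev_watchlist": [], "not_in_kev_other": []}
    for raw in cve_ids:
        cve = raw.strip().upper()
        entry = kev_index.get(cve)
        if entry is None:
            # Absent from KEV is not the same as safe: keep watchlisted CVEs visible.
            bucket = "not_in_kev_watchlist" if cve in watch else "not_in_kev_other"
            result[bucket].append(cve)
            continue
        result["in_kev"].append(cve)
        if date.fromisoformat(entry["dueDate"]) < today:
            result["overdue"].append(cve)
    return result


if __name__ == "__main__":
    index = load_kev(SAMPLE_KEV_JSON)  # swap in fetch_live_kev() for the real feed
    findings = ["CVE-2021-44228", "cve-2017-0144", "CVE-2016-10401",
                "CVE-2017-6884", "CVE-2099-0001"]
    for bucket, cves in triage(findings, index, RANSOMWARE_WATCHLIST).items():
        print(f"{bucket:22s} {', '.join(cves) or '-'}")
```

The `today` parameter exists so the overdue check is reproducible; in production leave it unset. Treat `not_in_kev_watchlist` as a queue for manual risk review, not as a lower-priority tier.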
Mukkamala said all researchers should actively collaborate with CISA and contribute to expanding the KEV catalog.
"KEV is the authoritative source of exploited vulnerabilities. We benefit from this best service without having to pay for it. So as defenders, why don't we give back by sharing our knowledge and information with CISA?" he said.
Tony Cook, senior director of DFIR and Threat Intel at GuidePoint Security, echoed Mukkamala, highlighting that organizations should have a more transparent vulnerability disclosure process to help secure the large ecosystem.
"One of the biggest issues now is that companies do not want to disclose security incidents or vulnerability information to CISA for fear of legal obligation. It would be much easier for CISA to have a comprehensive database if organizations could openly report things happening around," Cook said.