Vulnerability Management, Critical Infrastructure Security, Risk Assessments/Management, Endpoint/Device Security

CISA pilot program scans critical infrastructure for bugs to help thwart ransomware attacks

Critical infrastructure entities gain CISA support to identify and patch known vulnerabilities.

The Cybersecurity and Infrastructure Security Agency (CISA) is beefing up its ransomware protection for U.S. critical infrastructure with a plan to proactively identify vulnerabilities in U.S. government agencies that could be exploited by ransomware cybercriminals.

The program is called the Ransomware Vulnerability Warning Pilot (RVWP) and was unveiled Monday. RVWP aims to alert agencies to attack surface vulnerabilities that could be used by ransomware criminals so security teams can mitigate the bugs as soon as possible.

"CISA leverages multiple open-source and internal tools to research and detect vulnerabilities within U.S. critical infrastructure," according to a description of the program posted to the U.S. government's Stop Ransomware advocacy website.

Ransomware attacks often exploit unpatched and known vulnerabilities that organizations are not aware of. Through RVWP, CISA will identify attack surface weak spots and warn critical infrastructure entities when their systems have exposed vulnerabilities that could be exploited by ransomware threat actors.

The pilot is designed to support entities with urgent patch awareness, which will enable “timely mitigation before damaging intrusions occur.”

Key elements of the pilot are the Cyber Hygiene Vulnerability Scanning service and the Administrative Subpoena Authority, granted to CISA under the Homeland Security Act of 2002. CISA did not identify what open-source and internal scanning tools it uses to identify vulnerabilities.

The pilot comes on the heels of the new FDA authorities that establish medical device security requirements for manufacturers, a move lauded by many healthcare stakeholders as a big step forward to make sure new devices brought to market are designed with security in mind, also known as security by design principles.

However, the FDA policy failed to tackle one of the largest medical device security challenges: the prevalence of unpatched legacy devices. The CISA pilot could lend the sector much needed support on identifying and securing these flaws.

Unpatched vulnerabilities are a leading cause of the majority of cyberattacks overall, with Threatpost research finding that patchable external vulnerabilities spurred 82% of cyberattacks during the first half of 2022. Exploitation of such known flaws has remained a prevalent threat to critical infrastructure this year.

WithSecure research found an ongoing campaign tied to the Lazarus Group targeting known vulnerabilities found in unpatched Zimbra devices last month, while Unit 42 researchers observed three campaigns leveraging a Mirai botnet variant called V3G4 targeting 13 unpatched vulnerabilities in a range of IoT devices.

Critical infrastructure entities struggle with prompt patch management strategies for a host of reasons. Even when vulnerabilities are known to an organization, the mean time to remediation is prolonged by a backlog of vulnerabilities to fix, by the need to prioritize the vulnerabilities most likely to be exploited, and by delegating each fix to specific security teams. In healthcare, heavy reliance on medical devices built on legacy systems or on products in end-of-life stages is also often at the crux of the complex device security patch management challenge.

And as noted by CISA, most organizations are unaware “that a vulnerability used by ransomware threat actors is present on their network.”

The pilot seeks to address some of these knowledge gaps, which will hopefully lead to quicker patching of known vulnerabilities. To accomplish this, CISA is using its existing authorities to identify systems with security vulnerabilities commonly tied to ransomware exploits, then informing its regional cybersecurity personnel so they can notify system owners.

These notifications will contain key information about the vulnerable system, including the manufacturer, device model, the IP address in use, how the vulnerability was detected and information on how to mitigate the flaw. The regional staff may also provide assistance and resources to mitigate the vulnerability for these entities.

“Receiving a notification through CISA RVWP is not indicative of a compromise. However, it does indicate you are at risk and the information system requires immediate remediation,” officials explained.

CISA also recommends the implementation of the other security controls provided on its Stop Ransomware website and urges entities to sign up for a host of no-cost tools, including its cyber hygiene scanning.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.
