CISA kicks off ransomware vulnerability pilot to help spot ransomware-exploitable flaws

Last week, the US Cybersecurity and Infrastructure Security Agency (CISA) announced the launch of the Ransomware Vulnerability Warning Pilot (RVWP) program to “proactively identify information systems that contain security vulnerabilities commonly associated with ransomware attacks.” Once the program identifies vulnerable systems, regional CISA personnel will notify them so they can mitigate the flaws before attackers can cause too much damage. 

CISA says it will seek out affected systems using existing services, data sources, technologies, and authorities, including CISA’s Cyber Hygiene Vulnerability Scanning. CISA initiated the RVWP by notifying 93 organizations identified as running instances of Microsoft Exchange Service with a vulnerability called “ProxyNotShell,” widely exploited by ransomware actors. The agency said this round demonstrated “the effectiveness of this model in enabling timely risk reduction as we further scale the RVWP to additional vulnerabilities and organizations.”

Eric Goldstein, executive assistant director for cybersecurity at CISA, said, “The RVWP will allow CISA to provide timely and actionable information that will directly reduce the prevalence of damaging ransomware incidents affecting American organizations. We encourage every organization to urgently mitigate vulnerabilities identified by this program and adopt strong security measures consistent with the U.S. government’s guidance on StopRansomware.gov.”

The pilot kicked off with ProxyNotShell

Beyond the official announcement, CISA offered few details about the RVWP program. One question is why CISA initiated the program with the ProxyNotShell vulnerability. ProxyNotShell is the latest in a series of flaws exploited by the Chinese state-sponsored hacker Hafnium targeting Microsoft Exchange Servers. In late September, two zero-day flaws (CVE-2022-41040, CVE-2022-41082) became known collectively as ProxyNotShell. Microsoft released patches for ProxyNotShell in November.

“I guarantee you that the most likely reason [CISA started with ProxyNotShell] is because they had some heads up or advanced notice that it was being used,” Andrew Morris, GreyNoise founder and CEO, tells CSO. “That vulnerability was actively being used by some malicious actor to achieve lots of compromises and spy on US persons and businesses. Because CISA works hand in hand with the United States intelligence community, the most obvious and the most likely thing would just be that they had some heads up that, ‘Hey, this is a vulnerability that some state actor is using with wild success.'”

Satnam Narang, a senior research engineer at Tenable, said his company has seen several ransomware actors taking advantage of ProxyNotShell over the past few months. “I would say towards the latter half of last year, and into early this year, the PLAY ransomware group was the most notable for its use of ProxyNotShell because they managed to find a way to target the mitigation recommendations that Microsoft had provided initially when the vulnerabilities were disclosed.”

The Play ransomware group is a relatively new threat actor. The recent incidents the group took credit for are damaging attacks on the City of Oakland, Germany’s H-Hotels chain, the Belgian city of Antwerp, Argentina’s Judiciary of Córdoba, and other high-profile targets.

Older vulnerabilities should be next for RVWP

ProxyNotShell is a relatively recent discovery, but some experts think that CISA would best position itself to start scanning for older vulnerabilities that constitute the foundation for most ransomware attacks. “The majority of the ransomware is targeting at least a one-year-old, if not two-year-old vulnerabilities,” Jonathan Trull, senior VP of security solution architecture and CISO at Qualys, tells CSO.

Trull says that Qualys’ research shows that the same old, unpatched 300 or so flaws are what ransomware attackers seek to exploit time and again. “We know pretty closely from our research that it’s a handful of the same vulnerabilities in every ransomware kit,” he says. “I hope CISA won’t focus just on the latest and greatest.”

Narang thinks CISA will focus on public-facing applications in its next RVWP initiative. “I think that a lot of the program’s focus will be to identify these vulnerable public-facing applications because, more often than not, ransomware groups are looking for public-facing applications with vulnerabilities in them.”

Narang points to the spike in ransomware groups targeting SSL VPNs at the outset of the pandemic as one such public-facing target. “We’ve seen ransomware groups targeting these SSL VPNs. We’ve talked about them at length for years now. We still see those being leveraged by ransomware groups.”

Small organizations will benefit the most

CISA says it will warn critical infrastructure entities in the RVWP scanning efforts that they suffer vulnerabilities that can lead to ransomware attacks. The program will likely benefit small organizations the most, given that large organizations typically have more personnel and resources to remediate or manage vulnerabilities.

“I suspect a lot of small- to mid-size businesses will probably be beneficiaries of this because often those organizations may not have the requisite budget or security staff,” Narang says. “They may be outsourcing their security to manage service providers. But, even then, I think they will likely be the biggest beneficiaries of this type of program.”

Mom-and-pop shops and small government offices need this kind of service, Morris says. “That’s where their impact is going to be the largest. They are the folks who need it the most.”

High marks all around

Reaction to the RVWP appears to be uniformly positive. “I ran a pretty large incident response team for Microsoft back in the day,” Trull says. “Of all the incidents we ran, probably 90% to 95% were ransomware related. So, I think having to respond to these incidents across the globe and seeing their impact, I am excited to see this initiative kick off.”

“I think it’s a fantastic initiative considering how successful ransomware groups have been at breaking into organizations targeting known vulnerabilities,” Narang says. Morris says, “my overall impression is that it’s a really good thing. It’s very much needed, and it’s a big step in the right direction for keeping US businesses safe from ransomware and protecting Americans.”