CISA adds dozens of vulnerabilities to catalog of exploited bugs
The Cybersecurity and Infrastructure Security Agency (CISA) added 41 vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog this week, one of the largest batches of additions since CISA began compiling the list in November.
Dozens of the vulnerabilities are years old, and federal civilian agencies have been given until June 13 and 14 either to apply the patches or, where the affected product is end-of-life, to disconnect it.
The list includes bugs in products from Microsoft, Apple, Adobe, WhatsApp, Mozilla, Google, Cisco, Kaseya, Artifex and QNAP.
CISA puts the list together based on evidence of active exploitation, noting that the vulnerabilities listed are “a frequent attack vector for malicious cyber actors and pose significant risk to the federal enterprise.” Andrew Hay, COO at cybersecurity firm LARES Consulting, said CISA likely received intelligence, or perhaps monitored actual activity, which indicates that the vulnerabilities added need to be patched immediately.
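The practical consequence of an addition to the catalog is a dated remediation deadline per CVE, with two possible required actions (patch, or disconnect an end-of-life product). The following is an added example, not code from The Record, CISA or any vendor named above: a small Python triage script that joins a KEV-style feed against an asset inventory and ranks findings by due date. The JSON field names (`cveID`, `vendorProject`, `product`, `dueDate`, `requiredAction`) are assumed to follow the shape of CISA's published feed; the feed entries, inventory and due dates are constructed for illustration, and the end-of-life entry uses a placeholder ID, not a real CVE.

```python
"""Triage a CISA KEV-style feed against a local asset inventory.

Added example; not CISA's or The Record's code. Field names are an
assumption based on the shape of CISA's published KEV JSON feed.
"""
import json
from datetime import date

# Constructed sample feed (field names assumed from the real feed; the two real
# CVE IDs and the June 13/14 due dates come from the article above).
KEV_SAMPLE = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-2020-0638", "vendorProject": "Microsoft", "product": "Windows",
         "dueDate": "2022-06-13",
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-2017-18362", "vendorProject": "Kaseya", "product": "VSA",
         "dueDate": "2022-06-14",
         "requiredAction": "Apply updates per vendor instructions."},
        # Placeholder ID for an end-of-life product; NOT a real CVE.
        {"cveID": "CVE-0000-00000", "vendorProject": "ExampleVendor",
         "product": "LegacyAppliance", "dueDate": "2022-06-14",
         "requiredAction": "The impacted product is end-of-life and should be "
                           "disconnected if still in use."},
    ]
})

# Constructed asset inventory: host -> CVEs still unremediated on that host.
INVENTORY = {
    "ws-finance-01": ["CVE-2020-0638"],
    "vsa-server": ["CVE-2017-18362", "CVE-2020-0638"],
    "old-appliance": ["CVE-0000-00000"],
    "patched-host": [],
}


def load_kev(feed_text):
    """Parse a KEV JSON document into a dict keyed by CVE ID."""
    data = json.loads(feed_text)
    return {v["cveID"]: v for v in data["vulnerabilities"]}


def action_for(entry):
    """Map the requiredAction text to 'disconnect' (end-of-life) or 'patch'."""
    text = entry.get("requiredAction", "").lower()
    return "disconnect" if ("end-of-life" in text or "disconnect" in text) else "patch"


def triage(feed_text, inventory, today):
    """Return findings for inventory CVEs present in the feed, most urgent first.

    `today` may be a date or an ISO 'YYYY-MM-DD' string.
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    kev = load_kev(feed_text)
    findings = []
    for host, cves in inventory.items():
        for cve in cves:
            entry = kev.get(cve)
            if entry is None:
                continue  # vulnerable, but not in KEV: lower priority than anything below
            days_left = (date.fromisoformat(entry["dueDate"]) - today).days
            findings.append({
                "host": host, "cve": cve,
                "vendor": entry["vendorProject"], "product": entry["product"],
                "action": action_for(entry),
                "due": entry["dueDate"], "days_left": days_left,
                "overdue": days_left < 0,
            })
    # Overdue items first, then by days remaining, then by host for stable output.
    findings.sort(key=lambda f: (not f["overdue"], f["days_left"], f["host"]))
    return findings


if __name__ == "__main__":
    for f in triage(KEV_SAMPLE, INVENTORY, "2022-06-14"):
        flag = "OVERDUE" if f["overdue"] else f"{f['days_left']}d left"
        print(f"{f['host']:15} {f['cve']:16} {f['action']:10} due {f['due']} ({flag})")
```

To run this against the live catalog, replace `KEV_SAMPLE` with the downloaded feed text (CISA publishes it as a JSON file on cisa.gov) and `INVENTORY` with output from your vulnerability scanner; the ordering puts anything already past its due date at the top, and the `action` field separates hosts that need a patch from end-of-life gear that has to come off the network.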
Kevin Breen, director of Cyber Threat Research at Immersive Labs, told The Record that it was not surprising CISA added so many relatively old vulnerabilities; some of those added this week date as far back as 2016. Breen said that attackers are well versed in finding vulnerabilities, old and new, to exploit in their campaigns.
“The Windows elevation of privileges vulnerability CVE-2020-0638 was disclosed in 2020 but was still being harnessed by the prolific ransomware gang Conti for their attacks on corporate networks this year,” Breen noted.
The Kaseya bug, CVE-2017-18362, was used by hackers in 2019 to deploy GandCrab ransomware on the workstations of affected companies' customers; at least one company was confirmed to have been attacked through it at the time.
While the list includes vulnerabilities from 2016, it also includes more recent ones, namely the Cisco IOS XR bug that was patched last week and two Android vulnerabilities that were discovered in November.
Other experts, like Viakoo CEO Bud Broomhead, noted that the addition of older vulnerabilities was even more evidence that patching among federal agency offices was severely lacking.
The nature of the vulnerabilities listed – privilege escalation, remote code injection, memory corruption – suggests that the goal of the threat actors is to use these vulnerabilities to first breach an organization, then use that access to move laterally to more sensitive internal systems, Broomhead explained.