CISA plans to share more information on ransomware actors in its exploited vulnerability alerts

The U.S.’s top cybersecurity agency said it plans to add a section dedicated to ransomware gangs to its list of vulnerabilities being exploited by hackers.

Cybersecurity and Infrastructure Security Agency (CISA) officials said on Thursday that all organizations will now have access to information about which vulnerabilities are commonly associated with ransomware attacks through its known exploited vulnerabilities (KEV) catalog.

This information was previously only offered through CISA’s Ransomware Vulnerability Warning Pilot Program (RVWP) – an effort that began earlier this year where organizations can enroll and receive private warnings from CISA about vulnerabilities commonly associated with known ransomware exploitation.

Through the program, CISA identifies organizations with internet-accessible vulnerabilities commonly associated with known ransomware actors by using existing services, data sources, technologies, and authorities.

CISA associate director of vulnerability management Sandra Radesky and lead operations risk advisor Gabriel Davis said they would now be adding a column in the KEV catalog titled “known to be used in ransomware campaigns.”

“Furthermore, CISA has developed a second new RVWP resource that serves as a companion list of misconfigurations and weaknesses known to be used in ransomware campaigns,” the two said. “This list will guide organizations to quickly identify services known to be used by ransomware threat actors so they can implement mitigations or compensating controls.”

CISA added the 1,000th vulnerability to the KEV list three weeks ago and it has quickly become a go-to repository for the most concerning vulnerabilities being used by a wide range of hackers.

So far, the RVWP has notified organizations of more than 800 vulnerable systems that have internet-accessible vulnerabilities commonly associated with known ransomware campaigns. They noted that “all critical infrastructure sectors have benefited from the RVWP to include Energy, Healthcare and Public Health, Water and Wastewater Systems sectors, and Education Facilities subsector specifically.”

The RVWP was created as part of the rollout of the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) of 2022 – the rules of which are slated to be announced some time next year. CISA director Jen Easterly said the new incident reporting rules would allow government officials to get a better handle on how their actions are affecting the number of ransomware attacks facing U.S. organizations.

Five Patch Tuesday additions to KEV list

In addition to the ransomware announcement, CISA added five serious issues to its list of vulnerabilities being exploited.

On the heels of the latest Patch Tuesday vulnerability releases from the world’s leading technology firms, CISA picked out five specific issues, giving federal civilian agencies until the last day of October to patch them.

The issues being exploited include:

• Adobe Acrobat’s CVE-2023-21608
• Cisco’s CVE-2023-20109
• Microsoft Skype’s CVE-2023-41763
• Microsoft WordPad’s CVE-2023-36563
• CVE-2023-44487 affecting HTTP/2

The HTTP/2 issue was announced earlier this week by Google, Amazon and Cloudflare, each of which said the vulnerability facilitated some of the largest distributed denial-of-service (DDoS) attacks on record.

Adobe Acrobat’s CVE-2023-21608 was patched in January after being reported by Trend Micro’s Zero Day Initiative.

The Cisco vulnerability caused alarm last week after the company warned that hackers are using it to attack their VPN products. It allows a hacker to take actions on an affected device or cause the device to crash, but experts noted that a hacker would already need to be deep in an organization’s systems to use it.

Both of the Microsoft vulnerabilities — CVE-2023-41763 and CVE-2023-36563 — were among the 105 vulnerabilities announced by the tech giant on Tuesday.

Rapid7’s lead software engineer Adam Barnett noted that public exploit code exists for CVE-2023-41763, which affects Skype and could lead to the disclosure of IP addresses and/or port numbers.

Barnett added that while Microsoft does not specify what the scope of the disclosure might be, it will “presumably be limited to whatever the Skype for Business server can see; as always, appropriate network segmentation will pay defense-in-depth dividends.”

Action1 president Mike Walters explained that the bug affects Skype for Business versions 2015 to 2019 and requires no user privileges or interaction.

Experts from Trend Micro’s Zero Day Initiative told Recorded Future News that the bug “acts more like an information disclosure than a privilege escalation.”

“An attacker could make a malicious call to an affected Skype for Business server that results in the server parsing an HTTP request to an arbitrary address,” they said. “This could result in disclosing information, which could include sensitive information that provides access to internal networks.”

For CVE-2023-36563 — which affects Microsoft WordPad — the concerns revolve around how the vulnerability would allow hackers to access NTLM hashes. Immersive Labs cybersecurity engineer Nikolas Cemerikic explained that NTLM hashes are a fixed-length string of characters created from a user's password using a one-way mathematical algorithm.

“They are used for authentication in Windows operating systems, where the hash of the password is compared during login attempts rather than the real password being saved on the machine. This is for increased security,” he said.

The vulnerability affects Windows 10 and later as well as Windows Server 2008 and later.

Several other experts said the issue can be exploited in two ways: either through a specially crafted application designed for the vulnerability or through a malicious WordPad file that would typically come as an attachment to a phishing email.

“It should be noted, however, that simply obtaining user password hashes would not inherently provide the attacker with knowledge of the user password itself,” Cemerikic said.

“The attacker would need to take these hashes and then perform an offline crack against the hash, such as a dictionary attack or brute-force attack.”

Rapid7’s Barnett noted that Microsoft announced last month that WordPad is no longer being updated and will be removed in a future version of Windows, although no specific timeline has yet been given. Microsoft recommends Word as a replacement for WordPad.

Walters said a proof of concept demonstrating its impact is available.