Adobe, Apple, Cisco, Microsoft Flaws Make Up Half of KEV Catalog
CISA’s Known Exploited Vulnerabilities Catalog has become a valuable repository of vulnerabilities to be patched. A pair of reports analyze the vulnerabilities under attack to understand the kind of threats organizations should be prioritizing.
Back in November 2021, the US Cybersecurity and Infrastructure Security Agency (CISA) published the Known Exploited Vulnerabilities (KEV) Catalog to help federal agencies and critical infrastructure organizations identify and remediate vulnerabilities that are actively being exploited. CISA added 548 new vulnerabilities to the catalog across 58 updates from January to the end of November 2022, according to GreyNoise in its first-ever “GreyNoise Mass Exploits Report.”
Including the approximately 300 vulnerabilities added in November and December 2021, CISA listed approximately 850 vulnerabilities in the first year of the catalog’s existence.
Actively exploited vulnerabilities in Microsoft, Adobe, Cisco, and Apple products accounted for over half of the additions to the KEV catalog in 2022, GreyNoise found. Seventy-seven percent of the 2022 additions were older vulnerabilities whose CVEs were assigned before 2022.
“Many were published in the previous two decades,” noted GreyNoise’s vice president of data science, Bob Rudis, in the report.
Many of the vulnerabilities in the KEV catalog are in products that have already reached end-of-life (EOL) or end-of-service-life (EOSL), according to an analysis by a team from Cyber Security Works (CSW). Even though Windows Server 2008 and Windows 7 are EOSL products, the KEV catalog lists 127 Windows Server 2008 vulnerabilities and 117 Windows 7 vulnerabilities.
“The fact that they are a part of CISA KEV is quite telling as it indicates that many organizations are still using these legacy systems and therefore become easy targets for attackers,” CSW wrote in its “Decoding the CISA KEV” report.
Even though the catalog was originally intended for critical infrastructure and public-sector organizations, it has become the authoritative source on which vulnerabilities are – or have been – exploited by attackers. This matters because more than 12,000 vulnerabilities with Common Vulnerabilities and Exposures (CVE) identifiers were published to the National Vulnerability Database (NVD) in 2022, and it would be unwieldy for enterprise defenders to assess every single one to identify the ones relevant to their environments. Enterprise teams can instead use the catalog’s curated list of CVEs under active attack to build their priority lists.
CSW also found a lag between when a CVE Numbering Authority (CNA), such as Mozilla or MITRE, assigned a CVE to a vulnerability and when the vulnerability appeared in the NVD. For example, a vulnerability in the WebKitGTK browser engine (CVE-2019-8720) received its CVE from Red Hat in October 2019 and was added to the KEV catalog in March 2022 because it was being exploited by BitPaymer ransomware, yet it still had no NVD entry as of early November 2022, the cutoff date for CSW’s report.
An organization relying on the NVD to prioritize patching would miss issues that are under active attack.
Thirty-six percent of the vulnerabilities in the catalog are remote code execution flaws and 22% are privilege escalation flaws, CSW found. There were 208 vulnerabilities in CISA’s KEV Catalog associated with ransomware groups and 199 used by APT groups, CSW found, with an overlap of 104 vulnerabilities used by both ransomware and APT groups.
For instance, a medium-severity information disclosure vulnerability in Microsoft Silverlight (CVE-2013-3896) is associated with 39 ransomware groups, CSW said. The same analysis found that a critical buffer overflow in the MSCOMCTL ListView/TreeView ActiveX controls that Office documents can embed (CVE-2012-0158) and a high-severity memory corruption issue in Microsoft Office (CVE-2017-11882) are being exploited by 23 APT groups, most recently by the Thrip APT group (Lotus Blossom/BitterBug) in November 2022. Neither the Silverlight flaw’s medium CVSS score nor the age of the Office bugs would put them at the top of a severity-only patch queue, which is exactly the gap the KEV catalog fills.
The largest monthly spike in KEV additions in 2022 came in March, which GreyNoise attributes to Russia’s invasion of Ukraine the month before: the updates included many legacy vulnerabilities that nation-state actors had been known to exploit against businesses, governments, and critical infrastructure organizations. The vast majority – 94% – of the vulnerabilities added to the catalog in March had been assigned a CVE before 2022.
CISA adds a vulnerability to the KEV catalog only if it has an assigned CVE, there is reliable evidence of active exploitation, and there is clear guidance on how to remediate the issue. In 2022, enterprise defenders had to deal with an update to the KEV catalog on an almost weekly basis, with a new alert typically issued every four to seven days, Rudis wrote. Updates were just as likely to arrive only a single day apart, and the longest break between updates in 2022 was 17 days.
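The workflow the two reports imply, cross-referencing a scanner backlog against the catalog, ordering by CISA due date rather than CVSS, and measuring the age of catalog entries and the cadence of updates, is shown below as an added example. This is not code from the article, GreyNoise, or CSW. The field names (`cveID`, `vendorProject`, `product`, `dateAdded`, `dueDate`) match the public feed at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json, which the script accepts unchanged, but the embedded records are constructed: the four CVEs are ones discussed above, their catalog dates are illustrative, and `CVE-2022-00000` is a placeholder for a finding that is not in the catalog.

```python
"""Triage a scanner backlog against the CISA KEV catalog (added example)."""
import json
from datetime import date

# Constructed sample shaped like the public KEV feed. Same field names as the
# live feed; the four CVEs are from the article, the dates are illustrative.
KEV_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {"cveID": "CVE-2017-11882", "vendorProject": "Microsoft", "product": "Office",
         "dateAdded": "2021-11-03", "dueDate": "2022-05-03"},
        {"cveID": "CVE-2013-3896", "vendorProject": "Microsoft", "product": "Silverlight",
         "dateAdded": "2022-03-03", "dueDate": "2022-03-24"},
        {"cveID": "CVE-2012-0158", "vendorProject": "Microsoft", "product": "MSCOMCTL.OCX",
         "dateAdded": "2022-03-03", "dueDate": "2022-03-24"},
        {"cveID": "CVE-2019-8720", "vendorProject": "WebKitGTK", "product": "WebKitGTK",
         "dateAdded": "2022-03-25", "dueDate": "2022-04-15"},
    ],
})

# Constructed scanner export: one finding per (host, CVE) with its CVSS score.
# CVE-2022-00000 is a placeholder for a finding that is NOT in the catalog.
FINDINGS = [
    {"host": "fs01", "cve": "CVE-2017-11882", "cvss": 7.8},
    {"host": "ws-legacy-07", "cve": "CVE-2012-0158", "cvss": 9.3},
    {"host": "web02", "cve": "CVE-2022-00000", "cvss": 9.8},
    {"host": "kiosk03", "cve": "CVE-2013-3896", "cvss": 4.3},
]


def load_kev(feed_json):
    """Parse the KEV feed into a dict keyed by CVE ID, with ISO dates parsed."""
    kev = {}
    for entry in json.loads(feed_json)["vulnerabilities"]:
        kev[entry["cveID"]] = {
            **entry,
            "dateAdded": date.fromisoformat(entry["dateAdded"]),
            "dueDate": date.fromisoformat(entry["dueDate"]),
        }
    return kev


def triage(findings, kev, today_iso):
    """Split findings into KEV hits (ordered by CISA due date, so overdue items
    come first) and the remainder (ordered by CVSS). Exploited-in-the-wild
    issues are worked before unexploited ones regardless of CVSS score."""
    today = date.fromisoformat(today_iso)
    hits, rest = [], []
    for finding in findings:
        entry = kev.get(finding["cve"])
        if entry is None:
            rest.append(dict(finding))
            continue
        hits.append({**finding,
                     "vendor": entry["vendorProject"],
                     "product": entry["product"],
                     "dueDate": entry["dueDate"],
                     "overdue": entry["dueDate"] < today})
    hits.sort(key=lambda h: (h["dueDate"], h["cve"]))
    rest.sort(key=lambda r: -r["cvss"])
    return hits, rest


def cve_year(cve_id):
    """Year component of a CVE ID (CVE-YYYY-NNNN...), the proxy both reports
    use for the age of a vulnerability."""
    return int(cve_id.split("-")[1])


def share_older_than(kev, year):
    """Fraction of catalog entries whose CVE predates `year` (the article's
    '77% of additions were pre-2022 CVEs' metric). 0.0 for an empty catalog."""
    if not kev:
        return 0.0
    return sum(1 for cve in kev if cve_year(cve) < year) / len(kev)


def update_gaps(kev):
    """Days between consecutive distinct catalog update dates, i.e. the update
    cadence GreyNoise measured (typically four to seven days in 2022)."""
    days = sorted({entry["dateAdded"] for entry in kev.values()})
    return [(later - earlier).days for earlier, later in zip(days, days[1:])]


if __name__ == "__main__":
    catalog = load_kev(KEV_SAMPLE)
    hits, rest = triage(FINDINGS, catalog, "2022-04-01")
    for h in hits:
        status = "OVERDUE" if h["overdue"] else "due"
        print(f"KEV  {h['cve']}  {h['host']:14} {status} {h['dueDate']}  CVSS {h['cvss']}")
    for r in rest:
        print(f"     {r['cve']}  {r['host']:14} not in KEV           CVSS {r['cvss']}")
    print(f"pre-2022 share of catalog: {share_older_than(catalog, 2022):.0%}")
    print("days between catalog updates:", update_gaps(catalog))
```

Run against the constructed data on 2022-04-01, the script puts the two overdue entries first, then the Office bug due in May, and only then the placeholder finding, even though that finding has the highest CVSS score and the Silverlight flaw the lowest. Point `load_kev` at the downloaded live feed and `FINDINGS` at a real scanner export and the same ordering applies to a production backlog.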