“Known exploited vulnerabilities” are usually the simplest category of cyber weakness to shut down. They are also the biggest danger to networks. Why does this apparent contradiction exist? Because, in some cases, organizations do not keep on top of vulnerability scanning and patching.
When known exploited vulnerabilities are made public, it creates a roadmap directly to a security problem. This map is almost always accompanied by a patch, or at the very least remediation advice that neutralizes the threat. But now it’s up to organizations to follow the map to the problem and take care of it. Threat actors and cybercriminals are also following these maps, and any delay creates the possibility of them beating the good guys to it.
This should be a no-brainer as a priority item, but known exploited vulnerabilities continue to be exposed in the wild for months, sometimes years. Organizations may not have the manpower, or even the IT knowledge, to keep up with them. And even when they are adequately equipped, there is sometimes hesitancy to pull the trigger out of fear that patching will create other problems in the system.
Vulnerability scanning simplifies the process of identifying new known exploited vulnerabilities and getting patches and fixes to them as soon as possible. But there are differing approaches to the vulnerability management process, some more efficient than others. Focused vulnerability scanning conducted on a regular basis, with an eye toward reducing time-consuming “false positives,” is absolutely vital in today’s cybersecurity landscape.
The CISA Known Exploited Vulnerability catalog: A starting point for vulnerability scanning
Vulnerability scanning begins with having the most timely and thorough possible source of input. That’s the Cybersecurity & Infrastructure Security Agency (CISA)’s Known Exploited Vulnerability (KEV) catalog. Federal civilian executive branch (FCEB) agencies are required by the government to remediate these vulnerabilities under Binding Operational Directive (BOD) 22-01, but it is also strongly recommended to other organizations as a tool for task prioritization.
The Known Exploited Vulnerability catalog is usually the fastest central source for confirmed vulnerabilities that have had a Common Vulnerabilities and Exposures (CVE) ID assigned to them, have been exploited in the wild, and have an established remediation action available to nullify the danger.
What kind of damage can known exploited vulnerabilities do?
In April 2022, a joint Cybersecurity Advisory Alert (AA22-117A) was issued by the cybersecurity authorities of the United States, Australia, Canada, New Zealand, and the United Kingdom, providing details of the top 15 routinely exploited vulnerabilities for 2021. These were the cybersecurity weaknesses commonly targeted by malicious attackers.
To understand the severity of the “known exploited vulnerabilities” problem, take a look at a few of the most recent and serious threats — all of which have been the subject of CISA bulletins.
The king of the hill is CVE-2021-44228, better known as “Log4Shell.” First emerging in late 2021, this vulnerability is a serious threat to millions of systems that make use of a common logging tool that is embedded in many software packages. With little more than a specially crafted string of code, an attacker can completely take over a target system without the interaction of any employees.
Microsoft Exchange email servers have also experienced a string of known exploited vulnerabilities dating back over a year now. A number of these are “remote code execution” flaws, highly severe openings that can allow an attacker to rapidly escalate privileges and overtake a system once they establish an initial foothold.
Another threat to commonly used Atlassian local server and data center products is similar to Log4Shell in that it does not require the attacker to first compromise user credentials; they can take over a system simply by sending particular requests to the server.
In all cases, these known exploited vulnerabilities were announced to the public after they had been spotted in the wild but before there was common and widespread knowledge or use of them. They all represent issues that are vital to patch once they are announced, as all saw spikes of millions of would-be hacking attempts incorporating them once they became public knowledge.
Streamlining with vulnerability scanning
While it’s possible to assign IT staff to manually stay on top of these notifications as one of their functions, a much more sensible solution is to employ automated vulnerability scanning software that can pop notifications when a relevant and serious threat is listed.
Good vulnerability scanning software also often assists in the patching and remediation process, usually specifically tailored to these CISA notifications. This was especially helpful in addressing the Log4Shell issue, which went through several variations of the vulnerability and is often embedded deep in networks in multiple locations.
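As an added illustration of the catalog-driven prioritization described above (not code from the original article or from any scanning product), the script below cross-references a software inventory against entries shaped like CISA's KEV JSON feed, flags entries newly added since a given date, and ranks matches by how far past the BOD 22-01 due date they are. The feed field names (cveID, vendorProject, product, dateAdded, dueDate, requiredAction) follow the published KEV JSON; the two catalog entries (one real Log4Shell entry, one labelled placeholder) and the inventory are constructed so the example runs offline, and exact vendor/product matching is a simplification of what a real scanner does.

```python
import json
from datetime import date

# Constructed sample shaped like the KEV feed. The live feed is published by CISA at
# https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
SAMPLE_KEV_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2021-44228", "vendorProject": "Apache", "product": "Log4j2",
     "vulnerabilityName": "Apache Log4j2 Remote Code Execution Vulnerability",
     "dateAdded": "2021-12-10", "dueDate": "2021-12-24",
     "requiredAction": "Apply updates per vendor instructions."},
    # Placeholder entry (not a real CVE) used only to show the 'newly listed' filter.
    {"cveID": "CVE-1900-0001", "vendorProject": "ExampleVendor", "product": "ExampleProduct",
     "vulnerabilityName": "Placeholder entry", "dateAdded": "2022-01-05",
     "dueDate": "2022-01-26", "requiredAction": "Apply updates per vendor instructions."},
]})

# Constructed asset inventory: app01 embeds Log4j2, db01 runs nothing in the sample feed.
SAMPLE_INVENTORY = [
    {"host": "app01", "vendor": "apache", "product": "log4j2"},
    {"host": "db01", "vendor": "PostgreSQL", "product": "PostgreSQL"},
]


def load_kev(kev_json):
    """Return the list of catalog entries from a KEV-shaped JSON document."""
    return json.loads(kev_json)["vulnerabilities"]


def new_entries(kev_json, since_iso):
    """Entries added to the catalog after `since_iso` (the 'notify when listed' trigger)."""
    since = date.fromisoformat(since_iso)
    return [v for v in load_kev(kev_json) if date.fromisoformat(v["dateAdded"]) > since]


def match_kev(kev_json, inventory, today_iso):
    """Cross-reference inventory against the catalog; rank by days past the due date."""
    today = date.fromisoformat(today_iso)
    findings = []
    for v in load_kev(kev_json):
        for asset in inventory:
            if (v["vendorProject"].lower() == asset["vendor"].lower()
                    and v["product"].lower() == asset["product"].lower()):
                due = date.fromisoformat(v["dueDate"])
                findings.append({"host": asset["host"], "cveID": v["cveID"],
                                 "dueDate": v["dueDate"], "days_past_due": (today - due).days,
                                 "action": v["requiredAction"]})
    # Most overdue first: these are the items attackers have had the longest to exploit.
    return sorted(findings, key=lambda f: f["days_past_due"], reverse=True)


if __name__ == "__main__":
    for finding in match_kev(SAMPLE_KEV_JSON, SAMPLE_INVENTORY, date.today().isoformat()):
        print(finding)
```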
But vulnerability scanning is not as simple as just drawing on CISA notifications. Alone, the Known Exploited Vulnerability catalog and the BOD 22-01 do not provide enough inputs for an organization to know exactly how high a priority some vulnerabilities are to their specific environment. This is where vulnerability assessments and penetration tests conducted by experienced and qualified professionals can help in determining the actual cyber risk to your organization and reducing the significant risk of known exploited vulnerabilities.
At a minimum, focused and regular vulnerability scanning that prioritizes known exploited vulnerabilities is key to quickly taking out problems that are both relatively straightforward to fix, and relatively easy for attackers to exploit if they are not fixed.
Ask for a free Known Exploited Vulnerability (KEV) scan of your publicly accessible systems today!