Researchers at Cyber Security Works, Ivanti, and Cyware identify new vulnerabilities, blindspots in popular network scanners, and emerging Advanced Persistent Threat (APT) groups in a joint ransomware report.
By Aaron Sandeen, CEO and co-founder of Cyber Security Works
Since our last ransomware report earlier this year, both the severity and complexity of attacker tactics have continued to grow as we head into the final quarter of 2022. The total number of vulnerabilities known to be used by ransomware has climbed to 323, roughly a 450% increase since ransomware became a prevalent threat in 2019. That is a lot to be on the lookout for! However, not all ransomware vulnerabilities are the same, and our team has compiled this research to help you prioritize among them.
Researchers across Cyber Security Works, Ivanti, and Cyware have compiled the key figures from data gathered during the second and third quarters of this year. In addition to new vulnerabilities, researchers found that popular network scanners routinely fail to identify known ransomware vulnerabilities, that three new Advanced Persistent Threat (APT) groups have begun deploying ransomware, and that the CISA Known Exploited Vulnerabilities (KEV) catalog does not list about a third of the vulnerabilities associated with ransomware.
While the findings may appear to be signs of a worsening cybersecurity landscape, it is not all doom and gloom. Of the 323 ransomware vulnerabilities found in the wild, 57 have now been mapped end to end to the MITRE ATT&CK kill chain. Documentation continues to grow as the industry comes together to collectively address the threat of ransomware. With the release of our report, we hope to share this knowledge to fight the ransomware menace.
New vulnerabilities, new threat actors
Our team of researchers found 13 new vulnerabilities associated with ransomware in Q2 and Q3, 10 of which carry a Common Vulnerability Scoring System (CVSS) v3.0 “critical” severity score. Although four of these vulnerabilities were only recently linked to ransomware, they have been exploited in the wild for a little over a year. This highlights the importance of continuous network monitoring rather than one-off assessments.
Vulnerabilities CVE-2022-26352 (dotCMS), CVE-2021-40539 (Zoho ManageEngine ADSelfService Plus), and CVE-2021-20023 (SonicWall Email Security) give adversaries a foothold in internet-facing web applications that can lead to remote execution of malicious code. CVE-2022-26352 (dotCMS) also serves a double purpose: it is an easy entry point for attackers and allows them to gain elevated privileges once inside.
In addition to finding the latest vulnerabilities, we document the movements of APT groups each quarter to keep watch as they continually add ransomware capabilities to their arsenal. Over the past two quarters, we identified Andariel, Tropical Scorpius, and DEV-0530 utilizing ransomware against their victims.
Andariel – Tracked as a subgroup of the Lazarus Group, Andariel is suspected to operate out of North Korea, and its number of attacks has grown considerably. Deploying the Maui ransomware, Andariel has targeted crypto platforms and both private and public companies across North America, Europe, and Asia.
Tropical Scorpius – With unknown origins, Tropical Scorpius has been documented to specifically target American organizations in government, manufacturing, healthcare, finance, and high tech. This group is known to favor the Cuba ransomware payload.
DEV-0530 – This group also has ties to North Korea and is suspected to collaborate with the Andariel group in coordinating attacks.
Blindspots in popular scanners
Network scanners are a relatively cheap and easy way to monitor your organization’s assets with little active management. However, after testing Nessus (Tenable), Nexpose (Rapid7), and Qualys, we found they can miss up to 18 ransomware vulnerabilities. To categorize the severity of each vulnerability, we used the CVSS v3 rating system. This poses a problem, because the National Vulnerability Database only assigns CVSS v3 scores to vulnerabilities published from late 2015 onward; older entries carry only a v2 score or none at all. Using proprietary machine learning frameworks, CSW derived a severity score equivalent to CVSS v3 for those (falling back to the v2 score where no v3 score was available).
Of the 18 vulnerabilities, here is what we found:
Once severity ratings were derived, 11 of the 18 vulnerabilities ranked Critical or High, yet no plugin exists to detect them in any of the Nessus, Nexpose, or Qualys scanners.
Interestingly, two vulnerabilities (CVE-2019-9081 and CVE-2015-2551) still have no severity rating at all, because the National Vulnerability Database rejected the entries and a rejected CVE is never scored. That lack of a score says nothing about risk: CVE-2019-9081 is actively exploited by the Satan and Mailto ransomware groups, and CVE-2015-2551 by multiple groups.
Ransomware vulnerabilities missing from CISA KEV catalog
CISA’s KEV catalog is the federal government’s running list of vulnerabilities that are known to be exploited in the wild. The list was created on November 03, 2021, and started with only 287 vulnerabilities. Today its collection has soared to 800+ and keeps growing, as CISA adds entries continually as new in-the-wild exploitation is confirmed.
Under Binding Operational Directive 22-01, federal civilian executive branch agencies are mandated to remediate every vulnerability in the KEV catalog by its due date; CISA strongly recommends that state and local governments and private organizations do the same, and the catalog is a great introduction to vulnerability management strategies for them. Of the 323 vulnerabilities associated with ransomware, however, the catalog currently lists only 199, leaving 124 missing.
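The two gaps described above (vulnerabilities no scanner has a plugin for, and ransomware vulnerabilities absent from the KEV catalog) are both things a team can check for itself once it has a list of ransomware-associated CVEs. The script below is an added example, not code from the report or from CSW, Ivanti, or Cyware. It reads a feed in the shape of CISA's public KEV JSON (the real feed exposes `vulnerabilities[].cveID` and `dueDate`, among other fields), joins it with a plugin-coverage map for the three scanners named in the text, and orders the result so that undetectable and uncatalogued CVEs surface first. The KEV sample, the severities and the scanner coverage flags are all constructed for the example; which CVEs appear in the live catalog should be taken from the feed itself, not from this snippet. Unrated CVEs (the NVD-rejected case) are deliberately sorted with Critical rather than dropped to the bottom.

```python
"""Cross-check ransomware-associated CVEs against the CISA KEV feed and scanner
plugin coverage, surfacing CVEs that no scanner detects or that KEV omits.
Added example; feed contents, severities and coverage below are constructed."""
from __future__ import annotations

import json
from dataclasses import dataclass
from typing import Iterable, Mapping, Optional

SCANNERS = ("Nessus", "Nexpose", "Qualys")

# Constructed sample in the shape of the real KEV feed
# (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
# Membership here is illustrative, not a snapshot of the live catalog.
KEV_FEED_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "2022.10.20",
    "count": 2,
    "vulnerabilities": [
        {"cveID": "CVE-2021-40539", "vendorProject": "Zoho",
         "product": "ManageEngine ADSelfService Plus",
         "dateAdded": "2021-11-03", "dueDate": "2021-11-17"},
        {"cveID": "CVE-2021-20023", "vendorProject": "SonicWall",
         "product": "Email Security",
         "dateAdded": "2021-11-03", "dueDate": "2021-11-17"},
    ],
})

# Constructed ransomware-CVE list: CVE -> CVSS v3 severity (None = no rating,
# e.g. an NVD-rejected entry).  Values are illustrative.
RANSOMWARE_CVES: dict[str, Optional[str]] = {
    "CVE-2021-40539": "Critical",
    "CVE-2022-26352": "Critical",
    "CVE-2021-20023": "Medium",
    "CVE-2019-9081": None,
    "CVE-2015-2551": None,
}

# Constructed plugin-coverage map: scanners with a detection plugin per CVE.
# CVEs absent from the map have no plugin in any scanner in this sample.
SCANNER_COVERAGE: dict[str, set[str]] = {
    "CVE-2021-40539": {"Nessus", "Nexpose", "Qualys"},
    "CVE-2022-26352": {"Nessus"},
    "CVE-2021-20023": {"Nessus", "Qualys"},
}

SEVERITY_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}


@dataclass(frozen=True)
class Finding:
    cve: str
    severity: Optional[str]
    in_kev: bool
    kev_due: Optional[str]
    missing_scanners: tuple[str, ...]

    @property
    def undetectable(self) -> bool:
        """True when no scanner in scope has a plugin for this CVE."""
        return len(self.missing_scanners) == len(SCANNERS)


def load_kev(feed_json: str) -> dict[str, dict]:
    """Parse a KEV-shaped feed into {cveID: entry}, checking the advertised count."""
    feed = json.loads(feed_json)
    entries = {v["cveID"]: v for v in feed["vulnerabilities"]}
    if feed.get("count") is not None and feed["count"] != len(entries):
        raise ValueError(f"KEV feed count {feed['count']} != {len(entries)} entries")
    return entries


def triage(cves: Mapping[str, Optional[str]], kev: Mapping[str, dict],
           coverage: Mapping[str, Iterable[str]]) -> list[Finding]:
    """One Finding per CVE, worst blind spots first: undetectable before
    detectable, missing-from-KEV before in-KEV, then by severity.
    Unrated CVEs sort with Critical, since 'no score' is not 'low risk'."""
    findings = []
    for cve, sev in cves.items():
        have = set(coverage.get(cve, ()))
        entry = kev.get(cve)
        findings.append(Finding(
            cve=cve, severity=sev, in_kev=entry is not None,
            kev_due=entry.get("dueDate") if entry else None,
            missing_scanners=tuple(s for s in SCANNERS if s not in have),
        ))
    return sorted(findings, key=lambda f: (
        not f.undetectable, f.in_kev, SEVERITY_RANK.get(f.severity, 0), f.cve))


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Headline counts of the kind the report quotes."""
    return {
        "total": len(findings),
        "in_kev": sum(f.in_kev for f in findings),
        "missing_from_kev": sum(not f.in_kev for f in findings),
        "undetectable": sum(f.undetectable for f in findings),
        "unrated": sum(f.severity is None for f in findings),
    }


if __name__ == "__main__":
    kev = load_kev(KEV_FEED_JSON)
    findings = triage(RANSOMWARE_CVES, kev, SCANNER_COVERAGE)
    for f in findings:
        print(f"{f.cve:15} sev={f.severity or 'UNRATED':8} "
              f"kev={'yes' if f.in_kev else 'NO':3} "
              f"no_plugin={','.join(f.missing_scanners) or '-'}")
    print(summarize(findings))
```

To run this against the real catalog, replace `KEV_FEED_JSON` with the downloaded feed and `SCANNER_COVERAGE` with the plugin lookups your scanner exports; the `count` check in `load_kev` catches a truncated download before it silently reports every CVE as missing.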
Earlier this October, CISA released Binding Operational Directive 23-01, which requires federal civilian agencies to improve asset visibility and vulnerability detection, with automated asset discovery at least every seven days and vulnerability enumeration across those assets at least every 14 days. The directive highlights that vulnerability enumeration must reach beyond the scope of the KEV catalog, and in practice that means routine scanning of an organization’s entire network perimeter to stay ahead of the latest threats.
Asset visibility and vulnerability detection are easier said than done. We recommend learning exactly how ransomware groups deploy and execute their attacks, so you know where to look and can think like the adversary. To make this easier for network security teams, CSW’s research team used the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) kill chain to map exactly how threat groups exploit vulnerabilities, step by step, for 57 of the ransomware vulnerabilities. Via these vulnerabilities, threat groups can take complete control of a system from end to end, deploy arbitrary code, escalate privileges within the network, and steal data. To learn more about our process, read more about it here or reach out to us directly.
I hope you find this information as enlightening as it has been for me and the CSW team. Although a pervasive menace, ransomware can be fought and defeated by utilizing data, intelligence, expertise and a collaborative security community.