The US Cybersecurity and Infrastructure Security Agency (CISA) has initiated the Ransomware Vulnerability Warning Program. This initiative aims to identify and alert owners of systems that may be susceptible to ransomware attacks.
CISA recently unveiled their Cyber Security Evaluation Tool, a desktop software application that guides asset owners and operators through an organized process to assess their cybersecurity posture. It also includes the Ransomware Readiness Assessment module which tests network defenses to see how well equipped they are against ransomware attacks.
RVWP Identifies Vulnerabilities
CISA has launched the Ransomware Vulnerability Warning Program (RVWP) to assist organizations in strengthening their security posture against ransomware attacks. RVWP detects vulnerabilities that are relevant for ransomware attacks and notifies owners of such flaws.
CISA’s CVE Catalog lists vulnerabilities ranked by severity and then categorised according to risk level. This allows organizations to quickly assess which security threats are more important than others.
Recently, several vulnerabilities associated with ransomware attacks were uncovered. These include a flaw in Cisco’s Small Business RV Series Routers that could allow an attacker to escalate privileges, and another in the Windows Print Spooler Service which allows an adversary to remotely execute code with system-level access.
One other pressing security issue being reported involves a vulnerability in Cisco’s WebVPN that could allow remote attackers to gain unauthorized access to sensitive information. Two of the vulnerabilities, CVE-2022-20700 and CVE-2022-20701, rate critical with CVSS scores of 10 and 9, respectively; while another vulnerability, CVE-2022-20702, rates medium severity at 6CVSS points.
Although these vulnerabilities do not pose a direct risk to an organization, they still need to be kept in mind by those working in cybersecurity. Just like with any other vulnerability, the more aware a vulnerable system is of its potential exposure to threats, the easier it will be to mitigate them.
Organizations affected by ransomware are encouraged to apply relevant security updates, enable strong spam filters and install antivirus software to safeguard their networks. Furthermore, they should implement a cybersecurity awareness training program in order to gain greater insight into ransomware’s threats and how it could potentially impact their operations.
The FBI and CISA have issued a joint Cybersecurity Advisory warning about an advanced persistent threat group associated with Iran that is exploiting Fortinet and Microsoft Exchange ProxyShell vulnerabilities to gain initial access to systems before conducting subsequent operations, such as ransomware deployments. To aid network defenders in tracking these actors and their activities, the CSA includes a downloadable STIX file of IOCs.
Criminal ransomware groups have a history of targeting public and private organizations, especially those with sensitive data such as healthcare or banking institutions. These incidents can disrupt business operations and leave organizations unable to operate. Furthermore, victims often need to recoup millions of dollars annually in losses. Fortunately, there are various tools and resources that can be used to protect against ransomware attacks like the CISA/Multi-State Information Sharing and Analysis Center (MS-ISAC) Joint Ransomware Guide and CISA’s cyber resilience assessments.
RVWP Notifies Owners
CISA has launched the Ransomware Vulnerability Warning Program (RVWP) to alert owners about threats affecting their network infrastructure. This initiative takes advantage of existing resources by sending timely notifications about vulnerabilities and malicious actors associated with ransomware.
RVWP was created to notify owners about systemic vulnerabilities and warn them of attackers targeting their networks and the organizations they serve, including government agencies. In addition to providing details about vulnerable devices, the program also offers a suite of tools designed to help organizations manage the impact of a vulnerability.
One such tool is the CISA Catalog, a repository of publicly disclosed vulnerabilities related to ransomware attacks. Through this Catalog, organizations can quickly prioritize those threats which pose greatest risk to their networks and take immediate steps for remediation.
Additionally, the Catalog provides a range of indicators to help defenders anticipate what their environment may hold. These could include vulnerability trends, attack vectors and threat actors.
CISA recommends organizations take a comprehensive approach to protecting against ransomware, from security awareness to detection and mitigation. As part of this effort, organizations should implement the following best practices:
Implement a strong password policy and teach users how to select and protect their passwords. Doing so can significantly reduce the chance of being targeted by phishing attempts.
Enable and enforce multifactor authentication, if applicable, to protect against unauthorized users. Furthermore, make sure employees receive adequate training on how to identify phishing attempts.
Additionally, a comprehensive threat intelligence program that integrates network analytics with machine learning-based models can assist organizations in recognizing and responding to malicious activity. For ransomware specifically, this could involve detecting abnormal traffic patterns and potential traversal of indicated ransomware using a network monitoring tool, as well as detecting compromised accounts through SIEM.
In 2022, threat actors used Hive ransomware to target a wide range of businesses and critical infrastructure sectors such as Government Facilities, Communications, Critical Manufacturing, Information Technology, Healthcare & Public Health (HPH). These attacks usually began by exploiting an identified vulnerability within the victim’s network.
RVWP Leverages Existing Services
RVWP utilizes existing services to reduce the risk of ransomware and boost resilience against this cyber threat. These solutions include:
CISA provides cybersecurity awareness training and education programs; free cyber hygiene services to organizations; assessments to evaluate their security posture and harden systems against attacks; response resources for cybersecurity incidents; and more.
RVWP can identify and prioritize vulnerabilities, alert owners of those vulnerabilities, and offer them a range of mitigation options to prevent or respond to ransomware attacks.
CISA has also created a program and issued guidance to public and private sector entities on mitigating ransomware risks. These tools, resources, cybersecurity training classes and awareness sessions are intended to safeguard critical information assets while increasing an organization’s resilience against cyberattacks.
CISA recently issued guidance on how managed service providers (MSPs) can safeguard against ransomware threats. This guidance covers key topics like security hygiene, data security and incident response planning.
The guidance also contains a list of recommended mitigations to aid MSPs in anticipating and responding to ransomware incidents.
These recommendations are in line with a series of new initiatives from the United States government to combat ransomware’s growing threat. Most recently, the US Department of Homeland Security issued its Framework for Protecting National Infrastructure and Public Health from Ransomware which outlines an organized international strategy to deter ransomware attacks.
Therefore, the US government is intensifying its efforts to combat ransomware and disrupt the criminal business model associated with this threat. These initiatives are focused on four primary objectives:
First, the Framework advocates for a unified international strategy to prevent nation-states from providing safe havens to ransomware criminals. Second, an interagency working group should be created to coordinate an efficient response to ransomware attacks. Finally, an informal private industry threat detection cooperative could supplement government initiatives.
In addition to the Framework, CISA and the FBI have issued multiple advisory alerts warning of an increasing ransomware threat, such as Conti, Hancitor, and PYSA. In each case, CISA and FBI provide technical details, adversary behavior mapped to MITRE ATT&CK standards, and recommended mitigations.
RVWP Scales
CISA has launched the Ransomware Vulnerability Warning Program to provide real-time alerts and threat intelligence to organizations so they can protect their networks. The RVWP builds upon existing CISA services while adding new tools and resources for protecting against this growing danger.
This program focuses on three primary areas: vulnerabilities, alerts and threats. The purpose is to reduce the risk of compromised systems and enhance speed and effectiveness in cyber incident response.
CISA’s Resistant Vibration Warning Program (RVWP) includes a series of cyber security alerts and advisory documents to help organizations strengthen their defenses against ransomware attacks. These advisories provide technical information, adversary behavior mapped to MITRE ATT&CK models, as well as recommended mitigations.
For instance, the alert on Conti ransomware provides technical details of the attack and recommended mitigations to help network defenders reduce their risks. It also provides a map of attacker techniques and indicators of compromise to aid detection and investigation into the malware.
One essential element of the RVWP is CISA’s Cyber Security Evaluation Tool (CSET). This self-assessment tool enables organisations to assess their cybersecurity practices against government and industry standards and guidelines.
One of the most effective methods for protecting against ransomware is network segmentation, which controls traffic flows between and access to various subnetworks. Doing this will significantly restrict lateral movement, privilege escalation and exfiltration by restricting access to vulnerable network elements.
Thirdly, one way to prevent ransomware is by auditing and controlling all hardware and software assets within an organization. This simple step may be overlooked, but it has become increasingly crucial in today’s cyber environment.
Finally, organisations should audit the use of privileged accounts and make sure they do not allow malicious actors access to critical system resources. This should be done according to the principle of least privilege and may involve reviewing domain controllers, servers and workstations for new or unrecognized accounts as well as configuring access controls according to this principle.
