Download Ransomware Index Update Q1 2022

20 Percent of CVEs Listed in CISA’s Latest Directive have Ransomware Associations

Posted on Nov 15, 2021 | Updated on May 25, 2022 | By Surojoy Gupta

A directive recently released by the US government-backed Cybersecurity and Infrastructure Security Agency has a list of 703 known vulnerabilities that organizations have been asked to focus on patching immediately. Amongst the vulnerabilities, 158 vulnerabilities have been identified as being exploited actively by various ransomware families. Read on to learn more about the vulnerabilities.

 

On November 03, 2021, the Cybersecurity and Infrastructure Security Agency (CISA) released a list of known exploited vulnerabilities in a directive aimed at organizations from all sectors. With regular upates to the list, the final count now stands at 703 KEVs. The CISA list puts special emphasis towards patching known and exploited vulnerabilities associated with software and hardware commonly found on the US federal information systems, and those used by third party agencies.

 

On November 15, 2021, CISA published a list of vulnerabilities as part of the Industrial Control Systems Advisory (ICSA) that are found in data distribution and implementation service software. 

 

Our security analysts took a deeper look at the list and discovered that several of the vulnerabilities have been exploited by or are associated with multiple ransomware groups. 

Ransomware CVEs 158
Exploited CVEs 116
CVEs with RCE/PE 100
Total trending CVEs 138


CSW Ransomware Reports Call Out 157 of the 158 vulnerabilities

CSW experts have mentioned 157 of the 158 vulnerabilities that have ransomware associations in the Ransomware Spotlight Report 2021 and 2022, and their subsequent index updates.
 

We have also identified a total of 138 unique ransomware groups that are associated with the ransomware vulnerabilities in CISA’s KEVs. Our researchers have also noted that out of a total of  158 ransomware vulnerabilities, 86 vulnerabilities are also actively exploited by Advanced Persistent Threat (APT) groups.

 

CVEs with Most Ransomware Associations

The top five CVEs with the highest number of ransomware family associations include:
 

CVE IDs

No. of Ransomware Associations

CVE-2018-4878

41

CVE-2017-0144

17

CVE-2017-0145

16

CVE-2017-0147

13

CVE-2019-19781

12

 

Top Vendors Affected by Ransomware

Our research on the vendors most affected by ransomware puts Microsoft at the top of the list with 737 affected products, and Apache in second position with 607 products. 

Here is a detailed insight into the Top Vendors Affected by Ransomware.

 

Vendor

Overall Affected Products

Most Critical CVE

Ransomware Associations

Microsoft

737

CVE-2020-1472

7

Apache

607

CVE-2017-5638

4

VMware

577

CVE-2021-21972

2

Oracle

530

CVE-2019-2725

7

Adobe

314

CVE-2018-15982

5

 

Top Products Affected by Ransomware

Our analysts noted that Oracle’s Java Software Environment  was the worst hit by ransomware and accounted for 497 affected products. VMWare’s ESXi and Horizon DaaS Appliances take the second spot. The Apache Log4j logging library that created a security storm in late 2021 comes in third with 378 affected products, closely followed by Microsoft Windows, Windows Server and the popular Office suite. Zoho ManageEngine Self Service engine makes the cut into the top five most affected products.

Product

Vendors

No. of Products Affected

Java SE

Oracle

497

ESXi, Horizon DaaS Appliances

VMware

474

Log4j2

Apache

378

Windows, Windows Server, Office

Microsoft

340

ManageEngine ADSelfServicePlus

Zoho

170

 

Top Trending CVEs

There are a total of 138 CVEs that are trending, of which Microsoft has a majority of products. Of these  vulnerabilities, our team of expert pentesters have prioritized a handful of them for further research. Here is an in-depth analysis of the trending CVEs selected by our researchers which have the largest impact:

CVE

Vendor

Product

Severity |

CVSS V3 Score

Number of Products

Affected

CVE-2017-5638

Apache

Struts

Critical | 10.0

53

CVE-2020-0796

Microsoft

SMBv3

Critical | 10.0

4

CVE-2020-1472

Microsoft

Netlogon Remote

Protocol (MS-NRPC)

Critical | 10.0

24

CVE-2021-22205

ExifTool

ExifTool

Critical | 10.0

6

CVE-2021-44228

Apache

Log4j2

Critical | 10.0

378

 

Ransomware CVEs that Ought to be Patched in June 2022

Out of the 138 most trending vulnerabilities, CISA has identified 3 that need to be patched by June 2022. 

CVE

Vendor

Product

CVSS Severity

CVE-2017-0147

Microsoft

SMBv1 server

MEDIUM

CVE-2017-12149

Red Hat

JBoss Application Server

CRITICAL

CVE-2018-14847

MikroTik

RouterOS

CRITICAL

 

For an overall analysis of all CISA warned vulnerabilities, and those that need to be addressed immediately, refer to our blog.

 

Fix these Vulnerabilities Now! Conduct Regular Ransomware Pentesting Assessments to Secure your Attack Surface. 

Of the known and exploited vulnerabilities that CISA places emphasis on in their directive for organizations to patch,  vulnerabilities with ransomware associations require immediate attention and urgent patching.  

 

At CSW, our expert pentesters and security researchers can help you prioritize the patching of the ransomware vulnerabilities and ensure that all organizations meet the deadlines set by the directive. 

 

CSW experts believe that organizations that conduct monthly or quarterly ransomware penetration assessments have a greater chance of identifying and fixing vulnerabilities that can potentially affect their systems, thereby ensuring a secure attack surface. This in turn helps to improve an organization’s cyber hygiene, reinforces security management teams and boosts brand reputation.

 

Worried about how susceptible your organization is to a ransomware attack? 

Get a Ransomware Penetration Test done today! 

Click here to talk to us. 
 

Never miss a patch or an update with CSW's Patch Watch Newsletter. Subscribe now!

csw

Secure your environment from cyber-attacks!

Know How

incognito