Source URL: https://www.theregister.com/2025/02/28/cisa_kev_list_ransomware/
Source: The Register
Title: Ransomware criminals love CISA’s KEV list – and that’s a bug, not a feature
Feedly Summary: 1 in 3 entries are used to extort civilians, says new paper
Fresh research suggests attackers are actively monitoring databases of vulnerabilities that are known to be useful in carrying out ransomware attacks.…
AI Summary and Description: Yes
**Summary:**
The text discusses findings from GreyNoise’s annual Mass Internet Exploitation Report, which reveals that attackers exploit known vulnerabilities in ransomware attacks and highlights CISA’s Known Exploited Vulnerabilities (KEV) catalog as a resource that attackers also draw on. The report identifies specific vulnerabilities and criticizes vendors Ivanti, D-Link, and VMware for their inadequate handling of security flaws, urging organizations to adopt better security practices and possibly switch vendors.
**Detailed Description:**
The report by GreyNoise provides crucial insights into the intersection of vulnerabilities and ransomware exploitation, emphasizing the importance of proactive security measures for organizations. Key points from the report include:
– **Use of KEV Catalog by Attackers:**
  – **28% of vulnerabilities** in the KEV catalog were utilized in 2024 ransomware attacks.
  – The KEV catalog serves as a tool for attackers to identify exploits that have already proven successful and aids them in planning future attacks, raising concerns about its dual-use nature.
– **Noteworthy Vulnerabilities:**
  – Examples of exploited vulnerabilities include:
    – **CVE-2024-50623** in Cleo Harmony: a remote code execution flaw exploited before it was added to the KEV list.
    – **CVE-2024-1212** in Progress’s Kemp LoadMaster: a critical command execution vulnerability exploited before its official listing.
  – Commonly exploited vulnerabilities also included older flaws affecting home routers, particularly:
    – **CVE-2018-10561**: an authentication bypass flaw whose exploitation was prevalent in APAC.
    – **CVE-2014-8361**: a critical vulnerability affecting multiple router brands, exploited for cryptocurrency mining and DDoS attacks.
– **Call to Action for Organizations:**
  – **Ivanti, D-Link, and VMware** were singled out for poor vulnerability management.
    – Ivanti faced multiple zero-day vulnerabilities, leading to severe compromises.
    – D-Link’s failure to patch critical vulnerabilities created a significant risk.
    – VMware was criticized for delays in patching critical flaws exploited by attackers.
– **Recommendations for Security Improvements:**
  – GreyNoise urged organizations to enhance their security monitoring and evaluation processes.
  – It also strongly recommended considering alternatives to the vendors named above, favouring suppliers that maintain better security practices and a proactive approach to vulnerability management.
– **Conclusion:**
  – The findings underscore the persistent threat posed by both legacy and new vulnerabilities, highlighting the need for organizations to take immediate and concrete action to bolster their security frameworks.
By addressing these vulnerabilities and understanding the methods employed by ransomware attackers, organizations can implement more effective security strategies to mitigate risks and enhance their overall security posture.