CISA adds two resources to its RVWP initiative, focused on cybersecurity prioritization and mitigation efforts

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) introduced two new resources to combat ransomware campaigns as part of the Ransomware Vulnerability Warning Pilot (RVWP). The first is a designated ‘Known to be Used in Ransomware Campaigns’ column in the Known Exploited Vulnerability (KEV) catalog, flagging the KEV entries linked to ransomware campaigns; the second is a table on StopRansomware.gov titled ‘Misconfigurations and Weaknesses Known to be Used in Ransomware Campaigns.’

“Today, we are pleased to announce some new resources added to the RVWP. Through the RVWP, CISA determines vulnerabilities that are commonly associated with known ransomware exploitation and warns critical infrastructure entities with those vulnerabilities, helping to enable mitigation before a ransomware incident occurs,” Sandra Radesky, CISA’s associate director of vulnerability management, and Gabriel Davis, lead operations risk advisor, wrote in a Thursday CISA blog post. 

“Now, all organizations have access to this information in our known exploited vulnerabilities (KEV) catalog as we added a column titled, ‘known to be used in ransomware campaigns,’” the executives added. “For present vulnerabilities and all future to be added to the catalog, this column indicates whether CISA is aware that a vulnerability has been associated with ransomware.”

Furthermore, CISA has developed a second RVWP resource, a companion list of misconfigurations and weaknesses known to be used in ransomware campaigns. The list helps organizations identify services known to be abused by ransomware threat actors so they can implement mitigations or compensating controls.

All federal civilian executive branch (FCEB) agencies are required to remediate vulnerabilities in the KEV catalog within prescribed timeframes under Binding Operational Directive (BOD) 22-01, Reducing the Significant Risk of Known Exploited Vulnerabilities. Although not bound by BOD 22-01, every other organization, including state, local, tribal, and territorial (SLTT) governments and private industry, can strengthen its security and resilience posture by prioritizing the remediation of the vulnerabilities listed in the KEV catalog as well.

Moreover, CISA ‘strongly recommends all stakeholders include a requirement to immediately address KEV catalog vulnerabilities as part of their vulnerability management plan. Doing so will build collective resilience across the cybersecurity community.’

The KEV catalog sends a clear message to organizations: prioritize remediation on the subset of vulnerabilities that are causing immediate harm because adversaries are actively exploiting them. Organizations should use the KEV catalog as an input to their vulnerability management prioritization framework.

Vulnerability management frameworks such as the Stakeholder-Specific Vulnerability Categorization (SSVC) model take a vulnerability’s exploitation status into account, and the KEV catalog serves as the authoritative repository of that information. Organizations should also consider automated vulnerability and patch management tools that ingest the catalog and flag or prioritize KEV vulnerabilities automatically.
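The prioritization step described above, as an added example that is not CISA’s own tooling: a scanner’s findings are joined against a KEV-format catalog, and anything the catalog marks as used in ransomware campaigns is pushed to the top, ordered within each group by the BOD 22-01 due date. The catalog excerpt and scanner output are constructed, and the CVE IDs are placeholders rather than real vulnerabilities. The field names (`cveID`, `dueDate`, `knownRansomwareCampaignUse`, `requiredAction`) follow the public KEV JSON feed, `known_exploited_vulnerabilities.json`; the assumption here is that the ransomware column is exposed in that feed with the value `Known` when CISA has associated the vulnerability with ransomware.

```python
"""Prioritize scanner findings against a KEV-format catalog (added example)."""
import json
from datetime import date

# Constructed catalog excerpt shaped like CISA's KEV JSON feed
# (known_exploited_vulnerabilities.json). The CVE IDs are placeholders,
# not real vulnerabilities.
SAMPLE_KEV_JSON = json.dumps({
    "title": "constructed sample, not the real catalog",
    "vulnerabilities": [
        {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor",
         "product": "Edge Gateway", "dateAdded": "2023-09-01",
         "dueDate": "2023-09-22", "knownRansomwareCampaignUse": "Known",
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor",
         "product": "Mail Server", "dateAdded": "2023-10-05",
         "dueDate": "2023-10-26", "knownRansomwareCampaignUse": "Unknown",
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-0000-0003", "vendorProject": "OtherVendor",
         "product": "Web Portal", "dateAdded": "2023-10-10",
         "dueDate": "2023-10-31", "knownRansomwareCampaignUse": "Known",
         "requiredAction": "Apply updates per vendor instructions."},
    ],
})

# Constructed scanner output: asset name -> CVE IDs detected on it.
SAMPLE_FINDINGS = {
    "vpn-01": ["CVE-0000-0001", "CVE-0000-0002"],
    "web-02": ["CVE-0000-0003"],
    "db-03": ["CVE-0000-9999"],   # not in the catalog: ordinary scoring applies
}


def load_kev(raw_json):
    """Parse a KEV-format document into a dict keyed by CVE ID."""
    doc = json.loads(raw_json)
    return {entry["cveID"]: entry for entry in doc["vulnerabilities"]}


def prioritize(findings, kev, today):
    """Return KEV-listed findings, ransomware-linked first, then by due date.

    Findings absent from the catalog are dropped here so they fall back to
    the organization's ordinary scoring (CVSS, SSVC, asset criticality).
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    rows = []
    for asset, cve_ids in findings.items():
        for cve_id in cve_ids:
            entry = kev.get(cve_id)
            if entry is None:
                continue
            due = date.fromisoformat(entry["dueDate"])
            rows.append({
                "asset": asset,
                "cve": cve_id,
                "product": f'{entry["vendorProject"]} {entry["product"]}',
                "ransomware": entry.get("knownRansomwareCampaignUse") == "Known",
                "due_date": due,
                "days_overdue": max((today - due).days, 0),
                "action": entry["requiredAction"],
            })
    # Ransomware-linked entries first; within each group the earliest
    # (most overdue) BOD 22-01 due date first, then asset name for stability.
    rows.sort(key=lambda r: (not r["ransomware"], r["due_date"], r["asset"]))
    return rows


if __name__ == "__main__":
    catalog = load_kev(SAMPLE_KEV_JSON)
    for row in prioritize(SAMPLE_FINDINGS, catalog, "2023-10-12"):
        flag = "RANSOMWARE" if row["ransomware"] else "kev"
        print(f'{flag:10} {row["asset"]:8} {row["cve"]:14} '
              f'due {row["due_date"]} overdue {row["days_overdue"]}d  '
              f'{row["product"]}')
```

To run this against the real catalog, replace `SAMPLE_KEV_JSON` with the contents of CISA’s published feed and `SAMPLE_FINDINGS` with the scanner export; the ordering puts the ransomware-linked, overdue findings at the top of the queue, which is the outcome the KEV column is meant to drive.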

A vulnerability is added to the KEV catalog only when it meets three criteria: it has an assigned Common Vulnerabilities and Exposures (CVE) ID; there is reliable evidence that it has been actively exploited in the wild; and there is a clear remediation action for it, such as a vendor-provided update.

The ‘Misconfigurations and Weaknesses Known to be Used in Ransomware Campaigns’ listing provides information on weaknesses and misconfigurations that threat actors commonly exploit in ransomware campaigns. Unlike the KEV catalog, its entries are not CVE-based. The chart highlights specific misconfigurations and weaknesses associated with ransomware campaigns and includes a column giving the Cyber Performance Goal (CPG) action for each identified misconfiguration or weakness.

CISA established the RVWP in January 2023, as required by the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) of 2022. Ransomware has disrupted critical services, businesses, and communities worldwide, and many of these incidents are perpetrated by ransomware actors exploiting known vulnerabilities (CVEs). However, many organizations may be unaware that a vulnerability used by ransomware threat actors is present on their network, and the RVWP was established to help organizations overcome this potential blind spot.

Since it was established, CISA’s RVWP has initiated notifications for over 800 vulnerable systems identified as having internet-accessible vulnerabilities commonly associated with known ransomware campaigns. “To identify these systems, we use existing services, data sources, technologies, and authorities, including our free cyber hygiene vulnerability scanning service. All critical infrastructure sectors have benefited from the RVWP to include energy, healthcare and public health, water and wastewater systems sectors, and education facilities subsector specifically,” they added.

As part of RVWP, CISA leverages existing authorities and technology to proactively identify information systems that contain security vulnerabilities commonly associated with ransomware attacks. Once CISA identifies these affected systems, its regional cybersecurity personnel notify system owners of their security vulnerabilities, enabling timely mitigation before damaging intrusions occur.

CISA accomplishes this work by leveraging its existing services, data sources, technologies, and authorities, including CISA’s Cyber Hygiene Vulnerability Scanning service and the Administrative Subpoena Authority granted to CISA under Section 2209 of the Homeland Security Act of 2002.

CISA routinely identifies security risks facing U.S. organizations, drawing on information from government and industry partners. CISA additionally leverages commercial tools to identify organizations that may be at heightened cybersecurity risk. As required by CIRCIA, CISA proactively identifies information systems that contain security vulnerabilities commonly associated with ransomware attacks. After discovery, CISA notifies the owners of the vulnerable systems.

Notifications will contain key information regarding the vulnerable system, such as the manufacturer and model of the device, the IP address in use, how CISA detected the vulnerability, and guidance on how the vulnerability should be mitigated. CISA regional staff members will make notifications by phone call or email.

Separately, the U.S. National Security Agency (NSA) released on Thursday ‘Elitewolf,’ a repository of intrusion detection signatures and analytics designed specifically for OT (operational technology) environments. The resource equips defenders of critical infrastructure, the defense industrial base, and national security systems to recognize and stop potential malicious cyber activity within their OT networks.
