The race to patch: Our vulnerability alerts provide a 15.5 day head start
Spring is here! Time for budding flowers, later sunsets, and seasonal allergies. Oh — and everyone’s favorite holiday season — tax season. And while we say that in jest, for cybercriminals, it’s not a bad time to launch a fruitful phishing campaign.
Emotet malware operations are targeting users with emails containing fake W-9 tax forms, sent as Word documents with malicious embedded VBScript files. Get ahead with your spring cleaning and move any suspicious emails from people you don’t know straight into your trash.
For a deep dive on vulnerabilities and updates from Corvus, keep reading:
In this month’s newsletter:
- Vulnerability alerts, right in the Policyholder Dashboard.
- CISA announces Ransomware Vulnerability Warning Pilot (RVWP)
- Threats to watch for this month.
Risk + Response Tips
Security tips and service updates from SVP of Risk + Response Lauren Winchester
Your vulnerability alerts are now in the Policyholder Dashboard!
When it comes to protecting your organization from critical vulnerabilities, timing is crucial. On average, we notify our policyholders of new vulnerabilities within 9 hours of discovery.
❗ Our alerts typically provide a 15.5 day head start to patch before a vulnerability is exploited.
Making your organization safer just got easier: You’ll find a notification for a Time Sensitive alert right on the Dashboard homepage, but only if a vulnerability is relevant to you. From there, you can head to the Action Center to get all of the details you need:
- Our findings: What we know about the vulnerability.
- Potential impact: How attackers are exploiting the vulnerability in the wild.
- Next steps: What your organization should do to mitigate a potential attack.
- Update us: With the click of a button, you can let us know where your organization stands: whether you’re working on a resolution or want to flag a false positive.
Like our emails? Don’t worry, our vulnerability alerts will still hit your inbox as usual!
Noteworthy trends in cybersecurity from Chief Information Security Officer Jason Rebholz
The Cyber Incident Reporting for Critical Infrastructure Act of 2022, which President Biden signed into law last year, required that CISA establish the Ransomware Vulnerability Warning Pilot (RVWP). On March 13th 2023, it went live.
The goal is to warn critical infrastructure entities if their systems have exposed vulnerabilities that could be exploited by ransomware threat actors.
Good timing: So far in 2023, we’ve seen two ransomware campaigns that have relied on vulnerabilities for success. First, a two-year-old security flaw within VMware ESXi servers resulted in over 2,400 encrypted devices. And last month, the Clop ransomware gang exploited a vulnerability within the GoAnywhere MFT product to steal data and extort over 130 businesses.
Why this matters: Not only does this further emphasize the government’s push to prioritize cybersecurity, but it also stresses a simple truth: vulnerabilities are one of the easiest routes threat actors can take to access an organization’s systems. Knowing what (and when) to patch matters.
Our approach: We aren’t just worried about critical infrastructure. We regularly alert all policyholders at risk due to critical vulnerabilities:
- 41% of the vulnerabilities we’ve alerted on have been exploited by ransomware gangs, specifically.
- But it’s not just ransomware: 82% of vulnerabilities we’ve sent alerts for in the past 9 months have resulted in exploitation by threat actors in general.
- We’ve now added vulnerability alerts directly to the Policyholder Dashboard to make your organization safer.
What to watch for this month.
The Corvus Scan is a powerful asset that enables us to identify which policyholders may be at greater risk for vulnerabilities. In response, we send tailored notifications with insights and guidance for remediation. We’ve gathered a monthly round-up of our alerts and threat intel updates below:
3CX Desktop App
A threat actor compromised the 3CX VoIP Desktop App, resulting in malicious code being installed in the legitimate software. The trojanized app is now being used in supply chain attacks. Cybersecurity firms have attributed the attacks to state-sponsored threat actors, noting that the malicious activity affects both Windows and Mac environments.
New Phishing Tactic
A prominent ransomware group is sending mass emails to organizations falsely claiming to have stolen data from their environments. Organizations should be mindful of this new phishing tactic and ensure they do not engage directly with any threat actor claiming to have stolen data from the environment. See our article for more information.
Banking Wire Fraud
The apparent financial instability of several banking institutions, most prominently Silicon Valley Bank, has led many organizations to change their banking relationships. This means that in the coming days there will be an unusually large volume of communication about banking information between organizations and their customers, vendors and partners, which is exactly the traffic that wire fraud attempts try to blend into.
Veeam Backup & Replication Vulnerability
Veeam released an advisory detailing a serious security flaw (CVE-2023-27532) in their backup and replication appliance. The vulnerability allows an unauthenticated attacker to obtain credentials stored in the configuration database. Security patches have been released and should be applied as soon as possible. This vulnerability impacts all versions prior to:
- V12 (build 188.8.131.520 P20230223)
- V11a (build 184.108.40.2061 P20230227)
Adobe ColdFusion Vulnerability
CVE-2023-26359 & CVE-2023-26360 were discovered in the Adobe ColdFusion product, often used for web application development and delivery. Adobe reports that at least one of the flaws is being actively exploited. Affected organizations should apply the security patch. The vulnerabilities affect the following products and versions:
- ColdFusion 2018, Update 15 and earlier versions
- ColdFusion 2021, Update 5 and earlier versions
Jenkins Vulnerability
The Jenkins open-source automation server has a serious security flaw (CVE-2023-27898). The vulnerability allows an unauthenticated attacker to execute arbitrary code or commands. The vulnerability affects Jenkins instances running the following versions:
- Jenkins 2.270 through 2.393
- Jenkins LTS 2.277.1 through 2.375.3
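As an added example (not Corvus's or the Jenkins project's code), a small Python check that compares installed Jenkins versions against the affected ranges listed above for CVE-2023-27898, telling weekly and LTS releases apart by their number of version components; the host inventory is constructed sample data.

```python
# Version-range triage for the Jenkins advisory above (CVE-2023-27898).
# Added example, not Corvus or Jenkins code; the ranges are those on this page.

def parse_version(v):
    """Turn '2.375.3' into (2, 375, 3) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in v.strip().split("."))

# Affected ranges as published: weekly 2.270-2.393, LTS 2.277.1-2.375.3 (inclusive).
AFFECTED = {
    "weekly": (parse_version("2.270"), parse_version("2.393")),
    "lts": (parse_version("2.277.1"), parse_version("2.375.3")),
}

def release_line(version):
    """Jenkins LTS releases carry three components (2.375.3); weekly releases carry two (2.393)."""
    return "lts" if len(parse_version(version)) == 3 else "weekly"

def is_affected(version):
    """True when the version falls inside the affected range for its release line."""
    low, high = AFFECTED[release_line(version)]
    return low <= parse_version(version) <= high

def triage(inventory):
    """Given {hostname: jenkins_version}, return the hosts that still need the patch."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver))

if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = {"ci-a": "2.375.3", "ci-b": "2.387.2", "ci-c": "2.394", "ci-d": "2.270"}
    print("Hosts to patch:", triage(sample))  # Hosts to patch: ['ci-a', 'ci-d']
```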