The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently added 20 vulnerabilities known to be exploited by threat actors to its catalog, many of which are a few years old.
CISA says these types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risk to the federal enterprise, as well as organizations of all shapes and sizes.
CISA's Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established a list of known vulnerabilities that carry significant risk. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats.
The list, which includes products from Microsoft, Adobe, Oracle, Mozilla, and IBM, can be found here.
It is interesting, though, that many of the CVEs (common vulnerabilities and exposures) are from years in the past, some going back as far as 2014. Why are we still seeing CISA talk about these CVEs?
Mark Lambert, Vice President of Products at ArmorCode, explains:
"The reason why we have so many old 'active vulnerabilities' is because many of the systems where they exist are no longer being actively developed or maintained. When we look at vulnerability feeds, we can see vulnerabilities like CVE-2021-44228 (aka Log4Shell) are at the top of the list - but teams doing active development and leveraging Application Security practices like AppSecOps are able to quickly react. The older systems become a challenge, especially when those were provided by a 3rd party or created under contract with a Systems Integrator—and the longer we leave those vulnerabilities in the systems the harder they get to remediate."
Bud Broomhead, CEO at Viakoo, also shared his take:
"Seeing older vulnerabilities appear as ones that are both severe and currently exploited highlights a direction that threat actors have taken towards breaching organizations through IoT and other devices outside the control of IT organizations. This would explain why Internet Explorer shows up on the list, despite many IT organizations having moved on from it; IE still lives in older systems not managed by IT, and simply its existence would suggest that cyber security is lacking.
These recent updates to the CISA list are notable for how the vast majority are older vulnerabilities that would not impact up-to-date and secured IT systems; in other words cyber criminals are avoiding well-defended systems in favor of IoT, OT, and unmanaged devices.
The nature of these vulnerabilities (privilege escalation, remote code injection, memory corruption, etc…) suggests that the goal of the threat actors is to use these vulnerabilities to first breach an organization, then use that access to move laterally to more sensitive internal systems."
Has your organization recently checked CISA's Known Exploited Vulnerabilities Catalog? Today is the day to find out.
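As an added example (not from the article, CISA, or either quoted vendor), a small Python triage script that reads a feed in the shape of the KEV catalog's JSON, matches entries against an asset inventory, and flags both overdue BOD 22-01 due dates and entries whose CVE year is several years old. The feed URL and field names are assumptions about CISA's published feed; the sample entries, inventory and reference date are constructed.

```python
import json
import re
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed. Assumption: the live feed
# (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json)
# uses these field names. Only CVE-2021-44228 (Log4Shell) is a real id; the others
# are placeholders, and every date here is made up.
SAMPLE_KEV = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2021-44228", "vendorProject": "Apache", "product": "Log4j2",
     "dateAdded": "2021-12-10", "dueDate": "2021-12-24"},
    {"cveID": "CVE-2014-00000", "vendorProject": "ExampleVendor", "product": "Legacy Gateway",
     "dateAdded": "2022-03-25", "dueDate": "2022-06-15"},
    {"cveID": "CVE-2020-00000", "vendorProject": "ExampleVendor", "product": "Other Product",
     "dateAdded": "2022-03-25", "dueDate": "2022-04-15"},
]})

# Constructed asset inventory: (vendor, product) pairs the organization actually runs.
INVENTORY = {("apache", "log4j2"), ("examplevendor", "legacy gateway")}
# Constructed reference date for the due-date and CVE-age checks.
AS_OF = date(2022, 5, 1)


def cve_year(cve_id):
    """Year embedded in a CVE id, e.g. CVE-2014-... -> 2014."""
    m = re.fullmatch(r"CVE-(\d{4})-\d{4,}", cve_id)
    if not m:
        raise ValueError(f"malformed CVE id: {cve_id}")
    return int(m.group(1))


def triage(kev_json, inventory, as_of, old_after_years=3):
    """Return KEV entries matching the inventory, annotated with remediation status.

    'overdue' is True when the catalog due date has passed as of `as_of`; 'old_cve'
    marks CVEs published `old_after_years` or more years before `as_of`.
    """
    results = []
    for entry in json.loads(kev_json)["vulnerabilities"]:
        key = (entry["vendorProject"].lower(), entry["product"].lower())
        if key not in inventory:
            continue  # not deployed here, nothing to remediate
        age = as_of.year - cve_year(entry["cveID"])
        results.append({"cveID": entry["cveID"], "product": entry["product"],
                        "dueDate": entry["dueDate"],
                        "overdue": as_of > date.fromisoformat(entry["dueDate"]),
                        "age_years": age, "old_cve": age >= old_after_years})
    results.sort(key=lambda r: r["dueDate"])  # earliest due date first
    return results


if __name__ == "__main__":
    for row in triage(SAMPLE_KEV, INVENTORY, AS_OF):
        print(row)
```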