
Taking Heed of CISA alerts
CISA, the Cybersecurity and Infrastructure Security Agency, is the operational lead for federal cybersecurity and the national coordinator for critical infrastructure security and resilience.
CISA regularly publishes alerts as well as binding operational directives (BODs), which together give a good picture of the vulnerabilities most exploited in the wild. We will look at some of the alerts and BODs published by CISA and how we are tracking them in our product.
Figure 1: CISA Strike Lists in BreakingPoint
BOD 22-01 - REDUCING THE SIGNIFICANT RISK OF KNOWN EXPLOITED VULNERABILITIES
Directives are instructions that require federal agencies to take specific actions. They can be accessed at https://www.cisa.gov/directives.
BOD 22-01 is a binding operational directive that deals with the known exploited vulnerabilities.
Known Exploited Vulnerabilities
The Known Exploited Vulnerabilities catalog contains vulnerabilities that have been seen exploited in the wild and used as a frequent attack vector by malicious cyber actors. The criteria CISA uses to decide whether a vulnerability is added to the catalog are documented here.
We are continuously tracking this list of known exploited vulnerabilities and creating Strikes for the CVEs in it. At the time of writing this blog, we have coverage for 272 CVEs out of the total 826 CVEs.
To get access to this list, search for the Strike List named "CISA known exploited".
Figure 2: “CISA Known Exploited Vulnerabilities Catalog” Strike List
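As an added example (not code from the original post or from the ATI product), the kind of check that tracking the KEV catalog against Strike coverage implies: parse the catalog's JSON feed, compare it against the set of CVEs a strike pack already covers, and order the gaps by their BOD 22-01 remediation due date so the most urgent missing Strikes come first. The JSON field names follow the layout of CISA's published feed; the entries, CVE IDs and coverage set are constructed placeholders.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed (field names as
# published by CISA; the entries and CVE IDs are placeholders, not real data).
KEV_SAMPLE = """{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "catalogVersion": "constructed-sample", "count": 4,
  "vulnerabilities": [
    {"cveID": "CVE-0000-0001", "vendorProject": "VendorA", "product": "ProductA",
     "dateAdded": "2022-09-01", "dueDate": "2022-09-22", "requiredAction": "Apply updates"},
    {"cveID": "CVE-0000-0002", "vendorProject": "VendorB", "product": "ProductB",
     "dateAdded": "2022-10-01", "dueDate": "2022-10-22", "requiredAction": "Apply updates"},
    {"cveID": "CVE-0000-0003", "vendorProject": "VendorC", "product": "ProductC",
     "dateAdded": "2022-10-10", "dueDate": "2022-10-31", "requiredAction": "Apply updates"},
    {"cveID": "CVE-0000-0004", "vendorProject": "VendorD", "product": "ProductD",
     "dateAdded": "2022-10-25", "dueDate": "2022-11-15", "requiredAction": "Apply updates"}
  ]
}"""

# Constructed: CVE IDs for which a Strike already exists in the local strike pack.
STRIKE_COVERAGE = {"CVE-0000-0001", "CVE-0000-0003"}


def load_kev(text):
    """Parse the KEV feed into {cveID: entry}, checking the feed's own count."""
    data = json.loads(text)
    entries = {v["cveID"]: v for v in data["vulnerabilities"]}
    if data.get("count") != len(entries):
        raise ValueError("KEV feed count does not match number of entries")
    return entries


def coverage_report(kev, covered, today):
    """Compare the catalog against strike coverage. Gaps are ordered by
    BOD 22-01 due date; 'today' is an ISO date string used for overdue checks."""
    cutoff = date.fromisoformat(today)
    gaps = sorted((v for c, v in kev.items() if c not in covered),
                  key=lambda v: date.fromisoformat(v["dueDate"]))
    return {
        "total": len(kev),
        "covered": len(kev) - len(gaps),
        "uncovered": [v["cveID"] for v in gaps],
        "overdue": [v["cveID"] for v in gaps
                    if date.fromisoformat(v["dueDate"]) < cutoff],
    }


if __name__ == "__main__":
    r = coverage_report(load_kev(KEV_SAMPLE), STRIKE_COVERAGE, "2022-11-01")
    print(f"Strike coverage: {r['covered']}/{r['total']} KEV entries")
    for cve in r["uncovered"]:
        print(f"  missing: {cve}{' (past due date)' if cve in r['overdue'] else ''}")
```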
Alert (AA22-279A) Top CVEs Actively Exploited by People’s Republic of China (PRC) State-Sponsored Cyber Actors
Alerts provide timely information about current security threats, vulnerabilities, and exploits. Unlike BODs they are not binding, but they give a good overview of the present top security threats.
According to this alert, PRC state-sponsored cyber actors are exploiting known vulnerabilities, and it provides a list of the top CVEs they use.
At the time of writing this blog, ATI has coverage for 15 out of the 20 CVEs mentioned in the table below. For ease of testing, we have also provided them as a separate strike list to be run.
Table: Top CVEs most used by Chinese state-sponsored cyber actors since 2020
Alert (AA22-257A) Iranian Islamic Revolutionary Guard Corps-Affiliated Cyber Actors Exploiting Vulnerabilities for Data Extortion and Disk Encryption for Ransom Operations
According to this alert, Iranian government-sponsored APT actors have been scanning for and/or exploiting the following known Fortinet FortiOS and Microsoft Exchange server vulnerabilities since early 2021.
Figure 3: ATI has coverage of 7 of the CVEs mentioned in the report.
Alert (AA22-216A) 2021 Top Malware Strains
The alert, issued on August 04, 2022, deals with the top malware strains observed in 2021. The list includes remote access Trojans (RATs), banking Trojans, information stealers, and ransomware.
One interesting takeaway from this alert is that certain malware families have been in use for at least five years, and some for a decade. This shows that robust testing against these malware families is required for building a more secure environment.
The top malware strains discussed in the report (Agent Tesla, AZORult, Formbook, LokiBot, NanoCore, Remcos, TrickBot, Ursnif and Qakbot) are all available as part of ATI malware releases.
Figure 4: “CISA 2021 Top Malware Strains” Strike List
Alert (AA22-117A) 2021 Top Routinely Exploited Vulnerabilities
The alert, issued on April 27, 2022, covers the top 15 Common Vulnerabilities and Exposures (CVEs) routinely exploited by malicious cyber actors in 2021, as well as other CVEs frequently exploited.
Both the Top 15 Routinely Exploited Vulnerabilities in 2021 and Additional Routinely Exploited Vulnerabilities in 2021 are available as strike lists to facilitate easy testing.
Figure 5: “CISA 2021 Top Routinely Exploited Vulnerabilities” Strike List
Figure 6: “CISA 2021 Additional Routinely Exploited Vulnerabilities” Strike List
Alert (AA21-209A) Top Routinely Exploited Vulnerabilities
The alert, issued on July 28, 2021, covers the top Common Vulnerabilities and Exposures (CVEs) routinely exploited by malicious cyber actors in 2020, as well as some CVEs that were being exploited in the first half of 2021.
The Top 12 Routinely Exploited Vulnerabilities in 2020 is available as a strike list to facilitate easy testing.
Figure 7: “CISA 2020 Top Routinely Exploited Vulnerabilities” Strike List
Alert (AA20-133A) Top 10 Routinely Exploited Vulnerabilities
The alert, issued on May 12, 2020, covers the top Common Vulnerabilities and Exposures (CVEs) routinely exploited by malicious cyber actors from 2016 to 2019, as well as some CVEs that were being exploited in the first half of 2020.
The Top 10 Routinely Exploited Vulnerabilities in 2016-2019 is available as a strike list to facilitate easy testing.
Figure 8: “CISA 2016-2019 Top 10 Routinely Exploited Vulnerabilities” Strike List
Call to Action
Knowing which vulnerabilities are presently being exploited in the wild and protecting against those threats provides real value to any organization looking to secure its infrastructure. Strike lists released as part of the bi-weekly Strike Packs provide a great way to test against the latest threats and attacks as we see them. To learn more about the latest in-the-wild attacks you can read this blog. To learn more about Strike Lists and what good default test cases to run are, this blog provides a great overview.
LEVERAGE SUBSCRIPTION SERVICE TO STAY AHEAD OF ATTACKS
The Keysight BreakingPoint Application and Threat Intelligence (ATI) Subscription provides bi-weekly updates of the latest application protocols and attacks for use with Ixia platforms.