Threat actors can break into an organization’s infrastructure to initiate ransomware attacks in many ways, but vulnerability exploits remain an effective and productive tool for financially motivated cybercriminals, according to data the Cybersecurity and Infrastructure Security Agency shared Thursday.
Nearly 1 in 5 exploited common vulnerabilities and exposures (CVEs) are also known to be used in ransomware attacks, according to CISA’s Known Exploited Vulnerabilities Catalog.
The database of 1,019 exploited CVEs, some dating back to 2002, was updated Thursday to include those with known ransomware exploits. At least 184 CVEs have known use in ransomware attacks, according to CISA.
Of those, more than 2 in 5 of the vulnerabilities exploited by threat actors to conduct ransomware attacks are linked to Microsoft products, which are ubiquitous in the enterprise.
The next closest vendor on the list, network storage appliance maker QNAP, has 9 exploited CVEs used in ransomware attacks, paling in comparison to the 78 attributed to Microsoft.
[Chart: Microsoft tops the list of vendors with known CVEs used in ransomware attacks]
More than half of the exploited Microsoft vulnerabilities used in ransomware campaigns are present in two of the vendor’s most popular products: Windows and Exchange Server.
[Chart: Windows, Exchange Server dominate Microsoft's ransomware exploited CVEs]
“Ransomware has disrupted critical services, businesses and communities worldwide and many of these incidents are perpetrated by ransomware actors using known CVEs,” Sandra Radesky, associate director of vulnerability management, and Gabriel Davis, lead operations risk advisor at CISA, said in a Thursday blog post.
“Many organizations may be unaware that a vulnerability used by ransomware threat actors is present on their network,” Radesky and Davis said.
Providing updated and more actionable data is one of many efforts CISA is undertaking in the Ransomware Vulnerability Warning Pilot, as required by the Cyber Incident Reporting for Critical Infrastructure Act of 2022, to overcome this potential blind spot.
“All of the vulnerabilities listed in this report have been addressed and customers who have applied the latest updates are already protected. We have a comprehensive response process for responding to and remediating software security events and incidents as quickly as possible,” a Microsoft spokesperson said via email.
“We continue to invest in layers of security measures for customers to leverage especially when it comes to staying safe from malware attacks and we encourage our customers to follow our security best practices, and install all available updates as soon as possible,” the spokesperson said.
Editor’s note: This story has been updated to include comments from Microsoft.