Organizations patch CISA KEV list bugs 3.5 times faster than others, researchers find

Researchers have found that a catalog of exploited vulnerabilities maintained by the federal government is having a tangibly positive effect on organizations both within and outside of the federal government.

The Cybersecurity and Infrastructure Security Agency (CISA) has run its Known Exploited Vulnerabilities (KEV) catalog for nearly three years, and it has quickly become the go-to repository for software and hardware bugs actively being exploited by hackers around the world.

Experts at cybersecurity scanning company Bitsight posed the question: do organizations remediate KEVs faster than vulnerabilities not in the KEV catalog?

The answer is a clear yes, they said. Their data shows that the median time to patch vulnerabilities listed on the catalog is 3.5 times faster than for non-KEV bugs.

Put another way, the median time for remediation of KEV-listed bugs is 174 days, while the time for non-KEV-list vulnerabilities is 621 days.

Those numbers come from Bitsight scanning for vulnerabilities within more than 1 million entities: companies, schools, local governments and more.

The researchers also tracked a new feature within the KEV list in which CISA says whether ransomware gangs are specifically targeting a certain vulnerability.

"If we average out the relative drops, ransomware KEVs are fixed 2.5x faster on average than KEVs not known to be used in ransomware," Bitsight said.

Bitsight researchers also confirmed that the KEV list was having a tangible effect by helping companies and local governments sort through the deluge of vulnerabilities to address the bugs that truly matter.

Thirty-five percent of all organizations observed by Bitsight dealt with a KEV in 2023, with the vast majority having more than one.

Every vulnerability added to the KEV list comes with a deadline that varies based on the severity of the bug and the urgency of the targeting.
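The measurement Bitsight describes (median time to remediate, split by KEV membership and by the catalog's ransomware flag, plus whether an open KEV finding is past its CISA due date) is easy to reproduce against your own vulnerability findings. The following script is an added example, not Bitsight's code or anything from the article. It assumes a KEV feed whose records carry the `cveID`, `dateAdded`, `dueDate` and `knownRansomwareCampaignUse` fields of CISA's public JSON feed (verify the names against the live feed), and uses constructed catalog rows with placeholder CVE ids and a constructed internal findings log. Open findings are excluded from the median because their eventual fix time is unknown; counting them at today's date would understate the true remediation time.

```python
"""KEV remediation metrics: median time-to-fix (KEV vs non-KEV, ransomware vs other),
overdue KEV findings, and a patch-queue ordering. Added example with constructed data."""
from datetime import date
from statistics import median

# Constructed KEV-style records (NOT real catalog entries). Field names mirror the
# public CISA KEV JSON feed as assumed here; verify against the live feed.
KEV_FEED = {"vulnerabilities": [
    {"cveID": "CVE-0000-0001", "dateAdded": "2024-03-01", "dueDate": "2024-03-22", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-0002", "dateAdded": "2024-02-10", "dueDate": "2024-03-02", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-0003", "dateAdded": "2024-04-01", "dueDate": "2024-04-08", "knownRansomwareCampaignUse": "Known"},
]}

# Constructed internal findings: first detection on an asset and remediation date (None = still open).
FINDINGS = [
    {"asset": "web-01", "cve": "CVE-0000-0001", "detected": "2024-03-02", "remediated": "2024-03-12"},
    {"asset": "web-02", "cve": "CVE-0000-0001", "detected": "2024-03-02", "remediated": None},
    {"asset": "db-01",  "cve": "CVE-0000-0002", "detected": "2024-02-12", "remediated": "2024-03-01"},
    {"asset": "app-01", "cve": "CVE-0000-0003", "detected": "2024-04-02", "remediated": None},
    {"asset": "app-01", "cve": "CVE-0000-0100", "detected": "2024-01-10", "remediated": "2024-03-20"},
    {"asset": "db-01",  "cve": "CVE-0000-0101", "detected": "2024-02-01", "remediated": None},
    {"asset": "web-01", "cve": "CVE-0000-0102", "detected": "2024-03-01", "remediated": "2024-03-31"},
]

TODAY = date(2024, 4, 15)  # fixed "as of" date so the example is reproducible


def load_kev(feed):
    """Index KEV entries by CVE id, with dates parsed and the ransomware flag as a bool."""
    index = {}
    for entry in feed["vulnerabilities"]:
        index[entry["cveID"]] = {
            "added": date.fromisoformat(entry["dateAdded"]),
            "due": date.fromisoformat(entry["dueDate"]),
            "ransomware": entry.get("knownRansomwareCampaignUse") == "Known",
        }
    return index


def days_open(finding, today=TODAY):
    """Days from detection to remediation, or to `today` if the finding is still open."""
    start = date.fromisoformat(finding["detected"])
    end = date.fromisoformat(finding["remediated"]) if finding["remediated"] else today
    return (end - start).days


def median_time_to_remediate(findings, kev):
    """Median days-to-fix over CLOSED findings only, bucketed the way the Bitsight
    comparison is framed. Open findings are right-censored and are left out."""
    buckets = {"kev": [], "non_kev": [], "ransomware_kev": [], "other_kev": []}
    for f in findings:
        if f["remediated"] is None:
            continue
        d = days_open(f)
        entry = kev.get(f["cve"])
        if entry is None:
            buckets["non_kev"].append(d)
        else:
            buckets["kev"].append(d)
            buckets["ransomware_kev" if entry["ransomware"] else "other_kev"].append(d)
    return {k: (median(v) if v else None) for k, v in buckets.items()}


def overdue(findings, kev, today=TODAY):
    """Open KEV findings past CISA's due date, as (asset, cve, days_past_due).
    Non-KEV findings carry no catalog deadline and are never reported here."""
    out = []
    for f in findings:
        entry = kev.get(f["cve"])
        if f["remediated"] is None and entry and today > entry["due"]:
            out.append((f["asset"], f["cve"], (today - entry["due"]).days))
    return out


def prioritize(findings, kev, today=TODAY):
    """Order open findings for a patch queue: ransomware-linked KEVs first, then the
    most-overdue KEVs, then non-KEV findings by age. Returns (asset, cve) tuples."""
    def key(f):
        entry = kev.get(f["cve"])
        past_due = (today - entry["due"]).days if entry else -1
        return (not (entry and entry["ransomware"]), entry is None, -past_due, -days_open(f, today))
    open_findings = [f for f in findings if f["remediated"] is None]
    return [(f["asset"], f["cve"]) for f in sorted(open_findings, key=key)]


if __name__ == "__main__":
    kev = load_kev(KEV_FEED)
    print("median days to remediate:", median_time_to_remediate(FINDINGS, kev))
    print("overdue KEV findings:", overdue(FINDINGS, kev))
    print("patch queue:", prioritize(FINDINGS, kev))
```

Against the constructed data the closed KEV findings fix in a median of 14 days versus 50 for non-KEV, and two open KEV findings are past their due date. Replacing `KEV_FEED` with the downloaded catalog and `FINDINGS` with an export from a scanner gives the same numbers for a real estate; the `prioritize` ordering is one reasonable policy, not CISA's.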
The deadline officially applies to federal agencies, but for organizations outside of the U.S. government it can serve as a guideline for the severity of a bug.

Bitsight found that federal civilian agencies accountable to CISA's binding directive are 63% more likely to remediate KEVs by the deadline than other organizations. About 40% of all organizations (those outside of the federal government that do not have to abide by CISA rules) are able to resolve bugs by CISA's deadline.

The report notes that throughout the existence of the KEV list, the deadlines given to patch have changed drastically. When it was first created, CISA typically gave federal civilian agencies either one week, two weeks or six months to patch a bug. But by the spring of 2022, they shifted to three-week deadlines.

It is only in the last few months that one-week deadlines have been reintroduced.

Why the shift? "Those early vulnerabilities tended to be older when they were added to the KEV catalog. Given that they may have been around for a while, it seems logical to give organizations time to address issues," the researchers said.

"Deadlines seem to be influenced by whether a vulnerability is used in ransomware. 1-week deadline vulnerabilities are nearly twice as likely to have been used in ransomware. This likely is because these vulnerabilities are particularly urgent and likely to cause significant damage if exploited on an agency system."

Technology firms were the fastest to remediate vulnerabilities, in part because they topped Bitsight's list of sectors that had the most exposure. Educational organizations and local governments were the worst off among the sectors tracked by Bitsight, with both having a high exposure to KEV list bugs and a slow remediation time.

Insurance companies, credit unions and engineering firms had relatively low exposure to KEV list vulnerabilities and typically fixed issues quickly.

CISA added two vulnerabilities to the KEV list this week. On Tuesday, the agency added CVE-2024-29988 to the list.

The vulnerability was unveiled by Microsoft as part of the Patch Tuesday releases in April and affects Microsoft SmartScreen, a cloud-based anti-phishing and anti-malware component included in several Microsoft products.

Ben McCarthy, lead cyber security engineer at Immersive Labs, said SmartScreen is a large popup that warns the user about running an unknown file and is often the endpoint of phishing attacks, as it scares the user enough to not continue opening it.

He added that the bug is popular among attackers that use a file download as part of their attack techniques for gaining initial access, because they want to find ways to bypass security features such as SmartScreen.

CISA noted that the vulnerability can be chained with CVE-2024-21412 during attacks. Tenable's Satnam Narang explained that the same Zero Day Initiative researcher that discovered CVE-2024-21412 also found CVE-2024-29988.

"Social engineering through direct means (email and direct messages) that requires some type of user interaction is a typical route for exploitation for this type of flaw," he said.

"CVE-2024-21412 was used as part of a DarkGate campaign that leveraged fake software installers impersonating Apple's iTunes, Notion, NVIDIA and more. Microsoft Defender SmartScreen is supposed to provide additional protections for end users against phishing and malicious websites. However, as the name implies, these flaws bypass these security features, which leads to end users being infected with malware."

Bleeping Computer reported last month that the bug was used by a financially-motivated hacking group to target forex trading forums and stock trading Telegram channels.

CISA also added CVE-2023-7028 to the KEV list on Wednesday. It affects GitLab, a popular open source code repository and collaborative software development platform.

The bug, found in GitLab Community and Enterprise Editions, allows an attacker to trigger password reset emails to be sent to an unverified email address, ultimately facilitating an account takeover.

Debrup Ghosh, senior staff product manager at Synopsys Software Integrity Group, warned that the ability to compromise platforms like GitLab that are inherently trusted would allow attackers to launch attacks that are difficult to detect and can have rippling effects downstream.

"Additionally, it appears that although the patch was issued in January, more than 40% of GitLab instances are not patched almost four months later," Ghosh said.

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.

Copyright 2024 The Record from Recorded Future News