Date: 2023-03-22

CISA launched the Ransomware Vulnerability Warning Pilot (RVWP) program, which aims to proactively identify information systems that have vulnerabilities associated with ransomware attacks.

The United States Cybersecurity and Infrastructure Security Agency (CISA) announced the launch of its Ransomware Vulnerability Warning Pilot (RVWP) program. The program aims to proactively identify information systems that have security vulnerabilities commonly associated with ransomware attacks. Once the program identifies vulnerable systems, CISA will notify the owners to mitigate any flaws before attackers cause significant damage.

Details about the RVWP program

The agency will identify the affected systems using existing services, data sources, technologies, and authorities, including vulnerability analysis. CISA launched RVWP by notifying 93 companies identified as running Microsoft Exchange Service instances with the widely exploited vulnerability called ProxyNotShell. The agency said this cycle demonstrated the model’s efficiency in reducing risk in a timely manner as it extends RVWP to additional vulnerabilities and organizations.

Eric Goldstein, executive assistant director for cybersecurity at CISA, said:

“The RVWP will enable CISA to provide timely and actionable information that directly reduces the prevalence of damaging ransomware incidents affecting US organizations. We urge every organization to urgently mitigate vulnerabilities identified by this program and adopt robust security measures consistent with US government guidance on StopRansomware.gov.”

Beyond the official announcement, CISA gave a few details about the RVWP program. One question is why the agency launched the program with the ProxyNotShell vulnerability. ProxyNotShell is the latest in a series of vulnerabilities exploited by the Hafnium cybergang, backed by China, targeting Microsoft Exchange servers. In late September, two zero-day vulnerabilities (CVE-2022-41040, CVE-2022-41082) collectively became known as ProxyNotShell. Microsoft released patches for ProxyNotShell in November.

Ransomware attackers seek unpatched vulnerabilities

According to experts, CISA likely chose this vulnerability because it had prior warnings or notices that malicious actors were actively using it. Satnam Narang, a senior research engineer at Tenable, said that his company had seen several ransomware actors taking advantage of ProxyNotShell in recent months.

Some experts believe that CISA would be better positioned to search for older vulnerabilities, which form the basis of most ransomware attacks. “The majority of ransomware targets vulnerabilities at least a year or two old,” said Jonathan Trull, Senior Vice President of Security Solution Architecture and CISO at Qualys. He added that Qualys’ research shows that the 300 oldest and most unpatched vulnerabilities are what ransomware attackers seek to exploit repeatedly.