The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has so far warned more than 100 critical infrastructure organizations that they are running internet-exposed devices with flaws commonly exploited in ransomware attacks, under its Ransomware Vulnerability Warning Pilot program launched earlier this year.
Under the program, CISA aims to help critical infrastructure operators get ahead of ransomware by scanning internet-accessible devices for vulnerabilities that ransomware groups have typically exploited, and then notifying the device owners, a step it enables through an administrative subpoena authority.
“This work just started a few months ago,” said Brandon Wales, executive director of CISA during the Cyber Initiatives Group Summit on Wednesday. “We’ve already made over 100 notifications to organizations that have ransomware-related vulnerabilities on internet-accessible devices. These devices are coming from a variety of critical infrastructure sectors; we’re talking defense industrial base, energy, schools, financial services, hospitals and state and local governments.”
Many of these notifications have involved the prolific "ProxyNotShell" Microsoft Exchange Server vulnerabilities (CVE-2022-41040 and CVE-2022-41082), which a number of ransomware threat actors, including the Play ransomware group, have leveraged in attacks.
The program has also expanded to cover other bugs. Wales said that CISA has recently alerted 26 entities in the U.S. that their devices are vulnerable to the MOVEit Transfer vulnerability (CVE-2023-34362) as part of the pilot program, and will likely reach out to 80 to 90 more organizations in the next round of notifications over the coming seven days.
“We’re also going to pivot fast when we need to,” said Wales. “The MOVEit Transfer vulnerability cropped up a few weeks ago, and when we saw threat actors begin to exploit it we put that into the program. And so far there have been about 26 notifications of entities throughout the United States, and we’re making more as we speak… we have the ability to think strategically on how to use this, but also to pivot fast when we need to.”
The pilot program was first authorized under the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) of 2022, federal legislation that directs CISA to establish requirements for critical infrastructure entities to report cyber incidents and ransom payments to the agency.
CISA said it is able to identify the internet-exposed vulnerable devices through various scanning and testing services, data sources, technologies and authorities. A major part of the notification process rests on an administrative subpoena authority granted to CISA in January 2021 by the FY2021 National Defense Authorization Act, which amended Section 2209 of the Homeland Security Act of 2002.
This authority lets CISA, when it finds an internet-accessible vulnerable device that it believes belongs to a critical infrastructure system, issue an administrative subpoena to the device's internet service provider to obtain the subscriber's identity, so that the agency can notify the entity at risk directly. Before CISA was granted this authority, if the agency uncovered a vulnerability on a critical infrastructure device, it would need to notify the ISP, which in turn would notify the operator; however, that process "very rarely ended in those gaps being closed," said Wales.
The Ransomware Vulnerability Warning Pilot program is one of many ways CISA has been working to improve security across critical infrastructure sector networks, alongside the introduction of voluntary Cross-Sector Cybersecurity Performance Goals for critical infrastructure operators, including those running OT. Wales said the program has allowed CISA to focus on the vulnerabilities that ransomware threat actors are specifically targeting, as opposed to more generic flaws across the critical infrastructure space.
“Before that, a lot of our administrative subpoena work had been more focused on vulnerabilities in the industrial control system space, but with the pilot we have now been working to… reduce the prevalence of ransomware by taking away vulnerabilities that ransomware groups are exploiting,” said Wales.