Flax Typhoon botnet operation reveals CVEs (Common Vulnerabilities and Exposures) missing from CISA (Cybersecurity and Infrastructure Security Agency) documentation
In a bid to bolster cybersecurity and protect civilian agency operations, federal authorities are taking steps to mitigate vulnerabilities listed in the Known Exploited Vulnerabilities (KEV) catalog. These measures are aimed at reducing the risk of malicious activity causing damage.
The National Institute of Standards and Technology (NIST) is making strides to address a substantial backlog in analyzing critical vulnerabilities. The backlog reduction initiative aims to eliminate the National Vulnerability Database (NVD) backlog by March 2025, requiring the analysis and enrichment of approximately 4,364 vulnerabilities per month.
To assist in this endeavour, NIST has enlisted the help of an outside firm and launched the Vulnrichment program, which aims to enrich CVE records with additional data. This initiative is designed to provide more comprehensive information, making it easier for organizations to manage vulnerabilities effectively.
However, NIST faces challenges due to resource constraints, including limited funding and staffing. Despite these efforts, the inflow of new vulnerabilities continues to pose challenges, with predictions suggesting as many as 50,000 new CVEs per year.
Meanwhile, a state-linked botnet, associated with the Flax Typhoon threat group, has been identified as actively targeting 66 security vulnerabilities for exploitation. This botnet is reportedly targeting critical infrastructure providers in the U.S. and other countries, raising concerns about whether federal authorities have the resources to properly analyze and document all critical vulnerabilities used for malicious activity.
Only 27 of the targeted CVEs are listed in the Cybersecurity and Infrastructure Security Agency's (CISA) closely monitored catalog of known exploited vulnerabilities. The VulnCheck report reveals that, among the 66 vulnerabilities targeted by the botnet, Apache had 10 CVEs, Cisco had five, and Zyxel, QNAP, Fortinet, and DrayTek each had three. The group is exploiting these CVEs to target routers, internet protocol cameras, and network attached storage devices.
A CISA spokesperson mentioned three thresholds for adding a vulnerability to the KEV catalog: the vulnerability has been assigned a CVE ID, reliable evidence exists showing exploitation in the wild, and clear guidance exists for remediating the vulnerability. However, a security researcher at VulnCheck suggests that lack of visibility and pervasiveness in federal agencies could be valid reasons why some vulnerabilities haven't been added to the KEV catalog.
The discrepancy between the actively targeted CVEs and the official CISA catalog highlights a longstanding backlog in identifying security threats. In response, NIST has stated that it has made progress towards reducing the backlog, and an update on that progress is pending.
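The gap the article describes, between the CVEs a threat report says are being exploited and the CVEs present in the KEV catalog, is something a defender can measure directly. The following is an added example, not code from the article, CISA, or VulnCheck. It assumes the layout of CISA's public KEV JSON feed (a top-level `vulnerabilities` list whose entries carry `cveID`, `vendorProject`, `product`, `dateAdded` and `dueDate`); the feed contents and the report's CVE list below are constructed stand-ins, and every CVE identifier in them is a placeholder, not a real CVE.

```python
"""Gap analysis between a threat report's CVE list and a KEV-format catalog.

Added example; not code from the article, CISA, or VulnCheck. The feed layout
mirrors the public KEV JSON feed (a "vulnerabilities" list with "cveID",
"vendorProject", "product", "dateAdded", "dueDate"). All CVE identifiers
below are constructed placeholders, not real CVEs.
"""
import json
import re
from collections import Counter

# Strict CVE ID shape; anything else is treated as malformed and dropped.
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")

# Constructed stand-in for the KEV JSON feed (placeholder CVE IDs).
KEV_FEED_JSON = """
{
  "title": "Catalog of Known Exploited Vulnerabilities (constructed sample)",
  "catalogVersion": "example",
  "count": 3,
  "vulnerabilities": [
    {"cveID": "CVE-0000-00001", "vendorProject": "Apache", "product": "ExampleProduct",
     "dateAdded": "2024-01-10", "dueDate": "2024-01-31"},
    {"cveID": "CVE-0000-00002", "vendorProject": "Cisco", "product": "ExampleProduct",
     "dateAdded": "2024-02-01", "dueDate": "2024-02-22"},
    {"cveID": "CVE-0000-00009", "vendorProject": "Other", "product": "Unrelated",
     "dateAdded": "2024-03-01", "dueDate": "2024-03-22"}
  ]
}
"""

# Constructed stand-in for a threat report's exploited-CVE list as
# (CVE ID, vendor) pairs. The IDs are placeholders.
REPORT_CVES = [
    ("CVE-0000-00001", "Apache"),
    ("CVE-0000-00002", "Cisco"),
    ("CVE-0000-00003", "Apache"),
    ("CVE-0000-00004", "Zyxel"),
    ("CVE-0000-00005", "QNAP"),
    ("cve-0000-00005", "QNAP"),   # same CVE in different case; must deduplicate
    ("CVE-0000-00006", "Fortinet"),
]


def load_kev_index(feed_json: str) -> dict:
    """Parse a KEV-format feed into {cveID: entry}, normalising IDs to upper case."""
    feed = json.loads(feed_json)
    index = {}
    for entry in feed.get("vulnerabilities", []):
        cve_id = entry.get("cveID", "").strip().upper()
        if CVE_RE.match(cve_id):
            index[cve_id] = entry
    return index


def normalise_report(report: list) -> dict:
    """Deduplicate report entries into {cveID: vendor}, dropping malformed IDs."""
    seen = {}
    for cve_id, vendor in report:
        cve_id = cve_id.strip().upper()
        if CVE_RE.match(cve_id) and cve_id not in seen:
            seen[cve_id] = vendor
    return seen


def kev_gap_analysis(report: list, feed_json: str) -> dict:
    """Split a report's CVEs into those present in the catalog and those absent.

    Returns sorted ID lists, a per-vendor count across the whole report (the
    kind of breakdown the article quotes), and the vendors whose CVEs are not
    catalogued, so patching can be prioritised without waiting for a due date.
    """
    kev = load_kev_index(feed_json)
    cves = normalise_report(report)
    in_kev = sorted(c for c in cves if c in kev)
    not_in_kev = sorted(c for c in cves if c not in kev)
    return {
        "total": len(cves),
        "in_kev": in_kev,
        "not_in_kev": not_in_kev,
        "by_vendor": dict(Counter(cves.values())),
        "uncatalogued_by_vendor": dict(Counter(cves[c] for c in not_in_kev)),
    }


if __name__ == "__main__":
    result = kev_gap_analysis(REPORT_CVES, KEV_FEED_JSON)
    print(f"{len(result['in_kev'])} of {result['total']} reported CVEs are catalogued")
    for cve in result["not_in_kev"]:
        print("not catalogued:", cve, "-", result["by_vendor"])
```

Run against the real feed, the uncatalogued list is the set to patch on the vendor's advisory alone, since no KEV due date will drive it; the per-vendor counts show where that exposure concentrates. The example deliberately drops malformed or duplicated IDs rather than counting them, because a report that lists the same CVE twice in different case would otherwise inflate the gap.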
Recently, the Five Eyes intelligence partners named this botnet in a global threat advisory. Last week, FBI Director Chris Wray disclosed an operation to disrupt a Mirai-variant botnet that has exploited over 260,000 IoT devices globally, with nearly half located in the U.S.
A May report by VulnCheck showed that NIST had analyzed fewer than 10% of the vulnerabilities published in the National Vulnerability Database since February. As federal agencies and NIST continue to work towards reducing the backlog and addressing these threats, it is crucial for organizations to stay vigilant and proactive in protecting their systems.
- In the cybersecurity industry, federal authorities are focused on addressing vulnerabilities listed in the Known Exploited Vulnerabilities (KEV) catalog to protect civilian agency operations.
- To aid in this initiative, the National Institute of Standards and Technology (NIST) has launched the Vulnrichment program, enlisting an outside firm, aimed at enriching CVE records for more comprehensive information.
- Despite NIST's efforts to reduce a substantial backlog in analyzing critical vulnerabilities, the inflow of new vulnerabilities continues to pose challenges, with predictions suggesting as many as 50,000 new CVEs per year.
- A state-linked botnet, affiliated with the Flax Typhoon threat group, has been targeting 66 security vulnerabilities, with concerns about federal authorities' ability to analyze and document all critical vulnerabilities used for malicious activity.
- The discrepancy between the actively targeted CVEs and the official Cybersecurity and Infrastructure Security Agency (CISA) catalog indicates a longstanding backlog in identifying security threats, underscoring the need for organizations to stay vigilant and proactive in their cybersecurity investments.
- Career development and education in self-development, especially in the areas of personal-finance, wealth-management, and technology, can be crucial for professionals in the industry to stay informed and prepared for the evolving cybersecurity landscape.