Introducing a new schema to track ransomware vulnerabilities

David Strom 22 Sep 2021

The schema includes dozens of vulnerability listings for products including Microsoft Office, SharePoint, and SonicWall

A group of security researchers has put together a comprehensive schema tracking vulnerabilities in popular products that are commonly exploited by ransomware gangs. It is an especially useful resource because it documents, visually, which weak points those gangs use to gain a foothold on networks and endpoints. The effort was begun by Allan Liska, author of several technical guides, including one on ransomware defense.

The schema, shown above, lists dozens of vulnerabilities in products such as Microsoft SharePoint, Azure and Exchange, various VPN appliances, and a collection of SaaS tools.

Understanding the schema’s listed vulnerabilities

One of the general Windows entries is the LSA Spoofing Vulnerability (better known as PetitPotam), in which an unauthenticated attacker calls a method on a remote procedure call interface of the Local Security Authority and coerces a domain controller into authenticating to a host the attacker controls, which can be relayed into authenticated access to the domain. The CVE label on each entry is the Common Vulnerabilities and Exposures identifier used to track the issue.

The LSA spoofing issue is tracked as CVE-2021-36942. The 2021 in the identifier is the year the ID was reserved, not necessarily the year the flaw was found, and the sequence number is not a running tally: blocks of numbers are handed out to numbering authorities in advance, so an ID above 36000 does not mean 36,000 issues have already been cataloged in 2021. This year alone, ransomware attacks have leveraged Kaseya's VSA remote-management product, vulnerabilities in SonicWall appliances and several issues in Exchange Server, to name a few. The latter was recently in the news with the ProxyShell Exchange exploits, a chain of three separate but related vulnerabilities.

Further reading:
Colonial Pipeline hobbled by a single password
What to do about the Kaseya and PrintNightmare vulnerabilities
SMBs need to take immediate action on Microsoft Exchange vulnerabilities

The numbers are assigned through the CVE program, run by MITRE, the not-for-profit corporation that operates federally funded research centers and has been behind numerous government and open security programs (including the origins of the STIX and TAXII threat-intelligence standards). Most IDs are in practice handed out by CVE Numbering Authorities, the vendors, researchers and coordinators the program authorizes to assign them. The CVE database now contains more than 160,000 records. As you might imagine, running the program takes a great deal of volunteer labor: there are six working groups covering areas such as security automation, outreach and quality assurance, with members drawn from academia, industry and government agencies.
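
As an added illustration of the identifier format discussed above (example code written for this page, not part of the original article or of the schema project): a small Python helper that pulls CVE IDs out of loosely formatted text such as tweeted schema entries, normalizes them to the canonical CVE-YYYY-NNNN form, and keeps the reservation year separate from the sequence number. The sample text is constructed; the only identifiers in it are the page's CVE-2021-36942, the three ProxyShell CVEs, and deliberately malformed strings.

```python
import re
from dataclasses import dataclass
from typing import List

# Loose match for CVE IDs as they appear in tweet-sourced text: "CVE-2021-36942",
# "CVE 2021-36942", "cve-2021-36942", or with a Unicode dash. Since the 2014
# syntax change the sequence part has at least four digits and no upper bound,
# so 5- and 6-digit sequences must be accepted.
_DASH = r"[\s\-\u2010-\u2015]"
_CVE_RE = re.compile(
    r"\bCVE" + _DASH + r"?(\d{4})" + _DASH + r"(\d{4,})\b",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class CveId:
    year: int      # year the ID was reserved, not necessarily when the bug was found
    sequence: int  # position within a block given to a numbering authority; not a count

    @property
    def canonical(self) -> str:
        # Canonical form pads the sequence to at least four digits.
        return f"CVE-{self.year}-{self.sequence:04d}"


def extract_cve_ids(text: str) -> List[CveId]:
    """Return the distinct CVE IDs in text, in order of first appearance."""
    found: List[CveId] = []
    seen = set()
    for m in _CVE_RE.finditer(text):
        cve = CveId(int(m.group(1)), int(m.group(2)))
        # The CVE program started in 1999; an earlier year is noise, not an ID.
        if cve.year < 1999 or cve in seen:
            continue
        seen.add(cve)
        found.append(cve)
    return found


def normalize_cve_refs(text: str) -> str:
    """Rewrite every loose CVE reference in text to canonical CVE-YYYY-NNNN form."""
    return _CVE_RE.sub(
        lambda m: CveId(int(m.group(1)), int(m.group(2))).canonical, text
    )


# Constructed sample, not an excerpt from the schema.
SAMPLE_TEXT = """Windows LSA spoofing - cve 2021-36942 (PetitPotam).
Exchange: CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207 (ProxyShell chain).
Repeat mention: CVE-2021-36942. Malformed, ignored: CVE-21-1234, CVE-2021-123."""

if __name__ == "__main__":
    for cve in extract_cve_ids(SAMPLE_TEXT):
        print(cve.canonical, "reserved in", cve.year)
```

The year check and the four-digit minimum on the sequence are what separate real identifiers from look-alikes; a naive `CVE-\d+-\d+` pattern would happily accept both malformed strings in the sample.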

The schema's production shows the infosec community at its collaborative best. That individual researchers put it together from a series of tweeted suggestions in a matter of days is immensely impressive.

The effort complements a seven-step ransomware mitigation guide published earlier this year by CISA. That guide is another resource with a wealth of advice on ransomware attacks, including when to consult your incident response team and when to bring law enforcement into the picture.
