
CISA Shares Vulnerabilities and Misconfigurations Exploited by Ransomware Gangs

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) maintains a Known Exploited Vulnerabilities (KEV) Catalog, which includes a list of all common vulnerabilities and exposures (CVEs) that are known to have been exploited by malicious actors. In January, CISA launched its Ransomware Vulnerability Warning Pilot (RVWP) program, under which critical infrastructure organizations are warned when Internet-accessible devices and systems are discovered on their networks that have unpatched vulnerabilities that could be exploited by ransomware actors. Organizations cannot address vulnerabilities on their networks that they are unaware of. The RVWP program aims to shine a light on security blind spots to allow organizations to take action and address the vulnerabilities before they are exploited in ransomware attacks. Under this program, CISA has already issued warnings to more than 800 organizations about unpatched vulnerabilities on their networks.

Last week, CISA published two new resources to help network defenders combat ransomware campaigns. The KEV Catalog has been updated and includes a new column that identifies KEVs that are known to have been exploited in ransomware campaigns. Currently, the KEV Catalog includes 184 CVEs that are known to have been exploited by ransomware gangs for initial access or other parts of the attack chain – almost 1 in 5 of the vulnerabilities listed in the KEV Catalog.
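The ransomware flag is only useful if it is folded into patch prioritization. The following added example (not CISA's or The HIPAA Journal's code) parses a feed in the shape of the KEV JSON, keeps the entries marked as used in ransomware campaigns, and cross-references them against a (vendor, product) asset inventory with overdue remediation deadlines listed first. The sample records and CVE IDs are constructed placeholders, and the field names are assumed to match the published feed.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed. Entries and CVE IDs
# are placeholders, not real catalog records; the field names (cveID,
# vendorProject, product, dueDate, knownRansomwareCampaignUse) are assumed to
# match the real feed.
SAMPLE_KEV_JSON = """{
  "vulnerabilities": [
    {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor", "product": "RDP Gateway",
     "dueDate": "2023-10-01", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor", "product": "File Server",
     "dueDate": "2023-11-15", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-0003", "vendorProject": "OtherVendor", "product": "VPN Appliance",
     "dueDate": "2023-11-30", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-0004", "vendorProject": "OtherVendor", "product": "Mail Gateway",
     "dueDate": "2023-12-20", "knownRansomwareCampaignUse": "Known"}
  ]
}"""


def load_kev(feed_text):
    """Parse the feed JSON and return its list of vulnerability records."""
    return json.loads(feed_text)["vulnerabilities"]


def ransomware_kevs(entries):
    """Keep only the entries flagged as used in ransomware campaigns."""
    return [e for e in entries
            if e.get("knownRansomwareCampaignUse", "").strip().lower() == "known"]


def prioritize(entries, inventory, today):
    """Cross-reference ransomware-flagged KEVs against (vendor, product) pairs
    from an asset inventory; overdue remediation deadlines sort first."""
    wanted = {(v.lower(), p.lower()) for v, p in inventory}
    hits = []
    for e in ransomware_kevs(entries):
        if (e["vendorProject"].lower(), e["product"].lower()) not in wanted:
            continue
        due = date.fromisoformat(e["dueDate"])
        hits.append({"cveID": e["cveID"], "product": e["product"],
                     "dueDate": due.isoformat(), "overdue": due < today})
    hits.sort(key=lambda h: (not h["overdue"], h["dueDate"]))
    return hits


if __name__ == "__main__":
    inv = {("ExampleVendor", "RDP Gateway"), ("OtherVendor", "Mail Gateway")}
    for hit in prioritize(load_kev(SAMPLE_KEV_JSON), inv, date(2023, 11, 1)):
        print(hit)
```

Replace SAMPLE_KEV_JSON with the downloaded feed text and the inventory set with output from your asset management tooling to produce a worklist for the patching team.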

CISA has also added a new table to the StopRansomware.gov website – Misconfigurations and Weaknesses Known to be Used in Ransomware Campaigns – that lists the most common misconfigurations and weaknesses along with Cyber Performance Goal (CPG) actions for each of the misconfigurations and weaknesses. CPGs are a common set of protections that should be implemented by all critical infrastructure organizations to reduce the likelihood and impact of known risks and adversary techniques.

The table is designed to let organizations quickly identify services known to be used by ransomware threat actors so they can implement mitigations or compensating controls. It differs from the KEV Catalog in that it includes weaknesses and misconfigurations that are not CVE-based. For example, there are known CVEs affecting Remote Desktop Protocol (RDP), but ransomware attackers can still gain access to networks via RDP even when patches have been applied for all known RDP CVEs.


At the time of publication, the table includes 5 Common Weakness Enumerations (CWEs)/misconfigurations: RDP, File Transfer Protocol (FTP), TELNET, Server Message Block (SMB), and Virtual Network Computing (VNC). The most commonly exploited weaknesses in these services are the use of default, weak, hard-coded, or compromised credentials, and the interception of cleartext credentials. The CPG actions include setting strong and unique passwords, enabling multi-factor authentication where possible, encrypting data during transmission using SSH File Transfer Protocol (SFTP), and using an encrypted Virtual Private Network (VPN).

Given the extent to which the healthcare industry is targeted by ransomware groups, it is vital for healthcare organizations to ensure that they address CVEs and security weaknesses/misconfigurations promptly. CISA issues notifications to healthcare organizations when vulnerabilities on their networks are discovered; however, faster and more targeted notifications will be received if they sign up for CISA’s vulnerability scanning service.

The HHS’ Office for Civil Rights investigates all data breaches of 500 or more records and state Attorneys General are increasingly taking action against organizations that suffer ransomware attacks. The failure to promptly address a vulnerability known to be exploited by ransomware gangs could put healthcare organizations at risk of civil monetary penalties if that vulnerability is exploited and it would make for a compelling negligence claim in data breach litigation.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
