With state government stay-at-home orders pushing more people online, bad actors are taking a growing interest in web shell malware and increasing their use of it. The NSA (National Security Agency) and the Australian Signals Directorate very recently (22 April) issued a dual-seal Cybersecurity Information Sheet focused on detecting and preventing web shell malware. Among the items highlighted in the 17-page document was a list of 13 web application vulnerabilities commonly exploited to install web shell malware. Of the 13 cited, we have seen a significant increase in our CyRating® for several of them.
One vulnerability that our AI analysis clearly indicates is of special interest to cyber criminals during the COVID-19 situation is CVE-2019-19781*, which affects Citrix® Gateway, Citrix® Application Delivery Controller, and Citrix® SD-WAN WANOP appliances. In the accompanying graph, notice the sudden steep increase in CyRating® around the end of January. Contrast the timing of that increase with the Google Trends image, which shows general interest in the word “Coronavirus” (and its variants) lagging by weeks. This is pretty good anecdotal evidence that cyber criminals are proactive and adaptive threat actors.
The CyRating® Score is designed to encapsulate the likelihood of threat. CYR3CON developed CyRating® as a means to distill a lot of complex information and context regarding each CVE into a single number. For the average vulnerability, CyRating® has a value of 1.0. Since it is a measure of relative likelihood, a vuln with a CyRating® Score of 10.0 is 10x more likely than the average vuln to be exploited by hackers.
CyRating® is calculated using a peer-reviewed, supervised ML (machine learning) approach. Threat intel from various hacker community sources is aligned with information on exploits-in-the-wild to produce the prediction. The CyRating® score is very useful for prioritizing vulnerability mitigation/remediation efforts. As a measure of threat, CyRating® is designed to be considered in combination with internal organizational policies, controls, and/or topology (attack surface) in assessing overall risk.
The Score can also be used to rapidly triage intelligence information. Since the CyRating® Score is driven by continuous analysis of threat intelligence, a higher score is generally indicative of threats that will use a particular vuln in an attack. When combined with an organizational assessment of impact (potential damage), CyRating® can be used to effectively drive security decisions.
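The following is an added illustration of the triage idea described above, not code from CYR3CON or from the CyRating® product. It treats a CyRating®-style score as a relative likelihood (baseline 1.0 for the average vulnerability), combines it with an organization's own impact assessment and a topology/controls adjustment, and ranks findings for remediation. All CyRating® values, impact scores, control discounts and the second, third and fourth CVE identifiers are constructed placeholders; only CVE-2019-19781 comes from the post.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

# The post states the average vulnerability has a CyRating of 1.0.
BASELINE_CYRATING = 1.0

# Assumed discount factors for compensating controls (illustrative, not from the post).
# "patched" drives residual exposure to zero; the others are rough, constructed weights.
CONTROL_DISCOUNT = {
    "waf": 0.7,
    "mfa": 0.8,
    "network_acl": 0.5,
    "patched": 0.0,
}


@dataclass
class Finding:
    cve: str
    cyrating: float                 # relative likelihood of exploitation (constructed)
    impact: int                     # 1-5, the organization's own damage assessment (constructed)
    internet_facing: bool           # topology / attack-surface input
    controls: List[str] = field(default_factory=list)


def exposure_factor(f: Finding) -> float:
    """Topology and controls adjustment; weights are assumptions for this example."""
    factor = 1.0 if f.internet_facing else 0.4
    for control in f.controls:
        factor *= CONTROL_DISCOUNT.get(control, 1.0)
    return factor


def risk_score(f: Finding) -> float:
    """Relative likelihood (normalised to the baseline) x impact x exposure."""
    return (f.cyrating / BASELINE_CYRATING) * f.impact * exposure_factor(f)


def triage(findings: List[Finding], threshold: float = 5.0) -> List[Tuple[str, float, bool]]:
    """Rank findings by risk; flag those at or above the remediation threshold."""
    ranked = sorted(findings, key=risk_score, reverse=True)
    return [(f.cve, round(risk_score(f), 2), risk_score(f) >= threshold) for f in ranked]


# Constructed sample inventory. CyRating values are invented for illustration.
SAMPLE_FINDINGS = [
    Finding("CVE-2019-19781", cyrating=12.0, impact=5, internet_facing=True),
    Finding("CVE-YYYY-NNNN-A", cyrating=4.0, impact=4, internet_facing=True, controls=["waf"]),
    Finding("CVE-YYYY-NNNN-B", cyrating=1.0, impact=3, internet_facing=False),
    Finding("CVE-YYYY-NNNN-C", cyrating=9.0, impact=5, internet_facing=True, controls=["patched"]),
]

if __name__ == "__main__":
    for cve, score, urgent in triage(SAMPLE_FINDINGS):
        print(f"{cve:18} risk={score:6.2f} {'REMEDIATE' if urgent else 'monitor'}")
```

The point of the layout is that the likelihood term comes from external threat intelligence while impact and exposure come from the organization itself; a high CyRating® on a patched or well-shielded asset can rank below a modest score on an exposed one.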
* The CVE or "Common Vulnerability Enumeration" is a standard for identifying software and hardware vulnerabilities set by the US National Institute of Standards (NIST).