CISA Alerted Thousands of Orgs of Vulnerabilities - Only Half Took Action

Date:

May 20, 2024


CISA (Cybersecurity and Infrastructure Security Agency) alerted nearly 2,000 organizations about vulnerabilities that could be exploited in ransomware attacks, yet only about half took any action on the alerts last year.

“Our findings indicated that 852 of the 1,754 notifications of vulnerable devices were either patched, implemented a compensating control, or taken offline after notification from CISA,” CIO Dive reports the agency as stating.

“While these trends with ransomware vulnerability warning pilot and cyber hygiene vulnerability scanning represent progress in the right direction, CISA acknowledges that there is room for improvement — this is only the beginning.”

Takeaway: So how do ransomware operators compromise thousands of servers in a matter of a few weeks? They are increasingly automating the exploitation of known vulnerabilities en masse, and the huge increase in the volume of attacks observed in 2023 is evidence of this trend.

Ransomware operators are adept at taking advantage of unpatched vulnerabilities and misconfigurations by automating aspects of their attack progressions. Automation means ransomware operators can simply hit more victims faster.

For example, hundreds of organizations were hit by the Cl0p ransomware gang when it exploited known vulnerabilities in the GoAnywhere MFT and MOVEit Transfer file-transfer products. These are multi-stage attacks, designed to infiltrate as much of the victim network as possible and exfiltrate sensitive data for extortion.

This ingress and lateral movement on the targeted network usually takes some time, so automating these aspects of the attack sequence allows threat actors to compromise more targets faster.

Some of these automated techniques and attack tooling are extremely difficult to detect and are more typical of APT-style operations. Timely patching of vulnerabilities, both old and new, is something all organizations should prioritize to prevent exploitation.

Patching can be difficult in some circumstances and can take time, but there is no excuse for an organization to be unaware that it needs to patch a known vulnerability.

Attackers are automating the discovery and exploitation of these vulnerable systems, so organizations should have processes in place to understand if they are exposed. There is no reason for them to be caught off guard.
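As an added example (not code from the original post or from Halcyon), here is the kind of exposure check such a process can start from: a Python script that matches a software inventory against CISA's Known Exploited Vulnerabilities (KEV) catalog and ranks what still needs to be patched, given a compensating control, or taken offline, the three outcomes CISA counted as action taken. The JSON field names are the KEV catalog's real schema, but the snapshot embedded below is constructed for the example (two real CVEs used by Cl0p, with dates that should be taken from the live feed at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json rather than trusted here), and the host inventory and its `status` values are invented.

```python
"""Match a software inventory against a snapshot of CISA's KEV catalog.

Added example, not from the original post. Field names (cveID, vendorProject,
product, dueDate, knownRansomwareCampaignUse, ...) follow the real KEV JSON
schema; the catalog entries and the inventory below are constructed.
"""
import json
from dataclasses import dataclass
from datetime import date

# Constructed snapshot in the shape of the KEV feed. Dates are illustrative:
# pull the live catalog rather than trusting these values.
KEV_SNAPSHOT_JSON = """{
  "vulnerabilities": [
    {"cveID": "CVE-2023-0669", "vendorProject": "Fortra", "product": "GoAnywhere MFT",
     "vulnerabilityName": "Fortra GoAnywhere MFT Remote Code Execution Vulnerability",
     "dateAdded": "2023-02-10", "dueDate": "2023-03-03",
     "requiredAction": "Apply updates per vendor instructions.",
     "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2023-34362", "vendorProject": "Progress", "product": "MOVEit Transfer",
     "vulnerabilityName": "Progress MOVEit Transfer SQL Injection Vulnerability",
     "dateAdded": "2023-06-02", "dueDate": "2023-06-23",
     "requiredAction": "Apply updates per vendor instructions.",
     "knownRansomwareCampaignUse": "Known"}
  ]
}"""

# Invented inventory. "status" records the three resolutions CISA counted as
# action taken (patched, compensating_control, offline), or "unpatched".
INVENTORY = [
    {"host": "mft01.corp.example", "vendor": "Fortra", "product": "GoAnywhere MFT", "status": "unpatched"},
    {"host": "xfer01.corp.example", "vendor": "Progress", "product": "MOVEit Transfer", "status": "compensating_control"},
    {"host": "xfer02.corp.example", "vendor": "Progress", "product": "MOVEit Transfer", "status": "patched"},
    {"host": "web01.corp.example", "vendor": "nginx", "product": "nginx", "status": "unpatched"},
]

RESOLVED = {"patched", "compensating_control", "offline"}


@dataclass(frozen=True)
class Finding:
    host: str
    cve_id: str
    due_date: date
    ransomware_use: bool
    status: str


def load_kev(raw_json: str) -> dict:
    """Index KEV entries by (vendor, product), case-insensitively."""
    index: dict = {}
    for entry in json.loads(raw_json)["vulnerabilities"]:
        key = (entry["vendorProject"].lower(), entry["product"].lower())
        index.setdefault(key, []).append(entry)
    return index


def match_inventory(inventory: list, kev_index: dict) -> list:
    """One Finding per (asset, KEV entry) match, worst first.

    KEV carries no affected-version data, so a match is a candidate to confirm
    against the vendor advisory, not proof that the host is vulnerable.
    """
    findings = []
    for asset in inventory:
        key = (asset["vendor"].lower(), asset["product"].lower())
        for entry in kev_index.get(key, []):
            findings.append(Finding(
                host=asset["host"],
                cve_id=entry["cveID"],
                due_date=date.fromisoformat(entry["dueDate"]),
                ransomware_use=entry.get("knownRansomwareCampaignUse") == "Known",
                status=asset["status"],
            ))
    # Unresolved first, then known ransomware use, then earliest CISA deadline.
    findings.sort(key=lambda f: (f.status in RESOLVED, not f.ransomware_use, f.due_date))
    return findings


def needs_action(findings: list) -> list:
    """Findings with no patch, compensating control, or decommission recorded."""
    return [f for f in findings if f.status not in RESOLVED]


def overdue(findings: list, today_iso: str) -> list:
    """Unresolved findings past the catalog's dueDate as of today_iso."""
    today = date.fromisoformat(today_iso)
    return [f for f in needs_action(findings) if today > f.due_date]


if __name__ == "__main__":
    results = match_inventory(INVENTORY, load_kev(KEV_SNAPSHOT_JSON))
    for f in results:
        flag = "ACTION REQUIRED" if f.status not in RESOLVED else f.status
        print(f"{f.host:22} {f.cve_id:15} due {f.due_date} ransomware={f.ransomware_use} {flag}")
    for f in overdue(results, date.today().isoformat()):
        print(f"OVERDUE: {f.host} {f.cve_id}")
```

Two caveats apply when using this for real. A vendor/product match is only a lead, because KEV lists no affected versions, so each hit must be confirmed against the vendor advisory before it goes on the patch queue. And the inverse is also true: a system with no KEV hit is not known to be safe, only not yet known to be exploited, so this check complements rather than replaces a full vulnerability scan.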

There are only two reasons for an organization having failed to patch in a timely manner: it could patch but didn't, or it wanted to patch but couldn't. Organizations that wanted to patch but couldn't are where the real work needs to be done.

Patching can be highly complex for some organizations. To avoid breaking critical business systems, patches often need to be applied in a development environment and tested before they reach production.

Even then, legacy systems and software, or internal (home-brewed) scripts and applications that will break if the patch is applied, can block patching outright. That is why there can be months or more of work before a patch can be deployed across the network.

But for the others, those who could patch but didn't, there is really no excuse. If we could first address the "low hanging fruit" that offer attackers a ripe target through poor security practices, we could make a big dent in this growing threat.

Halcyon.ai is the leading anti-ransomware company that closes endpoint protection gaps and defeats ransomware through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration prevention – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.