CEWL - Making the world a safer place

February 21, 2019

CEWL - the CVE Early Warning List, helps organizations on what to focus on when it comes to CVEs that threat actors are exploiting or imminently about to exploit in the wild.

The whole idea around CEWL is if you know what threat actors are using you can determine what the best way to defend against these attacks be it: patch, WAF, workaround, security product settings, deception, mitigation, detections, etc.

The article makes reference to today's, November 15th excellent DFIR Report:

Exchange Exploit Leads to Domain Wide Ransomware

This was chaining exploitation for domain-wide ransomware.  Uggh, really nasty!. The Microsoft Exchange vulnerabilities used were: CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207.  The DFIR report was from a customer compromised in late September.

TL;DR We had this is in CEWL in June and early August, so CEWL would have kept you safe.

CEWL is a validated and curated list.  With CVE-2021-31207 it has a CVSS score of high and a lot of organizations weren't patching this vulnerability because it wasn't critical.  Unfortunately, in the real world threat actors don't care about CVSS scores.  In fact, 80% of the CVEs that threat actors are using are non-critical - mainly medium and high. This is why it's important to use the CEWL list.  In relation to CVSS score, anything in the CEWL list is classed as critical as threat actors are using them. (From a usage point of view we see the same CVEs used for years after it is added to the list.)

One aim of CEWL is to reduce the pain of knowing what to patch.  Patching is a pain to the business so patching what is important and that can really make a difference to the security posture is the right balance between business and security.  

When CTCI sees the exploitation of these vulnerabilities we add them to the CEWL list as soon as possible.  A lot of time we have: added the CVE to the CEWL list on the day of the CVE or as we have seen it in the wild after the CVE has been released.  

From the CEWL portal. You see what got the Intel on the day after the CVE, however, we needed further validation as the intel source wasn't at the level of credibility we are after.  The CVE Date is the date of the CVE, the Date Added is the date we added the CVE to CEWL.  Honeypot is the first time we saw it in our honeypot, Intel is the first time we saw Intel on this and Research when manual Research is done by our threat analysts.

Figure 1, CEWL from the CTCI portal.

If you want a demo of CEWL to be more secure than your peers, lets us know, send us an email at sales@ctci.ai.

Knowing Is Half the Battle
get access now