Dive Brief:
- A state-sponsored botnet tied to the Flax Typhoon threat group is actively targeting 66 security vulnerabilities for exploitation, researchers from VulnCheck said Monday. Last week the Five Eyes intelligence partners named the botnet in a global threat advisory.
- However, researchers from VulnCheck warn that only 27 of those CVEs are listed in the Cybersecurity and Infrastructure Security Agency's closely monitored catalog of known exploited vulnerabilities (KEV).
- Researchers say the discrepancy between the actively targeted CVEs and the official CISA catalog highlights a longstanding backlog in identifying security threats that critical infrastructure providers, private companies and government agencies are up against.
Dive Insight:
A CISA spokesperson pointed to agency guidance, which sets three criteria a vulnerability must meet before it is added to the KEV catalog:
- The vulnerability has been assigned a CVE ID.
- Reliable evidence exists showing exploitation in the wild.
- Clear guidance exists for remediating the vulnerability, such as a vendor update.
Federal agencies are also required to take steps to mitigate vulnerabilities added to the catalog, to reduce the risk of malicious activity causing damage to civilian agency operations.
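For a defender, the practical consequence of the 27-of-66 gap is that KEV membership cannot be the only trigger for patch priority: a CVE being absent from the catalog says nothing about whether it is being exploited. The script below is added here as an illustration and is not code from the article or from VulnCheck. It cross-checks a local list of CVEs known to be exploited against a KEV-format JSON feed and reports which ones the catalog does not yet cover, grouped by vendor the way the report groups them. The feed sample and every CVE ID in it are constructed placeholders; the field names it assumes (`cveID`, `vendorProject`, `product`, `dateAdded`) follow the layout of CISA's public KEV JSON feed.

```python
"""Cross-check a list of actively exploited CVEs against a KEV-format catalog.

Added example, not part of the article. The catalog layout assumed here
mirrors CISA's public KEV JSON feed: a top-level "vulnerabilities" array of
records carrying "cveID", "vendorProject", "product" and "dateAdded".
Every CVE ID below is a constructed placeholder, not a real identifier.
"""
import json
from collections import Counter
from typing import Dict, Iterable, List, Set, Tuple

# Constructed stand-in for the KEV feed. In practice this document would be
# fetched from CISA's published feed URL rather than embedded.
KEV_FEED_JSON = json.dumps({
    "title": "Known Exploited Vulnerabilities (constructed sample)",
    "vulnerabilities": [
        {"cveID": "CVE-1900-0001", "vendorProject": "Apache",
         "product": "HTTP Server", "dateAdded": "2021-11-03"},
        {"cveID": "CVE-1900-0003", "vendorProject": "Cisco",
         "product": "IOS XE", "dateAdded": "2023-10-16"},
        {"cveID": "CVE-1900-0005", "vendorProject": "QNAP",
         "product": "QTS", "dateAdded": "2022-04-19"},
    ],
})

# Constructed list of (CVE, vendor) pairs standing in for the CVEs a threat
# report says a botnet is exploiting. Vendor tags mimic the report's grouping.
TARGETED_CVES: List[Tuple[str, str]] = [
    ("CVE-1900-0001", "Apache"),
    ("CVE-1900-0002", "Apache"),
    ("CVE-1900-0003", "Cisco"),
    ("CVE-1900-0004", "Zyxel"),
    ("CVE-1900-0005", "QNAP"),
    ("CVE-1900-0006", "Fortinet"),
]


def load_kev_ids(feed_json: str) -> Set[str]:
    """Return the set of CVE IDs present in a KEV-format JSON document."""
    feed = json.loads(feed_json)
    # Normalise case so "cve-1900-0001" and "CVE-1900-0001" compare equal.
    return {entry["cveID"].strip().upper() for entry in feed["vulnerabilities"]}


def kev_coverage(targeted: Iterable[Tuple[str, str]], kev_ids: Set[str]) -> Dict:
    """Split exploited CVEs into those already in KEV and those missing from it.

    The "not_in_kev" list is the set a defender must prioritise on their own
    evidence, since no catalog-driven remediation deadline will cover it.
    """
    in_kev: List[Tuple[str, str]] = []
    not_in_kev: List[Tuple[str, str]] = []
    for cve, vendor in targeted:
        bucket = in_kev if cve.strip().upper() in kev_ids else not_in_kev
        bucket.append((cve, vendor))
    total = len(in_kev) + len(not_in_kev)
    coverage = round(100.0 * len(in_kev) / total, 1) if total else 0.0
    return {"in_kev": in_kev, "not_in_kev": not_in_kev, "coverage_pct": coverage}


def vendor_breakdown(pairs: Iterable[Tuple[str, str]]) -> Counter:
    """Count CVEs per vendor, e.g. to see which product lines dominate the gap."""
    return Counter(vendor for _, vendor in pairs)


def coverage_report(targeted: Iterable[Tuple[str, str]], feed_json: str) -> str:
    """Render a short human-readable summary of the KEV gap."""
    result = kev_coverage(list(targeted), load_kev_ids(feed_json))
    lines = [
        f"{len(result['in_kev'])} of "
        f"{len(result['in_kev']) + len(result['not_in_kev'])} exploited CVEs "
        f"are in KEV ({result['coverage_pct']}% coverage)",
        "Not in KEV, by vendor:",
    ]
    for vendor, count in vendor_breakdown(result["not_in_kev"]).most_common():
        lines.append(f"  {vendor}: {count}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(coverage_report(TARGETED_CVES, KEV_FEED_JSON))
```

Run against the real feed, the only change needed is to replace `KEV_FEED_JSON` with the downloaded document; the matching is by CVE ID alone, so the script is indifferent to any other fields the feed adds.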
FBI Director Chris Wray last Wednesday disclosed an operation to disrupt a Mirai-variant botnet that has exploited more than 260,000 IoT devices globally. Just under half of the devices were located in the U.S.
The Five Eyes warned that Flax Typhoon, the China-linked threat group behind the botnet, is targeting critical infrastructure providers in the U.S. and other countries for malicious activity, including DDoS attacks and data theft.
The group is exploiting the CVEs to compromise routers, IP cameras and network-attached storage devices.
Among the 66 vulnerabilities, Apache accounted for 10 CVEs, Cisco for five, and Zyxel, QNAP, Fortinet and DrayTek for three each, according to the VulnCheck report.
There have been longstanding concerns about whether federal authorities have the resources to properly analyze and document all of the critical vulnerabilities that are used for malicious activity.
“Maybe they didn’t have visibility into it and maybe they’re not as pervasive in federal (agencies) could be good, valid reasons why they haven’t been added,” Patrick Garrity, security researcher at VulnCheck, told Cybersecurity Dive.
A May report by VulnCheck showed that the National Institute of Standards and Technology had analyzed fewer than 10% of the vulnerabilities published in the National Vulnerability Database since February.
NIST brought in an outside firm to help reduce the analysis backlog. A NIST spokesperson said the agency has made progress towards reducing the backlog, and an update on that progress is pending.