Tom Huckle, Director of Information Security and Compliance, EMEA, BlueVoyant
With new threats emerging every day, keeping abreast of zero-day vulnerabilities and triaging alerts can be an onerous task. Therefore, it is interesting, when looking at the threats that we have seen in recent years, to question whether naming these vulnerabilities or “branding” them helps to improve understanding and education around such threats. I am talking about names allocated outside of their CVE designations and whether this encourages organisations to take action or notice them more than they would if we just used CVE names.
For example, if I said to you CVE-2021-44228, CVE-2021-34523, CVE-2021-27065 and CVE-2020-1472, would you know which vulnerabilities they are, which product they affect, and the type of vulnerability they are? Some security researchers and Security Operations Centre (SOC) analysts may very well be able to answer. Generally, though, most people (even those in the security industry) would draw a blank. Yet if I were to say Log4Shell, ProxyShell, ProxyLogon, and ZeroLogon, this would likely elicit a different reaction.
A trend that started eight years ago
The naming of security vulnerabilities is by no means a new trend. Back in April 2014, a vulnerability nicknamed ‘Heartbleed’ hit the scene and is still remembered to this day. Once announced, it wasn’t just identified by its CVE number; it came with a website, a logo, and its now-memorable nickname. Human beings find it difficult to remember numbers alone because they are abstract concepts. But combining a CVE with a branded name makes it much easier to remember.
In data posted by CISA in April 2022, nine out of the top 15 most routinely exploited vulnerabilities in 2021 had a nickname. CVE-2021-44228, aka Log4Shell, affects the Apache Log4j open-source logging framework and, following its disclosure in December 2021, it was rapidly weaponised. The set of four vulnerabilities known collectively as ProxyLogon, and the set of three vulnerabilities known as ProxyShell, all affect Microsoft Exchange email servers.
For most of these vulnerabilities, researchers or other actors release proof-of-concept code within a fortnight of their initial disclosure. This makes the race to patch frighteningly quick. The argument for branding is that creating media attention and providing a website and a memorable nickname encourages more people to pay attention and consequently patch their systems. This is supported by the security researchers who discovered ‘ProxyLogon’, who state on their website that they published research about a Remote Code Execution (RCE) on several leading SSL VPN vendors in 2019. ¹
Although these RCEs got lots of media exposure and were covered by US-CERT, GCHQ and even the NSA, they were still being exploited by threat actors, botnets and Advanced Persistent Threat (APT) groups until 2021. As the Exchange vulnerabilities were more severe than the SSL VPN ones and the researchers wanted to raise people’s security awareness, they then created the nickname and website for the ProxyLogon vulnerability.²
The downside of branding or nicknames
However, there is a downside to all this media attention. The viral branding of these vulnerabilities highlights them to attackers, who in turn focus their efforts on creating proofs of concept. Soon, the public online repositories are flooded with exploits, allowing anyone to target vulnerable machines.
Plenty of other vulnerabilities have extensive archives that explain what the vulnerability is, how it works and highlight its dangers. This effort by security researchers to draw attention to their work, and to the apparent dangers organisations face if they do nothing, can only be a good thing if done correctly. Most responsible security professionals have good intentions and just want to see that the software products used en masse are secure and safe to use. Admittedly, in the past this has gone awry when a company has tried to use a found vulnerability for marketing purposes and raising awareness, but it turns out the vulnerability is not as bad as it was first thought, and a backlash occurs (e.g., Badlock in 2016).³
However, the naming of security vulnerabilities does help the community to distinguish between vulnerabilities and group them together if they affect the same vendor and product (i.e., ProxyShell and ProxyLogon for Microsoft Exchange Server). It creates an understanding and an ongoing reference point as malware variants surface or activities of an APT team evolve. This is especially handy when considering that, in 2021, over 18,000 vulnerabilities were recorded in the US-Cert Vulnerability database.
Educating organisations by naming vulnerabilities
By naming vulnerabilities and creating a media buzz, it is more likely that a company’s security team will hear about the vulnerability. That said, many enterprise teams will already have a vulnerability and patch management programme in place (or if they don’t, they should). This is most likely an automated process that will scan their systems for vulnerabilities and inform the security team if any are present. The security team will then decide on the risk associated with the vulnerability and any mitigating factors before enacting their patching programme. At the enterprise level, whether a vulnerability is named or not probably won’t make a huge amount of difference, but it certainly helps to deliver wider recognition, education and understanding across the business.
However, at the small to medium business (SMB) level, this naming trend will definitely help any under-resourced security teams become aware of potentially important vulnerabilities that they may otherwise miss. This is by no means a criticism of the teams working in SMBs, as they will likely be under-resourced and have a million-and-one things going on. They are probably running the IT and security operations simultaneously and if a news feed, social media post or word-of-mouth reaches them about the latest ‘HeartShock’ vulnerability then, in my eyes, this is ‘job done’.