Key Vulnerabilities
Below are select highlights from the list of software vulnerabilities that the Corvus team has responded to recently. Keep scrolling for the timeline of one of these responses, which shows how we reach the right policyholders with key information, quickly, when we detect a new vulnerability on their systems.
October:
Fortinet Vulnerability
Fortinet sent an advisory bulletin to clients detailing a critical security flaw (CVE-2022-40684). The vulnerability allows authentication bypass in certain versions of FortiOS and FortiProxy.
Apache Commons Text Vulnerability
The Apache Commons Text team disclosed CVE-2022-42889 and recommended that users upgrade to version 1.10. While Apache Commons Text is widely used, the specific component containing the flaw is unlikely to be as widespread.
September:
Microsoft Exchange Vulnerability
Security researchers from the cybersecurity company GTSC published a report detailing a possible new flaw in on-premises Microsoft Exchange Servers. Attackers first needed to steal credentials to exploit these vulnerabilities.
August:
Zimbra Vulnerability
Two vulnerabilities in the Zimbra Collaboration Suite (ZCS), a software suite with an email server and web client, led to widespread exploitation. Attackers placed backdoors on over 1,000 victims’ ZCS servers using these two exploits.
June:
Mitel Vulnerability
Mitel, a telecommunications company that provides business phone systems, issued a security advisory for a critical vulnerability, CVE-2022-29499, present in the Mitel Service Appliance component of MiVoice Connect. The vulnerability allows remote code execution.
Atlassian Vulnerability
Atlassian issued a security advisory for a critical vulnerability, CVE-2022-26134, impacting Atlassian's on-premises Confluence Server and Confluence Data Center. All supported versions of these products were affected; the cloud-based offering was not.
F5 Vulnerability
Technology company F5 released patches for a critical remote code execution vulnerability, CVE-2022-1388, affecting its BIG-IP family of products, which includes popular load balancer devices and software.
May:
Zyxel Vulnerability
Zyxel disclosed a critical vulnerability, CVE-2022-30525, affecting Zyxel products. This vulnerability allows unauthenticated, remote attackers to execute code on affected devices.
How Corvus Alerts Work
VPN Vulnerability - October 2022
Our Risk + Response team has developed a holistic approach that includes continual risk assessment, proactive risk management, and rapid response. A key fixture of our outreach is vulnerability alert emails, sent in response to critical security advisories. On average, we find that policyholders who receive Corvus Alerts patch their systems three times faster than organizations that don't receive a notification.
Who do we alert, why does it matter, and how do we stay ahead of threat actors? Scroll down to follow the timeline of one event from the discovery of a vulnerability to the alert landing in a policyholder’s inbox.
10:00am
The Vulnerability is Discovered
On Friday, October 7th, 2022, a major VPN provider sent an email to select customers about a critical vulnerability that potentially allowed for authentication bypass in certain versions of the software. The vendor released a security patch and recommended immediate application. It would not issue a public advisory until the following Monday.
Potential Impact
Threat actors could leverage this vulnerability to gain access to the firewall and VPN device, a common initial target from which ransomware is ultimately deployed throughout the environment. This was a “zero-day”: once the word got out, threat actors were armed with the knowledge of how to seek out vulnerable organizations and launch an attack.
2:30pm
Triage
Despite the fact that the news was released only to select customers, our team had its ears to the ground and was made aware of the situation. As a first step, our in-house security experts assessed the severity of the risk. With numerous advisories and rumors surfacing on any given day, prioritization is critical. Using our established criteria, the team determined that the vulnerability’s severity justified a proactive alert to policyholders. Members of the Risk + Response team gathered all known information and compiled it into easy-to-follow instructions that were published by 2:30pm.
6:00pm
The Race to the Inbox (with a leg up from Corvus tech)
With a “zero-day” vulnerability, timely alerts are particularly crucial. But sending alerts that aren’t applicable to a policyholder wastes their time and risks making them less responsive to true threats (the proverbial "crying wolf" situation). So a key part of determining our response is finding out how many policyholders use the device, and who they are.
How do we know who to alert? With the proprietary Corvus Scan, the Corvus Data Science team plugs gaps in traditional “off the shelf” IT scans. One feature utilizes keywords to match certain VPNs, enabling our team to identify which of our policyholders were most likely at risk through the use of the affected software.
7:00pm
Alerts Sent
Within hours of discovering the vulnerability, our team sent an Alert email to the Corvus policyholders who were most likely affected, with clear steps and helpful resources. The team stood by to help any policyholders with questions or clarifications.
These Alerts reached hundreds of potential victims the same day as the initial customer announcement, and preceded the public advisory by more than two days. Because they patch their systems on average three times faster than a typical organization, our policyholders are much more likely to beat threat actors to the punch.
Thanks for reading!
Lauren Winchester VP, Risk + Response
Jason Rebholz Chief Information Security Officer
Chris Hedenberg VP, Data Science
Lori Bailey Chief Insurance Officer
Legal Disclaimer: This report is intended for general guidance and information purposes only. This report is under no circumstances intended to be used or considered as specific insurance or information security advice. Please consult your broker with respect to the information presented herein.
About Corvus
Corvus Insurance is building a safer world through insurance products and digital tools that reduce risk, increase transparency, and improve resilience for policyholders and program partners. Our market-leading specialty insurance products are enabled by advanced data science and include Smart Cyber Insurance® and Smart Tech E+O™. Our digital platforms and tools enable efficient quoting and binding and proactive risk mitigation. Corvus Insurance offers insurance products in the U.S., Middle East, Europe, Canada, and Australia. Current insurance program partners include AXIS Capital, Crum & Forster, Hudson Insurance Group, certain underwriters at Lloyd’s of London, R&Q Accredited, SiriusPoint, and The Travelers Companies, Inc.
Corvus Insurance, Corvus London Markets, and Corvus Germany are the marketing names used to refer to Corvus Insurance Agency, LLC; Corvus Agency Limited; and Corvus Underwriting GmbH. All entities are subsidiaries of Corvus Insurance Holdings, Inc. Corvus Insurance was founded in 2017 and is headquartered in Boston, Massachusetts with offices across the U.S., in the UK, and Germany. For more information, visit corvusinsurance.com.