Ransomware Vulnerabilities

I wanted to pass on a query that was shared with me to look for common vulnerabilities used in Ransomware attacks. I hope others find this as useful as I did.

Ransomware Vulnerabilities: Rapid7’s Managed Vulnerability Management team has put together a list of vulnerabilities that they’ve found are commonly used in Ransomware attacks. Note that this is not meant to be an exhaustive list - simply a good place to get started to reduce your potential risk, based on our research:

  1. Go to Query Builder in InsightVM

  2. Click on “Switch to Export Mode”

  3. Paste the following into the Vulnerability Filter and click apply (you can then save this filter to use with dashboard/projects/etc):

vulnerability.cveIds IN [‘CVE-2010-0738’] ||
vulnerability.cveIds IN [‘CVE-2010-1428’] ||
vulnerability.cveIds IN [‘CVE-2012-0158’] ||
vulnerability.cveIds IN [‘CVE-2012-0507’] ||
vulnerability.cveIds IN [‘CVE-2012-0874’] ||
vulnerability.cveIds IN [‘CVE-2012-1723’] ||
vulnerability.cveIds IN [‘CVE-2012-4681’] ||
vulnerability.cveIds IN [‘CVE-2012-5076’] ||
vulnerability.cveIds IN [‘CVE-2013-0074’] ||
vulnerability.cveIds IN [‘CVE-2013-0322’] ||
vulnerability.cveIds IN [‘CVE-2013-0634’] ||
vulnerability.cveIds IN [‘CVE-2013-2465’] ||
vulnerability.cveIds IN [‘CVE-2013-2551’] ||
vulnerability.cveIds IN [‘CVE-2013-2618’] ||
vulnerability.cveIds IN [‘CVE-2013-2729’] ||
vulnerability.cveIds IN [‘CVE-2014-0556’] ||
vulnerability.cveIds IN [‘CVE-2014-0569’] ||
vulnerability.cveIds IN [‘CVE-2014-6332’] ||
vulnerability.cveIds IN [‘CVE-2014-8439’] ||
vulnerability.cveIds IN [‘CVE-2015-0311’] ||
vulnerability.cveIds IN [‘CVE-2015-1641’] ||
vulnerability.cveIds IN [‘CVE-2015-1701’] ||
vulnerability.cveIds IN [‘CVE-2015-2419’] ||
vulnerability.cveIds IN [‘CVE-2015-3105’] ||
vulnerability.cveIds IN [‘CVE-2015-3133’] ||
vulnerability.cveIds IN [‘CVE-2015-7645’] ||
vulnerability.cveIds IN [‘CVE-2015-8446’] ||
vulnerability.cveIds IN [‘CVE-2016-1019’] ||
vulnerability.cveIds IN [‘CVE-2017-0143’] ||
vulnerability.cveIds IN [‘CVE-2017-0144’] ||
vulnerability.cveIds IN [‘CVE-2017-0145’] ||
vulnerability.cveIds IN [‘CVE-2017-0146’] ||
vulnerability.cveIds IN [‘CVE-2017-0147’] ||
vulnerability.cveIds IN [‘CVE-2017-0148’] ||
vulnerability.cveIds IN [‘CVE-2017-0199’] ||
vulnerability.cveIds IN [‘CVE-2017-10271’] ||
vulnerability.cveIds IN [‘CVE-2017-11882’] ||
vulnerability.cveIds IN [‘CVE-2017-5638’] ||
vulnerability.cveIds IN [‘CVE-2017-6884’] ||
vulnerability.cveIds IN [‘CVE-2018-12808’] ||
vulnerability.cveIds IN [‘CVE-2018-20685’] ||
vulnerability.cveIds IN [‘CVE-2018-4878’] ||
vulnerability.cveIds IN [‘CVE-2018-8174’] ||
vulnerability.cveIds IN [‘CVE-2018-8389’] ||
vulnerability.cveIds IN [‘CVE-2018-8453’] ||
vulnerability.cveIds IN [‘CVE-2019-0604’] ||
vulnerability.cveIds IN [‘CVE-2019-0708’] ||
vulnerability.cveIds IN [‘CVE-2019-11510’] ||
vulnerability.cveIds IN [‘CVE-2019-1367’] ||
vulnerability.cveIds IN [‘CVE-2019-19781’] ||
vulnerability.cveIds IN [‘CVE-2019-2725’] ||
vulnerability.cveIds IN [‘CVE-2019-3396’] ||
vulnerability.cveIds IN [‘CVE-2019-6109’] ||
vulnerability.cveIds IN [‘CVE-2019-6110’] ||
vulnerability.cveIds IN [‘CVE-2019-6111’] ||
vulnerability.cveIds IN [‘CVE-2020-0688’] ||
vulnerability.cveIds IN [‘CVE-2020-0968’] ||
vulnerability.cveIds IN [‘CVE-2020-10189’] ||
vulnerability.cveIds IN [‘CVE-2020-1472’] ||
vulnerability.cveIds IN [‘CVE-2021-20016’] ||
vulnerability.cveIds IN [‘CVE-2021-26855’] ||
vulnerability.cveIds IN [‘CVE-2021-26857’] ||
vulnerability.cveIds IN [‘CVE-2021-26858’] ||
vulnerability.cveIds IN [‘CVE-2021-27065’]

Nice. Thanks for sharing!

Another way to write the same query.

vulnerability.cveIds IN [‘CVE-2010-0738’,‘CVE-2010-1428’,‘CVE-2012-0158’,‘CVE-2012-0507’,‘CVE-2012-0874’,‘CVE-2012-1723’,‘CVE-2012-4681’,‘CVE-2012-5076’,‘CVE-2013-0074’,‘CVE-2013-0322’,‘CVE-2013-0634’,‘CVE-2013-2465’,‘CVE-2013-2551’,‘CVE-2013-2618’,‘CVE-2013-2729’,‘CVE-2014-0556’,‘CVE-2014-0569’,‘CVE-2014-6332’,‘CVE-2014-8439’,‘CVE-2015-0311’,‘CVE-2015-1641’,‘CVE-2015-1701’,‘CVE-2015-2419’,‘CVE-2015-3105’,‘CVE-2015-3133’,‘CVE-2015-7645’,‘CVE-2015-8446’,‘CVE-2016-1019’,‘CVE-2017-0143’,‘CVE-2017-0144’,‘CVE-2017-0145’,‘CVE-2017-0146’,‘CVE-2017-0147’,‘CVE-2017-0148’,‘CVE-2017-0199’,‘CVE-2017-10271’,‘CVE-2017-11882’,‘CVE-2017-5638’,‘CVE-2017-6884’,‘CVE-2018-12808’,‘CVE-2018-20685’,‘CVE-2018-4878’,‘CVE-2018-8174’,‘CVE-2018-8389’,‘CVE-2018-8453’,‘CVE-2019-0604’,‘CVE-2019-0708’,‘CVE-2019-11510’,‘CVE-2019-1367’,‘CVE-2019-19781’,‘CVE-2019-2725’,‘CVE-2019-3396’,‘CVE-2019-6109’,‘CVE-2019-6110’,‘CVE-2019-6111’,‘CVE-2020-0688’,‘CVE-2020-0968’,‘CVE-2020-10189’,‘CVE-2020-1472’,‘CVE-2021-20016’,‘CVE-2021-26855’,‘CVE-2021-26857’,‘CVE-2021-26858’,‘CVE-2021-27065’]

When I enter the above I get an invalid query icon. Any help would be appreciated

I did too, but this fixed it for me

vulnerability.cveIds IN ['CVE-2010-0738','CVE-2010-1428','CVE-2012-0158','CVE-2012-0507','CVE-2012-0874','CVE-2012-1723','CVE-2012-4681','CVE-2012-5076','CVE-2013-0074','CVE-2013-0322','CVE-2013-0634','CVE-2013-2465','CVE-2013-2551','CVE-2013-2618','CVE-2013-2729','CVE-2014-0556','CVE-2014-0569','CVE-2014-6332','CVE-2014-8439','CVE-2015-0311','CVE-2015-1641','CVE-2015-1701','CVE-2015-2419','CVE-2015-3105','CVE-2015-3133','CVE-2015-7645','CVE-2015-8446','CVE-2016-1019','CVE-2017-0143','CVE-2017-0144','CVE-2017-0145','CVE-2017-0146','CVE-2017-0147','CVE-2017-0148','CVE-2017-0199','CVE-2017-10271','CVE-2017-11882','CVE-2017-5638','CVE-2017-6884','CVE-2018-12808','CVE-2018-20685','CVE-2018-4878','CVE-2018-8174','CVE-2018-8389','CVE-2018-8453','CVE-2019-0604','CVE-2019-0708','CVE-2019-11510','CVE-2019-1367','CVE-2019-19781','CVE-2019-2725','CVE-2019-3396','CVE-2019-6109','CVE-2019-6110','CVE-2019-6111','CVE-2020-0688','CVE-2020-0968','CVE-2020-10189','CVE-2020-1472','CVE-2021-20016','CVE-2021-26855','CVE-2021-26857','CVE-2021-26858','CVE-2021-27065']

When you copy them from the web forums they contain an incorrect single quote. Toss it into notepad and search for the single quote and replace it with a single quote.
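
The quote fix described in this thread can also be scripted. The following is an added example, not code from any poster or from Rapid7: it replaces typographic quotes with ASCII ones, checks each CVE ID's format, removes duplicates, and rebuilds the compact `IN [...]` form shown above. The function names and the sample input are constructed for illustration.

```python
import re

# Typographic quotes that forum software substitutes for ASCII quotes.
SMART_QUOTES = {"\u2018": "'", "\u2019": "'", "\u201a": "'", "\u201b": "'",
                "\u201c": '"', "\u201d": '"'}
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")   # CVE-YYYY-NNNN (4 or more digits)
TOKEN_RE = re.compile(r"'([^']*)'")        # anything between ASCII single quotes


def normalize_quotes(text):
    """Replace typographic quotes with their ASCII equivalents."""
    return text.translate(str.maketrans(SMART_QUOTES))


def rebuild_filter(pasted):
    """Return (filter_string, rejected_tokens) for a pasted query.

    Accepts either form from the thread: one clause per line joined by ||,
    or a single IN [...] list.
    """
    cleaned = normalize_quotes(pasted)
    seen, cves, rejected = set(), [], []
    for token in TOKEN_RE.findall(cleaned):
        token = token.strip().upper()
        if not CVE_RE.fullmatch(token):
            rejected.append(token)      # malformed ID: report it, do not emit it
        elif token not in seen:
            seen.add(token)             # keep first occurrence, preserve order
            cves.append(token)
    body = ",".join(f"'{cve}'" for cve in cves)
    return f"vulnerability.cveIds IN [{body}]", rejected


# Constructed sample: curly quotes as pasted from the forum, a duplicate in
# lower case, and a deliberately truncated ID.
SAMPLE = (
    "vulnerability.cveIds IN [\u2018CVE-2017-0144\u2019] ||\n"
    "vulnerability.cveIds IN [\u2018CVE-2019-0708\u2019] ||\n"
    "vulnerability.cveIds IN ['CVE-2020-1472','cve-2017-0144','CVE-2021-268']"
)

if __name__ == "__main__":
    query, bad = rebuild_filter(SAMPLE)
    print(query)
    print("rejected:", bad)
```
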