A Snapshot: Cybersecurity in US States
A Special Investigation of US States’ Attack Surface
Ransomware Spotlight Report 2023

Table of Contents
Introduction
Executive Summary
Report Methodology
Key Findings
Ransomware Metrics
MITRE Analysis
Scanner and Weakness Analysis
Latency Analysis
Special Snapshot: Cybersecurity in the US States
Noteworthy Trends and Interesting Facts
Future Predictions
Conclusion
About Us
Appendix

Report Methodology

The Special Snapshot section of this report provides data on the ransomware susceptibility of US state entities. This data was gathered by passively scanning domains belonging to state entities of all 50 states in the US. In this section, we look at the attack surface, region wise, to see what threats might slip through the cracks in their defense.

Securin Attack Surface Management (ASM) passively scanned and discovered 262,000 internet-facing assets across 50 US states and investigated their cyber hygiene to understand the potential dangers they are exposed to. The assets we scanned include visible internet hosts, web applications, APIs, CIDR (Netblock), and certificates. While exposure[5] is a broad term, in Securin ASM, we consider misconfigurations (DNS, email servers, hosts, and applications), data leaks (email breaches), and vulnerabilities in products as part of the exposure metric.

Securin ASM analyzed discovered assets, identified exposures, and adopted a funnel approach to prioritize the most dangerous exposures based on the severity, impact, and criticality of assets.

[Figure: exposure prioritization funnel: Open Exposures, Vulnerable Exposures, Exploitable Exposures, RCE/PE, Ransomware Exposures]

[5] Aggregated number of vulnerabilities on hosts is described as Exposures.

Attack Surface by Region

From an asset segregation perspective, the Western region has the biggest attack surface with the maximum number of assets, followed by the Midwest. Massive expanding attack surfaces are the crux of the problem for all government entities, as unknown, unmanaged assets within these attack surfaces can invariably expose sensitive data or provide a path for adversaries to infiltrate critical assets.

[Chart: Count of Assets by Region (Owned Assets): West 93001; Midwest 64607; South 56917; Northeast 48064]

Open Exposures

Securin ASM considers the following as open exposures: misconfigurations, data leaks, and product vulnerabilities. Open exposures are preferred targets for adversaries as they can be quickly and easily exploited.

Our analysis found that the Southern states had the maximum open exposures, followed by the West. This spotlights the need for a dedicated discovery engine that would continuously discover known and unknown assets that operate within the expanding attack surface. Unmanaged and unknown assets with dangerous exposures and vulnerabilities are favorite entry points for adversaries to infiltrate and breach.

[Chart: Open Exposures by Region: South 109978; West 107951; the Northeast and Midwest bars read 100035 and 89476]

Exploitable Exposures

Exploitable open exposures provide adversaries with more opportunities to maliciously leverage vulnerabilities. We discovered 64 unique vulnerabilities overall in all the states with exploits available in the public domain. We found the Midwest region had more exploitable exposures, followed closely by the South.

[Chart: Exploitable Exposures by Region: West 6133; South 6571; Northeast 4226; Midwest 6655]

An examination of these exploitable CVEs based on CVSS scores showed that 8 were critical and 22 of them were rated high. In contrast, Securin VRS rated 56 as critical and 3 as high.

[Chart: Exploitable Exposures by severity, CVSS Scores vs VRS Scores (Critical, High, Medium, Low, Informational)]

We also identified two exploitable vulnerabilities, CVE-2019-6111 and CVE-2019-6110, tied to the infamous Ryuk ransomware. Ryuk is notorious for targeting hospitals, especially in 2020, when the world was in the grip of a pandemic. The attacks on US hospitals in California, New York, and Oregon and also in the UK and Germany crippled the healthcare infrastructure and impaired critical care treatments. In the latter part of 2020, a spate of attacks on dozens of US hospitals led to the shutting down of hospitals, as healthcare administrators could not access patient records; it also disrupted chemotherapy treatment for cancer patients in critical condition.

Ryuk is known to be favored by the FIN12 Advanced Persistent Threat (APT) group among other types of code, such as Conti, Hive, and BlackCat. The latter two, Hive and BlackCat, have been ravaging multiple organizations in cyber attacks in 2022. Conti is believed to be the successor of Ryuk and saw a slow but steady rise on the ransomware charts, while incidents of the Ryuk ransomware slowly dwindled in 2021.

Interestingly, despite this association with this notorious ransomware strain, CVSS V2 and V3 rate these vulnerabilities as medium severity with scores of 4 and 6.80, respectively, while Securin VRS rates them as high-severity vulnerabilities with a score of 7.86. Both vulnerabilities (CVE-2019-6111 and CVE-2019-6110) have been found trending on the internet as a point of interest.

Based on the number of exposures found in the US, the most important question would be whether these regions have visibility into their attack surface. If yes, are they prioritizing the right kind of exposures for remediation?

Exploitable Exposures and RCE/PE

Securin experts prioritize Remote Code Execution and Privilege Escalation (RCE/PE) exploits as the most dangerous vulnerabilities. The Southern region has the highest number of vulnerabilities classified as RCE/PE exploits, followed by the West. Approximately 13% of exploitable vulnerabilities are RCE/PE, which is a worrying metric.

We have seen higher adoption of these exploits by ransomware operators seeking dangerous exploits to compromise exposed assets. The Southern region seems to have more assets exposed to RCE/PE vulnerabilities.

[Chart: Assets with RCE/PE Exploits vs Exploitable Exposures, by Region]
Region      Assets with RCE/PE Exploits   Exploitable Exposures
West        804                           6133
South       883                           6571
Northeast   485                           4226
Midwest     410                           6655

When we examined the susceptibility metric, the South region took the lead with 1.55 exposures per 100 assets, followed by the Northeast region with 1 exposure per 100 assets. From an overall perspective, this is a worrying metric as all US regions have assets with this dangerous exposure.

Our research shows that there are 64 exploitable vulnerabilities in the US, and of them, 19 CVEs have been classified as RCE/PE exploits. We examined their severity ratings and found that four have been rated critical and six as high severity vulnerabilities, but in comparison, VRS rates 18 (out of 19) as critical, because exploitability of the vulnerability is a key scoring factor for Securin VRS.

[Chart: RCE/PE vulnerabilities by severity, CVSS Scores (Critical 4, High 6, Medium 9) vs VRS Scores (Critical 18, Low 1)]

Among the 19 RCE/PE vulnerabilities, our experts highlighted the following vulnerabilities for prioritized patching as they could be exploited on public-facing assets:

• CVE-2019-0211 (Apache, Fedora Project, Canonical, Debian, openSUSE)
• CVE-2018-19518 (PHP, Debian, UW IMAP Project, Canonical)
• CVE-2009-2521 (Microsoft)

Assets with Ransomware-Associated Vulnerabilities

We found four CVEs associated with Ryuk ransomware in all the regions. These CVEs exist in the open-source code used in OpenBSD, WinSCP, Canonical, Debian, NetApp, Red Hat, and Oracle products. Unfortunately, this means that all US state agencies using these products are susceptible to ransomware, especially as attackers would only need to exploit one vulnerability associated with ransomware to deploy their malware and cripple computer systems.

[Chart: Ransomware Impacted Assets vs Count of Exposure by Region]
Region      Count of Ransomware Exposures
West        597
South       540
Northeast   198
Midwest     604
Assets with Ransomware bars read 234, 194, 172, and 69.

The Midwest has the maximum number of ransomware exposures (instances of the affected assets being used within the attack surface), closely followed by the West and the South. In terms of impacted assets, the South is in first place, followed closely by the West. In terms of ransomware susceptibility ratio, the South has 0.94 exposures per 100 assets, followed by the Midwest with 0.93 exposures.

This means that for every 100 assets, one asset is susceptible to ransomware.

The Midwest has the highest number of assets with ransomware-associated vulnerabilities. We also found that one-third of the Midwestern states (4 out of 12 states) have a higher risk of experiencing a ransomware attack as the count of their ransomware exposure is higher than their RCE/PE count. In comparison, the Northeast has the lowest ransomware exposure and least impacted assets.

We also identified four ransomware-associated vulnerabilities in all regions, and incidentally, they all are tied to Ryuk ransomware. Interestingly, CVE-2019-6109 and CVE-2018-20685 do not have any publicly known exploits; however, both vulnerabilities are associated with Ryuk ransomware. Securin ASM, powered by VRS metrics, takes this threat context into consideration and assigns a higher score to vulnerabilities for their association with Ryuk ransomware despite the lack of publicly known exploits.

CVE ID           Severity Scores                                                        Vendor & Product
CVE-2019-6109    CVSS V2 - 4.00 (Medium); CVSS V3 - 6.80 (Medium); VRS - 7.86 (High)    OpenBSD, WinSCP, Canonical, Debian, NetApp
CVE-2019-6111    CVSS V2 - 5.80 (Medium); CVSS V3 - 5.90 (Medium); VRS - 7.86 (High)    OpenBSD, WinSCP, Canonical, Debian, Red Hat
CVE-2019-6110    CVSS V2 - 4.00 (Medium); CVSS V3 - 6.80 (Medium); VRS - 7.86 (High)    OpenBSD, WinSCP, NetApp
CVE-2018-20685   CVSS V2 - 2.60 (Low); CVSS V3 - 5.30 (Medium); VRS - 7.66 (High)       OpenBSD, WinSCP, NetApp, Debian, Canonical, Red Hat, Oracle

Assets with ransomware-associated vulnerabilities can put an entire state’s machinery and infrastructure at high risk. Unless the government entities in all the regions have greater visibility into their attack surface and the assets that operate within, they are at risk of becoming the next ransomware victim. To protect an ever-expanding attack surface, organizations need a robust ASM solution that will continuously prioritize exposures and help remediate them. Automated discovery of all assets and continuous asset monitoring based on criticality, impact, exploits, and threat associations is the need of the hour for these regions.

CISA Known Exploited Vulnerabilities

CISA has mandated Federal Civilian Executive Branch (FCEB) entities to remediate all Known Exploited Vulnerabilities (KEVs) within stipulated deadlines. The KEV catalog is a dynamic list of vulnerabilities that have been exploited in the past or present; it presents clear remediation guidelines allowing organizations to patch without any complication. CISA has been updating the KEV catalog with the trending list of CVEs that can cause immediate harm. However, as CVSS scores are unreliable and NVD and MITRE latencies have been enabling adversaries, the CISA KEV catalog is the best option for organizations to kick-start their vulnerability prioritization framework.

[Chart: Count of CISA KEV Exposures by Region: South 778; Northeast 509; the West and Midwest bars read 408 and 314]

We found five CISA KEV exposures in all US regions. The South has the highest CISA KEV exposures followed by the Northeast. Unfortunately, the deadlines for patching these KEVs have already lapsed.

CVE ID           Vendor & Product                                                 Deadline
CVE-2019-0211    Apache, Fedora Project, Canonical, Debian, openSUSE              May 3, 2022
CVE-2020-36193   PHP, Fedora Project, Debian, Drupal                              Sep 15, 2022
CVE-2020-13671   Drupal, Fedora Project                                           Aug 18, 2022
CVE-2020-28949   PHP, Debian, Fedora Project, Drupal                              Sep 15, 2022
CVE-2021-40438   Apache, Fedora Project, Debian, NetApp, F5, Oracle, Siemens      Dec 15, 2022

Securin ASM with the CISA KEV Filter

For government entities, remediating CISA KEVs should be a no-brainer. The catalog provides prescribed deadlines by which these vulnerabilities need to be remediated. Furthermore, as these KEVs have clear remediation guidance with patch availability, it should be an easy exercise for US state entities to patch them, unless they are unaware of these exposures.
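As an added example that is not part of this report or of Securin's products, the following Python sketch applies the KEV-filter idea to constructed scan findings, ranking them by lapsed KEV deadline, ransomware association, RCE/PE classification and public-exploit availability, which is the order of concern the preceding sections argue for. The five KEV entries, the Ryuk associations and the RCE/PE classifications are the ones printed in this report; the catalog shape (a `vulnerabilities` list with `cveID` and `dueDate`) follows CISA's published KEV JSON feed, and the hostnames, the assessment date and the weights are assumptions.

```python
"""Added example (not Securin's code): a CISA KEV filter over scan findings,
ranking them as the report argues (lapsed KEV deadline, ransomware association,
RCE/PE, public exploit). Hostnames, date and weights are constructed."""
from dataclasses import dataclass
from datetime import date

# Constructed sample shaped like CISA's KEV JSON feed ("vulnerabilities" list
# with "cveID" and "dueDate"); fetch the live catalog from CISA in practice.
KEV_SAMPLE = {"vulnerabilities": [
    {"cveID": "CVE-2019-0211", "dueDate": "2022-05-03"},
    {"cveID": "CVE-2020-36193", "dueDate": "2022-09-15"},
    {"cveID": "CVE-2020-13671", "dueDate": "2022-08-18"},
    {"cveID": "CVE-2020-28949", "dueDate": "2022-09-15"},
    {"cveID": "CVE-2021-40438", "dueDate": "2022-12-15"},
]}
TODAY = date(2023, 1, 31)  # assessment date for the worked example (constructed)

@dataclass
class Finding:
    cve: str
    asset: str               # hostname from the scan (constructed below)
    exploit_public: bool     # exploit available in the public domain
    rce_pe: bool             # Remote Code Execution / Privilege Escalation
    ransomware: tuple = ()   # ransomware families the CVE is associated with

def kev_due_dates(catalog):
    """Map cveID -> remediation due date for a KEV-style catalog."""
    return {v["cveID"]: date.fromisoformat(v["dueDate"]) for v in catalog["vulnerabilities"]}

def prioritize(findings, catalog, today):
    """Return (score, finding, reasons) tuples, most urgent first. Ransomware
    association scores even with no public exploit, as the report argues."""
    due = kev_due_dates(catalog)
    ranked = []
    for f in findings:
        hits = []  # (weight, reason)
        if f.cve in due:
            overdue = (today - due[f.cve]).days
            hits.append((40, f"KEV deadline lapsed {overdue} days ago") if overdue > 0
                        else (30, f"KEV, due {due[f.cve]}"))
        if f.ransomware:
            hits.append((30, "ransomware: " + ", ".join(f.ransomware)))
        if f.rce_pe:
            hits.append((20, "RCE/PE"))
        if f.exploit_public:
            hits.append((10, "public exploit"))
        ranked.append((sum(w for w, _ in hits), f, [r for _, r in hits]))
    ranked.sort(key=lambda r: (-r[0], r[1].cve))  # ties broken by CVE ID
    return ranked

# Constructed scan findings; per-CVE attributes follow the report's tables,
# and attributes the report does not state are left False.
SAMPLE_FINDINGS = [
    Finding("CVE-2019-6111", "sftp-gw.example", True, False, ("Ryuk",)),
    Finding("CVE-2018-20685", "sftp-gw.example", False, False, ("Ryuk",)),
    Finding("CVE-2019-0211", "www.example", True, True),
    Finding("CVE-2021-40438", "proxy.example", False, False),
]

def run_example():
    return prioritize(SAMPLE_FINDINGS, KEV_SAMPLE, TODAY)
```

With the constructed date, CVE-2019-0211 ranks first (lapsed KEV, RCE/PE, public exploit), and CVE-2018-20685 still scores for its Ryuk association although no public exploit is known.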

Internal Assets Exposed

Yet another common attack vector that puts organizations at high risk is non-production environments and internal IPs exposed to the internet. Internal IPs and test environments must be used internally, but hackers can use leaked test credentials to log into these environments and access massive volumes of customer data. The Midwest has the highest internal assets exposed to the internet, followed closely by the South.

[Chart: Internal Assets Exposed by Region: Midwest 2304; South 2217; the West and Northeast bars read 1875 and 1881]

High-Risk Services

When we analyzed the services running within each region, the Northeast region had the most high-risk services, followed by the Midwest. High-risk services are unsafe services with ports open to the public internet; they lack sufficient network security and are easily exploited by attackers. These services can also be third-party associations and cloud platforms.

[Chart: High Risk Services by Region: Northeast 12703; Midwest 9729; the West and South bars read 8270 and 7286]

Email Breaches by Region

The exposure of email IDs in a breach is a significant security risk, as it paves the way for phishing, internal sabotage, and fraud attacks. Our analysis found that the Western region had the maximum email addresses exposed in breaches, with 638 email credentials available in the deep and dark web. This makes it extremely easy for an attacker to gain unauthorized access, move laterally within the environment, and access assets with sensitive information.

[Chart: Email Breaches by Region: West 638; the other bars read 399, 311, and 217]

Based on these passive scans, the Southern region seems to be most vulnerable with the highest open exposures, exploitable exposures, and RCE/PE exploits; it also has the most assets with ransomware-associated vulnerabilities and the highest unpatched exposures to KEVs.

Based on our analysis, our experts have identified the top 10 vulnerabilities found across all US State regions that need to be prioritized for patching immediately.

Conclusion

Overall, the US regions need better visibility into their attack surface, followed by continuous remediation of key exposures. These key exposures need to be prioritized by the impact and criticality of the asset so that agencies can remediate the most dangerous exposures first. Adopting automated solutions to continuously monitor and discover unknown assets will help shrink these attack surfaces. Any state entities that run their vulnerability management program based on CVSS scores will be severely disadvantaged. As the CISA KEV catalog does not yet list all the vulnerabilities associated with ransomware, US state entities may need to augment their vulnerability management program with an accurate vulnerability intelligence feed and a contextualized scoring system to help vulnerable regions gain resilience against adversaries.

How is Securin helping customers?

For the past three years, Securin experts have been tracking vulnerabilities associated with ransomware and their usage by various ransomware gangs. We observed the vulnerabilities quadruple in 2020 during the COVID pandemic, which facilitated prolific cyber attacks and brought the focus firmly back on cyber hygiene. Securin launched its product arm to help customers defend against cyber attacks through Securin Attack Surface Management (ASM) and Securin Vulnerability Intelligence (VI).

ASM

Securin ASM provides its customers with a hacker’s view of their attack surface, enabling you to see exposures, misconfigurations, shadow IT, and vulnerable products with vulnerabilities associated with ransomware. Securin ASM helps you gain visibility into your true attack surface, helping you expedite remediation before you are attacked.

VI

Securin VI provides security teams with an entire spectrum of vulnerability information consumable via an intuitive dashboard or APIs. Powered by 700+ authentic intelligence feeds, Securin VI’s AI and ML models continuously measure a vulnerability’s risk by dynamically tracking its trajectory from exploitation to weaponization.