Stealth Ransomware Hides in CISA KEV Updates, Threat Intel Uncovers Chains

GreyNoise’s recent analysis shows that multiple ransomware families have been operating almost invisibly by surfacing only in the Cybersecurity and Infrastructure Security Agency’s KEV (Known Exploited Vulnerabilities) bulletins. By correlating passive DNS records with network traffic logs, the researchers reconstructed full infection chains—from the initial exploit of a disclosed CVE to the use of low‑profile command‑and‑control (C2) servers that blend into legitimate traffic. The study revealed that these actors deliberately time their activity to coincide with KEV releases, using the alerts as a covert “handshake” to validate that their exploits are still effective.

For defenders, this tactic means traditional signature‑based tools and static blocklists are likely to miss the early stages of compromise. The reliance on known‑exploited CVEs underscores the critical need for rapid patching, while the stealthy C2 infrastructure calls for enriched telemetry—such as passive DNS, DNS‑over‑HTTPS monitoring, and anomaly‑based detection. Integrating KEV feed intelligence with proactive hunting can surface these hidden campaigns before ransomware encrypts data, reducing dwell time and limiting impact.
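As an added illustration of the correlation the article describes (not code from GreyNoise or from the original post), the script below joins three feeds a defender typically already has: a KEV-style list of newly added CVEs, vulnerability-scanner output mapping internal hosts to the CVEs they are exposed to, passive DNS first-seen records, and egress flow logs. It flags outbound connections from an exposed host, made shortly after the CVE landed in KEV, to an address whose DNS name first appeared around the same time, which is the "new infrastructure timed to the bulletin" pattern the article points at. All data is constructed; the CVE identifiers, hostnames, domains and addresses are placeholders, and only the `cveID`/`dateAdded` field names mirror the public CISA KEV JSON.

```python
"""Correlate a KEV feed, scanner exposure data, passive DNS and flow logs
to surface candidate infection chains: CVE -> exposed host -> destination -> domain."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample KEV entries (placeholder CVE ids). Field names follow the
# public CISA KEV JSON ("cveID", "dateAdded"); the values are not real.
KEV_FEED = [
    {"cveID": "CVE-0000-0001", "dateAdded": "2024-03-10"},
    {"cveID": "CVE-0000-0002", "dateAdded": "2024-01-05"},
]

# Hypothetical vulnerability-scanner output: internal hosts exposed to each CVE.
EXPOSED_HOSTS = {
    "CVE-0000-0001": ["srv-vpn-01"],
    "CVE-0000-0002": ["srv-web-02"],
}

# Constructed passive DNS: first date a resolver observed each name -> address mapping.
PASSIVE_DNS = [
    {"first_seen": "2024-03-09", "domain": "cdn-updates.example", "ip": "198.51.100.7"},
    {"first_seen": "2021-06-01", "domain": "pkg-mirror.example", "ip": "203.0.113.9"},
]

# Constructed outbound flow records from the egress firewall.
FLOWS = [
    {"ts": "2024-03-11T02:14:00", "src": "srv-vpn-01", "dst_ip": "198.51.100.7", "dst_port": 443},
    {"ts": "2024-03-11T03:40:00", "src": "srv-vpn-01", "dst_ip": "203.0.113.9", "dst_port": 443},
    {"ts": "2024-01-20T10:00:00", "src": "srv-web-02", "dst_ip": "203.0.113.9", "dst_port": 443},
]


def _day(stamp):
    """Parse the date part of an ISO timestamp or date string."""
    return datetime.strptime(stamp[:10], "%Y-%m-%d")


def reconstruct_chains(kev, exposed, pdns, flows, window_days=7, new_infra_days=14):
    """Return candidate chains as dicts.

    A flow is kept when (a) its source host is exposed to a CVE that was added to
    KEV at most `window_days` before the flow, and (b) the destination address maps,
    in passive DNS, to a name first seen within `new_infra_days` of the KEV release,
    i.e. infrastructure that appeared alongside the bulletin rather than long-lived
    hosts such as package mirrors.
    """
    ip_to_pdns = defaultdict(list)
    for rec in pdns:
        ip_to_pdns[rec["ip"]].append(rec)

    chains = []
    for entry in kev:
        added = _day(entry["dateAdded"])
        deadline = added + timedelta(days=window_days)
        for host in exposed.get(entry["cveID"], []):
            for flow in flows:
                if flow["src"] != host:
                    continue
                seen = _day(flow["ts"])
                if not (added <= seen <= deadline):
                    continue  # activity outside the post-bulletin window
                for rec in ip_to_pdns.get(flow["dst_ip"], []):
                    age = abs((_day(rec["first_seen"]) - added).days)
                    if age <= new_infra_days:
                        chains.append({
                            "cve": entry["cveID"],
                            "host": host,
                            "dst_ip": flow["dst_ip"],
                            "domain": rec["domain"],
                            "domain_first_seen": rec["first_seen"],
                            "flow_ts": flow["ts"],
                        })
    return chains


def format_chain(chain):
    """Render one chain as a single hunting-ticket line."""
    return (f"{chain['cve']} -> {chain['host']} -> {chain['dst_ip']} "
            f"({chain['domain']}, first seen {chain['domain_first_seen']}) at {chain['flow_ts']}")


if __name__ == "__main__":
    for c in reconstruct_chains(KEV_FEED, EXPOSED_HOSTS, PASSIVE_DNS, FLOWS):
        print(format_chain(c))
```

On the constructed data, only the `srv-vpn-01` connection to `cdn-updates.example` survives: the same host's traffic to the long-lived `pkg-mirror.example` is dropped because the name predates the bulletin by years, and the `srv-web-02` flow falls outside the seven-day window after its CVE was added. The two thresholds are the tuning knobs; widening `new_infra_days` trades more candidates for more noise.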

Categories: Malware & Ransomware, Vulnerabilities & Exploits, Data Breaches