The US Cybersecurity and Infrastructure Security Agency (CISA), on 07 April 2023 added five security flaws to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild. This includes three high-severity flaws in the Veritas Backup Exec Agent software (CVE-2021-27876, CVE-2021-27877, and CVE-2021-27878) that could lead to the execution of privileged commands on the underlying system. The flaws were fixed in a patch released by Veritas in March 2021.
- CVE-2021-27876 (CVSS score: 8.1) - Veritas Backup Exec Agent File Access Vulnerability
- CVE-2021-27877 (CVSS score: 8.2) - Veritas Backup Exec Agent Improper Authentication Vulnerability
- CVE-2021-27878 (CVSS score: 8.8) - Veritas Backup Exec Agent Command Execution Vulnerability
In a recent report, researchers revealed that an affiliate associated with the BlackCat (aka ALPHV and Noberus) ransomware operation targets publicly exposed Veritas Backup Exec installations to gain initial access by leveraging the aforementioned three bugs.[1]
See: https://redskyalliance.org/xindustry/blackcat-is-no-nice-kitty
The cyber threat investigators are tracking the affiliate actor under its uncategorized name UNC4466 said it first observed exploitation of the flaws on 22 October 2022.
In one incident, UNC4466 gained access to an internet-exposed Windows server, followed by carrying out a series of actions that allowed the attacker to deploy the Rust-based ransomware payload, but not before conducting reconnaissance, escalating privileges, and disabling Microsoft Defender's real-time monitoring capability.
See: https://redskyalliance.org/xindustry/ficker-stealer-debuts-rust
Also added by CISA to the KEV catalog is CVE-2019-1388 (CVSS score: 7.8), a privilege escalation flaw impacting Microsoft Windows Certificate Dialog that could be exploited to run processes with elevated permissions on an already compromised host.
The fifth vulnerability included in the list is an information disclosure flaw in Arm Mali GPU Kernel Driver (CVE-2023-26083) that was revealed by Google's Threat Analysis Group (TAG) in March 2023 as abused by an unnamed spyware vendor as part of an exploit chain to break into Samsung's Android smartphones.
Federal Civilian Executive Branch (FCEB) agencies have until 28 April 2023 to apply the patches to secure their networks against potential threats.
The advisory also comes as Apple released updates for iOS, iPadOS, macOS, and Safari web browsers to address zero-day flaws (CVE-2023-28205 and CVE-2023-28206) that it said have been exploited in real-world attacks.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225, or feedback@wapacklabs.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www. redskyalliance. org/
- Website: https://www. wapacklabs. com/
- LinkedIn: https://www. linkedin. com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/5504229295967742989
[1] https://thehackernews.com/2023/04/cisa-warns-of-5-actively-exploited.html
Comments