Apr 10, 2023Ravie Lakshmanan
The U.S. Cybersecurity and Infrastructure Security Agency (CISA)
on Friday added five security flaws[1]
to its Known Exploited Vulnerabilities (KEV[2]) catalog, citing
evidence of active exploitation in the wild.
This includes three high-severity flaws in the Veritas Backup
Exec Agent software (CVE-2021-27876, CVE-2021-27877, and
CVE-2021-27878) that could lead to the execution of privileged
commands on the underlying system. The flaws were fixed[3]
in a patch released by Veritas in March 2021.
- CVE-2021-27876[4] (CVSS score: 8.1) –
Veritas Backup Exec Agent File Access Vulnerability - CVE-2021-27877[5] (CVSS score: 8.2) –
Veritas Backup Exec Agent Improper Authentication
Vulnerability - CVE-2021-27878[6] (CVSS score: 8.8) –
Veritas Backup Exec Agent Command Execution Vulnerability
Google-owned Mandiant, in a report[7]
published last week, revealed that an affiliate associated with the
BlackCat[8]
(aka ALPHV and Noberus) ransomware operation is targeting publicly
exposed Veritas Backup Exec installations to gain initial access by
leveraging the aforementioned three bugs.
The threat intelligence firm, which is tracking the affiliate
actor under its uncategorized moniker UNC4466, said it first
observed exploitation of the flaws in the wild on October 22,
2022.
In one incident detailed by Mandiant, UNC4466 gained access to
an internet-exposed Windows server, followed by carrying out a
series of actions that allowed the attacker to deploy the
Rust-based ransomware payload, but not before conducting
reconnaissance, escalating privileges, and disabling Microsoft
Defender’s real-time monitoring capability.
Also added by CISA to the KEV catalog is CVE-2019-1388[9]
(CVSS score: 7.8), a privilege escalation flaw impacting Microsoft
Windows Certificate Dialog that could be exploited to run processes
with elevated permissions on an already compromised host.
UPCOMING WEBINAR
Learn to Secure the Identity Perimeter – Proven Strategies
Improve your business security with our upcoming expert-led
cybersecurity webinar: Explore Identity Perimeter strategies!
Don’t Miss Out – Save Your Seat![10]
The fifth vulnerability included in the list is an information
disclosure flaw in Arm Mali GPU Kernel Driver (CVE-2023-26083[11]) that was revealed[12] by Google’s Threat
Analysis Group (TAG) last month as abused by an unnamed spyware
vendor as part of an exploit chain to break into Samsung’s Android
smartphones.
Federal Civilian Executive Branch Agencies (FCEB) have time till
April 28 to apply the patches to secure their networks against
potential threats.
The advisory also comes as Apple released updates for iOS,
iPadOS, macOS, and Safari web browser to address a pair of zero-day flaws[13] (CVE-2023-28205 and
CVE-2023-28206) that it said has been exploited in real-world
attacks.
Found this article interesting? Follow us on Twitter [14] and LinkedIn[15] to read more exclusive
content we post.
References
- ^
five
security flaws (www.cisa.gov) - ^
KEV
(www.cisa.gov) - ^
fixed
(www.veritas.com) - ^
CVE-2021-27876
(nvd.nist.gov) - ^
CVE-2021-27877
(nvd.nist.gov) - ^
CVE-2021-27878
(nvd.nist.gov) - ^
report
(www.mandiant.com) - ^
BlackCat
(thehackernews.com) - ^
CVE-2019-1388
(nvd.nist.gov) - ^
Don’t
Miss Out – Save Your Seat! (thehacker.news) - ^
CVE-2023-26083
(nvd.nist.gov) - ^
revealed
(thehackernews.com) - ^
pair
of zero-day flaws (thehackernews.com) - ^
Twitter
(twitter.com) - ^
LinkedIn
(www.linkedin.com)
Read more https://thehackernews.com/2023/04/cisa-warns-of-5-actively-exploited.html
