CISA Alerts on 5 Actively Exploited Security Flaws: Urgent Action Required

April 10, 2023Ravie LakshmananSoftware Security / Cyber ​​Threats

The US Cyber ​​Security and Infrastructure Agency (CISA) on Friday added five security flaws to a Known Exploited Vulnerability (KEV) catalog, citing evidence of active exploitation in the wild.

This includes three high-level flaws in the Veritas Backup Exec Agent software (CVE-2021-27876, CVE-2021-27877, and CVE-2021-27878) that could lead to execution of privileged commands on the underlying system. The downside is still in a patch released by Veritas in March 2021.

• CVE-2021-27876 (CVSS Score: 8.1) – Veritas Backup Exec Agent File Access Vulnerability
• CVE-2021-27877 (CVSS Score: 8.2) – Veritas Backup Exec Agent Vulnerability Incorrect Authentication
• CVE-2021-27878 (CVSS Score: 8.8) – Veritas Backup Exec Agent Command Execution Vulnerability

Google’s Mandiant, at a report published last week, it was revealed that affiliates associated with the BlackCat ransomware operation (aka ALPHV and Noberus) targeted publicly exposed installations of Veritas Backup Exec to gain early access by exploiting the three aforementioned bugs.

The threat intelligence firm, which tracks affiliated actors under the unclassified name UNC4466, said it first observed exploits of the vulnerability in the wild on October 22, 2022.

In one incident detailed by Mandiant, UNC4466 gained access to an internet-exposed Windows server, followed by performing a series of actions that allowed attackers to deploy a Rust-based ransomware payload, but not before performing reconnaissance, elevating privileges, and disabling Defense’s real-time monitoring capabilities. Microsoft.

Also added by CISA to the KEV catalog CVE-2019-1388 (CVSS score: 7.8), a privilege escalation flaw affecting the Microsoft Windows Certificate Dialog that could be exploited to run processes with elevated permissions on compromised hosts.

The fifth vulnerability included in the list is an information disclosure flaw in the Arm Mali GPU Kernel Driver (CVE-2023-26083) which was disclosed by the Google Threat Analysis Group (TAG) last month as being abused by an unnamed spyware vendor as part of a chain of exploits to break into Samsung Android smartphones.

Federal Civil Executive Branch (FCEB) agencies have until April 28 to apply a patch to secure their network against potential threats.

The advisory also comes as Apple releases updates for iOS, iPadOS, macOS, and the Safari web browser to address a pair of zero-day vulnerabilities (CVE-2023-28205 and CVE-2023-28206) that it says are actually being exploited. world attack.