The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added five security flaws to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild.
This includes three high-severity flaws in the Veritas Backup Exec Agent software (CVE-2021-27876, CVE-2021-27877, and CVE-2021-27878) that could lead to the execution of privileged commands on the underlying system. The flaws were fixed in a patch released by Veritas in March 2021.
- CVE-2021-27876 (CVSS score: 8.1) - Veritas Backup Exec Agent File Access Vulnerability
- CVE-2021-27877 (CVSS score: 8.2) - Veritas Backup Exec Agent Improper Authentication Vulnerability
- CVE-2021-27878 (CVSS score: 8.8) - Veritas Backup Exec Agent Command Execution Vulnerability
Google-owned Mandiant, in a report published last week, revealed that an affiliate associated with the BlackCat (aka ALPHV and Noberus) ransomware operation is targeting publicly exposed Veritas Backup Exec installations to gain initial access by leveraging the aforementioned three bugs.
The threat intelligence firm, which is tracking the affiliate actor under its uncategorized moniker UNC4466, said it first observed exploitation of the flaws in the wild on October 22, 2022.
In one incident detailed by Mandiant, UNC4466 gained access to an internet-exposed Windows server, followed by carrying out a series of actions that allowed the attacker to deploy the Rust-based ransomware payload, but not before conducting reconnaissance, escalating privileges, and disabling Microsoft Defender's real-time monitoring capability.
Also added by CISA to the KEV catalog is CVE-2019-1388 (CVSS score: 7.8), a privilege escalation flaw impacting Microsoft Windows Certificate Dialog that could be exploited to run processes with elevated permissions on an already compromised host.
The fifth vulnerability included in the list is an information disclosure flaw in Arm Mali GPU Kernel Driver (CVE-2023-26083) that was revealed by Google's Threat Analysis Group (TAG) last month as abused by an unnamed spyware vendor as part of an exploit chain to break into Samsung's Android smartphones.
Federal Civilian Executive Branch (FCEB) agencies have time till April 28, 2023, to apply the patches to secure their networks against potential threats.
The advisory also comes as Apple released updates for iOS, iPadOS, macOS, and Safari web browser to address a pair of zero-day flaws (CVE-2023-28205 and CVE-2023-28206) that it said has been exploited in real-world attacks.
Update:
CISA, on April 10, 2023, added the two Apple zero-day vulnerabilities to the KEV catalog, urging FCEB agencies to secure iOS, iPadOS, and macOS devices by May 1, 2023.