
The US Cybersecurity and Infrastructure Security Agency (CISA) on Friday added three flaws to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of exploits in the wild.
The first of the three is CVE-2022-24990, a bug affecting TerraMaster Network Attached Storage (TNAS) devices that could allow unauthenticated remote code execution with the highest privileges.
Details about this vulnerability were revealed in March 2022 by Ethiopian cybersecurity research firm Octagon Networks.
The vulnerability was allegedly weaponized by North Korean state hackers to attack medical and critical infrastructure entities with ransomware, according to a joint advisory released by US and South Korean government officials.
The second flaw added to the KEV catalog is CVE-2015-2291, an unspecified flaw in the Intel Ethernet Diagnostic Drivers for Windows (IQVW32.sys and IQVW64.sys) that could cause a denial-of-service condition on affected devices.
A real-world exploit for CVE-2015-2291 was disclosed by CrowdStrike last month as part of its details on the Scattered Spider (aka Roasted 0ktapus or UNC3944) attack. In that attack, legitimately signed but malicious versions of vulnerable drivers were loaded, a technique known as Bring Your Own Vulnerable Driver (BYOVD).
According to the cybersecurity firm, its purpose was to bypass endpoint security software installed on compromised hosts. The attack ultimately failed.
This development highlights the increasing adoption of the technique by multiple actors, such as BlackByte, Earth Longzhi, Lazarus Group, and OldGremlin, to gain elevated privileges on compromised hosts.
Finally, CISA has also added to the KEV catalog a remote code injection discovered in Fortra’s GoAnywhere MFT managed file transfer application (CVE-2023-0669). A patch was recently released for this vulnerability, but the exploit has been linked to a cybercriminal group associated with ransomware operations.
In an analysis published earlier this week, Huntress said it observed the infection chain leading to the deployment of TrueBot, a Windows malware attributed to a threat actor known as Silence, which shares ties with Evil Corp, a Russian cybercrime crew that exhibits tactical overlaps with TA505.
As TA505 facilitated the deployment of Clop ransomware in the past, this attack is suspected to be a prelude to deploying file-locking malware on targeted systems.
Additionally, security blog Bleeping Computer reported that the Clop ransomware crew contacted the publication and claimed to have exploited the flaw to steal data stored on compromised servers belonging to over 130 companies.
Federal Civilian Executive Branch (FCEB) agencies have until March 3, 2023 to apply patches to protect their networks from active threats.