On Friday, the US Cybersecurity and Infrastructure Security Agency (CISA) increased its list of security issues that threat actors used in attacks by five, including three in Veritas Backup Exec exploited to deploy ransomware.
One of the other vulnerabilities was exploited as a zero-day in an exploit chain that targeted Samsung’s web browser, and another allows attackers to escalate privileges on Windows machines.
Initial access during a ransomware attack
Of the five vulnerabilities CISA added to the Known Exploited Vulnerabilities (KEV) catalog today, only one was rated as critical: an issue in Veritas’ data protection software tracked as CVE-2021-27877 that allows remote access and execution of commands with elevated privileges.
The other two flaws (CVE-2021-27876, CVE-2021-27878) affecting Veritas Backup Exec were also exploited in the attack, allowing the intruder to access arbitrary files and execute arbitrary commands on the system.
It should be noted that Veritas patched all three vulnerabilities in March 2021, yet thousands of Backup Exec instances are currently accessible on the public web.
The exploit chain delivers spyware
The zero-day vulnerability exploited against Samsung’s web browser is tracked as CVE-2023-26083 and affects Arm’s Mali GPU driver.
Part of an exploit chain that distributed commercial spyware in a campaign discovered in December 2022 by Google’s Threat Analysis Group (TAG), the security issue is an information leak that exposes sensitive kernel metadata.
In a previous KEV update at the end of March, CISA added to the catalog the other vulnerabilities used in that exploit chain, some of which were zero-days at the time of the attack.
The fifth vulnerability CISA added to KEV is identified as CVE-2019-1388. It impacts the Microsoft Windows certificate dialog and has been used in attacks to run processes with elevated privileges on a previously compromised machine.
Federal agencies in the United States have until April 28 to check whether their systems are affected by the newly added vulnerabilities and to apply the necessary updates.
Under Binding Operational Directive 22-01 (BOD 22-01), in effect since November 2021, Federal Civilian Executive Branch (FCEB) agencies must check and patch their networks for all bugs included in the KEV catalog, which currently has 911 entries.
Although the KEV is primarily aimed at federal agencies, private companies around the world are strongly advised to prioritize patching the vulnerabilities in the catalog.