CISA Warns of Active Attacks Exploiting Fortra MFT, TerraMaster NAS, and Intel Driver Flaws

Threat Response / Vulnerability

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added three flaws to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active abuse in the wild.

Included among the three is CVE-2022-24990, a bug affecting TerraMaster network-attached storage (TNAS) devices that could lead to unauthenticated remote code execution with the highest privileges.

Details about the flaw were disclosed by Ethiopian cyber security research firm Octagon Networks in March 2022.

The vulnerability, according to a joint advisory released by U.S. and South Korean government authorities, is said to have been weaponized by North Korean nation-state hackers to strike healthcare and critical infrastructure entities with ransomware.

The second shortcoming to be added to KEV catalog is CVE-2015-2291, an unspecified flaw in the Intel ethernet diagnostics driver for Windows (IQVW32.sys and IQVW64.sys) that could throw an affected device into a denial-of-service state.

The exploitation of CVE-2015-2291 in the wild was revealed by CrowdStrike last month, detailing a Scattered Spider (aka Roasted 0ktapus or UNC3944) attack that entailed an attempt to plant a legitimately signed but malicious version of the vulnerable driver using a tactic called Bring Your Own Vulnerable Driver (BYOVD).

The goal, the cybersecurity firm said, was to bypass endpoint security software installed on the compromised host. The attack was ultimately unsuccessful.

The development underscores the growing adoption of the technique by multiple threat actors, namely BlackByte, Earth Longzhi, Lazarus Group, and OldGremlin, to power their intrusions with elevated privileges.

Lastly, CISA has also added a remote code injection discovered in Fortra’s GoAnywhere MFT managed file transfer application (CVE-2023-0669) to the KEV catalog. While patches for the flaw were released recently, the exploitation has been linked to a cybercrime group affiliated with a ransomware operation.

Huntress, in an analysis published earlier this week, said it observed the infection chain leading to the deployment of TrueBot, a Windows malware attributed to a threat actor known as Silence and which shares connections with Evil Corp, a Russian cybercrime crew that exhibits tactical overlaps with TA505.

With TA505 facilitating the deployment of Clop ransomware in the past, it’s being suspected that the attacks are a precursor to deploying file-locking malware on targeted systems.

Furthermore, security blog Bleeping Computer reported that the Clop ransomware crew reached out to the publication and claimed to have exploited the flaw to steal data stored in the compromised servers from over 130 companies.

Federal Civilian Executive Branch (FCEB) agencies are required to apply the fixes by March 3, 2023, to secure the networks against active threats.

Related Articles

Back to top button