Veritas Backup Exec was exploited by threat actors to deploy ransomware in three of the five security vulnerabilities added to CISA’s “must patch” list on Friday, according to the U.S. Cybersecurity and Infrastructure Security Agency (CISA).
Veritas Backup Exec, a data backup tool that supports a wide range of systems, including desktop operating systems, virtual environments like VMware and Hyper-V, and cloud platforms like Amazon S3, Microsoft Azure, and Google Cloud Storage.
Attackers used a zero-day vulnerability in an attack chain that targeted Samsung’s web browser. Another vulnerability that allowed attackers to increase privileges on Windows machines.
Initial Ransomware Access
CISA added five vulnerabilities to the list of Known Exploited Vulnerabilities (KEV), with only CVE-2021-27877 rated critical. This vulnerability was discovered in Veritas’ data protection software and allows for remote access and command execution with privileged access.
The attackers also exploited two additional Veritas Backup Exec vulnerabilities (CVE-2021-27876 and CVE-2021-27878). This allowed them to access any file and execute commands on the system using system privileges.
It is important to mention that Veritas patched all three vulnerabilities in March 2021. However, hundreds of Backup Exec instances are currently available on the public web, and it is estimated that around 8,500 Veritas Backup Exec instances are exposed to the internet, some of which may still be vulnerable to these vulnerabilities.
Veritas Vulnerabilities Lead to Spyware Delivery
Google’s Threat Analysis Group (TAG) recently disclosed the exploitation of a zero-day vulnerability (CVE-2023-26083) in the Arm Mali GPU driver to compromise Samsung’s web browser. This vulnerability was part of an attack chain that an unknown spyware vendor used and was revealed by TAG last month.
In December 2022, Google’s Threat Analysis Group (TAG) identified a campaign that used an exploit chain to distribute commercial malware. This campaign included the discovery of a vulnerability that allowed for the public release of confidential kernel metadata.
CISA recently included CVE-2019-1388 in the KEV catalog, which is a privilege escalation vulnerability affecting the Microsoft Windows Certificate Dialog. This vulnerability may provide an attacker with access to launch processes with high privileges on a system that has already been compromised.
Federal Civilian Executive Branch (FCEB) agencies have until April 28, 2023, to install patches and enhance the security of their networks against potential threats.
FCEB must analyse and fix any problems with the 911 entries in the KEV catalogue on their networks in accordance with a legally binding operational directive (BOD 22-01) published in November 2021.
Although KEV is mainly targeted at federal organisations, it is highly recommended that companies worldwide give priority to solving the vulnerabilities listed in the catalog.
Apple has issued updates for iOS, iPadOS, macOS, and Safari web browser to fix two zero-day vulnerabilities (CVE-2023-28205 and CVE-2023-28206) that have been used in actual attacks. This advice was made public along with these updates.
Successful ransomware attacks are most-often preceded by phishing emails. Help your colleagues keep a security-first mindset and boost your human firewall by starting your Phishing Tackle security awareness training today with our two-week free trial.