CISA orders agencies to patch Backup Exec bugs used by ransomware gang

On Friday, U.S. Cybersecurity and Infrastructure Security Agency (CISA) increased by five its list of security issues that threat actors have used in attacks, three of them in Veritas Backup Exec exploited to deploy ransomware.

One of the vulnerabilities was exploited as zero-day as part of an exploit chain that targeted Samsung’s web browser and another that allows attackers to increase privileges on Windows machines.

Initial access in ransomware attack

Of the five vulnerabilities that CISA added to the catalog of Known Exploited Vulnerabilities (KEV) today, only one was rated critical, an issue in Veritas’ data protection software tracked as CVE-2021-27877 that allows remote access and command execution with elevated privileges.

A report earlier this week from cybersecurity firm Mandiant informs that CVE-2021-27877 was used by an affiliate of the ALPHV/BlackCat ransomware operation to gain initial access to a target network.

The other two flaws (CVE-2021-27876, CVE-2021-27878) impacting Veritas Backup Exec were also leveraged in the attack, enabling the intruder to access arbitrary files and execute arbitrary commands on the system.

It is worth noting that Veritas patched all three vulnerabilities in March 2021 and that thousands of Backup Exec instances are currently reachable over the public web.

Exploit chain delivers spyware

The zero-day vulnerability leveraged against Samsung’s web browser is tracked as CVE-2023-26083 and affects the Mali GPU driver from Arm.

Part of an exploit chain that delivered commercial spyware in a campaign discovered in December 2022 by Google's Threat Analysis Group (TAG), the security issue is an information leak that allows exposing sensitive kernel metadata.

In a previous KEV update at the end of March, CISA included in the catalog the other vulnerabilities leveraged in the exploit chain, some of which were zero-days at the time of the attack.

The fifth vulnerability CISA added to KEV is identified as CVE-2019-1388. It impacts the Microsoft Windows Certificate Dialog and has been used in attacks to run processes with elevated privileges on a previously compromised machine.

Federal agencies in the U.S. have until April 28 to check if their systems are impacted by the newly added vulnerabilities and to apply the necessary updates.

As part of the binding operational directive (BOD 22-01) from November 2021, Federal Civilian Executive Branch Agencies (FCEB) agencies have to check and fix their networks for all bugs included in the KEV catalog, which currently has 911 entries.

Even if KEV is mainly aimed at federal agencies, it is strongly recommended that private companies all over the world treat with priority the vulnerabilities in the catalog.