CISA Warns of Active Attacks Exploiting Fortra MFT, TerraMaster NAS, and Intel Driver Flaws

On Friday, 02/10/23, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added three flaws to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active abuse in the wild.

Among the three is CVE-2022-24990, a bug affecting TerraMaster network-attached storage (TNAS) devices that could lead to unauthenticated remote code execution with the highest privileges.

Ethiopian cyber security research firm Octagon Networks disclosed details about the flaw in March 2022.

According to a joint advisory released by U.S. and South Korean government authorities, the vulnerability is said to have been weaponized by North Korean nation-state hackers to strike healthcare and critical infrastructure entities with ransomware.

The second shortcoming to be added to the KEV catalog is CVE-2015-2291, an unspecified flaw in the Intel ethernet diagnostics driver for Windows (IQVW32.sys and IQVW64.sys) that could throw an affected device into a denial-of-service state.

The exploitation of CVE-2015-2291 in the wild was revealed by CrowdStrike last month, detailing a Scattered Spider (aka Roasted 0ktapus or UNC3944) attack that attempted to plant a legitimately signed but malicious version of the vulnerable driver using a tactic called Bring Your Own Vulnerable Driver (BYOVD).

The goal, the cybersecurity firm said, was to bypass endpoint security software installed on the compromised host. The attack was ultimately unsuccessful.

The development underscores the growing technique adoption by multiple threat actors,  BlackByte, Earth Longzhi, Lazarus Group, and OldGremlin, to power their intrusions with elevated privileges.

Lastly, CISA added a remote code injection discovered in Fortra’s GoAnywhere MFT-managed file transfer application (CVE-2023-0669) to the KEV catalog. While patches for the flaw were released recently, the exploitation has been linked to a cybercrime group affiliated with a ransomware operation.

Huntress, in an analysis published earlier this week, said it observed the infection chain leading to the deployment of TrueBot, a Windows malware attributed to a threat actor known as Silence and shares connections with Evil Corp. This Russian cybercrime crew exhibits tactical overlaps with TA505.

With TA505 facilitating the deployment of Clop ransomware in the past, it’s suspected that the attacks are a precursor to deploying file-locking malware on targeted systems.

Furthermore, the security blog Bleeping Computer reported that the Clop ransomware crew reached out to the publication and claimed to have exploited the flaw to steal data stored in the compromised servers from over 130 companies.

Federal Civilian Executive Branch (FCEB) agencies must apply the fixes by March 3, 2023, to secure the networks against active threats.

Source: THN