Headline
CISA Warns of Active Attacks Exploiting Fortra MFT, TerraMaster NAS, and Intel Driver Flaws
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added three flaws to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active abuse in the wild. Included among the three is CVE-2022-24990, a bug affecting TerraMaster network-attached storage (TNAS) devices that could lead to unauthenticated remote code execution with the highest privileges. Details
Threat Response / Vulnerability
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added three flaws to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active abuse in the wild.
Included among the three is CVE-2022-24990, a bug affecting TerraMaster network-attached storage (TNAS) devices that could lead to unauthenticated remote code execution with the highest privileges.
Details about the flaw were disclosed by Ethiopian cyber security research firm Octagon Networks in March 2022.
The vulnerability, according to a joint advisory released by U.S. and South Korean government authorities, is said to have been weaponized by North Korean nation-state hackers to strike healthcare and critical infrastructure entities with ransomware.
The second shortcoming to be added to KEV catalog is CVE-2015-2291, an unspecified flaw in the Intel ethernet diagnostics driver for Windows (IQVW32.sys and IQVW64.sys) that could throw an affected device into a denial-of-service state.
The exploitation of CVE-2015-2291 in the wild was revealed by CrowdStrike last month, detailing a Scattered Spider (aka Roasted 0ktapus or UNC3944) attack that entailed an attempt to plant a legitimately signed but malicious version of the vulnerable driver using a tactic called Bring Your Own Vulnerable Driver (BYOVD).
The goal, the cybersecurity firm said, was to bypass endpoint security software installed on the compromised host. The attack was ultimately unsuccessful.
The development underscores the growing adoption of the technique by multiple threat actors, namely BlackByte, Earth Longzhi, Lazarus Group, and OldGremlin, to power their intrusions with elevated privileges.
Lastly, CISA has also added a remote code injection discovered in Fortra’s GoAnywhere MFT managed file transfer application (CVE-2023-0669) to the KEV catalog. While patches for the flaw were released recently, the exploitation has been linked to a cybercrime group affiliated with a ransomware operation.
Huntress, in an analysis published earlier this week, said it observed the infection chain leading to the deployment of TrueBot, a Windows malware attributed to a threat actor known as Silence and which shares connections with Evil Corp, a Russian cybercrime crew that exhibits tactical overlaps with TA505.
With TA505 facilitating the deployment of Clop ransomware in the past, it’s being suspected that the attacks are a precursor to deploying file-locking malware on targeted systems.
Furthermore, security blog Bleeping Computer reported that the Clop ransomware crew reached out to the publication and claimed to have exploited the flaw to steal data stored in the compromised servers from over 130 companies.
Federal Civilian Executive Branch (FCEB) agencies are required to apply the fixes by March 3, 2023, to secure the networks against active threats.
Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.
Related news
Based on a comprehensive review of more than a dozen prominent ransomware groups, we identified several commonalities in TTPs, along with several notable differences and outliers.
TerraMaster NAS through 4.2.30 allows remote WAN attackers to execute arbitrary code as root via the raidtype and diskstring parameters for PHP Object Instantiation to the api.php?mobile/createRaid URI. (Shell metacharacters can be placed in raidtype because popen is used without any sanitization.) The credentials from CVE-2022-24990 exploitation can be used.
Ransomware was the second most-observed threat this quarter, accounting for 17 percent of engagements, a slight increase from last quarter’s 10 percent.
This Metasploit module exploits an unauthenticated remote code execution vulnerability in TerraMaster TOS versions 4.2.29 and below by chaining two existing vulnerabilities, CVE-2022-24990 "Leaking sensitive information" and CVE-2022-24989, "Authenticated remote code execution". Exploiting vulnerable endpoint api.php?mobile/webNasIPS leaking sensitive information such as admin password hash and mac address, the attacker can achieve unauthenticated access and use another vulnerable endpoint api.php?mobile/createRaid with POST parameters raidtype and diskstring to execute remote code as root on TerraMaster NAS devices.
Fortra, the company behind Cobalt Strike, shed light on a zero-day remote code execution (RCE) vulnerability in its GoAnywhere MFT tool that has come under active exploitation by ransomware actors to steal sensitive data. The high-severity flaw, tracked as CVE-2023-0669 (CVSS score: 7.2), concerns a case of pre-authenticated command injection that could be abused to achieve code execution. The
Goanywhere Encryption Helper version 7.1.1 suffers from a remote code execution vulnerability.
After several weeks and more than 130 ransomware victims, GoAnywhere parent company Forta issues a statement.
Categories: News Categories: Ransomware Tags: Rubrik Tags: GoAnywhere MFT Tags: Fortra Tags: Clop ransomware Tags: Clop Tags: ransomware Tags: CVE-2023-0669 Tags: zero-day Rubrik, a cloud data management company, has revealed that Clop made use of an infamous GoAnywhere flaw. (Read more...) The post Rubrik is latest victim of the Clop ransomware zero-day campaign appeared first on Malwarebytes Labs.
Categories: Exploits and vulnerabilities Categories: News Categories: Ransomware Tags: Clop Tags: ransomware Tags: GoAnywhere Tags: CVE-2023-0669 The Clop ransomware gang has claimed responsibility for attacking several GoAnywhere MFT customers by exploiting a vulnerability in the managed file transfer software's administrative interface. (Read more...) The post Clop ransomware is victimizing GoAnywhere MFT customers appeared first on Malwarebytes Labs.
App-based multi-factor authentication — which is still free on Twitter — is safer than SMS MFA. So in theory, forcing people to pay for it would make them less likely to use it and switch to the free option.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added three security flaws to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. The list of shortcomings is as follows - CVE-2022-47986 (CVSS score: 9.8) - IBM Aspera Faspex Code Execution Vulnerability CVE-2022-41223 (CVSS score: 6.8) - Mitel MiVoice Connect Code Injection
Categories: News Categories: Ransomware Tags: Clop Tags: Clop ransomware Tags: ransomware Tags: GoAnywhere Tags: managed file transfer Tags: MFT Tags: Fortra Tags: CISA Tags: Known Exploited Vulnerabilities Catalog The Clop ransomware gang has claimed responsibility for a wave of attacks that exploited a zero-day in GoAnywhere MFT admin consoles. (Read more...) The post GoAnywhere zero-day opened door to Clop ransomware appeared first on Malwarebytes Labs.
Weeks after an exploit was first announced in a popular cloud-based file transfer service, could some organizations still be vulnerable? The answer is yes.
Suspected Russian threat actors have been targeting Eastern European users in the crypto industry with fake job opportunities as bait to install information-stealing malware on compromised hosts. The attackers "use several highly obfuscated and under-development custom loaders in order to infect those involved in the cryptocurrency industry with Enigma stealer," Trend Micro researchers Aliakbar
State-backed hackers from North Korea are conducting ransomware attacks against healthcare and critical infrastructure facilities to fund illicit activities, U.S. and South Korean cybersecurity and intelligence agencies warned in a joint advisory. The attacks, which demand cryptocurrency ransoms in exchange for recovering access to encrypted files, are designed to support North Korea's
This Metasploit module exploits an object deserialization vulnerability in Fortra GoAnywhere MFT.
TerraMaster NAS 4.2.29 and earlier allows remote attackers to discover the administrative password by sending "User-Agent: TNAS" to module/api.php?mobile/webNasIPS and then reading the PWD field in the response.
Fortra (formerly, HelpSystems) GoAnywhere MFT suffers from a pre-authentication command injection vulnerability in the License Response Servlet due to deserializing an arbitrary attacker-controlled object.