Cyber Threat Alert: Protect Your Devices Against Exploited Fortra MFT, TerraMaster NAS, and Intel Driver Vulnerabilities


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently added three vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, following reports of active abuse in the wild. The first is CVE-2022-24990, which affects TerraMaster network-attached storage (TNAS) devices and can lead to unauthenticated remote code execution with the highest privileges. The vulnerability was first disclosed by Ethiopian cybersecurity research firm Octagon Networks in March 2022. According to a joint advisory by U.S. and South Korean government authorities, the bug has been weaponized by North Korean nation-state hackers to launch ransomware attacks against healthcare and critical infrastructure entities.

The second vulnerability added to the KEV catalog is CVE-2015-2291, an undisclosed flaw in the Intel Ethernet diagnostics driver for Windows (IQVW32.sys and IQVW64.sys) that could throw an affected device into a denial-of-service state. Its exploitation was revealed last month by cybersecurity firm CrowdStrike, which detailed a Scattered Spider attack whose goal was to plant a malicious version of the vulnerable driver in order to bypass endpoint security software. This development highlights the growing adoption of the technique by multiple threat actors, including BlackByte, Earth Longzhi, Lazarus Group, and OldGremlin, to power their intrusions with elevated privileges.

The third vulnerability added to the KEV catalog is a remote code injection flaw in Fortra's GoAnywhere MFT managed file transfer application (CVE-2023-0669). Despite patches having been released for the flaw, exploitation has been linked to a cybercrime group affiliated with a ransomware operation. The security blog Huntress analyzed the infection chain and observed the deployment of TrueBot, a Windows malware attributed to a threat actor known as Silence. Silence shares connections with Evil Corp, a Russian e-crime crew that exhibits tactical overlaps with another financially motivated group, TA505. Because TA505 has facilitated the deployment of Clop ransomware in the past, these attacks are suspected to be a precursor to deploying file-locking malware on targeted systems.

The security blog Bleeping Computer reported that the Clop ransomware crew reached out to the publication and claimed to have exploited the flaw to steal data stored in the compromised servers from over 130 companies. Federal Civilian Executive Branch (FCEB) agencies are required to apply the fixes by March 3, 2023, to secure their networks against active threats.
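The KEV due date is only useful once it is mapped onto what you actually run. As an added example (not code from the original post or from CISA), the script below reads entries in the layout of CISA's published KEV JSON feed, matches them against a hypothetical software inventory, and reports how many days remain before each due date; the KEV entries are constructed from the three CVEs named above, and the inventory is an assumed one.

```python
"""Cross-check a software inventory against CISA KEV entries (added example)."""
import json
from datetime import date

# Constructed sample in the shape of the KEV feed ("vulnerabilities" list of
# objects with cveID / vendorProject / product / dueDate); only the fields used
# here are included, and the product strings are assumptions, not CISA's.
KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2022-24990", "vendorProject": "TerraMaster",
     "product": "TNAS", "dueDate": "2023-03-03"},
    {"cveID": "CVE-2015-2291", "vendorProject": "Intel",
     "product": "Ethernet Diagnostics Driver for Windows", "dueDate": "2023-03-03"},
    {"cveID": "CVE-2023-0669", "vendorProject": "Fortra",
     "product": "GoAnywhere MFT", "dueDate": "2023-03-03"},
]})

# Hypothetical inventory: (vendor, product, asset name) as recorded in the fleet.
INVENTORY = [
    ("Fortra", "GoAnywhere MFT", "mft-gw-01"),
    ("Intel", "Ethernet Diagnostics Driver for Windows", "ws-1042"),
    ("Apache", "HTTP Server", "web-03"),   # not in KEV sample, must not match
]


def load_kev(feed_json):
    """Return the list of KEV entries from feed text in CISA's JSON layout."""
    return json.loads(feed_json)["vulnerabilities"]


def match_inventory(entries, inventory, today_iso):
    """Return (cveID, asset, days_left) for each inventory item whose vendor
    matches a KEV entry and whose product name appears in the entry's product.
    days_left is negative once the due date has passed. Sorted most urgent first."""
    today = date.fromisoformat(today_iso)
    hits = []
    for entry in entries:
        due = date.fromisoformat(entry["dueDate"])
        for vendor, product, asset in inventory:
            if (vendor.lower() == entry["vendorProject"].lower()
                    and product.lower() in entry["product"].lower()):
                hits.append((entry["cveID"], asset, (due - today).days))
    return sorted(hits, key=lambda h: h[2])


if __name__ == "__main__":
    for cve, asset, days in match_inventory(load_kev(KEV_SAMPLE), INVENTORY, "2023-02-20"):
        state = f"{days} days left" if days >= 0 else f"OVERDUE by {-days} days"
        print(f"{cve}\t{asset}\t{state}")
```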

In conclusion, the recent addition of three vulnerabilities to the KEV catalog highlights the ongoing threat from nation-state hackers and cybercrime groups. The TerraMaster TNAS bug and the remote code injection in Fortra's GoAnywhere MFT application both have the potential to cause significant damage to healthcare and critical infrastructure entities. The Intel Ethernet diagnostics driver flaw highlights the increasing use of tactics like Bring Your Own Vulnerable Driver (BYOVD) to bypass endpoint security software. FCEB agencies must take the necessary steps to apply the fixes and secure their networks against these active threats.
