ALPHV Ransomware Affiliate Targets Vulnerable Backup Installations to Gain Initial Access


An ALPHV/BlackCat ransomware affiliate has been observed gaining initial access to target networks by exploiting three vulnerabilities in Veritas Backup Exec.

The ALPHV ransomware operation first appeared in December 2021 and is believed to be run by former members of the DarkSide and BlackMatter programs, both of which shut down abruptly to avoid law enforcement scrutiny.

Mandiant tracks the ALPHV affiliate as 'UNC4466' and notes that this initial-access method differs from the group's usual approach, which relies on stolen credentials.
Mandiant reports that it first observed in-the-wild exploitation of the Veritas flaws on October 22, 2022. UNC4466 targets the following high-severity vulnerabilities:
  • CVE-2021-27876: Arbitrary file access caused by an error in the SHA authentication scheme, allowing a remote attacker to gain unauthorized access to vulnerable endpoints. (CVSS score: 8.1)
  • CVE-2021-27877: Remote unauthorized access to, and privileged command execution on, the Backup Exec (BE) Agent via the SHA authentication scheme. (CVSS score: 8.2)
  • CVE-2021-27878: Arbitrary command execution caused by an error in the SHA authentication scheme, allowing a remote attacker to gain unauthorized access to vulnerable endpoints. (CVSS score: 8.8)
All three issues affect Veritas Backup Exec. The vendor disclosed them in March 2021 and shipped a fix in version 21.2. Although more than two years have passed, many endpoints remain vulnerable because they have not been updated to
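Because the practical question for defenders is whether any Backup Exec agent is still below the 21.2 fix level, the following is an added example (not code from the article, from Mandiant or from Veritas) that reads a constructed agent inventory and flags hosts running a version older than 21.2 as exposed to the three CVEs above. The host names, the CSV layout and the version strings are made up for illustration; real data would come from an asset database or a scan of the agent's listening port. Versions are compared component by component as integers, so that 21.10 is correctly ranked above 21.2 and an unreadable version is reported for manual follow-up rather than silently treated as patched.

```python
"""Flag Veritas Backup Exec agents still below the 21.2 fix level.

Added example, not code from the article, Mandiant or Veritas. The inventory
below is constructed for illustration; in practice it would come from an
asset database or a scan of the Backup Exec agent's listening port.
"""
import csv
import io
import re
from typing import List, NamedTuple, Optional, Tuple

# Veritas shipped the fix for all three CVEs in Backup Exec 21.2.
FIXED_VERSION: Tuple[int, ...] = (21, 2)
RELATED_CVES = ("CVE-2021-27876", "CVE-2021-27877", "CVE-2021-27878")

# Constructed sample inventory (hypothetical hosts, ports and version strings).
SAMPLE_INVENTORY = """\
host,port,product,version
bkp-agent-01.corp.example,10000,Veritas Backup Exec Remote Agent,21.1.1200.1600
bkp-agent-02.corp.example,10000,Veritas Backup Exec Remote Agent,21.2.1200.1700
bkp-agent-03.corp.example,10000,Veritas Backup Exec Remote Agent,20.0.1188.2130
fileserver-07.corp.example,10000,Veritas Backup Exec Remote Agent,unknown
web-01.corp.example,443,nginx,1.24.0
"""


class Finding(NamedTuple):
    host: str
    version: str
    vulnerable: Optional[bool]  # None when the version could not be parsed
    note: str


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Turn '21.1.1200.1600' into (21, 1, 1200, 1600); None if no leading number."""
    match = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not match:
        return None
    return tuple(int(part) for part in match.group(1).split("."))


def is_below_fix(version: str) -> Optional[bool]:
    """True if the version predates 21.2, False if at or above it, None if unparseable.

    Components are compared numerically, so 21.10 ranks above 21.2 (a plain
    string comparison would get this wrong) and 21.2.0 is not below 21.2.
    """
    parsed = parse_version(version)
    if parsed is None:
        return None
    return parsed < FIXED_VERSION


def assess_inventory(inventory_csv: str) -> List[Finding]:
    """Check every Backup Exec agent record and report its patch status."""
    findings: List[Finding] = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if "backup exec" not in row["product"].lower():
            continue  # not a Backup Exec agent; out of scope for these CVEs
        status = is_below_fix(row["version"])
        if status is None:
            note = "version unreadable; verify the agent build manually"
        elif status:
            note = "below 21.2; exposed to " + ", ".join(RELATED_CVES)
        else:
            note = "at or above 21.2"
        findings.append(Finding(row["host"], row["version"], status, note))
    return findings


def vulnerable_hosts(inventory_csv: str) -> List[str]:
    """Hosts whose agent version is confirmed to be below the fix level."""
    return [f.host for f in assess_inventory(inventory_csv) if f.vulnerable is True]


if __name__ == "__main__":
    for finding in assess_inventory(SAMPLE_INVENTORY):
        print(f"{finding.host:30} {finding.version:16} {finding.note}")
```

Running the script lists each Backup Exec agent with its status; on the constructed inventory the two hosts on 21.1 and 20.0 are flagged, the 21.2 host passes, and the host with an unreadable version is marked for manual verification rather than assumed safe.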

[…]

This article has been indexed from CySecurity News – Latest Information Security and Hacking Incidents
