
The United States Cybersecurity and Infrastructure Security Agency (CISA) has added five new security flaws to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild. Three of the five are high-severity flaws in the Veritas Backup Exec Agent software. These flaws (CVE-2021-27876, CVE-2021-27877, and CVE-2021-27878) could lead to the execution of privileged commands on the underlying system. The good news is that Veritas fixed all three in a patch released in March 2021. The bad news is that, according to a report published last week by Google-owned Mandiant, an affiliate of the BlackCat (aka ALPHV and Noberus) ransomware operation is targeting publicly exposed Veritas Backup Exec installations and using these three bugs to gain initial access.

Mandiant tracks this affiliate as UNC4466 and says it first observed exploitation of the flaws in the wild on October 22, 2022. In one incident detailed in the report, UNC4466 gained access to an internet-exposed Windows server, then conducted reconnaissance, escalated privileges, and disabled Microsoft Defender's real-time monitoring before deploying the Rust-based ransomware payload. Because the patch has been available since March 2021, the exposure here is unpatched, internet-reachable installations rather than a new vulnerability.

In addition to the three Veritas Backup Exec Agent flaws, CISA has added CVE-2019-1388 (CVSS score: 7.8) to the KEV catalog. This is a privilege escalation flaw in the Microsoft Windows Certificate Dialog; it does not provide initial access, but an attacker who already has a foothold on a host can exploit it to run processes with elevated permissions.
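As an added example (not from the original article, CISA or Mandiant), the following Python script cross-checks an asset inventory against an excerpt in the shape of CISA's KEV JSON feed, reports every open CVE that appears in the catalog, and ranks internet-exposed assets first, since publicly reachable installations are what the affiliate described above is targeting. Both the inventory and the feed excerpt are constructed for illustration: the field names follow the published feed, the CVE IDs are the four discussed in the article, but the hostnames, exposure flags, dates and the placeholder ID CVE-0000-0000 are assumptions.

```python
"""Cross-check an asset inventory against a CISA KEV catalog excerpt."""
import json
from dataclasses import dataclass
from datetime import date

# Constructed excerpt in the shape of CISA's published KEV feed
# (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
# The CVE IDs are those discussed in the article; the dates are illustrative, not copied
# from the live catalog.
KEV_JSON = """{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "vulnerabilities": [
    {"cveID": "CVE-2021-27876", "vendorProject": "Veritas", "product": "Backup Exec Agent",
     "dateAdded": "2023-04-07", "dueDate": "2023-04-28",
     "requiredAction": "Apply updates per vendor instructions."},
    {"cveID": "CVE-2021-27877", "vendorProject": "Veritas", "product": "Backup Exec Agent",
     "dateAdded": "2023-04-07", "dueDate": "2023-04-28",
     "requiredAction": "Apply updates per vendor instructions."},
    {"cveID": "CVE-2021-27878", "vendorProject": "Veritas", "product": "Backup Exec Agent",
     "dateAdded": "2023-04-07", "dueDate": "2023-04-28",
     "requiredAction": "Apply updates per vendor instructions."},
    {"cveID": "CVE-2019-1388", "vendorProject": "Microsoft", "product": "Windows",
     "dateAdded": "2023-04-07", "dueDate": "2023-04-28",
     "requiredAction": "Apply updates per vendor instructions."}
  ]
}"""

# Constructed asset inventory: hostnames, exposure flags and open CVEs are assumptions.
INVENTORY = [
    {"host": "bkp-01.corp.example", "internet_exposed": True,
     "open_cves": ["CVE-2021-27876", "CVE-2021-27877", "CVE-2021-27878"]},
    {"host": "bkp-02.corp.example", "internet_exposed": False,
     "open_cves": ["CVE-2021-27878"]},
    {"host": "ws-17.corp.example", "internet_exposed": False,
     "open_cves": ["CVE-2019-1388", "CVE-0000-0000"]},  # second ID is a placeholder, not in KEV
    {"host": "web-03.corp.example", "internet_exposed": True, "open_cves": []},
]


@dataclass(frozen=True)
class Finding:
    host: str
    cve: str
    product: str
    due_date: date
    internet_exposed: bool
    days_past_due: int  # negative while CISA's due date is still in the future

    @property
    def priority(self) -> str:
        # Internet-reachable assets first: that is the population being targeted.
        if self.internet_exposed:
            return "P1"
        # Then anything already past CISA's remediation due date.
        if self.days_past_due > 0:
            return "P2"
        return "P3"


def load_kev(raw_json: str) -> dict[str, dict]:
    """Index the catalog by CVE ID so each lookup is a dictionary hit."""
    catalog = json.loads(raw_json)
    return {entry["cveID"]: entry for entry in catalog["vulnerabilities"]}


def cross_check(inventory: list[dict], kev: dict[str, dict], today: date) -> list[Finding]:
    """Return one Finding per (host, CVE) pair whose CVE is in the KEV catalog,
    sorted so the most urgent items come first."""
    findings = []
    for asset in inventory:
        for cve in asset["open_cves"]:
            entry = kev.get(cve)
            if entry is None:
                continue  # tracked CVE, but CISA has no exploitation evidence for it
            due = date.fromisoformat(entry["dueDate"])
            findings.append(Finding(
                host=asset["host"], cve=cve,
                product=f'{entry["vendorProject"]} {entry["product"]}',
                due_date=due, internet_exposed=asset["internet_exposed"],
                days_past_due=(today - due).days,
            ))
    findings.sort(key=lambda f: (f.priority, -f.days_past_due, f.host, f.cve))
    return findings


def report(findings: list[Finding]) -> list[str]:
    """One human-readable line per finding."""
    return [f"{f.priority} {f.host:<22} {f.cve:<15} {f.product} "
            f"(due {f.due_date}, {f.days_past_due:+d} days)" for f in findings]


def example_findings() -> list[Finding]:
    """Run the cross-check on the constructed data as of 2023-05-01."""
    return cross_check(INVENTORY, load_kev(KEV_JSON), date(2023, 5, 1))


if __name__ == "__main__":
    for line in report(example_findings()):
        print(line)
```

Against the constructed data this yields five findings: the three Veritas CVEs on the exposed host bkp-01 ranked P1, then the internal hosts bkp-02 and ws-17 ranked P2 because they are past the due date, while the placeholder CVE on ws-17 and the CVE-free web-03 produce nothing. Swapping KEV_JSON for the live feed and INVENTORY for the output of a vulnerability scanner is the only change needed to run it for real.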