The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added three flaws to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active abuse in the wild. The flaws, CVE-2015-2291, CVE-2022-24990, and CVE-2023-0669, have been linked to North Korean nation-state hackers, a Scattered Spider attack, and a cybercrime group affiliated with a ransomware operation, respectively.
The most severe of the three flaws is CVE-2022-24990, a bug affecting TerraMaster network-attached storage (TNAS) devices that could lead to unauthenticated remote code execution with the highest privileges. The vulnerability was disclosed by Ethiopian cybersecurity research firm Octagon Networks in March 2022 and has since been weaponized by North Korean nation-state hackers to launch ransomware attacks against healthcare and critical infrastructure entities.
CVE-2015-2291 is an unspecified flaw in the Intel Ethernet diagnostics driver for Windows (IQVW32.sys and IQVW64.sys) that could throw an affected device into a denial-of-service state. Its exploitation in the wild was revealed by CrowdStrike last month in a report on a Scattered Spider attack that involved an attempt to plant a malicious version of the vulnerable driver.
The third flaw, CVE-2023-0669, is a remote code injection vulnerability in Fortra's GoAnywhere MFT managed file transfer application. Although patches for the flaw were released recently, its exploitation has already been linked to a cybercrime group affiliated with a ransomware operation: Huntress reported observing an infection chain that led to the deployment of TrueBot, a Windows malware attributed to a threat actor known as Silence. Federal Civilian Executive Branch (FCEB) agencies are required to apply the fixes by March 3, 2023, to secure their networks against active threats. As the saying goes, "prevention is better than cure".