Active Exploitation of Vulnerabilities in Cacti, Realtek, and IBM Aspera Faspex

Cyber Threat Actors Exploit Critical Vulnerabilities in Cacti, Realtek, and IBM Aspera Faspex

Recent cyberattacks have targeted critical security vulnerabilities in multiple systems, notably Cacti, Realtek, and IBM Aspera Faspex, with several threat actors actively exploiting unpatched installations. This surge in activity highlights the pressing need for organizations to prioritize timely updates and vulnerability management.

The primary vulnerabilities in question are CVE-2022-46169 and CVE-2021-35394, both carrying a CVSS score of 9.8, which are being used to deploy malware variants such as MooBot and ShellBot. According to a recent report from Fortinet FortiGuard Labs, these vulnerabilities have facilitated attacks against systems running Cacti and Realtek components. Specifically, CVE-2022-46169 is a critical authentication bypass and command injection flaw in Cacti that lets unauthenticated users execute arbitrary code. CVE-2021-35394 is an arbitrary command injection vulnerability in the Realtek Jungle SDK, which was patched in 2021 but continues to be exploited.

Traditionally, vulnerabilities like CVE-2021-35394 have been leveraged by botnets such as Mirai and Gafgyt. The recent developments, however, mark the first instance of this vulnerability being exploited to deploy MooBot, a Mirai variant active since 2019. Notably, the Cacti vulnerability has also been used to distribute ShellBot payloads since its public disclosure in early 2023, showing that a single flaw is being used to deliver more than one malware family.

At least three distinct versions of ShellBot have been identified: PowerBots (C) GohacK, LiGhT’s Modded PerlBot v2, and B0tchZ 0.2a. Some of these versions, such as PowerBots and B0tchZ, have backdoor capabilities that allow file uploads and downloads as well as the launching of reverse shells. The consequence is that compromised systems can be directed by a central command-and-control server to take part in distributed denial-of-service (DDoS) attacks. Researcher Cara Lin from Fortinet emphasizes the importance of strong passwords and regular updates to mitigate these risks.

In addition to the vulnerabilities in Cacti and Realtek, CVE-2022-47986 has emerged as a critical concern for IBM’s Aspera Faspex file exchange application. This YAML deserialization flaw, also rated CVSS 9.8, has been identified as a vector for ransomware attacks. Patched in December 2022, it has been exploited by threat actors linked to ransomware gangs such as Buhti and IceFire, particularly after a proof-of-concept exploit was published.
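The flaw class named above for Faspex is YAML deserialization. The following Ruby example is added here and is not code from the article, IBM, or the Faspex product: a constructed YAML document carrying a class tag is turned into a live object by the unsafe loader, while `safe_load` rejects it. The `AuditRecord` class and both documents are constructed for illustration, and the example assumes Ruby's Psych YAML library.

```ruby
require 'yaml'

# Constructed stand-in for any application class reachable on the load path.
class AuditRecord
  attr_accessor :actor, :action
end

# Constructed untrusted input: a YAML document that names a Ruby class via a tag.
TAGGED_DOC = <<~YAML
  --- !ruby/object:AuditRecord
  actor: attacker
  action: tampered
YAML

# Constructed benign input: plain scalars only, the shape a file-exchange API expects.
PLAIN_DOC = <<~YAML
  actor: alice
  action: login
YAML

# Unsafe deserialization: the parser instantiates whatever class the tag names.
# Psych 4 (Ruby 3.1+) moved this behaviour to unsafe_load; older Psych has it in load.
def unsafe_parse(doc)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(doc) : YAML.load(doc)
end

# Hardened: only plain scalars, arrays and hashes are permitted; tagged objects
# raise Psych::DisallowedClass, which is reported instead of being instantiated.
def safe_parse(doc)
  YAML.safe_load(doc, permitted_classes: [], aliases: false)
rescue Psych::DisallowedClass => e
  { 'error' => e.message }
end

if $PROGRAM_NAME == __FILE__
  puts "unsafe: #{unsafe_parse(TAGGED_DOC).class}"   # AuditRecord
  puts "safe:   #{safe_parse(TAGGED_DOC).inspect}"   # {"error"=>"Tried to load unspecified class: AuditRecord"}
  puts "plain:  #{safe_parse(PLAIN_DOC).inspect}"    # {"actor"=>"alice", "action"=>"login"}
end
```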

Numerous businesses could be at risk from this flaw, and cybersecurity firm Rapid7 has already reported incidents involving compromised systems. Rapid7 advises organizations that cannot patch immediately to take the affected service offline to avert further risk. The speed with which these flaws were exploited once details became public is especially concerning for services of this kind, which are commonly internet-facing.

As these incidents unfold, organizations should recognize that tactics such as initial access, exploitation of vulnerabilities, and lateral movement, as described in the MITRE ATT&CK framework, are central to the strategies employed by these threat actors. By addressing and mitigating these vulnerabilities, businesses can strengthen their resilience against the growing threats posed by cybercriminals.
