Cisco has issued a warning regarding active exploitation attempts against two vulnerabilities in the Cisco AnyConnect Secure Mobility Client for Windows that have been known for two years. The vulnerabilities, identified as CVE-2020-3153 (CVSS score: 6.5) and CVE-2020-3433 (CVSS score: 7.8), could allow authenticated local attackers to perform DLL hijacking and to copy arbitrary files to system directories with elevated privileges.
Although Cisco issued a patch for CVE-2020-3153 in February 2020, it wasn't until August 2020 that a fix for CVE-2020-3433 was provided. In an update from October 2022, the Cisco Product Security Incident Response Team confirmed that attempts to exploit this vulnerability had increased. They strongly advise customers to upgrade to a patched software version to mitigate risks associated with these vulnerabilities.
Furthermore, the importance of addressing these flaws has been underscored by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), which has added these vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. The catalog now also includes several flaws in GIGABYTE drivers that show signs of active exploitation. These vulnerabilities, CVE-2018-19320, CVE-2018-19321, CVE-2018-19322, and CVE-2018-19323, were patched in May 2020 and may allow attackers to escalate privileges and run malicious code, granting them full control of affected systems.
This escalation follows a detailed report released by Singapore-based cybersecurity firm Group-IB, which revealed the tactics utilized by a Russian-speaking ransomware group known as OldGremlin. A primary method of gaining initial access involved exploiting the vulnerabilities present in Cisco AnyConnect, while the weaknesses found in GIGABYTE drivers were leveraged to disable security software. Similarly, these vulnerabilities have also been targeted by the BlackByte ransomware group.
When the tactics are categorized within the MITRE ATT&CK framework, these vulnerabilities underscore the importance of defending against the initial access and privilege escalation techniques commonly employed by such adversaries. Business owners should remain vigilant and ensure their software is updated to defend against these emerging threats.