Cisco has warned of active exploitation attempts targeting a
pair of two-year-old security flaws in the Cisco AnyConnect Secure
Mobility Client for Windows.
Tracked as CVE-2020-3153[1] (CVSS score: 6.5) and CVE-2020-3433[2]
(CVSS score: 7.8), both are local privilege-escalation flaws: a local,
authenticated attacker can copy arbitrary files to system directories
(CVE-2020-3153) or perform DLL hijacking (CVE-2020-3433) and thereby
run code with elevated privileges. Neither is exploitable remotely on
its own; the attacker must already have a foothold on the Windows host.
Cisco fixed CVE-2020-3153 in February 2020 and CVE-2020-3433 in August
2020.
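A check a Windows administrator would run in response, as an added example that is not from the article or from Cisco: it reads the installed AnyConnect version from the Uninstall registry keys and compares it with a first-fixed release that the caller supplies from the Cisco advisories. The article does not list fixed versions, so that value, and the product display-name substring used to locate the entry, are assumptions.

```powershell
# Added example (not from the article or Cisco): report whether the
# installed Cisco AnyConnect Secure Mobility Client for Windows is older
# than a given fixed release. The minimum fixed version is an ASSUMPTION
# that the caller supplies from the Cisco advisories for CVE-2020-3153
# and CVE-2020-3433; the article itself does not state it.
function Test-AnyConnectVersion {
    [CmdletBinding()]
    param(
        # First fixed release, taken from the advisory's fixed-software table.
        [Parameter(Mandatory)]
        [version]$MinimumFixedVersion,

        # DisplayName substring used to find the product (assumed name).
        [string]$ProductMatch = 'Cisco AnyConnect Secure Mobility Client'
    )

    # The entry may live in the native or the WOW6432Node Uninstall hive.
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )

    $entries = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like "*$ProductMatch*" -and $_.DisplayVersion }

    if (-not $entries) {
        return [pscustomobject]@{
            Installed  = $false
            Version    = $null
            Vulnerable = $null
            Note       = 'AnyConnect not found in the Uninstall keys'
        }
    }

    foreach ($e in $entries) {
        # AnyConnect reports versions like "4.x.yyyyy"; [version] compares
        # each numeric component, so leading zeros in the build part are fine.
        $installed = $null
        if (-not [version]::TryParse($e.DisplayVersion, [ref]$installed)) {
            [pscustomobject]@{
                Installed  = $true
                Version    = $e.DisplayVersion
                Vulnerable = $null
                Note       = 'DisplayVersion could not be parsed; check manually'
            }
            continue
        }

        $older = $installed -lt $MinimumFixedVersion
        [pscustomobject]@{
            Installed  = $true
            Version    = $installed.ToString()
            Vulnerable = $older
            Note       = if ($older) {
                "Older than first fixed release $MinimumFixedVersion; upgrade"
            } else {
                'At or above the supplied fixed release'
            }
        }
    }
}

# Usage (the version string is a placeholder; take the real value from the
# Cisco advisory for the CVE you are checking):
# Test-AnyConnectVersion -MinimumFixedVersion '<first fixed release>'
```

Run it as an administrator on each endpoint, or wrap it in a remoting job, and treat any object with `Vulnerable -eq $true` or an unparsed version as a host still to be upgraded. Because both CVEs need local access, the check is worth pairing with a review of which users hold interactive logon rights on hosts where the client is installed.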
“In October 2022, the Cisco Product Security Incident Response
Team became aware of additional attempted exploitation of this
vulnerability in the wild,” the networking equipment maker said in
an updated advisory.
“Cisco continues to strongly recommend that customers upgrade to
a fixed software release to remediate this vulnerability.”
The alert comes as the U.S. Cybersecurity and Infrastructure
Security Agency (CISA) moved to add the two flaws to its Known
Exploited Vulnerabilities (KEV[3]) catalog, alongside four
bugs in GIGABYTE drivers, citing evidence of active abuse in the
wild.
The vulnerabilities — assigned the identifiers CVE-2018-19320, CVE-2018-19321,
CVE-2018-19322, and CVE-2018-19323[4], and patched in May 2020
— could permit an attacker to escalate privileges and run
malicious code to take complete control of an affected system.
The development also follows a comprehensive report released by
Singapore-based Group-IB last week detailing the tactics of a
Russian-speaking ransomware group dubbed OldGremlin[5] in its attacks
on entities operating in Russia.
Once inside a network, the group escalates privileges by exploiting
the Cisco AnyConnect flaws above (both require local authenticated
access, so they are a post-compromise step rather than an
initial-access vector) and uses the GIGABYTE driver weaknesses to
disarm security software, a bring-your-own-vulnerable-driver technique
that the BlackByte[6] ransomware group has also put to use.
References
[1] CVE-2020-3153 (tools.cisco.com)
[2] CVE-2020-3433 (tools.cisco.com)
[3] KEV (www.cisa.gov)
[4] CVE-2018-19320, CVE-2018-19321, CVE-2018-19322, and CVE-2018-19323 (www.gigabyte.com)
[5] OldGremlin (thehackernews.com)
[6] BlackByte (thehackernews.com)
Read more https://thehackernews.com/2022/10/hackers-actively-exploiting-cisco.html