Hackers are actively exploiting vulnerabilities in Cisco AnyConnect and GIGABYTE drivers
Cisco has warned of active exploit attempts targeting a pair of two-year-old security vulnerabilities in Cisco AnyConnect Secure Mobility Client for Windows.
Tracked as CVE-2020-3153 (CVSS score: 6.5) and CVE-2020-3433 (CVSS score: 7.8), the vulnerabilities could allow authenticated local attackers to perform DLL hijacking and copy arbitrary files into system directories with elevated privileges.
While CVE-2020-3153 was patched by Cisco in February 2020, a patch for CVE-2020-3433 was released in August 2020.
“In October 2022, the Cisco Product Security Incident Response Team became aware of another attempt to exploit this vulnerability in the wild,” the networking equipment maker said in an update.
“Cisco continues to strongly recommend that customers upgrade to a fixed software release to address this vulnerability.”
The alert comes as the US Cybersecurity and Infrastructure Security Agency (CISA) decided to add the two flaws to its known exploited vulnerabilities (KEV) catalog, alongside four bugs in GIGABYTE drivers, citing evidence of active abuse in the wild.
The vulnerabilities, assigned the identifiers CVE-2018-19320, CVE-2018-19321, CVE-2018-19322 and CVE-2018-19323 and patched in May 2020, could allow an attacker to elevate their privileges and execute malicious code to take full control of an affected system.
The development also follows a comprehensive report released last week by Singapore-based Group-IB detailing the tactics adopted by a Russian-speaking ransomware group dubbed OldGremlin in its attacks on entities operating in Russia.
Chief among its methods of gaining initial access is exploiting the aforementioned Cisco AnyConnect flaws, while the GIGABYTE driver weaknesses are used to disable security software, a technique the BlackByte ransomware group has also employed.