The US Cybersecurity and Infrastructure Security Agency (CISA) has added a high-risk vulnerability in Array Networks SSL VPN products to its Known Exploited Vulnerabilities (KEV) catalog. The flaw, tracked as CVE-2023-28461, allows remote arbitrary code execution due to missing authentication mechanisms.
Array Networks disclosed and patched the vulnerability in March 2023 with the release of version 9.4.0.484. The vulnerability affects both the AG Series (hardware appliances) and vxAG Series (virtual appliances).
Recent analysis by Trend Micro has revealed that the vulnerability has been exploited by a threat actor group known as Earth Kasha. The group has targeted advanced technology organizations and government agencies in Japan, Taiwan, and India. Earth Kasha chains CVE-2023-28461 with other vulnerabilities, such as Proself's CVE-2023-45727 and Fortinet's FortiOS/FortiProxy CVE-2023-27997, to gain initial access.
After gaining access, Earth Kasha reportedly deploys backdoors including Cobalt Strike, LodeInfo, and NoopDoor to establish persistence and conduct further malicious activities.