Veeam Backup Vulnerability Exploited in Ransomware Attacks
Quick take - A security vulnerability in Veeam Backup & Replication, identified as CVE-2024-40711, has been exploited in ransomware attacks by various groups, allowing unauthorized remote code execution on unpatched servers.
Fast Facts
- A security vulnerability in Veeam Backup & Replication, CVE-2024-40711, allows unauthenticated remote code execution (RCE) and has been exploited in ransomware attacks by groups like Akira, Fog, and Frag.
- Discovered by Florian Hauser from Code White, the flaw is due to deserialization of untrusted data and affects widely used Veeam VBR servers.
- watchTowr Labs published a technical analysis on September 9, 2024, but delayed the proof-of-concept exploit release until September 15 to give administrators time to apply the critical updates Veeam issued on September 4, 2024.
- Attackers exploited the vulnerability alongside stolen VPN credentials to create unauthorized accounts on unpatched servers, leading to ransomware deployments.
- Veeam has a history of vulnerabilities, including CVE-2023-27532, which was linked to attacks by the FIN7 group, highlighting ongoing security risks for its 550,000+ global customers.
Security Vulnerability in Veeam Backup & Replication Exploited in Ransomware Attacks
A security vulnerability in Veeam Backup & Replication (VBR), identified as CVE-2024-40711, has been exploited in several ransomware attacks. These attacks include those carried out by the Akira, Fog, and Frag groups. The vulnerability stems from a deserialization of untrusted data weakness, allowing unauthenticated threat actors to achieve remote code execution (RCE) on Veeam VBR servers.
Discovery and Response
Florian Hauser, a security researcher at Code White, discovered the flaw. On September 9, 2024, watchTowr Labs published a technical analysis of CVE-2024-40711 but delayed the release of a proof-of-concept exploit until September 15, aiming to give administrators time to apply the critical security updates Veeam had issued on September 4. To further limit exploitation, Code White also withheld additional details about the vulnerability.
Impact on Businesses
Veeam VBR software is widely used by businesses for disaster recovery and data protection, which makes it an attractive target for threat actors who want to reach, encrypt, or destroy backup data before deploying ransomware. Sophos X-Ops incident responders noted that the delayed disclosure did not prevent the ransomware attacks conducted by Akira and Fog. Attackers chained the RCE flaw with stolen VPN gateway credentials: the credentials provided initial network access, and the Veeam exploit was then used to create unauthorized accounts on unpatched, Internet-exposed VBR servers.
Additionally, Sophos identified a threat activity cluster known as “STAC 5881,” which utilized CVE-2024-40711 in attacks that led to the deployment of Frag ransomware. Sean Gallagher, a principal threat researcher at Sophos X-Ops, reported that the attackers leveraged a compromised VPN appliance alongside the Veeam vulnerability, enabling them to create new accounts during the Frag ransomware incident.
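The two incidents above share one observable sequence: the backup service spawns a command interpreter, and a new account appears on the same host moments later. The following detection sketch is an added example, not code from the article, Sophos, or Veeam. It assumes simplified JSON-lines telemetry (a Sysmon-style process-creation record and Windows Security events 4720 and 4732), treats Veeam.Backup.Service.exe and Veeam.Backup.Manager.exe as the parent processes of interest, and uses constructed sample records rather than logs from any real incident.

```python
"""Detection sketch for the intrusion pattern described above: a LOLBin spawned
by the Veeam backup service, followed shortly by account creation on the same
host. All records in SAMPLE_EVENTS are constructed for this example."""
import json
from datetime import datetime, timedelta

# Veeam.Backup.Service.exe is the VBR service binary; treating the manager
# process as a parent of interest as well is an assumption for this example.
VEEAM_PARENTS = {"veeam.backup.service.exe", "veeam.backup.manager.exe"}
# Interpreters and admin tools a backup service has no routine reason to spawn.
LOLBINS = {"cmd.exe", "powershell.exe", "net.exe", "net1.exe", "rundll32.exe", "wscript.exe"}
# Windows Security event IDs: 4720 = user account created,
# 4732 = member added to a security-enabled local group.
ACCOUNT_EVENTS = {4720, 4732}
WINDOW = timedelta(minutes=30)

# Constructed sample telemetry (not real logs), one JSON record per line.
SAMPLE_EVENTS = r"""
{"ts": "2024-10-01T02:10:05Z", "host": "VBR01", "type": "process", "parent": "Veeam.Backup.Service.exe", "image": "cmd.exe", "cmdline": "cmd.exe /c net user svc_bkp Str0ngPass! /add"}
{"ts": "2024-10-01T02:10:06Z", "host": "VBR01", "type": "security", "event_id": 4720, "account": "svc_bkp", "subject": "VBR01$"}
{"ts": "2024-10-01T02:10:09Z", "host": "VBR01", "type": "security", "event_id": 4732, "account": "svc_bkp", "group": "Administrators"}
{"ts": "2024-10-01T09:30:00Z", "host": "VBR01", "type": "process", "parent": "explorer.exe", "image": "cmd.exe", "cmdline": "cmd.exe"}
{"ts": "2024-10-01T09:31:00Z", "host": "VBR02", "type": "security", "event_id": 4720, "account": "jdoe", "subject": "it_admin"}
{"ts": "2024-10-01T11:00:00Z", "host": "VBR01", "type": "process", "parent": "Veeam.Backup.Service.exe", "image": "VeeamAgent.exe", "cmdline": "VeeamAgent.exe"}
"""


def parse_events(text):
    """Parse JSON-lines telemetry into dicts with an aware datetime, sorted by time."""
    events = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def suspicious_children(events):
    """Process creations where a Veeam service process launched a LOLBin."""
    return [
        e for e in events
        if e["type"] == "process"
        and e["parent"].lower() in VEEAM_PARENTS
        and e["image"].lower() in LOLBINS
    ]


def correlate(events, window=WINDOW):
    """Pair each account-management event with an earlier suspicious child
    process on the same host inside the correlation window."""
    children = suspicious_children(events)
    alerts = []
    for e in events:
        if e["type"] != "security" or e["event_id"] not in ACCOUNT_EVENTS:
            continue
        for c in children:
            lag = e["ts"] - c["ts"]
            if c["host"] == e["host"] and timedelta(0) <= lag <= window:
                alerts.append({
                    "host": e["host"],
                    "account": e["account"],
                    "event_id": e["event_id"],
                    "trigger": c["cmdline"],
                    "lag_seconds": int(lag.total_seconds()),
                })
                break  # one alert per account event is enough
    return alerts


if __name__ == "__main__":
    for a in correlate(parse_events(SAMPLE_EVENTS)):
        print(f"[{a['host']}] {a['event_id']} on {a['account']} "
              f"{a['lag_seconds']}s after: {a['trigger']}")
```

The standalone account creation on VBR02 produces no alert on its own, and the legitimate cmd.exe under explorer.exe and the VeeamAgent.exe child of the service are ignored; only the interpreter spawned by the backup service followed by account activity on the same host is escalated. In production the parent-process and LOLBin lists would be tuned against a baseline of what the backup service actually launches.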
Historical Context
The Frag ransomware gang has been noted for employing Living Off The Land binaries (LOLBins) in their attacks, utilizing legitimate software already present on compromised systems, complicating detection efforts. Their tactics are similar to those of the Akira and Fog operators, focusing on exploiting unpatched vulnerabilities and misconfigurations in backup and storage solutions.
This situation follows a history of vulnerabilities in Veeam's products. In March 2023, Veeam addressed another high-severity vulnerability, CVE-2023-27532, which likewise allowed attackers to breach backup systems. Exploitation of CVE-2023-27532 was linked to the financially motivated FIN7 threat group and was later used in Cuba ransomware attacks targeting U.S. critical infrastructure organizations.
Veeam reports that over 550,000 customers worldwide use its products, and that approximately 74% of companies on the Global 2000 list rely on its solutions for data protection.