Akira and Fog Ransomware Now Exploit Critical Veeam RCE Flaw
Summary:
Ransomware gangs are actively exploiting a critical vulnerability in Veeam Backup & Replication servers, designated as CVE-2024-40711, which allows attackers to achieve remote code execution. This vulnerability was discovered by Florian Hauser, a security researcher at Code White. The flaw arises from a deserialization of untrusted data issue, making it possible for unauthenticated threat actors to exploit it through low-complexity attacks. Veeam publicly disclosed the vulnerability on September 4, 2024, and released security updates to address the issue. A technical analysis by watchTowr Labs followed on September 9, with a proof-of-concept exploit code being withheld until September 15 to provide administrators ample time to secure their systems. The delay was crucial, as Veeam’s VBR software is widely used for backup, restoration, and replication of virtual, physical, and cloud-based machines, making it an attractive target for cybercriminals aiming to gain access to sensitive backup data.
In a series of incidents investigated by Sophos X-Ops over the past month, attackers exploited the CVE-2024-40711 flaw in Akira and Fog ransomware attacks. The attackers used previously compromised credentials to escalate privileges by adding a "point" local account to the Administrators and Remote Desktop Users groups. In one notable case, Fog ransomware was deployed, and in another, Akira ransomware was attempted. Sophos found that the tactics and indicators from these incidents overlapped with earlier ransomware campaigns carried out by these groups.
The initial access in these attacks was often gained through compromised VPN gateways that lacked multifactor authentication. Some VPN systems were also running outdated software, further increasing vulnerability. In one of the Fog ransomware attacks, the threat actors exploited an unprotected Hyper-V server and utilized the utility rclone to exfiltrate sensitive data before deploying the ransomware.
Security Officer Comments:
This recent Veeam vulnerability exploitation echoes similar incidents from 2023, when Veeam patched another high-severity flaw (CVE-2023-27532) in its VBR software. This vulnerability was exploited by the FIN7 threat group, known for its affiliations with Conti, REvil, Maze, Egregor, and BlackBasta ransomware operations. The CVE-2023-27532 exploit was also later used in Cuba ransomware attacks against critical U.S. infrastructure and IT companies in Latin America. Veeam's products are used by over 550,000 organizations globally, including 74% of Global 2,000 companies, further highlighting the critical importance of promptly addressing these vulnerabilities to protect backup infrastructure from ransomware threats.
Suggested Corrections:
To mitigate the CVE-2024-40711 vulnerability in Veeam Backup & Replication (VBR) servers and reduce the risk of ransomware attacks, organizations should first prioritize applying the latest security updates. Veeam has released a patch addressing this vulnerability, and it is critical that all VBR servers be updated immediately to prevent exploitation. Establishing a regular patching schedule for all systems, especially backup infrastructure, will further help safeguard against future threats. Also, hardening Veeam servers by limiting user privileges and monitoring for suspicious activity is vital. Ensuring that backup systems are only accessible by essential personnel, deploying endpoint detection and response tools, and regularly auditing logs for unusual access patterns or privilege escalations can help detect and prevent attacks before they escalate. By combining these measures, organizations can significantly reduce their vulnerability to ransomware groups targeting VBR servers.
Link(s):
https://www.bleepingcomputer.com/ne...mware-now-exploiting-critical-veeam-rce-flaw/
https://infosec.exchange/@SophosXOps/113284564225476186
https://www.veeam.com/kb4649
https://labs.watchtowr.com/veeam-ba...uth-but-mostly-without-auth-cve-2024-40711-2/
Ransomware gangs are actively exploiting a critical vulnerability in Veeam Backup & Replication servers, designated as CVE-2024-40711, which allows attackers to achieve remote code execution. This vulnerability was discovered by Florian Hauser, a security researcher at Code White. The flaw arises from a deserialization of untrusted data issue, making it possible for unauthenticated threat actors to exploit it through low-complexity attacks. Veeam publicly disclosed the vulnerability on September 4, 2024, and released security updates to address the issue. A technical analysis by watchTowr Labs followed on September 9, with a proof-of-concept exploit code being withheld until September 15 to provide administrators ample time to secure their systems. The delay was crucial, as Veeam’s VBR software is widely used for backup, restoration, and replication of virtual, physical, and cloud-based machines, making it an attractive target for cybercriminals aiming to gain access to sensitive backup data.
In a series of incidents investigated by Sophos X-Ops over the past month, attackers exploited the CVE-2024-40711 flaw in Akira and Fog ransomware attacks. The attackers used previously compromised credentials to escalate privileges by adding a "point" local account to the Administrators and Remote Desktop Users groups. In one notable case, Fog ransomware was deployed, and in another, Akira ransomware was attempted. Sophos found that the tactics and indicators from these incidents overlapped with earlier ransomware campaigns carried out by these groups.
The initial access in these attacks was often gained through compromised VPN gateways that lacked multifactor authentication. Some VPN systems were also running outdated software, further increasing vulnerability. In one of the Fog ransomware attacks, the threat actors exploited an unprotected Hyper-V server and utilized the utility rclone to exfiltrate sensitive data before deploying the ransomware.
Security Officer Comments:
This recent Veeam vulnerability exploitation echoes similar incidents from 2023, when Veeam patched another high-severity flaw (CVE-2023-27532) in its VBR software. This vulnerability was exploited by the FIN7 threat group, known for its affiliations with Conti, REvil, Maze, Egregor, and BlackBasta ransomware operations. The CVE-2023-27532 exploit was also later used in Cuba ransomware attacks against critical U.S. infrastructure and IT companies in Latin America. Veeam's products are used by over 550,000 organizations globally, including 74% of Global 2,000 companies, further highlighting the critical importance of promptly addressing these vulnerabilities to protect backup infrastructure from ransomware threats.
Suggested Corrections:
To mitigate the CVE-2024-40711 vulnerability in Veeam Backup & Replication (VBR) servers and reduce the risk of ransomware attacks, organizations should first prioritize applying the latest security updates. Veeam has released a patch addressing this vulnerability, and it is critical that all VBR servers be updated immediately to prevent exploitation. Establishing a regular patching schedule for all systems, especially backup infrastructure, will further help safeguard against future threats. Also, hardening Veeam servers by limiting user privileges and monitoring for suspicious activity is vital. Ensuring that backup systems are only accessible by essential personnel, deploying endpoint detection and response tools, and regularly auditing logs for unusual access patterns or privilege escalations can help detect and prevent attacks before they escalate. By combining these measures, organizations can significantly reduce their vulnerability to ransomware groups targeting VBR servers.
Link(s):
https://www.bleepingcomputer.com/ne...mware-now-exploiting-critical-veeam-rce-flaw/
https://infosec.exchange/@SophosXOps/113284564225476186
https://www.veeam.com/kb4649
https://labs.watchtowr.com/veeam-ba...uth-but-mostly-without-auth-cve-2024-40711-2/