Veeam Backup Software Being Exploited By New Ransomware Group
According to recent reports, a now-patched Veeam vulnerability is being exploited by an emerging threat actor group named EstateRansomware. The flaw is present in Veeam's Backup & Replication software and can lead to severe consequences if exploited. In this article, we'll dive into the vulnerability and focus on how the activity was discovered, the attack chain, and more. Let's begin!
Veeam Vulnerability: Initial Discovery
The Veeam vulnerability is currently being tracked as CVE-2023-27532 and has a critical vulnerability severity score (CVSS) of 7.5. Threat actor movements pertaining to exploitation of the Veeam vulnerability were first discovered by the Singapore-headquartered Group-IB in April 2024.
Security researchers from the organization believe that the threat actors' initial access was facilitated by a Fortinet FortiGate firewall SSL VPN appliance and that a dormant account was used. Yeo Zi Wei, a security researcher, providing further insight, stated:
“The threat actor pivoted laterally from the FortiGate Firewall through the SSL VPN service to access the failover server.”
The threat actor movements identified in April 2024 were VPN brute-force attempts made using a dormant account identified as "Acc1." A successful VPN login using the account was also traced back to a remote IP address days later.
Estate Ransomware Attack Chain
As far as the attack chain is concerned, the threat actors established RDP connections from the firewall to the failover server. This was followed by a persistent backdoor named "svchost.exe," which was executed on a daily basis. The backdoor also facilitated subsequent access and detection evasion.
It's worth mentioning that the primary responsibility of the backdoor was to connect to a command-and-control (C2) server using HTTP. After establishing a connection, it was used to execute arbitrary commands as directed by the attacker. In addition, the threat actor exploiting the Veeam vulnerability aimed to enable xp_cmdshell on the backup server.
This was done to create a rogue account named "VeeamBkp." Other aims of this initiative included conducting network discovery, enumeration, and harvesting credentials. The tools used to acquire credentials include NetScan, AdFind, and NirSoft utilities. These tools were accessed and used via the rogue account.
The ransomware was deployed after the threat actor expanded the attack surface by conducting lateral movement from the AD server. Commenting on the tactics, Group-IB said:
“Windows Defender was permanently disabled using DC.exe [Defender Control], followed by ransomware deployment and execution with PsExec.exe.”
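The chain above gives defenders a few stages that can be correlated per host: xp_cmdshell being switched on followed by a new local account, and Defender being disabled shortly before a PsExec service install. The following is an added example written for this article, not code from Group-IB or the original reports; the event records are constructed and simplified (Windows event IDs 4720, 5001 and 7045 are real, the "SQL" record type and the host names are placeholders).

```python
"""Correlate the stages of the EstateRansomware chain against constructed,
simplified event records. Assumed record shape: host, ts (minutes since the
start of the sample), event_id, detail. Not a parser for any real log format."""
from collections import defaultdict

# Constructed sample records (not real telemetry). Windows event IDs used:
# 4720 = user account created, 5001 = Defender real-time protection disabled,
# 7045 = service installed. "SQL" is a placeholder for a SQL Server audit record.
SAMPLE_EVENTS = [
    {"host": "backup01", "ts": 0,  "event_id": "SQL", "detail": "sp_configure 'xp_cmdshell', 1"},
    {"host": "backup01", "ts": 2,  "event_id": 4720,  "detail": "target=VeeamBkp"},
    {"host": "backup01", "ts": 3,  "event_id": 7045,  "detail": "service=PSEXESVC"},
    {"host": "ad01",     "ts": 40, "event_id": 5001,  "detail": "realtime protection disabled"},
    {"host": "ad01",     "ts": 41, "event_id": 7045,  "detail": "service=PSEXESVC"},
    {"host": "ws07",     "ts": 50, "event_id": 7045,  "detail": "service=Spooler"},
]


def find_chain_indicators(events, window=30):
    """Return a sorted list of (host, finding) pairs.

    Two stages are scored on the same host within `window` minutes:
    xp_cmdshell enabled -> local account created, and Defender disabled ->
    PsExec service (PSEXESVC) installed. A lone PSEXESVC install is not flagged,
    since PsExec is also used legitimately by administrators."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)
    findings = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        for i, e in enumerate(evs):
            later = [x for x in evs[i + 1:] if x["ts"] - e["ts"] <= window]
            if (e["event_id"] == "SQL" and "xp_cmdshell" in e["detail"]
                    and any(x["event_id"] == 4720 for x in later)):
                findings.append((host, "xp_cmdshell enabled then local account created"))
            if (e["event_id"] == 5001
                    and any(x["event_id"] == 7045 and "PSEXESVC" in x["detail"] for x in later)):
                findings.append((host, "Defender disabled then PsExec service installed"))
    return sorted(findings)


if __name__ == "__main__":
    for host, finding in find_chain_indicators(SAMPLE_EVENTS):
        print(f"{host}: {finding}")
```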
Conclusion
Given these insights about the Veeam vulnerability, it can be stated that cybercrime activities are becoming more targeted. Threat actors are using various attack methods to differentiate themselves and are keen on gaining access well before an attack in order to scope out the environment. In light of such circumstances, individual users and organizations must adopt robust cybersecurity protocols to lower risk and improve their security posture.
The sources for this piece include articles in The Hacker News and Security Week.