Phone : +91 95 8290 7788 | Email : sales@itmonteur.net

Register & Request Quote | Submit Support Ticket

Home » Cyber Security News » Vulnerabilities & Exploits » New Ransomware Group Exploiting Veeam Backup Software Vulnerability

New Ransomware Group Exploiting Veeam Backup Software Vulnerability

New Ransomware Group Exploiting Veeam Backup Software Vulnerability

https://firewall.firm.in/wp-content/uploads/2024/07/gib.png

Jul 10, 2024NewsroomData Breach / Malware

Veeam Backup Software Vulnerability

A now-patched security flaw in Veeam Backup & Replication software is being exploited by a nascent ransomware operation known as EstateRansomware.

Singapore-headquartered Group-IB, which discovered the threat actor in early April 2024, said the modus operandi involved the exploitation of CVE-2023-27532 (CVSS score: 7.5) to carry out the malicious activities.

Initial access to the target environment is said to have been facilitated by means of a Fortinet FortiGate firewall SSL VPN appliance using a dormant account.

“The threat actor pivoted laterally from the FortiGate Firewall through the SSL VPN service to access the failover server,” security researcher Yeo Zi Wei said in an analysis published today.

Cybersecurity

“Before the ransomware attack, there were VPN brute-force attempts noted in April 2024 using a dormant account identified as ‘Acc1.’ Several days later, a successful VPN login using ‘Acc1’ was traced back to the remote IP address 149.28.106[.]252.”

Next, the threat actors proceeded to establish RDP connections from the firewall to the failover server, followed by deploying a persistent backdoor named “svchost.exe” that’s executed daily through a scheduled task.

Subsequent access to the network was accomplished using the backdoor to evade detection. The primary responsibility of the backdoor is to connect to a command-and-control (C2) server over HTTP and execute arbitrary commands issued by the attacker.

Group-IB said it observed the actor exploiting Veeam flaw CVE-2023-27532 with an aim to enable xp_cmdshell on the backup server and create a rogue user account named “VeeamBkp,” alongside conducting network discovery, enumeration, and credential harvesting activities using tools like NetScan, AdFind, and NitSoft using the newly created account.

“This exploitation potentially involved an attack originating from the VeeamHax folder on the file server against the vulnerable version of Veeam Backup & Replication software installed on the backup server,” Zi Wei hypothesized.

“This activity facilitated the activation of the xp_cmdshell stored procedure and subsequent creation of the ‘VeeamBkp’ account.”

Ransomware Group

The attack culminated in the deployment of the ransomware, but not before taking steps to impair defenses and moving laterally from the AD server to all other servers and workstations using compromised domain accounts.

“Windows Defender was permanently disabled using DC.exe [Defender Control], followed by ransomware deployment and execution with PsExec.exe,” Group-IB said.

Cybersecurity

The disclosure comes as Cisco Talos revealed that most ransomware gangs prioritize establishing initial access using security flaws in public-facing applications, phishing attachments, or breaching valid accounts, and circumventing defenses in their attack chains.

The double extortion model of exfiltrating data prior to encrypting files has further given rise to custom tools developed by the actors (e.g., Exmatter, Exbyte, and StealBit) to send the confidential information to an adversary-controlled infrastructure.

This necessitates that these e-crime groups establish long-term access to explore the environment in order to understand the network’s structure, locate resources that can support the attack, elevate their privileges, or allow them to blend in, and identify data of value that can be stolen.

“Over the past year, we have witnessed major shifts in the ransomware space with the emergence of multiple new ransomware groups, each exhibiting unique goals, operational structures and victimology,” Talos said.

“The diversification highlights a shift toward more boutique-targeted cybercriminal activities, as groups such as Hunters International, Cactus and Akira carve out specific niches, focusing on distinct operational goals and stylistic choices to differentiate themselves.”

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.


Information Security - InfoSec - Cyber Security - Firewall Providers Company in India

 

 

 

 

 

 

 

 

 

 

 

 

What is Firewall? A Firewall is a network security device that monitors and filters incoming and outgoing network traffic based on an organization's previously established security policies. At its most basic, a firewall is essentially the barrier that sits between a private internal network and the public Internet.

 

Secure your network at the gateway against threats such as intrusions, Viruses, Spyware, Worms, Trojans, Adware, Keyloggers, Malicious Mobile Code (MMC), and other dangerous applications for total protection in a convenient, affordable subscription-based service. Modern threats like web-based malware attacks, targeted attacks, application-layer attacks, and more have had a significantly negative effect on the threat landscape. In fact, more than 80% of all new malware and intrusion attempts are exploiting weaknesses in applications, as opposed to weaknesses in networking components and services. Stateful firewalls with simple packet filtering capabilities were efficient blocking unwanted applications as most applications met the port-protocol expectations. Administrators could promptly prevent an unsafe application from being accessed by users by blocking the associated ports and protocols.

 

Firewall Firm is an IT Monteur Firewall Company provides Managed Firewall Support, Firewall providers , Firewall Security Service Provider, Network Security Services, Firewall Solutions India , New Delhi - India's capital territory , Mumbai - Bombay , Kolkata - Calcutta , Chennai - Madras , Bangaluru - Bangalore , Bhubaneswar, Ahmedabad, Hyderabad, Pune, Surat, Jaipur, Firewall Service Providers in India

Sales Number : +91 95 8290 7788 | Support Number : +91 94 8585 7788
Sales Email : sales@itmonteur.net | Support Email : support@itmonteur.net

Register & Request Quote | Submit Support Ticket