Akira and Fog ransomware now exploit critical Veeam RCE flaw

Ransomware gangs now exploit a critical security vulnerability that lets attackers gain remote code execution (RCE) on vulnerable Veeam Backup & Replication (VBR) servers.

Code White security researcher Florian Hauser found that the security flaw, now tracked as CVE-2024-40711, is caused by a deserialization of untrusted data weakness that unauthenticated threat actors can exploit in low-complexity attacks.

Veeam disclosed the vulnerability and released security updates on September 4, while watchTowr Labs published a technical analysis on September 9. However, watchTowr Labs delayed publishing proof-of-concept exploit code until September 15 to give admins enough time to secure their servers.

The delay was prompted by the widespread use of Veeam's VBR software as a data protection and disaster recovery solution for backing up, restoring, and replicating virtual, physical, and cloud machines.

This makes it a very popular target for malicious actors seeking quick access to a company's backup data.


As Sophos X-Ops incident responders found over the past month, the CVE-2024-40711 RCE flaw was quickly picked up and exploited in Akira and Fog ransomware attacks, in conjunction with previously compromised credentials, to add a "point" local account to the local Administrators and Remote Desktop Users groups.

"In one case, attackers dropped Fog ransomware. Another attack in the same timeframe attempted to deploy Akira ransomware. Indicators in all 4 cases overlap with earlier Akira and Fog ransomware attacks," Sophos X-Ops said.

"In each of the cases, attackers initially accessed targets using compromised VPN gateways without multifactor authentication enabled. Some of these VPNs were running unsupported software versions.

"In the Fog ransomware incident, the attacker deployed it to an unprotected Hyper-V server, then used the utility rclone to exfiltrate data."
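The post-exploitation step Sophos describes above (a new local account added to the local Administrators and Remote Desktop Users groups on the backup server) is straightforward to detect from Windows Security event logs. The following is an added example, not code from the article or from Sophos: it correlates account-creation events (4720) with privileged local-group additions (4732) on the same host within a short window. The JSON field names and the sample events are constructed for this example and do not reflect any particular SIEM schema.

```python
import json
from datetime import datetime, timedelta

# Constructed sample Windows Security events (JSON lines), reduced to the
# fields a log forwarder typically keeps. Event 4720 = user account created,
# 4732 = member added to a security-enabled local group. The field names
# are an assumption for this example, not a specific product's schema.
SAMPLE_EVENTS = """\
{"time": "2024-10-01T02:14:03", "event_id": 4720, "host": "VBR01", "target": "point", "subject": "svc_backup"}
{"time": "2024-10-01T02:14:09", "event_id": 4732, "host": "VBR01", "member": "point", "group": "Administrators", "subject": "svc_backup"}
{"time": "2024-10-01T02:14:11", "event_id": 4732, "host": "VBR01", "member": "point", "group": "Remote Desktop Users", "subject": "svc_backup"}
{"time": "2024-10-01T09:30:00", "event_id": 4720, "host": "FS02", "target": "jdoe", "subject": "helpdesk"}
{"time": "2024-10-03T09:30:00", "event_id": 4732, "host": "FS02", "member": "jdoe", "group": "Remote Desktop Users", "subject": "helpdesk"}
"""

# The two local groups named in the Sophos findings.
PRIVILEGED_GROUPS = {"Administrators", "Remote Desktop Users"}


def parse_events(text):
    """Parse JSON-lines events and return them sorted by timestamp."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for e in events:
        e["time"] = datetime.fromisoformat(e["time"])
    return sorted(events, key=lambda e: e["time"])


def find_new_privileged_accounts(events, window=timedelta(minutes=10)):
    """Return [(host, account, [groups])] for accounts that were created and
    then added to a privileged local group on the same host within `window`.
    A legitimate helpdesk workflow that adds a user days later is not flagged."""
    created = {}  # (host, account) -> creation time
    hits = {}     # (host, account) -> privileged groups joined in-window
    for e in events:
        if e["event_id"] == 4720:
            created[(e["host"], e["target"])] = e["time"]
        elif e["event_id"] == 4732 and e["group"] in PRIVILEGED_GROUPS:
            key = (e["host"], e["member"])
            t0 = created.get(key)
            if t0 is not None and e["time"] - t0 <= window:
                hits.setdefault(key, []).append(e["group"])
    return [(host, acct, groups) for (host, acct), groups in hits.items()]


if __name__ == "__main__":
    for host, account, groups in find_new_privileged_accounts(parse_events(SAMPLE_EVENTS)):
        print(f"ALERT {host}: new local account {account!r} added to {groups}")
```

On the sample data only the VBR01 sequence is reported; the window is the tunable that trades false positives against slower, staged account setup.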

Not the first Veeam flaw targeted in ransomware attacks

Last year, on March 7, 2023, Veeam also patched a high-severity vulnerability in the Backup & Replication software (CVE-2023-27532) that can be exploited to breach backup infrastructure hosts.

Weeks later, in late March, Finnish cybersecurity and privacy company WithSecure observed CVE-2023-27532 exploits deployed in attacks linked to the financially motivated FIN7 threat group, known for its links to the Conti, REvil, Maze, Egregor, and BlackBasta ransomware operations.

Months later, the same Veeam VBR exploit was used in Cuba ransomware attacks against U.S. critical infrastructure and Latin American IT companies.

Veeam says its products are used by over 550,000 customers worldwide, including at least 74% of all Global 2,000 companies.
