Important Veeam RCE bug now utilized in Frag ransomware assaults

After being utilized in Akira and Fog ransomware assaults, a vital Veeam Backup & Replication (VBR) safety flaw was additionally not too long ago exploited to deploy Frag ransomware.

Code White safety researcher Florian Hauser discovered that the vulnerability (tracked as CVE-2024-40711) is attributable to a deserialization of untrusted knowledge weak point that unauthenticated risk actors can exploit to achieve distant code execution (RCE) on Veeam VBR servers.

watchTowr Labs, which printed a technical evaluation on CVE-2024-40711 on September 9, delayed releasing a proof-of-concept exploit till September 15 to present admins sufficient time to use safety updates issued by Veeam on September 4.

Code White additionally delayed sharing extra particulars when it disclosed the flaw as a result of it “might instantly be abused by ransomware gangs.”

These delays have been prompted by Veeam’s VBR software program being a preferred goal for risk actors looking for fast entry to an organization’s backup knowledge since many companies use it as a catastrophe restoration and knowledge safety answer to again up, restore, and replicate digital, bodily, and cloud machines.

Nonetheless, Sophos X-Ops incident responders discovered that this did little or no to delay Akira and Fog ransomware assaults. The risk actors exploited the RCE flaw along with stolen VPN gateway credentials so as to add rogue accounts to the native Directors and Distant Desktop Customers teams on unpatched and Web-exposed servers.

Extra not too long ago, Sophos additionally found that the identical risk exercise cluster (tracked as “STAC 5881”) used CVE-2024-40711 exploits in assaults that led to Frag ransomware being deployed on compromised networks.

Frag ransom note
Frag ransom be aware (Sophos)

​”In a recent case MDR analysts once again observed the tactics associated with STAC 5881 – but this time observed the deployment of a previously-undocumented ransomware called ‘Frag,'” mentioned Sean Gallagher, a principal risk researcher at Sophos X-Ops.

“Similar to the previous events, the threat actor used a compromised VPN appliance for access, leveraged the VEEAM vulnerability, and created a new account named ‘point’. However in this incident a ‘point2’ account was also created.”

In a latest report, British cybersecurity firm Agger Labs mentioned that the not too long ago surfaced Frag ransomware gang extensively makes use of Residing Off The Land binaries (LOLBins) of their assaults—official software program already obtainable on compromised programs—making it difficult for defenders to detect their exercise.

Additionally they have an analogous playbook to Akira and Fog operators, as they’re going to seemingly goal unpatched vulnerabilities and misconfigurations in backup and storage options throughout their assaults.

In March 2023, Veeam patched one other high-severity VBR vulnerability (CVE-2023-27532) that may let malicious actors breach backup infrastructure. Months later, a CVE-2023-27532 exploit (utilized in assaults linked to the financially motivated FIN7 risk group) was deployed in Cuba ransomware assaults concentrating on U.S. vital infrastructure organizations.

Veeam says over 550,000 clients worldwide use its merchandise, together with roughly 74% of all firms within the World 2,000 record.

Recent articles