URL: https://findsec.org/index.php/blog/356-veeam-vulnerability-exploited-to-spread-ransomware
VEEAM VULNERABILITY EXPLOITED TO SPREAD RANSOMWARE

Mohammad Mehdi Edrisian, Blog

A critical security flaw in Veeam Backup & Replication software has become the
target of cybercriminals, who are exploiting the vulnerability to spread Akira
and Fog ransomware. This vulnerability, tracked as CVE-2024-40711, is rated 9.8
out of 10 on the CVSS scale, indicating its severity. Veeam has since patched
the flaw in version 12.2 of the software, but attackers have already seized the
opportunity to launch ransomware campaigns against unpatched systems.


In this blog post, we will break down what happened, how attackers are
exploiting the vulnerability, and what steps organizations can take to protect
their networks from further attacks.


The Veeam Vulnerability: CVE-2024-40711

CVE-2024-40711 is a critical flaw in Veeam’s Backup & Replication software, a
widely used platform for enterprise backup and disaster recovery. The flaw
allows unauthenticated remote code execution (RCE), making it a prime target for
threat actors, who can use it to take control of vulnerable systems without
authenticating at all.

The issue was discovered by security researcher Florian Hauser of CODE WHITE,
who responsibly disclosed it, leading to a patch by Veeam in September 2024.

However, before organizations had a chance to apply the patch, threat actors
began exploiting this vulnerability to install ransomware, creating havoc across
affected systems.


How Attackers are Exploiting the Veeam Flaw

Cybersecurity firm Sophos has been tracking the attacks and reported that
hackers are using compromised VPN credentials and the CVE-2024-40711
vulnerability to deploy Akira and Fog ransomware.

The attack process follows a specific pattern:

1. Initial Access via VPN: In most cases, attackers first gain access to the
target system using compromised VPN credentials. This is particularly dangerous
in environments where multifactor authentication (MFA) is not enabled, or the
VPN software is outdated and unsupported.

2. Exploitation of Veeam on Port 8000: Once inside the network, attackers target
the Veeam software by sending requests to the URI /trigger on port 8000. This
causes Veeam.Backup.MountService.exe to spawn net.exe, a legitimate Windows
binary, which is then used to create a new local account. The attackers create
an account named “point” and add it to both the local Administrators and Remote
Desktop Users groups, granting themselves administrative privileges.

3. Deployment of Ransomware: In some instances, such as during a Fog ransomware
attack, the malware is dropped directly onto an unprotected Hyper-V server. The
attackers use the rclone utility to exfiltrate sensitive data before deploying
the ransomware. Not all ransomware attempts were successful, however.


Akira and Fog Ransomware: What’s the Damage?

The Akira and Fog ransomware families are both devastating in their own right.
While Akira ransomware has been active for some time, the relatively newer Fog
ransomware has made headlines for targeting Hyper-V environments, particularly
vulnerable backup servers.


Fog Ransomware Attack Tactics:

• Exfiltration via rclone: The attackers use rclone, an open-source cloud
storage tool, to transfer stolen data to a remote server.

• Targeting Backup Infrastructure: The ransomware is deployed directly to Hyper-V
servers, disrupting essential backup operations and holding critical data
hostage.

Both ransomware variants have proven themselves capable of double extortion,
meaning they encrypt data and threaten to leak sensitive information unless the
ransom is paid.


Why Backup Software Is a Prime Target

Backup and disaster recovery applications like Veeam are attractive targets for
ransomware operators because they house a significant amount of sensitive
information and are often central to an organization’s recovery efforts. A
compromised backup system means the organization could be left with no reliable
way to restore data after an attack.

This trend has raised alarms across industries. According to NHS England,
enterprise backup systems are increasingly being targeted by cybercriminals
looking for a high payoff. The active exploitation of CVE-2024-40711 further
underscores the importance of promptly patching vulnerabilities in backup
software.


Related Ransomware Activity

In addition to the exploitation of Veeam, the ransomware landscape has seen
other significant developments:

1. Lynx Ransomware: A successor to INC ransomware, Lynx has been targeting
businesses across multiple sectors, including the retail, financial, and
architecture industries in the U.S. and U.K. The emergence of Lynx appears to
have been driven by the sale of INC’s source code in early 2024.

2. Trinity Ransomware: This rebrand of 2023Lock and Venus ransomware has been
targeting healthcare institutions using double extortion methods, forcing
victims to pay not only for decrypting their data but also to prevent the
release of sensitive information.

3. BabyLockerKZ (MedusaLocker Variant): A financially motivated actor has been
deploying MedusaLocker under the alias BabyLockerKZ, targeting organizations
across the EU and South America. This group is known for using publicly
available tools and living-off-the-land binaries (LoLBins) to escalate
privileges and move laterally within compromised networks.


Recommendations: How to Protect Your Systems

Given the critical nature of the vulnerability and its active exploitation,
organizations using Veeam Backup & Replication must act immediately to protect
their systems.

Here are some critical steps to take:

1. Apply Patches: Upgrade to Veeam Backup & Replication version 12.2 or later,
which addresses CVE-2024-40711. Ensure that your backup and disaster recovery
software is always up to date.

2. Enable Multifactor Authentication (MFA): Protect VPN access by enabling MFA.
Many attacks start by exploiting weak VPN credentials, so adding an extra layer
of security can significantly reduce this risk.

3. Monitor for Unusual Activity: Be vigilant for signs of compromise, such as
unauthorized local account creation, unexpected child processes of Veeam
services, or suspicious network activity directed at Veeam services.

4. Backup Your Backups: Ensure that backups themselves are securely stored and
isolated from the main network. This limits the ability of ransomware to encrypt
backup files during an attack.

5. Educate Employees: Make sure your staff are aware of the risks posed by
phishing and social engineering tactics that are often used to gain an initial
foothold in your network.


Conclusion

The ongoing exploitation of CVE-2024-40711 in Veeam Backup & Replication is a
stark reminder that critical vulnerabilities can be weaponized quickly.
Ransomware groups are evolving, and backup systems are becoming prime targets
due to their importance in disaster recovery.

Organizations using Veeam must act fast to patch their systems, enable robust
security practices like MFA, and continually monitor for suspicious activity.
The stakes are high, and the consequences of inaction can be devastating.

Stay proactive and ensure your systems are fortified against these emerging
threats.

"For further information, please do not hesitate to contact us"
