Monday, March 31, 2025

Critical Veeam RCE bug now used in Frag ransomware attacks

After being used in Akira and Fog ransomware attacks, a critical Veeam Backup & Replication (VBR) security flaw was also recently exploited to deploy Frag ransomware.

Code White security researcher Florian Hauser found that the vulnerability (tracked as CVE-2024-40711) is caused by a deserialization of untrusted data weakness that unauthenticated threat actors can exploit to gain remote code execution (RCE) on Veeam VBR servers.

watchTowr Labs, which published a technical analysis of CVE-2024-40711 on September 9, delayed releasing a proof-of-concept exploit until September 15 to give admins enough time to apply the security updates Veeam issued on September 4.

Code White also held back additional details when it disclosed the flaw because it "might instantly be abused by ransomware gangs."

These delays were prompted by the fact that Veeam's VBR software is a popular target for threat actors seeking quick access to a company's backup data, since many businesses use it as a disaster recovery and data protection solution to back up, restore, and replicate virtual, physical, and cloud machines.

However, Sophos X-Ops incident responders found that this did little to delay Akira and Fog ransomware attacks. The threat actors exploited the RCE flaw together with stolen VPN gateway credentials to add rogue accounts to the local Administrators and Remote Desktop Users groups on unpatched, Internet-exposed servers.

More recently, Sophos also discovered that the same threat activity cluster (tracked as "STAC 5881") used CVE-2024-40711 exploits in attacks that led to Frag ransomware being deployed on compromised networks.

Frag ransom note (Sophos)

"In a recent case MDR analysts once again observed the tactics associated with STAC 5881 – but this time observed the deployment of a previously-undocumented ransomware called 'Frag,'" said Sean Gallagher, a principal threat researcher at Sophos X-Ops.

"Like the prior events, the threat actor used a compromised VPN appliance for access, leveraged the VEEAM vulnerability, and created a new account named 'point'. However in this incident a 'point2' account was also created."
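The post-exploitation step described above (a freshly created local account dropped into the Administrators and Remote Desktop Users groups) leaves a tight pair of Windows Security events: 4720 (user account created) followed within seconds by 4732 (member added to a security-enabled local group). The script below is an added detection example written for this page; it is not code from Sophos, Veeam or the original article. The event records it processes are constructed to resemble fields exported from the Security log (host name, account names, SIDs and timestamps are made up); only the event IDs, field names and the well-known group SIDs S-1-5-32-544 and S-1-5-32-555 are real.

```python
"""Correlate Windows Security events 4720 and 4732 to flag a new local
account that is promoted into Administrators or Remote Desktop Users
shortly after it is created.

Added example for this article, not code from Sophos, Veeam or the
original reporting. All sample records below are constructed.
"""
from datetime import datetime, timedelta

# Well-known SIDs of the two local groups named in the Sophos findings.
WATCHED_GROUPS = {
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-555": "Remote Desktop Users",
}

# Constructed sample records, shaped like fields exported from the Windows
# Security log (e.g. via Get-WinEvent or a SIEM). Host, SIDs, account names
# and timestamps are made up; event IDs and field names are real.
SAMPLE_EVENTS = [
    # Rogue pattern: account created, then placed into both watched groups
    # within seconds, by a non-interactive service identity.
    {"EventID": 4720, "TimeCreated": "2024-10-02T03:14:07", "Computer": "VBR01",
     "SubjectUserName": "svc_veeam", "TargetUserName": "point",
     "TargetSid": "S-1-5-21-1111111111-2222222222-3333333333-1105"},
    {"EventID": 4732, "TimeCreated": "2024-10-02T03:14:09", "Computer": "VBR01",
     "SubjectUserName": "svc_veeam",
     "MemberSid": "S-1-5-21-1111111111-2222222222-3333333333-1105",
     "TargetSid": "S-1-5-32-544", "TargetUserName": "Administrators"},
    {"EventID": 4732, "TimeCreated": "2024-10-02T03:14:10", "Computer": "VBR01",
     "SubjectUserName": "svc_veeam",
     "MemberSid": "S-1-5-21-1111111111-2222222222-3333333333-1105",
     "TargetSid": "S-1-5-32-555", "TargetUserName": "Remote Desktop Users"},
    # Benign: an account created weeks earlier is added to the RDP group.
    {"EventID": 4720, "TimeCreated": "2024-09-12T09:00:00", "Computer": "VBR01",
     "SubjectUserName": "helpdesk1", "TargetUserName": "jsmith",
     "TargetSid": "S-1-5-21-1111111111-2222222222-3333333333-1090"},
    {"EventID": 4732, "TimeCreated": "2024-10-01T11:22:00", "Computer": "VBR01",
     "SubjectUserName": "helpdesk1",
     "MemberSid": "S-1-5-21-1111111111-2222222222-3333333333-1090",
     "TargetSid": "S-1-5-32-555", "TargetUserName": "Remote Desktop Users"},
    # Benign for this rule: the new account goes into a group we do not watch.
    {"EventID": 4732, "TimeCreated": "2024-10-02T03:14:11", "Computer": "VBR01",
     "SubjectUserName": "svc_veeam",
     "MemberSid": "S-1-5-21-1111111111-2222222222-3333333333-1105",
     "TargetSid": "S-1-5-32-551", "TargetUserName": "Backup Operators"},
]


def _ts(value):
    return datetime.fromisoformat(value)


def find_rogue_local_accounts(events, window=timedelta(hours=1)):
    """Return one alert per 4732 that puts an account created (4720) within
    `window` into Administrators or Remote Desktop Users on the same host.

    Correlation is on the account SID, not the name: in real 4732 events
    for local accounts MemberName is often "-" and only MemberSid is set.
    """
    # (host, account SID) -> (creator, account name, creation time)
    created = {}
    for ev in events:
        if ev["EventID"] == 4720:
            key = (ev["Computer"].lower(), ev["TargetSid"])
            created[key] = (ev["SubjectUserName"], ev["TargetUserName"],
                            _ts(ev["TimeCreated"]))

    alerts = []
    for ev in events:
        if ev["EventID"] != 4732 or ev["TargetSid"] not in WATCHED_GROUPS:
            continue
        key = (ev["Computer"].lower(), ev["MemberSid"])
        if key not in created:
            continue  # pre-existing account; outside this rule's scope
        creator, account, created_at = created[key]
        delta = _ts(ev["TimeCreated"]) - created_at
        if timedelta(0) <= delta <= window:
            alerts.append({
                "host": ev["Computer"],
                "account": account,
                "group": WATCHED_GROUPS[ev["TargetSid"]],
                "created_by": creator,
                "added_by": ev["SubjectUserName"],
                "seconds_after_creation": int(delta.total_seconds()),
            })
    return alerts


if __name__ == "__main__":
    for a in find_rogue_local_accounts(SAMPLE_EVENTS):
        print(f"{a['host']}: new account '{a['account']}' added to {a['group']} "
              f"{a['seconds_after_creation']}s after creation by {a['added_by']}")
```

Run as-is, the rule fires twice for the constructed 'point' account and stays silent for the helpdesk change made weeks after account creation. On a real VBR host, feed it 4720/4732 events from the Security log and pair the result with the subject identity: a backup service account creating local users is itself worth a closer look.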

In a recent report, British cybersecurity company Agger Labs said that the recently surfaced Frag ransomware gang extensively uses Living Off The Land binaries (LOLBins), legitimate software already present on compromised systems, in their attacks, making it challenging for defenders to detect their activity.

They also follow a playbook similar to that of the Akira and Fog operators, as they will likely target unpatched vulnerabilities and misconfigurations in backup and storage solutions during their attacks.

In March 2023, Veeam patched another high-severity VBR vulnerability (CVE-2023-27532) that can let malicious actors breach backup infrastructure. Months later, a CVE-2023-27532 exploit (used in attacks linked to the financially motivated FIN7 threat group) was deployed in Cuba ransomware attacks targeting U.S. critical infrastructure organizations.

Veeam says over 550,000 customers worldwide use its products, including roughly 74% of all companies in the Global 2,000 list.
