Ransomware gangs now exploit a important safety vulnerability that lets attackers acquire distant code execution (RCE) on weak Veeam Backup & Replication (VBR) servers.
Code White safety researcher Florian Hauser discovered that the safety flaw, now tracked as CVE-2024-40711, is attributable to a deserialization of untrusted information weak spot that unauthenticated menace actors can exploit in low-complexity assaults.
Veeam disclosed the vulnerability and launched safety updates on September 4, whereas watchTowr Labs revealed a technical evaluation on September 9. Nevertheless, watchTowr Labs delayed publishing proof-of-concept exploit code till September 15 to present admins sufficient time to safe their servers.
The delay was prompted by companies utilizing Veeam’s VBR software program as an information safety and catastrophe restoration answer for backing up, restoring, and replicating digital, bodily, and cloud machines.
This makes it a highly regarded goal for malicious actors searching for fast entry to an organization’s backup information.
As Sophos X-Ops incident responders discovered over the past month, the CVE-2024-40711 RCE flaw was shortly picked up and exploited in Akira and Fog ransomware assaults along with beforehand compromised credentials so as to add a “level” native account to the native Directors and Distant Desktop Customers teams.
“In a single case, attackers dropped Fog ransomware. One other assault in the identical timeframe tried to deploy Akira ransomware. Indicators in all 4 circumstances overlap with earlier Akira and Fog ransomware assaults,” Sophos X-Ops mentioned.
“In every of the circumstances, attackers initially accessed targets utilizing compromised VPN gateways with out multifactor authentication enabled. A few of these VPNs had been operating unsupported software program variations.
“Within the Fog ransomware incident, the attacker deployed it to an unprotected Hyper-V server, then used the utility rclone to exfiltrate information.”
Not the primary Veeam flaw focused in ransomware assaults
Final 12 months, on March 7, 2023, Veeam additionally patched a high-severity vulnerability within the Backup & Replication software program (CVE-2023-27532) that may be exploited to breach backup infrastructure hosts.
Weeks later, in late March, Finnish cybersecurity and privateness firm WithSecure noticed CVE-2023-27532 exploits deployed in assaults linked to the financially motivated FIN7 menace group, identified for its hyperlinks to the Conti, REvil, Maze, Egregor, and BlackBasta ransomware operations.
Months later, the identical Veeam VBR exploit was utilized in Cuba ransomware assaults towards U.S. important infrastructure and Latin American IT firms.
Veeam says its merchandise are utilized by over 550,000 clients worldwide, together with a minimum of 74% of all World 2,000 firms.