Final month, Sophos X-Ops reported a number of MDR instances the place menace actors exploited a vulnerability in Veeam backup servers. We proceed to trace the actions of this menace cluster, which not too long ago included deployment of a brand new ransomware. The vulnerability, CVE-2024-40711, was used as a part of a menace exercise cluster we named STAC 5881. Assaults leveraged compromised VPN home equipment for entry and used the VEEAM vulnerability to create a brand new native administrator account named “level”.
Some instances on this cluster led to the deployment of Akira or Fog ransomware. Akira was first seen in 2023 and seems to be inactive since mid-October with its data leak website now offline. Fog emerged earlier this 12 months, first seen in Might. In a current case MDR analysts as soon as once more noticed the techniques related to STAC 5881 – however this time noticed the deployment of a previously-undocumented ransomware known as “Frag”.
Much like the earlier occasions, the menace actor used a compromised VPN equipment for entry, leveraged the VEEAM vulnerability, and created a brand new account named ‘level’.
Nevertheless on this incident a ‘point2’ account was additionally created.
Frag is executed on the command line with a lot of parameters, with one required: proportion of file encryption. The attacker can specify directories or particular person recordsdata to encrypt.
When encrypted, recordsdata are given a .frag extension. On this case, the ransomware was blocked by Sophos endpoint safety’s CryptoGuard function. A detection for the ransomware binary has since been added.
The similarity within the techniques, strategies and practices of the actor behind Frag to these utilized by Akira and Fog menace actors has additionally been noticed by Agger Labs. Sophos X-Ops is intently monitoring this doable emergence of a brand new ransomware participant with behaviors beforehand seen in Akira ransomware. We are going to proceed to trace this menace conduct. We are going to replace this publish with extra technical particulars as they turn into accessible.