close
close

You’ve had a year to fix this Veeam vulnerability, and now it’s going to hurt you • The Register

You’ve had a year to fix this Veeam vulnerability, and now it’s going to hurt you • The Register

Another new ransomware gang, dubbed EstateRansomware, is using a Veeam vulnerability patched more than a year ago to drop file-encrypting malware of the LockBit variety and extort money from victims.

Veeam fixed the bug, followed CVE-2023-27532For versions 12/11a and later of the backup and replication software in March 2023. The high severity bug received a CVSS rating of 7.5.

“The replication component allows an unauthenticated user operating within the backup infrastructure network perimeter to obtain encrypted credentials stored in the configuration database,” the software vendor warned when it identified the flaw, adding: “This could lead to an attacker gaining access to backup infrastructure hosts.”

It appears that not all Veeam users got the memo that patching is important, and at least one criminal gang has started distributing ransomware using unpatched systems.

Singapore-based Group-IB security researchers detected EstateRansomware in early April and said the team gained initial access to targeted networks by conducting brute-force attacks against FortiGate firewall SSL VPN devices using a dormant account.

According to this analysis Subsequent VPN connections from Group-IB originated from a US-based IP address. After brute-forcing their way in using valid credentials, the attackers established remote desktop protocol connections through the firewall to the failover server, we were told.

“Examination of the firewall configuration file revealed an existing RDP bookmark that provided access to the takeover server,” wrote Group-IB digital forensics analyst Yeo Zi Wei. “This bookmark, associated with the ‘Acc1’ VPN account, allowed the threat actor to access the takeover server via RDP without requiring additional credentials.

The EstateRansomware gang then used this remote access to plant a backdoor and scheduled it to run daily to gain constant access to the victim’s environment.

Criminals then used this access to steal user credentials and exploit a vulnerability in the backup and replication software, just as Veeam warned in a March 2023 patch that could happen if users didn’t patch it.

The threat team’s assumption was that the attack likely originated from a folder called “VeeamHax” on the file server that contained a vulnerable version of the software. And after accessing that folder, the criminals activated it xp_cmdshell (a SQL server stored procedure for executing Windows shell commands) and created a new account named “VeeamBkp”.

“CVE-2023-27532.exe and VeeamHax are likely to be linked to a Proof of Concept published by (pen testing organization) Horizon3 and (Rapid7 security researcher) sfewer-r7 “On GitHub,” Wei noted, “it was determined that both the file server and the backup server were running vulnerable versions of Veeam Backup & Replication: v9.5.2855 and v9.5.0.1922, respectively.”

Using various network scanning and password recovery tools, including SoftPerfect Netscan and Nirsoft, the thieves gathered information about hosts, open ports, file shares, and stole credentials.

The criminals also used these compromised accounts to access Active Directory (AD) and other servers and then disable Windows Defender before deploying the ransomware payload, a variant of LockBit 3.0 that encrypts files and clears logs.

It’s unclear how many victims EstateRansomware’s data-locking malware has affected. We’ve contacted Group-IB for more information about the ransomware campaign.

Veeam Software spokesperson Heidi Monroe Kroft declined to answer specific questions about the ransomware attack but noted that the software vendor released a patch to close the vulnerability on March 6, 2023.

“This has been communicated directly to all of our VBR customers,” Kroft said. Record“A Knowledge Base article “A release detailing the issue has been published. Once a vulnerability is identified and disclosed, attackers will still attempt to exploit and reverse engineer patches and use them in attempts to exploit the vulnerability in an unpatched version of Veeam software.”

“This underscores the importance of ensuring customers are using the latest versions of all software and that patches are installed in a timely manner.”

In other words: If you want to avoid becoming a victim of malware, get software updates.

Group-IB’s investigation into EstateRansomware’s malware campaign echoes another ransomware report released today. This report from Cisco Talos analyzed the preferred tactics, techniques, and procedures (TTPs) of the top 14 ransomware groups. Talos found that the “most prolific” criminals on the scene prioritized gaining initial access via valid account credentials. ®