A previously unknown virus is spreading rapidly across critical infrastructures.
Cybercriminals have begun to actively exploit a vulnerability in the popular Veeam Backup & Replication software to distribute a new ransomware called "Frag". The vulnerability with the identifier CVE-2024-40711 allows remote code execution without authentication and has a critical severity level of 9.8 out of 10 on the CVSS scale.
Sophos X-Ops researchers reported that the attacks are linked to the activity of a group designated STAC 5881. These hackers use vulnerable VPN devices to infiltrate networks and then use an exploit for Veeam to create fake admin accounts.
The issue affects versions of Veeam Backup & Replication up to and including 12.1.2.172. Veeam is the go-to backup solution used by more than 550,000 customers worldwide, including 74% of Global 2000 companies. Patches to address the vulnerability were released in early September 2024.
Previously, the STAC 5881 group used the well-known Akira and Fog ransomware viruses. Attacks using the previously unknown Frag malware have only recently been identified. According to Sean Gallagher, lead researcher at Sophos X-Ops, the attack pattern remains the same: attackers first gain access through a vulnerable VPN, then exploit the Veeam vulnerability and create "point" and "point2" accounts.
Frag is executed via the command line and requires specifying the thoroughness of file encryption as a percentage. All encrypted documents receive the '.frag' extension. Sophos has already included support for the detection of this malware in its endpoint protection tools.
Veeam Backup & Replication customers are advised to install the latest updates immediately. It's also a good idea to isolate your backup servers from the internet, apply multi-factor authentication, and use monitoring to detect suspicious activity.
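Two defender-side checks that follow from the details above, as an added example (not code from Sophos, Veeam or the original post): a version test against the last affected build the article names, and a scan of exported Windows Security events for the "point"/"point2" account pattern attributed to STAC 5881. The event records, field names and host names are constructed sample data.

```python
"""Added example: turn the article's indicators into two simple checks.

  * is_vulnerable_version(): True for Veeam Backup & Replication builds at or
    below 12.1.2.172, the last affected build named in the article.
  * find_suspicious_admin_activity(): scans Windows Security events exported as
    JSON-like dicts for the "point"/"point2" pattern: account creation
    (Event ID 4720) and addition to a local group (Event ID 4732).
All events and field values below are constructed, not real telemetry.
"""
import re

LAST_VULNERABLE_BUILD = (12, 1, 2, 172)           # from the advisory text above
SUSPICIOUS_NAME = re.compile(r"^point\d*$", re.IGNORECASE)


def parse_version(text: str) -> tuple:
    """Turn '12.1.2.172' into (12, 1, 2, 172); shorter strings are zero-padded."""
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * (4 - len(parts))


def is_vulnerable_version(text: str) -> bool:
    """Builds up to and including 12.1.2.172 are in the affected range."""
    return parse_version(text) <= LAST_VULNERABLE_BUILD


def find_suspicious_admin_activity(events):
    """Return (host, event_id, account) for events matching the reported pattern."""
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 4720:                                # new user account created
            name = ev.get("TargetUserName", "")
        elif eid == 4732:                              # member added to a local group
            name = ev.get("MemberName", "").rsplit("\\", 1)[-1]   # strip DOMAIN\
        else:
            continue                                   # other events are not in scope
        if SUSPICIOUS_NAME.match(name):
            findings.append((ev.get("Computer"), eid, name))
    return findings


# Constructed sample events shaped like a JSON export of the Security log.
SAMPLE_EVENTS = [
    {"EventID": 4720, "Computer": "backup01", "SubjectUserName": "svc_veeam",
     "TargetUserName": "point"},
    {"EventID": 4732, "Computer": "backup01", "TargetUserName": "Administrators",
     "MemberName": "BACKUP01\\point"},
    {"EventID": 4720, "Computer": "fs02", "SubjectUserName": "helpdesk",
     "TargetUserName": "jsmith"},
    {"EventID": 4625, "Computer": "backup01", "TargetUserName": "point2"},  # failed logon, ignored
]

if __name__ == "__main__":
    print("vulnerable build:", is_vulnerable_version("12.1.2.172"))
    for hit in find_suspicious_admin_activity(SAMPLE_EVENTS):
        print("suspicious:", hit)
```

The name match is deliberately narrow to the names the article reports; a real deployment would pair it with the creating account and the time of the Veeam exploit attempt rather than alerting on the name alone.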
Source