Company backups are in the crosshairs of ransomware.
Security researchers at Sophos X-Ops have discovered that hacker groups have begun to exploit a critical vulnerability in Veeam Backup & Replication (VBR) that allows attackers to remotely execute code on vulnerable servers.
The security flaw, reported as CVE-2024-40711, was previously identified by security researcher Florian Hauser. The vulnerability is related to the deserialization of untrusted data, which allows attackers without authentication to carry out low-level attacks.
Veeam announced this vulnerability and released security updates on September 4, 2024. Later, a technical analysis of the vulnerability was published by experts from watchTowr Labs; however, they postponed the release of the proof-of-concept code until September 15 to give administrators time to eliminate the threat.
VBR is a popular solution for data protection and disaster recovery, making it a priority target for hackers looking to gain access to company backups. Over the past month, experts from Sophos X-Ops have established that the CVE-2024-40711 vulnerability is actively used in attacks using the Akira and Fog ransomware. Attackers, having gained access using compromised credentials, created local accounts with administrator and remote desktop user privileges.
In one case, the hackers used Fog to attack a Hyper-V server and then used the rclone utility to exfiltrate the data. In a similar period, an attempt was made to deploy the Akira program. Notably, all of these cases had similar indicators to earlier attacks using ransomware data.
It is noted that earlier, in March 2023, Veeam had already fixed another vulnerability - CVE-2023-27532, which was also used to attack the backup infrastructure. At that time, the vulnerability was seen in attacks by the FIN7 group, associated with known operations to distribute Conti, REvil and other ransomware.
Veeam products are used by more than half a million customers worldwide, including 74% of the Global 2000 companies. This underscores the criticality of attacks on VBR, as the compromise of such widely used software can lead to large-scale data breaches and disruption to large organizations around the world.
Source