Veeam vulnerability is being exploited to deploy malware via compromised VPN credentials
Hackers are exploiting a vulnerability in a Veeam product to deploy ransomware against their targets.
This is what cybersecurity researchers from Sophos say, who have described their findings in detail Infosec exchange late last week. According to the researchers, crooks are using a combination of compromised credentials and exploiting vulnerabilities to deploy Fog and Akira ransomware.
First, they would go after VPN gateways with bad passwords and no multi-factor authentication (MFA). Some of these VPNs were even running unsupported software versions, it was said. They then allegedly exploited a vulnerability in Veeam Backup & Replication, tracked as CVE-2024-40711, that allowed them to create a local account.
Akira and Mist
CVE-2024-40711 is a critical vulnerability that allows unauthenticated remote code execution (RCE) via deserialization of untrusted data. By sending a malicious payload to the app, attackers can gain the ability to execute arbitrary code without authentication. It has a severity rating of 9.8 (critical). Veeam released a fix for this bug in version 12.2 (build 12.2.0.334), which was pushed in September this year. The vulnerability affected earlier versions of VBR, specifically version 12.1.2.172 and earlier.
Administrators were advised to upgrade to the latest version to reduce the risk of exploitation.
After creating a local account, the crooks attempted to deploy the Fog or Akira ransomware. In total, Sophos researchers have observed four attack attempts so far.
“These cases underscore the importance of patching known vulnerabilities, updating/replacing VPNs that are no longer supported, and using multi-factor authentication to control remote access. Sophos X-Ops continues to monitor this threat behavior.”
Despite there being only a handful of recorded attack attempts, the news was big enough to warrant an advisory from NHS England. As reported by The hacker newsthe advisory emphasized that business backup and disaster recovery applications are “high-value targets” for cybercriminals around the world.
Via The hacker news