Security
Headlines
HeadlinesLatestCVEs

Headline

New Ransomware Group Exploiting Veeam Backup Software Vulnerability

A now-patched security flaw in Veeam Backup & Replication software is being exploited by a nascent ransomware operation known as EstateRansomware. Singapore-headquartered Group-IB, which discovered the threat actor in early April 2024, said the modus operandi involved the exploitation of CVE-2023-27532 (CVSS score: 7.5) to carry out the malicious activities. Initial access to the target

The Hacker News
#vulnerability#windows#cisco#backdoor#ssl#The Hacker News

A now-patched security flaw in Veeam Backup & Replication software is being exploited by a nascent ransomware operation known as EstateRansomware.

Singapore-headquartered Group-IB, which discovered the threat actor in early April 2024, said the modus operandi involved the exploitation of CVE-2023-27532 (CVSS score: 7.5) to carry out the malicious activities.

Initial access to the target environment is said to have been facilitated by means of a Fortinet FortiGate firewall SSL VPN appliance using a dormant account.

“The threat actor pivoted laterally from the FortiGate Firewall through the SSL VPN service to access the failover server,” security researcher Yeo Zi Wei said in an analysis published today.

“Before the ransomware attack, there were VPN brute-force attempts noted in April 2024 using a dormant account identified as ‘Acc1.’ Several days later, a successful VPN login using ‘Acc1’ was traced back to the remote IP address 149.28.106[.]252.”

Next, the threat actors proceeded to establish RDP connections from the firewall to the failover server, followed by deploying a persistent backdoor named “svchost.exe” that’s executed daily through a scheduled task.

Subsequent access to the network was accomplished using the backdoor to evade detection. The primary responsibility of the backdoor is to connect to a command-and-control (C2) server over HTTP and execute arbitrary commands issued by the attacker.

Group-IB said it observed the actor exploiting Veeam flaw CVE-2023-27532 with an aim to enable xp_cmdshell on the backup server and create a rogue user account named “VeeamBkp,” alongside conducting network discovery, enumeration, and credential harvesting activities using tools like NetScan, AdFind, and NitSoft using the newly created account.

“This exploitation potentially involved an attack originating from the VeeamHax folder on the file server against the vulnerable version of Veeam Backup & Replication software installed on the backup server,” Zi Wei hypothesized.

“This activity facilitated the activation of the xp_cmdshell stored procedure and subsequent creation of the ‘VeeamBkp’ account.”

The attack culminated in the deployment of the ransomware, but not before taking steps to impair defenses and moving laterally from the AD server to all other servers and workstations using compromised domain accounts.

“Windows Defender was permanently disabled using DC.exe [Defender Control], followed by ransomware deployment and execution with PsExec.exe,” Group-IB said.

The disclosure comes as Cisco Talos revealed that most ransomware gangs prioritize establishing initial access using security flaws in public-facing applications, phishing attachments, or breaching valid accounts, and circumventing defenses in their attack chains.

The double extortion model of exfiltrating data prior to encrypting files has further given rise to custom tools developed by the actors (e.g., Exmatter, Exbyte, and StealBit) to send the confidential information to an adversary-controlled infrastructure.

This necessitates that these e-crime groups establish long-term access to explore the environment in order to understand the network’s structure, locate resources that can support the attack, elevate their privileges, or allow them to blend in, and identify data of value that can be stolen.

“Over the past year, we have witnessed major shifts in the ransomware space with the emergence of multiple new ransomware groups, each exhibiting unique goals, operational structures and victimology,” Talos said.

“The diversification highlights a shift toward more boutique-targeted cybercriminal activities, as groups such as Hunters International, Cactus and Akira carve out specific niches, focusing on distinct operational goals and stylistic choices to differentiate themselves.”

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Related news

Ransomware Gangs Use LockBit's Fame to Intimidate Victims in Latest Attacks

Threat actors have been observed abusing Amazon S3 (Simple Storage Service) Transfer Acceleration feature as part of ransomware attacks designed to exfiltrate victim data and upload them to S3 buckets under their control. "Attempts were made to disguise the Golang ransomware as the notorious LockBit ransomware," Trend Micro researchers Jaromir Horejsi and Nitesh Surana said. "However, such is

Akira ransomware continues to evolve

As the Akira ransomware group continues to evolve its operations, Talos has the latest research on the group's attack chain, targeted verticals, and potential future TTPs.

Amateurish 'CosmicBeetle' Ransomware Stings SMBs in Turkey

With an immature codebase and a "rather chaotic encryption scheme" prone to failure, the group targets small businesses with custom malware.

Talos IR trends: BEC attacks surge, while weaknesses in MFA persist

Within BEC attacks, adversaries will send phishing emails appearing to be from a known or reputable source making a valid request, such as updating payroll direct deposit information.

New BlackCat Ransomware Variant Adopts Advanced Impacket and RemCom Tools

Microsoft on Thursday disclosed that it found a new version of the BlackCat ransomware (aka ALPHV and Noberus) that embeds tools like Impacket and RemCom to facilitate lateral movement and remote code execution. "The Impacket tool has credential dumping and remote service execution modules that could be used for broad deployment of the BlackCat ransomware in target environments," the company's

Notorious Cyber Gang FIN7 Returns Cl0p Ransomware in New Wave of Attacks

The notorious cybercrime group known as FIN7 has been observed deploying Cl0p (aka Clop) ransomware, marking the threat actor's first ransomware campaign since late 2021. Microsoft, which detected the activity in April 2023, is tracking the financially motivated actor under its new taxonomy Sangria Tempest. "In these recent attacks, Sangria Tempest uses the PowerShell script POWERTRASH to load

Microsoft Confirms PaperCut Servers Used to Deliver LockBit and Cl0p Ransomware

Microsoft has confirmed that the active exploitation of PaperCut servers is linked to attacks designed to deliver Cl0p and LockBit ransomware families. The tech giant's threat intelligence team is attributing a subset of the intrusions to a financially motivated actor it tracks under the name Lace Tempest (formerly DEV-0950), which overlaps with other hacking groups like FIN11, TA505, and Evil

CVE-2023-27532: KB4424: CVE-2023-27532

Vulnerability in Veeam Backup & Replication component allows encrypted credentials stored in the configuration database to be obtained. This may lead to gaining access to the backup infrastructure hosts.