Today's cybersecurity headlines are brought to you by ThreatPerspective


Ethical Hacking News

Akira and Fog Ransomware: A Growing Threat Amidst Critical Veeam Flaw



Cybersecurity experts are sounding the alarm: the Akira and Fog ransomware operations are now exploiting a critical security vulnerability in Veeam Backup & Replication (VBR). With over 550,000 customers worldwide using Veeam products, the flaw poses a significant threat to businesses that rely on VBR to back up and restore critical data. To reduce the risk of a successful attack, businesses should immediately update VBR to a patched release and apply all available security updates.

  • Veeam Backup & Replication (VBR) has a critical vulnerability, CVE-2024-40711 (CVSS 9.8), that allows unauthenticated remote code execution (RCE) on the backup server.
  • The flaw was discovered by Code White security researcher Florian Hauser. Veeam disclosed it and shipped the fix on September 4; watchTowr Labs published a technical analysis on September 9 and held back proof-of-concept exploit code until September 15.
  • Within weeks, CVE-2024-40711 was being exploited in Akira and Fog ransomware intrusions, chained with previously compromised VPN credentials to create a local administrator account on the backup server.
  • An earlier VBR flaw, CVE-2023-27532, was exploited in 2023 by FIN7 and later in Cuba ransomware attacks against U.S. critical infrastructure.
  • Businesses running VBR should update to the patched release, make sure VPN gateways run supported software with multifactor authentication enabled, and assess their backup infrastructure for weaknesses regularly.



    The flaw, tracked as CVE-2024-40711, is a deserialization bug that lets an unauthenticated attacker execute arbitrary code on a vulnerable VBR server, which makes it a prime target for intruders who want a fast route to a company's backup data.

    The vulnerability was discovered by Code White security researcher Florian Hauser, and Veeam published its advisory and fix on September 4. watchTowr Labs released a technical analysis on September 9 but deliberately withheld proof-of-concept exploit code until September 15 to give defenders time to patch: VBR is widely deployed as a data protection and disaster recovery solution for backing up, restoring, and replicating virtual, physical, and cloud machines, so working exploit code would have had a large pool of targets.

    That footprint makes VBR a very attractive target for anyone seeking unauthorized access to company backup data. According to Sophos X-Ops incident responders, the CVE-2024-40711 RCE flaw was picked up quickly and used in Akira and Fog ransomware attacks. In the intrusions Sophos investigated, the attackers first got in through VPN gateways that lacked multifactor authentication (some of them running unsupported software versions) using previously compromised credentials, then exploited the Veeam flaw on the backup server to create a local account named "point" and add it to the local Administrators and Remote Desktop Users groups.

    In one case the attackers dropped Fog ransomware; another attack in the same timeframe attempted to deploy Akira. Indicators in all four cases overlap with earlier Akira and Fog ransomware attacks. In the Fog incident, the attackers deployed the ransomware on an unprotected Hyper-V server, then used the rclone utility to exfiltrate data.
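    As an added illustration (not code from the original article, Sophos, or Veeam), the following Python triage looks for the post-exploitation pattern described above in exported Windows Security log records: a local account created (event 4720) and added to the Administrators or Remote Desktop Users group (event 4732) on the same host within a short window, plus process-creation events (4688) for rclone. The event records and their field names are constructed and simplified for the example; the exfiltration tool names beyond rclone are assumptions, as is the one-hour correlation window.

```python
"""Correlate Windows Security events to surface the pattern described above:
new local account -> privileged group membership -> rclone execution.
All records below are constructed for this example, not real telemetry."""
from datetime import datetime, timedelta

# Constructed sample records, shaped like fields a SIEM exports from the
# Security log (field names simplified; real 4720/4732/4688 events carry more).
SAMPLE_EVENTS = [
    {"ts": "2024-10-01T02:11:05", "host": "VBR01", "id": 4720,
     "target": "point", "subject": "VBR01$"},   # created from a SYSTEM context
    {"ts": "2024-10-01T02:11:09", "host": "VBR01", "id": 4732,
     "member": "point", "group": "Administrators"},
    {"ts": "2024-10-01T02:11:12", "host": "VBR01", "id": 4732,
     "member": "point", "group": "Remote Desktop Users"},
    {"ts": "2024-10-01T02:40:30", "host": "HV02", "id": 4688,
     "process": r"C:\Users\point\Downloads\rclone.exe",
     "cmdline": "rclone.exe copy D:\\Backups remote:exfil"},
    # Benign noise: a helpdesk user creating a service account in a non-privileged group.
    {"ts": "2024-10-01T09:00:00", "host": "FS01", "id": 4720,
     "target": "svc_scan", "subject": "helpdesk"},
    {"ts": "2024-10-01T09:00:05", "host": "FS01", "id": 4732,
     "member": "svc_scan", "group": "Backup Operators"},
]

PRIVILEGED_GROUPS = {"administrators", "remote desktop users"}
# rclone is the tool named in the article; the other two are assumed additions.
EXFIL_TOOLS = {"rclone.exe", "megasync.exe", "winscp.exe"}
WINDOW = timedelta(hours=1)   # assumed correlation window


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def find_suspicious_accounts(events, window=WINDOW):
    """Accounts created and then added to a privileged local group on the same
    host within `window`. Returns {account: {host, created_by, groups}}."""
    created = {}    # (host, account) -> 4720 event
    findings = {}
    for e in sorted(events, key=_ts):
        if e["id"] == 4720:
            created[(e["host"], e["target"].lower())] = e
        elif e["id"] == 4732 and e["group"].lower() in PRIVILEGED_GROUPS:
            c = created.get((e["host"], e["member"].lower()))
            if c is not None and _ts(e) - _ts(c) <= window:
                f = findings.setdefault(e["member"], {
                    "host": e["host"], "created_by": c["subject"], "groups": []})
                f["groups"].append(e["group"])
    return findings


def find_exfil_tool_runs(events, tools=EXFIL_TOOLS):
    """Process-creation events whose image name is a known exfiltration tool."""
    hits = []
    for e in events:
        if e["id"] != 4688:
            continue
        image = e["process"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if image in tools:
            hits.append({"host": e["host"], "ts": e["ts"],
                         "image": image, "cmdline": e.get("cmdline", "")})
    return hits


def triage(events):
    """Run both checks and return a dict a responder can act on."""
    return {"suspicious_accounts": find_suspicious_accounts(events),
            "exfil_tool_runs": find_exfil_tool_runs(events)}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_EVENTS), indent=2))
```

    On the constructed data the "point" account on VBR01 is flagged with both group additions, the helpdesk service account is not, and the rclone launch on the Hyper-V host is reported separately so it can be tied back to the account by name and time.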

    This is not the first Veeam flaw targeted by ransomware crews. On March 7, 2023, Veeam patched a high-severity VBR vulnerability (CVE-2023-27532) that could be exploited to breach backup infrastructure hosts. Weeks later, in late March, Finnish cybersecurity and privacy company WithSecure spotted CVE-2023-27532 exploits in attacks linked to the financially motivated FIN7 threat group, which has ties to the Conti, REvil, Maze, Egregor, and BlackBasta ransomware operations.

    Months later in 2023, the same Veeam VBR exploit was used in Cuba ransomware attacks against U.S. critical infrastructure and Latin American IT companies. Veeam says its products are used by over 550,000 customers worldwide, including at least 74% of Global 2000 companies, so the pool of potential targets for any VBR flaw is large.

    The stakes are high because of what the backup server represents. An attacker who controls the VBR server can locate, delete, or encrypt the backups before detonating ransomware, removing the victim's main recovery path and strengthening the extortion. That is why a remotely exploitable flaw in a product used to back up and restore critical data demands prompt action from IT administrators and security teams.

    To mitigate the risk, businesses should immediately update VBR to a release that contains the fix for CVE-2024-40711 (Veeam's advisory gives the fixed build as 12.2.0.334) and apply all available security patches. Because the observed intrusions began at VPN gateways without multifactor authentication, it is equally important to ensure that VPN gateways run supported, patched software and that MFA is enforced on them, and to avoid reusing VPN credentials on the backup server.

    Furthermore, companies should conduct regular vulnerability assessments to identify potential weaknesses in their backup infrastructure hosts and take prompt action to address them. By taking proactive steps to secure their VBR software and other critical systems, businesses can reduce the risk of a successful ransomware attack and minimize the impact on their operations.
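    As an added example (not Veeam's tooling or the original article's), here is a small Python fleet check that flags VBR installs older than the build that fixes CVE-2024-40711. The fixed build, 12.2.0.334, is the one Veeam's advisory lists; the inventory lines are constructed, and in practice they would come from a CMDB export or from the DisplayVersion of the Veeam Backup & Replication entry under the Windows Uninstall registry key on each server. Anything below the fixed build, including unsupported version 11 installs, is reported as vulnerable.

```python
"""Flag Veeam Backup & Replication hosts that predate the CVE-2024-40711 fix.
The fixed build (12.2.0.334) is taken from Veeam's advisory; the inventory
below is constructed for this example."""
from __future__ import annotations
import re

FIXED_BUILD = (12, 2, 0, 334)   # VBR 12.2 build that fixes CVE-2024-40711

# Constructed inventory: host,product,version (not real hosts or builds)
SAMPLE_INVENTORY = """\
VBR01,Veeam Backup & Replication,12.1.2.172
VBR02,Veeam Backup & Replication,12.2.0.334
VBR03,Veeam Backup & Replication,12.2.0.400
VBR04,Veeam Backup & Replication,11.0.1.1261
HV02,Veeam Backup & Replication,12.1.2.172 P1
FS01,Veeam Agent for Windows,6.1.0.349
BAD01,Veeam Backup & Replication,unknown
"""


def parse_build(version: str) -> tuple[int, ...] | None:
    """'12.1.2.172 P1' -> (12, 1, 2, 172); shorter strings are zero-padded to
    four fields so tuple comparison works; None if no numeric build is found."""
    m = re.match(r"\s*(\d+(?:\.\d+){1,3})", version)
    if not m:
        return None
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (4 - len(parts))


def is_patched(version: str) -> bool | None:
    """True if at or above the fixed build, False if below, None if unknown."""
    build = parse_build(version)
    return None if build is None else build >= FIXED_BUILD


def audit_inventory(text: str) -> dict[str, list[str]]:
    """Bucket VBR hosts as vulnerable / patched / unknown. Other Veeam
    products are skipped: CVE-2024-40711 is a VBR server issue."""
    result: dict[str, list[str]] = {"vulnerable": [], "patched": [], "unknown": []}
    for line in text.splitlines():
        if not line.strip():
            continue
        host, product, version = (f.strip() for f in line.split(",", 2))
        if product != "Veeam Backup & Replication":
            continue
        state = is_patched(version)
        bucket = "unknown" if state is None else ("patched" if state else "vulnerable")
        result[bucket].append(host)
    return result


if __name__ == "__main__":
    for bucket, hosts in audit_inventory(SAMPLE_INVENTORY).items():
        print(f"{bucket:10s} {', '.join(hosts) or '-'}")
```

    Hosts whose version cannot be parsed land in the "unknown" bucket rather than being silently treated as patched, which is the failure mode that matters when the check is driven by an imperfect inventory.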

    In conclusion, the discovery of the CVE-2024-40711 RCE flaw in Veeam Backup & Replication (VBR) software has significant implications for businesses that rely on it to protect their critical data. As cybersecurity experts and IT administrators work together to mitigate the risk of a successful attack, it is essential to remain vigilant and proactive in addressing potential vulnerabilities.



    Related Information:

  • https://www.bleepingcomputer.com/news/security/akira-and-fog-ransomware-now-exploiting-critical-veeam-rce-flaw/

  • https://www.darkreading.com/application-security/poc-exploit-for-rce-flaw-but-patches-from-veeam

  • https://nvd.nist.gov/vuln/detail/CVE-2024-40711

  • https://www.cvedetails.com/cve/CVE-2024-40711/

  • https://nvd.nist.gov/vuln/detail/CVE-2023-27532

  • https://www.cvedetails.com/cve/CVE-2023-27532/

  • https://attack.mitre.org/groups/G1024/

  • https://thehackernews.com/2024/04/akira-ransomware-gang-extorts-42.html

  • https://en.wikipedia.org/wiki/REvil

  • https://www.mitnicksecurity.com/blog/who-is-revil-the-notorious-ransomware-hacking-group-explained

  • https://www.csoonline.com/article/570215/egregor-ransomware-group-explained-and-how-to-defend-against-it.html

  • https://www.upguard.com/blog/what-is-egregor-ransomware

  • https://www.cisa.gov/news-events/alerts/2024/05/10/cisa-and-partners-release-advisory-black-basta-ransomware

  • https://www.hhs.gov/sites/default/files/black-basta-threat-profile.pdf


  • Published: Thu Oct 10 18:28:52 2024 by llama3.2 3B Q4_K_M

    © Ethical Hacking News. All rights reserved.