Today's cybersecurity headlines are brought to you by ThreatPerspective


Ethical Hacking News

Critical Veeam Vulnerability Exploited to Spread Akira and Fog Ransomware: A Threat Assessment


A critical vulnerability in Veeam Backup & Replication has been successfully leveraged by threat actors to deploy Akira and Fog ransomware. This incident highlights the need for enterprises to prioritize their cybersecurity posture and stay vigilant against emerging threats.

  • The critical Veeam vulnerability (CVE-2024-40711) has been exploited by threat actors to deploy Akira and Fog ransomware.
  • The attack vector involves compromising VPN credentials and exploiting the vulnerability to create a local account and deploy the ransomware.
  • The vulnerability is rated 9.8 out of 10.0 on the CVSS scale, making it an extremely critical threat.
  • Attackers have successfully deployed Akira and Fog ransomware using compromised VPN gateways without multifactor authentication enabled.
  • The exploitation of this vulnerability highlights the importance of patching vulnerabilities promptly and implementing robust security measures to protect against these threats.


The cybersecurity landscape has seen a marked escalation recently, with numerous high-profile attacks and actively exploited vulnerabilities. The latest incident involves a critical vulnerability in Veeam Backup & Replication, which threat actors have leveraged to deploy Akira and Fog ransomware.

According to a report from Sophos, the security firm tracking this attack vector, several attacks over the past month have all combined compromised VPN credentials with CVE-2024-40711 to create a local account and deploy ransomware. The vulnerability is rated 9.8 out of 10.0 on the CVSS scale, placing it in the Critical severity band.

The attackers gained initial access through compromised VPN gateways that did not have multifactor authentication enabled. In some cases these VPNs were running unsupported software versions, giving the attackers an additional entry point. Exploitation of the Veeam Backup & Replication vulnerability causes Veeam.Backup.MountService.exe to spawn net.exe, which creates a local account named 'point' and adds it to the local Administrators and Remote Desktop Users groups.
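The parent/child process relationship described above is the most useful detection hook for defenders. The following is an added example, not code from the original article or from Sophos, that runs a simple triage over constructed Sysmon-style process-creation records and flags net.exe spawned by Veeam.Backup.MountService.exe, local account creation, and additions to the Administrators or Remote Desktop Users groups. The install path, the account password and the event field names are assumptions.

```python
import re

# Constructed sample of process-creation records (Sysmon Event ID 1 style), reduced to
# the three fields the triage needs. These are not real telemetry from the incident;
# the Veeam install path and the password are assumed/constructed values.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Veeam\Backup and Replication\Backup\Veeam.Backup.MountService.exe",
     "Image": r"C:\Windows\System32\net.exe",
     "CommandLine": "net user point P@ss-example /add"},
    {"ParentImage": r"C:\Windows\System32\net.exe",
     "Image": r"C:\Windows\System32\net1.exe",
     "CommandLine": "net1 localgroup Administrators point /add"},
    {"ParentImage": r"C:\Windows\System32\net.exe",
     "Image": r"C:\Windows\System32\net1.exe",
     "CommandLine": 'net1 localgroup "Remote Desktop Users" point /add'},
    {"ParentImage": r"C:\Program Files\Veeam\Backup and Replication\Backup\Veeam.Backup.MountService.exe",
     "Image": r"C:\Windows\System32\mountvol.exe",
     "CommandLine": "mountvol /L"},                  # benign mount activity by the service
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\net.exe",
     "CommandLine": "net view \\\\fileserver"},       # ordinary admin use, no account change
]

VEEAM_PARENT = "veeam.backup.mountservice.exe"
NET_BINARIES = {"net.exe", "net1.exe"}
# "net user <name> <password> /add"
ACCOUNT_ADD = re.compile(r"\buser\s+\S+\s+\S+\s+/add\b", re.I)
# "net localgroup Administrators <name> /add" or the quoted Remote Desktop Users group
PRIV_GROUP_ADD = re.compile(r'\blocalgroup\s+("remote desktop users"|administrators)\s+\S+\s+/add\b', re.I)


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return a finding label for one process-creation event, or None if it is benign."""
    parent, image, cmd = basename(event["ParentImage"]), basename(event["Image"]), event["CommandLine"]
    if parent == VEEAM_PARENT and image in NET_BINARIES:
        return "veeam_mountservice_spawned_net"      # the backup service should never run net.exe
    if image in NET_BINARIES and ACCOUNT_ADD.search(cmd):
        return "local_account_created"
    if image in NET_BINARIES and PRIV_GROUP_ADD.search(cmd):
        return "privileged_group_modified"
    return None


def scan(events):
    """Return (index, label) pairs for every event that produces a finding."""
    return [(i, classify(e)) for i, e in enumerate(events) if classify(e)]
```

In a real deployment the first rule alone is a high-confidence indicator for this CVE, while the other two catch the same account-creation tradecraft when the parent process is something else.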

In one notable incident, the threat actors deployed Fog ransomware to an unprotected Hyper-V server and used the rclone utility for data exfiltration. Although the other ransomware deployments were unsuccessful, this incident illustrates the potential severity of the vulnerability and the tactics, techniques, and procedures (TTPs) the attackers employ.

The recent exploitation of CVE-2024-40711 prompted an advisory from NHS England, which noted that enterprise backup and disaster recovery applications are valuable targets for cyber threat groups. The incident is also a reminder that critical vulnerabilities will be exploited if they are not addressed promptly.

Furthermore, this incident is part of a broader trend of ransomware attacks conducted through various techniques, including phishing emails, malicious websites, and exploitation of software vulnerabilities. The newly emerged Lynx ransomware shares a significant portion of its source code with INC ransomware, showing that the ransomware landscape continues to evolve and adapt.

In addition to the Akira and Fog deployments, there have been reports of another relatively new ransomware player, Trinity ransomware, which has targeted at least one healthcare entity in the country. This threat actor is believed to be a rebranding of 2023Lock and Venus ransomware, emphasizing the importance of staying vigilant and up to date with the latest security patches.

Lastly, there have been reports of a financially motivated threat actor known for delivering a MedusaLocker ransomware variant dubbed BabyLockerKZ. This attacker uses several publicly known attack tools and living-off-the-land binaries (LoLBins) for credential theft and lateral movement in compromised organizations.

In conclusion, the exploitation of the critical Veeam vulnerability has resulted in successful deployments of Akira and Fog ransomware, underscoring the need for enterprises to prioritize their cybersecurity posture. The recent surge in ransomware attacks highlights the importance of staying vigilant, patching vulnerabilities promptly, and implementing robust security measures to protect against these threats.



    Related Information:

  • https://thehackernews.com/2024/10/critical-veeam-vulnerability-exploited.html

  • https://nvd.nist.gov/vuln/detail/CVE-2024-40711

  • https://www.cvedetails.com/cve/CVE-2024-40711/

  • https://arcticwolf.com/resources/blog/lost-in-the-fog-a-new-ransomware-threat/

  • https://darktrace.com/blog/lifting-the-fog-darktraces-investigation-into-fog-ransomware


  • Published: Mon Oct 14 05:11:37 2024 by llama3.2 3B Q4_K_M
© Ethical Hacking News. All rights reserved.