

Ethical Hacking News

The Veeam Vulnerability: A Growing Concern for Remote Access and Data Protection



A critical vulnerability has been added to the Known Exploited Vulnerabilities catalog by CISA, highlighting the need for organizations to prioritize data protection and remote access security. The Veeam Backup and Replication flaw is a severe RCE vulnerability that can be exploited to deploy malware and create rogue accounts.

  • U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical vulnerability in Veeam Backup and Replication to the Known Exploited Vulnerabilities (KEV) catalog.
  • The vulnerability, CVE-2024-40711, is a severe remote code execution (RCE) flaw that can be exploited by attackers to gain unauthorized access to systems.
  • Attacks that use compromised credentials together with the Veeam vulnerability have been observed deploying ransomware, including Fog and Akira.
  • CISA has ordered federal agencies to fix this vulnerability by November 7, 2024, emphasizing the importance of addressing known vulnerabilities.
  • Private organizations are advised to review the KEV catalog and address the vulnerabilities in their infrastructure to prevent similar incidents.
  • Organizations should apply security patches and updates, implement multifactor authentication, conduct vulnerability assessments, and develop incident response plans to mitigate attacks.



    The recent addition of a critical vulnerability in Veeam Backup and Replication to the Known Exploited Vulnerabilities (KEV) catalog by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has sent shockwaves through the cybersecurity community, highlighting the need for organizations to prioritize data protection and remote access security. The vulnerability, identified as CVE-2024-40711, is a severe remote code execution (RCE) flaw that can be exploited by attackers to gain unauthorized access to systems, deploy malware, and create rogue accounts.

    The Veeam Backup and Replication software, which enables organizations to back up, restore, and replicate data across physical, virtual, and cloud environments, has been at the center of attention due to its widespread use in various industries. The vulnerability was first discovered by Florian Hauser, a cybersecurity researcher at CODE WHITE GmbH, who reported it to CISA. The flaw impacts Veeam Backup & Replication 12.1.2.172 and all earlier version 12 builds.

    Sophos researchers have observed recent attacks that use compromised credentials together with the Veeam vulnerability CVE-2024-40711 to deploy ransomware, including Fog and Akira. In these cases, attackers accessed targets via VPN gateways lacking multifactor authentication, some of which ran outdated software. The overlap in indicators between these cases and prior Fog and Akira ransomware attacks suggests a coordinated effort by threat actors.

    The attackers' techniques varied: some deployed ransomware on unprotected Hyper-V servers and used rclone for data exfiltration. In one case, attackers dropped Fog ransomware and created a local account named "point," adding it to the local Administrators and Remote Desktop Users groups. This indicates that the attackers were able to gain administrative access to the system, which can have severe consequences.
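
    One way to detect the account activity described above, added here as an example and not taken from Sophos, CISA, or Veeam: it correlates Windows Security events 4720 (user account created) and 4732 (member added to a local group) for the two built-in groups named. The flattened record layout, host names, account SIDs, and the 30-minute window are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Well-known SIDs of the two built-in local groups named in the article.
WATCHED_GROUPS = {
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-555": "Remote Desktop Users",
}
WINDOW = timedelta(minutes=30)  # assumed correlation window, tune per environment

# Constructed sample records (flattened Security-log events), not real telemetry.
# 4720 = user account created, 4732 = member added to a security-enabled local group.
NEW = "S-1-5-21-1111-2222-3333-1105"   # constructed SID of the new account
OLD = "S-1-5-21-1111-2222-3333-1001"   # constructed SID of a long-standing account
SAMPLE_EVENTS = [
    {"time": "2024-10-10T02:14:05", "host": "BKP01", "id": 4720,
     "TargetSid": NEW, "TargetUserName": "point"},
    {"time": "2024-10-10T02:14:07", "host": "BKP01", "id": 4732,
     "TargetSid": "S-1-5-32-544", "MemberSid": NEW},
    {"time": "2024-10-10T02:14:09", "host": "BKP01", "id": 4732,
     "TargetSid": "S-1-5-32-555", "MemberSid": NEW},
    # Existing account added to a watched group: no 4720 in the window, not flagged.
    {"time": "2024-10-10T09:30:00", "host": "FS02", "id": 4732,
     "TargetSid": "S-1-5-32-555", "MemberSid": OLD},
]


def find_new_privileged_accounts(events, window=WINDOW):
    """Return accounts created and then added to a watched group within `window`."""
    created = {}  # (host, account SID) -> (creation time, account name)
    hits = {}     # (host, account SID) -> names of watched groups joined
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        if ev["id"] == 4720:
            created[(ev["host"], ev["TargetSid"])] = (ts, ev["TargetUserName"])
        elif ev["id"] == 4732 and ev["TargetSid"] in WATCHED_GROUPS:
            key = (ev["host"], ev["MemberSid"])
            if key in created and ts - created[key][0] <= window:
                hits.setdefault(key, set()).add(WATCHED_GROUPS[ev["TargetSid"]])
    return [
        {"host": host, "account": created[(host, sid)][1], "groups": sorted(groups)}
        for (host, sid), groups in hits.items()
    ]


if __name__ == "__main__":
    for alert in find_new_privileged_accounts(SAMPLE_EVENTS):
        print(alert)
```

    Matching on the group SID rather than the group name keeps the rule working on hosts with localized or renamed groups.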

    CISA has ordered federal agencies to fix this vulnerability by November 7, 2024, emphasizing the importance of addressing known vulnerabilities to protect their networks against attacks. Experts also recommend private organizations review the KEV catalog and address the vulnerabilities in their infrastructure to prevent similar incidents.

    The recent addition of CVE-2024-40711 to the KEV catalog serves as a reminder of the critical importance of staying up-to-date with security patches, using multifactor authentication for remote access, and regularly reviewing vulnerability assessments. As organizations continue to rely on software like Veeam Backup and Replication for data protection and disaster recovery, it is essential that they prioritize cybersecurity measures to prevent exploitation.

    In light of this development, it is crucial for organizations to take immediate action to address the vulnerabilities in their infrastructure. This includes:

    1. Applying security patches and updates to all affected systems.
    2. Implementing multifactor authentication for remote access to VPN gateways.
    3. Conducting thorough vulnerability assessments to identify potential weaknesses.
    4. Developing incident response plans to mitigate the impact of attacks.

    By taking proactive measures, organizations can reduce their risk exposure and prevent similar incidents from occurring in the future.



    Related Information:

  • https://securityaffairs.com/170014/security/u-s-cisa-adds-veeam-backup-and-replication-flaw-to-its-known-exploited-vulnerabilities-catalog.html

  • https://www.cisa.gov/news-events/alerts/2024/10/17/cisa-adds-one-known-exploited-vulnerability-catalog

  • https://nvd.nist.gov/vuln/detail/CVE-2024-40711

  • https://www.cvedetails.com/cve/CVE-2024-40711/

  • https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-109a

  • https://www.bleepingcomputer.com/news/security/meet-akira-a-new-ransomware-operation-targeting-the-enterprise/


  • Published: Sat Oct 19 11:48:32 2024 by llama3.2 3B Q4_K_M













         

