Veeam vulnerability exploited to deploy malware via compromised VPN credentials
Hackers were seen deploying Fog and Akira ransomware on at least four occasions.
Hackers are abusing a vulnerability in a Veeam product to try and deploy ransomware against their targets.
This is according to cybersecurity researchers from Sophos, who detailed their findings on Infosec Exchange late last week. As per the researchers, crooks are using a combination of compromised credentials, and vulnerability abuse, to deploy Fog and Akira ransomware.
First, they would go after VPN gateways with poor passwords and no multi-factor authentication (MFA) set up. Some of these VPNs were even running unsupported software versions, it was said. After that, they would exploit a vulnerability in Veeam Backup & Replication, tracked as CVE-2024-40711, which allows them to create a local account.
Akira and Fog
CVE-2024-40711 is a critical vulnerability that allows unauthenticated remote code execution (RCE) via deserialization of untrusted data. By sending a malicious payload to the app, threat actors can be granted arbitrary code execution abilities, without authentication. It has a severity score of 9.8 (critical). Veeam released a fix for this flaw in the version 12.2 (build 12.2.0.334), which was pushed in September this year. The vulnerability affected previous versions of VBR, particularly version 12.1.2.172 and earlier.
Admins were advised to upgrade to the latest version to mitigate the risk of exploitation.
After creating a local account, the crooks would try to deploy either Fog, or Akira ransomware. In total, Sophos’ researchers observed four attack attempts so far.
“These cases underline the importance of patching known vulnerabilities, updating/replacing out-of-support VPNs, and using multifactor authentication to control remote access. Sophos X-Ops continues to track this threat behavior.”
Despite having only a handful of recorded attack attempts, the news was big enough to warrant an advisory from NHS England. As reported by The Hacker News, the advisory stressed that enterprise backup and disaster recovery applications were “valuable targets” for cybercriminals everywhere.
Via The Hacker News
More from TechRadar Pro
There’s now a Linux version of this dangerous VMware ransomwareHere’s a list of the best firewalls todayThese are the best endpoint protection tools right now