
Recent Veeam Vulnerability Exploited in Ransomware Attacks

Sophos warns of ransomware operators exploiting a critical code execution vulnerability in Veeam Backup & Replication.

Ransomware operators are exploiting a critical-severity vulnerability in Veeam Backup & Replication to create rogue accounts and deploy malware, Sophos warns.

The issue, tracked as CVE-2024-40711 (CVSS score of 9.8), can be exploited remotely, without authentication, for arbitrary code execution, and was patched in early September with the release of Veeam Backup & Replication version 12.2 (build 12.2.0.334).

While neither Veeam nor Code White, which was credited with reporting the bug, has shared technical details, attack surface management firm WatchTowr performed an in-depth analysis of the patches to better understand the vulnerability.

CVE-2024-40711 consisted of two issues: a deserialization flaw and an improper authorization bug. Veeam fixed the improper authorization bug in build 12.1.2.172 of the product, which closed off anonymous exploitation, and patched the deserialization bug in build 12.2.0.334, WatchTowr revealed.
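Because the fix landed in two builds, "is this server patched?" has three answers rather than two. The following Python script is an added example, not code from Veeam or WatchTowr: it turns a build string into a comparable tuple, classifies it against the two build numbers given above, and triages an inventory so the servers that still accept anonymous exploitation are listed first. The hostnames and the inventory are constructed for the example.

```python
"""Triage Veeam Backup & Replication builds against the two CVE-2024-40711 fixes."""
from __future__ import annotations

# Build numbers from the article: 12.1.2.172 fixed the improper-authorization bug
# (no more anonymous exploitation); 12.2.0.334 fixed the deserialization bug.
AUTHZ_FIX_BUILD = (12, 1, 2, 172)
DESER_FIX_BUILD = (12, 2, 0, 334)


def parse_build(build: str) -> tuple[int, ...]:
    """Turn '12.2.0.334' into a comparable tuple; reject anything that is not four numeric parts."""
    parts = build.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised build string: {build!r}")
    return tuple(int(p) for p in parts)


def exposure(build: str) -> str:
    """Classify a build as 'patched' (both fixes present), 'partial' (authorization fix
    only, deserialization bug still present) or 'unpatched' (both bugs present, and
    reachable without credentials)."""
    b = parse_build(build)
    if b >= DESER_FIX_BUILD:
        return "patched"
    if b >= AUTHZ_FIX_BUILD:
        return "partial"
    return "unpatched"


def triage(inventory: dict[str, str]) -> list[tuple[str, str, str]]:
    """Return (host, build, exposure) for every host that is not fully patched, worst first."""
    rank = {"unpatched": 0, "partial": 1}
    rows = [(host, build, exposure(build)) for host, build in inventory.items()]
    return sorted((r for r in rows if r[2] != "patched"), key=lambda r: (rank[r[2]], r[0]))


# Constructed inventory with hypothetical hostnames, for a stand-alone run.
SAMPLE_INVENTORY = {
    "vbr-prod-01": "12.2.0.334",
    "vbr-prod-02": "12.1.2.172",
    "vbr-dr-01": "12.1.1.56",
    "vbr-lab-01": "12.2.0.334",
}

if __name__ == "__main__":
    for host, build, state in triage(SAMPLE_INVENTORY):
        print(f"{host:12} {build:12} {state}")
```

A "partial" host is not safe to leave as is: the Sophos incidents described below paired the vulnerability with compromised credentials, which is exactly the case the authorization fix alone does not cover.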

Given the severity of the security defect, the security firm refrained from releasing a proof-of-concept (PoC) exploit, noting “we’re a little worried by just how valuable this bug is to malware operators.” Sophos’ fresh warning validates those fears.

“Sophos X-Ops MDR and Incident Response are tracking a series of attacks in the past month leveraging compromised credentials and a known vulnerability in Veeam (CVE-2024-40711) to create an account and attempt to deploy ransomware,” Sophos noted in a Thursday post on Mastodon.

The cybersecurity firm says it has observed attackers deploying the Fog and Akira ransomware and that indicators in four incidents overlap with previously observed attacks attributed to these ransomware groups.

According to Sophos, the threat actors used compromised VPN gateways that lacked multi-factor authentication for initial access. In some cases, the VPNs were running unsupported software versions.


“Each time, the attackers exploited Veeam on the URI /trigger on port 8000, triggering the Veeam.Backup.MountService.exe to spawn net.exe. The exploit creates a local account, ‘point’, adding it to the local Administrators and Remote Desktop Users groups,” Sophos said.

Following the successful creation of the account, the Fog ransomware operators deployed malware to an unprotected Hyper-V server, and then exfiltrated data using the Rclone utility.
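The process chain Sophos describes (Veeam.Backup.MountService.exe spawning net.exe to create an account and add it to Administrators and Remote Desktop Users) is a good hunting pattern because the backup mount service has no legitimate reason to run net.exe. The Python script below is an added example, not code from Sophos or Veeam: it reads Sysmon Event ID 1 (process creation) records as JSON lines, flags any net.exe or net1.exe child of the mount service, extracts the account and group from the command line, and correlates account creation with privileged group membership. The log records are constructed for the example; field names follow Sysmon's ParentImage/Image/CommandLine, and the account name "point" is the one Sophos reported.

```python
"""Hunt Sysmon process-creation events for the CVE-2024-40711 post-exploitation chain."""
from __future__ import annotations

import json
import re
from pathlib import PureWindowsPath
from typing import Optional

# Constructed sample: Sysmon Event ID 1 records flattened to JSON lines. Paths and
# values are invented; the MountService -> net.exe chain mirrors the Sophos report.
SAMPLE_LOG = r"""
{"Computer": "VBR01", "EventID": 1, "ParentImage": "C:\\Program Files\\Veeam\\Backup and Replication\\Backup\\Veeam.Backup.MountService.exe", "Image": "C:\\Windows\\System32\\net.exe", "CommandLine": "net user point Hunter2! /add"}
{"Computer": "VBR01", "EventID": 1, "ParentImage": "C:\\Program Files\\Veeam\\Backup and Replication\\Backup\\Veeam.Backup.MountService.exe", "Image": "C:\\Windows\\System32\\net.exe", "CommandLine": "net localgroup administrators point /add"}
{"Computer": "VBR01", "EventID": 1, "ParentImage": "C:\\Program Files\\Veeam\\Backup and Replication\\Backup\\Veeam.Backup.MountService.exe", "Image": "C:\\Windows\\System32\\net.exe", "CommandLine": "net localgroup \"Remote Desktop Users\" point /add"}
{"Computer": "VBR01", "EventID": 1, "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\net.exe", "CommandLine": "net use Z: \\\\fs01\\backups"}
{"Computer": "VBR01", "EventID": 1, "ParentImage": "C:\\Program Files\\Veeam\\Backup and Replication\\Backup\\Veeam.Backup.MountService.exe", "Image": "C:\\Windows\\System32\\conhost.exe", "CommandLine": "\\??\\C:\\Windows\\system32\\conhost.exe 0x4"}
"""

SUSPECT_PARENT = "veeam.backup.mountservice.exe"
NET_BINARIES = {"net.exe", "net1.exe"}          # net.exe hands most work to net1.exe
PRIVILEGED_GROUPS = {"administrators", "remote desktop users"}

# "net user <name> [<password>] /add"; the name may be quoted
USER_ADD = re.compile(r'\buser\s+(?:"([^"]+)"|(\S+))(?:\s+\S+)?\s+/add\b', re.I)
# "net localgroup <group> <member> /add"; either token may be quoted
GROUP_ADD = re.compile(r'\blocalgroup\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+/add\b', re.I)


def classify(event: dict) -> Optional[dict]:
    """Return a finding for a net.exe child of the mount service, else None."""
    parent = PureWindowsPath(event.get("ParentImage", "")).name.lower()
    image = PureWindowsPath(event.get("Image", "")).name.lower()
    if parent != SUSPECT_PARENT or image not in NET_BINARIES:
        return None
    cmd = event.get("CommandLine", "")
    # Any net.exe under the mount service is anomalous; refine the stage if we can.
    finding = {"host": event.get("Computer", "?"), "stage": "mountservice_spawned_net", "command": cmd}
    m = USER_ADD.search(cmd)
    if m:
        finding["stage"] = "local_account_created"
        finding["account"] = m.group(1) or m.group(2)
        return finding
    m = GROUP_ADD.search(cmd)
    if m:
        group = (m.group(1) or m.group(2)).lower()
        finding["group"] = group
        finding["account"] = m.group(3) or m.group(4)
        finding["stage"] = "privileged_group_add" if group in PRIVILEGED_GROUPS else "group_add"
    return finding


def hunt(log_text: str) -> list[dict]:
    """Run classify() over every Event ID 1 record in a JSON-lines log."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        if event.get("EventID") != 1:
            continue
        f = classify(event)
        if f:
            findings.append(f)
    return findings


def rogue_admin_accounts(findings: list[dict]) -> list[str]:
    """Accounts the mount service both created and added to a privileged group."""
    created = {f["account"].lower() for f in findings if f["stage"] == "local_account_created"}
    elevated = {f["account"].lower() for f in findings if f["stage"] == "privileged_group_add"}
    return sorted(created & elevated)


if __name__ == "__main__":
    results = hunt(SAMPLE_LOG)
    for f in results:
        print(f)
    print("rogue admin accounts:", rogue_admin_accounts(results))
```

Two points on the design: the detection keys on the parent/child relationship, not on the account name, because "point" is trivially changed by the next operator; and the generic "mountservice_spawned_net" stage is kept as a finding in its own right so that a variant using net.exe for something other than account creation still surfaces. Pair it with web or proxy logs for requests to /trigger on port 8000 to see the exploitation step that precedes the process chain.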


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
