Hackers Exploiting Veeam RCE Vulnerability to Deploy New Frag Ransomware


Threat actors are actively exploiting a critical vulnerability in Veeam Backup & Replication software to deploy a new ransomware strain called “Frag.”

The vulnerability, tracked as CVE-2024-40711, allows unauthenticated remote code execution and has a severity score of 9.8 out of 10 on the CVSS scale.


Sophos X-Ops researchers reported that the attacks are part of a threat activity cluster they’ve named STAC 5881.


This group has been leveraging compromised VPN appliances to gain initial access to networks and then exploiting the Veeam vulnerability to create rogue administrator accounts.

The critical flaw affects Veeam Backup & Replication version 12.1.2.172 and earlier builds. Veeam, a popular backup solution used by over 550,000 customers worldwide, including 74% of Global 2000 companies, released patches for the vulnerability in early September 2024.

Previously, STAC 5881 was observed deploying Akira and Fog ransomware variants. However, in a recent incident, Sophos researchers detected the use of a new, previously undocumented ransomware called Frag.

Sean Gallagher, the principal threat researcher at Sophos X-Ops, stated, “Similar to previous events, the threat actor used a compromised VPN appliance for access, leveraged the Veeam vulnerability, and created a new account named ‘point’. However, in this incident, a ‘point2’ account was also created.”

The Frag ransomware is executed via the command line and requires attackers to specify a percentage for file encryption. It appends the “.frag” extension to encrypted files. Sophos has since added detection capabilities for the Frag binary to its endpoint protection software.

Researchers noted similar tactics, techniques, and procedures (TTPs) between the Frag operators and those behind the Akira and Fog ransomware. This suggests either a link between the groups or a new actor adopting established tradecraft.

The exploitation of CVE-2024-40711 follows a pattern of attackers targeting backup solutions to maximize the impact of their ransomware campaigns. By compromising backup systems, threat actors aim to prevent victims from easily recovering their data without paying the ransom.

Cybersecurity experts strongly urge organizations using Veeam Backup & Replication to apply the latest security updates immediately.

They also recommend isolating backup servers from the Internet where possible, enforcing multi-factor authentication for management access, and implementing comprehensive monitoring to detect unusual activities.
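The indicators the article gives a defender to work with are concrete: the last affected build (12.1.2.172), the rogue account names ('point' and 'point2') created after the Veeam exploit, and the '.frag' extension Frag appends to encrypted files. The script below, an added example rather than code from Sophos, Veeam or the article, turns those into three checks a backup-host triage could run: a build comparison, a scan of account-creation and local-group-membership events for the reported names, and a scan of a file listing for the Frag extension. The event lines, file paths and the simplified "key=value" event rendering are constructed samples; real events would come from an EVTX export or a SIEM query.

```python
"""Triage helpers for the STAC 5881 / Frag indicators reported above.

Added example, not code from Sophos, Veeam or the article. The event-log
lines, file listing and version strings below are constructed samples;
in practice the events would come from an EVTX export or a SIEM query.
"""
from __future__ import annotations

import re
from pathlib import PureWindowsPath

# Last affected build named in the article: 12.1.2.172 and earlier.
LAST_AFFECTED_BUILD = (12, 1, 2, 172)

# Rogue accounts created in the reported incidents.
SUSPICIOUS_ACCOUNTS = {"point", "point2"}

# Extension Frag appends to files it has encrypted.
FRAG_EXTENSION = ".frag"

# Windows Security event IDs: a user account was created / a member was
# added to a security-enabled local group (e.g. Administrators).
EVENT_ACCOUNT_CREATED = 4720
EVENT_LOCAL_GROUP_MEMBER_ADDED = 4732

# Constructed, simplified "key=value" rendering of Security events.
SAMPLE_EVENTS = [
    r"2024-11-01T02:14:07Z EventID=4720 Subject=VEEAM-BKP\svc_veeam TargetUser=point",
    r"2024-11-01T02:14:09Z EventID=4732 Group=Administrators Member=point",
    r"2024-11-01T02:15:42Z EventID=4720 Subject=VEEAM-BKP\svc_veeam TargetUser=point2",
    r"2024-11-01T09:00:01Z EventID=4720 Subject=CORP\helpdesk TargetUser=jsmith",
    "this line is not an event and is skipped",
]

# Constructed file listing from a share after encryption has run.
SAMPLE_PATHS = [
    r"D:\Backups\quarterly.vbk.frag",
    r"D:\Backups\notes.txt",
    r"D:\Shares\finance\ledger.xlsx.FRAG",
]

EVENT_RE = re.compile(r"^(?P<ts>\S+)\s+EventID=(?P<id>\d+)\s+(?P<fields>.*)$")


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '12.1.2.172' into (12, 1, 2, 172) so builds compare as tuples."""
    parts = version.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable build string: {version!r}")
    return tuple(int(p) for p in parts)


def is_affected_build(version: str) -> bool:
    """True when the installed build is 12.1.2.172 or earlier."""
    return parse_version(version) <= LAST_AFFECTED_BUILD


def parse_event(line: str) -> dict[str, str] | None:
    """Parse one sample line; field values are assumed to contain no spaces."""
    m = EVENT_RE.match(line)
    if m is None:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("fields").split())
    return {"ts": m.group("ts"), "id": m.group("id"), **fields}


def find_rogue_account_events(lines: list[str]) -> list[tuple[str, int, str]]:
    """Return (timestamp, event id, account) for creations of, or local-group
    additions of, the account names seen in the incident."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        event_id = int(ev["id"])
        if event_id == EVENT_ACCOUNT_CREATED:
            account = ev.get("TargetUser", "")
        elif event_id == EVENT_LOCAL_GROUP_MEMBER_ADDED:
            account = ev.get("Member", "")
        else:
            continue
        if account.lower() in SUSPICIOUS_ACCOUNTS:
            hits.append((ev["ts"], event_id, account))
    return hits


def find_frag_files(paths: list[str]) -> list[str]:
    """Return paths carrying the .frag extension (case-insensitive)."""
    return [p for p in paths if PureWindowsPath(p).suffix.lower() == FRAG_EXTENSION]


def triage(version: str, events: list[str], paths: list[str]) -> dict:
    """Combine the three checks into one summary for a backup host."""
    return {
        "affected_build": is_affected_build(version),
        "rogue_account_events": find_rogue_account_events(events),
        "frag_files": find_frag_files(paths),
    }


if __name__ == "__main__":
    # Only 12.1.2.172 comes from the article; other builds are constructed.
    for key, value in triage("12.1.2.172", SAMPLE_EVENTS, SAMPLE_PATHS).items():
        print(f"{key}: {value}")
```

The account-name check matches on the names reported in these incidents, so it is a hunt query for this cluster, not a general control; the durable signal is any 4720 followed shortly by a 4732 into Administrators on a backup server, which the same parser can flag by dropping the name filter. The '.frag' scan is a post-encryption indicator and only tells you the backup store has already been hit, which is why the build check and patching come first.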

As ransomware groups continue to evolve their tactics and target critical infrastructure, new variants like Frag highlight the ongoing need for robust cybersecurity measures and prompt patching of known vulnerabilities.
