Hackers Exploiting Veeam RCE Vulnerability to Deploy Ransomware


A critical vulnerability in Veeam Backup & Replication software, identified as CVE-2024-40711, is being exploited by hackers to deploy ransomware.

The vulnerability, which allows for unauthenticated remote code execution (RCE), was reported by Florian Hauser with CODE WHITE GmbH and has been tracked by Sophos X-Ops MDR and Incident Response.


Over the past month, Sophos has observed a series of attacks leveraging compromised credentials and the CVE-2024-40711 vulnerability to create unauthorized accounts and attempt to deploy ransomware.

In one case, attackers successfully dropped Fog ransomware on an unprotected Hyper-V server, while another attack attempted to deploy Akira ransomware. Indicators in all four cases overlap with earlier Akira and Fog ransomware attacks.


The attackers initially gained access to targets using compromised VPN gateways without multifactor authentication enabled, some of which were running unsupported software versions.

They then exploited the Veeam vulnerability by triggering Veeam.Backup.MountService.exe through the /trigger URI on port 8000; the service spawned net.exe, which created a local account named “point.” This account was added to the local Administrators and Remote Desktop Users groups, granting the attackers privileged access to the system.
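The process chain above is a useful detection hook: the Veeam mount service has no business spawning net.exe to create accounts or change group membership. As an added example (not code from Sophos, Veeam or this article), the following Python scans process-creation events for that chain and also checks whether a reported VBR build predates the 12.2.0.334 fix named later in the article. The JSON-lines layout and the field names `parent`, `image` and `cmd` are assumptions, the events are constructed samples, and the executable names, the account name “point” and the two groups are taken from the article.

```python
"""Detection sketch for CVE-2024-40711 post-exploitation activity:
Veeam.Backup.MountService.exe spawning net.exe to create a local account
and add it to Administrators / Remote Desktop Users.

Added example, not Sophos or Veeam code. The event schema (parent, image,
cmd) and the sample events are constructed assumptions.
"""
import json
import ntpath
import re

# Build the article names as containing the fix for CVE-2024-40711.
FIXED_BUILD = (12, 2, 0, 334)

# Groups the article says the "point" account was added to.
PRIVILEGED_GROUPS = {"administrators", "remote desktop users"}

# Executable paths as they appear in the article (directory layout assumed).
MOUNT_SVC = r"C:\Program Files\Veeam\Backup and Replication\Backup\Veeam.Backup.MountService.exe"
NET_EXE = r"C:\Windows\System32\net.exe"

# Constructed sample telemetry: three malicious events followed by two benign ones.
SAMPLE_EVENTS = [
    {"ts": "2024-10-01T10:00:01Z", "parent": MOUNT_SVC, "image": NET_EXE,
     "cmd": "net user point /add"},
    {"ts": "2024-10-01T10:00:02Z", "parent": MOUNT_SVC, "image": NET_EXE,
     "cmd": "net localgroup Administrators point /add"},
    {"ts": "2024-10-01T10:00:03Z", "parent": MOUNT_SVC, "image": NET_EXE,
     "cmd": 'net localgroup "Remote Desktop Users" point /add'},
    # Benign (constructed): an interactive user mapping a network drive.
    {"ts": "2024-10-01T10:05:00Z", "parent": r"C:\Windows\explorer.exe",
     "image": NET_EXE, "cmd": r"net use Z: \\fileserver\share"},
    # Benign (constructed): the mount service spawning something other than net.exe.
    {"ts": "2024-10-01T10:06:00Z", "parent": MOUNT_SVC,
     "image": r"C:\Windows\System32\conhost.exe", "cmd": "conhost.exe"},
]
SAMPLE_LOG = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)

# "net user <name> ... /add" and "net localgroup <group> <name> /add".
ADD_USER_RE = re.compile(r"^net1?(?:\.exe)?\s+user\s+(\S+)\b.*\s/add\b", re.I)
ADD_GROUP_RE = re.compile(
    r'^net1?(?:\.exe)?\s+localgroup\s+("[^"]*"|\S+)\s+(\S+)\s+/add\b', re.I)


def classify(event: dict):
    """Return a finding string for one process-creation event, or None."""
    parent = ntpath.basename(event.get("parent", "")).lower()
    image = ntpath.basename(event.get("image", "")).lower()
    cmd = event.get("cmd", "")
    # Only the mount service -> net.exe parent/child pair is of interest here.
    if parent != "veeam.backup.mountservice.exe" or image not in ("net.exe", "net1.exe"):
        return None
    m = ADD_USER_RE.match(cmd)
    if m:
        return f"account created by Veeam mount service: {m.group(1)}"
    m = ADD_GROUP_RE.match(cmd)
    if m:
        group, user = m.group(1).strip('"'), m.group(2)
        if group.lower() in PRIVILEGED_GROUPS:
            return f"privileged group membership added: {user} -> {group}"
        return f"group membership added: {user} -> {group}"
    # Any other net.exe child of the mount service is still worth a look.
    return f"net.exe spawned by Veeam mount service: {cmd}"


def scan_log(text: str) -> list:
    """Parse JSON-lines events and return all findings in log order."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        finding = classify(json.loads(line))
        if finding:
            findings.append(finding)
    return findings


def predates_fix(build: str) -> bool:
    """True if a four-part VBR build string is older than the fixed 12.2.0.334
    build named in the article (assumes Veeam's dotted numeric build format)."""
    parts = tuple(int(p) for p in build.split("."))
    return parts < FIXED_BUILD


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print("ALERT:", f)
    print("12.2.0.1 predates fix:", predates_fix("12.2.0.1"))
```

Run stand-alone it prints three alerts for the constructed malicious events and none for the two benign ones. In a real deployment the parent/child match would be expressed in the SIEM's own query language, but the logic is the same: alert on net.exe under the mount service at all, and escalate when the command line creates an account or touches a privileged group.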

In the Fog ransomware incident, the attackers not only deployed ransomware but also used the utility rclone to exfiltrate sensitive data from the compromised system. Sophos endpoint protection and MDR prevented ransomware deployments in the other cases.

These incidents highlight the importance of patching known vulnerabilities, updating or replacing out-of-support VPNs, and using multifactor authentication to control remote access.

Veeam has released an update (VBR version 12.2.0.334) that patches the CVE-2024-40711 vulnerability, and administrators are strongly urged to apply the patches immediately to safeguard their systems from exploitation.

The exploitation of CVE-2024-40711 underscores the need for proactive defense strategies, including timely updates, strong security measures, and continuous monitoring of potential threats.

Enterprises relying on Veeam Backup & Replication are advised to update their systems and strengthen remote access defenses to prevent similar attacks.
