Veeam flaw becomes malware target a year after patching

Yet another new ransomware gang, this one dubbed EstateRansomware, is exploiting a Veeam vulnerability that was patched more than a year ago to drop file-encrypting malware, a LockBit variant, and extort payments from victims.

Veeam fixed the flaw, tracked as CVE-2023-27532, in March 2023 for versions 12/11a and later of its backup and replication software. The high-severity bug earned a 7.5 CVSS rating.

"Replication component allows an unauthenticated user operating within the backup infrastructure network perimeter to obtain encrypted credentials stored in the configuration database," the software vendor advised when it spotted the bug, before adding: "This may lead to an attacker gaining access to the backup infrastructure hosts."

It now appears not all Veeam users got the patching-is-important memo, and now at least one criminal gang is exploiting unpatched systems to deploy ransomware.

Security researchers at Singaporean outfit Group-IB spotted EstateRansomware in early April, and say the crew gains initial access into targeted networks by brute force attacks against FortiGate firewall SSL VPN appliances using a dormant account.

According to analysis from Group-IB, subsequent VPN connections originated from a US-based IP address. After brute forcing their way in using valid credentials, the intruders established remote desktop protocol connections from the firewall to the failover server, we're told.

"An examination of the firewall configuration file revealed an existing RDP bookmark that granted access to the failover server," wrote Group-IB digital forensic analyst Yeo Zi Wei. "This bookmark, associated with the 'Acc1' VPN account, enabled the threat actor to access the failover server via RDP without requiring additional credentials."

The EstateRansomware gang then used this remote access to deploy a backdoor and scheduled it to execute daily to ensure persistent access to the victim's environment.

Next, the criminals used this access to steal user credentials and exploit the backup and replication software's vulnerability — just as Veeam had warned could happen if users didn't patch when it issued the fix back in March 2023.

The attack was likely launched from a folder named "VeeamHax" on the file server against a vulnerable version of the software, the threat team hypothesized. And after accessing this folder the criminals activated xp_cmdshell (a SQL Server stored procedure that executes Windows shell commands) and created a new account called "VeeamBkp."

"There is a strong likelihood that CVE-2023-27532.exe and VeeamHax are linked to the Proof of Concept published by [pen-testing outfit] Horizon3 and [Rapid7 security researcher] sfewer-r7 on GitHub," Wei noted. "Both the file server and backup server were identified to be running vulnerable versions of Veeam Backup & Replication: v9.5.2855 and v9.5.0.1922, respectively."

The thieves used several network scanning and password recovery tools, including SoftPerfect Netscan and Nirsoft, to collect information on hosts, open ports, file shares, and to steal credentials.

The crims also used these compromised accounts to access the Active Directory (AD) and other servers, and then disable Windows Defender before deploying the ransomware payload, which is a variant of LockBit 3.0 that encrypts files and clears logs.
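As an added detection-side example (not code from the article, Group-IB or Veeam): a small correlator that flags a host when several steps of the post-access chain described above show up on it. The event schema and sample records are constructed; only the Windows Security event IDs 4720 (account created) and 4698 (scheduled task created) are real identifiers.

```python
# Added example: per-host correlation of the reported chain (xp_cmdshell
# enabled, new account, scheduled task, Defender disabled). Event records use
# a constructed, simplified schema, not any vendor's log format.
import re

# Constructed sample events: one host shows the full chain, one shows noise.
SAMPLE_EVENTS = [
    {"host": "FILESRV01", "source": "MSSQLSERVER",
     "msg": "Configuration option 'xp_cmdshell' changed from 0 to 1."},
    {"host": "FILESRV01", "source": "Security", "event_id": 4720,
     "msg": "A user account was created.", "target": "VeeamBkp"},
    {"host": "FILESRV01", "source": "Security", "event_id": 4698,
     "msg": "A scheduled task was created.", "task": "\\Updater"},
    {"host": "FILESRV01", "source": "Windows Defender",
     "msg": "Real-time protection is disabled."},
    {"host": "DC01", "source": "Security", "event_id": 4698,
     "msg": "A scheduled task was created.", "task": "\\Backup"},
]

# Each stage is a name plus a predicate over one event, in reported order.
STAGES = [
    ("xp_cmdshell_enabled", lambda e: e["source"].startswith("MSSQL")
        and re.search(r"'xp_cmdshell' changed from 0 to 1", e["msg"]) is not None),
    ("account_created", lambda e: e.get("event_id") == 4720),
    ("scheduled_task_created", lambda e: e.get("event_id") == 4698),
    ("defender_disabled", lambda e: e["source"] == "Windows Defender"
        and "protection is disabled" in e["msg"]),
]

def correlate(events, min_stages=2):
    """Return {host: [stage names]} for hosts showing at least min_stages of
    the chain. One stage alone (a single scheduled task) is routine admin
    activity; several on the same host warrants triage."""
    seen = {}
    for e in events:
        for name, pred in STAGES:
            if pred(e) and name not in seen.setdefault(e["host"], []):
                seen[e["host"]].append(name)
    return {h: s for h, s in seen.items() if len(s) >= min_stages}

def suspicious_accounts(events):
    """Accounts created on hosts that also enabled xp_cmdshell, the pairing
    the article reports (the 'VeeamBkp' account)."""
    hosts = {h for h, s in correlate(events, min_stages=1).items()
             if "xp_cmdshell_enabled" in s}
    return sorted(e["target"] for e in events
                  if e.get("event_id") == 4720 and e["host"] in hosts)

if __name__ == "__main__":
    print(correlate(SAMPLE_EVENTS))
    print(suspicious_accounts(SAMPLE_EVENTS))
```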


It's unclear how many victims were infected by EstateRansomware's data-locking malware. We've reached out to Group-IB for more information about the ransomware campaign.

Veeam Software spokesperson Heidi Monroe Kroft declined to answer specific questions about the ransomware attack but noted that the software provider released a patch to plug the hole on March 6, 2023.

"This was directly communicated to all our VBR customers," Kroft told The Register. "A Knowledge Base article was published detailing the issue. When a vulnerability is identified and disclosed, attackers will still try to exploit and reverse-engineer the patches to use the vulnerability on an unpatched version of Veeam software in their exploitation attempts."

This, she added, "underlines the importance of ensuring customers are using the latest versions of all software and patches are installed in a timely manner."

In other words: get those software updates if you want to avoid becoming a malware victim.

Group-IB's research on EstateRansomware's malware campaign echoes another ransomware report published today. This one, from Cisco Talos, analyzed the tactics, techniques and procedures (TTPs) favored by the top 14 ransomware groups. Talos found that the "most prolific" criminals on the scene prioritize gaining initial access via valid account credentials. ®
