Critical Veeam Vulnerability Exploited in Frag Ransomware Attacks
November 8, 2024
The Frag ransomware attacks recently exploited a critical security flaw in Veeam Backup & Replication (VBR) software, following its earlier use in Akira and Fog ransomware attacks. The vulnerability, tracked as CVE-2024-40711, was discovered by Code White security researcher Florian Hauser. It allows unauthenticated attackers to execute code remotely on Veeam VBR servers. The proof-of-concept exploit was initially withheld to give administrators time to apply the security updates Veeam had issued. Despite that delay, the flaw was still exploited in ransomware attacks.
Sophos X-Ops incident responders found that withholding the exploit did little to prevent the Akira and Fog ransomware attacks. The attackers combined the RCE flaw with stolen VPN gateway credentials to create rogue accounts on unpatched servers. The same threat activity cluster, tracked as 'STAC 5881', was later found to have used CVE-2024-40711 exploits in attacks that ended with Frag ransomware being deployed on compromised networks.
Sean Gallagher, a principal threat researcher at Sophos X-Ops, observed that the tactics associated with STAC 5881 were used again, but this time they led to the deployment of the previously undocumented 'Frag' ransomware. The threat actor used a compromised VPN appliance for access, exploited the Veeam vulnerability, and created a new account named 'point'. In this incident, a 'point2' account was also created.
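The intrusion pattern described above gives defenders a concrete correlation to hunt for: a local account created on a Veeam VBR server, typically followed within minutes by its addition to the local Administrators group. The following Python is an added example for this article, not code from Sophos, Veeam or the reporters; it runs over a constructed set of Windows Security events (IDs 4720 and 4732, field names simplified from the real event schema) and assumes a hypothetical inventory of VBR hostnames. The 'point'/'point2' names are treated as a weak indicator, since the attacker can change them trivially; the stronger signal is any account creation on a backup server at all.

```python
import json
import re
from dataclasses import dataclass

# Inventory of hosts running Veeam Backup & Replication. Assumed for the
# example; in practice this comes from the CMDB or the Veeam console.
VEEAM_SERVERS = {"vbr01.corp.local"}

# Account names reported by Sophos for the STAC 5881 intrusions: 'point'
# and 'point2'. Treated as a weak indicator only, since the attacker can
# rename it at will.
KNOWN_ROGUE_NAME = re.compile(r"^point\d*$", re.IGNORECASE)

# Constructed sample of Windows Security events exported as JSON lines.
# Field names are simplified from Event ID 4720 ("A user account was created")
# and 4732 ("A member was added to a security-enabled local group"). These
# records are made up for this example, not data from the incidents.
SAMPLE_EVENTS = """\
{"TimeCreated": "2024-10-02T03:14:07Z", "EventID": 4720, "Computer": "VBR01.corp.local", "SubjectUserName": "svc_veeam", "TargetUserName": "point"}
{"TimeCreated": "2024-10-02T03:15:22Z", "EventID": 4732, "Computer": "VBR01.corp.local", "SubjectUserName": "svc_veeam", "MemberName": "point", "TargetUserName": "Administrators"}
{"TimeCreated": "2024-10-02T03:40:51Z", "EventID": 4720, "Computer": "VBR01.corp.local", "SubjectUserName": "svc_veeam", "TargetUserName": "point2"}
{"TimeCreated": "2024-10-02T09:00:00Z", "EventID": 4720, "Computer": "HR-WS17.corp.local", "SubjectUserName": "helpdesk01", "TargetUserName": "jsmith"}
{"TimeCreated": "2024-10-02T09:05:00Z", "EventID": 4624, "Computer": "VBR01.corp.local", "SubjectUserName": "backupadmin", "TargetUserName": "backupadmin"}
{"TimeCreated": "2024-10-02T11:00:00Z", "EventID": 4720, "Computer": "VBR01.corp.local", "SubjectUserName": "backupadmin", "TargetUserName": "svc_migrate"}
"""


@dataclass
class Finding:
    time: str
    host: str
    account: str
    created_by: str
    added_to_admins: bool
    severity: str
    reason: str


def detect_rogue_accounts(jsonl: str, veeam_servers: set[str]) -> list[Finding]:
    """Flag local account creations that match the post-exploitation pattern
    reported for the Veeam intrusions: a new account on a VBR server, optionally
    followed by addition to the local Administrators group."""
    events = [json.loads(line) for line in jsonl.strip().splitlines()]
    events.sort(key=lambda ev: ev["TimeCreated"])

    # Index group additions so each creation can be correlated with escalation.
    admin_adds = {
        (ev["Computer"].lower(), ev["MemberName"].lower())
        for ev in events
        if ev["EventID"] == 4732 and ev["TargetUserName"].lower() == "administrators"
    }

    findings = []
    for ev in events:
        if ev["EventID"] != 4720:
            continue
        host = ev["Computer"].lower()
        account = ev["TargetUserName"]
        on_vbr = host in veeam_servers
        name_hit = bool(KNOWN_ROGUE_NAME.match(account))

        if on_vbr and name_hit:
            severity, reason = "critical", "account name matches STAC 5881 pattern on a Veeam server"
        elif on_vbr:
            severity, reason = "high", "local account created on a Veeam server"
        elif name_hit:
            severity, reason = "medium", "account name matches STAC 5881 pattern"
        else:
            continue  # routine account creation on an ordinary host

        findings.append(Finding(
            time=ev["TimeCreated"], host=ev["Computer"], account=account,
            created_by=ev["SubjectUserName"],
            added_to_admins=(host, account.lower()) in admin_adds,
            severity=severity, reason=reason,
        ))
    return findings


if __name__ == "__main__":
    for f in detect_rogue_accounts(SAMPLE_EVENTS, VEEAM_SERVERS):
        print(f"[{f.severity}] {f.time} {f.host} created={f.account} by={f.created_by} "
              f"admin={f.added_to_admins}: {f.reason}")
```

On the constructed sample this reports 'point' (critical, added to Administrators), 'point2' (critical) and 'svc_migrate' (high), and ignores the workstation account creation. The severity ladder is deliberate: the name match is cheap for an attacker to defeat, so the rule that fires on every account creation on a backup server is the one worth keeping even after the 'point' indicator goes stale.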
According to a report by British cybersecurity company Agger Labs, the Frag ransomware gang makes extensive use of Living Off The Land binaries (LOLBins), legitimate and usually signed executables already present on compromised systems. Because those binaries are expected on the host, their execution does not stand out on its own, which makes the activity difficult for defenders to detect. The Frag gang's playbook is similar to that of the Akira and Fog operators, who often target unpatched vulnerabilities and misconfigurations in backup and storage solutions.
In March 2023, Veeam patched another high-severity VBR vulnerability, CVE-2023-27532, which can allow attackers to breach backup infrastructure. That flaw was later exploited in attacks linked to the financially motivated FIN7 threat group and in Cuba ransomware attacks targeting U.S. critical infrastructure organizations. Veeam reports that over 550,000 customers worldwide use its products, including approximately 74% of the companies in the Global 2,000 list.