Emerging Ransomware Group Exploits Vulnerability in Veeam Backup Software
July 10, 2024
EstateRansomware, a newly identified ransomware group, has been exploiting a vulnerability in Veeam Backup & Replication software, according to Group-IB, a Singapore-based cybersecurity firm. The group exploits the security flaw, tracked as CVE-2023-27532, as part of its intrusion chain. Initial access to the targeted environment was reportedly achieved through a Fortinet FortiGate firewall SSL VPN appliance using a dormant account.
The threat actor then moved laterally from the FortiGate firewall through the SSL VPN service to reach the failover server. Before the ransomware attack, VPN brute-force attempts were observed in April 2024 against a dormant account named 'Acc1'. A subsequent successful VPN login using 'Acc1' was traced back to the remote IP address 149.28.106[.]252. The threat actors then established RDP connections from the firewall to the failover server and deployed a persistent backdoor named 'svchost.exe' that runs daily through a scheduled task. The backdoor was used to evade detection and to regain access to the network.
The main function of the backdoor is to connect to a command-and-control (C2) server over HTTP and execute arbitrary commands issued by the attacker. The actor was observed exploiting the Veeam flaw CVE-2023-27532 to enable xp_cmdshell on the backup server and create a rogue user account named 'VeeamBkp.' Furthermore, the actor conducted network discovery, enumeration, and credential harvesting activities using tools like NetScan, AdFind, and NitSoft with the newly created account.
The attack eventually led to the deployment of the ransomware, but not before impairing defenses and moving laterally from the AD server to all other servers and workstations using compromised domain accounts. 'Windows Defender was permanently disabled using DC.exe [Defender Control], followed by ransomware deployment and execution with PsExec.exe,' Group-IB stated.
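As an added illustration, not from the article or from Group-IB, the following Python script runs simple detection rules over constructed log events that mirror the chain described above: a burst of failed VPN logins against a dormant account followed by a success, a login from the published IP, a scheduled task running a `svchost.exe` outside `System32`, `xp_cmdshell` being enabled through `sp_configure`, creation of the `VeeamBkp` account, Defender real-time protection being turned off, and the PsExec service being installed. The event schema, field names, brute-force threshold and sample events are assumptions made for the example; the Windows event IDs it references (4720 user account created, 4698 scheduled task created, 7045 service installed, Defender 5001 real-time protection disabled) are standard IDs and are not taken from the article.

```python
"""Added example, not part of the article or Group-IB's report: flag the
indicators described for the EstateRansomware chain in a stream of events.
Event shape and field names are assumptions, not a real SIEM schema."""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass, field

# Indicators quoted in the article (IP refanged from 149.28.106[.]252).
VPN_IOC_IP = "149.28.106.252"
DORMANT_VPN_ACCOUNT = "acc1"
ROGUE_ACCOUNT = "veeambkp"
BRUTE_FORCE_THRESHOLD = 5  # assumption: failures per account before alerting


@dataclass
class Event:
    source: str                       # "vpn", "security", "system", "sql", "defender"
    fields: dict = field(default_factory=dict)


def _norm(ev: Event) -> dict[str, str]:
    """Lower-case every field so comparisons are case-insensitive."""
    return {k: str(v).lower() for k, v in ev.fields.items()}


def check_event(ev: Event) -> list[str]:
    """Return the names of the stateless rules that fire on a single event."""
    f = _norm(ev)
    hits: list[str] = []
    if ev.source == "vpn" and f.get("result") == "success":
        if f.get("src_ip") == VPN_IOC_IP:
            hits.append("vpn_login_from_known_bad_ip")
        if f.get("user") == DORMANT_VPN_ACCOUNT:
            hits.append("vpn_login_dormant_account")
    if ev.source == "security" and f.get("event_id") == "4720":   # account created
        if f.get("target_user") == ROGUE_ACCOUNT:
            hits.append("rogue_account_created")
    if ev.source == "security" and f.get("event_id") == "4698":   # scheduled task created
        exe = f.get("command", "").split()[0] if f.get("command") else ""
        # svchost.exe is legitimate only from the system directory
        if exe.endswith("svchost.exe") and not exe.startswith(r"c:\windows\system32"):
            hits.append("scheduled_task_masquerading_svchost")
    stmt = f.get("statement", "")
    if ev.source == "sql" and "sp_configure" in stmt and "xp_cmdshell" in stmt:
        hits.append("xp_cmdshell_enabled")
    if ev.source == "defender" and f.get("event_id") == "5001":   # real-time protection off
        hits.append("defender_realtime_disabled")
    if ev.source == "system" and f.get("event_id") == "7045":     # service installed
        if "psexesvc" in f.get("service_name", ""):
            hits.append("psexec_service_installed")
    return hits


def detect_vpn_brute_force(events: list[Event], threshold: int = BRUTE_FORCE_THRESHOLD) -> list[str]:
    """Accounts with at least `threshold` failed VPN logins followed by a success."""
    failures: Counter[str] = Counter()
    flagged: list[str] = []
    for ev in events:
        if ev.source != "vpn":
            continue
        f = _norm(ev)
        user = f.get("user", "")
        if f.get("result") == "failure":
            failures[user] += 1
        elif f.get("result") == "success" and failures[user] >= threshold and user not in flagged:
            flagged.append(user)
    return flagged


def scan(events: list[Event]) -> dict[str, int]:
    """Count how often each rule fired across the whole event stream."""
    counts: Counter[str] = Counter()
    for ev in events:
        for hit in check_event(ev):
            counts[hit] += 1
    for _user in detect_vpn_brute_force(events):
        counts["vpn_brute_force_then_success"] += 1
    return dict(counts)


# Constructed sample events reproducing the chain the article describes.
SAMPLE_EVENTS: list[Event] = [
    *(Event("vpn", {"user": "Acc1", "result": "failure", "src_ip": VPN_IOC_IP}) for _ in range(6)),
    Event("vpn", {"user": "Acc1", "result": "success", "src_ip": VPN_IOC_IP}),
    Event("security", {"event_id": 4698, "task_name": "svchost.exe",
                       "command": r"C:\Users\Public\svchost.exe"}),
    Event("sql", {"statement": "EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;"}),
    Event("security", {"event_id": 4720, "target_user": "VeeamBkp"}),
    Event("defender", {"event_id": 5001}),
    Event("system", {"event_id": 7045, "service_name": "PSEXESVC"}),
    # benign: the real svchost.exe started from System32 must not fire
    Event("security", {"event_id": 4698, "task_name": "Updater",
                       "command": r"C:\Windows\System32\svchost.exe -k netsvcs"}),
]

if __name__ == "__main__":
    for rule, n in sorted(scan(SAMPLE_EVENTS).items()):
        print(f"{rule}: {n}")
```

The brute-force rule is stateful on purpose: a single failed login is noise, but a run of failures against an account nobody uses, followed by a success, is the pattern the article describes and is worth paging on. The scheduled-task rule keys on the executable path rather than the task name, because the whole point of naming the backdoor `svchost.exe` is to blend in with the name alone.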
Separately, Cisco Talos has reported that most ransomware gangs prioritize establishing initial access, by exploiting security flaws in public-facing applications, phishing attachments, or compromised valid accounts, and then circumventing defenses along their attack chains. The double extortion model of exfiltrating data prior to encrypting files has led to the development of custom tools (e.g., Exmatter, Exbyte, and StealBit) for sending the confidential information to adversary-controlled infrastructure.
Over the past year, the ransomware landscape has changed significantly with the emergence of new groups, each with its own goals, operational structures, and victim profiles. Groups such as Hunters International, Cactus, and Akira have focused on specific niches, distinguishing themselves through their operational goals and stylistic choices.