Emerging Ransomware Group Exploits Vulnerability in Veeam Backup Software

July 10, 2024

EstateRansomware, a newly identified ransomware group, has been exploiting a vulnerability in Veeam Backup & Replication software, according to Group-IB, a Singapore-based cybersecurity firm. The group uses the security flaw, CVE-2023-27532, to execute its malicious activities. The initial access to the targeted environment was reportedly achieved through a Fortinet FortiGate firewall SSL VPN appliance using a dormant account.

The threat actor then moved laterally from the FortiGate Firewall through the SSL VPN service to access the failover server. Before the ransomware attack, VPN brute-force attempts were observed in April 2024 using a dormant account named 'Acc1.' A successful VPN login using 'Acc1' was later traced back to the remote IP address 149.28.106[.]252. The threat actors then established RDP connections from the firewall to the failover server and deployed a persistent backdoor named 'svchost.exe' that runs daily through a scheduled task. The backdoor was used to evade detection and gain subsequent access to the network.

The main function of the backdoor is to connect to a command-and-control (C2) server over HTTP and execute arbitrary commands issued by the attacker. The actor was observed exploiting the Veeam flaw CVE-2023-27532 to enable xp_cmdshell on the backup server and create a rogue user account named 'VeeamBkp.' Furthermore, the actor conducted network discovery, enumeration, and credential harvesting activities using tools like NetScan, AdFind, and NitSoft with the newly created account.

The attack eventually led to the deployment of the ransomware, but not before impairing defenses and moving laterally from the AD server to all other servers and workstations using compromised domain accounts. 'Windows Defender was permanently disabled using DC.exe [Defender Control], followed by ransomware deployment and execution with PsExec.exe,' Group-IB stated.
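The chain Group-IB describes leaves a few log-visible signals. As an added example (not Group-IB's or Veeam's code), the Python below runs three detections over constructed, normalised log events: a VPN success on a long-dormant account right after a burst of failures, a scheduled task whose action is an svchost.exe outside the Windows system directories, and xp_cmdshell being enabled on the backup server's SQL instance. The event field names, thresholds and sample values are assumptions; map them to your own SIEM schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

DORMANT_DAYS = 90       # assumption: no logon for this long makes an account "dormant"
BRUTE_FORCE_FAILS = 5   # assumption: failed logons before a success that count as a burst
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def detect(events):
    """Walk time-ordered events and return a list of (rule, detail) findings."""
    findings = []
    fails = defaultdict(int)
    for e in events:
        if e["type"] == "vpn_logon":
            user = e["user"]
            if not e["success"]:
                fails[user] += 1
                continue
            # success on a long-idle account immediately after a burst of failures
            idle = e["time"] - e["last_logon"]
            if fails[user] >= BRUTE_FORCE_FAILS and idle > timedelta(days=DORMANT_DAYS):
                findings.append(("dormant_vpn_bruteforce", f"{user} from {e['src']}"))
            fails[user] = 0
        elif e["type"] == "sched_task_created":
            # task whose binary is named svchost.exe but lives outside the system dirs
            exe = e["action"].lower().split()[0]
            if exe.endswith("svchost.exe") and not exe.startswith(SYSTEM_DIRS):
                findings.append(("masquerading_svchost_task", e["action"]))
        elif e["type"] == "sql_config":
            # xp_cmdshell switched on in the SQL instance behind the backup server
            if e["option"].lower() == "xp_cmdshell" and e["value"] == 1:
                findings.append(("xp_cmdshell_enabled", e["host"]))
    return findings


T0 = datetime(2024, 4, 1, 9, 0)
LAST_SEEN = T0 - timedelta(days=200)   # constructed: account idle for 200 days
SAMPLE_EVENTS = [  # constructed sample events mirroring the chain described above
    *[{"type": "vpn_logon", "user": "Acc1", "success": False, "src": "203.0.113.7",
       "time": T0 + timedelta(minutes=i), "last_logon": LAST_SEEN} for i in range(6)],
    {"type": "vpn_logon", "user": "Acc1", "success": True, "src": "203.0.113.7",
     "time": T0 + timedelta(minutes=7), "last_logon": LAST_SEEN},
    {"type": "sched_task_created", "action": "C:\\Users\\Public\\svchost.exe"},
    {"type": "sched_task_created", "action": "C:\\Windows\\System32\\svchost.exe -k netsvcs"},  # benign
    {"type": "sql_config", "host": "veeam-bkp01", "option": "xp_cmdshell", "value": 1},
]

if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```

The legitimate System32 svchost.exe task is included to show the path check does not fire on the real service host.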

Cisco Talos has revealed that most ransomware gangs prioritize establishing initial access, whether through security flaws in public-facing applications, phishing attachments, or valid accounts, and then circumventing defenses as part of their attack chains. The double extortion model of exfiltrating data prior to encrypting files has led to the development of custom tools (e.g., Exmatter, Exbyte, and StealBit) to send the confidential information to adversary-controlled infrastructure.

In the past year, there have been significant changes in the ransomware landscape with the emergence of new ransomware groups, each with unique goals, operational structures, and victim profiles. Groups such as Hunters International, Cactus, and Akira have focused on specific niches, distinguishing themselves with unique operational goals and stylistic choices.
