Ransomware Gangs Exploit Critical Veeam RCE Flaw: Akira and Fog Ransomware in Focus

October 10, 2024

Ransomware groups are exploiting a critical security vulnerability that gives them remote code execution (RCE) on unpatched Veeam Backup & Replication (VBR) servers. The vulnerability, tracked as CVE-2024-40711, stems from deserialization of untrusted data and can be exploited by unauthenticated threat actors in low-complexity attacks. The flaw was discovered by Code White security researcher Florian Hauser.

Veeam disclosed the vulnerability and released security updates on September 4. watchTowr Labs published a technical analysis on September 9 but held back proof-of-concept exploit code until September 15 to give administrators time to patch. The delay reflects how widely Veeam's VBR software is deployed as a data protection and disaster recovery solution for backing up, restoring, and replicating virtual, physical, and cloud machines, which makes it a prime target for attackers seeking quick access to a company's backup data.

Over the past month, Sophos X-Ops incident responders have observed the CVE-2024-40711 RCE flaw being exploited in Akira and Fog ransomware attacks. According to Sophos X-Ops, "In one case, attackers dropped Fog ransomware. Another attack in the same timeframe attempted to deploy Akira ransomware. Indicators in all 4 cases overlap with earlier Akira and Fog ransomware attacks." In each case, the attackers initially accessed targets using compromised VPN gateways without multifactor authentication enabled.

In the Fog ransomware incident, the attacker deployed the ransomware to an unprotected Hyper-V server, then used the rclone utility to exfiltrate data. In March 2023, Veeam patched another high-severity vulnerability in the Backup & Replication software (CVE-2023-27532) that could be exploited to breach backup infrastructure hosts. By late March, Finnish cybersecurity company WithSecure had spotted CVE-2023-27532 exploits deployed in attacks linked to the financially motivated FIN7 threat group, which is known for its ties to the Conti, REvil, Maze, Egregor, and BlackBasta ransomware operations.

Months later, the same Veeam VBR exploit was used in Cuba ransomware attacks against U.S. critical infrastructure and Latin American IT companies. Veeam's products are used by over 550,000 customers worldwide, including at least 74% of all Global 2000 companies.
