The Veeam Backup & Replication vulnerability CVE-2023-27532, which was patched in March 2023, is still being exploited. Attackers have been exploiting unpatched systems to launch ransomware attacks since April 2024. Barracuda MSP recommends reviewing this Cybersecurity Threat Advisory in detail to learn how to defend against these attacks.
What is the threat?
CVE-2023-27532 is a privilege escalation vulnerability with a CVSS score of 7.5. A nascent ransomware operation known as EstateRansomware has been using a variant of LockBit 3.0 that encrypts files and clears logs, making it difficult to recover from the attack without backups. Exploitation of this flaw poses significant risk because it allows attackers to move laterally within the network, disable Windows Defender, and eventually deploy ransomware. The attacks observed so far share the following Indicators of Compromise (IOCs):
- Unusual VPN login attempts from IP addresses, notably 149[.]28[.]106[.]252.
- Presence of a rogue user account named “VeeamBkp”.
- Execution of “svchost.exe” backdoor as a scheduled task.
- Use of network scanning and credential harvesting tools like NetScan, AdFind, and Nirsoft utilities.
- Disabling of Windows Defender using DC.exe (Defender Control).
- Active network connections from the failover server to IP address 77[.]238[.]245[.]11 over the uncommon port 30001, which was confirmed as a command and control (C2) address.
- Ransomware deployment and execution with LB3.exe & PsExec.exe.
Why is it noteworthy?
Any unpatched Veeam Backup & Replication server is susceptible, which allows attackers to perform lateral movement within the network. Exploiting this vulnerability can grant attackers access to the credentials used for backups, potentially compromising restored data. The vulnerability has been leveraged by ransomware operators such as EstateRansomware and Akira to gain initial access to target networks. It is unclear how many victims have been infected by EstateRansomware’s data-locking malware to date.
What is the exposure or risk?
Because the LockBit 3.0 variant used in these attacks encrypts files and clears logs, it is especially important to preserve the integrity of the available backups so that recovery from an attack succeeds. Additionally, successful exploitation of CVE-2023-27532 allows attackers to conduct reconnaissance such as network discovery and credential harvesting, move laterally, carry out other post-exploitation activity, and impair an organization’s defensive mechanisms.
What are the recommendations?
Barracuda MSP recommends taking the following actions to protect against these attacks:
- Update Veeam Backup & Replication to version 12/11a or later. Refer to Veeam KB4581 for details: https://www.veeam.com/kb4581
- Regularly check for signs of compromise, such as the creation of rogue accounts and the presence of unauthorized scheduled tasks.
- Implement Barracuda XDR’s Endpoint Detection and Response (EDR) to detect and respond to suspicious activities such as deployment of backdoors and the use of tools like PsExec.
- Delete or disable any dormant accounts to prevent unauthorized access. Implement multi-factor authentication (MFA) for VPN and other remote access services.
- Isolate critical systems and backup servers from the main network to limit lateral movement by attackers.
- Maintain regular, offline backups and ensure they are not connected to the main network to prevent them from being encrypted by ransomware.
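The following hunt script is an added example (not Barracuda's or Veeam's own code) that checks a Windows host against the IOCs listed in this advisory: the VeeamBkp account, a scheduled task that launches svchost.exe, live connections to the reported C2 address and port, the named attacker tools running as processes, and Defender real-time protection being switched off. It assumes an elevated PowerShell session on the Veeam server (Windows Server 2016 or later, where these cmdlets ship) and uses the advisory's C2 IP with the defanging brackets removed.

```powershell
# Added IOC hunt for CVE-2023-27532 / EstateRansomware activity (example, not from the advisory).
# Run elevated on the Veeam Backup & Replication server. Every hit is a lead to triage, not proof.
$Findings = New-Object System.Collections.Generic.List[string]

# 1. Rogue local account "VeeamBkp" named in the advisory
if (Get-LocalUser -Name 'VeeamBkp' -ErrorAction SilentlyContinue) {
    $Findings.Add('Rogue local account VeeamBkp exists')
}

# 2. Scheduled tasks whose action is svchost.exe. Assumption: the legitimate svchost.exe
#    is started by the Service Control Manager, not Task Scheduler, so any hit is suspicious.
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        if ($a.Execute -match 'svchost\.exe') {
            $Findings.Add("Scheduled task '$($task.TaskName)' runs $($a.Execute) $($a.Arguments)")
        }
    }
}

# 3. Live TCP connections to the C2 address and port reported in the advisory
Get-NetTCPConnection -RemoteAddress '77.238.245.11' -RemotePort 30001 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        $Findings.Add("Connection to C2 77.238.245.11:30001 from PID $($_.OwningProcess) ($($proc.ProcessName))")
    }

# 4. Attacker tooling named in the advisory, if currently running (process names without .exe)
$tools = 'DC', 'LB3', 'PsExec', 'AdFind', 'netscan'
Get-Process | Where-Object { $tools -contains $_.ProcessName } | ForEach-Object {
    $Findings.Add("Suspicious process running: $($_.ProcessName) (PID $($_.Id)) $($_.Path)")
}

# 5. Defender real-time protection disabled, the effect of DC.exe (Defender Control)
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
if ($mp -and -not $mp.RealTimeProtectionEnabled) {
    $Findings.Add('Windows Defender real-time protection is disabled')
}

if ($Findings.Count -eq 0) { 'No advisory IOCs found on this host' } else { $Findings }
```

PsExec and AdFind are also used legitimately by administrators, so confirm who launched them and from where before escalating.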
References
For more in-depth information about the recommendations, please visit the following links:
- https://thehackernews.com/2024/07/new-ransomware-group-exploiting-veeam.html
- https://www.theregister.com/2024/07/11/estate_ransomware_veeam_bug/
- https://www.scmagazine.com/brief/attacks-leveraging-veeam-backup-software-flaw-launched-by-novel-ransomware-gang
- https://www.group-ib.com/blog/estate-ransomware/#:~:text=Delaying%20security%20updates%20and%20neglecting,resulting%20in%20severe%20ransomware%20consequences.
If you have any questions about this Cybersecurity Threat Advisory, please contact Barracuda XDR’s Security Operations Center.