July 11, 2024 at 03:37AM
EstateRansomware exploits unpatched Veeam vulnerabilities to drop a LockBit variant ransomware and extort payments from victims. The gang gains initial access through brute-force attacks against FortiGate firewalls, then exploits a Veeam flaw to establish persistence and execute the ransomware. Veeam issued a patch in March 2023, emphasizing the importance of timely updates to prevent exploitation.
A new ransomware gang named EstateRansomware is exploiting a previously patched vulnerability in Veeam software to deploy file-encrypting malware, a LockBit variant, and extort payments from victims. The vulnerability, tracked as CVE-2023-27532, was patched by Veeam in March 2023 for versions 12/11a and later. The gang gains initial access to targeted networks through brute-force attacks against FortiGate firewall SSL VPN appliances using a dormant account. They then establish remote desktop protocol connections, deploy backdoors, and schedule them to execute daily to maintain persistent access. Subsequently, they exploit the Veeam software vulnerability and steal user credentials, eventually deploying the ransomware payload.
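The initial-access pattern described above (a run of failed SSL VPN logins from one source, followed by a success on an account nobody has used for months) is something defenders can alert on directly from authentication logs. The following Python is an added example written for this page; it is not code from the article, Fortinet or Veeam. The key=value log format, account names, IP addresses and the last-logon directory records are all constructed for illustration, and a real appliance emits its own field names, so the parser would need adapting.

```python
"""Flag a VPN login success that follows a burst of failures on a dormant account.

Added example, not from the article. Log format, users, addresses and
last-logon records below are constructed for illustration only.
"""
import re
from collections import deque
from datetime import datetime, timedelta, timezone

# Constructed sample lines in a generic key=value style (not a real FortiGate format).
SAMPLE_LOGS = [
    "2024-06-01T02:00:01Z src=203.0.113.7 user=svc_legacy result=failure",
    "2024-06-01T02:00:04Z src=203.0.113.7 user=svc_legacy result=failure",
    "2024-06-01T02:00:07Z src=203.0.113.7 user=svc_legacy result=failure",
    "2024-06-01T02:00:10Z src=203.0.113.7 user=svc_legacy result=failure",
    "2024-06-01T02:00:13Z src=203.0.113.7 user=svc_legacy result=failure",
    "2024-06-01T02:00:16Z src=203.0.113.7 user=svc_legacy result=success",
    "2024-06-01T08:15:00Z src=198.51.100.22 user=alice result=failure",
    "2024-06-01T08:15:20Z src=198.51.100.22 user=alice result=success",
]

# Constructed directory export: last successful logon per account before this log window.
LAST_LOGON = {
    "svc_legacy": datetime(2023, 11, 3, tzinfo=timezone.utc),  # untouched for months
    "alice": datetime(2024, 5, 31, tzinfo=timezone.utc),
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse_line(line):
    """Parse one constructed log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ev


def detect(lines, last_logon, fail_threshold=5, window=timedelta(minutes=10), dormant_days=90):
    """Return one alert per success preceded by >= fail_threshold failures from the
    same (src, user) inside `window`; each alert notes whether the account was dormant."""
    recent_failures = {}  # (src, user) -> deque of failure timestamps still inside the window
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # ignore lines in an unexpected format rather than crash the pipeline
        key = (ev["src"], ev["user"])
        q = recent_failures.setdefault(key, deque())
        while q and ev["ts"] - q[0] > window:  # expire failures older than the window
            q.popleft()
        if ev["result"] == "failure":
            q.append(ev["ts"])
            continue
        if ev["result"] == "success" and len(q) >= fail_threshold:
            last = last_logon.get(ev["user"])
            dormant = last is None or (ev["ts"] - last).days >= dormant_days
            alerts.append({
                "ts": ev["ts"],
                "user": ev["user"],
                "src": ev["src"],
                "failures": len(q),
                "dormant_account": dormant,
            })
        q.clear()  # a success ends the burst; start counting afresh
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS, LAST_LOGON):
        print(alert)
```

The dormant-account check is the part worth keeping even if the brute-force threshold is tuned away: a success on an account whose last logon is months old is a low-noise signal on its own, and the same directory export used here can drive a periodic sweep that disables such accounts before anyone guesses their passwords.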
Veeam spokesperson Heidi Monroe Kroft confirmed that the company released a patch to plug the vulnerability and communicated it directly to all VBR customers, emphasizing the importance of ensuring customers use the latest versions of all software and install patches in a timely manner to avoid exploitation attempts.
This attack underlines the importance of applying patches promptly and running current software versions to reduce the risk of a ransomware compromise.