July 10, 2024 at 10:33AM
A security flaw in Veeam Backup & Replication software, patched by the vendor in March 2023, is being exploited by a ransomware group tracked as EstateRansomware. The threat actors used a dormant account to gain initial access through the victim's SSL VPN service, pivoted laterally across the network, planted a persistent backdoor to keep their foothold while evading detection, disabled Windows Defender, and finally deployed ransomware.
The report details an intrusion in which the ransomware operation EstateRansomware abused CVE-2023-27532, a flaw in the Veeam Backup Service that allows encrypted credentials stored in the Veeam configuration database to be retrieved and then used to reach the backup infrastructure hosts. Initial access came through a Fortinet FortiGate firewall SSL VPN appliance, reached with the dormant account; the Veeam vulnerability was exploited once the attackers were inside the network.
From there the threat actors established RDP connections, deployed a persistent backdoor named "svchost.exe" so that it would blend in with the legitimate Windows service host process, and disabled Windows Defender before deploying the ransomware. The intrusion culminated in lateral movement from the Active Directory server to every other server and workstation using compromised domain accounts.
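Three of the steps above leave distinct traces in Windows telemetry: a long-idle account that suddenly authenticates, a binary called svchost.exe running from somewhere other than its two legitimate system directories, and Windows Defender real-time protection being switched off. The Python below is an added example, not code from the report or from any vendor, that encodes those three checks as rules and runs them over constructed sample events. The records imitate fields from the Windows Security log (event 4624, logon), Sysmon (event 1, process creation) and the Microsoft-Windows-Windows Defender/Operational log (event 5001, real-time protection disabled); the field names, the 90-day dormancy threshold and every sample record are assumptions made for the example.

```python
"""Detection rules for a dormant-account logon, an svchost.exe masquerade and
Windows Defender being disabled, run over constructed sample events.

Added example: not code from the report. Field names, the dormancy threshold
and the sample events are assumptions chosen to resemble real telemetry."""
from datetime import datetime, timedelta

SECURITY_LOG = "Security"
SYSMON_LOG = "Sysmon"
DEFENDER_LOG = "Microsoft-Windows-Windows Defender/Operational"

# The only places a genuine svchost.exe lives on a default Windows install.
SVCHOST_LEGIT_PATHS = {
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\syswow64\svchost.exe",
}
# Defender operational event 5001: real-time protection was disabled.
DEFENDER_TAMPER_IDS = {5001}

# Constructed sample events (not real telemetry), deliberately out of order.
SAMPLE_EVENTS = [
    {"time": "2024-04-10T02:13:00", "source": SECURITY_LOG, "event_id": 4624,
     "account": "SVC_LEGACY", "logon_type": 3},        # dormant account returns
    {"time": "2024-01-05T09:00:00", "source": SECURITY_LOG, "event_id": 4624,
     "account": "svc_legacy", "logon_type": 3},        # its previous logon, ~95 days earlier
    {"time": "2024-04-09T08:00:00", "source": SECURITY_LOG, "event_id": 4624,
     "account": "jsmith", "logon_type": 10},           # normal daily RDP user
    {"time": "2024-04-10T08:00:00", "source": SECURITY_LOG, "event_id": 4624,
     "account": "jsmith", "logon_type": 10},
    {"time": "2024-04-10T02:20:00", "source": SYSMON_LOG, "event_id": 1,
     "image": r"C:\Windows\System32\svchost.exe",
     "parent_image": r"C:\Windows\System32\services.exe"},   # legitimate
    {"time": "2024-04-10T02:31:00", "source": SYSMON_LOG, "event_id": 1,
     "image": r"C:\Users\Public\svchost.exe",
     "parent_image": r"C:\Windows\System32\svchost.exe"},    # masquerading backdoor
    {"time": "2024-04-10T02:45:00", "source": DEFENDER_LOG, "event_id": 5001},
]


def detect(events, dormant_days=90):
    """Return a list of (rule_name, detail) findings for the given events.

    Events are processed in time order so the dormant-account rule can compare
    each logon with the same account's previous logon.
    """
    findings = []
    last_logon = {}  # account (lower-cased) -> datetime of most recent 4624
    for ev in sorted(events, key=lambda e: e["time"]):
        when = datetime.fromisoformat(ev["time"])
        source, event_id = ev["source"], ev["event_id"]

        if source == SECURITY_LOG and event_id == 4624:
            account = ev["account"].lower()
            previous = last_logon.get(account)
            if previous is not None and when - previous > timedelta(days=dormant_days):
                idle_days = (when - previous).days
                findings.append(("dormant_account_logon",
                                 f"{account} logged on (type {ev['logon_type']}) "
                                 f"after {idle_days} days without a logon"))
            last_logon[account] = when

        elif source == SYSMON_LOG and event_id == 1:
            image = ev["image"].lower()
            name = image.rsplit("\\", 1)[-1]
            # Same file name as the Windows service host, but not loaded from
            # System32 or SysWOW64: almost certainly a planted binary.
            if name == "svchost.exe" and image not in SVCHOST_LEGIT_PATHS:
                findings.append(("svchost_masquerade",
                                 f"{ev['image']} (parent {ev['parent_image']})"))

        elif source == DEFENDER_LOG and event_id in DEFENDER_TAMPER_IDS:
            findings.append(("defender_disabled",
                             f"Defender event {event_id} at {ev['time']}"))
    return findings


if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

The masquerade rule keys on the image path alone; in production you would also compare the parent process (genuine svchost.exe instances are started by services.exe) and verify the file's Authenticode signature, since a scheduled task or service can launch a look-alike from a writable directory exactly as the sample shows. The dormancy rule only fires for accounts with an earlier logon in the window you feed it, so it should run over enough history (or be seeded from a directory export of last-logon timestamps) to see the gap.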
The report also notes that most ransomware gangs prioritize initial access through security flaws in internet-facing applications, phishing attachments or valid but compromised accounts, and then work to circumvent defenses further along the attack chain. The spread of the double extortion model has likewise led actors to build custom tools for exfiltrating confidential data to adversary-controlled infrastructure.
It further points to the emergence of new ransomware groups with distinct goals and operational structures, marking a shift toward smaller, more targeted "boutique" cybercriminal operations.
Overall, the report emphasizes the evolving nature of ransomware attacks and the need for organizations to keep their environments patched and monitored, with particular attention to the backup infrastructure that attackers increasingly target.