Akira and Fog ransomware now exploit critical Veeam RCE flaw

October 10, 2024 at 06:10PM

Ransomware gangs are exploiting a critical vulnerability (CVE-2024-40711) in Veeam Backup & Replication servers that allows remote code execution. Veeam disclosed the flaw and released updates on September 4; since then, attackers have combined it with compromised VPN access to deploy Akira and Fog ransomware. Veeam has a history of vulnerabilities attracting this kind of malicious activity, affecting many organizations worldwide.

**Meeting Takeaways:**

1. **Critical Vulnerability Identified**:
– Veeam Backup & Replication (VBR) servers have been exposed to a critical security vulnerability, tracked as CVE-2024-40711, allowing remote code execution (RCE). The flaw arises from a deserialization of untrusted data that can be exploited by unauthenticated attackers.

2. **Timeline of Disclosure and Response**:
– Veeam disclosed the vulnerability and released security updates on September 4, 2023.
– watchTowr Labs published a detailed technical analysis on September 9 but delayed releasing exploit proof-of-concept code until September 15 to provide time for admins to secure their systems.

3. **Impact on Businesses**:
– The vulnerability has made Veeam’s VBR software a high-value target due to its widespread usage in backing up, restoring, and replicating data across various platforms.

4. **Recent Exploits**:
– Recent ransomware attacks, specifically Akira and Fog, have utilized this vulnerability alongside previously compromised credentials to establish local admin accounts.
– Sophos X-Ops identified cases where attackers gained initial access through compromised VPN gateways that lacked multifactor authentication and were running outdated software.

5. **Incident Highlights**:
– In the Fog ransomware incident, the attacker exploited an unprotected Hyper-V server and exfiltrated data using the utility rclone.
– Previous warnings highlight consistent exploitation of Veeam vulnerabilities in attacks targeting sensitive infrastructure and organizations.
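The intrusion pattern summarized above (a newly created local account on the backup server, promotion to local Administrators, then rclone launched for exfiltration) is something a defender can look for directly in Windows Security logs. The following is an added example written for this summary; it is not code from the article, from Veeam or from Sophos. Event IDs 4720 (user account created), 4732 (member added to a local group) and 4688 (process creation) are standard Windows Security log IDs; the log lines, the simplified key=value format and the `BACKUP_HOSTS` inventory are constructed assumptions.

```python
"""Correlate constructed Windows Security events to flag the
new-local-admin -> rclone pattern on a Veeam VBR host.

Added example, not the article's or any vendor's code.  The log
format, sample lines and host inventory below are constructed.
"""
import re
from datetime import datetime, timedelta

# Constructed sample events: timestamp followed by key=value fields.
# Quoted values (cmdline) may contain spaces.  Raw string keeps the
# Windows backslashes intact.
SAMPLE_LOG = r"""
2024-10-01T02:11:05Z host=VBR01 event=4624 user=backupsvc logon_type=10 src=10.0.5.20
2024-10-01T02:14:30Z host=VBR01 event=4720 user=svc_backup2 actor=backupsvc
2024-10-01T02:14:42Z host=VBR01 event=4732 user=svc_backup2 group=Administrators actor=backupsvc
2024-10-01T02:40:10Z host=VBR01 event=4688 user=svc_backup2 process=C:\Temp\rclone.exe cmdline="rclone copy D:\Backups remote:bucket"
2024-10-01T09:00:00Z host=FS02 event=4720 user=jdoe actor=helpdesk
2024-10-01T09:05:00Z host=FS02 event=4688 user=jdoe process=C:\Windows\explorer.exe cmdline="explorer.exe"
"""

BACKUP_HOSTS = {"VBR01"}      # assumption: inventory of Veeam VBR servers
WINDOW = timedelta(hours=2)   # how long after account creation we keep correlating

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Parse one constructed log line into a dict with a datetime 'ts'."""
    ts, _, rest = line.partition(" ")
    fields = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for key, value in FIELD_RE.findall(rest):
        fields[key] = value.strip('"')
    return fields


def parse_log(text):
    """Parse all non-empty lines of a log blob."""
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def detect_backup_host_compromise(events, backup_hosts=BACKUP_HOSTS, window=WINDOW):
    """Return findings for accounts created on a backup host and, within
    `window`, promoted to local Administrators (stage new_local_admin) and
    then used to run rclone (stage rclone_exec)."""
    created = {}   # (host, user) -> 4720 event
    admin = set()  # (host, user) promoted to Administrators after creation
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        host, eid = ev.get("host"), ev.get("event")
        if host not in backup_hosts:
            continue
        key = (host, ev.get("user"))
        if eid == "4720":
            created[key] = ev
        elif eid == "4732" and ev.get("group") == "Administrators" and key in created:
            if ev["ts"] - created[key]["ts"] <= window:
                admin.add(key)
                findings.append({"host": host, "account": key[1],
                                 "stage": "new_local_admin",
                                 "created_by": created[key].get("actor")})
        elif eid == "4688" and key in admin:
            proc = ev.get("process", "").lower()
            if proc.endswith("rclone.exe") and ev["ts"] - created[key]["ts"] <= window:
                findings.append({"host": host, "account": key[1],
                                 "stage": "rclone_exec",
                                 "cmdline": ev.get("cmdline")})
    return findings


if __name__ == "__main__":
    for f in detect_backup_host_compromise(parse_log(SAMPLE_LOG)):
        print(f)
```

The first stage fires on its own: a brand-new local account landing in Administrators on a backup server is worth an alert even if no exfiltration tool follows. The second stage raises severity by tying rclone execution back to that same account, which is the sequence the Fog incident described above exhibited. The FS02 lines are there to show that ordinary account creation on a non-backup host produces no finding.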

6. **Historical Context**:
– This is not the first instance of Veeam vulnerabilities leading to ransomware attacks. A high-severity vulnerability (CVE-2023-27532) was previously patched by Veeam in March 2023, which was later exploited in attacks by financially motivated threat groups.

7. **Veeam’s Market Presence**:
– Veeam products are used by over 550,000 customers globally, including 74% of all Global 2000 companies, so vulnerabilities in them reach a large share of major enterprises.

**Next Steps**:
– Organizations using Veeam VBR are advised to apply the latest security updates immediately and review their security protocols, particularly concerning VPN access and authentication methods.
