Critical Veeam Vulnerability Exploited to Spread Akira and Fog Ransomware

October 14, 2024 at 05:00AM

Threat actors are exploiting a critical vulnerability in Veeam Backup & Replication (CVE-2024-40711) to deploy Akira and Fog ransomware, leveraging compromised VPN credentials. Sophos warns of successful attacks via unprotected systems. In parallel, new ransomware variants like Lynx and Trinity are emerging, highlighting increasing cybersecurity threats across sectors.

### Meeting Takeaways – October 14, 2024

#### Key Points:
1. **Exploitation of Veeam Backup Vulnerability**:
   - **CVE-2024-40711** is a critical vulnerability (rated 9.8/10.0) that allows unauthenticated remote code execution.
   - It was patched in Backup & Replication version 12.2 (released September 2024).
   - Attackers are using compromised VPN credentials to exploit this flaw, deploying the Akira and Fog ransomware variants.

2. **Attack Methodology**:
   - Threat actors gain initial access through compromised VPN gateways that lack multifactor authentication.
   - They then exploit Veeam through the /trigger URI on port 8000, creating a local account that is added to the Administrators and Remote Desktop Users groups.
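As an added defender-side example (not part of the original article or the underlying Sophos reporting), the script below hunts for the post-exploitation pattern described in this item: a local account created and shortly afterwards added to Administrators or Remote Desktop Users. The log line format, account names and the ten-minute window are assumptions; the sample lines are constructed and modelled on Windows Security events 4720 and 4732.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines modelled on Windows Security events 4720 (user created)
# and 4732 (member added to a local group); not logs from any real incident.
SAMPLE_LOG = """\
2024-10-14T05:01:10 EventID=4720 TargetUserName=tmpadmin
2024-10-14T05:01:12 EventID=4732 MemberName=tmpadmin GroupName=Administrators
2024-10-14T05:01:13 EventID=4732 MemberName=tmpadmin GroupName=Remote Desktop Users
2024-10-14T05:30:00 EventID=4720 TargetUserName=svc_backup
2024-10-14T06:45:00 EventID=4732 MemberName=svc_backup GroupName=Backup Operators
2024-10-14T07:00:00 EventID=4732 MemberName=olduser GroupName=Administrators
"""

# Assumed flat key=value format; a real deployment would read the event XML/JSON instead.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<id>\d+) (?:TargetUserName|MemberName)=(?P<user>\S+)"
    r"(?: GroupName=(?P<group>.+))?$"
)
WATCHED_GROUPS = {"Administrators", "Remote Desktop Users"}


def parse(log_text):
    """Yield (timestamp, event_id, user, group) tuples; lines that do not match are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), int(m["id"]), m["user"], m["group"]


def find_suspicious_accounts(log_text, window=timedelta(minutes=10)):
    """Return {user: groups} for accounts created (4720) and then added (4732) to a
    watched group within `window` of creation. Pre-existing accounts are ignored."""
    created = {}  # user -> creation time
    hits = {}
    for ts, event_id, user, group in parse(log_text):
        if event_id == 4720:
            created[user] = ts
        elif event_id == 4732 and group in WATCHED_GROUPS and user in created:
            if timedelta(0) <= ts - created[user] <= window:
                hits.setdefault(user, set()).add(group)
    return hits


if __name__ == "__main__":
    for user, groups in find_suspicious_accounts(SAMPLE_LOG).items():
        print(f"ALERT: new local account {user!r} added to {sorted(groups)}")
```

Run against a backup server's security log export; on a Veeam host a hit during a window with no change ticket is worth treating as a potential exploitation of the flaw above.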

3. **Recent Ransomware Incidents**:
   - The Fog ransomware deployment utilized an unprotected Hyper-V server for data exfiltration.
   - Other ransomware attempts using this method were not successful.
   - An advisory was issued by NHS England highlighting the significance of backup and disaster recovery applications as prime targets.

4. **Emerging Ransomware Trends**:
   - **Lynx ransomware**, a successor to INC ransomware, has been active since July 2024, targeting multiple sectors in the U.S. and U.K.
   - Lynx shares source code with INC ransomware, which initially emerged in August 2023.
   - **Trinity ransomware**, identified as a rebrand of previous ransomware families, is also emerging, employing a double extortion strategy.

5. **MedusaLocker Variant Observations**:
   - A new variant, **BabyLockerKZ**, has been linked to financially motivated attacks occurring since October 2022, primarily targeting Europe and South America.

6. **General Cybersecurity Context**:
   - The threats are increasingly sophisticated, relying on several attack vectors such as phishing and the exploitation of software vulnerabilities.
   - Publicly known attack tools and living-off-the-land binaries are being used to facilitate these cyber attacks.

#### Recommendations:
- Organizations should implement multifactor authentication on all VPN gateways.
- Regularly update and patch backup and disaster recovery applications to mitigate vulnerabilities like CVE-2024-40711.
- Be vigilant about the emergence of new ransomware variants and conduct training to enhance employee awareness regarding phishing and secure software practices.
