November 8, 2024 at 03:28PM
A critical vulnerability (CVE-2024-40711) in Veeam Backup & Replication has been exploited in multiple ransomware attacks, including Frag. Discovered by Code White, the flaw allows remote code execution. Exploit details were withheld for a time to protect users, but, as earlier attacks had already shown, the delay had little effect, underlining how popular Veeam is as a target among threat actors.
### Meeting Takeaways:
1. **Security Flaw in Veeam VBR**:
– A critical vulnerability (CVE-2024-40711) was identified in Veeam Backup & Replication (VBR), leading to its exploitation in multiple ransomware attacks, including Akira, Fog, and Frag ransomware.
2. **Vulnerability Details**:
– The vulnerability stems from a deserialization of untrusted data, allowing unauthenticated attackers to execute remote code on Veeam VBR servers.
3. **Research and Response Timeline**:
– Code White security researcher Florian Hauser discovered the flaw, and a technical analysis was published by watchTowr Labs on September 9.
– To protect users, watchTowr Labs delayed the release of a proof-of-concept exploit until September 15, following Veeam’s security updates issued on September 4.
4. **Impact of the Vulnerability**:
– The Veeam VBR software is a popular target for attackers due to its widespread use as a disaster recovery and data protection solution.
– Despite the delayed disclosures, attackers quickly exploited the vulnerability, as evidenced by continued ransomware incidents.
5. **Current Threat Landscape**:
– Sophos X-Ops incident responders noted that the STAC 5881 threat activity cluster exploited the vulnerability, contributing to the deployment of Frag ransomware.
– Attackers compromised VPN appliances and exploited the Veeam weakness to create unauthorized accounts on vulnerable systems.
6. **Frag Ransomware Specifics**:
– The Frag ransomware gang employs tactics similar to those used by Akira and Fog, including exploiting unpatched vulnerabilities and system misconfigurations.
– They extensively utilize Living Off The Land binaries (LOLBins), complicating detection efforts.
7. **Historical Context**:
– In March 2023, Veeam addressed a previous high-severity vulnerability (CVE-2023-27532) that had been exploited in ransomware targeting U.S. critical infrastructure, showing that security weaknesses in Veeam products have systemic implications.
8. **User Base**:
– Veeam has over 550,000 customers globally, with approximately 74% of Global 2000 companies utilizing their products.
### Action Items:
– Ensure all Veeam VBR installations are updated with the latest security patches to mitigate the risk of exploitation.
– Increase awareness among IT departments regarding the vulnerabilities in Veeam products and potential ransomware tactics.
– Monitor for unusual account creations or access patterns, particularly in relation to VPN appliance activity.
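As an added illustration of the last action item (example code, not from the article, Veeam or Sophos): a small detector that flags account creations on hosts assumed to be VBR servers when the creating subject is not on an approved list, and raises severity if the new account is added to Administrators within a short window. The log layout, host names and account names are constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample Security-log entries in a simple key=value layout
# (not real Windows or Veeam output). 4720 = user account created,
# 4732 = member added to a local group.
SAMPLE_EVENTS = """\
time=2024-11-07T02:14:05 host=VBR-01 id=4720 subject=svc_veeam target=backupadm2
time=2024-11-07T02:14:09 host=VBR-01 id=4732 subject=svc_veeam target=backupadm2 group=Administrators
time=2024-11-07T09:30:00 host=VBR-01 id=4720 subject=j.doe target=new.operator
time=2024-11-07T10:00:00 host=FS-02 id=4720 subject=j.doe target=temp.user
"""

# Assumptions: which hosts run Veeam VBR and which admins may create accounts.
VBR_HOSTS = {"VBR-01"}
APPROVED_CREATORS = {"j.doe"}
FIELD_RE = re.compile(r"(\w+)=(\S+)")

def parse_events(text):
    """Turn each non-empty log line into a dict of its key=value fields."""
    return [dict(FIELD_RE.findall(line)) for line in text.splitlines() if line.strip()]

def detect_suspicious_accounts(events, window=timedelta(minutes=10)):
    """Alert on 4720 events on VBR hosts by non-approved subjects; severity is
    'high' when the same account joins Administrators within the window."""
    alerts = []
    creations = [e for e in events
                 if e["id"] == "4720" and e["host"] in VBR_HOSTS
                 and e["subject"] not in APPROVED_CREATORS]
    for c in creations:
        t0 = datetime.fromisoformat(c["time"])
        escalated = any(
            e["id"] == "4732" and e["host"] == c["host"]
            and e["target"] == c["target"] and e.get("group") == "Administrators"
            and timedelta(0) <= datetime.fromisoformat(e["time"]) - t0 <= window
            for e in events)
        alerts.append({"host": c["host"], "account": c["target"],
                       "created_by": c["subject"],
                       "severity": "high" if escalated else "medium"})
    return alerts

if __name__ == "__main__":
    for alert in detect_suspicious_accounts(parse_events(SAMPLE_EVENTS)):
        print(alert)
```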