Ransomware groups are now taking advantage of a critical vulnerability that allows attackers to gain remote code execution (RCE) on vulnerable Veeam Backup & Replication (VBR) servers. This security flaw, tracked as CVE-2024-40711, stems from a deserialization of untrusted data issue that can be exploited by unauthenticated threat actors in relatively simple attacks.
Veeam disclosed the vulnerability and rolled out security updates on September 4, while watchTowr Labs provided a technical analysis on September 9. However, the publication of proof-of-concept exploit code was intentionally delayed until September 15 to allow administrators enough time to secure their servers. This precaution is particularly crucial given Veeam's widespread use as a data protection and disaster recovery solution for backing up, restoring, and replicating virtual, physical, and cloud machines, making it a prime target for malicious actors.
Recent findings by Sophos X-Ops incident responders indicate that the CVE-2024-40711 flaw was quickly exploited in attacks involving Akira and Fog ransomware. Attackers used previously compromised credentials to add a local account to the local Administrators and Remote Desktop Users groups. In one instance, Fog ransomware was deployed, while another attack attempted to release Akira ransomware. Indicators from these cases align with earlier Akira and Fog ransomware incidents.
In these attacks, the initial access was often gained through compromised VPN gateways lacking multi-factor authentication, some of which were running outdated software versions. In the Fog ransomware case, the attacker deployed it to an unprotected Hyper-V server and utilized the utility rclone to exfiltrate data.
This isn't the first time Veeam vulnerabilities have been targeted in ransomware attacks. In March 2023, Veeam patched a high-severity flaw (CVE-2023-27532) that could be exploited to breach backup infrastructure hosts. Shortly after, this vulnerability was linked to attacks by the financially motivated FIN7 threat group and was later observed in Cuba ransomware attacks against U.S. critical infrastructure and Latin American IT firms.
Veeam reports that its products are utilized by over 550,000 customers globally, including 74% of all Global 2000 companies, emphasizing the critical need for ongoing security vigilance.
