Ransomware Groups Exploiting Vulnerability in Veeam Backup & Replication

By Admin | 2024-07-17 | Vulnerabilities

A critical vulnerability, identified as CVE-2023-27532 and assigned a CVSS score of 7.5, has been discovered in the Veeam Backup & Replication component. This vulnerability allows attackers to obtain encrypted credentials stored in the configuration database, potentially granting them access to backup infrastructure hosts.

The issue was addressed in March 2023, but proof-of-concept (PoC) exploit code for this vulnerability was released publicly shortly thereafter. Since then, several cybercrime groups have been exploiting it.


Exploitation by FIN7

The Russian cybercrime group FIN7 has been exploiting the vulnerability since April 2023. Researchers have observed that in June 2024, a threat actor targeted a Latin American airline with the Akira ransomware. The initial access to the target network was gained via the Secure Shell (SSH) protocol. Attackers exfiltrated critical data before deploying the Akira ransomware the following day. They utilized legitimate tools and Living Off the Land Binaries and Scripts (LOLBAS) for reconnaissance and persistence. Once data exfiltration was completed, the attackers deployed ransomware to encrypt the infected systems. Akira, a Ransomware-as-a-Service (RaaS), has been used by Storm-1567 (also known as Punk Spider and GOLD SAHARA), a group active since 2023. Indicators, such as DNS queries to a domain related to Remmina (a Linux remote-desktop client), suggest the attacker was likely operating from a Linux host.


Attack Details

During the attack on the Latin American airline, the attacker’s first visible access to an unpatched Veeam backup server was via SSH from a router’s IP address. Experts believe the attackers used the publicly available exploit for the CVE-2023-27532 vulnerability. Once inside the network, the attacker created a user named “backup” and added it to the Administrator group to gain elevated privileges. They then deployed the legitimate network management tool Advanced IP Scanner to scan local subnets identified via the “route print” command.

The attackers took control of Veeam backup data by accessing the Veeam backup folder and compressing and uploading various file types, including documents, images, and spreadsheets, to harvest confidential and valuable information. The free Windows SFTP/SCP client WinSCP was used to exfiltrate the data to a server controlled by the attackers.

The entire operation, from initial login to data exfiltration, took just 133 minutes, concluding with the final command at 4:55 PM UTC. “While NetScan ran on the primary Veeam backup server, antivirus (AV) protection was disabled on the virtual machine host, both through antivirus user interfaces (UI) and through the command line,” reads the report published by BlackBerry. “Now that persistence was fully in place, the threat actors attempted to deploy ransomware network-wide using the Veeam backup server as the control point. We saw the file 'w.exe'—Akira ransomware—being deployed across various hosts from the compromised Veeam server.”
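The chain above (a new local administrator account, subnet reconnaissance, WinSCP exfiltration, and w.exe pushed out from the backup server) is what a detection rule should tie together rather than alert on piecemeal. The following is an added example, not code from the article, BlackBerry or Veeam, that correlates those stages over constructed Windows Security events; the host names, timestamps, and the three-hour correlation window are assumptions.

```python
"""Added example (not from the article, BlackBerry or Veeam): correlate the
post-exploitation chain described above over constructed Windows Security
events (4720 user created, 4732 member added to local group, 4688 process created)."""
import re
from datetime import datetime, timedelta

# Constructed sample events; host names and timestamps are hypothetical.
SAMPLE_EVENTS = [
    {"host": "VEEAM01", "ts": "2024-06-10T14:42:00Z", "event_id": 4720, "subject": "backup"},
    {"host": "VEEAM01", "ts": "2024-06-10T14:43:10Z", "event_id": 4732, "subject": "backup",
     "group": "Administrators"},
    {"host": "VEEAM01", "ts": "2024-06-10T14:50:05Z", "event_id": 4688, "subject": "backup",
     "cmdline": "route print"},
    {"host": "VEEAM01", "ts": "2024-06-10T15:01:00Z", "event_id": 4688, "subject": "backup",
     "cmdline": "advanced_ip_scanner.exe"},
    {"host": "VEEAM01", "ts": "2024-06-10T16:30:00Z", "event_id": 4688, "subject": "backup",
     "cmdline": "WinSCP.exe"},
    {"host": "FS02", "ts": "2024-06-10T16:50:00Z", "event_id": 4688, "subject": "backup",
     "cmdline": "w.exe"},
]

# Later stages of the chain, keyed on the tools named in the report.
STAGE_PATTERNS = {
    "recon": re.compile(r"route\s+print|advanced_ip_scanner|netscan", re.I),
    "exfil": re.compile(r"winscp", re.I),
    "deploy": re.compile(r"(^|\\)w\.exe$", re.I),
}

def _ts(event):
    return datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")

def detect_chain(events, window=timedelta(hours=3)):
    """Per account: stages seen within `window` after a freshly created
    account is added to Administrators (the anchor of the chain above)."""
    created = {e["subject"] for e in events if e["event_id"] == 4720}
    findings = {}
    for e in sorted(events, key=_ts):
        acct, f = e["subject"], findings.get(e["subject"])
        if e["event_id"] == 4732 and e.get("group") == "Administrators" and acct in created:
            findings[acct] = {"start": _ts(e), "hosts": {e["host"]}, "stages": ["new_admin"]}
        elif e["event_id"] == 4688 and f and _ts(e) - f["start"] <= window:
            for stage, pat in STAGE_PATTERNS.items():
                if pat.search(e.get("cmdline", "")) and stage not in f["stages"]:
                    f["stages"].append(stage)
                    f["hosts"].add(e["host"])
    return findings

def severity(finding):
    # The full sequence new_admin -> recon -> exfil -> deploy is the reported chain.
    return "critical" if len(finding["stages"]) == 4 else "suspicious"
```

Hosts collected per finding show the deployment fanning out from the backup server to other machines, which is the pivot the report describes.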


Other Observations

Group-IB researchers also identified a ransomware group exploiting the flaw in Veeam Backup & Replication instances. They reported that in April 2024, the EstateRansomware gang used a PoC exploit code to target the CVE-2023-27532 vulnerability.