Veeam software flaw allowed FIN7 actors to launch attacks

May 2, 2023

The Russia-based FIN7 threat group has been exploiting unpatched Veeam Backup & Replication instances to gain a foothold in victim networks. FIN7 has been active for roughly a decade and primarily runs financially motivated campaigns, such as stealing payment card data.

Earlier this year, a vulnerability in Veeam Backup & Replication was disclosed and tracked as CVE-2023-27532, with a CVSS score of 7.5 (rated High, not Critical). A proof-of-concept (PoC) exploit for the flaw was published a couple of weeks after the disclosure.

Veeam's advisory states that successful exploitation allows an unauthenticated attacker to obtain the encrypted credentials stored in the Veeam backup configuration database. The penetration testing company that released the PoC went further, showing that those credentials could be recovered in cleartext.

The FIN7 threat group has executed several malicious activities through the Veeam software.

According to the reports, the group's post-compromise activity on the Veeam hosts included data theft, network reconnaissance, credential exfiltration, deployment of the Diceloader backdoor, and lateral movement using the stolen credentials.

FIN7's Powertrash in-memory dropper was downloaded and launched by a shell command executed from a Veeam Backup process. The dropper was then used to load FIN7 backdoors, giving the operators a platform for further post-exploitation activity.

How the attackers were able to execute shell commands has not been confirmed. Researchers suspect that the group exploited CVE-2023-27532 in Veeam Backup & Replication, since exploiting it yields the credentials stored on the instance without prior authentication, and those credentials can then be used to access it.

Organisations running this software should apply the patch, harden the configuration of their backup servers, and hunt for signs of compromise. The researchers who investigated the intrusions have so far identified two recent cases.
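One concrete hunt a defender can run for the pattern described above is to look for command shells spawned by Veeam Backup & Replication processes. The script below is an added example for this article, not code from Veeam, the article, or the researchers who reported the intrusions. It assumes Sysmon-style process-creation events (Event ID 1) exported as JSON lines with the fields UtcTime, Computer, Image, ParentImage and CommandLine; the parent-process names it watches (the Veeam Backup Service and the SQL Server instance that hosts its configuration database) are an assumption about where an attacker abusing the backup server would pivot from, and the sample events are constructed.

```python
"""Hunt for command shells spawned from Veeam Backup & Replication processes.

Added illustration for this article; it is not code from Veeam, the article,
or the researchers who reported the intrusions. It assumes Sysmon-style
process-creation events (Event ID 1) exported as JSON lines with the fields
UtcTime, Computer, Image, ParentImage and CommandLine. The parent-process
names are an assumption about which Veeam-related binaries an attacker who
abuses the backup server would pivot from; tune them to your deployment.
"""
from __future__ import annotations

import json
from pathlib import PureWindowsPath

# Assumed parents (hypothetical tuning): the Veeam Backup Service itself and
# the SQL Server instance that hosts its configuration database. Neither has
# a legitimate reason to launch an interactive command shell.
SUSPICIOUS_PARENTS = {"veeam.backup.service.exe", "sqlservr.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
          "cscript.exe", "mshta.exe"}
# Traits of an in-memory download-and-execute cradle like the one the
# article describes: hidden or encoded PowerShell, web download primitives.
CRADLE_MARKERS = ("-enc", "-encodedcommand", "-w hidden", "-windowstyle hidden",
                  "downloadstring", "downloadfile", "frombase64string",
                  "invoke-expression", "iex ")


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path ("" if the field is empty)."""
    return PureWindowsPath(path).name.lower()


def score_event(ev: dict) -> tuple[int, list[str]]:
    """Score one process-creation event; higher means more suspicious."""
    score, reasons = 0, []
    parent = basename(ev.get("ParentImage", ""))
    child = basename(ev.get("Image", ""))
    cmd = ev.get("CommandLine", "").lower()
    if parent in SUSPICIOUS_PARENTS and child in SHELLS:
        score += 5
        reasons.append(f"{child} spawned by {parent}")
    if any(marker in cmd for marker in CRADLE_MARKERS):
        score += 3
        reasons.append("download/execute cradle in command line")
    return score, reasons


def hunt(lines, threshold: int = 5) -> list[dict]:
    """Return the events whose score reaches the threshold, in input order."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append({"time": ev.get("UtcTime"), "host": ev.get("Computer"),
                         "score": score, "reasons": reasons,
                         "cmd": ev.get("CommandLine")})
    return hits


# Constructed sample telemetry (not real events) to exercise the hunt.
SAMPLE_EVENTS = [json.dumps(ev) for ev in (
    # Benign: the backup service starting one of its own agents.
    {"UtcTime": "2023-03-28 09:12:01", "Computer": "VBR01",
     "ParentImage": r"C:\Program Files\Veeam\Backup and Replication\Backup\Veeam.Backup.Service.exe",
     "Image": r"C:\Program Files\Veeam\Backup and Replication\Backup\VeeamAgent.exe",
     "CommandLine": r'"C:\Program Files\Veeam\Backup and Replication\Backup\VeeamAgent.exe" -d'},
    # Suspicious: Veeam's SQL Server spawning a hidden, encoded PowerShell cradle.
    {"UtcTime": "2023-03-28 09:14:37", "Computer": "VBR01",
     "ParentImage": r"C:\Program Files\Microsoft SQL Server\MSSQL15.VEEAMSQL2016\MSSQL\Binn\sqlservr.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c powershell.exe -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    # Benign: an administrator running a Veeam cmdlet from their workstation.
    {"UtcTime": "2023-03-28 10:02:15", "Computer": "ADMIN-WS",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -NoProfile -Command Get-VBRJob"},
    # Suspicious: the backup service itself launching a shell for reconnaissance.
    {"UtcTime": "2023-03-28 10:41:58", "Computer": "VBR01",
     "ParentImage": r"C:\Program Files\Veeam\Backup and Replication\Backup\Veeam.Backup.Service.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c whoami"},
)]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(f"{hit['time']} {hit['host']} score={hit['score']} "
              f"{'; '.join(hit['reasons'])} :: {hit['cmd']}")
```

The parent/child pairing carries most of the weight on purpose: a backup service or its database engine spawning cmd.exe is rare enough to review on its own, while the command-line markers only raise priority, so an attacker who avoids encoded PowerShell still surfaces. Feed the script the JSON export of your own process-creation telemetry in place of the constructed events.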

The researchers also believe the two intrusions were part of one broader campaign, since the initial activity in both cases originated from the same public IP address on the same day.

The scope of the campaign is likely limited, since relatively few organisations expose Veeam backup servers to the internet on TCP port 9401, the port on which the vulnerable backup service listens.
