Fog and Akira ransomware groups exploit the Veeam RCE flaw

October 17, 2024

The Fog and Akira ransomware groups are the latest cybercriminal operations to adopt exploitation of the remote code execution flaw in vulnerable Veeam Backup & Replication (VBR) servers.

The security flaw in question is tracked as CVE-2024-40711 and stems from deserialisation of untrusted data. The bug allows unauthenticated threat actors to abuse it in low-complexity attacks.

Veeam confirmed this remote code execution vulnerability and issued security patches last month. The updates were followed by the publication of a technical investigation of the flaw on September 9.

However, the researchers delayed the release of the proof-of-concept exploit code until September 15 to give administrators adequate time to protect their systems. The delay was also motivated by the many businesses that rely on Veeam’s VBR software to back up, restore, and replicate virtual, physical, and cloud machines.

The PoC also allows other threat actors to exploit the flaw, making companies that run the software common targets for attackers who want quick access to an organisation’s backup data.


Despite the company’s immediate preventive measures, the Fog and Akira ransomware groups quickly adopted the RCE exploit.


According to investigations, the Fog and Akira ransomware operators have quickly incorporated the remote code execution flaw into their operations. In the observed attacks, the threat groups create a local account named “point” and add it to the Administrators and Remote Desktop Users groups, alongside the use of previously compromised credentials.
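One way a defender can hunt for the account pattern described above is to correlate Windows Security events: a user account creation (Event ID 4720) followed shortly by that account being added to a security-enabled local group (Event ID 4732) whose SID is Administrators (S-1-5-32-544) or Remote Desktop Users (S-1-5-32-555). The script below is an added example, not code from the article or from any of the vendors or researchers it cites. The JSON-lines input is constructed, and its field names (`time`, `id`, `host`, `target`, `member`, `group_sid`, `subject`) are an assumption chosen to mirror the Security log’s parameters; the one-hour correlation window is likewise an assumed tuning value.

```python
"""Flag newly created local accounts that are quickly added to the
Administrators or Remote Desktop Users groups, from Windows Security
event records (constructed sample input, not real telemetry)."""
import json
from datetime import datetime, timedelta

# Well-known SIDs of the two local groups named in the article.
WATCHED_GROUPS = {
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-555": "Remote Desktop Users",
}
CREATE_EVENT = 4720           # A user account was created
LOCAL_GROUP_ADD_EVENT = 4732  # A member was added to a security-enabled local group

# Constructed sample events in a JSON-lines shape. The field names are an
# assumption that mirrors the Security log's parameter names; the host names
# and the "backupsvc" / "helpdesk" subjects are invented for the example.
SAMPLE_EVENTS = """\
{"time":"2024-10-01T02:14:05Z","id":4720,"host":"VBR01","target":"point","subject":"backupsvc"}
{"time":"2024-10-01T02:14:09Z","id":4732,"host":"VBR01","member":"point","group_sid":"S-1-5-32-544","subject":"backupsvc"}
{"time":"2024-10-01T02:14:12Z","id":4732,"host":"VBR01","member":"point","group_sid":"S-1-5-32-555","subject":"backupsvc"}
{"time":"2024-10-01T09:30:00Z","id":4720,"host":"FS02","target":"jsmith","subject":"helpdesk"}
{"time":"2024-10-03T11:00:00Z","id":4732,"host":"FS02","member":"jsmith","group_sid":"S-1-5-32-555","subject":"helpdesk"}
"""


def parse_events(text):
    """Parse JSON-lines event records and convert timestamps to datetimes."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for e in events:
        e["time"] = datetime.strptime(e["time"], "%Y-%m-%dT%H:%M:%SZ")
    return events


def find_suspicious_accounts(events, window=timedelta(hours=1)):
    """Return one alert per (host, account, watched group) where the account
    was created and then added to the group on the same host within `window`.

    A legitimate onboarding that adds a user to Remote Desktop Users days
    after creation (the jsmith sample) falls outside the window and is ignored.
    """
    created = {}  # (host, account) -> creation time
    alerts = []
    for e in sorted(events, key=lambda ev: ev["time"]):
        if e["id"] == CREATE_EVENT:
            created[(e["host"], e["target"].lower())] = e["time"]
        elif e["id"] == LOCAL_GROUP_ADD_EVENT and e["group_sid"] in WATCHED_GROUPS:
            key = (e["host"], e["member"].lower())
            t0 = created.get(key)
            if t0 is not None and e["time"] - t0 <= window:
                alerts.append({
                    "host": e["host"],
                    "account": e["member"],
                    "group": WATCHED_GROUPS[e["group_sid"]],
                    "seconds_after_creation": int((e["time"] - t0).total_seconds()),
                    "by": e["subject"],
                })
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_accounts(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

Run against the constructed sample, the script raises two alerts for the “point” account on VBR01 (added to Administrators four seconds after creation and to Remote Desktop Users seven seconds after) and none for the helpdesk-created account, because its group change comes two days later. In production the same correlation can be expressed as a SIEM rule keyed on Event IDs 4720 and 4732 and the two group SIDs.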

In one instance, a threat group deployed the Fog ransomware using the exploit. This was quickly followed by another attack that deployed Akira. Together these events show that the Veeam RCE vulnerability has become an attractive entry point for multiple threat groups.

In each case, the attackers gained initial access through compromised VPN gateways that were not configured for MFA, some of which were running unsupported software versions. In the Fog ransomware campaign, the attacker deployed the ransomware on a misconfigured Hyper-V server and then used the ‘rclone’ utility to exfiltrate data.

Organisations that run vulnerable Veeam software should update to the latest patched version to prevent exploitation by threat actors, especially ransomware operators.
