Year-Old Veeam Vulnerability Exploited in Fresh Ransomware Attacks


At least two ransomware groups have been exploiting a year-old vulnerability in Veeam Backup & Replication to exfiltrate data, security researchers warn.

Patched in March 2023, the exploited security defect is tracked as CVE-2023-27532 (CVSS score of 7.5). Proof-of-concept (PoC) code targeting it was published shortly after, and the first exploitation of unpatched Veeam Backup & Replication instances was seen in April 2023.

Veeam warned last year that successful exploitation of the bug allows attackers to extract encrypted credentials stored in the configuration database, while Horizon3.ai said that cleartext credentials can also be obtained.

In August 2023, shortly after the Cuba ransomware cybergang was seen exploiting the flaw in attacks, CISA added CVE-2023-27532 to its Known Exploited Vulnerabilities (KEV) catalog.

Singaporean threat intelligence firm Group-IB now warns that the vulnerability was exploited in an April 2024 incident. In the attack, Group-IB says, the EstateRansomware group used an exploit likely derived from publicly available PoC code to crash a vulnerable Veeam Backup & Replication instance.

Shortly after, the attackers created a rogue user account, deployed additional tools, exfiltrated credentials, and performed Active Directory reconnaissance. Initial access to the victim’s environment, however, was obtained using a dormant account on a FortiGate Firewall SSL VPN.

In another incident in June 2024, which cybersecurity firm BlackBerry attributes to the Akira ransomware group, CVE-2023-27532 was exploited to compromise a Latin American airline, create a rogue user account, and steal victim data.

The Akira gang likely exploited the unpatched Veeam Backup & Replication instance for initial access, deployed various post-exploitation tools, performed Active Directory reconnaissance, and deactivated security products.


“Ownership of the Veeam backup data was taken via the Veeam backup folder, while the threat actor compressed and uploaded data from other systems. Common file types like documents, images and spreadsheets were included in this backup, in the hopes that confidential and potentially valuable data could be harvested and leveraged by the malicious actor for their own financial gain,” BlackBerry explains.

Veeam Backup & Replication versions 12 (build 12.0.0.1420 P20230223) and later, and 11a (build 11.0.1.1261 P20230227) and later address CVE-2023-27532. Organizations should install these iterations on their Veeam Backup & Replication servers.
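Checking a fleet of Veeam Backup & Replication servers against the fixed builds named above is a simple version comparison, but it is branch-specific: a v11 server needs 11.0.1.1261 or later, a v12 server needs 12.0.0.1420 or later, and older lines are not listed as fixed at all. The following script is an added example, not code from the article or from Veeam; the hostnames and build strings in the sample inventory are constructed for illustration.

```python
import re

# Minimum fixed builds named in the article: 11a (11.0.1.1261) and 12 (12.0.0.1420),
# keyed by major version. Any later major line is treated as carrying the fix.
FIXED_BUILDS = {11: (11, 0, 1, 1261), 12: (12, 0, 0, 1420)}
_BUILD_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)")

def parse_build(version):
    # '12.0.0.1420 P20230223' -> (12, 0, 0, 1420); the P-suffix is ignored
    m = _BUILD_RE.match(version.strip())
    return tuple(int(x) for x in m.groups()) if m else None

def is_patched(version):
    # True: build is at/after the fixed build for its line. False: older than it.
    # None: unparsable, or a line (10 and below) for which the article lists no fix.
    build = parse_build(version)
    if build is None:
        return None
    if build[0] > max(FIXED_BUILDS):
        return True
    floor = FIXED_BUILDS.get(build[0])
    return None if floor is None else build >= floor

def audit(inventory):
    # Report every host that is not confirmed patched, with a status label.
    findings = []
    for host, version in inventory.items():
        status = is_patched(version)
        if status is not True:
            findings.append((host, version, "unpatched" if status is False else "unknown"))
    return findings

# Constructed sample inventory: hostnames and builds are made up for illustration.
SAMPLE_INVENTORY = {
    "vbr-01": "12.0.0.1420 P20230223",   # exactly the fixed v12 build
    "vbr-02": "12.0.0.1402",             # v12 below the fixed build
    "vbr-03": "11.0.1.1261 P20230227",   # exactly the fixed v11a build
    "vbr-04": "11.0.0.837",              # v11 below the fixed build
    "vbr-05": "10.0.1.4854",             # line not covered by the listed fixes
}

if __name__ == "__main__":
    for host, version, status in audit(SAMPLE_INVENTORY):
        print(f"{host}: {version} -> {status}")
```

Hosts reported as "unknown" should be checked against Veeam's own advisory rather than assumed safe.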
