A now-patched security flaw in Veeam Backup & Replication software is being exploited by a nascent ransomware operation known as EstateRansomware.
Singapore-headquartered Group-IB, which discovered the threat activity in early April 2024, said the modus operandi involves exploiting CVE-2023-27532 (CVSS score: 7.5) to carry out the malicious activities.
Initial access to the target environment is said to have been obtained through a Fortinet FortiGate firewall's SSL VPN appliance using a dormant account.
“A threat actor bypassed the FortiGate firewall via an SSL VPN service to gain access to the failover switch server,” security researcher Yeo Ziwei said in an analysis published today.
“Prior to the ransomware attack in April 2024, VPN brute-force attempts were reported using an inactive account identified as ‘Acc1’. A few days later, a successful VPN login using ‘Acc1’ was traced to the remote IP address 149.28.106(.)252.”
The threat actors then established RDP connections from the firewall to the failover server, followed by the deployment of a persistent backdoor called “svchost.exe” that is executed daily via a scheduled job.
Subsequent access to the network was carried out through this backdoor to evade detection. The backdoor's main function is to connect to the command-and-control (C2) server over HTTP and execute arbitrary commands issued by the attacker.
Group-IB said it observed the actor exploit Veeam’s CVE-2023-27532 vulnerability to enable xp_cmdshell on the backup server and create a rogue user account named “VeeamBkp”, then use the newly created account for network discovery, enumeration and credential harvesting with tools such as NetScan, AdFind and NitSoft.
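The initial-access pattern described above (a brute-force burst against a dormant VPN account, then a successful login from a new source IP) can be turned into a simple detection over VPN authentication events. The following Python is an added example, not code from Group-IB or the original article; the event format, the thresholds and the sample events are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Tuning knobs (assumed values, adjust to the environment).
DORMANT_DAYS = 30              # no successful login for this long = dormant account
FAIL_THRESHOLD = 5             # failed logins needed to call it a brute-force burst
LOOKBACK = timedelta(days=7)   # window in which the failures must precede the success

# Constructed sample VPN auth events: (ISO timestamp, user, source IP, result).
# Hypothetical data for illustration, not log lines from the incident.
SAMPLE_EVENTS = [
    ("2024-04-01T02:10:00", "Acc1", "203.0.113.10", "failure"),
    ("2024-04-01T02:10:04", "Acc1", "203.0.113.10", "failure"),
    ("2024-04-01T02:10:09", "Acc1", "203.0.113.10", "failure"),
    ("2024-04-01T02:10:13", "Acc1", "203.0.113.10", "failure"),
    ("2024-04-01T02:10:18", "Acc1", "203.0.113.10", "failure"),
    ("2024-04-04T01:00:00", "Acc1", "198.51.100.7", "success"),
    ("2024-04-04T09:00:00", "alice", "192.0.2.5", "success"),
]

# Constructed: last successful login per account before the sample window.
ACCOUNT_LAST_SEEN = {
    "Acc1": datetime(2023, 11, 15),
    "alice": datetime(2024, 3, 30),
}

def find_suspicious_logins(events, last_seen):
    """Return one alert dict per successful VPN login that is (a) on a dormant
    account and (b) preceded by a brute-force burst against that account."""
    alerts = []
    failures = defaultdict(list)          # user -> timestamps of failed logins
    seen = dict(last_seen)                # copy so we can update as we go
    for ts, user, src_ip, result in sorted(events):   # ISO timestamps sort in time order
        t = datetime.fromisoformat(ts)
        if result == "failure":
            failures[user].append(t)
            continue
        recent_fails = [f for f in failures[user] if t - f <= LOOKBACK]
        last = seen.get(user)
        dormant = last is None or (t - last).days >= DORMANT_DAYS
        if dormant and len(recent_fails) >= FAIL_THRESHOLD:
            alerts.append({"user": user, "src_ip": src_ip, "time": ts,
                           "prior_failures": len(recent_fails)})
        seen[user] = t                    # a success updates the last-seen time
    return alerts

if __name__ == "__main__":
    for a in find_suspicious_logins(SAMPLE_EVENTS, ACCOUNT_LAST_SEEN):
        print("ALERT dormant account, brute force then success:", a)
```

In a real deployment the same logic would run over the firewall's SSL VPN logs fed to a SIEM, with the last-seen table derived from historical successful logins rather than hard-coded.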
“This exploit potentially involved an attack from the VeeamHax folder on the file server against a vulnerable version of the Veeam Backup & Replication software installed on the backup server,” Ziwei suggested.
“This action contributed to the activation of the xp_cmdshell stored procedure and the subsequent creation of the ‘VeeamBkp’ account.”
The attack culminated in the deployment of the ransomware, but not before steps were taken to impair defenses and move laterally from the AD server to all other servers and workstations using the compromised domain accounts.
“Windows Defender was permanently disabled using DC.exe (Defender Control) and then the ransomware was deployed and executed using PsExec.exe,” Group-IB said.
The disclosure comes after Cisco Talos showed that most ransomware groups prefer to gain initial access by exploiting security flaws in public-facing applications, sending phishing attachments or compromising valid accounts, and bypassing protections in their attack chains.
The double extortion model of exfiltrating data before encrypting files has led to the creation of custom tools developed by affiliates (e.g. Exmatter, Exchange and StealBit) to send sensitive information to adversary-controlled infrastructure.
This requires these cybercrime crews to establish long-term access in order to study the environment: to understand the network structure, find resources that can support an attack, escalate their privileges or blend in, and identify the important data that can be stolen.
“Over the past year, we’ve seen major shifts in the ransomware space with the emergence of many new ransomware groups, each exhibiting unique goals, operational structures, and victimology,” Talos said.
“Diversification highlights a shift towards more boutique cybercriminal activity, as groups such as Hunters International, Cactus and Akira carve out specific niches, focusing on different operational goals and stylistic choices to differentiate themselves.”