Threat actors are actively trying to exploit a patched security flaw in Veeam Backup & Replication to deploy Akira and Fog ransomware.
Cybersecurity vendor Sophos said it has tracked a series of attacks over the past month using compromised VPN credentials and CVE-2024-40711 to create a local account and deploy ransomware.
CVE-2024-40711 (CVSS score: 9.8 out of 10.0) is a critical vulnerability that allows unauthenticated remote code execution. It was patched by Veeam in Backup & Replication version 12.2 in early September 2024.
Security researcher Florian Hauser of the German company CODE WHITE is credited with discovering and reporting the flaw.
“In each case, the attackers initially gained access to the targets using compromised VPN gateways without multi-factor authentication enabled,” Sophos said. “Some of these VPNs were running unsupported software versions.”
“Each time, the attackers used Veeam on the URI /trigger on port 8000, running Veeam.Backup.MountService.exe to create net.exe. The exploit creates a local account named ‘point’ and adds it to the local Administrators and Remote Desktop Users groups.”
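The chain Sophos describes leaves a distinctive footprint in process-creation telemetry: the Veeam mount service has no legitimate reason to spawn net.exe, and the follow-on commands create an account and add it to privileged groups. The following detection sketch is an added example (not Sophos or Veeam code) that runs such a rule over constructed Sysmon-style event records; the field names, the sample hostnames and command lines, and the severity scheme are assumptions made for the illustration.

```python
"""Detection sketch for the Veeam.Backup.MountService.exe -> net.exe chain (added example)."""
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional

# Parent binary named in the Sophos write-up; children that a backup mount service should never spawn.
VEEAM_PARENT = "veeam.backup.mountservice.exe"
SHELL_CHILDREN = {"net.exe", "net1.exe", "cmd.exe", "powershell.exe"}
# Groups the write-up says the new account was added to.
PRIVILEGED_GROUPS = {"administrators", "remote desktop users"}

# "net user <name> [password] /add"
ADD_USER = re.compile(r"\buser\s+(?P<name>\S+)(?:\s+\S+)?\s+/add\b", re.IGNORECASE)
# 'net localgroup <group or "quoted group"> <member> /add'
ADD_MEMBER = re.compile(
    r'\blocalgroup\s+"?(?P<group>[^"/]+?)"?\s+(?P<member>\S+)\s+/add\b', re.IGNORECASE
)

# Constructed sample events modelled on Sysmon Event ID 1 fields (not real telemetry).
VEEAM_EXE = r"C:\Program Files\Veeam\Backup and Replication\Backup\Veeam.Backup.MountService.exe"
SAMPLE_EVENTS = [
    {"host": "BKP01", "ParentImage": VEEAM_EXE, "Image": r"C:\Windows\System32\conhost.exe",
     "CommandLine": "conhost.exe 0xffffffff"},                                   # benign
    {"host": "BKP01", "ParentImage": VEEAM_EXE, "Image": r"C:\Windows\System32\net.exe",
     "CommandLine": "net user point P@ssw0rd! /add"},                            # account creation
    {"host": "BKP01", "ParentImage": VEEAM_EXE, "Image": r"C:\Windows\System32\net.exe",
     "CommandLine": "net localgroup Administrators point /add"},                 # privilege grant
    {"host": "BKP01", "ParentImage": VEEAM_EXE, "Image": r"C:\Windows\System32\net.exe",
     "CommandLine": 'net localgroup "Remote Desktop Users" point /add'},         # RDP access
    {"host": "WS07", "ParentImage": r"C:\Windows\System32\cmd.exe", "Image": r"C:\Windows\System32\net.exe",
     "CommandLine": "net user helpdesk /add"},                                   # interactive admin
    {"host": "BKP01", "ParentImage": VEEAM_EXE, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami"},                                        # service spawning a shell
]


@dataclass
class Alert:
    severity: str
    host: str
    reason: str


def classify(event: dict) -> Optional[Alert]:
    """Return an Alert for one process-creation event, or None if it looks benign."""
    parent = ntpath.basename(event["ParentImage"]).lower()
    child = ntpath.basename(event["Image"]).lower()
    cmd = event.get("CommandLine", "")
    from_veeam = parent == VEEAM_PARENT
    # Account creation or privileged-group changes via net.exe are worth a look anywhere;
    # they become high severity when the parent is the Veeam mount service.
    if child in {"net.exe", "net1.exe"}:
        m = ADD_USER.search(cmd)
        if m:
            return Alert("high" if from_veeam else "medium", event["host"],
                         f"local account '{m['name']}' created via {child} (parent {parent})")
        m = ADD_MEMBER.search(cmd)
        if m and m["group"].strip().lower() in PRIVILEGED_GROUPS:
            return Alert("high" if from_veeam else "medium", event["host"],
                         f"'{m['member']}' added to {m['group'].strip()} via {child} (parent {parent})")
    # The mount service spawning a shell or net.exe at all is suspicious regardless of arguments.
    if from_veeam and child in SHELL_CHILDREN:
        return Alert("high", event["host"], f"{parent} spawned {child}: {cmd}")
    return None


def scan(events: List[dict]) -> List[Alert]:
    """Run classify() over a batch of events and keep only the hits."""
    return [a for a in (classify(e) for e in events) if a is not None]


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"[{alert.severity.upper()}] {alert.host}: {alert.reason}")
```

Over the constructed sample the rule flags the three account-manipulation commands and the shell spawn as high severity and the interactive helpdesk account creation as medium, while the conhost child is ignored; the medium tier exists so that routine administration does not drown the Veeam-specific signal.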
In the attack that led to the deployment of the Fog ransomware, the threat actors are said to have dropped the ransomware onto an unprotected Hyper-V server, while using the rclone utility to exfiltrate data. Other ransomware deployments were unsuccessful.
Active exploitation of CVE-2024-40711 has also prompted guidance from NHS England, which notes that “enterprise backup and disaster recovery applications are valuable targets for cyber threat groups”.
The disclosure comes after Palo Alto Networks Unit 42 detailed a successor to the INC ransomware called Lynx, which has been active since July 2024 and targets retail, real estate, architecture, finance and environmental services organizations in the US and UK.
The emergence of Lynx is said to have been triggered by the sale of the INC ransomware source code on the criminal underground market back in March 2024, prompting malware authors to repackage the locker and create new variants.
“Lynx ransomware shares much of its source code with INC ransomware,” Unit 42 said. “INC ransomware originally appeared in August 2023 and had variants compatible with Windows and Linux.”
It also follows an advisory from the Health Sector Cybersecurity Coordination Center (HC3) of the U.S. Department of Health and Human Services (HHS) that at least one healthcare organization in the country has been victimized by Trinity ransomware, another relatively new ransomware player that first came to light in May 2024 and is believed to be a rebrand of the 2023Lock and Venus ransomware.
“This is a type of malware that infiltrates systems through multiple attack vectors, including phishing emails, malicious websites, and exploiting software vulnerabilities,” HC3 said. “Once inside a system, the Trinity ransomware uses a double extortion strategy to target its victims.”
Cyberattacks have also been observed delivering a MedusaLocker ransomware variant called BabyLockerKZ by a financially motivated threat actor known to be active since October 2022, with targets primarily located in the EU and South America.
“This attacker uses several well-known attack tools and LoLBins, as well as a set of tools created by the same developer (possibly the attacker) to aid in credential theft and lateral movement in compromised organizations,” Talos researchers said.
“These tools are basically wrappers around public tools that include additional features to streamline the attack process and provide a GUI or command-line interface.”