At least one group of threat actors, known to operate with various high-profile ransomware gangs, has targeted Veeam backup servers. The attackers took advantage of a high-severity vulnerability in Veeam Backup and Replication (VBR) software. It was due to an unauthenticated user being able to access encrypted credentials. Exploiting this vulnerability allowed the attackers to access the backup infrastructure hosts and run code remotely with the highest privileges.
The Veeam Backup and Replication (VBR) Vulnerability
On March 23, a pentesting company called Horizon3 released an exploit, demonstrating how an unsecured API endpoint. It is weak link to extract the credentials in plain text. Even though the software vendor had fixed the problem on March 7 and provided workaround instructions, there were still about 7,500 internet-exposed VBR hosts that seemed to be vulnerable, warned Huntress Labs.
Threats and Malicious Techniques Used by Threat Actors
The attackers’ malicious activities and tools were similar to those previously attributed to a notorious threat group, FIN7. The Finnish-based cybersecurity and privacy company did threat hunt exercise using telemetry data from Endpoint Detection and Response (EDR). When they investigated Veeam servers, it generated suspicious alerts such as ‘sqlservr.exe’, ‘spawning cmd.exe’, and downloading PowerShell scripts. A closer examination showed that the attackers initially executed PowerShell scripts, such as PowerTrash, containing a payload, the DiceLoader/Lizar backdoor.
Potential Consequences and Recommendations
WithSecure reported that the attackers successfully conducted lateral movement using stolen credentials, testing their access with WMI invocations and net share commands. Even if the exact method for invoking the initial shell commands remains unknown and evidence of exploiting the CVE-2023-27532 vulnerability was not clear, companies should prioritize patching the vulnerability since other threat actors may try to leverage it. Since the attackers’ ultimate objective in this campaign remains obscure, the intrusions may have concluded with deploying ransomware if the attack chain completes successfully, and data theft could have been another potential outcome.
The Connection Between Domino and FIN7
FIN7 is known for its partnerships with various ransomware operations, including those run by the infamous Conti syndicate, REvil, Maze, Egregor, and BlackBasta. Recently IBM researchers have published a study about FIN7 partnering with former Conti members to distribute a new malware strain called Domino that allows access to the compromised host and planting a Cobalt Strike beacon for increased persistence. The relationship between Domino and FIN7 was based on DiceLoader’s massive code overlap, which IBM researchers have noted in their report.
Experts recommend that the organizations utilizing Veeam Backup and Replication should carefully consider the information given. They should and check for signs of compromise on their network. The attackers have used malware, various commands, and custom scripts to gather system and network information before penetrating Veeam’s backup database and retrieving the necessary credentials. Persistence for DiceLoader was achieved through the custom PowerShell script called PowerHold; however, WithSecure has interrupted the attacks before the hackers could execute the final payload.
Recap: Veeam Backup Servers
Threat hunting highlights how the attackers were able to exploit a vulnerability. They got access to Veeam’s backup infrastructure by using custom scripts and commands. Their use of malicious activities and tools has shown the need for cybersecurity companies to be vigilant. This also means to be proactive measures to prevent such attacks.
