Veeam vulnerability exploited to deploy malware via compromised VPN credentials


Attackers are abusing a vulnerability in a popular Veeam backup product in attempts to deploy ransomware against their targets.

Cybersecurity researchers from Sophos X-Ops detailed their findings on Infosec Exchange, noting that the attackers are combining compromised credentials with vulnerability exploitation to deploy the Fog and Akira ransomware strains.

First, they gained initial access through VPN gateways protected by weak passwords and no multi-factor authentication (MFA); some of these VPNs were reportedly running unsupported software versions. From there, they exploited a vulnerability in Veeam Backup & Replication (VBR), tracked as CVE-2024-40711, to create a local account.

Akira and Fog

CVE-2024-40711 is a deserialization-of-untrusted-data flaw that allows unauthenticated remote code execution (RCE): by sending a crafted serialized payload to the VBR service, an attacker can run arbitrary code without first authenticating. It carries a CVSS score of 9.8 (critical). Veeam fixed the flaw in version 12.2 (build 12.2.0.334), released in September 2024; the vulnerability affects earlier VBR builds, specifically 12.1.2.172 and earlier.

Admins were advised to upgrade to the latest version to mitigate the risk of exploitation.

After creating the local account, the attackers attempted to deploy either Fog or Akira ransomware. Sophos' researchers have observed four such attack attempts so far.
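The two checks a defender would want after reading the above, as an added example (not Sophos's or Veeam's code): a conservative build-number comparison against the fixed build 12.2.0.334 quoted in the article, and a correlation over Windows Security events that flags a freshly created local account being added to the Administrators group on a backup host. Event IDs 4720 and 4732 are the standard Windows IDs for those two actions; the hostnames, account names and event records are constructed, the ten-minute window is arbitrary, and the assumption that an attacker would add the new account to Administrators is mine, not the article's.

```python
"""Triage helpers for CVE-2024-40711 exposure on a Veeam Backup & Replication host.

Added example, not Veeam's or Sophos's code. It assumes the build numbers quoted
in the article (12.2.0.334 fixed; 12.1.2.172 and earlier affected) and the Windows
Security event IDs 4720 (user account created) and 4732 (member added to a
security-enabled local group). All event records below are constructed.
"""
from datetime import datetime, timedelta

FIXED_BUILD = (12, 2, 0, 334)      # Veeam fix for CVE-2024-40711 (build 12.2.0.334)
LAST_AFFECTED = (12, 1, 2, 172)    # 12.1.2.172 and earlier listed as affected


def parse_build(version: str) -> tuple:
    """Turn a dotted build string such as '12.1.2.172' into a comparable tuple."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised build string: {version!r}")
    nums = tuple(int(p) for p in parts)
    # Pad to four components so '12.2' compares like '12.2.0.0'.
    return nums + (0,) * (4 - len(nums))


def is_vulnerable(version: str) -> bool:
    """Conservative check: anything below the fixed build is treated as exposed.

    Builds between 12.1.2.172 and 12.2.0.334 are not named in the advisory text
    quoted by the article, so they are treated as unpatched too (assumption).
    """
    return parse_build(version) < FIXED_BUILD


# --- detection: local account created, then added to Administrators -----------

ACCOUNT_CREATED = 4720            # "A user account was created"
LOCAL_GROUP_MEMBER_ADDED = 4732   # "A member was added to a security-enabled local group"


def find_privileged_account_creation(events, window=timedelta(minutes=10)):
    """Correlate 4720 -> 4732 (Administrators) for the same host/account within `window`.

    `events` is an iterable of dicts with keys: time (datetime), host, event_id,
    account, and for 4732 also group. Returns a list of (host, account) pairs.
    """
    created = {}   # (host, account) -> creation time
    hits = []
    for ev in sorted(events, key=lambda e: e["time"]):
        key = (ev["host"], ev["account"])
        if ev["event_id"] == ACCOUNT_CREATED:
            created[key] = ev["time"]
        elif ev["event_id"] == LOCAL_GROUP_MEMBER_ADDED and ev.get("group") == "Administrators":
            t0 = created.get(key)
            if t0 is not None and ev["time"] - t0 <= window:
                hits.append(key)
    return hits


# Constructed sample events: hostnames and account names are made up.
T = datetime(2024, 10, 1, 3, 14)
SAMPLE_EVENTS = [
    {"time": T, "host": "VBR01", "event_id": 4720, "account": "svc_bk"},
    {"time": T + timedelta(minutes=1), "host": "VBR01", "event_id": 4732,
     "account": "svc_bk", "group": "Administrators"},
    {"time": T + timedelta(minutes=1), "host": "VBR01", "event_id": 4732,
     "account": "svc_bk", "group": "Remote Desktop Users"},
    {"time": T + timedelta(hours=2), "host": "FS02", "event_id": 4720, "account": "jsmith"},
    # Same pattern on FS02, but three hours apart: outside the window, so not flagged.
    {"time": T + timedelta(hours=5), "host": "FS02", "event_id": 4732,
     "account": "jsmith", "group": "Administrators"},
]

if __name__ == "__main__":
    for v in ("12.1.2.172", "12.2.0.334", "12.2.0.400"):
        print(v, "vulnerable" if is_vulnerable(v) else "patched")
    print(find_privileged_account_creation(SAMPLE_EVENTS))
```

On a real VBR server the build string comes from the installed product version and the events from the Security log of that host; the correlation is deliberately narrow (same host, same account, short window) so that routine account provisioning elsewhere does not trip it.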

“These cases underline the importance of patching known vulnerabilities, updating/replacing out-of-support VPNs, and using multifactor authentication to control remote access. Sophos X-Ops continues to track this threat behavior.”

Despite only a handful of recorded attack attempts, the activity was significant enough to prompt an advisory from NHS England. As reported by The Hacker News, the advisory stressed that enterprise backup and disaster recovery applications are "valuable targets" for cybercriminals everywhere.

Via The Hacker News


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.