Threat actors are actively exploiting a now-patched security flaw in Veeam Backup & Replication to deploy Akira and Fog ransomware.
Cybersecurity vendor Sophos said it has been tracking a series of attacks over the past month that used compromised VPN credentials and CVE-2024-40711 to create a local account and deploy the ransomware.
CVE-2024-40711, rated 9.8 out of 10.0 on the Common Vulnerability Scoring System (CVSS) scale, is a critical vulnerability that allows unauthenticated remote code execution. Veeam fixed it in Backup & Replication version 12.2 in early September 2024.
Discovery and reporting of the flaw is credited to security researcher Florian Hauser of Germany-based CODE WHITE.
“In all these instances, attackers first infiltrated targets by exploiting compromised VPN gateways lacking multi-factor authentication,” as per Sophos statements. “Some of these VPNs were using outdated software versions.”
“Each time, the attackers manipulated VEEAM on the URI /trigger on port 8000, invoking the Veeam.Backup.MountService.exe to invoke net.exe. The exploit generates a local account, ‘point,’ integrating it into the local Administrators and Remote Desktop Users groups.”
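As an added example (not part of the Sophos report or the original article), the following Python detection logic scans Sysmon-style process-creation records (Event ID 1 fields ParentImage, Image and CommandLine) for the chain described above: Veeam.Backup.MountService.exe spawning net.exe to add a local account or change local group membership. The sample events, the account name and the password are constructed for this illustration.

```python
import re
from typing import Iterable

VEEAM_DIR = r"C:\Program Files\Veeam\Backup and Replication\Backup"

# Constructed Sysmon Event ID 1 style records (not from any real incident).
# The first three mirror the post-exploitation steps Sophos describes;
# the last two are benign activity that must not be flagged.
SAMPLE_EVENTS = [
    {"ParentImage": VEEAM_DIR + r"\Veeam.Backup.MountService.exe",
     "Image": r"C:\Windows\System32\net.exe",
     "CommandLine": "net user point Constructed-Pw-1 /add"},
    {"ParentImage": VEEAM_DIR + r"\Veeam.Backup.MountService.exe",
     "Image": r"C:\Windows\System32\net.exe",
     "CommandLine": "net localgroup Administrators point /add"},
    {"ParentImage": VEEAM_DIR + r"\Veeam.Backup.MountService.exe",
     "Image": r"C:\Windows\System32\net1.exe",
     "CommandLine": 'net1 localgroup "Remote Desktop Users" point /add'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\net.exe",
     "CommandLine": r"net use Z: \\fileserver\share"},
    {"ParentImage": VEEAM_DIR + r"\Veeam.Backup.MountService.exe",
     "Image": r"C:\Windows\System32\mountvol.exe",
     "CommandLine": "mountvol"},
]

VEEAM_MOUNT_SERVICE = "veeam.backup.mountservice.exe"
NET_BINARIES = {"net.exe", "net1.exe"}
# "net user <name> ... /add" or "net localgroup <group> <name> /add"
ACCOUNT_CHANGE = re.compile(r"\b(user|localgroup)\b.*\s/add\b", re.IGNORECASE)


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_suspicious(event: dict) -> bool:
    """True when the Veeam mount service spawns net.exe/net1.exe to add an
    account or alter local group membership."""
    return (basename(event.get("ParentImage", "")) == VEEAM_MOUNT_SERVICE
            and basename(event.get("Image", "")) in NET_BINARIES
            and ACCOUNT_CHANGE.search(event.get("CommandLine", "")) is not None)


def find_suspicious(events: Iterable[dict]) -> list:
    """Return every event that matches the detection rule."""
    return [e for e in events if is_suspicious(e)]


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS):
        print("ALERT: Veeam mount service ->", hit["CommandLine"])
```

The rule keys on the parent/child relationship rather than on the account name "point", so a renamed account in a later campaign is still caught.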
In the incident that led to the deployment of Fog ransomware, the attackers reportedly dropped the ransomware on an unprotected Hyper-V server and used the rclone tool to exfiltrate data. The other ransomware deployments were unsuccessful.
Active exploitation of CVE-2024-40711 has prompted an advisory from NHS England, which noted that “enterprise backup and disaster recovery applications are high-priority targets for cyber threat groups.”
The disclosure comes as Palo Alto Networks Unit 42 detailed a new ransomware family called Lynx, which has emerged as a successor to INC ransomware since July 2024 and targets organizations in the retail, real estate, architecture, financial, and environmental services sectors in the U.S. and U.K.
The emergence of Lynx is reportedly linked to the sale of INC ransomware’s source code on the criminal underground as early as March 2024, with malware authors repackaging the locker to spawn new variants.
“Lynx ransomware shares a significant portion of its source code with INC ransomware,” stated Unit 42. “INC ransomware first surfaced in August 2023 and had editions compatible with both Windows and Linux.”
Separately, an advisory from the U.S. Department of Health and Human Services (HHS) Health Sector Cybersecurity Coordination Center (HC3) stated that at least one healthcare entity in the U.S. had been hit by Trinity ransomware, another relatively new ransomware family that was first identified in May 2024 and is suspected to be a rebrand of the 2023Lock and Venus ransomware strains.
“It is a breed of malicious software that penetrates systems through various attack channels, including phishing emails, malicious websites, and exploitation of software vulnerabilities,” the HC3 pointed out. “Once inside the system, Trinity ransomware adopts a double extortion mechanism to target its victims.”
Attacks have also been observed delivering a variant of MedusaLocker ransomware dubbed BabyLockerKZ by a financially motivated threat actor that has been active since October 2022, with targets located primarily in E.U. countries and South America.
“This attacker utilizes multiple publicly accessible attack tools and living-off-the-land binaries (LoLBins), a package of tools constructed by the same developer (possibly the attacker) to facilitate credential theft and lateral movement within compromised organizations,” Talos researchers said.
“These tools primarily serve as wrappers around publicly accessible tools, integrating extra functionalities to streamline the attack process and deliver graphical or command-line interfaces.”