New Ransomware Group Exploiting Veeam Backup Software Vulnerability

Jul 10, 2024 | Newsroom | Data Breach / Malware

A now-patched security flaw in Veeam Backup & Replication software is being exploited by a nascent ransomware operation known as EstateRansomware.


Singapore-headquartered Group-IB, which first observed the threat actor in early April 2024, said the group's tactics included exploiting CVE-2023-27532 (CVSS score: 7.5) to carry out its operations. The flaw, which Veeam patched in March 2023, allows an unauthenticated attacker with network access to the backup server's Veeam.Backup.Service (TCP port 9401) to retrieve encrypted credentials stored in the configuration database, which in turn can be used to reach the backup infrastructure hosts.

Initial access to the target environment was reportedly gained through a Fortinet FortiGate firewall's SSL VPN, using a dormant account.

In an analysis published today, security researcher Yeo Zi Wei said, "The threat actor moved laterally from the FortiGate Firewall through the SSL VPN service to access the failover server."


“Before the ransomware assault, there were recorded VPN brute-force attempts in April 2024 utilizing an identified inactive account named ‘Acc1.’ Shortly after, a successful VPN login with ‘Acc1’ was traced back to remote IP address 149.28.106[.]252.”
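The pattern Group-IB describes, a burst of failed VPN logins against a dormant account followed by a success from the same remote IP, is straightforward to detect from firewall logs. The following is an added example written for this article, not Group-IB's or Fortinet's code. The sample log lines are constructed in FortiGate key=value syslog style; the field names (action, user, remip) follow the FortiGate event-log schema, but the exact action strings used here ("ssl-login-fail", "tunnel-up") and the dormant-account list are assumptions and should be checked against your own firmware and directory before use.

```python
"""Detect an SSL VPN brute-force burst that ends in a successful login,
the pattern reported for the dormant account "Acc1" above.

Added example (not Group-IB's or Fortinet's code).  The sample log lines
are constructed in FortiGate key=value syslog style; the action strings
"ssl-login-fail" and "tunnel-up" are assumed and should be verified
against the FortiOS version in your environment.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: six failures against "Acc1" within a minute, then a
# successful tunnel from the remote IP the article reports, plus a normal
# user with one typo and a successful login (must not alert).
SAMPLE_LOGS = """\
date=2024-04-02 time=02:10:03 type="event" subtype="vpn" action="ssl-login-fail" user="Acc1" remip=149.28.106.252
date=2024-04-02 time=02:10:05 type="event" subtype="vpn" action="ssl-login-fail" user="Acc1" remip=149.28.106.252
date=2024-04-02 time=02:10:08 type="event" subtype="vpn" action="ssl-login-fail" user="Acc1" remip=149.28.106.252
date=2024-04-02 time=02:10:12 type="event" subtype="vpn" action="ssl-login-fail" user="Acc1" remip=149.28.106.252
date=2024-04-02 time=02:10:17 type="event" subtype="vpn" action="ssl-login-fail" user="Acc1" remip=149.28.106.252
date=2024-04-02 time=02:10:25 type="event" subtype="vpn" action="ssl-login-fail" user="Acc1" remip=149.28.106.252
date=2024-04-02 time=02:10:41 type="event" subtype="vpn" action="tunnel-up" user="Acc1" remip=149.28.106.252
date=2024-04-02 time=08:00:12 type="event" subtype="vpn" action="ssl-login-fail" user="jsmith" remip=203.0.113.9
date=2024-04-02 time=08:00:40 type="event" subtype="vpn" action="tunnel-up" user="jsmith" remip=203.0.113.9
"""

# Assumed: accounts that should never log in (disabled, or unused for 90+ days).
DORMANT_ACCOUNTS = {"Acc1"}

KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_line(line):
    """Turn one key=value syslog line into a dict; adds a datetime under 'ts'."""
    fields = {}
    for key, raw, quoted, bare in KV_RE.findall(line):
        fields[key] = quoted if raw.startswith('"') else bare
    fields["ts"] = datetime.strptime(
        fields["date"] + " " + fields["time"], "%Y-%m-%d %H:%M:%S")
    return fields


def detect_bruteforce_then_success(log_text, fail_threshold=5,
                                   window=timedelta(minutes=10)):
    """Return one alert per account whose successful VPN login was preceded by
    at least `fail_threshold` failures within `window`.  Failures are tracked
    per account rather than per source IP, so a success from a different IP
    than the failures still alerts (sprayed from one host, used from another).
    """
    events = sorted(
        (parse_line(l) for l in log_text.splitlines() if l.strip()),
        key=lambda e: e["ts"])
    recent_failures = defaultdict(list)   # user -> failure timestamps
    alerts = []
    for ev in events:
        if ev.get("subtype") != "vpn":
            continue
        user = ev.get("user", "<unknown>")
        if ev.get("action") == "ssl-login-fail":
            recent_failures[user].append(ev["ts"])
        elif ev.get("action") == "tunnel-up":
            in_window = [t for t in recent_failures[user]
                         if ev["ts"] - t <= window]
            if len(in_window) >= fail_threshold:
                dormant = user in DORMANT_ACCOUNTS
                alerts.append({
                    "user": user,
                    "failures_before_success": len(in_window),
                    "success_ip": ev.get("remip"),
                    "success_time": ev["ts"].isoformat(),
                    "dormant_account": dormant,
                    # A dormant account that suddenly authenticates is the
                    # stronger signal: nobody legitimate should be using it.
                    "severity": "critical" if dormant else "high",
                })
            recent_failures[user].clear()
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce_then_success(SAMPLE_LOGS):
        print(alert)
```

The threshold and window are deliberately conservative; the more important control is the dormant-account list, since a successful login on an account that should be disabled is worth an alert on its own, with or without preceding failures.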

The threat actor then established RDP connections from the firewall to the failover server and dropped a persistent backdoor named "svchost.exe", executed daily through a scheduled task.

Subsequent access to the network was routed through the backdoor to avoid detection. The backdoor's primary function is to connect to a command-and-control (C2) server over HTTP and execute arbitrary commands issued by the attacker.
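A backdoor named after a core Windows binary and launched by a scheduled task gives defenders a concrete check: the task's action path. The genuine svchost.exe lives only under System32 or SysWOW64, so any task that runs a file of that name from elsewhere is masquerading. The following is an added example, not Group-IB's code. Its input records stand in for Windows Security event 4698 ("A scheduled task was created"), which carries the task definition XML; the three sample records, their task names and their file paths are constructed for the demonstration.

```python
"""Spot scheduled tasks whose action masquerades as a Windows system binary,
such as the "svchost.exe" backdoor run daily via a scheduled task above.

Added example, not Group-IB's code.  Records stand in for Security event
4698 (task creation), which includes the Task Scheduler XML.  The sample
records, task names and paths below are constructed.
"""
import ntpath
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Binaries that only belong in the Windows system directories.  A task that
# launches a file with one of these names from anywhere else is masquerading.
SYSTEM_BINARY_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "services.exe",
                       "smss.exe", "winlogon.exe", "wininit.exe", "explorer.exe"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def _task_xml(command, daily, author):
    """Build a minimal Task Scheduler XML body for the constructed samples."""
    trigger = ("<CalendarTrigger><StartBoundary>2024-04-03T03:00:00</StartBoundary>"
               "<ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>"
               "</CalendarTrigger>") if daily else "<LogonTrigger/>"
    return (f'<Task version="1.2" xmlns="{TASK_NS["t"]}">'
            f"<RegistrationInfo><Author>{author}</Author></RegistrationInfo>"
            f"<Triggers>{trigger}</Triggers>"
            f'<Actions Context="Author"><Exec><Command>{command}</Command></Exec></Actions>'
            "</Task>")


# Constructed 4698-style records: one benign Microsoft task, one backdoor in
# a user-writable directory, and one svchost.exe from the real system path
# (passes the path check; whether a task should launch svchost.exe at all
# is a separate question for the analyst).
SAMPLE_4698_EVENTS = [
    {"host": "FAILOVER01", "task_name": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "task_content": _task_xml(r"%windir%\system32\defrag.exe", daily=False,
                               author="Microsoft Corporation")},
    {"host": "FAILOVER01", "task_name": r"\SystemHealthCheck",
     "task_content": _task_xml(r"C:\Users\Public\svchost.exe", daily=True,
                               author="FAILOVER01\\Administrator")},
    {"host": "FAILOVER01", "task_name": r"\ServiceHostMaintenance",
     "task_content": _task_xml(r"%SystemRoot%\System32\svchost.exe", daily=True,
                               author="FAILOVER01\\Administrator")},
]


def normalize_command(command):
    """Strip quotes, expand the two common SystemRoot variables, normalize."""
    cmd = command.strip().strip('"')
    lowered = cmd.lower()
    for var in ("%systemroot%", "%windir%"):
        if lowered.startswith(var):
            cmd = r"C:\Windows" + cmd[len(var):]
            break
    return ntpath.normpath(cmd)


def inspect_task(event):
    """Return the event's host/task plus a list of findings (empty = clean)."""
    root = ET.fromstring(event["task_content"])
    findings = []
    for exec_node in root.iterfind(".//t:Actions/t:Exec", TASK_NS):
        raw = exec_node.findtext("t:Command", default="", namespaces=TASK_NS)
        full = normalize_command(raw)
        name = ntpath.basename(full).lower()
        directory = ntpath.dirname(full).lower()
        if name in SYSTEM_BINARY_NAMES and directory not in SYSTEM_DIRS:
            findings.append(
                f"masquerading system binary: {name} launched from "
                f"{directory or '<no path; resolved via PATH>'}")
    daily = root.find(".//t:Triggers/t:CalendarTrigger/t:ScheduleByDay",
                      TASK_NS) is not None
    author = root.findtext(".//t:RegistrationInfo/t:Author", default="",
                           namespaces=TASK_NS)
    return {"host": event["host"], "task": event["task_name"],
            "author": author, "daily": daily, "findings": findings}


def scan_tasks(events):
    """Inspect every 4698-style record and return the per-task results."""
    return [inspect_task(e) for e in events]


if __name__ == "__main__":
    for result in scan_tasks(SAMPLE_4698_EVENTS):
        if result["findings"]:
            print(result)
```

On a live host the same XML is available from `schtasks /query /xml` or the Task Scheduler PowerShell module, so the check can be run as a sweep across servers as well as against the 4698 event stream; a daily trigger plus a non-Microsoft author on a system-binary name is the combination worth escalating first.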

Group-IB observed the actor exploiting CVE-2023-27532 to enable the xp_cmdshell stored procedure on the backup server, create a rogue user account named "VeeamBkp," and then use that account for network discovery, enumeration, and credential harvesting with tools such as NetScan, AdFind, and NitSoft.

"This exploitation potentially originated from the VeeamHax folder on the file server against the vulnerable version of Veeam Backup & Replication software installed on the backup server," Zi Wei said.

“This action facilitated the activation of the xp_cmdshell stored procedure and subsequent establishment of the ‘VeeamBkp’ account.”


The attack culminated in the deployment of the ransomware, but not before the actor impaired defenses and moved laterally from the AD server to all other servers and workstations using compromised domain accounts.

“Windows Defender was permanently disabled using DC.exe [Defender Control], followed by ransomware deployment and execution with PsExec.exe,” Group-IB revealed.
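Taken individually, each step above has a benign explanation: DBAs enable xp_cmdshell, admins create service accounts and run PsExec. What distinguishes the intrusion is several of them landing on one host within hours. The following is an added example, not Group-IB's code, that correlates the indicators from the xp_cmdshell/VeeamBkp stage and from the Defender/PsExec stage on a per-host timeline. Records are pre-normalized as a SIEM would present them (timestamp, host, source, event ID, message) and the sample rows are constructed. The event IDs are the standard Windows ones (Security 4720, System 7045, Defender Operational 5001); the SQL Server ERRORLOG text for an xp_cmdshell change is the real message, the other message bodies are abbreviated, and the "product-named account" pattern is a heuristic taken from this case rather than a general rule.

```python
"""Correlate the post-exploitation indicators described above on a per-host
timeline: xp_cmdshell enabled on the backup server's SQL Server, creation of
a product-named account such as "VeeamBkp", Defender real-time protection
switched off, and PsExec installing its service for the ransomware push.

Added example, not Group-IB's code.  Sample records are constructed; the
xp_cmdshell ERRORLOG message is the genuine SQL Server text, the other
message bodies are abbreviated, and the account-name pattern is a
case-specific heuristic.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_EVENTS = [
    # (timestamp, host, source, event_id, message)  -- constructed
    ("2024-04-03T21:14:02", "BACKUP01", "sqlserver-errorlog", None,
     "Configuration option 'xp_cmdshell' changed from 0 to 1. "
     "Run the RECONFIGURE statement to install."),
    ("2024-04-03T21:15:40", "BACKUP01", "security", 4720,
     "A user account was created. Target Account Name: VeeamBkp"),
    ("2024-04-05T02:01:10", "DC01", "defender-operational", 5001,
     "Real-time protection is disabled."),
    ("2024-04-05T02:03:55", "DC01", "system", 7045,
     "A service was installed in the system. Service Name: PSEXESVC "
     "Service File Name: %SystemRoot%\\PSEXESVC.exe"),
    # A lone PsExec run two weeks earlier on an admin workstation: one
    # indicator only, so it must not produce an alert by itself.
    ("2024-03-20T10:00:00", "WKS07", "system", 7045,
     "A service was installed in the system. Service Name: PSEXESVC "
     "Service File Name: %SystemRoot%\\PSEXESVC.exe"),
]

XP_CMDSHELL_ON_RE = re.compile(
    r"Configuration option 'xp_cmdshell' changed from 0 to 1")
TARGET_ACCOUNT_RE = re.compile(r"Target Account Name:\s*(\S+)")
# Heuristic from this intrusion: new accounts named after the backup product.
PRODUCT_NAMED_ACCOUNT_RE = re.compile(r"veeam|backup|bkp", re.I)


def classify(event):
    """Map one normalized record to an indicator label, or None if benign."""
    _ts, _host, source, event_id, msg = event
    if source == "sqlserver-errorlog" and XP_CMDSHELL_ON_RE.search(msg):
        return "xp_cmdshell_enabled"
    if source == "security" and event_id == 4720:
        m = TARGET_ACCOUNT_RE.search(msg)
        if m and PRODUCT_NAMED_ACCOUNT_RE.search(m.group(1)):
            return "product_named_account_created"
    if source == "system" and event_id == 7045 and "PSEXESVC" in msg.upper():
        return "psexec_service_installed"
    if source == "defender-operational" and event_id == 5001:
        return "defender_realtime_protection_disabled"
    return None


def correlate(events, window=timedelta(hours=24), min_indicators=2):
    """Alert on any host showing >= min_indicators distinct indicators
    within `window`.  One indicator alone is routine admin noise; two or
    more on the same host inside a day matches the hands-on-keyboard
    sequence described in the case."""
    per_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e[0]):
        label = classify(ev)
        if label:
            per_host[ev[1]].append((datetime.fromisoformat(ev[0]), label))
    alerts = []
    for host, hits in per_host.items():
        for i, (start, _) in enumerate(hits):
            cluster = {lbl for t, lbl in hits[i:] if t - start <= window}
            if len(cluster) >= min_indicators:
                alerts.append({"host": host,
                               "first_seen": start.isoformat(),
                               "indicators": sorted(cluster)})
                break   # one alert per host is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

The xp_cmdshell indicator is the one most worth wiring up on a Veeam backup server specifically: the product does not need the procedure enabled, so a 0-to-1 change in the ERRORLOG of the instance hosting the Veeam configuration database is almost never legitimate and deserves a high-priority review on its own.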


The findings come as Cisco Talos disclosed that most ransomware groups prioritize establishing initial access through security flaws in public-facing applications, phishing attachments, or compromised valid accounts, and then work to bypass defenses as part of their attack chains.

The double extortion tactic of exfiltrating data before encrypting files has led the attackers to develop custom tools (e.g., Exmatter, Exbyte, and StealBit) to transfer confidential data to adversary-controlled infrastructure.

This requires the criminal groups to maintain prolonged access so they can study the environment: understand the network's layout, locate resources that can aid the attack, escalate privileges or blend in, and identify valuable data to steal.

“In the past year, we have observed significant changes in the ransomware landscape with the emergence of multiple new ransomware groups, each showcasing distinct objectives, operational structures, and victimology,” Talos noted.

“This diversification highlights a shift towards more boutique-targeted cybercriminal activities, as groups such as Hunters International, Cactus, and Akira carve out specific niches, focusing on unique operational objectives and stylistic choices to differentiate themselves.”
