
Executive Summary
In recent developments, the Akira and Fog ransomware groups have been observed exploiting a critical remote code execution (RCE) vulnerability in Veeam Backup & Replication (VBR) servers. This vulnerability, identified as CVE-2024-40711, poses significant risks to organizations utilizing Veeam's data protection solutions. The flaw allows unauthenticated attackers to execute arbitrary code, leading to potential data breaches and ransomware deployment. This report covers the technical details of the vulnerability and its exploitation in the wild, and provides actionable mitigation strategies to safeguard affected systems.
Technical Information
The vulnerability CVE-2024-40711 is a result of improper deserialization of untrusted data within Veeam Backup & Replication (VBR) servers. This flaw affects Veeam Backup & Replication version 12.1.2.172 and all earlier versions. Disclosed on September 4, 2024, and patched on the same day, the vulnerability allows attackers to execute arbitrary code on vulnerable servers without requiring authentication. The technical analysis by watchTowr Labs highlights that the vulnerability stems from the mishandling of serialized data, enabling low-complexity attacks. The exploitation process involves sending specially crafted serialized objects to the VBR server, which, when deserialized, execute malicious code. This vulnerability is particularly dangerous as it does not require prior authentication, making it an attractive target for threat actors.
Exploitation in the Wild
The Akira and Fog ransomware groups have rapidly adopted this RCE flaw, leveraging it to escalate privileges and deploy ransomware. Sophos X-Ops incident responders have observed these groups using compromised credentials to gain initial access. The attack vectors include exploiting unsupported VPN software versions and deploying ransomware on unprotected Hyper-V servers. Data exfiltration is often conducted using tools like rclone. Indicators of Compromise (IOCs) include the creation of a "point" local account in Administrators and Remote Desktop Users groups and the use of rclone for data exfiltration.
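The two indicators named above (a new local account called "point" placed in the Administrators or Remote Desktop Users groups, and rclone being launched) can be correlated from standard Windows Security events: 4720 (user account created), 4732 (member added to a security-enabled local group) and 4688 (process creation). The script below is an added example, not code from the report or from Sophos; the event records are constructed and simplified (one dict per event, group given by its well-known SID, member given by name rather than the SID a real 4732 event carries), so a deployment would map the fields from a SIEM or Get-WinEvent export instead.

```python
"""Correlate Windows Security events for the IOCs described in the report.

Added example, not part of the original report. SAMPLE_EVENTS is a constructed,
simplified record set; real 4720/4732/4688 events carry more fields.
"""
from collections import defaultdict

# Well-known local group SIDs (standard on every Windows install).
ADMINISTRATORS_SID = "S-1-5-32-544"
REMOTE_DESKTOP_USERS_SID = "S-1-5-32-555"
WATCHED_GROUPS = {
    ADMINISTRATORS_SID: "Administrators",
    REMOTE_DESKTOP_USERS_SID: "Remote Desktop Users",
}
SUSPECT_ACCOUNT = "point"      # account name reported in the Sophos observations
EXFIL_TOOLS = {"rclone.exe"}   # exfiltration tool named in the report

# Constructed sample events (assumed field names; not real telemetry).
SAMPLE_EVENTS = [
    {"host": "VBR01", "event_id": 4720, "target_user": "point", "subject_user": "SYSTEM"},
    {"host": "VBR01", "event_id": 4732, "group_sid": ADMINISTRATORS_SID, "member": "point"},
    {"host": "VBR01", "event_id": 4732, "group_sid": REMOTE_DESKTOP_USERS_SID, "member": "point"},
    {"host": "VBR01", "event_id": 4688, "new_process": r"C:\Windows\Temp\rclone.exe",
     "subject_user": "point"},
    # Benign noise: a service account created and added to Administrators by an admin.
    {"host": "HV02", "event_id": 4720, "target_user": "svc-backup", "subject_user": "admin"},
    {"host": "HV02", "event_id": 4732, "group_sid": ADMINISTRATORS_SID, "member": "svc-backup"},
    # Benign noise: the backup service itself starting.
    {"host": "FS03", "event_id": 4688,
     "new_process": r"C:\Program Files\Veeam\Backup\Veeam.Backup.Service.exe",
     "subject_user": "SYSTEM"},
]


def _basename(path):
    """Last path component, lower-cased, accepting either slash style."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def correlate(events):
    """Group the three indicators by host and rate each host.

    Returns {host: {...}} containing only hosts with at least one indicator.
    Severity: one indicator -> medium, two -> high, all three -> critical.
    """
    per_host = defaultdict(dict)
    for ev in events:
        h = per_host[ev["host"]]
        eid = ev["event_id"]
        if eid == 4720 and ev["target_user"].lower() == SUSPECT_ACCOUNT:
            h["account_created"] = True
        elif (eid == 4732 and ev["group_sid"] in WATCHED_GROUPS
              and ev["member"].lower() == SUSPECT_ACCOUNT):
            h.setdefault("groups", set()).add(WATCHED_GROUPS[ev["group_sid"]])
        elif eid == 4688 and _basename(ev["new_process"]) in EXFIL_TOOLS:
            h.setdefault("exfil_tools", set()).add(_basename(ev["new_process"]))

    results = {}
    for host, h in per_host.items():
        if not h:
            continue  # no indicator seen on this host
        score = sum(1 for k in ("account_created", "groups", "exfil_tools") if h.get(k))
        h["severity"] = {1: "medium", 2: "high", 3: "critical"}[score]
        results[host] = h
    return results


if __name__ == "__main__":
    for host, finding in correlate(SAMPLE_EVENTS).items():
        print(host, finding["severity"], sorted(finding.get("groups", ())),
              sorted(finding.get("exfil_tools", ())))
```

Each indicator on its own is weak (administrators do create accounts, and rclone has legitimate uses), which is why the rating is driven by how many of them coincide on one host; in practice the account name should be treated as one observed value rather than the only one to watch for.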
APT Groups using this vulnerability
The Akira and Fog ransomware groups are financially motivated threat actors known for targeting critical infrastructure and IT companies. Their tactics, techniques, and procedures (TTPs) align with those of other notorious ransomware groups. Additionally, the FIN7 group, known for its connections to Conti, REvil, Maze, Egregor, and BlackBasta ransomware operations, has previously exploited Veeam vulnerabilities in similar attacks.
Affected Product Versions
The vulnerability affects Veeam Backup & Replication version 12.1.2.172 and all earlier versions. Organizations using these versions are at risk and should prioritize patching to mitigate potential exploitation.
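Deciding which servers in an inventory still fall inside "12.1.2.172 and all earlier versions" is a version comparison, and comparing build strings as text gets it wrong (as strings, "12.10.0.1" sorts below "12.2.0.1"). The snippet below is an added example, not Veeam's code; the only real version number in it is the 12.1.2.172 cutoff stated above, and the other build strings in the sample inventory are constructed placeholders, not actual Veeam releases.

```python
"""Triage an inventory against the affected-version range from the report.

Added example, not Veeam's code. AFFECTED_MAX is the build the report names;
SAMPLE_INVENTORY is constructed and its other version strings are placeholders.
"""

AFFECTED_MAX = "12.1.2.172"  # from the report: this build and every earlier one


def parse_version(version):
    """Turn a dotted build string into a tuple of ints for numeric comparison.

    A shorter string compares as a prefix, so "12.1.2" counts as affected,
    which is the safe default when the full build number is unknown.
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_affected(version, cutoff=AFFECTED_MAX):
    """True when the build is at or below the cutoff named in the report."""
    return parse_version(version) <= parse_version(cutoff)


def triage(inventory):
    """inventory: {hostname: version string}. Returns hosts on an affected build."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver))


# Constructed inventory; version strings other than 12.1.2.172 are placeholders.
SAMPLE_INVENTORY = {
    "vbr-prod-01": "12.1.2.172",   # the last affected build per the report
    "vbr-prod-02": "12.2.0.1",     # placeholder for a later, patched build
    "vbr-legacy-01": "11.0.0.1",   # placeholder for an old build
    "vbr-lab-01": "12.10.0.1",     # placeholder: string-compare would misrank this
}

if __name__ == "__main__":
    print("still affected:", triage(SAMPLE_INVENTORY))
```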
Workaround and Mitigation
To mitigate the risks associated with CVE-2024-40711, organizations should immediately apply the latest security patches released by Veeam. Enforcing multifactor authentication (MFA) on all remote access gateways is crucial. Regularly auditing and updating VPN software to supported versions can prevent initial access through compromised gateways. Long-term measures include implementing network segmentation to limit lateral movement, conducting regular security assessments and penetration testing, and monitoring for unusual account activities and unauthorized access attempts.
References
For further reading and technical details, please refer to the following resources:
- Bleeping Computer Article: Akira and Fog ransomware now exploit critical Veeam RCE flaw (https://www.bleepingcomputer.com/news/security/akira-and-fog-ransomware-now-exploiting-critical-veeam-rce-flaw/)
- Veeam Security Advisory: Veeam Backup & Replication Vulnerability Disclosure (https://www.veeam.com/security/advisories)
- watchTowr Labs Technical Analysis: CVE-2024-40711 Analysis (https://github.com/watchtowrlabs/CVE-2024-40711)
- Censys Report: Unauthenticated RCE in Veeam Backup & Replication (https://censys.com/cve-2024-40711/)
Rescana is here for you
At Rescana, we are committed to helping our customers navigate the complex cybersecurity landscape. Our Continuous Threat and Exposure Management (CTEM) platform provides comprehensive solutions to identify, assess, and mitigate vulnerabilities. We encourage organizations to reach out to our cybersecurity team for further assistance or inquiries. Please contact us at ops@rescana.com for any questions regarding this report or other cybersecurity concerns.