
Exploiting CVE-2024-40711: Akira and Fog Ransomware Target Veeam Backup & Replication Systems


Executive Summary

The Akira and Fog ransomware groups have been observed exploiting a critical remote code execution (RCE) vulnerability in Veeam Backup & Replication (VBR) servers. The flaw, tracked as CVE-2024-40711, is an unsafe-deserialization bug that lets an unauthenticated attacker execute arbitrary code on the backup server, and because VBR typically holds credentials for every system it protects, a compromised backup server is a direct path to data theft and ransomware deployment across the environment. This report covers the technical nature of the vulnerability, how it is being exploited in the wild, and the mitigation steps organizations should take.

Technical Information

CVE-2024-40711 is caused by deserialization of untrusted data within the Veeam Backup & Replication (VBR) server. It affects Veeam Backup & Replication version 12.1.2.172 and all earlier version 12 builds, and it carries a CVSS score of 9.8 (Critical). Veeam disclosed the issue on September 4, 2024; the fix is included in version 12.2 (build 12.2.0.334), which was already available at the time of disclosure. The technical analysis by watchTowr Labs shows that the VBR service accepts serialized .NET objects from a client and deserializes them without adequate type restrictions, so an attacker who can reach the service can submit a crafted serialized object whose deserialization chain ends in code execution. Exploitation requires no credentials and is low in complexity, which is why the flaw was adopted by ransomware operators within weeks of disclosure. Note that a VBR server normally stores the credentials it uses to reach hypervisors, file servers and other protected systems, so code execution on it is rarely the end of an intrusion.

Exploitation in the Wild

The Akira and Fog ransomware groups adopted this RCE flaw quickly after disclosure. In the incidents investigated by Sophos X-Ops, initial access came through compromised credentials on VPN gateways that lacked multifactor authentication, some of which were running unsupported software versions. The attackers then exploited CVE-2024-40711 on the VBR server to create a local account named "point" and add it to the Administrators and Remote Desktop Users groups, giving them persistent privileged access to the backup infrastructure. In one Fog case the ransomware was deployed to an unprotected Hyper-V server, and data was exfiltrated with rclone. Indicators of Compromise (IOCs) therefore include the creation of a local "point" account, the addition of that account to the Administrators and Remote Desktop Users groups, and rclone execution on backup or hypervisor hosts.

APT Groups using this vulnerability

The Akira and Fog ransomware groups are financially motivated threat actors that have targeted critical infrastructure and IT companies. Their tactics, techniques, and procedures (TTPs) align with those of other established ransomware operations. Separately, the FIN7 group, which has been linked to the Conti, REvil, Maze, Egregor, and BlackBasta ransomware operations, previously exploited an earlier Veeam Backup & Replication vulnerability (CVE-2023-27532) in similar attacks, so backup servers have been a recurring target for these actors.

Affected Product Versions

The vulnerability affects Veeam Backup & Replication version 12.1.2.172 and all earlier version 12 builds. The fixed release is version 12.2 (build 12.2.0.334). Organizations running an affected build are at risk and should prioritize upgrading.

Workaround and Mitigation

To mitigate the risks associated with CVE-2024-40711, organizations should first confirm the installed VBR build and upgrade to version 12.2 (build 12.2.0.334) or later without delay; Veeam has published no workaround for this flaw. Because the observed intrusions began with stolen VPN credentials, enforcing multifactor authentication (MFA) on all remote access gateways and keeping VPN software on supported, patched versions removes the initial access path used in these attacks. Backup servers should not be reachable from general user networks or from the internet. Longer-term measures include network segmentation to limit lateral movement, regular security assessments and penetration testing, and monitoring for the account-creation and group-membership changes described above, including new local accounts on VBR servers and any appearance of rclone or similar transfer tools on backup and hypervisor hosts.
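The following script is an added example written for this report; it is not code from Rescana, Veeam, Sophos or watchTowr. It turns the facts above into two checks a defender can run: a build-number test against the advisory boundary for the Affected Product Versions section, and a hunt over Windows Security event records for the IOCs described in the Exploitation in the Wild section (local account "point" created, added to Administrators or Remote Desktop Users, and rclone launched). The event records are constructed sample data in the shape of Windows Security events 4720, 4732 and 4688; the exact field names your SIEM exports may differ, and the fixed-build constant is taken from the Veeam advisory.

```python
"""Added example: CVE-2024-40711 exposure check and IOC hunt over Windows Security events.

Not from the original report or from Veeam. Sample events are constructed.
"""
import ntpath

# Boundaries from the Veeam advisory: 12.1.2.172 and earlier are affected,
# version 12.2 (build 12.2.0.334) is the first fixed release.
LAST_VULNERABLE_BUILD = (12, 1, 2, 172)
FIXED_BUILD = (12, 2, 0, 334)

# IOCs reported by Sophos X-Ops for the Akira/Fog intrusions.
IOC_ACCOUNT = "point"
WATCHED_GROUPS = {"administrators", "remote desktop users"}
IOC_TOOL = "rclone.exe"


def parse_build(version: str) -> tuple:
    """'12.1.2.172' -> (12, 1, 2, 172); missing trailing components are padded with 0."""
    parts = tuple(int(p) for p in version.strip().split("."))
    return parts + (0,) * (4 - len(parts))


def is_vbr_affected(version: str) -> bool:
    """True when the installed VBR build is within the affected range of the advisory."""
    return parse_build(version) <= LAST_VULNERABLE_BUILD


def _short_name(account: str) -> str:
    """Strip a 'HOST\\user' or 'DOMAIN\\user' prefix and normalise case."""
    return account.split("\\")[-1].strip().lower()


def hunt_iocs(events: list) -> list:
    """Return (rule_name, event) tuples for every event matching a known IOC.

    4720: a user account was created            -> name 'point'
    4732: member added to a local security group -> 'point' into Administrators / RDP Users
    4688: a new process was created              -> rclone.exe
    """
    findings = []
    for e in events:
        eid = e.get("EventID")
        if eid == 4720 and _short_name(e.get("TargetUserName", "")) == IOC_ACCOUNT:
            findings.append(("ioc_account_created", e))
        elif eid == 4732:
            member = _short_name(e.get("MemberName", ""))
            group = e.get("TargetUserName", "").strip().lower()
            if member == IOC_ACCOUNT and group in WATCHED_GROUPS:
                findings.append(("ioc_account_added_to_" + group.replace(" ", "_"), e))
        elif eid == 4688:
            exe = ntpath.basename(e.get("NewProcessName", "")).lower()
            if exe == IOC_TOOL or "rclone" in e.get("CommandLine", "").lower():
                findings.append(("rclone_execution", e))
    return findings


def intrusion_chain_present(findings: list) -> bool:
    """True when the full Sophos-observed chain is present: 'point' created and
    placed in a privileged group on the same host."""
    rules_by_host = {}
    for rule, e in findings:
        rules_by_host.setdefault(e.get("Computer", "?"), set()).add(rule)
    return any(
        "ioc_account_created" in rules and any(r.startswith("ioc_account_added_to_") for r in rules)
        for rules in rules_by_host.values()
    )


# Constructed sample events (not real logs); field names follow the Windows
# Security log XML for 4720 / 4732 / 4688 as commonly exported by SIEMs.
SAMPLE_EVENTS = [
    {"EventID": 4720, "Computer": "vbr01", "SubjectUserName": "VBR01$", "TargetUserName": "point"},
    {"EventID": 4732, "Computer": "vbr01", "TargetUserName": "Administrators", "MemberName": "VBR01\\point"},
    {"EventID": 4732, "Computer": "vbr01", "TargetUserName": "Remote Desktop Users", "MemberName": "VBR01\\point"},
    {"EventID": 4720, "Computer": "vbr01", "SubjectUserName": "admin", "TargetUserName": "svc_backup"},  # benign
    {"EventID": 4688, "Computer": "hv01", "NewProcessName": "C:\\ProgramData\\rclone.exe",
     "CommandLine": "rclone.exe copy D:\\Backups remote:staging"},
    {"EventID": 4688, "Computer": "hv01", "NewProcessName": "C:\\Windows\\System32\\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs"},  # benign
]


if __name__ == "__main__":
    for build in ("12.1.2.172", "12.2.0.334"):
        print(build, "affected" if is_vbr_affected(build) else "fixed")
    hits = hunt_iocs(SAMPLE_EVENTS)
    for rule, e in hits:
        print(rule, "on", e["Computer"])
    print("point-account chain present:", intrusion_chain_present(hits))
```

Run it as a script to see the sample results, or import it and feed `hunt_iocs()` records pulled from your SIEM. The build check deliberately treats anything above 12.1.2.172 as outside the advisory's affected range, which matches the Veeam wording; if you track hotfix builds differently, compare against `FIXED_BUILD` instead.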

References

For further reading and technical details, please refer to the following resources:

  • Bleeping Computer Article: Akira and Fog ransomware now exploit critical Veeam RCE flaw (https://www.bleepingcomputer.com/news/security/akira-and-fog-ransomware-now-exploiting-critical-veeam-rce-flaw/)
  • Veeam Security Advisory: Veeam Backup & Replication Vulnerability Disclosure (https://www.veeam.com/security/advisories)
  • watchTowr Labs Technical Analysis: CVE-2024-40711 Analysis (https://github.com/watchtowrlabs/CVE-2024-40711)
  • Censys Report: Unauthenticated RCE in Veeam Backup & Replication (https://censys.com/cve-2024-40711/)

Rescana is here for you

At Rescana, we are committed to helping our customers navigate the complex cybersecurity landscape. Our Continuous Threat and Exposure Management (CTEM) platform provides comprehensive solutions to identify, assess, and mitigate vulnerabilities. We encourage organizations to reach out to our cybersecurity team for further assistance or inquiries. Please contact us at ops@rescana.com for any questions regarding this report or other cybersecurity concerns.
