Ransomware gang exploiting unpatched Veeam backup products

Researchers at WithSecure have issued an alert after uncovering evidence that a notorious cyber criminal gang is exploiting a recently disclosed vulnerability in Veeam Backup & Replication data backup and recovery software to access its victims’ networks.

Tracked as CVE-2023-27532, the Veeam vulnerability was first published on 7 March 2023. It enables an unauthenticated user who has accessed the backup infrastructure network perimeter to get their hands on encrypted credentials stored in the configuration database, which may ultimately lead to them gaining access to the backup infrastructure hosts.

It is classified as a high-severity bug and carries a CVSS v3 score of 7.5. It exists in the Veeam.Backup.Service.exe process of Veaam Backup & Replication, Veeam Cloud Connect, Veeam Cloud Connect for the Enterprise and Veeam Backup & Replication Community Edition.

“WithSecure Intelligence identified attacks which occurred in late March 2023 against internet-facing servers running Veeam Backup & Replication software,” wrote WithSecure analysts Neeraj Singh and Mohammad Kazem Hassan Nejad.

“Our research indicates with high confidence that the intrusion set used in these attacks is consistent with activities attributed to the FIN7 activity group. It is likely that initial access and execution was achieved through a recently patched Veeam Backup & Replication vulnerability, CVE-2023-27532,” they explained.

“Our research indicates with high confidence that the intrusion set used in these attacks is consistent with activities attributed to the FIN7 activity group. It is likely that initial access and execution was achieved through a recently patched Veeam Backup & Replication vulnerability, CVE-2023-27532”

FIN7 is a prolific and dangerous financially motivated operator that has deployed multiple strains of ransomware in its attacks – including BlackCat/ALPHV, BlackMatter, DarkSide and, at one time, REvil – after pivoting to extortion from payment card data theft about three years ago.

The group may have links to multiple recent high-profile cyber attacks, including the developing heist on UK public sector outsourcer Capita, payments systems giant NCR and Munster Technological University in Ireland. There is no indication at the time of writing that any of these intrusions involved exploitation of the Veeam compromise.

On 28 March 2023, Singh and Nejad said they saw activity across multiple internet-facing servers running Veeam Backup & Replication, in which a SQL server process related to the backup instance executed a shell command, which performed in-memory download and execution of a PowerShell script.

FIN7 is known to be particularly fond of the PowerShell scripting language – Mandiant once described PowerShell as the gang’s “love language” – and on this occasion, all instances of the PowerShell scripts seen were Powertrash, an obfuscated loader directly attributed to FIN7.

Powertrash itself is used to execute various payloads, including but not limited to old “favourites” such as the Carbanak malware, with which FIN7 originally made its name, and of course the ubiquitous Cobalt Strike, but this time round they used Diceloader (aka Lizar) to gain a foothold.

Singh and Nejad said that while the exact method FIN7 used to invoke the initial shell command was unknown, it was likely achieved via the Veeam bug, based on a number of factors:

• All affected servers had TCP open port 9401 – used for communication with the Veeam Backup Service over SSL exposed to the internet – and network activity with external IP addresses was seen over said port right before the shell command was invoked.
• The vulnerability was patched a few weeks prior, and exploitation of it requires access to port 9401.
• None of the affected servers had been patched against the Veeam bug.
• A proof-of-concept exploit was circulating on 23 March, which contains the same execution chain as seen in this campaign.

WithSecure’s observers said they also saw suspicious activity on the affected servers on 24 March, which they believe may have been evidence that FIN7 was performing large-scale vulnerability scanning to find at-risk servers.

Once inside, they said, FIN7 used a series of commands and custom scripts to begin to gather data on their targets, and executed a series of SQL commands to steal information from the Veeam backup database, as well as retrieving stored credentials and using them to attempt lateral movement.

Ultimately, it is possible that these footholds would have developed into ransomware hits, and with absent patching or widespread awareness, some may yet do so.

However, according to Singh and Nejad, the probable rarity of Veeam backup servers with TCP port 9401 publicly exposed means the scope of the incident is likely limited.

The vulnerability is resolved by builds 12 (12.0.0.1420 P20230223) and 11a (11.0.1.1261 P20230227) of Veeam Backup & Replication. As a temporary workaround, users operating an all-in-one Veeam appliance with no remote backup infrastructure components can block external connections to Port TCP 9401 in the backup server firewall until they can install the patch.