Source |
RiskIQ |
Identifier |
8609881 |
Publication date |
2024-11-12 15:16:50 (viewed: 2024-11-12 16:08:26) |
Title |
Critical Veeam RCE bug now used in Frag ransomware attacks |
Text |
## Snapshot
[CVE-2024-40711](https://security.microsoft.com/intel-explorer/cves/CVE-2024-40711/), a critical vulnerability in Veeam Backup & Replication (VBR) discovered by researchers at CODE WHITE, is being exploited in ransomware attacks, including by Akira, Fog and, more recently, Frag ransomware operators.
## Description
The vulnerability allows unauthenticated remote code execution (RCE) and stems from deserialization of untrusted data. Despite efforts to delay exploitation by withholding a proof-of-concept exploit, and Veeam issuing [updates](https://www.veeam.com/kb4649), [Sophos X-Ops](https://news.sophos.com/en-us/2024/11/08/veeam-exploit-seen-used-again-with-a-new-ransomware-frag/) observed threat actors using stolen VPN credentials to reach unpatched servers, exploiting the RCE flaw, and adding rogue accounts to privileged groups. The threat activity cluster Sophos tracks as "STAC 5881" has been linked to these attacks, with Sophos detailing the use of the CVE-2024-40711 exploit in conjunction with compromised VPN appliances to deploy Frag ransomware. According to researchers at [Agger Labs](https://agger-labs.com/ransomware/unpacking-the-frag-ransomware-how-attackers-exploit-vulnerabilities-and-use-lolbins-to-disrupt-organisations/), the Frag ransomware gang relies on Living Off The Land binaries (LOLBins) to evade detection and follows an attack pattern similar to that of the [Akira](https://sip.security.microsoft.com/intel-profiles/eb747f064dc5702e50e28b63e4c74ae2e6ae19ad7de416902e998677b4ad72ff?tid=72f988bf-86f1-41af-91ab-2d7cd011db47) and [Fog](https://security.microsoft.com/intel-explorer/articles/b474122c) operators, targeting unpatched vulnerabilities and misconfigurations in backup and storage solutions. Another high-severity VBR vulnerability, [CVE-2023-27532](https://security.microsoft.com/intel-explorer/cves/CVE-2023-27532/), was patched by [Veeam](https://www.veeam.com/kb4424) in March 2023 but was later exploited by the FIN7 threat group in Cuba ransomware attacks against U.S. critical infrastructure organizations. Veeam's products are widely used, with over 550,000 customers globally, including a significant share of the Global 2000.
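The post-exploitation step Sophos describes above, a freshly created account being dropped into a privileged local group, leaves a recognisable pair of Windows Security events: 4720 (user account created) followed almost immediately by 4732 (member added to a security-enabled local group). The following detection is an added example written for this page, not code from Sophos, Veeam or Microsoft. It assumes a flattened JSON-lines export of those two event types with the field names `host`, `time`, `id`, `subject`, `target` and `group` (an assumed schema, not the native Windows one), and the sample events are constructed.

```python
"""Detect rogue privileged-account creation: a 4720 (user created) followed
within a short window by a 4732 (member added to a privileged local group)
for the same account on the same host.

The event records below are constructed for this example and use an assumed
flattened field layout, not the native Windows event schema."""
from datetime import datetime, timedelta
import json

PRIVILEGED_GROUPS = {"Administrators", "Backup Operators", "Remote Desktop Users"}
WINDOW = timedelta(minutes=10)   # the 4732 must follow the 4720 within this window

# Constructed sample. VBR01: account created and made Administrator two seconds
# apart by the machine account (VBR01$), i.e. from a SYSTEM/service context rather
# than by an interactive administrator. FS02: ordinary helpdesk onboarding.
SAMPLE_EVENTS = """\
{"host": "VBR01", "time": "2024-11-05T02:14:03", "id": 4720, "subject": "VBR01$", "target": "bkadmin", "group": null}
{"host": "VBR01", "time": "2024-11-05T02:14:05", "id": 4732, "subject": "VBR01$", "target": "bkadmin", "group": "Administrators"}
{"host": "FS02", "time": "2024-11-05T09:00:00", "id": 4720, "subject": "helpdesk1", "target": "jsmith", "group": null}
{"host": "FS02", "time": "2024-11-05T09:01:00", "id": 4732, "subject": "helpdesk1", "target": "jsmith", "group": "Users"}
{"host": "FS02", "time": "2024-11-05T09:30:00", "id": 4732, "subject": "helpdesk1", "target": "jsmith", "group": "Remote Desktop Users"}
"""


def parse_events(jsonl):
    """Parse JSON lines into dicts with a datetime 'time', sorted chronologically."""
    events = []
    for line in jsonl.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["time"] = datetime.fromisoformat(ev["time"])
        events.append(ev)
    events.sort(key=lambda e: e["time"])
    return events


def detect(jsonl):
    """Return one alert per (host, account) where a 4720 is followed within
    WINDOW by a 4732 into a privileged group.  'system_context' is True when
    the subject is a machine account (name ending in '$'), which is how an
    account created by a service running as SYSTEM shows up; that is the
    expected shape when a backup service process is the one doing the work."""
    created = {}   # (host, account) -> time of the 4720
    alerts = []
    for ev in parse_events(jsonl):
        key = (ev["host"], ev["target"])
        if ev["id"] == 4720:
            created[key] = ev["time"]
        elif ev["id"] == 4732 and ev["group"] in PRIVILEGED_GROUPS:
            t0 = created.get(key)
            if t0 is not None and ev["time"] - t0 <= WINDOW:
                alerts.append({
                    "host": ev["host"],
                    "account": ev["target"],
                    "group": ev["group"],
                    "subject": ev["subject"],
                    "seconds_after_creation": (ev["time"] - t0).total_seconds(),
                    "system_context": ev["subject"].endswith("$"),
                })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Only the VBR01 pair fires: the jsmith account goes into a non-privileged group within the window and into Remote Desktop Users only half an hour later. On a real export the 4732 member is usually logged as a SID rather than a name, so resolve it before keying on `target`, and add 4728/4756 if you also want domain group additions.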
## Microsoft Analysis and Additional OSINT Context
CVE-2024-40711 affects Veeam Backup & Replication builds from 12.0.0.120 up to, but not including, the fixed build 12.2.0.334, and was added to CISA's [Known Exploited Vulnerabilities (KEV) Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog?search_api_fulltext=CVE-2024-40711&field_date_added_wrapper=all&field_cve=&sort_by=field_date_added&items_per_page=20&url=) on October 10, 2024. The Cybersecurity and Infrastructure Security Agency (CISA) strongly encourages all organizations to prioritize timely remediation of cataloged vulnerabilities as part of their vulnerability management practices.
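Turning the affected range above into a triage over a fleet is mostly a matter of comparing four-part build numbers correctly; the snag in practice is consoles that report only "12.2", which does not tell you whether build 12.2.0.334 is installed. The script below is an added example written for this page, not a Veeam or Microsoft tool. The range bounds come from the text above; the host names and the CSV inventory are constructed.

```python
"""Triage a Veeam Backup & Replication inventory against the build range given
for CVE-2024-40711: 12.0.0.120 up to, but not including, the fixed build
12.2.0.334.  The inventory lines are constructed for this example."""
import csv
import io

VULN_FROM = (12, 0, 0, 120)      # first affected build named in the text
FIXED_BUILD = (12, 2, 0, 334)    # the 12.2 build that carries the fix

# Constructed inventory: host name, build string as reported by the console.
SAMPLE_INVENTORY = """\
host,build
vbr-hq-01,12.1.2.172
vbr-hq-02,12.2.0.334
vbr-dr-01,12.2
vbr-lab-01,11.0.1.1261
"""


def parse_build(s):
    """'12.1.2.172' -> (12, 1, 2, 172).  Anything shorter than four parts is
    rejected: '12.2' alone cannot distinguish 12.2.0.0 from 12.2.0.334."""
    parts = tuple(int(p) for p in s.strip().split("."))
    if len(parts) != 4:
        raise ValueError(f"expected major.minor.patch.build, got {s!r}")
    return parts


def assess(build):
    """Classify one build string as 'vulnerable', 'fixed', 'outside-range'
    or 'needs-full-build'.  Tuple comparison orders builds numerically, so
    12.10.x.x sorts after 12.2.x.x as it should."""
    try:
        b = parse_build(build)
    except ValueError:
        return "needs-full-build"
    if b >= FIXED_BUILD:
        return "fixed"
    if b >= VULN_FROM:
        return "vulnerable"
    # Older than the first affected build named in the text (e.g. an
    # unsupported v11 install): not assessed here, so do not treat as safe.
    return "outside-range"


def triage(inventory_csv):
    """Map host -> assessment for every row of a CSV inventory."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {row["host"]: assess(row["build"]) for row in rows}


if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:12} {status}")
```

The `needs-full-build` result is deliberate: a host reporting a bare major.minor should be re-queried for its full build rather than silently counted as patched or unpatched.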
In March 2023, Veeam disclosed CVE-2023-27532, a similar vulnerability in the Veeam Backup & Replication component that allows unauthenticated users within the backup infrastructure network to obtain encrypted credentials. The vulnerability was used as an initial access vector in an Akira ransomware attack in which the attacker leveraged AnyDesk to maintain persistence and exfiltrate data. This illustrates a rising trend of cybercriminals and state-sponsored actors using Remote Monitoring and Management (RMM) tools in their attacks. Microsoft has indicated that the misuse of RMM tools, especially in ransomware incidents, represents an increasing threat, largely because these tools are often authorized for legitimate use by Managed Service Providers (MSPs) and IT teams, which complicates automated detection. For further insight into how threat actors leverage RMM tools in their operations, see [Recent OSINT trends in abuse of remote monitoring and management tools](https://security.microsoft.com/intel-explorer/articles/687fdb34).
## Recommendations
Veeam recommends that users immediately update Veeam Backup & Replication to version 12.2 (build 12.2.0.334) to mitigate this threat.
|
Rating |
★★
|
Sent |
Yes |
Tags |
Ransomware
Tool
Vulnerability
Threat
Prediction
|