Cyber Defense Advisors

Critical Veeam Vulnerability Exploited to Spread Akira and Fog Ransomware

Threat actors are actively attempting to exploit a now-patched security flaw in Veeam Backup & Replication to deploy Akira and Fog ransomware.

Cybersecurity vendor Sophos said it has been tracking a series of attacks in the past month leveraging compromised VPN credentials and CVE-2024-40711 to create a local account and deploy the ransomware.

CVE-2024-40711, rated 9.8 out of 10.0 on the CVSS scale, refers to a critical vulnerability that allows for unauthenticated remote code execution. It was addressed by Veeam in Backup & Replication version 12.2 in early September 2024.

Security researcher Florian Hauser of Germany-based CODE WHITE has been credited with discovering and reporting security shortcomings.

“In each of the cases, attackers initially accessed targets using compromised VPN gateways without multifactor authentication enabled,” Sophos said. “Some of these VPNs were running unsupported software versions.”

“Each time, the attackers exploited VEEAM on the URI /trigger on port 8000, triggering the Veeam.Backup.MountService.exe to spawn net.exe. The exploit creates a local account, ‘point,’ adding it to the local Administrators and Remote Desktop Users groups.”

In the attack that led to the Fog ransomware deployment, the threat actors are said to have drop the ransomware to an unprotected Hyper-V server, while using the rclone utility to exfiltrate data. The other ransomware deployments were unsuccessful.

The active exploitation of CVE-2024-40711 has prompted an advisory from NHS England, which noted that “enterprise backup and disaster recovery applications are valuable targets for cyber threat groups.”

The disclosure comes as Palo Alto Networks Unit 42 detailed a successor to INC ransomware named Lynx that has been active since July 2024, targeting organizations in retail, real estate, architecture, financial, and environmental services sectors in the U.S. and U.K.

The emergence of Lynx is said to have been spurred by the sale of INC ransomware’s source code on the criminal underground market as early as March 2024, prompting malware authors to repackage the locker and spawn new variants.

“Lynx ransomware shares a significant portion of its source code with INC ransomware,” Unit 42 said. “INC ransomware initially surfaced in August 2023 and had variants compatible with both Windows and Linux.”

It also follows an advisory from the U.S. Department of Health and Human Services (HHS) Health Sector Cybersecurity Coordination Center (HC3) that at least one healthcare entity in the country has fallen victim to Trinity ransomware, another relatively new ransomware player that first became known in May 2024 and is believed to be a rebrand of 2023Lock and Venus ransomware.

“It is a type of malicious software that infiltrates systems through several attack vectors, including phishing emails, malicious websites, and exploitation of software vulnerabilities,” the HC3 said. “Once inside the system, Trinity ransomware employs a double extortion strategy to target its victims.”

Cyber attacks have also been observed delivering a MedusaLocker ransomware variant dubbed BabyLockerKZ by a financially motivated threat actor known to be active since October 2022, with targets primarily located in the E.U. countries and South America.

“This attacker uses several publicly known attack tools and living-off-the-land binaries (LoLBins), a set of tools built by the same developer (possibly the attacker) to assist in credential theft and lateral movement in compromised organizations,” Talos researchers said.

“These tools are mostly wrappers around publicly available tools that include additional functionality to streamline the attack process and provide graphical or command-line interfaces.”

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.