An ALPHV/BlackCat ransomware affiliate was spotted gaining initial access to target networks by abusing three flaws in the Veritas Backup product.
The ALPHV ransomware operation first appeared in December 2021, and it is thought to be controlled by former members of the Darkside and Blackmatter programs, which shut down abruptly to avoid law enforcement scrutiny.
Mandiant identifies the ALPHV affiliate as 'UNC4466,' noting that the method differs from the conventional breach, which depends on stolen credentials.
Mandiant reports that on October 22, 2022, it spotted the first occurrences of Veritas flaw exploitation in the field. UNC4466 focuses on the following high-severity flaws:
- CVE-2021-27876: Arbitrary file access flaw caused by an error in the SHA authentication scheme, allowing a remote attacker to gain unauthorized access to vulnerable endpoints. (CVSS score: 8.1)
- CVE-2021-27877: Remote unauthorized access and privileged command execution to the BE Agent via SHA authentication. (CVSS score: 8.2)
- CVE-2021-27878: Arbitrary command execution flaw resulting from an error in the SHA authentication scheme, allowing a remote attacker to gain unauthorized access to vulnerable endpoints. (CVSS score: 8.8)
The Veritas Backup software is affected by all three issues. They were disclosed by the vendor in March 2021, and a fix was published with version 21.2. Although more than two years have passed, many endpoints remain vulnerable because they have not been updated to a safe version.
According to Mandiant, a commercial scanning service discovered more than 8,500 IP addresses on the public web advertising the "Symantec/Veritas Backup Exec ndmp" service on the default port 10000 as well as ports 9000 and 10001.
"While this search result does not directly identify vulnerable systems, as the application versions were not identifiable, it demonstrates the prevalence of Internet exposed instances that could potentially be probed by attackers." - Mandiant
On September 23, 2022, a Metasploit module to exploit these flaws was made available to the public. The code enables attackers to establish a session and interact with the compromised endpoints. According to Mandiant, UNC4466 began using the specific module a month after it was released.
Specifics of the attack
According to Mandiant's findings, UNC4466 compromises an internet-exposed Windows server running Veritas Backup Exec by utilizing the publicly accessible Metasploit module and gains persistent access to the host.
Following the initial compromise, the threat actor gathered information on the victim's environment using the Advanced IP Scanner and ADRecon utilities. Next, they downloaded more tools onto the host, including LAZAGNE, LIGOLO, WINSW, RCLONE, and ultimately the ALPHV ransomware encryptor, through the Background Intelligent Transfer Service (BITS).
To interact with the command and control (C2) server, the threat actor employed SOCKS5 tunneling. According to the researchers, UNC4466 used BITS transfers to download SOCKS5 tunneling tools before deploying the ransomware payload by adding immediate tasks to the default domain policy, disabling the security software, and executing the encryptor.
UNC4466 uses Mimikatz, LaZagne, and Nanodump to steal valid user credentials in order to escalate privileges. Finally, the threat actor avoids discovery by erasing event logs and turning off Microsoft Defender's real-time monitoring capability.
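One way a defender can correlate the host-level traces of this post-exploitation chain (BITS downloads of tooling, Defender real-time protection turned off, event logs cleared) in forwarded Windows event logs. This is an added example, not code from Mandiant's report; the provider/event-ID mapping is an assumption to adjust to your own telemetry, and the sample records are constructed.

```python
"""Correlate Windows event-log signals that match the UNC4466 post-exploitation chain
(BITS download, Defender real-time protection disabled, event-log clearing).
Added example, not from Mandiant's report; all event records below are constructed."""
from collections import defaultdict

# Provider/event-ID pairs treated as indicators. Assumption: these standard Windows
# IDs are what your collector forwards; adjust the mapping to your environment.
INDICATORS = {
    ("Microsoft-Windows-Bits-Client", 59): "bits_download_started",
    ("Microsoft-Windows-Windows Defender", 5001): "defender_realtime_disabled",
    ("Microsoft-Windows-Eventlog", 1102): "security_log_cleared",
    ("Microsoft-Windows-Eventlog", 104): "system_log_cleared",
}

def classify(event):
    """Return the indicator name for one event, or None if it is not of interest."""
    tag = INDICATORS.get((event["provider"], event["event_id"]))
    if tag == "bits_download_started":
        # Only remote HTTP(S) jobs matter; local file:// jobs are ordinary update noise.
        url = event.get("url", "")
        if not url.lower().startswith(("http://", "https://")):
            return None
    return tag

def correlate(events, min_distinct=2):
    """Group indicators per host; return hosts showing at least min_distinct different ones."""
    per_host = defaultdict(set)
    for ev in events:
        tag = classify(ev)
        if tag:
            per_host[ev["host"]].add(tag)
    return {h: sorted(tags) for h, tags in per_host.items() if len(tags) >= min_distinct}

# Constructed sample telemetry: BACKUP01 shows the chain, WS07 only a benign local BITS job.
SAMPLE_EVENTS = [
    {"host": "BACKUP01", "provider": "Microsoft-Windows-Bits-Client", "event_id": 59,
     "url": "http://203.0.113.10/tool.exe"},  # documentation-range IP, constructed
    {"host": "BACKUP01", "provider": "Microsoft-Windows-Windows Defender", "event_id": 5001},
    {"host": "BACKUP01", "provider": "Microsoft-Windows-Eventlog", "event_id": 1102},
    {"host": "WS07", "provider": "Microsoft-Windows-Bits-Client", "event_id": 59,
     "url": "file://C:/updates/patch.msu"},
]

if __name__ == "__main__":
    for host, tags in correlate(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(tags)}")
```

Requiring two distinct indicators on one host keeps a lone BITS job or a single log clear from paging anyone, while the full chain on the backup server is flagged.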
Mandiant's report gives recommendations for defenders to detect and prevent UNC4466 attacks before the ALPHV payload is executed on their systems.