Veeam RCE Bug Now a Target for Frag Ransomware Operators

 

Recently, a critical VBR (Veeam Backup & Replication) security flaw was exploited by cyber thieves to distribute Frag ransomware along with the Akira and Fog ransomware attacks. Florian Hauser, a security researcher with Code White, has discovered that the vulnerability (tracked as CVE-2024-40711) is a result of the deserialization of untrusted data weakness that unauthenticated threat actors can abuse to gain remote code execution (RCE) on Veeam VBR servers by exploiting. 

Despite releasing a technical analysis of CVE-2024-40711 on September 9, Watchtower Labs delayed the release of a proof-of-concept exploit until September 15 to allow admins to take advantage of the security updates that Veeam released on September 4 for this vulnerability. 

According to Sophos researchers, ransomware operators are leveraging a critical vulnerability in Veeam Backup & Replication called CVE-2024-40711 to create rogue accounts and deploy malware to users in order to execute their attacks. On early September 2024, Veeam released security updates for the Service Provider Console, Veeam Backup & Replication, and Veeam One products to address several vulnerabilities that could undermine the security of their products.

The company fixed 18 issues with high or critical severity for these products. This September's security bulletin contains a critical, remote code execution (RCE) vulnerability tracked as CVE-2024-40711 that affects Veeam Backup & Replication (VBR), which has a CVSS v3.1 score of 9.8 (CVSS score of 10.4). A software product developed by the Veeam software company called Veeam Backup & Replication offers a comprehensive solution for data protection and disaster recovery. With this technology, companies are able to back up, restore, and replicate data across physical, virtual, and cloud environments at the same time. 

There is a vulnerability in the Linux kernel that allows unauthenticated remote code execution (RCE)." as stated in the advisory. The vulnerabilities were discovered by Florian Hauser, a researcher at CODE WHITE Gmbh who specializes in cybersecurity. In addition to Veeam Backup & Replication 12.1.2.172, earlier versions of version 12 are also affected by this flaw.  According to the Sophos X-Ops incident response team, the delay in releasing an exploit did not have much effect on the number of Akira and Fog ransomware attacks that were prevented. 

By exploiting the RCE vulnerability along with stolen credentials from the VPN gateway, the attackers were able to register rogue accounts on unpatched servers and exploit the RCE flaw. There was also a threat activity cluster, which was known as 'STAC 5881,' that was later found to have used exploits from CVE-2024-40711 to download Frag ransomware onto compromised networks, as a result of attacks that exploited CVE-2024-40711. 

According to Sean Gallagher, a principal threat researcher at Sophos X-Ops, the tactics associated with STAC 5881 were used again, this time, however, they led to the deployment of the previously undocumented 'Frag' ransomware which is now being referred to as Black Drop. There is a possibility that the threat actor exploited a vulnerability in the VEEAM component to gain access to the system, created a new account named 'point', and accessed the system from that account. As a result of this incident, a second account has also been created, known as 'point2'. 

Anew report by British cybersecurity company Agger Labs revealed that the Frag ransomware gang has made extensive use of Living Off The Land binaries (LOLBins), a type of software that is already installed on compromised computers and which is commonly known as Living Off The Land software (LOLBins). Defendants have a hard time detecting their activity due to the fact that this is difficult to detect. According to the Frag gang's playbook, the playbook of Akira and Fog operators is somewhat similar, as they often exploit vulnerabilities in unpatched backup and storage software and misconfigurations in the solutions that they deploy. This vulnerability has a high severity and can allow malicious actors to breach backup infrastructure if not patched. Veeam patched another high severity vulnerability in March 2023, CVE-2023-27532. There has been extensive use of this exploit in attacks linked to the financially motivated FIN7 threat group and in Cuba ransomware attacks that targeted companies and institutions critical to the American economy. 

Over 500,000 consumers worldwide rely on Veeam's products, including approximately 74% of all companies from the Global 2,000 list. Veeam reports that its products are used by over 550,000 customers worldwide. Agger Labs, a cybersecurity firm, also noted that tactics, techniques, and practices used by the threat actors behind Frag share many similarities to those used by Akira and Fog threat actors in their tactics, techniques, and practices. 

The main reason why Frag ransomware can remain stealthy is that it uses LOLBins, an approach that has been widely adopted by more traditional actors in the cybercrime sphere. The attackers can now bypass endpoint detection systems by employing familiar, legitimate software already present on most networks to conduct malicious operations. The fact that ransomware crews are adapting their approaches to ransomware shows that they are changing their approach despite not being new to the threat actor space.” 

Agger Labs notes. Despite Frag's use of LOLBins, the function has been used by ransomware strains like Akira and Fog which also use similar techniques to blend in with normal network activity and hide from detection.". As a result of using LOLBins as a means of exploitation for malicious purposes, these operators make it harder for us to detect them timely.”