Ransomware: Sophos warns of attacks on Veeam vulnerability
Attackers are abusing a critical vulnerability in Veeam Backup & Replication that lets them inject and execute their own code. Sophos has issued a warning about it.
A vulnerability in Veeam Backup & Replication is under active attack by cybercriminals. Sophos warns that it has observed several attacks aimed at deploying ransomware.
On Mastodon, the IT security company reports that cybercriminals are combining compromised credentials with a known vulnerability (CVE-2024-40711) to create an account on vulnerable systems and install ransomware. In one case the attackers deployed the Fog ransomware; during the same period, another attack attempted to deploy the Akira ransomware.
Four attacks observed by Sophos so far
Sophos had observed four attacks on the vulnerability by the time of the Mastodon report, but there are likely many more that went undetected. In the documented cases, the Akira and Fog ransomware families were used.
Initial access to the affected networks was gained through compromised VPN gateways that did not have multi-factor authentication enabled. Some gateways also ran software versions that were no longer supported. In all four cases, the attackers abused the URI /trigger on port 8000 of the Veeam instance. This causes Veeam.Backup.MountService.exe to spawn the net.exe command. The exploit creates the local account "point" and adds it to the local Administrators and Remote Desktop Users groups.
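The post-exploitation chain described above (Veeam.Backup.MountService.exe spawning net.exe to create the "point" account and add it to the Administrators and Remote Desktop Users groups) leaves a clear trace in process-creation telemetry. The following script is an added example, not code from Sophos or Veeam: it runs three detection rules over constructed Sysmon-style process-creation records (ParentImage, Image, CommandLine). The host names, file paths and sample command lines are invented for the example; the account name "point", the parent/child process pair and the two group names are the indicators reported by Sophos.

```python
"""Detect the CVE-2024-40711 post-exploitation pattern in process-creation events.

Added example (not Sophos or Veeam code). Rules:
  1. Veeam.Backup.MountService.exe spawning net.exe / net1.exe
  2. any 'net user <name> ... /add'            (local account creation)
  3. 'net localgroup <group> <member> /add' into Administrators or
     Remote Desktop Users                       (privilege / RDP access grant)
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass
class ProcessEvent:
    host: str
    parent_image: str   # full path of the parent process (Sysmon ParentImage)
    image: str          # full path of the created process (Sysmon Image)
    command_line: str   # Sysmon CommandLine


VEEAM_MOUNT_SERVICE = "veeam.backup.mountservice.exe"
NET_BINARIES = {"net.exe", "net1.exe"}   # net.exe hands off to net1.exe
SENSITIVE_GROUPS = {"administrators", "remote desktop users"}

# "net user <name> [<password>] /add"
USER_ADD_RE = re.compile(r"\buser\s+(\S+)(?:\s+\S+)?\s+/add\b", re.IGNORECASE)
# 'net localgroup <group or "quoted group"> <member> /add'
GROUP_ADD_RE = re.compile(r'\blocalgroup\s+("[^"]+"|\S+)\s+(\S+)\s+/add\b',
                          re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: ProcessEvent) -> List[Dict[str, str]]:
    """Return zero or more findings for a single process-creation event."""
    findings: List[Dict[str, str]] = []
    if basename(ev.image) not in NET_BINARIES:
        return findings
    if basename(ev.parent_image) == VEEAM_MOUNT_SERVICE:
        findings.append({"host": ev.host,
                         "rule": "veeam_mountservice_spawned_net",
                         "detail": ev.command_line})
    m = USER_ADD_RE.search(ev.command_line)
    if m:
        findings.append({"host": ev.host, "rule": "local_user_added",
                         "detail": m.group(1)})
    m = GROUP_ADD_RE.search(ev.command_line)
    if m:
        group = m.group(1).strip('"').lower()
        if group in SENSITIVE_GROUPS:
            findings.append({"host": ev.host,
                             "rule": "sensitive_group_member_added",
                             "detail": f"{m.group(2)} -> {group}"})
    return findings


def scan(events: Iterable[ProcessEvent]) -> List[Dict[str, str]]:
    out: List[Dict[str, str]] = []
    for ev in events:
        out.extend(classify(ev))
    return out


# Constructed sample telemetry, not real logs. Paths are assumptions.
VEEAM_PATH = r"C:\Program Files\Veeam\Backup and Replication\Backup\Veeam.Backup.MountService.exe"
NET_PATH = r"C:\Windows\System32\net.exe"

SAMPLE_EVENTS = [
    ProcessEvent("VBR01", VEEAM_PATH, r"C:\Windows\System32\conhost.exe",
                 "conhost.exe 0xffffffff -ForceV1"),                       # benign child
    ProcessEvent("VBR01", VEEAM_PATH, NET_PATH, "net user point P@ssw0rd! /add"),
    ProcessEvent("VBR01", VEEAM_PATH, NET_PATH, "net localgroup administrators point /add"),
    ProcessEvent("VBR01", VEEAM_PATH, NET_PATH,
                 'net localgroup "Remote Desktop Users" point /add'),
    ProcessEvent("FS02", r"C:\Windows\System32\cmd.exe", NET_PATH,
                 r"net use Z: \\fileserver\share"),                         # benign admin use
    ProcessEvent("WS17", r"C:\Windows\explorer.exe", NET_PATH,
                 "net user svc_backup /add"),                              # account added, other parent
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f['host']:6} {f['rule']:32} {f['detail']}")
```

Rule 1 is the high-fidelity signal: the mount service has no legitimate reason to launch net.exe, so a single hit warrants isolating the host and checking for the "point" account. Rules 2 and 3 fire on ordinary administration too and are best used to enrich a rule 1 hit or as lower-severity alerts on their own.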
Sophos researchers observed one attacker who deployed the Fog ransomware on an unprotected Hyper-V server and then used the rclone tool to exfiltrate data. In the other cases, Sophos software blocked the ransomware before it could be deployed. Sophos concludes from the incidents that it is important to patch known vulnerabilities, update or replace unsupported (VPN) software and enable multi-factor authentication for remote access.
At the beginning of September, Veeam released updated software that patches CVE-2024-40711, rated "critical" with a CVSS score of 9.8. The vulnerability allows attackers without a user account to execute their own code remotely (Remote Code Execution, RCE). Administrators should follow Sophos's advice: update the Veeam software and check the state of the VPN software in use in the organization.
(dmk)