Dive Brief:
- A critical vulnerability in Veeam Backup and Replication is being exploited by a new ransomware variant, Sophos X-Ops said in a Friday blog post.
- The cybercriminal group operating Frag, the previously undocumented ransomware, used tactics, techniques and procedures similar to those used by the Akira and Fog threat groups. Those groups were involved in exploitation of the same vulnerability last month.
- “Similar to the previous events, the threat actor used a compromised VPN appliance for access, leveraged the Veeam vulnerability, and created a new account named ‘point,’” Sean Gallagher, principal threat researcher at Sophos X-Ops, said in the blog post. “However in this incident a ‘point2’ account was also created.”
Dive Insight:
Veeam Backup and Replication is used by enterprises to back up, replicate and restore virtual, physical and cloud machines. The use of multiple ransomware variants in attacks linked to exploitation of CVE-2024-40711 only escalates the risk confronting those customers.
All told, Veeam said it has more than 550,000 customers globally, including 74% of the Global 2000. It’s unclear how many organizations use Veeam Backup and Replication.
“We see this as a tool being used as part of a very specific kit of tactics, techniques and practices that are likely either connected to an access broker selling breached network access to other cybercriminals or a set of independent actors using multiple ransomware as a service platforms,” Gallagher said via email.
“Either way, it will potentially lead to more ransomware attacks with different malware,” Gallagher said. “The Frag ransomware is an example of this.”
The Cybersecurity and Infrastructure Security Agency added CVE-2024-40711, which has a CVSS score of 9.8, to its Known Exploited Vulnerabilities catalog on Oct. 17. The deserialization vulnerability allows an unauthenticated attacker to perform remote code execution.
Veeam did not answer questions about Sophos’ research but reiterated advice for customers to upgrade to Veeam Backup and Replication v12.2. Veeam patched the vulnerability in a software update on Aug. 28.
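As an added, defender-side illustration (not code from the Sophos post, from Veeam, or from the original article), the Python below turns two facts reported here into checks a backup administrator could run: it flags Windows "user account created" events (event ID 4720) whose new account name matches the ‘point’ / ‘point2’ names seen in the Frag intrusion, and it flags Veeam Backup and Replication version strings that sit below the 12.2 release the vendor advises upgrading to. The one-line log format, the host names and the version strings are constructed for the example and are not taken from any real export.

```python
"""Added example (not from the article or its sources): two checks derived
from the reported facts.

1. Account-creation events (Windows Security event ID 4720) whose target
   account name is one of the names reported in the Frag intrusion.
2. Veeam Backup and Replication versions below 12.2, the release Veeam
   advises customers to upgrade to.

The event lines, host names and version strings below are constructed for
this example; the simplified one-line event format is an assumption.
"""
import re

# Account names reported by Sophos X-Ops in the Frag / Akira / Fog intrusions.
SUSPICIOUS_ACCOUNT_NAMES = {"point", "point2"}

# Windows Security event "A user account was created".
EVENT_USER_CREATED = 4720

# Constructed, simplified export of security events. A real export carries
# many more fields; only the ones the check needs are kept here.
SAMPLE_EVENTS = [
    "2024-11-08T02:14:07Z host=veeam-bkp01 EventID=4720 SubjectUserName=svc_backup TargetUserName=point",
    "2024-11-08T02:15:31Z host=veeam-bkp01 EventID=4720 SubjectUserName=svc_backup TargetUserName=point2",
    "2024-11-08T09:02:11Z host=fs02 EventID=4720 SubjectUserName=it.admin TargetUserName=jsmith",
    # A logon (4624) by 'point' is not an account creation and must not match.
    "2024-11-08T09:05:44Z host=veeam-bkp01 EventID=4624 SubjectUserName=point TargetUserName=point",
]

EVENT_RE = re.compile(
    r"(?P<ts>\S+) host=(?P<host>\S+) EventID=(?P<id>\d+) "
    r"SubjectUserName=(?P<subject>\S+) TargetUserName=(?P<target>\S+)"
)


def parse_event(line):
    """Parse one constructed event line into a dict, or None if it does not match."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["id"] = int(event["id"])
    return event


def find_suspicious_account_creations(lines):
    """Return 4720 events whose newly created account matches a reported name."""
    hits = []
    for line in lines:
        event = parse_event(line)
        if event is None or event["id"] != EVENT_USER_CREATED:
            continue
        if event["target"].lower() in SUSPICIOUS_ACCOUNT_NAMES:
            hits.append(event)
    return hits


def parse_version(version):
    """Turn '12.1.2.172' into (12, 1, 2, 172) so versions compare numerically."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def is_below_fixed_release(version, fixed="12.2"):
    """True when the installed version is older than the advised 12.2 release.

    Tuple comparison handles differing lengths: (12, 2, 0, 334) is not below
    (12, 2), while (12, 1, 2, 172) is.
    """
    return parse_version(version) < parse_version(fixed)


if __name__ == "__main__":
    for hit in find_suspicious_account_creations(SAMPLE_EVENTS):
        print(f"[ALERT] {hit['ts']} {hit['host']}: account '{hit['target']}' "
              f"created by {hit['subject']}")
    # Constructed version strings, not real build numbers.
    for installed in ("12.1.2.172", "12.2.0.334"):
        state = "below 12.2, upgrade" if is_below_fixed_release(installed) else "at or above 12.2"
        print(f"Veeam B&R {installed}: {state}")
```

The account-name match is deliberately exact and case-insensitive rather than a substring match, so legitimate accounts such as "pointofsale" do not fire; in practice the check belongs alongside, not instead of, a broader rule on any account creation on a backup server. The version check only reflects the advice quoted in the article (upgrade to 12.2); it does not encode individual build numbers.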
“When a vulnerability is identified and disclosed, attackers will still try to exploit and reverse-engineer the patches to use the vulnerability on an unpatched version of Veeam software in their exploitation attempts,” Heidi Monroe Kroft, senior director of corporate communications and global public relations at Veeam, said via email Monday.