    New Ransomware Group Exploiting Veeam Backup Software Vulnerability

    A recently patched flaw in Veeam Backup & Replication software is being exploited by a new ransomware operation known as EstateRansomware.

    Group-IB, based in Singapore, identified this threat actor in early April 2024. They reported that the attackers exploited CVE-2023-27532 (CVSS score: 7.5) to conduct their malicious activities.

    Initial access to the target environment was gained through a Fortinet FortiGate firewall SSL VPN appliance using an inactive account.

    “The threat actor moved laterally from the FortiGate firewall via the SSL VPN service to reach the failover server,” said security researcher Yeo Zi Wei in an analysis published today.

    “Before the ransomware attack, there were VPN brute-force attempts in April 2024 using a dormant account identified as ‘Acc1.’ A few days later, a successful VPN login with ‘Acc1’ was traced back to the remote IP address 149.28.106[.]252.”

    The attackers then established RDP connections from the firewall to the failover server and deployed a persistent backdoor named “svchost.exe,” which runs daily through a scheduled task.

    Using the backdoor, the threat actors accessed the network undetected. The backdoor’s main function is to connect to a command-and-control (C2) server over HTTP and execute commands from the attacker.

    Group-IB observed the attackers exploiting the Veeam flaw CVE-2023-27532 to enable xp_cmdshell on the backup server and create a rogue user account named “VeeamBkp.” They conducted network discovery, enumeration, and credential harvesting using tools like NetScan, AdFind, and NitSoft through this new account.

    “This exploitation likely started from the VeeamHax folder on the file server against the vulnerable Veeam Backup & Replication software on the backup server,” Zi Wei suggested.

    “This led to the activation of the xp_cmdshell stored procedure and the creation of the ‘VeeamBkp’ account.”

    The attack ended with the deployment of ransomware, after disabling defenses and moving laterally from the AD server to other servers and workstations using compromised domain accounts.

    “Windows Defender was permanently disabled using DC.exe [Defender Control], followed by ransomware deployment and execution with PsExec.exe,” Group-IB reported.
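The chain described above (a dormant VPN account brute-forced and then logged in from a single remote address, a scheduled task running an `svchost.exe` that does not live in the system directory, `xp_cmdshell` switched on, and a backup-themed account created on the backup server) maps directly onto a few detection checks. The Python below is an added example, not code from Group-IB, Veeam or the article; the event records and their field names are constructed assumptions that stand in for normalised FortiGate SSL VPN logs, Windows Security events (user and scheduled-task creation) and SQL Server configuration audit events.

```python
"""Detection checks for the intrusion chain described in the article.

Added example, not code from Group-IB or Veeam. The event records and field
names below are constructed assumptions; a real pipeline would normalise
FortiGate VPN logs, Windows Security events (user and scheduled-task creation)
and SQL Server configuration audits into this shape before running the checks.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Accounts the organisation knows to be unused; the report's 'Acc1' was one (constructed list).
DORMANT_ACCOUNTS = {"acc1"}
SYSTEM_DIR = "c:\\windows\\system32\\"


def _ts(value):
    return datetime.fromisoformat(value)


def detect_vpn_bruteforce(events, min_failures=5, window=timedelta(days=7)):
    """A VPN success preceded by at least `min_failures` failures for the same
    user/IP pair inside `window` (the report saw failures, then a success days later)."""
    failures = defaultdict(list)
    findings = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e.get("type") != "vpn_login":
            continue
        key = (e["user"].lower(), e["ip"])
        when = _ts(e["ts"])
        if e["result"] == "fail":
            failures[key].append(when)
            continue
        recent = [t for t in failures[key] if when - t <= window]
        if len(recent) >= min_failures:
            findings.append({"rule": "vpn_bruteforce_then_success", "user": e["user"],
                             "ip": e["ip"], "failures": len(recent),
                             "dormant": key[0] in DORMANT_ACCOUNTS})
    return findings


def detect_masquerading_task(events):
    """Scheduled task whose action is a system-named binary (svchost.exe)
    located outside the Windows system directory, as with the reported backdoor."""
    findings = []
    for e in events:
        if e.get("type") != "task_created":
            continue
        path = e["action"].replace("/", "\\").lower()
        if path.rsplit("\\", 1)[-1] == "svchost.exe" and not path.startswith(SYSTEM_DIR):
            findings.append({"rule": "masquerading_scheduled_task", "host": e["host"],
                             "task": e["task"], "action": e["action"]})
    return findings


def detect_xp_cmdshell_enable(events):
    """SQL Server configuration change that turns xp_cmdshell on."""
    return [{"rule": "xp_cmdshell_enabled", "host": e["host"], "login": e["login"]}
            for e in events
            if e.get("type") == "sql_config_change"
            and e["option"] == "xp_cmdshell" and e["new_value"] == 1]


def detect_backup_named_account(events):
    """New account whose name imitates the backup product (the report's 'VeeamBkp')."""
    return [{"rule": "backup_named_account_created", "host": e["host"], "user": e["user"]}
            for e in events
            if e.get("type") == "user_created" and "veeam" in e["user"].lower()]


def run_all(events):
    """Run every check and return all findings as a single list."""
    findings = []
    for check in (detect_vpn_bruteforce, detect_masquerading_task,
                  detect_xp_cmdshell_enable, detect_backup_named_account):
        findings.extend(check(events))
    return findings


# Constructed sample telemetry (not real log data from the incident); the remote
# IP is the one named in the report, the hostnames and timestamps are invented.
SAMPLE_EVENTS = [
    {"ts": f"2024-04-02T01:0{i}:00", "type": "vpn_login", "user": "Acc1",
     "ip": "149.28.106.252", "result": "fail"} for i in range(6)
] + [
    {"ts": "2024-04-02T02:00:00", "type": "vpn_login", "user": "jsmith",
     "ip": "203.0.113.10", "result": "fail"},
    {"ts": "2024-04-02T02:01:00", "type": "vpn_login", "user": "jsmith",
     "ip": "203.0.113.10", "result": "success"},
    {"ts": "2024-04-05T03:12:00", "type": "vpn_login", "user": "Acc1",
     "ip": "149.28.106.252", "result": "success"},
    {"ts": "2024-04-05T04:00:00", "type": "task_created", "host": "failover-srv",
     "task": "SystemUpdate", "action": "C:\\Users\\Public\\svchost.exe"},
    {"ts": "2024-04-05T04:05:00", "type": "task_created", "host": "failover-srv",
     "task": "ScheduledDefrag", "action": "C:\\Windows\\System32\\svchost.exe"},
    {"ts": "2024-04-06T10:00:00", "type": "sql_config_change", "host": "backup-srv",
     "login": "sa", "option": "xp_cmdshell", "old_value": 0, "new_value": 1},
    {"ts": "2024-04-06T10:02:00", "type": "user_created", "host": "backup-srv",
     "user": "VeeamBkp"},
    {"ts": "2024-04-06T11:00:00", "type": "user_created", "host": "backup-srv",
     "user": "svc_monitor"},
]

if __name__ == "__main__":
    for finding in run_all(SAMPLE_EVENTS):
        print(finding)
```

Run as a script it prints four findings, one per stage of the chain; the benign records (a single failed login followed by success, a scheduled task pointing at the genuine `System32\svchost.exe`, an ordinary service account) produce nothing. The VPN check keys on the user/IP pair and carries a `dormant` flag rather than alerting on dormancy alone, so a successful login on a known-unused account can be prioritised without the check depending on that list being complete.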

    This disclosure comes as Cisco Talos noted that most ransomware groups prioritize gaining initial access through security flaws in public-facing applications, phishing attachments, or compromised valid accounts, and bypassing defenses throughout their attack chains.

    The double extortion model—exfiltrating data before encrypting files—has led to custom tools developed by attackers (e.g., Exmatter, Exbyte, and StealBit) to send stolen information to their infrastructure.

    This necessitates that these cybercriminal groups maintain long-term access to explore the environment, understand the network’s structure, find resources, elevate their privileges, blend in, and identify valuable data to steal.

    “Over the past year, we’ve seen significant changes in the ransomware landscape, with new groups emerging, each with unique goals, operational structures, and targets,” Talos said.

    “This diversification shows a shift toward more specialized cybercriminal activities, with groups like Hunters International, Cactus, and Akira carving out specific niches, focusing on distinct operational goals and methods to set themselves apart.”
