Cyber security news for all


    Veeam Vulnerability Exploited to Spread Akira and Fog Ransomware

    Cybercriminals are actively exploiting a critical vulnerability in Veeam Backup & Replication, tracked as CVE-2024-40711, to deploy Akira and Fog ransomware. Security vendor Sophos has been tracking several attacks over the past month in which attackers combined compromised VPN credentials with this critical flaw to infiltrate networks.

    Vulnerability Details

    CVE-2024-40711, rated 9.8 on the CVSS scale, is a severe vulnerability that allows for unauthenticated remote code execution. It was discovered by security researcher Florian Hauser from CODE WHITE and was addressed by Veeam in Backup & Replication version 12.2, released in early September 2024.

    According to Sophos, the attacks begin with unauthorized access through compromised VPN gateways that lacked multifactor authentication and were often running outdated software versions. Once inside, attackers exploit Veeam via the /trigger URI on port 8000, using Veeam.Backup.MountService.exe to execute commands that create a local account called “point” and add it to the Administrators and Remote Desktop Users groups.
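    The chain described in the preceding paragraph maps onto three Windows Security-log event types that defenders already collect: process creation (event ID 4688) with Veeam.Backup.MountService.exe as the parent, local user account creation (4720), and a member being added to a security-enabled local group (4732). The following is an added example, not code from the article, Sophos or Veeam, that correlates those events into a single alert. The event records are constructed and use simplified field names rather than the raw Security-log XML, the Veeam install path in the sample is invented, and the 10-minute correlation window is an assumption.

```python
"""Correlate Security-log events into the Veeam mount-service account-creation chain."""
from datetime import datetime, timedelta
import ntpath

# Parent process named in the Sophos reporting; compared by basename, case-insensitively.
SUSPICIOUS_PARENT = "veeam.backup.mountservice.exe"
# Groups the attackers added the new account to.
PRIVILEGED_GROUPS = {"administrators", "remote desktop users"}
# Assumption: the steps of the chain land within this window on the same host.
WINDOW = timedelta(minutes=10)

# Constructed sample events. Field names are a simplified normalisation of the
# Security log (4688 = process creation, 4720 = user account created,
# 4732 = member added to a security-enabled local group). The install path is invented.
SAMPLE_EVENTS = [
    {"time": "2024-10-10T02:14:05", "id": 4688, "host": "VBR01",
     "new_process": r"C:\Windows\System32\cmd.exe",
     "parent_process": r"C:\Veeam\Veeam.Backup.MountService.exe"},
    {"time": "2024-10-10T02:14:06", "id": 4688, "host": "VBR01",
     "new_process": r"C:\Windows\System32\net.exe",
     "parent_process": r"C:\Windows\System32\cmd.exe"},
    {"time": "2024-10-10T02:14:07", "id": 4720, "host": "VBR01", "account": "point"},
    {"time": "2024-10-10T02:14:08", "id": 4732, "host": "VBR01", "account": "point",
     "group": "Administrators"},
    {"time": "2024-10-10T02:14:09", "id": 4732, "host": "VBR01", "account": "point",
     "group": "Remote Desktop Users"},
    # Benign: an administrator creates a service account with no Veeam-spawned shell beforehand.
    {"time": "2024-10-10T09:00:00", "id": 4720, "host": "FS02", "account": "svc_backup"},
    {"time": "2024-10-10T09:00:03", "id": 4732, "host": "FS02", "account": "svc_backup",
     "group": "Backup Operators"},
]


def is_mountservice_spawn(event):
    """True for a 4688 whose parent process is the Veeam mount service."""
    if event["id"] != 4688:
        return False
    return ntpath.basename(event["parent_process"]).lower() == SUSPICIOUS_PARENT


def detect_chain(events, window=WINDOW):
    """Return one alert per local account created shortly after a mount-service spawn.

    Each alert lists the privileged groups (if any) the account was added to
    within the window after its creation, so the analyst sees the full chain.
    """
    events = sorted(events, key=lambda e: e["time"])  # ISO-8601 strings sort chronologically
    spawns = {}  # host -> [datetime of each suspicious spawn]
    for ev in events:
        if is_mountservice_spawn(ev):
            spawns.setdefault(ev["host"], []).append(datetime.fromisoformat(ev["time"]))

    alerts = []
    for ev in events:
        if ev["id"] != 4720:
            continue
        created_at = datetime.fromisoformat(ev["time"])
        preceded = any(timedelta(0) <= created_at - t <= window
                       for t in spawns.get(ev["host"], []))
        if not preceded:
            continue  # account creation with no Veeam-spawned shell before it: not this chain
        groups = sorted({
            g["group"] for g in events
            if g["id"] == 4732 and g["host"] == ev["host"] and g["account"] == ev["account"]
            and g["group"].lower() in PRIVILEGED_GROUPS
            and timedelta(0) <= datetime.fromisoformat(g["time"]) - created_at <= window
        })
        alerts.append({"host": ev["host"], "account": ev["account"],
                       "created_at": ev["time"], "groups": groups})
    return alerts


if __name__ == "__main__":
    for a in detect_chain(SAMPLE_EVENTS):
        print(f"[ALERT] {a['host']}: local account '{a['account']}' created at "
              f"{a['created_at']} after a shell spawned by the Veeam mount service; "
              f"privileged groups: {', '.join(a['groups']) or 'none'}")
```

    Running the block against the constructed events raises exactly one alert, for the “point” account on VBR01, and stays silent for the ordinary service-account creation on FS02. In production the same logic would be fed from a SIEM query over the real 4688/4720/4732 events; the parent-process check alone is worth alerting on, since a backup service spawning a command interpreter is anomalous regardless of what follows.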

    Ransomware Deployment and Tactics

    In one particular case, threat actors deployed Fog ransomware on an unprotected Hyper-V server and exfiltrated data using the rclone utility. While this attack was successful, other ransomware deployments were reportedly thwarted before they could cause damage.

    NHS England has issued an advisory in response to these incidents, noting that enterprise backup and disaster recovery solutions are high-value targets for cybercriminals. The advisory urges organizations to prioritize security patches and multifactor authentication.

    Rising Threats: New Ransomware Variants

    Meanwhile, Palo Alto Networks’ Unit 42 recently identified a new ransomware strain named Lynx, which has been in circulation since July 2024 and is believed to be a successor to INC ransomware. Lynx is targeting organizations in sectors such as retail, financial services, and real estate in both the U.S. and U.K. Its development was likely driven by the sale of INC ransomware’s source code on underground markets earlier this year.

    Lynx shares much of its codebase with INC ransomware, which initially emerged in August 2023 and was designed to target both Windows and Linux systems.

    The Growing Ransomware Landscape

    This surge in ransomware activity follows a broader trend observed by cybersecurity experts. In recent advisories, the U.S. Department of Health and Human Services (HHS) warned of new threats such as Trinity ransomware, which first appeared in May 2024 and is believed to be a rebrand of 2023Lock and Venus ransomware.

    Similarly, a financially motivated cybercrime group has been deploying a MedusaLocker variant called BabyLockerKZ across EU countries and South America. This attacker uses publicly available tools, known as living-off-the-land binaries (LoLBins), to assist in lateral movement and credential theft within compromised networks.

    Conclusion

    As cybercriminals continue to exploit critical software vulnerabilities and repackage existing ransomware strains, organizations must remain vigilant. Implementing timely patches, enforcing multifactor authentication, and strengthening security protocols are essential steps in protecting systems from these evolving threats.
