April 19, 2024

An affiliate of the BlackCat ransomware, dubbed UNC4466, is exploiting vulnerabilities in the Veritas Backup Exec software to gain initial access to the targeted network.

Researchers observed that the UNC4466 group has been exploiting the Veritas vulnerabilities in the wild since October 2022 based on the release of the Metasploit module that exploits the vulnerabilities

More than 8,500 IP addresses are still running Symantec/Veritas Backup Exec ndmp service on ports 9000, 10001, and the default port 10000, many of which could be exposed to the attack.

Advertisements

Modus of operandi

UNC4466 targets exposed Windows servers running an unpatched version of Veritas Backup Exec using the publicly available Metasploit module for gaining the initial access

After obtaining access to the target network, the attackers use Advanced IP Scanner and ADRecon to collect further details on the environment and uses additional tools such as Mimikatz, RCLONE, LAZAGNE, WINSW, Nanodump, and LIGOLO are downloaded on the compromised system.

New scheduled tasks are added to the default domain policy, security software is turned off, and then the ALPHV ransomware crypter is loaded through the Background Intelligent Transfer Service (BITS).

To evade detection, the event logs are cleared, and Microsoft Defender’s real-time monitoring is disabled.

  • CVE-2021-27876: arbitrary file access flaw
  • CVE-2021-27877: remote unauthorized access 
  • CVE-2021-27878: arbitrary command execution flaw

These above vulnerabilities were abused by the attackers and were disclosed by Veritas in March 2021, and a fix was released with version 21.2.

Advertisements

To stay protected, organizations are suggested to establish a stronger security framework with multi-layered defense architecture and a robust patch management system.

This research was documented by researchers from Mandiant

Indicators of Compromise

  • da202cc4b3679fdb47003d603a93c90d
  • 5fe66b2835511f9d4d3703b6c639b866
  • 1f437347917f0a4ced71fb7df53b1a05
  • b41dc7bef82ef384bc884973f3d0e8ca
  • c590a84b8c72cf18f35ae166f815c9df
  • 24b0f58f014bd259b57f346fb5aed2e
  • e31270e4a6f215f45abad65916da9db4
  • 4fdabe571b66ceec3448939bfb3ffcd1
  • 68d3bf2c363144ec6874ab360fdda00a
  • ee6e0cb1b3b7601696e9a05ce66e7f37
  • f66e1d717b54b95cf32154b770e10ba4
  • 17424a22f01b7b996810ba1274f7b8e9
  • 45[.]61[.]138[.]109
  • 185[.]141[.]62[.]123
  • 5[.]199[.]169[.]209
  • 45[.]61[.]138[.]109:45815
  • 45[.]61[.]138[.]109:43937
  • 45[.]61[.]138[.]109:36931
  • 5[.]199[.]169[.]209:31600
  • 45[.]61[.]138[.]109:41703
  • 185[.]99[.]135[.]115:39839
  • 185[.]99[.]135[.]115:41773
  • 45[.]61[.]138[.]109:33971
  • 185[.]141[.]62[.]123:50810
  • 185[.]99[.]135[.]115:49196
  • hxxp://185[.]141[.]62[.]123:10228/update[.]
Tags:

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

You may have missed

HashiCorp Critical Vulnerability – CVE-2024-3817

April 18, 2024

Cisco Integrated Management Controller Vulnerabilities

April 18, 2024

Windows Kernel Vulnerability – CVE-2024-21338 PoC Exploit Released

April 17, 2024

Cisco Duo Identify Data Breach

April 17, 2024

Tanium new Automate Feature

April 16, 2024

Patch released CVE-2024-3400 added to KEV Catalog

April 16, 2024

Discover more from TheCyberThrone

Subscribe now to keep reading and get access to the full archive.

Continue reading