December 3, 2023

An affiliate of the BlackCat ransomware, dubbed UNC4466, is exploiting vulnerabilities in the Veritas Backup Exec software to gain initial access to the targeted network.

Researchers observed that the UNC4466 group has been exploiting the Veritas vulnerabilities in the wild since October 2022 based on the release of the Metasploit module that exploits the vulnerabilities

More than 8,500 IP addresses are still running Symantec/Veritas Backup Exec ndmp service on ports 9000, 10001, and the default port 10000, many of which could be exposed to the attack.


Modus of operandi

UNC4466 targets exposed Windows servers running an unpatched version of Veritas Backup Exec using the publicly available Metasploit module for gaining the initial access

After obtaining access to the target network, the attackers use Advanced IP Scanner and ADRecon to collect further details on the environment and uses additional tools such as Mimikatz, RCLONE, LAZAGNE, WINSW, Nanodump, and LIGOLO are downloaded on the compromised system.

New scheduled tasks are added to the default domain policy, security software is turned off, and then the ALPHV ransomware crypter is loaded through the Background Intelligent Transfer Service (BITS).

To evade detection, the event logs are cleared, and Microsoft Defender’s real-time monitoring is disabled.

  • CVE-2021-27876: arbitrary file access flaw
  • CVE-2021-27877: remote unauthorized access 
  • CVE-2021-27878: arbitrary command execution flaw

These above vulnerabilities were abused by the attackers and were disclosed by Veritas in March 2021, and a fix was released with version 21.2.


To stay protected, organizations are suggested to establish a stronger security framework with multi-layered defense architecture and a robust patch management system.

This research was documented by researchers from Mandiant

Indicators of Compromise

  • da202cc4b3679fdb47003d603a93c90d
  • 5fe66b2835511f9d4d3703b6c639b866
  • 1f437347917f0a4ced71fb7df53b1a05
  • b41dc7bef82ef384bc884973f3d0e8ca
  • c590a84b8c72cf18f35ae166f815c9df
  • 24b0f58f014bd259b57f346fb5aed2e
  • e31270e4a6f215f45abad65916da9db4
  • 4fdabe571b66ceec3448939bfb3ffcd1
  • 68d3bf2c363144ec6874ab360fdda00a
  • ee6e0cb1b3b7601696e9a05ce66e7f37
  • f66e1d717b54b95cf32154b770e10ba4
  • 17424a22f01b7b996810ba1274f7b8e9
  • 45[.]61[.]138[.]109
  • 185[.]141[.]62[.]123
  • 5[.]199[.]169[.]209
  • 45[.]61[.]138[.]109:45815
  • 45[.]61[.]138[.]109:43937
  • 45[.]61[.]138[.]109:36931
  • 5[.]199[.]169[.]209:31600
  • 45[.]61[.]138[.]109:41703
  • 185[.]99[.]135[.]115:39839
  • 185[.]99[.]135[.]115:41773
  • 45[.]61[.]138[.]109:33971
  • 185[.]141[.]62[.]123:50810
  • 185[.]99[.]135[.]115:49196
  • hxxp://185[.]141[.]62[.]123:10228/update[.]

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: