FIN7 Exploiting Veeam Backup Vulnerability

The Russian threat group FIN7 has been found exploiting unpatched Veeam Backup & Replication instances. FIN7, which has been active since at least 2015, primarily focuses on financially motivated crimes related to stealing credit card information.

The vulnerability tracked as  CVE-2023-27532, with a CVSS score of 7.5, was disclosed and patched. The Proof-of-Concept exploitation code was publicly released by researchers from Horizontal3.ai

Veeam stated that if successfully exploited, the bug could enable an attacker to obtain encrypted credentials stored in the Veeam backup database.

The threat actor was observed engaging in various malicious activities, including network reconnaissance, stealing data from the Veeam backup database, exfiltrating stored credentials, achieving persistence for the Diceloader backdoor, and lateral movement using stolen credentials.

The Powertrash in-memory dropper tool, was observed being downloaded and executed by a shell command during a Veeam Backup process. This dropper was used to carry Diceloader or Lizar, a backdoor also associated with FIN7, which allows the attackers to perform various post-exploitation actions.

While it is unclear how the initial shell commands were invoked by the threat actors, it is suspected that they exploited the CVE-2023-27532 in Veeam Backup & Replication, which can grant unauthorized access to the instance. 

The security researchers identified two instances of the latest attacks. The initial activities in both instances originated from the same public IP address on the same day, it is probable that they were part of a larger campaign.

The scope of this attack is likely limited due to the rarity of Veeam backup servers with TCP port 9401 exposed publicly.

Organizations patch and configure their backup servers and look for signs of compromise with the IOCs mentioned in the report.