
Nigeria's ngCERT has issued an urgent warning that ransomware groups are actively targeting critical systems by exploiting CVE-2023-27532, a vulnerability in Veeam Backup and Replication software that has already been exploited in recent ransomware attacks involving the notorious Phobos ransomware group.
The vulnerability affects Veeam Backup and Replication versions 12 and below, and it allows attackers to gain unauthorized access to sensitive data, including encrypted and plaintext credentials stored in the Veeam configuration database. This flaw enables cybercriminals to elevate privileges, install malware, and execute arbitrary code on compromised systems.
By exploiting this vulnerability, attackers can connect to the Veeam Backup Service via TCP port 9401 and extract confidential information without requiring proper authentication. With these administrative credentials, they can compromise the entire network, leading to system takeovers, data exfiltration, and eventually ransomware attacks.
The Phobos ransomware group recently leveraged this Veeam flaw in an attack targeting cloud infrastructure in Nigeria. Once inside the network, the attackers deployed ransomware, encrypted critical data, and demanded payment from the victims.
ngCERT strongly advises all users to immediately apply the available patches provided by Veeam to mitigate the risk of exploitation.
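
Because the attack described above begins with a connection to the Veeam Backup Service on TCP port 9401, defenders can review firewall logs on the backup server for accepted connections to that port from unexpected sources. The following is an added example, not part of the ngCERT advisory or Veeam's guidance; the allow-listed subnet and the log lines are constructed, and the log layout assumed is the Windows Firewall `pfirewall.log` field order.

```python
import ipaddress

VEEAM_PORT = 9401  # Veeam Backup Service port named in the advisory

# Assumption: networks expected to reach the backup service (constructed value).
ALLOWED_SOURCES = [ipaddress.ip_network("10.0.1.0/24")]

# Constructed sample lines in Windows Firewall log (pfirewall.log) field order.
SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2024-01-10 02:14:07 ALLOW TCP 10.0.1.25 10.0.1.10 50122 9401 0 - 0 0 0 - - - RECEIVE
2024-01-10 02:15:41 ALLOW TCP 203.0.113.50 10.0.1.10 41877 9401 0 - 0 0 0 - - - RECEIVE
2024-01-10 02:15:59 DROP TCP 198.51.100.7 10.0.1.10 55210 9401 0 - 0 0 0 - - - RECEIVE
2024-01-10 02:16:30 ALLOW TCP 10.0.7.99 10.0.1.10 49811 9401 0 - 0 0 0 - - - RECEIVE
2024-01-10 02:17:02 ALLOW TCP 203.0.113.50 10.0.1.10 41901 443 0 - 0 0 0 - - - RECEIVE
"""

def unexpected_veeam_connections(log_text, allowed=ALLOWED_SOURCES, port=VEEAM_PORT):
    """Return (timestamp, src_ip, dst_ip) for accepted inbound TCP connections
    to the Veeam port whose source address is outside the allow-list."""
    fields = None
    hits = []
    for line in log_text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()  # column names from the log header
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) < len(fields):
            continue  # truncated or malformed line
        rec = dict(zip(fields, parts))
        if rec["action"] != "ALLOW" or rec["protocol"] != "TCP":
            continue  # dropped traffic never reached the service
        if rec["path"] != "RECEIVE" or rec["dst-port"] != str(port):
            continue  # only inbound traffic to the backup service port
        try:
            src = ipaddress.ip_address(rec["src-ip"])
        except ValueError:
            continue
        if not any(src in net for net in allowed):
            hits.append((f'{rec["date"]} {rec["time"]}', rec["src-ip"], rec["dst-ip"]))
    return hits

if __name__ == "__main__":
    for ts, src, dst in unexpected_veeam_connections(SAMPLE_LOG):
        print(f"{ts} unexpected source {src} -> {dst}:{VEEAM_PORT}")
```

Any hit on an unpatched server is a lead for incident response, since the advisory states that the service discloses stored credentials without authentication.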


