Veeam Backup flaw CVE-2024-40711 used in ransomware campaigns

Security agencies have been warning of mass exploitation of a critical Veeam Backup & Replication vulnerability by ransomware groups.

The vulnerability, tracked as CVE-2024-40711, carries a CVSS score of 9.8. Successful exploitation could lead to remote code execution (RCE), the alert noted; RCE allows attackers to run code on a remote device without needing physical access.

Ransomware groups are reportedly exploiting CVE-2024-40711 as a second-stage exploit, using it to create new local administrator accounts that support further objectives on compromised networks.


Reports warn of exploitation attempts beginning shortly after Veeam's official disclosure. Security researchers have tracked attacks over the past month that leveraged compromised credentials and CVE-2024-40711 to create an account and deploy ransomware. The firm did not name the target of this attack.

In one attack the attackers dropped Fog ransomware; another saw an attempted deployment of Akira ransomware. In both cases, the attackers initially accessed the targets through compromised VPN gateways that did not have multifactor authentication enabled, some of which were running unsupported software versions.

In each case, the attackers exploited Veeam via the /trigger URI on port 8000, causing Veeam.Backup.MountService.exe to spawn net.exe. The exploit creates a local account named “point” and adds it to the local Administrators and Remote Desktop Users groups.
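As an added detection example (not from the original article or from Veeam), the following Python scans constructed Sysmon-style process-creation events for the chain described above: Veeam.Backup.MountService.exe spawning net.exe to add a local account and place it in the Administrators or Remote Desktop Users group. The install path, the event field names and the sample password are assumptions.

```python
import shlex

# Constructed Sysmon-style process-creation events (not real telemetry) that mirror
# the behaviour described above: the Veeam mount service spawning net.exe.
# The Veeam install path is an assumption.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Veeam\Backup and Replication\Backup\Veeam.Backup.MountService.exe",
     "Image": r"C:\Windows\System32\net.exe",
     "CommandLine": "net user point Str0ngPass! /add"},
    {"ParentImage": r"C:\Program Files\Veeam\Backup and Replication\Backup\Veeam.Backup.MountService.exe",
     "Image": r"C:\Windows\System32\net.exe",
     "CommandLine": 'net localgroup "Remote Desktop Users" point /add'},
    {"ParentImage": r"C:\Program Files\Veeam\Backup and Replication\Backup\Veeam.Backup.MountService.exe",
     "Image": r"C:\Windows\System32\net.exe",
     "CommandLine": "net localgroup administrators point /add"},
    # Benign: an interactive user mapping a share from Explorer.
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\net.exe",
     "CommandLine": r"net use \\fileserver\share"},
]

MOUNT_SERVICE = "veeam.backup.mountservice.exe"
NET_BINARIES = {"net.exe", "net1.exe"}
PRIVILEGED_GROUPS = {"administrators", "remote desktop users"}

def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def classify_event(event):
    """Return a finding dict for a suspicious event, or None if it looks benign."""
    if _basename(event["ParentImage"]) != MOUNT_SERVICE:
        return None
    finding = {"rule": "mountservice_child_process", "child": _basename(event["Image"])}
    if finding["child"] not in NET_BINARIES:
        return finding  # any child of the mount service deserves a look
    # Non-POSIX split keeps Windows-style quoting; strip the quotes afterwards.
    args = [a.strip('"').lower() for a in shlex.split(event["CommandLine"], posix=False)]
    if len(args) >= 4 and args[1] == "user" and "/add" in args:
        finding.update(rule="local_account_created", account=args[2])
    elif len(args) >= 5 and args[1] == "localgroup" and "/add" in args:
        finding.update(rule="group_membership_added", group=args[2], account=args[3])
        if args[2] in PRIVILEGED_GROUPS:
            finding["rule"] = "privileged_group_addition"
    return finding

def scan(events):
    """Run the classifier over a list of events and keep only the findings."""
    return [f for f in (classify_event(e) for e in events) if f]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

On real telemetry the same logic applies to Sysmon Event ID 1 or Windows Security event 4688 records, provided the parent process field is collected.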

The vulnerability affects Veeam Backup & Replication 12.1.2.172. Veeam noted that unsupported product versions are not tested but are likely affected and should be considered vulnerable.


Affected organizations have been advised to review the Veeam Security Bulletin and update Veeam Backup & Replication to version 12.2 (or above) as a matter of urgency.

Attackers can often reverse-engineer patches and then craft tailored malware to exploit the vulnerability that was fixed. This underlines the need to patch quickly, regardless of whether white-hat researchers release exploit code.
