A now-patched security flaw in Veeam Backup & Replication software is being exploited by a nascent ransomware operation known as EstateRansomware.
Singapore-headquartered Group-IB, which discovered the threat actor in early April 2024, said the modus operandi involved the exploitation of CVE-2023-27532 (CVSS score: 7.5) to carry out the malicious activities.
Initial access to the target environment is said to have been facilitated by means of a Fortinet FortiGate firewall SSL VPN appliance using a dormant account.
"The threat actor pivoted laterally from the FortiGate Firewall through the SSL VPN service to access the failover server," security researcher Yeo Zi Wei said in an analysis published today.
"Before the ransomware attack, there were VPN brute-force attempts noted in April 2024 using a dormant account identified as 'Acc1.' Several days later, a successful VPN login using 'Acc1' was traced back to the remote IP address 149.28.106[.]252."
Next, the threat actors proceeded to establish RDP connections from the firewall to the failover server, followed by deploying a persistent backdoor named "svchost.exe" that's executed daily through a scheduled task.
Subsequent access to the network was accomplished using the backdoor to evade detection. The primary responsibility of the backdoor is to connect to a command-and-control (C2) server over HTTP and execute arbitrary commands issued by the attacker.
Group-IB said it observed the actor exploiting Veeam flaw CVE-2023-27532 with an aim to enable xp_cmdshell on the backup server and create a rogue user account named "VeeamBkp," alongside conducting network discovery, enumeration, and credential harvesting activities using tools like NetScan, AdFind, and NitSoft via the newly created account.
"This exploitation potentially involved an attack originating from the VeeamHax folder on the file server against the vulnerable version of Veeam Backup & Replication software installed on the backup server," Zi Wei hypothesized.
"This activity facilitated the activation of the xp_cmdshell stored procedure and subsequent creation of the 'VeeamBkp' account."
The attack culminated in the deployment of the ransomware, but not before taking steps to impair defenses and moving laterally from the AD server to all other servers and workstations using compromised domain accounts.
"Windows Defender was permanently disabled using DC.exe [Defender Control], followed by ransomware deployment and execution with PsExec.exe," Group-IB said.
The disclosure comes as Cisco Talos revealed that most ransomware gangs prioritize establishing initial access using security flaws in public-facing applications, phishing attachments, or breaching valid accounts, and circumventing defenses in their attack chains to increase dwell time in victim networks.
The double extortion model of exfiltrating data prior to encrypting files has further given rise to custom tools developed by the actors (e.g., Exmatter, Exbyte, and StealBit) to send the confidential information to an adversary-controlled infrastructure.
This necessitates that these e-crime groups establish long-term access to explore the environment in order to understand the network's structure, locate resources that can support the attack, elevate their privileges, or allow them to blend in, and identify data of value that can be stolen.
"Over the past year, we have witnessed major shifts in the ransomware space with the emergence of multiple new ransomware groups, each exhibiting unique goals, operational structures and victimology," Talos said.
"The diversification highlights a shift toward more boutique-targeted cybercriminal activities, as groups such as Hunters International, Cactus, and Akira carve out specific niches, focusing on distinct operational goals and stylistic choices to differentiate themselves."
Veeam Vulnerability Also Exploited in Akira Ransomware Attacks
Canadian cybersecurity company BlackBerry, in a report published on July 11, 2024, revealed that an unnamed Latin American airline was targeted by a threat group using Akira ransomware last month by weaponizing CVE-2023-27532 for initial access.
"The threat actor initially accessed the network via Secure Shell (SSH) protocol and was successful in exfiltrating critical data before deploying a strain of the Akira ransomware the following day," the BlackBerry Research and Intelligence Team said.
"A number of legitimate tools were abused in conjunction with Living off-the-Land Binaries and Scripts (LOLBAS). This enabled the assailants to perform reconnaissance and persist in the newly compromised victim environment. Once the attacker had achieved their goal of exfiltrating data, the ransomware was deployed to encrypt and incapacitate the victim systems."
Akira ransomware is the work of a financially driven threat actor tracked by Microsoft under the name Storm-1567, which is also referred to as Gold Sahara and Punk Spider. The group has been active since at least March 2023.