A recently patched security vulnerability in Veeam Backup & Replication software has been exploited by a newly emerging ransomware group known as EstateRansomware. Research conducted by Singapore-based cybersecurity firm Group-IB identified this new threat actor in early April 2024. The group's operations leverage CVE-2023-27532, which carries a CVSS score of 7.5, to advance its attacks.
The initial breach occurred through a Fortinet FortiGate firewall's SSL VPN appliance, using a dormant account named "Acc1." According to security researcher Yeo Zi Wei, this dormant account was abused to gain unauthorized access, followed by lateral movement through the SSL VPN service to reach the failover server. Brute-force attempts against the VPN were observed before the successful login from a remote IP address, underscoring weak authentication on unused accounts as a significant entry point for threat actors.
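The entry pattern described above, a burst of failed SSL VPN logins on a long-idle account followed by a success from the same remote IP, is visible in firewall logs. The following is an added illustration, not code from Group-IB or Fortinet: it runs both checks over constructed FortiGate-style log lines and assumes a per-account last-seen inventory that a real deployment would take from its identity system.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample lines in a FortiGate-style key=value layout (not real device output).
SAMPLE_LOGS = """\
date=2024-04-01 time=02:00:05 user="Acc1" remip=203.0.113.7 action="ssl-login-fail"
date=2024-04-01 time=02:00:09 user="Acc1" remip=203.0.113.7 action="ssl-login-fail"
date=2024-04-01 time=02:00:14 user="Acc1" remip=203.0.113.7 action="ssl-login-fail"
date=2024-04-01 time=02:00:20 user="Acc1" remip=203.0.113.7 action="tunnel-up"
date=2024-04-01 time=08:15:00 user="jdoe" remip=198.51.100.20 action="tunnel-up"
"""
# Assumed: last successful VPN login per user, as an identity inventory would record it.
LAST_SEEN = {"Acc1": datetime(2023, 11, 2, 9, 0), "jdoe": datetime(2024, 3, 31, 17, 45)}

LINE_RE = re.compile(r'date=(\S+) time=(\S+) user="([^"]*)" remip=(\S+) action="([^"]*)"')
FAIL, SUCCESS = "ssl-login-fail", "tunnel-up"

def parse(text):
    """Yield (timestamp, user, remote_ip, action) for each parsable line."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield datetime.strptime(f"{m[1]} {m[2]}", "%Y-%m-%d %H:%M:%S"), m[3], m[4], m[5]

def find_bruteforce_success(text, min_failures=3, window=timedelta(minutes=10)):
    """Successful logins preceded by >= min_failures failures from the same IP within window."""
    failures = defaultdict(list)   # (user, ip) -> failure timestamps
    hits = []
    for ts, user, ip, action in parse(text):
        if action == FAIL:
            failures[user, ip].append(ts)
        elif action == SUCCESS:
            recent = [t for t in failures[user, ip] if ts - t <= window]
            if len(recent) >= min_failures:
                hits.append((user, ip, len(recent)))
            failures[user, ip].clear()
    return hits

def find_dormant_logins(text, last_seen, dormant_days=90):
    """Successful logins by accounts idle for at least dormant_days (a dormant account waking up)."""
    seen = dict(last_seen)         # copy so the caller's inventory is not mutated
    hits = []
    for ts, user, ip, action in parse(text):
        if action != SUCCESS:
            continue
        if user in seen and ts - seen[user] >= timedelta(days=dormant_days):
            hits.append((user, ip, (ts - seen[user]).days))
        seen[user] = ts
    return hits
```

Either detector alone produces noise on a busy VPN; the two firing on the same account within minutes, as in the sample, is the signal worth an alert.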
Once inside the network, the attackers established Remote Desktop Protocol (RDP) connections from the FortiGate firewall to the failover server. There they deployed a persistent backdoor named "svchost.exe," a name that mimics the legitimate Windows service host process, to maintain access. The backdoor connects to a command-and-control server over HTTP, allowing the attackers to execute commands with minimal detection. Through the exploitation of the Veeam flaw, the operators sought to enable xp_cmdshell (a SQL Server stored procedure that runs operating-system commands), create a rogue user account dubbed "VeeamBkp," and conduct network reconnaissance using various tools.
The attack progressed with the threat actors moving laterally across the network and taking steps to bypass existing defenses. Notably, Windows Defender was disabled using a tool called DC.exe before the ransomware was deployed via PsExec.exe, marking a critical escalation of their activities.
This ransomware strategy aligns with broader trends identified by Cisco Talos, which notes that many cybercriminal groups now prioritize gaining initial access through vulnerabilities in public-facing applications and through valid existing accounts. Moreover, the rise of the double extortion model, in which attackers exfiltrate sensitive data before encrypting files, has led to the development of specialized tools designed to facilitate data leaks.
In a related incident, BlackBerry reported that the Akira ransomware strain mirrored these tactics by exploiting the same Veeam vulnerability (CVE-2023-27532) to compromise a Latin American airline. The attackers accessed the network through the Secure Shell (SSH) protocol and exfiltrated critical business data before executing their ransomware payload.
The increased sophistication of ransomware groups points to a significant evolution in tactics. The MITRE ATT&CK framework highlights relevant adversary techniques likely employed in these attacks, including initial access through exploiting known vulnerabilities, persistence via backdoor mechanisms, and privilege escalation by creating rogue accounts. Business owners must recognize the importance of robust security measures, including vigilant monitoring for anomalous account activity, to mitigate risks posed by such evolving threats.
The ongoing developments in ransomware tactics underscore the growing sophistication of cyber threats and the imperative for organizations to maintain strong cybersecurity postures to safeguard their assets.