Recent cybersecurity reports indicate that threat actors are actively exploiting a critical security vulnerability in Veeam Backup & Replication software to deploy ransomware variants such as Akira and Fog. Sophos, a recognized cybersecurity vendor, has noted ongoing attacks that utilize compromised VPN credentials alongside the CVE-2024-40711 vulnerability to gain unauthorized access and install ransomware.

The vulnerability, rated 9.8 on the CVSS scale, enables unauthenticated remote code execution, allowing attackers to exploit systems effectively. Veeam addressed this particular flaw in version 12.2 of Backup & Replication released in early September 2024. The discovery of this vulnerability was credited to Florian Hauser, a security researcher with CODE WHITE in Germany.

Investigation by Sophos revealed that attackers initially accessed targeted organizations through compromised VPN gateways that lacked multifactor authentication, an increasingly essential layer of security. Many of the affected VPNs were reportedly running unsupported software versions, improving the attackers' chances of success.

Once inside, the attackers exploited Veeam services by targeting the URI “/trigger” on port 8000. This caused the Veeam.Backup.MountService.exe process to spawn net.exe, which created a local user account named “point” and added it to privileged groups such as Administrators and Remote Desktop Users. In an attack associated with the deployment of Fog ransomware, the adversaries are said to have deployed the ransomware onto an unsecured Hyper-V server while using rclone for data exfiltration.
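The process chain Sophos describes (Veeam.Backup.MountService.exe spawning net.exe to create the “point” account and add it to Administrators and Remote Desktop Users) is easy to turn into a detection. The following is an added example written for this article, not code from Sophos, Veeam or the article itself: a small Python detector that runs over constructed Sysmon-style (Event ID 1) process-creation records. The process and group names come from the text above; the log field names, hostnames, timestamps and password are assumptions made up for the example.

```python
import json
import ntpath
import re
from collections import defaultdict

# Process names from the chain described by Sophos; the child allow-list is an assumption.
VEEAM_MOUNT_SERVICE = "veeam.backup.mountservice.exe"
NET_BINARIES = {"net.exe", "net1.exe"}
# Children a backup mount service should never need to spawn (hypothetical set).
SUSPICIOUS_CHILDREN = NET_BINARIES | {"cmd.exe", "powershell.exe"}

# "net user <name> [password] /add"
USER_ADD = re.compile(r"\buser\s+(?P<name>\S+)(?:\s+\S+)?\s+/add\b", re.IGNORECASE)
# "net localgroup Administrators <name> /add" or "net localgroup \"Remote Desktop Users\" <name> /add"
GROUP_ADD = re.compile(
    r'\blocalgroup\s+"?(?P<group>administrators|remote desktop users)"?\s+(?P<name>\S+)\s+/add\b',
    re.IGNORECASE,
)

# Constructed sample telemetry: one JSON object per line, Sysmon-like field names.
SAMPLE_LOG = "\n".join([
    r'{"ts":"2024-10-09T10:01:02Z","host":"vbr01","ParentImage":"C:\\Program Files\\Veeam\\Backup and Replication\\Backup\\Veeam.Backup.MountService.exe","Image":"C:\\Windows\\System32\\net.exe","CommandLine":"net user point Example-Passw0rd /add"}',
    r'{"ts":"2024-10-09T10:01:03Z","host":"vbr01","ParentImage":"C:\\Program Files\\Veeam\\Backup and Replication\\Backup\\Veeam.Backup.MountService.exe","Image":"C:\\Windows\\System32\\net.exe","CommandLine":"net localgroup Administrators point /add"}',
    r'{"ts":"2024-10-09T10:01:04Z","host":"vbr01","ParentImage":"C:\\Program Files\\Veeam\\Backup and Replication\\Backup\\Veeam.Backup.MountService.exe","Image":"C:\\Windows\\System32\\net.exe","CommandLine":"net localgroup \"Remote Desktop Users\" point /add"}',
    r'{"ts":"2024-10-09T10:01:05Z","host":"vbr01","ParentImage":"C:\\Program Files\\Veeam\\Backup and Replication\\Backup\\Veeam.Backup.MountService.exe","Image":"C:\\Windows\\System32\\cmd.exe","CommandLine":"cmd.exe /c whoami"}',
    r'{"ts":"2024-10-09T10:02:00Z","host":"vbr01","ParentImage":"C:\\Windows\\System32\\services.exe","Image":"C:\\Program Files\\Veeam\\Backup and Replication\\Backup\\Veeam.Backup.MountService.exe","CommandLine":"Veeam.Backup.MountService.exe"}',
    r'{"ts":"2024-10-09T10:03:00Z","host":"ws07","ParentImage":"C:\\Windows\\explorer.exe","Image":"C:\\Windows\\System32\\notepad.exe","CommandLine":"notepad.exe notes.txt"}',
    r'{"ts":"2024-10-09T10:04:00Z","host":"ws07","ParentImage":"C:\\Windows\\System32\\cmd.exe","Image":"C:\\Windows\\System32\\net.exe","CommandLine":"net use Z: \\\\fs01\\share"}',
])


def parse_events(log_text):
    """Yield one dict per non-empty JSON line; malformed lines are skipped rather than fatal."""
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def analyze_event(ev):
    """Return a list of findings for one process-creation event (empty if benign)."""
    parent = ntpath.basename(ev.get("ParentImage", "")).lower()
    child = ntpath.basename(ev.get("Image", "")).lower()
    cmd = ev.get("CommandLine", "")
    host = ev.get("host", "?")
    from_veeam = parent == VEEAM_MOUNT_SERVICE
    findings = []
    # Rule 1: the mount service spawning a shell or net.exe is itself anomalous.
    if from_veeam and child in SUSPICIOUS_CHILDREN:
        findings.append({"host": host, "rule": "veeam_mount_service_child",
                         "severity": "medium", "detail": f"{parent} -> {child}: {cmd}"})
    if child in NET_BINARIES:
        # Rule 2: local account creation; high severity when the parent is the Veeam service.
        m = USER_ADD.search(cmd)
        if m:
            findings.append({"host": host, "rule": "local_account_created",
                             "severity": "high" if from_veeam else "medium",
                             "detail": f"account '{m.group('name')}' created via {child}"})
        # Rule 3: membership added to Administrators or Remote Desktop Users.
        g = GROUP_ADD.search(cmd)
        if g:
            findings.append({"host": host, "rule": "privileged_group_add", "severity": "high",
                             "detail": f"'{g.group('name')}' added to {g.group('group')}"})
    return findings


def detect(log_text):
    """Run every event in the log through the rules and collect all findings."""
    out = []
    for ev in parse_events(log_text):
        out.extend(analyze_event(ev))
    return out


def correlate(findings):
    """Hosts showing both the anomalous Veeam child process and a privileged group add,
    i.e. the full post-exploitation chain rather than an isolated admin action."""
    rules_by_host = defaultdict(set)
    for f in findings:
        rules_by_host[f["host"]].add(f["rule"])
    needed = {"veeam_mount_service_child", "privileged_group_add"}
    return sorted(h for h, rules in rules_by_host.items() if needed <= rules)


if __name__ == "__main__":
    hits = detect(SAMPLE_LOG)
    for f in hits:
        print(f"[{f['severity']}] {f['host']} {f['rule']}: {f['detail']}")
    print("hosts matching full chain:", correlate(hits))
```

The correlation step matters: an administrator legitimately adding someone to Remote Desktop Users should page nobody, but the same command line issued by a child of the backup mount service on a VBR host is the pattern the article attributes to CVE-2024-40711 post-exploitation and deserves an immediate response.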

This aggressive exploitation of CVE-2024-40711 has garnered attention from NHS England, which issued an advisory highlighting that enterprise backup and disaster recovery tools represent lucrative targets for cybercriminals. The advisory underlined the importance of safeguarding such applications against increasingly sophisticated cyber threats.

In light of the current vulnerability landscape, Palo Alto Networks’ Unit 42 revealed the emergence of a new ransomware variant named Lynx, a successor to the previously identified INC ransomware. This ransomware has targeted sectors such as retail, real estate, and finance in both the U.S. and U.K. Notably, Lynx is believed to have been rushed into the market following the unauthorized sale of the INC source code in March 2024. This variant bears a significant resemblance to its predecessor, sharing substantial portions of its source code.

Adding complexity to the situation, the U.S. Department of Health and Human Services reported that at least one healthcare organization has been compromised by Trinity ransomware, which is considered a rebranding of earlier malware types. The increasing prevalence of various ransomware strains underscores the urgent need for organizations to bolster their cybersecurity protocols.

Cyber attacks, particularly those delivering variants like BabyLockerKZ from the MedusaLocker family, remain a reality for many, primarily targeting organizations in the E.U. and South America. These criminals have been known to leverage publicly available tools and customized binaries to facilitate credential theft and lateral movement, illustrating the multifaceted nature of modern cyber threats.

In summary, the exploitation of critical vulnerabilities such as CVE-2024-40711 underscores the proactive measures organizations must adopt to fortify their defenses. As threat vectors continue to evolve, business owners must remain vigilant against the evolving risks of cyber attacks, applying the MITRE ATT&CK framework to develop robust security strategies that cover tactics from initial access through privilege escalation and persistence.
