Advisory ID: ngCERT-2024-0033
Summary:
ngCERT is issuing an urgent security advisory regarding a high-severity vulnerability in Veeam Backup and Replication (VBR) software, recently exploited by ransomware groups. The flaw is designated CVE-2023-27532, affecting VBR versions 12 and below. Threat actors exploit this weakness by obtaining encrypted and plaintext credentials stored in the configuration database, which is further used to elevate privileges and execute arbitrary code on affected systems. The successful exploitation of the vulnerability may result in malware installation, system takeover, data exfiltration and ultimately ransomware attacks. It is pertinent to note that, the Phobos ransomware group recently exploited this flaw in a ransomware attack on a cloud infrastructure, within the Nigerian Cyberspace. Accordingly, users are strongly advised to implement the latest security patches from VBR, and other mitigation steps recommended herein.
Threat Type(s): Ransomware
Impact/Vulnerability: CRITICAL/HIGH
Product(s): Microsoft Exchange server, SQL Server, Windows Server, Linux Server, Oracle, Azure, AWS, VMware, Hyper-V
Platform(s): WIndows and Linux Operating Systems
Version(s): All Versions
Description:
The CVE-2023-27532 is a critical vulnerability in Veeam Backup & Replication (VBR) software, which allows unauthorized users to access sensitive information, including encrypted credentials. Cybercriminals exploit this flaw by connecting to the exposed Veeam services (C:\ProgramFiles\Veeam\Backup and Replication\Backup\Veeam.Backup.Service.exe) on port TCP 9401, where they can issue requests to extract confidential data from backup infrastructure without proper authentication. To exploit CVE-2023-27532, attackers typically scan for unpatched Veeam instances exposed to the internet. Once they locate a vulnerable system, they bypass authentication mechanisms by sending crafted requests directly to the service, allowing them to obtain critical information, such as administrative credentials. With this information, attackers can escalate privileges, gain unauthorized access to the backup environment, and even compromise the entire network. Such an exploit can lead to severe consequences, including data breaches, ransomware deployment, or malicious data manipulation, as the backup servers often store highly sensitive and valuable information.
Solution:
- Avoid downloading or opening attachments in emails received from untrusted sources or unexpectedly received from trusted users.
- Block the malicious external IP addresses and other malicious IP addresses on your network.
- Ensure that the assets/systems operating system, applications, antivirus, and plugins are up to date.
- Activate built-in security features on endpoint devices which scan applications for malware.
- Consider implementing stronger security measures, including firewalls, intrusion detection/prevention systems, anti-phishing solution, endpoint detection and response solution including anti-malware software.
- Enforce a strong password policy, implement regular password changes.
- Disable unnecessary services and open ports on endpoint devices and servers within your agency. Only enable services and open ports that are essential for day-to-day operations.
-
https://thehackernews.com/2024/07/new-ransomware-group-exploiting-veeam.html
-
https://cisometric.com/articles/ransomware-alert-estateransomware-exploits-veeam-backup-software
-
https://cirt.gy/article/al2024_15-veeam-backup-replication-software-security-flaw-exploited-by-new-ransomware-group-estateransomware-15th-july-2024/