Wednesday, April 2, 2025

Threat actors have exploited a critical vulnerability in Veeam Backup & Replication to deploy the Akira and Fog ransomware families.

Threat actors are actively attempting to exploit a now-patched security flaw in Veeam Backup & Replication to deploy Akira and Fog ransomware.

Sophos reports that it has been tracking a series of attacks over the past month in which compromised VPN credentials and the CVE-2024-40711 vulnerability were used to establish a foothold on systems and deliver ransomware payloads.

CVE-2024-40711, rated 9.8 out of 10.0 on the Common Vulnerability Scoring System (CVSS) scale, is a critical flaw that allows unauthenticated remote code execution. Veeam addressed it in Backup & Replication version 12.2 in early September 2024.

Security researcher Florian Hauser of Germany-based CODE WHITE has been credited with discovering and reporting the flaw.

“In most cases, attackers gained initial access through VPN gateways without multifactor authentication,” Sophos said. “Some of these VPNs were running unsupported software versions.”

Each time, the attackers exploited Veeam via the URI /trigger on port 8000, causing Veeam.Backup.MountService.exe to spawn net.exe. The exploit creates a local account, ‘point’, and adds it to the local Administrators and Remote Desktop Users groups.
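A detection pass over the process-creation chain described above (the Veeam mount service spawning net.exe to create a local account and add it to the local Administrators and Remote Desktop Users groups), written as an added example for this page rather than code from Sophos or Veeam. The events are constructed in a Sysmon Event ID 1 style; the field names, paths and the sample account name are assumptions.

```python
import re
from typing import Iterable

# Constructed Sysmon Event ID 1-style events (field names assumed): the first
# three mirror the chain in the article, the last two are benign controls.
VEEAM_MOUNT = r"C:\Program Files\Veeam\Backup and Replication\Backup\Veeam.Backup.MountService.exe"
SAMPLE_EVENTS = [
    {"ParentImage": VEEAM_MOUNT, "Image": r"C:\Windows\System32\net.exe",
     "CommandLine": "net user point P@ssw0rd! /add"},
    {"ParentImage": VEEAM_MOUNT, "Image": r"C:\Windows\System32\net.exe",
     "CommandLine": 'net localgroup "Remote Desktop Users" point /add'},
    {"ParentImage": VEEAM_MOUNT, "Image": r"C:\Windows\System32\net1.exe",
     "CommandLine": "net1 localgroup Administrators point /add"},
    # Same command from an interactive shell: not the Veeam parent, not flagged.
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": r"C:\Windows\System32\net.exe",
     "CommandLine": "net user point /add"},
    # The mount service spawning a non-net child: not flagged.
    {"ParentImage": VEEAM_MOUNT, "Image": r"C:\Windows\System32\conhost.exe",
     "CommandLine": "conhost.exe 0xffffffff"},
]

SUSPICIOUS_PARENT = "veeam.backup.mountservice.exe"
NET_BINARIES = {"net.exe", "net1.exe"}          # net.exe hands most work to net1.exe
USER_ADD = re.compile(r"\buser\s+(\S+)\s+.*?/add\b", re.I)
GROUP_ADD = re.compile(r'\blocalgroup\s+("[^"]+"|\S+)\s+(\S+)\s+/add\b', re.I)
PRIVILEGED_GROUPS = {"administrators", "remote desktop users"}

def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (accepts either separator)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def detect(events: Iterable[dict]) -> list[dict]:
    """One finding per event where the Veeam mount service drives net.exe to
    create a local user or add one to Administrators / Remote Desktop Users."""
    findings = []
    for ev in events:
        if basename(ev["ParentImage"]) != SUSPICIOUS_PARENT:
            continue
        if basename(ev["Image"]) not in NET_BINARIES:
            continue
        cmd = ev["CommandLine"]
        if m := USER_ADD.search(cmd):
            findings.append({"rule": "veeam_mountservice_net_user_add",
                             "account": m.group(1)})
        elif m := GROUP_ADD.search(cmd):
            group = m.group(1).strip('"').lower()
            if group in PRIVILEGED_GROUPS:
                findings.append({"rule": "veeam_mountservice_privileged_group_add",
                                 "group": group, "account": m.group(2)})
    return findings
```

Running `detect(SAMPLE_EVENTS)` yields three findings (one account creation, two privileged group additions) and none for the two benign events; a real deployment would read the same fields from a SIEM or Sysmon feed.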

In the attack that led to the deployment of Fog ransomware, the threat actors were reported to have dropped it on an unprotected Hyper-V server while using the rclone utility to exfiltrate data. The other ransomware deployments were unsuccessful.

The active exploitation of CVE-2024-40711 has prompted an advisory from NHS England, which noted that “enterprise backup and disaster recovery applications are valuable targets for cyber threat groups.”

The disclosure follows a report from Palo Alto Networks’ Unit 42 on a successor to the INC ransomware, dubbed Lynx, which has been active since July 2022 and targets organizations in the United States and U.K. across retail, real estate, construction, finance, and environmental services.

Lynx’s development is believed to have been fueled by the sale of INC ransomware’s source code on criminal underground markets in March 2024, prompting malware authors to rework the locker and spawn new variants.

According to Unit 42, the Lynx ransomware shares a significant portion of its source code with INC ransomware. “Incident responders first detected INC ransomware in August 2023, noting that its variants were capable of targeting both Windows and Linux systems,” the researchers said.

It also follows an advisory from the U.S. Department of Health and Human Services’ (HHS) Health Sector Cybersecurity Coordination Center (HC3) that at least one healthcare entity in the country has fallen victim to Trinity, a relatively new ransomware player first identified in May 2024 and believed to be a rebrand of 2023Lock and Venus ransomware.

“This type of malware exploits various entry points, including phishing emails, compromised websites, and unpatched software vulnerabilities, to infiltrate systems,” HC3 said. Once inside, Trinity ransomware uses a double-extortion tactic against its victims.

Cyber attacks have also been observed delivering a MedusaLocker ransomware variant, dubbed BabyLockerKZ, by a threat actor active since October 2022, with a primary focus on E.U. countries and South America.

According to Talos researchers, the attacker uses several publicly known attack tools and living-off-the-land binaries (LoLBins), together with a set of custom tools likely built by the same developer, to assist in credential theft and lateral movement within compromised networks.

“These tools are mostly wrappers around existing public tools, adding functionality to streamline workflows and providing graphical or command-line interfaces,” the researchers said.
