Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label FIN7. Show all posts

Targeted: Hackers Exploit Vulnerable Veeam Backup Servers with FIN7 Tactics

Hackers Exploit Vulnerable Veeam Backup Servers with FIN7 Tactics

Cyberattacks on vulnerable Veeam backup servers exposed online

Veeam Backup and Replication software is a popular choice for many organizations to protect their critical data. However, recent reports have revealed that hackers are targeting vulnerable Veeam backup servers that are exposed online, leaving organizations at risk of data theft and other cyberattacks. 

There is evidence that at least one group of threat actors, who have been associated with several high-profile ransomware gangs, are targeting Veeam backup servers. 

Starting from March 28th, there have been reported incidents of malicious activity and tools similar to FIN7 attacks being used to exploit a high-severity vulnerability in the Veeam Backup and Replication (VBR) software. 

This vulnerability, tracked as CVE-2023-27532, exposes encrypted credentials stored in the VBR configuration to unauthenticated users, potentially allowing unauthorized access to the backup infrastructure hosts.

The software vendor addressed the vulnerability on March 7 and offered instructions for implementing workarounds. However, on March 23, a pentesting company named Horizon3 released an exploit for CVE-2023-27532, which showed how the credentials could be extracted in plain text using an unsecured API endpoint. 

The exploit also allowed attackers to run code remotely with the highest privileges. Despite the fix, Huntress Labs reported that roughly 7,500 internet-exposed VBR hosts were still susceptible to the vulnerability.

Evidence of FIN7 tactics used in recent attacks

A recent report by cybersecurity and privacy company WithSecure reveals that attacks in late March targeted servers running Veeam Backup and Replication software that was publicly accessible. The techniques used in these attacks were similar to those previously associated with FIN7. 

The researchers deduced that the attacker exploited the CVE-2023-27532 vulnerability, given the timing of the campaign, the presence of open TCP port 9401 on compromised servers, and the vulnerable version of VBR running on the affected hosts. 

During a threat hunt exercise using telemetry data from WithSecure's Endpoint Detection and Response (EDR), the researchers discovered Veeam servers generating suspicious alerts such as sqlservr.exe spawning cmd.exe and downloading PowerShell scripts.

The reason behind the vulnerability is that some organizations use insecure configurations when setting up their Veeam backup servers, making them accessible over the Internet. Hackers can then exploit these weaknesses to gain access to sensitive data and files.

One of the most common attack methods is through brute-force attacks. In this method, hackers use automated tools to try different username and password combinations until they gain access to the Veeam backup server. They can also use other methods like social engineering or spear-phishing to get hold of credentials or trick users into installing malware on their systems.

Once the hackers have gained access, they can steal the backup files, modify or delete them, or use them to launch further attacks on the organization's systems. The impact of such attacks can be severe, causing loss of critical data, disruption to business operations, and significant financial losses.

Mitigating the risk of cyberattacks on Veeam backup servers

To prevent such attacks, organizations need to ensure that their Veeam backup servers are properly secured. This includes configuring the server to only allow access from trusted networks, implementing strong password policies, and keeping the software up-to-date with the latest security patches.

Additionally, organizations should consider implementing multi-factor authentication (MFA) to provide an extra layer of security. MFA requires users to provide more than one form of identification, such as a password and a one-time code sent to their mobile device, making it more difficult for hackers to gain access even if they have obtained login credentials.

Regular security audits and vulnerability assessments can also help identify potential weaknesses and enable organizations to take proactive measures to mitigate them before hackers can exploit them.

Veeam backup servers are a critical component of an organization's data protection strategy, and securing them should be a top priority. Organizations must take necessary steps to ensure that their Veeam backup servers are properly secured and not exposed to the internet. 

By taking these necessary steps, organizations can significantly reduce the risk of a security breach and protect their critical data from falling into the wrong hands. It is always better to be proactive and take preventive measures rather than deal with the aftermath of a cyberattack.