Blackpoint’s Adversary Pursuit Group (APG) is currently tracking recently published vulnerabilities impacting Veeam Backup & Replication (VBR), exploitation of which may disrupt backup file restoration and integrity post-ransomware attack.

While there is no known exploitation at the time of this writing – including within Blackpoint Active SOC-monitored environments – the APG’s threat actor tracking has identified several major threat groups with histories of exploiting VBR vulnerabilities, including Akira, Cuba, and FIN7.

What We Know So Far About the Veeam VBR CVEs

Per Veeam’s latest security bulletin (1), the following selected vulnerabilities affect Veeam VBR version 12.1.2.172 and all earlier versions.

CVE-2024-40711 (CVSS Score 9.8)
  • What it is: A remote code execution (RCE) vulnerability
  • How it’s exploited: Without authentication, threat actors can deploy and run malware through an affected VBR system — potentially destroying backup records, planting malicious scripts in them, or otherwise establishing persistence for further malicious activity.

CVE-2024-40713 (CVSS Score 8.8)
  • What it is: A privilege escalation vulnerability
  • How it’s exploited: Threat actors who have compromised a lower-privileged user account can bypass or modify multi-factor authentication (MFA) settings, rendering file backups inaccessible after a ransomware attack.

CVE-2024-40710 (CVSS Score 8.8)
  • What it is: A chained series of vulnerabilities resulting in RCE
  • How it’s exploited: Threat actors with low-privileged access to service accounts can ultimately exfiltrate saved credentials and passwords.

CVE-2024-39718 (CVSS Score 8.8)
  • What it is: An insecure communication vulnerability in TLS certificate handling
  • How it’s exploited: Threat actors on the same network as a vulnerable VBR system can intercept credentials in transit during restore attempts, such as after a ransomware deployment.

Potential Risk to Your Organization from the Veeam VBR CVEs

It is the APG’s assessment that any organization currently running out-of-date Veeam VBR instances is at active risk of file backup compromise by ransomware threat groups.

While active exploitation of these vulnerabilities is unconfirmed at the time of this writing on September 06, 2024, the APG has tracked several criminal groups with histories of exploiting VBR vulnerabilities during ransomware and other cyber attacks, including the Akira, Cuba, and FIN7 groups noted above.

Additionally, Group-IB reported in early April 2024 (updated July 2024) that another ransomware operation dubbed “Estate Ransomware” exploited a separate vulnerability in VBR (5), adding urgency to patching the vulnerabilities in this particular bulletin.

How to Mitigate Potential Veeam VBR Risk

Veeam has remediated these and other vulnerabilities in its latest version of VBR (6), which you may download directly from their website. Please update as soon as possible.

If you are unable to patch at this time, please:

  • Double-check your current environments for forgotten or unpatched Veeam VBR instances, and for user accounts and/or access permissions that are no longer needed; and
  • Monitor any remaining service accounts and lower-privileged user accounts for suspicious activity – including unusual MFA setting changes and data exfiltration.

Blackpoint’s Active SOC team further recommends that, wherever feasible, your organization should:

  • Ensure that Veeam runs under a single dedicated service account with the minimum necessary permissions; and
  • Discontinue any unnecessary low-privileged Veeam backup user accounts, consolidating onto that single dedicated Veeam account.
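The affected range stated above (12.1.2.172 and all earlier builds) and the review steps in the two lists above lend themselves to a small triage script. The example below is added here and is not Veeam’s or Blackpoint’s code; it works over a constructed inventory (hostnames, account names, job ages and the "12.2.0.100" / "12.0.0.500" build numbers are all made up), which in practice you would replace with versions and role assignments exported from your own Veeam consoles. It flags unpatched builds, instances that look forgotten, and role-holding accounts other than the one dedicated service account.

```python
"""Triage a Veeam VBR inventory against the bulletin's affected range and the
account-hygiene recommendations (added example; sample data is constructed)."""
from __future__ import annotations

from dataclasses import dataclass, field

# From the bulletin: this build and every earlier build are affected.
AFFECTED_MAX = "12.1.2.172"


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '12.1.2.172' into (12, 1, 2, 172). Tuples compare numerically,
    so 12.1.10.x sorts after 12.1.2.x; a plain string comparison would
    wrongly rank '12.1.10' below '12.1.2' because '1' < '2'."""
    return tuple(int(part) for part in version.strip().split("."))


def is_affected(version: str) -> bool:
    """True when the installed build is at or below the last affected build."""
    return parse_version(version) <= parse_version(AFFECTED_MAX)


@dataclass
class VbrHost:
    name: str
    version: str
    role_accounts: list[str] = field(default_factory=list)  # accounts holding any VBR role
    days_since_last_job: int = 0  # a large value hints at a forgotten instance


def triage(hosts: list[VbrHost], dedicated_account: str, stale_after_days: int = 30):
    """Return (host, finding, detail) tuples for each condition the
    mitigation lists ask you to review."""
    findings = []
    wanted = dedicated_account.lower()
    for host in hosts:
        if is_affected(host.version):
            findings.append((host.name, "UNPATCHED",
                             f"build {host.version} is at or below {AFFECTED_MAX}"))
        if host.days_since_last_job > stale_after_days:
            findings.append((host.name, "POSSIBLY_FORGOTTEN",
                             f"no job run in {host.days_since_last_job} days"))
        # Any role holder other than the dedicated account is a candidate for removal.
        extra = sorted(a for a in host.role_accounts if a.lower() != wanted)
        if extra:
            findings.append((host.name, "EXTRA_ROLE_ACCOUNTS", ", ".join(extra)))
        if not any(a.lower() == wanted for a in host.role_accounts):
            findings.append((host.name, "NO_DEDICATED_ACCOUNT",
                             f"{dedicated_account} holds no role on this host"))
    return findings


# Constructed sample inventory: hostnames, accounts, job ages and the
# build numbers 12.2.0.100 / 12.0.0.500 are made up for illustration.
SAMPLE_HOSTS = [
    VbrHost("vbr-prod-01", "12.2.0.100", ["CORP\\svc-veeam"], 1),
    VbrHost("vbr-prod-02", "12.1.2.172", ["CORP\\svc-veeam", "CORP\\jdoe"], 2),
    VbrHost("vbr-lab-legacy", "12.0.0.500", ["CORP\\backupadmin"], 210),
]

if __name__ == "__main__":
    for host, finding, detail in triage(SAMPLE_HOSTS, "CORP\\svc-veeam"):
        print(f"{host:16} {finding:20} {detail}")
```

Treat every UNPATCHED finding as a patch-now item; the POSSIBLY_FORGOTTEN and account findings are the inputs to the clean-up and consolidation steps above, and the same account list is what you would watch for unexpected MFA setting changes.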

Current SOC Status for Veeam VBR Exploitation

Blackpoint’s Active SOC has NOT seen any indicators of compromise (IoCs) in our partners’ environments showing threat actor exploitation of Veeam VBR via these newly released CVEs.

The Active SOC team will continue to actively monitor for any associated IoCs. Should that change, the APG team will update this notice as a courtesy to you for your environments.