Security flaw CVE-2024-40711 exploited by Akira and Fog ransomware: a threat to Veeam Backup & Replication servers

The critical vulnerability CVE-2024-40711 in Veeam Backup & Replication servers is being actively exploited by the Akira and Fog ransomware. Despite the release of patches by Veeam, many companies remain vulnerable, leaving the door open to security incidents.

A critical vulnerability exploited by cybercriminals

A major security vulnerability, identified as CVE-2024-40711, endangers Veeam Backup & Replication (VBR) servers, used by many companies for data backup and recovery. Discovered by Code White security researcher Florian Hauser, the vulnerability enables remote code execution (RCE) on vulnerable servers. The flaw results from deserialization of untrusted data, which can be exploited by unauthenticated malicious actors in low-complexity attacks.

Screenshot of Code White's alert on the Veeam CVE-2024-40711 flaw
Screenshot CODE WHITE GmbH on X – Source @codewhitesec

In a deserialization attack, an attacker sends unverified data to an application that reconstructs it into internal objects without validating it first. When those objects are used, they can trigger the execution of attacker-chosen commands. This is the mechanism at play here, in Veeam.Backup.MountService.exe.

Veeam officially disclosed this vulnerability and released security patches on September 4, 2024. However, the threat is real, as many companies using this solution have yet to apply these patches, leaving their systems exposed. The CVE-2024-40711 vulnerability is rated critical (CVSS v3.1 score: 9.8), reflecting how easily it can be exploited by unauthenticated attackers. Cybercriminals were quick to take advantage of this situation, exploiting the flaw to carry out attacks with the Akira and Fog ransomware.

Akira and Fog: two ransomware families taking advantage of the CVE-2024-40711 flaw

The Akira and Fog ransomware gangs were among the first to actively exploit this vulnerability. According to Sophos X-Ops investigators, these attacks have multiplied in recent weeks, with attackers using compromised credentials to create a local account called “point”, then adding this account to the Local Administrators and Remote Desktop Users groups.

Sophos stated in a post on infosec.exchange:

“Each time, the attackers exploited VEEAM on the /trigger URI on port 8000, triggering the Veeam.Backup.MountService.exe to produce net.exe. The exploit creates a local account, “point”, and adds it to the Local Administrators and Remote Desktop Users groups. In the Fog ransomware incident, the attacker deployed it on an unprotected Hyper-V server, then used the rclone utility to exfiltrate the data.”

Exploitation of this vulnerability therefore goes mainly through the interface exposed on port 8000, which lets attackers compromise the backup service and run tools such as net.exe. net.exe is a legitimate Windows utility for managing users and network services, but here it is abused to create administrator accounts.

In some cases, the attackers deployed the Fog ransomware, while in others they attempted to install Akira. The indicators observed in these four incidents show similarities with previous attacks carried out by these two ransomware groups. A common technique observed in these attacks is the exploitation of compromised VPN gateways, often without multi-factor authentication (MFA) enabled. What’s more, some of these VPN gateways were running outdated software versions, further increasing the exposure of the targets.

In one specific incident involving Fog, attackers targeted an unprotected Hyper-V server. After infiltrating the system, they used the rclone tool to exfiltrate the data before triggering the ransomware. Although Sophos endpoint protection and incident response services prevented the ransomware from being installed in some cases, these incidents underline the importance of applying security patches promptly.

Detailed operation of the exploit

According to WatchTowr Labs’ detailed technical analysis, the exploitation of this flaw relies on insecure deserialization of data by the Veeam.Backup.MountService.exe service, reachable on port 8000. This vulnerable service allows attackers to execute remote commands without prior authentication. By exploiting this flaw, cybercriminals can easily infiltrate systems and create malicious administrator accounts.

The Veeam.Backup.MountService.exe process is central to this exploitation. Once attackers gain control of it, they can invoke tools such as net.exe to manage user accounts remotely. This tool is abused to add a malicious account to the administrator groups, giving full access to the machine.
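The process chain described above (Veeam.Backup.MountService.exe spawning net.exe, a local account being created and added to the Local Administrators and Remote Desktop Users groups) is a concrete detection opportunity. The following Python is an added example, not code from the article or from Sophos or WatchTowr: it runs that logic over a few constructed, simplified process-creation events and correlates account creation with privileged-group membership; the field names and the sample command lines are assumptions for the demonstration.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style, trimmed to three fields);
# these are NOT real telemetry from the incidents described in the article.
VEEAM_DIR, SYS32 = r"C:\Program Files\Veeam\Backup and Replication\Backup", r"C:\Windows\System32"
SAMPLE_EVENTS = [
    {"ParentImage": VEEAM_DIR + r"\Veeam.Backup.MountService.exe", "Image": SYS32 + r"\net.exe",
     "CommandLine": "net user point <constructed-password> /add"},
    {"ParentImage": VEEAM_DIR + r"\Veeam.Backup.MountService.exe", "Image": SYS32 + r"\net.exe",
     "CommandLine": "net localgroup Administrators point /add"},
    {"ParentImage": VEEAM_DIR + r"\Veeam.Backup.MountService.exe", "Image": SYS32 + r"\net.exe",
     "CommandLine": 'net localgroup "Remote Desktop Users" point /add'},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": SYS32 + r"\net.exe",
     "CommandLine": r"net use Z: \\fileserver\share"},  # benign admin activity, must not alert
]

MOUNT_SERVICE = "veeam.backup.mountservice.exe"
SHELL_CHILDREN = {"net.exe", "net1.exe", "cmd.exe", "powershell.exe"}
PRIVILEGED_GROUPS = {"administrators", "remote desktop users"}

def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def classify(event):
    """Return finding tags for one event: suspicious parent/child pair, user creation, group add."""
    findings = []
    parent, child = _basename(event.get("ParentImage", "")), _basename(event.get("Image", ""))
    if parent == MOUNT_SERVICE and child in SHELL_CHILDREN:
        findings.append("mount-service-spawn:" + child)
    if child in ("net.exe", "net1.exe"):
        # Split on whitespace but keep quoted group names such as "Remote Desktop Users" together.
        tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', event.get("CommandLine", ""))]
        low = [t.lower() for t in tokens]
        if len(low) >= 4 and low[1] == "user" and "/add" in low:
            findings.append("local-user-created:" + tokens[2])
        if len(low) >= 4 and low[1] == "localgroup" and "/add" in low and low[2] in PRIVILEGED_GROUPS:
            findings.append("privileged-group-add:%s:%s" % (tokens[2], tokens[3]))
    return findings

def correlate(events):
    """Map each account that was both created and added to a privileged group to those groups."""
    created, elevated = set(), {}
    for e in events:
        for f in classify(e):
            kind, _, rest = f.partition(":")
            if kind == "local-user-created":
                created.add(rest.lower())
            elif kind == "privileged-group-add":
                group, _, account = rest.partition(":")
                elevated.setdefault(account.lower(), set()).add(group.lower())
    return {a: sorted(g) for a, g in elevated.items() if a in created}
```

Feeding real Sysmon or EDR process-creation events into `classify` and `correlate` would surface the same chain; the mount service legitimately spawning a command shell is rare enough that the first tag alone deserves triage.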

The importance of security patches and preventive measures

The rapid exploitation of the CVE-2024-40711 flaw by cybercriminals demonstrates the urgent need for companies to apply the security patches published by Veeam. Despite the release of these patches, many organizations have yet to secure their systems, exposing their sensitive data to increased risk. The time between the disclosure of the vulnerability and the appearance of the first exploits was short, with only a few days’ respite before the attacks multiplied.

In addition to applying patches, it is essential to secure VPN access, particularly obsolete or insecure VPNs, which are often exploited in this type of attack. Enabling multi-factor authentication (MFA) for remote access is another important measure to prevent unauthorized access.

Veeam Backup & Replication vulnerability history

This is not the first time that Veeam Backup & Replication software has been the target of ransomware attacks. In March 2023, another critical vulnerability, listed as CVE-2023-27532, was exploited by cybercriminals. This vulnerability made it possible to infiltrate backup infrastructure hosts. Cybersecurity firm WithSecure had observed attacks using this vulnerability, notably involving the FIN7 group, known for its links with ransomware operations such as Conti, REvil, Maze, Egregor, and BlackBasta.

A few months later, the same flaw was exploited in Cuba ransomware attacks targeting US critical infrastructure as well as IT companies in Latin America. These incidents demonstrate that cybercriminals pay particular attention to backup solutions, which are prime targets because of the sensitive data they contain.

Most recently, in May 2024, Veeam warned its users that a patch was available for a critical authentication bypass flaw, CVE-2024-29849, which allows an attacker to bypass authentication and take control of the system.

Conclusion: protect infrastructures in the face of a growing threat

The recent attacks exploiting the CVE-2024-40711 vulnerability are a reminder of the importance of reactivity when it comes to IT security. Companies using Veeam Backup & Replication solutions must ensure that they keep their systems up to date, apply security patches as soon as they become available, and reinforce protective measures such as multi-factor authentication for remote access.

Voluntary delay in PoC publication: WatchTowr Labs has voluntarily delayed publication of the proof of concept (PoC) until September 15, 2024, to give companies time to patch their infrastructures before a wave of massive attacks is unleashed.

Without these precautions, organizations expose themselves not only to ransomware attacks, but also to potentially catastrophic data breaches. The speed with which groups such as Akira and Fog have exploited this vulnerability demonstrates once again that cybersecurity must be a top priority for companies using critical backup infrastructures.

Sources and analysis:

Akira and Fog ransomware now exploit critical Veeam RCE flaw (BleepingComputer)

Veeam Backup & Response – RCE With Auth, But Mostly Without Auth (CVE-2024-40711) (WatchTowr Labs)
