The CVE-2024-40711 vulnerability discovered in Veeam Backup & Replication continues to wreak havoc on unpatched systems. While this flaw had already enabled the Akira and Fog ransomware operations to launch devastating attacks, it is now being exploited by a newcomer, the Frag ransomware. By specifically targeting Veeam backup servers, these malicious actors demonstrate, once again if proof were needed, the importance of rapidly applying security updates. Companies need to understand the urgency of securing their infrastructures to prevent these vulnerabilities from being exploited again and again.
Veeam security vulnerabilities and their impact
Vulnerabilities in backup systems have become prime targets for cybercriminals. Veeam Backup & Replication (VBR), one of the world’s most widely used tools for data backup and recovery, is now at the center of security concerns with the exploitation of its critical flaw CVE-2024-40711. This weakness, discovered by Code White researcher Florian Hauser, exploits untrusted data deserialization, enabling attackers to execute malicious code remotely.
The CVE-2024-40711 flaw and its implications for businesses
CVE-2024-40711 poses a serious threat, particularly for companies that have not yet applied the security updates released by Veeam on September 4. The flaw allows malicious actors to access VBR servers without authentication, giving them the ability to manipulate administrator accounts and execute commands remotely on vulnerable machines. Efforts by Veeam and security researchers to delay the release of technical details and POCs (proof of concept) were intended to give administrators time to secure their infrastructures, but ransomware groups quickly found ways to exploit the breach. The impact on companies is potentially disastrous, ranging from data exfiltration to total paralysis of their backup systems. Due to its exploitation in the Akira and Fog ransomware attacks, this vulnerability exposes companies that have not updated to increased risks of data loss and business disruption.
Exploitation methods by the Akira and Fog groups
The attacks carried out by the Akira and Fog groups illustrate the ingenuity of cybercriminals in exploiting security vulnerabilities. These groups combined Veeam’s RCE vulnerability with stolen VPN credentials to infiltrate servers and create malicious administrative accounts. Adding these accounts to the remote desktop user group allows them to control servers exposed on the Internet, making backup systems vulnerable to unauthorized access and ransomware attacks. Sophos X-Ops, an organization specializing in security incident response, has revealed that this method of attack enables an almost complete takeover of unsecured VBR servers.
We recently reported on the exploitation of this critical flaw by the Akira and Fog ransomware groups in an article detailing the threat posed by CVE-2024-40711 to Veeam Backup & Replication servers. By highlighting the impact of these vulnerabilities, that article already underlined the importance of patching quickly to avoid massive intrusions. Today, the arrival of the Frag ransomware confirms the urgency of a proactive security strategy for Veeam infrastructures.

Frag ransomware: a newcomer to the cyberattack scene
The CVE-2024-40711 vulnerability has been exploited as part of a set of malicious activities, dubbed STAC 5881 by Sophos. Recently Sophos X-Ops analysts once again observed tactics associated with STAC 5881, but this time they observed the deployment of a new “Frag” ransomware. Frag uses methods similar to those of Akira and Fog. Researchers have observed that, after using compromised VPN credentials to access systems and exploiting the Veeam flaw, the Frag operators create administrator accounts. These new accounts, named “point” and “point2”, are then used to control the compromised networks. According to Sean Gallagher, Frag is run directly from the command line, with several configurable parameters and an encryption percentage as a mandatory parameter. This ransomware allows attackers to choose which files and directories to encrypt, adding the .frag extension to the files it encrypts. In a recent case, the ransomware was blocked by Sophos Endpoint Protection’s CryptoGuard function, and a specific detection was added for this malware.

A notable feature of Frag is its use of LOLBins (Living Off The Land binaries) to evade detection systems. These tools, such as WinRAR or WinSCP, are used to exfiltrate files without arousing suspicion, as they are already present on the target networks. According to Agger Labs, this method enables attackers to blend in with network activity, making detection even more difficult. This technique, already employed by Akira and Fog, testifies to the growing adaptability of ransomware operators, who exploit such trusted software to operate discreetly within attacked infrastructures.
Protecting your infrastructure: essential measures
Given the seriousness of this flaw and the proliferation of ransomware exploiting CVE-2024-40711, businesses need to prioritize updates and patches to their Veeam Backup & Replication (VBR) servers. Increased vigilance is required to detect suspicious activity linked to administrative accounts, and it is essential to harden security configurations, including isolating backups to reduce risks in the event of compromise. Strengthening VPN access and enforcing multi-factor authentication are also key measures for limiting unauthorized access, particularly for systems exposed to the Internet.
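The intrusion pattern described above (a freshly created local account that is immediately added to the Administrators or Remote Desktop Users group on a backup server) is detectable from standard Windows Security events. The following script is an added example and not code from the article, Sophos or Veeam. It correlates event 4720 (user account created) with event 4732 (member added to a security-enabled local group) using the well-known local group SIDs S-1-5-32-544 and S-1-5-32-555, and additionally flags the account names the article reports (“point”, “point2”). The input is a constructed, simplified JSON-lines representation of those events; the field names are assumptions, and in practice they would be mapped from the EVTX/XML fields exported by your collector.

```python
import json
from datetime import datetime

# Windows Security event IDs (standard values)
ACCOUNT_CREATED = 4720           # "A user account was created"
LOCAL_GROUP_MEMBER_ADDED = 4732  # "A member was added to a security-enabled local group"

# Well-known local group SIDs that grant the access described in the article
WATCHED_GROUPS = {
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-555": "Remote Desktop Users",
}

# Account names reported for Frag intrusions (from the article)
KNOWN_ACCOUNT_NAMES = {"point", "point2"}

# Constructed sample events (not real logs); field names are assumptions
SAMPLE_EVENTS = """\
{"time": "2024-11-05T02:14:07", "event_id": 4720, "host": "VBR01", "target_user": "point", "subject_user": "svc_backup"}
{"time": "2024-11-05T02:14:30", "event_id": 4732, "host": "VBR01", "member": "point", "group_sid": "S-1-5-32-544", "subject_user": "svc_backup"}
{"time": "2024-11-05T02:15:02", "event_id": 4732, "host": "VBR01", "member": "point", "group_sid": "S-1-5-32-555", "subject_user": "svc_backup"}
{"time": "2024-11-05T09:00:00", "event_id": 4720, "host": "FS02", "target_user": "jdoe", "subject_user": "helpdesk"}
{"time": "2024-11-06T09:00:00", "event_id": 4732, "host": "FS02", "member": "jdoe", "group_sid": "S-1-5-32-555", "subject_user": "helpdesk"}
"""


def parse_events(text):
    """Parse JSON-lines event records into dicts, sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["time"] = datetime.fromisoformat(rec["time"])
        events.append(rec)
    return sorted(events, key=lambda r: r["time"])


def find_suspicious_account_activity(text, window_seconds=30 * 60):
    """Alert on new local accounts quickly granted admin or RDP rights.

    Returns one alert per 4732 event that either follows a 4720 for the same
    account on the same host within `window_seconds`, or involves an account
    name reported in the Frag intrusions.
    """
    created = {}  # (host, account) -> creation time from event 4720
    alerts = []
    for ev in parse_events(text):
        if ev["event_id"] == ACCOUNT_CREATED:
            created[(ev["host"], ev["target_user"].lower())] = ev["time"]
            continue
        if ev["event_id"] != LOCAL_GROUP_MEMBER_ADDED:
            continue
        group = WATCHED_GROUPS.get(ev.get("group_sid"))
        if group is None:
            continue  # membership change in a group we do not care about
        account = ev["member"].lower()
        reasons = []
        created_at = created.get((ev["host"], account))
        if created_at is not None:
            delta = int((ev["time"] - created_at).total_seconds())
            if delta <= window_seconds:
                reasons.append(f"added to {group} {delta}s after the account was created")
        if account in KNOWN_ACCOUNT_NAMES:
            reasons.append("account name matches names reported in Frag intrusions")
        if reasons:
            alerts.append({
                "host": ev["host"],
                "account": account,
                "group": group,
                "time": ev["time"].isoformat(),
                "by": ev.get("subject_user"),
                "reasons": reasons,
            })
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_account_activity(SAMPLE_EVENTS):
        print(json.dumps(alert, indent=2))
```

On the sample data the “point” account on VBR01 raises two alerts (Administrators and Remote Desktop Users, both within a minute of creation), while the helpdesk change on FS02 a day after the account was created raises none. The correlation window is the tunable part: a short window catches scripted account creation of the kind described here, while routine onboarding usually spreads these steps over hours or days.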
By strengthening defenses and staying abreast of the latest threats, companies can effectively guard against ransomware attacks and minimize the risks associated with security breaches.