The CVE-2023-27532 (CVSS score: 7.5) vulnerability in Veeam Backup & Replication, although patched in March 2023, is still being actively exploited by a new ransomware group: EstateRansomware. This new threat was identified in April 2024. A recent analysis by Group-IB cybersecurity researchers, shows that this group uses dormant VPN accounts and advanced exploitation techniques to penetrate unsecured networks. This flaw has already been patched by Veeam for versions 12/11a and later of the software, so it’s urgent to update for those who haven’t already done so, so you don’t risk ending up with encrypted Veeam backups exposed to ransomware.
Table des matières
ToggleInitial access and network compromise
The EstateRansomware attack began in April 2024, when cybercriminals exploited a dormant VPN account named ‘Acc1’. The attackers initially accessed the network via this dormant account through the SSL VPN service of the FortiGate firewall. After brute-force attempts on the VPN, a successful login was traced to a remote IP address, enabling the attackers to connect to the failover server via RDP (Remote Desktop Protocol). A successful connection is logged from IP address 149.28.106[.]252.
Backdoor installation
The attackers installed a backdoor named “svchost.exe” on the failover server to maintain persistent access. Configured to run daily via a scheduled task, this backdoor connected to a command and control server via an unusual port, port 30001. This technique enabled the attackers to minimize the chances of detection by existing security systems, and to remain connected to the victim’s network even after interrupting their initial VPN connection
“Further analysis of ‘svchost.exe’ confirmed that 77.238.245[.]11:30001 functions as a command and control (C2) address. This backdoor establishes a reverse tunnel using the HTTP protocol to connect to the C2 server, enabling the threat’s author to remotely execute commands on the failover server.” detail Group-IB researchers.
Attack sequence :
- Exploitation of flaw CVE-2023-27532: this critical vulnerability in Veeam Backup & Replication was the first target.
- VPNbrute force attempt via the dormant “Acc1” account.
- Successful VPN connection using “Acc1” between firewall and failover server via RDP without the need for additional credentials.
- Deployment of a persistent backdoor named “svchost.exe” and implementation of a scheduled task to ensure its daily execution.
- The EstateRansomware payload is deployed, encrypting data prior to the ransom demand.
This initial intrusion marks the beginning of their attack, enabling access to critical systems. This incident highlights the need to effectively manage dormant accounts – an inactive account should always be disabled – and to monitor network access to prevent intrusions.
Preparing for the attack: tools and techniques used
Activating the xp_cmdshell stored procedure on the backup server enabled the creation of a malicious user account named “VeeamBkp”. To prepare their attack and exploit the vulnerability of flaw CVE-2023-27532, EstateRansomware cybercriminals deployed a series of tools through this newly created account to analyze and map the target network. These included SoftPerfect Netscan, which was used to identify active systems and their connections, as well as various password recovery tools from Nirsoft.
These tools were then used “to scan the network and collect information such as live hosts, open ports, file shares and credentials. Additional collection of credentials was performed on the backup server via the newly created ‘VeeamBkp’ account. With the collected information, the threat actor performed a lateral pivot to the Active Directory (AD) server via RDP to continue the network analysis.”say Group-IB researchers
AdFind was used to collect identification information and user details. This meticulous reconnaissance phase was crucial to understanding the structure and weak points of the network, thus facilitating access to critical systems. These preparations show just how well organized and determined the attackers were to carry out their attack.
“From the AD server, AdFind, a command-line query tool that can be used to gather information from Active Directory, was downloaded from “hxxp://www[.]joeware[.]net/freetools/tools/adfind/” and used by the threat author to enumerate domain users. ”
Group-IB.
The attack in action: deployment phases
The EstateRansomware attack intensified once initial access had been secured. The attackers performed a lateral move from the AD server to all other servers and workstations using compromised domain accounts. After gathering sufficient information, the attackers disabled Windows Defender using DC.exe and deployed the EstateRansomware ransomware (LB3.exe) on the compromised hosts. The ransomware encrypted data and left a ransom note, while deleting Windows event logs to hamper incident response efforts. This sequence of actions demonstrates the precision and efficiency of cybercriminals in achieving their goal.
Deployment and progress of the attack :
- Injection of ransomware on critical systems.
- Automatic propagation of the malware across the network.
- Deletion of backups to prevent recovery
Finally, a few recommendations: it is essential to regularly monitor and audit accounts, deleting or disabling any dormant accounts to prevent unauthorized access. Implementing multi-factor authentication (MFA) for VPNs and other remote access services is also essential. Adopt a patch management policy to ensure that your firmware and software are up to date with the latest security patches, protecting you against known vulnerabilities. As we saw back in June, Veeam is very reactive in patching critical CVE vulnerabilities. Segmenting critical systems and applying strict firewall rules also helps to limit lateral movement within the network. Also consider disabling unnecessary RDP access and limiting it to specific, reliable IP addresses. Implement application control on hosts to prevent the execution of unauthorized programs, and ensure that only approved security applications are used. Implement an Endpoint Detection and Response (EDR) solution to detect and respond to suspicious activity more quickly.
If, despite all these precautions, you still fall victim to a ransomware attack, don’t hesitate to call on the services of SOS Ransomware. Our experts can help you recover your encrypted data, ensuring business continuity… Protect your business by calling on our specialized data recovery services after a ransomware attack.
For more details, please consult the original study: