Ransomware Groups Target Veeam Backup Flaw CVE-2024-40711

12 Oct 2024 securityaffairs.com

Recent reports reveal ransomware operators are exploiting a critical vulnerability in Veeam Backup & Replication, leading to serious security breaches. Sophos highlights the ongoing attacks and the urgent need for cybersecurity measures.

Key Takeaways

1. In early September 2024, Veeam issued crucial security updates addressing multiple vulnerabilities in its products, including 18 that were marked as high to critical severity.
2. “These cases underline the importance of patching known vulnerabilities, updating/replacing out-of-support VPNs, and using multifactor authentication to control remote access,” the report concluded, underscoring the critical preventive measures organizations must adopt.
3. Ransomware actors have been taking advantage of a perilous flaw in Veeam Backup & Replication software, identified as CVE-2024-40711, according to a recent report from cybersecurity firm Sophos.

Ransomware actors have been taking advantage of a perilous flaw in Veeam Backup & Replication software, identified as CVE-2024-40711, according to a recent report from cybersecurity firm Sophos. This vulnerability has allowed malicious users to create unauthorized accounts and launch malware attacks.

In early September 2024, Veeam issued crucial security updates addressing multiple vulnerabilities in its products, including 18 that were marked as high to critical severity. The most alarming of these was the remote code execution (RCE) flaw, CVE-2024-40711, which received a CVSS v3.1 score of 9.8, reflecting the severity of its potential impact.

The advisory from Veeam described this as “a vulnerability allowing unauthenticated remote code execution (RCE).” Florian Hauser, a cybersecurity researcher at CODE WHITE GmbH, reported the issue, which affects all versions prior to Veeam Backup & Replication 12.1.2.172.


In their research, Sophos X-Ops noted that the attackers have utilized compromised credentials alongside the Veeam vulnerability to deploy various ransomware strains, including Fog and Akira. “Sophos X-Ops MDR and Incident Response are tracking a series of attacks in the past month leveraging compromised credentials and a known vulnerability in Veeam (CVE-2024-40711) to create an account and attempt to deploy ransomware,” said a representative from Sophos, emphasizing the pattern of breaches.

The firm discovered that the attackers accessed systems through VPN gateways lacking multifactor authentication. Many of these gateways were also running outdated software, further exacerbating the vulnerabilities. “In one case, attackers dropped Fog ransomware. Another attack in the same timeframe attempted to deploy Akira ransomware. Indicators in all four cases overlap with earlier Akira and Fog ransomware attacks,” the statement continued.

Using the Veeam URI `/trigger` on port 8000, cybercriminals executed `net.exe` to create a local account named “point,” which was subsequently added to the local Administrators and Remote Desktop Users groups. In one documented instance, Fog ransomware was unleashed on an unprotected Hyper-V server, with rclone being used for data exfiltration.
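As an added defensive example (not code from the original article or from Sophos), the following Python correlates the sequence described above across a constructed set of log events: a request to `/trigger` on port 8000 on a host, followed within a short window by `net.exe` creating a local account and adding it to the Administrators or Remote Desktop Users group. The key=value log format, hostnames, timestamps, source address and passwords are assumptions made for the sample.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events (not taken from the article). One key=value event per line;
# single-quoted values may contain spaces. The last line is benign: no prior /trigger on that host.
SAMPLE_EVENTS = [
    "ts=2024-09-28T10:14:02Z host=VBR01 type=http dst_port=8000 uri=/trigger src=203.0.113.5",
    "ts=2024-09-28T10:14:09Z host=VBR01 type=proc image=net.exe cmd='net user point Passw0rd! /add'",
    "ts=2024-09-28T10:14:11Z host=VBR01 type=proc image=net.exe cmd='net localgroup Administrators point /add'",
    "ts=2024-09-28T10:14:12Z host=VBR01 type=proc image=net.exe cmd='net localgroup \"Remote Desktop Users\" point /add'",
    "ts=2024-09-28T11:02:40Z host=FS02 type=proc image=net.exe cmd='net user svc_backup Passw0rd! /add'",
]

WINDOW = timedelta(minutes=15)                      # max gap between /trigger request and account creation
WATCHED_GROUPS = {"administrators", "remote desktop users"}

def parse_event(line):
    """Parse one key=value line into a dict; 'ts' becomes a datetime."""
    ev = {}
    for m in re.finditer(r"(\w+)=(?:'([^']*)'|(\S+))", line):
        ev[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev

def detect(lines):
    """Return alerts for accounts created by net.exe shortly after a /trigger request
    on port 8000 on the same host and then added to a watched local group."""
    triggers = {}   # host -> time of the most recent /trigger request
    created = {}    # (host, account) -> set of watched groups the account was added to
    for ev in (parse_event(l) for l in lines):
        host = ev["host"]
        if ev["type"] == "http" and ev.get("dst_port") == "8000" and ev.get("uri") == "/trigger":
            triggers[host] = ev["ts"]
            continue
        if ev["type"] != "proc" or ev.get("image", "").lower() != "net.exe":
            continue
        cmd = ev.get("cmd", "")
        m = re.match(r"net\s+user\s+(\S+)\s+.*/add\b", cmd, re.I)
        if m:   # account creation: only interesting if it follows a /trigger request on this host
            t = triggers.get(host)
            if t is not None and timedelta(0) <= ev["ts"] - t <= WINDOW:
                created[(host, m.group(1).lower())] = set()
            continue
        m = re.match(r'net\s+localgroup\s+("[^"]+"|\S+)\s+(\S+)\s+/add\b', cmd, re.I)
        if m:   # group addition for an account we already flagged
            group, key = m.group(1).strip('"'), (host, m.group(2).lower())
            if key in created and group.lower() in WATCHED_GROUPS:
                created[key].add(group)
    return [{"host": h, "account": a, "groups": sorted(g)} for (h, a), g in created.items() if g]
```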

“These cases underline the importance of patching known vulnerabilities, updating/replacing out-of-support VPNs, and using multifactor authentication to control remote access,” the report concluded, underscoring the critical preventive measures organizations must adopt.


As ransomware attacks become increasingly sophisticated, the necessity for robust cybersecurity protocols cannot be overstated. Continuous monitoring and timely patching of vulnerabilities like CVE-2024-40711 are essential to protect sensitive information and maintain operational integrity in organizations using Veeam products.
