Posted on April 30, 2023 at 12:39 PM
Hackers exploit a high-severity flaw in Veeam Backup and Replication software
Hackers have been targeting Veeam backup servers. The attackers behind this campaign are known to have worked with several high-profile ransomware groups. Since March 28, researchers have detected malicious activity and tooling resembling that of FIN7 being used in this campaign.
Hackers exploit vulnerable Veeam backup servers
The attacks began less than one week after an exploit became available for a high-severity vulnerability in Veeam Backup and Replication (VBR). The flaw, tracked as CVE-2023-27532, exposes credentials stored in the VBR configuration database to unauthenticated users within the backup infrastructure, and it can also be used to gain access to the backup infrastructure hosts.
The company issued a patch for this flaw on March 7 and shared workaround instructions at the same time. On March 23, Horizon3 published an analysis of the vulnerability showing how an unsecured API endpoint could be used by an attacker to extract credentials. An attacker can also exploit the flaw to run code remotely with the highest privileges.
Huntress Labs has said that around 7,500 VBR hosts are exposed to the internet, and these hosts appear to be vulnerable. In a report, WithSecure said that in late March it detected servers running Veeam Backup and Replication software being targeted and accessed over the public web.
The tactics used by the threat actors resemble the malicious activity attributed to FIN7. At the time of the campaign, the compromised servers had TCP port 9401 open and were running a vulnerable version of VBR. According to the researchers, the attacker exploited the CVE-2023-27532 flaw to gain access and execute malicious code.
WithSecure detected this threat through telemetry from its Endpoint Detection and Response (EDR) product. The researchers said that some Veeam servers generated alerts.
Links to FIN7 malicious activity
An in-depth look at this intrusion shows that the attacker started by executing the PowerTrash PowerShell script previously linked to FIN7. The intrusion also involved the DiceLoader (Lizar) backdoor being executed on the infected machine.
DiceLoader, also known as the Lizar backdoor, is tracked as Tirion. The backdoor is associated with FIN7 activity. Recent incidents attributed to this group used a different backdoor, which researchers at Mandiant call PowerPlant.
Neeraj Singh, a senior researcher at WithSecure, said that DiceLoader and PowerTrash are not the only links to FIN7. The FIN7 toolkit also includes a PowerShell script that resolves IP addresses to hostnames, and a custom one is also used for reconnaissance during the lateral movement stage of the attack.
Singh also said they found technical overlaps with previous reports on FIN7 activity, in the command-line execution patterns and the file naming conventions.
After gaining initial access, the threat actors deployed their malware, ran several commands, and used custom scripts to gather system and network data, including the credentials obtained from the Veeam backup database.
Persistence for DiceLoader was achieved with a custom PowerShell script known as PowerHold. The WithSecure researchers also said that the attacker moved laterally with the stolen credentials, using WMI invocations and 'net share' commands.
According to the WithSecure report, the attacker's lateral movement was successful. They used the stolen credentials and relied on the SMB protocol to push PowerShell scripts into the administrative shares of the targeted hosts.
The goal of this attack is still unknown, as the activity was disrupted before the final payload could be delivered or executed. The researchers noted that, had the attack chain been completed, it might have ended in ransomware deployment, and any theft of data could also have serious implications.
WithSecure has urged organizations using Veeam Backup and Replication software to use the published information to look for any signs of compromise on their networks.
The exact method used to invoke the initial shell command is unknown, and there is no direct evidence of how the flaw was exploited. Companies are nonetheless advised to patch the flaw, as other attackers may try to leverage the exploit.
IBM researchers recently published a report on a partnership between FIN7 and former members of the Conti group. The hackers distributed a malware strain known as Domino, which provides access to the affected host and also supports the installation of a Cobalt Strike beacon for persistence.
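As an added example of the kind of hunt WithSecure is recommending (this is not code from the report or from Veeam), the script below correlates the lateral-movement chain described above, PowerShell script execution, 'net share' enumeration, file copies into SMB administrative shares and remote WMI invocation, across constructed process-creation events. The event field names and sample command lines are assumptions modelled on a typical EDR export; a host is flagged only when several distinct stages are seen, so routine admin use of one command does not fire.

```python
import json
import re
from collections import defaultdict

# Constructed process-creation events (not real telemetry), one JSON object per line.
# Field names are an assumption modelled on a typical EDR/Sysmon export.
SAMPLE_EVENTS = r"""
{"host": "bkp01", "user": "CORP\\svc_veeam", "image": "powershell.exe", "cmdline": "powershell.exe -ep bypass -File C:\\Windows\\Temp\\ph.ps1"}
{"host": "bkp01", "user": "CORP\\svc_veeam", "image": "net.exe", "cmdline": "net share"}
{"host": "bkp01", "user": "CORP\\svc_veeam", "image": "powershell.exe", "cmdline": "powershell.exe Copy-Item C:\\Windows\\Temp\\ph.ps1 \\\\fs02\\ADMIN$\\ph.ps1"}
{"host": "bkp01", "user": "CORP\\svc_veeam", "image": "powershell.exe", "cmdline": "powershell.exe Invoke-WmiMethod -ComputerName fs02 -Class Win32_Process -Name Create -ArgumentList 'powershell -File C:\\Windows\\ph.ps1'"}
{"host": "ws17", "user": "CORP\\alice", "image": "powershell.exe", "cmdline": "powershell.exe -File C:\\scripts\\inventory.ps1"}
{"host": "ws17", "user": "CORP\\alice", "image": "net.exe", "cmdline": "net use H: \\\\fs02\\home"}
"""

# One regex per stage of the chain described in the report: PowerShell script
# execution, 'net share' enumeration, copying files into SMB admin shares, and
# remote execution through WMI. Each is only a weak signal on its own.
RULES = {
    "script_exec": re.compile(r"powershell(\.exe)?\s.*-file\s", re.I),
    "share_enum": re.compile(r"^net(\.exe)?\s+share\b", re.I),
    "admin_share_write": re.compile(r"\\\\[\w.-]+\\(admin\$|c\$)\\", re.I),
    "wmi_remote_exec": re.compile(r"invoke-wmimethod|wmic(\.exe)?\s+/node:", re.I),
}

def parse_events(text):
    """Parse newline-delimited JSON events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def classify(event):
    """Return the set of stage names whose pattern matches the command line."""
    cmd = event.get("cmdline", "")
    return {name for name, rx in RULES.items() if rx.search(cmd)}

def suspicious_hosts(events, min_stages=3):
    """Correlate stages per host. A host is flagged only when several distinct
    stages of the chain are seen, which separates admin work from lateral movement."""
    stages = defaultdict(set)
    for ev in events:
        stages[ev["host"]] |= classify(ev)
    return {h: sorted(s) for h, s in stages.items() if len(s) >= min_stages}

if __name__ == "__main__":
    for host, seen in suspicious_hosts(parse_events(SAMPLE_EVENTS)).items():
        print(f"{host}: {', '.join(seen)}")
```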