CISA confirms Veeam vulnerability is being used in ransomware attacks


The nation’s top cybersecurity agency has confirmed that ransomware gangs are using a vulnerability found last month in products from software company Veeam. 

For weeks, experts have expressed alarm about CVE-2024-40711 — a bug Veeam rated critical and gave a severity score of 9.8 when it was disclosed in September. 

CVE-2024-40711 could “allow an attacker to gain full control of a system, manipulate data, and potentially move laterally within a network, making it a relatively high-value target for threat actors,” according to researchers at Censys.

The Cybersecurity and Infrastructure Security Agency (CISA) confirmed on Thursday that the vulnerability has been exploited and took the rare step of specifying that it was being used in ransomware attacks. 

Veeam released a fix on September 4 after the bug was discovered by Code White security researcher Florian Hauser. By September 15, proof-of-concept exploit code had been released by watchTowr Labs. Veeam specializes in software for system backups and disaster recovery.

CISA gave federal civilian agencies until November 7 to patch the bug. 

CISA added the “Known To Be Used in Ransomware Campaigns?” tab in the Known Exploited Vulnerabilities (KEV) Catalog almost exactly a year ago but has rarely used it.

The tag is fitting, considering that researchers have warned of ransomware gangs specifically targeting CVE-2024-40711 because companies use Veeam for sensitive activities.

Cybersecurity firm Sophos said last week that its incident response team was tracking a series of attacks that involved the exploitation of CVE-2024-40711 and attempted deployment of ransomware. 

“In one case, attackers dropped Fog ransomware. Another attack in the same timeframe attempted to deploy Akira ransomware. Indicators in all 4 cases overlap with earlier Akira and Fog ransomware attacks,” Sophos said. 

Sophos’ Sean Gallagher added on Thursday that they have found another case tied to the same campaign. 

Censys warned in September that the vulnerability is “particularly concerning because it’s likely to be exploited by ransomware operators to compromise backup systems and potentially create double-extortion scenarios.” 

They added that earlier vulnerabilities in Veeam Backup & Replication, such as CVE-2023-27532 disclosed back in July, “have already been exploited by ransomware groups like EstateRansomware, Akira, Cuba, and FIN7 for initial access, credential theft, and other malicious activities.”

“Although it is currently unknown if CVE-2024-40711 is actively being exploited, its potential for extracting large volumes of data and enabling lateral movement within networks suggests it could become a target for ransomware attacks,” Censys said last month. 

Incident response firm Rapid7 noted that more than 20% of their cases in 2024 so far have involved Veeam “being accessed or exploited in some manner, typically once an adversary has already established a foothold in the target environment.”

The U.K.’s National Health Service released its own warning about CVE-2024-40711 last week.


Jonathan Greig

is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.
