NHS England’s National Cyber Security Operations Centre (CSOC) has issued a high-severity cyber alert in response to the active exploitation of a critical vulnerability, CVE-2024-40711, in Veeam’s Backup & Replication software.
This alert follows Veeam’s security bulletin from September, which addressed one critical and five high-severity vulnerabilities, including CVE-2024-40711. The NHS alert is in line with previous warnings, such as cyber alert CC-4542, highlighting the urgency for rapid patching and other defensive actions.
According to the advisory, ransomware groups have been leveraging CVE-2024-40711 as a second-stage exploit to create local Administrator accounts on compromised networks.
Executing Remote Code
This vulnerability, described as a critical “deserialization of untrusted data” issue, has a CVSSv3 score of 9.8. If exploited, it could enable an unauthenticated attacker to execute remote code on targeted systems.
NHS reports that exploitation attempts began shortly after the official disclosure by Veeam, and they assess that this trend is likely to continue.
Florian Hauser, a security researcher with CODE WHITE, discovered the security flaw. He recently tweeted about the vulnerability, which could result in serious consequences for unpatched enterprise backup and disaster recovery systems.
Cyber threat groups often target these systems due to their critical importance within corporate networks.
Attacks Linked to CVE-2024-40711 Exploitation
Sophos X-Ops has observed a recent wave of ransomware attacks involving CVE-2024-40711. In several incidents, attackers used compromised credentials and the vulnerability to deploy ransomware such as Akira and Fog.
Malefactors reportedly exploited the /trigger endpoint on port 8000 within Veeam, using the Veeam.Backup.MountService.exe to spawn net.exe and create a local account called “point,” which was subsequently added to the local Administrators and Remote Desktop Users groups.
One incident involved the deployment of Fog ransomware on an unprotected Hyper-V server, where the attacker then used the rclone utility to exfiltrate data.
According to Sophos X-Ops, these incidents often began with unauthorized access to VPN gateways lacking multifactor authentication and sometimes running unsupported software versions.
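As an added defensive illustration, not part of the NHS alert or Sophos' report, the following Python detector applies the process-lineage pattern described above (Veeam.Backup.MountService.exe launching net.exe to create and elevate a local account) to constructed Sysmon-style process-creation records; the hostnames, file paths and sample command lines are assumptions.

```python
"""Detect the post-exploitation pattern reported for CVE-2024-40711:
Veeam.Backup.MountService.exe spawning net.exe to create a local user and
add it to the Administrators / Remote Desktop Users groups."""
import ntpath
import re

VEEAM_MOUNT = "veeam.backup.mountservice.exe"      # parent image to watch
NET_BINARIES = {"net.exe", "net1.exe"}             # net.exe hands off to net1.exe

# "net user <acct> [<pwd>] /add" and "net localgroup <grp> <acct> /add"
USER_ADD = re.compile(r"^\s*net1?\s+user\s+(?P<acct>\S+)\s+(?:\S+\s+)?/add\b", re.I)
GROUP_ADD = re.compile(
    r'^\s*net1?\s+localgroup\s+(?P<grp>"[^"]+"|\S+)\s+(?P<acct>\S+)\s+/add\b', re.I)

# Constructed Sysmon-style process-creation records (hypothetical hosts), not real telemetry.
MOUNT_PATH = r"C:\Program Files\Veeam\Backup and Replication\Backup\Veeam.Backup.MountService.exe"
NET_PATH = r"C:\Windows\System32\net.exe"
SAMPLE_EVENTS = [
    {"host": "bkp-01", "parent": MOUNT_PATH, "image": NET_PATH,
     "cmdline": "net user point Placeholder1! /add"},
    {"host": "bkp-01", "parent": MOUNT_PATH, "image": NET_PATH,
     "cmdline": "net localgroup Administrators point /add"},
    {"host": "bkp-01", "parent": MOUNT_PATH, "image": NET_PATH,
     "cmdline": 'net localgroup "Remote Desktop Users" point /add'},
    {"host": "ws-07", "parent": r"C:\Windows\explorer.exe", "image": NET_PATH,
     "cmdline": r"net use Z: \\fileserver\share"},          # ordinary user activity
    {"host": "bkp-02", "parent": MOUNT_PATH, "image": NET_PATH,
     "cmdline": "net view"},                                # odd child, no account change
]


def classify(event):
    """Return a finding for one process-creation event, or None if it is benign."""
    parent = ntpath.basename(event["parent"]).lower()
    image = ntpath.basename(event["image"]).lower()
    if parent != VEEAM_MOUNT or image not in NET_BINARIES:
        return None
    base = {"host": event["host"], "account": None, "group": None}
    if m := USER_ADD.match(event["cmdline"]):
        return {**base, "severity": "high", "action": "create_local_user", "account": m["acct"]}
    if m := GROUP_ADD.match(event["cmdline"]):
        return {**base, "severity": "high", "action": "add_to_local_group",
                "account": m["acct"], "group": m["grp"].strip('"')}
    # The mount service has no legitimate reason to launch net.exe at all.
    return {**base, "severity": "medium", "action": "unexpected_net_child"}


def detect(events):
    """Run classify() over a batch of events and keep only the findings."""
    return [f for f in map(classify, events) if f is not None]
```

Feed it real Sysmon Event ID 1 (or Windows 4688) records mapped to the same four fields; pairing the high-severity findings with Security event 4720 (user created) and 4732 (member added to local group) from the same host tightens the alert further.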
Patching and Security Measures
Javvad Malik, Lead Security Awareness Advocate at KnowBe4, highlighted the significance of addressing unpatched vulnerabilities and implementing multifactor authentication, particularly for software with a public-facing component.
“When we look at how criminals or nation-states break into organizations, social engineering is the number one method, and in second place is where criminals take advantage of unpatched vulnerabilities,” Malik explained. He noted that focusing on these areas can help organizations reduce risk by over 90%.
“Beyond the unpatched software, there was no multi-factor authentication enabled on the VPN gateways,” Malik continued. “Any security software, in particular public-facing software, should have multi-factor authentication enabled to prevent account takeover. Just because software is providing security, it doesn’t mean they are secure by default.”
Using the Tools We Have
Adam Pilton, a Senior Cybersecurity Consultant at CyberSmart, added: “It is no surprise to see cyber criminals exploiting vulnerabilities to deploy ransomware. Since 2019, each year we have seen the money made by ransomware gangs increase, other than in 2022 where we saw a dip which was likely due to the Russian invasion of Ukraine. This year is no different and current data tells us that we are likely to see another increase.”
Pilton said ransomware continues to be a reliable way for cybercriminals to make money. As the National Cyber Security Centre stated in its 2023 annual report, we have the tools to protect ourselves; we just need to get better at using them. When it comes to ransomware, this is a very relevant statement.
“The exploit in question has a security patch available. It is imperative that this patch is applied. Effective vulnerability management is not a nice to have, it’s a must for businesses to be able to continue effectively operating. Cyber criminals will continue using ransomware because it works and we must step up our defences.”
Sophos’ incident team also stressed that entities should prioritize patching known vulnerabilities, upgrading or replacing outdated VPNs, and using multifactor authentication to control remote access. These measures can greatly reduce the likelihood of similar attacks.
Proactive Measures for Organizations
With ransomware groups continuing to exploit vulnerabilities like CVE-2024-40711, NHS England’s National CSOC urges organizations to take immediate action. Patching software vulnerabilities, especially those under active exploitation, can help prevent unauthorized access and protect sensitive data.
As ransomware tactics evolve, it becomes key for businesses to adopt a layered approach to cybersecurity, strengthening defenses at every stage of the attack chain.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.