Description
A newly identified ransomware group, EstateRansomware, has exploited an already patched flaw in Veeam Backup & Replication software to carry out sophisticated cyberattacks. In early April 2024, researchers found that the group's modus operandi involves exploiting CVE-2023-27532, a vulnerability with a CVSS score of 7.5. The attacks, which could have a significant impact, are further facilitated by a defunct account on a Fortinet FortiGate firewall SSL VPN appliance, which provided initial access to the target environment.
Attack Details
Initial Access and Lateral Movement:
Initial access was gained through a Fortinet FortiGate firewall's SSL VPN service. EstateRansomware used an inactive account, 'Acc1', for brute-force login attempts, which were recorded in April 2024. A successful VPN login with 'Acc1' from a remote IP address then allowed the threat actors to move laterally to the failover server.
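The pattern described above, a burst of failed SSL VPN logins for a dormant account followed by a successful tunnel from the same source, is straightforward to surface from firewall logs. The following detection routine is an added example written for this advisory, not code from the incident report or from Fortinet. The log lines are constructed in FortiGate key=value style, and the failure threshold, time window and dormant-account list are assumptions that a defender would tune to their own environment.

```python
"""Detect SSL VPN brute force followed by a successful login, over
FortiGate-style key=value event lines (constructed sample, not real data)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: repeated failures for the dormant account 'Acc1' from one
# remote IP, then a successful tunnel from the same source; one benign user
# who mistyped a password once is included as a negative case.
SAMPLE_LOGS = """\
date=2024-04-05 time=01:00:01 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.5 user="Acc1" reason="sslvpn_login_permission_denied"
date=2024-04-05 time=01:00:07 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.5 user="Acc1" reason="sslvpn_login_permission_denied"
date=2024-04-05 time=01:00:14 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.5 user="Acc1" reason="sslvpn_login_permission_denied"
date=2024-04-05 time=01:00:21 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.5 user="Acc1" reason="sslvpn_login_permission_denied"
date=2024-04-05 time=01:00:29 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.5 user="Acc1" reason="sslvpn_login_permission_denied"
date=2024-04-05 time=01:01:02 type="event" subtype="vpn" action="tunnel-up" remip=203.0.113.5 user="Acc1" tunnelip=10.212.134.200
date=2024-04-05 time=08:15:00 type="event" subtype="vpn" action="ssl-login-fail" remip=198.51.100.7 user="jdoe" reason="sslvpn_login_permission_denied"
date=2024-04-05 time=08:15:30 type="event" subtype="vpn" action="tunnel-up" remip=198.51.100.7 user="jdoe" tunnelip=10.212.134.201
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Parse one key=value line into a dict, stripping quotes and adding a timestamp."""
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    fields["ts"] = datetime.strptime(f"{fields['date']} {fields['time']}", "%Y-%m-%d %H:%M:%S")
    return fields


def detect_vpn_bruteforce(log_text, dormant_accounts=frozenset(), threshold=5, window=timedelta(minutes=10)):
    """Return findings for (a) a successful login preceded by >= threshold
    failures for the same user within `window`, and (b) any successful login
    by an account the organisation considers dormant (assumed list)."""
    failures = defaultdict(list)  # user -> timestamps of recent failures
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        user, action, ts = ev.get("user"), ev.get("action"), ev["ts"]
        if action == "ssl-login-fail":
            failures[user].append(ts)
        elif action == "tunnel-up":
            recent = [t for t in failures[user] if ts - t <= window]
            if len(recent) >= threshold:
                findings.append({"rule": "bruteforce-then-success", "user": user,
                                 "remip": ev.get("remip"), "failures": len(recent), "ts": ts})
            if user in dormant_accounts:
                findings.append({"rule": "dormant-account-login", "user": user,
                                 "remip": ev.get("remip"), "ts": ts})
            failures[user].clear()  # a success resets the counter for that user
    return findings


if __name__ == "__main__":
    for f in detect_vpn_bruteforce(SAMPLE_LOGS, dormant_accounts={"Acc1"}):
        print(f)
```

Both rules fire on 'Acc1' in the sample while the single mistyped password for 'jdoe' stays below the threshold; the dormant-account rule is the one that would have caught this intrusion even without the brute-force burst, which is why the account list matters more than the threshold.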
Backdoor Installation:
To maintain access, the attackers established RDP connections from the firewall to the failover server and installed a persistent backdoor named "svchost.exe." The backdoor runs daily through a scheduled task and opens an HTTP connection to a command-and-control (C2) server to execute commands issued by the attackers.
Exploitation of Veeam Backup & Replication Vulnerability:
Exploiting CVE-2023-27532, the threat actors enabled xp_cmdshell on the backup server and created a rogue user account named "VeeamBkp." This account was used for network discovery, enumeration, and credential harvesting with tools such as NetScan, AdFind, and NitSoft. The exploitation likely targeted the backup server's vulnerable Veeam installation from the VeeamHax folder on the file server.
Disabling Security Measures:
The attackers used DC.exe (Defender Control) to permanently disable Windows Defender, then deployed and executed malware using PsExec.exe.
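The persistence and defence-evasion steps above each leave a Windows event behind: a scheduled-task creation (Security event 4698) whose action is a binary named like a system process but stored outside the system directories, a new account (Security event 4720) created by something other than the normal provisioning identity, and Microsoft Defender reporting real-time protection turned off (Defender operational log event 5001). The triage routine below is an added example for this advisory, not code from the report or from Microsoft. Its event records are constructed, simplified dicts standing in for what a SIEM or the event log would supply (real 4698 events carry the task definition as XML rather than a plain Command field), and the provisioning-account allowlist is an assumption.

```python
"""Triage constructed Windows Security / Defender events for the persistence
and defence-evasion steps described in the advisory."""
from pathlib import PureWindowsPath

# System binary names that malware commonly borrows for masquerading.
SYSTEM_BINARY_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
# Assumed: the only identities expected to create user accounts.
PROVISIONING_ACCOUNTS = {"svc_iam"}

# Constructed sample events (simplified; not data from the incident).
SAMPLE_EVENTS = [
    {"Channel": "Security", "EventID": 4698, "SubjectUserName": "administrator",
     "TaskName": r"\Microsoft\Windows\Update\svchost", "Command": r"C:\Users\Public\svchost.exe"},
    {"Channel": "Security", "EventID": 4698, "SubjectUserName": "SYSTEM",
     "TaskName": r"\Microsoft\Windows\Defrag\ScheduledDefrag", "Command": r"C:\Windows\System32\defrag.exe"},
    {"Channel": "Security", "EventID": 4720, "SubjectUserName": "administrator", "TargetUserName": "VeeamBkp"},
    {"Channel": "Security", "EventID": 4720, "SubjectUserName": "svc_iam", "TargetUserName": "new.hire"},
    {"Channel": "Microsoft-Windows-Windows Defender/Operational", "EventID": 5001, "Computer": "BACKUP01"},
]


def is_masquerading_task(ev):
    """4698: task action is a system-binary name running from a non-system directory."""
    if ev.get("EventID") != 4698:
        return False
    path = PureWindowsPath(ev.get("Command", ""))
    name = path.name.lower()
    parent = str(path.parent).lower()
    return name in SYSTEM_BINARY_NAMES and not parent.startswith(SYSTEM_DIRS)


def is_unexpected_account_creation(ev):
    """4720: a user account was created by an identity outside the allowlist."""
    if ev.get("EventID") != 4720:
        return False
    return ev.get("SubjectUserName", "").lower() not in PROVISIONING_ACCOUNTS


def is_defender_disabled(ev):
    """5001 in the Defender operational log: real-time protection was disabled."""
    return ev.get("EventID") == 5001 and "Defender" in ev.get("Channel", "")


def triage(events):
    """Return (rule, detail) tuples for every event that matches a rule."""
    findings = []
    for ev in events:
        if is_masquerading_task(ev):
            findings.append(("masquerading-scheduled-task", ev["Command"]))
        elif is_unexpected_account_creation(ev):
            findings.append(("unexpected-account-creation", ev["TargetUserName"]))
        elif is_defender_disabled(ev):
            findings.append(("defender-realtime-disabled", ev.get("Computer")))
    return findings


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```

The path check compares only the literal parent directory, so a task whose command uses relative components or 8.3 short names would need normalisation before comparison; in production the three rules would run as separate SIEM correlations, but grouping them by host and time is what turns three medium-severity alerts into one high-confidence intrusion.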
Double Extortion Strategy:
EstateRansomware employs a double-extortion strategy, exfiltrating data before encrypting files. The group uses custom tools such as Exmatter, Exbyte, and StealBit to transfer sensitive data to infrastructure it controls. The threat actors aim for prolonged access to victim networks, blending in and escalating their privileges to identify valuable data for theft.
Indicators of Compromise (IOCs)
File Hashes:
Recommendations
Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary.
PDF Download: Veeam Backup & Replication Software Security Flaw Exploited by New Ransomware Group EstateRansomware