Ransomware gang exploiting unpatched Veeam backup products


Researchers at WithSecure have issued an alert after uncovering evidence that a notorious cyber criminal gang is exploiting a recently disclosed vulnerability in Veeam Backup & Replication data backup and recovery software to access its victims’ networks.

Tracked as CVE-2023-27532, the Veeam vulnerability was first published on 7 March 2023. It enables an unauthenticated user who has accessed the backup infrastructure network perimeter to get their hands on encrypted credentials stored in the configuration database, which may ultimately lead to them gaining access to the backup infrastructure hosts.

It is classified as a high-severity bug and carries a CVSS v3 score of 7.5. It exists in the Veeam.Backup.Service.exe process of Veeam Backup & Replication, Veeam Cloud Connect, Veeam Cloud Connect for the Enterprise and Veeam Backup & Replication Community Edition.

“WithSecure Intelligence identified attacks which occurred in late March 2023 against internet-facing servers running Veeam Backup & Replication software,” wrote WithSecure analysts Neeraj Singh and Mohammad Kazem Hassan Nejad.

“Our research indicates with high confidence that the intrusion set used in these attacks is consistent with activities attributed to the FIN7 activity group. It is likely that initial access and execution was achieved through a recently patched Veeam Backup & Replication vulnerability, CVE-2023-27532,” they explained.


FIN7 is a prolific and dangerous financially motivated operator that has deployed multiple strains of ransomware in its attacks – including BlackCat/ALPHV, BlackMatter, DarkSide and, at one time, REvil – after pivoting to extortion from payment card data theft about three years ago.

The group may have links to multiple recent high-profile cyber attacks, including the developing heist on…
