Ransomware, Patch/Configuration Management

Attacks leveraging Veeam backup software flaw launched by novel ransomware gang

Share

Newly emergent EstateRansomware ransomware group has deployed intrusions leveraging the already addressed high-severity Veeam Backup & Replication software flaw, tracked as CVE-2023-27532, since April, The Hacker News reports.

Intrusions by EstateRansomware involved the targeting of a Fortinet FortiGate firewall SSL VPN instance with brute-force attempts for initial access before launching the persistent "svchost.exe" backdoor and conducting remote desktop protocol-based lateral movement, an analysis from Group-IB showed. Exploitation of the vulnerability was then followed by "xp_cmdshell" activation and the creation of the new "VeeamBkp" account, which was used alongside NetScan and other hacking tools for malicious activities. Attackers then moved to deactivate Windows Defender before distributing ransomware, according to researchers. Such findings come after a Cisco Talos report detailing the evolving tactics, techniques, and procedures employed by ransomware operations. "The diversification highlights a shift toward more boutique-targeted cybercriminal activities, as groups such as Hunters International, Cactus, and Akira carve out specific niches, focusing on distinct operational goals and stylistic choices to differentiate themselves," said Cisco Talos.

An In-Depth Guide to Ransomware

Get essential knowledge and practical strategies to protect your organization from ransomware attacks.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.