
Critical Veeam RCE leveraged in Akira, Fog ransomware attacks


BleepingComputer reports that, over the past month, attackers attempted to deploy both Akira and Fog ransomware payloads in intrusions that exploited the critical remote code execution flaw in Veeam Backup & Replication servers tracked as CVE-2024-40711.

According to a report from Sophos X-Ops researchers, all of the attacks also involved the use of previously stolen credentials to log in to VPN gateways that lacked multi-factor authentication, some of which were running outdated software. "In the Fog ransomware incident, the attacker deployed it to an unprotected Hyper-V server, then used the utility rclone to exfiltrate data," said Sophos X-Ops.

The development comes more than a year after the high-severity Veeam Backup & Replication vulnerability tracked as CVE-2023-27532 was used in Cuba ransomware intrusions against critical infrastructure organizations in the U.S. and IT firms in Latin America, as well as in attacks by the FIN7 threat operation associated with the BlackBasta, REvil, and Conti ransomware gangs.

