
Vulnerable Veeam Backup & Replication systems targeted by FIN7

Veeam Backup & Replication instances that have not been patched against CVE-2023-27532 have been attacked by the Russian FIN7 hacking group since the end of March to deliver the Diceloader (also known as Lizar) backdoor, according to SecurityWeek. FIN7 exploited a Veeam Backup process to gain shell command execution, which it used to download and run the PowerShell-based Powertrash in-memory dropper, which in turn deployed Diceloader, a WithSecure report showed. Vulnerable Veeam backup systems were also observed being targeted days before the malware was delivered. "WithSecure Intelligence has so far identified two instances of such attacks conducted by FIN7. As the initial activity across both instances was initiated from the same public IP address on the same day, it is likely that these incidents were part of a larger campaign. However, given the probable rarity of Veeam backup servers with TCP port 9401 publicly exposed, we believe the scope of this attack is limited," said WithSecure.
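One way to hunt for the chain described above (a Veeam backup process spawning a shell that launches a PowerShell dropper) in endpoint process-creation telemetry. This is an added example, not code from WithSecure or SecurityWeek; the parent process name Veeam.Backup.Service.exe, the Sysmon-style field names and the sample events are assumptions constructed for illustration.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample process-creation events (Sysmon Event ID 1 style fields),
# not real telemetry. The parent process name is an assumption: the article
# only says "a Veeam Backup process".
VEEAM_DIR = r"C:\Program Files\Veeam\Backup and Replication\Backup"
SAMPLE_EVENTS: List[Dict[str, str]] = [
    # Veeam service -> cmd.exe -> encoded PowerShell: matches the reported chain
    {"ParentImage": VEEAM_DIR + r"\Veeam.Backup.Service.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c powershell -nop -w hidden -enc BASE64_PLACEHOLDER"},
    # Veeam service -> PowerShell running a script file: could be a legitimate
    # pre/post-job script, so it is flagged at lower severity for review
    {"ParentImage": VEEAM_DIR + r"\Veeam.Backup.Service.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\Scripts\post_job.ps1"},
    # Encoded PowerShell from an interactive parent: out of scope for this rule
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -enc BASE64_PLACEHOLDER"},
    # Veeam service spawning its own helper: normal behaviour
    {"ParentImage": VEEAM_DIR + r"\Veeam.Backup.Service.exe",
     "Image": VEEAM_DIR + r"\VeeamAgent.exe",
     "CommandLine": "VeeamAgent.exe"},
]

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Command-line traits typical of in-memory PowerShell droppers
SUSPICIOUS_PS = re.compile(
    r"(-enc\b|-encodedcommand|downloadstring|invoke-expression|\biex\b|frombase64string)",
    re.IGNORECASE,
)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def classify(event: Dict[str, str]) -> Optional[str]:
    """Return a severity if a Veeam backup process spawned a shell, else None."""
    parent = basename(event["ParentImage"])
    if not (parent.startswith("veeam.backup.") and parent.endswith(".exe")):
        return None
    if basename(event["Image"]) not in SHELLS:
        return None
    return "high" if SUSPICIOUS_PS.search(event["CommandLine"]) else "medium"


def find_alerts(events: List[Dict[str, str]]) -> List[Tuple[int, str]]:
    """Index and severity of every event the rule fires on."""
    return [(i, sev) for i, e in enumerate(events) if (sev := classify(e))]
```

Veeam jobs can legitimately run pre- and post-job scripts, so tune the "medium" tier against known script paths in your environment before alerting on it.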
