The Fog and Akira ransomware gangs have been observed exploiting a critical vulnerability that lets them run a remote code execution (RCE) on Veeam Backup and Replications servers.
While Veeam disclosed this critical deserialization bug and released a patch for CVE-2024-40711 on Sept. 4, publication of the proof-of-concept (PoC) developed by watchTowr Labs was delayed until Sept. 15 to give vulnerable businesses time to implement the necessary updates.
“Unfortunately, this window of opportunity proved to be insufficient for many customers, as is often the case when vulnerabilities are disclosed,” explained Patrick Tiquet, vice president, security and architecture at Keeper Security.
In an Oct. 10 post on X, Sophos X-Ops reported that in both cases involving Fog and Akira, the attackers initially accessed targets using compromised VPN gateways without multi-factor authentication (MFA) enabled. The researchers added that some of these VPNs were running unsupported software versions, making them even more vulnerable.
Tiquet pointed out that enabling MFA adds a critical layer of security. Even if a password gets compromised, Tiquet said an attacker cannot easily gain access without the second authentication factor, reducing the risk of successful attacks through stolen credentials.
“Implementing a password manager can also strengthen this defense by creating, storing and automatically filling high-strength random passwords for various accounts,” said Tiquet. “Password managers also support robust MFA options, making it significantly harder for bad actors to gain unauthorized access.”
Jason Soroko, senior fellow at Sectigo, said it’s common for organizations to delay patching so they can test the patch or work it into the timing of their maintenance windows. However, this gives the attackers a window to attack.
“Attackers can often reverse engineer patches and then create tailored malware to exploit the vulnerability that was patched,” explained Soroko. “This highlights the need to patch quickly regardless of whether white hat researchers release exploit code.”
The Fog ransomware group launched in May 2024 focused on attacking U.S. educational institutions. Akira started in March 2023 and has primarily targeted organizations based in Europe, North America, and Australia operating in the government, manufacturing, technology, education, consulting, pharmaceuticals, and telecom sectors.
