A group of threat actors known to work with multiple high-profile ransomware gangs is currently targeting Veeam backup servers. Since March 28, there have been reports of intrusions showing malicious activity and tools similar to those used in FIN7 attacks.
This occurred shortly after the discovery of a severe vulnerability in the Veeam Backup and Replication (VBR) software. The security issue, tracked as CVE-2023-27532, exposes encrypted credentials stored in the VBR configuration to unauthorized users within the backup infrastructure. This vulnerability could enable attackers to gain access to the backup infrastructure hosts.
On March 23, Horizon3, a pen-testing company, released an exploit for CVE-2023-27532. The exploit demonstrates how an unsecured API endpoint could be abused to extract credentials in plain text. Furthermore, an attacker who leverages the vulnerability could remotely execute code with the highest privileges. At the same time, Huntress Labs warned that around 7,500 internet-accessible VBR hosts still appeared to be vulnerable.