Veeam backup servers

Hackers target vulnerable Veeam backup servers exposed online

@ndma 02 May 2023

Threat Actor

FIN7

Description

Veeam backup servers are being targeted by at least one group of threat actors known to work with multiple high-profile ransomware gangs.

Malicious activity and tools echoing FIN7 attacks have been observed in intrusions since March 28, less than a week after an exploit became available for a high-severity vulnerability in Veeam Backup and Replication (VBR) software.

Tracked as CVE-2023-27532, the security issue exposes encrypted credentials stored in the VBR configuration to unauthenticated users in the backup infrastructure. An attacker could use these credentials to access the backup infrastructure hosts.

On March 23, the pentesting company Horizon3 released an exploit for CVE-2023-27532 that also demonstrated how an unsecured API endpoint could be abused to extract the credentials in plain text. An attacker leveraging the vulnerability could also run code remotely with the highest privileges.

At the time, Huntress Labs warned that there were still approximately 7,500 internet-exposed VBR hosts that appeared to be vulnerable.
