Veeam Backup & Replication servers exposed on the Internet are being targeted by at least one cybercriminal group. Once they have this access, the goal is clear: deploy ransomware to encrypt data.
On March 23, Horizon3 released an exploit for CVE-2023-27532, a security flaw affecting the Veeam Backup & Replication application. With this proof of concept and its technical details public, attacks are easier to carry out and therefore more numerous, especially since the vulnerability allows an unauthenticated remote attacker to gain access to the backup server.
According to Huntress Labs, as of March 23, 2023, approximately 7,500 Veeam Backup & Replication servers were still exposed on the Internet and vulnerable to this flaw. That is not insignificant out of the 450,000 businesses using Veeam today.
Moreover, since the end of March, attacks by the Russian-speaking cybercriminal group FIN7 have been aimed at Veeam servers. According to the analysis conducted by WithSecure, it is indeed CVE-2023-27532 that is exploited, notably because port 9401/TCP is targeted. Once the Veeam server is compromised, it starts to perform suspicious actions such as downloading and executing PowerShell scripts from the Internet (icsnd16_64refl.ps1, icbt11801_64refl.ps1) with SYSTEM rights.
These scripts are used for reconnaissance, and if the attack progresses, it can end with ransomware being executed. This is not surprising, since FIN7 is known to have partnered with ransomware groups such as REvil, BlackBasta and Conti.
How to protect against the CVE-2023-27532 vulnerability?
The good news is that CVE-2023-27532 has been patched since March 7, 2023. The vendor, Veeam, specifies two versions that protect against this flaw:
- Veeam Backup & Replication 12: build 12.0.0.1420 P20230223 (and higher)
- Veeam Backup & Replication 11a: build 11.0.1.1261 P20230227 (and higher)
Although this article refers to attacks from the Internet, this vulnerability could also be exploited from within the company's internal network.
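To turn the two fixed builds above into a quick inventory check, here is an added example (not code from the article or from Veeam) that parses the build string Veeam displays, such as "12.0.0.1420 P20230223", and reports whether a server is on a patched build for its branch. The thresholds are the two builds listed above; it assumes, conservatively, that any branch older than 11 has no fixed build and is reported as not patched, and that a major version newer than 12 ships with the fix. The inventory at the bottom is constructed sample data.

```python
import re
from typing import Dict, List, Tuple

# Minimum patched builds for CVE-2023-27532, as published by Veeam (from the article).
PATCHED_BUILDS: Dict[int, Tuple[int, int, int, int]] = {
    11: (11, 0, 1, 1261),   # Veeam Backup & Replication 11a, P20230227
    12: (12, 0, 0, 1420),   # Veeam Backup & Replication 12,  P20230223
}


def parse_build(build: str) -> Tuple[int, int, int, int]:
    """Parse a Veeam build string such as '12.0.0.1420 P20230223' into a 4-tuple.

    The trailing 'Pyyyymmdd' patch tag is ignored; only the numeric build is
    compared. Shorter strings like '12.0' are right-padded with zeros.
    """
    m = re.match(r"\s*(\d+(?:\.\d+){0,3})", build)
    if not m:
        raise ValueError(f"unrecognised build string: {build!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return tuple(parts + (0,) * (4 - len(parts)))  # type: ignore[return-value]


def is_patched(build: str) -> bool:
    """True when the build is at or above the fixed build for its branch."""
    version = parse_build(build)
    major = version[0]
    if major > 12:
        return True   # assumption: later major releases include the fix
    if major < 11:
        return False  # assumption: no fixed build is listed for older branches
    return version >= PATCHED_BUILDS[major]


def audit(inventory: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Classify each host as PATCHED, VULNERABLE or UNKNOWN (unparseable build)."""
    report = []
    for host, build in sorted(inventory.items()):
        try:
            status = "PATCHED" if is_patched(build) else "VULNERABLE"
        except ValueError:
            status = "UNKNOWN"
        report.append((host, build, status))
    return report


# Constructed sample inventory (hostnames and builds are made up).
SAMPLE_INVENTORY = {
    "vbr-prod-01": "12.0.0.1420 P20230223",
    "vbr-prod-02": "12.0.0.1402",
    "vbr-dr-01":   "11.0.1.1261 P20230227",
    "vbr-legacy":  "10.0.1.4854",
    "vbr-test":    "n/a",
}

if __name__ == "__main__":
    for host, build, status in audit(SAMPLE_INVENTORY):
        print(f"{host:12} {build:24} {status}")
```

Treat UNKNOWN entries as needing a manual look rather than ignoring them: a server whose build cannot be read is exactly the kind of host that gets forgotten, and the article's point is that exposure on port 9401/TCP is what the attackers look for first.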