Another Ransomware Group Exploits Veeam Backup & Replication for Data Exfiltration

Date: July 16, 2024


A second ransomware group has been observed exploiting a year-old vulnerability (CVE-2023-27532) in Veeam’s flagship anti-ransomware solution to exfiltrate sensitive data.

Attackers can create bogus user accounts, deploy additional hacking tools, exfiltrate credentials and data, perform Active Directory reconnaissance, deploy post-exploitation tools, and deactivate security products.

Veeam’s Backup & Replication product offering is meant to protect sensitive data in the case of a ransomware attack, but the company said last year that the exploitation of a bug in the product can allow attackers to extract user credentials that are stored in the configuration database.

Other reports indicate that vulnerability researchers warned that the extractable credentials were being stored in cleartext, which is more than problematic from a security standpoint.

The company issued a patch in March 2023, but shortly after that the Cuba ransomware cybergang was observed exploiting the bug, and since then the exploit has been leveraged in multiple attacks.

“Ownership of the Veeam backup data was taken via the Veeam backup folder, while the threat actor compressed and uploaded data from other systems. Common file types like documents, images and spreadsheets were included in this backup, in the hopes that confidential and potentially valuable data could be harvested and leveraged by the malicious actor for their own financial gain,” SecurityWeek reports.

Takeaway: Data backups are still highly recommended for disaster recovery, but organizations cannot depend on them as the primary means of recovering from a successful ransomware attack.

A recent study on the business impact from ransomware attacks found that nearly 80% of businesses depend on data backups not only for disaster recovery, but also as the primary means of recovering from a ransomware attack.

Aside from the fact that restoring thousands of devices from backups is logistically challenging and requires weeks of work, the other problem with this strategy is that the targeting of data backups - whether stored on-site or in the cloud - has increasingly become a favored tactic of ransomware attackers.

Early in the evolution of ransomware attack sequences, malicious payloads would simply encrypt files and demand payment for decryption keys. Security teams found success in either restoring from backups or accepting loss of data as an acceptable consequence.

But today’s attacks typically include the exfiltration of sensitive data, so even if systems can be restored without having to pay the ransomware operators for a decryption key, there is no guarantee that a ransom payment will prevent the stolen data from being exploited.

This challenge is further complicated by a common tactic where the attackers use legitimate network tools like the Windows Vssadmin process to delete shadow copy backup files.
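Two of the behaviours described above, creating bogus user accounts and deleting shadow copies with built-in Windows tools, leave traces in standard Windows Security event logs. The following is an added example (not code from the article or from Veeam) of detection logic run over a handful of constructed process-creation (4688) and user-account-creation (4720) events. The article names vssadmin; the wmic and wbadmin patterns, the approved-provisioner list and all host and account names are assumptions made for the example.

```python
"""Flag two ransomware precursors in Windows Security events:
shadow-copy / backup-catalog deletion and unexpected account creation.
Added example; the events below are constructed, not real logs."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Command lines that remove Volume Shadow Copies or backup catalogs.
# vssadmin is the tool named in the article; the wmic and wbadmin
# equivalents are added here as an assumption, not from the article.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    re.compile(r"\bvssadmin(?:\.exe)?\b.*\bresize\s+shadowstorage\b", re.I),
    re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\s+(?:catalog|systemstatebackup)\b", re.I),
]

# Accounts that are allowed to create users (constructed for the example).
APPROVED_PROVISIONERS = {"svc_iam_provision", "helpdesk_admin"}


@dataclass
class Alert:
    event_id: int
    host: str
    rule: str
    detail: str


def check_process_creation(ev: dict) -> Optional[Alert]:
    """Security event 4688: match the command line against shadow-copy
    deletion patterns; 'vssadmin list shadows' is benign and does not match."""
    cmd = ev.get("CommandLine", "")
    for pat in SHADOW_DELETE_PATTERNS:
        if pat.search(cmd):
            return Alert(ev["EventID"], ev["Computer"], "shadow_copy_deletion", cmd)
    return None


def check_account_created(ev: dict) -> Optional[Alert]:
    """Security event 4720 (user account created): flag creation by any
    account outside the approved provisioning set, the 'bogus user account'
    step described in the article."""
    creator = ev.get("SubjectUserName", "")
    if creator.lower() not in APPROVED_PROVISIONERS:
        return Alert(ev["EventID"], ev["Computer"], "unexpected_account_creation",
                     f"{creator} created {ev.get('TargetUserName', '?')}")
    return None


HANDLERS = {4688: check_process_creation, 4720: check_account_created}


def detect(events: Iterable[dict]) -> List[Alert]:
    """Dispatch each event to its handler and collect the resulting alerts."""
    alerts: List[Alert] = []
    for ev in events:
        handler = HANDLERS.get(ev.get("EventID"))
        if handler is None:
            continue  # event types this example does not inspect
        alert = handler(ev)
        if alert is not None:
            alerts.append(alert)
    return alerts


# Constructed sample events (hosts, users and commands are made up).
SAMPLE_EVENTS = [
    {"EventID": 4688, "Computer": "BACKUP01", "SubjectUserName": "veeam_svc",
     "NewProcessName": "C:\\Windows\\System32\\vssadmin.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"EventID": 4688, "Computer": "WS042", "SubjectUserName": "jdoe",
     "NewProcessName": "C:\\Windows\\System32\\vssadmin.exe",
     "CommandLine": "vssadmin list shadows"},
    {"EventID": 4720, "Computer": "DC01", "SubjectUserName": "helpdesk_admin",
     "TargetUserName": "new.hire"},
    {"EventID": 4720, "Computer": "BACKUP01", "SubjectUserName": "veeam_svc",
     "TargetUserName": "support_tmp"},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a.rule}] host={a.host} event={a.event_id}: {a.detail}")
```

Run against the sample events, the script raises two alerts: the quiet deletion of all shadow copies on the backup host, and a new local account created by a backup service account that is not an approved provisioner. The benign `vssadmin list shadows` and the helpdesk-created account produce nothing. In production the same checks would be fed from forwarded Security logs or an EDR, and the account-creation rule would be tuned to the organisation's actual provisioning accounts.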

Many vendors tout a “rollback” feature dependent on shadow copies that they claim will easily reverse encryption on an infected machine, and while automatic rollbacks are a nice feature to call out in marketing materials, they give customers a false sense of security.

Today, it is increasingly likely that ransomware operators will wipe backups during the attack, so backups have limited utility regarding ransomware attacks. Even when uncorrupted backups are available, restoration of every infected device is an arduous task involving a manual wiping and re-imaging process that can take weeks or months, and at great cost.

For example, last year a manufacturing company with revenues nearing $1B annually was attacked by the Akira ransomware group. Akira encrypted all Windows workstations and servers halting their business and operations. All backups were destroyed and were not recoverable.

Not only was the company almost completely unable to conduct business or proceed with production, it also faced the unpleasant reality that it would need to rebuild all its systems from scratch, which would require multiple technology partners and take months to complete.

While some larger companies can weather disruption like this, it may be an existential event for most small to medium organizations who may not have the resources required to spend weeks getting systems back up and running.

Data backups are an important aspect of disaster recovery, but ransomware attacks are not natural disasters; they are well-planned and executed operations conducted by savvy threat actors who understand they must also target data backups for an attack to be successful.

Halcyon.ai is the leading anti-ransomware company that closes endpoint protection gaps and defeats ransomware through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration prevention – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.