Cybercrime group FIN7 targets Veeam backup servers

Researchers warn that a financially motivated cybercrime group known as FIN7 is compromising Veeam Backup & Replication servers and deploying malware on them. It’s not yet clear how attackers are breaking into the servers, but a possibility is that they’re taking advantage of a vulnerability patched in the popular enterprise data replication solution last month.

Researchers from cybersecurity firm WithSecure investigated two such compromises so far, dating from late March, but they believe are likely part of a larger campaign. The post-exploitation activity included setting up persistence, system and network reconnaissance, credential extraction and lateral movement.

Tools and techniques used consistent with past FIN7 activity

FIN7 or Carbon Spider is a cybercrime group that has been in operation since at least 2013 and has been associated with the Carbanak malware family. The group was known in its early years for launching malware attacks against organizations from the retail, restaurant, and hospitality sectors with the goal of stealing credit card information. However, FIN7 also expanded into ransomware, being associated with the Darkside and BlackMatter ransomware families, and more recently BlackCat/ALPHV.

A forensic analysis on the compromised Veeam servers showed that the SQL Server process “sqlservr.exe” that’s related to the Veeam Backup instance was used to execute a batch shell script, which in turn downloaded and executed a PowerShell script directly in memory. That PowerShell script was POWERTRASH, an obfuscated malware loader that’s been attributed to FIN7 in the past.

This PowerShell-based loader is designed to unpack embedded payloads and execute them on the system using a technique known as reflective PE injection. FIN7 was previously seen using this loader to deploy the Carbanak trojan, the Cobalt Strike beacon or a backdoor called DICELOADER or Lizar. The latter was also observed in the recent attacks against Veeam servers, establishing another link to FIN7.

The DICELOADER backdoor allowed attackers to deploy additional custom bash scripts and PowerShell scripts. Some of the scripts used were identical to those used by FIN7 in other attacks.

For example, some scripts collected information about the local system such as running processes, opened network connections, and listening ports and IP configuration. Another script used the Windows Instrumentation Interface to remotely collect information about other systems on the network. Yet another script that is known to be part of FIN7’s arsenal was used to resolve the collected IP addresses to local hosts that identified the computers on the network.

A custom script called gup18.ps1 that hasn’t been observed before was used to set up a persistence mechanism so that the DICELOADER backdoor starts on system reboot. The backdoor execution is achieved through DLL sideloading against an executable file called gup.exe that’s part of a legitimate application called Notepad++.

The attackers deliver both the legitimate gup.exe along with its configuration file and a maliciously modified library called libcurl.dll that gup.exe is designed to execute. This library then decodes the DICELOADER payload from another file and executes it.

The attackers were also seen executing Veeam-specific commands. For example, they used SQL commands to steal information from the Veeam backup database and a custom script to retrieve passwords from the server.

Possible CVE-2023-27532 exploitation

While the WithSecure researchers are not sure how the servers were compromised, they suspect that the attackers exploited a vulnerability tracked as CVE-2023-27532 that was patched by Veeam on March 7. The flaw allows an unauthenticated user who can connect to the server on TCP port 9401 to extract credentials stored in the server’s configuration database and potentially gain access to the server host system.

“A proof-of-concept (POC) exploit was made publicly available a few days prior to the campaign, on 23rd March 2023,” the WithSecure researchers said. “The POC contains remote command execution functionality. The remote command execution, which is achieved through SQL shell commands, yields the same execution chain observed in this campaign.”

This is coupled with the fact that the exploited servers had TCP port 9401 exposed to the internet, were running vulnerable versions of the software when they were compromised and recorded activity from an external IP address on port 9401 right before the SQL server instance invoked the malicious shell commands.

Some activity and shell commands were also recorded on the servers a few days before the malicious attack, which the researchers believe might be the result of an automated scan the attackers performed to identify vulnerable servers.

“We advise affected companies to follow the recommendations and guidelines to patch and configure their backup servers appropriately as outlined in KB4424: CVE-2023-27532,” the WithSecure researchers said. “The information in this report as well as our IOCs GitHub repository can also help organizations look for signs of compromise.”