Hackers target vulnerable Veeam backup servers exposed online

Veeam backup servers are being targeted by at least one group of threat actors known to work with multiple high-profile ransomware gangs.

Malicious activity and tools echoing FIN7 attacks have been observed in intrusions since March 28, less than a week after an exploit became available for a high-severity vulnerability in Veeam Backup and Replication (VBR) software.

Tracked as CVE-2023-27532, the security issue exposes encrypted credentials stored in the VBR configuration to unauthenticated users in the backup infrastructure. This could be used to access the backup infrastructure hosts.

The software vendor fixed the issue on March 7 and provided workaround instructions.

On March 23, Horizon3 pentesting company released an exploit for CVE-2023-27532, which also demonstrated how an unsecured API endpoint could be abused to extract the credentials in plain text. An attacker leveraging the vulnerability could also run code remotely with the highest privileges.

At the time, Huntress Labs warned that there were still approximately 7,500 internet-exposed VBR hosts that appeared to be vulnerable.

FIN7 connections

Threat researchers at Finnish cybersecurity and privacy company WithSecure note in a report this week that the attacks they observed in late March targeted servers running Veeam Backup and Replication software that were accessible over the public web.

The tactics, techniques, and procedures were similar to activity previously attributed to FIN7.

Based on the timing of the campaign, open TCP port 9401on compromised servers, and the hosts running a vulnerable version of VBR, the researchers believe that the intruder likely exploited the CVE-2023-27532 vulnerability for access and malicious code execution.

While performing a threat hunt exercise using telemetry data from WithSecure's Endpoint Detection and Response (EDR), the researchers noticed some Veeam servers that generated suspicious alerts (e.g. sqlservr.exe spawning cmd.exe and downloading PowerShell scripts).

A closer look showed that the threat actor initially executed the PowerTrash PowerShell script, seen in past attacks attributed to FIN7, that included a payload - the DiceLoader/Lizar backdoor, to be executed on the compromised machine.

DiceLoader, also tracked as Tirion, has also been linked to FIN7 malicious activity in the past. It is worth noting that more recent incidents attributed to this gang made use of a different backdoor that Mandiant researchers call PowerPlant.

WithSecure highlights that the names for the PowerShell scripts (icsnd16_64refl.ps1, icbt11801_64refl.ps1) seen in the attacks followed the naming convention previously reported for FIN7 files.

Neeraj Singh, a senior researcher at WithSecure, told BleepingComputer that DiceLoader and PowerTrash were not the only connections to FIN7 activity.

A PowerShell script (host_ip.ps1) for resolving IP addresses to hostnames and a custom one used for reconnaissance in the lateral movement stage of the attack are also known to be part of FIN7's toolkit.

Singh said that they also observed other technical overlaps with previous reports on activity attributed to FIN7. Some examples are command line execution patterns as well as file naming conventions.

Once they got access to the host, the hackers used their malware, various commands, and custom scripts to collect system and network information, as well as credentials from the Veeam backup database. 

Persistence for DiceLoader was achieved trough a custom PowerShell script called PowerHold, the researchers at WithSecure say, adding that the threat actor also attempted lateral movement using stolen credentials, testing their access with WMI invocations and ‘net share’ commands.

WithSecure reports that the attacker was successful in their lateral movement effort. Using the stolen credentials, the hackers relied on the SMB communication protocol to drop PowerShell scripts onto the target's administrative shares.

The ultimate objective of the threat actors in this campaign remains unclear, as the attacks were interrupted before planting or executing the final payload.

However, the researchers say that the intrusions may have ended with deploying ransomware if the attack chain completed successfully. Data theft could have been another potential consequence.

WithSecure recommends organizations that use Veeam Backup and Replication software heed the information they provided and use it to look for signs of compromise on their network.

Even if the exact method for invoking the initial shell commands remains unknown and evidence of exploiting of CVE-2023-27532 was not clear, companies should prioritize patching the vulnerability since other threat actors may try to leverage it.  

FIN7 is known for its partnership with various ransomware operations, including the ones ran by the infamous Conti syndicate, REvil, Maze, Egregor, and BlackBasta.

Recently, IBM researchers published a report about FIN7 teaming up with former Conti members to distribute a new malware strain called Domino that provides access to the compromised host and also allows planting a Cobalt Strike beacon for increased persistence.

The connection between Domino and FIN7 was based on massive code overlap with DiceLoader, IBM researchers note in their report.