TechRadar
Sead Fadilpašić

Veeam vulnerability exploited to deploy malware via compromised VPN credentials

Hackers are abusing a vulnerability in a popular Veeam product to try and deploy ransomware against their targets.

Cybersecurity researchers from Sophos detailed their findings on Infosec Exchange, noting that crooks are using a combination of compromised credentials and vulnerability abuse to deploy the Fog and Akira ransomware strains.

First, they would go after VPN gateways with poor passwords and no multi-factor authentication (MFA) set up. Some of these VPNs were even running unsupported software versions, it was said. After that, they would exploit a vulnerability in Veeam Backup & Replication (VBR), tracked as CVE-2024-40711, which allows them to create a local account.

Akira and Fog

CVE-2024-40711 is a critical vulnerability that allows unauthenticated remote code execution (RCE) via deserialization of untrusted data. By sending a malicious payload to the app, threat actors can be granted arbitrary code execution abilities without authentication. It has a severity score of 9.8 (critical). Veeam released a fix for this flaw in version 12.2 (build 12.2.0.334), which was pushed in September 2024. The vulnerability affected previous versions of VBR, particularly version 12.1.2.172 and earlier.

Admins were advised to upgrade to the latest version to mitigate the risk of exploitation.
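The following is an added example, not code from the article, Sophos or Veeam: a small check that classifies a Veeam Backup & Replication build string against the two build numbers quoted above (affected up to 12.1.2.172, fixed in 12.2.0.334), comparing the parts numerically so that a build like 12.10.x is not mistaken for an old one. The function names are hypothetical, and treating builds that fall between those two numbers as merely "unpatched" is an assumption, since the article does not state their status.

```python
# Added example (not from the TechRadar article or Veeam): classify a Veeam
# Backup & Replication build against the CVE-2024-40711 figures quoted above.
from typing import Tuple

AFFECTED_MAX = "12.1.2.172"   # "version 12.1.2.172 and earlier" per the article
FIXED_BUILD = "12.2.0.334"    # fix shipped in 12.2 (build 12.2.0.334)


def parse_build(version: str) -> Tuple[int, ...]:
    """Turn '12.1.2.172' into (12, 1, 2, 172), padding to four parts so that
    a short string such as '12.2' compares as 12.2.0.0. Numeric tuples avoid
    the string-comparison trap where '12.10' sorts before '12.2'."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric build: {version!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (4 - len(nums))


def classify_vbr_build(version: str) -> str:
    """Return 'affected', 'unpatched' or 'fixed' for a VBR build string."""
    build = parse_build(version)
    if build >= parse_build(FIXED_BUILD):
        return "fixed"
    if build <= parse_build(AFFECTED_MAX):
        return "affected"
    # Between the last build the article names as affected and the fixed
    # build: the article gives no status, so report it only as pre-fix
    # (assumption made for this example).
    return "unpatched"


if __name__ == "__main__":
    # Constructed sample inputs, including a short string and a 12.10 build.
    for v in ("12.1.2.172", "12.1.1.56", "12.2.0.334", "12.2", "12.10.0.1"):
        print(f"{v:>12} -> {classify_vbr_build(v)}")
```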

After creating a local account, the crooks would try to deploy either Fog or Akira ransomware. In total, Sophos’ researchers have observed four attack attempts so far.

“These cases underline the importance of patching known vulnerabilities, updating/replacing out-of-support VPNs, and using multifactor authentication to control remote access. Sophos X-Ops continues to track this threat behavior.”

Despite having only a handful of recorded attack attempts, the news was big enough to warrant an advisory from NHS England. As reported by The Hacker News, the advisory stressed that enterprise backup and disaster recovery applications were “valuable targets” for cybercriminals everywhere.

Via The Hacker News
