Veeam Backup Software Vulnerability Found Exploited by New Ransomware Group

admin · 11 July 2024, 11:29:33 · 23 views · 4,791 characters · reading time 15 min 58 s


A now-patched security flaw in Veeam Backup & Replication is being exploited by a nascent ransomware operation known as EstateRansomware.

Singapore-headquartered Group-IB, which discovered the threat actor in early April 2024, said the modus operandi involved the exploitation of CVE-2023-27532 (CVSS score: 7.5) to carry out the malicious activities.

Initial access to the target environment is said to have been obtained through a Fortinet FortiGate firewall SSL VPN appliance, using a dormant account.

"The threat actor pivoted laterally from the FortiGate Firewall through the SSL VPN service to access the failover server," security researcher Yeo Zi Wei said in an analysis published today.

"Before the ransomware attack, there were VPN brute-force attempts noted in April 2024 using a dormant account identified as 'Acc1.' Several days later, a successful VPN login using 'Acc1' was traced back to the remote IP address 149.28.106[.]252."
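The sequence in that quote, a burst of failed VPN logins against a long-unused account followed days later by a success, is a detectable pattern. The following Python is an added example, not code from the article or from Group-IB: it runs one rule over constructed SSL VPN authentication log lines in an assumed key=value layout, and checks each hit against an assumed directory of every account's last successful login so that a dormant account is called out explicitly. The field names, accounts, IP addresses and timestamps are all constructed.

```python
"""Detect a brute-forced dormant VPN account that later logs in successfully.

Added example, not code from the article or Group-IB. It runs one rule over
constructed SSL VPN authentication log lines in an assumed key=value format;
the field names, accounts, IPs, timestamps and the last-login directory are
all constructed for the demonstration.
"""
import re
from datetime import datetime, timedelta

# Constructed sample lines (assumed format; not real FortiGate telemetry).
SAMPLE_LOGS = """\
date=2024-04-02 time=03:10:01 action=login-fail user="Acc1" remip=203.0.113.10
date=2024-04-02 time=03:10:05 action=login-fail user="Acc1" remip=203.0.113.10
date=2024-04-02 time=03:10:09 action=login-fail user="Acc1" remip=203.0.113.10
date=2024-04-02 time=03:10:14 action=login-fail user="Acc1" remip=203.0.113.11
date=2024-04-02 time=03:10:20 action=login-fail user="Acc1" remip=203.0.113.11
date=2024-04-02 time=03:10:27 action=login-fail user="Acc1" remip=203.0.113.11
date=2024-04-02 time=08:00:00 action=login-fail user="jsmith" remip=192.0.2.44
date=2024-04-02 time=08:00:30 action=login-success user="jsmith" remip=192.0.2.44
date=2024-04-05 time=22:41:03 action=login-success user="Acc1" remip=198.51.100.7
""".splitlines()

# Constructed directory of each account's last successful VPN login before the
# period under review; in practice this comes from the identity system.
LAST_SEEN = {
    "Acc1": datetime(2023, 9, 1, 10, 0, 0),    # untouched for months: dormant
    "jsmith": datetime(2024, 4, 1, 9, 15, 0),
}

LOG_RE = re.compile(
    r'date=(\S+) time=(\S+) action=(\S+) user="([^"]+)" remip=(\S+)'
)


def parse_events(lines):
    """Return (timestamp, action, user, ip) tuples sorted by time."""
    events = []
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            d, t, action, user, ip = m.groups()
            events.append((datetime.fromisoformat(f"{d}T{t}"), action, user, ip))
    return sorted(events)


def find_bruteforce_then_success(lines, last_seen, fail_threshold=5,
                                 lookback=timedelta(days=7),
                                 dormant_after=timedelta(days=90)):
    """Flag successful logins preceded by at least `fail_threshold` failures
    for the same account within `lookback`, and record whether the account
    was dormant (no successful login for `dormant_after` before the burst)."""
    events = parse_events(lines)
    findings = []
    for i, (ts, action, user, ip) in enumerate(events):
        if action != "login-success":
            continue
        fails = [e for e in events[:i]
                 if e[2] == user and e[1] == "login-fail" and ts - e[0] <= lookback]
        if len(fails) < fail_threshold:
            continue
        prev = last_seen.get(user)
        dormant = prev is None or fails[0][0] - prev >= dormant_after
        findings.append({
            "user": user,
            "success_at": ts.isoformat(),
            "success_ip": ip,
            "failures": len(fails),
            "failure_ips": sorted({e[3] for e in fails}),
            "dormant_account": dormant,
        })
    return findings


if __name__ == "__main__":
    for finding in find_bruteforce_then_success(SAMPLE_LOGS, LAST_SEEN):
        print(finding)
```

The thresholds are deliberately loose: an account that has not authenticated for months, is hammered with failures and then succeeds from a new address deserves an alert whether or not the burst ever crossed the appliance's own lockout threshold. The last-seen directory would normally be fed from the identity provider or the VPN appliance's login history rather than hard-coded.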

Next, the threat actors established RDP connections from the firewall to the failover server and deployed a persistent backdoor named "svchost.exe" that is executed daily through a scheduled task.

Subsequent access to the network was accomplished through the backdoor in order to evade detection. Its primary function is to connect to a command-and-control (C2) server over HTTP and execute arbitrary commands issued by the attacker.
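A backdoor named after a core Windows binary and launched daily by a scheduled task is a masquerading pattern that can be caught by auditing task definitions. The Python below is an added example, not code from the article or Group-IB: it inspects constructed task records (name, command path, arguments, trigger, run-as account) of the shape an exported task definition provides, expands the common %SystemRoot% and %windir% variables, and flags any task whose executable carries a system-binary name but does not live in the Windows system directories. The task names and paths are assumptions.

```python
"""Audit scheduled tasks for executables masquerading as Windows system binaries.

Added example, not code from the article or Group-IB. The task records below
are constructed to resemble the fields of an exported task definition; their
names, paths and accounts are assumptions for the demonstration.
"""
import ntpath

# Binaries that legitimately run only from the Windows system directories.
SYSTEM_BINARY_NAMES = {
    "svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
    "services.exe", "smss.exe", "wininit.exe",
}
LEGIT_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Constructed task records (not real telemetry).
TASKS = [
    {"name": r"\Microsoft\Windows\Diagnosis\Scheduled",
     "command": r"%SystemRoot%\System32\svchost.exe", "args": "-k netsvcs",
     "trigger": "Daily", "run_as": "SYSTEM"},
    {"name": r"\Backup\NightlyCopy",
     "command": r"C:\Program Files\BackupTool\copyjob.exe", "args": "",
     "trigger": "Daily", "run_as": r"CORP\svc_backup"},
    {"name": r"\Updater",
     "command": r"C:\Users\Public\svchost.exe", "args": "",
     "trigger": "Daily", "run_as": "SYSTEM"},
    {"name": r"\Maintenance",
     "command": r'"C:\ProgramData\svchost.exe"', "args": "-k",
     "trigger": "Daily", "run_as": "SYSTEM"},
    # Bare name: resolved from the task's working directory, not System32.
    {"name": r"\Cleanup",
     "command": "lsass.exe", "args": "",
     "trigger": "AtLogon", "run_as": "SYSTEM"},
]


def normalize_path(command):
    """Lower-case, strip surrounding quotes and expand the system-root variables."""
    p = command.strip().strip('"').lower()
    for var in ("%systemroot%", "%windir%"):
        p = p.replace(var, r"c:\windows")
    return p


def masquerade_reason(command):
    """Return a reason string if the command masquerades as a system binary,
    otherwise None."""
    p = normalize_path(command)
    name = ntpath.basename(p)
    if name not in SYSTEM_BINARY_NAMES:
        return None
    directory = ntpath.dirname(p)
    if directory in LEGIT_DIRS:
        return None
    if directory == "":
        return f"{name} referenced without a path; resolved from the task's working directory"
    return f"{name} runs from non-system directory {directory}"


def audit_tasks(tasks):
    """Return (task name, reason) for every task whose action masquerades."""
    findings = []
    for task in tasks:
        reason = masquerade_reason(task["command"])
        if reason:
            findings.append((task["name"], reason))
    return findings


if __name__ == "__main__":
    for name, reason in audit_tasks(TASKS):
        print(f"{name}: {reason}")
```

The same check applies to services and Run keys; the shared idea is that a name from the system-binary list outside System32 or SysWOW64 is never legitimate, so the rule needs no allow-list tuning beyond the two directories. The backdoor's HTTP beaconing is a separate, network-side detection and is not covered here.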

Group-IB said it observed the actor exploiting the Veeam flaw CVE-2023-27532 to enable xp_cmdshell on the backup server and create a rogue user account named "VeeamBkp", then conducting network discovery, enumeration, and credential-harvesting activities with tools such as NetScan, AdFind, and NitSoft using the newly created account.

"This exploitation potentially involved an attack originating from the VeeamHax folder on the file server against the vulnerable version of Veeam Backup & Replication software installed on the backup server," Zi Wei hypothesized.

"This activity facilitated the activation of the xp_cmdshell stored procedure and subsequent creation of the 'VeeamBkp' account."


The attack culminated in the deployment of the ransomware, but not before the actor took steps to impair defenses and moved laterally from the AD server to all other servers and workstations using compromised domain accounts.

"Windows Defender was permanently disabled using DC.exe [Defender Control], followed by ransomware deployment and execution with PsExec.exe," Group-IB said.
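Two steps in the chain described above, enabling xp_cmdshell shortly before the "VeeamBkp" account was created and disabling Defender before the ransomware was pushed with PsExec, are each a pair of events on one host within a short window, which is exactly what a simple sequence correlation catches. The Python below is an added example, not code from the article or Group-IB: it defines both pairs as rules and runs them over constructed, normalized event records (SQL Server audit statements, Windows Security event 4720, Defender event 5001 and System event 7045, which are the real IDs for account creation, real-time protection disabled and service installation). Host names, timestamps and account names are constructed.

```python
"""Correlate paired attack-chain events on one host into alerts.

Added example, not code from the article or Group-IB. The events below are
constructed, normalized records; hosts, times and names are assumptions.
Event IDs 4720 (user account created), 5001 (Defender real-time protection
disabled) and 7045 (service installed) are the real Windows IDs.
"""
import re
from datetime import datetime, timedelta

# Matches the T-SQL that turns the xp_cmdshell stored procedure on.
XP_CMDSHELL_ON = re.compile(r"sp_configure\s+'xp_cmdshell'\s*,\s*1", re.IGNORECASE)

# Constructed event records (not real telemetry).
EVENTS = [
    {"ts": "2024-04-09T21:02:10", "host": "BACKUP01", "source": "sqlaudit",
     "statement": "EXEC sp_configure 'show advanced options', 1; RECONFIGURE;"},
    {"ts": "2024-04-09T21:02:12", "host": "BACKUP01", "source": "sqlaudit",
     "statement": "EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;"},
    {"ts": "2024-04-09T21:03:40", "host": "BACKUP01", "source": "security",
     "event_id": 4720, "target_user": "VeeamBkp"},
    # Benign account creation elsewhere, with no xp_cmdshell change before it.
    {"ts": "2024-04-10T09:15:00", "host": "FILESRV", "source": "security",
     "event_id": 4720, "target_user": "svc_reports"},
    {"ts": "2024-04-11T02:30:05", "host": "WKS-17", "source": "defender",
     "event_id": 5001},
    {"ts": "2024-04-11T02:31:20", "host": "WKS-17", "source": "system",
     "event_id": 7045, "service_name": "PSEXESVC"},
    # PsExec on a host whose Defender state did not change: not this rule's job.
    {"ts": "2024-04-11T02:31:25", "host": "WKS-22", "source": "system",
     "event_id": 7045, "service_name": "PSEXESVC"},
]


def is_xp_cmdshell_enable(e):
    return e.get("source") == "sqlaudit" and bool(XP_CMDSHELL_ON.search(e.get("statement", "")))


def is_account_created(e):
    return e.get("source") == "security" and e.get("event_id") == 4720


def is_defender_rtp_disabled(e):
    return e.get("source") == "defender" and e.get("event_id") == 5001


def is_psexec_service_installed(e):
    return (e.get("source") == "system" and e.get("event_id") == 7045
            and e.get("service_name", "").upper() == "PSEXESVC")


# (rule name, trigger predicate, follow-on predicate, maximum gap)
RULES = [
    ("xp_cmdshell enabled then local account created",
     is_xp_cmdshell_enable, is_account_created, timedelta(minutes=30)),
    ("Defender real-time protection disabled then PsExec service installed",
     is_defender_rtp_disabled, is_psexec_service_installed, timedelta(hours=1)),
]


def correlate(events, rules=RULES):
    """For each follow-on event, look back for a trigger on the same host within
    the rule's window and emit one alert per (rule, follow-on event)."""
    evs = sorted(events, key=lambda e: e["ts"])
    alerts = []
    for i, e in enumerate(evs):
        t = datetime.fromisoformat(e["ts"])
        for name, trigger, follow, window in rules:
            if not follow(e):
                continue
            for prior in reversed(evs[:i]):          # nearest trigger first
                if prior["host"] != e["host"] or not trigger(prior):
                    continue
                if t - datetime.fromisoformat(prior["ts"]) <= window:
                    alerts.append({
                        "rule": name, "host": e["host"],
                        "trigger_at": prior["ts"], "follow_at": e["ts"],
                        "detail": e.get("target_user") or e.get("service_name"),
                    })
                    break
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

Both rules fire only on the second event of the pair, so a lone 4720 or a lone PSEXESVC installation (which administrators produce legitimately) stays quiet; the combination on the same host within minutes is what separates the two incidents described above from routine activity. On a real backup server, enabling xp_cmdshell at all is worth an alert on its own, since Veeam does not require it.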

The disclosure comes as Cisco Talos revealed that most ransomware gangs prioritize establishing initial access through security flaws in public-facing applications, phishing attachments, or compromised valid accounts, and circumventing defenses in their attack chains.

The double-extortion model of exfiltrating data before encrypting files has further given rise to custom tools developed by the actors (e.g., Exmatter, Exbyte, and StealBit) to send confidential information to adversary-controlled infrastructure.

This requires these e-crime groups to establish long-term access so they can explore the environment: understand the network's structure, locate resources that can support the attack, elevate their privileges or help them blend in, and identify valuable data that can be stolen.

"Over the past year, we have witnessed major shifts in the ransomware space with the emergence of multiple new ransomware groups, each exhibiting unique goals, operational structures and victimology," Talos said.

"The diversification highlights a shift toward more boutique-targeted cybercriminal activities, as groups such as Hunters International, Cactus and Akira carve out specific niches, focusing on distinct operational goals and stylistic choices to differentiate themselves."

References

[1] https://thehackernews.com/2024/07/new-ransomware-group-exploiting-veeam.html


Originally published by the WeChat public account 知机安全: Veeam Backup Software Vulnerability Found Exploited by New Ransomware Group

Disclaimer: the programs (methods) discussed in this article may be offensive in nature and are provided solely for security research and teaching. Readers who use this information for any other purpose bear full legal and joint liability; this site bears no legal or joint liability. For questions, contact us by email (preferably from a corporate or otherwise valid mailbox so the message is not blocked; contact details are on the home page).
Posted by admin on 11 July 2024, 11:29:33. When reproducing, please retain the link to this article (CN-SEC Chinese Network; thanks to the original author for their work): Veeam Backup Software Vulnerability Found Exploited by New Ransomware Group, https://cn-sec.com/archives/2941771.html
