- Veeam disclosed a new flaw in its Backup and Replication servers, and it is already exploited by threat actors.
- Two ransomware gangs were seen abusing the now-patched flaw that allows remote code execution.
- Unauthenticated third parties could exploit the vulnerability, which is attributed to a deserialization of untrusted data weakness.
Ransomware gangs are actively exploiting a critical security vulnerability in Veeam Backup & Replication (VBR) servers, enabling remote code execution (RCE), according to recent security reports.
This vulnerability, identified as CVE-2024-40711, poses a significant threat to organizations utilizing Veeam's data protection solutions and has been exploited in Akira and Fog ransomware attacks.
The flaw was discovered by Florian Hauser, a security researcher at Code White, and was attributed to a deserialization of untrusted data weakness. The vulnerability allows unauthenticated threat actors to conduct low-complexity attacks, potentially compromising backup data.
Following Veeam's disclosure and release of updates on September 4, watchTowr Labs published a detailed technical analysis on September 9 and withheld its proof-of-concept exploit until September 15.
Attackers initially access targets via compromised VPN gateways lacking multifactor authentication. Vulnerable systems include those running unsupported software versions and unprotected Hyper-V servers.
In one case, Fog ransomware was deployed on a Hyper-V server with subsequent data exfiltration using the utility rclone. Similar tactics were observed in attempts to deploy Akira ransomware.
Akira ransomware targeted businesses and critical infrastructure entities in North America, Europe, and Australia, impacting over 250 organizations and claiming approximately $42 million in ransomware proceeds as of January 1, 2024. Fog ransomware has been heavily targeting higher education institutions in the US by exploiting compromised VPNs.
Before this, the most recent Veeam exploit was seen in July and involved a novel ransomware operation known as EstateRansomware, which abused a now-patched vulnerability in the Veeam Backup & Replication software that allowed unauthorized third parties to obtain encrypted credentials stored in the configuration database.
Written by ODD Balls