Russian cybercrime group FIN7, also known as Anunak and Carbanak, has been found to be exploiting unpatched instances of Veeam Backup & Replication in recent attacks. FIN7 is primarily focused on credit card information theft and is believed to have numerous sub-groups operating under its umbrella.
The group has been active since at least 2015 and has been linked to other threat actors that have transitioned to ransomware, including REvil, DarkSide, BlackMatter, Alphv, and Black Basta.
WithSecure, a cybersecurity company, caught FIN7 attacks at the end of March 2023 that exploited internet-facing servers running Veeam Backup & Replication software to execute payloads on the compromised environment.
The cybersecurity firm observed a Veeam Backup process executing a shell command to download and execute a PowerShell script that turned out to be the Powertrash in-memory dropper known to be used by FIN7. The dropper was used to drop Diceloader, a backdoor that enables attackers to perform various post-exploitation operations and has been linked to FIN7 before.
WithSecure identified suspicious activity targeting the exploited Veeam backup instances days before payloads were dropped, likely to probe and identify vulnerable servers.
The threat actor was seen performing network reconnaissance, stealing information from the Veeam backup database, exfiltrating stored credentials, achieving persistence for the Diceloader backdoor, and moving laterally using the stolen credentials. WithSecure notes that they have so far identified two instances of such attacks conducted by FIN7, which were likely part of a larger campaign.
CVE-2023-27532 (CVSS score of 7.5) was disclosed and patched in early March. Successful exploitation of the bug allows an attacker to obtain encrypted credentials that are stored in the configuration database.
Veeam Backup & Replication versions 12 and 11a have been released to address the vulnerability, and organizations are advised to update their Backup & Replication instances as soon as possible. Vulnerabilities in Veeam’s product have been exploited in previous attacks.
