A critical vulnerability, tracked as CVE-2023-27532, in Veeam Backup & Replication has been exploited by multiple ransomware groups. The flaw, with a CVSS score of 7.5, allows attackers to obtain encrypted credentials from the configuration database, potentially giving them access to backup infrastructure hosts. Although the vulnerability was patched in March 2023, a public proof-of-concept (PoC) exploit code soon emerged, leading to its active exploitation by various threat actors.
Among the groups exploiting this vulnerability, the Russian cybercrime group FIN7 was observed using it since April 2023. In June 2024, the Akira ransomware, linked to the Storm-1567 group, was deployed against a Latin American airline. The attackers gained initial access via the Secure Shell (SSH) protocol, exfiltrated critical data, and then deployed Akira ransomware using legitimate tools and Living off-the-Land Binaries and Scripts (LOLBAS) for persistence.
During this attack, the intruders exploited the unpatched Veeam Backup & Replication server using a publicly available exploit. They created a user with administrative privileges, used network management tools for local scanning, and harvested data by accessing and compressing files from the Veeam backup folder. The entire operation, from initial access to data exfiltration, was completed in just 133 minutes.
Group-IB researchers also reported that the EstateRansomware gang utilized the same PoC exploit code to target the CVE-2023-27532 vulnerability in April 2024. The rapid deployment of ransomware and data exfiltration by these groups highlights the critical need for timely updates and robust security measures to protect against such vulnerabilities.