Hackers are exploiting a critical vulnerability in Veeam Backup & Replication software (CVE-2024-40711) to deploy a newly discovered ransomware strain named “Frag.” This vulnerability, rated 9.8 on the CVSS severity scale, enables unauthenticated remote code execution, allowing attackers to gain administrative access and execute malicious commands. Sophos X-Ops researchers recently identified the threat actors behind this campaign as STAC 5881, a group known for leveraging compromised VPN appliances to gain entry into target networks and then exploiting the Veeam vulnerability to create unauthorized administrator accounts.
STAC 5881 has previously deployed other ransomware variants, including Akira and Fog, targeting critical infrastructure. In this recent incident, Sophos researchers noted the deployment of Frag ransomware, a previously undocumented malware that appends the “.frag” extension to encrypted files. The ransomware is executed via command line and requires attackers to specify the percentage of each file to be encrypted, a tactic designed to increase the likelihood of ransom payment by limiting data recovery options. In addition to creating an unauthorized account named “point,” the attackers also created a “point2” account in this attack, highlighting their strategic use of rogue accounts for sustained access and control.
Frag ransomware shares many tactics, techniques, and procedures (TTPs) with Akira and Fog ransomware, suggesting possible links between the threat actors or the adoption of shared tools and methods. This targeted attack on Veeam Backup & Replication aligns with an ongoing trend of ransomware groups targeting backup solutions to increase the impact of their campaigns, preventing victims from easily restoring their data without paying a ransom.
Cybersecurity experts strongly recommend organizations using Veeam Backup & Replication apply the latest patches released in September 2024 to address this vulnerability. Additionally, they advise isolating backup systems from the internet, enforcing multi-factor authentication for administrative access, and implementing continuous monitoring for any suspicious activities. As attackers increasingly target backup systems, taking proactive security measures has become critical to safeguarding sensitive data against ransomware attacks.