Hackers are actively exploiting a critical vulnerability in Veeam Backup & Replication software, designated as CVE-2024-40711, which allows for unauthenticated remote code execution (RCE). Reported by Florian Hauser from CODE WHITE GmbH, this vulnerability has become a significant security concern as it enables attackers to gain unauthorized access to systems and deploy ransomware. The situation is being closely monitored by Sophos X-Ops Managed Detection and Response (MDR) teams, who have observed multiple attacks leveraging this vulnerability in recent weeks.
In a series of attacks, hackers have compromised systems using stolen credentials, particularly targeting VPN gateways that lack multi-factor authentication. Some of these gateways were running outdated software versions, making them easy targets. Once inside, the attackers exploited the Veeam vulnerability by invoking the Veeam.Backup.MountService.exe on a specific URI, which allowed them to create unauthorized accounts with administrative privileges. This critical access enabled them to deploy ransomware effectively, such as Fog ransomware on Hyper-V servers.
One notable incident involved the attackers using the rclone utility to exfiltrate sensitive data while simultaneously deploying ransomware. Sophos has been able to thwart some of these attacks with their endpoint protection and MDR services, but the incidents underscore the need for robust cybersecurity measures. Organizations must prioritize patching known vulnerabilities, updating unsupported software, and implementing multi-factor authentication to enhance their defenses against such attacks.
In response to the situation, Veeam has released an update (VBR version 12.2.0.334) that addresses the CVE-2024-40711 vulnerability. Administrators are strongly urged to apply this patch immediately to protect their systems from exploitation. The exploitation of this vulnerability highlights the pressing need for proactive defense strategies, including timely software updates, stringent security protocols, and continuous monitoring of potential threats. Enterprises relying on Veeam Backup & Replication must take these steps to safeguard their systems and sensitive data from increasingly sophisticated cyber threats.
