Threat actors have exploited a recently disclosed critical vulnerability in Veeam Backup & Replication to deploy Akira and Fog ransomware. The flaw, tracked as CVE-2024-40711, carries a Common Vulnerability Scoring System (CVSS) score of 9.8 out of 10.0. Veeam fixed it in Backup & Replication version 12.2, released in early September 2024.
Florian Hauser, a security researcher at the German firm CODE WHITE, discovered the vulnerability and reported it to Veeam. Announcing the find, CODE WHITE urged immediate patching: “Better patch your Veeam Backup & Replication servers! Full system takeover via CVE-2024-40711, discovered by our very own @frycos—no technical details from us this time because this might instantly be abused by ransomware gangs.”
Exploitation is already under way. In one attack attributed to the Fog ransomware group, the attackers deployed the ransomware on an unprotected Hyper-V server and, during the same intrusion, used the rclone utility to exfiltrate data.
Other ransomware deployment attempts reportedly failed. Every attempted exploit picked up by Sophos endpoint detection followed the same pattern: the attackers first gained access through compromised VPN gateways that lacked multi-factor authentication (MFA), then exploited Veeam on TCP port 8000, which is commonly exposed. Successful exploitation causes Veeam.Backup.MountService.exe to launch net.exe, which creates a local account named “point” and adds it to the local Administrators and Remote Desktop Users groups. That parent-child process relationship and the account-creation commands are the most concrete detection opportunities the attack offers.
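The process chain above (the Veeam mount service spawning net.exe, followed by `net user ... /add` and `net localgroup ... /add`) is straightforward to hunt for in process-creation telemetry. The following is an added example written for this page, not code from Sophos, Veeam or the article; the events it runs over are constructed to resemble Sysmon Event ID 1 records, and the paths and account names in them are hypothetical.

```python
"""Hunt over process-creation telemetry for the chain described above:
Veeam.Backup.MountService.exe launching net.exe to create a local account and
add it to Administrators / Remote Desktop Users. Added example; the events
below are constructed to resemble Sysmon Event ID 1 records, not real logs."""
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional

VEEAM_PARENT = "veeam.backup.mountservice.exe"
SUSPICIOUS_CHILDREN = {"net.exe", "net1.exe", "cmd.exe", "powershell.exe"}
PRIVILEGED_GROUPS = {"administrators", "remote desktop users"}

# Constructed sample telemetry (hypothetical install path and account names).
VEEAM_SVC = r"C:\Program Files\Veeam\Backup and Replication\Backup\Veeam.Backup.MountService.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "ParentImage": VEEAM_SVC, "Image": r"C:\Windows\System32\net.exe",
     "CommandLine": "net user point P@ssw0rd123 /add"},
    {"EventID": 1, "ParentImage": VEEAM_SVC, "Image": r"C:\Windows\System32\net.exe",
     "CommandLine": "net localgroup Administrators point /add"},
    {"EventID": 1, "ParentImage": VEEAM_SVC, "Image": r"C:\Windows\System32\net.exe",
     "CommandLine": 'net localgroup "Remote Desktop Users" point /ADD'},
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd /c whoami"},  # benign: no Veeam parent, no net.exe
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Windows\System32\net.exe",
     "CommandLine": r'"C:\Windows\System32\net.exe" user svc_backup /add'},  # account created, never elevated
]


@dataclass(frozen=True)
class Finding:
    rule: str
    account: Optional[str]
    detail: str


def _basename(path: str) -> str:
    # ntpath handles Windows separators regardless of the host OS.
    return ntpath.basename(path).lower()


def _tokens(cmdline: str) -> List[str]:
    # Split on whitespace but keep quoted arguments such as "Remote Desktop Users" whole.
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def _net_command(tokens: List[str]):
    """Return (subcommand, args) when the command line runs net.exe / net1.exe, else (None, [])."""
    if not tokens or _basename(tokens[0]) not in {"net", "net.exe", "net1", "net1.exe"}:
        return None, []
    return (tokens[1].lower() if len(tokens) > 1 else None), tokens[2:]


def analyze(events) -> List[Finding]:
    findings: List[Finding] = []
    for ev in events:
        if ev.get("EventID") != 1:
            continue
        parent, child = _basename(ev.get("ParentImage", "")), _basename(ev.get("Image", ""))
        cmd = ev.get("CommandLine", "")
        # Rule 1: the backup mount service has no business spawning net.exe or a shell.
        if parent == VEEAM_PARENT and child in SUSPICIOUS_CHILDREN:
            findings.append(Finding("veeam_mountservice_spawned_child", None, f"{parent} -> {child}: {cmd}"))
        # Rule 2: local account creation or privileged group membership via net.exe, any parent.
        verb, args = _net_command(_tokens(cmd))
        flags = {a.lower() for a in args}
        if verb == "user" and "/add" in flags and args:
            findings.append(Finding("local_account_created", args[0], cmd))
        elif verb == "localgroup" and "/add" in flags and len(args) >= 2 and args[0].lower() in PRIVILEGED_GROUPS:
            findings.append(Finding("privileged_group_membership_added", args[1], cmd))
    return findings


def takeover_accounts(findings: List[Finding]) -> List[str]:
    """Accounts that were both created and placed in a privileged group: the 'point' pattern."""
    created = {f.account.lower() for f in findings if f.rule == "local_account_created"}
    elevated = {f.account.lower() for f in findings if f.rule == "privileged_group_membership_added"}
    return sorted(created & elevated)


if __name__ == "__main__":
    results = analyze(SAMPLE_EVENTS)
    for f in results:
        print(f"[{f.rule}] account={f.account} :: {f.detail}")
    print("takeover accounts:", takeover_accounts(results))
```

Rule 1 alone is the high-confidence signal: a backup service process spawning net.exe is abnormal on its own. Rule 2 fires on routine administration too (the constructed `svc_backup` event shows this), so it is best used to corroborate rule 1 or to tie a created account to a later privilege grant, which is what `takeover_accounts` does.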
Veeam disclosed the vulnerability and released security updates on September 4, 2024. watchTowr Labs published a technical analysis of the vulnerabilities on September 9, 2024,
but held back proof-of-concept exploit code until September 15, 2024, to give administrators time to patch. Because Veeam's products are so widely deployed, they are a prime target for attackers seeking quick access to backup data, which makes timely remediation essential.
According to an advisory from Cyble, CVE-2024-40711 is only one of several vulnerabilities recently patched in Veeam products. Cyble's advisory, a round-up of the latest vulnerabilities and patches from various vendors, focuses on the following Veeam CVEs:
The affected products are Veeam Backup & Replication (widely used for data protection and disaster recovery), Veeam Agent for Linux, Veeam ONE (monitoring and analytics for backup operations), Veeam Service Provider Console, Veeam Backup for Nutanix AHV, and Veeam Backup for Oracle Linux Virtualization Manager and Red Hat Virtualization. Organizations running any of these products should patch them promptly.
CVE-2024-40711 is a remote code execution vulnerability (deserialization of untrusted data, CWE-502) that lets an unauthenticated attacker send a malicious payload and take over the server completely. Affected versions are Veeam Backup & Replication 12.1.2.172 and all earlier builds.
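Triage starts with knowing which servers are below the fix line. The script below is an added example written for this page, not Veeam tooling or the article's own material; it compares Backup & Replication version strings numerically (string comparison would sort 9.x above 12.x) and ranks a constructed inventory by whether the host is unpatched and whether its port 8000 is reachable from outside. The inventory, host names and field names are constructed for illustration.

```python
"""Rank a Backup & Replication inventory against the version line the article gives:
12.1.2.172 and earlier are affected, 12.2 carries the fix. Added example; the inventory
and its field names (host, version, port_8000_exposed) are constructed."""
import re
from typing import Dict, List, Tuple

FIRST_FIXED = (12, 2, 0, 0)      # fix shipped in Backup & Replication 12.2 (article)
LAST_AFFECTED = (12, 1, 2, 172)  # "12.1.2.172 and all earlier versions" (article)

# Constructed inventory; build numbers are illustrative.
INVENTORY: List[Dict] = [
    {"host": "bkp-us-01", "version": "12.1.2.172", "port_8000_exposed": True},
    {"host": "bkp-eu-02", "version": "12.2.0.334", "port_8000_exposed": True},   # a 12.2 build
    {"host": "bkp-dc-03", "version": "12.0.0.1420", "port_8000_exposed": False},
    {"host": "bkp-legacy-04", "version": "v11.0.1.1261", "port_8000_exposed": True},
]


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn '12.1.2.172', 'v12.2.0.334' or '12.1' into a comparable 4-tuple of ints."""
    nums = [int(n) for n in re.findall(r"\d+", text)]
    if not nums:
        raise ValueError(f"no version number in {text!r}")
    return tuple((nums + [0, 0, 0, 0])[:4])


def is_affected(version: str) -> bool:
    """Anything below the first fixed build is treated as affected; per the article that
    covers 12.1.2.172 and every earlier build."""
    v = parse_version(version)
    assert v <= LAST_AFFECTED or v >= FIRST_FIXED, "no builds are expected between the two lines"
    return v < FIRST_FIXED


def triage(inventory: List[Dict]) -> List[Dict]:
    """Rank hosts: unpatched and reachable on TCP 8000 from outside first, unpatched
    but internal next, patched last. Ties break on host name for stable output."""
    ranked = []
    for host in inventory:
        affected = is_affected(host["version"])
        if affected and host.get("port_8000_exposed", False):
            priority, action = 0, "patch now and restrict port 8000"
        elif affected:
            priority, action = 1, "patch in the next maintenance window"
        else:
            priority, action = 2, "patched"
        ranked.append({"host": host["host"], "version": host["version"],
                       "priority": priority, "action": action})
    return sorted(ranked, key=lambda r: (r["priority"], r["host"]))


if __name__ == "__main__":
    for row in triage(INVENTORY):
        print(f"{row['priority']}  {row['host']:<14} {row['version']:<12} {row['action']}")
```

The exposure flag is the part a real deployment has to supply from its own data (firewall rules, an external scan, or the ODIN-style counts mentioned later in this article); the version comparison is the part that is easy to get wrong by hand.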
Cyble's ODIN scanner identified some 2,466 internet-exposed Veeam Backup & Replication instances, most of them in the United States.
CVE-2024-40711 is not an isolated case. On March 7, 2023, Veeam patched CVE-2023-27532, a high-severity flaw that let an unauthenticated attacker on the backup network retrieve encrypted credentials from the Backup & Replication configuration database. That bug was later exploited in attacks linked to FIN7, a financially motivated group with ties to ransomware operations including Conti, REvil, Maze, Egregor, and Black Basta.
Several mitigations and recommendations apply to the vulnerabilities in Veeam products:
Veeam's products are used by more than 550,000 customers worldwide, including 74% of the Global 2000, which makes an unpatched deployment a high-value target. Organizations running Backup & Replication should apply the patches without delay and harden the surrounding infrastructure, in particular by enforcing MFA on VPN access and not exposing port 8000, to reduce their exposure to ransomware.