EstateRansomware exploits Veeam vulnerability for attacks
A newly patched security vulnerability in Veeam Backup & Replication software is being exploited by the emerging ransomware group, EstateRansomware.
In an intrusion Group-IB discovered in early April 2024, the attackers leveraged CVE-2023-27532 (CVSS score: 7.5) to carry out malicious activity. Initial access was gained through a Fortinet FortiGate firewall SSL VPN using a dormant account. The attackers then moved laterally through the network, established a backdoor for persistent access and connected to a command-and-control server. They exploited the Veeam flaw to execute remote commands on the backup server, created a rogue user account “VeeamBkp”, and carried out network discovery and credential harvesting.
The attack culminated in deploying ransomware after disabling Windows Defender and moving laterally across servers and workstations. Cisco Talos highlighted that ransomware groups often exploit security flaws in public-facing applications, use phishing, or breach valid accounts to establish initial access. They employ a double extortion model, exfiltrating data before encrypting files, and use custom tools for data theft. The ransomware landscape has seen the emergence of new groups with distinct operational goals, underscoring a shift towards more specialized cybercriminal activities.

To respond to these exposures, companies must pay special attention and adopt modern security measures: implementing a multi-layer security framework, conducting regular backups, and monitoring network traffic for any suspicious activity. It is also crucial to keep all software and systems up to date with the latest updates.
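Detection logic for the chain described above (a dormant VPN account logging in, a rogue “VeeamBkp” account created and then used on the backup server, Windows Defender real-time protection disabled), as an added example that is not Group-IB's, Cisco Talos's or Veeam's own code. The key=value log format, host names, the svc_legacy account, the last-seen table and the 90-day dormancy threshold are constructed assumptions; the Windows event IDs 4720, 4624 and Defender 5001 are real.

```python
"""Alert on the EstateRansomware-style indicators from the article.

Constructed sample logs in a simplified key=value form (not a real Windows
event export). Event IDs: 4720 = user account created, 4624 = successful
logon, Windows Defender 5001 = real-time protection disabled.
"""
from datetime import datetime, timedelta

DORMANT_DAYS = 90          # assumption: unused this long counts as dormant
NEW_ACCOUNT_WINDOW = timedelta(hours=1)  # logon this soon after creation is suspicious

# Constructed events mirroring the article's chain (VPN login, rogue account, Defender off).
SAMPLE_EVENTS = [
    "ts=2024-04-02T01:12:00 host=fw-vpn source=fortigate event=sslvpn_login user=svc_legacy",
    "ts=2024-04-02T02:30:00 host=VEEAM-BKP source=Security event_id=4720 target=VeeamBkp subject=SYSTEM",
    "ts=2024-04-02T02:31:00 host=VEEAM-BKP source=Security event_id=4624 target=VeeamBkp logon_type=3",
    "ts=2024-04-02T03:05:00 host=FS01 source=Defender event_id=5001",
]

# Constructed last-seen table (e.g. from VPN accounting); svc_legacy has been idle since 2023.
LAST_SEEN = {"svc_legacy": datetime(2023, 10, 1), "jdoe": datetime(2024, 3, 30)}


def parse(line):
    """Turn one key=value line into a dict (values may contain '=')."""
    return dict(kv.split("=", 1) for kv in line.split())


def detect(lines, last_seen=LAST_SEEN):
    """Return (rule, host, detail) tuples for events worth alerting on."""
    alerts = []
    created = {}  # account -> creation time, for the created-then-used correlation
    for line in lines:
        e = parse(line)
        ts = datetime.fromisoformat(e["ts"])
        if e.get("event") == "sslvpn_login":
            seen = last_seen.get(e["user"])
            if seen is None or ts - seen > timedelta(days=DORMANT_DAYS):
                alerts.append(("dormant-vpn-account", e["host"], e["user"]))
        elif e.get("event_id") == "4720":
            created[e["target"]] = ts
            if "veeam" in e["target"].lower():
                # A new local account named after the backup product is the article's IoC
                alerts.append(("rogue-backup-account", e["host"], e["target"]))
        elif e.get("event_id") == "4624" and e["target"] in created \
                and ts - created[e["target"]] <= NEW_ACCOUNT_WINDOW:
            alerts.append(("new-account-logon", e["host"], e["target"]))
        elif e.get("event_id") == "5001":
            alerts.append(("defender-realtime-disabled", e["host"], e["source"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(*alert)
```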