EstateRansomware gang exploits vulnerability in Veeam backup software
Take action: This is equal parts advisory and awareness event. The attackers first found an unused account on the VPN gateway, completely unrelated to the Veeam system, but once inside the internal network they located the Veeam server and exploited its vulnerability. This is why it is wise not only to harden all internet-facing systems but also to patch internal ones: an attacker who gets in will eventually find them.
Learn More
EstateRansomware, a newly identified ransomware group, has been exploiting a vulnerability in Veeam Backup & Replication software, as reported by Group-IB, a Singapore-based cybersecurity firm.
The group exploits CVE-2023-27532 (CVSS score 7.5), which Veeam patched in March 2023; the flaw lets an unauthenticated attacker who can reach the backup server's service port retrieve the encrypted credentials stored in its configuration database. Initial access to the targeted environment was reportedly gained through a Fortinet FortiGate firewall SSL VPN appliance using a dormant account.
VPN brute-force attempts were observed in April 2024 against a dormant account named 'Acc1'. A successful VPN login with 'Acc1' was traced to the remote IP address 149.28.106[.]252. The threat actors then established RDP connections from the firewall to the failover server and deployed a persistent backdoor named 'svchost.exe' that runs daily through a scheduled task. The backdoor gave the attackers continued access to the network while evading detection.
The backdoor's primary function is to connect to a command-and-control (C2) server over HTTP and execute arbitrary commands issued by the attacker. The attackers then exploited CVE-2023-27532 against the Veeam backup server to enable xp_cmdshell (SQL Server's stored procedure for running operating-system commands) and create a rogue user account named 'VeeamBkp'.
Before deploying ransomware, the attackers impaired defenses and moved laterally from the Active Directory (AD) server to all other servers and workstations using compromised domain accounts. Windows Defender was permanently disabled with DC.exe (Defender Control), after which the ransomware was deployed and executed with PsExec.exe.
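The chain above is easier to hunt for once each step is written as a rule. The script below is an added example, not code from the article or from Group-IB: it runs six simple detections over constructed sample events that reproduce the sequence described (a burst of VPN failures followed by a success on a dormant account, a scheduled task launching 'svchost.exe' from outside C:\Windows, xp_cmdshell being enabled on the backup server, an account created there, and DC.exe/PsExec.exe execution). The event format is a simplified "timestamp key=value ..." line, not the real FortiGate or Windows schema, and the LAST_SEEN and BACKUP_SERVERS tables are assumed inventory data; only the 149.28.106.252 address comes from the article.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a simplified "timestamp key=value ..." format.
# This is NOT the real FortiGate or Windows event schema; it just reproduces
# the sequence described in the article so the rules below have data to match.
# The 149.28.106.252 address is the IOC quoted in the article.
SAMPLE_LOGS = """\
2024-04-02T01:10:03Z src=fortigate type=vpn action=login result=failure user=Acc1 srcip=149.28.106.252
2024-04-02T01:10:09Z src=fortigate type=vpn action=login result=failure user=Acc1 srcip=149.28.106.252
2024-04-02T01:10:15Z src=fortigate type=vpn action=login result=failure user=Acc1 srcip=149.28.106.252
2024-04-02T01:10:21Z src=fortigate type=vpn action=login result=failure user=Acc1 srcip=149.28.106.252
2024-04-02T01:10:27Z src=fortigate type=vpn action=login result=failure user=Acc1 srcip=149.28.106.252
2024-04-02T01:15:20Z src=fortigate type=vpn action=login result=success user=Acc1 srcip=149.28.106.252
2024-04-02T02:05:44Z src=windows host=FAILOVER01 type=schtask action=create task=Update image=C:\\Users\\Public\\svchost.exe trigger=daily
2024-04-02T02:06:00Z src=windows host=FAILOVER01 type=schtask action=create task=Maint image=C:\\Windows\\System32\\svchost.exe trigger=daily
2024-04-02T09:00:00Z src=fortigate type=vpn action=login result=success user=jsmith srcip=203.0.113.10
2024-04-03T03:12:10Z src=windows host=VEEAMBKP01 type=mssql action=sp_configure option=xp_cmdshell value=1
2024-04-03T03:13:02Z src=windows host=VEEAMBKP01 type=account action=create user=VeeamBkp
2024-04-04T00:20:31Z src=windows host=DC01 type=process image=C:\\Temp\\DC.exe
2024-04-04T00:25:00Z src=windows host=DC01 type=process image=C:\\Temp\\PsExec.exe
"""

# Assumed environment knowledge a hunt would pull from inventory or IdP
# exports (hypothetical values for this example).
LAST_SEEN = {"Acc1": "2023-09-15T00:00:00Z", "jsmith": "2024-04-01T00:00:00Z"}
BACKUP_SERVERS = {"VEEAMBKP01"}
DORMANT_DAYS = 90
FAIL_THRESHOLD = 5
SYSTEM_BINARY_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "services.exe"}
DEFENSE_EVASION_TOOLS = {"dc.exe", "psexec.exe"}

KV_RE = re.compile(r"(\w+)=(\S+)")


def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def parse_lines(text):
    """Turn each non-empty line into a dict of key=value fields plus 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, _, rest = line.partition(" ")
        ev = dict(KV_RE.findall(rest))
        ev["ts"] = ts
        events.append(ev)
    return events


def hunt(events):
    """Return (rule, where, detail) tuples for the behaviours in the article."""
    findings = []
    fails = defaultdict(int)  # (user, srcip) -> failed VPN logins seen so far
    for ev in events:
        t, action = ev.get("type"), ev.get("action")
        if t == "vpn" and action == "login":
            key = (ev["user"], ev["srcip"])
            if ev["result"] == "failure":
                fails[key] += 1
                continue
            # Success after a burst of failures from the same source.
            if fails[key] >= FAIL_THRESHOLD:
                findings.append(("vpn_bruteforce_success", ev["srcip"],
                                 f"{ev['user']} after {fails[key]} failures"))
            # Success on an account nobody has used for DORMANT_DAYS.
            last = LAST_SEEN.get(ev["user"])
            if last and _ts(ev["ts"]) - _ts(last) > timedelta(days=DORMANT_DAYS):
                findings.append(("dormant_account_login", ev["srcip"],
                                 f"{ev['user']} last seen {last}"))
        elif t == "schtask" and action == "create":
            # A system-binary name scheduled from a folder outside C:\Windows.
            folder, _, name = ev["image"].rpartition("\\")
            if name.lower() in SYSTEM_BINARY_NAMES and not folder.lower().startswith("c:\\windows"):
                findings.append(("masquerading_task", ev["host"], ev["image"]))
        elif t == "mssql" and ev.get("option") == "xp_cmdshell" and ev.get("value") == "1":
            findings.append(("xp_cmdshell_enabled", ev["host"], action))
        elif t == "account" and action == "create" and ev["host"] in BACKUP_SERVERS:
            findings.append(("account_created_on_backup_server", ev["host"], ev["user"]))
        elif t == "process":
            name = ev["image"].rpartition("\\")[2].lower()
            if name in DEFENSE_EVASION_TOOLS:
                findings.append(("defense_evasion_tool", ev["host"], ev["image"]))
    return findings


def run_sample():
    return hunt(parse_lines(SAMPLE_LOGS))


if __name__ == "__main__":
    for rule, where, detail in run_sample():
        print(f"{rule:34} {where:16} {detail}")
```

On the sample data the script reports seven findings, one per malicious step, and stays silent on the legitimate System32 task and the normal user's login. In a real environment the thresholds need tuning, PsExec has legitimate administrative uses so that rule is a prompt to check context rather than a verdict, and the dormant-account check only works if you actually keep last-login data for VPN accounts, which is the same data needed to disable those accounts before an attacker brute-forces them.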
Organizations running Veeam Backup & Replication are urged to apply the latest security patches for CVE-2023-27532, to monitor their ingress firewalls and other internet-facing systems, and to audit VPN gateways for dormant accounts like the one abused here, in order to mitigate similar attacks.