
Sophos warns of Akira and Fog ransomware gangs exploiting critical Veeam RCE flaw

Take action: Patch your Veeam Backup & Replication servers. There is no time like the present; do this immediately. Alternatively, you can wait to be listed on the ransomware gang's dark web leak site and start patching then.


Sophos warns that ransomware groups are actively exploiting a critical remote code execution (RCE) vulnerability in Veeam Backup & Replication (VBR) software, tracked as CVE-2024-40711. The flaw is a deserialization of untrusted data issue that lets an unauthenticated attacker execute code on a vulnerable VBR server with low attack complexity (CVSS 9.8). Veeam's bulletin lists VBR 12.1.2.172 and all earlier version 12 builds as affected; older, unsupported versions were not tested and should be treated as vulnerable.

Sophos X-Ops incident responders reported that Akira and Fog ransomware affiliates quickly adopted the exploit in their campaigns. In the cases Sophos handled, initial access came through compromised VPN gateway credentials, often on gateways with multifactor authentication disabled; from there the attackers exploited the Veeam vulnerability on the VBR server. In some cases the exploit was used to create a local administrator account, giving the attackers a persistent, privileged foothold from which to stage and deploy ransomware.

In the Fog ransomware case, the attackers deployed the ransomware on an unprotected Hyper-V server and used the rclone utility to exfiltrate data beforehand. Similar methods were seen in the other incidents, where Akira ransomware was deployed.
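The post-exploitation pattern described above (a local account created and immediately made a local administrator, then an exfiltration tool launched on a server) is something a SOC can hunt for in Windows Security logs. The following detection sketch is an added example for this page, not code from Sophos, Veeam or the article. It uses standard Windows event IDs 4720 (user account created), 4732 (member added to a security-enabled local group) and 4688 (process creation, which requires command-line auditing to be enabled), and the well-known SID S-1-5-32-544 for BUILTIN\Administrators. The sample events are constructed, and the flat field names are an assumed simplification of the real XML event data.

```python
"""Detection sketch: rogue local admin creation followed by exfil tooling.

Added example, not Sophos, Veeam or article code. Event IDs are standard
Windows Security log IDs: 4720 (user account created), 4732 (member added
to a security-enabled local group), 4688 (process creation).
S-1-5-32-544 is the well-known SID of BUILTIN\\Administrators.
The events below are constructed, not captured from a real incident; the
flat field names are an assumed simplification of the real event XML.
"""
from datetime import datetime, timedelta

ADMIN_GROUP_SID = "S-1-5-32-544"
# Assumption: an attacker creates and elevates the account in one go, so a
# tight window separates this from routine, staged account provisioning.
ELEVATION_WINDOW = timedelta(minutes=10)
# The article names rclone; extend with other tools seen in your estate.
EXFIL_TOOLS = {"rclone.exe"}

SAMPLE_EVENTS = [  # constructed sample data
    {"time": "2024-09-12T02:14:05", "id": 4720, "host": "VBR01",
     "new_account": "bkpadmin", "new_sid": "S-1-5-21-111-222-333-1105"},
    {"time": "2024-09-12T02:14:06", "id": 4732, "host": "VBR01",
     "member_sid": "S-1-5-21-111-222-333-1105", "group_sid": ADMIN_GROUP_SID},
    # Legitimate change: account created two days before it was made admin.
    {"time": "2024-09-10T09:00:00", "id": 4720, "host": "FS01",
     "new_account": "svc_backup", "new_sid": "S-1-5-21-111-222-333-1090"},
    {"time": "2024-09-12T10:30:00", "id": 4732, "host": "FS01",
     "member_sid": "S-1-5-21-111-222-333-1090", "group_sid": ADMIN_GROUP_SID},
    {"time": "2024-09-12T02:41:30", "id": 4688, "host": "HV01",
     "image": "C:\\Users\\bkpadmin\\Downloads\\rclone.exe",
     "cmdline": "rclone.exe copy D:\\VMs remote:exfil"},
]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def find_rogue_local_admins(events, window=ELEVATION_WINDOW):
    """Return one alert per account added to local Administrators within
    `window` of being created on the same host.

    Correlation is on the account SID: 4720 carries the new account's SID
    and 4732 identifies the added member by SID (its member-name field is
    often just '-'), so matching on names would miss real events.
    """
    created = {}  # (host, sid) -> (account name, creation time)
    alerts = []
    for ev in sorted(events, key=_ts):
        if ev["id"] == 4720:
            created[(ev["host"], ev["new_sid"])] = (ev["new_account"], _ts(ev))
        elif ev["id"] == 4732 and ev["group_sid"] == ADMIN_GROUP_SID:
            key = (ev["host"], ev["member_sid"])
            if key in created:
                name, t_created = created[key]
                if _ts(ev) - t_created <= window:
                    alerts.append({"host": ev["host"], "account": name,
                                   "created": t_created.isoformat(),
                                   "elevated": ev["time"]})
    return alerts


def find_exfil_tool_launches(events, tools=EXFIL_TOOLS):
    """Return process-creation events whose image name is a known exfil tool."""
    hits = []
    for ev in events:
        if ev["id"] != 4688:
            continue
        image = ev["image"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if image in tools:
            hits.append(ev)
    return hits


if __name__ == "__main__":
    for a in find_rogue_local_admins(SAMPLE_EVENTS):
        print(f"[!] {a['host']}: '{a['account']}' created {a['created']}, "
              f"added to local Administrators at {a['elevated']}")
    for ev in find_exfil_tool_launches(SAMPLE_EVENTS):
        print(f"[!] {ev['host']}: exfil tool launched: {ev['cmdline']}")
```

Run against the constructed sample, the script flags only the VBR01 account (created and elevated one second apart) and the rclone launch on HV01; the FS01 account, elevated two days after creation, stays below the window and is not reported. In production, feed it events from your SIEM and weight hits on backup and hypervisor hosts more heavily, since those are exactly the systems the Sophos cases involved.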

Veeam released the fix for CVE-2024-40711 in VBR 12.2 (build 12.2.0.334) with its September 4 security bulletin, and organizations running Veeam's software are strongly advised to apply the update immediately. Beyond patching, enforcing multifactor authentication on VPN gateways, keeping those gateways on supported software, and restricting network access to backup and hypervisor hosts so they are not reachable from general VPN user segments all reduce the chance that a stolen credential turns into an exploited backup server.
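A quick way to triage the advice above is to compare each VBR server's installed build with the fixed build. The following checker is an added example, not Veeam's own tooling. The fixed build (12.2.0.334) and the highest affected build (12.1.2.172) are the figures from Veeam's September 4, 2024 bulletin; treating every earlier build as vulnerable follows Veeam's note that unsupported versions were not tested. Reading the version from the Windows Uninstall registry keys is an assumption about where the installer records it, so confirm against Help > About in the VBR console; the comparison logic itself runs anywhere Python does.

```python
"""Compare an installed Veeam Backup & Replication build to the fixed build.

Added example, not Veeam tooling. FIXED_BUILD is the 12.2 build that Veeam's
September 4, 2024 bulletin ships for CVE-2024-40711. Any build below it is
reported as vulnerable, which also covers unsupported older versions that
Veeam did not test. The registry location is an assumption; verify the
version in the VBR console (Help > About) as well.
"""
import sys

FIXED_BUILD = (12, 2, 0, 334)

# Registry paths where MSI-based installers usually record product versions
# (assumption for VBR; 64-bit and 32-bit views are both checked).
UNINSTALL_KEYS = (
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall",
    r"SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall",
)


def parse_build(version):
    """'12.1.2.172' -> (12, 1, 2, 172); short strings pad with zeros.

    Raises ValueError on non-numeric components, so a malformed string is
    never silently treated as patched.
    """
    parts = tuple(int(p) for p in version.strip().split("."))
    return parts + (0,) * (4 - len(parts))


def is_vulnerable(version):
    """True when the build predates the CVE-2024-40711 fix."""
    return parse_build(version) < FIXED_BUILD


def installed_vbr_versions():
    """Return [(DisplayName, DisplayVersion)] for VBR entries in the
    Uninstall keys. Windows-only; returns [] on other platforms."""
    if sys.platform != "win32":
        return []
    import winreg  # only available on Windows

    found = []
    for root in UNINSTALL_KEYS:
        try:
            key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, root)
        except OSError:
            continue
        with key:
            index = 0
            while True:
                try:
                    sub = winreg.EnumKey(key, index)
                except OSError:
                    break  # no more subkeys
                index += 1
                try:
                    with winreg.OpenKey(key, sub) as sk:
                        name, _ = winreg.QueryValueEx(sk, "DisplayName")
                        ver, _ = winreg.QueryValueEx(sk, "DisplayVersion")
                except OSError:
                    continue  # entry without the values we need
                if "Veeam Backup & Replication" in str(name):
                    found.append((str(name), str(ver)))
    return found


def assess(versions):
    """Map each (name, version) pair to a verdict string."""
    verdicts = []
    for name, ver in versions:
        try:
            state = "VULNERABLE" if is_vulnerable(ver) else "patched"
        except ValueError:
            state = "UNPARSEABLE (treat as vulnerable)"
        verdicts.append(f"{name} {ver}: {state}")
    return verdicts


if __name__ == "__main__":
    # Pass versions on the command line to check hosts from an inventory,
    # or run with no arguments on a VBR server to read the registry.
    if len(sys.argv) > 1:
        pairs = [("VBR", v) for v in sys.argv[1:]]
    else:
        pairs = installed_vbr_versions() or [("(no VBR entry found)", "0")]
    print("\n".join(assess(pairs)))
```

Usage: `python vbr_check.py 12.1.2.172 12.2.0.334` prints one verdict per build, so the same script can be pointed at a list of versions pulled from a CMDB or asset inventory without logging on to each server.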
