Hackers Exploiting Veeam RCE Vulnerability to Deploy New Frag Ransomware

Risk actors are actively exploiting a essential vulnerability in Veeam Backup & Replication software program to deploy a brand new ransomware pressure referred to as “Frag.”

The vulnerability, tracked as CVE-2024-40711, permits unauthenticated distant code execution and has a severity rating of 9.8 out of 10 on the CVSS scale.

Sophos X-Ops researchers reported that the assaults are a part of a menace exercise cluster they’ve named STAC 5881.

Managed Detection and Response Purchaser’s Information – Free Download (PDF)

This group has been leveraging compromised VPN home equipment to achieve preliminary entry to networks after which exploiting the Veeam vulnerability to create rogue administrator accounts.

The essential flaw impacts Veeam Backup & Replication model 12.1.2.172 and earlier builds. Veeam, a well-liked backup resolution utilized by over 550,000 clients worldwide, together with 74% of World 2000 firms, released patches for the vulnerability in early September 2024.

Beforehand, STAC 5881 was noticed deploying Akira and Fog ransomware variants. Nonetheless, in a current incident, Sophos researchers detected the usage of a brand new, beforehand undocumented ransomware referred to as Frag.

Sean Gallagher, the principal menace researcher at Sophos X-Ops, stated, “Just like earlier occasions, the menace actor used a compromised VPN equipment for entry, leveraged the Veeam vulnerability, and created a brand new account named ‘level’. Nonetheless, on this incident, a ‘point2’ account was additionally created.”

The Frag ransomware is executed by way of the command line and requires attackers to specify a proportion for file encryption. It appends the “.frag” extension to encrypted recordsdata. Sophos has since added detection capabilities for the Frag binary to its endpoint safety software program.

Researchers famous comparable techniques, strategies, and practices between the Frag operators and people behind Akira and Fog ransomware. This means a potential connection or emergence of a brand new participant adopting established techniques.

The exploitation of CVE-2024-40711 follows a sample of attackers concentrating on backup options to maximise the influence of their ransomware campaigns. By compromising backup methods, menace actors goal to stop victims from simply recovering their knowledge with out paying the ransom.

Cybersecurity specialists strongly urge organizations utilizing Veeam Backup & Replication to use the most recent safety updates instantly.

In addition they suggest isolating backup servers from the Web the place potential, implementing multi-factor authentication for administration entry, and implementing complete monitoring to detect uncommon actions.

As ransomware teams proceed to evolve their techniques and goal essential infrastructure, new variants like Frag spotlight the continuing want for sturdy cybersecurity measures and immediate patching of identified vulnerabilities.

Run non-public, Actual-time Malware Evaluation in each Home windows & Linux VMs. Get a 14-day free trial with ANY.RUN!