Emerging Ransomware Group Exploits Veeam Software Vulnerability: A Detailed Analysis

Introduction

A recently patched security flaw in Veeam Backup & Replication software is being actively exploited by a nascent ransomware group known as EstateRansomware. The Singapore-based cybersecurity firm Group-IB identified the threat actor in early April 2024. The group is leveraging CVE-2023-27532 (CVSS score: 7.5) to carry out its malicious operations.

Initial Access

The attackers gained initial access to the target environment via a Fortinet FortiGate firewall SSL VPN appliance using a dormant account. Group-IB's security researcher Yeo Zi Wei elaborated on the method of attack, explaining that the threat actor laterally moved from the FortiGate Firewall through the SSL VPN service to access the failover server.

Attack Progression

VPN Brute-Force Attempts

Before launching the ransomware attack, the group conducted VPN brute-force attempts in April 2024, using a dormant account labeled 'Acc1.' Several days later, a successful VPN login traced back to the remote IP address 149.28.106[.]252 was identified.

Establishing Persistent Access

The attackers then established RDP connections from the firewall to the failover server. They deployed a persistent backdoor named "svchost.exe," which is executed daily through a scheduled task. This backdoor enabled subsequent access to the network, allowing the attackers to evade detection. The primary function of the backdoor is to connect to a command-and-control (C2) server over HTTP and execute arbitrary commands issued by the attacker.

Exploitation of Veeam Vulnerability

Group-IB observed the threat actor exploiting the Veeam flaw CVE-2023-27532 to enable xp_cmdshell on the backup server and create a rogue user account named "VeeamBkp." The attackers also conducted network discovery, enumeration, and credential harvesting using tools like NetScan, AdFind, and NitSoft through the newly created account. The exploitation likely originated from the VeeamHax folder on the file server, targeting the vulnerable version of Veeam Backup & Replication software installed on the backup server.

Ransomware Deployment

The attack culminated in the deployment of ransomware after the attackers took steps to impair defenses and move laterally from the Active Directory (AD) server to other servers and workstations using compromised domain accounts. The attackers permanently disabled Windows Defender using DC.exe [Defender Control], followed by ransomware deployment and execution with PsExec.exe.
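The following detection logic is an added example, not part of the Group-IB report or this article, and runs over hand-constructed sample records that mirror the attack progression above (a scheduled-task backdoor named svchost.exe outside System32, xp_cmdshell being switched on, a new account on the backup server, and DC.exe/PsExec execution). The event field names and the rule names are assumptions; the xp_cmdshell text is the message SQL Server writes to its ERRORLOG when that option is enabled.

```python
"""Constructed detection rules for the TTPs described in this article.
All sample records are hand-made; none is telemetry from the actual case."""
import re
from pathlib import PureWindowsPath

SYSTEM_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}
# Message SQL Server writes to ERRORLOG when xp_cmdshell is enabled via sp_configure.
XP_CMDSHELL_RE = re.compile(r"Configuration option 'xp_cmdshell' changed from 0 to 1", re.I)

def masquerading_svchost(ev):
    """svchost.exe launched from outside the Windows system directories (backdoor name reuse)."""
    if ev.get("type") != "process_create":
        return False
    p = PureWindowsPath(ev["image"])
    return p.name.lower() == "svchost.exe" and str(p.parent).lower() not in SYSTEM_DIRS

def xp_cmdshell_enabled(ev):
    """xp_cmdshell turned on; on a Veeam backup host this should never happen unannounced."""
    return ev.get("type") == "sql_errorlog" and bool(XP_CMDSHELL_RE.search(ev["message"]))

def rogue_account_on_backup_host(ev):
    """Security event 4720 (user account created) on a host tagged with the backup role."""
    return ev.get("type") == "security" and ev.get("event_id") == 4720 and ev.get("host_role") == "backup"

def defense_impair_or_deploy_tool(ev):
    """Defender Control (DC.exe) or PsExec process start; both named in the article."""
    if ev.get("type") != "process_create":
        return False
    return PureWindowsPath(ev["image"]).name.lower() in {"dc.exe", "psexec.exe"}

RULES = {"masquerading_svchost": masquerading_svchost, "xp_cmdshell_enabled": xp_cmdshell_enabled,
         "rogue_account_on_backup_host": rogue_account_on_backup_host,
         "defense_impair_or_deploy_tool": defense_impair_or_deploy_tool}

def detect(events):
    """Return (rule_name, host) for every record that matches a rule."""
    return [(name, ev.get("host", "?")) for ev in events for name, rule in RULES.items() if rule(ev)]

SAMPLE_EVENTS = [  # constructed records; hostnames and paths are invented
    {"type": "process_create", "host": "FAILOVER01", "image": r"C:\ProgramData\svchost.exe"},
    {"type": "process_create", "host": "FAILOVER01", "image": r"C:\Windows\System32\svchost.exe"},
    {"type": "sql_errorlog", "host": "BACKUP01",
     "message": "Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install."},
    {"type": "security", "host": "BACKUP01", "host_role": "backup", "event_id": 4720, "target_user": "VeeamBkp"},
    {"type": "process_create", "host": "WS07", "image": r"C:\Users\Public\DC.exe"},
]

if __name__ == "__main__":
    for name, host in detect(SAMPLE_EVENTS):
        print(f"{host}: {name}")
```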

Broader Implications and Trends

Cisco Talos disclosed that most ransomware gangs prioritize establishing initial access using security flaws in public-facing applications, phishing attachments, or breaching valid accounts. They also focus on circumventing defenses to increase dwell time in victim networks. The double extortion model, which involves exfiltrating data before encrypting files, has led to the development of custom tools like Exmatter, Exbyte, and StealBit to send confidential information to attacker-controlled infrastructure.

To achieve their goals, these e-crime groups establish long-term access to explore the environment, understand the network structure, locate resources, elevate privileges, blend in, and identify valuable data that can be stolen.

Conclusion

The emergence of EstateRansomware and similar groups highlights significant shifts in the ransomware landscape, with new groups exhibiting unique goals, operational structures, and victimology. This diversification points to a trend towards more boutique-targeted cybercriminal activities, as groups like Hunters International, Cactus, and Akira carve out specific niches, focusing on distinct operational goals and stylistic choices to differentiate themselves.
