You had a year to patch this Veeam flaw – and now it's going to hurt some more

LockBit variant targets backup software - which you may remember is supposed to help you recover from ransomware

Yet another new ransomware gang, this one dubbed EstateRansomware, is now exploiting a Veeam vulnerability that was patched more than a year ago to deploy file-encrypting malware, a LockBit variant, and extort payments from victims.

Veeam fixed the flaw, tracked as CVE-2023-27532, in March 2023 for versions 12/11a and later of its backup and replication software. The high-severity bug earned a 7.5 CVSS rating.

"Replication component allows an unauthenticated user operating within the backup infrastructure network perimeter to obtain encrypted credentials stored in the configuration database," the software vendor advised when it spotted the bug, before adding: “This may lead to an attacker gaining access to the backup infrastructure hosts.”

It now appears not all Veeam users got the timely-patching-is-important memo, and now at least one criminal gang is exploiting unpatched systems to deploy ransomware.

This comes after reports last year that CVE-2023-27532 was likely being abused by Russian cyber-crime gang FIN7 to compromise systems within vulnerable organizations and steal credentials. The situation was thus not great in 2023, and now it's not getting better.

Security researchers at Singaporean outfit Group-IB spotted EstateRansomware at work in early April this year, and say the crew typically gains initial access into targeted networks using brute-force attacks against FortiGate SSL VPN firewall appliances using a dormant account dubbed 'Acc1'.

According to an analysis from Group-IB, subsequent VPN connections using that dormant account would originate from a US-based IP address. After entering the network via Acc1, the intruders would establish remote desktop connections from the firewall to a Windows-based failover server within the Veeam environment, we're told.

The EstateRansomware gang then used this remote desktop access to deploy a backdoor on the failover server and scheduled it to execute daily to ensure persistent access to the victim's environment. The backdoor would grant outside miscreants remote control over the server. We do note that at this point, the network is compromised, and even if CVE-2023-27532 was not exploited, significant damage could be by by the intruders anyway; hitting the Veeam bug to make it easier to deploy ransomware seems more like a coup de grâce to us than an essential step.

So, next, the criminals would connect from the failover server to a Windows file server in the victim's Veeam environment via remote desktop, and use that file server to harvest any credentials that could be found, probe the network, and exploit CVE-2023-27532 to gain control of the victims' Veeam backup servers. At that point, further internal account credentials and other data could be snatched from those backup servers.

It's believed the exploit code used was based on the Horizon3 and sfewer-r7 examples on GitHub.

The intruders additionally used network scanning and password recovery tools, including SoftPerfect Netscan and Nirsoft, to collect information on hosts, open ports, and file shares.

Armed with all this info gathered from an org, particularly the credentials, the fiends then accessed Active Directory (AD) and other services to disable Windows Defender and deploy a ransomware payload, which is a variant of LockBit 3.0 that encrypts files and clears logs, on however many workstations and servers they could find.

It's unclear how many victims were infected by EstateRansomware's data-locking malware. We've reached out to Group-IB for more information about the ransomware campaign.

Veeam Software spokesperson Heidi Monroe Kroft declined to answer specific questions about the ransomware attacks but noted that the software provider released a patch to plug the hole on March 6, 2023.

"This was directly communicated to all our VBR customers," Kroft told The Register. "A Knowledge Base article was published detailing the issue. When a vulnerability is identified and disclosed, attackers will still try to exploit and reverse-engineer the patches to use the vulnerability on an unpatched version of Veeam software in their exploitation attempts."

This, she added, "underlines the importance of ensuring customers are using the latest versions of all software and patches are installed in a timely manner."

In other words: Get those software updates if you want to avoid becoming a malware victim.

Group-IB's research on EstateRansomware's malware campaign echoes another ransomware report published today. This one, from Cisco Talos, analyzed the tactics, techniques and procedures (TTPs) favored by the top 14 ransomware groups. Talos found that the "most prolific" criminals on the scene prioritize gaining initial access via valid account credentials. ®

Editor's note: This story was updated to include details of prior exploitation of CVE-2023-27532 and clarify the steps taken in this latest attack.

More about


Send us news

Other stories you might like