Feds Warn of Rise in Attacks Involving Veeam Software Flaw
Governance & Risk Management , Patch Management
Alert Concerns Vendor’s Veeam Backup & Replication Product Marianne Kolbasuk McGee (HealthInfoSec) • May 11, 2023 Federal authorities are warning the healthcare sector about a rise in cyberattacks against certain Veeam software.
Federal authorities are warning the healthcare sector of a rise in cyberattacks against a backup application made by software developer Veeam. The attacks appear tied to exploitation of a high-severity vulnerability in the vendor’s software disclosed in March.
See Also: Live Webinar | Education Cybersecurity Best Practices: Devices, Ransomware, Budgets and Resources
The vulnerability, tracked as CVE-2023-27532, exposes encrypted credentials stored in Veeam Backup & Replication. Its exploitation could lead to unauthorized access to backup infrastructure hosts, says the Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center in an alert Wednesday.
Such intrusions could result in data theft or deployment of ransomware.
All versions of the Veeam software – which backs up, replicates and restores data on virtual machines – are affected by the issue. Additionally, the software also has the ability to provide transaction-level restores of Oracle and Microsoft SQL databases, HHS HC3 said.
“What makes this threat significant is that in addition to backing up and recovering virtual machines, VBR is used to protect and restore individual files and applications for environments such as Microsoft Exchange and SharePoint, which are used in the healthcare and public health sector,” HHS HC3 writes.
Researchers in late March identified attacks carried out by at least one cybercrime group, FIN7, against internet-facing servers running Veeam Backup & Replication software. FIN7 has been connected to a number of high-profile attacks and is known for affiliating with ransomware groups including BlackBasta, the alert says.
Veeam Software issued workaround instructions for the vulnerability on March 7.
A penetration testing firm later that month released an exploit of the vulnerability demonstrating how an unsecured API endpoint could be abused to extract the credentials in plain text.
A malicious actor could leverage the vulnerability to run code remotely with the highest privileges, HHS HC3 writes. “What is significant about this is that threat researchers determined that approximately 7,500 internet-exposed VBR hosts appeared to be vulnerable.”
Veeam now has a patch.
Rick Vanover, senior director of product strategy at Veeam told Information Security Media Group the company strongly encourages all customers to use the latest versions of all software and patch in a timely manner.
“When the vulnerability was identified and reported by a security researcher we immediately developed a patch to mitigate the vulnerability for Veeam Backup & Replication v11 and v12 and we directly communicated with all our VBR customers before the vulnerability was disclosed publicly,” he said.
Researchers at security firm Rapid7 also identified an uptick in incidents involving the Veeam backup and replication product, but not specifically in the healthcare sector.
Caitlin Condon, senior manager of security research,said that the company conducted an initial analysis on the Veeam Backup & Replication vulnerability a couple months ago. “We’ve seen Veeam leveraged in ransomware and other threat campaigns several times in the past, both as an initial attack vector and as a way to exfiltrate data from victim environments, she said.
Rapid7 researchers confirmed in March that the root cause of CVE-2023-27352 vulnerability is a lack of authentication on a remote Windows Communication Foundation, Microsoft’s service-oriented application framework, Condon said.
“Successful exploitation allows an attacker to both leak plaintext credentials and execute code remotely with local system privileges on the Veeam Backup & Replication server,” she said.
The credentials stored by the service are intended to allow the product to authenticate to the multitude of connected components that comprise the organization’s backup infrastructure. “While the vulnerability description says that an attack may expose encrypted credentials, our team and others have confirmed that credentials are transferred over the wire in plaintext.”
Condon took issue with the CVSS score, which is 7.5. “That score significantly understates the impact of the flaw. 9.1 would be a more realistic CVSS score, which would correctly categorize this vulnerability as critical.”
Entities using Veeam’s backup and replication software should follow the company’s recommended mitigations, including applying the vendor’s patch or and in some cases, blocking external connections to port TCP 9401 in the backup server firewall as a temporary remediation until the patch is installed, HHS HC3 said.