HC3: TLP Clear Sector Alert May 10, 2023

Executive Summary

Cyber attacks launched by threat actors against Veeam Backup & Replication are on the rise. Veeam Backup & Replication (VBR) is a software product created by Veeam Software that is used to back up, replicate, and restore data on virtual machines (VMs). What makes this threat significant is that in addition to backing up and recovering VMs, it is used to protect and restore individual files and applications for environments such as Microsoft Exchange and SharePoint, which are used in the HPH sector. Veeam Backup & Replication also has the ability to provide transaction-level restores of Oracle and Microsoft SQL databases. HC3 recommends that all HPH sector entities be aware of suspicious activity, keep systems up to date, and immediately patch any vulnerable systems.

Report

In late March 2023, threat researchers identified attacks carried out by at least one threat actor group, FIN7, against internet-facing servers running Veeam Backup & Replication software. FIN7 is a threat actor group that was discovered in the mid-2010s. The cybercrime group is financially motivated, has been connected to numerous high-profile attacks, and their evolution includes developing new tools, and expanding their operations. FIN7 is known for affiliating with other threat actor groups such as Conti, REvil, and BlackBasta.

On March 28th, malicious activity similar to FIN7 was observed across internet-facing servers running Veeam Backup & Replication software. A SQL server process written as “sqlservr.exe” related to the Veeam Backup instance executed a shell command, which performed in-memory download and execution of a PowerShell script. According to threat researchers, based on the timing of the campaign, open TCP port 9401 on compromised servers, and the hosts running a vulnerable version of VBR, the researchers believe that the intruder likely exploited the CVE-2023-27532 vulnerability for access and malicious code execution.

View the detailed report below.