A security flaw in Veeam Backup & Replication software, which has now been patched, is being exploited by a new ransomware operation called EstateRansomware.
Singapore-based Group-IB identified the threat actor in early April 2024 and found that the attack relied on CVE-2023-27532 (CVSS score: 7.5), a vulnerability that lets an unauthenticated attacker with network access to the Veeam backup service obtain encrypted credentials stored in the configuration database, to gain a foothold on the backup server.
Initial access to the target environment was gained through the SSL VPN service of a Fortinet FortiGate firewall, using a dormant account.
“The threat actor later infiltrated into the network through the SSL VPN service provided by the FortiGate Firewall to reach the failover server,” security researcher Yeo Zi Wei explained in a recent analysis.
“In April 2024, VPN brute-force attempts were observed using a dormant account named ‘Acc1.’ Eventually, there was a successful VPN login using ‘Acc1’ from the IP address 149.28.106[.]252.”
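The two signals in that sequence, a burst of failed SSL VPN logins followed by a success from the same source, and a successful login on an account that has not been used for months, are both cheap to detect. The following is an added example, not code from Group-IB or from the original article: it runs both rules over a handful of constructed log lines loosely modelled on FortiGate SSL VPN event records (key=value pairs). The field names, the thresholds, and the "last login" table are assumptions; the attacker IP is the one reported in the analysis.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5            # failures within WINDOW before a success -> brute force
WINDOW = timedelta(minutes=10)
DORMANT_DAYS = 90             # no login for this long -> treat the account as dormant

# Constructed sample lines (assumption: FortiGate-style key=value SSL VPN events).
SAMPLE_LOGS = """\
date=2024-04-02 time=09:00:01 action="ssl-login-fail" user="Acc1" remip=149.28.106.252
date=2024-04-02 time=09:00:04 action="ssl-login-fail" user="Acc1" remip=149.28.106.252
date=2024-04-02 time=09:00:09 action="ssl-login-fail" user="Acc1" remip=149.28.106.252
date=2024-04-02 time=09:00:15 action="ssl-login-fail" user="Acc1" remip=149.28.106.252
date=2024-04-02 time=09:00:22 action="ssl-login-fail" user="Acc1" remip=149.28.106.252
date=2024-04-02 time=09:00:40 action="ssl-login-fail" user="Acc1" remip=149.28.106.252
date=2024-04-02 time=09:01:10 action="tunnel-up" user="Acc1" remip=149.28.106.252
date=2024-04-02 time=09:05:00 action="ssl-login-fail" user="jdoe" remip=203.0.113.10
date=2024-04-02 time=09:05:30 action="tunnel-up" user="jdoe" remip=203.0.113.10
"""

# Constructed "last successful login" table (assumption: fed from IdP or VPN history).
LAST_LOGIN = {
    "Acc1": datetime(2023, 9, 1, 8, 0, 0),    # untouched for months -> dormant
    "jdoe": datetime(2024, 3, 30, 17, 5, 0),
}

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Parse one key=value line into a dict and add a datetime under 'ts'."""
    fields = {}
    for key, quoted, bare in KV_RE.findall(line):
        fields[key] = quoted if quoted else bare
    fields["ts"] = datetime.strptime(f"{fields['date']} {fields['time']}", "%Y-%m-%d %H:%M:%S")
    return fields


def detect(lines, last_login):
    """Run both rules over time-ordered log lines and return a list of alert dicts."""
    last_login = dict(last_login)              # do not mutate the caller's table
    recent_fails = defaultdict(deque)          # (user, remip) -> failure timestamps
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        key = (ev["user"], ev["remip"])
        if ev["action"] == "ssl-login-fail":
            recent_fails[key].append(ev["ts"])
            continue
        if ev["action"] != "tunnel-up":
            continue
        # Rule 1: success preceded by a burst of failures from the same source.
        fails = recent_fails[key]
        while fails and ev["ts"] - fails[0] > WINDOW:
            fails.popleft()                    # drop failures outside the window
        if len(fails) >= FAIL_THRESHOLD:
            alerts.append({"rule": "bruteforce-then-success", "user": ev["user"],
                           "remip": ev["remip"], "failures": len(fails), "ts": ev["ts"]})
        # Rule 2: successful login on an account with no recent history.
        prev = last_login.get(ev["user"])
        if prev is None or ev["ts"] - prev > timedelta(days=DORMANT_DAYS):
            alerts.append({"rule": "dormant-account-login", "user": ev["user"],
                           "remip": ev["remip"], "last_login": prev, "ts": ev["ts"]})
        last_login[ev["user"]] = ev["ts"]
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS.splitlines(), LAST_LOGIN):
        print(alert)
```

On the constructed input only "Acc1" trips either rule; "jdoe" has a single failure and a login three days earlier. In practice the second rule is the more valuable of the two, because a patient attacker can stay under any brute-force threshold, while a dormant account should not be logging in at all and is better disabled than monitored.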
The threat actors then established Remote Desktop Protocol (RDP) connections from the firewall to the failover server and deployed a persistent backdoor named “svchost.exe,” mimicking the legitimate Windows service host process, which a scheduled task executed daily.
Subsequent access to the network went through this backdoor rather than the VPN, which helped the attacker avoid detection. The backdoor’s main function was to connect to a command-and-control (C2) server over HTTP and execute commands issued by the attacker.
Group-IB observed the actor exploiting CVE-2023-27532 to enable the xp_cmdshell extended stored procedure on the backup server’s SQL Server instance and create a rogue user account called “VeeamBkp.” Using the newly created account, the actor then conducted network discovery, enumeration, and credential harvesting with tools such as NetScan, AdFind, and NitSoft.
“This exploitation potentially started from the VeeamHax folder on the file server targeting the vulnerable version of Veeam Backup & Replication software on the backup server,” Zi Wei speculated.
“This activity led to the activation of xp_cmdshell stored procedure and the subsequent creation of the ‘VeeamBkp’ account.”
The ransomware was deployed only after the actor had impaired defenses and moved laterally from the Active Directory (AD) server to other servers and workstations using compromised domain accounts.
“Windows Defender was disabled permanently using DC.exe [Defender Control], followed by ransomware deployment and execution with PsExec.exe,” Group-IB disclosed.
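Several steps of this chain leave host-side traces that are worth hunting for: a scheduled task whose action is an `svchost.exe` outside `System32`/`SysWOW64`, a new local account on a backup server, xp_cmdshell being switched on, and the Defender Control and PsExec binaries running. The block below is an added example, not code from Group-IB or the article, that applies those checks to constructed records shaped like Windows Security audit events (4698 task creation, 4720 account creation, 4688 process creation). The host names, account names, the backup-server list, the tool watchlist, and the event field layout are all assumptions.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample events (assumption: dicts carrying EventID plus EventData fields).
SAMPLE_EVENTS = [
    # 4698: task runs "svchost.exe" from a user-writable path, the masquerade in the article
    {"EventID": 4698, "Computer": "FAILOVER01", "SubjectUserName": "admin", "TaskName": "\\Updater",
     "TaskContent": "<Task><Actions><Exec><Command>C:\\Users\\Public\\svchost.exe</Command></Exec></Actions>"
                    "<Triggers><CalendarTrigger><ScheduleByDay/></CalendarTrigger></Triggers></Task>"},
    # 4698: the real service host from System32, should not alert
    {"EventID": 4698, "Computer": "WS07", "SubjectUserName": "SYSTEM", "TaskName": "\\Microsoft\\Windows\\Maint",
     "TaskContent": "<Task><Actions><Exec><Command>C:\\Windows\\System32\\svchost.exe</Command></Exec></Actions></Task>"},
    # 4720: local account created on the backup server
    {"EventID": 4720, "Computer": "BACKUP01", "SubjectUserName": "svc_sql", "TargetUserName": "VeeamBkp"},
    # 4688 (command-line auditing on): xp_cmdshell enabled, Defender Control, PsExec, benign process
    {"EventID": 4688, "Computer": "BACKUP01", "SubjectUserName": "svc_sql",
     "NewProcessName": "C:\\Program Files\\Microsoft SQL Server\\Client SDK\\sqlcmd.exe",
     "CommandLine": "sqlcmd -Q \"EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE\""},
    {"EventID": 4688, "Computer": "DC01", "SubjectUserName": "admin",
     "NewProcessName": "C:\\Tools\\DC.exe", "CommandLine": "DC.exe /D"},
    {"EventID": 4688, "Computer": "DC01", "SubjectUserName": "admin",
     "NewProcessName": "C:\\Tools\\PsExec.exe", "CommandLine": "PsExec.exe \\\\WS07 -s -d C:\\Temp\\enc.exe"},
    {"EventID": 4688, "Computer": "WS07", "SubjectUserName": "jdoe",
     "NewProcessName": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe"},
]

LEGIT_SVCHOST_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}
BACKUP_HOSTS = {"BACKUP01"}                                   # assumption: from asset inventory
TOOL_WATCHLIST = {"dc.exe", "psexec.exe", "psexesvc.exe"}    # assumption: tools named in the article
XP_CMDSHELL_RE = re.compile(r"xp_cmdshell\W+1\b", re.I)      # sp_configure 'xp_cmdshell', 1
CMD_RE = re.compile(r"<Command>(.*?)</Command>", re.I | re.S)


def check_task(ev):
    """4698: flag a task whose action is svchost.exe outside the two legitimate directories."""
    m = CMD_RE.search(ev.get("TaskContent", ""))
    if not m:
        return None
    path = PureWindowsPath(m.group(1).strip())
    if path.name.lower() == "svchost.exe" and str(path.parent).lower() not in LEGIT_SVCHOST_DIRS:
        return f"scheduled task {ev['TaskName']} runs svchost.exe from {path.parent}"
    return None


def check_account(ev):
    """4720: any new local account on a backup server is worth a ticket; Veeam-like names more so."""
    if ev["Computer"] not in BACKUP_HOSTS:
        return None
    name = ev["TargetUserName"]
    hint = " (Veeam-style name)" if "veeam" in name.lower() else ""
    return f"local account {name} created on backup server by {ev['SubjectUserName']}{hint}"


def check_process(ev):
    """4688: xp_cmdshell being enabled on the command line, or a watchlisted tool starting."""
    cmd = ev.get("CommandLine", "")
    exe = PureWindowsPath(ev["NewProcessName"]).name.lower()
    if XP_CMDSHELL_RE.search(cmd):
        return f"xp_cmdshell enabled via command line by {ev['SubjectUserName']}"
    if exe in TOOL_WATCHLIST:
        return f"watchlisted tool {exe} started by {ev['SubjectUserName']}: {cmd}"
    return None


CHECKS = {4698: check_task, 4720: check_account, 4688: check_process}


def hunt(events):
    """Return (Computer, message) pairs for every event that trips a check."""
    hits = []
    for ev in events:
        check = CHECKS.get(ev["EventID"])
        msg = check(ev) if check else None
        if msg:
            hits.append((ev["Computer"], msg))
    return hits


if __name__ == "__main__":
    for host, msg in hunt(SAMPLE_EVENTS):
        print(f"{host}: {msg}")
```

The xp_cmdshell rule is the weakest of the four: in this intrusion the procedure was enabled through the Veeam service rather than from an interactive shell, so no 4688 command line would carry it. A more reliable control is to read the setting directly from the SQL Server instance on a schedule (the `xp_cmdshell` row of `sys.configurations`) and alert on any change, and to keep the backup server's SQL port and the Veeam service port reachable only from the backup infrastructure itself.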
Cisco Talos recently highlighted that most ransomware groups prioritize gaining initial access through security flaws in public-facing applications, phishing attachments, or valid accounts, and then look for ways to bypass defenses once inside.
The growing trend of exfiltrating data before encrypting files has led ransomware gangs to develop custom tools like Exmatter, Exbyte, and StealBit to transfer sensitive data to an adversary-controlled infrastructure.
This trend requires e-crime groups to establish long-term access to explore the network structure, locate resources for the attack, elevate privileges, blend in, and identify valuable data for theft.
“In the past year, we have seen significant changes in the ransomware landscape with the emergence of several new ransomware groups, each with unique goals, operational structures, and victim demographics,” Talos stated.
“This diversification reflects a move towards more targeted cybercriminal activities, with groups like Hunters International, Cactus, and Akira focusing on specific niches and operational objectives to differentiate themselves.”