EstateRansomware Exploits Veeam Flaw to Orchestrate Ransomware Attacks

A critical security vulnerability in Veeam Backup & Replication software, now patched, has been exploited by a new ransomware group known as EstateRansomware. The cyber threat, discovered by Singapore-headquartered Group-IB in early April 2024, leverages CVE-2023-27532 (CVSS score: 7.5) to carry out its malicious activities.

Initial Access and Lateral Movement

The attackers gained initial access through a Fortinet FortiGate firewall SSL VPN appliance using a dormant account. "The threat actor pivoted laterally from the FortiGate Firewall through the SSL VPN service to access the failover server," explained Yeo Zi Wei, a security researcher at Group-IB. Before the ransomware attack, VPN brute-force attempts against the dormant account identified as 'Acc1' were observed in April 2024. A successful VPN login using 'Acc1' was later traced back to the remote IP address 149.28.106[.]252.

Following this, the attackers established RDP connections from the firewall to the failover server and deployed a persistent backdoor named "svchost.exe," which is executed daily through a scheduled task. This backdoor connects to a command-and-control (C2) server over HTTP, allowing the attackers to execute arbitrary commands undetected.

Exploiting the Veeam Flaw

Using the backdoor, the attackers exploited the Veeam flaw CVE-2023-27532 to enable xp_cmdshell on the backup server and create a rogue user account named "VeeamBkp." They conducted network discovery, enumeration, and credential harvesting activities using tools like NetScan, AdFind, and NitSoft through the newly created account.

"The exploitation likely involved an attack originating from the VeeamHax folder on the file server against the vulnerable version of Veeam Backup & Replication software installed on the backup server," hypothesized Zi Wei. This activity activated the xp_cmdshell stored procedure and led to the creation of the 'VeeamBkp' account.

Disabling Defenses and Deploying Ransomware

The attack culminated in the deployment of the ransomware after Windows Defender was disabled using DC.exe (Defender Control). The ransomware was then executed using PsExec.exe, after a series of steps to impair defenses and move laterally from the AD server to other servers and workstations using compromised domain accounts.
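The three host-side steps described above (a daily scheduled task launching a backdoor named svchost.exe, xp_cmdshell being switched on, and the rogue 'VeeamBkp' account being created) each leave a distinct log record. The following added example, not code from the original post or from Group-IB, runs simple hunt rules over constructed log lines in an assumed "source|event_id|details" form; the "veeam|backup" name watchlist and the sample records are assumptions for illustration.

```python
import re
from typing import Dict, List, Optional

# Constructed sample records (not the logs from the Group-IB investigation),
# in a simplified "source|event_id|details" form.
SAMPLE_LOGS = """\
Security|4698|TaskName=\\svchost Action=C:\\Users\\Public\\svchost.exe Trigger=Daily
Security|4698|TaskName=\\Microsoft\\Windows\\Defrag\\ScheduledDefrag Action=C:\\Windows\\System32\\defrag.exe Trigger=Weekly
MSSQL|15457|Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
Security|4720|TargetUserName=VeeamBkp SubjectUserName=svc_veeam
Security|4720|TargetUserName=jsmith SubjectUserName=helpdesk
"""

SYSTEM_BIN_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Assumption: account names that imitate the backup product are treated as suspicious.
LURE_NAME_RE = re.compile(r"veeam|backup", re.IGNORECASE)
XP_CMDSHELL_ON_RE = re.compile(r"'xp_cmdshell' changed from 0 to 1", re.IGNORECASE)

def parse_record(line: str) -> Optional[Dict[str, str]]:
    """Split 'source|event_id|details' into a dict; return None for malformed lines."""
    parts = line.split("|", 2)
    if len(parts) != 3:
        return None
    source, event_id, details = parts
    rec = {"source": source, "event_id": event_id, "details": details}
    # key=value pairs inside details become fields (a value ends at the next key= token)
    for m in re.finditer(r"(\w+)=(.*?)(?=\s+\w+=|$)", details):
        rec[m.group(1)] = m.group(2)
    return rec

def classify(rec: Dict[str, str]) -> Optional[str]:
    """Return a reason string if the record matches one of the article's TTPs."""
    if rec["event_id"] == "4698":
        action = rec.get("Action", "").lower()
        # A task launching a binary named svchost.exe from outside the Windows
        # system directories is the masquerading pattern described in the article.
        if action.endswith("svchost.exe") and not action.startswith(SYSTEM_BIN_DIRS):
            return f"scheduled task runs masquerading svchost.exe: {rec['Action']}"
    if rec["source"] == "MSSQL" and XP_CMDSHELL_ON_RE.search(rec["details"]):
        return "xp_cmdshell enabled on SQL Server (Veeam backup host)"
    if rec["event_id"] == "4720" and LURE_NAME_RE.search(rec.get("TargetUserName", "")):
        return f"new account with product-like name: {rec['TargetUserName']}"
    return None

def hunt(log_text: str) -> List[str]:
    """Run the classifiers over every record and collect the matching reasons."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec and (reason := classify(rec)):
            findings.append(reason)
    return findings

if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOGS):
        print("ALERT:", finding)
```

Against the sample records the hunt raises exactly three alerts, one per step of the chain, and stays quiet on the legitimate defrag task and the ordinary account creation.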

Broader Implications and Industry Response

This incident underscores the evolving tactics of ransomware gangs. Cisco Talos has revealed that most ransomware groups focus on establishing initial access through security flaws in public-facing applications, phishing attachments, or breaching valid accounts. They prioritize circumventing defenses to extend their presence in victim networks.

The double extortion model, which involves exfiltrating data before encrypting files, has led to the development of custom tools like Exmatter, Exbyte, and StealBit. These tools facilitate the theft of confidential information and require attackers to maintain long-term access to understand the network, elevate privileges, and identify valuable data.

The Changing Landscape of Ransomware

Over the past year, the ransomware landscape has seen significant changes with the emergence of new groups exhibiting unique operational goals and victimology. According to Talos, groups like Hunters International, Cactus, and Akira are carving out specific niches, focusing on distinct operational goals and stylistic choices to differentiate themselves.

This diversification reflects a shift toward more targeted cybercriminal activities, with new groups adapting their tactics to maximize their impact and profitability. As ransomware continues to evolve, organizations must remain vigilant, ensuring their defenses are robust and up-to-date to protect against these sophisticated threats.

Cy-Napea® Team
Author
