
A recently patched security issue in Veeam Backup & Replication software is being exploited by EstateRansomware, a new ransomware operation.

The Singapore-based Group-IB, which uncovered the threat actor in early April 2024, stated that the modus operandi involves the use of CVE-2023-27532 (CVSS score: 7.5) to carry out the malicious operations.


Initial access to the target environment was gained through the SSL VPN service of a Fortinet FortiGate firewall, using a dormant account.

“The threat actor pivoted laterally from the FortiGate Firewall through the SSL VPN service to access the failover server,” security researcher Yeo Zi Wei wrote in a report released today.

“Prior to the ransomware assault, there were VPN brute-force attempts detected in April 2024 using a dormant account known as ‘Acc1.’ Several days later, a successful VPN login via ‘Acc1’ was tracked back to the remote IP address 149.28.106[.]252.”
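A detection for the pattern just described, added here as an example that is not part of the Group-IB report or this article: it scans FortiGate-style key=value SSL VPN log lines for a burst of failed logins followed by a success on a dormant account, and for a login from the remote IP named in the report. The log lines are constructed sample data, and the field names (`action`, `user`, `remip`) are assumptions to adapt to the schema your appliance or SIEM actually emits.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, FortiGate-style key=value SSL VPN event lines written for this
# example; they are illustrative sample data, not real appliance output, and the
# field names (action, user, remip) are assumptions to adapt to your own schema.
SAMPLE_LOGS = """\
date=2024-04-02 time=01:10:05 type="event" subtype="vpn" action="ssl-login-fail" user="Acc1" remip=203.0.113.7
date=2024-04-02 time=01:10:09 type="event" subtype="vpn" action="ssl-login-fail" user="Acc1" remip=203.0.113.7
date=2024-04-02 time=01:10:14 type="event" subtype="vpn" action="ssl-login-fail" user="Acc1" remip=203.0.113.7
date=2024-04-02 time=01:10:20 type="event" subtype="vpn" action="ssl-login-fail" user="Acc1" remip=203.0.113.7
date=2024-04-02 time=01:10:27 type="event" subtype="vpn" action="ssl-login-fail" user="Acc1" remip=203.0.113.7
date=2024-04-02 time=08:15:00 type="event" subtype="vpn" action="tunnel-up" user="jsmith" remip=198.51.100.20
date=2024-04-05 time=03:41:12 type="event" subtype="vpn" action="tunnel-up" user="Acc1" remip=149.28.106.252
"""

# Accounts the organisation has flagged as unused; "Acc1" is the name from the report.
DORMANT_ACCOUNTS = {"acc1"}
# Remote IP that Group-IB tied to the successful VPN login (taken from the article).
KNOWN_BAD_IPS = {"149.28.106.252"}

KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_line(line):
    """Turn one key=value log line into a dict; quoted and bare values are both handled."""
    fields = {}
    for m in KV_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    if "date" in fields and "time" in fields:
        fields["ts"] = datetime.fromisoformat(f"{fields['date']} {fields['time']}")
    return fields


def detect_vpn_abuse(log_text, dormant=DORMANT_ACCOUNTS, bad_ips=KNOWN_BAD_IPS,
                     fail_threshold=5, window_days=7):
    """Return alerts for three behaviours from the intrusion described above:
    1. a successful SSL VPN login by a dormant account,
    2. a success preceded by >= fail_threshold failures for that user within window_days,
    3. a success from an IP on the known-bad list."""
    window = timedelta(days=window_days)
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    events = [e for e in events if e.get("subtype") == "vpn" and "ts" in e]
    events.sort(key=lambda e: e["ts"])
    failures = defaultdict(list)          # user -> [(timestamp, remote ip), ...]
    alerts = []
    for ev in events:
        user = ev.get("user", "").lower()
        ip = ev.get("remip", "")
        if ev.get("action") == "ssl-login-fail":
            failures[user].append((ev["ts"], ip))
        elif ev.get("action") == "tunnel-up":
            if user in dormant:
                alerts.append({"rule": "dormant_account_login", "user": user, "remip": ip, "ts": ev["ts"]})
            recent = [f for f in failures[user] if ev["ts"] - f[0] <= window]
            if len(recent) >= fail_threshold:
                alerts.append({"rule": "bruteforce_then_success", "user": user, "remip": ip,
                               "failures": len(recent),
                               "failure_ips": sorted({f[1] for f in recent}), "ts": ev["ts"]})
            if ip in bad_ips:
                alerts.append({"rule": "known_bad_ip_login", "user": user, "remip": ip, "ts": ev["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_vpn_abuse(SAMPLE_LOGS):
        print(alert)
```

The multi-day window matters here: the report notes the brute-force attempts and the successful login were days apart, so a rule that only correlates within minutes would miss the link. The dormant-account rule fires regardless of failures, which is the cheapest signal of the three and the one a periodic review of unused VPN accounts would have removed entirely.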

Next, the threat actor established RDP connections from the firewall to the failover server and deployed a persistent backdoor named “svchost.exe,” which a scheduled task executed daily.

Subsequent access to the network was made through this backdoor to avoid detection. Its main function is to connect to a command-and-control (C2) server over HTTP and execute arbitrary commands supplied by the attacker.

Group-IB reported that the actor exploited Veeam flaw CVE-2023-27532 to enable xp_cmdshell on the backup server and create a rogue user account named “VeeamBkp.” They also conducted network discovery, enumeration, and credential harvesting activities using tools such as NetScan, AdFind, and NitSoft.

“This exploitation potentially involved an attack originating from the VeeamHax folder on the file server against the vulnerable version of Veeam Backup & Replication software installed on the backup server,” according to Zi Wei.

“This activity facilitated the activation of the xp_cmdshell stored procedure and subsequent creation of the ‘VeeamBkp’ account.”

The attack culminated in the deployment of the ransomware, but not before steps were taken to impair defenses and move laterally from the AD server to all other servers and workstations using compromised domain accounts.

“Windows Defender was permanently disabled using DC.exe [Defender Control], followed by ransomware deployment and execution with PsExec.exe,” the group reported.
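A correlation rule for the backup-server sequence the report lays out (xp_cmdshell enabled, the “VeeamBkp” account created, Windows Defender disabled, PsExec deployed), added here as an example that is not part of the Group-IB report or this article. The event records are constructed; the Windows event IDs are the standard ones (4720 user account created, 5001 Defender real-time protection disabled, 7045 service installed), the SQL Server message is the text the engine writes to its error log when sp_configure changes that option, and the host and user names are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed event records, shaped like the normalised dicts a SIEM hands to a
# detection rule; they are sample data written for this example, not telemetry
# from the incident. Event IDs are the standard Windows ones (4720 account
# created, 5001 Defender real-time protection disabled, 7045 service installed);
# host and user names are made up.
EVENTS = [
    {"ts": "2024-04-10T09:02:11", "host": "BACKUP01", "source": "sqlserver_errorlog",
     "message": "Configuration option 'xp_cmdshell' changed from 0 to 1. "
                "Run the RECONFIGURE statement to install."},
    {"ts": "2024-04-10T09:02:40", "host": "BACKUP01", "source": "windows_security",
     "event_id": 4720, "subject_user": "svc_sql", "target_user": "VeeamBkp"},
    {"ts": "2024-04-10T22:15:03", "host": "BACKUP01", "source": "windows_defender",
     "event_id": 5001, "message": "Real-time protection is disabled."},
    {"ts": "2024-04-10T22:16:30", "host": "BACKUP01", "source": "windows_system",
     "event_id": 7045, "service_name": "PSEXESVC", "image_path": "%SystemRoot%\\PSEXESVC.exe"},
    # Benign noise on other hosts: a help-desk account creation and a routine service install.
    {"ts": "2024-04-10T10:00:00", "host": "DC01", "source": "windows_security",
     "event_id": 4720, "subject_user": "helpdesk.admin", "target_user": "new.hire"},
    {"ts": "2024-04-11T08:00:00", "host": "FILE01", "source": "windows_system",
     "event_id": 7045, "service_name": "BackupAgent", "image_path": "C:\\Program Files\\Agent\\agent.exe"},
]

# The stages of the post-exploitation chain described in the article, in the order
# the report gives them. Each is a predicate over one normalised event.
STAGES = [
    ("xp_cmdshell_enabled", lambda e: e.get("source") == "sqlserver_errorlog"
        and "'xp_cmdshell' changed from 0 to 1" in e.get("message", "")),
    ("local_account_created", lambda e: e.get("source") == "windows_security"
        and e.get("event_id") == 4720),
    ("defender_realtime_disabled", lambda e: e.get("source") == "windows_defender"
        and e.get("event_id") == 5001),
    ("psexec_service_installed", lambda e: e.get("event_id") == 7045
        and e.get("service_name", "").upper() == "PSEXESVC"),
]

SEVERITY = {1: "low", 2: "medium", 3: "high"}   # four or more stages -> "critical"


def match_chain(events, stages=STAGES, window_hours=24):
    """Group events per host and report which chain stages fired within
    window_hours of the first one; severity grows with the number of stages,
    so a lone 4720 on a domain controller stays low while the full sequence on
    the backup server is critical."""
    window = timedelta(hours=window_hours)
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(dict(e, ts=datetime.fromisoformat(e["ts"])))
    findings = {}
    for host, evs in by_host.items():
        first_seen = {}                      # stage name -> earliest matching timestamp
        for name, pred in stages:
            hits = [e["ts"] for e in evs if pred(e)]
            if hits:
                first_seen[name] = min(hits)
        if not first_seen:
            continue
        t0 = min(first_seen.values())
        in_window = [n for n, _ in stages if n in first_seen and first_seen[n] - t0 <= window]
        findings[host] = {"stages": in_window, "first_seen": t0,
                          "severity": SEVERITY.get(len(in_window), "critical")}
    return findings


if __name__ == "__main__":
    for host, f in match_chain(EVENTS).items():
        print(host, f["severity"], f["stages"])
```

The same shape accommodates the persistence step on the failover server (a scheduled task creation, Windows event 4698, running an executable named like a system binary from a non-system path) as an additional stage. In production the 4720 predicate should be scoped to hosts where account creation is not expected, such as backup and database servers, so that routine help-desk activity on a domain controller does not inflate the count.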

The finding follows Cisco Talos research showing that most ransomware groups prioritize gaining initial access through security weaknesses in public-facing applications, phishing attachments, or compromised valid accounts, and that defense evasion is a standard part of their attack chains.

The double-extortion strategy of exfiltrating data before encrypting files has also led the actors to develop specialized tools (e.g., Exmatter, Exbyte, and StealBit) for sending sensitive information to adversary-controlled infrastructure.

This means these e-crime groups maintain long-term access to the environment in order to study the network’s structure, locate resources that can support the attack, escalate privileges or blend in, and identify valuable data to steal.

“Over the past year, we have witnessed major shifts in the ransomware space with the emergence of multiple new ransomware groups, each exhibiting unique goals, operational structures and victimology,” according to Talos.

“The diversification highlights a shift toward more boutique-targeted cybercriminal activities, as groups such as Hunters International, Cactus and Akira carve out specific niches, focusing on distinct operational goals and stylistic choices to differentiate themselves.”
