RANSOMWARE GROUPS TARGETING CRITICAL SYSTEMS IN NIGERIA

Risk:
high
Damage:
high
Platform(s):
Microsoft® Windows OS, Linux OS, VMware ESXi, Oracle
Advisory ID:
ngCERT-2024-0033
Version:
N/A
CVE:
CVE-2023-27532
Published:
September 13, 2024

Summary


ngCERT is issuing an urgent security advisory regarding a high-severity vulnerability in Veeam Backup and Replication (VBR) software that has recently been exploited by ransomware groups. The flaw is designated CVE-2023-27532 and affects VBR versions 12 and below. Threat actors exploit this weakness to obtain encrypted and plaintext credentials stored in the configuration database, which are then used to elevate privileges and execute arbitrary code on affected systems. Successful exploitation may result in malware installation, system takeover, data exfiltration and ultimately ransomware attacks. It is pertinent to note that the Phobos ransomware group recently exploited this flaw in a ransomware attack on a cloud infrastructure within the Nigerian cyberspace. Accordingly, users are strongly advised to apply the latest security patches from Veeam for VBR and to implement the other mitigation steps recommended herein.

Description & Consequence


CVE-2023-27532 is a critical vulnerability in Veeam Backup & Replication (VBR) software that allows unauthorized users to access sensitive information, including encrypted credentials. Cybercriminals exploit this flaw by connecting to the exposed Veeam backup service (C:\Program Files\Veeam\Backup and Replication\Backup\Veeam.Backup.Service.exe) on TCP port 9401, where they can issue requests that extract confidential data from the backup infrastructure without proper authentication. To exploit CVE-2023-27532, attackers typically scan for unpatched Veeam instances exposed to the internet. Once they locate a vulnerable system, they bypass the authentication mechanism by sending crafted requests directly to the service, allowing them to obtain critical information such as administrative credentials. With this information, attackers can escalate privileges, gain unauthorized access to the backup environment, and even compromise the entire network. Such an exploit can lead to severe consequences, including data breaches, ransomware deployment, or malicious data manipulation, as backup servers often store highly sensitive and valuable information.

A successful exploitation of the VBR flaw could result in the following consequences:

  1. System Compromise.
  2. Malicious Script Injection.
  3. Data Exfiltration.
  4. Reputational Damage.
  5. Financial Loss.
  6. Credential Theft.
  7. Denial of Service (DoS) Attacks.
  8. Ransomware Attacks.

Solution


ngCERT recommends the following to mitigate attacks:

  1. Immediately apply the available patches provided by Veeam (see https://www.veeam.com/kb4420, https://www.veeam.com/kb4245). Ensure timely update of all operating systems, software and web browsers.
  2. Implement multi-factor authentication (MFA) for VPN and other remote access services.
  3. Implement a patch management policy to ensure that firmware and software in use are updated with the latest security patches to protect against known vulnerabilities.
  4. Segment critical systems and enforce strict firewall rules to limit lateral movement within the network. Disable unnecessary RDP access and restrict it to specific, trusted IP addresses.
  5. Implement application control on hosts to prevent execution of unauthorized programs. Ensure that only approved security applications are used and running on enterprise systems.
  6. Deploy threat detection tools such as Endpoint Detection and Response (EDR), Network Traffic Analysis (NTA) to detect and respond to suspicious activities.
  7. Develop and maintain an incident response plan that includes procedures for ransomware attacks and data breaches. Provisions should be made for reporting the same to sectorial CSIRTs and ngCERT.
  8. Review and strengthen access controls and authentication mechanisms for the Veeam Backup & Replication environment.
  9. Regularly review and update the backup and recovery processes to ensure the integrity and security of the backup data.
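The description above names the exposed service port (TCP 9401) and the mitigations call for segmenting the VBR environment and restricting access to trusted hosts (item 4). The following Python script is an added example, not ngCERT's or Veeam's code, of how a defender can check connection logs for that exposure: it parses Zeek-style conn.log records and flags any TCP/9401 connection to a VBR server from a source outside the backup management subnet. The server address 10.20.1.50, the management subnet 10.20.5.0/24 and the log lines themselves are constructed for the example.

```python
import ipaddress
from collections import Counter

# Constructed sample in Zeek conn.log style:
# ts, id.orig_h, id.resp_h, id.resp_p, proto, conn_state (tab-separated).
# These are made-up records, not logs from any real incident.
SAMPLE_CONN_LOG = """\
1726200001.1\t10.20.5.14\t10.20.1.50\t9401\ttcp\tSF
1726200002.3\t203.0.113.77\t10.20.1.50\t9401\ttcp\tSF
1726200003.9\t198.51.100.9\t10.20.1.50\t9401\ttcp\tS0
1726200004.2\t10.20.5.15\t10.20.1.50\t445\ttcp\tSF
1726200005.6\t203.0.113.77\t10.20.1.50\t9401\ttcp\tSF
1726200006.0\t10.30.9.2\t10.20.1.50\t9401\ttcp\tSF
"""

# Assumptions (not from the advisory): the VBR server's address and the
# subnet from which backup administration is legitimately performed.
VEEAM_SERVERS = {"10.20.1.50"}
MGMT_ALLOWLIST = [ipaddress.ip_network("10.20.5.0/24")]
VEEAM_SERVICE_PORT = 9401  # backup service port named in the advisory


def parse_conn_log(text):
    """Parse tab-separated records into dicts; skip blank or malformed lines."""
    records = []
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) != 6:
            continue
        ts, src, dst, port, proto, state = fields
        try:
            records.append({
                "ts": float(ts),
                "src": ipaddress.ip_address(src),
                "dst": ipaddress.ip_address(dst),
                "port": int(port),
                "proto": proto,
                "state": state,
            })
        except ValueError:
            # Unparseable timestamp, address or port: ignore the record.
            continue
    return records


def is_allowed_source(addr):
    """True if the source address lies inside an allowlisted management subnet."""
    return any(addr in net for net in MGMT_ALLOWLIST)


def find_unauthorised_veeam_access(records):
    """Return TCP/9401 connections to a VBR server from outside the management subnet.

    Internal hosts outside the allowlist are flagged too: the segmentation
    guidance is that only designated management hosts reach this service.
    """
    return [
        r for r in records
        if r["proto"] == "tcp"
        and r["port"] == VEEAM_SERVICE_PORT
        and str(r["dst"]) in VEEAM_SERVERS
        and not is_allowed_source(r["src"])
    ]


def summarise_by_source(hits):
    """Count flagged connections per source address, keyed by string for reporting."""
    return dict(Counter(str(r["src"]) for r in hits))


if __name__ == "__main__":
    hits = find_unauthorised_veeam_access(parse_conn_log(SAMPLE_CONN_LOG))
    for src, count in summarise_by_source(hits).items():
        print(f"ALERT: {count} connection(s) to Veeam service port "
              f"{VEEAM_SERVICE_PORT} on a VBR server from non-management host {src}")
```

On the sample data the script flags two internet sources and one internal host that is not in the management subnet; the connection from 10.20.5.14 and the SMB connection on port 445 are not reported. In production, replace the constructed sample with the output of the sensor's conn.log and set the server set and allowlist to the organisation's own values; any hit from outside the allowlist is a segmentation gap to close before relying on the patch alone.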
