Attacks leveraging Veeam backup software flaw launched by novel ransomware gang

Newly emergent EstateRansomware ransomware group has deployed intrusions leveraging the already addressed high-severity Veeam Backup & Replication software flaw, tracked as CVE-2023-27532, since April, The Hacker News reports.

Intrusions by EstateRansomware involved the targeting of a Fortinet FortiGate firewall SSL VPN instance with brute-force attempts for initial access before launching the persistent "svchost.exe" backdoor and conducting remote desktop protocol-based lateral movement, an analysis from Group-IB showed. Exploitation of the vulnerability was then followed by "xp_cmdshell" activation and the creation of the new "VeeamBkp" account, which was used alongside NetScan and other hacking tools for malicious activities. Attackers then moved to deactivate Windows Defender before distributing ransomware, according to researchers. Such findings come after a Cisco Talos report detailing the evolving tactics, techniques, and procedures employed by ransomware operations. "The diversification highlights a shift toward more boutique-targeted cybercriminal activities, as groups such as Hunters International, Cactus, and Akira carve out specific niches, focusing on distinct operational goals and stylistic choices to differentiate themselves," said Cisco Talos.