A new affiliate of the ALPHV/BlackCat ransomware operation, tracked by Mandiant as UNC4466, is exploiting three vulnerabilities in Veritas Backup Exec to gain initial access to targeted networks. The vendor patched all three flaws in March 2021, well over a year before this exploitation began.
Exploitation of Veritas bugs
Mandiant researchers have observed UNC4466 exploiting the Veritas vulnerabilities in the wild since October 2022.
An internet-wide port scan found more than 8,500 IP addresses advertising the Symantec/Veritas Backup Exec agent service (an NDMP-based listener) on the default port 10000 or on ports 9000 and 10001. Any of these that are still unpatched are reachable by this attack.
In September 2022, a Metasploit module exploiting the vulnerabilities was released publicly; UNC4466 is believed to use that module in its attacks.
Bugs under exploitation
The three high-severity vulnerabilities affecting the product are tracked as:
CVE-2021-27876: arbitrary file access flaw
CVE-2021-27877: remote unauthorized access
CVE-2021-27878: arbitrary command execution flaw
These vulnerabilities were disclosed by Veritas in March 2021, and a fix was released with version 21.2.
Attack tactics and the toolset
For initial access, UNC4466 targets internet-exposed Windows servers running an unpatched version of Veritas Backup Exec, using the publicly available Metasploit module.
After obtaining access to the target network, the attackers use Advanced IP Scanner and ADRecon to collect further details on the environment.
Depending on the environment, additional tools such as Mimikatz, RCLONE, LAZAGNE, WINSW, Nanodump, and LIGOLO are downloaded onto the compromised system.
Eventually, scheduled tasks are added to the Default Domain Policy, security software is turned off, and the ALPHV ransomware encryptor is delivered through the Background Intelligent Transfer Service (BITS).
To evade detection, the event logs are cleared and Microsoft Defender's real-time monitoring is disabled.
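Each step of the post-exploitation chain above leaves a Windows event-log record: a change to the Default Domain Policy container (Security 5136 on a domain controller), scheduled task creation (Security 4698), Defender real-time protection being turned off (Microsoft-Windows-Windows Defender/Operational 5001), a BITS download (Microsoft-Windows-Bits-Client/Operational 59), and log clearing (Security 1102, System 104). The hunt below is an added example written for this article, not code from Mandiant or Veritas. It runs those rules over exported event records and escalates hosts where more than one stage of the chain is visible. The sample records are constructed; the EventData field names follow the Windows schema as I recall them (the BITS ones, "name" and "url", should be checked against your own export), and TRUSTED_BITS_HOSTS is a per-site assumption.

```python
"""Hunt for the UNC4466 post-exploitation chain in exported Windows events.

Added example for illustration; not Mandiant's or Veritas's code.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Well-known GUID of the Default Domain Policy GPO (this is a fixed value in AD).
DEFAULT_DOMAIN_POLICY_GUID = "{31B2F340-016D-11D2-945F-00C04FB984F9}"

# Assumption: hosts a BITS download is allowed to come from; edit per site.
TRUSTED_BITS_HOSTS = {"wsus.corp.example", "download.windowsupdate.com"}


@dataclass
class Event:
    ts: str                                   # ISO-8601 timestamp (sorts as text)
    host: str                                 # computer that logged the record
    channel: str                              # event log channel name
    event_id: int
    data: dict = field(default_factory=dict)  # EventData fields by name


@dataclass
class Finding:
    ts: str
    host: str
    rule: str
    stage: str                                # persistence / defense_evasion / delivery
    detail: str


def _bits_external(d):
    """True when the BITS job pulls from a host outside the allowlist."""
    host = urlparse(d.get("url", "")).hostname
    return bool(host) and host not in TRUSTED_BITS_HOSTS


# (rule name, stage, channel, event id, predicate on EventData, detail formatter)
RULES = [
    ("default_domain_policy_modified", "persistence", "Security", 5136,
     lambda d: DEFAULT_DOMAIN_POLICY_GUID.lower() in d.get("ObjectDN", "").lower(),
     lambda d: f"{d.get('AttributeLDAPDisplayName')} changed by {d.get('SubjectUserName')}"),
    ("scheduled_task_created", "persistence", "Security", 4698,
     lambda d: True,
     lambda d: f"task {d.get('TaskName')} created by {d.get('SubjectUserName')}"),
    ("defender_realtime_disabled", "defense_evasion",
     "Microsoft-Windows-Windows Defender/Operational", 5001,
     lambda d: True, lambda d: "real-time protection disabled"),
    ("security_log_cleared", "defense_evasion", "Security", 1102,
     lambda d: True, lambda d: f"audit log cleared by {d.get('SubjectUserName')}"),
    ("system_log_cleared", "defense_evasion", "System", 104,
     lambda d: True, lambda d: "System log cleared"),
    ("bits_download_external", "delivery",
     "Microsoft-Windows-Bits-Client/Operational", 59,
     _bits_external, lambda d: f"BITS job {d.get('name')} from {d.get('url')}"),
]


def hunt(events):
    """Apply every rule to every record; return findings in time order."""
    findings = []
    for ev in events:
        for name, stage, channel, eid, pred, fmt in RULES:
            if ev.channel == channel and ev.event_id == eid and pred(ev.data):
                findings.append(Finding(ev.ts, ev.host, name, stage, fmt(ev.data)))
    return sorted(findings, key=lambda f: f.ts)


def escalate(findings):
    """Hosts worth a ticket: two or more stages of the chain on one host, or any
    Default Domain Policy change (logged on the DC, so it is escalated alone)."""
    stages, rules = defaultdict(set), defaultdict(set)
    for f in findings:
        stages[f.host].add(f.stage)
        rules[f.host].add(f.rule)
    return sorted(h for h in stages
                  if len(stages[h]) >= 2 or "default_domain_policy_modified" in rules[h])


# Constructed sample telemetry, not real logs: one intrusion plus benign WSUS noise.
SAMPLE_EVENTS = [
    Event("2023-03-01T02:10:05Z", "DC01", "Security", 5136,
          {"SubjectUserName": "svc_backup",
           "ObjectDN": "CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,"
                       "CN=System,DC=corp,DC=example",
           "AttributeLDAPDisplayName": "versionNumber"}),
    Event("2023-03-01T02:12:40Z", "FS01", "Security", 4698,
          {"SubjectUserName": "svc_backup", "TaskName": "\\update"}),
    Event("2023-03-01T02:13:02Z", "FS01",
          "Microsoft-Windows-Windows Defender/Operational", 5001, {}),
    Event("2023-03-01T02:13:30Z", "FS01",
          "Microsoft-Windows-Bits-Client/Operational", 59,
          {"name": "upd", "url": "http://203.0.113.7/x.exe"}),
    Event("2023-03-01T02:14:00Z", "FS01", "Security", 1102,
          {"SubjectUserName": "svc_backup"}),
    Event("2023-03-01T03:00:00Z", "WS22",
          "Microsoft-Windows-Bits-Client/Operational", 59,
          {"name": "WU", "url": "http://wsus.corp.example/Content/abc.cab"}),
]

if __name__ == "__main__":
    found = hunt(SAMPLE_EVENTS)
    for f in found:
        print(f"{f.ts} {f.host:6} {f.stage:16} {f.rule}: {f.detail}")
    print("escalate:", escalate(found))
```

The rules are deliberately loose individually (a 4698 or a BITS job is routine); the value is in escalate(), which only raises hosts where several stages line up, plus any edit to the Default Domain Policy, which should never happen outside a change window.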
Concluding notes
ALPHV/BlackCat is a sophisticated RaaS operation already known for exploiting unpatched, internet-exposed systems, and the Veritas Backup Exec flaws add another initial-access vector to its affiliates' playbook. Backup servers are a high-value target because they hold credentials and reach into every system they protect, so they should not be reachable from the internet at all. Organizations should confirm that their Backup Exec installations are at version 21.2 or later, restrict the agent ports (10000, 9000, 10001) to the backup network, and maintain a multi-layered defense with a robust patch-management process.