
FIN7 Hackers Began Utilizing Veeam’s

By Esme Greene

Jun 8, 2023

Unprotected instances of the Veeam Backup & Replication (VBR) backup application are being used in attacks by the Russian cybercriminal group FIN7 (also known as Anunak and Carbanak), according to researchers at the security firm WithSecure.

In late March 2023, WithSecure observed FIN7 attacks against Internet-facing systems running Veeam Backup & Replication. During the attacks, the intruders executed payloads on the vulnerable installations.

Experts' Research on the Cyberattacks

Researchers observed the Veeam Backup process using a shell command to download and run the POWERTRASH PowerShell dropper. The dropper delivers the DICELOADER backdoor (also known as Lizar and Tirion), previously linked to FIN7, which lets the attackers carry out a variety of post-exploitation operations.

“The exact method used by the attacker to invoke the initial shell commands remains unknown, but it was most likely achieved through a recently patched Veeam Backup & Replication vulnerability, CVE-2023-27532, which could allow unauthorized access to a Veeam Backup & Replication instance,” WithSecure stated.

CVE-2023-27532 (CVSS score: 7.5) was patched in early March, and proof-of-concept exploit code for the flaw was published shortly afterwards. The bug affects every version of the application and can be exploited by unauthenticated attackers to steal credentials and remotely execute malicious code with SYSTEM privileges.

How Did the Attack Happen?

The hackers gained access to the Veeam instances a few days before the servers were infected, and this activity is also how they identified which servers were accessible. Their malicious activity allowed them to perform system reconnaissance, steal data from the Veeam backup database, obtain saved credentials, establish persistence for the DICELOADER backdoor, and move laterally using the stolen credentials.

So far, WithSecure has detected these FIN7 attacks in two incidents. In both cases the first activity began on the same day and from the same public IP address, which suggests that the episodes were part of a wider operation.

However, the scope of this campaign is believed to be limited, given how rarely Veeam backup servers expose TCP port 9401 to the Internet.
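As an added example (not from the article or from WithSecure), the following Python check flags the process chain described above, the Veeam backup service launching cmd.exe or PowerShell, over constructed process-creation events; the executable name Veeam.Backup.Service.exe and the key=value event layout are assumptions.

```python
from __future__ import annotations
import ntpath

# Assumption (not named in the article): the Veeam backup service runs as
# Veeam.Backup.Service.exe. These children are the shells a dropper would be run through.
VEEAM_PARENTS = {"veeam.backup.service.exe"}
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe"}

# Constructed sample process-creation events in a key=value layout (not real telemetry).
SAMPLE_EVENTS = [
    "ParentImage=C:\\Program Files\\Veeam\\Backup and Replication\\Backup\\Veeam.Backup.Service.exe"
    "|Image=C:\\Windows\\System32\\cmd.exe"
    "|CommandLine=cmd.exe /c powershell -nop -w hidden -enc AAAA",
    "ParentImage=C:\\Windows\\explorer.exe"
    "|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|CommandLine=powershell.exe Get-Date",
    "ParentImage=C:\\Program Files\\Veeam\\Backup and Replication\\Backup\\Veeam.Backup.Service.exe"
    "|Image=C:\\Program Files\\Veeam\\Backup and Replication\\Backup\\Veeam.Backup.Manager.exe"
    "|CommandLine=Veeam.Backup.Manager.exe",
]


def parse_event(line: str) -> dict[str, str]:
    """Split 'Key=Value|Key=Value' into a dict; values may themselves contain '='."""
    return dict(field.split("=", 1) for field in line.split("|"))


def is_veeam_shell_spawn(event: dict[str, str]) -> bool:
    """True when the Veeam backup service spawned a command shell or PowerShell."""
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    child = ntpath.basename(event.get("Image", "")).lower()
    return parent in VEEAM_PARENTS and child in SHELL_CHILDREN


def find_veeam_shell_spawns(lines: list[str]) -> list[str]:
    """Return the command lines of the events that match the detection."""
    return [e["CommandLine"] for e in map(parse_event, lines) if is_veeam_shell_spawn(e)]


if __name__ == "__main__":
    for cmd in find_veeam_shell_spawns(SAMPLE_EVENTS):
        print("ALERT: Veeam backup service spawned a shell:", cmd)
```

A legitimate Veeam child process (the third sample event) is not flagged, so the rule keys on the shell child rather than on the parent alone.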
