ALPHV Ransomware Exploits Veritas Backup Exec
April 5th, 2023
Ransomware group ALPHV is actively exploiting three known vulnerabilities in Veritas Backup Exec software.
Veritas Backup Exec is a popular backup and recovery product used by thousands of organizations worldwide. Like all software, it is not immune to bugs and vulnerabilities, and ALPHV has been exploiting three of them to compromise target systems. Once access is gained, the attackers have many options, including installing backdoors, stealing data and deploying ransomware.
The vulnerabilities being exploited are:
CVE-2021-27876
CVE-2021-27877
CVE-2021-27878
Cyber insurance carriers have identified Acreto as one of the most effective ways to prevent ransomware. These carriers strongly recommend and even mandate Acreto for high-risk customers. Acreto provisions in minutes and deploys in a few hours.
The Acreto platform addresses the ALPHV and other ransomware challenges by:
- Eliminating the Internet attack surface
- Eliminating the internal attack surface through segmentation
- Applying advanced file controls that block the download of file types such as .exe, .dll, .msi and .scr used by malware
- Implementing inline SSL/TLS decryption
- Implementing inline threat detection and mitigation for all communications
Technical Data
According to published reports, the ALPHV-linked threat actor tracked as UNC4466 gains access to an internet-exposed Windows server running Veritas Backup Exec by using a publicly available Metasploit module. Once the initial compromise is achieved, the threat actor uses Advanced IP Scanner and ADRecon to gather information about the victim's environment.
The attacker then downloads additional tools such as LaZagne, Ligolo, WinSW and Rclone, and eventually delivers the ALPHV ransomware encryptor through BITS (Background Intelligent Transfer Service).
The threat actor establishes SOCKS5 tunneling to communicate with the command-and-control (C2) server. The report states that UNC4466 uses BITS transfers to download the SOCKS5 tunneling tools, then deploys the ransomware payload by adding immediate tasks to the default domain policy, disabling security software, and executing the encryptor.
The attacker uses Mimikatz, LaZagne and Nanodump to harvest valid user credentials and escalate privileges. Finally, the threat actor attempts to evade detection by clearing event logs and disabling Microsoft Defender's real-time monitoring.
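The chain above leaves a recognisable trail in standard Windows event logs: a BITS transfer pulling an executable, the same scheduled task appearing on many hosts at once (the signature of a GPO "immediate task"), Defender real-time protection being switched off, and the Security log being cleared. The following detection sketch is an added example, not part of the original post and not Acreto's code. It runs over a constructed list of events in an assumed normalised schema (the `time`, `host`, `channel`, `event_id` and `data` fields, the hostnames, URL, task name and user are all invented for the demo); the event IDs themselves are the real Windows ones (Security 1102 and 4698, Windows Defender/Operational 5001, Bits-Client/Operational 59). The BITS rule also reuses the risky file extensions listed earlier on this page.

```python
"""Detection sketch for the post-exploitation chain described above.

Added example over CONSTRUCTED events; the record layout is an assumed
normalised schema, not a real log format. Event IDs are the standard ones:
Security 1102 (audit log cleared), Security 4698 (scheduled task created),
Microsoft-Windows-Windows Defender/Operational 5001 (real-time protection
disabled), Microsoft-Windows-Bits-Client/Operational 59 (transfer started).
"""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# File types named earlier on the page as typical malware carriers.
RISKY_EXTENSIONS = (".exe", ".dll", ".msi", ".scr")


def _t(ev):
    return datetime.fromisoformat(ev["time"])


def audit_log_cleared(events):
    """Security 1102: the Security log was cleared (the evasion step above)."""
    return [(ev["host"], f"Security log cleared by {ev['data'].get('subject')}")
            for ev in events
            if ev["channel"] == "Security" and ev["event_id"] == 1102]


def defender_realtime_disabled(events):
    """Defender Operational 5001: real-time protection turned off."""
    return [(ev["host"], "Defender real-time protection disabled")
            for ev in events
            if ev["channel"] == "Microsoft-Windows-Windows Defender/Operational"
            and ev["event_id"] == 5001]


def bits_executable_download(events):
    """BITS-Client 59 whose URL path ends in one of the risky extensions."""
    hits = []
    for ev in events:
        if (ev["channel"] != "Microsoft-Windows-Bits-Client/Operational"
                or ev["event_id"] != 59):
            continue
        url = ev["data"].get("url", "")
        if urlparse(url).path.lower().endswith(RISKY_EXTENSIONS):
            hits.append((ev["host"], f"BITS job {ev['data'].get('job')} fetching {url}"))
    return hits


def task_fanout(events, min_hosts=3, window=timedelta(minutes=10)):
    """Security 4698 for one task name on many hosts inside a short window.

    A task pushed as a GPO immediate task lands on every machine that refreshes
    policy, so the same name shows up across hosts almost simultaneously.
    """
    by_task = defaultdict(list)
    for ev in events:
        if ev["channel"] == "Security" and ev["event_id"] == 4698:
            by_task[ev["data"]["task_name"]].append(ev)
    hits = []
    for name, evs in by_task.items():
        evs.sort(key=_t)
        hosts = sorted({e["host"] for e in evs})
        if len(hosts) >= min_hosts and _t(evs[-1]) - _t(evs[0]) <= window:
            hits.append((hosts, f"task {name!r} created on {len(hosts)} hosts"))
    return hits


def detect(events):
    """Run every rule; return {rule_name: findings} for rules that fired."""
    rules = {
        "audit_log_cleared": audit_log_cleared,
        "defender_realtime_disabled": defender_realtime_disabled,
        "bits_executable_download": bits_executable_download,
        "task_fanout": task_fanout,
    }
    return {name: found for name, rule in rules.items() if (found := rule(events))}


# Constructed sample events: hostnames, URL, task name and accounts are invented.
SAMPLE_EVENTS = [
    {"time": "2023-04-01T02:00:00", "host": "srv-backup01", "event_id": 59,
     "channel": "Microsoft-Windows-Bits-Client/Operational",
     "data": {"job": "update", "url": "http://example.invalid/files/enc.exe"}},
    {"time": "2023-04-01T02:00:30", "host": "srv-backup01", "event_id": 59,
     "channel": "Microsoft-Windows-Bits-Client/Operational",
     "data": {"job": "docs", "url": "http://example.invalid/readme.txt"}},
    {"time": "2023-04-01T02:05:00", "host": "ws-101", "channel": "Security",
     "event_id": 4698, "data": {"task_name": "\\Deploy", "subject": "CORP\\svc_deploy"}},
    {"time": "2023-04-01T02:05:20", "host": "ws-102", "channel": "Security",
     "event_id": 4698, "data": {"task_name": "\\Deploy", "subject": "CORP\\svc_deploy"}},
    {"time": "2023-04-01T02:06:10", "host": "ws-103", "channel": "Security",
     "event_id": 4698, "data": {"task_name": "\\Deploy", "subject": "CORP\\svc_deploy"}},
    {"time": "2023-04-01T02:07:00", "host": "ws-101", "event_id": 5001,
     "channel": "Microsoft-Windows-Windows Defender/Operational", "data": {}},
    {"time": "2023-04-01T02:09:00", "host": "ws-101", "channel": "Security",
     "event_id": 1102, "data": {"subject": "CORP\\svc_deploy"}},
    {"time": "2023-04-01T09:00:00", "host": "ws-200", "channel": "Security",
     "event_id": 4698, "data": {"task_name": "\\Backup", "subject": "CORP\\admin"}},
]

if __name__ == "__main__":
    for rule, findings in detect(SAMPLE_EVENTS).items():
        for where, detail in findings:
            print(f"[{rule}] {where}: {detail}")
```

Running the file prints one line per finding; against the sample data all four rules fire, while the lone `\Backup` task on a single host and the `readme.txt` transfer are left alone. The fan-out rule is the one worth tuning in a real estate: raise `min_hosts` to match how many machines a legitimate software-deployment task normally touches, and feed it the real 4698 stream so that a domain-policy push stands out from routine scheduling.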
About Acreto
Acreto delivers full-stack cybersecurity without products, logistics or significant security expertise. It creates and consolidates the best of cybersecurity into a single plug-and-play platform with automated updates to stay ahead of threats. Acreto activates enterprise-grade security instantly, so organizations can run safely, easily, and without interruption.