Getty Images
HC3 Warns Healthcare of Cyberattacks Against Popular Data Backup Software
Threat actors have been leveraging a vulnerability in Veeam Backup & Replication software to gain network access and execute malicious code.
The Health Sector Cybersecurity Coordination Center’s (HC3) latest alert details the growing trend of threat actors targeting a known vulnerability in Veeam Backup & Replication (VBR) software. VBR is a popular software product that can be used to back up, replicate, and restore data on virtual machines (VMs).
The vulnerability, known as CVE-2023-27532, is a high-severity vulnerability with a CVSS score of 7.5 that exposes encrypted credentials stored in the VBR configuration to unauthenticated users. If successfully exploited, threat actors may be able to gain access to the backup infrastructure hosts and could steal data or deploy ransomware.
“What makes this threat significant is that in addition to backing up and recovering VMs, it is used to protect and restore individual files and applications for environments such as Microsoft Exchange and SharePoint, which are used in the HPH sector,” HC3 noted.
“Veeam Backup & Replication also has the ability to provide transaction-level restores of Oracle and Microsoft SQL databases. HC3 recommends that all HPH sector entities be aware of suspicious activity, keep systems up to date, and immediately patch any vulnerable systems.”
Word spread about the vulnerability’s potential damage in late March 2023, when researchers identified threat actor group FIN7 carrying out attacks against internet-facing servers running VBR software. FIN7 is a long-standing financially motivated threat group that has been known to affiliate with other groups, such as BlackBasta, REvil, and Conti.
“On March 28th, malicious activity similar to FIN7 was observed across internet-facing servers running Veeam Backup & Replication software. A SQL server process written as “sqlservr.exe” related to the Veeam Backup instance executed a shell command, which performed in-memory download and execution of a PowerShell script,” the alert stated.
“According to threat researchers, based on the timing of the campaign, open TCP port 9401 on compromised servers, and the hosts running a vulnerable version of VBR, the researchers believe that the intruder likely exploited the CVE-2023-27532 vulnerability for access and malicious code execution.”
Veeam Software addressed the vulnerability by providing workaround instructions to customers on March 7. However, later that month, a penetration testing company released research that showed how an unsecured application programming interface (API) endpoint could be abused to extract credentials in plain text. The threat researchers suggested that approximately 7,500 internet-exposed VBR hosts may be vulnerable.
Veeam Software has stated that the vulnerability impacts all VBR versions and encouraged users to upgrade to a supported VBR version if they were previously using an outdated version. In addition, all users should apply the patch as soon as possible.
“HC3 recommends that all HPH sector entities remain vigilant and aware of suspicious activity, keep systems up to date, and immediately patch any vulnerable systems,” HC3 concluded.
“In addition to this, organizations are encouraged to take a proactive approach by using CISA’s free cybersecurity services and tools to strengthen their cyber posture.”