Ransomware attackers are exploiting a vulnerability in a year-old backup

Security intelligence firm Group-IB reports that attackers from a newly formed ransomware group – EstateRansomware – exploited a year-old vulnerability (CVE-2023-27532) in backup software from Veeam as part of a sophisticated attack chain.

Anatomy of an attack

EstateRansomware exploited an inactive account on the Fortinet FortiGate firewall SSL VPN network to gain initial access.

After access was achieved, the team deployed a persistent backdoor, performed network discovery, and harvested information.

Attempts to exploit the CVE-2023-27532 vulnerability in Veeam were followed by the activation of a shell and the creation of a malicious user account, Group-IB reported. These rogue user accounts have made a concerted move.

Attackers have made extensive use of NetScan, AdFind, and various tools provided by NirSoft for network discovery, enumeration, and authentication harvesting.

EstateRansomware finally released its ransomware payload after disabling Windows Defender.

A variant of Lockbit 3.0 ransomware was used to encrypt files and delete logs.

LockBit 3.0 shares similarities with other types of ransomware such as BlackMatter and Alphv (also known as BlackCat), suggesting a possible connection or inspiration between these groups.

EstateRansomware

The EstateRansomware group first emerged in April 2024 and is active in attacks in the UAE, France, Hong Kong, Malaysia, and the US, according to Group-IB.

The group is one of several active ransomware groups currently operating, many of which use proxies to carry out attacks as part of a ransomware-as-a-service business model.

“The EstateRansomware group demonstrates a systematic and resourceful approach to ransomware attacks, particularly the amount of pre-exploitation work involved,” Fearghal Hughes, cyber threat intelligence analyst at ReliaQuest told CSOonline. “This demonstrates the need for a comprehensive and effective cyber security strategy.”

EstateRansomware’s approach relies heavily on exploiting unpatched network security vulnerabilities.

Martin Greenfield, CEO of security monitoring firm Quod Orbis, commented, “EstateRansomware is likely to target those organizations that don’t get the basics right, such as patching, making backups or ensuring that access controls are enforced.”

He added, “Not doing basic things correctly is the reason why there are so many violations of the law.” Organizations should ensure that there are regular and secure backups, your controls should be applied consistently and all your designs should be designed for failure to make your environment resilient.”

Application

ReliaQuest has provided a five-point action plan for dealing with EstateRansomware and similar threats:

  • Prioritizing timely patching of known vulnerabilities, especially those exposed in widely used software.
  • Adopting a zero-trust approach to network security.
  • Use multi-factor authentication for all remote access points and critical systems.
  • Use network isolation to limit the spread of ransomware.
  • Ensuring that backup systems are secure, regularly tested, and isolated from the main network.

Source link