Saturday, July 13, 2024

CISA Urges to Fix Backup Exec Bug Exploited to Deploy Ransomware

A new ALPHV (aka BlackCat) ransomware affiliate has been identified and is tracked as UNC4466. This affiliate targets Veritas Backup Exec installations that are vulnerable to CVE-2021-27876, CVE-2021-27877, and CVE-2021-27878. However, these CVEs are used for initial access only.

A commercial internet scanning tool found as many as 8500 Veritas Backup Exec installations. The number still running unpatched versions may be significant.

In the past, ALPHV intrusions usually began with stolen credentials. These intrusions instead originated from the targeting of known vulnerabilities, which indicates that the criminals' methods have evolved.

BLACKMATTER and DARKSIDE ransomware are the predecessors of ALPHV ransomware, which was released in November 2021 as ransomware-as-a-service. Some ransomware is designed to avoid critical infrastructure, but ALPHV is still in the wild targeting sensitive industries.


| CVE | Vendor/Project | Product | Vulnerability Name | Date Added to Catalog | Short Description | Action | Due Date |
| --- | --- | --- | --- | --- | --- | --- | --- |
| CVE-2021-27876 | Veritas | Backup Exec Agent | Veritas Backup Exec Agent File Access Vulnerability | 2023-04-07 | Veritas Backup Exec (BE) Agent contains a file access vulnerability that could allow an attacker to specially craft input parameters on a data management protocol command to access files on the BE Agent machine. | Apply updates per vendor instructions. | 2023-04-28 |
| CVE-2021-27877 | Veritas | Backup Exec Agent | Veritas Backup Exec Agent Improper Authentication Vulnerability | 2023-04-07 | Veritas Backup Exec (BE) Agent contains an improper authentication vulnerability that could allow an attacker unauthorized access to the BE Agent via SHA authentication scheme. | Apply updates per vendor instructions. | 2023-04-28 |
| CVE-2021-27878 | Veritas | Backup Exec Agent | Veritas Backup Exec Agent Command Execution Vulnerability | 2023-04-07 | Veritas Backup Exec (BE) Agent contains a command execution vulnerability that could allow an attacker to use a data management protocol command to execute a command on the BE Agent machine. | Apply updates per vendor instructions. | 2023-04-28 |

Source: CISA


  • March 2021 – Veritas publishes advisories for Veritas Backup Exec 16.x, 20.x and 21.x.
  • September 23, 2022 – Metasploit releases a module to exploit Veritas Backup Exec versions.
  • October 22, 2022 – Mandiant observes the Veritas vulnerabilities being exploited.

Attack Phases of ALPHV

Initial Compromise and Establish Foothold

UNC4466 used the Metasploit module exploit/multi/veritas/beagent_sha_auth_rce to exploit internet-facing Windows servers running Veritas Backup Exec. The Metasploit persistence module was then used to maintain persistent access to the systems for the remainder of the intrusion.

Internal Reconnaissance

Once UNC4466 had access to the Veritas Backup Exec server, they used Internet Explorer to download Famatech’s Advanced IP Scanner from its website. This tool can scan individual IP addresses or ranges of addresses and report ports, hostnames, and system hardware information.

UNC4466 also performed Active Directory reconnaissance using ADRecon to gather network, host, and account information about the victim’s environment.

With a privileged domain account, ADRecon generates several reports about the AD environment, including trusts, sites, subnets, password policies, and computer and user account listings.

These reports can be exported in formats such as CSV, XML, JSON, and HTML.

Ingress Tool Transfer

Once they gained privileged access, they transferred additional tools like LAZAGNE, LIGOLO, WINSW, RCLONE, and the ALPHV ransomware encryptor.

C&C (Command and Control)

For command-and-control communication, UNC4466 used SOCKS5 tunneling into the victim network. Tools like LIGOLO and REVSOCKS were deployed to evade network defenses and intrusion prevention systems.

They used BITS Transfer to download several resources to the staging directory “C:\ProgramData”, supported by SOCKS5 tunneling, REVSOCKS, and LIGOLO.

Escalate Privileges

To dump credentials, the threat actor used tools like Mimikatz, LaZagne, and Nanodump to gather the credentials in clear text.

According to reports, in November 2022 UNC4466 used the MIMIKATZ Security Support Provider injection module (MISC::MemSSP), which manipulates the Local Security Authority Subsystem Service (LSASS) to collect credentials in clear text and store them in a file named “C:\Windows\System32\mimilsa.log”.

Source: Mandiant

Complete Mission

ALPHV is a Rust-based ransomware that UNC4466 deploys. The group also modified the default domain policy so that it performs malicious actions such as disabling security software, downloading the ALPHV encryptor, and executing it.


As stated, a commercial internet scanning tool found nearly 8500 IP addresses running Veritas Backup Exec service (Symantec/Veritas Backup Exec ndmp) on ports 10000, 9000, and 10001.

However, this scan did not identify which of these systems are running vulnerable versions; threat actors could potentially exploit those that are.


Internet-facing systems running Veritas Backup Exec versions before 21.2 should be treated as a high priority.

Exploited systems show particular entries in the Backup Exec log file. To detect and alert on these events, it is recommended to forward the log file to the SIEM and create an alert for the specific events.

[nnnn] YYYY-mm-ddTHH:MM:SS.sss [ndmp\ndmpsrvr]      + ndmpd.cpp (nnn):

[nnnn] YYYY-mm-ddTHH:MM:SS.sss [ndmp\ndmpsrvr]      | Session 1 started

[nnnn] YYYY-mm-ddTHH:MM:SS.sss [ndmp\ndmpsrvr]      – sslOpen() : Opening SSL for: 0x00000

[nnnn] YYYY-mm-ddTHH:MM:SS.sss [ndmp\ndmpsrvr]      – sslOpen(): certinfo = 0x00000; sslConn = 0x00000

[nnnn] YYYY-mm-ddTHH:MM:SS.sss [ndmp\ndmpcomm]      – ndmpRun: Control connection accepted : connection established between end-points [Server IP]:10000 and [Remote IP]:[remote port]
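One way to build the alert described above, as an added example that is not from Mandiant, Veritas or the original article: the parser below pulls the remote peer out of each "Control connection accepted" line and reports peers that are not on an allowlist. The allowlist range, the function name and the sample log entries are assumptions constructed for illustration.

```python
import ipaddress
import re

# Shape of the "Control connection accepted" line in the Backup Exec agent log.
# \S accepts whichever marker character precedes the message text.
CONN_RE = re.compile(
    r"^\[\d+\]\s+(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d\.\d{3})\s+"
    r"\[ndmp\\ndmpcomm\]\s+\S\s+ndmpRun: Control connection accepted\s*:\s*"
    r"connection established between end-points\s+"
    r"(?P<agent>[\d.]+:\d+)\s+and\s+(?P<rem>[\d.]+):(?P<rport>\d+)"
)

# Assumption: the only hosts expected to open NDMP sessions to this agent.
TRUSTED_PEERS = [ipaddress.ip_network("10.20.0.0/28")]
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample log; all addresses are made up for this example.
SAMPLE_LOG = r"""
[4112] 2023-01-15T03:12:44.101 [ndmp\ndmpsrvr]      | Session 1 started
[4112] 2023-01-15T03:12:44.120 [ndmp\ndmpcomm]      - ndmpRun: Control connection accepted : connection established between end-points 10.20.0.50:10000 and 10.20.0.5:51544
[4112] 2023-01-15T09:40:02.007 [ndmp\ndmpsrvr]      | Session 2 started
[4112] 2023-01-15T09:40:02.031 [ndmp\ndmpcomm]      - ndmpRun: Control connection accepted : connection established between end-points 10.20.0.50:10000 and 203.0.113.7:40112
[4112] 2023-01-15T11:02:19.554 [ndmp\ndmpcomm]      - ndmpRun: Control connection accepted : connection established between end-points 10.20.0.50:10000 and 10.99.3.4:49810
"""

def find_untrusted_connections(log_text, trusted=TRUSTED_PEERS):
    """Return one alert dict per control connection from a non-allowlisted peer."""
    alerts = []
    for line in log_text.splitlines():
        m = CONN_RE.match(line.strip())
        if not m:
            continue
        try:
            remote = ipaddress.ip_address(m["rem"])
        except ValueError:
            continue  # malformed address field; skip rather than crash
        if any(remote in net for net in trusted):
            continue
        alerts.append({
            "time": m["ts"],
            "agent": m["agent"],
            "remote": str(remote),
            "remote_port": int(m["rport"]),
            # Peers outside private ranges mean the agent is reachable from the internet.
            "external": not any(remote in net for net in RFC1918),
        })
    return alerts

if __name__ == "__main__":
    for alert in find_untrusted_connections(SAMPLE_LOG):
        print(alert)
```

The same match can be expressed as a SIEM rule once the log is forwarded; the allowlist should hold the addresses of the Backup Exec servers that legitimately manage the agent.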

For further information on this report, Mandiant has provided a complete analysis of the MITRE Framework and other technical details.

Indicators of Compromise

  • c590a84b8c72cf18f35ae166f815c9df: Sysinternals PSEXEC
  • 4fdabe571b66ceec3448939bfb3ffcd1: Advanced Port Scanner

Guru baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
