A new ALPHV (aka BlackCat Ransomware) has been found and tracked under the ID UNC4466. This ransomware affiliate uses Veritas Backup Exec Installations, which are vulnerable to CVE-2021-27876, CVE-2021-27877, and CVE-2021-2787878. However, these CVEs are used for the initial access only.
A commercial internet scanning tool found a massive 8500 installations of Veritas Backup Exec installations. The count of unpatched versions might still be a significant number.
The ALPHV intrusions were usually from stolen credentials in the past but originated from targeting known vulnerabilities, which states that criminals have emerged.
BLACKMATTER and DARKSIDE ransomware are the predecessors of ALPHV ransomware, released in November 2021 as ransomware-as-a-service. Some ransomware is designed to avoid critical infrastructure, but ALPHV is still in the wild targeting sensitive industries.
|CVE||Vendor/Project||Product||Vulnerability Name||Date Added to Catalog||Short Description||Action||Due Date|
|CVE-2021-27876||Veritas||Backup Exec Agent||Veritas Backup Exec Agent File Access Vulnerability||2023-04-07||Veritas Backup Exec (BE) Agent contains a file access vulnerability that could allow an attacker to specially craft input parameters on a data management protocol command to access files on the BE Agent machine.||Apply updates per vendor instructions.||2023-04-28|
|CVE-2021-27877||Veritas||Backup Exec Agent||Veritas Backup Exec Agent Improper Authentication Vulnerability||2023-04-07||Veritas Backup Exec (BE) Agent contains an improper authentication vulnerability that could allow an attacker unauthorized access to the BE Agent via SHA authentication scheme.||Apply updates per vendor instructions.||2023-04-28|
|CVE-2021-27878||Veritas||Backup Exec Agent||Veritas Backup Exec Agent Command Execution Vulnerability||2023-04-07||Veritas Backup Exec (BE) Agent contains a command execution vulnerability that could allow an attacker to use a data management protocol command to execute a command on the BE Agent machine.||Apply updates per vendor instructions.||2023-04-28|
- March 2021 – Veritas published advisories for Veritas Backup Exec 16. x, 20. x and 21.x
- September 23, 2022 – Metasploit releases module to exploit Veritas Backup Exec versions.
- October 22, 2022 – Veritas Vulnerabilities are being exploited, which is observed by Mandiant.
Attack Phases of ALPHV
Initial Compromise and Establish Foothold
UNC4466 used the Metasploit module exploit/multi/veritas/beagent_sha_auth_rce to exploit internet-facing Windows servers with Veritas Backup Exec running. The Metasploit persistence module was used for maintaining permanent access to the systems as part of the remaining intrusion.
Once the UNC4466 accessed the Veritas Backup Exec server, they used internet explorer to download Famatech’s Advanced IP scanner from the website. This tool could scan both individual and range of IP addresses, ports, hostnames, and system hardware information.
The UNC4466 also did an Active Directory Recon using the ADRecon to gather network, host, and account information of the victim’s environment.
With a privileged domain account, ADRecon will generate several reports about the AD environment, Trusts, sites, subnets, password policies, and computer and user account listings.
Another advantage is that these reports can be downloaded in the required formats like CSV, XML, JSON, and HTML.
Ingress Tool Transfer
Once they gained privileged access, they transferred additional tools like LAZAGNE, LIGOLO, WINSW, RCLONE, and the ALPHV ransomware encryptor.
C&C (Command and Control)
For achieving communication between these systems, the UNC4466 used SOCK5 tunneling with the victim network. Tools like LIGOLO and REVSOCKS are deployed for evasion, evading all the network defenses or other intrusion prevention systems.
They used BITS Transfer to download several resources to the staging directory “C:\ProgramData,” supported by SOCK5 tunneling, REVSOCKS, and LIGOLO.
For dumping the credentials, the threat actor used tools like Mimikatz, LaZagne, and Nanodump to gather the credentials in clear text.
As per reports, In November 2022, UNC4466 used MIMIKATZ Security Support Provider Injection Module (MISC::MemSSP), which manipulates the Local Security Authority Server Service (LSASS) and collects credentials in clear-text and stores it in a file named “C:\Windows\System32\mimilsa.log”.
ALPHV is a rust programming-based ransomware that UNC4466 deploys. The group also changed the default domain policy, which performs malicious actions like disabling security software, downloading the ALPHV encryptor, and executing.
As stated, a commercial internet scanning tool found nearly 8500 IP addresses running Veritas Backup Exec service (Symantec/Veritas Backup Exec ndmp) on ports 10000, 9000, and 10001.
However, systems running vulnerable versions were not identified on this scan; threat actors could potentially exploit this.
For systems running with Veritas Backup Exec versions before 21.2, every system facing the internet should be highly prioritized.
Exploited systems can see the particular logs on the Backup Exec log file. For detection and alerting of these events, it is recommended to forward the file to the SIEM and create an alert for specific events.
[nnnn] YYYY-mm-ddTHH:MM:SS.sss [ndmp\ndmpsrvr] + ndmpd.cpp (nnn):
[nnnn] YYYY-mm-ddTHH:MM:SS.sss [ndmp\ndmpsrvr] | Session 1 started
[nnnn] YYYY-mm-ddTHH:MM:SS.sss [ndmp\ndmpsrvr] – sslOpen() : Opening SSL for: 0x00000
[nnnn] YYYY-mm-ddTHH:MM:SS.sss [ndmp\ndmpsrvr] – sslOpen(): certinfo = 0x00000; sslConn = 0x00000
[nnnn] YYYY-mm-ddTHH:MM:SS.sss [ndmp\ndmpcomm] – ndmpRun: Control connection accepted : connection established between end-points [Server IP]:10000 and [Remote IP]:[remote port]
For further information on this report, Mandiant has provided a complete analysis of the MITRE Framework and other technical details.
Indicators of Compromise
|4fdabe571b66ceec3448939bfb3ffcd1||Advanced Port Scanner|
Struggling to Apply The Security Patch in Your System? – Try All-in-One Patch Manager Plus