Wednesday, December 6, 2023

CISA Urges to Fix Backup Exec Bug Exploited to Deploy Ransomware

A new ALPHV (aka BlackCat Ransomware) has been found and tracked under the ID UNC4466. This ransomware affiliate uses Veritas Backup Exec Installations, which are vulnerable to CVE-2021-27876, CVE-2021-27877, and CVE-2021-2787878. However, these CVEs are used for the initial access only.

A commercial internet scanning tool found a massive 8500 installations of Veritas Backup Exec installations. The count of unpatched versions might still be a significant number.

The ALPHV intrusions were usually from stolen credentials in the past but originated from targeting known vulnerabilities, which states that criminals have emerged.

BLACKMATTER and DARKSIDE ransomware are the predecessors of ALPHV ransomware, released in November 2021 as ransomware-as-a-service. Some ransomware is designed to avoid critical infrastructure, but ALPHV is still in the wild targeting sensitive industries.


CVEVendor/ProjectProductVulnerability NameDate Added to CatalogShort DescriptionActionDue Date
CVE-2021-27876VeritasBackup Exec AgentVeritas Backup Exec Agent File Access Vulnerability2023-04-07Veritas Backup Exec (BE) Agent contains a file access vulnerability that could allow an attacker to specially craft input parameters on a data management protocol command to access files on the BE Agent machine.Apply updates per vendor instructions.2023-04-28
CVE-2021-27877VeritasBackup Exec AgentVeritas Backup Exec Agent Improper Authentication Vulnerability2023-04-07Veritas Backup Exec (BE) Agent contains an improper authentication vulnerability that could allow an attacker unauthorized access to the BE Agent via SHA authentication scheme.Apply updates per vendor instructions.2023-04-28
CVE-2021-27878VeritasBackup Exec AgentVeritas Backup Exec Agent Command Execution Vulnerability2023-04-07Veritas Backup Exec (BE) Agent contains a command execution vulnerability that could allow an attacker to use a data management protocol command to execute a command on the BE Agent machine.Apply updates per vendor instructions.2023-04-28
Source : CISA


  • March 2021 – Veritas published advisories for Veritas Backup Exec 16. x, 20. x and 21.x
  • September 23, 2022 – Metasploit releases module to exploit Veritas Backup Exec versions.
  • October 22, 2022 – Veritas Vulnerabilities are being exploited, which is observed by Mandiant.

Attack Phases of ALPHV

Initial Compromise and Establish Foothold

UNC4466 used the Metasploit module exploit/multi/veritas/beagent_sha_auth_rce to exploit internet-facing Windows servers with Veritas Backup Exec running. The Metasploit persistence module was used for maintaining permanent access to the systems as part of the remaining intrusion.

Internal Reconnaissance

Once the UNC4466 accessed the Veritas Backup Exec server, they used internet explorer to download Famatech’s Advanced IP scanner from the website. This tool could scan both individual and range of IP addresses, ports, hostnames, and system hardware information.

The UNC4466 also did an Active Directory Recon using the ADRecon to gather network, host, and account information of the victim’s environment.

With a privileged domain account, ADRecon will generate several reports about the AD environment, Trusts, sites, subnets, password policies, and computer and user account listings.

Another advantage is that these reports can be downloaded in the required formats like CSV, XML, JSON, and HTML.

Ingress Tool Transfer

Once they gained privileged access, they transferred additional tools like LAZAGNE, LIGOLO, WINSW, RCLONE, and the ALPHV ransomware encryptor.

C&C (Command and Control)

For achieving communication between these systems, the UNC4466 used SOCK5 tunneling with the victim network. Tools like LIGOLO and REVSOCKS are deployed for evasion, evading all the network defenses or other intrusion prevention systems.

They used BITS Transfer to download several resources to the staging directory “C:\ProgramData,” supported by SOCK5 tunneling, REVSOCKS, and LIGOLO.

Escalate Privileges

For dumping the credentials, the threat actor used tools like Mimikatz, LaZagne, and Nanodump to gather the credentials in clear text.

As per reports, In November 2022, UNC4466 used MIMIKATZ Security Support Provider Injection Module (MISC::MemSSP), which manipulates the Local Security Authority Server Service (LSASS) and collects credentials in clear-text and stores it in a file named “C:\Windows\System32\mimilsa.log”.

Source: Mandiant
Source: Mandiant

Complete Mission

ALPHV is a rust programming-based ransomware that UNC4466 deploys. The group also changed the default domain policy, which performs malicious actions like disabling security software, downloading the ALPHV encryptor, and executing.


As stated, a commercial internet scanning tool found nearly 8500 IP addresses running Veritas Backup Exec service (Symantec/Veritas Backup Exec ndmp) on ports 10000, 9000, and 10001.

However, systems running vulnerable versions were not identified on this scan; threat actors could potentially exploit this.


For systems running with Veritas Backup Exec versions before 21.2, every system facing the internet should be highly prioritized.

Exploited systems can see the particular logs on the Backup Exec log file. For detection and alerting of these events, it is recommended to forward the file to the SIEM and create an alert for specific events.

[nnnn] YYYY-mm-ddTHH:MM:SS.sss [ndmp\ndmpsrvr]      + ndmpd.cpp (nnn):

[nnnn] YYYY-mm-ddTHH:MM:SS.sss [ndmp\ndmpsrvr]      | Session 1 started

[nnnn] YYYY-mm-ddTHH:MM:SS.sss [ndmp\ndmpsrvr]      – sslOpen() : Opening SSL for: 0x00000

[nnnn] YYYY-mm-ddTHH:MM:SS.sss [ndmp\ndmpsrvr]      – sslOpen(): certinfo = 0x00000; sslConn = 0x00000

[nnnn] YYYY-mm-ddTHH:MM:SS.sss [ndmp\ndmpcomm]      – ndmpRun: Control connection accepted : connection established between end-points [Server IP]:10000 and [Remote IP]:[remote port]

For further information on this report, Mandiant has provided a complete analysis of the MITRE Framework and other technical details.

Indicators of Compromise

c590a84b8c72cf18f35ae166f815c9dfSysinternals PSEXEC
4fdabe571b66ceec3448939bfb3ffcd1Advanced Port Scanner

Struggling to Apply The Security Patch in Your System? – Try All-in-One Patch Manager Plus

Related Read:


Latest articles

BlueNoroff: New Malware Attacking MacOS Users

Researchers have uncovered a new Trojan-attacking macOS user that is associated with the BlueNoroff APT...

Serpent Stealer Acquires Browser Passwords and Erases Intrusion Logs

Beneath the surface of the cyber realm, a silent menace emerges—crafted with the precision...

Doppelgänger: Hackers Employ AI to Launch Highly sophistication Attacks

It has been observed that threat actors are using AI technology to conduct illicit...

Kali Linux 2023.4 Released – What’s New!

Kali Linux 2023.4, the latest version of Offensive Security's renowned operating system, has been...

Trickbot Malware Developer Pleads Guilty & Faces 35 Years in Prison

A 40-year-old Russian national, Vladimir Dunaev, pleaded guilty for developing and deploying Trickbot malware....

ICANN Launches RDRS to Assist Law Enforcement Agencies to Discover Private Info

ICANN is a non-profit organization that is responsible for coordinating the global internet's-DNSIP address...

Hackers Use Weaponized Documents to Attack U.S. Aerospace Industry

An American aerospace company has been the target of a commercial cyberespionage campaign dubbed...

API Attack Simulation Webinar

Live API Attack Simulation

In the upcoming webinar, Karthik Krishnamoorthy, CTO and Vivek Gopalan, VP of Products at Indusface demonstrate how APIs could be hacked.The session will cover:an exploit of OWASP API Top 10 vulnerability, a brute force account take-over (ATO) attack on API, a DDoS attack on an API, how a WAAP could bolster security over an API gateway

Related Articles