CISA Urges to Fix Backup Exec Bug Exploited to Deploy Ransomware

A new ALPHV (aka BlackCat Ransomware) has been found and tracked under the ID UNC4466. This ransomware affiliate uses Veritas Backup Exec Installations, which are vulnerable to CVE-2021-27876, CVE-2021-27877, and CVE-2021-2787878. However, these CVEs are used for the initial access only.

A commercial internet scanning tool found a massive 8500 installations of Veritas Backup Exec installations. The count of unpatched versions might still be a significant number.

The ALPHV intrusions were usually from stolen credentials in the past but originated from targeting known vulnerabilities, which states that criminals have emerged.

BLACKMATTER and DARKSIDE ransomware are the predecessors of ALPHV ransomware, released in November 2021 as ransomware-as-a-service. Some ransomware is designed to avoid critical infrastructure, but ALPHV is still in the wild targeting sensitive industries.

CVE(s)

CVEVendor/ProjectProductVulnerability NameDate Added to CatalogShort DescriptionActionDue Date
CVE-2021-27876VeritasBackup Exec AgentVeritas Backup Exec Agent File Access Vulnerability2023-04-07Veritas Backup Exec (BE) Agent contains a file access vulnerability that could allow an attacker to specially craft input parameters on a data management protocol command to access files on the BE Agent machine.Apply updates per vendor instructions.2023-04-28
CVE-2021-27877VeritasBackup Exec AgentVeritas Backup Exec Agent Improper Authentication Vulnerability2023-04-07Veritas Backup Exec (BE) Agent contains an improper authentication vulnerability that could allow an attacker unauthorized access to the BE Agent via SHA authentication scheme.Apply updates per vendor instructions.2023-04-28
CVE-2021-27878VeritasBackup Exec AgentVeritas Backup Exec Agent Command Execution Vulnerability2023-04-07Veritas Backup Exec (BE) Agent contains a command execution vulnerability that could allow an attacker to use a data management protocol command to execute a command on the BE Agent machine.Apply updates per vendor instructions.2023-04-28
Source : CISA

Timeline

  • March 2021 – Veritas published advisories for Veritas Backup Exec 16. x, 20. x and 21.x
  • September 23, 2022 – Metasploit releases module to exploit Veritas Backup Exec versions.
  • October 22, 2022 – Veritas Vulnerabilities are being exploited, which is observed by Mandiant.

Attack Phases of ALPHV

Initial Compromise and Establish Foothold

UNC4466 used the Metasploit module exploit/multi/veritas/beagent_sha_auth_rce to exploit internet-facing Windows servers with Veritas Backup Exec running. The Metasploit persistence module was used for maintaining permanent access to the systems as part of the remaining intrusion.

Internal Reconnaissance

Once the UNC4466 accessed the Veritas Backup Exec server, they used internet explorer to download Famatech’s Advanced IP scanner from the website. This tool could scan both individual and range of IP addresses, ports, hostnames, and system hardware information.

The UNC4466 also did an Active Directory Recon using the ADRecon to gather network, host, and account information of the victim’s environment.

With a privileged domain account, ADRecon will generate several reports about the AD environment, Trusts, sites, subnets, password policies, and computer and user account listings.

Another advantage is that these reports can be downloaded in the required formats like CSV, XML, JSON, and HTML.

Ingress Tool Transfer

Once they gained privileged access, they transferred additional tools like LAZAGNE, LIGOLO, WINSW, RCLONE, and the ALPHV ransomware encryptor.

C&C (Command and Control)

For achieving communication between these systems, the UNC4466 used SOCK5 tunneling with the victim network. Tools like LIGOLO and REVSOCKS are deployed for evasion, evading all the network defenses or other intrusion prevention systems.

They used BITS Transfer to download several resources to the staging directory “C:\ProgramData,” supported by SOCK5 tunneling, REVSOCKS, and LIGOLO.

Escalate Privileges

For dumping the credentials, the threat actor used tools like Mimikatz, LaZagne, and Nanodump to gather the credentials in clear text.

As per reports, In November 2022, UNC4466 used MIMIKATZ Security Support Provider Injection Module (MISC::MemSSP), which manipulates the Local Security Authority Server Service (LSASS) and collects credentials in clear-text and stores it in a file named “C:\Windows\System32\mimilsa.log”.

Source: Mandiant
Source: Mandiant

Complete Mission

ALPHV is a rust programming-based ransomware that UNC4466 deploys. The group also changed the default domain policy, which performs malicious actions like disabling security software, downloading the ALPHV encryptor, and executing.

Exposure

As stated, a commercial internet scanning tool found nearly 8500 IP addresses running Veritas Backup Exec service (Symantec/Veritas Backup Exec ndmp) on ports 10000, 9000, and 10001.

However, systems running vulnerable versions were not identified on this scan; threat actors could potentially exploit this.

Detection

For systems running with Veritas Backup Exec versions before 21.2, every system facing the internet should be highly prioritized.

Exploited systems can see the particular logs on the Backup Exec log file. For detection and alerting of these events, it is recommended to forward the file to the SIEM and create an alert for specific events.

[nnnn] YYYY-mm-ddTHH:MM:SS.sss [ndmp\ndmpsrvr]      + ndmpd.cpp (nnn):

[nnnn] YYYY-mm-ddTHH:MM:SS.sss [ndmp\ndmpsrvr]      | Session 1 started

[nnnn] YYYY-mm-ddTHH:MM:SS.sss [ndmp\ndmpsrvr]      – sslOpen() : Opening SSL for: 0x00000

[nnnn] YYYY-mm-ddTHH:MM:SS.sss [ndmp\ndmpsrvr]      – sslOpen(): certinfo = 0x00000; sslConn = 0x00000

[nnnn] YYYY-mm-ddTHH:MM:SS.sss [ndmp\ndmpcomm]      – ndmpRun: Control connection accepted : connection established between end-points [Server IP]:10000 and [Remote IP]:[remote port]

For further information on this report, Mandiant has provided a complete analysis of the MITRE Framework and other technical details.

Indicators of Compromise

da202cc4b3679fdb47003d603a93c90dMIMIKATZ
5fe66b2835511f9d4d3703b6c639b866NANODUMP
1f437347917f0a4ced71fb7df53b1a05LIGOLO
b41dc7bef82ef384bc884973f3d0e8caREVSOCKS
c590a84b8c72cf18f35ae166f815c9dfSysinternals PSEXEC
24b0f58f014bd259b57f346fb5aed2eaWINSW
e31270e4a6f215f45abad65916da9db4REVSOCKS
4fdabe571b66ceec3448939bfb3ffcd1Advanced Port Scanner
68d3bf2c363144ec6874ab360fdda00aLAZAGNE
ee6e0cb1b3b7601696e9a05ce66e7f37ALPHV
f66e1d717b54b95cf32154b770e10ba4METASPLOIT
17424a22f01b7b996810ba1274f7b8e9METASPLOIT
45[.]61[.]138[.]109
185[.]141[.]62[.]123
5[.]199[.]169[.]209
45[.]61[.]138[.]109:45815
45[.]61[.]138[.]109:43937
45[.]61[.]138[.]109:36931
5[.]199[.]169[.]209:31600
45[.]61[.]138[.]109:41703
185[.]99[.]135[.]115:39839
185[.]99[.]135[.]115:41773
45[.]61[.]138[.]109:33971
185[.]141[.]62[.]123:50810
185[.]99[.]135[.]115:49196
hxxp://185[.]141[.]62[.]123:10228/update[.]exe

Struggling to Apply The Security Patch in Your System? – 

Related Read:

Gurubaran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Recent Posts

Threat Actors Exploit Google Docs And Weebly Services For Malware Attacks

Phishing attackers used Google Docs to deliver malicious links, bypassing security measures and redirecting victims…

4 hours ago

Python NodeStealer: Targeting Facebook Business Accounts to Harvest Login Credentials

The Python-based NodeStealer, a sophisticated info-stealer, has evolved to target new information and employ advanced…

5 hours ago

XSS Vulnerability in Bing.com Let Attackers Send Crafted Malicious Requests

A significant XSS vulnerability was recently uncovered in Microsoft’s Bing.com, potentially allowing attackers to execute…

7 hours ago

Meta Removed 2 Million Account Linked to Malicious Activities

 Meta has announced the removal of over 2 million accounts connected to malicious activities, including…

11 hours ago

Veritas Enterprise Vault Vulnerabilities Lets Attackers Execute Arbitrary Code Remotely

Critical security vulnerability has been identified in Veritas Enterprise Vault, a widely-used archiving and content…

12 hours ago

7-Zip RCE Vulnerability Let Attackers Execute Remote Code

A critical security vulnerability has been disclosed in the popular file archiving tool 7-Zip, allowing…

12 hours ago