By Patricia A. Pramono • Studio 1080, Published on August 08, 2024
A Brief Overview of EstateRansomware
A newly discovered ransomware operation, dubbed EstateRansomware, has been exploiting CVE-2023-27532, a vulnerability in Veeam Backup & Replication that Veeam patched in March 2023 (CVSS score 7.5). The flaw lets an unauthenticated attacker who can reach the backup server's network perimeter obtain the encrypted credentials stored in Veeam's configuration database, which in turn can open the door to the rest of the backup infrastructure. EstateRansomware has leveraged it to infiltrate systems, encrypt critical data, and demand ransoms from victims (Enterprise Technology News and Analysis) (OODA Loop) (Security MEA).
Group-IB, a cybersecurity firm based in Singapore, uncovered the group in early April 2024. Exploiting the Veeam vulnerability is only the middle of the kill chain: initial access to the target environment came through a Fortinet FortiGate firewall SSL VPN appliance, using a dormant account that had never been removed (OODA Loop) (VULNERA).
According to Group-IB researcher Yeo Zi Wei, the attackers brute-forced VPN accounts until they logged in successfully as "Acc1." From there they opened Remote Desktop Protocol (RDP) connections to the failover server and dropped a persistent backdoor named "svchost.exe", a name chosen to blend in with the legitimate Windows Service Host process, which a scheduled task executed daily (SecurityWeek) (Security Boulevard).
Characteristics of EstateRansomware
EstateRansomware is distinguished less by novel malware than by a multi-stage, hands-on-keyboard intrusion. Where much ransomware arrives through a single phishing lure and payload, this group works through the environment step by step: it disables Windows Defender, deploys the ransomware with PsExec, and runs a mix of discovery and credential-harvesting tools beforehand. Because most of those steps use ordinary administrative tooling rather than custom malware, they blend into routine activity unless the tools themselves are monitored, which is what makes the chain hard to detect and contain (Security MEA) (VULNERA).
The backdoor connected to a command-and-control (C2) server over HTTP and executed arbitrary commands, giving the attackers a foothold for further network penetration while keeping a low profile. They then exploited the Veeam flaw on the backup server to enable the xp_cmdshell stored procedure on the SQL Server instance behind Veeam's configuration database, which turns database access into operating-system command execution, and used it to create a rogue account named "VeeamBkp." NetScan, AdFind, and NitSoft were run for network discovery, Active Directory enumeration, and credential harvesting (VULNERA) (Blackswan Cybersecurity) (Enterprise Technology News and Analysis) (SecurityWeek).
Ransomware deployment was the final stage. With compromised domain accounts, the attackers moved laterally from the Active Directory server to other servers and workstations, disabled Windows Defender with DC.exe (Defender Control), and used PsExec.exe to execute the ransomware on each host (OODA Loop) (Blackswan Cybersecurity).
Tactics, Techniques, and Procedures of EstateRansomware
In summary, EstateRansomware employs several tactics to evade detection and ensure the success of its attacks:
- Disabling Security Software: Windows Defender is turned off with Defender Control before the payload runs (Enterprise Technology News and Analysis).
- Backdoor Deployment: A backdoor masquerading as "svchost.exe", launched by a daily scheduled task, maintains persistent access to the network (OODA Loop) (VULNERA).
- Discovery and Credential Harvesting: NetScan, AdFind, and NitSoft are used for network discovery, Active Directory enumeration, and credential harvesting (Blackswan Cybersecurity).
- Lateral Movement: With harvested domain credentials, PsExec is used to execute the ransomware on servers and workstations across the network without raising immediate suspicion (VULNERA) (Security MEA).
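Each step in that chain leaves an ordinary log record, so it can be hunted for with a handful of rules. The script below is an added example, not code from Group-IB, Veeam or the cited sources: it runs five rules over a few constructed, SIEM-normalised events covering the chain described above, namely a VPN logon success after a burst of failures, a scheduled task whose action is an svchost.exe outside the Windows system directories, account creation on a backup server, a PsExec service install, and a Defender real-time-protection-disabled event. The event schema, hostnames, backup-server list and thresholds are assumptions; the Windows event IDs that would feed each record kind are noted in the comments.

```python
"""Hunt for the EstateRansomware intrusion chain in normalised log events.
Added example, not Group-IB's, Veeam's or the author's code."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Assumption: the SIEM has flattened raw logs into records like these.
# All records below are constructed for the example, not real telemetry.
SAMPLE_EVENTS = [
    # FortiGate SSL VPN: repeated failures on the dormant "Acc1", then a success.
    *[{"ts": f"2024-04-01T02:00:{s:02d}", "host": "fw01", "kind": "vpn_auth",
       "user": "Acc1", "result": "fail"} for s in range(0, 50, 10)],
    {"ts": "2024-04-01T02:01:05", "host": "fw01", "kind": "vpn_auth",
     "user": "Acc1", "result": "success"},
    # Security 4698: scheduled task whose action is a fake svchost.exe.
    {"ts": "2024-04-01T02:40:00", "host": "failover01", "kind": "task_created",
     "task": "\\Updater", "command": "C:\\Users\\Public\\svchost.exe"},
    # Security 4698: a genuine task that runs the real svchost.exe (benign).
    {"ts": "2024-04-01T03:00:00", "host": "failover01", "kind": "task_created",
     "task": "\\Microsoft\\Windows\\Wininet\\CacheTask",
     "command": "C:\\Windows\\System32\\svchost.exe -k netsvcs"},
    # Security 4720: rogue account created on the backup server.
    {"ts": "2024-04-02T01:10:00", "host": "veeam01", "kind": "user_created",
     "user": "VeeamBkp"},
    # System 7045: PsExec service installed on a workstation.
    {"ts": "2024-04-03T04:00:00", "host": "ws07", "kind": "service_installed",
     "service": "PSEXESVC", "image": "%SystemRoot%\\PSEXESVC.exe"},
    # Defender operational 5001: real-time protection disabled.
    {"ts": "2024-04-03T04:00:30", "host": "ws07", "kind": "defender_disabled"},
]

BACKUP_HOSTS = {"veeam01"}  # assumption: hostnames of the Veeam servers
SYSTEM_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def detect_brute_force(events, threshold=5, window=timedelta(minutes=10)):
    """A success on an account after >= threshold failures within `window`."""
    alerts, failures = [], defaultdict(deque)
    for e in sorted((e for e in events if e["kind"] == "vpn_auth"), key=_ts):
        q = failures[e["user"]]
        while q and _ts(e) - q[0] > window:   # drop failures outside the window
            q.popleft()
        if e["result"] == "fail":
            q.append(_ts(e))
        elif len(q) >= threshold:
            alerts.append({"rule": "vpn_bruteforce_success", "host": e["host"],
                           "detail": f'{e["user"]} after {len(q)} failures'})
            q.clear()
    return alerts


def detect_masquerading_tasks(events):
    """Scheduled task whose action is an svchost.exe outside the system dirs."""
    alerts = []
    for e in events:
        if e["kind"] != "task_created":
            continue
        exe = e["command"].split()[0]          # assumption: unquoted path, no spaces
        p = PureWindowsPath(exe)
        if p.name.lower() == "svchost.exe" and str(p.parent).lower() not in SYSTEM_DIRS:
            alerts.append({"rule": "svchost_outside_system32", "host": e["host"],
                           "detail": f'{e["task"]} -> {exe}'})
    return alerts


def detect_backup_server_accounts(events):
    """Any account creation on a backup server deserves a ticket."""
    return [{"rule": "account_created_on_backup_server", "host": e["host"],
             "detail": e["user"]}
            for e in events if e["kind"] == "user_created" and e["host"] in BACKUP_HOSTS]


def detect_psexec(events):
    """System 7045 for the PsExec service. `psexec -r` renames the service,
    so the image name is checked too; a fully renamed binary needs other signals."""
    alerts = []
    for e in events:
        if e["kind"] != "service_installed":
            continue
        name = e["service"].lower()
        image = PureWindowsPath(e["image"]).name.lower()
        if name.startswith("psexesvc") or image == "psexesvc.exe":
            alerts.append({"rule": "psexec_service_installed", "host": e["host"],
                           "detail": e["service"]})
    return alerts


def detect_defender_disabled(events):
    return [{"rule": "defender_rtp_disabled", "host": e["host"], "detail": ""}
            for e in events if e["kind"] == "defender_disabled"]


def hunt(events):
    """Run every rule and return the combined alert list."""
    alerts = []
    for rule in (detect_brute_force, detect_masquerading_tasks,
                 detect_backup_server_accounts, detect_psexec, detect_defender_disabled):
        alerts.extend(rule(events))
    return alerts


if __name__ == "__main__":
    for a in hunt(SAMPLE_EVENTS):
        print(f'{a["rule"]:34} {a["host"]:12} {a["detail"]}')
```

On the sample data every rule fires exactly once and the genuine System32 svchost task stays quiet. The brute-force rule is the one most worth tuning: a long, slow spray across many accounts will not trip a per-account threshold, so pair it with a per-source-IP count in production.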
Industries or Sectors Most Affected by EstateRansomware
The industries most affected by EstateRansomware include healthcare, finance, and manufacturing. These sectors are targeted due to the critical nature of their data and operations, which can lead to significant financial losses and operational downtime, making them more likely to pay ransoms.
- Healthcare: The healthcare sector is a prime target due to the sensitive nature of patient data and the critical need for operational continuity. A successful ransomware attack can disrupt medical services, potentially putting lives at risk. Healthcare organizations are often pressured to pay ransoms quickly to restore access to patient records and medical systems (VULNERA) (Security MEA).
- Finance: Financial institutions hold vast amounts of sensitive data, including personal and financial information of customers. An attack on these institutions can result in significant data breaches and financial losses. The need to maintain trust and avoid reputational damage makes these institutions likely to pay ransoms to regain control of their systems (Security MEA).
- Manufacturing: The manufacturing sector is crucial due to its role in the supply chain. Disruptions caused by ransomware attacks can halt production lines, leading to substantial financial losses and delays in delivering products. The critical nature of manufacturing operations makes these organizations more inclined to pay ransoms to resume their activities swiftly (Security MEA).
Steps to Protect Against This Vulnerability
Organizations can take several steps to protect themselves from EstateRansomware and similar threats:
- Regular Software Updates: Ensure all software, especially Veeam Backup & Replication, is up to date with the latest patches (Enterprise Technology News and Analysis) (SecurityWeek). For CVE-2023-27532 that means at least version 12 build 12.0.0.1420 (P20230223) or version 11a build 11.0.1.1261 (P20230412); older major versions were out of support and received no fix. Where patching must wait and the backup server is an all-in-one appliance with no remote backup components, Veeam's interim advice is to block inbound TCP 9401 to the backup server at its firewall. After patching, confirm that xp_cmdshell is still disabled on the Veeam SQL instance and review the backup server's local accounts for additions you did not make. In situations like this, we can further assist by providing regular vulnerability assessment and penetration testing (VAPT) services to identify and address vulnerabilities promptly for your company.
- Disable Unused Accounts: Regularly review and disable dormant or unused accounts, starting with anything that can authenticate to the VPN, to minimize potential entry points; "Acc1" was exactly such an account (VULNERA) (Security MEA).
- Enhance Security Protocols: Use advanced security measures like multi-factor authentication (MFA), which defeats a plain password brute force against the VPN, and endpoint detection and response (EDR) solutions, with alerting on attempts to disable the EDR sensor or Windows Defender (Security Boulevard) (Security MEA). We offer a series of managed security services to help organizations implement and maintain these advanced security measures effectively.
- Network Segmentation: Implement network segmentation to limit lateral movement within the network, and treat the backup server as a tier-0 asset: restrict RDP and SQL access to it to a small set of management hosts (VULNERA). Our Security Operations Center (SOC) can monitor network traffic and detect suspicious activities in real-time, enhancing overall network security.
- Regular Backups: Maintain regular, secure backups and test restoration processes to ensure data recovery in case of an attack (Security MEA). Because this group went after the backup server itself, keep at least one copy that is immutable or offline so that a compromised Veeam console cannot delete or encrypt it.
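Two of the checks above in code, as an added example that is not Veeam's, Group-IB's or the author's: whether a Veeam Backup & Replication build includes the CVE-2023-27532 fix, using the fixed build numbers Veeam published, and which accounts are dormant under an assumed 90-day policy. The account records are constructed, and the assumption that any major version after 12 carries the fix is mine; read the build number to test from the Veeam console's Help > About dialog. The point of the version check is that the fix landed in two branches at once, so a plain "newest build wins" comparison would misjudge a 12.0.0.1396 install as safe because it is newer than the patched 11.0.1.1261.

```python
"""Hardening checks: is a Veeam build patched for CVE-2023-27532, and which
accounts are dormant. Added example, not Veeam's, Group-IB's or the author's."""
from datetime import datetime, timedelta

# Fixed builds published by Veeam for CVE-2023-27532 (KB4424), one per
# supported major version. Nothing older than version 11 received a fix.
FIXED_BUILDS = {
    12: (12, 0, 0, 1420),   # version 12, P20230223
    11: (11, 0, 1, 1261),   # version 11a, P20230412
}


def parse_build(build: str) -> tuple:
    """'12.0.0.1420' -> (12, 0, 0, 1420). Raises ValueError on junk input."""
    parts = tuple(int(p) for p in build.strip().split("."))
    if len(parts) != 4:
        raise ValueError(f"expected four dotted integers, got {build!r}")
    return parts


def is_patched(build: str) -> bool:
    """True when the build contains the CVE-2023-27532 fix.

    Compared per major version: 12.0.0.1396 is newer than 11.0.1.1261 by
    date but still vulnerable, so the fixed build of its own branch decides.
    Assumption: every major version after 12 ships with the fix."""
    parts = parse_build(build)
    major = parts[0]
    if major > max(FIXED_BUILDS):
        return True
    fixed = FIXED_BUILDS.get(major)
    return fixed is not None and parts >= fixed


def dormant_accounts(accounts, now, max_idle_days=90):
    """Enabled accounts that never logged on, or not within max_idle_days.

    max_idle_days is an assumed policy value. VPN-enabled accounts are listed
    first because a dormant VPN account is exactly how this intrusion began."""
    cutoff = now - timedelta(days=max_idle_days)
    found = []
    for acct in accounts:
        if not acct["enabled"]:
            continue                      # already disabled, nothing to do
        last = acct["last_logon"]
        if last is None or datetime.fromisoformat(last) < cutoff:
            found.append(acct)
    found.sort(key=lambda a: (not a["vpn"], a["user"]))
    return [a["user"] for a in found]


# Constructed sample data, not real account records.
SAMPLE_ACCOUNTS = [
    {"user": "Acc1", "enabled": True, "vpn": True, "last_logon": "2023-09-12T08:00:00"},
    {"user": "jdoe", "enabled": True, "vpn": True, "last_logon": "2024-03-30T17:45:00"},
    {"user": "svc_legacy", "enabled": True, "vpn": False, "last_logon": None},
    {"user": "old_admin", "enabled": False, "vpn": True, "last_logon": "2022-01-01T00:00:00"},
]
NOW = datetime(2024, 4, 1)   # fixed "today" so the example is reproducible

if __name__ == "__main__":
    for b in ("12.0.0.1420", "12.0.0.1396", "11.0.1.1261", "11.0.0.837", "10.0.1.4854"):
        print(f"{b:14} patched={is_patched(b)}")
    print("dormant accounts:", dormant_accounts(SAMPLE_ACCOUNTS, NOW))
```

Run against the sample data it reports "Acc1" and "svc_legacy" as dormant and flags 12.0.0.1396, 11.0.0.837 and 10.0.1.4854 as unpatched. Feed `dormant_accounts` a real export (for example the last-logon attribute from the directory plus the VPN group membership) and the output is the list to disable first.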
Conclusion
The exploitation of Veeam Backup & Replication software by EstateRansomware underscores the critical importance of timely patching and robust cybersecurity defenses. As ransomware groups continue to evolve and diversify their methods, organizations must remain vigilant and proactive in securing their networks against such threats. Implementing comprehensive security strategies, including regular updates, advanced threat detection, and robust backup protocols, is essential to protect sensitive data and maintain operational integrity (Enterprise Technology News and Analysis) (VULNERA) (Security MEA).
References:
New Ransomware Group Exploiting Veeam Backup Software Vulnerability
You had a year to patch this Veeam flaw – and now it's going to hurt some more
Year-Old Veeam Vulnerability Exploited in Fresh Ransomware Attacks
Emerging Ransomware Group Exploits Vulnerability in Veeam Backup Software
New Ransomware Group Exploiting Veeam Backup Software Vulnerability
Veeam Backup Software Being Exploited By New Ransomware Group
EstateRansomware Threat Group Exploiting Veeam Backup Software Vulnerability (CVE-2023-27532)
EstateRansomware: A Sophisticated Threat to Enterprise Networks