
Ransomware Gangs Exploiting Year Old Veeam Vulnerability



The Download

Older vulnerabilities often find new life when a ransomware gang weaponizes Proof of Concept (PoC) exploit code, and it happens more often than one might expect. That's the case here with a vulnerability in Veeam patched in March 2023. The vulnerability, tracked as CVE-2023-27532, allows hackers to extract authenticated credentials from the Veeam Backup and Replication product. The vulnerability was serious enough that CISA added it to the Known Exploited Vulnerabilities (KEV) catalog.


Since its disclosure, security firm Group-IB reports that the EstateRansomware group has exploited the vulnerability for nefarious purposes, BlackBerry reports that the Akira ransomware group exploited it against a Latin American airline, and a Cuba ransomware group has been known to exploit the vulnerability as well.


What To Do

If you are running the Veeam Backup and Replication service, it is important to patch CVE-2023-27532. The threat intelligence suggests this is being actively exploited, which is why the vulnerability was added to the CISA KEV. We recommend patching any vulnerability added to the KEV. ThreatMate will auto-recognize any vulnerability in the network that is on the KEV list and prioritize its remediation accordingly.
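One way to apply the KEV-first prioritization described above to scanner output, as an added example (not ThreatMate's code). It assumes a catalog excerpt using the field names of CISA's KEV JSON feed; the hosts, scores, dates and placeholder CVE IDs are constructed.

```python
import json
from datetime import date

# Constructed excerpt in the shape of CISA's KEV JSON feed; the dates and the
# second entry are placeholders, not real catalog data.
KEV_JSON = """
{"vulnerabilities": [
  {"cveID": "CVE-2023-27532", "vendorProject": "Veeam",
   "product": "Backup & Replication", "dateAdded": "2000-01-10",
   "dueDate": "2000-01-31", "knownRansomwareCampaignUse": "Known"},
  {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor",
   "product": "ExampleProduct", "dateAdded": "2000-01-05",
   "dueDate": "2000-01-26", "knownRansomwareCampaignUse": "Unknown"}
]}
"""

# Constructed scanner findings: (host, CVE as reported, severity score).
FINDINGS = [
    ("web01", "CVE-0000-0002", 9.8),
    ("backup01", "CVE-2023-27532", 7.5),
    ("app02", "CVE-0000-0001", 8.1),
    ("backup02", "cve-2023-27532 ", 7.5),  # scanners differ in case/whitespace
]

def load_kev(raw):
    """Index KEV entries by normalized CVE ID."""
    return {v["cveID"].strip().upper(): v
            for v in json.loads(raw)["vulnerabilities"]}

def prioritize(findings, kev):
    """Order: KEV with known ransomware use, other KEV by due date, then score."""
    def key(finding):
        host, cve, score = finding
        entry = kev.get(cve.strip().upper())
        if entry is None:
            return (2, date.max, -score, host)
        tier = 0 if entry.get("knownRansomwareCampaignUse") == "Known" else 1
        return (tier, date.fromisoformat(entry["dueDate"]), -score, host)
    return sorted(findings, key=key)

def kev_hits(findings, kev):
    """Group affected hosts by KEV-listed CVE."""
    hits = {}
    for host, cve, _ in findings:
        cve_id = cve.strip().upper()
        if cve_id in kev:
            hits.setdefault(cve_id, []).append(host)
    return hits

if __name__ == "__main__":
    for host, cve, score in prioritize(FINDINGS, load_kev(KEV_JSON)):
        print(host, cve.strip().upper(), score)
```

The highest-scoring finding sorts last here because it is not KEV-listed, while both backup servers with CVE-2023-27532 come first.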


