Remote Code Execution
CVSS v3 score: 8.8 to 9.8
- Several critical and high-severity vulnerabilities affecting Veeam Backup & Replication are being exploited by threat actors advertising fully weaponized tools for remote code execution.
- Threat actors can exploit the vulnerabilities to:
  - Gain initial access
  - Disclose sensitive information
  - Perform DDoS attacks
  - Encrypt the infrastructure with malware
  - Gain privileges and execute arbitrary code remotely
- Upgrade to 188.8.131.521 P20220302
Analysis and Attribution
- CloudSEK’s contextual AI digital risk platform XVigil has analyzed several critical and high-severity vulnerabilities affecting Veeam Backup & Replication.
- Several threat actors were seen advertising the fully weaponized tool for remote code execution to exploit the following vulnerabilities affecting Veeam Backup & Replication:
  - CVE-2022-26500 and CVE-2022-26501 with a CVSS V3 score of 9.8
  - CVE-2022-26504 with a CVSS V3 score of 8.8
- A successful exploitation of the above-mentioned CVEs can lead to:
  - Copying files within the boundaries of the locale or from a remote SMB network
  - RCE without authorization ('Network Service' rights)
  - RCE/LPE without authorization ('Local System' rights)
[Figure: Veeam Backup & Replication]
What is Veeam Backup & Replication?
- Veeam Backup & Replication is a proprietary backup app for virtual environments built on VMware vSphere, Nutanix AHV, and Microsoft Hyper-V hypervisors.
- In addition to backing up and recovering VMs, it can protect and restore individual files and applications for environments such as Exchange and SharePoint.
CVEs Exploited By Threat Actors
- Remote Code Execution vulnerability in Veeam Distribution Service
  - The Veeam Distribution Service, which uses TCP 9380 with default settings, allows threat actors who are not authenticated to access internal API functions.
  - This component allows threat actors to execute malicious code remotely without authentication.
- Remote Code Execution vulnerability in Veeam Backup PSManager
  - The Veeam.Backup.PSManager.exe process, which uses TCP 8732 with default settings, allows threat actors who are not administrators to authenticate using domain credentials.
  - This vulnerability allows domain attackers to execute malicious code remotely by attacking vulnerable components, leading to control of the system.
Information from OSINT
CloudSEK researchers were able to find a GitHub repository named “veeam-creds” with the following specifications:
- It contained scripts for recovering passwords from the Veeam Backup and Replication credential manager.
- The repository had the following 3 files:
  - Veeam-Get-Creds.ps1 - PowerShell script for getting and decrypting accounts directly from Veeam's database.
  - VeeamGetCreds.yaml - PowerShell Empire module with an adapted Veeam-Get-Creds.ps1 script.
  - Veampot.py - Python script to emulate vSphere responses to retrieve stored credentials from Veeam.
Possible Ransomware Affiliations
- Malware named “Veeamp” was found in the wild, being used by the following two ransomware groups to dump credentials from a SQL database for Veeam backup management software:
  - Monti Ransomware
  - Yanluowang Ransomware
- The malware file is a 32-bit .NET binary that attempts to connect with a SQL database named VeeamBackup upon launching and runs the following command:
select [user_name],[password],[description] FROM [VeeamBackup].[dbo].[Credentials]
- After successful decryption, the credential dumper named “Veeamp.exe” prints the following, in order:
  - Encrypted Password
  - Decrypted Password
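A detection sketch for the query described above, added here as an example and not taken from CloudSEK's report or any Veeam tooling: it flags SQL statements that read the password column of the Credentials table when the client is not on an allowlist. The event field names (app, login, statement), the allowlist value and the sample events are constructed assumptions.

```python
import json
import re

# Hypothetical allowlist: client application names expected to read the table.
EXPECTED_APPS = {"expected-backup-service"}

# Matches Credentials addressed as db.schema.table, schema.table, db..table or bare.
TABLE_RE = re.compile(r"\bfrom\s+(?:(?:veeambackup\.)?(?:dbo)?\.)?credentials\b")
SELECT_RE = re.compile(r"\bselect\b(.*?)\bfrom\b", re.S)

def reads_veeam_passwords(statement: str) -> bool:
    """True if the statement selects the password column (or *) from Credentials."""
    # Drop identifier quoting and normalise case/whitespace so trivial
    # rewrites of the query still match.
    sql = re.sub(r'[\[\]"`]', "", statement).lower()
    sql = " ".join(sql.split())
    if not TABLE_RE.search(sql):
        return False
    cols = SELECT_RE.search(sql)
    return bool(cols) and ("password" in cols.group(1) or "*" in cols.group(1))

def flag_events(lines, expected_apps=EXPECTED_APPS):
    """Return parsed events that read stored passwords from an unexpected client."""
    hits = []
    for line in lines:
        event = json.loads(line)
        if event["app"] in expected_apps:
            continue
        if reads_veeam_passwords(event["statement"]):
            hits.append(event)
    return hits

# Constructed sample events, one JSON object per line. The field names
# (app, login, statement) are assumptions, not a real audit schema.
SAMPLE_EVENTS = [
    '{"app": "unknown.exe", "login": "user-a", "statement": "select [user_name],[password],[description] FROM [VeeamBackup].[dbo].[Credentials]"}',
    '{"app": "sql-client", "login": "user-b", "statement": "SELECT  *  FROM VeeamBackup..Credentials"}',
    '{"app": "expected-backup-service", "login": "svc-backup", "statement": "SELECT [password] FROM [dbo].[Credentials]"}',
    '{"app": "sql-client", "login": "user-c", "statement": "SELECT user_name, description FROM dbo.Credentials"}',
    '{"app": "sql-client", "login": "user-d", "statement": "SELECT password FROM [Portal].[dbo].[Users]"}',
]

if __name__ == "__main__":
    for hit in flag_events(SAMPLE_EVENTS):
        print("ALERT", hit["login"], hit["app"], hit["statement"])
```

Feed it statements from whatever SQL Server auditing is already collected for the VeeamBackup database, and populate the allowlist with the client names observed during normal backup operation.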
Indicators of Compromise (IoCs)
Based on the results from VirusTotal, the following are the IOCs for Veeamp.
[Figure: Veeam Backup & Replication Functionalities]
[caption id="attachment_21247" align="aligncenter" width="1677"]