New ransomware threat: EstateRansomware exploits vulnerability in Veeam backup software

In the ever-evolving landscape of cybersecurity, a new ransomware group called EstateRansomware has caused quite a stir. This group exploits a recently patched vulnerability in Veeam Backup & Replication software, emphasizing the importance of regular software updates.

The discovery: The Singapore-based company Group-IB discovered this new threat in early April 2024. The attackers exploited the vulnerability CVE-2023-27532, which carries a CVSS score of 7.5, a clear sign of high risk.

The attack vector:

  1. Initial access: Through the SSL VPN of a Fortinet FortiGate firewall, using an inactive account.
  2. Lateral movement: From the firewall to the failover server over RDP connections.
  3. Persistence: Installation of a backdoor named “svchost.exe”, which is executed daily via a scheduled task.
  4. Further exploitation: Exploitation of the Veeam vulnerability to enable xp_cmdshell and create a malicious user account.
  5. Network exploration: Use of tools such as NetScan, AdFind and NirSoft.
  6. Final phase: Deactivation of Windows Defender and execution of the ransomware on all accessible systems.
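Steps 3 and 4 of the chain above leave traces that a defender can look for in routine audit data: a scheduled task whose action is a file named svchost.exe living outside the Windows system directories, an xp_cmdshell configuration change on the SQL Server instance that Veeam uses, and a new local account created shortly afterwards. The following is an added example written for this post, not code from Group-IB or neonotu; it runs three such rules over a handful of constructed, normalized event records (field names loosely follow Windows event IDs 4698 and 4720 and the SQL Server sp_configure message, but the records themselves are invented).

```python
"""Constructed detection example for the persistence and privilege steps
of the EstateRansomware chain. Event records are invented; field names
mirror Windows event IDs 4698 (scheduled task created) and 4720 (user
account created) and the SQL Server sp_configure audit message, but do
not come from any specific SIEM.
"""
from __future__ import annotations

import ntpath
import re
import shlex
from dataclasses import dataclass

# The real svchost.exe lives only in these directories on 64-bit Windows.
TRUSTED_SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


@dataclass(frozen=True)
class Alert:
    rule: str
    host: str
    detail: str


def _program_path(command: str) -> str:
    """Return the executable part of a task command line, quotes removed."""
    tokens = shlex.split(command, posix=False)  # posix=False keeps backslashes
    return tokens[0].strip('"') if tokens else ""


def check_scheduled_task(event: dict) -> Alert | None:
    """4698: flag a task that launches 'svchost.exe' from an unusual directory."""
    if event.get("event_id") != 4698:
        return None
    program = _program_path(event.get("task_command", "")).lower()
    directory, name = ntpath.split(program)
    if name == "svchost.exe" and directory not in TRUSTED_SVCHOST_DIRS:
        return Alert("masquerading-svchost-task", event["host"],
                     f"task {event.get('task_name')} runs {program}")
    return None


def check_xp_cmdshell(event: dict) -> Alert | None:
    """SQL Server configuration change: xp_cmdshell switched from 0 to 1."""
    if event.get("source") != "mssql":
        return None
    message = event.get("message", "")
    if re.search(r"xp_cmdshell.*changed from 0 to 1", message, re.IGNORECASE):
        return Alert("xp_cmdshell-enabled", event["host"], message)
    return None


def check_new_account(event: dict) -> Alert | None:
    """4720: a user account was created; always worth a look on a backup host."""
    if event.get("event_id") != 4720:
        return None
    return Alert("local-account-created", event["host"],
                 f"{event.get('subject')} created {event.get('target_user')}")


RULES = (check_scheduled_task, check_xp_cmdshell, check_new_account)


def detect(events: list[dict]) -> list[Alert]:
    """Run every rule over every event and collect the alerts in order."""
    alerts: list[Alert] = []
    for event in events:
        for rule in RULES:
            alert = rule(event)
            if alert is not None:
                alerts.append(alert)
    return alerts


# Constructed sample events: one benign logon, one legitimate svchost task,
# and the three suspicious actions described in the attack chain.
SAMPLE_EVENTS = [
    {"host": "DC01", "event_id": 4624, "target_user": "backup-svc"},
    {"host": "BACKUP01", "event_id": 4698, "task_name": r"\Microsoft\Windows\Wininet\CacheTask",
     "task_command": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"host": "BACKUP01", "event_id": 4698, "task_name": r"\Updater",
     "task_command": r"C:\Users\Public\svchost.exe"},
    {"host": "VEEAM01", "source": "mssql",
     "message": "Configuration option 'xp_cmdshell' changed from 0 to 1. "
                "Run the RECONFIGURE statement to install."},
    {"host": "VEEAM01", "event_id": 4720, "subject": "MSSQLSERVER",
     "target_user": "VeeamBkp"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"[{alert.rule}] {alert.host}: {alert.detail}")
```

The svchost rule deliberately keys on the directory rather than the file name alone, because the genuine service host is started from System32 by scheduled tasks all day long; the account-creation rule is noisy on a workstation but on a backup or database server a new local user is rare enough to review every time.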

New ransomware group EstateRansomware exploits Veeam backup vulnerability. Attack via Fortinet firewall, followed by backdoor installation. Regular updates and strong security strategies are crucial to protect against such threats.

Broader implications: This discovery comes at a time when Cisco Talos is seeing a shift in the ransomware landscape. New groups such as Hunters International, Cactus and Akira are specializing in specific niches and attack methods.

Connection to the Akira ransomware: Interestingly, the same Veeam vulnerability was also exploited by the Akira ransomware group, as demonstrated by a recent attack on a Latin American airline. This illustrates how quickly vulnerabilities are picked up by different threat actors.

Recommendations for prevention:

  1. Perform regular software updates
  2. Implement multifactor authentication
  3. Use network segmentation to contain potential attacks
  4. Develop comprehensive backup strategies
  5. Train employees in cyber security

neonotu security is at the forefront of the fight against such threats. Our experts offer customized solutions to protect your IT infrastructure from ransomware and other cyber threats.

Contact us today for a comprehensive security consultation and let us protect your digital assets together.