Threat Actors Advertising Tool for Exploiting Vulnerabilities in Veeam Backup & Replication

Several remote code execution vulnerabilities have been identified in the Veeam Backup & Replication application and have been exploited by threat actors, some of whom are advertising a weaponized tool that achieves remote code execution by exploiting the flaws.

Veeam Backup & Replication is a backup application used for backing up and restoring virtual environments built on VMware vSphere, Nutanix AHV, and Microsoft Hyper-V hypervisors, and for backing up and recovering files in environments such as Microsoft Exchange and SharePoint.

In an October 24, 2022, advisory about the flaws, CloudSEK explained that multiple high-severity and critical vulnerabilities with CVSS v3 scores ranging from 8.8 to 9.8 had been identified, and that multiple threat actors were offering a fully weaponized tool for exploiting them. The affected vulnerabilities include the following:

  • CVE-2022-26500 (CVSS 9.8) – Improper limitation of path names in Veeam Distribution Service
  • CVE-2022-26501 (CVSS 9.8) – Improper authentication in Veeam Distribution Service
  • CVE-2022-26504 (CVSS 8.8) – Improper authentication in Veeam Backup PSManager

Successful exploitation of these flaws would allow an attacker to copy files within local boundaries or from a remote SMB network share, achieve remote code execution without authorization, and perform local privilege escalation without authorization.

The researchers identified a repository on GitHub called Veeam-creds that contained scripts for recovering passwords from the Veeam Backup & Replication credential manager, and reported that they identified a malware variant called Veeamp that was being used in the wild by at least two ransomware operations (Monti and Yanluowang) to dump credentials from the SQL database used by the Veeam backup management software.

The vulnerabilities had been reported to Veeam, which had already issued patches to fix the flaws in March 2022; the flaws have been fixed in versions and (and later) of its software. The researchers shared the identified IoCs in their blog post.

Author: NetSec Editor