AvosLocker ransomware abusing Veritas backup servers for initial access

The AvosLocker ransomware gang is abusing known vulnerabilities in Veritas Backup Exec servers to gain access to victim networks, At-Bay’s Cyber Research Team has warned in a recent blog post.

Veritas Backup Exec is a data protection software product that supports virtual, physical and cloud platforms. Veritas claims more than 2 million Backup Exec customers, mainly in the SMB and midmarket arena.

According to At-Bay, the threat actors are chaining three vulnerabilities in the Veritas software - CVE-2021-27876, CVE-2021-27877 and CVE-2021-27878 - to gain initial access and then encrypt the victim’s network with the AvosLocker ransomware. The chain hinges on the SHA authentication scheme used by the Backup Exec agent: CVE-2021-27877 is the improper-authentication flaw in that scheme, and CVE-2021-27876 (arbitrary file access) and CVE-2021-27878 (arbitrary command execution) give the attacker file write and command execution on the agent once authenticated. Although the vendor fixed the flaws back in March 2021 (Backup Exec 21.2 and later contain the fix), many systems still remain unpatched.

AvosLocker is not the first RaaS group to use Backup Exec as an initial access vector. In October 2022, cybersecurity firm Mandiant warned that an affiliate of the ALPHV/BlackCat RaaS group was targeting publicly exposed Backup Exec installations to launch ransomware attacks.

According to At-Bay’s data, the AvosLocker attacks utilizing the Veritas vulnerabilities have been going on since January 2023.

The attack involves the following steps:

1. The attacker connects to the Veritas Backup Exec Agent over NDMP (TCP port 10000 by default). After receiving a NOTIFY_CONNECT packet from the Backup Exec NDMP server, the attacker sends a CONNECT_OPEN request and gets a CONNECT_OPEN reply; a successful status code in that reply confirms the connection is established.

2. The attacker then sends the Backup Exec NDMP server a config_get_server_info request to learn which authentication types the server supports.

3. The attacker then checks whether the server has SHA authentication enabled: the reply should include "Auth Type: Unknown" (the vendor-specific SHA scheme is not one of the standard NDMP authentication types NONE, TEXT or MD5, so generic NDMP dissectors label it Unknown). The attacker then authenticates the connection.

4. The attacker uploads a payload with the NDMP FILE_WRITE operation, a legitimate command the product uses to write data to a file on the server, and then uses the NDMP EXECUTE_COMMAND operation to run commands on the server.
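The exchange above runs over NDMP, an XDR-encoded RPC protocol whose message headers are fixed-size and easy to parse. As an added example (not part of At-Bay’s post or of Veritas’ code), the following Python parses a raw NDMP byte stream and flags the request sequence the four steps describe: CONNECT_OPEN, then CONFIG_GET_SERVER_INFO, then CONNECT_CLIENT_AUTH carrying an authentication type outside the standard NONE/TEXT/MD5 set, followed by vendor-specific messages. The header layout and the standard opcodes come from the NDMP v4 specification; the sample traffic, the authentication type value 4 and the vendor opcode 0xF0A1 are constructed placeholders, since the page does not give the numeric codes Backup Exec uses for FILE_WRITE and EXECUTE_COMMAND.

```python
"""Parse an NDMP (TCP/10000) byte stream and flag the request sequence the
article describes: CONNECT_OPEN -> CONFIG_GET_SERVER_INFO -> CONNECT_CLIENT_AUTH
with a non-standard auth type -> vendor-specific messages (file write / command
execution). Standard opcodes and the header layout follow the NDMP v4 XDR spec;
the sample traffic, auth type 4 and opcode 0xF0A1 are constructed for
illustration and are NOT taken from Backup Exec."""
import struct

# Standard NDMP v4 message codes (ndmp.x).
NDMP_CONFIG_GET_SERVER_INFO = 0x108
NDMP_NOTIFY_CONNECTION_STATUS = 0x502   # the "NOTIFY_CONNECT" packet in the article
NDMP_CONNECT_OPEN = 0x900
NDMP_CONNECT_CLIENT_AUTH = 0x901
NDMP_VENDORS_BASE = 0xF000              # start of the vendor-specific opcode range

NDMP_MESSAGE_REQUEST, NDMP_MESSAGE_REPLY = 0, 1
STANDARD_AUTH_TYPES = {0: "NONE", 1: "TEXT", 2: "MD5"}

# Hypothetical vendor opcode so the constructed sample has a message in the
# vendor range; the real Backup Exec opcodes are not given on the page.
HYPOTHETICAL_VENDOR_OP = 0xF0A1


def build_record(sequence, message_type, message, body=b"", reply_sequence=0, error=0):
    """Wrap an NDMP header + body in an XDR record mark (last-fragment bit set)."""
    header = struct.pack(">IIIIII", sequence, 0, message_type, message, reply_sequence, error)
    payload = header + body
    return struct.pack(">I", 0x80000000 | len(payload)) + payload


def parse_stream(data):
    """Split a raw byte stream into NDMP messages; stops cleanly on a truncated record."""
    msgs, off = [], 0
    while off + 4 <= len(data):
        mark = struct.unpack(">I", data[off:off + 4])[0]
        length = mark & 0x7FFFFFFF
        off += 4
        if length < 24 or off + length > len(data):
            break  # truncated or malformed record: stop rather than mis-parse
        seq, _ts, mtype, msg, _rseq, err = struct.unpack(">IIIIII", data[off:off + 24])
        msgs.append({"seq": seq, "type": mtype, "msg": msg, "err": err,
                     "body": data[off + 24:off + length]})
        off += length
    return msgs


def auth_type_of(body):
    """The first XDR u32 of a CONNECT_CLIENT_AUTH body is ndmp_auth_type."""
    if len(body) < 4:
        return None
    return struct.unpack(">I", body[:4])[0]


def detect_chain(msgs):
    """Return findings for the article's attack pattern, in stream order."""
    findings = []
    opened = probed = nonstd_auth = False
    for m in msgs:
        if m["type"] != NDMP_MESSAGE_REQUEST:
            continue  # replies carry no new intent; only requests drive the state machine
        if m["msg"] == NDMP_CONNECT_OPEN:
            opened = True
        elif m["msg"] == NDMP_CONFIG_GET_SERVER_INFO and opened:
            probed = True
        elif m["msg"] == NDMP_CONNECT_CLIENT_AUTH and opened:
            at = auth_type_of(m["body"])
            if STANDARD_AUTH_TYPES.get(at, "Unknown") == "Unknown":
                nonstd_auth = True
                findings.append(f"seq {m['seq']}: CLIENT_AUTH with non-standard auth type {at!r}")
        elif m["msg"] >= NDMP_VENDORS_BASE and nonstd_auth:
            findings.append(f"seq {m['seq']}: vendor-specific message {m['msg']:#x} after non-standard auth")
    if opened and probed and nonstd_auth:
        findings.insert(0, "open -> server-info probe -> non-standard auth sequence observed")
    return findings


# Constructed sample: both directions of the exchange, interleaved in order.
SAMPLE_STREAM = b"".join([
    build_record(1, NDMP_MESSAGE_REQUEST, NDMP_NOTIFY_CONNECTION_STATUS),             # server -> client
    build_record(1, NDMP_MESSAGE_REQUEST, NDMP_CONNECT_OPEN, struct.pack(">I", 4)),   # client, protocol v4
    build_record(2, NDMP_MESSAGE_REPLY, NDMP_CONNECT_OPEN, reply_sequence=1),         # server, error 0
    build_record(2, NDMP_MESSAGE_REQUEST, NDMP_CONFIG_GET_SERVER_INFO),
    build_record(3, NDMP_MESSAGE_REQUEST, NDMP_CONNECT_CLIENT_AUTH, struct.pack(">I", 4) + b"\x00" * 8),
    build_record(4, NDMP_MESSAGE_REQUEST, HYPOTHETICAL_VENDOR_OP, b"payload"),        # "FILE_WRITE"
    build_record(5, NDMP_MESSAGE_REQUEST, HYPOTHETICAL_VENDOR_OP, b"cmd"),            # "EXECUTE_COMMAND"
])

if __name__ == "__main__":
    for line in detect_chain(parse_stream(SAMPLE_STREAM)):
        print(line)
```

In practice you would feed `parse_stream` the reassembled TCP payload of a port 10000 session from a capture and alert on any finding; a backup agent reachable from outside the backup network should be the first thing the check turns up, because none of this traffic belongs there at all.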

“AvosLocker’s use of these vulnerabilities can also serve as a lesson in cyber crime underground operations: RaaS groups can share intelligence or steal tactics from one another in order to perpetuate their schemes. With multiple groups using Backup Exec as an entry vector, these attacks show that malicious actors do not operate in silos, and other ransomware groups may use the same vectors for their own schemes. Patching vulnerabilities as soon as possible protects organizations from all RaaS groups as they adapt to a changing ecosystem,” the researchers concluded.

