Threat actors behind the Fog and Akira ransomware are exploiting a known vulnerability in the Veeam backup and disaster recovery software to create an account and attempt to deploy ransomware.
Tracked as CVE-2024-40711, the flaw is an input validation error that allows remote code execution.
The attacks were first spotted by the Sophos X-Ops threat research team over the past month.
“In one case, attackers dropped Fog ransomware. Another attack in the same timeframe attempted to deploy Akira ransomware. Indicators in all 4 cases overlap with earlier Akira and Fog ransomware attacks,” the researchers wrote.
The intruders gained initial access via compromised VPN gateways without multifactor authentication enabled, with some of the hacked gateways running unsupported software versions.
“Each time, the attackers exploited VEEAM on the URI /trigger on port 8000, triggering the Veeam.Backup.MountService.exe to spawn net.exe. The exploit creates a local account, "point," adding it to the local Administrators and Remote Desktop Users groups,” the team explained.
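The process chain the researchers describe (the Veeam mount service spawning net.exe, a new local account, and that account joining the Administrators and Remote Desktop Users groups) is straightforward to hunt for in process-creation telemetry. The following detection logic is an added example, not code from Sophos or Veeam; it runs over constructed Sysmon-style process events (parent image, image, command line) and the account name, paths and sample events are assumptions made for illustration.

```python
"""
Added detection example: flags the behaviours described in the article
in Windows process-creation events (Sysmon Event ID 1 style fields).

  (a) net.exe / net1.exe spawned by Veeam.Backup.MountService.exe
  (b) any command creating a local account ("net user <name> ... /add")
  (c) any command adding a member to Administrators or Remote Desktop Users

The sample events below are constructed for this example.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    parent_image: str   # full path of the parent process
    image: str          # full path of the created process
    command_line: str   # command line of the created process


# Parent/child pairing from the article: the Veeam mount service should not
# normally be launching the net command.
SUSPICIOUS_PARENT = "veeam.backup.mountservice.exe"
NET_BINARIES = {"net.exe", "net1.exe"}   # net.exe delegates to net1.exe
PRIVILEGED_GROUPS = {"administrators", "remote desktop users"}

# "net user <name> [<password>] /add"; the name may be quoted.
USER_ADD = re.compile(
    r"\bnet1?(?:\.exe)?\s+user\s+(?:\"([^\"]+)\"|(\S+))(?:\s+\S+)?\s+/add\b", re.I)
# "net localgroup <group> <member> /add"; group and member may be quoted.
GROUP_ADD = re.compile(
    r"\bnet1?(?:\.exe)?\s+localgroup\s+(?:\"([^\"]+)\"|(\S+))\s+(?:\"([^\"]+)\"|(\S+))\s+/add\b", re.I)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(ev: ProcessEvent) -> list[str]:
    """Return the list of findings for one event (empty when nothing matched)."""
    findings = []
    if basename(ev.parent_image) == SUSPICIOUS_PARENT and basename(ev.image) in NET_BINARIES:
        findings.append("veeam_mountservice_spawned_net")
    m = USER_ADD.search(ev.command_line)
    if m:
        findings.append(f"local_account_created:{m.group(1) or m.group(2)}")
    m = GROUP_ADD.search(ev.command_line)
    if m:
        group = (m.group(1) or m.group(2)).lower()
        member = m.group(3) or m.group(4)
        if group in PRIVILEGED_GROUPS:
            findings.append(f"privileged_group_add:{group}:{member}")
    return findings


def scan(events: list[ProcessEvent]) -> list[tuple[int, str]]:
    """(event index, finding) pairs across a batch of events."""
    return [(i, f) for i, ev in enumerate(events) for f in classify(ev)]


# Constructed sample events; the install path and the account name "point"
# are assumptions for illustration (the name is taken from the article).
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Program Files\Veeam\Backup and Replication\Backup\Veeam.Backup.MountService.exe",
                 r"C:\Windows\System32\net.exe",
                 "net user point Passw0rd! /add"),
    ProcessEvent(r"C:\Windows\System32\net.exe", r"C:\Windows\System32\net1.exe",
                 r"C:\Windows\system32\net1 localgroup Administrators point /add"),
    ProcessEvent(r"C:\Windows\System32\net.exe", r"C:\Windows\System32\net1.exe",
                 r'C:\Windows\system32\net1 localgroup "Remote Desktop Users" point /add'),
    # Benign: a mapped drive from an interactive session, should not fire.
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\net.exe",
                 r"net use Z: \\fileserver\share"),
]

if __name__ == "__main__":
    for idx, finding in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {finding}")
```

The parent-child rule is the highest-signal check because it is specific to the service named in the report; the account-creation and group-membership rules are generic and will also catch legitimate administration, so they are better used to enrich the first alert (or correlate with a request to the /trigger URI on port 8000) than as stand-alone alerts.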
In the Fog ransomware incident, the threat actor deployed it to an unprotected Hyper-V server and then exfiltrated data using the rclone tool.
Last week, the US and UK cyber agencies issued a joint warning about the Russia-linked APT29 hackers (aka BlueBravo, Cloaked Ursa, Cozy Bear, and Midnight Blizzard), linked to Russia's Foreign Intelligence Service (SVR), actively targeting vulnerable Zimbra and JetBrains TeamCity servers. The group is exploiting known vulnerabilities (CVE-2022-27924 and CVE-2023-42793) to compromise servers, particularly in sectors such as diplomacy, defense, technology, and finance, to gather foreign intelligence and prepare for future cyber operations.