An ALPHV / BlackCat ransomware affiliate was observed exploiting three vulnerabilities in the Veritas Backup product for initial access. The ALPHV ransomware operation was first discovered in December 2021 and is believed to be run by former members of the Darkside and BlackMatter operations. Mandiant tracks the affiliate behind these attacks as UNC4466 and notes that exploiting these vulnerabilities differs from the group's usual initial-access method, which relied on valid accounts. Mandiant reports that it first observed these Veritas Backup vulnerabilities being exploited in the wild on October 22, 2022. The targeted vulnerabilities are as follows:
- CVE-2021-27876 (CVSS score: 8.1): Arbitrary file access flaw caused by an error in the SHA authentication scheme, allowing a remote attacker to gain unauthorized access to vulnerable endpoints
- CVE-2021-27878 (CVSS score: 8.8): Arbitrary command execution flaw caused by an error in the SHA authentication scheme, allowing a remote attacker to gain unauthorized access to vulnerable endpoints
- CVE-2021-27877 (CVSS score: 8.2): Remote unauthorized access and privileged command execution to the BE Agent via SHA authentication
These vulnerabilities were disclosed by Veritas in March 2021 and a patch was released with version 21.2. However, despite two years passing since these vulnerabilities were patched, there are still more than 8,500 publicly exposed IP addresses running Veritas Backup. On September 23, 2022, a Metasploit module was released to exploit these vulnerabilities.
Following initial compromise via the Metasploit module, UNC4466 used the Advanced IP Scanner and ADRecon utilities to perform further reconnaissance. Next, they downloaded additional tools such as LaZagne, Ligolo, WinSW, and RClone, and ultimately the ALPHV ransomware encryptor, through the Background Intelligent Transfer Service (BITS). They used SOCKS5 tunnelling to communicate with their command and control (C2) server, and tools such as Mimikatz and Nanodump to escalate privileges and steal credentials. To hide their activity, the actors cleared event logs and disabled Microsoft Defender's real-time monitoring capability.
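The post-compromise behaviours described above leave standard Windows event log traces that a defender can correlate: a BITS job starting a transfer, Defender real-time protection being turned off, and an event log being cleared. The following is an added example, not part of the original article or of any Mandiant or Veritas tooling, that runs that correlation over a small constructed JSON-lines export of Windows events. The channel/event-ID pairs are standard Windows ones (Bits-Client/Operational 59, Defender/Operational 5001, Security 1102, System 104); the hostnames, timestamps, URLs and the one-hour window are assumptions chosen for the example.

```python
import json
import re
from datetime import datetime, timedelta

# Standard Windows channel / event-ID pairs (not specific to this campaign):
#   Microsoft-Windows-Bits-Client/Operational 59        -> a BITS job started a transfer (URL is in the message)
#   Microsoft-Windows-Windows Defender/Operational 5001 -> real-time protection was disabled
#   Security 1102                                       -> the Security audit log was cleared
#   System 104                                          -> an event log was cleared
SIGNATURES = {
    ("Microsoft-Windows-Bits-Client/Operational", 59): "bits_download",
    ("Microsoft-Windows-Windows Defender/Operational", 5001): "defender_rtp_disabled",
    ("Security", 1102): "log_cleared",
    ("System", 104): "log_cleared",
}

# Constructed sample export (one JSON event per line). Hostnames, times and URLs are made up;
# 198.51.100.7 is a documentation-range address, not a real indicator.
SAMPLE_EVENTS = """\
{"host": "BKUP-SRV01", "time": "2022-10-22T03:14:05", "channel": "Microsoft-Windows-Bits-Client/Operational", "event_id": 59, "message": "BITS started the BITS Transfer transfer job ... URL http://198.51.100.7/lz.zip"}
{"host": "BKUP-SRV01", "time": "2022-10-22T03:20:41", "channel": "Microsoft-Windows-Windows Defender/Operational", "event_id": 5001, "message": "Real-time protection is disabled."}
{"host": "BKUP-SRV01", "time": "2022-10-22T03:22:10", "channel": "Security", "event_id": 1102, "message": "The audit log was cleared."}
{"host": "FS02", "time": "2022-10-22T09:00:00", "channel": "Microsoft-Windows-Bits-Client/Operational", "event_id": 59, "message": "BITS started the BITS Transfer transfer job ... URL http://wsus.corp.example/update.cab"}
{"host": "WS17", "time": "2022-10-22T11:02:00", "channel": "Security", "event_id": 4624, "message": "An account was successfully logged on."}
"""


def parse_events(text):
    """Parse a JSON-lines export into dicts with datetime timestamps; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["time"] = datetime.fromisoformat(rec["time"])
        events.append(rec)
    return events


def tag_events(events):
    """Keep only events matching a signature and attach a behaviour tag to each."""
    tagged = []
    for ev in events:
        tag = SIGNATURES.get((ev["channel"], ev["event_id"]))
        if tag:
            tagged.append({**ev, "tag": tag})
    return tagged


def correlate(events, window=timedelta(hours=1)):
    """Per host, find a BITS download followed within `window` by both evasion steps
    (Defender real-time protection disabled AND an event log cleared).
    Returns {host: [tags in time order]} for hosts that match."""
    by_host = {}
    for ev in sorted(tag_events(events), key=lambda e: e["time"]):
        by_host.setdefault(ev["host"], []).append(ev)
    hits = {}
    for host, evs in by_host.items():
        for i, anchor in enumerate(evs):
            if anchor["tag"] != "bits_download":
                continue
            later = [e for e in evs[i + 1:] if e["time"] - anchor["time"] <= window]
            if {"defender_rtp_disabled", "log_cleared"} <= {e["tag"] for e in later}:
                hits[host] = [anchor["tag"]] + [e["tag"] for e in later]
                break  # one finding per host is enough for triage
    return hits


def unapproved_bits_sources(events, allowed_hosts):
    """Lower-severity check: BITS transfers whose source host is not an approved update server.
    Returns [(host, source_host)] so analysts can review the download origin."""
    findings = []
    for ev in tag_events(events):
        if ev["tag"] != "bits_download":
            continue
        m = re.search(r"https?://([^/\s]+)", ev["message"])
        if m and m.group(1) not in allowed_hosts:
            findings.append((ev["host"], m.group(1)))
    return findings


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print("download -> evasion chains:", correlate(evs))
    print("BITS from unapproved sources:", unapproved_bits_sources(evs, {"wsus.corp.example"}))
```

The chain check deliberately requires the download to come first: a lone 1102 or 5001 is noisy (administrators clear logs and toggle Defender during maintenance), but all three within an hour on a backup server is the sequence this article describes. The allowlist check is the cheaper companion query for hunting BITS transfers that do not originate from the organisation's own update infrastructure.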
While the specific versions in use aren't known, there are still 8,500 publicly exposed devices running Veritas Backup software. Like many campaigns, this campaign from UNC4466 relies on organizations not keeping up with critical patches. A good threat intelligence program and an adequate patching schedule allow security teams to quickly identify and fix vulnerabilities present within an organization before an attacker can exploit them.