2023-05-01

WithSecure Intelligence has identified FIN7, a notorious cybercriminal organization, as the perpetrator of two attacks targeting Veeam servers.

Suspicious activity by the attacker was detected on servers running Veeam Backup & Replication, likely exploiting a recently patched vulnerability.

While the reason for the Veeam server attacks is still unknown, organizations are advised to take measures to patch and secure their backup servers.

FIN7, also known as the Carbanak Group, is a notable cybercriminal organization with a history of executing financially driven attacks against various businesses, primarily in the hospitality and retail industries. According to WithSecure Intelligence, two attacks have been identified that utilize the tactics and techniques of the notorious FIN7 hacking group, targeting Veeam servers.

Suspicious activity on Veeam servers

According to the WithSecure report, on March 28, 2023, the first signs of activity were spotted on internet-facing servers running Veeam Backup & Replication. Although the precise method the threat actor used to execute the initial shell commands is unknown, it was presumably enabled by a recently patched Veeam Backup & Replication vulnerability, CVE-2023-27532, which can grant unauthenticated access to a Veeam Backup & Replication instance.

« On 24th March 2023, the SQL server process for Veeam backup instances executed another shell command to copy the “Web.config” file located within Veeam Backup & Replication program files to another file called “system.js”. The exact reason for this shell command remains unknown. However, it is plausible that the earlier activity was performed by the threat actor to probe and identify internet-facing servers vulnerable to CVE-2023-27532, something that FIN7 has reportedly done in the past. »

The initial activity on the affected servers originated from the same public IP address on the same day, suggesting it is part of a broader campaign. However, given the limited number of servers with the vulnerable TCP port 9401 publicly exposed, the attack is believed to be contained.
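The observable the report describes, a shell command launched by the Veeam SQL server process that copies Web.config to a file named system.js, is a straightforward thing to hunt for in process-creation telemetry. The following is an added detection example, not code from WithSecure, Veeam or FIN7 research; the log records, host names, file paths and rule names are constructed for illustration and resemble Sysmon Event ID 1 fields rather than any real capture. It flags two things: a shell (cmd.exe or PowerShell) spawned directly by sqlservr.exe, which is rare in normal operation, and any command line that references Web.config together with a .js destination.

```python
"""Flag shell commands spawned by the SQL server process on a Veeam host.

Added illustration only; the events, paths and rule names are constructed
and do not come from the WithSecure report or from Veeam.
"""
import ntpath
import re
from dataclasses import dataclass

# Images a SQL server process should not normally be launching.
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe"}
SQL_IMAGE = "sqlservr.exe"

# Constructed process-creation records (Sysmon-style fields, not real data).
SAMPLE_EVENTS = [
    {   # benign: an administrator listing a directory from Explorer
        "host": "veeam-01",
        "parent_image": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\cmd.exe",
        "command_line": r"cmd.exe /c dir C:\Backups",
    },
    {   # matches both rules: SQL server copies Web.config to system.js
        "host": "veeam-01",
        "parent_image": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe",
        "image": r"C:\Windows\System32\cmd.exe",
        "command_line": r'cmd.exe /c copy "C:\Program Files\Veeam\Web.config" "C:\Program Files\Veeam\system.js"',
    },
    {   # matches the first rule only: SQL server spawns PowerShell
        "host": "veeam-02",
        "parent_image": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "command_line": "powershell.exe -c whoami",
    },
]


@dataclass
class Finding:
    host: str
    rule: str
    command_line: str


def _basename(win_path: str) -> str:
    """Lower-cased file name of a Windows path; ntpath works on any OS."""
    return ntpath.basename(win_path).lower()


def detect(events):
    """Return a Finding for every event that trips one of the two rules."""
    findings = []
    for ev in events:
        parent = _basename(ev["parent_image"])
        child = _basename(ev["image"])
        cmd = ev["command_line"]
        # Rule 1: sqlservr.exe launching an interactive shell.
        if parent == SQL_IMAGE and child in SHELL_IMAGES:
            findings.append(Finding(ev["host"], "sql_server_spawned_shell", cmd))
        # Rule 2: Web.config being copied or written to a .js file name.
        if re.search(r"web\.config", cmd, re.I) and re.search(r"\.js\b", cmd, re.I):
            findings.append(Finding(ev["host"], "webconfig_copied_to_js", cmd))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f.host}: {f.rule}: {f.command_line}")
```

Rule 1 on its own is the higher-signal one: a backup server's SQL instance has no routine reason to start cmd.exe or PowerShell, so a hit deserves review regardless of the command line. Rule 2 is narrower and tied to the exact artifact the report names, which makes it useful for sweeping historical logs for this specific activity. Feeding the same two conditions into an EDR query or a Sysmon-based SIEM rule is the practical equivalent of this script.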

WithSecure reports that the motive behind these attacks remains unknown, because they were stopped before they could do further harm; even so, the findings add to what is known about FIN7 and its methods and point to avenues for further research.

Affected businesses are encouraged to follow the recommended guidance to patch and properly configure their backup servers in order to prevent further attacks.