CISA confirms Veeam vulnerability is being used in ransomware attacks

The nation’s top cybersecurity agency has confirmed that ransomware gangs are using a vulnerability found last month in products from software company Veeam. 

For weeks, experts have expressed alarm about CVE-2024-40711 — a bug Veeam rated critical and gave a severity score of 9.8 when it was disclosed in September. 

CVE-2024-40711 could “allow an attacker to gain full control of a system, manipulate data, and potentially move laterally within a network, making it a relatively high-value target for threat actors,” according to researchers at Censys. 

The Cybersecurity and Infrastructure Security Agency (CISA) confirmed on Thursday that the vulnerability has been exploited and took the rare step of specifying that it was being used in ransomware attacks. 

Veeam released a fix on September 4 after the bug was discovered by Code White security researcher Florian Hauser. By September 15, proof-of-concept exploit code was released by watchTowr Labs. Veaam specializes in software for system backups and disaster recovery.

CISA gave federal civilian agencies until November 7 to patch the bug. 

CISA added the “Known To Be Used in Ransomware Campaigns?” tab in the Known Exploited Vulnerabilities (KEV) Catalog almost exactly a year ago but has rarely used it.

The tag is fitting, considering that researchers have warned of ransomware gangs specifically targeting CVE-2024-40711 because companies use Veeam for sensitive activities.

Cybersecurity firm Sophos said last week that its incident response team was tracking a series of attacks that involved the exploitation of CVE-2024-40711 and attempted deployment of ransomware. 

“In one case, attackers dropped Fog ransomware. Another attack in the same timeframe attempted to deploy Akira ransomware. Indicators in all 4 cases overlap with earlier Akira and Fog ransomware attacks,” Sophos said. 

Sophos’ Sean Gallagher added on Thursday that they have found another case tied to the same campaign. 

Censys warned in September that the vulnerability is “particularly concerning because it’s likely to be exploited by ransomware operators to compromise backup systems and potentially create double-extortion scenarios.” 

They added that earlier vulnerabilities in Veeam Backup & Replication, such as CVE-2023-27532 disclosed back in July, “have already been exploited by ransomware groups like EstateRansomware, Akira, Cuba, and FIN7 for initial access, credential theft, and other malicious activities.”

“Although it is currently unknown if CVE-2024-40711 is actively being exploited, its potential for extracting large volumes of data and enabling lateral movement within networks suggests it could become a target for ransomware attacks,” Censys said last month. 

Incident response firm Rapid7 noted that more than 20% of their cases in 2024 so far have involved Veeam “being accessed or exploited in some manner, typically once an adversary has already established a foothold in the target environment.”

The U.K.’s National Health Service released its own warning about CVE-2024-40711 last week.