Hackers Exploiting Veeam RCE Vulnerability to Deploy New “Frag” Ransomware
Hackers are currently exploiting a critical vulnerability in Veeam Backup & Replication software to distribute a new ransomware strain called “Frag.”
This vulnerability, tracked as CVE-2024-40711, allows unauthenticated remote code execution. It has a severity score of 9.8 out of 10 on the CVSS scale, indicating a high level of risk.
Sophos X-Ops researchers reported that these attacks are part of a threat activity cluster named STAC 5881. The attackers gained initial access by compromising VPN appliances and then exploited the Veeam vulnerability to create rogue administrator accounts.
This critical flaw affects Veeam Backup & Replication versions prior to 12.1.2.172. Veeam, whose widely used backup products serve over 550,000 customers, including 74% of Global 2000 companies, released security patches for this vulnerability in early September 2024.
Previously, STAC 5881 had been seen deploying Akira and Fog ransomware variants. However, in a recent incident, Sophos researchers detected the use of a new, previously undocumented ransomware called Frag. Frag ransomware works through the command line, encrypting files and appending the “.frag” extension to them.
Sean Gallagher, the principal threat researcher at Sophos X-Ops, stated that, similar to past incidents, the attackers used a compromised VPN appliance to gain access and exploited the Veeam vulnerability to create a new account named “point.” In this case, a second account, “point2,” was also created.
Frag ransomware operates similarly to the Akira and Fog variants, suggesting that a new group may be adopting similar tactics.
The exploitation of the Veeam vulnerability follows a pattern of attackers targeting backup solutions to maximize the impact of their ransomware campaigns. By compromising backup systems, attackers make it harder for victims to recover their data without paying the ransom.
Cybersecurity experts strongly recommend that organizations using Veeam Backup & Replication immediately apply the latest security updates. Additionally, they advise isolating backup servers from the internet, enforcing multi-factor authentication for management access, and enhancing monitoring to detect unusual activities.
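Two of the steps above can be turned into routine checks on a backup server: confirming that the installed build is not in the affected range the article gives (prior to 12.1.2.172), and watching for the rogue-account pattern the article describes (a new local account such as "point" or "point2" that is added to Administrators minutes after it is created). The script below is an added example and is not code from the article, from Sophos, or from Veeam. It assumes four-part build numbers, and the log line format, the hostname BACKUP01, the subject accounts and all timestamps are constructed for the demonstration; the account names "point" and "point2" are the ones the article reports.

```python
# Added example (not from the article, Sophos or Veeam): a defensive check that
# (1) compares an installed Veeam Backup & Replication build against the affected
# range the article gives (versions prior to 12.1.2.172) and (2) scans Windows
# Security log lines for an account that is created (event 4720) and added to the
# local Administrators group (event 4732) within a short window. The log format,
# hostname, subject accounts and timestamps below are constructed.
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# First non-affected build per the article (assumption: four-part build numbers).
FIXED_BUILD = (12, 1, 2, 172)


def parse_build(version: str) -> Tuple[int, ...]:
    """Turn '12.1.1.56' into (12, 1, 1, 56); missing trailing parts count as 0."""
    parts = [int(p) for p in version.strip().split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def is_vulnerable_build(version: str) -> bool:
    """True when the installed build precedes the fixed build from the article."""
    return parse_build(version) < FIXED_BUILD


@dataclass
class Event:
    ts: datetime
    host: str
    event_id: int          # 4720 = user account created, 4732 = member added to local group
    subject: str           # account that performed the action
    target: str            # account that was created or added
    group: Optional[str]   # local group name, present only on 4732 events


# Constructed one-line rendering of the relevant Security event fields.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) EventID=(?P<id>\d+) "
    r"Subject=(?P<subject>\S+) Target=(?P<target>\S+)(?: Group=(?P<group>\S+))?$"
)


def parse_events(lines: List[str]) -> List[Event]:
    """Parse the constructed log lines; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        events.append(Event(
            ts=datetime.fromisoformat(m["ts"]),
            host=m["host"],
            event_id=int(m["id"]),
            subject=m["subject"],
            target=m["target"],
            group=m["group"],
        ))
    return events


def find_rogue_admins(events: List[Event],
                      window: timedelta = timedelta(minutes=10)) -> List[Dict[str, object]]:
    """Report accounts created and added to Administrators on the same host within `window`."""
    created: Dict[Tuple[str, str], Event] = {}
    for e in events:
        if e.event_id == 4720:
            created[(e.host, e.target)] = e
    hits: List[Dict[str, object]] = []
    for e in sorted(events, key=lambda x: x.ts):
        if e.event_id != 4732 or e.group != "Administrators":
            continue
        c = created.get((e.host, e.target))
        if c is not None and timedelta(0) <= e.ts - c.ts <= window:
            hits.append({
                "host": e.host,
                "account": e.target,
                "created_by": c.subject,
                "elevated_by": e.subject,
                "seconds_between": int((e.ts - c.ts).total_seconds()),
            })
    return hits


# Constructed sample: two rogue accounts, one routine service account that is
# never made an administrator, one long-standing account added to Administrators
# (no recent creation), and one account elevated well outside the window.
SAMPLE_LOG = [
    "2024-10-25T08:00:00 BACKUP01 EventID=4720 Subject=CORP\\jdoe Target=tmpadmin",
    "2024-10-25T09:00:00 BACKUP01 EventID=4720 Subject=CORP\\jdoe Target=svc_reports",
    "2024-10-25T13:00:00 BACKUP01 EventID=4732 Subject=CORP\\jdoe Target=tmpadmin Group=Administrators",
    "2024-10-25T14:02:11 BACKUP01 EventID=4720 Subject=BACKUP01\\svc_backup Target=point",
    "2024-10-25T14:02:13 BACKUP01 EventID=4732 Subject=BACKUP01\\svc_backup Target=point Group=Administrators",
    "2024-10-25T14:05:40 BACKUP01 EventID=4720 Subject=BACKUP01\\svc_backup Target=point2",
    "2024-10-25T14:05:42 BACKUP01 EventID=4732 Subject=BACKUP01\\svc_backup Target=point2 Group=Administrators",
    "2024-10-25T15:30:00 BACKUP01 EventID=4732 Subject=CORP\\jdoe Target=olduser Group=Administrators",
    "2024-10-25T16:00:00 BACKUP01 EventID=4732 Subject=CORP\\jdoe Target=svc_reports Group=BackupOperators",
]

if __name__ == "__main__":
    for v in ("12.1.1.56", "12.1.2.172"):
        print(v, "vulnerable" if is_vulnerable_build(v) else "patched")
    for hit in find_rogue_admins(parse_events(SAMPLE_LOG)):
        print("ALERT new local admin:", hit)
```

On a real server the version would come from the installed product and the events from the Security log; the ten-minute window is a starting point, and any account created by a service account and elevated on a backup host deserves a look regardless of timing.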
The emergence of new ransomware variants like Frag underscores the ongoing need for robust cybersecurity measures and the prompt patching of known vulnerabilities.