Executive Summary
In October 2024, a critical vulnerability identified as CVE-2024-40711 was discovered in several Veeam products, posing a significant threat to organizations worldwide. This vulnerability, with a CVSS severity score of 9.8, allows remote code execution (RCE) through the deserialization of untrusted data. The Cybersecurity and Infrastructure Security Agency (CISA) has confirmed active exploitation of this vulnerability in the wild, particularly in ransomware attacks. The sectors and countries targeted by these attacks have not been explicitly identified, but the nature of the vulnerability suggests a broad potential impact across industries.
Technical Information
CVE-2024-40711 is a critical vulnerability affecting multiple Veeam products, including Veeam Backup & Replication, Veeam Agent for Linux, Veeam ONE, Veeam Service Provider Console, Veeam Backup for Nutanix AHV Plug-In, and Veeam Backup for Oracle Linux Virtualization Manager and Red Hat Virtualization Plug-In. The vulnerability arises from the deserialization of untrusted data: the affected components do not adequately validate serialized input before deserializing it, allowing attackers to execute arbitrary code remotely. This flaw can be exploited by sending a specially crafted payload to the vulnerable application, leading to unauthorized access and potential full system compromise. The vulnerability has been actively exploited in ransomware campaigns, with attackers leveraging it to deploy payloads such as Fog and Akira ransomware. Successful exploitation can result in data manipulation, lateral movement within networks, and significant operational disruption, which is especially severe for backup infrastructure because it is often the last line of recovery after a ransomware event.
Exploitation in the Wild
The exploitation of CVE-2024-40711 has been observed in ransomware campaigns, with attackers deploying Fog and Akira ransomware. Indicators of compromise (IOCs) from these attacks include specific file hashes, IP addresses, and domain names associated with the ransomware payloads. The overlap of IOCs with previous campaigns involving these ransomware families suggests a coordinated effort by financially motivated cybercriminals. The availability of proof of concept (PoC) exploit code on platforms like GitHub has further facilitated the exploitation of this vulnerability, enabling attackers to gain unauthorized access and execute arbitrary code on affected systems.
APT Groups using this vulnerability
While no specific advanced persistent threat (APT) groups have been identified using CVE-2024-40711, the vulnerability's exploitation in ransomware attacks suggests involvement by financially motivated cybercriminals. Previous vulnerabilities in Veeam products have been targeted by groups such as EstateRansomware, Akira, Cuba, and FIN7. These groups are known for their sophisticated attack techniques and focus on financial gain, making them likely candidates for exploiting this vulnerability.
Affected Product Versions
The following Veeam products and versions are affected by CVE-2024-40711:
Veeam Backup & Replication: version 12.1.2.172 and all earlier version 12 builds
Veeam Agent for Linux: version 6.1.2.1781 and all earlier version 6 builds
Veeam ONE: version 12.1.0.3208 and all earlier version 12 builds
Veeam Service Provider Console: version 8.0.0.19552 and all earlier version 8 and version 7 builds
Veeam Backup for Nutanix AHV Plug-In: version 12.5.1.8 and all earlier version 12 builds
Veeam Backup for Oracle Linux Virtualization Manager and Red Hat Virtualization Plug-In: version 12.4.1.45 and all earlier version 12 builds
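The following script is an added example, not part of the original report or of Veeam's tooling. It encodes the affected ranges listed above and checks an inventory of installed builds against them, so an asset owner can triage which deployments still need the patch; the product names, ceiling builds and the version-string format are taken from this advisory, while the installed versions in the sample inventory are constructed for illustration.

```python
from __future__ import annotations

# Newest affected build per product, plus the major versions the advisory
# describes as wholly affected below that build (taken from the list above).
AFFECTED: dict[str, tuple[str, set[int]]] = {
    "Veeam Backup & Replication": ("12.1.2.172", {12}),
    "Veeam Agent for Linux": ("6.1.2.1781", {6}),
    "Veeam ONE": ("12.1.0.3208", {12}),
    "Veeam Service Provider Console": ("8.0.0.19552", {8, 7}),
    "Veeam Backup for Nutanix AHV Plug-In": ("12.5.1.8", {12}),
    "Veeam Backup for Oracle Linux Virtualization Manager and Red Hat Virtualization Plug-In":
        ("12.4.1.45", {12}),
}


def parse_version(text: str) -> tuple[int, int, int, int]:
    """Turn a dotted build string such as '12.1.2.172' into a comparable 4-tuple.

    Missing trailing components are padded with 0, so '6.1.3' sorts as 6.1.3.0.
    Anything that is not purely dotted integers is rejected rather than guessed.
    """
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    nums = [int(p) for p in parts] + [0] * (4 - len(parts))
    return nums[0], nums[1], nums[2], nums[3]


def is_affected(product: str, installed: str) -> bool | None:
    """True if the build falls in the advisory's affected range, False if it is
    newer than the last affected build, None if the advisory says nothing about
    it (unlisted product, or a major version older than those it enumerates)."""
    if product not in AFFECTED:
        return None
    ceiling_text, majors = AFFECTED[product]
    installed_v, ceiling_v = parse_version(installed), parse_version(ceiling_text)
    if installed_v > ceiling_v:          # component-wise tuple comparison
        return False
    return True if installed_v[0] in majors else None


def triage(inventory: list[tuple[str, str, str]]) -> list[tuple[str, str]]:
    """Map (host, product, version) records to (host, status) for follow-up."""
    labels = {True: "PATCH REQUIRED", False: "not affected", None: "not covered by advisory"}
    return [(host, labels[is_affected(prod, ver)]) for host, prod, ver in inventory]


if __name__ == "__main__":
    sample = [("bkp01", "Veeam Backup & Replication", "12.1.2.172"),  # constructed inventory
              ("bkp02", "Veeam Backup & Replication", "12.2.0.1"),
              ("vspc1", "Veeam Service Provider Console", "7.0.0.100")]
    for host, status in triage(sample):
        print(f"{host}: {status}")
```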
Workaround and Mitigation
To mitigate the risk posed by CVE-2024-40711, organizations using Veeam products should apply the security patch released by Veeam on September 4, 2024, which addresses the vulnerability and prevents its exploitation. Additionally, network segmentation can limit lateral movement opportunities for attackers and reduce the impact of a successful exploit; backup servers in particular should not be reachable from general user networks or the internet. Organizations should also enhance monitoring for unusual activity on backup infrastructure and implement detection for the known IOCs associated with Fog and Akira ransomware. Regularly updating and patching systems, along with maintaining robust security practices, remains essential to safeguarding against vulnerabilities of this kind.
References
For further information on CVE-2024-40711 and its exploitation, please refer to the following resources: CISA Known Exploited Vulnerabilities Catalog, The Record Article on Veeam Vulnerability, Veeam Security Bulletin (September 2024), watchTowr Labs PoC, and RealStatus PoC.
Rescana is here for you
At Rescana, we are committed to helping our customers navigate the complex landscape of cybersecurity threats. Our Continuous Threat and Exposure Management (CTEM) platform provides comprehensive solutions to identify, assess, and mitigate vulnerabilities, ensuring the security and resilience of your organization's digital assets. For any questions or further assistance regarding this report or other cybersecurity concerns, please contact our team at ops@rescana.com. We are here to support you in safeguarding your organization against emerging threats.