ALPHV/BlackCat ransomware affiliate targets Veritas Backup solution bugs

An ALPHV/BlackCat ransomware affiliate was spotted exploiting vulnerabilities in the Veritas Backup solution.

An affiliate of the ALPHV/BlackCat ransomware gang, tracked as UNC4466, was observed exploiting three vulnerabilities in the Veritas Backup solution to gain initial access to the target network.

Unlike other ALPHV affiliates, UNC4466 doesn’t rely on stolen credentials for initial access to victim environments. Mandiant researchers first observed this affiliate targeting Veritas issues in the wild on October 22, 2022. Below is the list of flaws exploited by the ransomware gang’s affiliate:

CVE-2021-27876: The communication between a client and an Agent requires successful authentication, which is typically completed over a secure TLS communication. However, due to a vulnerability in the SHA Authentication scheme, an attacker is able to gain unauthorized access and complete the authentication process. Subsequently, the client can execute data management protocol commands on the authenticated connection. By using crafted input parameters in one of these commands, an attacker can access an arbitrary file on the system using System privileges.. (CVSS score: 8.1).
CVE-2021-27877: An issue was discovered in Veritas Backup Exec before 21.2. It supports multiple authentication schemes: SHA authentication is one of these. This authentication scheme is no longer used in current versions of the product, but hadn’t yet been disabled. An attacker could remotely exploit this scheme to gain unauthorized access to an Agent and execute privileged commands. (CVSS score: 8.2).
CVE-2021-27878: An issue was discovered in Veritas Backup Exec before 21.2. The communication between a client and an Agent requires successful authentication, which is typically completed over a secure TLS communication. However, due to a vulnerability in the SHA Authentication scheme, an attacker is able to gain unauthorized access and complete the authentication process. Subsequently, the client can execute data management protocol commands on the authenticated connection. The attacker could use one of these commands to execute an arbitrary command on the system using system privileges. (CVSS score: 8.8)

The three flaws were addressed with the release of version 21.2 in March 2021, but many public-facing endpoints are yet to be updated. The researchers identified over 8,500 installations of Veritas Backup Exec instances that are currently exposed to the internet, some of which may still be vulnerable.

The exploitation of these flaws can be easy by using a penetration testing framework like METASPLOIT which has a specific module to target these issues since September 2022.

“In late 2022, UNC4466 gained access to an internet-exposed Windows server, running Veritas Backup Exec version 21.0 using the Metasploit module `exploit/multi/veritas/beagent_sha_auth_rce`. Shortly after, the Metasploit persistence module was invoked to maintain persistent access to the system for the remainder of this intrusion.” reads the analysis published by Mandiant.

Once gained access to the target’s network, the affiliate used the legitimate Famatech’s Advanced IP Scanner and ADRecon utilities as part of an internal reconnaissance.

Then the threat actor used the Background Intelligent Transfer Service (BITS) to download additional tools such as LAZAGNE, LIGOLO, WINSW, RCLONE, and finally the ALPHV ransomware encryptor.

The UNC4466 group relies on SOCKS5 tunneling to communicate with compromised systems. The threat actor employed two separate tools to execute this technique, LIGOLO and REVSOCKS.

The group gathered clear-text credentials and credential material by using multiple credential access tools, including Mimikatz, LaZagne and Nanodump.

The threat actor evades detection by clearing event logs and disabling Microsoft Defender’s real-time monitoring capability using the built in Set-MpPrefernce cmdlet.

The report includes Indicators of Compromise (IoCs) for this threat.

Please vote for Security Affairs (https://securityaffairs.com/) as the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections:

The Teacher – Most Educational Blog
The Entertainer – Most Entertaining Blog
The Tech Whizz – Best Technical Blog
Best Social Media Account to Follow (@securityaffairs)

Please nominate Security Affairs as your favorite blog.

Nominate here: https://docs.google.com/forms/d/e/1FAIpQLSfaFMkrMlrLhOBsRPKdv56Y4HgC88Bcji4V7OCxCm_OmyPoLw/viewform

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, ALPHV/BlackCat ransomware)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.