An affiliate of the ALPHV/BlackCat ransomware gang, tracked as UNC4466, was observed exploiting three vulnerabilities in the Veritas Backup solution to gain initial access to the target network.
Unlike other ALPHV affiliates, UNC4466 doesn’t rely on stolen credentials for initial access to victim environments. Mandiant researchers first observed this affiliate targeting Veritas issues in the wild on October 22, 2022. Below is the list of flaws exploited by the ransomware gang’s affiliate:
The three flaws were addressed with the release of version 21.2 in March 2021, but many public-facing endpoints are yet to be updated. The researchers identified over 8,500 installations of Veritas Backup Exec instances that are currently exposed to the internet, some of which may still be vulnerable.
The exploitation of these flaws can be easy by using a penetration testing framework like METASPLOIT which has a specific module to target these issues since September 2022.
“In late 2022, UNC4466 gained access to an internet-exposed Windows server, running Veritas Backup Exec version 21.0 using the Metasploit module `exploit/multi/veritas/beagent_sha_auth_rce`. Shortly after, the Metasploit persistence module was invoked to maintain persistent access to the system for the remainder of this intrusion.” reads the analysis published by Mandiant.
Once gained access to the target’s network, the affiliate used the legitimate Famatech’s Advanced IP Scanner and ADRecon utilities as part of an internal reconnaissance.
Then the threat actor used the Background Intelligent Transfer Service (BITS) to download additional tools such as LAZAGNE, LIGOLO, WINSW, RCLONE, and finally the ALPHV ransomware encryptor.
The UNC4466 group relies on SOCKS5 tunneling to communicate with compromised systems. The threat actor employed two separate tools to execute this technique, LIGOLO and REVSOCKS.
The group gathered clear-text credentials and credential material by using multiple credential access tools, including Mimikatz, LaZagne and Nanodump.
The threat actor evades detection by clearing event logs and disabling Microsoft Defender’s real-time monitoring capability using the built in Set-MpPrefernce cmdlet.
The report includes Indicators of Compromise (IoCs) for this threat.
Please vote for Security Affairs (https://securityaffairs.com/) as the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections:
Please nominate Security Affairs as your favorite blog.
Nominate here: https://docs.google.com/forms/d/e/1FAIpQLSfaFMkrMlrLhOBsRPKdv56Y4HgC88Bcji4V7OCxCm_OmyPoLw/viewform
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, ALPHV/BlackCat ransomware)