Security company CloudSEK revealed three critical vulnerabilities in Veeam Backup & Replication, one of the most popular backup solutions. The vulnerabilities have been exploited by multiple cybercriminals.

Organizations that use the most recent version of Backup & Replication are safe. Veeam fixed the vulnerabilities in November 2021 with version 11.0.1.1261. The details were kept secret at the time to prevent cybercriminals from exploiting the information to attack users with outdated software versions.

The latter remains a risk to this day, as some users still aren’t up-to-date. Nevertheless, CloudSEK — the security firm that discovered the vulnerabilities — considers the situation safe enough to disclose the details. On October 24, the security firm published a report on three critical vulnerabilities in Veeam Backup & Replication.

Three vulnerabilities

Two of the vulnerabilities (CVE-2022-26500 and CVE-2022-26501) allow cybercriminals to remotely execute code. Attackers don’t require login credentials to get in. Hence, the vulnerabilities received a rare CVSS score of 9.8.

The third vulnerability (CVE-2022-26504) also allows remote code execution. Attackers require domain credentials to abuse the vulnerability. Hence, the vulnerability received a lower CVSS score of 8.8.

In practice

Veeam Backup & Replication is one of the most popular backup solutions today. Although security researchers regularly find vulnerabilities in popular software products, actively exploited vulnerabilities are rare. The vulnerabilities in Veeam Backup & Replication have been exploited by cybercriminals on numerous occasions.

CloudSEK’s researchers found multiple advertisements in which cybercriminals offered to attack Veeam Backup & Replication users with specialized tools. In addition, the researchers located a GitHub repository containing scripts for decrypting Veeam passwords.

According to the researchers, the scripts are related to the vulnerabilities. Among other things, cybercriminals can exploit the vulnerabilities to steal the login databases of Veeam Backup & Replication users. The databases are encrypted. The scripts were developed to bypass Veeam’s encryption.

In addition, researchers suspect that the vulnerabilities were exploited by two ransomware groups: Monti and Yanluowang. Both groups have used ‘Veeamp’ in the past, a malware variant that moves a victim’s usernames and passwords to a remote SQL database en masse. Monti and Yanluowang may have developed the malware variant to exploit the vulnerabilities.

Mitigation

As mentioned earlier, Veeam fixed the vulnerabilities with software version 11.0.1.1261 in November 2021. Every new version has been secure since. The information in CloudSEK’s report is useful to cybercriminals. Hackers can follow the report as a guide to attack organizations with outdated versions. If your organization uses a vulnerable version, it’s important to update as soon as possible.

Tip: N-able’s Cove Data Protection aims to compete with Veeam, Datto and Commvault Metallic