An ALPHV/BlackCat ransomware affiliate has been observed exploiting three vulnerabilities in the Veritas Backup Exec product to gain initial access to target networks.
The ALPHV ransomware operation was born in December 2021 and is believed to be run by former members of the Darkside and Blackmatter programs who shut down abruptly to escape pressure from law enforcement.
Mandiant tracks this ALPHV affiliate as “UNC4466” and notes that this entry method deviates from the group’s typical intrusions, which rely on stolen credentials.
Mandiant reports observing the first instances of Veritas exploits in the wild on October 22, 2022. The high-severity flaws targeted by UNC4466 are:
- CVE-2021-27876: Arbitrary File Access flaw caused by an error in the SHA authentication scheme, allowing a remote attacker to gain unauthorized access to vulnerable endpoints. (CVSS rating: 8.1)
- CVE-2021-27877: Unauthorized remote access and execution of privileged commands to the BE Agent via SHA authentication. (CVSS rating: 8.2)
- CVE-2021-27878: Arbitrary command execution flaw resulting from an error in the SHA authentication scheme, allowing a remote attacker to gain unauthorized access to vulnerable endpoints. (CVSS rating: 8.8)
The three flaws affect Veritas Backup Exec. The vendor disclosed them in March 2021 and released a patch in version 21.2. Although more than two years have passed since then, many endpoints remain vulnerable because they have not been updated to a patched version.
Mandiant reports that a commercial scanning service shows over 8,500 IP addresses on the public internet advertising the “Symantec/Veritas Backup Exec ndmp” service on the default port 10000 and on ports 9000 and 10001.
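The two facts above, the fixed version (21.2) and the exposed NDMP ports (10000, 9000, 10001), are what a defender needs to triage their own Backup Exec estate. The following script is an added example, not code from the article, Mandiant or Veritas; it assumes an inventory produced by the reader’s own asset tooling, and `SAMPLE_HOSTS` is constructed data.

```python
"""Triage a Backup Exec inventory against the fixed version and the exposed NDMP ports.

Added example, not the article's or Veritas' code. It assumes an inventory
produced by the reader's own asset tooling; SAMPLE_HOSTS is constructed data.
"""
from __future__ import annotations
from dataclasses import dataclass

FIXED_VERSION = "21.2"               # fix version named in the article
NDMP_PORTS = {10000, 9000, 10001}     # ports on which the exposed service was observed


@dataclass(frozen=True)
class Host:
    name: str
    version: str                # Backup Exec version string reported by the install
    open_ports: frozenset[int]  # ports reachable from the internet per an external scan


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '21.1.1200.1700' into (21, 1, 1200, 1700); parsing stops at a non-numeric part."""
    parts: list[int] = []
    for piece in version.strip().split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    if not parts:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(parts)


def is_vulnerable(version: str) -> bool:
    """True when the installed build is older than the fixed release.

    Tuple comparison handles differing lengths: (21, 2, 1200) is not below (21, 2),
    so any 21.2 build counts as fixed, while (21, 1, 1200) is.
    """
    return parse_version(version) < parse_version(FIXED_VERSION)


def triage(hosts: list[Host]) -> list[dict]:
    """Rank hosts: vulnerable and exposed first, then vulnerable, then merely exposed."""
    findings = []
    for h in hosts:
        vulnerable = is_vulnerable(h.version)
        exposed = sorted(set(h.open_ports) & NDMP_PORTS)
        if vulnerable and exposed:
            severity = "critical"   # reachable from the internet on a known port, and unpatched
        elif vulnerable:
            severity = "high"       # unpatched, but not directly reachable
        elif exposed:
            severity = "info"       # patched, but the service need not face the internet at all
        else:
            continue
        findings.append({"host": h.name, "severity": severity,
                         "version": h.version, "exposed_ports": exposed})
    order = {"critical": 0, "high": 1, "info": 2}
    return sorted(findings, key=lambda f: order[f["severity"]])


# Constructed sample inventory (hypothetical hosts and version strings).
SAMPLE_HOSTS = [
    Host("bkp-01", "21.1.1200.1700", frozenset({10000, 3389})),
    Host("bkp-02", "21.2.1200.1700", frozenset({10000})),
    Host("bkp-03", "20.0", frozenset()),
    Host("bkp-04", "21.3", frozenset({443})),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_HOSTS):
        print(finding)
```

The version parser deliberately compares numeric components as tuples rather than as strings, so that a four-part build number such as 21.2.1200.1700 is correctly recognised as fixed and 21.10 would sort above 21.2.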
A Metasploit module exploiting these vulnerabilities was made public on September 23, 2022. The code allows attackers to create a session and interact with compromised endpoints.
According to Mandiant, UNC4466 started using this module a month after it became available.
According to Mandiant’s observations, UNC4466 compromises an Internet-facing Windows server running Veritas Backup Exec using the publicly available Metasploit module and maintains persistent access to the host.
After the initial compromise, the threat actor used the Advanced IP Scanner and ADRecon utilities to gather information about the victim’s environment.
They then uploaded additional tools to the host, such as LAZAGNE, LIGOLO, WINSW and RCLONE, and finally the ALPHV ransomware encryptor, via the Background Intelligent Transfer Service (BITS).
The threat actor used SOCKS5 tunneling to communicate with the command and control server (C2).
Researchers explain that UNC4466 used BITS transfers to download SOCKS5 tunneling tools and deployed the ransomware payload by adding immediate tasks to the default domain policy, disabling security software, and running the encryptor.
To elevate privileges, UNC4466 uses Mimikatz, LaZagne, and Nanodump to steal valid user credentials.
Finally, the threat actor evades detection by clearing event logs and disabling Microsoft Defender’s real-time monitoring capability.
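The chain described in the last few paragraphs (BITS downloads, immediate scheduled tasks pushed through group policy, Defender real-time protection switched off, event logs cleared) leaves a recognisable trail in standard Windows event channels. The following correlation rule is an added example, not code from the article or from Mandiant’s report; the event IDs are standard Windows ones (BITS-Client 59, Security 4698 and 1102, System 104, Defender 5001), while the hosts, timestamps and URLs are constructed sample data.

```python
"""Correlate Windows events matching the post-exploitation chain described in the article.

Added example, not from the article or Mandiant. Channel/event ID pairs are standard
Windows events; SAMPLE_EVENTS is constructed data (hypothetical hosts, times, URLs).
"""
from __future__ import annotations
from collections import defaultdict
from datetime import datetime, timedelta

# (channel, event_id) -> behaviour label.
RULES = {
    ("Microsoft-Windows-Bits-Client/Operational", 59): "bits_transfer",          # BITS job started
    ("Security", 4698): "scheduled_task_created",                                # task registered on the host
    ("Microsoft-Windows-Windows Defender/Operational", 5001): "defender_rtp_disabled",
    ("Security", 1102): "security_log_cleared",
    ("System", 104): "system_log_cleared",
}


def classify(event: dict) -> str | None:
    """Map a single event record to a behaviour label, or None if it is not of interest."""
    return RULES.get((event["channel"], event["event_id"]))


def correlate(events: list[dict], window: timedelta = timedelta(minutes=30)) -> dict[str, set[str]]:
    """Return {host: labels} for hosts showing two or more distinct behaviours within `window`.

    A single BITS download or a single task creation is routine; it is the
    combination on one host in a short period that matches the described tradecraft.
    """
    by_host: dict[str, list[tuple[datetime, str]]] = defaultdict(list)
    for ev in events:
        label = classify(ev)
        if label:
            by_host[ev["host"]].append((datetime.fromisoformat(ev["time"]), label))

    findings: dict[str, set[str]] = {}
    for host, hits in by_host.items():
        hits.sort()
        best: set[str] = set()
        # Slide the window start over each hit and keep the richest set of behaviours.
        for i, (start, _) in enumerate(hits):
            labels = {lbl for t, lbl in hits[i:] if t - start <= window}
            if len(labels) > len(best):
                best = labels
        if len(best) >= 2:
            findings[host] = best
    return findings


# Constructed sample events. 203.0.113.10 is a documentation-range address, not a real C2.
SAMPLE_EVENTS = [
    {"host": "WS-01", "time": "2023-03-01T10:00:00", "channel": "Microsoft-Windows-Bits-Client/Operational",
     "event_id": 59, "data": {"url": "http://203.0.113.10/agent.exe"}},
    {"host": "WS-01", "time": "2023-03-01T10:05:00", "channel": "Security",
     "event_id": 4698, "data": {"TaskName": "\\example-immediate-task"}},
    {"host": "WS-01", "time": "2023-03-01T10:07:00", "channel": "Microsoft-Windows-Windows Defender/Operational",
     "event_id": 5001, "data": {}},
    {"host": "WS-01", "time": "2023-03-01T10:08:00", "channel": "Security", "event_id": 1102, "data": {}},
    # WS-02: one routine BITS transfer only -> no finding.
    {"host": "WS-02", "time": "2023-03-01T11:00:00", "channel": "Microsoft-Windows-Bits-Client/Operational",
     "event_id": 59, "data": {"url": "https://updates.example.internal/patch.msi"}},
    # WS-03: two behaviours, but three hours apart -> outside the window, no finding.
    {"host": "WS-03", "time": "2023-03-01T09:00:00", "channel": "Microsoft-Windows-Bits-Client/Operational",
     "event_id": 59, "data": {"url": "https://updates.example.internal/patch.msi"}},
    {"host": "WS-03", "time": "2023-03-01T12:00:00", "channel": "Security", "event_id": 1102, "data": {}},
    # Unrelated logon event, ignored by the rules.
    {"host": "WS-01", "time": "2023-03-01T10:01:00", "channel": "Security", "event_id": 4624, "data": {}},
]

if __name__ == "__main__":
    for host, labels in correlate(SAMPLE_EVENTS).items():
        print(host, sorted(labels))
```

The window is the tunable part: too short and a slow operator splits the chain across alerts, too long and routine BITS jobs and GPO task refreshes start clustering with unrelated log maintenance. Audit policy matters too, since Security 4698 only appears when object-access auditing for scheduled tasks is enabled, so check the events actually arrive before relying on the rule.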
Mandiant’s report provides guidance that defenders can follow to detect UNC4466 attacks in a timely manner and mitigate them before the ALPHV payload is executed on their systems.