
Veritas backup software attacked by ALPHV ransomware | iThome

by admin

Security vendors have disclosed that the well-known Veritas backup products were compromised last year by the ALPHV (also known as BlackCat) ransomware through exploitation of known vulnerabilities, and are reminding corporate users with exposed installations to apply the patches as soon as possible.

Last October, Google’s security subsidiary Mandiant discovered an attack targeting installations of the Veritas Backup Exec software. In September, the threat group tracked as UNC4466 used the Metasploit attack framework to abuse three vulnerabilities in Veritas backup software, CVE-2021-27876, CVE-2021-27877 and CVE-2021-27878, to break into a Windows server, and ultimately deployed the ALPHV ransomware.

ALPHV, also known as BlackCat, is a ransomware-as-a-service offering written in the Rust language. First discovered in November 2021, it is believed by researchers to be a successor to the Blackmatter and Darkside ransomware families, and its victims include video game developer Bandai Namco, among others.

After gaining access to the victim’s system, UNC4466 used the Windows Internet Explorer browser to download scanning software and other data collection tools. With these it gathered information about other servers (IP addresses, host names, operating systems and hardware details) and about the Active Directory environment (subnets and domains, password policies, computer and user account lists, etc.), and sent it to external servers in order to understand the victim’s environment. The attackers then downloaded a remote control tool and a credential collection tool, disabled the security software, and finally downloaded the ALPHV encryptor to encrypt the victim’s files for ransom.

These three vulnerabilities affect Veritas Backup Exec versions 16.x, 20.x and 21.x. Their CVSS 3.1 scores range from 8.2 to 8.8, which classifies them as high-severity vulnerabilities. Veritas released a security bulletin and a patched version, 21.2, in March 2021.


However, using a commercial internet-wide scanning service, Mandiant has so far found more than 8,500 servers whose IP addresses expose the Veritas Backup Exec ndmp service. The security vendor pointed out that because the software version of the exposed services is unknown, the scan results do not directly identify vulnerable systems, but they do show that a large number of installations may still be exposed.

The security vendor suggests that users examine the log files of the Windows version of Veritas Backup Exec; analysis of these logs can reveal whether the software has been used to connect to remote systems.
