For security reasons, admins who use Veritas Backup Exec to perform backups should update the application as soon as possible. Attackers are currently exploiting three vulnerabilities and can execute malicious code after successful attacks.
The vulnerabilities (CVE-2021-27876, CVE-2021-27877, CVE-2021-27878) are all classified at the threat level "high". Security updates in the form of Version 21.2 of Veritas Backup Exec have been available since March 2021. As Mandiant now explains in a report, a module tailored to exploiting the vulnerabilities has been available in the Metasploit tool collection for security researchers since September 2022. According to Mandiant, it observed the first attacks on Windows servers a month later.
The attackers are said to be targeting publicly accessible instances of Veritas Backup Exec. According to the security researchers, over 8500 installations can be reached via the Internet. Some of them are said to still be vulnerable; the researchers are not giving an exact number at the moment. It is also currently unknown to what extent the attacks are taking place.
Attackers could gain unauthorized access to instances due to flaws in SHA authentication. The researchers do not explain in detail how this is done.
Once inside a system, the attackers are said to use various tools such as ADRecon to collect network information for their further advance. Later in the intrusion they are said to capture credentials using Mimikatz, among other tools. In the end, according to Mandiant, they deploy the ALPHV ransomware, which encrypts data and demands a ransom.