Gandalf_The_Grey
An ALPHV/BlackCat ransomware affiliate was observed exploiting three vulnerabilities impacting the Veritas Backup product for initial access to the target network.
The ALPHV ransomware operation emerged in December 2021 and is considered to be run by former members of the Darkside and Blackmatter programs that shut down abruptly to escape law enforcement pressure.
Mandiant tracks the ALPHV affiliate as 'UNC4466' and notes that the method is a deviation from the typical intrusion that relies on stolen credentials.
Mandiant reports that it observed the first cases of in-the-wild exploitation of the Veritas flaws on October 22, 2022. The high-severity flaws targeted by UNC4466 are:
- CVE-2021-27876: Arbitrary file access flaw caused by an error in the SHA authentication scheme, allowing a remote attacker to gain unauthorized access to vulnerable endpoints. (CVSS score: 8.1)
- CVE-2021-27877: Remote unauthorized access and privileged command execution to the BE Agent via SHA authentication. (CVSS score: 8.2)
- CVE-2021-27878: Arbitrary command execution flaw resulting from an error in the SHA authentication scheme, allowing a remote attacker to gain unauthorized access to vulnerable endpoints. (CVSS score: 8.8)
All three flaws impact the Veritas Backup software. The vendor disclosed them in March 2021 and released a fix with version 21.2. However, despite over two years having passed since then, many endpoints remain vulnerable because they have not been updated to a safe version.
Source: "ALPHV ransomware exploits Veritas Backup Exec bugs for initial access" (www.bleepingcomputer.com)