ALPHV ransomware exploits Veritas Backup Exec bugs for initial access

Gandalf_The_Grey

Level 78
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,738
An ALPHV/BlackCat ransomware affiliate was observed exploiting three vulnerabilities impacting the Veritas Backup product for initial access to the target network.

The ALPHV ransomware operation emerged in December 2021 and is considered to be run by former members of the Darkside and Blackmatter programs that shut down abruptly to escape law enforcement pressure.

Mandiant tracks the ALPHV affiliate as 'UNC4466' and notes that the method is a deviation from the typical intrusion that relies on stolen credentials.

Mandiant reports that it observed the first cases of Veritas flaws exploitation in the wild on October 22, 2022. The high-severity flaws targeted by UNC4466 are:
  • CVE-2021-27876: Arbitrary file access flaw caused by an error in the SHA authentication scheme, allowing a remote attacker to gain unauthorized access to vulnerable endpoints. (CVSS score: 8.1)
  • CVE-2021-27877: Remote unauthorized access and privileged command execution to the BE Agent via SHA authentication. (CVSS score: 8.2)
  • CVE-2021-27878: Arbitrary command execution flaw result of an error in the SHA authentication scheme, allowing a remote attacker to gain unauthorized access to vulnerable endpoints. (CVSS score: 8.8)
All three flaws impact the Veritas Backup software. The vendor disclosed them in March 2021 and released a fix with version 21.2. However, despite over two years having passed since then, many endpoints remain vulnerable as they have not updated to a safe version.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top