Among the possible consequences of the attacks are infection with ransomware, data theft, and denial of service
Positive Technologies researcher, Nikita Petrov discovered three critical vulnerabilities in Veeam backup solutions that have all been patched by the vendor. Two affected Veeam Backup & Replication, a popular backup system for automating backup and disaster recovery, and another was identified in Veeam Agent for Microsoft Windows—Windows data backup software.
According to the vendor, Veeam solutions are used by about 400,000 customers from different countries, including 83% of organizations included in Fortune Global 500 and 69% of companies from Forbes Global 2000. Veeam occupies the largest market share in Europe, the Middle East, and Africa and ranks second in the global market. For the fifth year in a row, Veeam has been the leader in Gartner’s Magic Quadrant for Enterprise Backup and Recovery Software Solutions report.
«We believe that these vulnerabilities will be exploited in real attacks and will put many organizations at significant risk,» said Nikita Petrov. «That is why it is important to install updates as soon as possible or at least take measures to detect abnormal activity associated with these products.»
Both vulnerabilities (CVE-2022-26500, CVE-2022-26501) found in Veeam Backup & Replication allow an unauthorized attacker to perform Remote Code Execution (RCE). The vulnerable product versions are 9.5, 10, and 11.
These vulnerabilities can be used for a number of illegal actions:
- Gaining initial access. Attackers can gain persistence on the device to install malware or achieve other goals.
- Information disclosure. Vulnerabilities allow criminals to install malware to steal data or to directly execute commands that extract and delete data from the vulnerable device.
- Denial of service. Attackers may try to run code on the system hosting the vulnerable application and disrupt the operation of this or other applications.
- Encryption of infrastructure. RCE vulnerabilities can be used to deploy and run ransomware on the vulnerable device.
In turn, vulnerability CVE-2022-26503 in Veeam Agent for Microsoft Windows allows attackers to execute arbitrary code on the node with maximum rights (Local Privilege Escalation) and gain access to the resources of the compromised node with maximum privileges. The information stored on a personal computer or server may be highly valuable to attackers and used to plan and conduct future attacks. In case of further compromise of the domain account, attackers can gain access to information located on the local network. The vulnerability affects product versions 2.0, 2.1, 2.2, 3.0.2, 4.0, and 5.0.
Positive Technologies experts recommend to immediately install the security updates released by Veeam for affected products: 11a (build 188.8.131.521 P20220302) and 10a (build 10.0.1.4854 P20220304) for Veeam Backup & Replication, as well as 5 (build 184.108.40.20608) and 4 (build 220.127.116.118) for Veeam Agent for Microsoft Windows.
If installing security updates is not possible, Positive Technologies recommends carefully monitoring abnormal activity in relation to nodes with vulnerable products—in particular, checking event logs for the creation of new privileged user accounts and access to sensitive files.