Multiple RCE Vulnerabilities Affecting Veeam Backup & Replication

Several critical and high-severity vulnerabilities affecting Veeam Backup & Replication are being exploited, with threat actors advertising fully weaponized tools for remote code execution.
Updated on
February 27, 2023
Published on
October 24, 2022
Read time
5
Category: Vulnerability Intelligence
Vulnerability Class: Remote Code Execution
CVE ID: CVE-2022-26500, CVE-2022-26501, CVE-2022-26504
CVSS:3.0 Score: 8.8 to 9.8

Executive Summary

Threat
  • Several critical and high-severity vulnerabilities affecting Veeam Backup & Replication are being exploited, with threat actors advertising fully weaponized tools for remote code execution.
Impact
  • Threat actors can exploit the vulnerabilities to:
    • Gain initial access
    • Disclose sensitive information
    • Perform DDoS attacks
    • Encrypt the infrastructure with malware
    • Gain privileges and execute arbitrary code remotely
Mitigation
  • Upgrade to 11.0.1.1261 P20220302

Analysis and Attribution

  • CloudSEK’s contextual AI digital risk platform XVigil has analyzed several critical and high-severity vulnerabilities affecting Veeam Backup & Replication.
  • Several threat actors were seen advertising the fully weaponized tool for remote code execution to exploit the following vulnerabilities affecting Veeam Backup & Replication:
    • CVE-2022-26500 and CVE-2022-26501 with a CVSS V3 score of 9.8
    • CVE-2022-26504 with a CVSS V3 score of 8.8
  • A successful exploitation of the above-mentioned CVEs can lead to:
    • Copying files within the local system or from a remote SMB share
    • RCE without authorization ('Network Service' rights)
    • RCE/LPE without authorization ('Local System' rights)
[Figure: Veeam Backup & Replication]

What is Veeam Backup & Replication?

  • Veeam Backup & Replication is a proprietary backup app for virtual environments built on VMware vSphere, Nutanix AHV, and Microsoft Hyper-V hypervisors.
  • In addition to backing up and recovering VMs, it can protect and restore individual files and applications for environments such as Exchange and SharePoint.

CVEs Exploited By Threat Actors

CVE-2022-26500, CVE-2022-26501

  • Remote Code Execution vulnerability in Veeam Distribution Service
  • The Veeam distribution service, which uses TCP 9380 with default settings, allows threat actors who are not authenticated to access internal API functions.
  • This component allows threat actors to execute malicious code remotely without authentication.

CVE-2022-26504

  • Remote Code Execution vulnerability in Veeam Backup PSManager
  • The Veeam.Backup.PSManager.exe process, which listens on TCP 8732 with default settings, allows threat actors who are not administrators to authenticate using domain credentials.
  • This vulnerability allows an attacker holding domain credentials to execute malicious code remotely through the vulnerable component and take control of the system.
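The two CVE sections above name the vulnerable components and their default listener ports (TCP 9380 and TCP 8732), and the executive summary names the fixed release (11.0.1.1261 P20220302). The script below is an added example, not CloudSEK's or Veeam's code: it takes a constructed inventory of backup servers (hypothetical host names, builds and patch tags) and reports which hosts still need the upgrade and which of the two components are listening on their default ports. It assumes each inventory record carries the installed build as a four-part string and the cumulative patch tag as "PYYYYMMDD" (or None when none is applied); anything below the fixed build, or the fixed build without that patch, is treated as needing the upgrade.

```python
"""Flag Veeam Backup & Replication hosts that are below the fixed release.

Added example (not CloudSEK's or Veeam's code). The inventory records are
constructed; the fixed build, patch tag and default ports come from the advisory.
"""
import re

# Fixed release named in the advisory: build 11.0.1.1261 with patch P20220302.
FIXED_BUILD = (11, 0, 1, 1261)
FIXED_PATCH = 20220302

# Default listener ports named in the advisory for the two vulnerable components.
DEFAULT_PORTS = {
    9380: "Veeam Distribution Service",
    8732: "Veeam.Backup.PSManager.exe",
}


def parse_build(build: str) -> tuple:
    """Turn '11.0.1.1261' into a comparable tuple of ints."""
    parts = build.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Veeam build string: {build!r}")
    return tuple(int(p) for p in parts)


def parse_patch(patch) -> int:
    """Return the numeric date of a 'PYYYYMMDD' tag, or 0 when no patch is applied."""
    if not patch:
        return 0
    m = re.fullmatch(r"P(\d{8})", patch.strip())
    if not m:
        raise ValueError(f"unrecognised patch tag: {patch!r}")
    return int(m.group(1))


def is_fixed(build: str, patch=None) -> bool:
    """True when the host is at or above 11.0.1.1261 P20220302."""
    b, p = parse_build(build), parse_patch(patch)
    if b != FIXED_BUILD:
        return b > FIXED_BUILD
    return p >= FIXED_PATCH


def assess(hosts):
    """Per host: does it need the upgrade, and which default ports are exposed?"""
    findings = []
    for h in hosts:
        exposed = [DEFAULT_PORTS[port] for port in h.get("listening", [])
                   if port in DEFAULT_PORTS]
        findings.append({
            "host": h["host"],
            "needs_upgrade": not is_fixed(h["build"], h.get("patch")),
            "exposed_components": exposed,
        })
    return findings


# Constructed inventory (hypothetical hosts; builds other than the fixed one are made up).
SAMPLE_HOSTS = [
    {"host": "vbr-01", "build": "11.0.1.1261", "patch": None, "listening": [9380, 8732, 3389]},
    {"host": "vbr-02", "build": "11.0.1.1261", "patch": "P20220302", "listening": [9380]},
    {"host": "vbr-03", "build": "10.0.1.4000", "patch": "P20210101", "listening": [8732]},
    {"host": "vbr-04", "build": "11.0.1.1261", "patch": "P20221201", "listening": []},
]

if __name__ == "__main__":
    for finding in assess(SAMPLE_HOSTS):
        print(finding)
```

An open default port on a host that is already at the fixed release is not a finding in itself; the port list is there so that a host that is both unpatched and reachable on 9380 or 8732 is prioritised over one that is merely unpatched.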

Information from OSINT

CloudSEK researchers were able to find a GitHub repository named “veeam-creds” with the following specifications:
  • It contained scripts for recovering passwords from the Veeam Backup and Replication credential manager.
  • The repository had the following 3 files:
    • Veeam-Get-Creds.ps1 - PowerShell script for retrieving and decrypting accounts directly from Veeam's database.
    • VeeamGetCreds.yaml - PowerShell Empire module with an adapted Veeam-Get-Creds.ps1 script.
    • Veampot.py - Python script that emulates vSphere responses to retrieve stored credentials from Veeam.

Possible Ransomware Affiliations

  • A malware named “Veeamp” was found in the wild being used by the following two ransomware groups to dump credentials from the SQL database of the Veeam backup management software.
    • Monti Ransomware
    • Yanluowang Ransomware
  • The malware file is a 32-bit .NET binary that, on launch, attempts to connect to a SQL database named VeeamBackup and runs the following query:
    select [user_name],[password],[description] FROM [VeeamBackup].[dbo].[Credentials]
  • The credential dumper, named “Veeamp.exe”, prints the following in order after successful decryption:
    • Username
    • Encrypted Password
    • Decrypted Password
    • Description

Indicators of Compromise (IoCs)

Based on the results from VirusTotal, the following are the IoCs for Veeamp.
Hashes (SHA-256)
  • 9aa1f37517458d635eae4f9b43cb4770880ea0ee171e7e4ad155bbdee0cbe732
  • df492b4cc7f644ad3e795155926d1fc8ece7327c0c5c8ea45561f24f5110ce54
  • 78517fb07ee5292da627c234b26b555413a459f8d7a9641e4a9fcc1099f06a3d
File names
  • veeamp.exe
  • vp.exe
  • 9aa1.exe
  • o_vp.exe
IP Address
  • 13.107.4.52
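The Veeamp description above gives a behavioural indicator (a direct read of [VeeamBackup].[dbo].[Credentials]) and the IoC section gives atomic indicators (hashes, file names, one IP address). The script below is an added example, not CloudSEK's code, that runs both kinds of indicator over constructed telemetry: a process list with SHA-256 hashes, SQL Server audit rows, and outbound connection records. The record layout (fields such as client_program and dst_ip) and the list of client programs expected to read the Credentials table are assumptions to be adapted to the deployment; the indicator values themselves are the ones listed on this page.

```python
"""Match host and database telemetry against the Veeamp indicators in the advisory.

Added example (not CloudSEK's code). Indicator values come from the advisory;
the telemetry records and the expected-client list below are constructed.
"""
import re

IOC_HASHES = {
    "9aa1f37517458d635eae4f9b43cb4770880ea0ee171e7e4ad155bbdee0cbe732",
    "df492b4cc7f644ad3e795155926d1fc8ece7327c0c5c8ea45561f24f5110ce54",
    "78517fb07ee5292da627c234b26b555413a459f8d7a9641e4a9fcc1099f06a3d",
}
IOC_NAMES = {"veeamp.exe", "vp.exe", "9aa1.exe", "o_vp.exe"}
IOC_IPS = {"13.107.4.52"}

# The credential-dump query attributed to Veeamp, written as a whitespace- and
# case-tolerant pattern so minor reformatting by the attacker does not evade it.
CRED_QUERY = re.compile(
    r"select\s+\[user_name\]\s*,\s*\[password\]\s*,\s*\[description\]\s+from\s+"
    r"\[veeambackup\]\.\[dbo\]\.\[credentials\]",
    re.IGNORECASE,
)

# Assumption: client programs that legitimately read the Credentials table.
# Tune this to what your own SQL audit shows for a healthy Veeam server.
EXPECTED_SQL_CLIENTS = {"veeam.backup.service.exe", "veeam.backup.manager.exe"}


def check_process(proc):
    """Return which atomic indicators a process record matches ('hash', 'name')."""
    hits = []
    if proc["sha256"].lower() in IOC_HASHES:
        hits.append("hash")
    if proc["name"].lower() in IOC_NAMES:
        hits.append("name")
    return hits


def check_sql_event(evt):
    """Flag a read of the Credentials table issued by an unexpected client program."""
    if not CRED_QUERY.search(evt["statement"]):
        return False
    return evt["client_program"].lower() not in EXPECTED_SQL_CLIENTS


def check_connection(conn):
    return conn["dst_ip"] in IOC_IPS


def triage(processes, sql_events, connections):
    """Collect (source, subject, reason) alerts across all three telemetry feeds."""
    alerts = []
    for p in processes:
        hits = check_process(p)
        if hits:
            alerts.append(("process", p["name"], ",".join(hits)))
    for e in sql_events:
        if check_sql_event(e):
            alerts.append(("sql", e["client_program"], "credentials-table-read"))
    for c in connections:
        if check_connection(c):
            alerts.append(("network", c["dst_ip"], "ioc-ip"))
    return alerts


# Constructed telemetry (not real captures). Hash values other than the IoCs are filler.
SAMPLE_PROCESSES = [
    {"name": "Veeam.Backup.Service.exe", "sha256": "0" * 64},
    {"name": "updater.exe", "sha256": "9aa1f37517458d635eae4f9b43cb4770880ea0ee171e7e4ad155bbdee0cbe732"},
    {"name": "vp.exe", "sha256": "1" * 64},
]
SAMPLE_SQL_EVENTS = [
    {"database": "VeeamBackup", "client_program": "Veeam.Backup.Service.exe",
     "statement": "SELECT [user_name],[password],[description] FROM [VeeamBackup].[dbo].[Credentials]"},
    {"database": "VeeamBackup", "client_program": "vp.exe",
     "statement": "select [user_name],[password],[description] FROM [VeeamBackup].[dbo].[Credentials]"},
    {"database": "VeeamBackup", "client_program": "sqlcmd.exe",
     "statement": "SELECT COUNT(*) FROM [VeeamBackup].[dbo].[Backups]"},
]
SAMPLE_CONNECTIONS = [
    {"src": "vbr-01", "dst_ip": "10.0.0.5", "dst_port": 445},
    {"src": "vbr-01", "dst_ip": "13.107.4.52", "dst_port": 80},
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_PROCESSES, SAMPLE_SQL_EVENTS, SAMPLE_CONNECTIONS):
        print(alert)
```

The behavioural check is the durable one: a renamed or recompiled dumper defeats the hash and file-name lists, but it still has to read the same table to get the credentials. A single IP address is the weakest indicator on the page and should be validated against your own telemetry before it drives any blocking.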

Appendix

[Figure: Veeam Backup & Replication Functionalities]
[Figure: RCE Execution]
