Category: Vulnerability Intelligence
Vulnerability Class: Remote Code Execution
CVE ID: CVE-2022-26500, CVE-2022-26501, CVE-2022-26504
CVSS:3.0 Score: 8.8 to 9.8
Executive Summary
THREAT
- Several critical and high-severity vulnerabilities affecting Veeam Backup & Replication are being exploited, and threat actors are advertising fully weaponized tools that achieve remote code execution through them.
IMPACT
- Threat actors can exploit the vulnerabilities to:
  - Gain initial access
  - Disclose sensitive information
  - Perform DDoS attacks
  - Encrypt the infrastructure with malware
  - Gain privileges and execute arbitrary code remotely
MITIGATION
- Upgrade to 11.0.1.1261 P20220302
Analysis and Attribution
- CloudSEK’s contextual AI digital risk platform XVigil has analyzed several critical and high-severity vulnerabilities affecting Veeam Backup & Replication.
- Several threat actors were seen advertising a fully weaponized remote code execution tool that exploits the following vulnerabilities in Veeam Backup & Replication:
  - CVE-2022-26500 and CVE-2022-26501, with a CVSS v3 score of 9.8
  - CVE-2022-26504, with a CVSS v3 score of 8.8
- Successful exploitation of the above-mentioned CVEs can lead to:
  - Copying files locally or from a remote SMB network share
  - RCE without authorization ('Network Service' rights)
  - RCE/LPE without authorization ('Local System' rights)
Figure: Veeam Backup & Replication
What is Veeam Backup & Replication?
- Veeam Backup & Replication is a proprietary backup app for virtual environments built on VMware vSphere, Nutanix AHV, and Microsoft Hyper-V hypervisors.
- In addition to backing up and recovering VMs, it can protect and restore individual files and applications for environments such as Exchange and SharePoint.
CVEs Exploited By Threat Actors
CVE-2022-26500, CVE-2022-26501
- Remote Code Execution vulnerability in the Veeam Distribution Service
- The Veeam Distribution Service, which listens on TCP 9380 with default settings, allows unauthenticated threat actors to access internal API functions.
- Through this component, threat actors can execute malicious code remotely without authentication.
CVE-2022-26504
- Remote Code Execution vulnerability in Veeam Backup PSManager
- The Veeam.Backup.PSManager.exe process, which listens on TCP 8732 with default settings, allows non-administrator threat actors to authenticate using domain credentials.
- This vulnerability allows domain-authenticated attackers to execute malicious code remotely by attacking the vulnerable component, leading to control of the system.
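The two facts a defender needs from the section above are the fixed build named in the mitigation (11.0.1.1261 P20220302) and the default ports of the two affected services (TCP 9380 and TCP 8732). The following is an added example, not code from the advisory or from Veeam, that turns them into a host triage routine: it parses a Veeam build string including its cumulative patch suffix, compares it against the fixed build, and reports which affected services a host is listening on according to its own socket inventory. The function names, the "unknown" verdict for major versions the advisory does not cover, and the sample inputs are assumptions made for this example.

```python
"""Triage a Veeam Backup & Replication host against the fixed build and the
default service ports given in the advisory (added example, not Veeam tooling)."""
import re
from typing import Dict, Iterable, Tuple

# Fixed build from the advisory's mitigation: base version plus a cumulative
# patch identifier of the form P<YYYYMMDD>.
FIXED_BUILD = "11.0.1.1261 P20220302"

# Default listening ports of the affected components, as stated in the advisory.
AFFECTED_PORTS: Dict[int, str] = {
    9380: "Veeam Distribution Service (CVE-2022-26500, CVE-2022-26501)",
    8732: "Veeam.Backup.PSManager.exe (CVE-2022-26504)",
}

_BUILD_RE = re.compile(r"^\s*(\d+(?:\.\d+){1,3})(?:\s+P(\d{8}))?\s*$")


def parse_build(build: str) -> Tuple[Tuple[int, ...], int]:
    """Split '11.0.1.1261 P20220302' into ((11, 0, 1, 1261), 20220302).
    A build without a patch suffix gets patch level 0 so it sorts first."""
    m = _BUILD_RE.match(build)
    if not m:
        raise ValueError(f"unrecognised Veeam build string: {build!r}")
    version = tuple(int(part) for part in m.group(1).split("."))
    patch = int(m.group(2)) if m.group(2) else 0
    return version, patch


def assess_build(build: str) -> str:
    """Return 'patched', 'vulnerable', or 'unknown'. 'unknown' (an assumption of
    this example) covers major versions for which the advisory names no fixed
    build; it only lists the v11 build."""
    version, patch = parse_build(build)
    fixed_version, fixed_patch = parse_build(FIXED_BUILD)
    if version[0] != fixed_version[0]:
        return "unknown"
    # Tuple comparison is lexicographic: a newer base version wins regardless
    # of patch level; equal base versions are decided by the patch date.
    return "patched" if (version, patch) >= (fixed_version, fixed_patch) else "vulnerable"


def triage_host(build: str, listening_ports: Iterable[int]) -> Dict[str, object]:
    """Combine the build verdict with the affected services found listening on
    their default ports, as reported by the host's own socket inventory."""
    exposed = {p: AFFECTED_PORTS[p] for p in listening_ports if p in AFFECTED_PORTS}
    return {"build": build, "status": assess_build(build), "exposed_services": exposed}


if __name__ == "__main__":
    # Constructed input: an unpatched v11 host with both services listening.
    print(triage_host("11.0.1.1261", [135, 445, 8732, 9380]))
```

A build with a later base version (for example 11.0.1.1300 with no patch suffix) is treated as patched because the base version outranks the patch date; a build that differs only in the missing P20220302 suffix is flagged as vulnerable, which is the case most likely to be missed by eyeballing the version dialog.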
Information from OSINT
CloudSEK researchers were able to find a GitHub repository named “veeam-creds” with the following specifications:
- It contained scripts for recovering passwords from the Veeam Backup and Replication credential manager.
- The repository had the following 3 files:
  - Veeam-Get-Creds.ps1 - PowerShell script for getting and decrypting accounts directly from Veeam's database.
  - VeeamGetCreds.yaml - PowerShell Empire module with the adapted Veeam-Get-Creds.ps1 script.
  - Veampot.py - Python script to emulate vSphere responses to retrieve stored credentials from Veeam.
Possible Ransomware Affiliations
- A malware named “Veeamp” was found in the wild being used by the following two ransomware groups to dump credentials from the SQL database of the Veeam backup management software:
  - Monti Ransomware
  - Yanluowang Ransomware
- The malware file is a 32-bit .NET binary that, upon launch, attempts to connect to a SQL database named VeeamBackup and runs the following command:
  select [user_name],[password],[description] FROM [VeeamBackup].[dbo].[Credentials]
- After successful decryption, the credential dumper named “Veeamp.exe” prints the following, in order:
  - Username
  - Encrypted Password
  - Decrypted Password
  - Description
Indicators of Compromise (IoCs)
Based on the results from VirusTotal, the following are the IoCs for Veeamp.
Hashes
- 9aa1f37517458d635eae4f9b43cb4770880ea0ee171e7e4ad155bbdee0cbe732
- Df492b4cc7f644ad3e795155926d1fc8ece7327c0c5c8ea45561f24f5110ce54
- 78517fb07ee5292da627c234b26b555413a459f8d7a9641e4a9fcc1099f06a3d
Names
- veeamp.exe
- vp.exe
- 9aa1.exe
- o_vp.exe
IP Address
- 13.107.4.52
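The following is an added example, not code from the advisory or from CloudSEK, that applies the Veeamp indicators above and the credential-table query from the ransomware section as detection logic. It matches file inventory records (path plus SHA256, as an EDR or file-integrity tool would export them) against the hash and name indicators, and scans SQL audit lines for statements that read the Credentials table. Two details matter in practice and are handled here: hashes are compared case-insensitively, because the second hash on the page is written with a capital first letter and a byte-for-byte comparison would miss it, and a filename-only match is reported at low confidence since the names are trivially renamed. The IP address is deliberately not matched; a credential dumper that talks to a local SQL database has no need of a network indicator, so a sandbox-derived IP should be validated before it is used for blocking. The function names and all sample records and log lines are constructed for this example.

```python
"""Match host inventory records and SQL audit lines against the Veeamp
indicators in the advisory (added example, not CloudSEK tooling)."""
import hashlib
import re
from typing import Dict, Iterable, List

# Indicators taken from the advisory's IoC table, normalised to lowercase
# because one hash is listed with mixed case on the page.
VEEAMP_SHA256 = {h.lower() for h in (
    "9aa1f37517458d635eae4f9b43cb4770880ea0ee171e7e4ad155bbdee0cbe732",
    "Df492b4cc7f644ad3e795155926d1fc8ece7327c0c5c8ea45561f24f5110ce54",
    "78517fb07ee5292da627c234b26b555413a459f8d7a9641e4a9fcc1099f06a3d",
)}
VEEAMP_NAMES = {"veeamp.exe", "vp.exe", "9aa1.exe", "o_vp.exe"}

# The table Veeamp queries; brackets, case and spacing differ between audit
# sources, so the pattern tolerates all three.
CRED_TABLE_RE = re.compile(
    r"\[?\s*veeambackup\s*\]?\s*\.\s*\[?\s*dbo\s*\]?\s*\.\s*\[?\s*credentials\s*\]?",
    re.I,
)


def sha256_hex(data: bytes) -> str:
    """SHA256 of file content, in the lowercase hex form the indicators use."""
    return hashlib.sha256(data).hexdigest()


def classify_file(path: str, sha256: str) -> List[str]:
    """Return the indicator types one file record matches (empty = no match)."""
    reasons = []
    if sha256.lower() in VEEAMP_SHA256:
        reasons.append("sha256")
    name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    if name in VEEAMP_NAMES:
        reasons.append("filename")
    return reasons


def scan_inventory(records: Iterable[Dict[str, str]]) -> List[Dict[str, object]]:
    """Records are {"path": ..., "sha256": ...}; a hash match is high
    confidence, a name-only match is low confidence."""
    hits = []
    for rec in records:
        reasons = classify_file(rec["path"], rec["sha256"])
        if reasons:
            hits.append({
                "path": rec["path"],
                "reasons": reasons,
                "confidence": "high" if "sha256" in reasons else "low",
            })
    return hits


def scan_sql_audit(lines: Iterable[str]) -> List[str]:
    """Return audit lines whose statement touches the Credentials table.
    Veeam's own services read this table too, so the client program in
    each returned line is what the analyst baselines against."""
    return [line for line in lines if CRED_TABLE_RE.search(line)]


# Constructed sample data: the matching hashes are the advisory's, the paths,
# the non-matching hashes and the audit lines are made up for the example.
SAMPLE_INVENTORY = [
    {"path": r"C:\Users\Public\o_vp.exe",
     "sha256": "DF492B4CC7F644AD3E795155926D1FC8ECE7327C0C5C8EA45561F24F5110CE54"},
    {"path": r"C:\Windows\Temp\update.exe",
     "sha256": "78517fb07ee5292da627c234b26b555413a459f8d7a9641e4a9fcc1099f06a3d"},
    {"path": r"C:\Tools\vp.exe",
     "sha256": "0000000000000000000000000000000000000000000000000000000000000001"},
    {"path": r"C:\Program Files\Example\Backup.exe",
     "sha256": "1111111111111111111111111111111111111111111111111111111111111111"},
]
SAMPLE_SQL_AUDIT = [
    "2022-03-15T10:02:11Z app=BackupSvc stmt=SELECT TOP 1 [id] FROM [VeeamBackup].[dbo].[Backups]",
    "2022-03-15T10:03:44Z app=vp.exe stmt=select [user_name],[password],[description] FROM [VeeamBackup].[dbo].[Credentials]",
    "2022-03-15T10:03:45Z app=sqlcmd stmt=SELECT user_name, password FROM VeeamBackup.dbo.Credentials",
]

if __name__ == "__main__":
    for hit in scan_inventory(SAMPLE_INVENTORY):
        print(hit)
    for line in scan_sql_audit(SAMPLE_SQL_AUDIT):
        print("credential table access:", line)
```

On the sample data the first record matches on both hash and name, the second on hash alone despite its innocuous name, and the third on name alone at low confidence; both audit lines that read the Credentials table are returned, including the unbracketed form, while the read of the Backups table is not.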
Appendix
Figure: Veeam Backup & Replication Functionalities
Figure: RCE Execution