Multiple RCE Vulnerabilities Affecting Veeam Backup & Replication

Summary

Threat actors are advertising fully weaponized remote code execution tools that exploit several critical and high-severity vulnerabilities affecting Veeam Backup & Replication.
Category: Vulnerability Intelligence
Vulnerability Class: Remote Code Execution
CVE IDs: CVE-2022-26500, CVE-2022-26501, CVE-2022-26504
CVSS 3.0 Score: 8.8 to 9.8

Executive Summary

Threat
  • Threat actors are advertising fully weaponized remote code execution tools that exploit several critical and high-severity vulnerabilities affecting Veeam Backup & Replication.
Impact
  • Threat actors can exploit the vulnerabilities to:
    • Gain initial access
    • Disclose sensitive information
    • Perform DDoS attacks
    • Encrypt the infrastructure with malware
    • Gain privileges and execute arbitrary code remotely
Mitigation
  • Upgrade to 11.0.1.1261 P20220302 (the P20220302 patch suffix matters: build 11.0.1.1261 without it is still affected)
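To act on the mitigation across a fleet, the installed build string has to be compared against the fixed build named above, and the comparison must treat the "P" patch suffix as part of the version. The following is an added example for this page, not CloudSEK or Veeam code: it parses build strings of the form shown in the advisory (four numeric components plus an optional "P" + YYYYMMDD suffix) and reports hosts that are below 11.0.1.1261 P20220302. The inventory is constructed for the example; how the build string is collected from each host (Help > About, or the file version of the installed Veeam binaries) is an assumption left to the reader.

```python
"""Compare Veeam Backup & Replication build strings against the fixed build.

Added example, not CloudSEK or Veeam code. Assumes build strings look like
"11.0.1.1261 P20220302" (four numeric parts, optional 'P' + YYYYMMDD suffix),
which is the format used in the advisory's mitigation line.
"""
import re
from typing import Dict, List, Tuple

# Fixed build named in the advisory for the 11.x line.
FIXED_BUILD = "11.0.1.1261 P20220302"

_BUILD_RE = re.compile(r"^\s*(\d+(?:\.\d+){3})(?:\s+P(\d{8}))?\s*$")

# Constructed inventory for the example (hostnames are made up).
SAMPLE_INVENTORY: Dict[str, str] = {
    "vbr-prod-01": "11.0.1.1261 P20220302",  # fixed build
    "vbr-prod-02": "11.0.1.1261",            # same build number, no patch
    "vbr-lab-01": "11.0.0.837",              # older 11.x build
    "vbr-dr-01": "11.0.1.1261 P20211211",    # earlier patch level
}


def parse_build(s: str) -> Tuple[Tuple[int, ...], int]:
    """Return (numeric version tuple, patch date as int; 0 when no P-suffix)."""
    m = _BUILD_RE.match(s)
    if not m:
        raise ValueError(f"unrecognised Veeam build string: {s!r}")
    version = tuple(int(x) for x in m.group(1).split("."))
    patch = int(m.group(2)) if m.group(2) else 0
    return version, patch


def is_patched(installed: str, fixed: str = FIXED_BUILD) -> bool:
    """True if `installed` is at or above the fixed build.

    The patch date is compared after the numeric version, so 11.0.1.1261 with
    no suffix, or with an older suffix, is reported as unpatched. A 10.x build
    compares lower and is also reported as unpatched; this advisory names only
    the 11.x fix, so check Veeam's guidance for other lines.
    """
    return (parse_build(installed)) >= (parse_build(fixed))


def triage(inventory: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (host, build) pairs that are not at the fixed build, sorted by host."""
    return sorted((h, b) for h, b in inventory.items() if not is_patched(b))


if __name__ == "__main__":
    for host, build in triage(SAMPLE_INVENTORY):
        print(f"UNPATCHED {host}: {build} (fix: {FIXED_BUILD})")
```

Run it against your own host-to-build mapping; anything it prints should be scheduled for the upgrade in the Mitigation row.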

Analysis and Attribution

  • CloudSEK’s contextual AI digital risk platform XVigil has analyzed several critical and high-severity vulnerabilities affecting Veeam Backup & Replication.
  • Several threat actors were seen advertising a fully weaponized remote code execution tool that exploits the following vulnerabilities affecting Veeam Backup & Replication:
    • CVE-2022-26500 and CVE-2022-26501, with a CVSS v3 score of 9.8
    • CVE-2022-26504, with a CVSS v3 score of 8.8
  • Successful exploitation of the above CVEs can lead to:
    • Copying files on the local host or from a remote SMB share
    • Unauthenticated RCE with 'Network Service' rights
    • Unauthenticated RCE/LPE with 'Local System' rights

What is Veeam Backup & Replication?

  • Veeam Backup & Replication is a proprietary backup app for virtual environments built on VMware vSphere, Nutanix AHV, and Microsoft Hyper-V hypervisors.
  • In addition to backing up and recovering VMs, it can protect and restore individual files and applications for environments such as Exchange and SharePoint.

CVEs Exploited By Threat Actors

CVE-2022-26500, CVE-2022-26501

  • Remote Code Execution vulnerability in Veeam Distribution Service
  • The Veeam Distribution Service (TCP 9380 by default) allows unauthenticated users to access internal API functions.
  • A remote attacker who reaches this port can therefore send crafted input to the internal API and execute malicious code without any authentication.

CVE-2022-26504

  • Remote Code Execution vulnerability in Veeam Backup PSManager
  • The Veeam.Backup.PSManager.exe process (TCP 8732 by default) allows authentication with non-administrative domain credentials.
  • Any domain user who can reach this port can therefore authenticate and execute malicious code remotely through the vulnerable component, gaining control of the backup server.
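Both CVE groups above are reachable only if the listening ports are exposed beyond the hosts that need them, so the first practical question is whether TCP 9380 and TCP 8732 are reachable from outside the backup network. The following is an added example for this page, not CloudSEK or Veeam code: it parses `netstat -ano` output taken on the backup server to see whether each service listens on all interfaces rather than loopback, and attempts a TCP connect from a remote vantage point. The netstat sample is constructed for the example; the port numbers and process names come from the advisory, and the column layout assumed for netstat is the standard Windows one.

```python
"""Check exposure of the two Veeam services named in the advisory.

Added example, not CloudSEK or Veeam code. Ports and process names are from
the advisory; the netstat sample below is constructed, not real output.
"""
import socket
from typing import Dict, Iterable, List, Tuple

VEEAM_PORTS: Dict[int, str] = {
    9380: "Veeam Distribution Service (CVE-2022-26500/26501)",
    8732: "Veeam.Backup.PSManager.exe (CVE-2022-26504)",
}

# Constructed sample of `netstat -ano` on a Windows backup server.
# 9380 listens on all interfaces (v4 and v6); 8732 only on loopback.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:9380           0.0.0.0:0              LISTENING       4120
  TCP    127.0.0.1:8732         0.0.0.0:0              LISTENING       4388
  TCP    10.0.5.20:9380         10.0.7.99:51822        ESTABLISHED     4120
  TCP    [::]:9380              [::]:0                 LISTENING       4120
"""

LOOPBACK = ("127.0.0.1", "[::1]")


def parse_netstat(text: str) -> List[Tuple[str, int]]:
    """Return (local_ip, local_port) for every TCP socket in LISTENING state."""
    rows: List[Tuple[str, int]] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "TCP":
            continue  # header, blank, or UDP line
        local, state = parts[1], parts[3]
        ip, _, port = local.rpartition(":")  # handles [::]:9380 as well
        if state.upper() == "LISTENING" and port.isdigit():
            rows.append((ip, int(port)))
    return rows


def exposed_listeners(text: str) -> Dict[int, List[str]]:
    """Map each Veeam port to the non-loopback addresses it listens on."""
    out: Dict[int, List[str]] = {}
    for ip, port in parse_netstat(text):
        if port in VEEAM_PORTS and ip not in LOOPBACK:
            out.setdefault(port, []).append(ip)
    return out


def tcp_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP handshake to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def remote_exposure(hosts: Iterable[str], timeout: float = 2.0) -> Dict[str, List[int]]:
    """For each host, list the Veeam ports that accept a connection from here."""
    return {h: [p for p in VEEAM_PORTS if tcp_open(h, p, timeout)] for h in hosts}


if __name__ == "__main__":
    for port, ips in exposed_listeners(SAMPLE_NETSTAT).items():
        print(f"{VEEAM_PORTS[port]} listening on {', '.join(ips)}")
    # From a host outside the backup VLAN, e.g.:
    # print(remote_exposure(["vbr-prod-01.corp.example"]))
```

A listener on 0.0.0.0 or [::] is only a problem if the network path allows it; run `remote_exposure` from the segments that should not reach the backup server (user VLANs, DMZ) and restrict anything that answers, in addition to applying the patch.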

Information from OSINT

CloudSEK researchers were able to find a GitHub repository named “veeam-creds” with the following specifications:
  • It contained scripts for recovering passwords from the Veeam Backup and Replication credential manager.
  • The repository had the following 3 files:
    • Veeam-Get-Creds.ps1 - PowerShell script for retrieving and decrypting accounts directly from the Veeam database.
    • VeeamGetCreds.yaml - PowerShell Empire module wrapping an adapted Veeam-Get-Creds.ps1 script.
    • Veampot.py - Python script that emulates vSphere responses to retrieve the credentials stored in Veeam.

Possible Ransomware Affiliations

  • A malware named "Veeamp" was found in the wild, used by the following two ransomware groups to dump credentials from the SQL database behind the Veeam backup management software:
    • Monti Ransomware
    • Yanluowang Ransomware
  • The malware is a 32-bit .NET binary that, on launch, connects to the SQL database named VeeamBackup and runs the following command: select ,, FROM ..
  • After successfully decrypting each stored entry, the credential dumper "Veeamp.exe" prints the following fields in order:
    • Username
    • Encrypted Password
    • Decrypted Password
    • Description

Indicators of Compromise (IoCs)

Based on the results from VirusTotal, the following are the IoCs for Veeamp.
Hashes (SHA-256)
  • 9aa1f37517458d635eae4f9b43cb4770880ea0ee171e7e4ad155bbdee0cbe732
  • Df492b4cc7f644ad3e795155926d1fc8ece7327c0c5c8ea45561f24f5110ce54
  • 78517fb07ee5292da627c234b26b555413a459f8d7a9641e4a9fcc1099f06a3d
File names
  • veeamp.exe
  • vp.exe
  • 9aa1.exe
  • o_vp.exe
IP address
  • 13.107.4.52 (this address lies in Microsoft-owned address space, 13.104.0.0/14, so treat it as a low-confidence indicator and corroborate before blocking)
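The hashes and file names above are the indicators a responder would sweep a backup server for after a suspected Veeamp run. The following is an added example for this page, not CloudSEK code: it walks a directory tree, hashes each file in chunks, and reports files that match either a listed SHA-256 or one of the listed file names. The hash and name sets are copied from the IoC section (hashes normalised to lowercase); the function names, walk order and report format are this example's own design, and the VirusTotal IP is deliberately left out because it is too weak to act on alone.

```python
"""Sweep a directory tree for the Veeamp indicators listed in the advisory.

Added example, not CloudSEK code. Hash and name lists are from the IoC
section; everything else is this example's own design.
"""
import hashlib
import os
from typing import Dict, List, Set

VEEAMP_SHA256: Set[str] = {
    "9aa1f37517458d635eae4f9b43cb4770880ea0ee171e7e4ad155bbdee0cbe732",
    "df492b4cc7f644ad3e795155926d1fc8ece7327c0c5c8ea45561f24f5110ce54",
    "78517fb07ee5292da627c234b26b555413a459f8d7a9641e4a9fcc1099f06a3d",
}
VEEAMP_NAMES: Set[str] = {"veeamp.exe", "vp.exe", "9aa1.exe", "o_vp.exe"}


def sha256_hex(data: bytes) -> str:
    """SHA-256 of an in-memory buffer, lowercase hex."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    """SHA-256 of a file, read in 1 MiB chunks so large binaries do not load whole."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def classify(name: str, digest: str,
             hashes: Set[str] = VEEAMP_SHA256,
             names: Set[str] = VEEAMP_NAMES) -> List[str]:
    """Indicator types matched by one file: 'hash' (exact sample), 'name' (noisy), or both.

    A hash match identifies one of the listed samples. A name match only says
    the file is called what Veeamp was seen called; vp.exe could be benign,
    so the two are reported separately for triage.
    """
    hits: List[str] = []
    if digest.lower() in hashes:
        hits.append("hash")
    if name.lower() in names:
        hits.append("name")
    return hits


def sweep(root: str) -> Dict[str, List[str]]:
    """Walk `root` and return {path: [matched indicator types]} for hits only."""
    findings: Dict[str, List[str]] = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            try:
                digest = sha256_file(path)
            except OSError:
                continue  # locked or unreadable; skip rather than abort the sweep
            hits = classify(fn, digest)
            if hits:
                findings[path] = hits
    return findings


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, hits in sorted(sweep(root).items()):
        print(f"{','.join(hits):10} {path}")
```

Hash hits are conclusive for the three listed samples only; a recompiled Veeamp will not match, so a name-only hit on the backup server, especially alongside unexpected queries against the VeeamBackup database, still warrants pulling the file for analysis.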

Appendix

Veeam Backup & Replication Functionalities (figure)

RCE Execution (figure)
