Black Arrow Cyber Advisory 05 April 2023 – ALPHV Ransomware Affiliate Targeting Vulnerable Veritas Backup Exec Installations to Gain Initial Access

Executive Summary

An affiliate of the ALPHV Ransomware group, tracked as UNC4466, are targeting vulnerable and publicly exposed Veritas Backup Exec installations as part of a ransomware attack. Veritas Backup Exec is a data and backup recovery software, used by over 45,000 businesses worldwide. According to Mandiant, there are currently around 8,500 publicly exposed installations and a number are unpatched and vulnerable; patches were made available in 2021.

What is the risk to my business?

Exploitation of the vulnerabilities allow an attacker to gain unauthorised access, execute commands and compromise data. Using this attack method UNC4466 are able to encrypt data belonging to an organisation and demand a ransom for decryption. The affected versions of Backup Exec are 16.x, 20.x and 21.1.

Technical Summary

By exploiting the vulnerabilities above, the attacker is able to gain unauthorised access to the Backup Exec agent. Subsequently, the attacker can then execute commands or use specially crafted input parameters to access files on the system; both of which use system privileges, the highest privilege possible. The attacker is then in a position where they can encrypt an organisation’s data and make ransom demands.

Detection and indicators of compromise

The update from Mandiant notes that the exploitation leaves a noticeable imprint on the Backup Exec log files. Mandiant have also identified the following indicators of compromise:

Reference to the following tools:

Advanced Port Scanner, ALPHV, LAZAGNE, LIGOLO, MIMIKATZ, NANODUMP, REVSOCKS, Sysinternals, PSEXEC, WINSW

IP addresses:

45.61.138.109 on ports: 33971, 36931, 41703, 43937, 45815

185.141.62.123 on ports: 50810 and for the address hxxp://185.141.62.123:10228/update.exe

5.199.169.209 on port: 31600

185.99.135.115 on ports:39839, 49196 and 41774

What can I do?

If organisations are using a vulnerable version of Veritas Backup Exec, this should be updated immediately. The vulnerabilities were patched in Backup Exec 21.2, the current version is now 22. To detect an incident, organisations should look to check the Backup Exec log files on vulnerable versions and look for connections to unknown IP addresses.

Need help understanding your gaps, or just want some advice? Get in touch with us.

#threatadvisory #threatintelligence #cybersecurity

The security advisory from Veritas can be found here: https://www.veritas.com/support/en_US/security/VTS21-001

The Mandiant report can be found here:

https://www.mandiant.com/resources/blog/alphv-ransomware-backup

Previous
Previous

Black Arrow Cyber Threat Briefing 07 April 2023

Next
Next

Black Arrow Cyber Threat Briefing 31 March 2023