Ransomware Groups Exploit Veeam Flaw CVE-2023-27532 in Nigerian Cyber Infrastructure

by do son · September 19, 2024

The Nigeria Computer Emergency Response Team (ngCERT) has issued an urgent alert warning of ransomware groups actively targeting critical systems across Nigeria. The alert focuses on a high-severity vulnerability (CVE-2023-27532) in Veeam Backup and Replication (VBR) software, which has already been exploited in recent ransomware attacks within the Nigerian cyberspace, including an incident involving the notorious Phobos ransomware group.

The vulnerability, CVE-2023-27532, affects VBR versions 12 and below, and it allows attackers to gain unauthorized access to sensitive data, including encrypted and plaintext credentials stored in the Veeam configuration database. This flaw enables cybercriminals to elevate privileges, install malware, and execute arbitrary code on compromised systems.

By exploiting this vulnerability, attackers can connect to the Veeam Backup Service via port TCP 9401 and extract confidential information without requiring proper authentication. Armed with administrative credentials, they can compromise the entire network, leading to system takeovers, data exfiltration, and eventually, ransomware attacks.

Recently, the Phobos ransomware group successfully leveraged this Veeam flaw in an attack targeting cloud infrastructure in Nigeria. Once inside the network, the attackers deployed ransomware, encrypted critical data, and demanded payment from the victims. This incident underscores the growing threat of ransomware actors targeting critical sectors, including government institutions, financial services, and cloud providers.

ngCERT strongly advises all users to immediately apply the available patches provided by Veeam to mitigate the risk of exploitation. Additionally, they recommend a multi-layered approach to cybersecurity, including:

Timely Updates: Keep all operating systems, software, and web browsers up-to-date.
Multi-Factor Authentication (MFA): Implement MFA for VPN and other remote access services.
Patch Management: Enforce a strict patch management policy to address known vulnerabilities.
Network Segmentation: Segment critical systems and restrict lateral movement with strict firewall rules.
Application Control: Prevent the execution of unauthorized programs and ensure only approved security applications are used.
Threat Detection: Deploy tools like EDR and NTA to detect and respond to suspicious activities.
Incident Response Plan: Develop and maintain a comprehensive incident response plan.
Access Control: Strengthen access controls and authentication mechanisms for VBR environments.
Backup and Recovery: Regularly review and update backup and recovery processes to ensure data integrity and security.