Veeam Backup Flaw Exploited in Frag Ransomware Attacks, Threatens Global Enterprises
November 8, 2024
A critical security flaw in Veeam Backup & Replication (VBR), tracked as CVE-2024-40711, has been exploited in multiple ransomware attacks, notably including recent deployments of Frag ransomware.
This vulnerability stems from a deserialization of untrusted data weakness, which allows unauthenticated attackers to execute remote code on Veeam VBR servers.
Veeam issued security updates for this flaw on September 4, 2024, prior to the delayed release of a proof-of-concept exploit on September 15, 2024.
Florian Hauser, a security researcher from Code White, identified the flaw and postponed the proof-of-concept release to give administrators time to implement necessary security updates.
Despite these precautions, threat actors quickly exploited the vulnerability, using stolen VPN credentials to compromise unpatched servers in attacks involving Akira and Fog ransomware.
Agger Labs reported that the Frag ransomware gang employs Living Off The Land binaries (LOLBins), which complicates detection because the attackers rely on legitimate software already present on compromised systems.
Sophos X-Ops incident responders observed that the same tactics were utilized by a threat activity cluster, STAC 5881, in deploying Frag ransomware.
The attackers have created new administrative accounts on compromised networks, previously naming one 'point' and recently adding 'point2'.
With over 550,000 customers globally, including about 74% of all companies in the Global 2000 list, Veeam's products are a prime target for cybercriminals.
Similar to previous ransomware groups, Frag operators specifically target unpatched vulnerabilities and misconfigurations within backup solutions.
This incident follows a pattern, as Veeam had previously addressed another significant vulnerability (CVE-2023-27532) in March 2023, which was exploited in attacks related to the FIN7 group and Cuba ransomware targeting U.S. critical infrastructure.
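The new administrative accounts described above ('point', 'point2') give defenders something concrete to hunt for. The following is an added example, not taken from the article or its sources: it correlates Windows Security events 4720 (user account created) and 4732 (member added to a local group) to flag accounts that join the local Administrators group shortly after creation. It assumes local accounts and a flattened record layout; the host names, SIDs, 10-minute window and sample events are constructed.

```python
from datetime import datetime, timedelta

ADMINS_SID = "S-1-5-32-544"          # built-in local Administrators group
WATCHLIST = {"point", "point2"}      # account names reported in the article

# Constructed sample records, flattened from Windows Security events
# 4720 (user account created) and 4732 (member added to local group).
SAMPLE_EVENTS = [
    {"EventID": 4720, "Computer": "VBR01", "TimeCreated": "2024-11-01T02:14:07",
     "TargetUserName": "point2", "TargetSid": "S-1-5-21-1-2-3-1105"},
    {"EventID": 4732, "Computer": "VBR01", "TimeCreated": "2024-11-01T02:14:09",
     "TargetSid": ADMINS_SID, "MemberSid": "S-1-5-21-1-2-3-1105"},
    {"EventID": 4720, "Computer": "FS02", "TimeCreated": "2024-11-01T09:00:00",
     "TargetUserName": "jsmith", "TargetSid": "S-1-5-21-1-2-3-1106"},
    {"EventID": 4732, "Computer": "FS02", "TimeCreated": "2024-11-03T10:00:00",
     "TargetSid": ADMINS_SID, "MemberSid": "S-1-5-21-1-2-3-1106"},
    {"EventID": 4720, "Computer": "APP03", "TimeCreated": "2024-11-02T03:30:00",
     "TargetUserName": "svc-temp", "TargetSid": "S-1-5-21-1-2-3-1107"},
    {"EventID": 4732, "Computer": "APP03", "TimeCreated": "2024-11-02T03:31:00",
     "TargetSid": ADMINS_SID, "MemberSid": "S-1-5-21-1-2-3-1107"},
]

def find_new_admin_accounts(events, window=timedelta(minutes=10)):
    """Return accounts created and added to Administrators within `window`."""
    created = {}   # (host, account SID) -> (creation time, account name)
    findings = []
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        when = datetime.fromisoformat(ev["TimeCreated"])
        if ev["EventID"] == 4720:
            created[(ev["Computer"], ev["TargetSid"])] = (when, ev["TargetUserName"])
        elif ev["EventID"] == 4732 and ev["TargetSid"] == ADMINS_SID:
            # 4732 identifies the new member by SID, so join on SID, not name.
            hit = created.get((ev["Computer"], ev["MemberSid"]))
            if hit and when - hit[0] <= window:
                findings.append({
                    "host": ev["Computer"], "account": hit[1],
                    "seconds_to_admin": int((when - hit[0]).total_seconds()),
                    "name_on_watchlist": hit[1].lower() in WATCHLIST,
                })
    return findings

if __name__ == "__main__":
    for finding in find_new_admin_accounts(SAMPLE_EVENTS):
        print(finding)
```

The behavioural rule (created, then promoted within minutes) still fires when the account name differs from the reported ones; the watchlist flag only raises priority.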
Summary based on 1 source
Source
BleepingComputer • Nov 8, 2024
Critical Veeam RCE bug now used in Frag ransomware attacks