A critical vulnerability in Veeam Backup & Replication (CVE-2024-40711) has recently come under active exploitation, with attackers leveraging this flaw to deploy ransomware, steal sensitive data, and compromise systems. The vulnerability, exploited through unsecured VPN gateways and unpatched systems, has affected organizations globally, leading to incidents involving ransomware families such as Fog and Akira. As cybercriminals continue to evolve their tactics, cybersecurity professionals must remain vigilant, prioritize timely patching, and enhance defenses to mitigate this growing threat.
Details of the Veeam Backup & Replication Vulnerability (CVE-2024-40711)
Veeam, a widely used backup and recovery solution, has become the latest target of sophisticated cyberattacks. Exploited through a known vulnerability, CVE-2024-40711, the attackers are taking advantage of organizations that have not updated their systems or are running unsupported versions of VPN software. The flaw lies in the Veeam.Backup.MountService.exe service, accessible through the URI /trigger on port 8000. Once exploited, the vulnerability allows the creation of a local account—typically named “point”—which is added to the Administrators and Remote Desktop Users groups, granting full access to the compromised system.
In several observed cases, attackers used this access to attempt ransomware deployment, notably Fog and Akira ransomware. According to Sophos X-Ops MDR and Incident Response teams, four separate attacks over the past month have involved these ransomware variants, with the attackers initially breaching targets through compromised VPN credentials.
In one case, a Fog ransomware attack targeted an unprotected Hyper-V server, using the rclone utility to exfiltrate data. The attack illustrates the severity of leaving known vulnerabilities unpatched and the importance of securing remote access points such as VPN gateways. Fortunately, Sophos endpoint protection and managed detection and response (MDR) services successfully thwarted several ransomware deployments, preventing what could have been catastrophic data losses.
“Sophos X-Ops MDR and Incident Response are tracking a series of attacks in the past month leveraging compromised credentials and a known vulnerability in Veeam (CVE-2024-40711) to create an account and attempt to deploy ransomware. In one case, attackers dropped Fog ransomware. Another attack in the same timeframe attempted to deploy Akira ransomware. Indicators in all 4 cases overlap with earlier Akira and Fog ransomware attacks. In each of the cases, attackers initially accessed targets using compromised VPN gateways without multifactor authentication enabled. Some of these VPNs were running unsupported software versions. Each time, the attackers exploited VEEAM on the URI /trigger on port 8000, triggering the Veeam.Backup.MountService.exe to spawn net.exe. The exploit creates a local account, “point,” adding it to the local Administrators and Remote Desktop Users groups. In the Fog ransomware incident, the attacker deployed it to an unprotected Hyper-V server, then used the utility rclone to exfiltrate data. Sophos endpoint protection and MDR prevented ransomware deployments in the other cases. These cases underline the importance of patching known vulnerabilities, updating/replacing out-of-support VPNs, and using multifactor authentication to control remote access. Sophos X-Ops continues to track this threat behavior.” Sophos X-op Said.
“Active exploitation of CVE-2024-40711
Security researchers have reported CVE-2024-40711 is under active exploitation by ransomware groups. These groups are reportedly exploiting CVE-2024-40711 as a second stage exploit to create new local Administrator accounts to facilitate further objectives on compromised networks. Reports warn of exploitation attempts since shortly after official disclosure by Veeam. Enterprise backup and disaster recovery applications are valuable targets for cyber threat groups. Vulnerabilities in backup and disaster recovery applications are often exploited in the wild by ransomware groups shortly after official disclosure, and the NHS England National CSOC assess exploitation of CVE-2024-40711 as highly likely to continue.” NSH England Said.
Key Attack Methods:
- Attackers accessed targets through compromised VPN gateways without multifactor authentication (MFA) enabled, further exploiting VPNs running outdated or unsupported software.
- The vulnerability was triggered on port 8000, allowing attackers to create new local administrator accounts.
- Ransomware like Fog and Akira was deployed following system compromise, with data exfiltrated using tools like rclone.
This recent spate of attacks underscores the importance of patching known vulnerabilities, particularly in widely used systems like Veeam. Organizations must also ensure their remote access methods are secured with MFA and that unsupported software is updated or replaced promptly.
“Better patch your Veeam Backup & Replication servers! Full system takeover via CVE-2024-40711, discovered by our very own @frycos – no technical details from us this time because this might instantly be abused by ransomware gangs” CODE WHITE GmbH Said.
10 Tips to Avoid Future Exploitation of Such Vulnerabilities:
To mitigate the risks posed by this and other vulnerabilities, cybersecurity professionals should implement the following best practices:
- Regularly Patch and Update Software
Ensure that all critical systems, including backup solutions like Veeam, are kept up to date with the latest security patches. This will close vulnerabilities like CVE-2024-40711 before they can be exploited. - Enforce Multifactor Authentication (MFA)
Implement MFA for all remote access points, including VPNs and administrative logins, to add an extra layer of security. This step is crucial in preventing unauthorized access even if credentials are compromised. - Replace Unsupported Software
Running outdated or unsupported software increases the likelihood of vulnerabilities being exploited. Ensure that all systems, especially VPN gateways, are updated or replaced with supported versions. - Conduct Regular Security Audits
Regular audits can help identify vulnerabilities in your infrastructure before attackers do. These audits should focus on both software patches and configuration issues. - Monitor for Suspicious Account Activity
Enable monitoring for the creation of new user accounts, particularly administrative accounts. In this case, the creation of the “point” account could have been a red flag if proactive monitoring was in place. - Restrict Administrative Access
Limit administrative access to critical systems only to authorized personnel and require justifications for any new administrative accounts. Use least privilege principles where possible. - Isolate Critical Backup Systems
Backup systems like Veeam should be isolated from the rest of the network where possible. This isolation prevents ransomware from easily spreading across systems once access is gained. - Implement Endpoint Detection and Response (EDR)
Use advanced EDR tools to monitor for unusual behavior, such as the execution of ransomware or unauthorized account creation. In several cases, Sophos EDR prevented ransomware deployment, showcasing its value. - Test Incident Response Plans
Regularly test and update your incident response plans. Knowing how to respond to a ransomware attack or data breach can significantly reduce the impact of an incident. - Secure Hyper-V and Virtual Environments
Hyper-V and other virtualization platforms should be secured with robust access controls and regular monitoring to prevent attackers from targeting virtual machines, as seen in the Fog ransomware incident.
Conclusion:
The active exploitation of the Veeam Backup & Replication vulnerability (CVE-2024-40711) is a stark reminder of the critical need for vigilance in cybersecurity. Unpatched systems, unsecured remote access points, and outdated software are prime targets for cybercriminals, as demonstrated by the recent ransomware attacks involving Fog and Akira. By following best practices such as patching, enabling MFA, and conducting regular audits, organizations can significantly reduce their exposure to these threats.
As attackers continue to evolve their tactics, cybersecurity professionals must remain proactive, staying ahead of potential exploits and reinforcing their defenses. The Veeam vulnerability may not be the last, but with the right security posture, it doesn’t have to lead to a successful breach.
Want to stay on top of cybersecurity news? Follow us on Facebook – X (Twitter) – Instagram – LinkedIn – for the latest threats, insights, and updates!
 is a stark reminder of the critical need for vigilan){kind=link}