Ransomware targets unpatched Veeam servers

Attackers are taking advantage of a critical flaw in Veeam Backup & Replication software to launch ransomware attacks, according to an alert issued by antivirus firm Sophos. The vulnerability, identified as CVE-2024-40711, was patched by Veeam early last month, but hackers continue to exploit servers that have not yet been updated. The flaw allows unauthenticated attackers to remotely execute code on the backup server, putting companies’ data at risk.

With a score of 9.8 on a severity scale of 1 to 10, the vulnerability has been the target of multiple attacks, as noted by Sophos. In recent months, criminals have used compromised credentials and the Veeam breach to access corporate systems and deploy ransomware, blocking access to essential data and demanding payment to release it.

Attacks typically begin with the compromise of VPN gateways that do not have multi-factor authentication. Many of these servers were operating with outdated software versions, which made it easier for attackers to enter. After gaining access to the system, the vulnerability in Veeam is exploited to create a local account, allowing data theft and deployment of ransomware.

This is not the first incident involving Veeam software flaws in cyberattacks. In the past, similar vulnerabilities have been used in ransomware attacks, highlighting the importance of keeping software updated and implementing additional layers of security, such as multi-factor authentication, especially when accessing via VPN.

Veeam has already released updates to fix this vulnerability, and cybersecurity experts recommend that affected companies apply the fixes as soon as possible to prevent further attacks. Awareness and adoption of good security practices, such as regular updates and strengthened authentication, are critical to mitigating the growing risks of ransomware attacks.